Tuesday, 13 December 2005

Non-Technical Means Unearth Best Intrusions

Thanks again to the latest SANS NewsBites, I learned of an interesting trade secret theft case. From the CNET News story:

"John O'Neil, former CEO of Business Engine Software, pleaded guilty in a San Francisco federal court on Wednesday to conspiracy to download and steal the trade secrets of software competitor Niku over a 10-month period...

From October 2001 until July 2002, Business Engine used the passwords to gain unauthorized access to Niku's systems more than 6,000 times and downloaded over 1,000 confidential documents containing trade secrets, the complaint alleged. The stolen documents included technical specifications, product designs, prospective customers, customer proposals, client account information and pricing.

Niku discovered the break-in after a Business Engine salesman made an unsolicited call to one of Niku's prospective clients, a Nike employee who happened to be related to Niku's chief information officer, Warren Leggett. The call raised suspicion because the Nike employee was not ordinarily responsible for software purchasing decisions, had never heard of Business Engine and had no idea how the salesman had obtained his contact information, according to a declaration by Leggett.

The incident prompted Leggett to examine his company's computer logs and files from his recent meeting with Nike. He quickly determined from a trail of Internet network addresses that someone from outside the company had been stealing files. Leggett was able to trace the intrusions back to Business Engine by using Internet domain registration information and publicly available Internet tools." (emphasis added)

Whoa. Niku had been 0wn3d for 10 months, and accessed "more than 6,000 times," before a freak family relation caused the right gears to mesh. What kind of security did Niku have (or not have) that would let a compromise continue undetected and unimpeded for so long?

The sad fact is that many of the most interesting intrusions (i.e., not worms, or bots, or viruses) are discovered by non-technical means. Once a company is clued in to the fact that it has a breach, the question becomes one of scoping the incident. For example:

  • What happened/is happening?
  • What systems are or may be affected?
  • What information did the intruder copy, change, or destroy? (violations of confidentiality, integrity, or availability)
  • When did the intruder first gain unauthorized access?
  • When was the last time the intruder accessed victim systems?

Most organizations are not collecting the NSM data they need to answer these questions. Is yours?
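To show what answering those five questions looks like once the right data has been kept, here is an added example (my own code, not part of the original post or anything Niku or Business Engine ran). It takes a simple access-log format with the fields timestamp, host, client IP, account, method, path and status, treats everything outside two hypothetical internal ranges as external, and for each external source address reports the first and last successful access, the number of accesses, the accounts used, the systems touched and the documents fetched. It also lists accounts that appear from both inside and outside the company, the pattern you would expect when a legitimate user's password has been taken. The log lines, host names, addresses and account names are all constructed for the example.

```python
"""Incident-scoping summary over access logs (added example, constructed data)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime

# Hypothetical "inside the company" ranges; any other source address is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log: timestamp host client_ip account method path status
SAMPLE_LOG = """\
2001-10-03T09:12:44 portal.example.internal 10.1.4.22 jdoe GET /docs/roadmap-2002.pdf 200
2001-10-03T22:41:03 portal.example.internal 203.0.113.45 jdoe GET /docs/roadmap-2002.pdf 200
2001-10-03T22:41:19 portal.example.internal 203.0.113.45 jdoe GET /docs/pricing-q4.xls 200
2001-11-15T01:05:51 portal.example.internal 203.0.113.45 jdoe GET /crm/prospects.csv 200
2002-02-20T03:30:00 fileshare.example.internal 203.0.113.45 jdoe GET /proposals/nike-proposal.doc 200
2002-02-20T03:30:07 fileshare.example.internal 203.0.113.45 jdoe GET /proposals/nike-proposal.doc 200
2002-07-28T23:59:10 portal.example.internal 203.0.113.45 jdoe GET /docs/roadmap-2002.pdf 200
2002-07-29T08:00:00 portal.example.internal 10.1.4.22 jdoe GET /docs/roadmap-2002.pdf 200
2002-05-01T12:00:00 portal.example.internal 198.51.100.7 asmith GET /login 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Scope:
    """Answers to the scoping questions for one external source address."""
    first_seen: datetime
    last_seen: datetime
    accesses: int = 0
    accounts: set[str] = field(default_factory=set)
    systems: set[str] = field(default_factory=set)
    documents: set[str] = field(default_factory=set)


def is_external(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse(log_text: str):
    """Yield parsed records; malformed lines are skipped rather than miscounted."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def scope_intrusion(log_text: str) -> dict[str, Scope]:
    """Per external source IP: first/last access, count, accounts, systems, documents.

    Only successful (2xx) requests are counted, since those are the ones that
    tell us what was actually copied; failed attempts are worth tracking too,
    but separately.
    """
    scopes: dict[str, Scope] = {}
    for rec in parse(log_text):
        if not is_external(rec["ip"]) or not rec["status"].startswith("2"):
            continue
        ts = datetime.fromisoformat(rec["ts"])
        s = scopes.get(rec["ip"])
        if s is None:
            s = scopes[rec["ip"]] = Scope(first_seen=ts, last_seen=ts)
        s.first_seen = min(s.first_seen, ts)  # "when did they first get in?"
        s.last_seen = max(s.last_seen, ts)    # "when were they last here?"
        s.accesses += 1
        s.accounts.add(rec["user"])
        s.systems.add(rec["host"])            # "what systems are affected?"
        s.documents.add(rec["path"])          # "what information was copied?"
    return scopes


def shared_accounts(log_text: str) -> set[str]:
    """Accounts seen from both internal and external addresses (stolen-password indicator)."""
    inside, outside = set(), set()
    for rec in parse(log_text):
        (outside if is_external(rec["ip"]) else inside).add(rec["user"])
    return inside & outside


def report(scopes: dict[str, Scope]) -> str:
    lines = []
    for ip, s in sorted(scopes.items()):
        lines.append(f"{ip}: {s.accesses} accesses, accounts={sorted(s.accounts)}, "
                     f"first={s.first_seen.isoformat()}, last={s.last_seen.isoformat()}")
        lines.append(f"  systems:   {sorted(s.systems)}")
        lines.append(f"  documents: {sorted(s.documents)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scope_intrusion(SAMPLE_LOG)))
    print("accounts used from both inside and outside:", sorted(shared_accounts(SAMPLE_LOG)))
```

The point of the exercise is not the script but the data it depends on: without per-request logs that record the source address, the account and the object fetched, kept for the whole period of the compromise, none of the five questions can be answered after the fact, and "more than 6,000 times" becomes a number you learn from the complaint rather than from your own records.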
