Ways for combating breaches and loss of data in your organization
By Ken Michael
From insider theft at Tesla to cyber-espionage by government-funded bad actors, manufacturing businesses face multiple threats. Keeping sensitive information and proprietary data is key to not only making a profit in our global economy but also to the sheer survival of your business.
Using data from the last three years’ Data Breach Investigations Reports by Verizon, we have determined the top threats manufacturing businesses are facing with insider IT tips for stopping them.
No, your business is not the center of the latest James Bond film but cyber-espionage is a real thing. This occurs when external actors infiltrate your network or system for the purpose of stealing sensitive data and trade secrets.
According to the 2016 Data Breach Investigations Report by Verizon, the greatest threat to manufacturing businesses that year came from cyber-espionage which accounted for nearly half (47 percent) of all data loss. The 2017 Verizon report showed 21 percent of confirmed breaches were related to espionage and in 2018, 30 percent of information stolen from the manufacturing industry involved trade secrets, according to the 2018 Data Breach Investigations Report by Verizon.
“The actors are predominantly state-affiliated groups,” warned the 2016 report, which showed manufacturing companies were among the top targets for cyber-espionage that year. “Competitors and nation states are also mixing it up.”
Your company’s trade secrets (i.e. proprietary data) are the most commonly sought after data in cyber-espionage breaches accounting for 90 percent of the data stolen, according to the 2016 report. That trend is continuing as evidenced by ongoing thefts.
“Looking at all-industry data, most cyberattacks are opportunistic,” according to the 2018 report. “But in manufacturing, 86 percent are targets. That target is often the planning, research, and development of your new solution. Almost half (47 percent) of breaches involved the theft of intellectual property to gain competitive advantage.”
According to an online article by CNN Tech, the Trump administration found “Chinese theft of American intellectual property currently costs between $225 billion and $600 billion annually.” The CNN article mentioned that those numbers fall in line with estimates from a 2017 report by the Commission on the Theft of American Intellectual Property.
The New York Post reported in June 2018 that Chinese government-employed hackers broke into a U.S. Navy contractor’s computers and stole a plethora of proprietary data. According to the article “Chinese hackers stole secret plans for new US Navy Weapon” some of the data stolen included plans for the development of “a supersonic anti-ship missile that U.S. subs hoped to carry by 2020.”
In another piece by CNN Tech, “Chinese wind turbine firm found guilty of stealing U.S. secrets,” one of China’s top wind turbine makers was found guilty of stealing trade secrets from an American tech firm, nearly putting the American company out of business due to financial losses incurred by the theft.
Espionage begins with the same threat actions as many other patterns of attack such as phishing and malware in order to gain access. In addition to phishing and malware, bad actors also use drive-by downloads, leveraging browser or common plug-in vulnerabilities to accomplish their mission of compromising a desktop on the corporate LAN and proceeding from there.
Due to the simple fact that malicious software was involved in 90 percent of cyber-espionage incidents in 2016 and has continued to play a major role in hacks, endpoint protection is a necessity. Whether delivered by email, a web drive-by, or direct/remote installation, protecting endpoint data is critical. Here are some things you should do:
• Make browser and plug-in updates a priority
• Use and update your anti-virus (AV)
• Use a Data Execution Prevention (DEP)
• Use Endpoint Threat Detection and Response (ETDR)
Because phishing is such a prominent cyber-espionage attack vector, protecting email communication is a key component to security. To protect your business against email-based attacks, be sure to implement defenses that incorporate the following:
• Spam protection
• Block lists
• Header analysis
• Static/Dynamic email attachment and URL analysis
• Reporting procedures for suspected phishing attempts
Secure your internal systems by protecting the whole network. To defend your business, be sure to:
• Use multi-factor authentication
• Segment the network
• Block C2 communications and remediate compromises
Monitoring & Logging
Don’t wait to find out about a breach from law enforcement or a customer. Log files and change management systems can give you an early warning of a security compromise. Internal monitoring of devices, applications, and networks is necessary in order to learn from attempted breaches, hacks, and data loss. At a minimum your business should implement:
• Account monitoring
• Audit log monitoring
• Network/IDS monitoring
Privilege Misuse & Abuse
Misuse and abuse includes any unapproved or malicious use of organizational resources. This includes insider misuse but also covers outsiders as well through collusion and criminal partnerships. Privilege misuse can occur at the hands of a disgruntled employee, someone looking to make a quick buck, or even an employee recruited by organized crime.
The 2016 Verizon report showed 24 percent of confirmed breaches came from privilege misuse while 21 percent was attributed to web apps. In 2017, 25 percent of confirmed breaches involved internal actors. Breaches involving internal actors continued in an upward trend across the board as more than a quarter of all of the confirmed breaches (28 percent) in 2018 involved internal actors.
In June 2018, Tesla filed a lawsuit against a former employee for suspected insider theft. According to CNBC, the company’s CEO Elon Musk issued an email to employees that the man “conducted quite extensive and damaging sabotage.” The lawsuit was filed after the former employee allegedly made changes to the company’s source code and exported gigabytes of proprietary data to unknown third parties.
When roles were classified by incident in the 2016 Verizon report, almost one third were end users with access to sensitive data in order to perform their job duties. Only 14 percent were in leadership roles such as those with executive titles or those in management. Another 14 percent were in roles that required elevated access to sensitive data to do their jobs.
What this means is that you should worry less about job titles and more about the level of access people have to proprietary data regardless of their role. Build strong relationships with employees in the company while maintaining a healthy level of suspicion toward everyone to best protect your business.
Anyone is capable of making a mistake and it happens fairly regularly. The distinction here is that employee errors occur by accident or as a result of a lack of training. They have no malicious intent though they can still lead to a breach. Such mistakes can surface in the form of misdelivery, publishing, or disposal of information. This occurs when someone sends an email with sensitive data to the wrong recipient, publishes information that should not have been, or disposes of information that should have been retained.
In the 2018 Verizon report, “errors were at the heart of almost one in five (17 percent) breaches. That included employees failing to shred confidential information, sending an email to the wrong person, or misconfiguring web servers. While none of these were deliberately ill-intentioned, they could all still prove costly.”
Love Them, Watch Them, Train Them
Whether malicious or not, employees can be a major threat. Be sure to monitor their authorized daily activity, especially if they have access to monetizable data such as financial account information, personally identifiable information (PII), payment cards, or medical records.
Train to Prevent Losses
Cybersecurity awareness training is also a must. Train all employees to be aware that the safety and security of your company lies squarely on their shoulders. During the onboarding process, train employees that security is everyone’s business when it comes to protecting your organization. Teach them situational awareness and include physical security of company assets in both new employee orientation and ongoing training for all employees.
Continue regular training of all employees to remind them of company policies and procedures. Be sure to discuss clearing desks and desktops before leaving for the night and never leaving business assets in vehicles since car windows are not hard to break.
This goes hand in hand with monitoring your employees because USBs can spell trouble. Research from the 2016 study identified numerous instances of audits performed following the departure of an employee that uncovered evidence of a USB drive being used to transfer data prior to them leaving. Protect your company by taking measures to identify the use of portable drives as soon as possible.
Be sure to apply the method of least privilege in the workplace. If an employee doesn’t need access to sensitive data to do their job, they should not have access to sensitive data. Give minimal access to each employee based on what they need to perform their duties. Limiting access to information makes it tougher for employees to steal data and decreases the number of people suspect to such theft. In addition, by limiting access, you also reduce the odds of being burned by honest human error as well.
In order to do this, you must know where your data is stored and who has access to it. For example, is all of your business data in digital form or are there paper files? If there are paper copies, who has access? Do they need it to perform their job? If it is all digital, do you have a server on the premises that all employees can access or it is limited? If your data is in the cloud, do all employees have access and how can you limit who can get to it? Also, ensure your organization has processes in place to revoke access to information quickly in the event someone changes roles or leaves.
Keep a record of common errors made by employees that put your company at risk. Address such errors swiftly with individuals and with others immediately by calling a special meeting of all staff or using internal email. Follow up on common errors during regularly scheduled cybersecurity awareness trainings with all employees.
Web app attacks were also up across the board in 2016 and have continued to be a threat over the last two years. The financial, entertainment, and information industries have been hit hard in addition to manufacturing businesses. Web attacks occur whenever a web application is used as a vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. Websites can be defaced and used to host malware, participate in distributed denial of service (DDoS) attacks, or can be repurposed as a phishing site.
Addressing Web App Attacks
Employ multifactor authentication for web apps. If you are securing a web-based app, think beyond just multifactor authentication since customers can be tracked with keylogging malware. Your IT department or service provider can help address such concerns.
Watch for valid inputs. Ensure that an image upload functions properly and isn’t really a web shell. Make sure your users can’t provide commands to the database through your customer name field.
Be aware of plugins. Monitoring OS and core applications is difficult enough but you must also scan for third-party plugins. Establish a process for CMS platforms and third-party plugins to make sure they are legitimate and safe.
Phishing & Malware
Phishing was a huge issue when it came to instigating hacks in 2016 and that has carried through to today. In 2016, more people fell victim to phishing schemes than ever before, opening the door to bad actors. Most did so unknowingly by clicking on a link or attachment in an email. In such cases, malware may also be introduced to a system with the potential to steal credentials leading to even more severe data loss.
Phishing was still a huge issue in both the 2017 and 2018 Verizon studies. Though many organizations thought they had the basics covered, they discovered that was not the case. In fact, one in 14 people were tricked into clicking on a malicious link or attachment in 2017 and in 2018, it was found that four percent of people will click on any given phishing campaign. When phishing worked in 2017, 95 percent of the time malware was then installed to capture and export data or took control of business systems.
To Click or Not to Click
Provide ongoing training for all employees so they are reminded of company security policies and teach them how to avoid an attack, spot the signs of an attack, and how to react if they suspect one has occurred or has been attempted. Continuous training of employees to stop them from clicking on malicious links and attachments will improve your overall digital security as they are your first line of defense.
One of the new trends that picked up speed in 2017 was urgent messages from “the CEO” or other top executives. Many businesses saw an uptick in fraudulent messages sent to unsuspecting employees from bad actors posing as the company CEO, human resources department, etc., demanding immediate action such as ordering a wire transfer of company funds. These messages were sent on copied corporate letterhead with a believable back story that left employees with access to funds hustling to complete orders without questioning the message for fear of losing their jobs.
Covering Your Business
Make sure every employee, particularly those in finance and those with access to proprietary data, understands that no request for payment will ever be made through an unauthorized process. Also, ask your IT personnel to mark external emails with an unmistakable stamp. This will help employees see which emails are coming from external sources versus internal ones at a glance.
Other Quick Takeaways
“Older vulnerabilities are still heavily targeted; a methodical patch approach that emphasizes consistency and coverage is more important than expedient patching,” according to the 2016 Verizon report. In other words, have a regular schedule in place for making patches rather than racing around responding to the latest patches being issued. You’re better served by regularly and consistently addressing patches in the software your company utilizes.
Don’t forget to cover your physical security. All data theft doesn’t happen in the digital world. For example, employ surveillance cameras and entry systems for restricted areas. Keep proprietary data and sensitive information in restricted areas with limited access in locked cabinets behind locked doors. These steps can help avoid criminals tampering with systems or stealing sensitive material that has been printed.
Physical security is also a problem when it comes to protecting data since laptops, tablets, phones, USBs, and paper documents are all targets. According to the 2016 report, physical theft occurs most frequently, 39 percent of the time, at the victim’s own work area. Nearly 40 percent of physical thefts were from the personal vehicle of an employee. Laptops were the most common target but documents lead to data loss the most since it is easy to read and requires no hacking. Remind employees not to leave things out on their desks, especially overnight when cleaning crews or others may be in the building. Also, make it a policy that company assets are not left in personal vehicles.
Encrypt It to Protect It
When it comes to mobile devices and removable media, ensure that full disk encryption is applied. This should become standard to the build of every device before you hand it over to your employees. You can also encrypt sensitive data in order to render it useless to a thief in the event it is stolen. Teach employees how to encrypt emails before sending them to further protect valuable data.
Improved Security with Data Classification
You need to make every effort to protect your paper and digital data. Start by making an attempt to run your business as paperless as possible. Not only will this make your company more environmentally friendly and save it money, but there will be less valuable data floating around in paper form.
Consider paper documents that are both at rest and in motion. Paper at rest are paper documents stored in filing cabinets, sitting on desks, or taking up space in the recycle bin. Paper in motion are printed documents being mailed, carried around, or transported in some manner.
Establish data classifications and make it a policy violation with potential consequences to print and transport sensitive data. To begin classifying documents, you must first consider what is sensitive and who should have access to it. Next, consider how paper documents are being transported and how they are saved and stored. Also take into consideration how paper data is destroyed at the end of its life cycle.
Data classifications should be outlined for both paper and digital data. From digital information stored in the cloud to paper documents, the same care and attention should be given to both. Every bit of data has a life cycle to it. Consider how your company cleans house to destroy paper and electronic data at the end of contracts as well as marking documents for destruction at the end of their life cycle. Your business should have a process in place so that at the end of a project or contract, all raw data from the client ranging from drawings and proprietary data to financial documents is properly destroyed within the legal timeline outlined in the contract and/or by government regulations.
When it comes time to dispose of an asset such as a computer, tablet, or phone, ensure there are procedures in place for wiping them clean of data BEFORE they are trashed, recycled, or resold. You can ask your IT department to institute a rigorous process for wiping and checking all assets for data before their disposal.
When it comes to paper documents, ensure all are properly shredded prior to disposal. You can even hire a company to come shred and dispose of paper data that has outlived its use. Scheduling regular “cleaning” of paper files will help ensure proper disposal.
Should you have more questions about threats to the manufacturing industry or how to protect your business against them, please contact Dox online or contact me, Ken Michael, at (585) 295-1932 or visit us online. Thank you for your time and stay safe online.