Nissan Hack A Harsh Reminder About Protecting Data Stores From Spies

News of corporate espionage attacks against Nissan offers security practitioners a reminder of the real reason they bring home a paycheck

Nissan's disclosure this week of a malware attack in which attackers stole employee user-account credentials was a chilling reminder of the reality of industrial espionage.

While it may be easy to get caught up in toeing the compliance line and focusing solely on the protection of personally identifiable information (PII), at the end of the day security professionals need to remember that protecting business-critical intellectual property (IP) should be their No. 1 concern, security pundits warn.

"Will I say that every company is at risk? No, not every company. If you’re already open-source or don't possess IP of great value, then there’s not a huge monetary [or] intellectual gain in ripping you off," says Ken Pickering, development manager of security intelligence for Core Security. "But time and time again, we've seen evidence that foreign powers and corporations are finding it's easier to steal information than develop it."

Nissan said in a statement that it believes its "systems are secure and that no customer, employee or program data has been compromised." As of yet it is unclear what the attackers were targeting with the theft of credentials, but it's believed that they likely were seeking information on Nissan's electric vehicle drivetrain.

In many cases, enterprises don't prioritize defense against cyberespionage attacks because they don't view them as a real threat, experts say. That's partially because such attacks are rarely reported in the news and remain hidden from the view of decision makers at yet-to-be-hit companies.

"I believe that corporate espionage is a massive threat, but it's something that we really don't hear about because it's typically theft of intellectual property, for which there is no real motivation for a company to disclose," says Josh Shaul, CTO of Application Security, Inc. "And a lot of this corporate espionage is nation-states that are stealing from corporations and bringing that info back to their government. So a lot of it ends up getting dumped into the secret files that the bureaus of our U.S. government need to investigate. So they're not allowed to talk about that."

The initial breach targeting usernames and passwords for more in-depth attacks against IP should be enough to make security pros reach for their pencils to start taking notes, says Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark Software. He believes Nissan's woes follow a cookie-cutter script for similar attacks.

"Hackers gain access to administrative and privileged accounts -- once inside, they leverage the privileged account, or elevate privileges associated with the account, to gain access to additional servers, databases, and other high-value systems only a select few people are actually granted permission to access. The result, as demonstrated over the past few weeks, is easy access to millions of sensitive records. Or, in the case of Nissan, it's secret sauce," Bosnian says.

Organizations across all industries need to realize that privileged accounts and passwords are the top target for hackers, he adds. "Controlling these access points needs to be a priority for companies like Nissan and others that put protecting their intellectual property against internal and external threats at the top of their priority list," Bosnian says.

Though Andrew Jaquith, CTO for Perimeter E-Security, agrees that privileged access control may be one important component to staving off corporate spies committed to sniffing out the organization's most valuable IP, he warns that it takes a host of measures to effectively lay out protections. His belief is that organizations need to follow what he calls a three-by-three formulation for security.

"You really need to be good at three sets of things: technology, or stuff you can buy; competencies, or IT skills to develop; and traits, or behaviors you need to be encouraging among your employees," Jaquith says. "You need a little bit of all of those things. It's basically stuff, skills and attitudes."

Within each of those three categories, he believes there are three top priorities that can achieve the most effective results. Within technology, the top three types to invest in first are tools that let you zone access to data and segment the network; tools such as IDS and IPS that track known attack signatures and flag suspicious traffic; and Web security filtering technologies.

Within competencies, he names the ability to compartmentalize information on a need-to-know basis, the ability to spot anomalies and aberrations in network traffic and act on those, and the ability to streamline and automate incident response as the most important. And within traits, he names security awareness, phishing resistance, and an attitude of responsible custodianship of data as critical to instill within corporate culture.

Though it may not quite fit within the perfect matrix laid out by Jaquith, both Shaul and Pickering believe there is one other critical ingredient to staving off attacks by corporate spies: Organizations today need to think like a hacker.

"Thinking 'like a hacker' is a serious skill. It requires patience, diligence, and technical aptitude," he says. "Some companies think generic IT staff can handle complex security scenarios, and I'm just not sure that's the case anymore. These people are different ... Skilled hackers need a wide knowledge base on a pretty Swiss army knife array of technologies to penetrate a modern enterprise, and do so without being detected by modern IDS, DLP, [and other] systems."

Organizations also need to remember where the most critical information resides, Shaul says. He says that it depends on the organization, but on the whole it would be safe to say that in spite of plenty of unstructured IP floating around the IT infrastructure, a good two-thirds of it still lives in the database. Whether it is a software company that uses a source control tool to store source code in a database or a manufacturer that depends on CAD tools, which store designs in the database, organizations store more than just Social Security numbers and addresses in databases.

Shaul says he encourages companies that have already bought database activity monitoring tools to satisfy compliance demands on PII protections to "use what they've already paid for" and extend those measures to databases containing critical IP -- though the results of that pitch, he adds, are still mixed.

In the end, beyond the technical details, Shaul says it comes down to applying common sense to risk assessment.

"The first step for everybody is to think, 'If I would steal from my company, what would I want to steal?'" he says. "And then start to protect that. So throw out all the notions of regulations and customer info and everything and just take that few moments to think about what's really the most valuable thing for a thief to take from my business."

5/22/2012 | 4:55:30 PM
re: Nissan Hack A Harsh Reminder About Protecting Data Stores From Spies
This is a really well researched and crafted article. Nice work Ericka. It is informative and thought provoking.

thanks again.
