Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

5/1/2018
08:05 AM
Steve Durbin
Steve Durbin
News Analysis-Security Now
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cybercriminals Increasingly Targeting 'Crown Jewels' Both Inside & Out

Protecting the 'crown jewels' of an enterprise and organization is always a top priority. However, cybercriminals are now trying to steal this privileged data from both inside, as well as outside, businesses of all kinds.

For centuries, organizations have been acquiring, producing, leasing, licensing and selling assets. Accounted for in financial statements, these assets represent an organization's wealth and financial stability.

This also makes them vulnerable to theft and fraud.

As a priority, organizations should focus on those assets that are of the highest value and risk -- commonly referred to by business leaders as the "crown jewels."

Assets such as property, plant and equipment are tangible whereas information is an intangible asset. There are two types of intangible assets:

  • Legal -- such as trade secrets, copyrights and customer lists
  • Competitive -- such as company culture, collaboration activities and customer relationships

Both types are essential drivers of competitive advantage and shareholder value today. It's common to view the value or importance of information by using a simple classification chart.

However, mission-critical information assets represent only the very tip of the highest layer. Information of high business value or impact could still register as "high" or "critical" but not necessarily be designated as mission-critical.

Traditional risk assessment approaches would not identify this information separately, so mission-critical information assets typically require a different approach to identification.

Information Security Forum (ISF) research has uncovered two main factors that typically influence whether or not an information asset is classed as a crown jewel. The first is its value to the organization. The second is its potential impact if the asset is compromised.

At the ISF, we refer to information assets with a high value and business impact rating as "mission-critical information assets." Examples of mission-critical information assets include details of:

  • information that supports overall business operations, including board papers, M&A or upcoming redundancy plans
  • material relating to possible and planned future products and services, such as formulas for new drugs, engineering specifications or upcoming exploration locations
  • information relating to promoting and selling an organization's products and services that can include non-competition agreements, competitive analysis or an upcoming marketing campaign

When identifying mission-critical information assets, organizations should consider whether:

  • the information asset contributes to, or supports, business value, which include business revenue, competitive advantage, operational effectiveness, as well as legal, regulatory or contractual compliance
  • the business could be impacted in the event of the confidentiality, integrity or availability of the information asset being compromised, considering any financial, operational, legal/ regulatory compliance, reputational, or health and safety implications

Insiders pressured into giving up crown jewels
Privileged insiders, or individuals with access to an organization's crown jewels, are some of the most dangerous people within an organization. They are often a diverse and unconnected group within the organization, extending beyond senior business managers, and by proxy, their personal assistants.

Those with access to the crown jewels can also include people in the roles of systems administrator, infrastructure architect and network support engineer, as well as specific external contractors.

In the coming years, new attacks will impact both business reputation and shareholder value, and cyber risk exists in every aspect of the enterprise. Even in the cybercrime era, the age-old threat of violence still spreads fear. To achieve greater gains, well-funded criminal groups will combine their substantial global reach and digital expertise with intimidation or savagery to threaten privileged insiders into giving up mission-critical information assets such as financial details, intellectual property (IP) and strategic plans.

An organization that loses any of their crown jewels to attackers will be impacted by heavy financial losses and brand damage when planned products are copied and released earlier by competitors. Targeted organizations that cannot guarantee the safety of their highly skilled privileged insiders may find recruitment and retention increasingly difficult.

Cybercriminals' inspiration
The growing value of information, combined with the ability of organized criminal groups to profit from its theft, has led to a dramatic rise in cybercrime rates. (See Cybercrime: More Like Facebook's Model Than Traditional Criminal Enterprise.)

An approach frequently employed by cybercriminals to steal information is to exploit privileged credentials. In the past, by recruiting even more people with the skills to steal credentials, organized criminal groups have realized a marked improvement in profits from cybercrime.

Nevertheless, there is another way to gain access to such credentials: directly from the people themselves, each of whom becomes a physical target.

The tactic of targeting specific individuals has already been successful in other lucrative areas of criminal activity.

Individuals to target can be identified through sources such as LinkedIn or Facebook. Coercion can then take place in either a virtual or physical environment. For example, a technique of "sextortion" can be adapted to blackmail insiders into handing over an organization's crown jewels.

In extreme cases, criminals may also resort to violence, or the threat of violence against a privileged insider, including holding the family captive until the crown jewels have been compromised, a tactic which has been used successfully during armed robberies.

Criminal gangs will see merit in coercing privileged insiders into providing direct access to an organization's systems as they will be able to:

  • significantly reduce the level of cyber expertise they require: replacing that expertise with "muscle"
  • continue to enjoy access to one or more individuals who have already "assisted" the gangs and can easily be persuaded to do so again
  • simplify the process of stealing mission-critical information assets by operating at "arm's length"

Moving forward, merciless criminal groups, rogue competitors and nation-states will directly target mission-critical information assets. If compromised, the loss of this data can cripple an organization.

Consequently, an organization should take steps to identify and record these assets. The individuals with access to, or responsibility for, the management and protection of these assets should also be identified on that record.

At the same time, procedures can be put in place for individuals to report any coercion or threat, and arrangements made for anyone affected to receive appropriate protection.

Be prepared
As dangers accelerate, organizations must fully commit to disciplined and practical approaches to managing the major changes ahead. Employees at every level of the organization will need to be involved, including board members and managers in non-technical roles.

Here are a few recommendations to consider:

  • Identify the organization's mission-critical information assets, and the individuals who own and access them
  • Invest in special measures to protect individuals with privileged access, including instruction in physical security precautions, as well as exposure to social engineering methods
  • Implement mechanisms to protect the organization against the insider threat, which includes screening prospective employees and embedding appropriate clauses in employment contracts
  • Adopt a "trust-but-verify" approach to privileged insiders

Related posts:

Steve Durbin is managing director of the Information Security Forum. His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. He is a frequent speaker and commentator on technology and security issues. Previously, he was a senior vice president at Gartner.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...