June 28, 2015
Corporate espionage is on the rise. For those unfamiliar with the term – also commonly referred to as industrial or economic espionage – corporate espionage is when one corporate entity or government hacks into the systems of another corporate entity to steal its data. The first conviction for economic espionage in the U.S. happened only recently. Last year a Taiwanese national who worked for Boeing and later Rockwell Corporation was convicted of stealing trade secrets from the aerospace giants. Acting on behalf of the People’s Republic of China, not Taiwan, Dongfan “Greg” Chung exfiltrated thousands of technical documents from Rockwell and Boeing to aid in China’s quest to build an earth-orbiting space shuttle.
Also making headlines is the report that the FBI was investigating the St. Louis Cardinals organization on allegations that they hacked into the Houston Astros’ internal network for information. Based on the evidence released thus far, the nature of the hack was not particularly sophisticated. However, it was similar to one commonly seen in cybercriminal networks. The Cardinals got hold of the passwords that Jeff Luhnow, now the Astros’ General Manager, had used during his time as an employee at the St. Louis Cardinals, and then they attempted to use those same passwords on the Astros’ systems.
While it is technically illegal for the St. Louis Cardinals to hack opposing teams’ systems, the onus is partly on the Houston Astros here. When they adopted a computerized system for managing scouting, player development, and other front office functions to mimic the St. Louis Cardinals’ computer system that Luhnow left behind, they should have required Luhnow to use new passwords. Beyond failing to enforce new passwords, it sounds like the organization was allowing users to access the corporate network from networks that weren’t protected. For all we know, the Cardinals aren’t the only organization to see the Astros’ data. Hopefully other organizations learn from the mistakes of the Astros. If you are going to move your system to the Internet, you also should adopt Internet security practices to protect yourselves.
The problems with the Astros in this scenario remind me of the problems with just about every organization. Your own users, even you, are the greatest threat to your system. The only way to prevent attacks like this one is for the organization to play a bit of offense to assess its own defenses. Two-factor authentication would have helped here. There are a lot of great services for two-factor, but Duo Security is my favorite. Of course I’m going to argue that network perimeter defenses like Numa protecting home networks would have been very effective against brute-force login attempts. Any audit in which the Astros tried to penetrate their own systems would probably have shown that it was possible, but we need to wait for more information.
If you’re in a competitive space with lots of intellectual property, plenty of card-paying customers, or sensitive information, you may have already been hacked. Your competitors here and abroad are coming for you and your computers. Be sure you have built adequate defenses to keep unauthorized guests out. To keep intruders out, take these three steps immediately:
- Enforce rigorous password requirements like no repeat passwords and the use of special characters.
- Add two-factor authentication to any critical systems.
- Require users to access corporate systems on protected networks only.
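Here is one way the first step could be enforced when a user sets a new password. This is an added example, not code from any organization or product mentioned in this article; the minimum length, history depth, PBKDF2 work factor, and all function names are assumptions.

```python
import hashlib
import hmac
import os
import string

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch
HISTORY_DEPTH = 5        # assumed number of previous passwords remembered
MIN_LENGTH = 12          # assumed minimum length


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Re-hash the candidate with the stored salt; compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(password, history):
    """Return the list of policy violations (empty list means accepted).

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if any(matches(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append("reuses a previous password")
    return problems


def rotate(password, history):
    """Accept a new password, or raise ValueError listing why it was refused."""
    problems = check_new_password(password, history)
    if problems:
        raise ValueError("; ".join(problems))
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]  # keep only the most recent entries
```

A history check like this only sees passwords used on the same system. It cannot tell that a user brought a password over from a previous employer, which is why the second step, two-factor authentication, still matters.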
Last year the Citadel malware was discovered by Trusteer. Citadel’s intended use was to capture the master password of password management apps. Here’s a warning: if you’re going to use these services, be sure to use a master password that you don’t use anywhere else.
The key takeaway from the Astros is that passwords are one of the greatest attack vectors against organizations because they are often human-generated, thereby lacking creativity and complexity. Password management is a great way around that because many password managers will generate complex passwords for you. LastPass is great for password management. Even they were hacked recently, but no one got access to their system of encrypted “User Vaults” containing usernames and passwords. We are never short on reminders that no system is impenetrable and that we should avoid repeat passwords.
Image Credit: Flickr/Lionel Martinez