Most corporations are woefully unprepared to counter attempts at corporate espionage, say experts who perform vulnerability assessments designed to uncover security weaknesses that can leak valuable data.

In the US alone, corporations lose as much as $300bn a year to hacking, cracking, physical security breaches and other criminal activity, according to Ira Winkler, author of Spies among us and president of the Internet Security Advisors Group, which performs espionage simulations and provides other services.

Although espionage is usually associated with high-tech approaches involving wireless security breaches and zombified PCs, low-tech tactics such as walking into a building are common, says Johnny Long, a security researcher at Computer Sciences Corp and author of No-Tech Hacking.

"To me, computers are irrelevant," Winkler says. "It's about what data do I want, what form does it take, and how can I steal it?"

Any company can be a target, says Peter Wood, chief of operations at First Base Technologie, a consultancy that performs ethical hacking services. Spies are interested in anything from financial data to intellectual property and customer data. They might steal information for blackmail purposes, but "the most common motive for physical intrusion is industrial espionage", he says.

Here are several of the most common ploys and the countermeasures you can put into place to spot, and possibly even stop the work of a spy.

Tailgating

One of the most disturbingly successful ways for outsiders to infiltrate an organisation is also the least high-tech: following an authorised employee through the front door.

"In 90 percent of the companies I've worked with, it's so simple to get in, it's pathetic," Winkler says. To blend in, the spy might hold a cup of coffee or a sandwich, dress in a suit minus the jacket or even wear a counterfeit badge.

Antismoking regulations have also made it simple to sneak into buildings through the back door, where smokers tend to huddle, Wood adds. And Long claims to have walked right through delivery or loading dock doors.

Once they're inside, spies have lots of ways to access sensitive information. They can pose as IT support personnel, photocopying papers they find on unattended desks or at printers. Or they can just walk into an empty meeting room, plug in a laptop and pull data off the network. In that scenario, a convincing ploy is for spies to work in pairs, with one posing as a consultant and the other as an employee, says Wood, who has used that tactic.

If someone enters the room, Wood says he apologises for the 'double-booking' and moves on. "It's just a matter of having the right attitude and being confident," he says.

NEXT PAGE: Posing as an employee and other tricks spies use

  1. Spies are everywhere
  2. Posing as an employee and other tricks spies use
  3. Using web applications to spy on businesses
  4. Why you need to be wary of insider theft
  5. How to stop phishing scams

Corporate espionage is a bigger concern than most of us think. In the US, as much as £150bn a year is lost to hacking, cracking, physical security breaches and other criminal activity. Here's our round-up of steps you can take to make sure its much harder for spies to do any damage.

How to stop spies: According to Winkler, you can't just establish policies; you must also enforce the rules that prohibit security guards, receptionists and other workers from letting people into the building if they can't prove that they're employees.

Companies also need to set clear procedures for reporting suspicious people. No one wants a vigilante culture, "but if you see someone acting unusually, you should make note of what that person is doing", Winkler says.

Posing as an employee

Spies often pretend to be IT support personnel because it enables them to look legitimate while sitting at users' PCs. The tactic involves either looking for vacated offices or blatantly asking employees to leave their desks so the spy can, say, update the antivirus software. In other cases, spies have posed as cleaning staffers, gaining after-hours access.

Winkler says he was once hired to expose a company's security vulnerabilities but was asked to avoid accessing the CEO's system. However, as he was leaving the executive suite, an assistant asked him, "Why didn't you update Mr So-and-So's computer?"

"There I was, sitting at the CEO's desk at a Fortune 50 company," he says. "I tried to avoid seeing anything sensitive, but I had to pretend I was doing something."

How to stop spies: Employee awareness goes a long way.

"Most organisations don't even remotely invest in staff awareness," Winkler says.

"Most people seem to assume if you're in the building, you must be okay, and that's a presumption that criminals rely on. You need to have standards for what is and isn't appropriate and then reinforce that with a mind-set of challenging people who don't adhere to those parameters."

A second line of defence is to use protective tools such as screensavers with password controls, and to encrypt data and require strong passwords for employees with liberal access rights, such as IT administrators and C-level executives.

"Most networks are poorly protected," Wood says. "We see trivial, stupid passwords in every firm we visit. Often, the password is the same as the account name."

Finally, classify information in terms of how valuable it is and store it accordingly, says Wood. Even by applying encryption and password controls to just the accounts of IT administrators and senior staff members, companies could solve 70 percent of the problem, he says.

"It would make [accessing information] so much more difficult that it would be a major accomplishment," says Wood.

NEXT PAGE: Using web applications to spy on businesses

  1. Spies are everywhere
  2. Posing as an employee and other tricks spies use
  3. Using web applications to spy on businesses
  4. Why you need to be wary of insider theft
  5. How to stop phishing scams

Corporate espionage is a bigger concern than most of us think. In the US alone, as much as £150bn a year is lost to hacking, cracking, physical security breaches and other criminal activity. Here's our round-up of steps you can take to make sure its much harder for spies to do any damage.

Posing as a visitor

Another way of infiltrating a corporation is by posing as a legitimate visitor, such as a telephone or electrical maintenance person, a burglar-alarm inspector or someone from the Fire Brigade checking smoke detectors.

Wood says he creates convincing costumes by purchasing a fluorescent jacket and work boots and downloading iron-on logos from the internet. "The whole thing can cost £5" he says, which goes to show how useless physical credentials such as business cards are today.

Items he has found while walking around buildings posing as a visitor include customer account details, payroll data discs, a voicemail guide with default passwords, information about spending on advertising, bank statements, a staff directory and whiteboards covered with notes about corporate strategy.

How to stop spies: The identities of outsiders seeking access to the building must be verified with more than ID cards, Wood says.

An employee should ask a visitor to identify his employer, and then the employee should verify the information on the web and follow up with a phonecall to the company to ensure that the visitor is legitimate.

"It's tedious but necessary," Wood says.

Persistence pays. Once, when Winkler was posing as a person from the companies oversees head office who needed a tour of a facility, he was interrupted by a manager who asked why he was being shown around. Winkler gave him a phone number.

"It was 2am in the US, so by the time he could reach anyone, I was out of the area," he says.

Web applications

Of course, not all spies take the low-tech approach; an increasing number are taking advantage of known insecurities in web applications, according to a SANS Institute report on the Top 20 internet security risks of 2007. The report names vulnerable web applications as the top new risk, enabling websites to be poisoned, data stolen and computers connected to the website compromised. In 2008, the report says, web application attacks will grow substantially.

How to stop spies: Web-canning tools can help find application vulnerabilities, especially when combined with source code review tools and application penetration tests. The SANS Institute also recommends inspecting the web application framework's configuration and hardening it appropriately.

"No one should be engaged to write web applications unless they can pass the GSSP Secure Software Programming exam that covers the essential security skills and knowledge that developers need to produce more secure applications," the report concludes.

  1. Spies are everywhere
  2. Posing as an employee and other tricks spies use
  3. Using web applications to spy on businesses
  4. Why you need to be wary of insider theft
  5. How to stop phishing scams

Corporate espionage is a bigger concern than most of us think. In the US alone, as much as £150bn a year is lost to hacking, cracking, physical security breaches and other criminal activity. Here's our round-up of steps you can take to make sure its much harder for spies to do any damage.

Insider theft

An efficient way for spies to work is to pay inside employees to steal information. Often, there's nothing high-tech about the maneuvre, Winkler says; employees simply use their existing access rights to download greater volumes of data than they ordinarily should.

How to stop spies: Use a combination of access control and proactive auditing, Winkler says. For instance, if customer service representatives generally access 30 records a day, he says, and suddenly a couple of people are accessing 100 a day, that's a red flag.

So is an employee who suddenly begins accessing data from home, adds Ken van Wyck, a principal consultant at US firm KRvW Associates LLC. "You're looking for drastic changes in behaviour," he says, which can be detected through statistical anomaly detection programs.

It's also important to use the access control capabilities of the operating system, van Wyck adds. "People don't take the time to configure these very well," he says. "Many employees can access more than they need to do their job."

Another counter-measure is to disable the USB ports through the system's password-protected BIOS or use centralised tools that restrict the use of ports and external devices, according to the SANS Institute report, making it more difficult for wannabe spies to easily export the data.

Keystroke loggers

Spies that get inside buildings can do other damage, such as implementing keystroke loggers. Some of these devices email the keystrokes of anyone using the computer to a predefined email address, while others store keystrokes in flash memory.

Many are nearly impossible to detect, such as those that attach directly to the keyboard connector. Wood knows one case where spies pretending to be office cleaners nearly stole £1.5m from a UK bank using this technique.

How to stop spies: Physical inspection of the computer is the only way to detect a keystroke logger, Wood says. Because of the impracticality of doing that, one company that Wood knows of now glues all its keyboards into the system unit.

Phishing

As defined by Wikipedia, phishing is a form of social engineering in which spies use a collection of techniques to manipulate people into releasing information (such as passwords) or performing actions that compromise confidential data, such as clicking on a link that enables someone else to remotely control a machine. In fact, the SANS Institute identifies phishing as one of the biggest internet security risks.

For example, a spy might call the help desk from a pay-as-you-go mobile phone, claim to be working at home and request that a new username and password be sent as a text message to his phone.

And some spies employ what the SANS Institute calls 'spear phishing', in which they send individual employees highly targeted email messages that include specific information designed to make the messages look genuine. For instance, a request for usernames and passwords might appear to be from the head of human resources.

NEXT PAGE: Tips to stop phishing scams

  1. Spies are everywhere
  2. Posing as an employee and other tricks spies use
  3. Using web applications to spy on businesses
  4. Why you need to be wary of insider theft
  5. How to stop phishing scams

Corporate espionage is a bigger concern than most of us think. In the US alone, as much as £150bn a year is lost to hacking, cracking, physical security breaches and other criminal activity. Here's our round-up of steps you can take to make sure its much harder for spies to do any damage.

Tips to stop phishing scams

How to stop spies: Wood suggests training staffers to be cautious and giving them tips on how to detect social engineering. For instance, he says, they should withhold information when callers act rushed, drop names, use intimidation, ask odd questions or request forbidden information. There should also be clear policies as to how to report an incident and to whom.

The SANS Institute says it's important to continually raise employee awareness of these techniques, perhaps through drills that involve mock phishing attempts. Companies should also avoid exposing too much information on public websites, including logos and employee email addresses.

  1. Spies are everywhere
  2. Posing as an employee and other tricks spies use
  3. Using web applications to spy on businesses
  4. Why you need to be wary of insider theft
  5. How to stop phishing scams