Digital Espionage and
Business Intelligence
THE COUNTER MOVE IMPERATIVE
By – Roopak K Prajapat
Contents
Introduction
A Peek into Time
Business Intelligence: A Perfect Target
Risk Assessment Approach
  Scope
  Risk Identification
    1. Vulnerability Scan
    2. Interview Application Teams
    3. Interview Customers
    4. Consult Security Expert
  Risk Categorization
    1. Data Risks
    2. Process Risks
    3. Infrastructure Risks
  Risk Prioritization
Common BI Risks
Conclusion
References
Introduction
With the recent spate of digital security incidents involving Sony and Heartbleed, there is a new-found focus on digital security.
However, one particular aspect, digital espionage, is often treated with a tongue-in-cheek attitude. At the other end there is also a great
focus on analytics and business intelligence in corporate IT departments. This means that these departments churn the most
important data of the organization and convert it into easily understandable wisdom. This analyzed wisdom is the sum of all
knowledge and experience that an organization generates over its lifespan, which also increases the overall risk and the security
measures required for a BI environment. In this paper I have tried to identify the common security threats to BI platforms
and their data. This paper also tries to highlight a process that should be implemented on a periodic basis to safeguard this nectar
of business knowledge.
A Peek into Time
Information espionage and sabotage have been around for a long time, officially starting in 1878, just two years after the
telephone was invented by Alexander Graham Bell. A group of teenage boys hired to run the switchboards were kicked off
of a telephone system in New York. The reason? The boys were more interested in knowing how the phone system worked
than in making proper connections and directing calls to the correct place. In essence, they were trying to "hack" the system
to see how it worked.[1]
Since then the techniques and tools have only improved to "hack and plunder" information from organizations, much to the
discomfort of its protectors. While sabotage is usually easy to detect, as it disrupts normal services, it is also comparatively
easy to recover from by putting better controls in place. Digital espionage is a much more difficult event, even to realize its
occurrence, as it tends to be planned well, for the long term, and is specially designed to be untraceable. In fact digital espionage
has a well-established market with price tags on its products.
Figure 1 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
When it comes to data theft from an organization, its losses increase manifold if the total cost of collecting,
sorting and storing this information is also included, not to forget the cost of reduction in brand value and trust, besides
legal, legislative and other related costs.
[1] http://www.dynamicchiropractic.com/mpacms/dc/article.php?id=18078

As per a study done by Ponemon Institute LLC sponsored by Symantec in May 2013:

The most and least expensive breaches. German and US companies had the most costly data breaches ($199 and $188 per
record, respectively). These countries also experienced the highest total cost (US at $5.4 million and Germany at $4.8
million). The least costly breaches occurred in Brazil and India ($58 and $42, respectively). In Brazil total cost was $1.3 million
and in India it was $1.1 million.

Size of data breaches. On average, Australian and US companies had data breaches that resulted in the greatest number of
exposed or compromised records (34,249 and 28,765 records, respectively). On average, Italian and Japanese companies
had the smallest number of breached records (18,285 and 18,237 records, respectively).

Figure 2: The average total organizational cost of data breach. Source: https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Business Intelligence: A Perfect Target
Digital espionage is not so much heard of, given the fact that in 2014 only 10.2% of cyber-attacks were motivated by
espionage. My personal opinion is that it could be more, because it is very hard to prove its occurrence, which leads to
less reporting. However, its presence is well acknowledged.

Figure 3: Source: http://hackmageddon.com/category/security/cyber-attacks-statistics/

Before moving further let's take a look at the definition of digital espionage.

Digital espionage is a form of hacking that is conducted for commercial or political reasons. Foreign cyber spies steal secret
information for political purposes or to engineer new technologies that they do not have the knowledge to produce on their
own. Digital espionage is also conducted for the purposes of stealing trade secrets so as to obtain a more competitive edge
or to develop and then launch a product at the same time as its original manufacturer. Digital espionage is a direct threat to
national security worldwide as well as to enterprise.[2]

[2] http://www.techopedia.com/definition/27159/digital-espionage

What comes across clearly from the above definition is that the major motive behind digital espionage is to steal information.
If there is one place where the most important and aggregated organizational data is available, it is the data warehouse.
It is the ultimate treasure trove; hence securing the data warehouse becomes a very critical imperative, and most
organizations take this very seriously. Also, the fact that data warehouses usually have a single instance within an
organization and are never accessed directly except by a few chosen ones makes them a formidable and easily detectable target.

The next best place to retrieve this information is through the tools that connect to the data warehouse, extracting its juice.
That is where business intelligence tools become the perfect target for digital espionage. Why so? Because BI tools by their
purpose tend to access the most important, critical, aggregated and summarized information. Also, because BI is
a complex process involving multiple tiers, it is an ideal spot to plant a cut-out agent. A weak or not-so-well-thought-out
BI solution may expose its vulnerabilities.
Vulnerability to cyber-attack exposes companies to material and intangible losses. There is also the matter of corporate
governance: at times corporate boards are held to account by shareholders for cyber-related losses.
Now that enough has been said about digital espionage, the responsibility to introduce deterrent controls falls on the
decision makers, owners and teams that manage BI tools. Besides installing security apparatus, another important thing that
works as a real-time check on the vulnerability profile is a security threat/risk assessment. The following sections of this paper
deal with how to go about assessing risks to a BI environment.
Risk Assessment Approach
As with any major initiative, planning pays many dividends. A clear approach in terms of what, how and when should be
dealt with first.
Scope
Define a clear scope. For the purpose of this paper we scope it to security and legal risks.
Risk Identification
At this stage, define what risk is. It may be a security risk, a legal risk or a business continuity risk. In this paper we will talk about
security and legal risks. Risk identification for a BI environment (this applies to any application) should be done in four steps.
1. Vulnerability Scan
Have your environment scanned by vulnerability management tools such as QualysGuard, McAfee MVM, nCircle,
Rapid7 etc. These tools will give a very good idea of existing general security threats identified from across the world.
Include following infrastructure in your scan:
a) Data Sources
b) Metadata Repositories
c) Network
d) Application
e) Web Servers
f) Application Servers
g) Operating Systems
h) ETL etc…
The results from this scan will give you a good view of threat status and priorities. However, these tools cannot provide
any results from a process or functionality point of view. The results at this stage only represent the situation "as
is" and not "as it could be".
2. Interview Application Teams
Speak to your application teams. Include system administrators, analysts, developers, managers and other stakeholders
who support and develop the application and keep it running. They can and will provide valuable insight into the
application and its grey areas. Ask them what processes, tools, and external/internal factors could compromise the
application's security. They will provide a very exhaustive internal view of the application's workings and nuances.
Ask them about security threats originating from application functionalities and capabilities.
3. Interview Customers
Interviewing customers will expose you to the threat perception of end users. As BI is all about business, a reasonable
space should be given to customers. Sometimes customers give inputs which were completely ignored or not even seen
by either party. Specifically ask for legal and business risks.
4. Consult Security Expert
Now that you have consolidated the information from the previous three steps, take it to your available security expert and
discuss the details with him/her. Some threats are more profound and on a larger scale than others. Security experts can help put
a perspective and remediation plan in place for them.
Note: Ensure that you treat the vulnerability/threat information as confidential and share it
only on a need-to-know basis. Knowledge of a vulnerability is a vulnerability in itself.
Risk Categorization
Categorize risk assessment results in following buckets.
1. Data Risks
All vulnerabilities that may expose data to an unauthorized person should be put in this bucket. You might want to deal
with these risks in association with the data owners/stewards. Example: row-level security.
2. Process Risks
Any vulnerability that may arise due to a periodic process should be put in this bucket. It will enable you to assign process
owners who would ensure these risks are covered well. Example: patch management.
3. Infrastructure Risks
Vulnerabilities that arise due to infrastructure such as servers, network etc. These risks can be covered by support
staff.
Risk Prioritization
First things first. Identify which vulnerabilities are most impactful and how likely they are to happen. For each vulnerability
identified from the above steps, add two columns next to it:
a) Impact
b) Likelihood
Both factors should be assigned a value of High, Medium or Low. Any vulnerability that has a High in either of these
columns should be your priority.
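The categorization and prioritization steps above, as a small risk-register helper. This is an added example, not code from the paper; the findings in it are constructed, and the CSV column names are an assumption.

```python
"""Risk register helper for the categorization and prioritization steps above.

Added example, not code from the paper. Each finding from the scan and the
interviews carries a bucket (Data, Process or Infrastructure), an Impact and a
Likelihood rated High, Medium or Low; a High in either column makes it a priority.
"""
import csv
import io

RATING_ORDER = {"High": 3, "Medium": 2, "Low": 1}
BUCKETS = {"Data", "Process", "Infrastructure"}

# Constructed sample findings, in the shape the four identification steps produce.
SAMPLE_CSV = """\
finding,source,bucket,impact,likelihood
Row level security not enforced on HR dashboard,Interview: app team,Data,High,Medium
Web server missing vendor patch,Vulnerability scan,Process,Medium,High
Prod and non-prod on same network segment,Interview: app team,Infrastructure,Medium,Medium
Report subscriptions have no cap per user,Interview: customers,Process,Low,Medium
Service account password shared in wiki,Security expert,Data,High,High
"""


def load_findings(text):
    """Parse the CSV register, rejecting any rating or bucket outside the scheme."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["bucket"] not in BUCKETS:
            raise ValueError(f"unknown bucket {row['bucket']!r} in {row['finding']!r}")
        for col in ("impact", "likelihood"):
            if row[col] not in RATING_ORDER:
                raise ValueError(f"bad {col} {row[col]!r} in {row['finding']!r}")
        findings.append(row)
    return findings


def is_priority(finding):
    """The paper's rule: a High in either column makes the finding a priority."""
    return "High" in (finding["impact"], finding["likelihood"])


def prioritize(findings):
    """Return findings most urgent first.

    Priority findings come before the rest; within a tier higher impact wins,
    then higher likelihood, so High/High precedes High/Medium precedes Medium/High.
    """
    return sorted(
        findings,
        key=lambda f: (
            not is_priority(f),
            -RATING_ORDER[f["impact"]],
            -RATING_ORDER[f["likelihood"]],
        ),
    )


def by_bucket(findings):
    """Group finding titles per bucket so each list can go to its owner."""
    groups = {bucket: [] for bucket in sorted(BUCKETS)}
    for f in findings:
        groups[f["bucket"]].append(f["finding"])
    return groups


if __name__ == "__main__":
    for f in prioritize(load_findings(SAMPLE_CSV)):
        flag = "PRIORITY" if is_priority(f) else "        "
        print(f"{flag} {f['impact']:<6}/{f['likelihood']:<6} [{f['bucket']}] {f['finding']}")
```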
Common BI Risks
Here are some of the common risks associated with BI platforms.
Host Intrusion
Description: Host intrusion is the incident in which hackers acquire control of the server system or application.
Remediation:
- Ensure network hardening is in place.
- Ensure server hardening is in place.
- Install host intrusion detection/prevention system software.
- Ensure antivirus systems are installed and up to date.

Network
Description: Network security consists of the provisions and policies adopted by a network administrator to prevent and
monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
Possible network attacks are:
- Passive: network wiretapping, port scanning, idle scan.
- Active: denial-of-service attack, spoofing, man in the middle, ARP poisoning, Smurf attack, buffer overflow, heap overflow,
  format string attack, SQL injection, cyber-attack.
Remediation:
- Keep infrastructure behind a firewall.
- Keep production and non-production environments in different network segments.
- Block all unnecessary services.

Audit
Description: A periodic audit is a must for a production BI environment to keep it risk free and healthy. An absence of audit
is a risk in itself, as vulnerabilities may add up over time.
Remediation:
- Define a periodic audit process.
- Identify the audit process owner.
- Enable automated auditing solutions.
- Report audit results.

Topology
Description: At times different application tiers are hosted in the same network or on the same servers, or both. This
increases the total risk exposed by that particular network or server. All BI applications have multiple tiers. Ensure that
you are separating these tiers and hosting them on different servers.
Remediation:
- Ensure web servers, application servers, databases and other such components are hosted on different servers.
- If possible, place different tiers on separate network segments.

Regulatory Compliance
Description: Does the BI application store compliant/regulated content of any of the following nature?
- healthcare information (HIPAA/ePHI)
- credit card data (PCI DSS regulated cardholder data)
- personally identifiable information (PII, state data breach laws)
- export controlled information (EAR/ITAR regulated information)
- customer financial information (GLBA regulated customer account information)
- FDA/pharmaceutical regulated information (21 CFR part 11)
- other?
Remediation:
- Clearly identify BI use cases which possess regulatory data.
- Always ask data owners if the data falls under any regulatory compliance.
- Build the whole BI platform to compliance standards even if only one use case is regulation bound.

Classified Information
Description: Classified data could be:
- intellectual property
- human resources information
- customer information
- prospect information
- customer lists
- other sensitive secret information.
Remediation:
- Clearly identify BI use cases which possess classified data.
- Always ask data owners for data classification.
- Build the whole BI platform to compliance standards even if only one use case is regulation bound.
- Encrypt data in transit and at rest.

Separation of Duties
Description: It is the concept of having more than one person required to complete a task. Provide platform related
information and access only on a need-to-know basis.
Remediation:
- Ensure access is based on groups instead of individuals.
- Ensure an approval workflow for group access.
- Ensure support team, architects, developers and end users have access only to the required areas of the application.

Patch Management
Description: All major vendors release patches and updates periodically. A patch management process ensures that these
updates are tested and applied on time.
Remediation:
- Test updates and patches before applying.
- Follow a regular patching and cumulative update process.
- Test for security threats post patching.

Email/Subscription
Description: Almost all BI applications allow users to subscribe to reports and dashboards. This data can be delivered to
email, the file system or otherwise. If BI system security is compromised, hackers can also create an infinite number of
subscriptions that can overwhelm the servers and result in denial of service.
Remediation:
- Allow subscriptions only for logged in/approved users.
- Implement time-bound subscriptions.
- Regularly audit subscriptions.
- Remove inactive subscriptions.
- Cap the number of subscriptions per user.

Data Level Security
Description: BI reports and dashboards are accessed by a wide range of people. However, at times not all are authorized to
see all the data. An example would be row-level security at the data warehouse level.
Remediation:
- Implement migration/release validation checks to ensure the configuration of row-level security.
- Implement user delegation strategies.
- Regularly audit OLAP access.
- Return no data in case of delegation failure.

Caching
Description: Many BI applications cache data to decrease response time.
Remediation:
- Ensure no caching is done for row-level security data.
- Authenticate and check authorization before delivering cached data.
- Implement cache security.

Authorization
Description: Authorization is the process of giving permissions for a particular action.
Remediation:
- Assign access only to security roles and never to individuals.
- Periodically review access.
- Use user authorization instead of a service account whenever possible.

Branding (Legal risk)
Description: Most vendor solutions display their brand identity on their products. Easy identification of a product
increases risk because these products may have known vulnerabilities which can be easily leveraged by hackers.
Remediation:
- Ensure applications are not showing third party identifiable information.
- Implement customized report/dashboard templates to remove third party information.

Service (faceless) Accounts
Description: Many times platform engineers are forced to use service (faceless) accounts to access data, especially in the
case of externally facing applications where external users may not have an account in corporate directory services and
may use alternate methods for user delegation, such as query banding, instead of direct delegation. Knowledge of these
service accounts may jeopardize data security, as anyone with knowledge of a service account can directly access the
data sources.
Remediation:
- Maintain separate service accounts for production and non-production systems.
- Service account details should be shared only on a need-to-know basis, and accountability should be fixed.
- Use a credential repository to store service accounts.
- Change service account passwords periodically if possible.
- Ensure that service account credentials are hashed before storing them in applications.
- Secure hashing keys.

Web Application Firewalls
Description: A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP
conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By
customizing the rules to your application, many attacks can be identified and blocked.
Remediation:
- Ensure web application firewalls are in place for all web accessed BI applications.
- Never keep a production web application firewall in non-blocking mode.
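The Data Level Security, Caching and Service (faceless) Accounts risks above share one mechanism: the end user's identity must be delegated down to the data source and must also shape what the cache may serve. The following is an added example, not the paper's code; the service account name, the directory, the sales table and the delegation function are all hypothetical stand-ins for a BI tier that uses query banding.

```python
"""Row-level-security-aware report cache with fail-closed user delegation.

Added example, not the paper's code. It assumes a hypothetical BI tier that
reaches the warehouse through one service account and passes the end user's
identity down as a delegation context (the query banding the paper mentions);
the warehouse filters rows from that context, and the BI tier caches results.
"""
import time

# Constructed sample warehouse table; the region column drives row-level security.
SALES = [
    {"region": "EMEA", "amount": 120},
    {"region": "EMEA", "amount": 80},
    {"region": "APAC", "amount": 200},
    {"region": "AMER", "amount": 50},
]

# Constructed directory: known end users and the regions each may see.
USER_REGIONS = {
    "alice": {"EMEA"},
    "bob": {"APAC", "AMER"},
}

SERVICE_ACCOUNT = "svc_bi_prod"  # assumed production service account name


class DelegationError(Exception):
    """The end user's identity could not be bound to the session."""


def delegate(service_account, end_user):
    """Bind the end user to the service-account session and return their row scope.

    Fails closed: an unknown user gets no scope at all, never the service
    account's own (unrestricted) access.
    """
    if service_account != SERVICE_ACCOUNT:
        raise DelegationError("unexpected service account")
    if end_user not in USER_REGIONS:
        raise DelegationError(f"no directory entry for {end_user!r}")
    return frozenset(USER_REGIONS[end_user])


def query_sales(regions):
    """Warehouse-side row-level filter: only rows in the delegated regions return."""
    return [row for row in SALES if row["region"] in regions]


class ReportCache:
    """Cache keyed on (report, row scope), never on the report alone."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._store = {}
        self.hits = 0

    @staticmethod
    def _key(report_id, scope):
        # Two users with different row entitlements get different keys, so one
        # can never be served rows cached for the other.
        return report_id, tuple(sorted(scope))

    def get_or_run(self, report_id, scope, run, cacheable=True):
        """Return rows cached for exactly this scope, else run and store them."""
        if not cacheable:
            return run()  # reports flagged as RLS-sensitive bypass the cache entirely
        key = self._key(report_id, scope)
        entry = self._store.get(key)
        if entry and entry["expires"] > time.monotonic():
            self.hits += 1
            return entry["rows"]
        rows = run()
        self._store[key] = {"rows": rows, "expires": time.monotonic() + self.ttl}
        return rows


def run_report(cache, end_user, report_id="sales_by_region", cacheable=True):
    """Delegate first, then serve: authorization is re-derived on every call,
    including cache hits. A delegation failure returns no rows rather than
    falling back to the service account's view."""
    try:
        scope = delegate(SERVICE_ACCOUNT, end_user)
    except DelegationError:
        return []
    return cache.get_or_run(report_id, scope, lambda: query_sales(scope), cacheable)
```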
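The Email/Subscription controls above (approved users only, time-bound subscriptions, a per-user cap, and an audit that removes expired or inactive ones) as an added example; it is not the paper's code, and the limits, the approved-user set and the class names are assumptions.

```python
"""Subscription controls for report delivery.

Added example, not the paper's code: only approved users may subscribe, every
subscription is time-bound, each user has a cap, and an audit pass removes
expired or inactive subscriptions. Limits and names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_SUBSCRIPTIONS_PER_USER = 3         # assumed per-user cap
MAX_LIFETIME = timedelta(days=90)      # assumed longest allowed subscription
INACTIVITY_LIMIT = timedelta(days=30)  # assumed: no delivery for this long = inactive

# Constructed directory of users approved to hold subscriptions.
APPROVED_USERS = {"alice", "bob"}


class SubscriptionError(Exception):
    """A request violated subscription policy."""


@dataclass
class Subscription:
    owner: str
    report_id: str
    target: str                 # delivery target, e.g. a mailbox or file path
    created: datetime
    expires: datetime
    last_delivered: Optional[datetime] = None


class SubscriptionManager:
    def __init__(self):
        self._subs = []

    def count_for(self, user):
        return sum(1 for s in self._subs if s.owner == user)

    def subscribe(self, user, report_id, target, now, lifetime=MAX_LIFETIME):
        """Create a subscription, enforcing approval, lifetime and the per-user cap."""
        if user not in APPROVED_USERS:
            raise SubscriptionError(f"{user!r} is not an approved user")
        if lifetime > MAX_LIFETIME:
            raise SubscriptionError("requested lifetime exceeds policy")
        if self.count_for(user) >= MAX_SUBSCRIPTIONS_PER_USER:
            raise SubscriptionError(f"{user!r} has reached the subscription cap")
        sub = Subscription(user, report_id, target, now, now + lifetime)
        self._subs.append(sub)
        return sub

    def record_delivery(self, sub, when):
        sub.last_delivered = when

    def audit(self, now):
        """Drop expired and inactive subscriptions; return (owner, report, reason) rows."""
        kept, removed = [], []
        for s in self._subs:
            last_activity = s.last_delivered or s.created
            if s.expires <= now:
                removed.append((s.owner, s.report_id, "expired"))
            elif now - last_activity > INACTIVITY_LIMIT:
                removed.append((s.owner, s.report_id, "inactive"))
            else:
                kept.append(s)
        self._subs = kept
        return removed

    def active(self):
        return list(self._subs)
```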
Conclusion
Analytics and BI are the buzzwords in the industry, but a lot depends on how they are utilized. The end results of BI operations are
"intelligence" in themselves; this means that they need to be secured in letter and spirit.
This paper has tried to educate BI platform owners, engineers and decision makers on the significance of assessing
the risks to their platform and how to go about it. A clearly defined approach and pointed identification of security and
legal risks will save executives and platform owners from a lot of uncomfortable questions, situations and losses. This paper
has tried to identify a few of the prevalent security and legal risks in BI platforms; however, the technology stack has a reputation
for outdoing itself in sophistication and complexity. These risks need to be reviewed and updated time and again to keep
them relevant, not to mention keeping organizations healthy and functioning.
References
Digital Espionage. http://www.techopedia.com/definition/27159/digital-espionage
World's Biggest Data Breaches. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
2014 Cyber Attacks Statistics (Aggregated). http://hackmageddon.com/category/security/cyber-attacks-statistics/
A Brief History of Computer Hacking, by Michael Devitt. http://www.dynamicchiropractic.com/mpacms/dc/article.php?id=18078
Timeline of computer security hacker history. http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
2013 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC, May 2013. https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Common Web Application Vulnerabilities, by Susan Kennedy, CISA, CIW. http://www.isaca.org/Journal/Past-Issues/2005/Volume-4/Documents/jpdf0504-Common-Web-Application.pdf
Espionage and sabotage in the virtual world, by Adam Palin. http://www.ft.com/cms/s/2/0fc23a76-b70a-11e2-a249-00144feabdc0.html
Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis, by Stephen R. Band, Ph.D. (Counterintelligence Field Activity - Behavioral Science Directorate); Dawn M. Cappelli (CERT); Lynn F. Fischer, Ph.D. (DoD Personnel Security Research Center); Andrew P. Moore (CERT); Eric D. Shaw, Ph.D. (Consulting & Clinical Psychology, Ltd.); Randall F. Trzeciak (CERT). http://resources.sei.cmu.edu/asset_files/TechnicalReport/2006_005_001_14798.pdf
CIS Security Benchmarks. https://benchmarks.cisecurity.org/
Security Configuration Guides, by NSA (National Security Agency, USA). https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/

підсумки роботи за напрямком екол-натур робота -2009-2015
 
Full blast 2nd grade 1st term 2a
Full blast 2nd grade 1st term 2aFull blast 2nd grade 1st term 2a
Full blast 2nd grade 1st term 2a
 
Resume
ResumeResume
Resume
 
Adways Session 6.아직 식지 않은 일본 모바일 콘텐츠의 열기: 후발주자인 우리가 왜 일본에서 성공할 수 있었나?
Adways Session 6.아직 식지 않은 일본 모바일 콘텐츠의 열기: 후발주자인 우리가 왜 일본에서 성공할 수 있었나?Adways Session 6.아직 식지 않은 일본 모바일 콘텐츠의 열기: 후발주자인 우리가 왜 일본에서 성공할 수 있었나?
Adways Session 6.아직 식지 않은 일본 모바일 콘텐츠의 열기: 후발주자인 우리가 왜 일본에서 성공할 수 있었나?
 
Unisa 2010
Unisa 2010Unisa 2010
Unisa 2010
 
Los Ácidos nucleicos 1 - Material Genetico
Los Ácidos nucleicos 1 - Material GeneticoLos Ácidos nucleicos 1 - Material Genetico
Los Ácidos nucleicos 1 - Material Genetico
 

Similar to Digital Espionage and Business Intelligence

The digital economy and cybersecurity
The digital economy and cybersecurityThe digital economy and cybersecurity
The digital economy and cybersecurityMark Albala
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Graeme Cross
 
Cyber security basics for law firms
Cyber security basics for law firmsCyber security basics for law firms
Cyber security basics for law firmsRobert Westmacott
 
Potential Advantages Of An Insider Attack
Potential Advantages Of An Insider AttackPotential Advantages Of An Insider Attack
Potential Advantages Of An Insider AttackSusan Kennedy
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite  defining and understanding risk in the moder...White paper cyber risk appetite  defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityRahul Tyagi
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondLydia Shepherd
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023incmagazineseo
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
a-guide-to-ddos-2015-2
a-guide-to-ddos-2015-2a-guide-to-ddos-2015-2
a-guide-to-ddos-2015-2Mike Revell
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeNishantSisodiya
 
Data Security and Know-How Protection from PROSTEP
Data Security and Know-How Protection from PROSTEPData Security and Know-How Protection from PROSTEP
Data Security and Know-How Protection from PROSTEPJoseph Lopez, M.ISM
 
The #Darknet Index: #Black #Hat Edition
The #Darknet Index: #Black #Hat EditionThe #Darknet Index: #Black #Hat Edition
The #Darknet Index: #Black #Hat EditionGhader Ahmadi
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemBernard Marr
 

Similar to Digital Espionage and Business Intelligence (20)

The digital economy and cybersecurity
The digital economy and cybersecurityThe digital economy and cybersecurity
The digital economy and cybersecurity
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report
 
Cyber security basics for law firms
Cyber security basics for law firmsCyber security basics for law firms
Cyber security basics for law firms
 
Potential Advantages Of An Insider Attack
Potential Advantages Of An Insider AttackPotential Advantages Of An Insider Attack
Potential Advantages Of An Insider Attack
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite  defining and understanding risk in the moder...White paper cyber risk appetite  defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
Big Data Dectives
Big Data DectivesBig Data Dectives
Big Data Dectives
 
10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe Security
 
Digital Resilience flipbook
Digital Resilience flipbookDigital Resilience flipbook
Digital Resilience flipbook
 
Digital Resilience flipbook
Digital Resilience flipbookDigital Resilience flipbook
Digital Resilience flipbook
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respond
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
a-guide-to-ddos-2015-2
a-guide-to-ddos-2015-2a-guide-to-ddos-2015-2
a-guide-to-ddos-2015-2
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Data Security and Know-How Protection from PROSTEP
Data Security and Know-How Protection from PROSTEPData Security and Know-How Protection from PROSTEP
Data Security and Know-How Protection from PROSTEP
 
The #Darknet Index: #Black #Hat Edition
The #Darknet Index: #Black #Hat EditionThe #Darknet Index: #Black #Hat Edition
The #Darknet Index: #Black #Hat Edition
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 

Digital Espionage and Business Intelligence

THE COUNTER MOVE IMPERATIVE

By – Roopak K Prajapat

Contents

Introduction
A Peek into Time
Business Intelligence: A Perfect Target
Risk Assessment Approach
  Scope
  Risk Identification
    1. Vulnerability Scan
    2. Interview Application Teams
    3. Interview Customers
    4. Consult Security Expert
  Risk Categorization
    1. Data Risks
    2. Process Risks
    3. Infrastructure Risks
  Risk Prioritization
Common BI Risks
Conclusion
References

Introduction

With the recent spate of digital security incidents involving Sony and Heartbleed, there is a new-found focus on digital security. However, one particular aspect of it, digital espionage, is often treated with tongue in cheek. At the other end there is also a great focus on analytics and business intelligence in corporate IT departments. This means that these departments churn the most important data of the organization and convert it into easily understandable wisdom. This analyzed wisdom is the sum of all knowledge and experiences that an organization generates over its lifespan, which also increases the overall risk and the security measures required for a BI environment. In this paper I have tried to identify the common security threats to BI platforms and their data. This paper also tries to highlight a process which should be implemented on a periodic basis to safeguard this nectar of business knowledge.

A Peek into Time

Information espionage and sabotage have been around for a long time, officially starting in 1878, just two years after the telephone was invented by Alexander Graham Bell. A group of teenage boys hired to run the switchboards were kicked off of a telephone system in New York. The reason? The boys were more interested in knowing how the phone system worked than in making proper connections and directing calls to the correct place. In essence, they were trying to "hack" the system to see how it worked [1]. Since then the techniques and tools have only improved to "hack and plunder" information from organizations, much to the discomfort of its protectors.

While sabotage is usually easy to detect, as it disrupts normal services, it is comparatively easy to recover from by putting better controls in place. Digital espionage is a much more difficult event, even to realize that it has occurred, as it tends to be planned well, for the long term, and specially designed to be untraceable. In fact digital espionage has a well-established market with price tags on its products.

Figure 1: World's biggest data breaches. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

When it comes to data theft from an organization, the amount of its losses increases manifold if the total cost of collecting, sorting and storing this information is also included; not to forget the cost of reduction in brand value and trust, besides legal, legislative and other related costs.

As per a study done by Ponemon Institute LLC, sponsored by Symantec, in May 2013:

The most and least expensive breaches. German and US companies had the most costly data breaches ($199 and $188 per record, respectively). These countries also experienced the highest total cost (US at $5.4 million and Germany at $4.8 million). The least costly breaches occurred in Brazil and India ($58 and $42, respectively). In Brazil total cost was $1.3 million and in India it was $1.1 million.

Size of data breaches. On average, Australian and US companies had data breaches that resulted in the greatest number of exposed or compromised records (34,249 and 28,765 records, respectively). On average, Italian and Japanese companies had the smallest number of breached records (18,285 and 18,237 records, respectively).

[1] http://www.dynamicchiropractic.com/mpacms/dc/article.php?id=18078
Figure 2: The average total organizational cost of data breach. Source: https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf

Business Intelligence: A Perfect Target

Digital espionage is not heard of so much, given the fact that in 2014 only 10.2% of cyber-attacks were motivated by espionage. My personal opinion is that it could be more, because it is very hard to prove its occurrence, which leads to less reporting. However, its presence is well acknowledged. Before moving further, let us take a look at the definition of digital espionage:

Digital espionage is a form of hacking that is conducted for commercial or political reasons. Foreign cyber spies steal secret information for political purposes or to engineer new technologies that they do not have the knowledge to produce on their own. Digital espionage is also conducted for the purposes of stealing trade secrets so as to obtain a more competitive edge or to develop and then launch a product at the same time as its original manufacturer. Digital espionage is a direct threat to national security worldwide as well as to enterprise. [2]

What comes across clearly from the above definition is that the major motive behind digital espionage is to steal information. If there is one place where the most important and aggregated organizational data is available, it is the data warehouse. It is the ultimate treasure trove; hence securing the data warehouse becomes a very critical imperative, and most organizations take this very seriously. Also, the fact that data warehouses usually have a single instance within an organization and are never accessed directly except by a few chosen ones makes them a formidable and easily detectable target. The next best place to retrieve this information is through the tools that connect to the data warehouse, extracting its juice. That is where business intelligence tools become the perfect target for digital espionage.

Why so? Because BI tools, by their purpose, tend to access the most important, critical, aggregated and summarized information. Also, because BI is a complex process involving multiple tiers, it is an ideal spot to plant a cut-out agent. A weak or not-so-well-thought-out BI solution may expose its vulnerabilities. Vulnerability to cyber-attack exposes companies to material and intangible losses. There is also the matter of corporate governance: at times corporate boards are held to account by shareholders for cyber-related losses.

[2] http://www.techopedia.com/definition/27159/digital-espionage

Figure 3: 2014 cyber attacks statistics (aggregated). Source: http://hackmageddon.com/category/security/cyber-attacks-statistics/

Now that enough has been said about digital espionage, the responsibility to introduce deterrent controls falls on the decision makers, owners and teams that manage BI tools. Besides installing security apparatus, another important thing that works as a real-time check on a platform's vulnerability profile is a security threat/risk assessment. The following sections of this paper deal with how to go about assessing risks to a BI environment.

Risk Assessment Approach

As with any major initiative, planning pays many dividends. A clear approach in terms of what, how and when should be dealt with first.

Scope

Define a clear scope. For the purpose of this paper we scope it to security and legal risks.

Risk Identification

At this stage, define what risk is. It may be a security risk, legal risk or business continuity risk. In this paper we will talk about security and legal risks. Identifying risks to a BI environment (this applies to any application) should be done in four steps.

1. Vulnerability Scan

Have your environment scanned by vulnerability management tools such as QualysGuard, McAfee MVM, nCircle, Rapid7 etc. These tools will give a very good idea of existing general security threats identified from across the world. Include the following infrastructure in your scan:

a) Data Sources
b) Metadata Repositories
c) Network
d) Application
e) Web Servers
f) Application Servers
g) Operating Systems
h) ETL etc.

The results from this scan will give you a good view of threat status and priorities. However, these tools cannot provide any results from a process or functionality point of view. The results at this stage only represent the situation "as is" and not "could be".

2. Interview Application Teams

Speak to your application teams. Include system administrators, analysts, developers, managers and other stakeholders who support and develop the application and keep it running. They can and will provide valuable insight into the application and its grey areas. Ask them what processes, tools, and external/internal factors could compromise the application's security. They will provide a very exhaustive internal view of the application's working and nuances. Ask them about security threats originating from application functionalities and capabilities.

3. Interview Customers

Interviewing customers will expose you to the threat perception of end users. As BI is all about business, a reasonable space should be given to customers. Sometimes customers give inputs which were completely ignored or not even seen by either party. Specifically ask for legal and business risks.
4. Consult Security Expert

Now that you have consolidated information from the previous three steps, take it to your available security expert and discuss the details with him/her. Some threats are more profound and on a larger scale than others. Security experts can help put them in perspective and put a remediation plan in place for them.

Note: Ensure that you treat the vulnerability/threat information as confidential and share it only on a need-to-know basis. Knowledge of a vulnerability is a vulnerability in itself.

Risk Categorization

Categorize risk assessment results into the following buckets.

1. Data Risks

All vulnerabilities that may expose data to an unauthorized person should be put in this bucket. You might want to deal with these risks in association with data owners/stewards. Example: row level security.

2. Process Risks

Any vulnerability that may arise due to a periodic process should be put in this bucket. It will enable you to assign process owners who would ensure these risks are covered well. Example: patch management.

3. Infrastructure Risks

Vulnerabilities that arise due to infrastructure such as servers, network etc. These risks can be covered by support staff.

Risk Prioritization

First things first. Identify which vulnerabilities are most impactful and how likely they are to happen. For each vulnerability identified from the above steps, add two columns:

a) Impact
b) Likelihood

Both factors should be assigned values of High, Medium or Low. Any vulnerability that has a High in either of these columns should be your priority.

Common BI Risks

Here are some of the common risks associated with BI platforms. Each entry lists the risk, its description and the remediation.

Risk: Host Intrusion
Description: Host intrusion is the incident when hackers acquire control of the server system or application.
Remediation:
- Ensure network hardening is in place.
- Ensure server hardening is in place.
- Install host intrusion detection/prevention system software.
- Ensure antivirus systems are installed and up to date.

Risk: Network
Description: Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Possible network attacks are:
Passive:
- Network wiretapping
- Port scanner
- Idle scan
Active:
- Denial-of-service attack
- Spoofing
- Man in the middle
- ARP poisoning
- Smurf attack
- Buffer overflow
- Heap overflow
- Format string attack
- SQL injection
- Cyber-attack
Remediation:
- Keep infrastructure behind a firewall.
- Keep production and non-production environments in different network segments.
- Block all unnecessary services.

Risk: Audit
Description: A periodic audit is a must for a production BI environment to keep it risk free and healthy. An absence of audit is a risk in itself, as vulnerabilities may add up over time.
Remediation:
- Define a periodic audit process.
- Identify the audit process owner.
- Enable automated auditing solutions.
- Report audit results.

Risk: Topology
Description: At times different application tiers are hosted in the same network or servers or both. This increases the total risk exposed by that particular network or server. All BI applications have multiple tiers. Ensure that you are separating these tiers and hosting them on different servers.
Remediation:
- Ensure web servers, application servers, databases and other such components are hosted on different servers.
- If possible, host different tiers on separate network segments.

Risk: Regulatory Compliance
Description: Does the BI application store compliant/regulated content of any of the following nature?
- Healthcare information (HIPAA/ePHI)
- Credit card data (PCI DSS regulated cardholder data)
- Personally identifiable information (PII, state data breach laws)
- Export controlled information (EAR/ITAR regulated information)
- Customer financial information (GLBA regulated customer account information)
- FDA/pharmaceutical regulated information (21 CFR part 11)
- Other?
Remediation:
- Clearly identify BI use cases which possess regulatory data.
- Always ask data owners if the data falls under any regulatory compliance.
- Build the whole BI platform to compliance standards even if only one use case is regulation bound.

Risk: Classified Information
Description: Classified data could be:
- Intellectual property
- Human resources information
- Customer information
- Prospect information
- Customer lists
- Other sensitive secret information
Remediation:
- Clearly identify BI use cases which possess classified data.
- Always ask data owners for data classification.
- Build the whole BI platform to compliance standards even if only one use case is regulation bound.
- Encrypt data in transit and at rest.
Risk: Separation of Duties
Description: It is the concept of requiring more than one person to complete a task. Provide platform related information and access only on a need-to-know basis.
Remediation:
- Ensure access is based on groups instead of individuals.
- Ensure an approval workflow for group access.
- Ensure support team, architects, developers and end users have access only to the required areas of the application.

Risk: Patch Management
Description: All major vendors release patches and updates periodically. A patch management process ensures that these updates are tested and applied on time.
Remediation:
- Test updates and patches before applying.
- Follow a regular patching and cumulative update process.
- Test for security threats post patching.

Risk: Email/Subscription
Description: Almost all BI applications allow users to subscribe to reports and dashboards. This data can be delivered to email, the file system or otherwise. If BI system security is compromised, hackers can also create an unbounded number of subscriptions that can overwhelm the servers and result in denial of service.
Remediation:
- Allow subscriptions only for logged in/approved users.
- Implement time bound subscriptions.
- Regularly audit subscriptions.
- Remove inactive subscriptions.
- Cap the number of subscriptions per user.

Risk: Data level security
Description: BI reports and dashboards are accessed by a wide range of people. However, at times not all are authorized to see all the data. An example would be row level security at the data warehouse level.
Remediation:
- Implement migration/release validation checks to ensure the configuration for row level security.
- Implement user delegation strategies.
- Regularly audit OLAP access.
- Return no data in case of delegation failure.

Risk: Caching
Description: Many BI applications cache data to decrease response time.
Remediation:
- Ensure no caching is done for row-level security data.
- Authenticate and check authorization before delivering cached data.
- Implement cache security.

Risk: Authorization
Description: Authorization is the process of giving permissions for a particular action.
Remediation:
- Assign access only to security roles and never to individuals.
- Periodically review access.
- Use user authorization instead of a service account whenever possible.

Risk: Branding (Legal risk)
Description: Most vendor solutions display their brand identity on their products. Easy identification of the product increases risk because these products may have known vulnerabilities which can be easily leveraged by hackers.
Remediation:
- Ensure applications are not showing third party identifiable information.
- Implement customized report/dashboard templates to remove third party information.
Risk: Service (faceless) Accounts
Description: Many times platform engineers are forced to use service (faceless) accounts to access data, especially in the case of externally facing applications where external users may not have an account in corporate directory services and may use alternate methods for user delegation, such as query banding instead of direct delegation. Knowledge of these service accounts may jeopardize data security, as anyone with knowledge of a service account can directly access the data sources.
Remediation:
- Maintain separate service accounts for production and non-production systems.
- Share service account details only on a need-to-know basis and fix accountability.
- Use a credential repository to store service accounts.
- Change service account passwords periodically if possible.
- Ensure that service account credentials are hashed before storing them in applications.
- Secure hashing keys.

Risk: Web Application Firewalls
Description: A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.
Remediation:
- Ensure web application firewalls are in place for all web accessed BI applications.
- Never keep a production web application firewall in non-blocking mode.

Conclusion

Analytics and BI are the buzz words in the industry, but a lot depends on how they are utilized. The end results of BI operations are "intelligence" in themselves; it means that they need to be secured in letter and spirit. This paper has tried to educate BI platform owners, engineers and decision makers on the significance of assessing the risks to their platform and how to go about it. A clearly defined approach and pointed identification of security and legal risks will save executives and platform owners from a lot of uncomfortable questions, situations and losses.
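As an added worked example (my own illustration, not code from the paper or from any BI vendor), the following Python sketch applies three rows of the risk table above, Data level security, Caching and Email/Subscription, to a toy report service: user delegation fails closed so a delegation failure returns no data, row-level secured data is filtered per user and never cached, a cached aggregate is served only after the caller's authorization has been checked, and subscriptions are refused for anonymous users, are time bound, and are capped per user. The report names, users, entitlements, warehouse rows, the fixed clock and the cap of three are all constructed assumptions.

```python
"""Added example, not from the paper: a toy BI report service applying the
Data level security, Caching and Email/Subscription remediations from the
risk table. Report names, users, entitlements and rows are all constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed warehouse content. "sales" rows carry a region, so the report is
# row-level secured; "kpi" is an aggregate report with no per-row restriction.
WAREHOUSE = {
    "sales": [
        {"region": "EMEA", "customer": "Acme", "revenue": 120_000},
        {"region": "EMEA", "customer": "Globex", "revenue": 80_000},
        {"region": "APAC", "customer": "Initech", "revenue": 50_000},
        {"region": "AMER", "customer": "Umbrella", "revenue": 200_000},
    ],
    "kpi": [{"metric": "headcount", "value": 1200},
            {"metric": "attrition_pct", "value": 7.5}],
}
ROW_LEVEL_SECURED = {"sales"}  # never cached (Caching row, first remediation)

# Constructed entitlement directory: reports and regions each end user may see.
ENTITLEMENTS = {
    "alice": {"reports": {"sales", "kpi"}, "regions": {"EMEA"}},
    "bob": {"reports": {"sales"}, "regions": {"APAC", "AMER"}},
}

MAX_SUBSCRIPTIONS_PER_USER = 3              # per-user cap (Email/Subscription row)
SUBSCRIPTION_LIFETIME = timedelta(days=90)  # time-bound subscriptions
TODAY = date(2024, 1, 1)                    # fixed clock so the example is reproducible


def days_after(n: int) -> date:
    return TODAY + timedelta(days=n)


def delegated_user(session: dict) -> Optional[str]:
    """Resolve the end user on whose behalf the service account is acting.
    Missing or unknown delegation fails closed by returning None."""
    user = session.get("delegated_user")
    return user if user in ENTITLEMENTS else None


@dataclass
class ReportService:
    cache: dict = field(default_factory=dict)          # report name -> rows (aggregates only)
    subscriptions: dict = field(default_factory=dict)  # user -> [(report, expiry), ...]
    cache_hits: int = 0

    def run_report(self, session: dict, report: str) -> list:
        user = delegated_user(session)
        if user is None:
            return []  # delegation failure: no data, not the service account's full view
        ent = ENTITLEMENTS[user]
        if report not in ent["reports"]:
            return []  # authorization is checked before any cached result is considered
        if report in ROW_LEVEL_SECURED:
            # Row-level filtered data is computed per user and never cached.
            return [r for r in WAREHOUSE[report] if r["region"] in ent["regions"]]
        if report not in self.cache:
            self.cache[report] = list(WAREHOUSE[report])
        else:
            self.cache_hits += 1
        return self.cache[report]

    def subscribe(self, session: dict, report: str, today: date) -> bool:
        """Create a time-bound subscription; anonymous, unentitled and over-cap users are refused."""
        user = delegated_user(session)
        if user is None or report not in ENTITLEMENTS[user]["reports"]:
            return False
        self.purge_expired(today)
        active = self.subscriptions.setdefault(user, [])
        if len(active) >= MAX_SUBSCRIPTIONS_PER_USER:
            return False
        active.append((report, today + SUBSCRIPTION_LIFETIME))
        return True

    def purge_expired(self, today: date) -> int:
        """Drop expired subscriptions (the periodic audit); returns the number removed."""
        removed = 0
        for user, subs in self.subscriptions.items():
            keep = [s for s in subs if s[1] > today]
            removed += len(subs) - len(keep)
            self.subscriptions[user] = keep
        return removed
```

The design point worth copying is the order of checks in run_report: delegation first, then the report entitlement, and only then the cache lookup, so a cached aggregate populated by one user can never be served to another user who lacks the entitlement, and a session with no resolvable end user gets an empty result rather than whatever the service account itself could read.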
This paper has tried to identify a few of the prevalent security and legal risks in BI platforms; however, the technology stack has a reputation for outdoing itself in sophistication and complexity. These risks need to be reviewed and updated time and again to keep them relevant, not to mention to keep organizations healthy and functioning.

References

Digital Espionage. http://www.techopedia.com/definition/27159/digital-espionage
World's Biggest Data Breaches. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
2014 Cyber Attacks Statistics (Aggregated). http://hackmageddon.com/category/security/cyber-attacks-statistics/
A Brief History of Computer Hacking, by Michael Devitt. http://www.dynamicchiropractic.com/mpacms/dc/article.php?id=18078
Timeline of computer security hacker history. http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
2013 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC, May 2013. https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Common Web Application Vulnerabilities, by Susan Kennedy, CISA, CIW. http://www.isaca.org/Journal/Past-Issues/2005/Volume-4/Documents/jpdf0504-Common-Web-Application.pdf
Espionage and sabotage in the virtual world, by Adam Palin. http://www.ft.com/cms/s/2/0fc23a76-b70a-11e2-a249-00144feabdc0.html
Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis, by Stephen R. Band, Ph.D. (Counterintelligence Field Activity - Behavioral Science Directorate); Dawn M. Cappelli (CERT); Lynn F. Fischer, Ph.D. (DoD Personnel Security Research Center); Andrew P. Moore (CERT); Eric D. Shaw, Ph.D. (Consulting & Clinical Psychology, Ltd.); Randall F. Trzeciak (CERT). http://resources.sei.cmu.edu/asset_files/TechnicalReport/2006_005_001_14798.pdf
CIS Security Benchmarks. https://benchmarks.cisecurity.org/
Security Configuration Guides, by NSA (National Security Agency, USA). https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/