Digital Espionage and Business Intelligence
THE COUNTER MOVE IMPERATIVE
By Roopak K Prajapat
Contents
Introduction
A Peek into Time
Business Intelligence: A Perfect Target
Risk Assessment Approach
    Scope
    Risk Identification
        1. Vulnerability Scan
        2. Interview Application Teams
        3. Interview Customers
        4. Consult Security Expert
    Risk Categorization
        1. Data Risks
        2. Process Risks
        3. Infrastructure Risks
    Risk Prioritization
Common BI Risks
Conclusion
References
Introduction
With the recent spate of digital security incidents involving Sony and Heartbleed, there is a newfound focus on digital security.
However, one particular aspect of digital espionage is often not taken seriously. At the other end, there is also a great
focus on analytics and business intelligence in corporate IT departments. This means that these departments churn the most
important data for the organization and convert it into easily understandable wisdom. This analyzed wisdom is the sum of all
knowledge and experiences that an organization generates over its lifespan, which also increases the overall risk and the security
measures required for a BI environment. In this paper I've tried to identify the common security threats to BI platforms
and their data. This paper also tries to highlight a process which should be implemented on a periodic basis to safeguard this
nectar of business knowledge.
A Peek into Time
Information espionage and sabotage have been around for a long time, officially starting in 1878, just two years after the
telephone was invented by Alexander Graham Bell. A group of teenage boys hired to run the switchboards were kicked off
of a telephone system in New York. The reason? The boys were more interested in knowing how the phone system worked
than in making proper connections and directing calls to the correct place. In essence, they were trying to "hack" the system
to see how it worked.[1]
Since then the techniques and tools used to “hack and plunder” information from organizations have only improved, much to the
discomfort of its protectors. While sabotage is usually easy to detect because it disrupts normal services, it is also comparatively
easy to recover from by putting better controls in place. Digital espionage is a much more difficult event even to recognize,
as it tends to be well planned, long term and specially designed to be untraceable. In fact, digital espionage
has a well-established market with price tags on its products.
Figure 1 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
When it comes to data theft from an organization, the losses increase manifold if the total cost of collecting,
sorting and storing this information is also included, not to forget the cost of reduction in brand value and trust, besides
legal, legislative and other related costs.
[1] http://www.dynamicchiropractic.com/mpacms/dc/article.php?id=18078.
As per a study done by Ponemon Institute LLC, sponsored by Symantec, in May 2013:
The most and least expensive breaches. German and US companies had the most costly data breaches ($199 and $188 per
record, respectively). These countries also experienced the highest total cost (US at $5.4 million and Germany at $4.8
million). The least costly breaches occurred in Brazil and India ($58 and $42, respectively). In Brazil total cost was $1.3 million
and in India it was $1.1 million.
Size of data breaches. On average, Australian and US companies had data breaches that resulted in the greatest number of
exposed or compromised records (34,249 and 28,765 records, respectively). On average, Italian and Japanese companies
had the smallest number of breached records (18,285 and 18,237 records, respectively).
The average total organizational cost of data breach
Figure 2 https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Business Intelligence: A Perfect Target
Digital espionage is not heard of much, given the fact that in 2014 only 10.2% of cyber-attacks were motivated by espionage.
My personal opinion is that it could be more, because it’s very hard to prove its occurrence, which leads to lesser reporting.
However, its presence is well acknowledged.
Before moving further, let’s take a look at the definition of digital espionage.
Digital espionage is a form of hacking that is conducted for commercial or political reasons. Foreign cyber spies steal secret
information for political purposes or to engineer new technologies that they do not have the knowledge to produce on their
own. Digital espionage is also conducted for the purposes of stealing trade secrets so as to obtain a more competitive edge
or to develop and then launch a product at the same time as its original manufacturer. Digital espionage is a direct threat to
national security worldwide as well as to enterprise.[2]
What comes across clearly from the above definition is that the major motive behind digital espionage is to steal information.
If there is one place where the most important and aggregated organizational data is available, it is the data warehouse.
It is the ultimate treasure trove; hence securing the data warehouse becomes a critical imperative, and most
organizations take this very seriously. Also, the fact that a data warehouse usually has a single instance within an
organization and is never accessed directly except by a chosen few makes it a formidable target on which an attack is easily detected.
The next best place to retrieve this information is through the tools that connect to the data warehouse, extracting its juice.
That is where business intelligence tools become the perfect target for digital espionage. Why so? Because BI tools, by their
purpose, tend to access the most important, critical, aggregated and summarized information. Isn’t it so? Also, because BI is
a complex process involving multiple tiers, it is an ideal spot to plant a CUT-OUT agent. A weak or not-so-well-thought-out
BI solution may expose its vulnerabilities.
[2] http://www.techopedia.com/definition/27159/digital-espionage
Figure 3 http://hackmageddon.com/category/security/cyber-attacks-statistics/
Vulnerability to cyber-attack exposes companies to material and intangible losses. There is also the matter of corporate
governance: at times corporate boards are held to account by shareholders for cyber-related losses.
Now that enough has been said about digital espionage, the responsibility to introduce deterrent controls falls on the
decision makers, owners and teams that manage BI tools. Besides installing security apparatus, another important thing that
works as a real-time check on the vulnerability profile is a security threat/risk assessment. The following sections of this paper
deal with how to go about assessing risks to a BI environment.
Risk Assessment Approach
As with any major initiative, planning pays many dividends. A clear approach in terms of what, how and when should be
dealt with first.
Scope
Define a clear scope. For the purpose of this paper we scope it to security and legal risks.
Risk Identification
At this stage, define what a risk is. It may be a security risk, legal risk or business continuity risk. In this paper we will talk about
security and legal risks. Identification of risks to a BI environment (this applies to any application) should be done in four steps.
1. Vulnerability Scan
Have your environment scanned by vulnerability management tools such as QualysGuard, McAfee MVM, nCircle,
Rapid7, etc. These tools will give a very good idea of existing general security threats identified from across the world.
Include the following infrastructure in your scan:
a) Data Sources
b) Metadata Repositories
c) Network
d) Application
e) Web Servers
f) Application Servers
g) Operating Systems
h) ETL, etc.
The results from this scan will give you a good view of threat status and priorities. However, these tools cannot provide
any results from either a process or a functionality point of view. The results at this stage only represent the situation “as
is” and not “could be”.
2. Interview Application Teams
Speak to your application teams. Include system administrators, analysts, developers, managers and other stakeholders
who support and develop the application and keep it running. They can and will provide valuable insight into the
application and its grey areas. Ask them what processes, tools, and external/internal factors could compromise
the application’s security. They will provide a very exhaustive internal view of the application’s workings and nuances.
Ask them about security threats originating from application functionalities and capabilities.
3. Interview Customers
Interviewing customers will expose you to the threat perception of end users. As BI is all about business, reasonable
space should be given to customers. Sometimes customers give inputs which were completely ignored or not even seen
by either party. Specifically ask for legal and business risks.
4. Consult Security Expert
Now that you have consolidated information from the previous three steps, take it to your available security expert. Discuss
the details with him/her. Some threats are more profound and on a larger scale than others. Security experts can help put
a perspective and remediation plan in place for them.
Note: Ensure that you treat the vulnerability/threat information as confidential and share
it only on a need-to-know basis. Knowledge of a vulnerability is a vulnerability in itself.
Risk Categorization
Categorize risk assessment results in the following buckets.
1. Data Risks
All vulnerabilities that may expose data to an unauthorized person should be put in this bucket. You might want to deal
with these risks in association with data owners/stewards. Example: row-level security.
2. Process Risks
Any vulnerability that may arise due to a periodic process should be put in this bucket. It will enable you to assign process
owners who would ensure these risks are covered well. Example: patch management.
3. Infrastructure Risks
Vulnerabilities that arise due to infrastructure such as servers, network, etc. should be put in this bucket. These risks
can be covered by support staff.
Risk Prioritization
First things first. Identify which vulnerabilities are most impactful and how likely they are to happen. For each vulnerability
identified in the above steps, put two columns against it.
a) Impact
b) Likelihood
Both of the above factors should be assigned values of High, Medium or Low. Any vulnerability that has a High in either of these
columns should be your priority.
Common BI Risks
Here are some of the common risks associated with BI platforms.
Each risk below is listed with its description and remediation.

Risk: Host Intrusion
Description: Host intrusion is the incident in which hackers acquire control of the server system or application.
Remediation:
a) Ensure network hardening is in place.
b) Ensure server hardening is in place.
c) Install host detection/prevention system software.
d) Ensure antivirus systems are installed and up to date.

Risk: Network
Description: Network security consists of the provisions and policies adopted by a network administrator to prevent and
monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
Possible network attacks are:
Passive: Network wiretapping, Port scanner, Idle scan
Active: Denial-of-service attack, Spoofing, Man in the middle, ARP poisoning, Smurf attack, Buffer overflow, Heap overflow,
Format string attack, SQL injection, Cyber-attack
Remediation:
a) Keep infrastructure behind a firewall.
b) Keep production and non-production environments in different network segments.
c) Block all unnecessary services.

Risk: Audit
Description: A periodic audit is a must for a production BI environment to keep it risk free and healthy. An absence of
audit is a risk in itself, as vulnerabilities may add up over time.
Remediation:
a) Define a periodic audit process.
b) Identify the audit process owner.
c) Enable automated auditing solutions.
d) Report audit results.

Risk: Topology
Description: At times different application tiers are hosted in the same network or servers or both. This increases the
total risk exposed by that particular network or server. All BI applications have multiple tiers. Ensure that you are
separating these tiers and hosting them on different servers.
Remediation:
a) Ensure web servers, application servers, databases and other such components are hosted on different servers.
b) If possible, host different tiers on separate network segments.

Risk: Regulatory Compliance
Description: Does the BI application store compliant/regulated content of any of the following nature: healthcare
information (HIPAA/ePHI); credit card data (PCI DSS regulated cardholder data); personally identifiable information (PII,
state data breach laws); export controlled information (EAR/ITAR regulated information); customer financial information
(GLBA regulated customer account information); FDA/pharmaceutical regulated information (21 CFR part 11); other?
Remediation:
a) Clearly identify BI use cases which possess regulatory data.
b) Always ask data owners if the data falls under any regulatory compliance.
c) Build the whole BI platform to compliance standards even if only one use case is regulation bound.

Risk: Classified Information
Description: Classified data could be: intellectual property; human resources information; customer information;
prospect information; customer lists; other sensitive secret information.
Remediation:
a) Clearly identify BI use cases which possess classified data.
b) Always ask data owners for data classification.
c) Build the whole BI platform to compliance standards even if only one use case is regulation bound.
d) Encrypt data during transit and at rest.

Risk: Separation of Duties
Description: It is the concept of having more than one person required to complete a task. Provide platform-related
information and access only on a need-to-know basis.
Remediation:
a) Ensure access is based on groups instead of individuals.
b) Ensure an approval workflow for group access.
c) Ensure the support team, architects, developers and end users have access only to the required areas of the application.

Risk: Patch Management
Description: All major vendors release patches and updates periodically. A patch management process ensures that these
updates are tested and applied on time.
Remediation:
a) Test updates and patches before applying.
b) Follow a regular patching and cumulative update process.
c) Test for security threats post patching.

Risk: Email/Subscription
Description: Almost all BI applications allow users to subscribe to reports and dashboards. This data can be delivered to
emails, the file system or otherwise. If BI system security is compromised, hackers can also create an infinite number of
subscriptions that can overwhelm the servers and result in denial of service.
Remediation:
a) Allow subscriptions only for logged-in/approved users.
b) Implement time-bound subscriptions.
c) Regularly audit subscriptions.
d) Remove inactive subscriptions.
e) Cap the number of subscriptions per user.

Risk: Data level security
Description: BI reports and dashboards are accessed by a wide range of people. However, at times not all are authorized to
see all the data. An example would be row-level security at the data warehouse level.
Remediation:
a) Implement migration/release validation checks to ensure configuration for row-level security.
b) Implement user delegation strategies.
c) Regularly audit OLAP access.
d) Return no data in case of delegation failure.

Risk: Caching
Description: Many BI applications cache data to decrease response time.
Remediation:
a) Ensure no caching is done for row-level security data.
b) Authenticate and check authorization before delivering cached data.
c) Implement cache security.

Risk: Authorization
Description: Authorization is a process of giving permissions for a particular action.
Remediation:
a) Assign access only to security roles and never to individuals.
b) Periodically review access.
c) Use user authorization instead of a service account whenever possible.

Risk: Branding (Legal risk)
Description: Most vendor solutions display their brand identity on their products. Easy identification of a product
increases risk because these products may have known vulnerabilities which can be easily leveraged by hackers.
Remediation:
a) Ensure applications are not showing third-party identifiable information.
b) Implement customized report/dashboard templates to remove third-party information.

Risk: Service (faceless) Accounts
Description: Many a time platform engineers are forced to use service (faceless) accounts to access data, especially in the
case of externally facing applications where external users may not have an account in corporate directory services and
may use alternate methods for user delegation such as query banding instead of direct delegation. Knowledge of these
service accounts may jeopardize data security, as anyone with knowledge of the service accounts can directly access
data sources.
Remediation:
a) Maintain separate service accounts for production and non-production systems.
b) Share service account details only on a need-to-know basis and fix accountability.
c) Use a credential repository to store service accounts.
d) Change the service account password periodically if possible.
e) Ensure that service account credentials are hashed before storing them in applications.
f) Secure hashing keys.

Risk: Web Application Firewalls
Description: A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an
HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By
customizing the rules to your application, many attacks can be identified and blocked.
Remediation:
a) Ensure web application firewalls are in place for all web-accessed BI applications.
b) Never keep a production web application firewall in non-blocking mode.
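An audit pass covering the Email/Subscription remediations listed above (approved owners only, time-bound subscriptions, inactive subscriptions, per-user cap) is sketched here as an added example that is not part of the original paper. The record fields, the cap of 3 and the 90-day idle threshold are assumptions, and the subscription records are constructed.

```python
from collections import Counter
from datetime import date

MAX_PER_USER = 3                    # assumed cap on subscriptions per owner
MAX_IDLE_DAYS = 90                  # assumed threshold for "inactive"
APPROVED_USERS = {"alice", "bob"}   # constructed list of approved subscribers


def _sub(sub_id, owner, expires, last_opened):
    """Build one subscription record (hypothetical schema)."""
    return {"id": sub_id, "owner": owner,
            "expires": expires, "last_opened": last_opened}


# Constructed sample: two ordinary users plus a burst created by one account.
SUBSCRIPTIONS = [
    _sub(1, "alice", date(2015, 6, 30), date(2015, 2, 20)),
    _sub(2, "bob", None, date(2015, 2, 25)),
    _sub(3, "bob", date(2015, 1, 31), date(2014, 10, 1)),
] + [_sub(i, "svc_tmp", date(2015, 12, 31), date(2015, 2, 28))
     for i in range(4, 9)]


def audit_subscriptions(subs, today, approved=APPROVED_USERS):
    """Return {subscription id: [reasons]} for every record that breaks a rule."""
    per_owner = Counter(s["owner"] for s in subs)
    findings = {}
    for s in subs:
        reasons = []
        if s["owner"] not in approved:
            reasons.append("owner-not-approved")
        if s["expires"] is None:
            reasons.append("no-expiry")          # not time bound
        elif s["expires"] < today:
            reasons.append("expired")
        if (today - s["last_opened"]).days > MAX_IDLE_DAYS:
            reasons.append("inactive")
        if per_owner[s["owner"]] > MAX_PER_USER:
            reasons.append("over-cap")           # possible subscription flood
        if reasons:
            findings[s["id"]] = reasons
    return findings


if __name__ == "__main__":
    for sub_id, why in audit_subscriptions(SUBSCRIPTIONS, date(2015, 3, 1)).items():
        print(sub_id, ", ".join(why))
```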
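The Data level security and Caching remediations above ("return no data in case of delegation failure", "no caching for row-level security data", "check authorization before delivering cached data") fit together as shown in this added example, which is not code from the paper or from any BI product. The report names, users, entitlement tables and the ReportServer class are constructed for illustration.

```python
# Constructed warehouse rows and access metadata.
SALES = [{"region": "EMEA", "revenue": 120},
         {"region": "APAC", "revenue": 95},
         {"region": "AMER", "revenue": 210}]
CATALOG = [{"sku": "A1"}, {"sku": "B2"}]
ROW_ENTITLEMENTS = {"alice": {"EMEA"}, "bob": {"APAC", "AMER"}}  # user -> regions
REPORT_ACL = {"sales_by_region": {"alice", "bob"},
              "product_catalog": {"alice", "bob", "carol"}}
RLS_REPORTS = {"sales_by_region"}  # reports whose rows differ per user


class ReportServer:
    def __init__(self):
        self.cache = {}             # report -> rows; only non-RLS reports
        self.warehouse_queries = 0  # shows when the cache was used

    def _query(self, report, user):
        """Stand-in for the warehouse query, filtered by the delegated user."""
        self.warehouse_queries += 1
        if report in RLS_REPORTS:
            allowed = ROW_ENTITLEMENTS.get(user, set())  # no entitlement, no rows
            return [row for row in SALES if row["region"] in allowed]
        return list(CATALOG)

    def get(self, report, session):
        # 1. Delegation: the end user's identity must reach the data tier.
        #    A session carrying only the service account is a delegation
        #    failure, so return no data rather than service-account results.
        user = session.get("end_user")
        if not user:
            return []
        # 2. Authorization is checked on every request, before the cache.
        if user not in REPORT_ACL.get(report, set()):
            raise PermissionError(f"{user} may not open {report}")
        # 3. RLS reports are never cached: one user's rows must not be
        #    replayed to another user.
        if report in RLS_REPORTS:
            return self._query(report, user)
        # 4. Shared reports may be cached, but are served only after 1 and 2.
        if report not in self.cache:
            self.cache[report] = self._query(report, user)
        return list(self.cache[report])


if __name__ == "__main__":
    server = ReportServer()
    print(server.get("sales_by_region", {"end_user": "alice"}))
    print(server.get("sales_by_region", {"service_account": "svc_bi"}))
```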
Conclusion
Analytics and BI are the buzzwords in industry, but a lot depends on how they are utilized. The end results of BI operations are
“Intelligence” in themselves, which means that they need to be secured in letter and spirit.
This paper tried to educate BI platform owners, engineers and decision makers on the significance of assessing
the risks for their platform and how to go about it. A clearly defined approach and pointed identification of security and
legal risks will save executives and platform owners from a lot of uncomfortable questions, situations and losses. This paper
has tried to identify a few of the prevalent security and legal risks in BI platforms; however, the technology stack has a reputation
for outdoing itself in sophistication and complexity. These risks need to be reviewed and updated time and again to keep
them relevant, not to mention keeping organizations healthy and functioning.
References
Digital Espionage
http://www.techopedia.com/definition/27159/digital-espionage
World's Biggest Data Breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
2014 Cyber Attacks Statistics (Aggregated)
http://hackmageddon.com/category/security/cyber-attacks-statistics/
A Brief History of Computer Hacking By Michael Devitt
http://www.dynamicchiropractic.com/mpacms/dc/article.php?id=18078.
Timeline of computer security hacker history
http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
2013 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by Symantec. Independently Conducted
by Ponemon Institute LLC, May 2013
https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Common Web Application Vulnerabilities By Susan Kennedy, CISA, CIW
http://www.isaca.org/Journal/Past-Issues/2005/Volume-4/Documents/jpdf0504-Common-Web-Application.pdf
Espionage and sabotage in the virtual world By Adam Palin
http://www.ft.com/cms/s/2/0fc23a76-b70a-11e2-a249-00144feabdc0.html
Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis By Stephen R. Band, Ph.D. (Counterintelligence
Field Activity - Behavioral Science Directorate); Dawn M. Cappelli (CERT); Lynn F. Fischer, Ph.D. (DoD Personnel Security
Research Center); Andrew P. Moore (CERT); Eric D. Shaw, Ph.D. (Consulting & Clinical Psychology, Ltd.); Randall F. Trzeciak
(CERT)
http://resources.sei.cmu.edu/asset_files/TechnicalReport/2006_005_001_14798.pdf
CIS Security Benchmarks.
https://benchmarks.cisecurity.org/
Security Configuration Guides By NSA (National Security Agency, USA).
https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/