"The Growing Danger of IP Theft and Cyber Extortion" -- Chinese translation provided by Harbin Antiy Technology Group Co., Ltd.

2018-07-05

The recent attacks on Disney and Netflix expose the risks facing intellectual property and company secrets, risks driven by cheap hacking tools and cryptocurrencies.

The latest Verizon Data Breach Incident Report warns that cyber-espionage attacks aimed at stealing intellectual property (IP) and company secrets are on the rise. Shortly afterwards a real-life example appeared: entertainment giant Disney was hacked. The attackers stole the unreleased Pirates of the Caribbean 5: Dead Men Tell No Tales and demanded that Disney pay a ransom, threatening to release the film publicly otherwise. Disney refused.

Before the Disney attack, another major entertainment theft had already occurred: a hacker stole the entire unreleased fifth season of Netflix's Orange Is the New Black (10 episodes) and demanded that Netflix pay a ransom or the whole season would be leaked online. Netflix refused to pay, and the full season was leaked on the Internet.

Companies Should Worry About IP Theft

The Verizon report points out that cyber espionage is of particular concern in the manufacturing industry, where it accounts for 90% of attacks. Most of these cyber-espionage operations are launched by nation-state threat actors aiming to steal cutting-edge technology for use in their own countries.

However, the Disney attack shows that companies that are not developing pest-resistant supercrops or gene therapy also become targets. Some businesses scoff at the notion of cyber extortion, believing they are too unimportant to attract hackers' attention. But as the Verizon report states, industry and size do not matter: "if you have (or hackers believe you have) useful information, you are a potential target" for IP theft.

Today that standard applies to almost everyone. Attackers' targets include proprietary financial technology solutions, casino gaming software, secret recipes, mobile apps, and even company secrets such as data on marketing strategy, employee recruitment or new-product research. And, of course, unreleased books, films and television series are all targets.

Moreover, hackers no longer need deep pockets or sophisticated skills to break into enterprise systems.

Cryptocurrencies and "Malware for Dummies" Lower the Bar for Hackers

Computer hacking used to require a high level of technical skill. To become a hacker, you had to have strong coding skills and understand operating systems, network architectures and hardware. However, the rapid growth of the Darknet means hackers no longer need Mr. Robot-level skills. They can buy cheap, easy-to-use, cloud-based "malware for dummies". One group of enterprising hackers even offers customer support to help customers with the problems they run into.

The rise of cryptocurrencies such as Bitcoin has also helped cyber extortion grow. Before Bitcoin, sending and receiving very large sums of money while maintaining secrecy and anonymity was hard to do. Now anyone can sign up for a Bitcoin account and send, receive and spend money at will, without worrying about exposing their identity or location.

Third-Party Vendors Can Put Large Enterprises at Risk

The Netflix attack exposed another IP security problem: a large company's level of security is affected by its third-party business partners.

Generally, hackers break into the payment systems or databases of large corporations in search of card data or sensitive personal data such as Social Security numbers. Very small companies were not worth their effort. Now, the abundance of easy-to-use tools and untraceable payment methods, together with the fact that companies (including many third-party vendors) store millions of dollars' worth of intellectual property on their networks, is making cybercriminals increasingly creative.

The intruders did not have to penetrate Netflix itself; instead they hijacked Netflix's third-party post-production vendor, Larson Studios. Likewise, criminals could break into a clothing brand's textile supplier and steal all of next season's designs, or break into reality-show contestants' phones and reveal the winner before the finale airs.

In some cases, breaking into a small vendor can be more lucrative than attacking a multinational. Because Larson Studios provides post-production services to many television networks, more extortion attacks may follow.

Combating IP Theft

Cyber insurers have already noticed the third-party vendor vulnerability problem; some policies require organizations to ensure the security of their business partners' systems. That is easier said than done. While large companies like Disney can implement Fort Knox-level security on their systems (translator's note: since the US Army's armor command moved to Fort Knox in 1940, Fort Knox has been the most important training base for US armored forces, and the Federal Reserve's vault is also located there. The heavily guarded Fort Knox is the US Treasury's gold depository, protected by seven electrified fences, fully armed guards and a 24-ton security door), such measures may break smaller firms' budgets. However, Disney and Netflix show that a large budget alone does not guarantee security.

One client-side solution is network segmentation: the company creates a standalone system for the vendor, with a separate setup for handling its tasks, minimizing connections to the company's main system and keeping the digital footprint as small as possible. However, this involves costs, and in some cases (as in the Netflix case) the vendor may need highly specialized software and hardware to do its work, which makes creating such an isolated system unlikely.

Another, less-expensive solution is for the vendor to work entirely in the cloud, isolated from the large company's systems. Vendors cannot download data onto their own networks, and the cloud solution should be secured with two-factor authentication (a key fob or an app) to avoid the security problems associated with login credentials. This setup is not foolproof, and it may require vendors to invest in faster connections or put up with slower speeds, but it can ease their financial burden.

Finally, organizations of all sizes should consider partnering with a managed security services provider (MSSP) (note: Mosaic451 is an MSSP, and many other companies also offer these services). Using an MSSP is cheaper than performing cybersecurity functions in-house, especially since the organization does not have to invest in security personnel, software and hardware.

As intellectual property is increasingly stored digitally, IP theft and cyber extortion may become as serious a problem as ransomware. Businesses of all sizes must get ahead of this threat, understand the risks and take proactive measures to guard against them.


《The Growing Danger of IP Theft and Cyber Extortion》

http://www.darkreading.com/cloud/the-growing-danger-of-ip-theft-and-cyber-extortion/a/d-id/1329247?

Robert McFarlane

7/6/2017

The recent hacks of Disney and Netflix show the jeopardy that intellectual property and company secrets are in, fueled by cheap hacking tools and cryptocurrencies.

Shortly after the latest Verizon Data Breach Incident Report warned of a rise in cyber-espionage attacks aimed at stealing intellectual property (IP) and company secrets, a real-life example hit the news. Entertainment juggernaut Disney was hacked, with attackers gaining access to Pirates of the Caribbean: Dead Men Tell No Tales, and threatening to release the movie in five-minute increments until a ransom of an undisclosed amount was paid. Disney has refused.

This follows on the heels of another high-profile entertainment theft; a hacker stole 10 unreleased episodes of Netflix's series Orange Is the New Black and threatened to dump them online unless the company paid a hefty ransom in Bitcoin. Netflix refused, and the episodes were posted on the Internet.

Yes, Your Company Should Worry About IP Theft
The Verizon report notes that cyber espionage is of particular concern in the manufacturing industry, where it accounts for 90% of cyber attacks. Most of these cyberspy operations are perpetrated by state actors who are stealing cutting-edge technology for use in their home countries.

However, as the Disney hack illustrates, companies don't have to be developing pest-resistant supercrops or gene therapy to become targets. Some businesses scoff at the notion of cyber extortion, thinking that they're too unimportant to attract the attention of hackers. As the Verizon report shows, industry and size don't matter: "if you have — or may be perceived to have — useful information, then you are a potential target" for IP theft.

These days, that applies to pretty much everyone: proprietary financial technology solutions, casino gaming software, secret recipes, mobile apps, even company secrets such as data on marketing strategy, employee recruitment, or research into new products. And, of course things such as unreleased books, movies, and television series are targets.

Furthermore, you no longer have to be a well-funded foreign spy — or even particularly technically inclined — to break into enterprise systems.

Cryptocurrencies and "Malware for Dummies" Lower the Bar for Hackers
Computer hacking used to require a high level of technical prowess. A would-be hacker had to have strong coding skills and understand operating systems, network architectures, and hardware. However, the Darknet has evolved to the point where Mr. Robot-level technical expertise isn't necessary. Inexpensive, easy-to-use, cloud-based "malware for dummies" can be purchased. At least one group of enterprising hackers even offers customer support in case you run into problems.

The rise of cryptocurrencies such as Bitcoin has also helped cyber extortion grow. Before Bitcoin, sending and receiving very large sums of money while maintaining secrecy and anonymity wasn't something just anyone could do. Now, anyone can sign up for a Bitcoin account and send, receive, and spend as much money as they want, without anyone knowing who or where they are.

Third-Party Vendors Can Put Large Enterprises at Risk
The Netflix hack shone a light on another problem with IP security: large companies are only as secure as their third-party business associates.

Generally, hackers used to target the payment systems or databases of large corporations in search of card data or sensitive personal data, such as Social Security numbers. Targeting a very small company wasn't worth the effort. Now, with easy-to-use hacking tools, untraceable payment methods, and the fact that companies (including many third-party vendors) store millions of dollars' worth of intellectual property on their networks, cybercriminals are getting creative.

The intruders didn't have to penetrate Netflix itself; they hacked Netflix's third-party post-production vendor, Larson Studios. In a similar vein, criminals could hack into a clothing brand's textile vendor and steal all of their patterns for next season or hack into reality TV contestants' phones and reveal the winner of the current season before the finale airs.

In some cases, breaking into one small vendor can be more lucrative than breaching a multinational. Because Larson Studios sells post-production services to many television networks, it is likely that more extortion attempts are coming.

Combatting IP Cybertheft
Cyber insurers have noticed third-party vendor vulnerabilities for some time; some policies require that organizations ensure the security of their business associates' systems. That's easier said than done. While large companies like Disney can afford to implement Fort Knox-level security on their systems, such measures may break smaller firms' budgets. However, Disney and Netflix show that a large budget alone doesn't guarantee safety from intrusion.

One client-side solution is network segmentation, in which companies create an isolated system for the vendor to work on tasks with a standalone setup, minimal connection to the company's main system, and as small a digital footprint as possible. However, there are costs involved, and in some cases (likely in the Netflix case) the vendor may need highly specialized software and hardware to do its work, which makes creating such an isolated system impossible.

Another, less-expensive solution is for vendors to work entirely in the cloud, isolated from the larger company's system. Vendors shouldn't be able to download data onto their own networks, and the cloud solution should be secured with two-factor authentication with a key fob or app to avoid the usual security concerns concerning login credentials. This setup isn't foolproof, and it may require vendors to invest in faster connections or deal with slower speeds, but it would ease some of their financial burden.

Finally, organizations of all sizes should consider partnering with a managed security services provider (MSSP). (Note: Mosaic451 is an MSSP, but many other companies offer these services.) Using an MSSP is less expensive than performing cybersecurity functions in-house, especially since the organization doesn't have to make additional investments in security personnel, software, and hardware.

With so much intellectual property being stored digitally, IP theft and cyberextortion are likely to become as big a problem as ransomware. It's imperative for companies of all sizes to get out ahead of this threat, understand the risks, and implement proactive measures to prevent it.
