Tuesday, January 8, 2013

What's Missing in your Threat Landscape Picture?

ENISA (European Network and Information Security Agency) recently published its "ENISA Threat Landscape" report for 2012. Overall it's a good document as far as traditionally known threats go, but it's a re-hash of the threat landscape that we've accepted as complete because we've relied on security vendors to create it. A vendor tends to focus on the part of the threat landscape that their product addresses and ignore what's irrelevant to their product line. Customers often accept that as accurate because, after all, they aren't in the business of information security or threat assessment and rely upon the advice from their vendors, which I'm sorry to say is often incomplete.

The following threat table from ENISA illustrates what I mean:

According to ENISA's paper, the above table was created from 120 reports issued from Virus/Malware protection vendors, CERTS, security agencies, commercial companies in the area of security, industrial associations and committees, and Networks of Excellence (p. 10). Unfortunately, they tend to mirror each other in terms of what they report. In the Intelligence Community, this is a cognitive bias known as mirror-imaging. Customers, especially governments and multi-national corporations, need to go beyond these types of traditional and limited threat landscapes and expand it to include at least two more very important areas:

  1. Vendor-to-Government relationships (V:G)
  2. Offices in Foreign States (OFS)

Vendor-To-Government Relationships
U.S. companies, especially those in the Fortune 100, rely upon vendors, both foreign and domestic, for everything from development work to marketing. Yet very few take the time to do a deep dive into who their vendors' executives are and what their relationships are with other partners and government officials. As an example, we (meaning my company Taia Global) regularly perform this type of due diligence for our client firms and at least 70% of the time discover significant foreign government relationships with both U.S.-based and foreign-based vendors who have unrestricted access to valuable data owned by our clients. Frequently, prior to our investigation, no one was aware of those relationships.

Offices in Foreign States
U.S. companies who have offices in Russia and China, including Hong Kong, are at high risk for technology theft through both legal and illegal means. It may be through a local vendor who provides "secure" paper shredding services off-site when in reality those documents aren't destroyed but are sold to interested parties. It may be through legal intercepts on all landline, VOiP, mobile and satellite communications from the foreign offices of a U.S. company in Russia or China. It may be through a legal request to review your products' source code for "national security" reasons. The bottom line from a threat landscape perspective is - if you're doing business in a foreign state, there are a dozen ways for them to access your company's crown jewels; all of which have nothing to do with spear phishing, APT, or botnets.

If your company has overseas offices or uses vendors who do, the traditional threat landscape - even one created from over 100 sources - is incomplete. And if your security plan is built around that limited threat landscape, you're intellectual property is still at risk. Contact us for more information.

No comments:

Post a Comment