India is investigating a data leak of 22,000 pages of documents that expose secrets about the combat capabilities of the Scorpene-class submarines DCNS is building for the country’s navy.
Six Scorpene submarines worth $3.5bn are being built in co-operation with an Indian government-owned shipbuilder in Mumbai.
DCNS said it may have been the victim of “economic warfare,” according to Reuters.
A DCNS spokeswoman said the leak had come against a difficult commercial backdrop and that corporate espionage could be to blame. “Competition is getting tougher and tougher, and all means can be used in this context,” she is quoted as saying.
The leak was made public by Australian media because DCNS is contracted to build a fleet of Shortfin Barracuda submarines for Australia, but details of these vessels were not contained in the leak, according to the BBC.
Australian prime minister Malcolm Turnbull said the data leak was a reminder of the importance of cyber security, but said it would not endanger Australia’s contract with DCNS.
Maintain awareness to protect IP
Tod Beardsley, Rapid7 security research manager, said the leak of DCNS’s data is proof that it is “incredibly difficult” to keep critical intellectual property safe and secure in today’s world of highly interconnected global manufacturing.
“Though most companies aren’t handling highly sensitive details regarding military capabilities, we all are operating in an aggressive environment populated by sophisticated attackers with skillsets and capabilities once reserved for international super spies,” he said.
Javvad Malik, security advocate at AlienVault, said intellectual property can be the most difficult form of data to protect.
“This is because it is usually unstructured, and oftentimes the full value of the whole data isn’t realised by the individuals who may be working on portions of it,” he said.
However, Malik said for defence contractors, IP protection is even more important. “This should start with a security-aware culture throughout the whole organisation. Having the fundamentals in place even for non-sensitive projects helps maintain awareness,” he said.
Security needs to be architected in from the beginning, said Malik. “Services should be designed to be hard to compromise, be easy to maintain and quick to recover. A good idea is to follow a segmented approach so that if certain aspects of the organisation are breached, the critical data can remain protected,” he said.
Malik added that it is vitally important that logs and alarms are reviewed and followed up on. “In the aftermath of a breach, investigators are able to find the logs detailing what occurred almost without fail,” he said.
“In many cases, a security product would have raised an alert or alarm of some sort that subsequently was ignored – resulting in the breach,” he added.
Data classification and permissions
Despite the challenges of protecting IP, Mark James, security specialist at ESET, said data loss prevention (DLP) systems can not only stop users from sending data to an external source, but can also be used to track and monitor data movement that is prohibited.
“Of course there’s always a caveat; there is often no 100% way to stop people getting hold of something they should not have once it’s committed to paper form, but with digital technology you can certainly make things difficult,” he said.
Jonathan Sander, vice-president of product strategy at Lieberman Software, said one of the most common ways highly sensitive information, such as the DCNS submarine plans, gets leaked is because organisations rely on the same controls for sensitive data and the rest of their files.
“Often these controls are poorly understood. A file will be placed in what is thought to be a restricted location, but it turns out many more people have access than realised through poorly configured permissions,” he said.
Without diligent data access governance, Sander said these misplaced files are easy targets for malicious insiders, malware and other mundane attacks.
“It’s hard to blame people for misplacing these files as most organisations lack data classification. They may have a policy on the books about it and if you open the file to read it you may see all manner of references to its level of secrecy, but those typically fail to be marked on the file in a way that will signal who should open it at all or where it should be allowed to live on fileshares.
“That leads to sensitive information living in the wrong places simply because it wasn’t obvious what it was when it was moved,” he said.
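The mismatch Sander describes, a file whose own text carries a secrecy marking while its filesystem permissions let far more people read it, can be audited mechanically. The following is an added example, not code from the article or any vendor quoted in it; the marking scheme, the audience ranking and the sample share are constructed assumptions.

```python
# Added example, not from the article: flag files whose content carries a
# classification marking but whose permissions admit a wider audience than
# the marking allows. Scheme, markings and sample files are constructed.
import os
import re
import stat
import tempfile

# Assumed scheme: marking -> widest audience allowed to read the file.
ALLOWED = {"SECRET": "owner", "CONFIDENTIAL": "group", "PUBLIC": "world"}
RANK = {"owner": 0, "group": 1, "world": 2}
MARK_RE = re.compile(r"\b(SECRET|CONFIDENTIAL|PUBLIC)\b")

def classification(path, head_bytes=4096):
    """Most restrictive marking in the file header, or None if unmarked."""
    with open(path, "rb") as fh:
        head = fh.read(head_bytes).decode("utf-8", errors="replace")
    found = set(MARK_RE.findall(head))
    return next((m for m in ALLOWED if m in found), None)

def audience(path):
    """Widest audience the POSIX mode bits grant read access to."""
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        return "world"
    return "group" if mode & stat.S_IRGRP else "owner"

def find_overexposed(root):
    """(relative path, marking, actual audience) for every over-exposed file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            marking = classification(path)
            if marking and RANK[audience(path)] > RANK[ALLOWED[marking]]:
                findings.append((os.path.relpath(path, root), marking, audience(path)))
    return sorted(findings)

def demo():
    """Constructed sample share: one file correctly restricted, one over-exposed."""
    root = tempfile.mkdtemp()
    samples = {  # relative path -> (first line of content, mode bits)
        "hull/specs.txt": ("SECRET - hull pressure ratings\n", 0o600),
        "shared/memo.txt": ("CONFIDENTIAL - project memo\n", 0o644),
        "shared/readme.txt": ("PUBLIC - directory layout\n", 0o644),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return find_overexposed(root)
```

On a real share the content scan would be replaced by whatever marking or metadata label the organisation actually uses, and the audience check by effective ACL evaluation rather than POSIX mode bits.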
Unchecked administrators are also a threat to data, said Sander. “Whether it’s the disgruntled insider or the outsider who manages to hijack elevated rights, the privileges of the admin bypass even the best controls.
“Having this super power to blow past security to steal even well managed and classified data is why the bad guys are always after privilege,” he said.