by George V. Hulme

It’s the human threat, stupid

News
May 17, 2011 | 4 mins
Cybercrime, Data and Information Security, IT Leadership

Eric O'Neill, the former FBI operative who played a crucial role in the arrest and conviction of FBI agent Robert Hanssen for spying against the U.S. for the former Soviet Union and Russia, says security can't rely on tech alone.

Anyone who has worked to defend enterprise secrets from theft knows that the answer to success certainly doesn’t come from technology alone.

Few know this better than Eric O’Neill. O’Neill is the former FBI operative who worked as an investigative specialist and played a crucial role in the arrest and conviction of FBI agent Robert Hanssen for spying against the U.S. for the former Soviet Union and Russia. The 2007 movie “Breach” was based on O’Neill’s experience investigating Hanssen.

“The human element is usually the weakest link,” O’Neill said yesterday at the 2011 Computer Enterprise and Investigations Conference (CEIC).

That’s not to say IT security isn’t important. It is. In fact, the forensic analysis of a Palm Pilot played a crucial role in the apprehension of Hanssen, as it detailed the location and time of his next drop to the Russians. And the explosion of electronic devices has become crucial to fighting both the spying of nations and of corporate espionage. “Spies previously had to first photocopy or photograph the material they wanted, then make arrangements for drops and payments,” O’Neill said. “Today they just capture it on their phone and email it to anywhere in the world.”

It’s also probably no surprise that an attacker today is likely to start their attack with their web browser. “When you think of hackers, the hackers will spend some time social engineering their targets rather than spend hours of hacking,” he said. “If I were to try to steal from you, I would examine your personnel, and today I’d start on Twitter, Facebook, and look at as many people involved with you that I can find,” O’Neill said. “I would look for people who talked about how they hated their boss. I’d find out where they like to hang out and I’d go see what they had to say,” he said.

Some of the other things an attacker is likely to do to start, O’Neill said, are to comb through public Web sites, file Freedom of Information Act (FOIA) requests, and eavesdrop on employees at airline terminals. “Be careful when traveling abroad, don’t leave your laptop in hotel room,” he said. “Dumpster diving is also one of the easiest ways to find out about someone.”

Also, don’t underestimate the depths an adversary might go to grab the information they seek. He told one story of an organization setting up a fake charity and requesting older computers be donated from the target company. “The company donated the computers to what they thought was a charity, and the drives had plenty of information on them,” he said. “Front companies are a common technique,” he said.

Another company sought to steal secrets from a U.S. company. This company played as if they were forming a partnership — and said as part of an international relations building effort they were funding a documentary. They asked if they could send a film crew to the target company. “The targeted company was smart at first, and granted permission for a film crew of three. Well, 10 people showed with cameras and started moving through the building. They lost track of many of them and they stole everything they wanted,” he said.

Also, don’t think it’s only large companies that are being targeted. “If I want to attack the State Department, am I going to approach the State Department directly, or am I going to approach a State Department contractor with much less security?” he asked. Of course, they’re going to target the least defended entryway. That means smaller firms with larger — or even interesting — partners need to always be on the lookout for these potential threats themselves.

There’s much at stake, O’Neill believes. “Information is the key to world leadership today. Attackers seek anything, from solar array technology to the next vaccine, that they think will help them get a head start on technological superiority,” he said.