The Official (ISC)2 SSCP CBK Reference. Mike Wills

constantly research the capabilities of their competitors to identify new opportunities, technologies, and markets. Market research and all forms of open source intelligence (OSINT) gathering are legal and ethical practices for companies, organizations, and individuals to engage in. Unfortunately, some corporate actors extend their research beyond the usual venue of trade shows and reviewing press releases and seek to conduct surveillance and gather intelligence on their competitors in ways that move along the ethical continuum from appropriate to unethical and, in some cases, into illegal actions. In many legal systems, such activities are known as espionage, rather than research or business intelligence, as a way to clearly focus on their potentially criminal nature. (Most nations consider it an illegal violation of their sovereignty to have another nation conduct espionage operations against it; most nations, of course, conduct espionage upon each other regardless.) To complicate things even further, nearly all nations actively encourage their corporate citizens to gather business intelligence information about the overseas markets they do business in, as well as about their foreign or multinational competitors operating in their home territories. The boundary between corporate espionage and national intelligence services has always been a blurry frontier.

      When directed against a competitor or a company trying to enter the marketplace, corporate-level espionage activities that might cross over an ethical or legal boundary can include attempts to do the following:

       Establish business relationships to gain federated access to e-business information such as catalogs, price lists, and specifications

       Gather product service or maintenance manuals and data

       Recruit key personnel from the firm, either as new employees or as consultants

       Engage in competitive, information-seeking arrangements with key suppliers, service vendors, or customers of the target firm

       Probe and attempt to penetrate the target's websites and online presence

       Conduct social engineering efforts to gather intelligence data or to provide the reconnaissance footprint for subsequent data gathering

       Gain unauthorized entry to, or break into, the target's property, facilities, or systems

       Visit company facilities or property, ostensibly for business purposes but actually for intelligence gathering

      All of the social engineering techniques used by hackers and the whole arsenal of advanced persistent threat (APT) tools and techniques might be used as part of an industrial espionage campaign. Any or all of these techniques can be, and often are, carried out by third parties, such as hackers (or even adolescents), often through other intermediaries, as a way of maintaining a degree of plausible deniability.

      Integrity

      Integrity, in the common sense of the word, means that something is whole, complete, its parts smoothly joined together. People with high personal integrity are ones whose actions and words consistently demonstrate the same set of ethical principles. Having such integrity, you know you can count on them and trust them to act both in ways they have told you they would and in ways consistent with what they've done before.

      When talking about information systems, integrity refers to both the information in them and the processes (that are integral to that system) that provide the functions we perform on that information. Both of these—the information and the processes—must be complete, correct, function together correctly, and do so in reliable, repeatable, and deterministic ways for the overall system to have integrity.

      When we measure or assess information systems integrity, therefore, we can think of it in several ways.

       Binary: Either our information system has integrity or it does not. We can rely upon it or we cannot.

       Threshold-based: Our information system has at least a minimum level of systems and information integrity to function reliably but possibly in a degraded way, either with higher than desired (but still acceptable) error rates or at reduced transaction throughput or volume levels.

      Note that in all but the simplest of business or organizational architectures, you'll find multiple sets of business logic and therefore business processes that interact with each other throughout overlapping cycles of processing. Some of these lines of business can function independently of each other, for a while, so long as the information and information systems that serve that line of business directly are working correctly (that is, have high enough levels of integrity).

       Retail online sales systems have customer-facing processes to inform customers about products, services, and special offers. Their shopping cart systems interact with merchandise catalog databases, as well as with order completion, payment processing, and order fulfillment. Customer sales order processing and fulfillment can occur—with high integrity—even though other systems that update the catalogs to reflect new products or services or bring new vendors and new product lines into the online store are not available.

       Computer-aided manufacturing systems have to control the flow of materials, parts, subassemblies, and finished products on the factory floor, interacting with logistics and warehousing functions on both the input and output sides of the assembly line. These systems are typically not tightly coupled with the functions of other business elements, such as finance, sales and marketing, or personnel management, even though at some point the assembly line grinds to a halt if finance hasn't paid the bills to suppliers in a timely way.

       REAL WORLD EXAMPLE: Trustworthiness Is Perceptual

      You make a decision to trust in what your systems are telling you. You choose to believe what the test results, the outputs of your monitoring systems, and your dashboards and control consoles are presenting to you as “ground truth,” the truth you could observe if you were right there on the ground where the event reported by your systems is taking place. Most of the time, you're safe in doing so.

      The operators of Iran's nuclear materials processing plant believed what their control systems were reporting to them, all the while the Stuxnet malware had taken control of both the processing equipment and the monitoring and display systems. Those displays lied to their users, while Stuxnet drove the uranium processing systems to self-destruct.

      An APT that gets deep into your system can make your systems lie to you as well. Attackers have long used the techniques of perception management to disguise their actions and mislead their targets' defenders.

      Your defense: Find a separate and distinct means for verifying what your systems are telling you. Get out-of-band or out-of-channel and gather data in some other way that is as independent as possible from your mainline systems; use this alternative source intelligence as a sanity check.
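The two ideas above, assessing integrity either as a binary property or against a threshold, and verifying in-band reports against an independent out-of-band source, can be combined into one small check. The following is an added example and not code from the book; the device names, the in-band readings and the "independent sensor" readings are constructed sample data, and the tolerance and agreement thresholds are illustrative assumptions. It flags every device whose console report disagrees with its independent measurement, then reports both the binary verdict and the threshold-based verdict over the same evidence.

```python
from dataclasses import dataclass

# Constructed sample telemetry (not real data). IN_BAND is what the
# control console / HMI reports for each device; OUT_OF_BAND is what a
# hypothetical independent sensor (say, a separately wired power meter)
# measured for the same interval. unit-02 is the interesting case: the
# console says "normal" while the independent reading disagrees.
IN_BAND = {
    "unit-01": {"rpm": 1000, "status": "normal"},
    "unit-02": {"rpm": 1000, "status": "normal"},
    "unit-03": {"rpm": 1000, "status": "normal"},
    "unit-04": {"rpm": 1000, "status": "normal"},
}
OUT_OF_BAND = {
    "unit-01": 1004,
    "unit-02": 1410,  # independent reading contradicts the in-band report
    "unit-03": 996,
    "unit-04": 1003,
}


@dataclass
class Discrepancy:
    device: str
    reported: float   # value shown by the in-band console
    observed: float   # value from the independent, out-of-band source
    deviation: float  # relative deviation |observed - reported| / reported


def cross_check(in_band, out_of_band, tolerance=0.02):
    """Compare every in-band report against its independent measurement.

    Returns (discrepancies, unverified): devices whose independent reading
    differs from the reported one by more than `tolerance` (relative), and
    devices that have no independent reading at all. An unverified device is
    not assumed healthy; it simply cannot be confirmed."""
    discrepancies, unverified = [], []
    for device, report in in_band.items():
        observed = out_of_band.get(device)
        if observed is None:
            unverified.append(device)
            continue
        reported = report["rpm"]
        deviation = abs(observed - reported) / reported if reported else float("inf")
        if deviation > tolerance:
            discrepancies.append(Discrepancy(device, reported, observed, deviation))
    return discrepancies, unverified


def assess_integrity(in_band, out_of_band, tolerance=0.02, min_agreement=0.75):
    """Two views of the same cross-check evidence.

    binary: integrity holds only if every device is independently confirmed.
    threshold: 'full' if all confirmed, 'degraded' (usable, but with known
    doubt) if at least `min_agreement` of devices are confirmed, otherwise
    'failed'. Only confirmed devices count toward agreement; unverified ones
    count against it."""
    discrepancies, unverified = cross_check(in_band, out_of_band, tolerance)
    total = len(in_band)
    confirmed = total - len(discrepancies) - len(unverified)
    agreement = confirmed / total if total else 0.0
    binary_ok = confirmed == total
    if binary_ok:
        level = "full"
    elif agreement >= min_agreement:
        level = "degraded"
    else:
        level = "failed"
    return {
        "binary": binary_ok,
        "agreement": agreement,
        "threshold_level": level,
        "discrepancies": discrepancies,
        "unverified": unverified,
    }


if __name__ == "__main__":
    result = assess_integrity(IN_BAND, OUT_OF_BAND)
    print(f"binary integrity: {result['binary']}")
    print(f"agreement: {result['agreement']:.0%} -> {result['threshold_level']}")
    for d in result["discrepancies"]:
        print(f"  {d.device}: console reports {d.reported}, "
              f"independent sensor observed {d.observed} "
              f"({d.deviation:.0%} off)")
```

The value of the check comes entirely from the independence of the second source: if the "out-of-band" readings are pulled through the same compromised host or network path as the console data, an attacker who controls that path can make both agree. The agreement threshold is a policy decision; a plant operator might accept 75 percent confirmed as "degraded but running," while a payment processor might treat anything short of full confirmation as a stop condition.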

      Integrity