Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 36

Industrial or Corporate Espionage


Corporations constantly research the capabilities of their competitors to identify new opportunities, technologies, and markets. Market research and all forms of open source intelligence (OSINT) gathering are legal and ethical practices for companies, organizations, and individuals to engage in. Unfortunately, some corporate actors extend their research beyond the usual venue of trade shows and reviewing press releases and seek to conduct surveillance and gather intelligence on their competitors in ways that move along the ethical continuum from appropriate to unethical and, in some cases, into illegal actions. In many legal systems, such activities are known as espionage, rather than research or business intelligence, as a way to clearly focus on their potentially criminal nature. (Most nations consider it an illegal violation of their sovereignty to have another nation conduct espionage operations against it; most nations, of course, conduct espionage upon each other regardless.) To complicate things even further, nearly all nations actively encourage their corporate citizens to gather business intelligence information about the overseas markets they do business in, as well as about their foreign or multinational competitors operating in their home territories. The boundary between corporate espionage and national intelligence services has always been a blurry frontier.

When directed against a competitor or a company trying to enter the marketplace, corporate-level espionage activities that might cross over an ethical or legal boundary can include attempts to do the following:

Establish business relationships to gain federated access to e-business information such as catalogs, price lists, and specifications

Gather product service or maintenance manuals and data

Recruit key personnel from the firm, either as new employees or as consultants

Engage in competitive, information-seeking arrangements with key suppliers, service vendors, or customers of the target firm

Probe and attempt to penetrate the target's websites and online presence

Conduct social engineering efforts to gather intelligence data or to provide the reconnaissance footprint for subsequent data gathering

Enter or break into the target's property, facilities, or systems without authorization

Visit company facilities or property, ostensibly for business purposes, but actually as an intelligence-gathering activity

All of the social engineering techniques used by hackers and the whole arsenal of advanced persistent threat (APT) tools and techniques might be used as part of an industrial espionage campaign. Any or all of these techniques can be, and often are, carried out by third parties such as hackers (or even adolescents), often through further intermediaries, as a way of maintaining a degree of plausible deniability.

You will probably never know whether the probing and scanning hitting your systems today has anything to do with the social engineering attempts by phone or email of a few weeks ago. You'll probably never know whether they are related to an industrial espionage attempt, to a ransom or ransomware attack, or to an APT's efforts to subvert some of your systems as launching pads for attacks on other targets. Protect your systems against each such threat vector as if each system does have the defense of the company's intellectual property “crown jewels” as part of its mission. That's what keeping confidences, what protecting the confidential, proprietary, or business-private information, comes down to, doesn't it?

