Internet monitoring can save your organisation

I have often written about episodes where security fails, even in cases when it should not have, had basic good practices been followed. So one might ask, ‘why don’t we hear about many success stories?’

A reason for that is the nature of news. While bad events tend to be reported, the same cannot be said for when the story has a happy ending. For a happy ending story to become news it has to have an element of the extraordinary.

One such extraordinary story happened to Goldman Sachs as reported by Wired. Sergey Aleynikov was about to jump ship from Goldman Sachs to competitor Teza Technologies and he was going to take Goldman Sachs’s high speed trading system with him. From the Wired reportage it is apparent that Sergey Aleynikov knew what he was doing and how to keep a low profile about it, so much so that I believe what he did to be very hard to detect.

From what we are told, Sergey Aleynikov set up scripts to copy, compress, encrypt and upload through https 32 megabytes of source code. Obviously source code compresses really well so those 32 megabytes could easily have been brought down to less than 5 megabytes.

Even if he made the mistake of compressing only after encrypting (thus losing the source code compressibility advantage) 32 megabytes is still a very small amount. Furthermore he used https for transferring outside the company to ensure that he was not being monitored and that he was sending to the correct destination. His scripts then deleted themselves removing any evidence of what had happened. A very good plan that should have worked; so how was he detected?

It seems that Goldman Sachs’s security team is top notch. They had really good monitoring software in place that was able to detect anomalous web usage. We do not know what the link was generally used for but for less than 32 megabytes to be considered anomalous the monitoring software must have been extremely fine tuned.

The team was also very professional and dedicated to following policy as indicated by them launching an investigation even though the anomaly was so small. Their dedication paid off as they managed to uncover and stop the theft.

This story clearly highlights that correctly implemented security software and procedures can help detect even the most carefully laid plan of attack. Monitoring doesn’t have to be invasive; trends/usage monitoring can be enough to detect malicious activity, at which point a proper investigation can be launched.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone

Emmanuel Carabott CISSP heads security research at GFI Software. He has over 12 years’ experience in the security field and is a regular contributor to several websites and blogs. For more information about the benefits of using email usage reporting.