An attacker might exploit a security or configuration weakness in an externally accessible system or application, with the aim of gaining user credentials or establishing a surveillance point.
Attackers can also exploit publicly known or nonpublicly known technology vulnerabilities. And to access truly sensitive information, they can resort to tactics such as bribery.
During a targeted attack, more than one system or application-level vulnerability could be directly exploited. Once a single system or account is compromised, virtually the entire environment can be gradually traversed until the ultimate goal of the attack is achieved.
Often, the attackers place monitoring software in out-of-the-way locations and systems, such as log servers, where traditional IT security methods aren't looking for intrusions. They collect the data and send it out, for example via FTP, in small amounts over time, so that the transfers don't rise above the noise of normal traffic and call attention to themselves.
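To make the detection problem concrete, here is an added example (not part of the original article) that contrasts a per-transfer size alert with a cumulative, per-destination view over two weeks of outbound flow records. The flow records, addresses, and thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune against your own traffic baseline.
PER_FLOW_ALERT = 50_000_000     # bytes: classic "large single upload" rule
CUMULATIVE_ALERT = 100_000_000  # bytes per (src, dst) pair over the window
MIN_ACTIVE_DAYS = 5             # pair must recur on this many distinct days

def build_sample_flows():
    """Constructed outbound flow records: (time, src, dst, bytes_out)."""
    start, flows = datetime(2024, 1, 1), []
    for day in range(14):
        # Log server trickling 4 MB uploads (e.g. FTP) four times a day.
        for hour in (1, 7, 13, 19):
            flows.append((start + timedelta(days=day, hours=hour),
                          "10.0.5.20", "203.0.113.7", 4_000_000))
        # Workstation with ordinary daily traffic to one site.
        flows.append((start + timedelta(days=day, hours=10),
                      "10.0.1.15", "198.51.100.9", 2_000_000))
    # One-off 80 MB upload that a per-flow rule does catch.
    flows.append((start + timedelta(days=3, hours=2),
                  "10.0.2.8", "198.51.100.50", 80_000_000))
    return flows

def per_flow_alerts(flows):
    """Pairs with at least one single transfer over the per-flow threshold."""
    return sorted({(s, d) for _, s, d, b in flows if b >= PER_FLOW_ALERT})

def slow_exfil_candidates(flows, window_days=14):
    """Pairs whose transfers are individually small but add up over time."""
    cutoff = max(t for t, *_ in flows) - timedelta(days=window_days)
    totals, days, peak = defaultdict(int), defaultdict(set), defaultdict(int)
    for t, src, dst, nbytes in flows:
        if t < cutoff:
            continue
        key = (src, dst)
        totals[key] += nbytes
        days[key].add(t.date())
        peak[key] = max(peak[key], nbytes)
    return sorted(k for k in totals
                  if totals[k] >= CUMULATIVE_ALERT
                  and len(days[k]) >= MIN_ACTIVE_DAYS
                  and peak[k] < PER_FLOW_ALERT)  # never tripped the size rule

if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-flow alerts:     ", per_flow_alerts(sample))
    print("slow-exfil candidates:", slow_exfil_candidates(sample))
```

In this constructed data the log server moves 224 MB over 14 days without any single transfer exceeding 4 MB, so only the cumulative view surfaces it.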
Who are the data thieves targeting?
If you think your company is not a likely target of electronic spying, don't be so sure. Although military systems and government contractors will always be major targets, services that carry information for many types of organizations are also extremely attractive because a single intrusion can provide information about a large range of targets, Kocher says. For example, Webmail services, telephone networks, shippers' databases, and social networking sites are all likely targets.
Any company with advanced intellectual property or sensitive research and development data is of interest to spies, notes Paul Kurtz, COO of Good Harbor Consulting and a recognized cyber security and homeland security expert who has served in senior positions on the White House's National Security and Homeland Security Councils.
"Adversaries will look up the supply chain too in order to gain access to more sensitive data, so those organizations supporting sensitive government and private sector groups should also monitor for espionage activity," Kurtz says.
What risks do you face?
What's at risk for your organization if it doesn't at least look into whether it's being spied upon electronically? Quite a bit.
"It's the worst-case scenario at stake: the loss of competitive advantage," says PricewaterhouseCoopers' Lobel. For instance, a government entity that's doing the spying could hand over intellectual property to one of your biggest competitors. This could allow the competitor to avoid the research and development cost and time that your company has spent, or tip them off to future products in your pipeline.
Kurtz says private-sector firms have the most to lose today, as the federal government is doing little to help them and they are "hemorrhaging intellectual property, which will lead to loss in market share, investor confidence, and ultimately their ability to compete and survive as a company."