Nortel Breach Highlights Security Vulnerabilities of All Enterprises

Nortel is dealing with the fallout from a 10-year data breach that exposed thousands of sensitive company documents to cyber-spies. The question security experts are now asking is how many other enterprises are vulnerable to a similar attack.

The decade-long security breach at Nortel that exposed thousands of company documents is just one example of how vulnerable corporations are to cyber-espionage. What's even more worrisome is the likelihood that many businesses have been breached and are unaware of it, security experts said.

Industrial espionage is not new, as perpetrators try to bridge technology gaps by stealing from others. Companies can bypass years of research and development by somehow obtaining technical documents, prototypes and other sensitive information. This can allow them to create highly similar products or underbid competitors, because they have no research and development costs of their own to recoup.

The Internet has made spying "so much easier," Chris Petersen, CTO of LogRhythm, wrote on the company blog. It's just a matter of compromising a password, logging in to the system and getting down to business, Petersen wrote.

"How many other U.S. corporations are breached and leaking right now? Personally, I'm afraid we'd be appalled by the number; it is likely very high," Petersen said.

Nortel first discovered the breach in 2004 when its IT staff noticed a suspicious set of documents being downloaded by an executive, according to a Feb. 14 report in The Wall Street Journal. It turned out attackers had accessed the network using log-in credentials stolen from seven senior executives as early as 2000, and sensitive information was being transmitted back to a computer with a Chinese IP address.

Although some at the company were aware of the breach, Nortel's own IT security department was still discovering, as late as 2009, that spyware rootkits had been placed on some of the company's computers.

At the time, this operation would have been considered "sophisticated," but now would be considered "pedestrian," said Anup Ghosh, founder of Invincea.

The "unsettling truth" is that these types of attacks can still work today, Ghosh said. Enterprises are still focusing heavily on the network perimeter rather than also securing the inside.

The Aurora attacks, the RSA breach and other attacks identified in 2011 clearly demonstrated that corporations are under constant threat from nation-states, such as China, seeking shortcuts to technological advances, said Neil Roiter, research director of Corero Network Security.

CIOs, CTOs and CSOs have long known that this type of extended and invasive breach was a "possibility" and "likely occurring" in a number of companies, said Mike Logan, president of Axis Technology.

It is expensive and time-intensive to extensively investigate a breach, and companies often stop as soon as they get reports that everything is fine, Logan said. Nortel changed passwords and monitored certain activity before declaring the job done. It did not search extensively for other malicious activity or continue monitoring, which allowed these attacks to continue for several years.

Stopping the internal investigation too soon can be "devastating," Logan said.

The failure of Nortel, which many viewed as an "innovative and sophisticated IT company," to fully investigate and then address the risks posed by this data breach is "puzzling," Roiter said.

It's possible the company underestimated the risks eight years ago, Roiter added. Recent events may also lead to more aggressive monitoring of enterprise networks to detect suspicious outbound traffic and other activity in the event of a breach.
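The two signals that surfaced in the Nortel case, an executive account suddenly pulling a large set of documents and data leaving for an address outside the company's network, are the kind of thing the ongoing monitoring Roiter describes is meant to catch. The following is an added illustration, not code from the article or from any of the companies named in it; the log format, the per-account baseline rule, the address ranges and every value are constructed for the example.

```python
"""Toy detection pass over constructed daily activity logs: flag an account
whose document downloads spike far above its own history, and any day on
which its largest outbound transfer went to an address outside the network.
All addresses, thresholds and log rows are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed address space for "our" network; anything else counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Constructed log lines: date, account, documents downloaded that day,
# destination of the largest outbound transfer that day.
LOG_LINES = """\
2004-02-01,exec.alpha,4,10.1.1.20
2004-02-02,exec.alpha,6,10.1.1.20
2004-02-03,exec.alpha,5,10.1.1.20
2004-02-04,exec.alpha,3,10.1.1.20
2004-02-05,exec.alpha,5,10.1.1.20
2004-02-06,exec.alpha,148,203.0.113.77
2004-02-01,eng.beta,12,10.1.1.30
2004-02-06,eng.beta,14,10.1.1.30
"""

def parse(lines):
    """Turn the CSV-style text into (date, account, doc_count, dest_ip) rows."""
    rows = []
    for line in lines.splitlines():
        date, acct, count, dest = line.split(",")
        rows.append((date, acct, int(count), ip_address(dest)))
    return rows

def is_external(addr):
    """True when the address falls outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)

def flag_anomalies(rows, burst_factor=5.0, min_history=3):
    """Walk the rows in date order, building each account's own download
    history. Alert when a day's count exceeds burst_factor times that
    account's mean (after min_history days of baseline), and whenever the
    day's largest transfer went to an external destination."""
    history = defaultdict(list)
    alerts = []
    for date, acct, count, dest in sorted(rows, key=lambda r: r[0]):
        past = history[acct]
        if len(past) >= min_history and count > burst_factor * mean(past):
            alerts.append((date, acct, "download_burst", count))
        if is_external(dest):
            alerts.append((date, acct, "external_destination", str(dest)))
        past.append(count)
    return alerts
```

A real deployment would feed this from file-server and proxy logs and tune the baseline window per account; the point here is that the rule keeps running after the first incident is "closed," rather than stopping once passwords have been changed.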

The new guidelines from the U.S. Securities and Exchange Commission for organizations to disclose breaches and any security risks that may have a material impact on the company's operations may result in more disclosures, Roiter said. Companies will be more up-front about these events for the sake of the business community at large. If the guidelines had been in place even a few years ago, Nortel would likely have had to disclose the incident.

Even if Nortel was not sure what intellectual property had been stolen, the fact that computers belonging to key executives were compromised is material enough.

The guidelines will also force organizations to start thinking about preventive measures to stop the attack before it gets through the network, Ghosh said. "The more disclosure we see, the more likely we are to adopt innovative solutions that defend against these types of attacks," he said.

U.S. corporations and agencies must become more diligent and vigilant in their approach to network-security monitoring, said Petersen. Organizations can stem the leak, but they need to invest resources and effort to detect and respond to breaches. "The perimeter simply cannot hold; cyber-threats will find a way in," Petersen said.