228 ◾ Security Strategy: From Requirements to Reality
The ability to distract a commander or divert forces by causing catastrophic events like flooding
(opening dam flood gates), explosions, and fires (power grid overloads) is equally as effective. In
the past these attacks required physical access; today, they can be carried out from anywhere due
to the wonders of the Internet and computerized control systems. These types of offensive activities
are usually confined to military and government intelligence agencies where time, effort, and
costs are not significant factors. Information warfare has three primary attributes: reconnaissance,
acquisition, and disruption. Reconnaissance in offensive terms is learning about your enemy’s
strengths, weaknesses, plans, and schedules. Information can be gathered by compromising e-mail
accounts, eavesdropping on Web conferences, intercepting message transmissions, and the like.
Acquisition is gaining access to an enemy asset for sabotage, theft, tampering, or monitoring
purposes. Attacks include password cracking, buffer overflow exploits, SQL injection, and others.
Disruption is using an acquired asset or other means to disrupt or deny your enemy access to
critical information or functions. Destruction of data, logic bombs, equipment shutdowns, and
falsification of critical data are some of the options. When these activities are controlled by the
military or government agencies (e.g., the CIA), a fair number of checks and balances can be in
place to prevent abuses. Outside of the military and government purview, these skills can be used
for corporate espionage.
Corporate espionage is the gathering of intelligence that can be used to maintain or gain competitive
or financial advantage. According to the Society of Competitive Intelligence Professionals
(SCIP), corporations spend more than $2 billion annually to keep tabs on one another. While
SCIP promotes ethical techniques for information gathering, there are many less ethical techniques
that can produce more desirable results. Hacking into computer systems to acquire client
lists, personnel records, financial data, trade secrets, pricing information, production plans, and
research and development data is one such technique that is well suited to a hacker skill set. Other
“softer” techniques such as social engineering can be used to gain entrance into online corporate
conferences (i.e., NetMeeting, WebEx, etc.), social networks, and collaboration shares. While the
world tends to view hacking as illustrating technical skills, Kevin Mitnick is more famous for
his social engineering skills. In his book The Art of Deception, Mitnick points out how worthless
firewalls, encryption, and other technical controls are against a gifted social engineer. Ira Winkler,
in his book Corporate Espionage, details a number of different techniques he has used to exploit
human targets.
Although we certainly do not advocate unethical techniques for intelligence gathering, if this
is one of your strategic objectives, hiring a hacker may be a good tactic. There is one caveat, however:
Make sure you keep a good eye on their activities lest their efforts be turned inward and you
become the target.
How to Use This Tactic for Offense
Maintaining an offensive hacking capability is an expensive proposition and the primary reason
why these activities are usually confined to military and government agencies. Part of the expense
is related to hiding the activity from the ones being targeted, and the other is providing the means
necessary to properly monitor agent activities to identify and thwart potential abuses. Most nongovernment
entities outsource offensive intelligence gathering to a competitive intelligence (CI)
professional (i.e., an ethical corporate spy); the exception might be large enterprises involved in
highly competitive endeavors. These organizations may choose to keep some intelligence gathering
activities in-house. It really depends on the level of intelligence needed, the effort required to
gather it, and the costs involved.