How to stop them: Web scanning tools can help find application vulnerabilities, especially when combined with source code review tools and application penetration tests. The SANS Institute also recommends inspecting the Web application framework's configuration and hardening it appropriately. "No one should be engaged to write Web applications unless they can pass the GSSP Secure Software Programming exam that covers the essential security skills and knowledge that developers need to produce more secure applications," the report concludes.

Insider theft
An efficient way for spies to work is to pay inside employees to steal information. Often, there's nothing high-tech about the maneuver, Winkler says; employees simply use their existing access rights to download greater volumes of data than they ordinarily should.

How to stop them: Use a combination of access control and proactive auditing, Winkler says. For instance, if customer service representatives generally access 30 records a day, he says, and suddenly a couple of people are accessing 100 a day, that's a red flag. So is an employee who suddenly begins accessing data from home, adds Ken van Wyck, a principal consultant at KRvW Associates, a security consultancy in Alexandria, Va. "You're looking for drastic changes in behavior," he says, which can be detected through statistical anomaly detection programs.

It's also important to use the access control capabilities of the operating system, van Wyck adds. "People don't take the time to configure these very well," he says. "Many employees can access more than they need to do their job."

Another countermeasure is to disable the USB ports through the system's password-protected BIOS or use centralized tools that restrict the use of ports and external devices, according to the SANS Institute report, making it more difficult for wannabe spies to easily export the data.

Keystroke loggers
Spies that get inside buildings can do other damage, such as implementing keystroke loggers. Some of these devices e-mail the keystrokes of anyone using the computer to a predefined e-mail address, while others store keystrokes in flash memory. Many are nearly impossible to detect, such as those that attach directly to the keyboard connector. Wood knows one case where spies pretending to be office cleaners nearly stole $300 million pounds from a U.K. bank using this technique.

How to stop them: Physical inspection of the computer is the only way to detect a keystroke logger, Wood says. Because of the impracticality of doing that, one company that Wood knows of now glues all its keyboards into the system unit.

Phishing
As defined by Wikipedia, phishing is a form of social engineering in which spies use a collection of techniques to manipulate people into releasing information (such as passwords) or performing actions that compromise confidential data, such as clicking on a link that enables someone else to remotely control a machine. In fact, the SANS Institute identifies phishing as one of the biggest Internet security risks.

For example, a spy might call the help desk from a pay-as-you-go mobile phone, claim to be working at home and request that a new username and password be sent as a text message to his phone. And some spies employ what the SANS Institute calls "spear phishing," in which they send individual employees highly targeted e-mail messages that include specific information designed to make the messages look genuine. For instance, a request for usernames and passwords might appear to be from the head of human resources.

How to stop them: Wood suggests training staffers to be cautious and giving them tips on how to detect social engineering. For instance, he says, they should withhold information when callers act rushed, drop names, use intimidation, ask odd questions, or request forbidden information. There should also be clear policies as to how to report an incident and to whom.

The SANS Institute says it's important to continually raise employee awareness of these techniques, perhaps through drills that involve mock phishing attempts. Companies should also avoid exposing too much information on public Web sites, including logos and employee e-mail addresses.

Computerworld is an InfoWorld affiliate.