Besides people, a company’s most valuable asset is its intellectual property. Because of this, organizations must ensure that they’re doing all they can to protect this vital asset.
Smart Business spoke with Rockie Brockway, GSEC, GCIH, GSNA, Cisco TSS/Security, the security practice director for LOGOS Communications, Inc. dba Black Box Network Services, about intellectual property and what businesses should be doing to protect their valuable data.
What threats do companies face when it comes to their intellectual property?
Cybercrime has evolved over the last two decades, from brute force attacks for bragging rights in the ‘hacker’ communities to billion-dollar black and grey market profit centers. Today, we are seeing very sophisticated tools that can control millions of hacked ‘zombie’ computers for a single purpose, like mass spamming or attacking other Internet resources. And, these tools come with 800 numbers for live tech support just like any other software you might purchase at your favorite home electronics chain. The bottom line today is that it is easier and cheaper for new or developing companies to purchase stolen trade secrets in an effort to be competitive than it is to develop it themselves, and such incentive opportunities will always create markets, legal or not. This demand translates into exceptionally ingenious ways to exfiltrate critical intellectual property from organizations and presents a large challenge for the security industry as a whole to keep up with the innovations being developed as a result of these new markets.
The other primary threat to an organization’s intellectual property is geo-political in its nature — state-sponsored hacking with the intent to gather as much competitive intelligence not only through stolen IP and trade secrets but also through business methodologies in an effort to try to get a leg up on other countries in these shaky economic times.
What are some ways data can be stolen?
Lost USB sticks, stolen laptops, improper disposal of documents, disgruntled employees, third-party vendors, not to mention targeted hacking attempts and even ‘hacktivism.’ If you can think of a vector for data loss it probably can be done. But the tried-and-true threat vector in the war against data loss ends up being the human factor and social engineering, which has also vastly improved in the last decade. Today, spear and whale phishing high-impact targets, such as CEOs, presidents and board members, and getting them to navigate to a website that installs a malicious application that hasn’t been seen before is commonplace and once that foothold is in place, a little patience goes a long way. If you look at the recent slew of high-profile attacks that resulted in severe data loss like RSA, Oak Ridge Labs and others they all share the same MO — targeted spear phishing, malicious code execution, staying low and under the radar of existing security countermeasures and data exfiltration.
What preventive measures should companies put in place?
Process is key here, and the object is not to panic and throw solutions in place without having a clear understanding of what you are trying to protect, its impact on the business should they be stolen (or worse), the assets that support the business's critical data and the security compromises and risk the business is willing to accept — basic risk management, which unfortunately can be easily overlooked. This process defines the corporate security policies and comprises the strategic half of a good security model. The tactical half of the model is defined by these policies and needs to protect, detect and react to threats. Given the mobile nature of information technology, endpoint host protections are a must, and I am a big advocate of application whitelisting technology. If an organization has the ability to inventory and classify business-use applications, then whitelisting can be utilized to only allow those approved applications to be able to run on the user systems. For most organizations, malware doesn’t constitute a business-use application so it isn’t allowed to execute. And apart from the obvious countermeasures, such as firewalls and encryption use, identity and event correlation are also crucial to a strong security posture. Again, with the adoption of BlackBerrys, iPhones, iPads, Android devices and other mobile platforms, organizations cannot simply rely on their traditional perimeter defenses to protect their intellectual property. Security industry guru Richard Bejtlich recently tweeted that ‘identity is the new corporate perimeter’ and that is a very astute observation. On the correlation side, security information and event management (SIEM) systems gather, analyze and present information from network and security devices, vulnerability and identity management tools, OS and database logs and policy compliance tools and correlate and prioritize the data for not only lower administrative overhead but also for auditing and incident response.
How can businesses thwart attacks?
The answer to this question is almost always tied to the adjacent question, ‘Who is accountable if security is breached?’ Security is very subjective so there needs to be a powerful advocate within the organization that has the ability to fight the appropriate battles when necessary in order to ensure security isn’t glossed over as another optional insurance policy. That, combined with the adoption of an enterprise risk management program that weighs the business risks of everything from third-party vendor access to business critical assets to personal mobile devices on the business networks truly gives organizations the leg up on defending their business. One specific action that I highly endorse is the development of a real security awareness program, and not one that exists solely to satisfy a compliance audit checkbox. Regular awareness training can significantly reduce the potential for success of spear-phishing attacks and other social engineering efforts. Another idea is corporate peer groups, meetings of representatives of organizations in the same or similar verticals to discuss what they are seeing, what works, what does not work and share information security best practices and war stories. There is great value in measuring yourself to your immediate peers in terms of security statistics and practices.
What if, despite a business’s best efforts, IP theft occurs?
There are many variables that go into this equation, but in general, the process should go detect, disconnect from the Internet, determine the root cause of the data leakage, fix it, clean up and then resume operations. This is where the enterprise risk management program should already have answered questions like ‘Can the business afford to disconnect from the Internet in the event of a security incident?’ and ‘Should we make a public statement that could potentially harm our reputation?’ Your legal department should most definitely be involved in this process. Involving the appropriate local, state and/or federal authorities is a must. Both the FBI and Secret Service have been investigating security incidents for decades and are highly qualified to provide expert guidance during the investigation.
How can businesses ensure departing employees won’t take intellectual property with them?
The quick and dirty answer is through data loss prevention (DLP) systems. DLP systems give organizations the ability to classify certain data as important and then assign policies to those documents or files. Policies can range from very simple, such as blocking any outbound e-mails that contains Social Security numbers, to more complex rules, such as only members of the executive board are allowed to write documents classified as containing intellectual property to a USB drive. In reality, however, such systems can be cost-prohibitive to many organizations in the SMB market and many find themselves trying to piece together several disparate technologies with higher administrative overhead to accomplish similar results. Like security itself, the balance between capital expenses versus operating expenses is always going to be different from company to company and may dictate which controls are feasible and which are not.
How can businesses best handle having facilities in areas around the world that may be attempting to steal their intellectual property?
This is a continuing and evolving issue for many global organizations. Some have taken the view that any data that is accessible by users in facilities in certain countries should already be considered as compromised. For these businesses, the strategic action plan becomes one focused on designing system and network controls with the ability to enforce the principle of least privilege on the one hand but do not hinder any employees’ ability to do their jobs. Identity is critical in these situations, as is the ability to restrict who has access to sensitive information and control access to removable media. Some organizations are now deploying virtual desktop farms in these regions to address some of their concerns around losing intellectual property, so their sensitive data does not actually reside in these facilities. Others have decided that a certain level of data loss is an acceptable business risk of having facilities is these areas and keep their actual crown jewels under lock and key. At the end of the day, the business must make the decision on what is and is not acceptable and those decisions must be made through the organization’s enterprise risk management process.
Rockie Brockway, GSEC, GCIH, GSNA, Cisco TSS/Security, is the security practice director for LOGOS Communications, Inc. dba Black Box Network Services. Reach him at (440) 250-3673 or email@example.com.