“Ifyouthinktechnologycansolveyoursecurityproblems,thenyoudon’tunderstandtheproblemsandyoudon’tunderstandthetechnology.”

- BruceSchneier

IntellectualPropertyProtection―CrossRoadsbetweenEthics,Information

Security,andInternalAudit

Mr.RickBrunner,CISSPApplicationSecurityArchitect

GMFinancial

Disclaimer

Theviews,thoughts,claims,oropinionsinthispresentationaresolelythoseofthepresenter.

Nothinginthispresentationrepresentstheviews,thoughts,claims,oropinionsofGMFinancial,UnitedStatesAirForce,theAirForceReserves,theDepartmentofDefense,ortheIntelligenceCommunity.

Objectives

• RecognizetheimpactandcostofIntellectualPropertyExfiltration

• Identifytheissuesofre-usingworkproducts• DiscusstechniquesinmitigatingthreatstoanOrganization’sIntellectualProperty

IntellectualObjects• Theexpressionintellectualobjects referstovariousformsofintellectualproperty

• Intellectualpropertyconsistsof“objects”thatarenottangible

• Non-tangibleor"intellectual"objectsrepresentcreativeworksandinventions,i.e.,themanifestationsorexpressionsofideas

IntellectualPropertyProtectionSchemes

• Copyrightlaw• Patents• Trademarks• Tradesecrets

TradeSecrets

• AtradesecretisdefinedasInformationusedintheoperationofabusinessorotherenterprisethatissufficientlyvaluableandsecrettoaffordanactualorpotentialeconomicadvantageoverothers

• Tradesecretscanbeusedtoprotect– Formulas(suchastheoneusedbyCoca-Cola)– Blueprintsforfutureprojects– Chemicalcompounds– Processofmanufacturing

ValueofIntellectualPropertyComponentsofS&P500MarketValue

0

20

40

60

80

100

120

1975 1985 1995 2005 2009

IntangibleAssets

TangibleAssets

Source:OceanTomo

TheLandscape

TheActors• External—External actors originate outside the victim

organization and its network of partners. Typically, no trust or privilege is implied for external entities.

• Internal—Internal actors come from within the victim organization. Insiders are trusted and privileged (some more than others).

• Partners—Partners include any third party sharing a business relationship with the victim organization. Some level of trust and privilege is usually implied between business partners

Source:Verizon’s2013DataBreachInvestigationsReport

TheirPurpose

Source:Verizon’s2013DataBreachInvestigationsReport

VarietyofExternalActors

Source:Verizon’s2013DataBreachInvestigationsReport

ProfilingThreatActors

Source:Verizon’s2013DataBreachInvestigationsReport

ExfiltrationAnunauthorizedreleaseofdatafromwithinacomputersystemornetworkhttp://en.wikipedia.org/wiki/Exfiltration

Source:TrendMicroIncorporated—TrendLabs SecurityinContextPaper

Exfiltration— RemoteUser

Source:TrendMicroIncorporated—TrendLabs SecurityinContextPaper

Ours—ReaperUAV

http://www.hightech-edge.com/mq_9-reaper-hunter-killer-deployed-combat-missions-iraq-mq_1-rq_1-predator/2488

Source:Mandiant Overview--“State-of-the-Hack”

Theirs—ChinaDragonUAV

http://www.sinodefenceforum.com/air-force/chinese-uav-ucav-development-24-3526.html

Source:Mandiant Overview--“State-of-the-Hack”

OurF-22,TheirJ-20

http://aviationintel.com/wp-content/uploads/2011/05/j20f22comp.jpg

NotableOthers

RSA Hacked Via Recruitment Plan

OperationAurorahttp://www.pcmag.com/article2/0,2817,2391951,00.asp

http://en.wikipedia.org/wiki/File:IllegalFlowerTribute1.jpg

Exfiltration—TheEmployee

InsiderThreatCaseDatabase

Source:CommonSenseGuidetoMitigatingInsiderThreats,4thEditionhttp://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017

CasesinThreeMajorCrimeTypesbySector

Source:CommonSenseGuidetoMitigatingInsiderThreats,4thEditionhttp://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017

AssetAttacked

Source:AnAnalysisofTechnicalObservationsinInsiderTheftofIntellectualPropertyCaseshttp://repository.cmu.edu/cgi/viewcontent.cgi?article=1660&context=sei

How

Other methods?

AnAnalysisofTechnicalObservationsinInsiderTheftofIntellectualPropertyCaseshttp://repository.cmu.edu/cgi/viewcontent.cgi?article=1660&context=sei

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Customerinformation

Sourcecode Businessplans Tradesecrets Internalbusiness

information

Proprietarysoftware

E-mail

Remotenetworkaccess

File/datatransfer

Downloadedtopersonallaptop

Removablemedia

Hostunknown

Theftofprinteddocuments

ExfiltrationBreakdown– AssetTargeted

Case1– LockheedMartinvBoeingLockheedMartinemployeewenttoBoeingin1999fora7.5%raise• LockheedMartinIntellectualPropertywentaswell• Employeeofferedtobringtheentirerocketproposalwith

ifhired(Disputed)• Boeingpersonnelwentthroughethicstraining• Boeinglegal-triggeredcallstoLockheedMartinandthe

AirForceinformingthemthatsevenpagesofharmlessdatahadbeenfoundandonlyviewedby2people

• 2003AirForceinvestigationconcludedthatBoeingwasinpossessionofover22,000pagesofLockheedMartinconfidentialandproprietarymaterial

Case2– DeputyAssistantSecretary(DAS)oftheAirForceforAcquisitionandManagement

PrincipalDASoftheAirForceforAcquisitionandManagement• DASawardeddozensofcontractstoBoeingfrom2000-2002,

aswellascontroversial$23billionprocurementforleasingArielrefuelingtankers

• Boeinghiredtheirrelativewhilestillinoffice• Boeingofferedthemapositionafterleavingcurrentposition• Boeing’sCFOandformerDASpleadedguiltytoviolationsof

theconflictofintereststatues• DASadmittedthatBoeing’sfavorsinhiringrelativesand

pendingemploymentofferinfluencedcontractingdecisions

Result• Individualswerefired• LockheedMartinfiledacivilsuiteagainstBoeing• UndersecretaryoftheAirForcestrippedBoeingofseven

launchesworth$1billionandreallocatedthemtoLockheedMartin

• DOJandCongressionalInvestigation,Decision(6/30/2006)– $615millioninfines

• $565millioncivilsettlement• $50millionmonetarypenaltyforseparatecriminalagreement

– Boeingacceptedresponsibilityforitsemployees• Continuedcooperationwithfederalinvestigators• Maintainedaneffectiveethicsandcomplianceprogram,withparticularattentioninhiringformergovernmentofficialsandhandlingcompetitorinformation

• Receiveda20-monthsuspensionof3businessunitsfromGovernmentcontracting

http://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf

TopReasonsEmployeesBelieveItIsAcceptabletoTakeCorporateData

Key Findings• Employees are moving Intellectual Property outside the company in all directions• When employees change jobs, sensitive business documents often travel with them• Employees are not aware they are putting themselves and their companies at risk• They attribute ownership of Intellectual Property to the person who created it• Organizations are failing to create a culture of security

PercentageWhoSayaSoftwareDeveloperShouldHavetheRighttoRe-UseCodeforAnotherCompany

http://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf

Takeaways• Insiderthreatsareinfluencedbyacombinationof

– Organizational– Behavioral– Technicalissues

• Management,humanresources,informationtechnology,softwareengineering,legal,informationsecurity,internalauditandthecriticaldata“owners”– Understandtheoverallscopeoftheproblem– Communicateittoallemployeesintheorganization.

'Securityisanotaproduct,butaprocess.'It'smorethandesigningstrongcryptographyintoasystem;it'sdesigningtheentiresystemsuchthatallsecuritymeasures,includingcryptography,worktogether. —

BruceSchneier

CanInsidersbeStopped?• ItDepends--Stoppingthemisacomplexproblem• Prevented/mitigatedthroughalayereddefensestrategyconsistingof

– Policies– Procedures– Technicalcontrols

• Paycloseattentiontomanyaspectsoftheorganization,including– Organizationalculture– Businesspoliciesandprocedures– Technicalenvironment

• Lookbeyondinformationtechnologytotheorganization’soverallbusinessprocessesandtheinterplaybetweenthoseprocessesandthetechnologiesused

Source:CommonSenseGuidetoMitigatingInsiderThreats,4thEditionhttp://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017

OrganizationCulture• Leadbyexample• Createapositivework

environment• Anticipateandmanage

negativeworkplaceissue• Createananonymous

reportingsystem• Knowyourassets• Clearlydocumentand

consistentlyenforcepoliciesandcontrols

Source:See“References”slide

OrganizationCulture(Continued)

• Beginningwiththehiringprocess,monitorandrespondtosuspiciousordisruptivebehavior

• Developaformalizedinsiderthreatprogram

• Beespeciallyvigilantregardingsocialmedia

Source:See“References”slide

BusinessPoliciesandProcedures• Performregular(and

unscheduled)Audits• Haveuniformdataclassification

andprivacyscheme• Incorporateinsiderthreat

awarenessintosecurityawarenessandtrainingforallemployees

• Enforceseparationofdutiesandleastprivilege

• Developacomprehensiveemployeeterminationprocedure,includingdeactivatingallknownsystemandapplicationaccess

Source:See“References”slide

BusinessPoliciesandProcedures(Continued)

• Institutionalizesystemchangecontrols• Institutestringentaccesscontrolsand

monitoringpoliciesonprivilegedusers• Implementstrictpasswordand

accountmanagementpoliciesandpractices

• Considerthreatsfrominsidersandbusinesspartnersinenterprise-wideriskassessments

• Defineexplicitsecurityagreementsforanycloudservices,especiallyaccessrestrictionsandmonitoringcapabilities

• Developaninsiderincidentresponseplanandinvestigateeveryincident

Source:See“References”slide

TechnicalEnvironment

• Implementinternalcontrolscommensuratewiththesensitivityofthedataorinformation

• Implementsecurebackupandrecoveryprocesses

• Trackandsecurethephysicalenvironment

• Monitorandcontrolremoteaccessfromallendpoints,includingmobiledevices,anduselayereddefenses

Source:See“References”slide

TechnicalEnvironment(Continued)

• Usecentralizedloggingandcorrelationcapabilitytologandmonitoremployee,application,system,andnetworkactions

• Establishabaselineofnormalnetworkdevicebehavior

• Closethedoorstounauthorizeddataexfiltration

• Considerinsiderthreatsinthesoftwaredevelopmentlifecycle

Source:See“References”slide

References• CommonSenseGuidetoMitigatingInsiderThreats,4thEdition

http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017

• EightTipsToPreventEmployeeTheftandFraudhttp://www.allbusiness.com/prevent-employee-theft-fraud/16704398-1.html

• What'sYoursisMine:HowEmployeesarePuttingYourIntellectualPropertyatRiskhttp://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf

• DataDiscoveryandClassificationinFiveEasyStepshttp://trendedge.trendmicro.com/pr/tm/te/document/DLP_Data_Discovery_and_Classification_in_5_Steps_090630.pdf

• TheCERT®GuidetoInsiderThreatsHowtoPrevent,Detect,andRespondtoInformationTechnologyCrimes(Theft,Sabotage,Fraud)ISBN-13:978-0-321-81257-5,ISBN-10:0-321-81257-3