ntxissacsc4 - intellectual property protection― cross roads between ethics, information security,...
TRANSCRIPT
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
- Bruce Schneier

Intellectual Property Protection ― Cross Roads between Ethics, Information Security, and Internal Audit
Mr. Rick Brunner, CISSP, Application Security Architect
GM Financial

Disclaimer
The views, thoughts, claims, or opinions in this presentation are solely those of the presenter.
Nothing in this presentation represents the views, thoughts, claims, or opinions of GM Financial, United States Air Force, the Air Force Reserves, the Department of Defense, or the Intelligence Community.

Objectives
• Recognize the impact and cost of Intellectual Property exfiltration
• Identify the issues of re-using work products
• Discuss techniques in mitigating threats to an Organization’s Intellectual Property

Intellectual Objects
• The expression intellectual objects refers to various forms of intellectual property
• Intellectual property consists of “objects” that are not tangible
• Non-tangible or "intellectual" objects represent creative works and inventions, i.e., the manifestations or expressions of ideas

Intellectual Property Protection Schemes
• Copyright law
• Patents
• Trademarks
• Trade secrets

Trade Secrets
• A trade secret is defined as information used in the operation of a business or other enterprise that is sufficiently valuable and secret to afford an actual or potential economic advantage over others
• Trade secrets can be used to protect
  – Formulas (such as the one used by Coca-Cola)
  – Blueprints for future projects
  – Chemical compounds
  – Process of manufacturing
Value of Intellectual Property: Components of S&P 500 Market Value
[Chart: components of S&P 500 market value for 1975, 1985, 1995, 2005 and 2009; series: Intangible Assets, Tangible Assets; y-axis 0–120]
Source: Ocean Tomo
The Landscape

The Actors
• External — External actors originate outside the victim organization and its network of partners. Typically, no trust or privilege is implied for external entities.
• Internal — Internal actors come from within the victim organization. Insiders are trusted and privileged (some more than others).
• Partners — Partners include any third party sharing a business relationship with the victim organization. Some level of trust and privilege is usually implied between business partners.
Source: Verizon’s 2013 Data Breach Investigations Report

Their Purpose
Source: Verizon’s 2013 Data Breach Investigations Report

Variety of External Actors
Source: Verizon’s 2013 Data Breach Investigations Report

Profiling Threat Actors
Source: Verizon’s 2013 Data Breach Investigations Report

Exfiltration
An unauthorized release of data from within a computer system or network
http://en.wikipedia.org/wiki/Exfiltration
Source: Trend Micro Incorporated — TrendLabs Security in Context Paper

Exfiltration — Remote User
Source: Trend Micro Incorporated — TrendLabs Security in Context Paper

Ours — Reaper UAV
http://www.hightech-edge.com/mq_9-reaper-hunter-killer-deployed-combat-missions-iraq-mq_1-rq_1-predator/2488
Source: Mandiant Overview -- “State-of-the-Hack”

Theirs — China Dragon UAV
http://www.sinodefenceforum.com/air-force/chinese-uav-ucav-development-24-3526.html
Source: Mandiant Overview -- “State-of-the-Hack”

Our F-22, Their J-20
http://aviationintel.com/wp-content/uploads/2011/05/j20f22comp.jpg

Notable Others
RSA Hacked Via Recruitment Plan
Operation Aurora http://www.pcmag.com/article2/0,2817,2391951,00.asp
http://en.wikipedia.org/wiki/File:IllegalFlowerTribute1.jpg

Exfiltration — The Employee

Insider Threat Case Database
Source: Common Sense Guide to Mitigating Insider Threats, 4th Edition http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017

Cases in Three Major Crime Types by Sector
Source: Common Sense Guide to Mitigating Insider Threats, 4th Edition http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017

Asset Attacked
Source: An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases http://repository.cmu.edu/cgi/viewcontent.cgi?article=1660&context=sei

How
Other methods?
An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases http://repository.cmu.edu/cgi/viewcontent.cgi?article=1660&context=sei
Exfiltration Breakdown – Asset Targeted
[Chart: percentage of cases (0%–100%) by asset targeted: Customer information, Source code, Business plans, Trade secrets, Internal business information, Proprietary software; and by exfiltration method: Remote network access, File/data transfer, Downloaded to personal laptop, Removable media, Host unknown, Theft of printed documents]
Case 1 – Lockheed Martin v Boeing
Lockheed Martin employee went to Boeing in 1999 for a 7.5% raise
• Lockheed Martin Intellectual Property went as well
• Employee offered to bring the entire rocket proposal with if hired (Disputed)
• Boeing personnel went through ethics training
• Boeing legal-triggered calls to Lockheed Martin and the Air Force informing them that seven pages of harmless data had been found and only viewed by 2 people
• 2003 Air Force investigation concluded that Boeing was in possession of over 22,000 pages of Lockheed Martin confidential and proprietary material

Case 2 – Deputy Assistant Secretary (DAS) of the Air Force for Acquisition and Management
Principal DAS of the Air Force for Acquisition and Management
• DAS awarded dozens of contracts to Boeing from 2000-2002, as well as controversial $23 billion procurement for leasing aerial refueling tankers
• Boeing hired their relative while still in office
• Boeing offered them a position after leaving current position
• Boeing’s CFO and former DAS pleaded guilty to violations of the conflict of interest statutes
• DAS admitted that Boeing’s favors in hiring relatives and pending employment offer influenced contracting decisions

Result
• Individuals were fired
• Lockheed Martin filed a civil suit against Boeing
• Undersecretary of the Air Force stripped Boeing of seven launches worth $1 billion and reallocated them to Lockheed Martin
• DOJ and Congressional Investigation, Decision (6/30/2006)
  – $615 million in fines
    • $565 million civil settlement
    • $50 million monetary penalty for separate criminal agreement
  – Boeing accepted responsibility for its employees
    • Continued cooperation with federal investigators
    • Maintained an effective ethics and compliance program, with particular attention in hiring former government officials and handling competitor information
• Received a 20-month suspension of 3 business units from Government contracting
http://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf

Top Reasons Employees Believe It Is Acceptable to Take Corporate Data

Key Findings
• Employees are moving Intellectual Property outside the company in all directions
• When employees change jobs, sensitive business documents often travel with them
• Employees are not aware they are putting themselves and their companies at risk
• They attribute ownership of Intellectual Property to the person who created it
• Organizations are failing to create a culture of security

Percentage Who Say a Software Developer Should Have the Right to Re-Use Code for Another Company
http://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf

Takeaways
• Insider threats are influenced by a combination of
  – Organizational
  – Behavioral
  – Technical issues
• Management, human resources, information technology, software engineering, legal, information security, internal audit and the critical data “owners”
  – Understand the overall scope of the problem
  – Communicate it to all employees in the organization.
'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together. — Bruce Schneier
Can Insiders be Stopped?
• It Depends -- Stopping them is a complex problem
• Prevented/mitigated through a layered defense strategy consisting of
  – Policies
  – Procedures
  – Technical controls
• Pay close attention to many aspects of the organization, including
  – Organizational culture
  – Business policies and procedures
  – Technical environment
• Look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used
Source: Common Sense Guide to Mitigating Insider Threats, 4th Edition http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017
Organization Culture
• Lead by example
• Create a positive work environment
• Anticipate and manage negative workplace issues
• Create an anonymous reporting system
• Know your assets
• Clearly document and consistently enforce policies and controls
Source: See “References” slide
Organization Culture (Continued)
• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior
• Develop a formalized insider threat program
• Be especially vigilant regarding social media
Source: See “References” slide

Business Policies and Procedures
• Perform regular (and unscheduled) audits
• Have a uniform data classification and privacy scheme
• Incorporate insider threat awareness into security awareness and training for all employees
• Enforce separation of duties and least privilege
• Develop a comprehensive employee termination procedure, including deactivating all known system and application access
Source: See “References” slide

Business Policies and Procedures (Continued)
• Institutionalize system change controls
• Institute stringent access controls and monitoring policies on privileged users
• Implement strict password and account management policies and practices
• Consider threats from insiders and business partners in enterprise-wide risk assessments
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities
• Develop an insider incident response plan and investigate every incident
Source: See “References” slide
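The two Business Policies slides above call for a termination procedure that deactivates all known access and for tight account management of privileged users. The slides describe the policy but not how an internal auditor would verify it was followed. The following is an added example, not from the presentation or from any of its cited sources: a reconciliation of a constructed HR roster against a constructed directory/IAM export that finds accounts the offboarding process missed. The record layouts, the user names and the finding labels are all assumptions made for this example.

```python
"""Offboarding reconciliation: terminated employees vs. still-active accounts.

Hypothetical example (not from the presentation). It joins an HR roster with a
directory/IAM export to find access that the termination procedure missed.
Every record below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    termination_date: Optional[date]   # None = still employed


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]              # None = no HR owner on record
    enabled: bool
    privileged: bool
    last_login: Optional[date]


# Constructed HR roster (hypothetical)
HR_ROSTER = [
    Employee("E100", "A. Analyst", None),
    Employee("E101", "B. Builder", date(2013, 9, 30)),
    Employee("E102", "C. Contractor", date(2013, 10, 15)),
]

# Constructed directory/IAM export (hypothetical)
ACCOUNTS = [
    Account("aanalyst", "E100", True, False, date(2013, 11, 1)),
    Account("bbuilder", "E101", True, False, date(2013, 10, 20)),       # used after leave date
    Account("bbuilder-adm", "E101", True, True, None),                 # privileged, never disabled
    Account("ccontractor", "E102", False, False, date(2013, 10, 14)),  # properly disabled
    Account("svc-legacy", None, True, True, date(2013, 11, 2)),        # privileged, no owner
]

# Day the audit is run (constructed)
AS_OF = date(2013, 11, 5)

# Lower number = more serious; used to order the report
SEVERITY = {
    "login-after-termination": 0,   # someone authenticated after the leave date
    "enabled-after-termination": 1,  # access never removed
    "privileged-no-owner": 2,        # nobody in HR can attest this account
}


def find_offboarding_gaps(hr: List[Employee], accounts: List[Account],
                          as_of: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs, most serious first."""
    term_by_id = {e.emp_id: e.termination_date for e in hr}
    findings = []
    for a in accounts:
        if a.emp_id not in term_by_id:
            # Unknown or missing owner: only worth flagging when the account is privileged
            if a.privileged:
                findings.append((a.username, "privileged-no-owner"))
            continue
        term = term_by_id[a.emp_id]
        if term is None or term > as_of:
            continue  # current employee, nothing to flag
        if a.last_login is not None and a.last_login > term:
            findings.append((a.username, "login-after-termination"))
        if a.enabled:
            findings.append((a.username, "enabled-after-termination"))
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))


def run_audit() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed data."""
    return find_offboarding_gaps(HR_ROSTER, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:15} {finding}")
```

The join key is the HR employee id rather than the account name, because a terminated person's secondary and administrative accounts (here `bbuilder-adm`) are exactly the ones an offboarding checklist tends to miss. The login-after-termination finding is the one to investigate first; it is evidence that the gap was actually used, not merely that it exists.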
Technical Environment
• Implement internal controls commensurate with the sensitivity of the data or information
• Implement secure backup and recovery processes
• Track and secure the physical environment
• Monitor and control remote access from all endpoints, including mobile devices, and use layered defenses
Source: See “References” slide

Technical Environment (Continued)
• Use centralized logging and correlation capability to log and monitor employee, application, system, and network actions
• Establish a baseline of normal network device behavior
• Close the doors to unauthorized data exfiltration
• Consider insider threats in the software development lifecycle
Source: See “References” slide
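The two Technical Environment slides ask for centralized logging with correlation, a baseline of normal behavior, and monitoring of the exfiltration channels the earlier breakdown chart lists (remote network access, file transfer, removable media). As an added illustration of how those three bullets fit together in practice, and not code from the presentation or its sources, the following builds a per-user egress baseline from a constructed log sample, then scores one review day by correlating three independent signals. The log line format, the field names, the hour range treated as off-hours and the byte thresholds are all assumptions standing in for whatever a real SIEM would normalize.

```python
"""Baseline-and-correlate detection over centralized logs (hypothetical example).

Not from the presentation. The log lines are constructed; the line format
(ISO timestamp, source name, key=value fields) is an assumption. A per-user
egress baseline is learned from the days before the review day, and the review
day is scored on three signals: egress volume far above baseline, off-hours
egress, and large writes to removable media. Two or more signals on the same
user escalate the alert.
"""
import re
import statistics
from collections import defaultdict
from datetime import date, datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) (?P<kv>.*)$")

MIN_ANOMALY_BYTES = 50_000_000   # floor so a quiet baseline does not fire on noise
OFF_HOURS_BYTES = 100_000_000    # off-hours egress above this is a signal
USB_BYTES = 100_000_000          # removable-media write above this is a signal
REVIEW_DAY = date(2013, 11, 6)   # the day under review (constructed)

# Constructed sample: five quiet days per user, then the review day
SAMPLE_LOG = "\n".join(
    [f"2013-11-0{d}T10:00:00 egress user=aanalyst dst=198.51.100.7 bytes={b}"
     for d, b in zip(range(1, 6), [100000, 120000, 90000, 110000, 130000])]
    + [f"2013-11-0{d}T11:00:00 egress user=bbuilder dst=198.51.100.7 bytes={b}"
       for d, b in zip(range(1, 6), [200000, 210000, 190000, 205000, 195000])]
    + [
        "2013-11-06T10:30:00 egress user=aanalyst dst=198.51.100.7 bytes=115000",
        "2013-11-06T02:05:00 egress user=bbuilder dst=203.0.113.10 bytes=4000000000",
        "2013-11-06T23:30:00 usb user=bbuilder action=write bytes=2000000000",
        "2013-11-06T14:00:00 usb user=ccontractor action=write bytes=600000000",
        "garbage line that should be skipped",
    ]
)


def is_off_hours(ts: datetime) -> bool:
    """Assumed working day is 07:00-19:59; everything else is off-hours."""
    return ts.hour < 7 or ts.hour >= 20


def parse(log_text):
    """Yield (datetime, source, fields) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "=" not in m["kv"]:
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        yield datetime.fromisoformat(m["ts"]), m["src"], fields


def daily_egress(events):
    """{user: {date: total egress bytes}} built from egress events only."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, f in events:
        if src == "egress":
            totals[f["user"]][ts.date()] += int(f["bytes"])
    return totals


def baseline(totals, day):
    """Per-user threshold = mean + 3*stdev of daily egress on days before `day`."""
    thresholds = {}
    for user, per_day in totals.items():
        hist = [b for d, b in per_day.items() if d < day]
        if len(hist) < 2:
            continue  # not enough history to baseline this user
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        thresholds[user] = max(mean + 3 * sd, MIN_ANOMALY_BYTES)
    return thresholds


def score_day(log_text, day):
    """Return {user: sorted signal names} for users with at least one signal on `day`."""
    events = list(parse(log_text))
    totals = daily_egress(events)
    thresholds = baseline(totals, day)
    signals = defaultdict(set)
    for user, per_day in totals.items():
        if user in thresholds and per_day.get(day, 0) > thresholds[user]:
            signals[user].add("egress-above-baseline")
    for ts, src, f in events:
        if ts.date() != day:
            continue
        user, nbytes = f["user"], int(f["bytes"])
        if src == "egress" and is_off_hours(ts) and nbytes > OFF_HOURS_BYTES:
            signals[user].add("off-hours-egress")
        if src == "usb" and f.get("action") == "write" and nbytes > USB_BYTES:
            signals[user].add("removable-media-write")
    return {u: sorted(s) for u, s in signals.items()}


def triage(signals):
    """Correlate: two or more independent signals on one user escalate to 'high'."""
    return {u: ("high" if len(s) >= 2 else "medium") for u, s in signals.items()}


def run_review():
    """Score the constructed sample for REVIEW_DAY; returns (signals, triage)."""
    signals = score_day(SAMPLE_LOG, REVIEW_DAY)
    return signals, triage(signals)


if __name__ == "__main__":
    found, levels = run_review()
    for user in sorted(found):
        print(f"{user:15} {levels[user]:6} {', '.join(found[user])}")
```

Each signal on its own is noisy: a legitimate backup can push egress far above baseline, and a single USB write is routine in many shops. The value of the centralized log the slide asks for is the correlation step, where the same user tripping two unrelated channels on one day is what separates the review-worthy case from the background. The absolute floor on the baseline threshold matters too; without it, a user whose normal egress is a few hundred kilobytes would be flagged for every slightly larger attachment.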
References
• Common Sense Guide to Mitigating Insider Threats, 4th Edition http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017
• Eight Tips To Prevent Employee Theft and Fraud http://www.allbusiness.com/prevent-employee-theft-fraud/16704398-1.html
• What's Yours is Mine: How Employees are Putting Your Intellectual Property at Risk http://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf
• Data Discovery and Classification in Five Easy Steps http://trendedge.trendmicro.com/pr/tm/te/document/DLP_Data_Discovery_and_Classification_in_5_Steps_090630.pdf
• The CERT® Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), ISBN-13: 978-0-321-81257-5, ISBN-10: 0-321-81257-3