By: Nigel Stanley, Practice Leader - IT Security, Bloor Research
Published: 20th December 2011
Copyright Bloor Research © 2011
Criminals are criminals. Although there are some novel crimes committed against computer systems, almost all of these crimes fit into the mould of good old-fashioned offences such as theft, fraud and harassment. Unfortunately the often remote, cross-jurisdictional and complex technical nature of many computer crimes makes these offences far more difficult to investigate and successfully prosecute. Physical crimes are normally so much more straightforward to deal with.
Another complicating factor of computer crime is the sheer scale of the offences being committed. Adding more zeros to a fraudulent bank transfer is easy - so why not go for tens of millions rather than just millions? Creating a Botnet controlling 5 computers is as easy as creating a Botnet of 5 million.
Intellectual property theft and industrial espionage have been around ever since one person was seen to have a better idea than another. The problem with computerised intellectual theft is that we see the stealing of designs, plans and technical documents on an industrial scale - way beyond the imagination of a cold war spy equipped with a micro camera.
We now face organised attempts to steal intellectual property in whatever form it may take. It seems to me that, in many cases, there are organised attempts to suck up as much intellectual property as can possibly be found.
Motivations may be commercial espionage or, in many instances though this is difficult to prove, state-sponsored espionage designed to enable, in the main, emerging economies to accelerate their growth.
Much of the reporting around this area is accompanied by a nudge and a wink, with the usual state perpetrators alluded to rather than open and direct accusations being made, probably as the diplomatic fallout could be considerable. With the current state of western economies, upsetting the provider of your country's national loan may not be the wisest of strategies.
Returning from the macro to the micro, what can companies and organisations do today to protect their intellectual property?
The good news is that by applying some good user education and sound, proven technologies most intellectual property attacks can be thwarted. In many instances these attacks are successful due to people doing silly things rather than deliberate theft. I call this type of inside threat the incompetent and non-malicious rather than the competent and malicious. Accidentally sending an email attachment to the wrong email address can happen all too often; we have all seen it and maybe done it.
The ability of many email client applications to automatically resolve addresses is often to blame, as one Fred Smith may be your boss and another Fred Smith may be your competitor. A couple of years ago this type of problem was attracting the attention of IT security vendors selling data loss prevention products, designed to stop just such accidental leaks. This was done by building up a data flow knowledge base and trapping out-of-course errors. Unfortunately, for a number of reasons, this type of solution didn't take off as much as I thought it might do. I think this was down to implementation issues and the fact that this type of intelligence-based solution is quite difficult to get right.
Tools and Technologies
There are a number of tools and technologies placed to help protect against intellectual property loss or theft. There is no silver bullet and technologies across all of these areas will need to be carefully considered.
Turning plain data into unreadable gibberish using encryption enables a business to protect its data. Modern day encryption technologies are effectively unbreakable without a suitable key and the implementation of a good system should not see any detrimental effect on speed of data transfer or a slowing of business systems. The encryption system should include recovery and accessibility options so that in both the short term and long term the data can be made available to the business. Key management is a vital part of any data encryption strategy.
There are increasing amounts of technology that can detect a pattern of behaviour symptomatic of an inside threat. Intrusion detection systems, coupled with intrusion prevention systems working as a form of smart firewall, can be extremely useful tools.
Access controls enable an audit trail such that if there is a data leak it can be traced back to a likely culprit. Combining identity management with a separation of duties strategy can reduce the likelihood of any one individual having such a holistic view of systems that they could compromise the data by themselves. A strategy of "least privileges" to do their job should be implemented for all staff.
As emails are now regarded on the same legal basis as a note on headed paper, outbound emails can easily violate a company's security policy either following a deliberate act or one of incompetence. Putting in place tools to enforce best practice email management can help reduce this risk. These tools can also reduce the chances of intellectual property slipping out unnoticed.
Preventing the download of a customer or product design database is probably high up on the agenda for anyone monitoring an inside threat. Some attacks can be more sinister and less obvious than an entire download, such as financial data being queried at the wrong time of year. By adding a database assurance layer to the threat protection matrix you can detect and deal with any out-of-course or abnormal database access behaviour.
By putting in place an Enterprise Security Management product it is possible to have a holistic view of your inside threat from a central monitoring point. Risk can be uncovered by monitoring contextual data to see what is going on inside the business and algorithms used to flag unusual or threatening behaviour in real time. These issues can be flagged to IT or the business for immediate, appropriate action.
Inappropriate or unusual web-based activity can be an indicator that there may be an emerging inside threat. By using a tool to help enforce corporate web usage and Instant Messaging guidelines you can also detect an inside threat in real time, be it reputational as users visit unauthorised sites, or a more direct threat as they start a business in direct competition to their employer.
Software development is complex at the best of times - but how do you know that one of your developers has not written code that either accidentally or deliberately compromises your product or internal systems? Few IT security professionals understand software development as well as they do IT security, and this weakness can and has been exploited by developers.
Monitoring data as it moves through an organisation is critical, as it can easily be diverted to a USB key and taken outside the business with a couple of mouse clicks. By putting in place a data loss management system each data move can be monitored and unusual movements flagged for immediate action. Contextualising data access is important, for example product design data being accessed from home at 3 am on a Sunday morning could be suspicious.
Solutions are now available that can restrict device and port control at an extremely granular level, such as defining specific data that can be copied to a specific USB key with a particular serial number. These products will often use encryption technologies to protect data on the USB key.
Users, maybe frustrated with poor applications, can very easily start to threaten the stability of a software estate. Tools and policies need to be implemented and then monitored to ensure that only approved software is loaded and used. Unlicensed software can also prove a reputational risk as it is illegal to use and the associated publicity can be an embarrassment.
Anti Virus and Malware has a big part to play in terms of offering a basic line of defence, and good quality advice, training and consultancy at the right time can save an organisation a lot of time and money. The more objective the advice, the more valuable it is likely to be.
The Smartphone Risk
I do want to mention what I consider to be a big threat to intellectual property protection and that is the huge increase in the use of smartphones. Every company I work with has an executive team fully equipped with these fantastic tools that I believe are the most intimate form of IT we have ever had. We take them everywhere and their capability is every bit as good as fully fledged PCs were only a few years ago. Unfortunately smartphones are now coming under the spotlight of hackers and malcontents as they fully understand that the value of intellectual property on these devices can be significant. This data is often the freshest and most relevant to the business being targeted as it is residing on executives' mobile devices ready for immediate access.
The security industry has failed to embrace these devices as quickly as the consumer, resulting in some major security issues remaining unfixed, increasing smartphone vulnerability. For many companies, securing these devices should be a top of the list priority.
The threat to intellectual property is very real. Even the most motivated, committed and enthusiastic staff can and will make mistakes that may result in significant data loss. By investing in appropriate technology solutions coupled with regular staff training and awareness sessions to mitigate your inside threat, you are taking proactive steps that should see this problem significantly reduce.
Posted: 20th December 2011 | By Stephen Ghilchrist :
Great post, I agree with your comments.
Posted: 22nd December 2011 | By Richard Rosen :
This is a good compilation of data security practices. I like particularly your mention of having "a holistic view of your inside threat from a central monitoring point" "to see what is going on inside the business". I have worked with many companies to implement a simple enough tool, but one frequently not mentioned: employee computer monitoring at the endpoint. It records and archives everything done on a PC. Behavioral flags can be set. And should an audit trail be needed, it's there, easy to search, saving a lot of that pain-in-the-neck time of combing through logs and invariably failing to come up with everything you need.
The smartphone risk you note is going to explode in awareness in my opinion when a high value incident is regaled in the media. My experience with this looming threat so far is out-of-sight-out-of-mind.
Similar to smartphone risk is off-network laptops, either stolen or lost, at which point the data can become more valuable to the thief than the laptop. This risk extends to employees who feel they're home free when off network and can send the crown jewels to their USB drives without any chance of being found out. Fortunately, there are applications that prevent intellectual property from leaving the laptop, pinpoint its location, retrieve and delete data - and it will actually capture the identity of the thief! What a good feeling when Mr. Thief receives an email identifying him and a FedEx number with which to send the laptop lest his next appointment be with the police.
As my mother would say, better to learn from another's mistakes than your own. Let's hope your words fall on ears that hear.
Published by: IT Analysis Communications Ltd.