Protecting Our Data

Monday, July 04, 2011

Michael Fisher


We all talk about protecting our data. But what are we really protecting? Is all of our data really worth protecting? And to what extent or to what level?

Does the spreadsheet that I created at work to keep track of my son’s ERA as a pitcher on his little league team need to be protected? Do my requests for time off need to be replicated, backed up and secured from theft?

Does all of the documentation on the latest company project that might lead to a patent for a valuable product need protecting? 

What do all these items have in common? They are all documents of one sort or another. But the last item, the item that could make or break my company, is critical and is more than a piece of paper or series of papers, project information, points of failure, points of success, etc.

It is Intellectual Property and as such needs to be protected like a newborn baby, because if the diaper falls off at the wrong moment or is removed by our nanny at the wrong time we will have more than a mess on our hands.

So we applied for a patent, but it expires 20 years after the original filing date. But what about the “documentation”, the intellectual property that led us to this point? Guess what? It never expires. So while we are spending millions to protect our patent, doesn’t it also make sense to protect our intellectual property?

So Bob in accounting has decided he has had enough with his boss and has decided to leave and take a job with a competitor. Bob fills his company laptop up with “Documents”, 63,472 documents to be exact. He then goes home and copies these documents to a thumb drive and then to his home PC for “safe storage”. Bob is a great guy, so we just let him have access to our account list, our R&D files, etc. Hey, we have patents, right? What’s the big deal?

So now Bob gives his 2 week notice. In the old days we would terminate pretty much then and do an exit interview, get his key(s), ID and security card, laptop and have him sign that he has returned any and all property to us, and off he goes. If he was well liked there might even be a party or 3.

Unfortunately for Bob, we had instituted a new process called Data Loss Prevention (or DLP for short) a few months earlier without telling the community at large. Oops, my bad. So what does that mean? Every piece of digital or digitized data, documentation and, yes, Intellectual Property (IP) was marked, so to speak.

Without the slightest hint of it, each time anything on the network was read, changed, copied, moved or deleted we knew who, what, when, from/to where and how, and yes, this actually included when his internet-connected home PC accepted the documents from the thumb drive.

Fantasy, right? Not possible, right? (Of course many in this group know this all to be truisms.)

So back to Bob’s exit interview. So Bob, on October 15, 2010 you copied some files to your laptop, could you explain what they consisted of? Bob replied they were just some photos from a vacation and that since he was leaving he was taking them off the server. Ah, OK, great. How many were there, Bob?

Bob’s response: not too many, under a hundred as he recalled. So then we ask him, do you have any property that belongs to XYZ company? Bob, now feeling a bit nervous, fidgets before answering and of course replies absolutely not with great confidence. We grimace and allow a moment of silence while we allow Bob to settle a bit.

Bob, at exactly 5:37pm that day you started downloading 63,472 documents to your company laptop. Can you then explain what the rest of those documents were?  Bob fidgets a lot.  He is now extremely nervous. Bob is having difficulty talking.  Stumbles over his words.

He said they were work-related things he needed to finish a few things up before leaving the company. So Bob, why did you download the complete plans to our last 10 inventions plus ones in the works when your accounting position has nothing to do with this information? I think Bob was about to, well, drop a load.

Bob, we know that you copied this information to a thumb drive and then to your home PC, named Bob_HOME with an IP address of xxx-xxx-xxx-xxx. This is your home PC and roadrunner account IP. Why in the weeks before you are planning to leave us would you copy our private information, customer account information, etc. to your home PC?

And when asked if you had any of our property you denied it both in writing and verbally (recorded no less). Bob was completely flustered. I ask you again, Bob, do you have any of our property including intellectual property in your possession? Bob finally came clean. Unfortunately for Bob he not only lost his job, but his freedom as well.

So I ask you all, how safe is your IP? Do you hire foreign nationals and provide them full access to your IP? Do you provide unmonitored access to your data and IP? What is really at stake here? Can we afford the status quo when it comes to Intellectual Property? Is this a rarity or an everyday occurrence? So many questions, so few answers.

Phil Agcaoili Funny you should post this...
FBI holds Libertyville man on theft of trade secrets
We all need to be building data exfiltration detection capabilities and monitoring/responding vigilantly.
Phil Agcaoili .
Many companies bury their head in the sand and/or are dealing with internal politics to deploy data loss prevention technology or have issues simply detecting signs of attack, loss or theft for a variety of reasons.

Until we take the time to KNOW what our important data is, determine where it is, how it is transacted, how to reduce our threat profile/reduce instances of that data (from being replicated and transported), and then de-scope our defensive boundaries, we will be stuck.

We need to fix this state.

Also, we need to look hard at Data Governance and start with a decent Data Classification program that identifies and marks all critical data assets.

As you mentioned, we also need to simplify the rules and properly educate our users on our expectations with respect to appropriate data handling (for our most important data).

We also need to collapse our perimeters once and for all and reduce our scope of protection. There's too much to protect at this point (it's all in scope for so many that I've spoken to) and we need to focus on protecting that which is most important. Once we mark our most important data, we should better protect it in secure enclaves and treat everything accessing these enclaves as hostile. Here we focus and leverage defense-in-depth good security practices and ensure continuous improvement so that good preventative controls stay in place (place-do-check-act-repeat) and we focus on abuse and data exfiltration detection activities.

Danny Lieberman also spoke of Offensive security options and I also believe that there is another defensive strategy there to defend our most important data (e.g. Honeypots, counterintelligence, etc.).
Michael Fisher So Phil, that leads me to the next part of this informational which I mentioned in passing. Foreign Nationals. So what does the Chinese government do? They send their brightest to study here and then go to work for large American companies. Incentive? Great quality of life for their families back home. You keep sending information and IP back to us in China and we in turn take care of your family. You stop sending, well, not real sure what might happen to your family. I believe that some of these people want out of their contracts, but how? I would say that if they contacted the FBI most likely they might just get the assistance they need in order to be free, but who knows.
Phil Agcaoili .
Without targeting any specific country, the Advanced Persistent Threat (APT) seeks to gain economic advantage and corporate espionage and intellectual property theft is one way to go about that.

Russia used to use sleepers during the cold war for a variety of operations.

Frankly, the US educates many students from many foreign countries. Students come and go or stay and work for US companies.

The US offshores work and has joint ventures all over the world. We cannot solve this problem because there is no perimeter. There are no secrets.

We are one world.
Michael Fisher all we can do is put a plug in the Dike
Phil Agcaoili .

We need to change the way to look at the world and how we maintain the freedom that the US was founded upon and then figure out how best to stay secure.

Freedom is greater than Security is greater than Convenience.

Right now, Convenience trumps Security trumps Freedom.
Michael Fisher Freedom is the right of ALL people until it infringes on the rights of others. These people who steal intellectual property and other worldly goods, those that attempt and do take away the rights of others including hackers and corporate theft should be hunted down as though they were very serious criminals. The FBI and other teams are doing just that but at times I think their hands are tied and so a lot of criminals get away with these white collar crimes. We need to educate our employees as to what is truly held sacred by a community, government, and corporate (all sizes) America and explain to them what is legal and what they can and cannot do and how their freedom could be in jeopardy should they decide to take company property to use for their own gain. We put controls in place and monitoring because we should and because in today's world economy we have to. I am free to do what I want to do and so are you as long as we do not infringe on the rights of others, be they personal or corporate rights. That said, the businesses out there must also acknowledge that their people may truly be their greatest assets and treat them with respect, because if you don't it won't really matter to them what the consequences of their action might be if they feel that they will be free of the day to day lack of respect at work. They may even come to look upon their prosecution for stealing IP (if caught) as a sense of freedom from oppression and then are able to tell their story.

Sorry for rambling but unfortunately, freedom has to these days be measured in layers and levels. I want to feel free to use my credit cards wherever and however I want, but I really appreciate it when I am asked for additional ID and a finger print or key code is not out of the question. Does this infringe on my freedom? Absolutely.

I co-wrote a paper on Aviation Security that was presented to the US Senate and DHS describing what-if scenarios and other informationals that seem to have had some effect at airports. You must present a fingerprint in Israel to get on a plane.

What if I were to tell you that I could easily get through security without a real boarding pass? Are we protecting our freedom to fly safely if we allow known terrorists to board planes in the US and other countries? It is unfortunately a bit like the economy of present. What many were used to earning is no more. We have a new level of expected earning.

We now have a new level of expected security and freedom and they must be tied together or we risk losing all freedoms. As I go through an airport I look at people, people's expressions, faces, movements, etc. I don't see fear in them but if we took away security to provide more freedom of movement there would be dead people everywhere.

We are a disposable society and need to have that shoe in 15 colors and that shirt in 5 colors and on and on. And how does that go? I am not going to pay a lot for that muffler!!! We literally pushed and drove our country to where we are today. If we knew what the folks at CENTCOM, FBI, etc knew we would flock to security just as we do towards personal freedom.

We are one world, there are no secrets. I beg to differ. Have you ever been in a race with your best friend where both of you would do anything to win. We are in that race right now and I do not consider them my best friends.

There is a company that produces surgical steel equipment for operating room technicians and doctors. They offshored production and within a month or 2 products with their labels were showing up in other customer locations. That in itself would be bad enough, but then the equipment began to fail and began to rust. The company started getting calls of complaints, but when the equipment was returned for review it was not their product nor were they THEIR customers. Their technology, IP, and patents had been taken down the road to another factory and sold as their products. This country that made the product has no laws against stealing others' IP.

We are one world and there are no secrets but there should be and it is my job and that of other security professionals to protect it.

One last thing, The Smart Grid and electric Grid that runs our world is at risk. We need to help consumers get a better grip on energy usage but before we can do this we need to make sure the barrier between consumers and the power grid controllers is 100% secure or we put our freedom at risk. Let's just say that someone bent on damaging and destroying the grid could do so.

Freedom means we have choices. If a company chooses to ignore warning signs then you are 100% correct, they have no secrets.

All the best and be safe.

Michael Fisher Well, now it is official. Apple products are being sold in a Fake Apple store set up in China and most likely with the knowledge of the local and possibly national government. Heck, why should I pay $499 for an IPAD when I can get the real thing for less than half at my favorite store in China?

Maybe now Apple will consider protecting their intellectual property by manufacturing it here in the USA.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.