The Loss of Intellectual Property in the Digital Age: What Companies Can Do to Protect Themselves
Christopher Kranich
The Digital Revolution
• People are now more connected
  – More information in less time
  – More often
  – Greater distances
  – Many security challenges for business
Cyber-based Threats to IP
• Sources evolving and growing rapidly
  – Competitors
  – Malicious employees
  – Well-intentioned employees
  – Criminal groups
  – Hacktivists
  – Foreign governments
IP is Valuable
• Cost to design new projects or services
  – Engineers
  – Designers
• Cost to manufacture
  – Proprietary processes
  – Material sourcing
  – Pricing information
• Marketing costs
New Work Locations
• From home
• On the road
• Businesses/public places
• Security
  – More chances for deletion, theft, or compromise
    • WiFi networks
    • Device theft or damage
    • Over the shoulder
    • Co-mingling of the personal and the private
Types of Devices
• Laptops
  – Theft, over-the-shoulder, WiFi
• Smart phones
  – Theft, WiFi, unpatched
• Tablets
  – Theft, WiFi, unpatched
• Desktops
  – Not updated, no virus protection
More Data
• Large capacity
• Smaller storage medium
• Cheap
• More cloud-based storage
• User can download a large amount of IP quickly
• Malicious or innocent intentions
Reasons IP is Compromised
• Innocent reasons
  – Work outside of office
  – Curiosity
  – Recovered IP
• Malicious reasons
  – Do not like job
  – Sell IP for profit
  – Hacktivism
  – For fun
Employee Views of IP
• Attribute ownership to the person who created it
• Cheap, easily moved, copied, and manipulated
• Okay to take with them to their next job
Symantec Report
VW vs. GM
• Executives took 1000s of pages
• Photocopied in physical form
  – Secretary
  – Other witnesses
• Carried out in boxes or briefcases
• Lots of witnesses to IP removal
• 100 million dollar settlement
Starwood vs. Hilton
• Over 100,000 files stolen
  – Starwood luxury concept
    • Hilton came up with their own version
  – Board presentations
  – Market research studies
  – Valued at 1 million dollars
• Downloaded to laptop
  – Easy to steal data
  – Quick, behind closed doors, portable
What Companies Can Do To Protect Themselves
Encrypt Data
• VPN
• Full-disk encryption
• USB sticks
• Emails and attachments
Mobile Device Management
• Common for employees to bring their own device (BYOD)
• Poses many security challenges
  – Corporate data vulnerable to theft, damage, or deletion
  – Hard to keep track of
  – Corporate data and personal data on same device
Software Solutions
• MobileNow
• MobileIron
• Zenprise
• IBM
• Symantec
• Airwatch
Customizable Device Policies
• Control which device features and built-in apps can be used
• Specify what the authentication requirements are
• Apply specific policy sets to specific groups of users
  – Time, roles, types of data, location
Jailbroken or Rooted Devices
• Pose a big security risk
  – Unstable or not updated
• Detect these devices
• Enforce greater controls for them
  – Lock or wipe
  – Ban from network
  – Approved apps
  – VPN
  – Device kept up-to-date
Centralized Updating
• Update OS and apps remotely
  – Convenient and easy
• All devices patched at the same time
  – All devices on same footing
  – Eliminates specific vulnerabilities
Applications
• App blacklisting
• Block and revoke any apps from any user
• Track usage
• App-to-app encryption
Email Features
• Ability to encrypt attachments
• Prevent unauthorized copying and forwarding
• Restrict sharing of attachments to certain apps
• Specify attachment file types to encrypt
Data Storage
• Store all data in a home directory
  – Persistent and centralized location
  – Easy to set up automatic backups
  – Easy to selectively distribute data
  – Easy to track data and wipe if necessary
  – Can have multiple clients
    • Different platforms accessing the same directory
Data Access Restrictions
• Geofencing
  – Data only accessible in certain locations
  – Prevents data from being accessed off site or in an area of the office
• Time-based
  – Data only accessible at certain times
    • When employees are working
    • When a project is active
Remote Lock, Locate, and Wipe
• Lost or stolen
• Infected with malware
• User leaves company
Data Leakage Prevention
• Deep content inspection
• Reads data to find high value IP
• Does not prevent attacks
• Limits accidental deletion or moving
Data Leakage Prevention
• System figures out sensitive data on its own
• Logs moving, copying, and deleting
• Prevents user from emailing data out by making it read only
• Requires fine tuning
Attribute-Based Access Control
• Grants access based on attributes
  – Location
  – Authentication method
  – Deviation from the norm
  – Type of data
  – Time of access
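Added example, not part of the original slides: a minimal attribute-based access decision in Python that checks the attributes listed above, including the geofencing and time-based restrictions from the Data Access Restrictions slide. The site names, working hours, authentication methods, data classes and the 3x-baseline deviation threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy values for illustration; none come from the slides.
ALLOWED_SITES = {"hq", "lab"}               # geofence as named locations
WORK_START, WORK_END = time(8, 0), time(18, 0)
STRONG_AUTH = {"mfa", "smartcard"}
DEVIATION_FACTOR = 3                        # assumed multiple of the user's baseline

@dataclass
class Request:
    user: str
    site: str            # location reported for the device
    auth_method: str     # how the user authenticated
    data_class: str      # "public", "internal" or "ip"
    when: datetime       # time of access
    files_today: int     # files this user has already opened today
    daily_baseline: int  # this user's normal daily count

def decide(req):
    """Return (allowed, reasons). Every failed attribute check is listed."""
    reasons = []
    if req.data_class == "public":
        return True, reasons
    if req.site not in ALLOWED_SITES:
        reasons.append("location outside geofence")
    if not (WORK_START <= req.when.time() < WORK_END):
        reasons.append("outside permitted hours")
    if req.data_class == "ip":
        if req.auth_method not in STRONG_AUTH:
            reasons.append("weak authentication for IP data")
        if req.files_today > DEVIATION_FACTOR * max(req.daily_baseline, 1):
            reasons.append("access volume deviates from norm")
    return not reasons, reasons

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("alice", "hq", "mfa", "ip", datetime(2024, 3, 4, 10, 0), 5, 10),
        Request("bob", "cafe", "password", "ip", datetime(2024, 3, 4, 23, 30), 400, 10),
    ]
    for r in samples:
        allowed, why = decide(r)
        # Log every decision so denied requests can feed alerting.
        print(r.user, "ALLOW" if allowed else "DENY", why)
```

Returning every failed check, rather than stopping at the first, gives the logging and alerting described under Basic Security Principles a full record of why a request was denied.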
Cloud Storage Solutions
• Data integrity
• Access is controlled
• Data must be available when needed
Cloud Storage Solutions
• Policy for backing up data
• Data is encrypted in storage
• Data is sent to facility securely
• Data is backed up regularly
• Data is kept in multiple locations
Employee Training
• Protect credentials
• Good passwords or passphrases
• Social engineering
• Alerting IT
Basic Security Principles
• Log activities
• Set up alerts
• Use an IDS
• Set up firewalls on internet connections
• Control physical access
Basic Security Principles
• Set up user accounts
• Give users their own account
• Provide the minimum amount of access needed
Questions and Comments