People First,Performance Now
Ministry of Science,Technology and Innovation
Industrial Espionage – How Not To Become A Victim?
Alan See, CEO, Firmus
6 November 2012
INDUSTRIAL ESPIONAGE IN THE NEWS
WHAT IS INDUSTRIAL ESPIONAGE?
• Theft of trade secrets by persons or business entities with:
– Knowledge or intent that the theft will benefit any foreign government, foreign instrumentality, or foreign agent, or
– Knowledge or intent that the theft will benefit anyone other than the owner of the trade secret, and knowing that the offense will injure that owner
• “Trade secrets” are defined broadly, but not without limit
• Benefit requirement for trade secret theft is limited to “economic” benefit.
PROTECTION OF IP ASSETS
• To qualify as a trade secret, an asset must derive economic value from not being generally known and be subject to reasonable degrees of protection.
• Securing confidential information is equally important. IP assets that do not rise to the level of trade secrets can still be protected as confidential information.
TECHNIQUES OF INDUSTRIAL ESPIONAGE
– Theft by an insider (esp. current or former employee)
– Exploiting lax password management
– Email spam
– Manipulation of supplier/customer relationship
– Aggressive collection of public information
CRIMINAL PROSECUTION CASE STUDY: Opel vs Volkswagen
• It’s bad enough for a company when their top executives jump ship – but imagine how it must have felt for Opel when their chief of production moved to rival Volkswagen and was followed by not one, not two, but seven other executives. Opel cried industrial espionage – over an alleged missing bundle of confidential documents – in response to which Volkswagen parried with accusations of defamation.
• The four-year legal battle was resolved in 1997 when Volkswagen agreed to pay General Motors, the parent company of Opel, $100 million and place an order for over $1 billion’s worth of car parts. Volkswagen still refused to apologize, though, showing that even multinational car companies can be as stubborn as 5-year-old children.
CRIMINAL PROSECUTION CASE STUDY: VICTIM GOLDMAN SACHS
• Goldman Sachs programmer copied and transferred hundreds of thousands of lines of proprietary source code for benefit of a competitor
• Convicted of theft of trade secrets under Economic Espionage Act of 1996 and transportation of stolen property in interstate commerce
• Sentenced to 97 months in prison, 3 years of supervised release, and $12,500 fine (U.S. v. Aleynikov, No. 1:10-cr-00096 (S.D.N.Y. Feb. 11, 2010))
CIVIL PROSECUTION CASE STUDY: STARWOOD HOTELS v. HILTON HOTELS
• Starwood alleged that Hilton induced Starwood employees to serve as corporate spies to provide Hilton with Starwood’s confidential development plans and business opportunities for its luxury brands
• Alleged theft of 100,000+ electronic files
• Preliminary & permanent injunction; court monitors appointed until 2013; ongoing criminal investigation
• Starwood Hotels v. Hilton Hotels Corp., No. 09-cv-3862 (S.D.N.Y. Apr. 16, 2009)
INNOCENT BUT RISKY ACTIONS – DID YOU EVER...
… Print a confidential document on the wrong printer?
… Send company data to your private email account?
… Copy data to a non-encrypted USB device?
… Send an email to the wrong recipient?
Regulatory Data
• Credit card data
• Privacy data (PII)
• Health care information
• Financial information
Corporate Secrets
• Intellectual property
• Trade secrets
DATA ECOSYSTEM
(Diagram.) Identities (employees, contractors, board) perform user actions (access, store, copy, send, post) on information (non-sensitive data, regulatory data, company secrets). Risk attaches to all three: the identities, the user actions and the information.
PREVENTION OF INDUSTRIAL ESPIONAGE
• The first step to a better defense is to identify the information that, if lost, would critically harm the company, and the value of that information to your company and its competitors.
• These are your "crown jewels" and require the best safeguards.
• Information security managers must be able to identify the company's intellectual property, its location and its value.
• Protect and control who has access to this information.
• A risk assessment should then be performed to identify existing security vulnerabilities to those crown jewels.
PREVENTION OF INDUSTRIAL ESPIONAGE
• It is also important to establish a complete list of data items your organization owns or processes, including an inventory of all intellectual property that could affect revenue or reputation.
• Involve stakeholders from across the organization to identify this information.
• Examples of such information include copyrighted material, patents, trademarks, operating procedures, user manuals, policies, memos, reports, plans, contracts, source code, recipes, manufacturing plans, chemical formulas, design drawings and patent applications.
PREVENTION OF INDUSTRIAL ESPIONAGE
• Once you fortify your crown jewels, you must determine how to protect against the low-tech attack vectors. One way to do this is through an incentivized and targeted security awareness program that includes regular, enterprise-wide security testing.
• Realistically, employees respond better to carrots than sticks. If you properly train and incentivize security awareness, you will gain a strong defense.
PREVENTION OF INDUSTRIAL ESPIONAGE
• The final step is to simulate an actual attack, which often occurs as a "blended threat", in your enterprise security testing.
• This exercise should focus on all types of information regardless of its form. You should implement testing along several attack vectors.
• For example, combine a network pen-test with physical and social engineering assessments. The results will give you a better idea of your current attack defenses.
MAIN DRIVERS
REGULATION
• BNM GPIS, HIPAA, PCI, SOX
• Thousands of regional privacy laws
SENSITIVE DATA
• Product designs, IP
• M&A, Financials, Legal
HOW DOES DATA LEAK? (Data sources and user actions)
• At rest (files, shares): move files; access shares
• In use: copy to device; cut, copy, paste; print
• In motion: outbound email; IM, blogs; web posting
DATA LOSS PREVENTION PROGRAM LIFECYCLE MANAGEMENT (driven by risk based policies)
(Diagram.) Three stages, DISCOVER -> CLASSIFICATION -> ENFORCE, covering risk across the infrastructure, end users & risk teams, and security controls. Over time the program moves from understanding risk to reducing risk.
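The discover / classify / enforce loop with a risk-based policy, as an added example that is not part of the talk: content is classified as regulatory data (a Luhn-valid card number, as in the credit card data the slides list), a company secret (a handling marker) or non-sensitive, and a user action from the leak slide (send, copy to device, print) is then blocked, alerted on or allowed. The policy table, the marker words and the sample events are assumptions constructed for the example.

```python
import re

# Risk-based policy (constructed for this example, not from the talk): for each
# data class, which of the slide's user actions are blocked, alerted on or allowed.
POLICY = {
    "regulatory": {"send": "block", "copy_to_device": "block", "print": "alert"},
    "company_secret": {"send": "alert", "copy_to_device": "block", "print": "alert"},
    "non_sensitive": {},
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")                  # candidate card numbers
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|TRADE SECRET)\b", re.I)  # assumed handling markers


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not flagged as card data."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """DISCOVER / CLASSIFY: return the highest-risk data class found in text."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return "regulatory"          # credit card data -> regulated (PCI)
    if MARKER_RE.search(text):
        return "company_secret"          # intellectual property / trade secrets
    return "non_sensitive"


def enforce(text: str, action: str) -> str:
    """ENFORCE: decide block / alert / allow for a user action on this content."""
    return POLICY[classify(text)].get(action, "allow")


if __name__ == "__main__":
    # Constructed sample events, not real data.
    for content, action in [("Card on file: 4111 1111 1111 1111", "send"),
                            ("CONFIDENTIAL design drawings v3", "copy_to_device"),
                            ("Lunch menu for Tuesday", "print")]:
        print(classify(content), action, "->", enforce(content, action))
```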
RISK BASED APPROACH
• To move to a risk based approach you must employ a risk analysis scheme to properly categorize your risks.
• What are our risks?
• What is the probability of their occurrence?
• When are they most likely to occur?
• What is the severity of their consequence?
WHAT ARE YOU AT RISK?
(Diagram.) Risk channels shown, grouped under Hardware and Software Controls and Human Behaviors: laptops, mobile devices, thumb drives, CDs, DVDs, printouts, email, file transfers, lost or stolen, trade shows, voice, face to face, telephone, scanned images.
WHAT’S THE PROBABILITY/CONSEQUENCES?
(Diagram of probability and consequences.) Goal is to move the risk down the scale.
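A small risk analysis scheme of the kind the previous slides call for, as an added example that is not part of the talk: each risk gets a probability and a severity score, the product places it on a scale, the register is ranked so the crown-jewel risks come first, and an assumed control is applied to show the risk moving down the scale. The 1 to 5 scale, the scale bands, the register entries and the controls are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed scale (not from the talk): 1 (rare / minor) to 5 (almost certain / critical)
# on both axes; risk score = probability x severity.
@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # probability of occurrence
    severity: int     # severity of consequence

    def score(self) -> int:
        return self.likelihood * self.severity


def band(score: int) -> str:
    """Place a score on the scale that the risk should be moved down."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank(risks):
    """Highest inherent scores first, so risks to the crown jewels are treated first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def apply_control(risk, likelihood_drop=0, severity_drop=0):
    """Residual risk after a control; neither axis goes below 1."""
    return Risk(risk.name, max(1, risk.likelihood - likelihood_drop),
                max(1, risk.severity - severity_drop))


# Constructed register built from channels named on the slides.
REGISTER = [
    Risk("Design drawings copied to unencrypted USB", 4, 5),
    Risk("Confidential printout left on shared printer", 3, 3),
    Risk("Source code sent to private email account", 3, 5),
    Risk("Encrypted laptop lost", 2, 2),
]

# Assumed controls: allow encrypted USB only; DLP block on outbound mail.
CONTROLS = {
    "Design drawings copied to unencrypted USB": {"likelihood_drop": 3},
    "Source code sent to private email account": {"likelihood_drop": 2},
}


def residual_register(register=REGISTER, controls=CONTROLS):
    """(name, band before control, band after control), highest inherent risk first."""
    return [(r.name, band(r.score()), band(apply_control(r, **controls.get(r.name, {})).score()))
            for r in rank(register)]
```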
COST OF INDUSTRIAL ESPIONAGE
Organizations that rely on intellectual property (IP) for sale and use are subject to more long-term and far-reaching costs when leaked. IP is the heart of today’s technology, manufacturing, pharmaceutical, engineering and even financial firms, and their most coveted sustainable advantage. When lost, it can have a direct and immediate impact on both the R&D costs associated with the asset, and the revenue estimates for the full lifecycle of the asset.
COST OF INDUSTRIAL ESPIONAGE
• Intellectual Property
– Fees for legal recourse to address who leaked the data and discover if it is being used inappropriately
– Short-term impact to R&D cost recuperation
– Long-term impact to profitability/revenue projections
– System and process audits to identify and correct the source of the leak
Forrester Research and Ponemon Institute peg the cost of the average data leak at $1.5M to $4.8M.
Ultimately, the cost of the leak is determined by the size and nature of the organization, the sensitivity of the data leaked, and the size of the leak itself.
COST OF INDUSTRIAL ESPIONAGE
• Personally Identifiable Information and Personal Health Information
– Average cost per record associated with a leak to make affected parties whole
– Fees for legal representation
– Engaging a PR firm to minimize damage and restore reputation
– Consumer credit monitoring