The Loss of Intellectual Property in the Digital Age:What Companies can do to Protect Themselves

Christopher Kranich

The Digital Revolution

• People are now more connected– More information in less time– More often– Greater distances– Many security challenges for business

Cyber-based Threats to IP

• Sources evolving and growing rapidly– Competitors– Malicious employees– Well intentioned employees– Criminal groups– Hacktivists– Foreign governments

IP is Valuable

• Cost to design new projects or services– Engineers– Designers

• Cost to manufacture– Proprietary processes– Material sourcing– Pricing information

• Marketing costs

New Work Locations

• From home• On The road• Businesses/public places• Security– More chances for deletion, theft of compromise• WiFi networks• Device theft of damage• Over the Shoulder• Co-mingling of the personal and the private

Types of Devices

• Laptops• Theft, Over-the-shoulder, WiFi

• Smart Phones• Theft, WiFi, unpatched

• Tablets• Theft, WiFi, unpatched

• Desktops• Not updated, no virus protections

More Data

• Large capacity• Smaller storage medium• Cheap• More cloud-based storage

• User can download a large amount of IP quickly

• Malicious or innocent intentions

Reasons IP is Compromised

• Innocent Reasons– Work outside of office– Curiosity– Recovered IP

• Malicious Reasons– Do not like job– Sell IP for profit– Hacktivism– For fun

Employee Views of IP

• Attribute ownership to the person who created it

• Cheap, easily moved, copied, and manipulated

• Okay to take with them to their next job

Symantec Report

VW vs. GM

• Executives took 1000’s of pages• Photocopied in physical from– Secretary– Other Witnesses

• Carried out in boxes of briefcases• Lots of witnesses to IP removal• 100 million Dollar settlement

Starwood vs. Hilton

• Over 100,000 files stolen– Starwood luxury concept• Hilton came up with their own version

– Board presentations– Market research studies– Valued at 1 million Dollars

• Downloaded to laptop– Easy to steal data– Quick, behind closed doors, portable

What Companies Can Do To Protect Themselves

Encrypt Data

• VPN

• Full-disk encryption

• USB sticks

• Emails and attachments

Mobile Device Management

• Common for employees to bring their own device (BYOD)

• Poses many security challenges– Corporate data vulnerable to theft, damage, or

deletion– Hard to keep track of– Corporate data and personal data on same device

Software Solutions

• MobileNow• MobileIron• Zenprise• IBM• Symantec• Airwatch

Customizable Device Policies

• Control which device features and built-in apps can be used

• Specify what the authentication requirements are

• Apply specific policy sets to specific groups of users– Time, roles, types of data, location

Jailbroken or Rooted Devices

• Pose a big security risk– Unstable or not updated

• Detect these devices• Enforce greater controls for them– Lock or wipe– Ban from network– Approved apps– Vpn– Device kept up-to-date

Centralized Updating

• Update OS and apps remotely– Convenient and easy

• All devices patched at the same time– All devices on same footing– Eliminates specific vulnerabilities

Applications

• App blacklisting

• Block and revoke any apps from any user

• Track usage

• App-to-app encryption

Email Features

• Ability to encrypt attachments

• Prevent unauthorized copying and forwarding

• Restrict sharing of attachments to certain apps

• Specify attachment file types to encrypt

Data Storage

• Storage all data in a home directory– Persisitent and centralized location– Easy to set up automatic backups– Easy to selectively distribute data– Easy to track data and wipe if neccesary– Can have multiple clients• Different platforms accessing the same directory

Data Access Restrictions

• Geofencing– Data only accessible in certain locations– Prevents data from being accessed off site or an

area of the office • Time-Based– Data only accessible at certain times• When employees are working• When a project is active

Remote Lock, Locate, and Wipe

• Lost or stolen

• Infected with malware

• User leaves company

Data Leakage Prevention

• Deep content inspection

• Reads data to find high value IP

• Does not prevent attacks

• Limits accidental deletion or moving

Data Leakage Prevention

• System figures out sensitive data on it’s own

• Logs moving, copying, and deleting

• Prevents user from emailing data out by making it read only

• Requires fine tuning

Attribute-Based Access Control

• Grants access based on attributes– Location– Authentication method– Deviation from the norm– Type of data– Time of access

Cloud Storage Solutions

• Data integrity

• Access is controlled

• Data must be available when needed

Cloud Storage Solutions

• Policy for backing up data• Data is encrypted in storage• Data is sent to facility securely• Data is backed up regularly• Data is kept in multiple locations

Employee Training

• Protect credentials

• Good passwords or passphrases

• Social engineering

• Alerting IT

Basic Security Principles

• Log activities• Set up alerts• Use IDS system• Set up firewalls on internet connections• Control physical access

Basic Security Principles

• Set up user accounts

• Give users their own account

• Provide the minimum amount of access needed

Questions and Comments