Industrial Espionage – How Not To Become A Victim?
Alan See, CEO, Firmus
Ministry of Science, Technology and Innovation ("People First, Performance Now")
6 November 2012


TRANSCRIPT



INDUSTRIAL ESPIONAGE IN THE NEWS


WHAT IS INDUSTRIAL ESPIONAGE?

• Theft of trade secrets by persons or business entities with:
  – Knowledge or intent that the theft will benefit any foreign government, foreign instrumentality, or foreign agent, or
  – Knowledge or intent that the theft will benefit anyone other than the owner of the trade secret, and knowing that the offense will injure that owner

• "Trade secrets" are defined broadly, but not without limit.

• The benefit requirement for trade secret theft is limited to "economic" benefit.


PROTECTION OF IP ASSETS

• To qualify as a trade secret, an asset must derive economic value from not being generally known and be subject to reasonable degrees of protection.

• Securing confidential information is equally important. IP assets that do not rise to the level of trade secrets can still be protected as confidential information.


TECHNIQUES OF INDUSTRIAL ESPIONAGE

– Theft by an insider (esp. current or former employee)
– Exploiting lax password management
– Email spam
– Manipulation of supplier/customer relationship
– Aggressive collection of public information


CRIMINAL PROSECUTION CASE STUDY: Opel vs Volkswagen

• It's bad enough for a company when their top executives jump ship, but imagine how it must have felt for Opel when their chief of production moved to rival Volkswagen and was followed by not one, not two, but seven other executives. Opel cried industrial espionage over an alleged missing bundle of confidential documents, in response to which Volkswagen parried with accusations of defamation.

• The four-year legal battle was resolved in 1997 when Volkswagen agreed to pay General Motors, the parent company of Opel, $100 million and place an order for over $1 billion's worth of car parts. Volkswagen still refused to apologize, though, showing that even multinational car companies can be as stubborn as 5-year-old children.


CRIMINAL PROSECUTION CASE STUDY: VICTIM GOLDMAN SACHS

• A Goldman Sachs programmer copied and transferred hundreds of thousands of lines of proprietary source code for the benefit of a competitor.

• Convicted of theft of trade secrets under the Economic Espionage Act of 1996 and of transportation of stolen property in interstate commerce.

• Sentenced to 97 months in prison, 3 years of supervised release, and a $12,500 fine (U.S. v. Aleynikov, No. 1:10-cr-00096 (S.D.N.Y. Feb. 11, 2010)).

• Note that the Second Circuit reversed both convictions in April 2012, holding that source code was not "goods" under the interstate transportation statute and that the code was not "related to a product produced for interstate commerce" as the EEA was then worded; Congress closed that gap with the Theft of Trade Secrets Clarification Act of 2012.


CIVIL PROSECUTION CASE STUDY: STARWOOD HOTELS v. HILTON HOTELS

• Starwood alleged that Hilton induced Starwood employees to serve as corporate spies to provide Hilton with Starwood's confidential development plans and business opportunities for its luxury brands.

• Alleged theft of 100,000+ electronic files.

• Preliminary and permanent injunction; court monitors appointed until 2013; ongoing criminal investigation.

• Starwood Hotels v. Hilton Hotels Corp., No. 09-cv-3862 (S.D.N.Y. Apr. 16, 2009)


INNOCENT BUT RISKY ACTIONS: DID YOU EVER...

...Print a confidential document on the wrong printer?

...Send company data to your private email account?

...Copy data to a non-encrypted USB device?

...Send an email to the wrong recipient?


Regulatory Data
• Credit card data
• Privacy data (PII)
• Health care information
• Financial information

Corporate Secrets
• Intellectual property
• Trade secrets


DATA ECO SYSTEM

(diagram) Identities (employees, contractors) perform user actions (send, copy, post, board, store, access) on information (non-sensitive data, regulatory data, company secrets). Risk sits at each of the three layers: identities, user actions, information.


PREVENTION OF INDUSTRIAL ESPIONAGE

• The first step to a better defense is to identify the information that, if lost, would critically harm the company, and the value of that information to your company and its competitors.

• These are your "crown jewels" and require the best safeguards.

• Information security managers must be able to identify the company's intellectual property, its location and its value.

• Protect and control who has access to this information.

• A risk assessment should then be performed to identify existing security vulnerabilities to those crown jewels.


PREVENTION OF INDUSTRIAL ESPIONAGE

• It is also important to establish a complete list of data items your organization owns or processes, including an inventory of all intellectual property that could affect revenue or reputation.

• Involve stakeholders from across the organization to identify this information.

• Examples of such information include copyrighted material, patents, trademarks, operating procedures, user manuals, policies, memos, reports, plans, contracts, source code, recipes, manufacturing plans, chemical formulas, design drawings and patent applications.


PREVENTION OF INDUSTRIAL ESPIONAGE

• Once you fortify your crown jewels, you must determine how to protect against the low-tech attack vectors. One way to do this is through an incentivized and targeted security awareness program that includes regular, enterprise-wide security testing.

• Realistically, employees respond better to carrots than sticks. If you properly train and incentivize security awareness, you will gain a strong defense.


PREVENTION OF INDUSTRIAL ESPIONAGE

• The final step is to simulate an actual attack, which often occurs as a "blended threat", in your enterprise security testing.

• This exercise should focus on all types of information regardless of its form. You should implement testing along several attack vectors.

• For example, combine a network pen-test with physical and social engineering assessments. The results will give you a better idea of your current attack defenses.


MAIN DRIVERS

REGULATION
• BNM GPIS, HIPAA, PCI, SOX
• Thousands of regional privacy laws

SENSITIVE DATA
• Product designs, IP
• M&A, financials, legal


HOW DOES DATA LEAK?

Data Sources     User Actions
At rest          Move files; access shares; copy files/shares
In use           Copy to device; cut, copy, paste; print
In motion        Outbound email; IM, blogs; web posting

Data Loss Prevention Program Lifecycle Management (driven by risk-based policies)

(diagram) DISCOVER → CLASSIFICATION → ENFORCE, applied to risk across the infrastructure, to end users and risk teams, and to security controls. Plotted against time, risk falls as the program moves from "understand risk" to "reduce risk".
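The discover / classify / enforce loop of the lifecycle above, run over the leak channels of the "How does data leak?" slide and the "send company data to your private email account" case, as an added Python example. This is not code from the deck or from Firmus: the detectors (Luhn-checked card numbers, a Malaysian NRIC pattern standing in for "privacy data (PII)", marker phrases standing in for company secrets), the sample documents, the personal-webmail domain list and the policy table are all constructed assumptions.

```python
"""Discover -> classify -> enforce, in the shape of the DLP lifecycle slide.

Added example, not code from the deck: the detectors, marker phrases,
sample documents, webmail domain list and policy table are all assumed.
"""
import re
from typing import Optional, Tuple

# ---------------- DISCOVER: content detectors for regulated / secret data ----------------

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; drops 13-19 digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional space/dash groups
NRIC_RE = re.compile(r"\b\d{6}-\d{2}-\d{4}\b")      # Malaysian NRIC YYMMDD-PB-NNNN (assumed PII type)
SECRET_MARKERS = ("TRADE SECRET", "CONFIDENTIAL", "CHEMICAL FORMULA")  # assumed crown-jewel stamps

def discover(text: str) -> dict:
    """Return the regulated or secret elements found in one document."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    upper = text.upper()
    return {
        "card_numbers": [c for c in candidates if luhn_valid(c)],
        "nric": NRIC_RE.findall(text),
        "secret_markers": [m for m in SECRET_MARKERS if m in upper],
    }

# ---------------- CLASSIFY: map findings onto the deck's data categories ----------------

def classify(findings: dict) -> str:
    """Company secrets outrank regulatory data, which outranks non-sensitive content."""
    if findings["secret_markers"]:
        return "Company Secret"
    if findings["card_numbers"] or findings["nric"]:
        return "Regulatory Data"
    return "Non-sensitive"

# ---------------- ENFORCE: risk-based policy per (classification, channel) ----------------

# Channels follow the "how does data leak" slide; the actions are an assumed example policy.
POLICY = {
    ("Company Secret", "outbound_email"):  "block",
    ("Company Secret", "usb_copy"):        "block",
    ("Company Secret", "web_posting"):     "block",
    ("Company Secret", "print"):           "alert",
    ("Regulatory Data", "outbound_email"): "encrypt",
    ("Regulatory Data", "usb_copy"):       "encrypt",
    ("Regulatory Data", "web_posting"):    "block",
    ("Regulatory Data", "print"):          "alert",
}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}   # assumed list

def enforce(text: str, channel: str, recipient: Optional[str] = None) -> Tuple[str, str]:
    """Decide what happens when this document moves over this channel."""
    cls = classify(discover(text))
    action = POLICY.get((cls, channel), "allow")
    # The "send company data to your private email account" case: anything
    # sensitive addressed to personal webmail is blocked, whatever the table says.
    if channel == "outbound_email" and recipient and cls != "Non-sensitive":
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_WEBMAIL:
            action = "block"
    return cls, action

# Constructed sample documents (no real data).
SAMPLE_DOCS = {
    "customer_refunds.txt": "Refund to card 4111 1111 1111 1111 for order 88213. "
                            "Customer NRIC 880101-14-5678.",
    "process_notes.txt":    "TRADE SECRET: catalyst ratio 3:1 at 420C, see chemical formula sheet.",
    "lunch_menu.txt":       "Canteen serves nasi lemak on Friday, ticket no 4111 1111 1111 1112.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        for channel, rcpt in (("outbound_email", "me@gmail.com"), ("usb_copy", None)):
            cls, action = enforce(text, channel, rcpt)
            print(f"{name:22} {channel:15} {cls:16} -> {action}")
```

The Luhn filter is what keeps the canteen ticket number from being classified as card data, which is the kind of false positive that makes users route around a DLP control; the webmail override shows why the policy table alone is not enough once the recipient, not just the channel, carries risk.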


RISK BASED APPROACH

• To move to a risk based approach you must employ a risk analysis scheme to properly categorize your risks.

• What are our risks?
• What is the probability of their occurrence?
• When are they most likely to occur?
• What is the severity of their consequence?


WHERE ARE YOU AT RISK?

(diagram) Hardware and software controls: laptops, mobile devices, printouts, thumb drives, CDs, DVDs, email, file transfers, lost or stolen devices, scanned images

Human behaviors: voice, face to face, telephone, trade shows


WHAT'S THE PROBABILITY/CONSEQUENCES?

(risk matrix: probability of occurrence against severity of consequence)

Goal is to move the risk down the scale.


COST OF INDUSTRIAL ESPIONAGE

Organizations that rely on intellectual property (IP) for sale and use are subject to more long-term and far-reaching costs when it is leaked. IP is the heart of today's technology, manufacturing, pharmaceutical, engineering and even financial firms, and their most coveted sustainable advantage. When lost, it can have a direct and immediate impact on both the R&D costs associated with the asset and the revenue estimates for the full lifecycle of the asset.


COST OF INDUSTRIAL ESPIONAGE

• Intellectual Property
  – Fees for legal recourse to address who leaked the data and discover if it is being used inappropriately
  – Short-term impact to R&D cost recuperation
  – Long-term impact to profitability/revenue projections
  – System and process audits to identify and correct the source of the leak

Forrester Research and Ponemon Institute peg the cost of the average data leak at $1.5M to $4.8M.

Ultimately, the cost of the leak is determined by the size and nature of the organization, the sensitivity of the data leaked, and the size of the leak itself.


COST OF INDUSTRIAL ESPIONAGE

• Personally Identifiable Information and Personal Health Information
  – Average cost per record associated with a leak to make affected parties whole
  – Fees for legal representation
  – Engaging a PR firm to minimize damage and restore reputation
  – Consumer credit monitoring


Thank You