So yesterday I talked about the real risk that economic/corporate espionage is causing. It's huge! This topic always ranks in the Top 3 whenever I ask a CSO "What is the biggest security risk you currently have?" Let's face it: every business has something that it considers unique, something that provides "competitive advantage". Maybe it's the secret formula in your fried chicken (mmmmm), or maybe it's the unique process you use to get your product to market fastest. Every company has a reason it thinks it does something faster, better, or more efficiently than the other guys in its market, and that, my friend, is worth protecting.
Before I get into the finer points of managing that risk, let's look at the common threads that occur in these two case studies.
The first is the lack of audit controls that would have identified access to the classified data and provided non-repudiation of it. Auditing is a key and often overlooked pillar of information security. Often the sheer volume of audit logs creates a burden of work for those responsible for their timely review; the use of third-party parsing tools allows this burden to be minimized. Additionally, the "log everything" mindset that is coming out of regulatory compliance requirements (and overzealous and overpaid auditors) does nothing to lessen this volume. Often the correlation of log data to events is reduced or missed entirely because of these mistakes. DuPont was eventually able to identify the breach using log files, but the alarms were a bit slow in identifying the attacker. One has to wonder what would have happened if the attacker had conducted his attack in less than 6 months.
The second common theme seen in the DuPont and Denso case studies is the complete failure to provide adequate encryption for "data at rest". Anything deemed valuable enough to be tagged a "trade secret" is worth the effort of encryption. During my research, I did not find a single reference to data encryption or any sort of persistent document protection in either case. Granted, Mr. Min would have had access to, and the corresponding encryption keys for, the research projects he was working on, but he should not have had them for projects outside his department. His ability to access those documents indicates that little if any data encryption existed.
Another common error is the lack of proper access controls. As mentioned previously, Mr. Min had access to projects he was not actively involved in, and no attempt to restrict his access to those documents was evident. While the Denso case is still unfolding, it is hard to believe that an engineer at Denso would need access to over 130,000 unique blueprints for 1,700 projects in a 6-month period. A failure to provide even a rudimentary access control policy contributed to the loss of intellectual property in both cases.
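As an added illustration (not code from the original post or from either company), the following Python script applies the two checks described above to a constructed document-access audit log: it flags restricted documents read by someone outside the owning department, and users whose count of distinct restricted documents exceeds an assumed baseline. The user names, document ids, department names and the threshold are all constructed for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit records (not from the page or either company).
# Columns: timestamp, user, user's department, document id, owning department,
# classification label.
SAMPLE_LOG = """\
ts,user,user_dept,doc_id,doc_dept,label
2007-01-05T09:12:00,jdoe,fibers,FIB-001,fibers,restricted
2007-01-05T09:20:00,jdoe,fibers,FIB-002,fibers,restricted
2007-01-06T10:02:00,jdoe,fibers,BIO-113,biopolymers,restricted
2007-01-06T10:03:00,jdoe,fibers,BIO-114,biopolymers,restricted
2007-01-07T11:40:00,asmith,fibers,FIB-001,fibers,restricted
2007-01-08T14:15:00,bjones,it,PUB-009,marketing,public
"""

# Assumed per-user baseline of distinct restricted documents; tune per org.
DISTINCT_DOC_THRESHOLD = 3


def load_records(text):
    """Parse the CSV audit export into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def cross_department_access(records):
    """Restricted documents read by a user outside the owning department."""
    return [
        (r["ts"], r["user"], r["doc_id"], r["doc_dept"])
        for r in records
        if r["label"] != "public" and r["user_dept"] != r["doc_dept"]
    ]


def volume_outliers(records, threshold=DISTINCT_DOC_THRESHOLD):
    """Users whose distinct restricted-document count exceeds the baseline."""
    seen = defaultdict(set)
    for r in records:
        if r["label"] != "public":
            seen[r["user"]].add(r["doc_id"])
    return {user: len(docs) for user, docs in seen.items() if len(docs) > threshold}


def review(text):
    """Run both checks over an audit export and return the findings."""
    records = load_records(text)
    return {
        "cross_department": cross_department_access(records),
        "volume_outliers": volume_outliers(records),
    }


if __name__ == "__main__":
    for finding, hits in review(SAMPLE_LOG).items():
        print(finding, hits)
```

Public documents are ignored by both checks, so the IT user reading a marketing brochure produces no finding, while the fibers engineer reading biopolymers blueprints does.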
The last commonality discussed is the simple lack of a data classification procedure. In the Denso case it was revealed that Denso was not even aware of the location of the classified data and, furthermore, couldn't quickly identify what was and what was not considered a "trade secret". Security professionals know that limited resources prevent us from "protecting everything, all the time". A simple data classification process would have helped them rapidly determine what was mission-critical to the survivability of their business.
So now we see some common mistakes. Let's look at some of the non-technical means by which we can help reduce the risk:
1. Data Classification – This is simply defined as "the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted." It helps identify where the true assets of the organization lie, and provides guidance and process to assist in the protection of that data. For certain types of data, like medical records, the data classification scheme will be mandated by one or more regulatory guidelines. In other situations, it is up to the business to define and impose the classification scheme. The number of levels or classes should be easily manageable and, most importantly, consistent. Some organizations divide their data into three simple categories (e.g. Restricted, Sensitive, Public), while the U.S. government tends to break this into many more groups, such as Top Secret, Secret, Confidential, etc.
2. Location of Sensitive Data – Once you've established what the trade secret is and how it is prioritized, identifying where that trade secret resides is of high importance. A simple managerial policy stating that trade secrets (classified accordingly) are to be stored on "Server X" allows the technical controls people to turn on the required technical controls to ensure this high-value asset is adequately protected. In my discussions with Fortune 100 company CSOs, this is a huge issue, as they find more and more sensitive data being inadvertently stored on local machines and mobile devices such as laptops and cell phones. A written Acceptable Use policy regarding the storage of classified material is a necessity.
3. Physical Access Controls – Physical restriction of access to the data is the next crucial step in securing your most valuable data. You've identified what the asset is, you've identified where it should be stored, and now you need to ensure that only those with an appropriate and necessary requirement have access to that data. Data can certainly be accessed "over the wire" (which I'll discuss in the technical controls section), but restricting physical access to "Server X" is paramount. A majority of the data leakage issues we're experiencing today come from the use of personal devices such as iPods (aka "podslurping"), USB thumb drives, cell phones, PDAs, etc. Restricting access to the USB port is essential, and this can be done both technically and non-technically.
4. Background checks – The Denso case proves that a background check on new hires is a critical piece of the security process. Too often corporations fail to wait for the results of a background investigation before provisioning the user account and network access. While this is important for the typical rank-and-file employee, it is paramount for the network administrators, who will own the keys to the kingdom. Background checks are certainly not foolproof, so be careful about the manner in which they are conducted or you could open yourself to legal concerns.
5. Legislation: The Economic Espionage Act of 1996 – The Economic Espionage Act of 1996 (EEA) was signed into law by President Clinton and contains two provisions for identifying and prosecuting cases involving economic espionage and the theft of trade secrets. The first, 18 U.S.C. § 1831, criminalizes the theft of trade secrets used to benefit a foreign power (the economic espionage section) and can result in an individual punishment of up to $500,000 and 10 years in prison. Organizations violating this statute can be fined up to $10 million. The second aspect of the EEA, 18 U.S.C. § 1832, addresses the theft of trade secrets "that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof". The punishment here is imprisonment not to exceed 10 years and/or a fine of up to $500,000, and, in the case of organizations, a fine of up to $5 million. The EEA applies to individuals who are U.S. citizens, regardless of where they are physically located, as well as to non-U.S. citizens if the act of espionage was conducted on U.S. soil. A person cannot be convicted if the trade secret was obtained through reverse engineering or parallel development. As is typical of most computer crime laws, seizure of assets used in the violation of the law is almost certain to occur. Prior to the establishment of the EEA, any corporate entity that felt it had suffered a loss of trade secrets was forced to contact law enforcement, and its intellectual property could potentially be disclosed during public court proceedings.
While the EEA is certainly a step in the right direction with regard to prosecuting industrial espionage cases, it does not prevent the legal intelligence-gathering techniques used by most foreign intelligence agencies and well-staffed corporate attackers, such as "dumpster diving" or using refined online search tools (aka "Google Hacking") to identify public data.
The Information Security Glossary. March 29, 2007. http://www.yourwindow.to/information-security/gl_dataclassification.htm
"The Economic Espionage Act of 1996: A Brief Guide." http://www.ncix.gov/publications/booklets_brochures/booklet_EconomicEsp/eea_brochure_00.pdf
Next Post: Discussing some of the technical controls we can use to mitigate the economic espionage risk.