January 2012
Zappos Hacked: The Shoe Drops
Israel Consumer Hack Evokes Government Response: Act of Cyberwar?
December 2011
Cargill Nets Corporate Spy Under Economic Espionage Act
Lowly Thumb Drive Compromises U.S. Military Network
Trade Secret Kaput? German Co. Gets U.S. Docs (In Court)
November 2011
Tricare's Turkey: Backup Tapes Go AWOL
McKinsey to Execs: Get Engaged in Cybersecurity
’Tis the Season: Annual Reports on Economic Espionage
October 2011
Hooters Gets Pinched
Brain Drain Brings Zombies to Occupy Wall Street
My CXO Wants a Secure Remote Office
FBI Advises on the Insider Threat
Nasty Apps Can Infect Your Network via Mobile Devices
Zappos Hacked: The Shoe Drops
Customer info was exposed when online shoe retailer Zappos got a nasty surprise. This time, they got it half right. Customer account data was hacked, but their credit card details were not because Zappos did the right thing and encrypted them. Why not encrypt all customer data? Store it in multiple places or out in the cloud? Many possibilities to keep your customers safe.
Israel Consumer Hack Evokes Government Response: Act of Cyberwar?
A breach of consumer data in Israel provoked an unusually belligerent response: the Israeli Government weighed in, calling the hack an act of cyberwar. These are untested waters -- just when does a cyber breach cross the line into national security?
The supposed perpetrator was a Saudi residing in Mexico (doubtful on both counts), but that doesn't really matter. The lesson here is that the asymmetric nature of the cyber threat means that your data can be reached by anyone anywhere.
This hack did not go unanswered. Within a week, an Israeli hacker had reportedly exposed Saudi, Egyptian and Syrian user data in retaliation.
Cargill Nets Corporate Spy Under Economic Espionage Act
News reports indicate a rare victory in the use of the Economic Espionage Act. This time, a Cargill researcher was convicted for stealing trade secrets. He had done the same at Dow. At both employers, Kexue a/k/a “John” Huang signed confidentiality agreements. These are necessary but not sufficient. Employers need to actively monitor their organizations for out-of-the-ordinary activities and behavior that may indicate a rogue insider is at work.
We can only imagine the trade secrets Cargill possesses. Even in the pre-Internet era, Cargill representatives in far-flung corners of the world would send market intelligence by telex -- on weather, crop and soil conditions, etc. The stuff, in short, that can move markets and is worth big bucks to those able to get a jump on the competition. Forbes worries that "not only Dow but other major players in the agribusiness — ADM, Monsanto, potash and fertilizer producers — may all become targets of attempts to steal their trade secrets."
Yep. Unless they already have.
Lowly Thumb Drive Compromises U.S. Military Network
A fascinating account with new details in the Washington Post regarding a malicious computer worm dubbed "agent.btz". This nasty piece of malware burrowed itself into highly sensitive U.S. military networks and was only discovered when it tried to phone home. Rather than a sophisticated cyber operation, the most likely transfer mechanism for this payload was a simple flash drive that a user unwittingly plugged into a computer on the network. (Wired Magazine also weighed in on the updated news report.)
While the underlying story dates from 2008 it is still a worthy reminder of how effectively payloads can be delivered via removable media. In an earlier post we discussed the need for a mobile device management plan, since nasty apps can jump from users' smartphones onto the corporate network. Accordingly, you should also review your corporate policies and procedures for removable media. If you allow removable media to be introduced into the system, are you conducting automatic scans and reviewing log files for indications of suspicious activity from within the network?
Trade Secret Kaput? German Co. Gets U.S. Docs (In Court)
The German company Heraeus Kulzer (HKG) makes surgical cement. It accused Biomet, an American competitor, of stealing its trade secrets. To bolster its case, HKG sought to use the U.S. courts to obtain relevant documents under legal disclosure even though the case was being tried in Germany. A U.S. federal court approved HKG’s request earlier this year.
While most of the focus on this legal case was about discovery, we were much more interested in how the trade secrets were exposed to a rival. As it turns out, HKG had a distribution agreement with Merck (the German one) dating back to the 1970s. Confidential data was routinely shared as part of this arrangement. Separately and without HKG, Merck created a joint venture (JV) with Biomet, where HKG’s same secrets were revealed.
Two lessons here:
1. Carefully consider your restrictive covenants. These documents outline how and under what circumstances your confidential information is shared and protected. Was the HKG-Merck non-disclosure agreement (NDA) written so broadly that when Merck created a separate JV and brought Biomet under its umbrella it felt legally protected to share secrets that belonged to HKG without HKG’s consent?
2. Scrutinize your JVs. You may need a foreign partner to enter a new market, but what conduit does this create for the exposure of your confidential data? You need to consider what could leak through this mechanism and be stolen in a jurisdiction where IP protection is not solid.
Tricare's Turkey: Backup Tapes Go AWOL
Military retirees got more than Thanksgiving cards
in the mail this season. The military health care system Tricare began
notifying almost 5 million beneficiaries that their personal data had
been stolen when a Defense Department contractor left unencrypted backup tapes
in his car. A lawsuit is pending.
This case recalls another unfortunate episode when
in 2005 Bank of America lost backup tapes in
transit—and with them the financial records of over one
million federal employees (including U.S. Senators). That year,
Ameritrade and Iron Mountain also lost backup tapes.
The most recent data loss was not the only data
breach to hit the Tricare system and expose sensitive patient data. In
December 2002, thieves broke into the Phoenix, Arizona, headquarters of
TriWest and stole laptops and hard
drives containing over half a million patient records.
As the Tricare system is a likely model for
government-sponsored healthcare in the future, individuals have the
right to expect and demand that their personally identifiable
information (PII in industry parlance) is being treated with due care
by the government and its contractors. As innumerable cases have shown,
one slip up can be mighty costly. In the current Tricare case, not only
will millions of service members be exposed to identity theft and
exploitation, but Tricare and its contractors will suffer reputational
damage and legal action.
The most action we have seen on behalf of the U.S.
government is to force disclosure when breaches occur, not adequately
strengthen data privacy protection requirements.
As a contractor to the Department of Veterans
Affairs (VA) ProVerity has been working with the Veterans healthcare
system (VHA) to improve its protection of PII. We offer the following
suggestions based on our experience, not only for healthcare records
but for any organization that must physically transport sensitive data,
either because they are still dealing with antiquated information
systems, or because they have a justifiable fear of cyber attacks
against electronic data.
First, the data itself.
- Information should be segmented. We find it
highly disturbing that so many records would reside in one place.
- Encryption is cheap. Encryption is easy. Encrypt your data whenever
possible. Make encryption part of your information security policy.
If unencrypted information containing millions of
records must be physically moved from one place to another (as opposed
to secure data transfers or encrypted storage in the cloud), then some
best practices are in order.
- Consider the most secure means to move the data.
Usually this is with a physical courier (i.e. a trusted individual
within your organization). Carefully weigh the risk of outsourcing this
important task to an express package service.
- Evaluate the most expeditious means of transport. If a long distance is involved, using an airline flight to courier the material means that the courier should maintain positive physical control over the data whenever possible—including bringing the data onto the plane with him as carry-on luggage.
- To prevent tampering, secure the data in a locked rip-proof storage bag, the kind used by banks. (We recommend the Bristol Custom Bag Company in Bristol, Tennessee.)
- Ensure two-person integrity. Two people involved in the transit means less opportunity for human error and carelessness (not to mention an inside job).
- If transport is by car, the courier must travel from Point A to Point B. Directly. His mission is to secure the data and get it to its destination. Not stop for a nap or go out to lunch. Again, the company’s precious cargo must remain under positive control at all times. And use the Drive-Thru.
Incidentally, some of these tips are adapted from Chapter 5 of the National Industrial Security Program Operating Manual (NISPOM). The irony does not escape us that this manual is enforced by the Department of Defense, which has oversight over the contractor in the Tricare case.
McKinsey to Execs: Get Engaged in Cybersecurity
Your intellectual property (IP) is a juicy target, and there are now more ways to get at it via cyber attacks. In the latest print edition of the McKinsey Quarterly, the international strategic consulting firm offers up "Cybersecurity: a senior executive’s guide." In the article, McKinsey notes that cyber threats are growing in importance and virulence thanks in part to massive data proliferation, mobile device use, and inclusion of vendors and customers in corporate networks—combined with cybercriminals’ growing sophistication.
McKinsey surveyed IT managers at 25 top companies
and found CIO and IT managers under pressure to raise corporate cyber
defenses. This is not enough, the article argues. McKinsey calls for a
cross-cutting strategy that involves all the major functions of the
business. Top-level executives must become more engaged in efforts to
protect IP across the board in a way that does not unduly hamper
growth. First and foremost, executives must determine which assets
deserve the most protection, protecting the data itself and access to
it, rather than concentrating on perimeter defenses alone.
We wholeheartedly agree with the points raised and
are pleased to see this issue elevated for consideration by upper
management, and not merely considered a problem for the IT folks to fix
with more firewalls. Today the most innovative companies hold the
majority of their assets in intangibles (i.e. intellectual property)
that bestow competitive advantage on the firm. These are most likely in
digital form, stored on a corporate network, and are not necessarily
secret widget designs. Our rather tongue-in-cheek posting last month
highlighted that even a restaurant chain like Hooters possesses trade
secrets in the form of strategy documents that undergird its successful
business model.
When ProVerity conducts security vulnerability
analysis of a company, we usually begin by asking corporate executives
to point us toward their "crown jewels." Theft or misappropriation of
these trade secrets would cause exceptionally grave damage to the
company, possibly even putting it out of business. Over the course of
our analysis we are able to quantify the reality gap between how
corporate policy says these trade secrets should be protected (and how
corporate execs think they are) and the reality on the ground. Johnny
Millennial doing peer-to-peer sharing on the corporate network is
usually just the tip of the iceberg.
An interesting point, which McKinsey touches on,
is the need to conduct a careful risk vs. gain analysis when
considering entry into new markets. A company must ask whether the
potential increase in market share is worth the risk that key
intellectual property may be unduly exposed and end up in the hands of
competitors.
’Tis the Season: Annual Reports on Economic Espionage
While October in Washington, D.C. saw the news focused on the budget discussions, the Kim Kardashian wedding/divorce, Lindsay Lohan and the GOP primary race, two agencies issued reports that received little discussion in the mainstream media, despite the gravity of the situation. The Defense Security Service (DSS) and the Office of the National Counterintelligence Executive (ONCIX) both released studies on economic espionage activities targeting U.S. technologies.
In "Targeting U.S. Technologies, A Trend Analysis
of Reporting from Defense Industries 2011" DSS provides statistics on
Suspicious Contact Reports (SCR) that cleared defense contractors
reported to the government during 2009-2010. Breaking the data down by
region, the report examines the methods adversaries used in efforts to
illegally obtain protected technology and which technologies they were
after. Marine sensors and Unmanned Aerial Vehicles (UAV) top the list.
Bottom line: though the percentages differ, the basic techniques used
by the bad guys haven’t changed that much. We recommend reading this
report as a defensive measure, regardless of your industry. The full
report can be found here.
Also worth a read is the ONCIX report "Foreign
Spies Stealing US Economic Secrets in Cyberspace 2011" which identifies
trends from 2009-2011. Though the report focuses mainly on collection
through cyber-attacks it does speak to traditional methods. For the
first time, ONCIX levels an accusatory finger at countries it considers
the worst perpetrators. The complete report can be found here.
Anyone who closely follows the issue of economic
espionage will find no real surprises in either report regarding the
most aggressive countries and which technologies are the most highly
prized. In our view, the biggest revelation was the ONCIX reporting the
corporate reaction to leakage of trade secrets. Company officials
complained to the government that the format for reporting being
victimized by economic espionage was too complicated because different
agencies use different formats and because it is just too difficult to
place a monetary value on stolen intellectual property. We find these
complaints to be highly dubious at best.
To suggest that a company would invest millions of
dollars into product R&D without a well thought out estimate of
Return on Investment (ROI) is unbelievable. And the argument that the
multiple reporting formats are too complicated and confusing is also
pretty thin gruel. If standard accounting practices enable companies to
place a dollar value on their intangibles, shouldn’t the American
investor reasonably expect a degree of transparency if key IP is lost
and will materially affect the business and its market value?
In this time of dire economic straits that
resulted in no small part from opacity in corporate behavior, it seems
to us that U.S. companies should place protection of their core value
first and foremost—and be clear about their protective measures. This
in an economy that is 75% dependent on the development of intellectual
property. Even the FBI has declared economic espionage its second
highest priority behind terrorism. But make no mistake: the FBI can’t
be everywhere, and—we hate to engage in blaming the victim here, but
would you leave your Maserati parked in a poorly lit area with the
doors unlocked, keys on the dash, and a sign on the windshield
instructing passers-by on how to break in and abscond with the car? We
didn’t think so.
This is a true clarion call to national economic
security. The statistics are dire and the sheer amount of losses
(generally in the hundreds of billions of dollars annually) is almost
hard to fathom. Investors should be outraged that this issue continues
to be swept under the rug. Corporate innovators should likewise be
outraged that brazen adversaries continue to purloin their hard-won
trade secrets, corporate management remains generally ambivalent, and
law enforcement is stretched too thin to stop this menace in its tracks
before the worst breaches occur. As for punishing the guilty, U.S.
economic espionage laws are unfortunately both weak and narrowly
defined, with penalties for these crimes relatively light.
Let’s also not fail to address the issue of
corporate reporting to the government. It seems to us that reporting of
economic crimes, no matter how imperfect, is more valuable than total
ignorance of the threat. It’s necessary to identify, quantify and then
protect core IP. ProVerity does this for companies all the time and we
often uncover valuable assets that are unduly exposed and
that the companies did not fully realize they possessed. We
are happy to discuss with concerned parties.
For the record, we are also quite willing to assist the ONCIX in developing a single-format reporting process that is both easy for businesses to use and captures meaningful data. Note to program managers: we are on the GSA Schedule. Happy Thanksgiving!
October 2011
Hooters Gets its Assets Pinched
This will be the last time we’ll ever put Hooters
and intellectual property in the same sentence. In this case, Hooters alleges
it lost crucial trade secrets when a departing executive took computer
files to a company planning to start a competing restaurant called Twin
Peaks (No, we’re not making that up).
In its lawsuit against former VP Joseph Hummel,
Hooters claims he absconded with a "substantial volume" of sensitive
files related to strategic corporate planning.
His M.O. allegedly involved:
- Downloading files and emailing them to a private email account
- Remotely accessing the corporate network after he was no longer an employee
For the record, the CEO of Twin Peaks calls the
charges "baseless". Nevertheless, Hooters appears to have made some
basic mistakes in handling the departure of a key employee. So, for
this advisory note we’ll focus on exit processing.
Sound practices for departing employees are valid
in both good times and bad. In our current economic straits, layoffs
will continue and among those will be employees in possession of your
trade secrets. When the economy improves, company superstars (who tend
to have the most responsibility and therefore access to significantly
more strategic data) will defect to competitors.
We recommend you bring HR solidly into the fold to
ensure your company has a rigorous checkout procedure for departing
employees—and that it is consistently followed.
While you can’t remove what’s in employees’ heads,
clearly remind them of any restrictive covenants they have signed
(confidentiality, non-disclosure, or non-compete agreements). If
necessary, have them re-read and sign again. Retain the original and
give them a copy as a parting gift.
Ensure that all corporate equipment has been returned (including the company laptop and smartphone). Please, please have the IT department wipe the data before re-issuance to avoid unauthorized access to sensitive data.
Above all, be certain to shut off all corporate
computer access and disable user accounts before an employee leaves the
building (preferably while still in the exit interview).
From an HR perspective the exit interview can be a
valuable information-gathering exercise. Departing employees may feel
they have "nothing to lose" by venting. While sour grapes need to be
taken with a grain of salt, security will at least be alert to truly
disgruntled ex-employees, as opposed to those who simply didn’t feel
challenged or are leaving for better opportunities. Over time, patterns
can become apparent, such as which departments have consistent turnover
and low morale. If these departments intersect with your most sensitive
proprietary data, it’s time to more closely cover your assets. Chicken wings anyone?
Who Are These Wall St. Zombies and What Do They Crave?
The Fed tells us the U.S. economy will probably
continue bumping along with low growth and stubbornly high unemployment
for the time being. Out of the economic malaise has sprung the #Occupy
Wall Street movement. But is this mere street theater or does it have
the potential to be something more threatening? Here we will not weigh
in on political points of view, but look at the physical security
implications of this movement.
The largely peaceful (though sometimes
rough-and-tumble) protests coalesce around disaffection with the U.S.
economy and political system. Within a month the movement has grown
beyond the New York Financial District to at least nine cities
including Chicago, Los Angeles and Boston.
On its official website
Occupy Wall Street calls itself a "leaderless resistance movement."
There does not as yet appear to be any coherent agenda or end game, and
multiple lists of demands are circulating. Without clear goals, such
movements can spiral into violence as participants grow frustrated when
conditions do not improve.
Reactions vary. On October 6, the President said,
"the protesters are giving voice to a more broad-based suspicion about
how our financial system works." This high-level acknowledgement of
their cause may raise expectations unrealistically. Acclaim for the
cause is not universal, however. On their blog, the economists at
Freakonomics (we follow them on Twitter) chided the
protesters and called for less anger and more innovation. In the
political arena, things are less subtle. House Majority Leader Eric
Cantor (R-Va.) called the protesters a "mob".
With a diverse movement such as this, splinter
groups are apt to form. This has already happened in Washington, D.C.
Some offshoots may be more violent in nature. Recall that this year’s
"Arab Spring" in the Middle East—which some protestors claim as a
model—has seen its share of violence. Athens and London also come to
mind.
No need to be alarmist, but this is a good time to
review your continuity of operations plans and protocols to ensure
safety for employees working at facilities in central business
districts. Points to consider:
- Review options to have employees work remotely if necessary.
- Stay apprised of local law enforcement advisories. As background reading, we recommend this fascinating account of how U.S. Customs and Border Protection, in cooperation with Canadian authorities, was able to use tactical intelligence to defuse potentially violent protests at the Peace Bridge international crossing.
- Review planned areas of protest to see if they affect your daily operations. Most gatherings are announced in advance on the Occupy Wall St. website. Note that splinter groups may not have the organizational capacity to widely publicize their protest plans.
- We also echo two recommendations from the Vancouver (Canada) business district in advance of planned October 15 demonstrations—to set up security at entrances or near areas like windows where property damage could occur, and to remove portable items outside business locations.
We’ll be following this one closely to see what, if anything, develops. If nothing else, it’s fun to watch the zombies. For more on what to do in the event of a zombie attack, see this Centers for Disease Control alert.
Egads! My CXO Wants a Secure Home Office
The 24/7 work world means your C-Suite boss wants
to connect from home, but also handle proprietary files. Measures you
take will depend on the nature of the threats, risk and sensitivity of
the information being handled.
Some things to consider in setting up a secure
remote office:
Workspace Security
The physical space where business is conducted can
play a major role in preventing the loss of proprietary or sensitive
data and information. Everyone has had fantasies about sitting poolside
in high fashion sunglasses and negotiating a major deal. The reality
is, in most cases, this presents a real security concern.
Home workspaces should be in an area that can be
secured by a locking door and constructed to prevent sensitive
conversations being overheard from outside the space. Furniture inside
the room should be arranged to prevent computer monitors/screens being
read over the shoulder (“shoulder surfing”) or through windows or glass
panels in doors.
There should be secure storage for papers and laptops, either in a locking desk or a file cabinet. If possible, the best solution is a high-security cabinet. Laptops and papers should be secured at the end of each work session inside the locking container as part of a clean desk policy/practice. Though not always practical, operating paperless lowers the risk of exposure or loss of data. For more information regarding creating a secure work environment, the Department of Defense manual 5220.22-M, National Industrial Security Program Operating Manual (NISPOM), provides the basic elements.
Printers and Shredders
Printing should be kept to a minimum. Printing creates documents which require storage or disposal. If the executive must print, choose printers that do not retain copies of print jobs in internal memory or storage from which they could later be recovered. It is better to go for a simpler, less expensive option here.
Once printed, documents require storage or disposal. We have addressed storage recommendations above, so let’s discuss disposal. Shredders are an inexpensive means to securely dispose of sensitive documents. When selecting a shredder, first look at those that use a cross-cut method of shredding. Never use a strip-cut shredder, as they allow the document to be reassembled. The next criterion is the particle size created by the cross-cut shredder. When it comes to shredders, the smaller the particle size the better. Look at the number of pages that can be shredded at one time. Many home office cross-cut shredders will allow for 6-10 pages at once, but keep in mind this may impact the particle size. More expensive commercial shredders can often provide both a high page capacity and smaller particle size. There is of course a difference in price but, depending on the sensitivity of the material, they may present a better option.
After the document has been shredded, we recommend
stirring the shred bin to mix the documents so particles from the same
pages are not clumped together.
Access to Proprietary Networks and Data Protection
Accessing data real-time will almost always be a
requirement of the C-suite executive. Many of today’s executives are
armed with multiple portable data processing devices such as laptops,
smart phones and now tablet personal computers. Providing such access,
and still protecting the data, can be accomplished without disrupting
the business mission. For additional guidance on information security
best practices check out the National Institute of Standards and
Technology (NIST) Computer Security Division, Computer
Security Resources Center.
Some approaches to consider are as follows:
The Virtual Private Network (VPN):
A VPN encrypts data as it is transmitted between your mobile device and a server, so that you can access sensitive data stored securely on a remote server. It is always more secure to leave sensitive data on a server, where it is managed by a system administrator, and use a VPN to access it.
Hard Drive and/or File Encryption:
When there is no option other than to store sensitive data on the hard drive, and such storage has been approved, you should encrypt the hard drive or the relevant files on it. If the computer or electronic media files are lost, the encryption will protect the data, rendering it unreadable to anyone but the owner of the data, since they alone know the password. Remember to back up critical files frequently to a secure server, in case your files and/or hard drive become corrupt or otherwise inaccessible.
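The encrypt-before-it-leaves-your-hands advice given here, and in the Tricare backup-tape note above ("Encryption is cheap. Encryption is easy."), is concrete enough to show in code. The following Go program is an added example, not code from the original article or from ProVerity: it seals a small constructed record set with AES-256-GCM, restores it with the same key, and demonstrates that a single altered byte is refused on decryption, which is the property that matters when a laptop or a backup tape goes missing. The function names (NewKey, Seal, Open, RoundTrip) and the blob layout (nonce followed by ciphertext and tag) are this example's own choices. The key is a random 32-byte value that must be kept, and backed up, separately from the encrypted data; the article's warning about inaccessible files applies doubly to a lost key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is the AES-256 key length. The helper names below are this
// example's own (not from the article or any product).
const keySize = 32

// NewKey generates a fresh random AES-256 key. Store it apart from the data.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce is used for every call, so the same key may seal many files.
func Seal(key, plaintext []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob produced by Seal. It returns an error if the key is
// wrong or if any byte of the blob was altered in transit or storage.
func Open(key, blob []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// RoundTrip seals a constructed record set, reopens it, and then checks that a
// one-byte modification is rejected. It reports both outcomes.
func RoundTrip() (restored bool, tamperDetected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, err
	}
	// Constructed sample standing in for a backup of beneficiary records.
	records := []byte("id=1001,name=EXAMPLE A,dob=1950-01-01\nid=1002,name=EXAMPLE B,dob=1962-07-15\n")
	blob, err := Seal(key, records)
	if err != nil {
		return false, false, err
	}
	out, err := Open(key, blob)
	if err != nil {
		return false, false, err
	}
	restored = bytes.Equal(out, records)

	// Flip one bit of the authentication tag; Open must refuse to return data.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, terr := Open(key, tampered)
	tamperDetected = terr != nil
	return restored, tamperDetected, nil
}

func main() {
	ok, caught, err := RoundTrip()
	fmt.Println("restored:", ok, "tamper detected:", caught, "error:", err)
}
```

Whole-disk products and password-based tools derive the key from a passphrase; this example leaves that step out and works with a random key so that it runs with the Go standard library alone. The authenticated mode is the point: plain encryption without a tag would hide the data but would not tell you that a tape or file had been altered before it reached you.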
Email:
As email has become the most common form of business communication and most executives carry portable data processing devices to receive and check email, the use of an encrypted email server or service is highly recommended. Products such as Email2™, which are compatible with Microsoft Outlook™ and most popular smart phones, as well as other products, offer viable, flexibly priced solutions for both large and small business operating environments. These encrypted email applications allow the email and all attachments to reside on the secure server while still being accessible to the recipient. If the portable device is lost or stolen, the data is not lost as well.
Although somewhat outdated this NIST Information
Technology Bulletin still provides excellent information on
securing external computers and other devices used by Teleworkers.
The upside of the secure executive home workspace
is that the corporate data is more secure. Downside: the boss has more
opportunities to reach out to you.
Insider Threat Memo from the FBI: "Protect It, Report It, Get it Right"
During an Economic Espionage conference in DC in
October 2011, the FBI provided a useful memory jogger for how to
protect your company’s proprietary info.
Protect It. Conduct red-team exercises and security vulnerability analysis to find out where your weaknesses are. Consider that not all malicious insiders are obvious. FBI Agents shared these scenarios as potential red flags:
- Abrupt resignation. Any sudden departure is suspicious. Review what information the employee had access to and review system logs for signs of data leakage. Be sure to shut off all computer access for that person.
- Mr. Magoo. The bumbler who always seems to have a problem both bumping into walls and maintaining good security practices may in fact be using this persona to distract attention away from what he is really doing.
- Curious George. More than naturally curious, this character may be seeking to collect proprietary data outside his normal purview by asking a lot of seemingly innocent questions. Clever chimp!
- Theft "victims". Really? How many times can you lose your corporate cell phone and laptop with all the company data?
- Odd hours. Is Bob merely a night owl or is it easier for him to filch data when no one else is around?
- Problem children. The disgruntled and disaffected make poor workmates and excellent insider threats.
- Suspicious computer activity. This of course merits closer scrutiny, especially if system logs indicate that an external threat may in fact be masquerading as a legitimate user.
Report It. Make sure your
company has protocols in place for reporting suspicious behavior which
may indicate a rogue insider is at work stealing your sensitive
corporate data. This includes alerting the proper authorities.
Get It Right. Take precautions
when collecting and preserving evidence for a potential legal case.
Don’t open your company up to potential counter-suits. Like Armani,
those suits tend to be pretty expensive.
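Several recommendations on this page reduce to checks that can be run over system logs: the removable-media scans and log review from the thumb-drive item, the network access after departure in the Hooters case, and the "abrupt resignation", "odd hours" and "suspicious computer activity" flags in this FBI list. The Go program below is an added example, not material from the FBI briefing or from the original article. It parses a constructed access log (invented lines in a simple pipe-delimited format, not the output of any real product), compares each line against a list of accounts that should already have been disabled, and emits one finding per red flag. The business-hours window, the corporate mail domain corp.example, the terminated-account list and the function names (Review, mustTime) are all assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Finding is one flagged log line together with the reason it was flagged.
type Finding struct {
	Time   time.Time
	User   string
	Event  string
	Reason string
}

// sampleLog is a constructed log in the form "RFC3339 time|user|event|detail".
// The lines are invented for this example and come from no real system.
const sampleLog = `2011-10-03T09:12:00Z|asmith|login|workstation WS-14
2011-10-03T23:41:00Z|bjones|vpn_login|from 203.0.113.9
2011-10-04T10:05:00Z|asmith|usb_mount|vendor=generic label=KINGSTON
2011-10-04T10:07:00Z|asmith|email_send|to=asmith.personal@mail.example
2011-10-05T08:30:00Z|cdoe|vpn_login|from 198.51.100.20
2011-10-05T14:00:00Z|bjones|email_send|to=finance@corp.example`

// terminated maps accounts that should have been disabled at checkout to the
// moment the employee left (assumed values; in practice this comes from HR).
var terminated = map[string]time.Time{
	"cdoe": mustTime("2011-10-04T17:00:00Z"),
}

// Assumptions for the checks: business hours 07:00-19:00 UTC, corporate mail
// domain corp.example.
const (
	corpDomain = "corp.example"
	workStart  = 7
	workEnd    = 19
)

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// Review parses the log and applies the red-flag checks. It returns one
// Finding per flagged condition; a single line can yield more than one.
func Review(log string) ([]Finding, error) {
	var out []Finding
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.SplitN(line, "|", 4)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		user, event, detail := f[1], f[2], f[3]
		flag := func(reason string) { out = append(out, Finding{ts, user, event, reason}) }

		// 1. Any activity by an account that should already be disabled.
		if left, gone := terminated[user]; gone && ts.After(left) {
			flag("access after termination")
		}
		// 2. Logins outside business hours ("odd hours").
		if (event == "login" || event == "vpn_login") && (ts.Hour() < workStart || ts.Hour() >= workEnd) {
			flag("odd hours")
		}
		// 3. Removable media plugged in; worth a look whether or not policy allows it.
		if event == "usb_mount" {
			flag("removable media")
		}
		// 4. Mail sent to an address outside the corporate domain.
		if event == "email_send" {
			to := strings.TrimPrefix(detail, "to=")
			if at := strings.LastIndex(to, "@"); at < 0 || to[at+1:] != corpDomain {
				flag("mail to external address")
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := Review(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-8s %-11s %s\n", f.Time.Format(time.RFC3339), f.User, f.Event, f.Reason)
	}
}
```

On the sample data the program flags four lines: the late-night VPN login, the USB mount, the message to a personal mailbox, and a VPN login by an account that should have been disabled the previous afternoon. That last check is the one the exit procedure is meant to make unnecessary; when it fires, the checkout process failed. In practice the terminated-account list would come from HR's checkout records and the log from the VPN concentrator or domain controller rather than a string constant, and the findings would be reviewed by a person before anything else happens.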
Nasty Apps Can Infect Your Network via Mobile Devices
Mobile device exploitation is on the rise, as is the number of devices being employed by companies. With the skyrocketing sales of mobile devices (iPhone, iPad, Blackberry, and Android) has come an explosion of the application market. Apps are primarily designed to be useful for device owners. Unfortunately, the bad guys understand the desire to find "an App for that" and create malware that could make your life miserable and wreak havoc on your company’s operations. Trusting device owners download apps without knowing that malicious code lurks within. This malware can capture personal data from a device’s folders, calendars, logs, and contact list and transmit it to the criminals behind the app. Once activated on the device, the app may be designed to do a one-time exploitation or run for the life of the device.
Imagine that an exploited device is company-owned
and your employee uses it to conduct official business like creating
proprietary documents and preparing internal strategy presentations.
Imagine further that the bad guys may not just be competitors, but
sponsored by a foreign government with unlimited resources. Starts
getting a little scary, doesn’t it? It happens every day to people and
companies who would never think they would be targeted.
Companies should begin immediately developing a Mobile Device Management (MDM) policy and plan. An MDM policy should establish the rules for employees on what they can and cannot load onto their mobile devices. It should also include a physical control plan for email exchange, texting, and other common uses that would allow sensitive or proprietary data to reside on the device. The plan should establish timelines for regular logical and physical audits to review what data has been residing on the devices and a process for sanitizing the devices before servicing or trade-in for new models.
If you are a normal commercial user, you are
advised to be very careful in choosing Apps to download. Conduct some
internet due diligence on the App and contact the device maker to learn
of any malware reports. True, this is less fun than downloading on the
fly but it could prevent you from getting a nasty surprise later.