NTXISSACSC4 - Intellectual Property Protection― Cross Roads between Ethics, Information Security,...
Page 1
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
- Bruce Schneier
Page 2
Intellectual Property Protection ― Cross Roads between Ethics, Information Security, and Internal Audit
Mr. Rick Brunner, CISSP
Application Security Architect
GM Financial
Page 3
Disclaimer
The views, thoughts, claims, or opinions in this presentation are solely those of the presenter.
Nothing in this presentation represents the views, thoughts, claims, or opinions of GM Financial, United States Air Force, the Air Force Reserves, the Department of Defense, or the Intelligence Community.
Page 4
Objectives
• Recognize the impact and cost of Intellectual Property Exfiltration
• Identify the issues of re-using work products
• Discuss techniques in mitigating threats to an Organization’s Intellectual Property
Page 5
Intellectual Objects
• The expression intellectual objects refers to various forms of intellectual property
• Intellectual property consists of “objects” that are not tangible
• Non-tangible or "intellectual" objects represent creative works and inventions, i.e., the manifestations or expressions of ideas
Page 6
Intellectual Property Protection Schemes
• Copyright law
• Patents
• Trademarks
• Trade secrets
Page 7
Trade Secrets
• A trade secret is defined as information used in the operation of a business or other enterprise that is sufficiently valuable and secret to afford an actual or potential economic advantage over others
• Trade secrets can be used to protect
– Formulas (such as the one used by Coca-Cola)
– Blueprints for future projects
– Chemical compounds
– Process of manufacturing
Page 8
Value of Intellectual Property: Components of S&P 500 Market Value
[Chart: Intangible Assets vs. Tangible Assets for 1975, 1985, 1995, 2005 and 2009; axis 0–120]
Source: Ocean Tomo
Page 9
The Landscape
Page 10
The Actors
• External—External actors originate outside the victim organization and its network of partners. Typically, no trust or privilege is implied for external entities.
• Internal—Internal actors come from within the victim organization. Insiders are trusted and privileged (some more than others).
• Partners—Partners include any third party sharing a business relationship with the victim organization. Some level of trust and privilege is usually implied between business partners.
Source: Verizon’s 2013 Data Breach Investigations Report
Page 11
Their Purpose
Source: Verizon’s 2013 Data Breach Investigations Report
Page 12
Variety of External Actors
Source: Verizon’s 2013 Data Breach Investigations Report
Page 13
Profiling Threat Actors
Source: Verizon’s 2013 Data Breach Investigations Report
Page 14
Exfiltration
An unauthorized release of data from within a computer system or network
http://en.wikipedia.org/wiki/Exfiltration
Source: Trend Micro Incorporated—TrendLabs Security in Context Paper
Page 15
Exfiltration—Remote User
Source: Trend Micro Incorporated—TrendLabs Security in Context Paper
Page 16
Ours—Reaper UAV
http://www.hightech-edge.com/mq_9-reaper-hunter-killer-deployed-combat-missions-iraq-mq_1-rq_1-predator/2488
Source: Mandiant Overview--“State-of-the-Hack”
Page 17
Theirs—China Dragon UAV
http://www.sinodefenceforum.com/air-force/chinese-uav-ucav-development-24-3526.html
Source: Mandiant Overview--“State-of-the-Hack”
Page 18
Our F-22, Their J-20
http://aviationintel.com/wp-content/uploads/2011/05/j20f22comp.jpg
Page 19
Notable Others
RSA Hacked Via Recruitment Plan
Operation Aurora
http://www.pcmag.com/article2/0,2817,2391951,00.asp
http://en.wikipedia.org/wiki/File:IllegalFlowerTribute1.jpg
Page 20
Exfiltration—The Employee
Page 21
Insider Threat Case Database
Source: Common Sense Guide to Mitigating Insider Threats, 4th Edition http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017
Page 22
Cases in Three Major Crime Types by Sector
Source: Common Sense Guide to Mitigating Insider Threats, 4th Edition http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017
Page 23
Asset Attacked
Source: An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases http://repository.cmu.edu/cgi/viewcontent.cgi?article=1660&context=sei
Page 24
How
Other methods?
Page 25
Exfiltration Breakdown – Asset Targeted
[Chart, 0%–100%: assets targeted (Customer information, Source code, Business plans, Trade secrets, Internal business information, Proprietary software) broken down by exfiltration method (Remote network access, File/data transfer, Downloaded to personal laptop, Removable media, Host unknown, Theft of printed documents)]
Source: An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases http://repository.cmu.edu/cgi/viewcontent.cgi?article=1660&context=sei
Page 26
Case 1 – Lockheed Martin v Boeing
Lockheed Martin employee went to Boeing in 1999 for a 7.5% raise
• Lockheed Martin Intellectual Property went as well
• Employee offered to bring the entire rocket proposal along if hired (Disputed)
• Boeing personnel went through ethics training
• Boeing Legal triggered calls to Lockheed Martin and the Air Force informing them that seven pages of harmless data had been found and only viewed by 2 people
• 2003 Air Force investigation concluded that Boeing was in possession of over 22,000 pages of Lockheed Martin confidential and proprietary material
Page 27
Case 2 – Deputy Assistant Secretary (DAS) of the Air Force for Acquisition and Management
Principal DAS of the Air Force for Acquisition and Management
• DAS awarded dozens of contracts to Boeing from 2000-2002, as well as controversial $23 billion procurement for leasing aerial refueling tankers
• Boeing hired their relative while still in office
• Boeing offered them a position after leaving current position
• Boeing’s CFO and former DAS pleaded guilty to violations of the conflict of interest statutes
• DAS admitted that Boeing’s favors in hiring relatives and pending employment offer influenced contracting decisions
Page 28
Result
• Individuals were fired
• Lockheed Martin filed a civil suit against Boeing
• Under Secretary of the Air Force stripped Boeing of seven launches worth $1 billion and reallocated them to Lockheed Martin
• DOJ and Congressional Investigation, Decision (6/30/2006)
  – $615 million in fines
    • $565 million civil settlement
    • $50 million monetary penalty for separate criminal agreement
  – Boeing accepted responsibility for its employees
    • Continued cooperation with federal investigators
    • Maintained an effective ethics and compliance program, with particular attention in hiring former government officials and handling competitor information
• Received a 20-month suspension of 3 business units from Government contracting
Page 29
Top Reasons Employees Believe It Is Acceptable to Take Corporate Data
http://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf
Key Findings
• Employees are moving Intellectual Property outside the company in all directions
• When employees change jobs, sensitive business documents often travel with them
• Employees are not aware they are putting themselves and their companies at risk
• They attribute ownership of Intellectual Property to the person who created it
• Organizations are failing to create a culture of security
Page 30
Percentage Who Say a Software Developer Should Have the Right to Re-Use Code for Another Company
http://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf
Page 31
Takeaways
• Insider threats are influenced by a combination of
– Organizational
– Behavioral
– Technical issues
• Management, human resources, information technology, software engineering, legal, information security, internal audit and the critical data “owners”
– Understand the overall scope of the problem
– Communicate it to all employees in the organization.
Page 32
'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.
— Bruce Schneier
Page 33
Can Insiders be Stopped?
• It Depends--Stopping them is a complex problem
• Prevented/mitigated through a layered defense strategy consisting of
– Policies
– Procedures
– Technical controls
• Pay close attention to many aspects of the organization, including
– Organizational culture
– Business policies and procedures
– Technical environment
• Look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used
Source: Common Sense Guide to Mitigating Insider Threats, 4th Edition http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017
Page 34
Organization Culture
• Lead by example
• Create a positive work environment
• Anticipate and manage negative workplace issues
• Create an anonymous reporting system
• Know your assets
• Clearly document and consistently enforce policies and controls
Source: See “References” slide
Page 35
Organization Culture (Continued)
• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior
• Develop a formalized insider threat program
• Be especially vigilant regarding social media
Source: See “References” slide
Page 36
Business Policies and Procedures
• Perform regular (and unscheduled) audits
• Have a uniform data classification and privacy scheme
• Incorporate insider threat awareness into security awareness and training for all employees
• Enforce separation of duties and least privilege
• Develop a comprehensive employee termination procedure, including deactivating all known system and application access
Source: See “References” slide
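The separation-of-duties and termination bullets above are easiest to audit when the HR roster and each system's account export are reconciled mechanically rather than by hand. The Python below is an added example, not code from the presentation or from any of the guides it references. It compares a constructed HR roster against constructed account exports (the system names, usernames, employee ids and role names are all hypothetical) and reports two things: enabled accounts whose owner is terminated or not on the roster at all, and any person whose enabled accounts together hold both halves of a conflicting role pair.

```python
"""Joiner/mover/leaver reconciliation: HR roster vs. per-system account exports.

Added example. Every record below is constructed; system names ("ad", "vpn",
"erp"), usernames, employee ids and role names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                      # "active" or "terminated"
    termination: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str                      # hypothetical system name
    username: str
    owner_id: Optional[str]          # HR employee id the account maps to; None if unmapped
    enabled: bool
    roles: frozenset = frozenset()   # entitlements held on that system


# Constructed HR roster (what HR says about each person).
ROSTER = [
    Employee("E100", "A. Smith", "active"),
    Employee("E101", "B. Jones", "terminated", date(2013, 9, 30)),
    Employee("E102", "C. Lee", "active"),
]

# Constructed account inventory pulled from three systems.
ACCOUNTS = [
    Account("ad",  "asmith",     "E100", True),
    Account("ad",  "bjones",     "E101", False),                               # disabled as it should be
    Account("vpn", "bjones",     "E101", True),                                # missed by the termination checklist
    Account("erp", "bjones",     "E101", True, frozenset({"approve_payment"})),
    Account("erp", "svc_report", None,   True),                                # no HR owner on record
    Account("erp", "clee",       "E102", True, frozenset({"create_vendor", "approve_payment"})),
    Account("erp", "asmith",     "E100", True, frozenset({"create_vendor"})),
]

# Role pairs one person must never hold together (constructed policy).
CONFLICTING_ROLES = [("create_vendor", "approve_payment")]


def find_orphaned_accounts(roster: Iterable[Employee],
                           accounts: Iterable[Account]) -> List[Tuple[str, str, str]]:
    """Return (system, username, reason) for every enabled account whose owner
    is terminated or cannot be found in the HR roster."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append((acct.system, acct.username, "no active HR owner"))
        elif owner.status == "terminated":
            findings.append((acct.system, acct.username,
                             "owner terminated %s" % owner.termination))
    return sorted(findings)


def find_sod_violations(accounts: Iterable[Account],
                        conflicting_roles) -> List[Tuple[str, str, str]]:
    """Return (owner_id, role_a, role_b) where one person's enabled accounts on
    a single system together hold both roles of a conflicting pair."""
    held = {}  # (owner_id, system) -> set of roles
    for acct in accounts:
        if acct.enabled and acct.owner_id:
            held.setdefault((acct.owner_id, acct.system), set()).update(acct.roles)
    violations = []
    for (owner_id, _system), roles in held.items():
        for a, b in conflicting_roles:
            if a in roles and b in roles:
                violations.append((owner_id, a, b))
    return sorted(violations)


if __name__ == "__main__":
    for system, user, reason in find_orphaned_accounts(ROSTER, ACCOUNTS):
        print("deactivate: %s/%s (%s)" % (system, user, reason))
    for owner, a, b in find_sod_violations(ACCOUNTS, CONFLICTING_ROLES):
        print("separation of duties: %s holds both %s and %s" % (owner, a, b))
```

Run on the constructed data, the reconciliation reports the VPN and ERP accounts left enabled after B. Jones's termination, the unowned reporting account, and C. Lee's conflicting ERP roles. In a real deployment the two lists would be fed from the HR system and from each application's account export on a schedule, and every finding would be ticketed and closed, which is what turns the slide's "deactivate all known access" into an auditable control.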
Page 37
Business Policies and Procedures (Continued)
• Institutionalize system change controls
• Institute stringent access controls and monitoring policies on privileged users
• Implement strict password and account management policies and practices
• Consider threats from insiders and business partners in enterprise-wide risk assessments
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities
• Develop an insider incident response plan and investigate every incident
Source: See “References” slide
Page 38
Technical Environment
• Implement internal controls commensurate with the sensitivity of the data or information
• Implement secure backup and recovery processes
• Track and secure the physical environment
• Monitor and control remote access from all endpoints, including mobile devices, and use layered defenses
Source: See “References” slide
Page 39
Technical Environment (Continued)
• Use centralized logging and correlation capability to log and monitor employee, application, system, and network actions
• Establish a baseline of normal network device behavior
• Close the doors to unauthorized data exfiltration
• Consider insider threats in the software development lifecycle
Source: See “References” slide
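The logging, baseline and exfiltration bullets above describe a detection pipeline in outline. The Python below is an added example, not code from the presentation or its sources, showing one concrete shape for it: it parses a constructed egress log (the user=/bytes_out=/channel=/dest= fields, hostnames and usernames are invented for the example), builds a per-user baseline of daily outbound volume from a quiet week, flags later days that are both statistically unusual and at least double that user's norm, and separately surfaces off-hours transfers to removable media or non-corporate destinations, which matches the removable-media and remote-transfer methods from the CMU breakdown earlier in the deck.

```python
"""Baseline-and-deviation detection over a centralized egress log.

Added example. The log format, field names, hosts and users below are
constructed; a real feed would come from the proxy, DLP or endpoint agent.
"""
import re
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed feed: one line per outbound transfer event.
LOG_LINES = """\
2013-10-07T09:12:03 user=asmith bytes_out=120000 channel=web dest=wiki.corp.example
2013-10-07T14:40:11 user=asmith bytes_out=80000 channel=web dest=mail.corp.example
2013-10-08T10:02:45 user=asmith bytes_out=150000 channel=web dest=wiki.corp.example
2013-10-09T11:30:00 user=asmith bytes_out=90000 channel=web dest=wiki.corp.example
2013-10-10T09:55:21 user=asmith bytes_out=110000 channel=web dest=wiki.corp.example
2013-10-11T16:20:09 user=asmith bytes_out=130000 channel=web dest=wiki.corp.example
2013-10-14T22:41:37 user=asmith bytes_out=4800000000 channel=usb dest=removable:E
2013-10-14T22:55:02 user=asmith bytes_out=950000000 channel=web dest=personal-mail.example
2013-10-07T09:00:00 user=clee bytes_out=200000 channel=web dest=wiki.corp.example
2013-10-08T09:00:00 user=clee bytes_out=210000 channel=web dest=wiki.corp.example
2013-10-09T09:00:00 user=clee bytes_out=190000 channel=web dest=wiki.corp.example
2013-10-10T09:00:00 user=clee bytes_out=205000 channel=web dest=wiki.corp.example
2013-10-11T09:00:00 user=clee bytes_out=195000 channel=web dest=wiki.corp.example
2013-10-14T09:00:00 user=clee bytes_out=215000 channel=web dest=wiki.corp.example
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) bytes_out=(\d+) channel=(\S+) dest=(\S+)$")
BASELINE_END = date(2013, 10, 12)   # days before this date form the baseline
CORP_SUFFIX = ".corp.example"       # hypothetical internal domain
WORK_HOURS = range(7, 19)           # 07:00-18:59 counts as business hours


def parse_log(text):
    """Parse the feed into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, nbytes, channel, dest = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "bytes": int(nbytes), "channel": channel, "dest": dest})
    return events


def daily_totals(events):
    """Sum bytes_out per (user, day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["bytes"]
    return totals


def volume_anomalies(events, baseline_end):
    """Return (user, day, total, threshold) for post-baseline days whose total
    exceeds max(mean + 3*stdev, 2*mean) of that user's baseline days. Users
    with fewer than two baseline days have no usable baseline and are skipped."""
    totals = daily_totals(events)
    baseline = defaultdict(list)
    for (user, day), total in totals.items():
        if day < baseline_end:
            baseline[user].append(total)
    findings = []
    for (user, day), total in sorted(totals.items()):
        if day < baseline_end or len(baseline[user]) < 2:
            continue
        mean = statistics.mean(baseline[user])
        sd = statistics.pstdev(baseline[user])
        threshold = max(mean + 3 * sd, 2 * mean)   # unusual AND at least double the norm
        if total > threshold:
            findings.append((user, day, total, threshold))
    return findings


def offhours_external(events):
    """Return (user, timestamp, channel, dest) for off-hours transfers to
    removable media or to destinations outside the corporate domain."""
    findings = []
    for e in events:
        external = e["channel"] == "usb" or not e["dest"].endswith(CORP_SUFFIX)
        if external and e["ts"].hour not in WORK_HOURS:
            findings.append((e["user"], e["ts"].isoformat(), e["channel"], e["dest"]))
    return findings


if __name__ == "__main__":
    evts = parse_log(LOG_LINES)
    for f in volume_anomalies(evts, BASELINE_END):
        print("volume anomaly:", f)
    for f in offhours_external(evts):
        print("off-hours external transfer:", f)
```

The two checks are deliberately independent: the volume rule catches a user who suddenly moves far more data than their own history supports regardless of where it goes, while the off-hours rule catches small but policy-relevant transfers the statistical rule would never see. Both depend on the centralized log actually carrying user, size, channel and destination for every channel that matters, which is the "close the doors" work the slide calls for.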
Page 40
References
• Common Sense Guide to Mitigating Insider Threats, 4th Edition http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34017
• Eight Tips To Prevent Employee Theft and Fraud http://www.allbusiness.com/prevent-employee-theft-fraud/16704398-1.html
• What's Yours is Mine: How Employees are Putting Your Intellectual Property at Risk http://www.iplawalert.com/uploads/file/WP_WhatsYoursIsMine-HowEmployeesarePuttingYourIntellectualPropertyatRisk.pdf
• Data Discovery and Classification in Five Easy Steps http://trendedge.trendmicro.com/pr/tm/te/document/DLP_Data_Discovery_and_Classification_in_5_Steps_090630.pdf
• The CERT® Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). ISBN-13: 978-0-321-81257-5, ISBN-10: 0-321-81257-3