Intellectual Property Society presenting
Bridging the Gap: Securing IP
Curtis Coleman, CISSP, CISM
Director, Electronic Security
Seagate Technology

Agenda
Introductions
IP and E-Commerce
• Why should I care? I’m a small company.
• IP Audit – Take Inventory
Is snooping really a threat?
Primer on how they operate?
High Tech & Non-Tech Solutions
Bridging the Gap: Securing IP June 2003
For Public Use
Page 2
Senior Computer Security Officer for the B-2 Stealth Bomber
US Air Force - 20 years
Top Secret Clearance
Operations Officer
• Minuteman Missiles
• Electronic Warfare
• Computer Security
• B-2 Stealth System
USAF Medal of Achievement
• Computer Systems Security Research
• Authored Book USAF WCCS Security
Commander of a team of Information Warfare Specialists (CyberKnights)
The CyberKnight Mission
IBM Executive Computer Security Specialist
“Ethical Hacker”
Goal: Identify Critical Business Processes & Intellectual Property
Penetrate Secure IP
• United Nations
• World Bank
• Morgan Stanley - Dean Witter
• AT&T Global Networks
• Ernst & Young Security Services
• Bank of America
• Hallmark, Inc.
• US Military & Government Agencies
IP Relates to E-Commerce
E-Commerce involves selling products or services that are based on IP
• Music, Video, Pictures
• Software, Graphics, Designs
• Training material, systems, etc.
IP is involved in making E-Commerce work:
• Software, networks, routers/switches
• Chips, designs, user interfaces, etc.
Small or Middle Sized Businesses Have Need to Protect Their IP
E-Commerce businesses and Internet related businesses are based on product or patent licensing
• Different technologies are required to create a product
• Companies often outsource the development of some components
E-Commerce based businesses usually hold a great deal of their value in IP
• The value of the E-Commerce business is directly affected by whether you have protected your IP
IP Audit – Take Inventory
Patents, patent applications, innovations that could be patentable
Copyright
• Software, designs, documentation or technical writing, software scripts, user interface material, schematics, artwork, web site designs, music, photos, video
Distinct signs, company name, product names, logos
Trade secrets – has commercial value to you, not generally known
• Product formulas, customer lists, business strategies & models, plans for technical enhancements to products
Any valuable that is intangible
The Purpose of IP Audit
The purpose of the IP Audit is to review what IP your company has and determine how to protect, exploit, and enhance its value.
Example: Your E-Commerce business is affected by Patents
• Patents are not just for large companies. Patents are not only for high technology
• Some of the most successful E-Commerce companies have used patents for business methods:
  • Amazon
  • America On-Line
  • DoubleClick
  • eBay
  • PriceLine
Is Snooping Really A Threat?
American Society of Industrial Security
• Sept 2002 – surveyed 138 companies
• Reported losses in R&D or financial data at $53 billion
Society of Competitive Intelligence Professional
• Governed by a set of legal and ethical guidelines
Foreign governments
Chinese Proverb – “the death of a thousand cuts”
• Most companies don’t have a means of tracking the loss of IP
• They go on hemorrhaging, losing market share
• Gradually it takes the vitality out of the company
• Usually seen as, “Oh well, that’s just bad luck in business”
Training Material – Easy to Obtain
• Art of Deception
• Netspionage
• Your Secrets Are My Business
• Naked in Cyberspace
Five Step Primer: How Snoops Operate
Step 1: Find Out What’s Public
The number one source of damage to companies is that their own people don’t know how to handle the company’s IP
• Salespeople – Tradeshows
• Detail R&D facility – to attract recruits
• Suppliers – brag about sales on Website
• Public Relations – press release on patents
• EPA/OSHA – over reported on facilities
• Employees – chat on Yahoo boards
Five Step Primer: How Snoops Operate
Step 2: Work the Phones
List of employee names, titles, extensions
Internal newsletters, promotions, retirements, new hires
• The more the snoop knows about the person answering the phone, the easier it is to work that person for information
• Snoop won’t ask direct questions
• Snoop will guide the conversation in ways that seem innocuous
• Snoop shows high interest in the target and what he does
• A 5-minute survey becomes 20 minutes of IP gathering
Five Step Primer: How Snoops Operate
Step 3: Go into the Field
Any public place where employees go, snoops go too!
• Airports
• Coffee shops
• Restaurants
• Bars near company offices or factory
• Tradeshows
Snoops use Job Interviews
• Sees what you are asking for in new hires (skills, technology)
• Asks one of your employees in for a job interview
Five Step Primer: How Snoops Operate
Step 4: Put It All Together
It is not only trade secrets that are valuable!
Example: 3 Grad Students
• Company was interested in a new technology
• Students had been publishing papers for 2 years on the new technology
• Suddenly they stopped writing
• Investigation showed all 3 moved to the same town and worked for a high tech competitor
• Talked to them on the phone about previously published papers
• Figured out when the new technology would hit the market
• Gave an 18-month heads-up on the competition’s plans
Five Step Primer: How Snoops Operate
Step 5: And If All Else Fails . . .
Other countries have vastly different ethical and legal guidelines for information gathering!
• Bugs, bribes, theft, extortion
• Widely practiced throughout the world
• Espionage is sometimes sanctioned or even carried out by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy.
A Growing Concern
IP Rights vs. Privacy
Everything in Cyberspace is composed of bits (1s & 0s)
Digital works are perfectly reproducible, an infinite number of times without degradation
On the Web, a copy is the original
The need for Digital Rights Management (DRM)
• Security & integrity features of computer OS
• Rights-management and tracking
• Encryption
• Digital Signatures
• Fingerprinting and other “marking” technology
The Consumer’s Privacy vs DRM
High Technology & Non-Technology Solutions
High Technology
• Firewalls
• Intrusion Detection Systems
• Content Filtering
• Access Control Lists
• Digital Rights Management
• Cryptography
  • SSL
  • Certificates
  • Digital Signatures
  • Steganography
Non-Technology
• Policies
• Standards
• Procedures
• Security Awareness
Any Questions?
Contact Info:
Curtis Coleman, CISSP, CISM
Phone: 831-439-7194
eMail: [email protected]