Cole Man

Intellectual Property Society presenting Bridging the Gap: Securing IP Curtis Coleman, CISSP, CISM Director, Electronic Security Seagate Technology

Agenda Introductions IP and E-Commerce • Why should I care? I’m a small company. • IP Audit – Take Inventory Is snooping really a threat? Primer on how they operate? High Tech & Non-Tech Solutions

Bridging the Gap: Securing IP June 2003

For Public Use

Page 2

Senior Computer Security Officer for the B-2 Stealth Bomber US Air Force - 20 years Top Secret Clearance Operations Officer • Minuteman Missiles • Electronic Warfare • Computer Security • B-2 Stealth System USAF Medal of Achievement

• Computer Systems Security Research • Authored Book USAF WCCS Security

Bridging the Gap: Securing IP June 2003

For Public Use

Page 3

Commander of a team of Information Warfare Specialists (CyberKnights)

Bridging the Gap: Securing IP June 2003

For Public Use

Page 4

The CyberKnight Mission

Bridging the Gap: Securing IP June 2003

For Public Use

Page 5

IBM Executive Computer Security Specialist “Ethical Hacker” Goal: Identify Critical Business Processes & Intellectual Property Penetrate Secure IP • • • • • • •

United Nations World Bank Morgan Stanley - Dean Witter AT&T Global Networks Ernst & Young Security Services Bank of America Hallmark, Inc. US Military & Government Agencies Bridging the Gap: Securing IP June 2003

For Public Use

Page 6

IP Relates to E-Commerce E-Commerce involves selling products or services that are based on IP • Music, Video, Pictures • Software, Graphics, Designs • Training material, systems, etc. IP is involved in making E-Commerce work: • Software, networks, routers/switches • Chips, designs, user interfaces, etc.

Bridging the Gap: Securing IP June 2003

For Public Use

Page 7

Small or Middle Sized Businesses Have Need to Protect Their IP E-Commerce businesses and Internet related businesses are based on product or patent licensing • Different technologies are required to create a product • Companies often outsource the development of some components E-Commerce based businesses usually hold a great deal of their value in IP • The value of the E-Commerce business is directly affected by whether you have protected your IP

Bridging the Gap: Securing IP June 2003

For Public Use

Page 8

IP Audit – Take Inventory Patents, patent applications, innovations that could be patentable Copyright • Software, designs, documentation or technical writing, software scripts, user interface material, schematics, artwork, web site designs, music, photos, video Distinct signs, company name, product names, logos Trade secrets – has commercial value to you, not generally known • Product formulas, customer lists, business strategies & models, plans for technical enhancements to products Any valuable that is intangible Bridging the Gap: Securing IP June 2003

For Public Use

Page 9

The Purpose of IP Audit The purpose of the IP Audit is to review what IP your company has and determine how to protect, exploit, and enhance its value. Example: Your E-Commerce business is affected by Patents • Patents are not just for large companies. Patents are not only for high technology • Some of the most successful E-Commerce companies have used patents for business methods: • Amazon • America On-Line • DoubleClick • eBay • PriceLine Bridging the Gap: Securing IP June 2003

For Public Use

Page 10

Is Snooping Really A Threat? American Society of Industrial Security • Sept 2002 – surveyed 138 companies • Reported lost in R&D or financial data at $53Billion Society of Competitive Intelligence Professional • Govern by a set of legal and ethical guidelines Foreign governments Chinese Proverb – “the death of a thousand cuts” • • • •

Most companies don’t have a means of tracking the loss of IP They go on hemorrhaging, losing market share Gradually it takes the vitality out of the company Usually seen as, “Oh well, that’s just bad luck in business”

Bridging the Gap: Securing IP June 2003

For Public Use

Page 11

Training Material – Easy to Obtain Art of Deception Netspionage Your Secrets Are My Business Naked in Cyberspace

Bridging the Gap: Securing IP June 2003

For Public Use

Page 12

Five Step Primer: How Snoops Operate Step 1: Find Out What’s Public The number one damage to companies is their own people don’t know how to handle the company’s IP Salespeople Detail R&D facility Suppliers Public Relations EPA/OSHA Employees

Bridging the Gap: Securing IP June 2003

Tradeshows to attract recruits brag about sales on Website press release on patents over reported on facilities chat on Yahoo boards

For Public Use

Page 13

Five Step Primer: How Snoops Operate Step 2: Work the Phones List of employee names, titles, extentions Internal newsletters, promotions, retirements, new hires • The more the snoop knows about the person answering the phone, the easier to work that person for information • Snoop won’t ask direct questions • Snoop will guide the conversation in ways that seem innocuous • Snoop shows high interested in the target and what he does • A 5 minutes survey becomes 20 minutes of IP gathering

Bridging the Gap: Securing IP June 2003

For Public Use

Page 14

Five Step Primer: How Snoops Operate Step 3: Go into the Field Any public place where employees go, snoops go too! • Airports • Coffee shops • Restaurants • Bars near company offices or factory • Tradeshows Snoops use Job Interviews • Sees what you are asking for in new hires (skills, technology) • Asks one of your employees in for a job interview Bridging the Gap: Securing IP June 2003

For Public Use

Page 15

Five Step Primer: How Snoops Operate Step 4: Put it Altogether It is not only trade secrets that are valuable! Example: 3 Grad Students • Company was interested in a new technology • Students publishing papers for 2 years on new technology • Suddenly they stopped writing • Investigation showed all 3 moved to same town and worked for high tech competitor • Talk to them on phone about previous published papers • Figured out when new technology would hit the market • Gave an 18 months heads up on the competition plans

Bridging the Gap: Securing IP June 2003

For Public Use

Page 16

Five Step Primer: How Snoops Operate Step 5: And If All Else Fails . . . Other countries have vastly different ethical and legal guidelines for information gathering! • Bugs, bribes, theft, extortion • Widely practiced throughout the world • Espionage is sometimes sanctioned or even carried out by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy.

Bridging the Gap: Securing IP June 2003

For Public Use

Page 17

A Growing Concern

IP Rights vs. Privacy Everything in Cyberspace is composed of bits (1s & 0s) Digital works are perfectly reproducible, an infinite number of times without degradation On the Web, a copy is the original The need for Digital Rights Management (DRM) • Security & integrity features of computer OS • Rights-management and tracking • Encryption • Digital Signatures • Fingerprinting and other “marking” technology The Consumer’s Privacy vs DRM

Bridging the Gap: Securing IP June 2003

For Public Use

Page 18

High Technology & Non-Technology Solutions High Technology Firewalls

Non-Technology

Policies

Intrusion Detection Systems

Standards

Content Filtering

Procedures

Access Control Lists

Security Awareness

Digital Rights Management Cryptography • SSL • Certificates • Digital Signatures • Steganography

Bridging the Gap: Securing IP June 2003

For Public Use

Page 19

Any Questions ? Contact Info: Curtis Coleman, CISSP, CISM Phone: 831-439-7194 eMail: [email protected]

Bridging the Gap: Securing IP June 2003

For Public Use

Page 20