In Depth

Stop (IP) Thief!

Insiders (like the temp who sits at this desk) can use many tools and techniques to pilfer your intellectual property. How many can you find?

By Scott Berinato

September 01, 2006 — CSO — USB

Storage Keys

RISK: 3 d

How: Transfer electronic files onto plugged-in USB storage devices

Why: Low cost; easily concealed; portable; zero configuration; plug and play with any computer

Why not: Storage space limited though increasing

Mitigation: Disconnect USB ports; confiscate keys

Monitor important file activity/transfers

Comments: Keys quickly turning into a scourge because of their cost and form factor. Managing this

threat should be a top priority.

USB Copier

Risk: 3 d

How: Transfer data from one USB key to another without a computer

Why: Portable; concealable; zero configuration; allows proliferation of stolen data

Why not: Relatively new technology; hard to find

Mitigation: Confiscate copiers

Ban possession and use onsite

Comments: USB copiers not yet well known but they will be. CSOs should prepare. While banning USB

copiers could help, once keys holding critical data are taken offsite, theyâ¬"re easily copied.

Laptop

Hard Drive

Risk: 3 sg

How: Transfer network files onto local hard drive

Why: Laptops ubiquitous and taking them

offsite not unusual or suspicious behavior;

massive storage space allows large-scale

data theft

Why not: Likely to leave digital footprints of computer and file use if confiscated

Mitigation: Monitor file use and activity

Many commercial programs classify and encrypt data, block unauthorized file transfers and alert

security if important files are tampered with; also consider LoJack-like devices for laptops

Adopt laptop check-in and check-out policies and rules of use for laptops outside the office

Comments: Classic security/productivity clash. As useful as laptops are, they create numerous risks to

intellectual property, including losing them. Prepare for policy battles.

Laptop Applications

Risk: 2 sg

How: Transfer IP out of company through e-mail, IM, Web-based remote access, FTP, other applications

Why: Create immediate access outside company; physical removal not necessary; quick transaction; can

make it look like normal online activity

Why not: Require an accomplice (knowing or unwitting) person or machine to receive data; likely to

leave audit trail

Mitigation: Use products to inspect and prevent transactions

Ban hard-to-control apps like IM

Monitor applications and file transfer activity

Comments: Risk rating is 2, not 3, because of wide variety of defenses available. Biggest challenge isnâ¬"t

the mechanics of stopping the crime but the clash of productivity and openness with the need to

secure. Some companies will easily ban IM, others will have a user revolt. And you canâ¬"t ban e-mail, yet

surveillance of e-mail is an imperfect option too.

Camera

Cell Phone

Risk: 3 sg

How: Take pictures of notes, whiteboards, labs, other sensitive data

Why: Discreet; can capture handwritten data; portable; concealable; physical removal unnecessary

Why not: Low image quality; limited storage space

Mitigation: Ban camera cell phones from use on premises

Where appropriate, search bags for camera cell phones upon building entry

Employees should report unusual behavior with cell phones

• Email
• Print
• Comments
• Digg This
• SlashDot

• The Clean Desk Test: What's Wrong with This Picture?
• Spy Repellent
• Attack of the iPods!
• Intellectual Property Protection: The Basics
• Nation States' Espionage and Counterespionage