1. The Loss of Intellectual Property in
the Digital Age:
What Companies can do to Protect
Themselves
Christopher Kranich

2. The Digital Revolution
• People are now more connected
– More information in less time
– More often
– Greater distances
– Many security challenges for business

3. Cyber-based Threats to IP
• Sources evolving and growing rapidly
– Competitors
– Malicious employees
– Well intentioned employees
– Criminal groups
– Hacktivists
– Foreign governments

4. IP is Valuable
• Cost to design new projects or services
– Engineers
– Designers
• Cost to manufacture
– Proprietary processes
– Material sourcing
– Pricing information
• Marketing costs

5. New Work Locations
• From home
• On The road
• Businesses/public places
• Security
– More chances for deletion, theft of compromise
• WiFi networks
• Device theft of damage
• Over the Shoulder
• Co-mingling of the personal and the private

6. Types of Devices
• Laptops
• Theft, Over-the-shoulder, WiFi
• Smart Phones
• Theft, WiFi, unpatched
• Tablets
• Theft, WiFi, unpatched
• Desktops
• Not updated, no virus protections

7. More Data
• Large capacity
• Smaller storage medium
• Cheap
• More cloud-based storage
• User can download a large amount of IP
quickly
• Malicious or innocent intentions

8. Reasons IP is Compromised
• Innocent Reasons
– Work outside of office
– Curiosity
– Recovered IP
• Malicious Reasons
– Do not like job
– Sell IP for profit
– Hacktivism
– For fun

9. Employee Views of IP
• Attribute ownership to the person who
created it
• Cheap, easily moved, copied, and manipulated
• Okay to take with them to their next job
Symantec Report

10. VW vs. GM
• Executives took 1000’s of pages
• Photocopied in physical from
– Secretary
– Other Witnesses
• Carried out in boxes of briefcases
• Lots of witnesses to IP removal
• 100 million Dollar settlement

11. Starwood vs. Hilton
• Over 100,000 files stolen
– Starwood luxury concept
• Hilton came up with their own version
– Board presentations
– Market research studies
– Valued at 1 million Dollars
• Downloaded to laptop
– Easy to steal data
– Quick, behind closed doors, portable

12. What Companies Can Do To Protect Themselves

13. Encrypt Data
• VPN
• Full-disk encryption
• USB sticks
• Emails and attachments

14. Mobile Device Management
• Common for employees to bring their own
device (BYOD)
• Poses many security challenges
– Corporate data vulnerable to theft, damage, or
deletion
– Hard to keep track of
– Corporate data and personal data on same device

15. Software Solutions
• MobileNow
• MobileIron
• Zenprise
• IBM
• Symantec
• Airwatch

16. Customizable Device Policies
• Control which device features and built-in
apps can be used
• Specify what the authentication requirements
are
• Apply specific policy sets to specific groups of
users
– Time, roles, types of data, location

17. Jailbroken or Rooted Devices
• Pose a big security risk
– Unstable or not updated
• Detect these devices
• Enforce greater controls for them
– Lock or wipe
– Ban from network
– Approved apps
– Vpn
– Device kept up-to-date

18. Centralized Updating
• Update OS and apps remotely
– Convenient and easy
• All devices patched at the same time
– All devices on same footing
– Eliminates specific vulnerabilities

19. Applications
• App blacklisting
• Block and revoke any apps from any user
• Track usage
• App-to-app encryption

20. Email Features
• Ability to encrypt attachments
• Prevent unauthorized copying and forwarding
• Restrict sharing of attachments to certain apps
• Specify attachment file types to encrypt

21. Data Storage
• Storage all data in a home directory
– Persisitent and centralized location
– Easy to set up automatic backups
– Easy to selectively distribute data
– Easy to track data and wipe if neccesary
– Can have multiple clients
• Different platforms accessing the same directory

22. Data Access Restrictions
• Geofencing
– Data only accessible in certain locations
– Prevents data from being accessed off site or an
area of the office
• Time-Based
– Data only accessible at certain times
• When employees are working
• When a project is active

23. Remote Lock, Locate, and Wipe
• Lost or stolen
• Infected with malware
• User leaves company

24. Data Leakage Prevention
• Deep content inspection
• Reads data to find high value IP
• Does not prevent attacks
• Limits accidental deletion or moving

25. Data Leakage Prevention
• System figures out sensitive data on it’s own
• Logs moving, copying, and deleting
• Prevents user from emailing data out by
making it read only
• Requires fine tuning

26. Attribute-Based Access Control
• Grants access based on attributes
– Location
– Authentication method
– Deviation from the norm
– Type of data
– Time of access

27. Cloud Storage Solutions
• Data integrity
• Access is controlled
• Data must be available when needed

28. Cloud Storage Solutions
• Policy for backing up data
• Data is encrypted in storage
• Data is sent to facility securely
• Data is backed up regularly
• Data is kept in multiple locations

29. Employee Training
• Protect credentials
• Good passwords or passphrases
• Social engineering
• Alerting IT

30. Basic Security Principles
• Log activities
• Set up alerts
• Use IDS system
• Set up firewalls on internet connections
• Control physical access

31. Basic Security Principles
• Set up user accounts
• Give users their own account
• Provide the minimum amount of access
needed

32. Questions and Comments