Intellectual Property Society presenting Bridging the Gap: Securing IP Curtis Coleman, CISSP, CISM Director, Electronic Security Seagate Technology

Bridging the Gap: Securing IP


DESCRIPTION

By Curtis Coleman


Page 1: Bridging the Gap: Securing IP

Intellectual Property Society presenting

Bridging the Gap: Securing IP

Curtis Coleman, CISSP, CISM
Director, Electronic Security

Seagate Technology

Page 2: Bridging the Gap: Securing IP

Bridging the Gap: Securing IP, June 2003

For Public Use

Agenda

Introductions

IP and E-Commerce
• Why should I care? I’m a small company.
• IP Audit – Take Inventory

Is snooping really a threat?

Primer on how they operate?

High Tech & Non-Tech Solutions

Page 3: Bridging the Gap: Securing IP


Senior Computer Security Officer for the B-2 Stealth Bomber

US Air Force - 20 years
Top Secret Clearance
Operations Officer
• Minuteman Missiles
• Electronic Warfare
• Computer Security
• B-2 Stealth System
USAF Medal of Achievement
• Computer Systems Security Research
• Authored Book USAF WCCS Security

Page 4: Bridging the Gap: Securing IP


Commander of a team of Information Warfare Specialists (CyberKnights)

Page 5: Bridging the Gap: Securing IP


The CyberKnight Mission

Page 6: Bridging the Gap: Securing IP


IBM Executive Computer Security Specialist “Ethical Hacker”

Goal:

Identify Critical Business Processes & Intellectual Property

Penetrate

Secure IP

• United Nations World Bank
• Morgan Stanley - Dean Witter
• AT&T Global Networks
• Ernst & Young Security Services
• Bank of America
• Hallmark, Inc.
• US Military & Government Agencies

Page 7: Bridging the Gap: Securing IP


IP Relates to E-Commerce

E-Commerce involves selling products or services that are based on IP
• Music, Video, Pictures
• Software, Graphics, Designs
• Training material, systems, etc.

IP is involved in making E-Commerce work:
• Software, networks, routers/switches
• Chips, designs, user interfaces, etc.

Page 8: Bridging the Gap: Securing IP


Small or Middle Sized Businesses Have Need to Protect Their IP

E-Commerce businesses and Internet related businesses are based on product or patent licensing
• Different technologies are required to create a product
• Companies often outsource the development of some components

E-Commerce based businesses usually hold a great deal of their value in IP
• The value of the E-Commerce business is directly affected by whether you have protected your IP

Page 9: Bridging the Gap: Securing IP


IP Audit – Take Inventory

Patents, patent applications, innovations that could be patentable

Copyright
• Software, designs, documentation or technical writing, software scripts, user interface material, schematics, artwork, web site designs, music, photos, video

Distinct signs, company name, product names, logos

Trade secrets – has commercial value to you, not generally known
• Product formulas, customer lists, business strategies & models, plans for technical enhancements to products

Any valuable that is intangible

Page 10: Bridging the Gap: Securing IP


The Purpose of IP Audit

The purpose of the IP Audit is to review what IP your company has and determine how to protect, exploit, and enhance its value.

Example: Your E-Commerce business is affected by Patents
• Patents are not just for large companies. Patents are not only for high technology
• Some of the most successful E-Commerce companies have used patents for business methods:
  • Amazon
  • America On-Line
  • DoubleClick
  • eBay
  • PriceLine

Page 11: Bridging the Gap: Securing IP


Is Snooping Really A Threat?

American Society of Industrial Security
• Sept 2002 – surveyed 138 companies
• Reported losses in R&D or financial data at $53 billion

Society of Competitive Intelligence Professionals
• Governed by a set of legal and ethical guidelines

Foreign governments

Chinese Proverb – “the death of a thousand cuts”
• Most companies don’t have a means of tracking the loss of IP
• They go on hemorrhaging, losing market share
• Gradually it takes the vitality out of the company
• Usually seen as, “Oh well, that’s just bad luck in business”

Page 12: Bridging the Gap: Securing IP


Training Material – Easy to Obtain

Art of Deception

Netspionage

Your Secrets Are My Business

Naked in Cyberspace

Page 13: Bridging the Gap: Securing IP


Five Step Primer: How Snoops Operate
Step 1: Find Out What’s Public

The number one damage to companies is their own people don’t know how to handle the company’s IP

Salespeople Tradeshows
Detail R&D facility to attract recruits
Suppliers brag about sales on Website
Public Relations press release on patents
EPA/OSHA over reported on facilities
Employees chat on Yahoo boards

Page 14: Bridging the Gap: Securing IP


Five Step Primer: How Snoops Operate
Step 2: Work the Phones

List of employee names, titles, extensions
Internal newsletters, promotions, retirements, new hires
• The more the snoop knows about the person answering the phone, the easier to work that person for information
• Snoop won’t ask direct questions
• Snoop will guide the conversation in ways that seem innocuous
• Snoop shows high interest in the target and what he does
• A 5-minute survey becomes 20 minutes of IP gathering

Page 15: Bridging the Gap: Securing IP


Five Step Primer: How Snoops Operate
Step 3: Go into the Field

Any public place where employees go, snoops go too!
• Airports
• Coffee shops
• Restaurants
• Bars near company offices or factory
• Tradeshows

Snoops use Job Interviews
• Sees what you are asking for in new hires (skills, technology)
• Asks one of your employees in for a job interview

Page 16: Bridging the Gap: Securing IP


Five Step Primer: How Snoops Operate
Step 4: Put It All Together

It is not only trade secrets that are valuable!

Example: 3 Grad Students
• Company was interested in a new technology
• Students had been publishing papers for 2 years on the new technology
• Suddenly they stopped writing
• Investigation showed all 3 moved to the same town and worked for a high tech competitor
• Talked to them on the phone about previously published papers
• Figured out when the new technology would hit the market
• Gave an 18-month heads-up on the competition’s plans

Page 17: Bridging the Gap: Securing IP


Five Step Primer: How Snoops Operate
Step 5: And If All Else Fails . . .

Other countries have vastly different ethical and legal guidelines for information gathering!
• Bugs, bribes, theft, extortion
• Widely practiced throughout the world
• Espionage is sometimes sanctioned or even carried out by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy.

Page 18: Bridging the Gap: Securing IP


A Growing Concern IP Rights vs. Privacy

Everything in Cyberspace is composed of bits (1s & 0s)

Digital works are perfectly reproducible, an infinite number of times without degradation

On the Web, a copy is the original

The need for Digital Rights Management (DRM)
• Security & integrity features of computer OS
• Rights-management and tracking
• Encryption
• Digital Signatures
• Fingerprinting and other “marking” technology

The Consumer’s Privacy vs DRM

Page 19: Bridging the Gap: Securing IP


High Technology & Non-Technology Solutions

High Technology

Firewalls
Intrusion Detection Systems
Content Filtering
Access Control Lists
Digital Rights Management
Cryptography
• SSL
• Certificates
• Digital Signatures
• Steganography

Non-Technology

Policies
Standards
Procedures
Security Awareness

Page 20: Bridging the Gap: Securing IP


Any Questions ?

Contact Info:
Curtis Coleman, CISSP, CISM

Phone: 831-439-7194

eMail: [email protected]