Security Manager's Journal: A deal that's too good to be true
Offshore coding vendor offers a great price for quality work, but it may be stealing the company's source code.
Computerworld - My company is always looking for ways to save money. One maneuver -- outsourcing the development of a module of one of our software products -- almost cost us big time.
We had chosen a provider in Southeast Asia, based not just on its extremely low cost but also on the quality of work we'd seen it deliver in the past, which was far superior to that of other low-cost, offshore locations. Recently, we decided to decrease the number of engineers working on the project, and the vendor ended up laying off one of the removed engineers. That laid-off engineer let us know that the vendor was using our source code to create a competing product. He either wouldn't or couldn't tell us many details, but he did say that our source code was being copied to USB drives to avoid detection and then being shared within the vendor company.
We had to act quickly to verify the accusation and stop the theft before all of our source code could be taken.
Our company policy is that vendors working in an R&D capacity must use hardware that we provide. That's a good first step, but my preference, naturally, would have been to use that hardware to implement precautions that would protect our intellectual property. Unfortunately, we don't do anything special with those laptops.
We also didn't have any monitoring equipment at this small office. Now that we badly needed to monitor its traffic, we decided to quietly reroute it to Singapore, a main hub for us where we had recently deployed data loss prevention (DLP) technology. Next, we surreptitiously deployed endpoint DLP agents to the PCs in the office of the suspect vendor. Now we had full visibility, both at the network layer and at the endpoint.
Block Those Drives
Within hours, we got a hit.
Two software engineers on the project were copying huge amounts of source code from their desktops (which shouldn't have been storing source code) to external USB drives.
We wanted to block that data and keep it off the USB drives. We looked at doing this via the BIOS, but that proved to be difficult. A technician would have to go to the site and configure the BIOS on all of the PCs in the vendor's office. Not only would that take a lot of time, but using the BIOS to turn off the USB ports would also block legitimate items, such as USB mice, keyboards and cameras, and all of those would be needed.
Next we considered employing the DLP endpoint agent to block USB drives, but we already knew about a bug that prevents the agent from differentiating between a USB drive and a second hard drive installed in the laptop. Our DLP vendor is working on a fix for that problem, but we don't have it yet.
We also investigated the use of Microsoft Group Policy Objects, and that may work for the long term, but that fix wouldn't be quick enough to meet our present needs. The quick-and-dirty option that we settled on to block the use of external storage devices was to change a policy configuration in our endpoint antivirus software. No one had to travel to the site, and we weren't disabling devices such as mice, keyboards and cameras. Critically important, we have a policy set up that makes it impossible for users to disable antivirus protection.
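For reference, here is what the Group Policy route looks like at the registry level on a single Windows PC. This is an added example, not from the original column or the author's company. It assumes an elevated PowerShell session and writes the same values as the "Removable Disks: Deny write access" policy, which leaves USB mice, keyboards and cameras working. The function names are hypothetical.

```powershell
# Added example, not from the column. Run in an elevated PowerShell session.
# Device class GUID used by Windows' "Removable Disks" access policies.
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisks"
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Hypothetical helper: list USB mass-storage devices this PC has enumerated,
# useful for checking which machines have had external drives attached.
function Get-UsbStorageHistory {
    if (-not (Test-Path -LiteralPath $UsbStorKey)) { return }
    Get-ChildItem -LiteralPath $UsbStorKey | ForEach-Object {
        $model = $_.PSChildName                                  # Disk&Ven_...&Prod_...
        Get-ChildItem -LiteralPath $_.PSPath | ForEach-Object {  # one subkey per device
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Model        = $model
                InstanceId   = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Hypothetical helper: report the current removable-disk policy on this PC.
function Get-RemovableDiskPolicy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyRead  = [bool]$p.Deny_Read
        DenyWrite = [bool]$p.Deny_Write
    }
}

# Hypothetical helper: deny writes (and optionally reads) to removable disks.
# Input devices are a different device class and are not affected.
function Set-RemovableDiskPolicy {
    param([switch]$DenyRead)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Deny_Write -Value 1 -Type DWord
    if ($DenyRead) {
        Set-ItemProperty -Path $PolicyKey -Name Deny_Read -Value 1 -Type DWord
    }
}

Get-UsbStorageHistory | Format-Table -AutoSize
# Set-RemovableDiskPolicy        # uncomment to apply the write block
Get-RemovableDiskPolicy
```

On domain-joined PCs a Group Policy Object that manages the same setting will overwrite a local change like this, and a restart may be needed before the block applies to a drive that is already mounted.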
Now that we feel more secure about what is happening at the office of the offshore vendor, we will work with our legal and human resources departments to investigate the source code leakage in more detail. That vendor might not work for us much longer. I will also be advocating that we restrict the use of USB drives on all corporate devices used to process sensitive information.
More by Mathias Thurman
- Security Manager's Journal: Taking steps to better lock down the network
- Security Manager's Journal: Dealing with the heartburn of Heartbleed
- Security Manager's Journal: A deal that's too good to be true
- Security Manager's Journal: Virtual machines, real mess
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies