Another Impetus For IP Protection

A virus infection points up the dangers of making it all too easy for visitors to get on the company network.

A virus incident this week caused me a bit of anxiety about my last big undertaking. But once the infection was under control, it got me thinking about a pending project and the need to get it funded.

My anxiety arose from the timing of the incident: On Monday, we had 65 desktops infected with a variant of a well-known virus. Monday was the first workday after Friday evening, which is when we had installed a Multiprotocol Label Switching (MPLS) network circuit between our company’s corporate network and the 200-person remote office of a company that we recently acquired.

The reason my jaw dropped to the floor upon learning about this incident was that I had authorized the MPLS connection. If an infected desktop at the acquired company was the source of this propagation of malicious code, it wouldn’t be good for me. Prior to the authorization, I had completed a security assessment, and one of its main purposes was to ensure that after connecting our two offices, we wouldn’t become infected by a virus lurking within the acquired company’s network. Naturally, I couldn’t help but see direct cause and effect in this situation.

Fortunately, the infection was pure coincidence, and we quickly quarantined the infestation. I have a really good incident response process in place to deal with viruses and worms. We were able to conduct some forensics on the virus and then send that information to Trend Micro, which in turn created an interim detection and removal tool for us. The tool was quickly installed on the infected desktops, and we were able to stop the propagation. As standard practice, we also blocked the ability of this variant to communicate with an external Web site by putting the URL on our Web caching gateways, thus preventing any infected resources from trying to “call home.”

So, if the MPLS circuit wasn’t to blame, what was? The source, we think, was a vendor’s laptop. That’s the problem I’m going to need more funds to address. And the problem isn’t just that rogue laptops can introduce viruses. The problem is that our network is very flat, and visitors who connect to it will find little to stop them from accessing our intellectual property.

We have a policy banning vendor representatives from connecting to our network. But the ban is regularly violated, and until I can get the company to invest in Cisco’s Network Admission Control or a similar technology, rogue laptops will continue to be a risk. Eventually, when the network team completes the upgrade of our network, I’ll be able to mandate segmentation, with our internal desktop network clearly separated from public areas like conference rooms, which should be authorized for limited Internet access only.

I’ve brought this to the attention of our network manager, who has assured me that the right thing will be done once the routers and switches have been upgraded to accommodate proper network segmentation.

But protecting our intellectual property is a great concern for my company, and I’m always looking for the best ways to do it. We have plenty of brochures, intranet pages and training available aimed at educating our employees on the importance of IP protection. However, those things can take us only so far. There must be a technology complement, and I frequently propose various approaches to the company’s division and business unit owners. Though they share my concerns, it all boils down to funding. As is typical with semiconductor companies, my employer is very tight with IT spending.

SO Obvious

One way around that might be to focus on strategic objectives. My company uses SOs to drive bonus plans and set priorities for initiatives. I’ve noticed that after executives sign off on an SO, it often becomes easier to get funding for things that will help satisfy the SO. And I know that one of our main product divisions — and by far the most profitable — has an SO that’s completely focused on the threat of critical design documents and source code leaving the company.

I regularly meet with this group, and I have proposed deploying digital rights management and a content monitor. Right now, I’m putting together my initial production rollout of Microsoft’s Rights Management Services (RMS). Although this technology can be incorporated in most Microsoft Office applications and Exchange e-mail, it is limited. It can’t protect Adobe PDFs or the applications we use to create design documents and source code. To address those shortcomings, I might consider laying another technology on top of RMS to provide additional functionality. I’ve been looking at enterprise rights management from Waltham, Mass.-based Liquid Machines to satisfy this requirement.

As for content monitors, they would notify us or take other appropriate action when data that has been identified as sensitive — whether documents, source code or anything containing keywords that we define — is in transit on the network. With content-monitoring tools from any of the major players, including Reconnex, Tablus and Vontu, a centralized management console is used to “register” data into the system, and the sensors watch for either the entire document, parts of it or any network traffic containing certain keywords.
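A minimal sketch of the register-and-watch model described above, added here as an illustration; it is not code from the article or from any of the vendors named, and it does not represent how their products work internally. The class name, the five-word shingle size and the 20 percent partial-match threshold are assumptions.

```python
import hashlib
import re

SHINGLE_WORDS = 5  # assumed window size, in words


def words(text):
    """Lowercase and tokenize so case and whitespace changes do not defeat matching."""
    return re.findall(r"[a-z0-9_]+", text.lower())


def shingles(text):
    """Return the set of hashes of every run of SHINGLE_WORDS consecutive words."""
    w = words(text)
    return {hashlib.sha256(" ".join(w[i:i + SHINGLE_WORDS]).encode()).hexdigest()
            for i in range(max(len(w) - SHINGLE_WORDS + 1, 0))}


class ContentMonitor:
    def __init__(self, keywords=(), partial_threshold=0.2):
        self.registered = {}  # document name -> set of shingle hashes
        self.keywords = {k.lower() for k in keywords}
        self.partial_threshold = partial_threshold

    def register(self, name, text):
        """Console side: keep only hashes, so sensors never hold the sensitive text."""
        self.registered[name] = shingles(text)

    def inspect(self, payload):
        """Sensor side: return (kind, detail) findings for one outbound payload."""
        findings, seen = [], shingles(payload)
        for name, fp in self.registered.items():
            if not fp:
                continue  # document too short to fingerprint
            if fp <= seen:
                findings.append(("full_document", name))
            elif len(fp & seen) / len(fp) >= self.partial_threshold:
                findings.append(("partial_document", name))
        for kw in sorted(self.keywords & set(words(payload))):
            findings.append(("keyword", kw))
        return findings


# Constructed sample document, not taken from the article.
DESIGN_DOC = ("The clock tree for block A7 uses a balanced H topology with "
              "twelve buffers per branch and a target skew under forty picoseconds "
              "across all process corners measured at the slow slow corner")
```

Matching on hashed word windows is what lets a sensor flag an excerpt pasted into an e-mail, not only the whole file.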

My goal is to leverage the needs of this particular division to satisfy the IP protection needs of the entire company. If I can place sensors at all of our Internet egress points, then I will have the luxury of watching all of our network traffic. And I will be able to use the content-monitoring technology to look for any manner of sensitive information leaving the company, including financial results, strategic plans, legal documentation and human resources data. I’ll keep my fingers crossed and hope that this SO will benefit the rest of my company.

What Do You Think?

This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons.



Copyright © 2007 IDG Communications, Inc.
