Alleged IP Theft Opens Door to Better Security

A former employee may have taken valuable intellectual property, but there are no logs to show his activities.

Last week, I was called into a meeting with our company's legal counsel and several U.S. attorneys. The topic was the alleged theft of intellectual property by a former employee. An investigation was under way, and they needed information from me.

I am not privy to all the details -- I don't know whether the former employee was able to sell the documents he is alleged to have stolen or put them to some other illicit use -- but this incident gave me a great way to justify the security requirements I want to include in a new application.

These are the facts of the case that I do know. This employee had resigned recently. According to our legal counsel, just before the employee's departure, he apparently transferred hundreds of design-specification documents and source code for one of our flagship products to a server outside our control. I was in the room with the lawyers to help the prosecution prove beyond a reasonable doubt that the employee had logged into the data repository between certain dates, that he had transferred the data and, more important, that he knew that this activity was wrong.

The first part of the request was fairly straightforward, but I don't have a way to provide all the information I would like. I was able to capture logs that indicated that the employee used his SecurID token and VPN client to access the network on several occasions just prior to his departure. The problem is that the applications that contain the design documents and source code aren't configured to log user activity. That capability just wasn't enabled when the system was deployed six years ago. We can show that this user was on our network at certain times, but we don't have any logs to tell us the details of his activity on the servers or within the applications that maintain the intellectual property.

I had better luck on the question of whether the alleged thief knew that he wasn't supposed to transfer sensitive data outside the company. Our company has extensive policies and guidelines regarding data classification and the handling of intellectual property. We just have to prove that this employee read and understood this information.

Lucky Break

Thankfully, our company's corporate learning center maintains records that show which employees have successfully passed or completed various online classes and mandatory training sessions. Each year, employees must complete refresher training on a variety of topics. One of those is on intellectual property protection, and here's where we got lucky. This former employee had completed the online training just three months ago, with a passing grade! The training provides specific guidance in the area of transferring sensitive information outside the company without approval.

A side concern was that the suspect could argue that he had transferred the data to an external account so that he could work on the documents at home. But his supervisor told us that he wasn't given permission to do such work on his home PC.

Applying the Lessons

It will be interesting to see whether this investigation is fatally hampered by the lack of log data. That would certainly make it all the more imperative that our new product life-cycle management application is rolled out with full log capabilities.

I've mentioned before how important this PLM application will be. Our company produces hardware that sells for $30,000 to over $10 million. Our products take years to develop, and a lot of documentation is involved: component and parts data, bills of materials, engineering change orders and more.

For several years, I have maintained an application architecture policy and guide. I tweak it from time to time to keep up with new technologies or new areas of concern, but I've kept it generic enough that it can be applied to almost any enterprise-class application. I have divided the guide into various sections, including authentication, authorization, logging, encryption and separation of duties. Within the logging section, I require that certain user activities be logged, such as log-in and log-out, the granting of additional privileges, and check-in and checkout of data. I also want exceptions logged, such as would occur when there's a sudden spike in check-out activity. That way, if a user who normally checks out, say, 10 documents at a time suddenly checks out 100 documents, we can look into it. Quite often, that sort of thing happens with employees who are leaving the company.
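The check-out spike exception described above can be expressed as a small detection routine. This is an added example, not code from the column or from the PLM application; the audit record layout, the user names, and the thresholds (`factor`, `min_history`, `floor`) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def daily_checkouts(events):
    """Count CHECKOUT events per user per day; other actions are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, action, _doc in events:
        if action == "CHECKOUT":
            counts[user][day] += 1
    return counts

def find_spikes(events, factor=5, min_history=3, floor=20):
    """Return (user, day, count, baseline) for each day on which a user's
    check-outs exceed factor x the median of that user's earlier days.
    Users with fewer than min_history prior days are not evaluated, and
    days with zero check-outs do not enter the baseline."""
    alerts = []
    for user, per_day in daily_checkouts(events).items():
        history = []
        for day in sorted(per_day):
            count = per_day[day]
            if len(history) >= min_history:
                baseline = median(history)
                if count >= floor and count > factor * baseline:
                    alerts.append((user, day, count, baseline))
                    continue  # keep the spike out of the baseline
            history.append(count)
    return alerts

def sample_events():
    """Constructed audit records: (day, user, action, document_id)."""
    start = date(2024, 3, 4)
    profiles = {
        "jdoe": [10, 9, 11, 10, 100],    # about 10 a day, then 100
        "asmith": [40, 45, 38, 42, 50],  # heavy but steady user
    }
    events = [(start, "jdoe", "LOGIN", None)]
    for user, per_day in profiles.items():
        for offset, n in enumerate(per_day):
            day = start + timedelta(days=offset)
            events += [(day, user, "CHECKOUT", f"DOC-{offset}-{i}")
                       for i in range(n)]
    return events

if __name__ == "__main__":
    for user, day, count, baseline in find_spikes(sample_events()):
        print(f"{day} {user}: {count} check-outs vs. baseline {baseline}")
```

Comparing each user against his or her own history is what keeps the steady heavy user from alerting while the jump from 10 to 100 is flagged.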

My goal is to ensure that security is baked into the application so we are able to prevent and detect most illicit activity without affecting productivity. We don't let ourselves get too crazy with requirements and security controls, however, because our basic assumption is that a determined insider will always be able to get around any security controls.

I have submitted my document on application security controls to the project team, and so far, they have agreed to almost all of my recommendations, especially those that involve the logging of activity and the protection of sensitive data. The next step is to convert my recommendations into actionable control test points to ensure that the application meets the agreed-upon security controls. I've learned that such testing is necessary. I have found that project managers will often tell me that they're going to give me what I want -- that security won't be an afterthought -- in an attempt to appease me and get me off their backs. With a test matrix, I can very easily determine whether the controls that were agreed upon were in fact implemented. That's what I call the day of reckoning.

What Do You Think?

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security

To find a complete archive of our Security Manager's Journals, go to computerworld.com/secjournal
