Intellectual Property Magazine: Computer Hacking and IP Theft

 

 

Catherine White, Staff Writer & Sub-Editor for Intellectual Property Magazine, contacted me about an article she was about to write on Computer Hacking and IP Theft. In the interview she asked me a series of in-depth and thought-provoking questions. She has done her research quite well and also interviewed some outstanding experts in the field. Her article appears in the March 2011 issue of Intellectual Property Magazine and is entitled "I spy with my little virtual eye" and the text of the article is as follows:

 

I spy with my little virtual eye...

 

Catherine White taps into the virtual world of computer hacking and its real threat to IP

 

 

 

“Hackers who single out their target have done their homework. They do background research on that person, they know their friends, their family, their hobbies and interests. These forms of attacks are very dangerous,” said Kevin Rowney, director of breach response at software security company Symantec.

 

You would be forgiven for thinking that you are reading an excerpt from a fictional spy novel or thriller but what you are actually reading about is the growing reality of cyber crime and IP theft. A virtual world where anything can happen from financial institutions being breached by Russian networks to hacking operations taking place in a church. Plots so inconceivable that even James Bond would be shaken and most definitely stirred.

 

What is computer hacking?

 

Computer hacking involves trying to circumvent computer and network security and then selling the information obtained to criminals, competitors or to use for extortion. President of NetWitness, a network security company, Nick Lantuh said, “Hackers make billions of dollars from cybercrime. The revenues are greater than in the drug trade and far safer. It is much easier, cheaper and informative than sending out spies to countries to perform the act of gathering information. The other main benefit is that it’s anonymous.”

 

Richard LaMagna of consulting firm LaMagna and Associates said that it can also refer to the “ ‘cracking’ (gain unauthorised access to computers with malicious intentions) or by-passing of security features that are intended to prevent unauthorised use of a software programme, often referred to as digital rights management technologies (DRM).”

 

LaMagna continued, “In both cases, the hacker gains unauthorised access to a computer or a system from which he or she can steal information, intellectual property, trade secrets, personal identifying information, user names, passwords, email addresses, contact lists, etc.

 

“Pirates often distribute or sell the criminally hacked versions of software, which have security access controls removed, and the software programmes are either copied onto CDs, offered through peer-to-peer file sharing programmes, or offered for downloading for a fee on websites.”

 

Rowney pointed out that there are three major adversaries that pose a threat to IP:

 

1) Hackers – parties who are breaking into computers via the internet remotely and stealing IP;

2) Malicious insiders – employees who have turned against their organisations and have sought to rip-off IP from their employer or the enterprise they work for; and

3) Well meaning insiders – employees who mean well and stay loyal to their companies but end up making a mistake out of ignorance or haste that results in the breach and the exposure of IP eg, copying large amounts of IP onto laptops without encryption, then leaving that laptop unattended or losing it. Or by loading peer-to-peer file share programmes to download music and not realising that these programmes can also access other information on the computer.

 

There is also the issue of ‘data spill events’. This is when employees copy sensitive data inside a company to a secondary drive and leave it there without any protection. Thus, inside the corporate network, workers are using, updating, browsing content and copying out of the primary system, which is protected and into the secondary location where it has no protection at all. This leaves it open to theft by malicious insiders or hackers. “All three forms of these sources of threat impose significant risk to IP and anyone trying to defend their IP must be aware of all three risks”, Rowney said.

 

What do hackers look for?

 

Most hackers look for vulnerabilities in a company’s computer system and often gain access through third-party partners and collaborators who access the firm’s system via an extranet or virtual private network, commonly the weakest points of access.

 

Sam Conforti of law firm Sam Conforti LLC said, “The new industrial espionage no longer is the tourist taking a factory tour and clicking away with his or her camera. Today industrial espionage is gaining surreptitious access to a company’s network and downloading confidential files.”

 

These files can be anything of value to the hacker, from personal identifiable information to very targeted products, facts, formula, mergers and acquisition activity, patented processes, design documents and executive emails. Lantuh said, “If it provides a competitive advantage or intelligence which supports technology acquisition or has a monetary value that can be sold or exploited, then it is of value to hackers. The damage which occurs to the victim is a hit to their brand and a hit to their potential market cap.” LaMagna added that when counterfeit brands do enter the market and companies are unable to protect confidential and customer data, “they face serious issues of liability and possible government sanctions”.

 

Employer v employee

 

Theft of IP and other sensitive information from companies is very common. Insider hacking reached 48% of overall hacking activity in the 2010 Data Breach Investigations Report by Verizon Business, an IP communications and information technology service, and the United States Secret Service (USSS).

 

Insiders, who for malicious purposes abused their right to access corporate information, were the most common cases worked by the USSS. This crime increased by 26%. Conforti noted the increase in insider hacking indicated “the new white collar crime of the day is IP theft.”

 

Whilst all companies are exposed to IP theft, LaMagna said that, “healthcare and financial services are the most vulnerable when it comes to data breaches and hacking attempts, while the high-tech sector is most exposed to attempts to steal IP, often by careless or disgruntled insiders or third-party collaborators.”

 

As a result, Rowney noted that there is no definitive measurement of IP loss within enterprises and the main reason for this is because “companies do not report the extent of loss and often hide the event after a security breach because they fear this could harm their reputation”.

 

Lantuh added that if a firm does report a breach there are many others that do not, due to a “lack of visibility in these organisations meaning that these numbers are actually higher since many companies simply don’t know they have been breached”.

 

Countries and hackers

 

Hacking is both an insider and outsider problem. There is a lot of targeting from the cyber crime gangs in Eastern Europe, Latin America and Asia. There is also a significant amount of IP theft that occurs from nations which support home-grown industries/interests in gaining military technology or research and development efforts. There is a consistent top 10 list of countries most responsible for hacking and these include China, Brazil, Germany, UK, Russia and the US.

 

However, Lantuh noted that where a hack is aimed at commonly differs from where it began, “The highest hacker rate is actually in the US, but this is not necessarily indicative of where those hacks originate from. Many hacks from China or Eastern Europe originate their attacks from machines that have been compromised in the US or in another country.”

 

LaMagna offered some insights into why these particular countries are in the lead. “Countries such as the US, the UK and Germany have a high rate of internet use and the high rate of e-commerce and banking presents a target-rich environment for criminals to make money. Countries such as Brazil, India and China are experiencing dramatic growth in internet infrastructure and broadband usage which presents new opportunities for criminals. In many cases, countries lag behind in terms of cyber crime legislation and enforcement—thus there is no risk or deterrence.”

 

Computer hacking growth

 

IP theft is growing rapidly. Conforti said, “In the 21st century it is a foregone conclusion that computer hacking is a part of everyday life, both business and private home computing. If you feel you are immune to such matters or that it could never happen to you, then you are unwise and simply tempting fate.”

 

Research group Osterman published a study which showed that 74% of companies worldwide believed hacking and malware will increase in 2011. Malware refers to software that can destroy data, affect a computer’s performance and allow spammers to send emails to accounts. Malware includes viruses or worms (a software programme capable of reproducing itself that can spread from one computer to the next over a network).

 

There are several reasons why computer hacking is increasing:

 

1) New hacking techniques – the pace of innovations in hacking techniques has developed rapidly over the past few years. Such techniques are called ‘targeted attacks’, which are built around the idea of customising the computer virus in a way that will be effective for single use against a particular target. These customised viruses are called ‘mutated malware’ which have been altered so that no classic, signature-based anti-virus programme can detect them.

2) Information becoming digitised – more data is put online and made accessible via the computer network, resulting in information becoming more portable. The more applications and technology that can access this data, like smartphones, iPads, the more difficult it becomes to secure that data.

3) Profit margins – selling data is extremely profitable for hackers. It is also easy to deploy hacking technology and target it towards organisations.

4) Disregard for IP – there is a prevailing view that digital theft isn’t really theft and that it is a harmless practice with no victims.

In response to the rise in hacking incidences, new technologies are being invented. Many IP products have copy prevention features and DRM, like product activation keys, which notify the IP holder if a piece of software is being hacked or copied. Some products have a “time bomb” which means that after a certain period, if they are not registered with the manufacturer or authenticated, they will no longer function.

 

There is also a mutated malware identification system based on anti-virus technology which builds up an encyclopaedia of software running worldwide and monitors this malware. It has 1.5 billion programmes that help to understand new threats. Therefore, if something unrecognisable comes up on the encyclopaedia this is alerted straight away.

 

Approaching IP security

 

A small percentage of organisations understand what is needed to combat IP theft and protect valuable assets. Rowney said, “Many enterprises first do not have clear knowledge of where their most essential data is, where it is going and how it is being used. Without knowledge of this, it is hard to claim that you are doing an adequate job of managing the risk of a possible breach. Second, many organisations have not taken the basic steps to enumerate chief IP assets.”

 

The most common mistakes made by enterprises regarding IP security are:

• Budget issues – many companies are in denial about the level of risks that are currently at play eg, significant IP theft can compromise an entire product line, so they undervalue security issues. On the other hand, some businesses do not have the money for IP security. This is especially true for smaller firms that have no policies and procedures in place and regard safety as low priority. The majority of data leaks and breaches could be avoided by system administrators and employees’ adoption of best safe practices through tools, technology and greater awareness via training;

• Becoming overwhelmed – protecting IP is a massive task. There is so much data and if a company attempts to embrace the entire range of protection available, it becomes impossible to do. Therefore, enterprises should be realistic that only the narrow range of essential IP should be defended. This way they can focus their attention and be on top of the situation;

• ‘Point solution’ confusion (solving one particular problem without regard to related issues) – when addressing IP security, companies point their resources towards the next point solution technology eg DLP or web filtering. This can become unmanageable because a company will have to maintain, operate and keep the technology up to date. Although all these point solutions are targeted towards a piece of the problem, they do not offer protection and this causes a management nightmare for the security teams. Lantuh said, “Add this to the fact that security has to some extent used compliance as a proxy for sound operational security practices and has gone to a ‘check-box mentality’ which provides a false sense of security, meaning cyber criminals will not get caught by your signature based solutions.” Firms therefore need a real-time ‘catch-everything’ network-monitoring solution that can be mined for intelligence on what is happening. Thus, businesses can detect risk, qualified threat and do this on an ongoing basis; and

• Time factor – many organisations often underestimate the amount of resources, money, people and time it takes to really protect and implement a sound security protection strategy. LaMagna noted that companies that rely heavily on IP such as pharma, technology and publishing groups, “are surprisingly reluctant to allocate substantial budgets to IP protection programmes ... This is because assessing IP is a difficult and time-consuming exercise. Often, law enforcement referrals take time to come to a successful conclusion and even then the penalties are not severe enough to act as a deterrent.”

 

Your mission, should you choose to accept it...

 

Rowney highlighted the steps on how enterprises should protect themselves from security breaches:

1) Protect infrastructure with modern systems to defend against infection. Virus infection is usually the primary mode of intrusion, which hacker teams are using to access IP. So companies should use new advanced techniques that can specifically confront the threat of targeted attacks.

2) Appropriate authorisation and authentication infrastructure. Make sure that only the intended parties and appropriate consumers of IP inside the enterprise are able to see it. Such means could be passwords but sometimes these are insufficient and insecure. Therefore, some companies are looking into ‘two factor authentication’ which is a form of advanced authentication such as ID cards, personal identification numbers and fingerprints.

3) Adequate management of the underlying system. Many computers that are hacked into have out-of-date configurations or lack appropriate patches against the most up to date solutions vendors offer. In addition, if a company has security problems this makes hacker access easier. They also may not have the appropriate updates to accompany applications, like PDFs or Java, which can open up a gap in security framework allowing hackers to break in. Appropriate management systems should have patch-updates and appropriate revisions of commercial software.

4) Know where information is and where it is going. Data loss prevention solutions allow a company to identify IP at its source and track its transmission in email, its exposure on servers and possible copy or theft. There are modern detection algorithms, which are quite good at identifying specific forms of IP breach, like words stored, where it is going to and how it is used.

5) Appropriate network monitoring. This allows an enterprise to watch for traces of infection. These break-in events create patterns of network activity, which could alert a team to the urgent need for a remediation of the affected systems.

6) Education. Employees should be educated and trained to not rely on point solutions or ‘fix-of-the-day’ technologies. There needs to be a deep continual monitoring of what is going on, Lantuh added.

 

Steps for post attack

 

Lantuh highlighted what companies should do after a security breach has taken place:

1) a) Engage their incident response plan if they have one. b) Perform a forensics investigation to find the root cause of the attack. c) Remediate the situation. d) Do a post-mortem analysis on the incident and determine any lessons learned which can be incorporated into the incident response plan for process improvement. e) Check the entire enterprise for like compromise.

2) Use what was learned from the attack. After an attack, companies should incorporate what they have learnt into the incident response process for the next incident, continually improving the process.

3) Spread knowledge. After a company realises what needs to be done, they should spread this knowledge out to see if there was compromise anywhere else in the corporation. Employees should be educated in understanding the importance of clicking on links or helping workers/well meaning insiders understand the potential risks of posting links on the web or sharing them inappropriately.

 

Mission impossible?

 

Ending the war on cyber crime will be a long battle, as long as data accessible technology, like iPhones and iPads, keep evolving. The only real way companies can defend themselves is if they implement the correct security steps, but Rowney noted enterprises are their own worst enemies. “Malicious insiders stealing data can easily be prevented by using modern security technology. Despite this, businesses are not using such software, so hacking happens all over again”.

A message many companies wish would “self destruct in 5,4,3,2,1”.

 

Footnotes

1. Predictions for 2011. An Osterman Research Survey Report

2. Verizon 2010 Data Breach Investigations Report

3. Further reading: Online Trust Alliance 2011 Data Breach & Loss Incident Readiness Guide to Help Businesses Protect Online Trust & Confidence https://otalliance.org/news/releases/DataBreach1_25_11.html
