Trade Secrets and Intellectual Property
There are different objectives behind malware and hacking attacks, and one of the primary reasons is obviously financial gain. The methods malicious hackers use to achieve financial gain have over time changed and evolved. In the past, this activity centered around acquiring credit card details or identities which would then be sold on the black market, but now malicious hackers are starting to eye far more lucrative opportunities.
The BBC carried a story on a study published by McAfee stating that malicious hackers are starting to realize that acquiring trade secrets and intellectual property from companies and selling them to their victim’s competitors is a highly lucrative venture.
How true this statement is! Just think about the information that is stored in a typical company’s IT infrastructure and the advantages such information could give to an unscrupulous competitor – source codes, strategy plans, legal documents such as patent filings, as well as various forms of research that organizations might have done. Some information can be very valuable to the attacker himself to further his agenda on acquiring this type of information. Data, such as partners’ information and contact details, can be an effective tool for an attacker to launch targeted and effective social engineering attacks.
Some companies will be very tempted to get their hands on their competitors’ strategy plans or legal documents, and they would be willing to pay good money in order to do so. Malicious hackers are not a company’s only concern either; where intellectual property is concerned, insider attacks are probably a higher risk than any external attack by a malicious hacker. McAfee’s views that these targeted attacks are on the rise are supported by recent events which McAfee’s report highlights as well.
Here are a couple of examples:
- Three employees were convicted of stealing Coca-Cola’s trade secrets.
- A Former Goldman Sachs programmer was recently convicted for taking his ex-employer company’s trading software when applying for a job with a competitor.
- The Stuxnet worm specifically targeted Industrial Infrastructure.
- Huang Kexue took his employer’s intellectual property to get government grants to start a competing business.
The list goes on and on.
The damage caused to companies is enormous. If the theft is undiscovered, the competitor will have an advantage that could potentially put the other victim company out of business or cause significant financial loss. If the theft is discovered but not prevented in time, a company might still end up with the same hefty losses and potentially long court battles. The only way out is to be able to stop the theft or discover it in a timely manner before any damage is done.
Having multiple layers of security can reduce the surface area for attacker to exploit. These can include minor controls such as proper user access control, disabling of unused services and other similar best practices. These basic security considerations will help and, since they can be implemented without the need for any additional software, they are generally not expensive to implement. In fact, in a lot of cases the cost of most security controls is that for the manpower required to implement them. Unfortunately some companies do not understand how vulnerable the corporate network is to such attacks because they don’t invest in the right network security tools and simply do without. Every company has information that is worth stealing, be it intellectual property or a customer list.
There is one lesson to be learnt: Security needs to be implemented before a disaster happens and not when it’s too late. Unfortunately, there are still companies that do not heed this basic advice.
There is certainly increased risk of internal breaches as more and more people equate that their proprietary information is a valued commodity to be moved between their employer and its competitors.
If people want to take that risk, there is enough legal precedent so that they know precisely what kinds of repercussions face them. And the dumbest criminals are the ones who don’t think they can be caught, especially if their employers are keeping current on their security measures.
Trade secrets and intellectual properties are what keep businesses apart. We can’t drink the same testing cola, can’t use the same kind of laundry detergent, etc. Pepsi is Pepsi – Coke is Coke. The taste of Coke is what it identifies itself.
As consumers, we need diversity to what product or service we will use. We’re always looking for different things. And if some breaks this diversity by sharing trade secrets and IPs, we can’t differentiate Coke from Pepsi. We’ll all be using the same things.
Trade / IP theft is not new anymore. But these days, they’re more sinister than before.
This type of theft is the worst. It can surely kill a business. Just recently, CME Group filed a case against one of their senior programmers. The programmer was Chunlai Yang. He was arrested just last week. He worked for CME for more than 10 years.
CME said Chunlai Yang illegally downloaded source codes of their software. They suspect that he is selling the source codes to China. This case is still under investigation by the FBI.
Thanks for bring that story to our attention Elaine, personally I have not heard of the case, guess it’s too fresh.
Thanks again!
Internal regulations that divide access and use the least privilege principle can help. In one of my previous jobs where I wasn’t a programmer and I didn’t need access to the source code, I explicitly asked not to be given one. Can you imagine how shocked my bosses were when they heard my motives?
All the cases which Emmanuel lists are good examples of what happens when you have a Trojan horse inside.
Tana brings up a very good point. Users should be aware that having some access denied, if they do not really need that access, is actually a good thing for them and the company.
If an attacker were to compromise their account, possibly even through no fault of their own, and with that manages to damage the company, they will be in for trouble. They will be investigated and their security practices will be questioned.
Users should indeed, as Tana rightfully mentioned, just ensure they get the access that they need to get their job done. Anything else just exposes them and the company to unnecessary risks.