Fighting Against IP Espionage

A Q&A with Marshall Heilman of Mandiant
IP espionage is a real and growing concern for business, and a recent report from Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, details the malicious activity coming out of China from one organization. To find out more about the specific attacks and what companies can do to protect their data, we spoke to Mandiant director of consulting Marshall Heilman.

What are some key themes from your recent report, APT1: Exposing One of China’s Cyber Espionage Units?
Most important is that this type of activity is real, and it’s a real threat. Almost any company out there that makes any technology of interest should pay attention—and the line I say jokingly is that if you’re not making anything that makes you a target, then you should probably pack it up and go home. The report focused on one specific group that targets the Fortune 500 companies we work with, but this threat is real for smaller companies as well.

One of the most common espionage attack methods is low sophistication spear phishing. How can we mitigate this exposure, beyond employee training?
The basic concept behind spear phishing is that the user receives a legitimate-looking email that asks them to do something that reveals data, such as opening a link. Preventing spear phishing comes down to preventing the user from opening any links or preventing that email in the first place. There are a lot of antispam solutions out there but I would argue that emails can and will get through those solutions, so we have to focus on making sure the user doesn’t compromise data security when it happens. One way is to make certain that all of the applications on a system are patched—not just things like Microsoft Windows but also Shockwave, Quicktime and Java. Another solution, which is extremely difficult for most companies, is to limit what users can install on the system, usually by reducing privileges, and thus reduce exposure to malware. Another option is to run application whitelisting on critical servers, so that attackers that gain access to an environment cannot execute malicious code on those servers. Finally, using an internal web proxy for users, and denying access to “uncategorized” web sites, is also effective at stopping malware.
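As an added illustration of the last control Heilman mentions (this is not Mandiant’s configuration or anything from the interview), the following Squid proxy policy lets users reach only domains that appear on a reviewed list and denies everything else, including CONNECT tunnels to non-standard ports, which is how a phishing link to an uncategorized site gets blocked before the download starts. The client subnet, the list file path and the domain entries are assumed for the example.

```squid
# squid.conf fragment: default-deny web access for users (example, assumed values)

# Workstation subnet that is allowed to use the proxy at all (assumed)
acl localnet src 10.0.0.0/8

# Domains that have been reviewed and placed in an approved category.
# One domain per line; a leading dot matches subdomains, e.g. ".microsoft.com"
acl categorized dstdomain "/etc/squid/categorized-domains.txt"

# Only plain web ports; CONNECT is restricted to 443 so a malicious page
# cannot tunnel arbitrary TCP through the proxy
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow users to reach categorized sites; anything not on the list
# ("uncategorized") falls through to the final deny and is logged
http_access allow localnet categorized
http_access deny all

# Keep a record of every denied request: these lines are what an analyst
# reviews after a suspected phishing click
access_log /var/log/squid/access.log squid
```

The order of the `http_access` lines matters: Squid stops at the first matching rule, so the explicit port denials must come before the allow, and the final `deny all` is what turns the list into a whitelist rather than a blacklist. In practice the domain file would be fed from a category service rather than maintained by hand, but the policy shape is the same.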

What tactics would you recommend for guarding a highly valuable trade secret, such as 10 years of R&D for a pharmaceutical drug?
Because I’m in the security business my recommendations would be far more draconian than most people’s. I would take all the research and make certain it was housed in a certain part of the server environment with good controls and segmentation that would disallow anyone from touching the data outside of that environment. I would use software such as Citrix Solutions, which requires two-factor identification for anyone who wants to interact with the data and only exposes data that is authorized for use. The important thing is to put the sensitive information in one location that ensures extremely limited access. However, many firms balk at this sort of solution and I have only implemented it at smaller organizations because it can be very frustrating for users. I find that companies that have already suffered a breach are more amenable to implementing stricter measures. Companies that haven’t often say “we will add that to our road map” but likely won’t get around to it. Honestly, I think it’s just an awareness issue. Five years ago, no one in the mainstream recognized this problem. This is slowly changing but the more aware we are, the better we can protect ourselves from these threats and the more willing companies will be to adopt measures to do so.
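As an added example of the segmentation Heilman describes (not Mandiant’s or the interviewee’s configuration), the ruleset below is the host firewall on the server that holds the research data. Its purpose is to make the presentation gateway the only path to the data: users never get a route to the file service, so the gateway’s two-factor authentication cannot be bypassed, and the server itself cannot open connections to the Internet. All addresses and ports are assumed for illustration.

```nftables
# /etc/nftables.conf on the research file server (example; all addresses assumed)
flush ruleset

table inet research_segment {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host opened itself
        iif "lo" accept
        ct state established,related accept

        # Only the Citrix-style presentation gateway (assumed 10.20.0.5) may reach
        # the file service (SMB, port 445); workstations have no path to it
        ip saddr 10.20.0.5 tcp dport 445 accept

        # One management jump host (assumed 10.20.0.10) for SSH, nothing else
        ip saddr 10.20.0.10 tcp dport 22 accept

        # Everything else is logged before being dropped, so any attempt to
        # touch the server from outside the segment shows up for responders
        log prefix "research-segment-drop " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # The server may only talk to the internal patch mirror (assumed 10.20.0.20)
        # and the internal resolver (assumed 10.20.0.53); it cannot reach the
        # Internet, which also blocks most malware command-and-control channels
        ip daddr 10.20.0.20 tcp dport 443 accept
        ip daddr 10.20.0.53 udp dport 53 accept
    }
}
```

Load it with `nft -f /etc/nftables.conf`. The ruleset enforces the “one location, extremely limited access” principle at the network layer; the gateway in front of it is still responsible for authenticating users with a second factor and for exposing only the documents each user is authorized to see.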

In summary…
Many companies, brokers and insurers are focused on the privacy liability and class action lawsuits associated with cyber risk (which, granted, are major reasons for concern). What Mr. Heilman highlights here is often THE biggest liability for businesses that own and depend upon their intellectual property assets. Theft of this property can be catastrophic, and this cyber risk exposure may only increase with the use of outside business partner systems, or third party (cloud) infrastructure or apps. Moreover, studies such as Mandiant’s have shown that bad guys still resort to exploiting human error and tricking employees into helping them gain unauthorized access to private networks that might house IP. Comparatively low-tech attack methods like phishing can nevertheless pose a significant risk unless companies are properly educating their employees and anticipating this tactic.

Dear Data Analytics … Thank You for the Spam

Reprinted with permission from HB Litigation.

Have you ever wondered why the same advertisement seems to be following you around the Internet?  Toby Merrill of ACE Professional Risk attributes this phenomenon to the increased use of data analytics by advertisement companies.  Data analytics is being used to track online users’ preferences so that companies can specifically target users with advertisements that match their interests.  This type of data collection has led to the hot-button issues of whether companies are infringing on their customers’ privacy rights and whether this data is being wrongfully collected.

These are some of the themes that emerged during a panel discussion at HB’s recent conference titled NetDiligence® Cyber Risk & Privacy Liability Forum (recordings available!).  The panel was moderated by Toby Merrill, ACE Professional Risk, and comprised Katherine Race Brin, Federal Trade Commission; Linda Clark, Reed Elsevier; John Graham, Zurich North America; Betty Shepherd, S.H. Smith & Company; and Gabriel Weinberg, DuckDuckGo.

How are companies using data analytics?
The panel recognized many positive ways that data analytics is currently being used.  The education industry is using it to enhance student learning.  Financial institutions are using it to protect credit card customers from fraud.  However, Zurich’s John Graham says “some companies are taking the posture of ‘let’s collect all the data that we can because we don’t even know what we are going to be able to use that for in the future.’”  The panel recognized that this type of mass collection creates a dangerous situation because companies are exposing themselves to liability if that information was wrongfully collected or if that information gets lost or stolen.

Gabriel Weinberg, creator of the online search engine DuckDuckGo, says that “businesses realize that [consumer behavior] data is valuable,” and “over the last five years … data collection has been pretty much hidden from consumers.”  He said that preferential data collection is a growing industry and that the FTC “has to deal with how to reconcile the data collection with what consumers want.”  Gabriel reflected on his own experience running a search engine and said that consumers “really care about [their behaviors being tracked] and [this issue] is not going to go away the same way people have dismissed privacy in the past.”

How is the FTC protecting consumer privacy?
FTC’s Katherine Race Brin said that her agency is focused on protecting consumer rights and has created a privacy report that outlines best practices that companies should follow when handling private information.  She says that the report outlines three main concepts that companies should consider.

First, companies should focus on “privacy by design,” which means that when a company designs a product or service they should be thinking about what data they are collecting or sharing as a result of this product or service.

Second, she said the FTC policy advocates “simplified consumer choice,” which means companies should provide consumers with “clear contextual [privacy] choice options.”

Third, Brin advised, companies should focus on “transparency,” which means simplifying privacy policies so that consumers can understand them.

Brin said the FTC is focused on bringing enforcement actions against companies whose practices are deceptive or unfair in violation of the Federal Trade Commission Act.  She continued by saying that the FTC has recently brought privacy actions against major online companies like Google and Facebook in order to ensure that these companies provided their consumers with privacy protections.

Every panelist agreed that the best way to ensure better privacy protection is to educate the consumers, along with the businesses, about the issues involved with preferential targeting.  It will be interesting to see how consumer privacy laws develop throughout the next decade and how the use of data analytics is affected by this demand for privacy.

HB’s next NetDiligence® Cyber Risk & Privacy Forum will take place in Marina del Rey, California, on October 10-11, 2013.  The event will be Co-Chaired by Mary Guzman, McGriff Seibels & Williams; Oliver Brew, Liberty Insurance; Chris Keegan, FINEX Global; Tim Francis, Travelers Bond & Financial Products; and Mark Schreiber, Edwards Wildman.

Tim Prosky is a 2015 J.D. candidate at Elon University School of Law in Elon, N.C.  He earned his degree in accounting from the University of South Carolina.  Prosky is a 2013 HB Litigation Conferences Summer Associate.
