A new report released by Verizon Information Technologies that examines incidents of intellectual property (IP) theft at companies in several industries, including the high tech, financial, and manufacturing sectors, offers sobering news to the electronics industry as it seeks to electronically protect its patents -- the very thing that brings value and competitive advantage to a company's business.
DBIR Snapshot: Intellectual Property Theft is a report that examined 85 confirmed data breaches over the last two years resulting in the theft of intellectual property. The findings are based on breaches investigated by Verizon's Research Intelligence Solutions Knowledge (RISK) Team or one of its partner organizations, which include the Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, the Police Central e-Crime Unit, and the United States Secret Service.
The data shows that while most of the breaches originate from external entities that often use malware and hacking methods to steal IP data, even more troubling is that 46 percent of employees are participating in the theft of intellectual property information. The research also shows that efforts to combat system penetration will have to focus on several aspects of data security as adversaries rely on multiple methods of attack to successfully penetrate a company's knowledge assets.
The study outlines several ways that an attack occurs, including:
An external agent sends a phishing email that successfully lures an executive to open the attachment
Malware infects the executive's laptop, creating an entry into accessing sensitive data
An external agent accesses the executive's laptop, viewing email and other valuable data
A system administrator misconfigures access controls when building a new file server
An external agent accesses a mapping file server from the executive's laptop and steals intellectual property
Listing the top three methods an attacker uses to carry out IP theft, the research found that 45 percent of data penetration occurred via abuse of system access or privileges, another 34 percent occurred as a result of using stolen login credentials, and 32 percent were the result of pretexting, which is the act of using false information to trap individuals into divulging privileged information that can be used to penetrate data systems.
When managing security in a modern high-tech supply chain, Wade Baker, managing principal for Verizon's RISK team, said the links between supply chain partners such as component suppliers, contract manufacturers, and distributors operating across the globe opens up the electronic manufacturing enterprise to many new security threats.
"If I have three other partners who I depend on to send me information so that I can do what I need to do for my business, and if a supply chain partner sends me information [with a computer virus attached], or if my information is compromised, the impact spreads," said Baker, who is also the principal author of the report.
While the report offers several recommendations to protect IP theft, the report concludes that:
There is no silver bullet that can guarantee protection against IP theft. The diversity, complexity, and ingenuity of tactics preclude a one-size-fits-all solution. As our findings have shown, however, there are several common factors across successful attacks that warrant attention. Insider abuse—whether premeditated or requisitioned through trickery—is a favored method of filching IP. And if an insider won't cooperate, stealing their credentials will work almost as well. Short of that, brute-forcing or using SQL injection against web applications stands a good chance of success.
The report also lists a number of recommendations to protect against IP theft, which include:
Privileged users:
Use pre-employment screening to eliminate the problem before it starts. Don't give users more privileges than they need and use separation of duties. Make sure they have direction (they know policies and expectations) and supervision (to make sure they adhere to them).
Training and awareness:
Increase awareness of social engineering: educate employees about different methods of social engineering and the vectors from which these attacks could arise. In many of our cases, we see users clicking on links they shouldn't and opening attachments received from unidentified persons.
Stolen credentials:
Keeping credential-capturing malware off systems is priority number one. Consider two-factor authentication where appropriate.
Secure development:
Focus on application testing and code review. While SQL injection attacks are the most common, cross-site scripting, authentication bypass, and exploitation of session variables contributed to many of the network-based attacks.
If there's anything that IT security executives at high-tech manufacturing companies can learn from the report's findings, it is that as their extended supply chains rely on networks that manage sensitive company information, they need to continue to develop policies and procedures that will prevent these attacks. Certainly, the time, effort, and resources committed to mitigating IP theft is a worthwhile endeavor.
It's always good to be vigilant with regard to implementing practices and procedures that will protect sensitive data, especially since the electronics supply chain expands into Asia, Europe and other parts of the world where it's arguably more difficult to secure critical data.
I agree with you both. Nicole's article did point out that,
'There is no silver bullet that can guarantee protection against IP theft. The diversity, complexity, and ingenuity of tactics preclude a one-size-fits-all solution'.
Like you said Ariella, it's important to remain alert.
Yes, i agree with that but it also has to be a periodically conducted exercise. After sometimes management of most organizations do relax on this until intranet or their local network systems get compromised.
It's such a difficult thing to achieve but the article pin-pointed one good measure to do this. There should be level of involvement for every employee in organizations - who and who should have access privilege rights to some organizations' data. Even though, organization would still be worried about some self -acclaimed indispensable employees.
I think so too, human factor plays a role in all these thefts. Staff have to be trained on the risks if they involve in any of these activities and protection measure to take.
No matter what type of cryptographic algorithms and security systems are in place, the weakest link of any security system in the world is the human beings who are targets of social engineering attacks. The bigger the incentive of attacking a system, the more creative and hence more successful such social attacks can become.
Stealing IP can be a very profitable attack for thieves. Therefore, the human factor that has any involvement with such IP matters should be trained and regularly updated to be aware of new types of potential threats. It will also be useful if ethical hacking methods and penetration tests are applied randomly to test how well the people are defending the system based on th training they receive.
No, the report did not say how the attackers who succeeded at intellectual property theft used the information, or if there was a monetary gain for them.
The report did say that the most compromised areas of an enterprise are the databases and file servers, which is where most organizations store internal data and knowledge.
The report went on to say that "This serves as a reminder that when we lock down file servers storing IP, we can't neglect to lock file drawers too." I'm sure this is good advice.
Sometimes a resigning staff may copy out some important stuff and bring it over to the new company. I know some japanese companies even adopt laptops without storage, that is everything is from the company cloud server. Plugging in an unauthorised thumbdrive will be rejected.
While some parts of the high-tech supply chain network can be improved by implementing policies and procedures, other parts of the network are beyond the control of even the most skilled supply chain executive.
As Intel improves its chip technology and deals with a declining PC market, the company is still making a concerted effort to improve its supply chain.
EBN Dialogue enables and encourages you to participate in live chats with notable leaders and luminaries. Not only editors and journalists, but the entire EBN community is able to comment and ask questions. Listed below are upcoming and archived chats.
Archived Dialogues
Thailand Stages a Comeback Join EBN contributor Jennifer Baljko on Thursday August 23, 2012, at 11:00 a.m. EST for a live chat on how electronic manufacturers in Thailand have shored up their supply chain to reduce the impact of future natural disasters.
Euro-Crisis: What It Means for High-Tech Firms Join EBN Editor in Chief Bolaji Ojo and Contributing Editor Jennifer Baljko on Thursday, July 12, at 10:00 a.m. EDT for a Live Chat on high-tech and Europe's economic difficulties.
Microsoft Surface: Potential Winners & Losers What are the implications for the electronics industry supply chain of Microsoft Corp.'s decision to launch its own tablet PC? Join industry veteran and EE Times' systems and OEM expert Rick Merritt on Tuesday, July 3, at 12:00 pm EDT for a Live Chat on this subject.
Join EBN contributor Jennifer Baljko on Thursday August 23, 2012, at 11:00 a.m. EST for a live chat on how electronic manufacturers in Thailand have shored up their supply chain to reduce the impact of future natural disasters.
Peter Drucker famously said "Trying to predict the future is like trying to drive down a country road at night with no lights while looking out the back window." Yet in the razor's-edge world of electronics—with a lean supply chain and just-in-time demands—the need to know the future is vital.
You've heard the saying "the No. 1 supply chain risk is your people." That hasn't always been the case. But today's complex global supply chain requires a new type of multitalented employee. It's one who understands, finance, marketing, economics, is savvy with technology, graceful with relationships and can think analytically.
Where are these people? Are universities properly preparing the next generation supply chain professionals? How do train your existing workforce for these new, demanding positions?
Brian Fuller, editor-in-chief of EBN, will lead a 60-minute Avnet Velocity panel discussion that will ask and answer these and other questions swirling around today's supply-chain talent challenges.
To save this item to your list of favorite EBN content so you can find it later in your Profile page, click the "Save It" button next to the item.
If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This