“Mr. Mallery, several of our employees have gone to work for a competitor, and we believe they took some of our proprietary information with them. Can you help us?” I hear this plea every single day. What surprises me is that the client acts like this is something new or unusual, when in fact it is extremely common.
Expanded bandwidth and increased data storage capacities are now availble at low cost, allowing people to transmit, store and transport large amounts of data with very little effort. Much has been written about the threat of USB storage (see “Portable Data Storage Devices: Security Nightmare,” July 2005 Security Technology & Design, p.36).
Anything Can Be Uploaded
Another threat is the development of free or low-cost online data storage sites such as Yahoo! Briefcase, which lets users store 30 MB of files for free. Many other sites provide even more storage capacity. For instance, FlipDrive offers 5 GB of free storage for 30 days. Does this frighten anyone?
There are so many of these sites that it’s difficult to keep track of all of them, so it can be difficult, if not impossible, to block access to them. But you should still try. In the box on p.32 I’ve included a short list of sites that you can start with, but keep in mind that it is by no means comprehensive.
Visit some of these sites to learn the types of services they offer. Many allow users to share files, which makes the sites that much more of a threat to proprietary information.
Who Can Access What?
Because people can disseminate proprietary information with the click of a mouse, businesses must work harder to protect their information. The first step is to ensure that all digital files have the appropriate file rights assignments. Not every employee in an organization should have access to every single file. Unfortunately, they do in many organizations, because it is easier to allow everyone full access than to figure out who should have access to which files. But in this environment it is easy to steal information.
Users should have access to only the files they need to do their job. Identifying who has access to which files can be a challenge, but several tools can help.
Sysinternals has two free tools, ShareEnum and AccessEnum. Another useful tool is Somarsoft’s DumpSec (formerly DumpACL) which lets security professionals review the Access Control Lists for all files on a system.Access Control Lists show which users can perform which actions on particular files. The tool is free and can be downloaded from Somarsoft’s Web site.
Manage Files Closely
Now you know how to start securing proprietary information and trade secrets. But blocking storage sites and managing file rights are not enough, since the biggest threats to trade secrets are the employees that do need access to proprietary information. These individuals often remove trade secrets from the office by, for instance, e-mailing material to a personal e-mail account so they can work on projects at home, or downloading materials to a corporate laptop so they have access to information while on the road. At this point, data is outside of corporate control.
If an employee who becomes disgruntled already has proprietary information in his possession, taking it with him when he goes to a competitor is a trivial matter.
You can protect documents by converting them to Adobe .pdf files and applying a password to restrict printing and editing. The nearby image shows this option being configured within Adobe Acrobat 6.0 Professional. This may be helpful for protecting a small number of documents. Larger organizations or businesses that want more control over their data may wish to use an enterprise rights management tool.
Enterprise Rights Management
Enterprise rights management helps you provide “persistent security” to electronic files—that is, file-level security that lasts throughout the file’s life. Once a file is created, the user can assign it a wide range of permissions. Microsoft Office 2003 Professional’s Information Rights Management application offers enterprise rights management capabilities. This solution lets you set and change file permissions for specific users and groups, assign permissions based on roles, restrict printing, forwarding and copying, and set file expiration dates. This type of technology can greatly enhance an organization’s control over its proprietary information and trade secrets.
However, implementing Microsoft’s Information Rights Management is not a project to be undertaken lightly. It requires significant back-end support because it relies on Microsoft Windows Rights Management Services for Windows Server 2003. It also requires Microsoft Active Directory, Microsoft Internet Information Services, a database such as Microsoft SQL, and Microsoft Office 2003 Professional. Individuals with Microsoft Office 2003 Professional can create documents with restricted permissions by using the free trial service for IRM at http://tinyurl.com/cge4n. It requires a Microsoft .NET Passport account, but it gives you an excellent opportunity to learn more about setting permissions on documents.
There are many commercially available digital rights management solutions besides Microsoft’s IRM. One is Authentica Inc.’s Secure Documents, which appears to have some features that can help an organization corral its information. These include letting content owners place watermarks into documents and providing a detailed audit trail.
Other products include Airzip Inc.’s FileSecure and Liquid Machines Document Control, which integrates with 65 applications and file formats. To gain a better understanding of the capabilities of these tools, take the time to view one of Liquid Machines’ online demos at www.liquidmachines.com.
The security and tracking capabilities of these tools can also help an organization comply with many regulations, such as HIPAA requirements.
Nine Tips for Keeping Secrets
You should always apply multiple levels of security to protect trade secrets. An organization should never rely on a single security product or implementation. The following solutions in combination can offer robust protection.
1.Tell employees that they are not allowed to distribute proprietary information. Include this prohibition in employment agreements and severance agreements. Implement non-disclosure agreements. Remember that you can only legally claim information as a trade secret if you can show that you’re taking appropriate steps to protect it. Addressing trade secret issues in policies and agreements is a good first step. This seems like an obvious protection mechanism, but it is overlooked by many organizations.
2.Implement basic file rights management. Allow users access to only the information they need to do their jobs. If an employee gives a two-week notice of his intent to leave the company, his rights should be reviewed and possibly restricted.
3.Manage or block access to portable data storage devices such as CDs, DVDs, USB drives and floppy disks. Products like DeviceWall from Centennial Software and SecureWave’s Sanctuary Device Control can help you control the use of these devices.
4.Block access to online data storage sites.
5.Prohibit the use of consumer-grade instant messaging and chat. These programs are often used to bypass corporate monitoring and logging of communications. Individuals intent on sharing information with a competitor or co-conspirator will often use instant messaging.
6.Implement enterprise/digital rights management to restrict permissions on corporate files and control the actions a user can take on specific files.
7.Immediately disable network access and remote access for terminated employees. See “You’re Fired!” in the March 2005 issue of Security Technology & Design (p.74)) for tips on how to do this.
8.When employees leave, ask them to sign a document stating that they have removed all proprietary information and software from home computer systems. While this may not always be effective, it shows that you are taking every step possible to protect your information. Producing this document in court during an intellectual property or theft of trade secrets case could prove helpful.
9.Consistently and aggressively go after employees who violate non-compete agreements in jurisdictions where they are enforceable. Encourage your organization’s legal team to learn about the civil remedies associated with the Computer Fraud and Abuse Act (CFAA). While this is a criminal statute, it has been effectively applied to theft of trade secrets cases. It has a very low threshold of $5,000 which may be easily reached during an investigation into the loss of trade secrets. See Nick Ackerman’s excellent article, “Trade Secrets: CFAA’s $5,000 Threshold” (www.dorsey.com/news/news_detail.aspx?id=175277803).
Strong Policy Is the Foundation
All the measures outlined above should be added to standard IT security policies and procedures such as
• an acceptable use policy for corporate computer systems. Have employees sign it and put it in their personnel folder.
• secure passwords that are changed periodically.
• anti-virus programs that are kept up to date.
• forensically wiping the hard drives of discarded computers.
• updating all operating systems and applications.
• intrusion prevention/intrusion detection systems. Ensure they are monitored frequently by a qualified individual.
• periodic assessments of your network security. These should include a combination of third-party vulnerability assessments and the judicious use of tools such as the Microsoft Baseline Security Analyzer and the benchmark and scoring tools available from the Center for Internet Security
Listing these fundamental IT security principles seems a little silly, but I have been involved in the IT security industry for 10 years, and I still see organizations that overlook one or more of these steps. By combining a sound IT security program with the internal controls mentioned in this article, organizations can maintain control over their proprietary information and trade secrets.
John Mallery is a managing consultant for BKD, LLP, one of the 10 largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. Mr. Mallery can be reached at firstname.lastname@example.org.