For DuPont, Gary Min may have seemed a model employee. A research chemist at DuPont’s research laboratory in Circleville, Ohio, Min was a naturalized U.S. citizen with a doctorate from the University of Pennsylvania who had worked for DuPont for 10 years, even earning a business degree from Ohio State University with help from his employer. During that time, he had moved up the ranks within the company, taking on various responsibilities on research and development projects within its Electronic Technologies business unit. He specialized in the company’s Kapton line of high-performance films, which are used, among other places, in NASA’s Mars Rover.
But Min’s veneer of respectability began to crack on Dec. 12, 2005, when he told his employer he would be leaving his job. According to a civil complaint filed by DuPont against Min, a company search the next day revealed that Min had recently been an avid user of the company’s electronic document library, accessing almost 23,000 documents between May and December 2005, including more than 7,300 records in the two weeks prior to his giving notice. Alarmingly, Min had strayed from his area of specialization, rummaging through sensitive documents related to Declar, a DuPont polymer that competed directly with PEEK, a product made by Min’s future employer, Victrex.
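The post-resignation search described above is the kind of check a document-library owner can run continuously rather than only after someone gives notice. The following Python is an added illustration, not DuPont's tooling or anything from the case record: it parses a constructed access log (invented user ids, document ids, areas and dates) and flags a user whose access count in the last two weeks far exceeds their earlier average window, or who reads document areas outside their declared specialty.

```python
"""Insider access-volume check over a constructed document-library access log.

Added illustration (not DuPont's or any vendor's tooling). Each record is
"YYYY-MM-DD,user,doc_id,area". A user is flagged when the count in the most
recent window exceeds `spike_factor` times their average earlier window, or
when they read document areas outside their declared specialty.
"""
import math
from datetime import date, timedelta


def _build_log():
    """Constructed sample log: user names, document ids and dates are invented."""
    lines = []
    # gmin: one document a week in his own area from 3 Oct to 21 Nov (quiet baseline)
    for w in range(8):
        d = date(2005, 10, 3) + timedelta(weeks=w)
        lines.append(f"{d},gmin,K-{1000 + w},kapton")
    # gmin: 16 documents in the final two weeks, half of them from another area
    for i in range(16):
        d = date(2005, 11, 30) + timedelta(days=i % 14)
        prefix, area = ("D", "declar") if i % 2 else ("K", "kapton")
        lines.append(f"{d},gmin,{prefix}-{2000 + i},{area}")
    # jdoe: steady work in the declar area, two documents a week for ten weeks
    for w in range(10):
        d = date(2005, 10, 3) + timedelta(weeks=w)
        for k, offset in enumerate((0, 3)):
            lines.append(f"{d + timedelta(days=offset)},jdoe,D-{3000 + 2 * w + k},declar")
    return "\n".join(lines)


ACCESS_LOG = _build_log()


def parse_log(text):
    """Parse 'date,user,doc_id,area' lines into tuples with real date objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, doc_id, area = line.split(",")
        records.append((date.fromisoformat(day), user, doc_id, area))
    return records


def assess_user(records, user, specialty, end, window_days=14, spike_factor=3.0):
    """Compare a user's last `window_days` against their average earlier window.

    `end` is the day of the review (date or ISO string); the recent window is
    (end - window_days, end]. The baseline is the per-window average over all
    earlier history, rounded up to whole windows so a short history is not
    inflated.
    """
    if isinstance(end, str):
        end = date.fromisoformat(end)
    mine = [r for r in records if r[1] == user]
    window_start = end - timedelta(days=window_days)
    recent = [r for r in mine if window_start < r[0] <= end]
    earlier = [r for r in mine if r[0] <= window_start]
    if earlier:
        span = (window_start - min(r[0] for r in earlier)).days
        periods = max(1, math.ceil(span / window_days))
        baseline_avg = len(earlier) / periods
    else:
        baseline_avg = 0.0
    out_of_area = {r[3] for r in recent if r[3] != specialty}
    # With no history at all, any burst beyond a single access counts as a spike.
    spike = len(recent) > max(spike_factor * baseline_avg, 1)
    return {
        "user": user,
        "recent": len(recent),
        "baseline_avg": baseline_avg,
        "volume_spike": spike,
        "out_of_area": out_of_area,
    }


if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    for u, s in (("gmin", "kapton"), ("jdoe", "declar")):
        print(assess_user(recs, u, s, end="2005-12-13"))
```

The two signals are deliberately separate: a volume spike alone can be a legitimate project crunch, and one out-of-area document can be a mis-filed search, but both together in the weeks before a resignation is what an investigator would want surfaced before the exit interview, not after.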
With Min indicating he would relocate to a Shanghai office of Victrex, DuPont appealed to both law enforcement and the civil courts that it was worried its former researcher was absconding with a treasure trove of trade secrets for Victrex and perhaps other Chinese companies.
DuPont is not alone. The broad outlines of the Min case — his Chinese nationality, his links to companies operating in that country, and the broad scope of his attempted intellectual-property heist from DuPont — are in keeping with what the FBI says is an epidemic of state-sponsored economic espionage. By one estimate, there are as many as 3,000 front companies in the United States whose sole purpose is to steal secrets and acquire technology for China’s booming economy.
Welcome to the brave new world of enterprise security, circa 2007. It’s a world where the troubles of yesteryear — loud and stupid Internet worms and viruses such as MSBlaster, Sobig, or SQL Slammer — seem trivial. In their place are rogue insiders with legitimate credentials, armed with Trojans and rootkits controlled from afar that may lurk for years without detection, bleeding companies of sensitive information. It’s a world in which premeditated plunder of specific data, rather than the mere breaching of the perimeter, is the point of network intrusions. And that means companies, more than ever, must monitor and secure data to prevent it from falling into the wrong hands.
Higher value, freer flow
“This is a problem of the evolving value of data,” says Marv Goldschmitt, vice president of business development at Tizor, a data auditing and protection firm. “Data has taken on a value beyond what it originally had, and individuals don’t know how to deal with that,” he says. Moreover, the migration of almost all intellectual property and critical data to purely digital form, as well as the interconnectedness of corporate networks with each other and the Internet, stand in the way of discovering when data has been pilfered or that anything has gone awry, Goldschmitt says.
Security experts are painfully aware that clamping down on insider threats and data leaks is an order of magnitude more difficult than stopping malware. And while recognition of the data-security problem is spreading fast within enterprises, very few have taken steps to lock down their sensitive data and intellectual property.
“In our experience, most firms are far from addressing it,” says Phil Neray, vice president of marketing at Guardium, a database threat and security monitoring firm. “These companies have hundreds of systems installed around the world but very few installed to protect intellectual property.”
“The risk level is still very high,” says Steve Roop, vice president of products and marketing at Vontu, one of a slew of smaller DLP (data-leak prevention) firms.
According to data accumulated from Vontu risk assessments on customer networks, approximately 2 percent of all sensitive or confidential files are exposed to theft by unauthorized personnel, and around one of every 400 e-mails that leave a company exposes sensitive data — either sent to an unauthorized recipient or sent to an authorized recipient in an insecure form that can be sniffed or otherwise stolen.
Companies usually overlook that exposed data because their security posture is still focused on network perimeters, not on what might be going on behind the firewall or even over secure connections with business partners and suppliers, says Paul Stamp, an analyst at Forrester. “The perimeter around data is shrinking. Between joint ventures and collaborative [business to business] stuff and remote users, the perimeter has become highly porous.”
Exposure via business partners and third-party contractors is a top concern at Communications Data Services (CDS), a subscription service bureau that’s part of Hearst, says Paul McCarthy, director of information services. In its databases, CDS maintains files (including credit card numbers) for 155 million active subscribers to publications such as Better Homes and Gardens, U.S. News and World Report, Vogue, and Readers’ Digest. Much of that sensitive data comes to CDS through channels that can be difficult to police, such as agents and third-party contractors, as well as over the phone and via the Web, McCarthy says.
Securing critical data that may be used in a variety of contexts is a daunting prospect for any enterprise. But the harsh realities of regulations such as Sarbanes-Oxley and the PCI (Payment Card Industry) data security standard are helping set priorities for enterprises that might otherwise remain in denial.
In particular, Sarbanes-Oxley’s requirement that companies audit the access of privileged users to sensitive data — and PCI’s requirement to track user identity information whenever credit card data is touched — are pushing companies to home in on where sensitive data resides and how it is being used, Goldschmitt says.
At CDS, PCI and Sarbanes-Oxley prompted the company to take a close look at all of its processes for handling subscriber data, McCarthy says. In addition to doing its own SAS (Statement on Auditing Standard) 70 audits of internal security controls, CDS is regularly audited by third parties.
Increasingly, audits are forcing enterprises such as CDS to push security measures closer to where data resides, whether on laptops, in databases, or in shared directories, Stamp says. It’s a simple prescription but one that’s difficult to implement because most companies start out with a hazy understanding of what their sensitive data is, let alone where it resides on their networks.
“Companies wake up and realize, ‘We don’t know anything!’” Goldschmitt says. “We’ve had companies come to us and say, ‘We have 20,000 data servers and absolutely no idea which of them have sensitive data on them’.”
Zeroing in and locking down
When the panic subsides, the hard work of discovery begins. Fortunately, enterprises have more data security tools at their disposal today than ever before.
Most companies in the DLP space, including Vontu and Tizor, can audit network activity to find sensitive data such as credit card numbers, magnetic-stripe data, or intellectual property on database and file servers, and monitor user access to that data. Firms such as PointSec — now part of CheckPoint — and startup Provilla can perform similar audits at the desktop level, monitoring file copying to portable storage devices, as well as e-mail and Internet-based file transfers.
Once that key data has been identified, DLP firms offer various strategies for securing it — from tagging key intellectual property with signatures that raise alarms whenever they pass outside of the company’s control to blocking USB ports to prevent data transfer to portable devices. None of those approaches is sufficient to protect data without larger organizational changes, experts say.
“There are really cultural changes that need to occur,” Guardium’s Neray says. “You’ve got to focus on insiders and trust — trust and verify.”
Companies need to define security policies that cover critical data and educate employees about acceptable behavior. “If you’ve got an SAP application, your company might access the database 22,000 times a day as part of your normal business processes. But if someone’s using Microsoft Excel and bogus credentials to access SAP, that’s a violation of policy,” Neray says, adding that traditional perimeter defenses and identity- and access-management products also play a vital role in data security. In particular, companies should use their identity-management platforms and strict policies to link specific IP addresses to specific users, rather than allowing shared credentials to muddy the waters should a forensic examination need to take place. “The problem is you’ve got applications like SAP and Oracle eBusiness Suite, which have privileged credentials to access the database, and those are widely available in the IT environment. Developers are using them, [database administrators], and the help desk,” he says.
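Neray's example, a shared application credential that is fine when the application uses it 22,000 times a day but a policy violation when Excel uses it from a workstation, is a rule a database activity monitor can express directly. The Python below is an added illustration, not Guardium's product or SAP's or Oracle's configuration: the service-account names, networks, client-program names and audit-log lines are all constructed. It binds each privileged application login to the application servers' subnet and the application's own client program, and reports every session that breaks either binding.

```python
"""Database activity monitoring rule: a privileged application credential is
allowed only from its application servers and its application's own client.

Added illustration, not any vendor's product. Account names, networks,
client-program names and log lines are constructed.
"""
import ipaddress

# Constructed policy: where and how each privileged service login may be used.
POLICY = {
    "sap_app": {"networks": ["10.1.10.0/24"], "programs": {"sap-workproc"}},
    "ebs_app": {"networks": ["10.1.20.0/24"], "programs": {"oacore"}},
}

# Constructed audit log: timestamp|db_user|client_ip|client_program|statement
AUDIT_LOG = """\
2007-03-01T09:12:03|sap_app|10.1.10.5|sap-workproc|SELECT name FROM vendor WHERE id=41
2007-03-01T09:12:04|sap_app|10.1.10.6|sap-workproc|UPDATE invoice SET paid=1 WHERE id=77
2007-03-01T13:41:10|sap_app|192.168.55.23|EXCEL.EXE|SELECT * FROM customer_master
2007-03-01T13:45:00|sap_app|10.1.10.5|sqlplus|SELECT * FROM payroll
2007-03-01T14:00:00|jsmith|192.168.55.23|EXCEL.EXE|SELECT * FROM reports
2007-03-01T14:05:00|ebs_app|10.1.20.8|oacore|SELECT total FROM orders WHERE id=9
"""


def parse_audit(text):
    """Split pipe-delimited audit lines into dicts; the statement may contain '|'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, program, statement = line.split("|", 4)
            records.append({"ts": ts, "user": user, "ip": ip,
                            "program": program, "sql": statement})
    return records


def policy_violations(rec):
    """Return the list of bindings a record breaks ('network', 'program').

    Logins not covered by POLICY (personal accounts) return [] here; they are
    governed by identity management, not by this service-account rule.
    """
    rule = POLICY.get(rec["user"])
    if rule is None:
        return []
    reasons = []
    addr = ipaddress.ip_address(rec["ip"])
    if not any(addr in ipaddress.ip_network(n) for n in rule["networks"]):
        reasons.append("network")
    if rec["program"] not in rule["programs"]:
        reasons.append("program")
    return reasons


def audit(text):
    """Return (violations, per-user session totals) for a log excerpt."""
    violations, totals = [], {}
    for rec in parse_audit(text):
        totals[rec["user"]] = totals.get(rec["user"], 0) + 1
        reasons = policy_violations(rec)
        if reasons:
            violations.append({"ts": rec["ts"], "user": rec["user"],
                               "ip": rec["ip"], "program": rec["program"],
                               "reasons": reasons})
    return violations, totals


if __name__ == "__main__":
    found, counts = audit(AUDIT_LOG)
    print("sessions per login:", counts)
    for v in found:
        print(f"{v['ts']} {v['user']} from {v['ip']} via {v['program']}: {v['reasons']}")
```

The per-user totals matter as much as the violations: the legitimate application traffic is the bulk of the log and is never alerted on, which is what keeps a rule like this usable at 22,000 queries a day. The second flagged line shows why the program binding is needed on its own: a command-line client on an application server is inside the allowed network yet still outside normal business processing.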
Enterprises also need to build practical, bottom-up policies that actually get enforced, rather than imposing unrealistic, top-down security policies that just get ignored, Stamp says. “Once you have a handle [on] where your data is and where it’s going, you can start shoring up your infrastructure from the ground up.”
Some of those measures can be straightforward. Companies seeking to protect data on laptops and other mobile devices have been a boon to top-tier data encryption vendors such as RSA and PGP.
Even at PKWare, makers of PKZip, simple encryption features that work across diverse platforms have helped drive sales. Data security now accounts for half of the company’s business, compared with just 20 percent three years ago, says Todd McLees, vice president of marketing.
As CDS has discovered, start with the obvious and build from there. The company used a layered approach to get a handle on external security — with standard security measures such as firewalls, VPNs, and SSL encryption — then added configuration control technology from Tripwire. More recently, McCarthy says, CDS has deployed outbound filtering technology from Palisade Systems that can do packet-level inspection and spot data such as credit card numbers that might be traversing the company’s network or leaving the company over FTP or HTTP.
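Both the discovery audits described earlier (finding credit card numbers on file and database servers) and the outbound filtering CDS deployed rest on the same content check: locate digit strings that look like card numbers and confirm them before raising an alert. The Python below is an added illustration, not Palisade's, Vontu's, Tizor's or any other vendor's product. It scans constructed outbound message bodies (the card numbers are published test numbers, not real accounts), tolerates spaces and hyphens between digit groups, validates each candidate with the Luhn checksum so that order and tracking numbers do not trigger alerts, and reports matches masked to the last four digits so the alert itself does not leak the data.

```python
"""Outbound content check for payment card numbers, as a DLP-style filter might
apply to e-mail bodies or reassembled FTP/HTTP payloads.

Added illustration, not any vendor's product. Candidate numbers are located
with a regex that tolerates spaces and hyphens, then validated with the Luhn
checksum so that order numbers and other 13-19 digit strings do not trigger
alerts. Matches are reported masked.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# a fragment of a longer digit run (the lookbehinds/lookahead reject that).
_CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so alerts do not carry the full number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return masked, Luhn-valid card numbers found in text, in order."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_messages(messages):
    """Scan a batch of outbound messages; return (flagged_count, {id: hits})."""
    details = {}
    for msg_id, body in messages.items():
        hits = find_pans(body)
        if hits:
            details[msg_id] = hits
    return len(details), details


# Constructed outbound messages; the card numbers are published test numbers.
OUTBOUND = {
    "msg-1": "Renewal for subscriber 4417 1234 5678 9113 processed, thanks.",
    "msg-2": "Order 1234567890123456 shipped; tracking 9400-1000-0000-0000-0000.",
    "msg-3": "Please charge 4111-1111-1111-1111 and 5500000000000004 for the gift subs.",
    "msg-4": "Board meeting moved to Thursday.",
}

if __name__ == "__main__":
    flagged, detail = scan_messages(OUTBOUND)
    print(f"{flagged} of {len(OUTBOUND)} messages carry card numbers")
    for msg_id, hits in detail.items():
        print(msg_id, hits)
```

The Luhn step is what separates a usable filter from one that drowns the security team in alerts: the 16-digit order number and the 20-digit tracking number in msg-2 both look like card data to a bare regex, and a filter that blocked every such message would be switched off within a week. A production filter would also match on context (field names, magnetic-stripe track layouts, issuer prefixes), but the shape of the check is the same.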
CDS has gone further than tackling sensitive data as it flows among authorized employees inside the company. It also has determined the behavior of hundreds of companies that contract with the magazines CDS works with, many of which pay far less attention to data security — and may send spreadsheets or CDs with sensitive subscriber data to the company.
Nonetheless, the threat of a Gary Min-style rogue insider looms large. The goal, McCarthy says, is to put up enough barriers that it becomes almost impossible for a lone insider to do significant damage.
“You want to reduce it to the point where nobody can act alone and do something,” McCarthy says, “where you need a conspiracy of persons to make it happen.”