Intellectual Property theft
please use the provided references website beside yours.
All Provided material has copyright.
your internship assignment takes you to the Corporate Security office, headed by the Chief Security Officer (CSO). This office has recently completed an investigation into how a competitor may have obtained copies of the confidential architectural drawings and design plans for a new type of resort that the company had planned for a recently acquired island property. At least one competitor is known to have received copies of the company’s intellectual property through an economic development office within its country’s government. It is suspected that an Advanced Persistent Threat mechanism may have been used to exfiltrate information from Padgette-Beale’s existing hotel property within that geo-political jurisdiction. Another competitor, also operating in that geographic area, contacted Padgette-Beale’s Corporate Security Office and disclosed that it had been sent URLs for web pages containing links to the resort plans by an unknown party. The other firm wanted to make it clear to Padgett-Beale that they did not condone nor participate in such illegal and unethical taking or receiving of another company’s intellectual property.
As part of the company’s response to this theft, the CSO’s office has been asked to prepare a background briefing for company’s executives that addresses the problem of protecting intellectual property stored in digital form. The briefing must include recommendations for best practices that the company’s executives should be adopting to prevent / respond to such thefts.
Begin by reading the readings for this week. Then find additional information through your own research.
Write a 1/5 page summary of your research and analysis for review by the CSO’s senior staff. Your summary should begin by explaining the problem of intellectual property theft. Next, address the reasonable and customary processes and procedures which should be used to discourage or make it difficult for employees, managers, and executives to inadvertently misuse and/or steal the company’s intellectual property (at a minimum, you must address data classification and marking, separation of duties, and least privilege). You should also identify and explain five or more best practices which the company should implement as it responds to this growing problem.
Remember to list and cite your sources at the end of your research summary using a professional and consistent citation format (APA recommended).
rotecting Intellectual Property (IP) and Trade Secrets
Protecting Assets Containing IP / Trade Secrets
Identifying Types and Locations of Digital Assets
Categorization & Marking of Documents
Separation / Segregation of Duties
Principle of Least Privilege
Why Intellectual Property is Stolen
Competitive Intelligence
Corporate Spying
Espionage & Nation State Actors
How Intellectual Property is Stolen
Exploit Kits & Malware
Advanced Persistent Threats
Data Exfiltration
Attack Vectors
Dumpster Diving
Malware
Phishing Emails
Social Engineering
Practice Analysis and Solution Development for a Cybersecurity Problem
Preventing Intellectual Property Theft
Protecting Intellectual Property Stored in Digital Form
Best Practices for Executives & Others to Prevent / Respond to IP Theft,
ntellectual property and trade secrets are valuable assets of a company. For hotels and property management firms like Padgett-Beale, such information could include market strategies, expansion plans, and designs for resorts which a competitor could use to to gain leverage or a market advantage. Financial planning documents are of particular interest to competitors. There are legal ways for competitors to obtain such information, e.g. by posing as guests on a property, listening in on conversations in restaurants, or scanning public websites for documents that contain sensitive information about a company’s future plans and strategies. There are also gray areas — times when a competitor exploits the negligence or malfeasance of employees with access to sensitive information. Such employees may download files or receive emails on personal devices which are lost or misplaced. Or, they may make physical copies of digital files and then lose control over those copies, perhaps by tossing them into the trash or a recycling bin from which the papers are retrieved and exploited (this is called “dumpster diving”). Employees may even deliberately send or disclose a company’s intellectual property to individuals who are not authorized to receive it, possibly as retaliation or as a misguided or misinformed attempt at “whistle blowing.”
Competing businesses and nation states do not always act in legal or ethical ways when seeking information that a company has not disclosed, published, or otherwise made public. When a company or an individual illegally obtains intellectual property belonging to another, we call that theft. When a nation state performs the same act, it may be categorized as espionage or spying. Such thefts can be done from within or near a company’s buildings, e.g. via wiretapping or hacking into networks. Or, an attack can be launched from a distance using social engineering and phishing emails to gain entry for malware which spreads silently through an enterprise to open systems and networks to additional types of attacks. Such attacks, notably advanced persistent threats, can lay dormant within an enterprise for extended periods of time before waking up and phoning home to the attackers who then issue commands to launch additional malware and control the search for and exfiltration of intellectual property.
The reality is that determined thieves and spies, especially nation state actors, are finding ways to exploit vulnerabilities and infiltrate systems and networks despite a company’s efforts to secure their infrastructure. Defenders need to find and close tens of thousands of “holes” in their network and system defenses. A threat actor only needs to find one or a few ways into the systems and networks. The threat actor doesn’t even need to write or develop the software to accomplish this. Such software is available for rent or purchase on the dark web. Or, in the case of nation state actors, government employees including military members, are gathered together in teams who write and operate attack software that infiltrates systems and then hangs around for years (sometimes for decades).
Realizing that it may not be possible to completely secure computers and networks, we find ourselves needing to consider the problem of providing additional layers of protection for the company’s intellectual property that is present on its systems and networks, in digital form. Intellectual property must be found (located), identified by type, and categorized according to value or sensitivity (marked). Once these steps have been taken, a company can implement access controls and other layered protections using the principles of separation of duties and least privilege. These layers of defense can make it more difficult for malware to move from system to system within an enterprise. Separation of duties and least privilege can also make it more difficult for employees to gain access to or misuse the company’s intellectual property. (Note: the terms segregation of duties and separation of duties refer to the same principle.)
For this week’s discussion, you will analyze a situation involving the possible theft of intellectual property and formulate recommendations for how the company should respond to protect its property.
https://www.upcounsel.com/intellectual-theft
https://static1.squarespace.com/static/555b2d4ee4b011aa38092227/t/55c2399fe4b0ea0e6b351442/1438792095307/NJCCIC+-+Exploit+Kits+-+A+Prevailing+Vector+for+Malware+Distribution.pdf
http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/how_do_threat_actors_steal_your_data.pdf