Appendix B. Reporting and Prevention Guidelines: Industrial Espionage and Network Intrusions

In today's high-technology environment, thefts of proprietary material and network intrusions are a major organizational threat. This appendix is designed to help organizations develop the ability to prevent such proprietary theft and network intrusion—and, when they do occur, to know how to respond to recover their property and stop further intrusions. I hope you can review this information quickly and easily, and that it will function as a check list as you review your organization's needs. If you have questions regarding this appendix, please call or e-mail me at:

John C. Smith
Prevention and Recovery Consulting
Trade Secret Theft and Network Intrusions
Mountain View, CA 94040
(650) 964-1956
e-mail: [email protected]
Web site: http://www.JCSmithInv.com
Copyright © 1997

The information in this appendix comes from my eight years of experience as the senior criminal investigator, High Technology Theft/Computer Crime Unit, Santa Clara County District Attorney's Office, working in high-technology crime in Silicon Valley. This appendix includes the insight I gained from investigating 50-plus trade secret/proprietary theft (industrial espionage) cases; recovering hundreds of millions of dollars' worth of stolen proprietary property; investigating more than 40 network intrusions; searching countless personal computers in various types of criminal cases; and interviewing many suspects, witnesses, victims, and other people involved in these crimes.

It has been my experience that, to determine the extent of your loss or the extent of a network intrusion, it is necessary to conduct an investigation and execute a search warrant on the suspect's workspace and/or personal computer system. We generally found more property than the victim thought had been taken. Such investigations allow investigators to search for the types of hacking tools and programs (such as backdoor logins) that may have been used on your systems.

For Immediate Problems

  • When a crime has been committed, do not confront or talk with the suspect. If you do, you give the suspect the opportunity to hide or destroy evidence.

  • Know your options about talking with law enforcement. Most agencies will not start an investigation unless the victim wants to do so. An official report must be filed before a search warrant can be issued.

  • Do not wait too long to call. It is best to immediately consult with law enforcement to learn about your options. Evidence can be lost if you wait too long.

Reporting Options

  • Call our office or your local law enforcement agency and make a police report. Request a search warrant to recover your property. You can use this information to file for an injunction.

  • Make an official report to the federal authorities, probably the FBI.

  • File a civil law suit and seek an injunction when appropriate.

  • Take appropriate disciplinary action against any involved employees.

  • Do nothing and hope that the problem stops before your organization suffers any substantial damage.

Conducting an Investigation

To conduct an investigation, think of Smith's Seven Step System, which consists of the following:

  1. SPEED. The case should be handled quickly before evidence and property are destroyed.

  2. STEALTH. The investigation must be done quietly or the suspect will learn of it.

  3. SYSTEM SECURITY. No further damage should be allowed to your system.

  4. SECURE EVIDENCE. Chain of possession to ensure it is admissible.

  5. SUSPICIOUS/SUSPECT EMPLOYEES. Most thefts are done by employees.

  6. SHOW and TELL REPORTING. Learn how to make a report understandable.

  7. SEARCH WARRANT. Prepare and serve a warrant when necessary.

Workplace Philosophy

An organization is less likely to be victimized if it has the following characteristics:

  • Has adopted security policies to protect its systems and data.

  • Makes its security policies known to all who work in the organization.

  • Has planned on how it will react to intrusions and losses.

  • Encourages the reporting of suspicious incidents and has a method in place that makes reporting easy and confidential.

  • Attempts to recover its stolen material.

  • Makes it known that offenders will be criminally prosecuted.

  • Has analyzed the major threats to the organization and has considered how to deal with them.

  • Realizes that the major threat is probably a person authorized to be on the premises.

Organizations should continue to provide ongoing awareness training to remind everyone that the organization could be a target for the theft of proprietary data or a network intrusion.

Your plan and your working environment must be balanced. Your rules and operating instructions cannot be so severe that work and creativity are restricted, yet rules and accepted security practices should convey the message that thefts, acts of vandalism, and computer misuse will not be condoned.

Management should take security seriously and allocate the resources needed to implement and inspect the correct policies. Training should be provided. Business goals (such as deadlines) should not be allowed to take precedence over security.

Most importantly, your company should develop an attitude and mind set that it is not willing to be a victim and that it will not tolerate people who steal from or attack its site. Law enforcement has long known that thieves and predators pick on easy and willing victims. Realize that incidents do happen and can happen to your company. Your company management must also understand this fact.

Written Plan

Your written plan should be approved by corporate legal, corporate security, management, and the computer/network manager. The plan should be agreed on, be in writing, and be approved by the head of the organization.

Organizations should involve employees in developing a plan. Employees know organizational weaknesses and how to exploit them.

Identify the decision-maker who is authorized to call law enforcement. Identify who will be the day-to-day coordinator of an incident and who will work with law enforcement and attorneys. Provide for a response team that is trained to investigate network intrusions.

All managers, supervisors, and systems administrators should be very familiar with the plan and have a copy available. All employees should receive a copy of the plan or a briefing on the contents of the plan. Your plan should specify that any employee who learns of a theft or network intrusion will not discuss it with anyone except management, security, the legal department, or a designated person.

Remember that rumors fly at the speed of sound.

Law and the Legal Process

Know the appropriate state and federal laws. Include copies of state and federal laws with your plan. Determine your guidelines for prosecuting. Prosecution is necessary for a law enforcement investigation and if you want to use the search warrant process.

Know the appropriate local or federal law enforcement agency that has jurisdiction for any problems you might have. Establish the appropriate contacts. Keep names and phone numbers updated. Talk with law enforcement at least once a year. Offer tours or briefings. Know the capabilities of your law enforcement resources.

Know how long it will normally take local law enforcement and federal law enforcement to obtain a search warrant. Discuss what information or reports law enforcement will share with you. Know whether you will be able to obtain law enforcement reports for use in civil cases. Know whether you can get reports from federal cases.

Plan for filing a civil injunction or temporary restraining order (TRO) as soon as law enforcement has completed the search warrant or covert investigation. Injunctions are frequently used by victims to prohibit suspects from using proprietary information that has been taken under questionable circumstances.

Computer and Network Systems

Make sure the audit or accounting functions are turned on.

Have servers in a physically secure location to prevent unauthorized access.

Control modem connections; use smart cards or a call-back system.

Make sure secure firewalls are set up and configured properly.

On a regular basis, run programs (for example, Crack, Tiger, COPS, and Satan) to check for system weaknesses.

Keep current on new programs designed to find system vulnerabilities.

Use a virus-checker program.

Have a password file in a hidden location (that is, a shadow password file).

Close holes in operating systems.

Do not allow the importation of software into the system.

Monitor the size of outgoing mail and notify the system administrator of large outgoing messages.

Track and audit company proprietary data when it is copied and printed.

Watch for the computer system behaving strangely or improperly.

Put names or hidden markers in source code: unusual code that would work only with something you have done, or deliberately misspelled words, so that copied code can later be identified as yours.

Make timely system backups.

Keep one copy of backup tapes in a secure facility offsite.

Plan on how to handle various intrusions, such as broken accounts, system or root access, backdoor logins, sniffers, and Trojan horses.

Ensure that patches have been made to networks and that you apply the patch whenever a new one is made available. Watch CERT bulletins.
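The item above about monitoring the size of outgoing mail is the kind of check that is easy to automate. The script below is an added example, not part of the appendix, and it works on a constructed, simplified mail-log format (`<timestamp> from=<sender> to=<recipient> size=<bytes>`); real sendmail or Postfix logs use different fields, so the regular expression and the internal domain `corp.example` are assumptions to adapt. It flags single large messages to external addresses and also totals each sender's external volume per day, which catches a series of smaller messages that a per-message threshold alone would miss.

```python
"""Flag unusually large or high-volume outgoing mail from an MTA log.

Added example; not from the appendix. The log format below is a
constructed, simplified one. Adapt LINE_RE and INTERNAL_DOMAIN to
the mail system you actually run.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
1997-03-04T09:12:01 from=alice@corp.example to=bob@corp.example size=2048
1997-03-04T09:15:22 from=alice@corp.example to=partner@other.example size=1536
1997-03-04T17:41:09 from=mallory@corp.example to=anon@freemail.example size=5242880
1997-03-04T17:42:10 from=mallory@corp.example to=anon@freemail.example size=7340032
1997-03-04T18:03:55 from=carol@corp.example to=dave@corp.example size=4096
1997-03-05T02:17:33 from=mallory@corp.example to=anon@freemail.example size=6291456
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)\s+size=(?P<size>\d+)$"
)

INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the address is outside the organisation's own domain."""
    return not address.lower().endswith("@" + internal_domain)


def large_outgoing(records, threshold_bytes=1 << 20):
    """Messages leaving the organisation that reach threshold_bytes (1 MiB default)."""
    return [r for r in records
            if is_external(r["rcpt"]) and r["size"] >= threshold_bytes]


def daily_volume_per_sender(records):
    """Total bytes sent to external recipients, keyed by (date, sender)."""
    totals = defaultdict(int)
    for r in records:
        if is_external(r["rcpt"]):
            day = r["ts"][:10]  # timestamp is ISO 8601, first 10 chars are the date
            totals[(day, r["sender"])] += r["size"]
    return dict(totals)


def report(text, threshold_bytes=1 << 20):
    """Lines an administrator would be notified with: per-message and per-day alerts."""
    records = parse_log(text)
    lines = [f"LARGE {r['ts']} {r['sender']} -> {r['rcpt']} {r['size']} bytes"
             for r in large_outgoing(records, threshold_bytes)]
    for (day, sender), total in sorted(daily_volume_per_sender(records).items()):
        if total >= threshold_bytes:
            lines.append(f"VOLUME {day} {sender} {total} bytes to external addresses")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample, the script reports the three multi-megabyte messages to the free-mail address and the per-day totals for that sender, while Alice's small message to a partner stays below the threshold. Pick the threshold from your own baseline of normal traffic rather than from this constructed sample.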

Employees

Several studies and my experience indicate that employees and other persons who are authorized to be on the company premises or who are in a trusted relationship commit most computer crimes.

Do complete background checks before hiring someone or allowing someone access to company resources.

In new employee indoctrination, stress the importance of proprietary data and that any compromise of proprietary data will result in discipline, termination, or prosecution.

Warn against bringing in other companies' proprietary data.

Conduct thorough exit interviews.

Advise departing employees that it is against the law to take proprietary material, and that you will prosecute anyone caught taking any type of proprietary information.

Determine whether the employee who is leaving has worked on important-enough material that a letter should be sent to him or her or to the new employer reiterating the non-disclosure and confidentiality documents signed by the former employee. Letters are frequently used by companies to warn other companies when an employee has changed jobs and the former employer is concerned that the employee may divulge proprietary information.

Set up an easy-to-use system that allows employees to covertly or anonymously report suspicious behavior.

Set up a reward system for preventing loss of data or helping to recover data.

Develop a method to combat the belief by many employees that anyone who has worked on something has a right to take a copy. This feeling of ownership occurs regardless of the signing of non-disclosure agreements and ownership/invention agreements. One of the most common criminal defenses used is that the ex-employee just wanted a sample of their work.

Control and approve any articles written about the company by employees.

Educate current employees on the cost and impact to the organization—and to them personally—of the loss of proprietary information.

Do not give prospective or new employees an email account or access to their new work environment before they have officially terminated from their last employer.

Methods of Safeguarding Proprietary Material

For your proprietary material to be considered secret, you must be able to show that you took adequate steps to protect it.

In both civil and criminal cases, you must explain what steps or methods your company used to protect its property.

The following are measures that can be used to protect proprietary information:

  • Require non-disclosure agreements from employees, contractors, and anyone with access to the protected material.

  • Require non-employees to sign a contract describing their access to protected material before the non-employee is given any type of proprietary material.

  • Conduct thorough exit interviews.

  • Collect all documentation of terminating employees.

  • Maintain secure and locked facilities.

  • Require employees to wear badges; require visitors to wear badges and be accompanied by escorts.

  • Maintain document control.

  • Ensure that all documents are marked and numbered.

  • Keep logs of who is issued what documents.

  • Use a need-to-know policy to determine who can access proprietary material.

  • Restrict on a need-to-know basis access to networks where proprietary data is kept.

  • Password-protect computers and networks where important data is kept.

Document Control

Properly mark proprietary and confidential documents. The confidential markings can be minimized if they are seen on routine documents. Mark only proprietary documents, not everything.

Do not have more than two security classifications.

Have an easy-to-use accounting system in place to track who checks out and returns proprietary documents. Require that the document-control system be used and inspect its use. Have the document-control processes audited by management on a random basis.

Track printouts from the computer accounting system. Have confidential and proprietary markings automatically put on every printed proprietary document.

Track and audit downloads of computer files.

Set up a disposal method for documents when they are no longer needed.

Limit access to source code; limit physical access to documents.

Foreign/Competitor Contacts

Train employees in how to protect proprietary data when they are traveling. Discuss hazards and how employees can protect themselves or detect methods such as these:

  • Microphones in hotels, meeting rooms, and transportation

  • Searches of rooms and briefcases by unknown persons

Train employees in what to do when they are approached by representatives of a competitor, a foreign company, or a foreign country.

Require that employees report when they are asked to be a guest or a speaker, to serve on a committee of a foreign country, or are put in a situation of working with a person who may be collecting information. Debrief employees when they return from overseas trips.

Determine how to handle visitors who take photographs and notes while touring your facilities.

Determine how to handle employees who are asked to lunch or other social functions by competitors.

Managers and Supervisors

Managers and supervisors should be trained to recognize and report employees who manifest behavior that may lead to acts against an organization. Such behavior may include the following:

  • Employees who are angry at the company or a supervisor for being passed over for promotion, for not receiving a raise, for a perceived lack of respect, and so on.

  • Employees with an unusually high fixation on making large sums of money, getting promoted in a company, acquiring a lot of stock from a start-up company, and so on.

  • Employees acting strangely or being spotted with suspicious people.

Management should continually reinforce that first-line managers and supervisors will often be the first to learn of unusual employee behavior and that most problems are caused by insiders.

Reporting Process—Rewards

Create an environment in which employees will report suspicious behavior or actions. Have in place an anonymous reporting or call-in process and ensure that management takes this seriously. Offer rewards for saving data in the face of thefts or attempts at theft.

Train managers, supervisors, and all staff on how to make reports and explain why it is important to react quickly and quietly.

Intelligence-Gathering Methods

There are many ways for people to get at confidential information:

  • Dumpster diving

  • Obtaining your data from other companies

  • Hiring your key employees

  • Sniffing data on networks

  • Going through trash inside the building

  • Monitoring unsecured faxes and telephones (particularly true in other countries)

  • Voice gathering by using sound-directional equipment

  • Foreign or competing representatives who visit or tour your facilities

  • Interns or students assigned to your facilities

Look for Weak Links

Often, the employees who make the least money have the most access in a company: security personnel, maintenance personnel, and janitors. The following are possible weak links:

  • Is the company contracting for services, and are those employees bonded or backgrounded?

  • Don't overlook trash being put in unlocked dumpsters.

  • Social engineering of unsophisticated employees who talk about passwords in front of others.

  • Employees with gambling or drinking problems, or employees who hang around card clubs.

  • Allowing non-employees and employees of contractors too much access to sensitive areas or documents.

  • Allowing too many employees without the necessary need-to-know access to sensitive areas or documents.

  • Allowing work to be done that is not understood by a supervisor or management.

  • Unlimited access to copy machines or downloading of documents.

  • Allowing computer data to be sent out of the company without some type of check or monitoring.

  • Allowing employees to write papers or to give presentations about the company or its products without the information going through a review process.

  • Not enforcing company policy.

  • Allowing engineers or other technical employees to use their own equipment, computers, or notebooks.

  • Not protecting customer information, strategic forecasts, or business plans.

  • Not running Crack or other tools that check for network vulnerabilities.

  • Not closing computer accounts of employees who have left the company.

  • Proprietary documents that are not marked or that are printed from a computer without adequate proprietary notice.

  • Allowing a proprietary document to be moved, downloaded, or printed from a computer network without a warning that the material is proprietary.
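Two of the weak links above, accounts that are not closed when employees leave and access that nobody reviews, can be caught with a routine reconciliation of the account list against the HR departure list. The script below is an added example, not part of the appendix. Its three inputs are constructed: a passwd-style account list, an HR export of departure dates, and a last-login table; the CSV layouts and the "never" marker are assumptions, and the `/bin/false` and `/sbin/nologin` shells are treated as service accounts that are not expected to log in.

```python
"""Reconcile system accounts against HR departures and last-login data.

Added example; not from the appendix. All three inputs are constructed
samples and their formats are assumptions. Two findings are produced:
'departed' for an account still present after the owner's last day
(with a flag if it was used after that day), and 'dormant' for an
interactive account with no login in dormant_days.
"""
from datetime import date

# Constructed sample inputs (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice Liddell:/home/alice:/bin/sh
bob:x:1002:100:Bob Builder:/home/bob:/bin/sh
mallory:x:1003:100:Mallory Mal:/home/mallory:/bin/sh
carol:x:1004:100:Carol Contractor:/home/carol:/bin/sh
buildsvc:x:2001:200:Build service:/var/build:/bin/false
"""

# username,last_day (ISO date); assumed HR export format
DEPARTED = """\
mallory,1997-02-28
bob,1997-03-14
"""

# username,last_login (ISO date or 'never'); assumed format
LAST_LOGIN = """\
root,1997-03-01
alice,1997-03-04
bob,1997-03-03
mallory,1997-03-03
carol,never
buildsvc,never
"""

SERVICE_SHELLS = ("/bin/false", "/sbin/nologin")


def parse_passwd(text):
    """Map username -> {uid, gecos, shell} from passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gecos": gecos, "shell": shell}
    return users


def parse_csv_dates(text):
    """Map username -> date, or None where the value is 'never'."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, value = line.split(",", 1)
        out[name] = None if value.strip() == "never" else date.fromisoformat(value.strip())
    return out


def audit(passwd_text, departed_text, last_login_text, today, dormant_days=90):
    """Return a list of findings, one dict per account needing attention."""
    users = parse_passwd(passwd_text)
    departed = parse_csv_dates(departed_text)
    logins = parse_csv_dates(last_login_text)
    findings = []
    for name, info in users.items():
        last = logins.get(name)
        if name in departed and departed[name] < today:
            # Account survived the owner's departure; was it used afterwards?
            used_after = last is not None and last > departed[name]
            findings.append({"user": name, "issue": "departed",
                             "used_after_departure": used_after})
        elif info["shell"] not in SERVICE_SHELLS:
            # Interactive account nobody has used recently, or ever.
            if last is None or (today - last).days > dormant_days:
                findings.append({"user": name, "issue": "dormant",
                                 "used_after_departure": False})
    return findings


if __name__ == "__main__":
    for f in audit(PASSWD, DEPARTED, LAST_LOGIN, date(1997, 3, 5)):
        print(f)
```

On the sample data the audit reports Mallory, whose account is still open a week after the last day and shows a login after it, and Carol, an interactive account that has never been used; Bob's account is not flagged because the departure date is still in the future, which is the point at which the plan's exit-interview and account-closure steps should already be scheduled.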

California State Laws

The following are the California state laws that are used in a majority of high-technology cases. They can be downloaded from this site:

  • 499c PC: Trade Secret Theft

    Trade secret means any information—including formula, pattern, compilation, program, device, method, technique, or process—that derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use. A felony. See the California Penal Code for complete wording.

  • 502 PC: Computer (Network) Related Crimes, Illegal Intrusion

    Primarily a felony. See the California Penal Code for complete wording.

    1. Accesses, alters, damages, deletes, destroys, or uses data to defraud or obtain something of value.

    2. Knowingly accesses and without permission takes, copies, or makes use of any data from a computer system or a computer network.

    3. Knowingly and without permission uses or causes to be used computer services. (Misdemeanor)

    4. Knowingly accesses and alters, damages, deletes, or destroys any data on a computer or network.

    5. Knowingly and without permission causes the disruption of computer services or denies or causes the denial of computer services to a computer, computer system, or computer network.

    6. Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network. (Misdemeanor)

    7. Knowingly introduces any computer contaminant into any computer, computer system, or computer network. (Misdemeanor)

    If the computer used by the suspect is located in Santa Clara County, we can prosecute even though the suspect broke into a system in another state.

  • 641.3 PC: Commercial Bribery

    A felony. Any employee who solicits, accepts, or agrees to accept money or anything of value from a person other than his or her employer, other than in trust for the employer, corruptly and without the knowledge and consent of the employer, in return for using or agreeing to use his or her position for the benefit of that other person, and any person who offers or gives an employee money or anything of value under those circumstances is guilty of commercial bribery. The money or thing of value must exceed $100.

United States Code

Section 1832, Theft of Trade Secrets

Whoever, with intent to convert a trade secret that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will injure any owner of trade secret, knowingly (steals, copies, duplicates, sends, receives, buys, or possesses knowing it to be stolen).

Examples of Cases in Santa Clara County (Silicon Valley)

The following are some of the more serious cases of proprietary theft and network intrusions that the Santa Clara County District Attorney's Office has investigated:

  • Kevin M. used the name of a victim company manager and obtained a modem account. He uploaded his own code and obtained superuser status on several systems. He then downloaded source code through cutouts and cellular phones.

  • BV used cracking tools obtained on the Internet to gain system administration status at an Ivy League university. He then inserted a back-door login program into the operating system.

  • RY, after leaving a company, gained access to the network through a security hole. On two occasions, he erased the manufacturing database and made hidden changes in the system. He almost stopped company operations for two days.

  • MI, who wanted to make more money, gave notice and then compressed the victim company's source code. He emailed it to his account on a public provider and then to his home.

  • CVD was the manager of the computer center. He used his employees to rewrite the company's source code and then sold it. He formed a company with the profit and was trying to sell the program overseas. The code was moved using modem and tape.

  • Marc G. was caught trying to get on a flight back to France after working in a local software development company. He had taken enough papers to replicate that company's program. Five tar (copy) commands were found on the company's system.

  • WBS, an angry employee in the defense industry, took a few papers at a time concerning a non-classified part of a proprietary project. By the time he was fired, he had an 18-inch-thick stack of papers. He also took a copy of the company's business plan. He was offering these to the victim company's competitors to get a job.

  • INT wanted schematics and manufacturing/process information to help start up a new competing company. He hired a victim employee as a consultant who brought the information he needed to the new company. During a search warrant in a case over disputed source code, we found a proprietary document that would allow the replication of the victim's product. The engineer with the document said it had been given to him when he was a scientist in the Soviet Union, within six months of the publication date. He was able to retrieve it after the fall of the Iron Curtain.

  • JW is an engineer who took processing data for a product and used it to obtain consulting fees and to get a job in another country. We arrested him two days before he was to leave for his new job in South America. This information may have been used as the basis of a partnership with a business in Europe.

  • T & G took documents and source code. We found that T was, at the same time, also serving as the vice president of a company in Beijing. Further investigation revealed that T was sending documents to a company in Beijing.

  • HT, while visiting a company with whom he had a business association, downloaded their customer database into his laptop computer and sent it to his company in Europe.

  • F was employed as an engineer to develop computer instructions for manufacturing. He became angry and erased all the programs on the company computers. We recovered the programs at his home.

  • AK acquired proprietary documents on his employer's new technology. He quit and obtained several jobs where it appeared he was using the documents to make himself look good and to advance in the new company.

  • RC broke passwords on a network; using those accounts, he sent messages to the president of the institution trying to get the system administrators fired.

  • A software engineer left the company where he developed the nucleus of a software program. In an extremely short time, he produced a similar competing product. Many lines of code are the same.

  • A technician took prototype circuit boards out of new computers and sold them.

  • Raj, an Indian electrical engineer, was working as a security guard in an R&D facility for one company while working in several other companies that had similar products. He had not listed his EE degree on his application for the security guard position. Raj was stopped trying to get back into the R&D facility six months after he had walked off that job.

  • A local manufacturing company, trying to do business with a Pacific Rim company, entered into a working agreement. When the local company stopped visitors from the other company from taking notes and photos of their equipment, a representative of the foreign company tried bribery to get manufacturing details. The victim did not prosecute for fear of not being able to do business in that country. A second local company discovered that a company from the same Pacific Rim country hired away a manager. That manager put together a team of former employees from the victim company. The team developed a duplicate product to put on the competing market in an extremely short time.
