Blog Entries

Posted on July 24, 2007 10:44 pm by Damon Clifford
Categories: Internal Security, Business Security

Last week, a contract worker at Oak Ridge National Lab was caught trying to sell nuclear secrets. Apparently he needed some extra money and thought that stealing these secrets and selling them to a foreign government would allow him to pay off his debts.

This is a serious breach of security, and it is amazing that a low-level contract worker was allowed to access this information and steal it. Fortunately, he was caught by an undercover agent acting as a potential buyer of these nuclear secrets. There’s no doubt that Oak Ridge has a policy to prevent this sort of security breach, but the procedure to follow it was not executed.

If these secrets had been sold to a foreign government, the consequences would have been very damaging. There’s never enough security to protect proprietary information, and it’s important not only to have a policy, but also to be very diligent in the procedure to protect that sort of information.

Many business owners don’t think something like this could happen at their business. However, if it happened at a high-security nuclear facility, what would stop it from happening to your business?

Posted on July 23, 2007 10:15 am by admin
Categories: Online Security, Business Security

On July 23rd an anonymous person was able to find the password to one of Fox’s secure servers in plain sight. Unfortunately, this is not an uncommon occurrence: one person making a small oversight can put millions of dollars of company information at risk. While browsing around the Fox News website (www.foxnews.com), the person stumbled across a file which contained the username and password for a highly secure FTP server. Luckily, this person chose to publicly expose the flaw instead of exploiting it or selling it to a malicious hacker. Fox was able to patch the information leak by quickly changing the password to their server, but since the exploit had already been made public, there was still a great deal of damage done to their reputation. As a major news outlet, much of their business depends on them being able to keep confidential information secure until they are ready to release it to the public. Leaks like this could cause potential sources to think twice before sending them sensitive information; or even more importantly, it could cause mistrust among their viewership.

The only way to prevent leaks like this is through frequent and thorough security audits. Oftentimes, internal teams do not have the time or resources necessary to conduct these audits frequently enough. It is unknown how long the Fox News password was publicly available, but it is likely that a well-implemented monitoring program would have found the password first, notified Fox News, and allowed them to fix the problem before it became public.

Posted on July 17, 2007 8:54 pm by Damon Clifford
Categories: Business Security

We are bombarded with new technologies every year. It seems like everything is getting smaller, faster, and comes with a thick instruction book on how to run it. The new technologies allow new and unique ways for thieves to find and collect information.

However, one of the most common, low-tech ways that thieves find information is by stealing a company’s laptop computer from an employee. According to an article by Small Business Trends, stolen or lost laptops are one of the most common methods that thieves use to find confidential information.

The article goes on to say that you should use some sort of encryption software. That way, even if someone finds or steals your laptop, they will have a hard time making it readable. If you have encryption software on your laptop, it will more or less make the information on it unusable to anyone trying to view it.

So, even if a thief uses a low-tech method to acquire your company’s sensitive data, you can use some form of high tech to protect it.

Posted on July 16, 2007 10:37 am by dwoods
Categories: Business Security

In a recent survey sponsored by Reconnex Inc., a Mountain View, Calif.-based vendor of data loss protection appliances, 85% of the CIOs questioned said they did a good job of identifying intellectual property, and 74% said they were doing a good job of securing all their information which was classified as intellectual property. While these survey results are promising, the actual ability of these CIOs to protect their classified information is not as good as they think. Most of them are still using internal, manual monitoring techniques to try and protect their data. The problem with these techniques is that as the company expands, they have to continually hire more people to keep up with the increasing volume of confidential information. They also don’t have the manpower to search all the possible sources of information leaks, often having to settle on monitoring only a few of the most obvious ones. The best way for a company to truly be protected from information loss is to implement a comprehensive automated monitoring system that has the ability to scale with the company as it grows.

Posted on July 12, 2007 10:55 am by dwoods
Categories: Online Security

Recently several highly classified documents were discovered on public government servers. These documents included detailed schematics of a military detainee holding facility in southern Iraq, geographical surveys and aerial photographs of two military airfields outside Baghdad, and plans for a new fuel farm at Bagram Air Base in Afghanistan. Anyone could log in as a guest to the public FTP server and download these documents to their personal computers. It is hard to believe, but this kind of information is mistakenly posted on public servers all the time:

“In a survey of servers run by agencies or companies involved with the military and the wars in Iraq and Afghanistan, The Associated Press found dozens of documents that officials refused to release when asked directly, citing troop security.”

The officials in the military had no idea these documents had been leaked by careless employees and contractors until they were discovered by private citizens and sent to news organizations. Even though these documents posed an immediate threat to troop security, they were still able to slip through the tight security regulations of the US military. This is a prime example of why, no matter how good you think your organization’s security procedures are, it is still in your best interest to retain the services of a third-party monitoring service to find leaks like this as soon as they occur.

Posted on July 11, 2007 3:42 pm by dwoods
Categories: Online Security, Business Security

Most of the time, companies don’t even realize it when they are at risk for information loss. The threat of losing confidential and proprietary information on the web is still so new that many companies have not implemented procedures and best practices to ensure that their intellectual property is safe. We have just launched a free quiz that companies can take to find out if they are at risk or not. If you are interested in learning more about what your company can do to protect its information, contact us today for a free assessment.

Take the quiz now!

Posted on 3:34 pm by admin
Categories: Internal Security, Online Security

A company’s former employees are a significant threat for confidential information loss. If not managed properly, they can post insider information to one site on the web, which can in turn spread like wildfire until there is no way for the company to contain the loss of information. In one recent high profile case, a former Dell Sales Manager posted a list of “22 confessions” outlining how a person could cheat Dell’s system to get cheaper computers than otherwise possible, abuse the warranty system to get new laptops after a model is no longer in production, how to get bargains on printer cartridges from “cool” kiosk employees, and many more secrets and strategies that only a company employee would know. The information quickly spread across the internet, but the way that Dell handled the incident caused it to become a PR disaster for the company. Read our in depth case study here.

Posted on July 10, 2007 11:48 pm by trhodes
Categories: webArgos

Here is my challenge to you…don’t think you have anything to worry about when it comes to protecting your intellectual property and confidential information online? Let us give you a sample of what is out there on your company…for free without any obligation. Every day current and former employees, partners, and customers post information and documents on the web that they shouldn’t. This is done 75% of the time without maliciousness: either by mistake or thinking that the link they posted the information or document to was secure. We see only about 25% of the confidential and proprietary data that gets posted on the internet, be it on blogs, forums, open links, etc., come from someone or some party that wants to create harm against another.

Still, no matter how the information got there, it is still doing damage to your company. The FBI acknowledges that nearly $300 billion (that is $300 with a very large “B”) is lost each year to intellectual property (IP) theft. A portion of that comes from actions like social engineering and espionage. However, a significant portion also comes from companies being careless about how they protect confidential documents that describe their company’s future product roadmaps, new R&D processes, future marketing strategies, or imminent M&A activities.

What I find moderately amusing is that companies still are spending a significant amount of money on network security but pay little attention to internal processes of how their employees, contractors, and vendors communicate internal, non-public information and documents to the outside world. In future blogs, I’ll be talking about simple and easy steps your company can take to reduce the threat of confidential information and IP loss. But, it all has to start with someone picking up the ball and running with it.

Take care,

Tim Rhodes

Posted on 7:02 pm by Damon Clifford
Categories: Online Security

Yesterday, Google signed an agreement to purchase email security and compliance provider Postini for $625 million in cash. This is a great amount as Google takes the next steps to provide business level email services through its Gmail brand name.

Google had to do this because security is a very important concern for any business in using their services. A security breach can cost a company a lot of money and time to resolve the security breach and prevent it from happening again.

Do your clients trust you with their private information? What would happen if your client’s private information was released to the public? If your company isn’t using security measures to protect private information, you are leaving yourself open for lawsuits. There are countless examples of court rulings which have ruled against companies that have not provided security measures in their business, and the negative publicity can be devastating to a company’s sales and brand name.

Take the extra step and make sure you have your business protected with security measures in place. If it’s good enough for Google, shouldn’t it be good enough for your company?

Posted on July 9, 2007 4:34 pm by dwoods
Categories: webArgos

When we begin working for a new client, we like to start by conducting an in-depth internet security audit to determine what threats currently face that client on the world wide web. While we are conducting that audit we look for the following things:

  • Compliance with federal laws such as the Sarbanes-Oxley Act and the Federal Information Security Management Act. This could include financial statements or other confidential documents that were inadvertently posted on a publicly accessible server.
  • Business reputation damaging items, such as blog posts made by vindictive former employees. This could also include libelous comments made about key employees in the company.
  • Intellectual property that has been posted on competitor, partner, or reseller sites. Oftentimes third parties might not have strict enough company policies regarding what can be posted on the internet and what cannot.
  • Brand, copyright, or trademark violations. We search the web to make sure that no one is misusing your brand or violating any of your copyrights or trademarks.

After we identify the threats currently facing our client, we work closely with that client to eliminate the threats. We start by finding and contacting the owners of the sites where the threat is posted, then continue to escalate the issue until it is resolved. We find that most threats can be eliminated without having to involve our legal team, but we are prepared to take legal action when necessary.

The final measure we take is to enroll our client into an ongoing monitoring program. In one of these programs we will continuously monitor the sites where threats were posted in the past to ensure ongoing compliance. We also actively search for new sources of threats and work with our clients to remove them on a case-by-case basis.

We have a variety of different ongoing monitoring programs to meet any company’s needs. Contact us today to find out more about how we can help you!
