ISSSource White Papers

Posts Tagged ‘proprietary information’

Tuesday, March 6, 2012 @ 05:03 PM gHale

Information is intrinsic to the core of any business. Most organizations would find it impossible to function without the availability and absolute privacy of their proprietary – and priceless – information. Therefore, securing it across the extended enterprise is critical to the success of any organization.

Every organization needs to take a layered approach to security, utilizing both processes and solutions designed to prevent compromise. Complicating the challenge of managing risk and securing data is the fact “the enterprise” now extends far beyond what were the traditional boundaries of enterprise networks and perimeter firewalls. Companies are giving direct network access to trusted business partners and contract workers, and in some cases, even to customers.

Workers access the enterprise network remotely using consumer-class mobile devices, many of which are personally owned and not controlled by the company whose network they access.

Moreover, data and applications are being moved into public and hybrid cloud environments where the data owners have little direct control over security.

Find out more in the McAfee white paper.

Wednesday, March 30, 2011 @ 04:03 PM gHale

Cybercriminals know data is king, and that is why hacking in and finding a company’s proprietary information and trade secrets means top dollar, according to a new survey.

The cyber underground economy is making its money on the theft of corporate intellectual capital which includes trade secrets, marketing plans, research and development findings and even source code, according to a survey by security supplier McAfee and SAIC, a scientific and technical products and services provider.

The study, which surveyed more than 1,000 senior IT decision makers in the U.S., U.K., Japan, China, India, Brazil and the Middle East, reveals the changes in attitudes and perceptions of intellectual property protection in the last two years.

The findings report which countries end up being the least safe to store corporate data, the rate at which organizations are experiencing breaches and the response rate to prevent or remediate data breaches.

“Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents,” said Simon Hunt, VP and CTO, endpoint security at McAfee. “We’ve seen significant attacks targeting this type of information. Sophisticated attacks such as Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the largest, and seemingly most protected corporations in the world. Criminals are targeting corporate intellectual capital and they are often succeeding.”

Key findings from the report include:
Impact of Data Breaches: A quarter of organizations have had a merger/acquisition and/or a new product/solution roll-out stopped or slowed by a data breach, or the credible threat of a data breach. If an organization experienced a data breach, only half of those organizations took steps to remediate and protect systems from future breaches.

Organizations are looking to store intellectual property abroad: The economic downturn resulted in a hike in companies reassessing the risks of processing data outside their home country, in search of cheaper options, with approximately half surveyed responding they would do so. That is an increase since 2008. Approximately one third of organizations are looking to increase the amount of sensitive information they store abroad, up from one in five two years ago.

Cost of securing data abroad: In China, Japan, U.K. and the U.S., organizations are spending more than $1 million a day on their IT. In the U.S., China, and India, organizations are spending more than $1 million per week on securing sensitive information abroad.

Geographic threat perceptions to intellectual property: China, Russia, Pakistan are the least safe for data storage, and the United Kingdom, Germany and the United States are the most safe, according to the survey. Of the global organizations surveyed, however, a large number are not conducting frequent risk assessments, with more than a quarter of organizations assessing the threats or risks posed to their data only twice a year or less.

Organizations keeping quiet about data breaches: Only three in ten organizations report all data breaches suffered, and six in ten organizations currently “pick and choose” the breaches they report. The report also shows organizations may seek out countries with more lenient disclosure laws, with eight in ten organizations that store sensitive information abroad influenced by privacy laws requiring notification of data breaches to customers.

Device management a current challenge: One of the greatest challenges organizations face when managing information security is the proliferation of devices, such as iPads, iPhones and Androids. Securing mobile devices continues to be a pain point for most organizations, with 62 percent of respondents identifying this as a challenge. Concurrently, the report shows the most significant threat reported by organizations when protecting sensitive information is data leaks.

Wednesday, March 2, 2011 @ 05:03 PM gHale

Exxon Mobil, Royal Dutch Shell and BP are three of the six major energy companies hit by cyber attacks through Internet servers in China where thieves stole proprietary information, according to officials close to the investigations.

In a report filed on, cyber security software provider McAfee Inc. reported the attacks resulted in the loss of “project-financing information with regard to oil and gas field bids and operations.” In its report, McAfee, assisted by other cyber security firms, didn’t identify the energy companies targeted. The attacks, which it dubbed “Night Dragon,” originated “primarily in China” and occurred during the past three years.

The list of companies hit, none of which disclosed the attacks in filings with regulators, also includes Marathon Oil, ConocoPhillips and Baker Hughes, according to people familiar with the investigations who requested anonymity because of the confidential nature of the matter.

Hackers broke into the computer network of Baker Hughes, said Gary Flaharty, spokesman for the Houston-based provider of advanced drilling technology. Baker Hughes concluded the incident didn’t need disclosure because it wasn’t material to investors, he said, declining to comment further.

In some of the cases, hackers had undetected access to company networks for more than a year, said Greg Hoglund, chief executive of Sacramento, CA-based HBGary Inc., a cyber security company that investigated some of the security breaches. Hoglund declined to identify his clients.

“Legal information, information on deals and financial information are all things that appear to be getting targeted,” Hoglund said, summing up conclusions his firm made from the types of documents and persons targeted by the hackers.

Hackers targeted computerized topographical maps worth “millions of dollars” that show locations of potential oil reserves, said Ed Skoudis, whose company, Washington-based InGuardians Inc., investigated two recent breaches of U.S. oil companies’ networks. He declined to name his clients or the origin of the hackers.

The McAfee report described the techniques used to get into the energy company computers as “unsophisticated” and commonly used by Chinese hackers. The attacks began in November 2009, McAfee said. Two cyber investigators familiar with the probes said the attacks began even earlier, in 2008.

McAfee based the report on information gathered from its own work on the breaches and from others who were directly involved in investigating them. The report, produced on the condition the affected companies not be identified, was done to “educate the community,” said Ian Bain, a McAfee spokesman.

Ma Zhaoxu, spokesman for China’s Ministry of Foreign Affairs, said he had no information about the attacks on the oil companies when asked about the issue.
