In today’s increasingly information-driven world, data can be a crucial commodity, more valuable than any physical asset. Every organization must therefore make a serious effort to protect its data from unauthorized access. Intellectual property (IP) is a category of data that includes innovations, methods, and trade secrets (UpCounsel, 2020). All of these types of information have economic value and can cause significant harm if obtained and used by a competitor. As more and more IP is stored in digital form on hardware connected to the Internet, exfiltrating protected data becomes easier.
A particular danger of IP theft is that it can continue unnoticed for a long time, allowing a competitor to gain an unfair advantage by exploiting exposed trade secrets over an extended period. Moreover, although IP theft itself is a deliberate act, attackers often exploit vulnerabilities in an organization’s data storage and processing systems to gain access. A significant portion of protection against IP theft therefore consists of practices that prevent such vulnerabilities, detect them early, and remove them.
The first step in developing a strategy to prevent IP theft is determining which data needs to be protected. This is achieved through data classification and marking: assessing the sensitivity of each data object and labelling it accordingly (Clawson, 2020). The resulting categories then determine which security measures and access restrictions apply to each object. An object that has never been classified cannot be protected by policy, so the process must cover existing stores as well as newly created data.
The principle of least privilege (POLP) calls for granting each actor, whether an employee, computer process, or work group, only the access to data that is necessary to perform its task. A majority of security breaches involve privileged credentials (BeyondTrust, 2021). Enforcing the POLP therefore keeps the number of privileged accounts, and with them the potential attack vectors, to a minimum, leaving fewer opportunities for a data breach. In practice this means that a high clearance level alone should not grant access: the actor must also have a task-related need for the specific object.
Segregation of duties (SoD) is another principle of restricting access. It is aimed at improving oversight by ensuring that no entity is able to both cause and conceal accidental errors or deliberate fraud (Ferroni, 2016). Generally, the SoD model requires that any single entity has authority over only one of four categories: authorization, custody, recording, and verification (Ferroni, 2016). Other models offer different categorizations, and thus different segregations, but the principle remains the same. Because duties are often inherited through group membership, an SoD check must consider the duties an actor holds indirectly, not only those assigned directly.
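To make the three principles concrete, the following Python script is an added example (it is not from the paper and does not describe Padgett-Beale’s actual systems). It encodes a classification scheme, a least-privilege read check that requires both sufficient clearance and membership in the group whose task needs the object, and a segregation-of-duties audit over the four categories named by Ferroni (2016). The classification labels, group names, principals, duty assignments, and data objects are all constructed for illustration.

```python
"""Added example: policy checks for data classification, least
privilege, and segregation of duties. All labels, groups, people and
files below are constructed for illustration, not taken from the paper."""

from dataclasses import dataclass
from typing import Optional

# Ordered classification scheme, lowest to highest sensitivity (assumed
# labels; the paper only requires that data be classified and marked).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "trade_secret": 3}

# The four SoD categories from Ferroni (2016).
DUTIES = {"authorization", "custody", "recording", "verification"}


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Optional[str]  # None means the object was never marked
    owner_group: str               # group whose task requires this object


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str = "public"
    groups: frozenset = frozenset()
    duties: frozenset = frozenset()  # duties assigned directly, not via a group


def effective_level(classification: Optional[str]) -> int:
    # Fail closed: an unmarked or unknown label is treated as the most
    # sensitive class until someone classifies the object properly.
    if classification is None or classification not in LEVELS:
        return max(LEVELS.values())
    return LEVELS[classification]


def can_read(p: Principal, obj: DataObject) -> bool:
    """Least privilege: clearance must cover the object's class AND the
    principal must belong to the group whose task needs the object.
    A high clearance alone never grants access."""
    if p.clearance not in LEVELS:
        return False
    return (LEVELS[p.clearance] >= effective_level(obj.classification)
            and obj.owner_group in p.groups)


def held_duties(p: Principal, group_duties: dict) -> set:
    """All duty categories a principal holds, directly or via groups."""
    held = set(p.duties)
    for g in p.groups:
        held |= group_duties.get(g, set())
    return held


def sod_violations(principals, group_duties: dict) -> dict:
    """Map each principal holding more than one duty category to the
    categories held. Unknown duty names are rejected rather than ignored."""
    out = {}
    for p in principals:
        held = held_duties(p, group_duties)
        if not held <= DUTIES:
            raise ValueError(f"{p.name}: unknown duty {sorted(held - DUTIES)}")
        if len(held) > 1:
            out[p.name] = frozenset(held)
    return out


def access_report(principals, objects) -> dict:
    """Which principal can read which object; useful when reviewing
    that grants still match tasks after a reorganisation."""
    return {p.name: sorted(o.name for o in objects if can_read(p, o))
            for p in principals}


# Constructed sample data.
OBJECTS = [
    DataObject("press_release.docx", "public", "marketing"),
    DataObject("process_recipe.pdf", "trade_secret", "rnd"),
    DataObject("old_share/notes.txt", None, "rnd"),      # never classified
]
GROUP_DUTIES = {
    "purchasing": {"authorization"},
    "warehouse": {"custody"},
    "finance": {"recording"},
    "audit": {"verification"},
}
PRINCIPALS = [
    Principal("alice", "trade_secret", frozenset({"rnd"})),
    Principal("bob", "trade_secret", frozenset({"marketing"})),
    Principal("carol", "internal", frozenset({"purchasing", "finance"})),
    Principal("dave", "internal", frozenset({"warehouse"}),
              frozenset({"verification"})),
    Principal("svc_backup", "public", frozenset({"audit"})),
]

if __name__ == "__main__":
    for name, files in access_report(PRINCIPALS, OBJECTS).items():
        print(f"{name:11} can read: {files}")
    for name, held in sod_violations(PRINCIPALS, GROUP_DUTIES).items():
        print(f"SoD violation: {name} holds {sorted(held)}")
```

Two details are worth noting. Bob holds the highest clearance yet cannot read the R&D recipe, because need-to-know is tied to the task group rather than to the clearance level. And the unclassified file on the old share is treated as a trade secret until marked, so incomplete classification restricts access rather than silently widening it; the SoD audit likewise flags Dave, whose conflict arises from combining a group-inherited duty with a directly assigned one.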
Based on the three principles outlined above, one can suggest relevant best practices for Padgett-Beale to avoid IP theft in the future and to be better prepared to respond to it if it happens. As noted, data breaches that lead to IP theft nearly always exploit internal vulnerabilities to establish access to restricted data (FireEye, n.d.; Trend Micro, 2013). As such, internal measures should aim at reducing these vulnerabilities. The first practice is enforcing data classification, which serves as the base for the company’s data security policies. Second, these policies should be guided by the POLP to ensure that an attacker has as few targets available as possible. Third, SoD practices should be maintained so that no single actor can deliberately create and conceal a vulnerability. With these in place, accidentally exposing a potential vector of attack becomes less likely, and deliberately creating one requires collusion between actors with differing duties.
As the recent instance of IP theft at Padgett-Beale was likely perpetrated by an advanced persistent threat (APT), additional practices should be devised to protect against further such attacks. These attacks often use social engineering, phishing, and similar tactics that rely on human error to infiltrate organizations (Siddiqi et al., 2016). The previous best practices only lower the number of targets against whom these tactics can succeed. Implementing data security and data hygiene training as a fourth best practice will reduce the likelihood that both targeted and untargeted attacks of this kind succeed. Finally, APTs are known to exploit zero-day vulnerabilities in software (Siddiqi et al., 2016). Keeping all company software updated cannot prevent exploitation of a true zero-day, for which no fix yet exists, but it removes known vulnerabilities and shortens the window in which a newly disclosed flaw remains exploitable, so prompt patching should be the fifth best practice.
References
BeyondTrust (2021). What is the least privilege & why do you need it? Web.
Clawson, C. (2020). Best practices for data tagging, data classification & data enrichment. Web.
Ferroni, S. (2016). Implementing segregation of duties: A practical experience based on best practices. ISACA Journal, 2016(3), pp.
FireEye (n.d.). Anatomy of advanced persistent threats. Web.
Siddiqi, M., Aziz, A., & Oad, K. (2016). Advanced persistent threats defense techniques: A review. ResearchGate. Web.
Trend Micro (2013). Data exfiltration: How do threat actors steal your data? Web.
UpCounsel (2020). Intellectual theft: Everything you need to know. Web.