Why do you need Source Code and IP Protection?

Protect your R&D:

Making the right investments is crucial for your company to be competitive. Your company invests in product development, research, and more. Often all of this investment is retained as trade secrets and is kept private. Your company is highly valued for all these investments, and it is imperative to protect your privately kept intellectual property.

Data breaches:

Malware and advanced persistent threats are on the rise. Source code or IP theft is one type of data breach. Large technology companies, including Facebook, Google, and Twitter, have been breached in the recent past. Source code and IP theft is the most under-reported type of breach.

Loss of reputation:

Within 6 to 9 months of a data breach, a number of small to mid-size businesses either have a substantial loss in revenue or go out of business. Specifically, consumers prefer not to buy from a company hit with a data breach. A breach of your most valuable assets is also likely to make your company less attractive to prospective employees and partners.

FAQs

Intellectual Property is a creation, invention, idea, or a product of your work or imagination. Intellectual Property includes, but is not limited to, source code, datasets, designs, business plans, literary and artistic works, symbols, names, and images that you created or that result from your thinking or imagination. For example, in the case of artificial intelligence, code, models, and datasets can be considered Intellectual Property.

Legally, you may protect your Intellectual Property by using patents, trademarks, and copyrights. You may also protect your Intellectual Property from disclosure by way of non-disclosure agreements, contractual agreements, or employment agreements. To create a competitive differentiation, you may establish clear data protection agreements with your customers, partners, or other third parties and protect Intellectual Property contractually. Data and data analytics have become very important, and clear policies on the collection, use, and disclosure of data will add an additional layer of protection for your Intellectual Property and your substantial investment in research and development.

Source code, whether open source or proprietary, as well as datasets, models, efficacy data, test vectors, and much other software-related Intellectual Property can be protected legally using copyrights. You must disclose these works as part of the legal copyright protection. Many companies recognize that this way of legal protection is ineffective and often counter-productive. A smart software engineer could improve on the original work or create new copyrighted works based on it.

Trade secrets, as private protective mechanisms, are likely the most effective way to protect your proprietary source code or related Intellectual Property. A lot of software is open source today and is covered by its respective open source license, which allows others to copy, modify, use, or distribute it. When your secret sauce is in that 5% of software that is proprietary to your company, it is likely best kept as a trade secret. Trade secrets may not be legally protected. However, you have perpetual protection as long as you take the steps to control use and disclosure. You may control such use and disclosure using non-disclosure agreements, data protection agreements, data processing agreements, security controls, employment or post-employment restrictions, and systems for intellectual property protection.

Source code theft is one type of data breach. Large technology companies, including Facebook, Google, and Twitter, have been breached in the recent past. Source code theft is the most under-reported type of breach.

Only 7% of companies polled feel that they face a threat from sponsored hackers. The truth is 68% of hacks are sponsored hacks. Only 12% feel that the threat is malicious. The truth is 73% of breaches are malicious. Nearly 70% of companies feel that they have all the security they need. But it is more likely that they are not prepared for a data breach incident. Far from it. It takes 6 months to find out that you were breached.

Accidental insiders are compromised users that were spear-phished. Accidental insiders are your employees who are unaware that they caused a data breach. Your employees are your biggest risk. The reason is simple: they are targets, because they have access credentials to your network, your source code, and your customer data. The majority of compromised users were either spear-phished or were targeted through non-work-related email accounts.

Malicious insiders are your employees who are aware of and are directly responsible for the data breach. Your employees are your biggest risk. The reason is simple: they have access credentials to your network, your source code, your customer data, and more. Nearly 10% of breaches were caused by malicious insiders, maybe a pissed-off co-founder, a recently fired executive, or a senior person. These are the most difficult to prevent.

The risk for organizations related to data breaches is very high. Take the first steps to prevent data breaches and implement the following steps:

a) Implement multi-factor authentication for access to all your digital assets

b) Re-evaluate security policies including policies related to employee onboarding and exit

c) Educate all your employees and potentially your partners on handling and protecting confidential information

d) Re-evaluate your data breach response plan

Protecting source code and your customer data should be one of your security priorities. Over the past 10 years, all 50 states have enacted laws on data breach notification related to customer data, and the result is more data breach reports. However, there is no law that requires companies to disclose theft of internal data or source code. It is the most under-reported type of breach.

$250. What does it take to target and breach your company? A phishing page, wifi hacking software, password hacking software, and software to remain completely anonymous. All for $250. Over a period of 1-5 days, a hacker can sit in a coffee shop next to your company, target one of many employees (posing as a person looking for a job…), gain access to your wifi network, hack the password of one of the employees, and voilà, steal your source code.

Hackers have all the tools they need, and those tools are very inexpensive. How about your company? Have you done network discovery recently? Have you applied all the necessary application patches? How about pen testing? Have you checked whether your firewall policies have been tampered with?

Before compromising any system, the hacker needs to get into your network. If you have implemented protections, even minimal ones, that is not an easy task. Lockheed Martin's Cyber Kill Chain is a well-known model of the attack lifecycle and applies well to the attack patterns we have seen in the mega breaches so far. Let's review the Cyber Kill Chain. The hacks are not crimes of convenience. The hacks are done over a span of time. The hacks are planned, and the groups responsible have done their homework in the recon phase of the Cyber Kill Chain. They gather a great deal of intelligence on their target, they learn about its corporate structure and employees, and they map out the organization's IT infrastructure, such as IP ranges, ports, and running services. In addition, they identify vendors, service providers, and trusted business partners who may provide a less direct path into their target network. They are trying to find a weakness.

Successful hacks have targeted remote desktop apps: by running scans of the network, the attacker can easily identify the presence of a remote desktop app. Other examples are simple brute forcing of passwords and gaining login credentials through spearphishing or other social engineering campaigns. A recent example is a phishing attack that hit a trusted business partner, after which the attacker was able to gain access to the network using the partner's credentials. And finally, we have old exploits targeting unpatched apps and systems. Once hackers gain access to the network, things get a little easier. The hackers begin to target what are classified as the crown jewels of the network, such as Active Directory and network applications, and find a way to escalate privileges. The hacker then installs malware to harvest source code. The next and final phase is the exfiltration of the data to a drop site. This is a rather delicate process, and the attacker will take extra special care to avoid detection. The exfiltration is done deliberately and slowly, i.e. with no large data transfers, consistent bandwidth usage, etc.

A recent high-profile case is that of Waymo, which sued Uber for intellectual property theft and settled for $245 million. An insider with privileges already has access to the network and your assets. A malicious insider could scan the network and find ways to change access privileges if they don't already have access. The malicious insider then installs malware to harvest source code. The next and final phase is the exfiltration of the data to a drop site. This is a rather delicate process, and the attacker will take extra special care to avoid detection. The exfiltration is done deliberately and slowly, i.e. with no large data transfers, consistent bandwidth usage, etc.
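Because the exfiltration described above avoids large transfers and keeps bandwidth consistent, a per-transfer size alert will not see it; cumulative upload volume per user and destination over many days will. The following detection sketch is an added example, not part of the original page or of any product it describes. The record layout, host names, and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed proxy records: (day, user, destination host, bytes uploaded).
# Hosts use the reserved .example TLD; none of this is a real indicator.
SAMPLE_LOG = (
    [(date(2024, 3, d), "alice", "drop.example", 40_000_000 + 500_000 * (d % 3))
     for d in range(1, 15)]
    + [(date(2024, 3, d), "bob", "git.corp.example", sent)
       for d, sent in [(1, 900_000_000), (2, 1_000_000), (9, 5_000_000)]]
    + [(date(2024, 3, d), "carol", "mail.example", 2_000_000) for d in range(1, 15)]
)


def find_slow_exfil(records, min_days=10, min_total=400_000_000,
                    max_single_day=100_000_000, max_cv=0.25):
    """Flag (user, host) pairs with steady, modest daily uploads that add up.

    All thresholds are illustrative assumptions to tune per environment.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, host, sent in records:
        daily[(user, host)][day] += sent

    findings = []
    for (user, host), per_day in daily.items():
        volumes = list(per_day.values())
        total = sum(volumes)
        if len(volumes) < min_days:          # not sustained over time
            continue
        if total == 0 or total < min_total:  # too little data to matter
            continue
        if max(volumes) > max_single_day:    # bulk transfer: volume alerts cover it
            continue
        cv = pstdev(volumes) / mean(volumes)  # spread relative to the daily average
        if cv <= max_cv:                     # consistent bandwidth, day after day
            findings.append({"user": user, "host": host, "days": len(volumes),
                             "total_bytes": total, "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["total_bytes"], reverse=True)


if __name__ == "__main__":
    for finding in find_slow_exfil(SAMPLE_LOG):
        print(finding)
```

In the constructed data, the single 900 MB upload is left to ordinary volume alerting, while the steady 40 MB per day stream is the only pair flagged.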

Step 1: One approach for source code protection is to implement 2FA. Two-factor authentication is a simple and easy way to ensure an extra level of protection for any compromised user. Combining 2FA with the ability to white-list the IP addresses that can access your network will provide a very high level of difficulty for the hackers.

Step 2: Periodically checking for application patches is important, because auto-updaters can be disabled, ignored by the user, or simply break.

Step 3: Proxying all traffic through your firewall provides a way to ensure that outgoing traffic has only one way out. Set group policy to point all browsers to the proxy. Then set the firewall to allow web traffic only from the proxy. You could also distribute proxy settings through WPAD (Web Proxy Auto-Discovery) and re-direct all port 80 traffic. Port 443 is a bit more difficult, because you need to intervene with the PC's certificate.

Step 4: End point protection. This is simple and easy to do. Any typical end point protector that may also include other end point security is highly useful. You could set policies to disable USB drives, printing on external printers, and more.

While there are a number of other practices that are useful, these four practices, if applied appropriately and periodically checked, will lower your risk of a data breach.
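Step 3 only holds if no other firewall rule lets web traffic out directly, so the rule set is worth auditing after every change. The following check is an added example, not part of the original page. It assumes a hypothetical vendor-neutral rule format evaluated top-down, and the addresses and rules are constructed.

```python
import ipaddress

WEB_PORTS = {80, 443}

# Constructed egress rules in a hypothetical vendor-neutral form, evaluated
# top-down (first match wins). 10.0.0.10 is the assumed proxy address.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "10.0.0.10/32", "ports": [80, 443]},
    {"id": 2, "action": "allow", "src": "10.0.5.0/24", "ports": [443]},  # weak rule
    {"id": 3, "action": "allow", "src": "10.0.0.0/16", "ports": [53]},
    {"id": 4, "action": "deny", "src": "0.0.0.0/0", "ports": [80, 443]},
]


def audit_web_egress(rules, proxy_ip):
    """Report whether ports 80/443 can leave the network only via the proxy.

    Simplification: only a deny for 0.0.0.0/0 is treated as closing a port;
    narrower deny rules and IPv6 are not modelled.
    """
    proxy_net = ipaddress.ip_network(f"{proxy_ip}/32")
    everyone = ipaddress.ip_network("0.0.0.0/0")
    bypass_ids, proxy_allowed, closed = [], False, set()
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        web = (WEB_PORTS & set(rule["ports"])) - closed  # still-reachable web ports
        if not web:
            continue
        if rule["action"] == "deny":
            if src == everyone:
                closed |= web          # later rules for these ports are shadowed
        elif src == proxy_net:
            proxy_allowed = True       # the one intended way out
        else:
            bypass_ids.append(rule["id"])  # web egress that skips the proxy
    return {"bypass_rule_ids": bypass_ids, "proxy_allowed": proxy_allowed,
            "ports_without_default_deny": sorted(WEB_PORTS - closed)}


# The corrected rule set: the same rules without the direct allow for 10.0.5.0/24.
HARDENED_RULES = [r for r in SAMPLE_RULES if r["id"] != 2]

if __name__ == "__main__":
    print("weak:    ", audit_web_egress(SAMPLE_RULES, "10.0.0.10"))
    print("hardened:", audit_web_egress(HARDENED_RULES, "10.0.0.10"))
```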

Another major thing you could do is to ensure employee awareness and review your security policies. Phishing is a type of fraud in which a hacker attempts to get personal information by impersonating a legitimate source. Your employees should be made aware of this. They should be careful about whom they trust. The FBI reported that losses from business email compromise hit $12.5 billion. Review your employment agreements (NDA, assignment of IP, etc.), on-boarding (privilege access, etc.), policy violations and adverse action (managers and supervisors must be made aware and trained), exit interviews, and off-boarding. Do a quick review and ensure that you have some if not all of these in place. DPAs are becoming a standard with vendors. If you are working with AWS, Azure, or other large providers, you may not have a big say in their DPA, but it is indeed a good idea to review or discuss the data security and protection policies of your vendors.

Information Security Enforcer provides source code protection as a service. We are different from other solutions because we offer a cloud-based service for small and mid-size businesses. We are simple to deploy, using a proxy to direct all traffic for inspection. We do not need any pre-processing to identify your intellectual property. Our service starts at $500 a month for up to 40 users.

InfoSecEnforcer focuses on exfiltration and preventing exfiltration. We are different from other solutions because we offer a cloud-based service with a lot of automation, including automated source code classification and identification and automated policy generation based on your employee account privileges. We are simple to deploy. And we do not need any pre-processing to identify your intellectual property. You could be up and running in 1-2 days.

You could implement several ways to monitor your cloud traffic and usage.

a) Network monitoring tools and systems

b) On-prem proxy to re-direct all cloud traffic for inspection

c) Cloud-based proxy to re-direct all traffic for inspection

A key requirement for proxy traffic is to implement endpoint protection and endpoint agents that direct and proxy all traffic via the company services even when the employee is outside the traditional company network. This could imply the implementation of mobile device management and implementing a transparent proxy for mobile devices.