Biggest Mistakes Companies Make with Data & Information Security

Archive for the ‘Intellectual Property’ Category

Biggest Mistakes Companies Make with Data & Information Security

Posted by

The fundamental mistake companies make with data security is…

Neglecting data governance.

Many companies lack the processes, policies, and standards for protecting data throughout its life-cycle. How is new data added and classified? How are people given access, and how often is that access reviewed? Are the backups and redundancies sufficient given the type of data? How is data access monitored and reported on? Is sufficient data loss prevention in place to protect the company? And, once the data reaches its end-of-life, how is the data gracefully retired? The companies which fail to think through the long term implications of data leave themselves open to security incidents and breaches.

 

Read the rest of the insights here:

Data Security Experts Reveal the Biggest Mistakes Companies Make with Data & Information Security
https://digitalguardian.com/blog/data-security-experts-reveal-biggest-mistakes-companies-make-data-information-security

Protect IP and the Professors’ Letter

Posted by

Back in May, US senator Patrick Leahy (D-VT) introduced Senate Bill S.968. This bill is also known as the Protect IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property) of 2011. The bill is aimed at giving the government the power of copyright enforcement online. The bill is currently on hold.

The proponents of the legislation point to the wide range of intellectual property abuses on the Internet. If passed into law, Protect IP would allow the US government to directly offline websites that are infringing. As we have heard for years from the RIAA and MPAA, IP theft results in the loss of billions in revenues yearly.

Opponents object to giving the government the power to offline websites. There are due process concerns as well as free speech concerns. As we have seen in other countries, these types of powers lend themselves to misuse to silence opposition. There are also technical concerns as the bill mandates certain facets of DNS.

Yesterday, on the Intellectual Property Briefing site, Jeff Kettle posted an article on the bill.

“The most recent opposition has been the ‘Professors’ Letter.’  Backed by ‘108 professors from 31 states, the District of Columbia, and Puerto Rico,’ this report to the members of Congress addresses three major issues with the Protect IP Act.  The report states that the Act ‘has grave constitutional infirmities, potentially dangerous consequences for the stability and security of the Internet’s addressing system, and will undermine United States foreign policy and strong support of free expression on the Internet around the world.’”

Let’s hope the US legislature listens to all parties involved.

Avoiding infringement: Trade secrets

Posted by

With competition between firms, there exists a pressure to obtain a competitor’s trade secrets to either defuse the competitor’s advantage or to build an advantage for the organization. The information security professional must ensure that the organization’s equipment is not used for corporate espionage. There may be extra pressure on the professional to either turn a blind eye to such illegal activities, or (given the technological prowess of white hat hackers) to facilitate the illegal activities. Performing illegal activities for an employer does not shield an employee from prosecution. Such pressures must be avoided.

Ideas and innovations can be legally gleaned from existing products. Organizations have legal methods at their disposal. Products can be reverse engineered to determine how they work. (The reverse engineering cannot be used to circumvent protection mechanisms according to the DMCA, however.) The Uniform Trade Secrets Act (1990) states that reverse engineering is permissible providing the “acquisition of the known product” are by “a fair and honest means, such as purchase of the item on the open market.” It is possible to purchase a software package or piece of equipment, take it apart, and determine the ideas behind its design and production.

Another option for obtaining trade secrets legally is to use a clean room technique. Here, a team is provided very specific requirements and source information. They work in a dedicated and isolated space to ensure that existing secrets are not used in reproducing the work. The key here is documenting the inputs and outputs of the team. “Records of the clean room development are saved to demonstrate that trade secrets were independently developed and to refute any claims that a work was copied. (Stim, 2001)”. This provides some level of protection, but clean room is not a defense in “doctrine of equivalents” cases.

 

References:

Stim, R. (2001). Intellectual Property: Patents, Trademarks, and Copyrights, 2nd Edition. Albany: Delmar.

Avoiding infringement: Patents

Posted by

Avoiding infringing on other organization’s patents are conversely easy and difficult. For the most part, the day-to-day activities of a firm will not run into patent infringement. Business methods and processes, as discussed earlier, are un-patentable. It can be difficult to avoid the “doctrine of equivalents” should the organization be producing goods, as there is a gamut of patents that have been registered.

The division responsible for developing the goods is equally responsible for avoiding patent conflicts. The effort is largely comprised of informal searches and formal searches of the patent database. The effort begins with an informal web search on UPSTO for comparable ideas and products. Once found, note the claims and ensure that the organization’s product is not substantially equivalent to those claims. If any patents are found or if there is any doubt as to whether infringement will occur, a patent attorney should also be engaged. The patent provides the formal search and review. At this point, if one or more patents are being infringed upon, then the attorney and the organization can proceed with negotiating a license with the patent holder. If not, then the organization can proceed with the product production.

Avoiding Infringement: Copyrights

Posted by

There have been some discussions as to an organization’s responsibilities for enforcing copyright protections and preventing digital piracy. The Digital Millennium Copyright Act (DMCA) includes a safe harbor provisions that shield service providers from fines if their networks are used for digital piracy. A comparable safe harbor does not exist for organization’s private networks. Thus, the first area to secure is the network against it from being used to breach copyright. Due diligence applies again insofar as an organization must demonstrate an active security program with regular reviews. Many commercial firewalls can be configured to block software that facilitates piracy. From an administrative perspective, the organization’s acceptable use policy must explicitly forbid violating the intellectual property rights of others using the organization’s technology.

As part of the information security education program, copyright and fair use can be explained. Copy writers and the creative staff must understand how they can reuse text from copyrighted materials without opening the organization to liability. Application developers must understand the differences in software copyrights and respect the various licenses when making derivative works. Systems engineers must understand how software licenses allow and restrict use, and follow these licenses when deploying software onto the organization’s equipment. The legal and information security departments can perform subsequent audits to ensure that people are aware of the laws and the policies, and are taking appropriate steps to respect other’s property.

Avoiding Infringement: Trademarks

Posted by

When designing trademarks, the organization has a responsibility to ensure that the new mark is not infringing on an existing mark. There was a case in 1998 where Tommy Hilfiger was assessed for damages on the “Star Class” trademark. Hilfiger had his attorney perform a search of federally registered marks, but failed to search state and common marks. This lead to damages as Hilfiger was not shown to have performed due diligence in the duty to search. New trademarks – whether it is a product name, service name, slogan, domain name, or other initiative – should be thoroughly researched to ensure that there is not a use in the federal or state registration systems, or in the commons.

When reusing another organization’s trademark, reasonable effort should be put forward to use the exact mark and include the ™ trademark symbol as appropriate. Many firms have restrictions on how their logo and mark can be used (for example, on a partner’s website or a business card.) These restrictions must be researched and understood. In doing so, an organization can avoid accidental misuse of another firm’s IP.

Avoiding Infringement

Posted by

April is Copyright Awareness month according to the Copyright Society of the USA. This article is part of a series delving into the topics of trademarks, copyrights, patents and trade secrets. Follow the tag “Intellectual Property” to read all the articles.

An information security professional has a duty to his organization to protect its information assets, and a duty to his profession to ensure the organization’s technology is not used for illegal activity. The next four articles cover Intellectual Property from the perspective of avoiding infringement.

Protecting your assets: Trade secrets

Posted by

The purposes of copyright and patents are to publicly distribute and protect intellectual property, while trade secrets are used to privately hold and use IP. While the information security field is naturally cautious of security through obscurity, keeping specific aspects of an organization’s processes and knowledge secret can provide an advantage. To define a trade secret, three items must be present: “the information is not generally known or ascertainable by proper means; the information has economic value; the owner of the secret must use reasonable efforts to maintain secrecy. (Stim, 2001)”

Demonstrating due care and due diligence in guarding an organization’s information systems and informational assets is critical in keeping trade secrets undisclosed, and prosecuting competitors should the secrets by discovered. “The enforcement of trade secret protection is time-consuming and expensive later on. Generally, the proof required consists of a showing that there was an active security program in place that was sufficient to protect the information as confidential (Bosworth & Kabay, 2002).”

There are several ways to protect trade secrets. The information security program and the controls over access (both physical and digital) play a role. Agreements – confidentiality, non-disclosure, and third-party – can also be used to restrict people who have access to the trade secret from communicating it out. The agreements can be used in breach of contract suits to prevent the trade secret from being released or to seek compensation for its release. In addition, the “inevitable disclosure doctrine” can be enacted to prevent employees who have access to sensitive information from leaving for a competitor where that information will naturally be a part of their role.

 

References:

Bosworth, S., & Kabay, M. E. (2002). Computer Security Handbook, 4th Edition. New York: John Wiley & Sons, Inc.
Stim, R. (2001). Intellectual Property: Patents, Trademarks, and Copyrights, 2nd Edition. Albany: Delmar.

Protecting your assets: Copyrights

Posted by

Copyright can be contentious issue for security practitioners weaned on open source and raised on Slashdot. It is important to remember that open source licenses, Copyleft, and Creative Commons are themselves imaginative hacks on traditional copyright law. It is copyright that makes these alterative licenses possible.

The purpose of Copyleft and Creative Commons is simple: disperse information as widely and as freely as possible. The purpose lines up neatly with the hacker ethic. Information wants to be free, after all, and these licenses are ways to ensure its freedom while still maintaining some protective controls for the author. The purpose is in turning works into generative pieces. Standard copyright reserves all rights for the author.

The decision on the copyright license to use lies with the organization. Specifically, the designated owner of the information asset is charged with making these decisions. As the security managers for the information networks, our responsibility is to educate the designated owner and ensure that the decisions are enforced correctly and consistently.

Copyrighting a document has a few obvious requirements. The document must be original and not infringe on other’s existing copyrights. It must be fixed form, like a document, image, or an audio/visual recording. Architectural plans and software source code can also be copyrighted. The copyright protects a given expression of an idea, but not the idea itself. Thus an architecture plan that is copyrighted protects the plan itself, but not the ideas behind designing the plan. Software copyrights are similar. The copyright protects the specific source code but not the underlying idea, method, or algorithm. Copyrighted works must be substantive. A short phrase, a brief sound clip, a plan for a room’s walls, and a short code snippet all are non-copyrightable.

Copyright provides specific protections. Other organizations cannot copy without permission (unless permission has been granted with Creative Commons or similar licensing). People and firms that buy copyrighted material, however, do have extended rights (called First Sale doctrine) to resell or redistribute the purchased copy. Similarly, the Right to Adapt exists that gives control over derivative works are produced to the original author. End user license agreements can be tailored to avoid First Sale doctrine and Right to Adapt. These licenses provide tighter control over how the property is used.

The commercial impact of unauthorized works is taken into account in copyright infringement cases. The end users can still reuse and create the document under Fair Use. Fair Use allows remixes based on four conditions: how different and unique the new content is, the nature of the work, the amount of the original copyrighted material in the new material, and the effect on the market. Evidence of the market effect may be present in the information systems. The evidence, for example, may be in sales trends, in store traffic, or in web site traffic. It is, therefore, important that copyright protection mechanism include systems that gather, correlate, and maintain statistics on use.

Copyright materials can be registered with the United States Patent and Trademark Office (USPTO). Simply affixing the © symbol to a work (or corresponding Creative Commons symbol) creates an enforceable copyright. Copyright protects intellectual property for the life of the longest living author plus a period of 70 years. Works for hire, created for a firm for pay, are protected for 95 years from the date of first published or 120 years from when the material was created, whichever is less.