® BuscaLegis.ccj.ufsc.Br

 

Prevention and Detection of Intellectual Property Theft

 

Carole Longendyke

P.G. Lewis & Associates, LLC

Whitehouse Station, NJ

 

            It has become a standard lead-in for authors of articles such as this to quote statistics about the percentage of documents that are never printed to paper.  Although the estimate varies, the simple undisputed fact is that the ratio of digital documents to their paper counterparts is skewed significantly toward the digital.  Consequently, document management and information security have become high priorities for companies of all sizes.  Secondary to the day-to-day management of electronic information is the protection of critical elements of the business work product – the intellectual property created by and for the company. 

            Alteration to the business playing field as a result of intellectual property theft is not always obvious.  The truly obvious instances, such as proprietary designs showing up on competitors’ bids, may result in an immediate call of foul.  But the more discreet use of proprietary information such as client lists, market surveys, and research data can significantly alter the playing field without the victim company even being aware that it has happened.  This stealth use of stolen IP can be the most damaging, because it can skew market advantage unbeknownst to the victim organization.  The ability to detect theft of IP early on, therefore, is critical.

            How do organizations determine that thefts have occurred without having first been clued to the event by outside sources?  The answer may be in regular and thorough audits of security protocols, as well as a sweep for evidence of breaches in those protocols.  Failure to conduct audits and investigations regularly can have devastating results. 

            Case in point—a biochemical research organization took great care to guard against its research data leaking to competitors.  Scientists and other key employees were bound by strict security agreements forbidding the movement of confidential and proprietary data from the confines of the network.  To further guard against the compromise of document security, the company email client was configured to ensure that file attachments could only be distributed within the network to other employees on the email server.  Company policy prohibited the copying of files onto removable devices such as USB thumb drives or CDs, and employees were forbidden from possessing such devices on the premises.  As backup to this particular policy, all company computers had been modified so that USB ports were read-only, further restricting the unauthorized copying of files to removable media. 

            To most, these measures may seem comprehensive enough.  This forward-thinking organization had taken significant steps to protect itself from compromise of the security of its proprietary information.  But one component of these security measures – proactive investigation of breaches – was overlooked.  The company ended up paying handsomely for this oversight.

            The theft of IP in this example came to the attention of the organization several months after the departure of an entire team of research scientists.  The scientists had all been working on the same project for nearly three years, and all submitted their resignations within weeks of one another.  The loss of so many scientists on a single research team crippled the project, with immeasurable results.  Nearly a third of the organization’s human and financial resources had been devoted to this particular project.  The resulting delay would prove to have a significant effect on the company’s projected revenues, but the true impact of this event was far greater than initially recognized.

            The organization lost significant momentum in its research, but this was only the tip of the iceberg in terms of the impact.  To the shock and dismay of management, a competing organization headed by none other than the former scientific research team was launched within months.  To the greater shock and dismay of corporate counsel, non-compete agreements were either non-existent or woefully riddled with loopholes. 

            The emerging competing organization showed several suspicious advantages.  First, it had been able to secure significant research funding in a period of time considered implausibly brief by investment standards.  This red flag pointed to the question of timing.  Had the scientists been working on behalf of this new and competing organization before submitting their resignation? 

            The greatest blow to the original organization came when this new, well-funded competition announced its research focus to be one for which significant overlap of research efforts would exist between this new project and the project that occupied the scientists’ focus for the three years prior.  While no direct competition existed in terms of the project itself, both projects – the one announced by the scientists in their new organization and the project they developed at the original company – would require very similar research data.  Did the scientists manage to take more from their research efforts in their previous employment than that which could be recalled from memory?  Considering the volume and complexity of the data, it was extremely unlikely that the scientists could replicate the research findings in such a short amount of time without prior research data in hand.  However, “extremely unlikely” is hardly sufficient cause to launch a costly and public lawsuit, particularly in light of the controls that had been in place to prevent the very activities that were suspected to have occurred. 

            Although preventative and protective efforts were in place, the suspicions of IP theft were sufficient to warrant a forensic investigation.  The working theories were two-fold: first, had the scientists emailed files outside of the company network, and second, had the scientists copied files onto removable media and walked right out the door with them?  Because security measures were in place to prevent emailing through the company email server, a simple audit of the servers was sufficient to determine that a breach had not occurred.  Additionally, backup tapes were forensically restored and analyzed for the time period in question.  No evidence of files having been emailed out of the company was discovered, nor was there evidence that the security measures were compromised or breaches covered up.

            Investigating the possibility of file copying onto removable media required that the PCs used by the scientists be forensically acquired and analyzed.  Fortunately, most of the computers had not been reassigned to other employees, as they were out of date and queued for recycling.  Following the removable media theory, investigators first examined the computers for evidence of file copying onto removable media.  When a device is connected to a computer – a device such as a USB thumb drive – an entry is made in the registry of the operating system.  Additionally, since all of the computers were configured for read-only access of removable media from USB ports, the registry was examined for alterations to these configuration settings.  The result of this phase of the investigation:  there was no evidence of document transfer through the email server, nor was there evidence of file copying onto removable media.
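            As an added illustration (not part of the original article), the registry review described above can be sketched in Python over a text export of an acquired SYSTEM hive.  The article does not name the registry locations; the example assumes the standard Windows ones, Enum\USBSTOR for device connection entries and Control\StorageDevicePolicies\WriteProtect for the read-only setting, and the sample export and device names are constructed.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Parse the text of a .reg export into {key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def usb_findings(text):
    """List USB storage device instances and the write-protect policy state."""
    devices, write_protect = [], None   # None: policy value absent (writes allowed)
    for path, values in parse_reg(text).items():
        parts = path.split("\\")
        lower = [p.lower() for p in parts]
        if "usbstor" in lower:
            i = lower.index("usbstor")
            if len(parts) == i + 3:     # ...\USBSTOR\<device>\<instance>
                devices.append({"device": parts[i + 1], "instance": parts[i + 2],
                                "name": values.get("FriendlyName", "").strip('"')})
        if lower[-1] == "storagedevicepolicies" and "WriteProtect" in values:
            write_protect = int(values["WriteProtect"].split(":")[1], 16) == 1
    return {"devices": devices, "write_protect": write_protect}

# Constructed sample: excerpt of a .reg export of an acquired SYSTEM hive.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_EXAMPLE&Prod_FLASH&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_EXAMPLE&Prod_FLASH&Rev_1.00\SERIAL0001&0]
"FriendlyName"="EXAMPLE FLASH USB Device"
"""

if __name__ == "__main__":
    print(usb_findings(SAMPLE_REG))
```

            A write_protect result of False or None on a machine that policy says should be read-only is the kind of configuration alteration the investigators were looking for.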

            The most logical explanation – if indeed file copying had occurred – was transfer of files via the Internet.  As is the case with most companies, access to Internet resources was not only allowed, but encouraged.  The breadth of information available to researchers on both public and private databases is invaluable.  The Internet is the World Book Encyclopedia of the world, with new information being updated constantly.  Rare is the work place that cannot benefit from real-time access to Internet resources.  For this reason, few companies actually restrict access to the Internet, although many have “appropriate use” policies in place.  Adherence to such policies – or rather, the gross lack of adherence to policy – is a topic all its own.

            To fully appreciate the end to this case study requires at least a cursory understanding of how Internet files are tracked and stored on a computer.  When an individual browses the Internet, entire web pages are stored locally – meaning, they are not placed on the network server or other global location, but are instead cached to the hard drive of the machine upon which the web pages are viewed.  The reason for this dates back to the origins of web browsing, which was accomplished through modem dial-up.  Even the fastest dial-up connection was excruciatingly slow, so browsers were designed to cache the files associated with web pages to the local hard drive.  Once the files and images were cached or stored locally on the drive, return visits to the web page would not require re-downloading of new or changed images and files.  The browser, upon returning to a previously visited website, would check the “last updated” date of the web page with the dates associated with the cached files, and if no updates had occurred since the original download date of the files in the cache, those files were displayed instead of re-downloading them from the web site.  The result is the perception of significantly increased browsing speed.

            So how is this relevant in a forensic investigation of a computer?  Since web pages are cached in their entirety on the local hard drive, an investigator need only recover and reconstruct the files associated with web browsing to duplicate the pages visited by the user.  In the case of the scientists suspected of intellectual property theft, analysis of the cached web pages revealed the smoking gun. 

            Consider web-based email.  There are several options available for this type of email, the most popular being Hotmail and Yahoo.  Google’s Gmail is new to the web-based email scene, and offers an unprecedented 2 gigabytes of email storage.  The advantage of web-based email is in the way the messages are stored – on the client server, not the local machine.  This means a user can access the email account from any computer connected to the Internet and view the messages and attachments identically in his home in Livingston, New Jersey, his workplace in Manhattan, or while on vacation in the Caribbean. 

            In this case study of theft of intellectual property, it came as no surprise that the scientists – all of whom, it can be argued, are intelligent and strategic – did not appear to have attempted to breach the security of the email system.  They did, however, all have web-based email accounts on Hotmail.com.  Data forensic investigators were able to recover and reconstruct entire Hotmail web pages, including the inbox, which showed message subject lines, recipients, and the names of attached files.  Apparently, these intelligent and ambitious scientists had spent months planning their departure and subsequent launch of the competing organization, and the web-based email trail was blinding proof.  With the use of web-based email, these individuals were able to communicate through email outside the control and scrutiny of internal auditors, and also attach documents to emails for later retrieval from their home computers.
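            The cache review described above can be sketched as follows; this is an added example, not the investigators’ tooling.  It triages recovered cache files by content rather than by name, keeps the HTML pages that reference a webmail host, and pulls out text nodes that look like attachment file names.  The host list, the extension list, and the sample files and markup are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Assumptions for this example: host list, extension list, and the sample markup.
WEBMAIL_HOSTS = ("hotmail.com", "mail.yahoo.com", "gmail.com")
FILE_NAME = re.compile(r"[\w\-. ]{1,80}\.(?:doc|xls|ppt|pdf|zip|csv)", re.I)

class TextNodes(HTMLParser):
    """Collects the page title and every non-empty text node."""
    def __init__(self):
        super().__init__()
        self.title, self.nodes, self._in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        self._in_title = (tag == "title")
    def handle_endtag(self, tag):
        self._in_title = False
    def handle_data(self, data):
        data = data.strip()
        if data and self._in_title:
            self.title = data
        elif data:
            self.nodes.append(data)

def triage_cache(files):
    """files maps a recovered cache file name to its raw bytes."""
    hits = []
    for name, raw in sorted(files.items()):
        head = raw[:512].lower()
        if b"<html" not in head and b"<!doctype html" not in head:
            continue  # cached images, scripts, style sheets
        text = raw.decode("utf-8", errors="replace")
        host = next((h for h in WEBMAIL_HOSTS if h in text.lower()), None)
        if host is None:
            continue  # ordinary browsing, not webmail
        parser = TextNodes()
        parser.feed(text)
        names = [n for n in parser.nodes if FILE_NAME.fullmatch(n)]
        hits.append({"cache_file": name, "host": host,
                     "title": parser.title, "attachments": names})
    return hits

# Constructed sample: three files as they might be carved from a browser cache.
SAMPLE_CACHE = {
    "A1B2C3D4.htm": b"<html><head><title>Inbox</title></head><body>"
        b"<form action='http://mail.hotmail.com/compose'></form><table><tr>"
        b"<td>colleague@example.org</td><td>Project files</td>"
        b"<td>assay_results.xls</td><td>Q3 summary.doc</td></tr></table></body></html>",
    "E5F6A7B8.gif": b"GIF89a\x01\x00\x01\x00",
    "C9D0E1F2.htm": b"<html><head><title>Journal search</title></head><body>results</body></html>",
}

if __name__ == "__main__":
    for hit in triage_cache(SAMPLE_CACHE):
        print(hit)
```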

            Armed with the evidence obtained through the data forensic examination, corporate counsel filed suit and was able to secure a restraining order prohibiting continued development of the research project underway at the competing organization. 

            As stories such as the one depicted here become more widely known, some organizations with high-risk confidential and proprietary information are taking significant internal measures to secure the information.  One such measure is to restrict Internet access to a select number of computers, outside of the company network, to prevent co-mingling of secret data with the Internet at large. 

            Information security is a large and evolving industry, and the focus is typically on prevention.  The very nature of technological advancements requires continued diligence, as counter-security measures are as quick to evolve as those aimed at protection.  In a perfect world, there would be no crime, and security measures would be 100% effective.  Until then, the ability to anticipate and investigate will remain a primary concern for those charged with protecting intellectual as well as physical assets.

 

 

Carole Longendyke is a Partner and Director of Forensics for P.G. Lewis & Associates, LLC, a Data Forensics firm located in Whitehouse Station, NJ (www.pglewis.com).

 

 

http://www.intelproplaw.com/Articles/cgi/smartarchive.cgi?sortby=date&submit=Sort