JOHN C. SMITH GROUP
HIGH TECHNOLOGY INVESTIGATIONS & SECURITY CONSULTING
SILICON VALLEY & ROSEVILLE, CALIFORNIA
916-782-7234 email firstname.lastname@example.org
Web Site http://www.jcsmithinv.com
In today's high technology environment, thefts of propriety material and network intrusions are a major organizational threat. This Reporting & Planning Guideline is designed to help business and organizations develop the ability to prevent such proprietary theft and network intrusion and, when they do occur, to know how to respond to recover their property and stop further intrusions. I hope that you can review it quickly and easily and that it will function as a check off list as you review your organization. If you have questions regarding this guideline please call me or sent e-mail.
The information in this guideline came from my eight years experience as the Senior Criminal Investigator, High Technology Theft / Computer Crime Unit, Santa Clara County District Attorney's Office working high technology crime in Silicon Valley and working in high technology companies, such as Netscape, 3Com and myCFO. This includes the insight gained from investigating 65 plus trade secret / proprietary theft (industrial espionage) cases, recovering hundreds of million dollars worth of stolen proprietary property, investigating over 50 plus network intrusions, countless searches of personal computers in various types of criminal cases, and many interviews with suspects, witnesses, victims and other people involved in these crimes.
It has been my experience that to determine the extent of your loss or the extent of a network intrusion it is necessary to conduct an investigation and when possible to execute a search warrant on the suspect's work space and/or personal computer system. We generally found more property than the victim thought had been taken. Such investigations allow investigators to search for the types of hacking tools and programs, such as backdoor logins that may have been used on your systems.
FOR IMMEDIATE PROBLEMS
WHEN A CRIME HAS BEEN COMMITTED DO NOT CONFRONT OR TALK WITH THE SUSPECT. This gives them the opportunity to hide or destroy evidence.
DO NOT WAIT TOO LONG TO CALL. It is best to immediately consult with your corporate security manager, attorney, security consultant, or law enforcement to learn your options. Evidence can be lost.
Know your options about talking with law enforcement. Must agencies will not start an investigation unless the victim wants to do so. An official report needs to be filed before a search warrant can be issued.
Always consult with your corporate security manager and legal counsel immediately and before notifying law enforcement.
You can call the District Attorney's Office or your local law enforcement agency to make a police report. Request a search warrant to recover your property. You can use this information to file for an injunction.
You can make an official report to the Federal authorities, probably the FBI.
Filea a civil law suit and seek an injunction when appropriate. This can be done in conjuction with other actions such as filing a criminal report
Take appropriate disciplinary action against any involved employee. Rember this could become a court action.
Do nothing and hope that the problem stops before your organization suffers any substantial damage.
CONDUCTING AN INVESTIGATION
To conduct an investigation, think of Smith's Seven Step System, which
consists of the following seven steps:
SPEED; Case should be handled quickly before evidence and property are destroyed.
STEALTH; Investigation has to be done quietly or suspect will learn of it.
SYSTEM SECURITY; No further damage should be allowed to you system.
SECURE EVIDENCE; Chain of possession to ensure it is admissible.
SUSPICIOUS / SUSPECT EMPLOYEES; Most thefts are done by employees.
SHOW & TELL - REPORTING; How to make a report understandable.
SEARCH WARRANT - PREPARE AND SERVE.
Copy 2004, John C. Smith
An organization is less likely to be victimized if it:
1) If it has adopted security policies to protect its systems and
2) Makes its security policies known to all who work in the organization,
3) Has planned on how it will react to intrusions and losses,
4) Encourages the reporting of suspicious incidents and has a method in place that makes reporting easy and confidential,
5) Attempts to recover its stolen material, and
6) Makes it known that offenders will be criminally & civilly prosecuted.
7) Has analyzed the major threats to the organization and considered how to deal with them.
8) Realizes that the major threat is probably a person authorized to be on the premises.
Organizations should continue to provide ongoing awareness training to remind everyone that the organization could be a target for the theft of proprietary data or a network intrusion.
Your plan and your working environment have to be balanced. Your rules and operating instructions cannot be so severe that work and creativity is restricted, yet rules and accepted security practices should convey the message that thefts, acts of vandalism, and computer misuse will not be condoned.
Management should take security seriously and allocate the resources needed to implement and inspect the correct policies.
Training should be provided.
Business goals (deadlines) should not be allowed to take precedence over security.
Most important most important is that your company develop an attitude and mind set that you are not willing to be victim and that you will NOT tolerate people who steal or attach your site.
Law enforcement has long known that thieves and predators pick on easy and willing victims.
Realize that these incidents DO HAPPEN and can happen to your company. Your company management also has to understand this.
Your written plan should be approved by corporate legal, corporate security, management, and the computer / network manager. It should be agreed on, be in writing, and be approved by the head of the organization.
Organizations should involve employees in developing a plan. Employees know organizational weaknesses and how to exploit them.
Identify the decision maker who is authorized to call law enforcement.
Identify who will be the day to day coordinator of an incident to work with law enforcement and attorneys.
Provide for a response team who is trained to investigate network intrusions.
All managers, supervisors, and systems administrators should be very familiar with the plan and have a copy available.
All employees should have received a copy or a briefing on the contents.
Your plan should specify that any employee who learns of a theft or network
intrusion will not discuss this with anyone except management, security, legal
department, or a designated person.
Remember: Rumors fly at the speed of sound.
LAW & LEGAL PROCESS
Know the appropriate State and Federal laws.
Put copies of state and Federal laws with your plan.
Determine your guidelines for prosecuting. Prosecution is necessary for a law enforcement investigation and to use the search warrant process.
Know the appropriate local or federal law enforcement agency that would have jurisdiction for problems you might have.
Establish the appropriate contacts. Keep name and phone numbers updated. Talk with law enforcement at least once per year. Offer tours or briefings. Know their capabilities.
Know how long it will normally take local law enforcement and federal law enforcement to obtain a search warrant.
Discuss what information or reports that they will share with you.
Will you be able to obtain law enforcement reports for use in civil cases.
Can you get reports from Federal cases?
Plan for filing a civil injunction or TRO (temporary restraining order) as soon as law enforcement has completed search warrant or covert investigation.
Injunctions are frequently used by victims to prohibit suspects from using proprietary information that has been taken under questionable circumstances.
COMPUTER & NETWORK SYSTEMS
Make sure the audit or account functions are turned on.
Have servers in a physically secure location to prevent unauthorized access.
Control modem connections. Use smart cards or call back system.
Make sure secure firewalls are set up and configured properly.
On a regular basis run programs to check for systems weaknesses, ie., Crack, Tiger, COPS, Satan.
Keep current on new programs designed to find system vulnerabilities.
Use virus checker program.
Have passwd file in a hidden location ie., shadow password file.
Close holes in operating systems.
Do not allow importation of software into system.
Monitor size of outgoing mail and have system administrator notified of
large outgoing messages.
Track and audit company proprietary data when copied and printed.
Watch for computer system behaving strangely or improperly.
Put name or hidden markers in source code. Unusual code that would only work with something you have done or misspelled words.
Have timely system backups made.
Keep one copy of backup tapes in secure facility offsite.
Plan on how to handle various intrusions:
Broken Accounts; System or Root Access; Backdoor Logins; Sniffers; Trojan horses.
Ensure that patches have been made to networks and that this is done each time a new patch is made available. Watch CERT bulletins.
Several studies and my experience indicate that employees and other persons authorized to be on company premises or are in a trusted relationship commit most computer crimes.
Do complete background checks before hiring or allowing access or company.
In new employee indoctrination, stress the importance of proprietary data and that any compromise will result in discipline, termination, or prosecution.
Warn against bringing in other companies' proprietary data.
Conduct thorough exit interviews.
Advise departing employees that it is against the law to take proprietary material and that you will prosecute anyone caught taking any type of proprietary information.
Has the employee who is leaving worked on important enough material that a letter should be sent to them or the new employer reiterating the non-disclosure and confidentiality documents signed by the former employee?
Letter (warnings) are frequently used by companies to warn other companies when an employee has changed jobs and the former employer is concerned that the employee may divulge proprietary information.
Set up an easy to use system that allows employees to covertly or anonymously report suspicious behavior.
Set up a reward system for preventing loss or to helping recover data.
Develop a method to combat the belief by many employees that anyone who worked on something has a right to take a copy.
This feeling of ownership occurs regarding of signing non-disclosure agreements, and ownership/invention agreements.
One of the most common criminal defenses used is that the ex-employee just wanted a sample of their work.
Control and approve any articles written about the company by employees.
Educate current employees on the cost and impact to organization, and to them personally, of the loss of proprietary information.
Do not give prospective or new employees an e-mail account or access to their new work environment before they have officially terminated from their last employer.
METHODS OF SAFEGUARDING PROPRIETARY MATERIAL
For your proprietary material to be considered secret, you have to be able to show that you took adequate steps to protect it.
In both civil and criminal cases, you will have to explain what steps or methods your company used to protect its property.
The following are measures that can be used to protect proprietary information:
Require non-disclosure agreements of employees, contractors and anyone with access to the protected material.
Require a non employee to sign a contract describing their access to protected material before the non employee is given any type of proprietary material.
Conduct through exit interviews.
Collect all document fromf terminating employees.
Maintain secure and locked facilities.
Require employees to wear badges.
Visitors to have badges and escorts.
Maintain document control.
Ensure that all documents are marked and numbered.
Logs are kept of who is issued what documents.
Utilize a need to know policy on who can access proprietary material
Restrict on a need to know basis access to networks where proprietary data is kept.
Password protect computers and networks where important data is kept.
Properly mark proprietary and confidential documents. Otherwise the confidential markings are minimized by being seen on routine documents.
Do not have toomany confidential classifications.
Mark only proprietary documents, not everything.
Have an easy-to-use accounting system in place to track who checks out and returns proprietary documents.
Require that the system be used and check inspect its use.
Track printouts from computer accounting system.
Have confidential and proprietary markings automatically put on every printed proprietary document.
Track and audit downloads of computer files.
Have the above control processes audited by management on random basis.
Set a disposal method for documents when they are no longer needed.
Limit access to source code and physical access to documents.
Copy 1997, John C. Smith
FOREIGN / COMPETITOR CONTACTS
Train employees how to protect proprietary data when traveling.
Discuss hazards and how to protect or detect methods such as:
Microphones in hotels, meeting rooms, and transportation.
Searches of rooms and briefcases by unknown persons.
Train on what to do when approached by representative of a competitor, foreign company, or country.
Require that employees report when they are asked to be a guest, a speaker, to serve on committee of foreign county or are put in a situation of working with a person who may be collecting information.
Debrief employees when they return from overseas trips.
Determine how to handle visitors taking photographs and notes while touring your facilities.
Determine how to handle employees who are being asked to lunch or other social functions by competitors.
MANAGERS & SUPERVISORS
Should be trained to recognize and report employees who manifest behavior that may lead to acts against an organization. Such behavior may be:
Angry at company/supervisor for being passed over for promotion, no raises, lack of respect, etc.
Unusually high fixation on making large sums of money, getting promoted
in a company, acquiring lot of stock from a start up company.
Employees acting strangely or with unusual contacts.
Management should continually reinforce that first line managers and supervisors will often the be first to learn of unusual behavior by employees and the most problems are caused by insiders.
REPORTING PROCESS - REWARDS
Create an environment where employees will report suspicious behavior or actions.
Have an anonymous reporting or call in process in place and ensure that
management takes this seriously.
Offer rewards for saving data in thefts or attempts.
Train managers, supervisors, and all staff on how to make reports and why it is important to react QUICKLY & QUIETLY..
INTELLIGENCE GATHERING METHODS
Obtaining your data from other companies - do legal non-disclosure agreements.
Hiring your key employees.
Sniffing data on networks.
Going through trash inside the building.
Monitoring unsecured faxes and telephones
Particularly true in other countries.
Voice gathering - sound directional equipment.
Foreign or competitor representatives who visit or tour your facilities.
Interns or students assigned to your facilities.
LOOK FOR WEAK LINKS
Many times the employees who make the least money have the most access in a company, security, maintenance, and janitors.
Is the company contracting for services. Are those employees bonded or backgrounded
Trash being put in unlocked dumpster.
Social engineering of non sophisticated employees.
Employees with gambling or drinking problems. Employees who hang around card clubs.
Allowing non-employees, employees of contractors too much access to sensitive areas or documents.
Allowing too many employees without the necessary need to know access to sensitive areas or documents.
Allowing work to be done that is not understood by a supervisor or management.
Unlimited access to copy machines or downloading of documents.
Allowing computer data to be sent out of the company without some type of check or monitoring.
Allowing employees to write papers or give presentations about the company or its products with the information going through a review process.
Not enforcing company policy.
Allowing engineers or other technical employees to use their own equipment, computers, or notebooks.
Not protecting customer information, strategic forecasts, or business plans.
Not running Crack or other tools that check for network vulnerabilities.
Not closing computer accounts of employees who have left the company.
Proprietary documents that are not marked or are printed from computer with adequate proprietary notice.
Allowing a proprietary document to moved, downloaded or printed from a
computer network without a warning that the material is proprietary.
Copy 2004, John C. Smith
CALIFORNIA STATE LAWS
These are the laws that are used in a majority of high technology cases. They can be downloaded from http://www.leginfo.ca.gov.calaw.html
499c PC - Trade Secret Theft - Trade secret means any information, including formula, pattern, compilation, program, device, method, technique, or process, that - Derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use. A Felony. See Calif. Penal Code for complete wording.
502 PC - Computer (Network) Related Crimes Illegal Intrusion- Primarily
(See Penal Code for Complete wording.)
(1) Access, alters, damages, deletes, destroys, or uses data, to defraud or obtain something of value.
(2) Knowingly accesses and without permission takes, copies, or makes use of any data - from computer system, or computer network.
(3) Knowingly and without permission uses or causes to be used computer services. (Misdemeanor)
(4) Knowing accesses and alters damages, deletes, destroys any data on a computer or network
(5) Knowingly and without permission causes the disruption of computer services or denies or causes the denial of computer services to a computer, computer system, or computer network.
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network. (Misdemeanor)
(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network. (Misdemeanor
If the computer used by the suspect is located in Sta Clara County we can prosecute even though the suspect broken into a system in another state.
641.3 PC Commercial Bribery - Felony - Any Employee who solicits, accepts, or agrees to accept money or any thing of value from a person other than his or her employer, other than in trust for the employer, corruptly and without the knowledge and consent of the employer, in return for using or agreeing to use his or her position for the benefit of that other person, and any person who offers or gives an employee money or any thing of value under those circumstances is guilty of commercial bribery. The money or thing of value has to exceed $100.
UNITED STATES CODE
Section 1832 Theft of Trade Secrets. - Whoever, with intent to convert
a trade secret, that is related to or included in a product that is produced
for or placed in interstate or foreign commerce, to the economic benefit
of anyone other than the owner thereof, and intending or knowing that the
offense will injure any owner of trade secret, knowingly — (steals, copies,
duplicates, sends, receives, buy, or possesses knowing it to be stolen.)
EXAMPLES OF CASES IN SANTA CLARA COUNTY (SILICON VALLEY)
The following are some of the more serious case of proprietary theft and network intrusions that the Santa Clara County District Attorney's Office has investigated.
Kevin M. used the name of a victim company manger and obtained a modem account. He uploaded his own code and obtained superuser status on several systems. He then download source code through cutouts and cellular phones.
BV used cracking tools obtained on the Internet to gain system administration status at an Ivy League University. He then inserted a back door login program into the operating system.
RY after leaving a company gains access to the network through a security hole. On two occasion he erases manufacturing database and makes hidden changes in system. Almost stops company operations for two days.
MI wanted to make more money, gave notice, then compressed victim company's source code. He e- mailed it to his account on a public provider and then to his home.
CVD was the manager of the computer center, used his employees to rewrite the company's source code and then sold it. He formed a company with the profit and was trying to sell the program overseas. Moved code via modem and tape. Trial took several weeks
Marc G. was caught trying to get on flight back to France after working
in a local software development company. He had taken enough papers to replicate
that company's program. Five tar (copy) commands were found on the company
system. Marc, a French Citizen, had been given his choice when he was
called up for the French draft, two years of French Military Service or two
years in an American Software Co.
WBS an angry employee in the of defense industry. He took few papers at a time and so by time he was fired, had an 18 inch high stack of papers about non classified part of a proprietary project. He also took copy of company's business plan. He was offering these to victim company's competitors to get a job.
INT wanted schematics and manufacturing/process information to help start up new competing company. Hired a victim employee as a consultant who brought the information needed to the new company.
During a search warrant in a case over disputed source code, we found a proprietary document that would allow the replication of the victim's product. The engineer with the document said it had been given to him when he was a scientist in the Soviet Union, within six months of the publication date. He was able to retrieve it after the fall of the Iron Curtain.
JW is an engineer who took processing data for product and used it to obtain consulting fees and to get a job in another country. We arrested him two days before he was to leave for his new job in South America. This information may have been being used as the basis of a partnership with a business in Europe.
T & G took documents and source code. We then find that the T was also at the same time serving as the Vice President of a company in Beijing. Further investigation revealed that T was sending documents to a company in Beijing.
HT while visiting a company with whom he has a business association, downloads their customer database into his laptop computer and sends it to his company in Europe.
F was employed as an engineer to develop computer instructions for manufacturing. He becomes angry and erases all of the programs on the company computers. We recovered the programs at his home.
AK acquires proprietary documents on his employer's new technology. He quits and obtains several jobs where it appears he was using the documents to make himself look good and advance in the new company.
RC breaks passwords on a network and using those accounts, sends messages to president of institution trying to get systems administrators fired.
A software engineer leaves company where he developed the nucleus of a software program. In an extremely short time, he produces a similar competing product. Many of the lines of code are the same.
Technician took prototype circuit boards out of new computers and sold them.
Raj an Indian electrical engineer was working as a security guard in an R&D facility for one company while working in several other companies that had similar product. He had not listed his EE degree on his application for security guard. Was stopped trying to get back into the R&D facility six months after he had walked off that job.
A local manufacturing company trying to do business with a Pacific rim company enters into a working agreement. When they stopped visitors from the other company from taking more and more notes and photos of their equipment, a representative of the foreign company tried bribery to get manufacturing details. Victim did not prosecute for fear of not being able to do business in that country.
A second local company discover that a company from the same Pacific rim county hired away a manager. That manager put together a team of former employees from the victim company. They developed a duplicate product to put on competing market in extremely short time.
Copy 2004, John C. Smith