DuPont sues employee for trade secrets data breach
Chuck Miller, September 09, 2009
Industrial manufacturing giant DuPont has sued an employee it claims was planning to smuggle trade secrets to China, according to a report this week in The News Journal of Delaware.
The employee, Hong Meng, a senior research chemist, admitted to DuPont security officials that in August he downloaded confidential company files from his company-issued laptop to an external hard drive. The data included research on organic light-emitting diode (OLED) technology, said the report, citing court papers.
Meng was planning to take DuPont's proprietary information to Peking University in Beijing, which is involved in research on OLED technology, according to the report.
“When sensitive data is copied to an external hard drive, that typically is a policy violation,” Michael Maloof, CTO of TriGeo Network Security, told SCMagazineUS.com on Wednesday. “Why wasn't there an immediate alert when that external hard drive was attached?”
DuPont was hit by a similar incident several years ago, when a 10-year veteran of DuPont accessed more than 16,700 documents and more than 22,000 scientific abstracts, between August and December 2005, with the intention of giving them to Victrex, a DuPont rival. The culprit in that case, Gary Min, a native of China, eventually was sentenced to 18 months in prison.
“DuPont obviously did not learn much from the first case,” Maloof said. “Both these guys had access to sensitive data, and only long after the data was gone did they discover that the breach had occurred.”
A DuPont spokesperson could not be reached for comment on Wednesday.
A database can be secure, but that doesn't help if people with legitimate access are abusing their rights, said Phil Neray, vice president of security strategy at Guardium.
“Most insiders have access to information they need to do their job,” Neray told SCMagazineUS.com Wednesday. “The challenge is to be sure that you have sufficient controls in place to identify when someone is abusing their privileges.”
Most companies have policies, but what is missing are the mechanisms to enforce those policies, Neray said.
“Most of the focus has been on financial data, but what this story shows is that companies have other types of data of a proprietary nature that also must be protected,” he said. “The message is: Don't forget about proprietary information databases.”
Thursday, September 24, 2009
Wednesday, September 16, 2009
Recent breaches show data theft prevention basics lacking
By Ron Condon, U.K. Bureau Chief, 13 Sep 2009, SearchSecurity.co.uk
Two new cases of stolen information this week underline the need for basic security measures; both data loss incidents could help bolster the case of security professionals struggling to justify their budget.
The first theft involves a laptop computer stolen from an NHS training body last November. The machine, which belonged to NHS Education for Scotland (NES), was being used to test a new medical recruitment website. In order to carry out the tests, the developer had copied the records of 6,377 people who had applied for medical posts. Since the machine was never intended to leave the premises, the information was left unencrypted. Under the policy that applied at the time, it did not qualify as a 'mobile device' and therefore was not protected as such.
This week, the chief executive of NES, Malcolm Wright, was forced to issue a public apology and undertaking through the Information Commissioner's Office (ICO), both admitting what went wrong and pledging to employ better data theft prevention practices in the future.
In the statement, Wright said: "This incident involved the theft of a laptop, belonging to NES, from an office within NES premises at Ninewells Hospital at some time between the evening of November 28 2008 and the morning of December 1 2008. NES staff is confident that this office was locked at the close of business on November 28. A police investigation into the incident has proved inconclusive; Tayside Police does not expect any further progress."
Wright went on to explain that the laptop contained the personal data of 6,377 individuals, all held within an SQL database file. "This personal data consisted of summary descriptions of applications for medical training positions, and included information such as the names, addresses, phone numbers and General Medical Council reference numbers of the data subjects. The personal data also included equality and diversity monitoring information. This information was a superseded data set that was being used to test a development version of a medical recruitment website," he said.
The ICO took the view that the information was sensitive enough to warrant more protection, but agreed not to take further enforcement action against NES in exchange for assurances that it will tighten up its data theft prevention procedures.
The assurances are outlined in the NES's public undertaking and include a commitment to encrypt all personal data held on portable and mobile devices, as well as other portable media.
In addition, NES undertakes to ensure that "staff are aware of the data controller's policy for the storage and use of personal data and are appropriately trained on how to follow that policy."
Running with the database
The second case involves the theft of customer data from a commercial database by an employee who was leaving to start his own company.
The High Court this week heard the case of Richard Braachi, who had emailed his company's customer file to his private email account before leaving to start his own conferencing company.
Braachi had worked for First Conferences between 2006 and 2008. The company claimed he took sales and contact information from its databases and used the data to organise a rival conference.
The court agreed, and found that in copying the contacts and sales information to his private email account and using them as the basis of his own business, Braachi breached article 16(1) of the Copyright and Rights in Database Regulations 1997.
The court also found that Braachi had transferred the domain name theforecaster.com from First Conferences to his new business without permission.
Lessons learned
The stolen database case illustrates the following:
- The emergence of the insider threat.
- The value of classifying sensitive data and files.
- The importance of technology that prevents confidential information from being emailed out, copied on to portable media, or even sent as an attachment to an instant message.
- The need to protect a company's collateral, including its domain name.
- The power of the Copyright and Rights in Database Regulations 1997.
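Maloof's question in the DuPont piece ("Why wasn't there an immediate alert when that external hard drive was attached?"), Neray's point that policies need an enforcement mechanism, and the "Lessons learned" items above on stopping confidential files from being emailed out or copied to portable media all describe the same control: watch endpoint events as they happen and fire the moment classified data starts to move. The following Python correlator is an added example and is not code from either article or from any vendor named on this page. Everything in it is constructed for illustration: the log line format (`timestamp user EVENT key=value ...`), the user names, the path-prefix classification table, the `example.com` internal domain, and the burst threshold of three confidential files in ten minutes.

```python
"""
Added example (not from the articles above): an endpoint-log correlator that
raises an alert at the moment removable media is attached, when a classified
file is copied to it or mailed to an external address, and when one user moves
a burst of classified files. Log format, users, paths and thresholds are all
constructed for this illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed classification registry: path prefix -> label. A real deployment
# would take this from the organisation's data-classification system.
CLASSIFICATION = {
    "/research/oled/": "CONFIDENTIAL",
    "/sales/customers/": "CONFIDENTIAL",
    "/public/": "PUBLIC",
}
INTERNAL_DOMAIN = "example.com"                         # constructed
BULK_THRESHOLD, BULK_WINDOW = 3, timedelta(minutes=10)  # constructed; tune per environment

# Constructed line layout: ISO timestamp, user, upper-case event name, key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")


@dataclass
class Alert:
    ts: datetime
    user: str
    rule: str
    detail: str


def classify(path: str) -> str:
    """Label a file by the first matching classified path prefix."""
    for prefix, label in CLASSIFICATION.items():
        if path.startswith(prefix):
            return label
    return "UNCLASSIFIED"


def parse_line(line: str):
    """Return (timestamp, user, event, fields) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return datetime.fromisoformat(m["ts"]), m["user"], m["event"], fields


def correlate(lines):
    """Stream log lines and return the alerts in the order they would have fired."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of confidential-file movements

    def note_confidential(ts, user):
        # Sliding window: one alert when a user's burst of confidential movements
        # reaches the threshold (fires once, at the event that crosses it).
        window = [t for t in recent[user] if ts - t <= BULK_WINDOW] + [ts]
        recent[user] = window
        if len(window) == BULK_THRESHOLD:
            alerts.append(Alert(ts, user, "bulk-confidential-access",
                                f"{len(window)} confidential files within {BULK_WINDOW}"))

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, event, f = parsed
        if event == "USB_ATTACH":
            # Rule 1: alert as soon as removable storage appears, before any copy happens.
            alerts.append(Alert(ts, user, "removable-media-attached",
                                f"device={f.get('device')} serial={f.get('serial')}"))
        elif event == "FILE_COPY" and classify(f.get("src", "")) == "CONFIDENTIAL":
            if f.get("dst_type") == "removable":
                # Rule 2: classified data leaving the managed disk.
                alerts.append(Alert(ts, user, "confidential-to-removable",
                                    f"{f['src']} -> {f.get('dst')}"))
            note_confidential(ts, user)
        elif event == "MAIL_SEND" and classify(f.get("attachment", "")) == "CONFIDENTIAL":
            if f.get("to", "").rpartition("@")[2] != INTERNAL_DOMAIN:
                # Rule 3: classified attachment bound for an external mailbox.
                alerts.append(Alert(ts, user, "confidential-emailed-externally",
                                    f"{f['attachment']} -> {f['to']}"))
            note_confidential(ts, user)
    return alerts


# Constructed sample log: one benign copy, a removable-media session, and two mails.
SAMPLE_LOG = """\
2009-08-10T09:00:00 analyst1 FILE_COPY src=/public/brochure.pdf dst=C:/tmp/brochure.pdf dst_type=local bytes=10240
2009-08-10T14:02:11 chemist1 USB_ATTACH device=generic_usb_disk serial=CONSTRUCTED-0001
2009-08-10T14:02:40 chemist1 FILE_COPY src=/research/oled/emitter_synthesis.docx dst=E:/bk/emitter.docx dst_type=removable bytes=2048000
2009-08-10T14:03:05 chemist1 FILE_COPY src=/research/oled/device_stack.xlsx dst=E:/bk/stack.xlsx dst_type=removable bytes=512000
2009-08-10T14:03:30 chemist1 FILE_COPY src=/research/oled/lifetime_data.csv dst=E:/bk/lifetime.csv dst_type=removable bytes=90000
2009-08-10T16:15:00 sales1 MAIL_SEND to=sales1@webmail.invalid attachment=/sales/customers/contacts.xls
2009-08-10T16:20:00 sales1 MAIL_SEND to=manager@example.com attachment=/sales/customers/contacts.xls
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.user:<9} {a.rule:<32} {a.detail}")
```

Run against the constructed log, the first alert fires on the `USB_ATTACH` line, before a single byte has been copied; the three copies to the removable drive each raise their own alert and together trip the burst rule; the external mail of the customer file is flagged while the same file sent to an internal manager is not. The classification table is what makes the rules cheap: the correlator never inspects file contents, only labels, which is why the "value of classifying sensitive data" item above comes before the technology item.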
First Class Protection for the Mid-Size Organization: Control Your Network with an Out of Box Solution
sponsored by ArcSight, Inc.
With little to no security expertise and few to no dedicated security administrators onboard, mid-size firms must find a way to secure their data without breaking the bank. Any security monitoring solution must do the "heavy lifting" and make the IT administrator's life easier through automation and built-in security expertise.
This paper describes the critical security and compliance challenges facing mid-size organizations today, and introduces a new compliance and security monitoring appliance. For organizations that face growing threats to their network and their critical information, yet have limited resources and expertise to address these threats, ArcSight Express provides a simple, automated, cost-effective solution. With this solution, security incident detection and notification is automated and IT personnel are able to focus on responding to important security incidents.
Guardium CTO Shares Best Practices for Database Security and Addressing Insider Threats at San Francisco ISACA Fall Conference
Guardium, the database security company, today announced its CTO, Dr. Ron Ben Natan, will be presenting at the 2009 San Francisco Information Systems Audit and Control Association’s (ISACA) Fall Conference. Dr. Ben Natan’s session, “Anatomy of Insider Data Breaches”, will be held on Monday, Sept. 21st from 3 to 4:30 p.m. at the Hotel Nikko.
Recent headlines showcasing massive breaches involving credit card information, as well as proprietary information, have heightened the industry’s awareness of the insider threat. A recent survey by the Independent Oracle User Group (IOUG) reported that unauthorized database access by inside administrators, or “super users,” often goes unnoticed inside organizations. These undetected intrusions can expose sensitive corporate and customer data and potentially cause billions of dollars in damage.
In his session, Dr. Ben Natan will detail practical examples of how insider breaches occur and discuss best practices for safeguarding critical enterprise databases against such attacks. Dr. Ben Natan will speak as part of the conference’s Strategies & Techniques track.
Dr. Ben Natan has more than 20 years of experience developing enterprise applications and security technology for blue-chip companies. Prior to Guardium, he worked for Merrill Lynch, J.P. Morgan, Intel and AT&T Bell Laboratories. He has also served as a consultant in data security and distributed systems for HSBC, Phillip Morris, Miller Beer, HP, Applied Materials and the Swiss Armed Forces. An expert on distributed application environments, application security, and database security, Dr. Ben Natan has authored 12 technical books including HOWTO Secure and Audit Oracle 10g and 11g (CRC Press, 2009) and Implementing Database Security and Auditing (Elsevier Digital Press, 2005), the standard texts in the field.
Dr. Ben Natan will share information regarding:
- The most common insider threats and how to prevent them
- Best practices for database monitoring and real-time protection
- Preventing unauthorized access to sensitive data with granular access controls
WHO: Ron Ben Natan, Ph.D., Guardium CTO
WHEN: Monday, September 21st from 3 to 4:30 p.m.
WHERE: 2009 San Francisco ISACA Fall Conference, Hotel Nikko, 222 Mason Street, San Francisco
Register today for the event.
About ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.
ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.
About Guardium
Guardium, the database security company, delivers the most widely-used solution for ensuring the integrity of enterprise data and preventing information leaks from the data center.
The company’s enterprise security platform is now installed in more than 450 data centers worldwide, including 5 of the top 5 banks; 3 of the top 5 insurers; top government agencies; 2 of the top 3 retailers; 15 of the world’s top telcos; 2 of the world’s favorite beverage brands; the most recognized name in PCs; a top 3 auto maker; a top 3 aerospace company; and a leading supplier of business intelligence software.
Guardium has partnerships with Accenture, ArcSight, BMC, EMC/RSA, IBM, McAfee, Microsoft, Oracle, Sybase and Teradata, with Cisco as a strategic investor, and is a member of IBM’s prestigious Data Governance Council and the PCI Security Standards Council.
Founded in 2002, Guardium was the first company to address the core data security gap by delivering a scalable, cross-DBMS enterprise platform that both protects databases in real-time and automates the entire compliance auditing process.
Guardium and “Safeguarding Databases” are trademarks of Guardium, Inc.