Friday, July 10, 2009

Source Code Stolen by Insider at GS...Where Are Your Assets Tonight?

So the news is full of a source code theft by an insider (a "programmer") at Goldman Sachs, specifically some proprietary trading system code. Security industry analysts are talking about it (http://blogs.gartner.com/neil_macdonald/2009/07/07/security-no-brainer-7-if-you-have-intellectual-property-embedded-in-software-protect-it/) and it's a very current example of a couple of significant trends:

  • Enterprise security is now defending against organized crime, not merely casual hackers or disgruntled employees.
  • Insider threats are a tremendous problem.

A recent study by CERIAS at Purdue found average IP theft losses at globally operating enterprises to be $4M/year, across more than 900 companies. This is serious crime for serious money, and the opportunity for serious theft attracts the professionals.

How best to execute such thievery? Find new and innovative ways to penetrate network firewalls, evade application firewalls, dodge data leak detection, defeat application tamper detectors, and the like? That is one approach, it is actively used, and every enterprise must deploy all of these security methods (and more) to fight against such attacks.

But there's an easier way, is there not? A bag of cash up front, with a promise of another bag of cash on delivery, to the right employee with access. Bingo bango bongo! Got the goods, everyone is happy. Well, except the company losing their assets.

A fascinating aspect of the Goldman Sachs story is that their data leak prevention (DLP) software was just enough security to let them know they'd been robbed...but not enough to catch the thief in the act and stop the theft. Why? Because he copied the source code to another computer inside the company, then took that computer (or its disk drive) out with him. The DLP system noticed the unusual flow of source code, but since the code wasn't leaving the perimeter, it didn't block the transfer. In the past, such a theft was rarely noticed at all. So I will acknowledge that what looks like a major trend might in fact be growing visibility of a long-standing problem. I suspect both are the case.

What can be done? The only real answer is "more", in the way of security mechanisms. The core assets must be encrypted and decrypted only under managed, legitimate usage conditions. The applications operating on internal systems must protect themselves against tampering. The application firewalling must be complete. Data flows in general must be monitored for unusual activity. Security practices must be rigorous throughout software development.
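The gap described above is that perimeter-focused DLP only reacts to data crossing the network edge, while an insider copying the crown jewels from the source control host to another internal machine looks like ordinary internal traffic. The following is an added example, not code from the original post or from any DLP product: it runs two rules over a constructed file-transfer log and shows that an egress-only rule misses the internal bulk copy while an asset-centric rule (count of protected files and bytes per user and destination, regardless of where the destination sits) flags it. The log format, host names, user names, address ranges, repository path and thresholds are all assumptions made up for the illustration.

```python
"""Asset-centric transfer monitoring versus egress-only DLP.

Added example; the log format, hosts, users, networks, protected
path prefix and thresholds below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: timestamp, user, source host, destination IP,
# path read from the source host, bytes transferred.
SAMPLE_LOG = """\
2009-06-01T09:15:02 alice scm01 10.1.4.22   /repo/trading/engine/order.cpp 41200
2009-06-01T09:16:10 alice scm01 10.1.4.22   /repo/trading/engine/risk.cpp 38800
2009-06-01T22:41:07 bob   scm01 10.1.9.140  /repo/trading/engine/order.cpp 41200
2009-06-01T22:41:09 bob   scm01 10.1.9.140  /repo/trading/engine/risk.cpp 38800
2009-06-01T22:41:11 bob   scm01 10.1.9.140  /repo/trading/engine/book.cpp 56000
2009-06-01T22:41:13 bob   scm01 10.1.9.140  /repo/trading/strategy/alpha.py 12000
2009-06-01T22:41:14 bob   scm01 10.1.9.140  /repo/trading/strategy/beta.py 15000
2009-06-01T22:41:15 bob   scm01 10.1.9.140  /repo/trading/Makefile 1800
2009-06-01T22:41:16 bob   scm01 10.1.9.140  /repo/trading/README 900
2009-06-01T22:41:17 bob   scm01 10.1.9.140  /repo/trading/engine/fix.cpp 44000
2009-06-01T22:45:00 carol scm01 203.0.113.9 /repo/trading/README 900
"""

# Assumed internal address space and the protected source tree.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROTECTED_PREFIX = "/repo/trading/"


def parse_log(text):
    """Parse the whitespace-separated constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, path, nbytes = line.split()
        events.append({"ts": ts, "user": user, "src": src,
                       "dst": ipaddress.ip_address(dst),
                       "path": path, "bytes": int(nbytes)})
    return events


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_alerts(events):
    """Perimeter-style rule: alert only when a protected file leaves the network."""
    return sorted({e["user"] for e in events
                   if e["path"].startswith(PROTECTED_PREFIX)
                   and not is_internal(e["dst"])})


def asset_alerts(events, max_files=5, max_bytes=200_000):
    """Asset-centric rule: alert when one user pulls more than max_files
    distinct protected files, or more than max_bytes of them, to a single
    destination, whether or not that destination is internal."""
    totals = defaultdict(lambda: {"files": set(), "bytes": 0})
    for e in events:
        if e["path"].startswith(PROTECTED_PREFIX):
            key = (e["user"], str(e["dst"]))
            totals[key]["files"].add(e["path"])
            totals[key]["bytes"] += e["bytes"]
    return sorted(user for (user, _dst), t in totals.items()
                  if len(t["files"]) > max_files or t["bytes"] > max_bytes)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("egress-only rule flags:", egress_alerts(evts))   # only carol
    print("asset-centric rule flags:", asset_alerts(evts))  # bob, the internal bulk copy
```

The egress rule sees only carol's single README pushed to an external address; bob's copy of the whole trading tree to another internal host is invisible to it, which is exactly the blind spot in the story. The asset-centric rule keys on the protected data itself, so the destination's position relative to the perimeter no longer decides whether anyone is told. In practice the thresholds would be derived from each user's normal checkout behaviour rather than fixed constants.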

On the human side, the most pragmatic solution is a combination of training and awareness of the risks. Awareness takes two forms: awareness inside the company of the potential for insider-executed theft, and awareness across all employees of the stringent security practices and the severe cost of getting caught carrying out any such theft. Faced with a high likelihood of detection and serious jail time, people are much less likely to have the discussion with the high-tech mobster who just wants to chat. It's when they think it'll be easy and low risk that people start bowing to temptation.