Responding to Various Types of Incidents - Section 4

ID: IRCAR201108111
Date: 2011-08-21
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. In these articles we will address Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and Intellectual Property.
Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes and Unauthorized Access were covered in the previous sections. This section covers part of the actions related to Intellectual Property.
Type 8: Intellectual Property
Intellectual property (IP) includes the creative ideas and expressions of the human mind that possess commercial value and receive the legal protection of a property right. IP rights enable owners to select who may access and use their property, and to protect it from unauthorized use.
IP is a key value for many organizations. It is imperative that organizations protect their IP and are prepared to apply the incident handling process to intellectual property.
Special Action 1: Inventory your intellectual property
Assign a person or department to regularly conduct and maintain an inventory of your organization's intellectual property (IP). The inventory should categorize the different types of IP (proprietary knowledge, trade secrets, patents, copyrights, trademarks, etc.) and be accessible only to those with a need to know. An organization must first know what it has in order to determine how to best protect it.
Special Action 2: Prioritize your intellectual property
Conduct regular risk assessments to identify your organization's critical IP. A risk assessment is a formal process that involves determining the probability that a given threat will exploit a particular vulnerability and the impact of the exploitation. Organizations may not be able to equally protect all of their IP. A well-done risk assessment will distinguish the crucial IP that must be strongly protected. Additionally, the risk assessment will enable organizations to respond appropriately to the misuse of specific IP. Misuse of critical IP should trigger a robust response while misuse of less critical IP may require less of a response.
Special Action 3: Assign financial value to your intellectual property
Regularly determine and document the value of your IP. The documentation should be accessible only by those with a need to know. Know how much it will cost your organization if specific IP is misused. If you have patents, franchises or copyrights for information you license, your organization will already have assigned a financial value to specific IP. Valuation of trade secrets should be based on the worth of cost savings, manufacturing efficiencies or strategic buying.
Knowing the value of IP is often necessary when discussing misuse incidents with law enforcement and when asking a court for damages. It is important to do this regularly as the value of certain IP may change over time.
Special Action 4: Uniquely identify your intellectual property
Use copyright notices, watermarks, or other forms of identification to uniquely identify your IP. Use methods that uniquely identify IP based on its distribution location or method. For instance, a book may have a unique serial number embedded in it as well as other techniques that link it to the purchasing organization. Carefully document this identification. Where possible, also create and securely store MD5 and SHA-1 signatures of your IP. These signatures can be used in the incident identification phase and be a part of detection methodologies.
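One way to create and use these signatures, as an added example that is not part of the original article: it fingerprints every file in an IP inventory, stores the result as a manifest, and checks a file found elsewhere against it. The function names and sample files are constructed for illustration; SHA-256 is recorded alongside the MD5 and SHA-1 values the article names, as an addition, because MD5 and SHA-1 are no longer collision-resistant.

```python
import hashlib
import json
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")  # md5/sha1 per the article; sha256 is an addition

def fingerprint(path, chunk=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def build_manifest(root):
    """Walk the IP inventory and record signatures keyed by relative path."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = fingerprint(full)
    return manifest

def match_suspect(path, manifest):
    """Return inventory entries for which every recorded digest equals the suspect's."""
    sig = fingerprint(path)
    return sorted(rel for rel, known in manifest.items()
                  if all(known[a] == sig[a] for a in known))

def demo():
    """Constructed sample: two inventory files, an exact copy and an altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        inv = os.path.join(tmp, "inventory")
        os.makedirs(os.path.join(inv, "designs"))
        samples = {"designs/widget.txt": b"constructed trade-secret text\n",
                   "manual.txt": b"constructed licensed manual\n"}
        for rel, data in samples.items():
            with open(os.path.join(inv, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(inv)
        with open(os.path.join(tmp, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2, sort_keys=True)  # keep apart from the IP
        found = {"copy.bin": samples["manual.txt"], "altered.bin": samples["manual.txt"] + b" "}
        for name, data in found.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return tuple(match_suspect(os.path.join(tmp, n), manifest) for n in found)
```

Digest matching flags only byte-identical copies: the renamed copy matches `manual.txt`, while the copy with one added byte matches nothing. Altered copies have to be caught by the watermarks and serial numbers described in this Special Action.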
Special Action 5: Implement intellectual property misuse detection methodologies
Conduct regular electronic and paper searches to discover misuse of your IP. Determine whether you have the necessary internal expertise to conduct such searches or need external assistance. A variety of commercial organizations provide customized IP searching services.
Special Action 6: Make it easy to report intellectual property misuse
Establish an easy method such as a simple phone number, web form or email address for persons to report misuse of your organization's IP. Implement a formal, documented process for handling the reports, including thanking the person reporting the misuse. The person(s) who initially receives such reports should follow formal, documented procedures that define how the reports are to be managed. Organizations that receive many reports should establish a triage process that allows rapid identification of misuse of critical IP.
Special Action 7: Stay current with intellectual property laws
Carefully monitor and understand the IP laws in all the countries your organization does business in, not just your home country. An organization must have a clear and complete understanding of its rights in order to make effective decisions about how to protect its IP. Determine whether you have the necessary internal expertise to do this or need additional external help.
Special Action 8: Implement legal protections for your intellectual property
Whenever possible, obtain patents, trademarks, copyrights, etc. for your IP. Implement the legal rights that apply to specific IP. Establish a formal, documented process for initially identifying IP, applying for IP protection and monitoring IP protection application status. Additionally, be sure to monitor the time frames for specific legal protections and reapply when appropriate (e.g. renewing a trademark).
Special Action 9: Establish an intellectual property management process
Implement a formal, documented process for the entire lifecycle of IP in your organization — IP creation, modification, storage, and distribution. This process will provide an overall framework, including policies, procedures, and specific cost effective security controls, for how your organization interacts with IP. The process should include clearly defined audit controls that carefully track and log IP, particularly its distribution.
Special Action 10: Establish an intellectual property policy
Establish and enforce a formal, documented policy that stresses to all employees the importance of protecting the organization's IP and the consequences of misusing IP. The policy might include the following requirements: use of the need to know principle, proper handling of trash, fax and copier controls, cleaning whiteboards at close of business, visitor management, file and document controls, sensitivity marking of documents, air-gapped or segmented computer servers for critical information, and content screening on inbound and outbound internet traffic.
It is difficult for an organization to take action against an employee who misuses IP unless there is a formal policy that states what employees can and cannot do. The policy will also set a "tone" for your organization and may discourage some employees from misusing IP.
Special Action 11: Establish specific incident-response procedures for intellectual property misuse
Responding to misuse of your organization's IP will likely require a significantly different response than responding to other security incidents (e.g. denial of service or a compromised server). Create and maintain formal, documented procedures that are specifically for IP misuse incidents. The procedures should recognize that response will vary depending on where the IP misuse has occurred. For example, handling an IP misuse incident in the United States can require different actions than handling one in Bulgaria.
Special Action 12: Develop working relationships with your legal and public affairs staff
Responding to IP misuse can require organizations to take a variety of legal actions. BEFORE an IP misuse incident occurs, make sure your legal staff knows their role and that you understand their perspective and abilities. Know what IP expertise your internal legal staff has and when you'll need external proficiency. When possible, establish agreements with external lawyers that establish how quickly they must respond during an IP misuse incident.
Special Action 13: Develop working relationships with law enforcement
IP misuse response may require organizations to work with a variety of law enforcement agencies. BEFORE an IP misuse incident occurs, understand what types of IP misuse cases law enforcement will be interested in and how they will handle such cases. In general, law enforcement will not provide assistance unless the incident has caused significant financial damage to an organization.
Offer to educate local law enforcement on why it's important to protect IP and the methods your organization uses to protect its IP. Make sure you understand what information law enforcement will need to assist you.
Special Action 14: Thoroughly document identification of intellectual property misuse
Documentation of how misuse of your organization's IP is detected is critical. Proper documentation can spell success or failure in the courtroom. It can also assist in the identification of additional IP misuse. Additionally, careful documentation provides a blueprint for others such as lawyers or law enforcement in the event they need to repeat the IP misuse identification.
Documentation should contain only facts. If you feel it is important to state opinions or assumptions, then clearly mark them as such within your documentation. This is particularly important when you create reports for legal, law enforcement, government or corporate officials.
Special Action 15: Check entire violator location for intellectual property misuse
Whether IP was found in a desk, workstation, web site or other place, check the entire location for other IP misuse. Try to keep this phase of the investigation as discreet as possible. If you are searching a web site, checking should be done offline with the use of offline browsing tools or the "cached" feature found on many search engines. It is important to identify all IP misuse as this will add to the total damage amount and can help persuade lawyers and law enforcement to take action.
When appropriate, also collect information on any violations of other organizations' IP you find. Notify the other IP owners of your findings and encourage them to take appropriate action. We must work together to protect our IP.
Related Links:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003




Created: 18 Mordad 1393


