Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Security Manager's Journal: A deal that's too good to be true

Mathias Thurman | May 6, 2014
My company is always looking for ways to save money. One maneuver -- outsourcing the development of a module of one of our software products -- almost cost us big time.

My company is always looking for ways to save money. One maneuver — outsourcing the development of a module of one of our software products — almost cost us big time.

Trouble Ticket

At issue: An offshore vendor might be stealing the company's source code.

Action plan: Quickly find a way to monitor the network, and then deploy an effective means of blocking USB ports.

We had chosen a provider in Southeast Asia, based not just on its extremely low cost but also on the quality of work we'd seen it deliver in the past, which was far superior to that of other low-cost, offshore locations. Recently, we decided to decrease the number of engineers working on the project, and the vendor ended up laying off one of the removed engineers. That laid-off engineer let us know that the vendor was using our source code to create a competing product. He either wouldn't or couldn't tell us many details, but he did say that our source code was being copied to USB drives to avoid detection and then being shared within the vendor company.

We had to act quickly to verify the accusation and stop the theft before all of our source code could be taken.

Our company policy is that vendors working in an R&D capacity must use hardware that we provide. That's a good first step, but my preference, naturally, would have been to use that hardware to implement precautions that would protect our intellectual property. Unfortunately, we don't do anything special with those laptops.

We also didn't have any monitoring equipment at this small office. Now that we badly needed to monitor its traffic, we decided to quietly reroute it to Singapore, a main hub for us where we had recently deployed data loss prevention (DLP) technology. Next, we surreptitiously deployed endpoint DLP agents to the PCs in the office of the suspect vendor. Now we had full visibility, both at the network layer and at the endpoint.

Block Those Drives

Within hours, we got a hit.

Two software engineers on the project were copying huge amounts of source code from their desktops (which shouldn't have been storing source code) to external USB drives.

We wanted to block that data and keep it off the USB drives. We looked at doing this via the BIOS, but that proved to be difficult. A technician would have to go to the site and configure the BIOS on all of the PCs in the vendor's office. Not only would that take a lot of time, but using BIOS to turn off the USB ports would also block legitimate items, such as USB mice, keyboards and cameras, and all of those would be needed.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.