Mobile Security MayhemGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-10-01T04:00:00Z, Lilly Chapa<p>​​Mobile device security organizations stepped up in a big way this summer to attempt to bring the U.S. federal government’s digital communications into the 21st century. </p><p>Companies such as BlackBerry—which last year stopped manufacturing cell phones—have been working with the government to create and disseminate software that protects mobile devices from eavesdropping or interception. </p><p>Between U.S. President Donald Trump’s issuance of the cybersecurity executive order that focuses on protecting federal networks and the U.S. National Security Agency’s (NSA) adoption of solutions like BlackBerry’s, the U.S. government is acknowledging the trend towards the mobile workplace—even when conducting classified business.</p><p>Trump caused headlines when he continued using his personal Android smartphone once he took office in January and, even after officially switching to a government-issued iPhone, gave his mobile number to world leaders. Experts agree that no mobile device can be completely secure, which is why sensitive phone calls have traditionally been conducted on secure phone lines in the White House or in the president’s private car. </p><p>Still, cell phones are undeniably ubiquitous, and the personnel in the upper echelon of the federal government are provided devices with expensive, cutting-edge technology to prevent intrusion, says ASIS International Defense and Intelligence Council Vice Chair Matthew Hollandsworth, CPP.</p><p>“As the technology and encryption capabilities get better and are reviewed and approved by NSA, there is a capability to talk on a cellular device at the top-secret level and get classified-level data,” Hollandsworth says. “It’s very uncommon right now because of the expense and the risk associated with it. If I have a cell phone in my pocket that I can talk classified on, and someone calls me and I’m on the train, I’ve got to watch what I say. Those are the types of risks that are associated with the mobile environment.”</p><p>While Trump undoubtedly has a team of experts monitoring his mobile device usage, the thousands of public sector employees and federal contractors who might deal with sensitive information via off-the-shelf mobile devices may pose a national security risk, notes Tony Anastasio, who does telecommunications work for the Defense Information Agency.</p><p>“Mobile phones, in my opinion, are very dangerous to anybody, especially government people, diplomatic officials, consulates, and embassies,” Anastasio tells Security Management. “There are so many vulnerabilities and exposures in these things.”</p><p>Anastasio has worked in the telecommunications industry around the world for more than 30 years and says there isn’t a good understanding of just how vulnerable mobile devices are to infiltration. </p><p>There are no federal requirements about what types of mobile devices can be used by federal employees and contractors or what they can be used for. The U.S. Department of Homeland Security (DHS) issued a report earlier this year assessing threats to the government’s use of mobile devices and noted, “DHS has no legal authority to require mobile carriers to assess risks relating to the security of mobile network infrastructure as it impacts the government’s use of mobile devices.” </p><p>Hollandsworth, who has managed IT security for federal agencies such as DHS as well as contractors, currently works as the director of corporate security at government contracting company American Systems. He says that in his 20 years in the industry, he has watched the evolution of how federal employees use mobile devices—and the dangers the changes have brought.</p><p>“It used to be that you had your cell phone and all it was was a phone,” Hollandsworth explains. “Nowadays, workers need to be more mobile, so you’ve got hot spots pulling up, wireless connectivity in just about every coffee shop around, and almost every federal employee, whether it’s a government contractor or staffer, has some sort of mobile equipment—a laptop, smartphone, tablet, or whatnot. When you start adding all of that up, you look at all the information now stored on those devices that are no longer in the direct control of the organization you’re working for…it does introduce quite a bit of additional risk.”</p><p>Both Hollandsworth and Anastasio say mobile device requirements for mobile employees run the gamut. As carrying around a personal cell phone all the time became the norm, some companies implemented bring-your-own-device policies that allowed employees to use their personal mobile devices for work as well. However, tensions over device privacy and ownership led most federal organizations to give employees government-issued devices to have more control over security.</p><p>“From a security perspective, people didn’t want to give up the access to their phones, they didn’t want things configured for them, they didn’t want people getting into their laptops—lots of privacy concerns there,” Hollandsworth explains. “From a company or government side, I think they want more control over the devices. If it’s a personal device, if something were to happen or information were to get on that device that needs to be cleaned, well there’s a concern—is it government owned or personally owned?”</p><p>Anastasio has experience with the issue. A company he worked for previously frowned upon his use of an Android device that he had rooted—a method allowing unfettered access to the device’s source code—but he says he pushed back. “I’d challenge them—they would say I couldn’t do that with my phone, but you’re going to control my personal phone? I don’t think so,” Anastasio explains. “These employees would say, ‘Hey, it’s my personal phone, I paid for it. Who has the right to tell me I can’t put my kid’s pictures on my phone?’ It’s a very personal thing.”</p><p>However, many government contractors—especially smaller startups that can’t afford a robust secure mobile device approach—have mobile requirements somewhere between issuing their own secure devices and demanding complete access to an employee’s personal device. </p><p>“We do enforce certain security standards no matter if it’s a personal device or we give it to them,” Hollandsworth says. “At my company, after we authorize you to connect up your laptop or smartphone we push down certain security settings so you have to change your password every so often. There’s a host of other settings we require for you to improve your connection.”</p><p>However, that might not be enough, Anastasio argues. “A lot of IT guys may not have a good understanding of mobile networks,” he notes. “They just breeze over, say that you can’t have Facebook or other generic apps, but they don’t always dig into the signaling side of the network.”</p><p>The reality of mobile device security is that regardless of whether it’s a locked-down, encrypted, government-issued device or an off-the-shelf consumer phone loaded with apps, it’s only as secure as the network it uses. Anastasio describes a myriad of ways networks can open phones to vulnerabilities, from Signalling System No. 7, which can allow phones to be hacked and render two-factor authentication useless, to fake cell towers that steal information when phones connect to them. </p><p>“Your mobile could be 100 percent clean with no software, malware, or apps, and you could just roam into a rogue cell site, and they can still collect your information,” Anastasio says.</p><p>The DHS mobile security report notes that the stakes for government employees using mobile devices are high. “Government mobile devices—despite being a minor share of the overall market—represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions,” the report states. Because the use of mobile devices by the government is “an almost insignificant market share,” changes to mobile device security must be accomplished through legislation and regulation, the DHS report states. “The typical use of the devices outside the agency’s traditional network boundaries requires a security approach that differs substantially from the protections developed for desktop workstations.”  </p><p>One regulation coming down the pipeline is a new U.S. National Institute of Standards and Technology (NIST) standard for protecting sensitive information in nonfederal information systems—including mobile devices. The standard was first published in December 2015, and U.S. Department of Defense contractors have until December 2017 to become compliant. </p><p>“Within the contracting community, whatever type of system you’re using, whether it be your laptop or cloud computing or a mobile device, the government is putting into their contracts that you have to have certain security requirements implemented within your networks,” Hollandsworth says. He says the requirement, NIST SP 800-171, has 109 controls that dictate everything from physical protection of systems to access control, and it will tighten how federal contractors can use mobile devices to store intelligence.</p><p>Anastasio points out that regulations such as NIST’s and rules enforced by individual agencies are only effective if they are thoroughly and consistently enforced. “Most companies don’t want to touch mobile security,” he says. “They give you guidelines, and unless they pay for that bill on your cell phone, you still have your own personal phone right next to the one your company gave you.” Consistent education about mobile vulnerabilities is important. </p><p>Employers also need to keep in mind that classified information shared over mobile devices can be compromised in an old-fashioned way—via in-person eavesdropping or leaks. Anastasio cautions that people discussing classified information on their phones in a coffee shop or in an airport are just as much a risk as someone using an insecure mobile device. And even transcripts of Trump’s classified policy phone calls with world leaders were leaked in August.</p><p>Hollandsworth is getting a doctorate in leadership and says learning about how today’s generation will continue to grow as a mobile workforce underlines the importance of implementing a strategy to safely conduct government work on mobile devices. “The risk can only increase,” he says. “The desire and the need is going to continue to increase with having mobility, more power in your hand with a phone, and with that there’s a technology risk aspect that needs to be addressed.”  ​ ​</p>

Mobile Security Mayhem The Force Multiplier‘Catastrophic,’-Survey-Finds.aspx2017-05-31T04:00:00ZSecurity Incidents Caused By IoT Devices Could Be ‘Catastrophic,’ Survey Finds Warns Congress Of Security Threats to Government Mobile Devices Travel Tips Review: Secrets Spotlight: Internet of Things Toward Disaster Cameras: Fashion or Function? Glossary Stoppers the BYOD Revolution Could Allow Cell Phones to Detect Bioagents Devices't Touch that Dial: Considerations When Using Satphones in Conflict Zones Monitoring the Emergence of Mobile Malware Built to Mine Location Data Worry Criminals Use Smartphones To Monitor Radio Traffic$00.000025: The Going Rate On The Black Market For Your Email Address of Text Message Storage May Hinder Law Enforcement Warrant Necessary for Text Message Search

 You May Also Like... Secrets 2.0<p>​The enactment of the Defend Trade Secrets Act (DTSA) of 2016 in the United States creates a new paradigm and is a watershed event in intellectual property law. U.S. President Barack Obama signed the bill into law on May 11, 2016, and the DTSA now applies to any misappropriation that occurred on or after that date.</p><p>A trade secret is any technical or nontechnical information that can be used in the operation of a business or other enterprise and that is sufficiently valuable and secret to afford an actual or potential economic advantage over others.</p><p>The law allows trade secret owners to file a civil action in a U.S. district court for trade secret misappropriation related to a product or service in interstate or foreign commerce. The term “owner” is a defined statutory term. It means “the person or entity in whom or in which rightful legal or equitable title to, or license in, the trade secret is reposed,” according to the DTSA.</p><p>Under the DTSA, in extraordinary circumstances, a trade secret owner can apply for and a court may grant an ex parte seizure order (allowing property to be seized, such as a computer that a stolen trade secret might be saved on) to prevent a stolen trade secret from being disseminated.</p><p>With this development in the law, trade secret assets are no longer stepchild intellectual property rights. Trade secret assets are now on the same playing field as patents, copyrights, and trademarks. The DTSA reinforces that a trade secret asset is a property asset by creating this new federal civil cause of action.</p><p>And there is no preemption. The U.S. district courts have original jurisdiction over a DTSA civil cause of action, which coexists with a private civil cause of action under the Uniform Trade Secrets Act (UTSA). The UTSA—most recently amended in 1985—codified common law standards and remedies for trade secret misappropriation at the state level.</p><p>The DTSA also coexists with criminal prosecutions under the U.S. Economic Espionage Act of 1996 (EEA), which makes it a federal crime to steal or misappropriate commercial trade secrets with the intention to benefit a foreign power.​</p><h4>What the DTSA Means</h4><p>A trade secret asset must be managed like other property assets. However, trade secret asset management differs because it first requires the identification of the alleged trade secret asset. Because millions of bits of information within a company can qualify as proprietary trade secrets, it is critical to classify and rank trade secret assets.</p><p>Most companies focus on the protection phase of trade secret asset management without first identifying and classifying their trade secrets. This approach is doomed to fail without a thorough analysis. Unless the company knows what it’s protecting, there can be no effective protection. And all three phases—identification, classification, and protection—must occur before an accurate valuation of trade secret assets can be determined.</p><p><strong>Proof. </strong>Additionally, information assets must be validated in a court of law as statutory trade secret assets. There is no public registry for trade secret assets. The courts require proof of four things: existence, ownership, notice, and access. </p><p>The first element requires proof of existence of the trade secret asset. The litmus test for proving the existence of a trade secret has six factors: the extent to which the information is known outside the business; the extent to which the information is known inside the business; the extent of measures taken to guard the secrecy of the information; the value of the information to the business and to competitors; the amount of time, effort, and money expended to develop the information; and the ease or difficulty with which the information could be properly acquired or duplicated by others.</p><p>The plaintiff must show that he or she owns the trade secret. A misappropriator cannot be the owner of a trade secret.</p><p>However, a person who independently develops or independently reverse engineers the trade secret can be the owner of the trade secret. By using reverse engineering, an employee who has not been granted intellectual property rights in the trade secret asset may also be the lawful owner—instead of the employer.</p><p>For proof of notice, the plaintiff must show that the defendants had actual, constructive, or implied notice of the alleged trade secret. A former employee may use his or her general knowledge, skills, and experience. However, a former employee may not disclose or use the trade secrets of the former employer. Also, the former employer is prohibited from claiming that “everything we do is a trade secret.”</p><p>The court will take judicial notice that there is both unprotected and protected trade secret information in every company. If the line is unclear, the court will draw the line in favor of the former employee. </p><p>For proof of access, the plaintiff must prove that the defendant had access to the alleged trade secret. If the evidence shows that the defendant never had direct or indirect access to the trade secret, and there is no conspiracy claim, there cannot be misappropriation. This is because misappropriation requires proof of unauthorized acquisition, disclosure, or use of the trade secret by the alleged trade secret thief.</p><p><strong>Protection. </strong>The DTSA also requires that the trade secret owner take reasonable measures to protect the secrecy of trade secret assets. This is a much more challenging task today because trade secret assets are no longer at rest in a locked file cabinet in an engineer’s office. Today, trade secrets are in motion and in use via computer systems and networks with access points all over the world.</p><p>Companies must actively monitor the access and movement of critical trade secret assets throughout the corporate enterprise, or risk the serious consequences of forfeiting trade secret assets by failing to take the reasonable efforts necessary to protect these assets.</p><p>The point is illustrated by U.S. v. Lee (U.S. District Court for the Northern District of Illinois, 2009). A 52-year-old senior scientist, David Yen Lee, suddenly resigned from his job at Valspar on March 19, 2009, and bought a one-way ticket to Shanghai, scheduled to leave on March 27.</p><p>One of Lee’s coworkers discovered irregularities in Lee’s work computer. Upon further investigation, an unauthorized program called “Sync Toy” was uncovered in invisible Windows files. It showed that Lee downloaded 44 gigabytes of paint and coating formulas, product and raw material data, sales and cost data, and product development and test information.</p><p>The FBI was informed and brought in to investigate. The bureau raided Lee’s apartment and recovered the stolen trade secret assets before Lee’s flight left for Shanghai. Valspar’s security readiness was directed to protection against outside intrusions. However, there was little security in place to guard against trade secret theft by insiders and trusted employees. </p><p>To mitigate against future insider theft, Valspar set up an internal identification and classification system for trade secrets called the CPR (classify, protect, report) model. Valspar now tracks the movement of all critical trade secret assets within the various computer environments with triggers that are activated if unauthorized activities are detected.</p><p>The reasonable measures necessary for the protection of trade secret assets continues to grow as the risk of sensitive data loss increases by various means: unauthorized uploading of trade secret assets to an insecure cloud or Web application; unauthorized email communications disclosing trade secret information; unauthorized acquisition of highly classified trade secret assets onto USB drives; and undetected incoming malware, phishing emails, and corrupted Web software all facilitate foreign economic espionage and theft of corporate trade secret assets.</p><p><strong>Seizures. </strong>Companies cannot take advantage of the DTSA’s powerful seizure provisions unless effective trade secret asset management protocols are in place before the actual or threatened misappropriation occurs.</p><p>First, the owner must demonstrate, in a sworn affidavit or a verified complaint, that the ex parte seizure order is necessary and that a temporary restraining order is inadequate. Second, that immediate and irreparable injury will occur if the seizure is not ordered. Third, that the person the seizure would be ordered against has possession of the trade secret and property that is to be seized.</p><p>Once the ex parte seizure order is granted, the court must take custody of and secure the seized property and hold a seizure hearing within seven days. Individuals can also file a motion to have the seized material encrypted.</p><p>A court can issue an ex parte seizure order, according to the DTSA, “in extraordinary circumstances” to “prevent the propagation or dissemination of the trade secret” or to “preserve evidence.”</p><p>These circumstances exist when a trade secret thief is attempting to flee the country, if he or she is planning to disclose the trade secret to a third party, or if it can be shown that he or she will not comply with court orders. </p><p>The Valspar case is an excellent example of the necessity for ex parte seizure orders. However, the FBI will not always be there, and the window of time to protect against the loss of trade secret assets and destruction of the evidence will often be shorter than the eight-day period in the Valspar case. This is why a DTSA civil cause of action and an ex parte seizure order are so important to protect U.S. trade secret assets.</p><p>The protection of trade secret assets in these circumstances requires emergency actions. Once lost, a trade secret is lost forever. The DTSA requires that the trade secret Owner file suit, and provide verified pleadings and affidavits to successfully obtain a DTSA ex parte seizure order before the de­f­en­dants know the suit has been filed. </p><p>Otherwise, without the element of surprise, the defendants—often with several clicks of a computer mouse—can transfer the trade secrets outside the country and destroy the evidence of trade secret theft by running data and file destruction software.</p><p>Therefore, to take advantage of the robust provisions of the DTSA, the trade secret owner must be able to move faster than the trade secret thief. This will require that companies develop internal trade secret asset management policies, practices, and procedures. </p><p>The DTSA creates a new paradigm. If management waits until the trade secret theft occurs to identify what the trade secret is and investigate the evidence of misappropriation, the actual trade secret assets will be long gone before counsel can provide the U.S. district court with the proof necessary to obtain an ex parte seizure order.</p><p>The result: if the losses from the trade secret theft are severe, both the board of directors and senior executives of the company can be charged with malfeasance, including the willful failure to take reasonable measures to protect the corporate trade secret assets from insider theft or foreign economic espionage.​</p><h4>DTSA Application</h4><p>What are the next steps in view of the DTSA? Every organization is different. There are no one-size-fits-all solutions. Each trade secret asset manager must audit existing approaches to protecting trade secret assets, the resource allocations within the organization, and any budgeting issues with protecting trade secrets.</p><p>A fundamental first step should be the creation of An internal trade secret control committee (TSCC). The TSCC should be charged with the responsibility to adopt policies and procedures for the identification, classification, protection, and valuation of the company’s trade secret assets.</p><p>The next step should be the creation of an internal trade secret registry (TSR). This is a trade secret asset management system that can be deployed as a cloud-based solution, on a corporate server, or on a standalone work station. </p><p>The TSR should operate like a library card catalog storing necessary trade secret asset information with hash codes and block chaining (a database that sequences bits of encrypted information—blocks—with a key that applies to the entire database) to ensure the authenticity of the data stored in the TSR and to meet the required evidentiary standards in a trade secret misappropriation lawsuit.</p><p>Another necessary step is trade secret asset classification, the foundation of a successful trade secret asset management program. Asset classification allows trade secret assets to be identified and ranked, so that the level of security matches the level of importance of the trade secret asset. There are now automated trade secret asset management tools available to assist companies with the classification and ranking of trade secret assets.</p><p>Security, without identification and classification, is doomed to fail. In contrast, securing data after identification and classification of the trade secret assets makes it much easier for the internal security ecosystem to enforce trade secret protection policies and to prohibit unauthorized access, disclosure, or use.</p><p>Today, software tools can protect the company from mistakes that lead to the forfeiture of classified trade secret assets. If a user attempts to email a trade secret document to unauthorized recipients, the software program will immediately alert the user so the mistake can be corrected. Further, classified trade secret assets can be monitored. Administrators can track abnormal or risky behavior that otherwise cannot be tracked until the trade secret is compromised.</p><p>Developing a trade secret incident response plan (TSIRP) is another critical requirement. The flow of trade secret assets throughout the corporate enterprise should be tracked with built-in red flags, designed to trigger the TSIRP and notify outside counsel to proceed immediately to the courthouse to seek a DTSA ex parte seizure order before the bad actors can destroy the evidence or transfer the stolen trade secret assets outside the court’s jurisdiction.​</p><h4>Employee Management</h4><p>There are other best practices for trade secret assets now that companies are focusing on the various stages of identification, classification, protection, and valuation.</p><p>Building a trade secret culture from the top down, with required training and compliance with TSCC policies, practices, and procedures, is at the top of the list. Companies must promote a trade secret culture by prompting employees and users to stop, think, and consider the business value of proprietary, internal information they are creating, handling, and reviewing.</p><p>The new employee hiring process should include an investigation and certification by the new employee that no proprietary trade secret information of any previous employer is being brought to the company or is being stored electronically in his or her personal email system or other electronic storage locations.</p><p>The prospective new employee should sign an employment agreement with patent and trade secret assignment provisions. He or she should also receive and review the company’s required trade secret policies and procedures.</p><p>When an employee leaves the company, off-boarding procedures should include a mandatory trade secret exit interview. The interview should be conducted under strict procedures adopted by the TSCC, including execution of a trade secret acknowledgement at the conclusion of the interview certifying that all company devices, documents, and materials, including electronic copies, paper copies, and physical embodiments have been returned. It should also certify that all proprietary and confidential information, stored on any personal computer or mobile device, has been identified and preserved, returned, or deleted under the company’s instructions.</p><p>The enactment of the DTSA will usher in a new era. It requires trade secret owners to identify, classify, and protect trade secret assets as property assets. In time, the DTSA will become a precursor for new accounting systems that will provide valuations for trade secret property assets.  </p><p>--<br></p><p><em><strong>R. Mark Halligan</strong>, partner at FisherBroyles LLP, is recognized as one of the leading lawyers in trade secrets litigation in the United States by Legal 500 and Chambers USA: America’s Leading Lawyers for Business. He is also the lead author of the Defend Trade Secrets Act of 2016 Handbook and coauthor of Trade Secret Asset Management 2016: A Guide to Information Asset Management Including the Defend Trade Secrets Act of 2016.  ​</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Spotlight: Internet of Things<p><span style="line-height:15px;">For security professionals, the Internet of Things (IoT) raises basic questions: who will be responsible, what will be collected, where will the data be stored, when will security be involved in decision making, why are new devices being added, and how will they affect the daily functions and outcomes of the security department.</span></p><p><span style="line-height:15px;"><a href="" target="_blank">The following resources</a>, ASIS International Seminar and Exhibits education sessions, <em>Security Management </em>articles, and Council white papers, address these questions and offer practical responses and thoughts for t​he future marriage of IoT and security.</span></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465