Introduction to data loss prevention
Published in Extrusion Part 1: Trusted Digital Insider Theft
MARCH, 2004 (COMPUTERWORLD)

Trusted insider theft continues to lead as the number one source of economic loss due to computer crime. Even organizations that have deployed a wide range of security technologies fall victim to significant losses. ...the percentage of incidents that are reported to law enforcement agencies remains low. ...attackers may reasonably infer that the odds against their being caught and prosecuted remain strongly in their favor.

- CSI/FBI 2003 Computer Crime and Security Survey

In the hit-parade of security technology buzz words, Anti-virus and IDS (Intrusion Detection Systems) are in the top 5. After all, there are a lot of bad guys out there writing worms and trying to break in.

Stop for a second and ask yourself a question.

Is intrusion your key threat just because that's what the IT vendors are selling?

You know the joke about the cement factory in Poland. Every day, a worker leaves the factory at closing time with a wheel-barrow of sand. After a month of this, the guard finally says to the worker: "I know you're stealing something, I just can't figure out what the heck it is". The worker replies, "I'm stealing wheel-barrows". That's extrusion: unauthorized transfer of your assets in broad daylight.

Digital asset extrusion, just like any other crime = motive+opportunity

Let's examine the sources of digital asset extrusion: trusted insiders, human error and criminals. Trusted insiders are your employees, your suppliers and your customers. Employees may be the software development group that was axed, and the sales rep that skims credit card transactions. Suppliers may be the DHL courier that flirts with the receptionist and the night security guard that copies documents. Outsourcing contractors are also threats. In the quest for operational efficiency, our industry outsources IT functions, but oddly, some banks and insurance companies outsource their information security functions even though their business is the most information-intensive industry on the planet. What about human error? One extra click in Outlook and a casual friend is on the distribution list together with the board in the middle of due diligence. Customers may not be direct threats, but many B2C Web sites are vulnerable to credit card theft by organized crime. Tens of thousands of stolen credit-card numbers are offered for sale each week on the Web. This black market e-business, where credit card prices fluctuate with supply and demand, costs the financial system over $1 billion a year and shows how easily personal information is being stolen and traded.

People do it because of anger and greed. Emotions are a powerful motivator and anger at being terminated will cause a person to act quickly and irrationally. A supplier trying to collect money may view extrusion of digital assets belonging to his customer as a way of "taking a hostage" that will ensure receipt of payment.

Employees are aware that extrusions can be traced when they use their office line or cell phone and may prefer to use alternative channels such as instant messaging or P2P that are readily available in most offices, yet cannot be traced or tapped with conventional network facilities.

Corporate governance: Do you report extrusion events to the shareholders?

Most companies do not report extrusion to law enforcement agencies out of fear of the negative publicity and of competitors taking advantage of the bad news. However, as we will see in Part III, Sarbanes-Oxley section 409 requires timely reporting of extrusion events.

When a CEO considers the extrusion problem, he or she must first gauge the damage to a valuable and hard-earned corporate brand and not employees' perceived risk.

Two real-life case studies

In order to understand what digital assets people steal, let's consider two brief case studies:

The speedy high-tech startup

A technology startup retained a company to do software development. Since the VP R&D adopted extreme programming methods, he demanded that all the work be done onsite. The VP also required that the onsite developers check in all software updates to the source repository. Sadly, rapid romances don't always lead to stable marriages and in the middle of the project the supplier was sacked. The startup didn't pay their bill and one of the supplier's developers thoughtfully took a backup of the entire source tree, and extruded the files over a VPN on the last day on the job. Exposure of the I/P to the investors was on the order of $3 million and was resolved after time-consuming and costly legal intervention between the parties.

The friendly P/I

A large credit card issuer with over 4 million card holders operates a call center. Private investigators working divorce cases socialize with call operators on their smoking break outside the building in the courtyard. On any given shift of 150 CSRs, at least one has taken a bribe to extrude personal information from the CRM system to the P/I.

Extrusion happens in your office and during normal business hours. When an extruder needs a username and password, she may deploy social engineering to get the information. When a disgruntled programmer is terminated, he may copy the project source repository in his last few hours at work over the company VPN.

Extrusion

Extrusion is the unauthorized transfer of a company's essential digital assets - credit cards, customer records, transactional information, source code and other classified information. The term "Extrusion" was coined by Tim Sullivan of Fidelis Security about a year ago as short-hand for "Trusted insider theft over the network".
In Part II, we'll suggest some best practices for extrusion prevention and survey technology requirements.
In Part III, we'll review the current state of legal and statutory requirements in this country and in Europe.

 
Software Associates - Business security specialists for hi-tech firms