Two-factor authentication and tighter controls around intellectual property are the only ways to safeguard a company's critical assets, according to a longtime security expert.
Larry Brock, former chief information security officer at DuPont, saw the organization grow and struggle to keep pace with the evolving security landscape. Over his three decades at DuPont, Brock, a former National Security Agency official, helped roll out stronger authentication and gain control over data spread out over multiple business units and across disparate systems.
It was a constant struggle and one that DuPont dealt with daily, Brock said. With internal strife over former employees pilfering the company's databases of sensitive engineering research and external attackers attempting to copy engineering and design documents from the R&D team, Brock seemed to be under a constant barrage of attacks.
"We saw trade secrets spread out over many different areas, and on the technical side there is the foundational technology that comes out of the research and engineering of how to build a manufacturing facility to take that research information and turn it into a product," Brock said. "Our adversary realized it only needed to collect parts of the information and not all of it."
Brock, who now heads his own consultancy, Brock Cyber Security Consulting, will talk about data protection issues in a webinar on May 22 sponsored by security vendor Verdasys.
In 2007, DuPont reportedly lost hundreds of millions of dollars' worth of research documents when a former researcher accessed systems more than a dozen times to steal documents and other data. Several years later the firm was one of several hundred targeted in the Google Aurora attacks, believed to be a cyberespionage operation undertaken by China. When hacktivists leaked emails associated with the HBGary Federal data breach, Brock's name was mentioned in an email between vendors about the Night Dragon cyberespionage attacks. Brock called the email breach an embarrassing time for everyone involved.
"I was getting strong support to improve our controls, and we had some pretty energetic discussions with these vendors," Brock said. "We were mostly upset with vendors trying to aggressively push their products and influence others."
Brock believes the massive size of DuPont and its various business units made it extremely difficult to tightly control its sensitive data and keep track of where it resided. DuPont had a data classification system that had been around for many years, Brock said. Top-secret level information was classified and executives thought it was tightly guarded.
"Clearly, when you get down to the individual within the business unit that owns the data, they understand the importance but, from a global or corporate perspective, we did not have an inventory," Brock said.