Getting outsourcing to practise what you preach

From an information security perspective, my company's offshoring strategy has been a nightmare. I have seen very little awareness of information security requirements among our offshore partners, and cultural differences extend to what constitutes intellectual property and how it should be handled.

But despite all the grief offshoring brings me, it's a practice we can't afford to abandon. Thus, I am in the midst of a world tour, visiting China, Korea, Singapore and Taiwan last month, heading to India this month and then making my way to Europe and Russia next month.

We have employees in each of these countries doing very important work for us, and without those relationships, we would have a hard time surviving in our industry. Our competitors are cutting the costs of the goods they produce by offshoring, and so we must conduct business in the same manner.

This fact of life can be hard to keep in mind, though, when I am constantly getting calls from our CIO and legal department telling me about suspicious behaviour of overseas employees and allegations of intellectual property theft. The same sorts of things can happen with local employees, of course, but there has been an increase in reports of such activity in certain overseas locations. Worse, the laws in these areas are not always clear or completely enforceable, so even if we do catch someone, there's not much we can do other than fire him.

These trips, then, are giving me an opportunity to make some firsthand observations about security practices at the various sites and to try to educate our overseas employees about the serious ramifications that come with ignorance of security policies.

On the East Asian leg of my tour, I visited some of our company's major customers. They regularly call our service technicians to conduct routine maintenance on our equipment, which is very sensitive and requires a considerable amount of calibration on a regular basis. I have talked before about the value and importance of the intellectual property that's contained in the service manuals used by our technicians and about my investigation into digital rights management (DRM) as a means of protecting this intellectual property. The service business generates a significant amount of revenue for my company; if the service manuals fall into the wrong hands, a third party or rogue employee could offer our customers discounted service, and we'd be out a lot of revenue.

But by being on the ground at customer sites, I learned how the service technicians really work and found out that simply instituting DRM without taking other measures will do nothing to protect our intellectual property. For the most part, the service technicians just print out a few pages of the PDF manual to bring into customer facilities. It seems that many of our customers have strict policies on bringing in laptops, CD-ROMs or other external media. In addition, the printed copies are easy to take notes on. So, security needs are crashing up against the operational needs of our technicians. Another complication is that some of the DRM technology I've been looking at requires an Internet connection to obtain policy information, yet all of the facilities I visited restrict Internet access.

As the Cookie Crumbles

Next up was security awareness training. Because of the workload of the employees, I was given only an hour, but I could have gone on for six hours on this topic. Needing to be brief, I first spoke about intellectual property. Needing to get my point across to people who don't have the best command of the English language, I started out with a basic definition and then related intellectual property to chocolate chip cookies. Everyone likes cookies, I said, and everyone has a favourite brand. But what makes one taste better than another? It's the recipe - the ingredients, the amounts and the baking temperature - and a cookie company's recipe must be kept secret from competitors; it is intellectual property. For my company, the recipe is the "bills of materials", the specifications of the components, which are intellectual in nature and set us apart from our competitors. I seemed to get my point across, and I had enough time left to discuss the need for basic awareness of issues such as virus protection, incident reporting, social engineering, our acceptable-use policy and wireless security.

At each site, I also conducted some limited vulnerability assessments. I had my laptop, which I dual-booted to Linux. On the Linux partition, I had a fresh install of Nessus, a freely available assessment tool, and I used it to run some scans of the local network, including desktops and servers. Nessus discovered ports that were responding on some of the desktops, which indicated that some users' machines might be infected with malicious code that operates by opening a port and waiting for a remote connection. I prepared a report and presented it to the local IT guy at each site.

I had also brought my handy PDA with AirMagnet software installed, which I used to detect several wireless access points connected to our network. We were able to find out which user had deployed these access points. As I suspected, the access points were available for a few dollars at a local market, and the user thought it would be convenient to be able to roam around the office without being tied to Ethernet ports. He didn't understand the security ramifications of installing rogue access points or the policy that we have in place prohibiting them. Apparently, that policy wasn't fully translated into the language he speaks.

With four countries behind me, this trip has already been worthwhile, and I anticipate that the same sorts of issues and challenges will arise as I continue my travels. v

"Mathias Thurman" is the nom de plume is a real security manager whose name and employer have been disguised for obvious reasons