BreachExchange mailing list archives
IP security checkpoint: Can inside counsel trust IP management providers to protect their data?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 Oct 2015 13:42:02 -0600
http://www.insidecounsel.com/2015/10/09/ip-security-checkpoint-can-inside-counsel-trust-ip

As the sophistication of hackers has reached new heights, reports of corporate security breaches are occurring with greater frequency than ever before. Inside counsel in particular must ensure that all third-party vendors hosting sensitive intellectual property (IP) data are continuing to address new risks as the threat landscape continues to evolve. Providers of Trademark Watching and Clearance, Domain Name Registration Services, and IP Management Systems are all potential targets – just imagine the havoc that could ensue if any of the sensitive information stored within these systems were leaked. The good news is that ensuring that your vendors have deployed appropriate security measures and necessary functionality is actually a fairly straightforward task.
From a security standpoint, every vendor hosting your intellectual property data should minimally be offering the following to protect your data:

Two-Factor Authentication

Any online system that requires only a single login and password to gain access is not secure. How can that be? Given the relative ease with which hackers have amassed credential information over the last several years via keystroke loggers and malware, man-in-the-middle attacks, and vulnerabilities such as Heartbleed, it's easy to understand why simple login and password combinations are no longer enough to protect valuable data. So, in addition to login and password combinations, vendors should make available two-factor authentication (2FA), which consists of a randomly generated one-time passcode (OTP) usually made available via a mobile app or a device such as a key fob. If your vendor supports federated authentication via Single Sign-On (SSO) leveraging both the SAML and ADFS open standards, you can achieve even higher levels of security, assuming that your corporate standards require a second form of authentication.

SSAE 16 SOC2 Type 2 Reporting

Third-party SSAE 16 reporting can ensure that internal controls are adhered to both for the hosting environment and for the application software. In particular, pay close attention to controls for security that certify that the system is protected against unauthorized access, use, or modification. Controls for availability, which certify that the system is available for operation and use as committed or agreed, should also be a primary focus.

Encryption At Rest and In Transit

Given the sensitive nature of IP data, all stored information should be encrypted using methods such as AES, RSA, and SHA-256. Encrypted data should remain encrypted unless access via credential information is granted. With this approach, even if a database breach were to occur, compromised information would remain encrypted.

Network Vulnerability and Penetration Testing

All vendors hosting your IP data should be regularly conducting third-party penetration testing to uncover vulnerabilities within their application and their network. If you are unsure whether your vendor is currently undertaking this effort, ask.

Single Tenancy

Single tenancy is when each customer's application is supported by its own database instance and supporting infrastructure. Data is never commingled, and for this reason these applications are more secure than those of vendors who only offer multi-tenancy options.

Granular User Rights Management

Not everyone with access to your Trademark Watching and Clearance Platform, Domain Registrar Account, or IP Management System needs to see, or even should see, every piece of information it contains. In fact, limiting who has access and what they can update or modify should be standard practice. Functionality should exist to easily manage all users, whether they have full access, read-only access, or no access to specific records and fields.

Audit Logging

All online IP Management systems must provide full audit logging so that there is never any question regarding who submitted an order, requested a domain renewal, or marked a patent to lapse. All updates must be time-stamped, and any approvals required must be logged within the system as well. This information should be easily accessible and un-editable.

Documented Internal Policies, Guidelines and Physical Controls

Don't be afraid to ask your vendors to provide documentation of their internal security protocols. For instance, how do they handle requests for password updates, do they conduct background checks for employees, and what types of physical controls are in place? These are just a few of the questions to consider asking your vendors.
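Added example (not code from the article or from any vendor it mentions): one way to make the audit-logging requirement above verifiable, so that "time-stamped and un-editable" can be checked rather than taken on trust. Each entry carries the SHA-256 hash of the previous entry, and a verifier recomputes the chain; the users, event names and record ids are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical append-only audit log for an IP management system (constructed
# example). Every entry is time-stamped and links to the previous entry's hash,
# so a retroactive edit or deletion breaks the chain and is detected.
GENESIS = "0" * 64


def _entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) keeps the hash stable.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(log, actor, action, record, when=None):
    """Append an event linked to the previous entry's hash; return it."""
    entry = {
        "seq": len(log),
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,  # e.g. order_submitted, domain_renewal_requested
        "record": record,  # the trademark, domain or patent affected
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """Recompute every hash and link; return (ok, first_bad_seq)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev or _entry_hash(body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def demo():
    """Build a small constructed log, then edit one entry in place."""
    log = []
    append_event(log, "jsmith", "order_submitted", "TM-APP-0001", "2015-10-09T19:42:02+00:00")
    append_event(log, "akumar", "domain_renewal_requested", "example.com", "2015-10-09T19:45:10+00:00")
    append_event(log, "jsmith", "patent_marked_lapse", "PAT-0042", "2015-10-09T19:50:33+00:00")
    clean_ok, _ = verify_chain(log)
    log[1]["actor"] = "someone_else"  # retroactively change who asked for the renewal
    tampered_ok, _ = verify_chain(log)
    return clean_ok, tampered_ok  # (True, False)
```

In a real deployment the chain head would be anchored outside the database (for example, published to a write-once store or signed periodically), since the vendor's database administrator could otherwise rewrite the whole chain.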
While this is certainly not an exhaustive list, it does provide a solid starting point for inside counsel who are evaluating whether their vendors are serious about protecting their IP data. Of course, in time, new threats will undoubtedly arise – but working with vendors committed to protecting proprietary data will help to mitigate risks, now and in the future.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/