Intellectual Property Attacks
Though attacks upon intellectual property have existed since at least the first profit-driven intellectual creation, the sophistication and volume of attacks have only increased with the growth of portable electronic media and Internet-based commerce. Well-known intellectual property attacks are software piracy and copyright infringement associated with music and movies. Both have grown easier with increased Internet connectivity and the growth of piracy-enabling sites, such as The Pirate Bay, and protocols such as BitTorrent. Other common intellectual property attacks include attacks against trade secrets and trademarks. Trade secrets can be targeted in corporate espionage schemes and are also prone to being targeted by malicious insiders. Because of the potentially high value of the targeted trade secrets, this type of intellectual property can draw highly motivated and sophisticated attackers.
Trademarks can be subject to several different types of attack, including counterfeiting, dilution, cybersquatting, and typosquatting. Counterfeiting involves attempting to pass off a product as if it were the original branded product. Counterfeiters try to capitalize on the value associated with a brand. Trademark dilution typically represents an unintentional attack in which the trademarked brand name is used to refer to the larger general class of products of which the brand is a specific instance. For example, the word Kleenex is commonly used in some parts of the United States to refer to any facial tissue, regardless of brand, rather than to the particular branded product itself; this is an example of trademark dilution.
Two more recent trademark attacks have developed out of the Internet-based economy: cybersquatting and typosquatting. Cybersquatting refers to an individual or organization registering or using, in bad faith, a domain name that is associated with another person’s trademark. People will often assume that the trademark owner and the domain owner are the same. This can allow the domain owner to infringe upon the actual trademark owner’s rights. The primary motivation of cybersquatters is money: they typically intend to capitalize on traffic to the domain by people assuming they are visiting the trademark owner’s website. Typosquatting refers to a specific type of cybersquatting in which the cybersquatter registers likely misspellings or mistypings of legitimate trademarked domain names.
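A defensive check for the cybersquatting and typosquatting described above, as an added example that is not from the original text: it flags observed domain names that reuse a protected name under another top-level domain or differ from it by one edit (insertion, deletion, substitution, or adjacent transposition). The domain names, function names, and the one-edit threshold are assumptions made for illustration.

```python
# Added example. All domain names are constructed for illustration.

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = [], list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]

def split_domain(domain: str):
    """Assumption: input is a registrable domain of the form name.tld."""
    name, _, tld = domain.lower().rstrip(".").partition(".")
    return name, tld

def classify(candidate: str, protected: str, max_distance: int = 1):
    """Return why candidate resembles protected, or None if it does not."""
    c_name, c_tld = split_domain(candidate)
    p_name, p_tld = split_domain(protected)
    if (c_name, c_tld) == (p_name, p_tld):
        return None  # the trademark owner's own domain
    if c_name == p_name:
        return "same name under a different TLD"
    distance = osa_distance(c_name, p_name)
    if distance <= max_distance:
        return f"name is {distance} edit(s) from the protected name"
    return None

def find_lookalikes(observed, protected):
    """Map each suspicious observed domain to the reason it was flagged."""
    flagged = {}
    for domain in observed:
        reason = classify(domain, protected)
        if reason:
            flagged[domain] = reason
    return flagged

PROTECTED = "examplebank.com"  # constructed brand domain
OBSERVED = ["examplebank.com", "exampelbank.com", "examplbank.com",
            "examplebannk.com", "examplebank.net", "weather.org"]

if __name__ == "__main__":
    for domain, reason in find_lookalikes(OBSERVED, PROTECTED).items():
        print(f"{domain}: {reason}")
```

A flagged name is a candidate for review, not proof of bad-faith registration; short brand names produce more false positives at the same threshold.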
Privacy
Privacy is the protection of the confidentiality of personal information. Many organizations host personal information about their users: PII (Personally Identifiable Information) such as social security numbers, financial information such as annual salary and bank account information required for payroll deposits, and healthcare information for insurance purposes. The confidentiality of this information must be assured.
One of the unfortunate side effects of the explosion of information systems over the past few decades is the loss of privacy. As more and more data about individuals is used and stored by information systems, the likelihood of that data being inadvertently disclosed, sold to a third party, or intentionally compromised by a malicious insider or third party increases. Further, with breaches of financial and health records being publicly disclosed, routinely numbering in the millions to tens of millions of records compromised, the erosion of privacy of some of the most sensitive data is now commonplace. Previously, stealing millions of financial records could have meant physically walking out with enough paper records to fill a tractor trailer; now all this data can fit onto a thumbnail-sized flash memory device.
Privacy laws related to information systems have cropped up throughout the world to provide citizens with either greater control over or greater security of their confidential data. While there are numerous different international privacy laws, one issue to understand is whether the citizen’s privacy protections are primarily opt-in or opt-out: does the citizen have to choose to do something to gain the benefit of the privacy law, or is it chosen for them by default? For example, a company gathering personal data clearly states that the data can be sold to third-party companies. Even though the organization clearly states this fact, albeit in fine print, it might require the individual to check a box to disallow their data being sold. This is an opt-out agreement because the individual had to do something in order to prevent their data from being resold. Privacy advocates typically prefer opt-in agreements, where the individual would have to do something in order to have their data used in this fashion.