Last week, Oracle initiated a lawsuit against archrival SAP for allegedly stealing copyrighted software and customer support documents. The complaint, filed in a San Francisco federal court, details Oracle’s charges, including claims that the illicit incursions were launched from SAP’s recently acquired Texas-based subsidiary, TomorrowNow.
By Oracle’s reasoning, it was no accident the raids originated there: SAP needed the documentation to support the customers it had lured away from Oracle by promising lower-cost maintenance and support. When those clients signed on with SAP, the vendor found it didn’t know enough about Oracle to deliver what it promised — or so Oracle argues.
Over a five-month period, SAP downloaded more than 10,000 documents, according to the complaint.
It isn’t clear whether Oracle’s allegations against SAP are correct. However, it’s no secret that such incidents happen with regularity.
“Misappropriation of trade secrets is nothing new,” Peter Vogel, a partner with Gardere Wynne Sewell, told CRM Buyer.
Indeed, Oracle’s allegations against SAP made headlines primarily for the same reason that the Hollywood celebrity tiff-of-the-day makes the news: It’s fun to watch — and maybe we’ll learn something we shouldn’t or ordinarily wouldn’t about the parties involved.
The Tech Factor
Shady business practices have become far more dangerous — and easier to perpetrate — with the advent of enterprise technology. Just about every work process is in some way automated. Casual internal e-mails can mention a pending patent that a company wishes to keep secret. Sensitive customer data is a thin firewall away from hackers.
The irony, though, is that companies all too often find themselves victimized by fraudsters using the same tactics they use against consumers — that is, a mix of technology and some savvy social engineering.
Consider, for instance, what Oracle alleges SAP to have done. Assuming Oracle’s description of SAP’s activities is accurate, there is nothing technically that Oracle could have done to prevent the theft, Ron O’Brien, senior security executive at Sophos, told CRM Buyer.
“Given the fact that the logon and password were compromised, there is no security method that would lead me to believe that this could have been prevented,” he said.
Most likely, he said, the perpetrators would be caught for the same reason the alleged perpetrators against Oracle were caught: They downloaded a huge amount of data in a short period of time.
“Other than that, a customer downloading documentation is not going to trigger an alert of any kind,” O’Brien noted.
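The volume signal described above can be sketched as a per-account sliding-window count of distinct documents. This is an added example, not code from the article or from any party it names; the log format, account names, window and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    # Assumed (constructed) log format: "<ISO timestamp> <account> <document id>"
    ts, account, doc = line.split()
    return datetime.fromisoformat(ts), account, doc

def bulk_download_alerts(lines, window=timedelta(minutes=10), max_docs=20):
    """Return {account: peak} for accounts whose count of distinct documents
    inside any sliding window exceeds max_docs. Valid credentials look normal
    per request, so the only signal used here is volume over time."""
    recent = defaultdict(deque)  # account -> (timestamp, doc) events still in window
    peaks = {}
    for ts, account, doc in sorted(parse(l) for l in lines):
        q = recent[account]
        q.append((ts, doc))
        while q and ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = len({d for _, d in q})   # repeat fetches of one doc count once
        if distinct > max_docs:
            peaks[account] = max(peaks.get(account, 0), distinct)
    return peaks

def sample_log():
    """Constructed sample data: three hypothetical support-portal accounts."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(5):    # cust-a: five documents spread over a working day
        lines.append(f"{(base + timedelta(hours=i)).isoformat()} cust-a DOC-{i}")
    for i in range(120):  # cust-b: 120 different documents, one every 3 seconds
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} cust-b DOC-{1000 + i}")
    for i in range(60):   # cust-c: noisy client re-fetching the same 3 documents
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} cust-c DOC-{i % 3}")
    return lines

if __name__ == "__main__":
    for account, peak in bulk_download_alerts(sample_log()).items():
        print(f"ALERT {account}: {peak} distinct documents within 10 minutes")
```

Counting distinct documents rather than raw requests keeps a retrying client (cust-c) from alerting while the account sweeping the library (cust-b) does.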
The Social Engineering Piece
Indeed, the compromised logon and password are what stand out in this story. That Oracle, a tech giant in its own right, would allow such a gap in its security methodologies is ironic but not uncommon, said Scott Braunzell, cybersecurity practice leader and senior managing director of Risk Control Strategies, a corporate security consulting firm.
“For companies to protect themselves against theft like this, they need to maintain a strict level of access control,” he told CRM Buyer. “This includes maintaining up-to-date passwords and culling lists of authorized people once they leave a firm.”
Security — and more specifically, access control — has been a growing focus of most tech applications over the last few years, especially in the face of new regulatory changes.
The most recent version of Oracle’s enterprise search application, for example, has embedded security features, a selling point the company highlighted when it introduced the platform.
In years past, companies were careless with internal security by storing proprietary data on “secret” servers and not coding documents appropriately. Introducing an enterprise search application would allow any employee to find that secret server and sensitive data — unless only authorized users were permitted to view certain content.
Oracle solved that problem by integrating the application with multiple user authentication systems and providing a hardened repository for storing the search index.
A Few Tips
In the case of SAP’s alleged spying, the fact that Oracle noticed that unusual amounts of data were being downloaded shows that it was actively monitoring its network, Braunzell said. However, there are measures that might help companies prevent a breach from reaching that stage.
Many companies make the same silly mistakes that people make when they try to protect their home computers or networks, technology attorney Vogel said. “They allow employees to use the same password year in and year out — or allow them to use easy-to-guess passwords like their spouse’s name.”
Also, too few companies provide ongoing training to employees to beware of phishing and other techniques used to gain illegal entry. “It is not uncommon for someone to pretend to be from the help desk to gain a password,” he observed.
It can happen at home too, in various ways — for example, a caller may pretend to be from your credit card company and ask for your social security number. When it happens on the job, though, the financial consequences can be multiplied exponentially.