The Newberry Group Blog

Thursday, September 01, 2016

Technical Considerations for IP Theft - Part 6 in a 6 Part Series

(scroll down for parts 1-5)

Technical Considerations for IP Theft

Over the past 5 blogs, I have talked about IP theft and focused on two cases; one case that was done correctly and one case, which in my opinion could have been done better. Now I get to the question that organizations always ask after they have been through an IP case… Can IP theft be stopped or at least reduced?

Short answer is, no, theft of IP (intellectual property) can’t be completely stopped, but you can greatly reduce the ways that data is taken and the amount of data that is taken. On top of that, you can get alerted earlier that IP is being taken. There is no technology that is going to provide a silver bullet to solve all of your problems. To be honest, solving the problem does not even start with having the appropriate technology in place. It starts with those words that most people in IT hate; Policies and Procedures. Without strong, consistently enforced policies and procedures, putting in expensive monitoring technology could be a waste of time and money.

Review Your Policies

Most companies have at least some policies in place, but let’s be honest, how often do they get updated? How often is the employee handbook reviewed with employees? Do they just have to hand you a piece of paper saying they read it? How well versed is IT in the policies that are out there? Has IT seen these policies and agreed they are enforceable with the current technology that is in place? Is an after action review held after every incident of IP theft so policies and procedures can be reviewed and updated? Do you have policies in place that address BYOD (Bring Your Own Device), Cloud or Social Media? Or is it still not mentioned? If the answer is no, to any one of those questions – you may already have unwittingly made it easier for people to get away with stealing IP.

Policies are pretty easy. They are NOT paragraph after paragraph of bloated legal language. Policies need to be short and to the point. It is my opinion that a policy should be no longer than 3 sentences. With that being said, most policies can be written with one sentence. Think of this as a policy: “Any device that connects to the corporate network will be monitored” or “ABC Company allows employees to use their own phone for work as long as they sign the BYOD agreement”. These are both short and to the point. There is no question what they mean; however, the meat of a policy is in the procedure that is attached to that policy. A policy may stay the same for years, but the procedures for that policy may change often. These procedures can be very detailed and, in a lot of instances, are written based on the type of technology that the organization has in place to enforce the policy.

Now let’s jump to that new hire. Did they get a handbook or at least some corporate documentation when they started? While I am not an HR specialist, I have learned over the years that certain paperwork needs to be given to an employee or your IP theft case could potentially get thrown out. Some of the key documents that every employee needs to be given on the first day of their employment are:

  • Acceptable Use Policy
  • Email and Internet Usage Agreement
  • Confidentiality Agreement
  • Proprietary Information Agreement

And when an employee leaves:

  • Return of Company Property Document (Employee signs at departure)

Most of these documents are self-explanatory, but there are a few things that I want to highlight. Work with your legal counsel so the documents convey the message that the employee has “no right to privacy” and that the company has the “right to monitor”. Without these two statements, many types of technology that you could use to detect theft of IP would be an invasion of privacy in the workplace, and your case could potentially get thrown out. We also recommend that companies go one step further and create a logon banner, shown at computer logon or when a device first attaches to their network, that states there is no right to privacy and they will be monitored. In addition, it is important that the policies also state that data is company property, not just devices, as so many people initially think.

Another important step is to make sure that you have a termination plan which ensures that everyone who leaves the organization, whether voluntarily or involuntarily, is handled the same way: access to all their accounts is shut off, devices that are the property of the organization are returned, and the return of company data and documents is verified. Suggestions for inclusion into the termination plan:

  • Creation of a “Return of Company Property Document” which would be  signed by employee upon termination or resignation and verified by IT,
  • Outline when IT is notified of an employee’s departure,
  • Outline when IT shuts off all access to all accounts the employee has access to.

You would be surprised how often this step is skipped because HR doesn’t tell IT right away when someone leaves.

  • Outline the creation of forensic images of all the electronic devices and network shares, including hard drives, corporate email, USB devices, home and public network shares,
  • Determine when you will ask for and create forensic images of any BYOD item that the employee was allowed to use while employed, this would be outlined in the BYOD agreement,
  • Determine a place to store all images which is a secure and fault tolerant location,
  • Outline who will wipe their work hard drive,
  • And after the drive has been wiped, when to re-install the corporate standard “gold” image.  If you don’t have a “gold” image, we suggest one be created and be used moving forward.

After you are done with the creation of a termination plan, it is time to create a forensic readiness plan. This plan is designed to outline, depending on the employee that leaves, what if any forensics investigation will be done on the employee’s devices that they returned, which were imaged during the termination process.

The last thing that needs to be in place is a corrective action and reporting plan. This plan is created with help from your human resources (HR) folks. Once you put technology in place to detect the theft of IP, it will also pick up “other issues” inside the organization that will need to be handled. IT and HR need to make sure that everyone is treated the same, no matter who they are. If you are not consistent in the ways you treat employees, you could face a wrongful termination claim in the future. Consistent enforcement of this plan will hopefully prevent that from happening.

Corporate security as a Tootsie-Pop[i]: IP Theft Detection Technology

Now that you have gotten your policies and procedures in order, it is time to think about what technology you might want to have in place to help with the detection of data leaving. I refer to corporations and their security as a Tootsie-Pop, you know with the hard crunchy shell and a soft gooey center.

Corporations spend millions to keep people out that don’t belong, with firewall and IDS/IPS devices. While these types of devices are very important for all organizations to have in place, they forget that sometimes, the largest danger is from within the organization, the trusted employees. I call this Internal Threat Management. 

For years, Internal Threat Management has been a manual process. Just as I outlined in my previous blogs, a corporation thought that they might have a problem for various reasons and they sent the devices for us to look through for signs of IP Theft. This manual detection process is a good start, but with anything that is manual there is a chance that something can get missed or the employee is technically savvy and was able to cover their tracks.

As technology has gotten more advanced, we are moving Internal Threat Management into a world where corporations are starting to be able to automatically prevent data from leaving. This advanced technology makes things easier to demonstrate corporate compliance, instills confidence in the organization, and most importantly, saves time and money. A lot of people for simplistic reasons, call this data loss prevention.

When you dig into data loss prevention, there are actually two main areas, Device Control and Network Content Monitoring.

Our first recommendation of technology to put in place is Device Control. Most employees that take IP with them on departure do so by using USB drives. Device control allows you to know what external devices have been hooked up to the system. Depending on the technology chosen, you will be able to:

  • See what files/folders have been copied on/off the device,
  • Allow or deny specific devices depending on a list of variables,
  • Make copies of all files that have been copied into a “safe area” so that they can be later viewed for investigation reasons (note: don’t make this the “C Drive” as it is easy to wipe),
  • Make devices read only,
  • Allow copying/moving of files based on a list of variables (i.e. block MS Word files, but allow photos),
  • Block copying of files based on keywords.

For example, a client of ours which has device control in place will, upon the departure of an employee, pull up the device control logs for that employee to see what actually happened prior to the employee leaving. Those logs are then compared to the Return of Company Property Document to help validate that all devices and IP have actually been returned.
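The comparison that client performs can be scripted. The following is an added example, not code from the original post or from any device-control product; the CSV columns, action names, serial numbers and the `reconcile` function are assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample export. Every device-control product has its own log
# schema, so these column names and action values are assumptions.
SAMPLE_LOG = """\
timestamp,user,device_serial,action,path
2016-08-01T09:12:00,jdoe,USB-AAA111,CONNECT,
2016-08-01T09:14:10,jdoe,USB-AAA111,COPY_TO_DEVICE,C:/Projects/roadmap.docx
2016-08-24T17:40:00,jdoe,USB-BBB222,CONNECT,
2016-08-24T17:42:31,jdoe,USB-BBB222,COPY_TO_DEVICE,C:/Projects/pricing.xlsx
2016-08-24T17:43:02,jdoe,USB-BBB222,COPY_TO_DEVICE,C:/Projects/clients.csv
2016-08-25T08:05:00,asmith,USB-CCC333,COPY_TO_DEVICE,C:/Temp/photo.jpg
2016-08-26T16:55:00,jdoe,USB-DDD444,CONNECT,
"""


def reconcile(log_text, user, returned_serials, last_day, window_days=30):
    """Compare devices a user attached before departure with those handed back.

    returned_serials: serial numbers listed on the signed
    Return of Company Property Document.
    last_day: the employee's final day (datetime.date).
    """
    window_start = last_day - timedelta(days=window_days)
    returned = {s.strip().upper() for s in returned_serials}
    seen = set()
    copied_out = defaultdict(list)

    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user"] != user:
            continue
        day = datetime.fromisoformat(row["timestamp"]).date()
        if not window_start <= day <= last_day:
            continue
        serial = row["device_serial"].strip().upper()
        seen.add(serial)
        if row["action"] == "COPY_TO_DEVICE":
            copied_out[serial].append(row["path"])

    unreturned = sorted(seen - returned)
    return {
        # Every device the user attached inside the review window.
        "devices_seen": sorted(seen),
        # Attached inside the window but missing from the signed document.
        "unreturned": unreturned,
        # What the logs say was written to each missing device.
        "files_on_unreturned": {s: copied_out.get(s, []) for s in unreturned},
        # Handed back but never logged: worth asking where it came from.
        "returned_never_seen": sorted(returned - seen),
    }


if __name__ == "__main__":
    report = reconcile(
        SAMPLE_LOG,
        user="jdoe",
        returned_serials=["USB-AAA111", "USB-ZZZ999"],
        last_day=date(2016, 8, 26),
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

A device that was connected but shows no copy activity still appears under `unreturned`, because the signed document should account for every device, not only those with logged writes.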

Previously, I mentioned reverse IP theft, which is when a new employee brings stolen IP from a previous employer in to use at your company. Another advantage of Device Control is that it can be set up so that it detects data coming onto your network, giving you a warning that reverse IP theft may be happening.

Network Content Monitoring is another type of technology we highly recommend putting in place to detect IP theft. This technology is a lot like an IDS/IPS device in that it watches network traffic. However, this technology watches traffic going in both directions for actual content, meaning it is looking for readable text and looking for key words or concepts. Depending on the technology, it can also be set up to block content. We do not recommend that companies block. Blocking is very dangerous, as critical time sensitive documents may inadvertently get blocked due to content, so be very careful if you turn on blocking and be ready to respond to angry employees 24/7 when there are emails that don’t get sent.

For content monitoring, we highly recommend that you work with a 3rd party to monitor these logs so that no one with a potential conflict of interest is monitoring the logs. In addition, depending on the technology you choose, you might also identify HR related issues that need to be addressed which will call for utilizing your corrective action plan. Note: It is very important to have your updated policies and procedures in place before you turn on network monitoring. It will save time and headache in the long run.

Lastly – remember to do an after action report on every investigation of theft of intellectual property, no matter the result. After action reports (AARs) are formal documents that are essential in evaluating performance, identifying areas of improvement within your policies and procedures, and proposing adjustments and recommendations for your policies, procedures, and implemented technology.

As you can see, stopping IP from leaving your company is not as easy as flipping a switch. It takes many moving parts to make the system work properly. Having HR, IT, and Legal all involved is necessary for it to be successful along with the proper technology and forensic services.

Newberry Group provides an array of solutions that can assist an organization in minimizing the loss of IP. Some of these include:

  • Security Program and Policy Development. Newberry aligns your business practices with contemporary risk models and effective governance to protect and support sustained growth. We provide recommendations for your team to implement, or we can manage and guide the process of establishing best practices in your organization.
  • Forensic Analysis of new and departing employee activity. Through our New Hire Program and Departing Employee Program we analyze digital evidence to determine what data is coming in to and out of your organization. Just as you are concerned with theft of your IP, you should also be concerned with IP that has been stolen from a competitor that is brought in.
  • Forcepoint’s SureView Insider Threat detects suspicious activity, whether it is a hijacked system, rogue insider, or simply a user making a mistake. It ensures that your intellectual property or regulatory compliant data is not compromised.
  • ForeScout CounterACT for Network Access Control (NAC) is an automated security control platform that lets you see, monitor, and control everything on your network—all devices, all operating systems, all applications, all users. ForeScout CounterACT lets employees, contractors, and guests remain productive on your network while you protect critical network resources and sensitive data.
  • Forcepoint’s TRITON AP-DATA and AP-ENDPOINT extends data security controls to enterprise cloud applications and to your endpoints. Safely leverage powerful cloud services like Microsoft Office 365, Google for Work and, as well as protecting your sensitive data and intellectual property on Windows and Mac laptops, both on and off-network.

For more information about these products or any others that we offer, contact us at and we will be glad to have a discussion about what is best for you.

[i] Tootsie-Pop is a registered trademark of Tootsie Roll Industries and

Posted by: Jeremy Wunsch

Thursday, July 28, 2016

Technical Considerations When Working With Lawyers - Part 5 in a 6 Part Blog Series

As a forensic consultant, the phone is constantly ringing. Calls come from law firms and from corporations; you never know who you will be talking to when you pick up the phone.  More importantly, the other unknown when you pick up the phone is the level of technical knowledge the person you are talking with has.  Over the years, we have worked with people that we have had to educate on technology and in other instances we have dealt with technologically savvy individuals. I am not saying that your legal team needs to understand technology at the same level as your forensic consultant, but it is critically important to your case that whoever is involved, knows how to properly work a theft of IP case.

One of the first cases that I ever worked on for a theft of IP was with a senior partner of a mid-sized law firm.  While talking with him, it was readily apparent that his understanding of technology was fairly low. He would never ask questions and wanted me to believe that he completely understood technology he was dealing with.  As we worked together, I realized that I would have to mix case details with technology education, without making him realize I was teaching him.  Lucky for us, the lawyer on the other side knew even less about technology than the lawyer I was working with. My client won their case and everyone was happy, but I have to share one last question that I was asked by the lawyer I had been working with after the case was completed.  He asked - “What is a hard drive?”  I was shocked.  I didn’t know if I should laugh or cry, as we had been talking about data being stolen from hard drives throughout the entire case.  From that moment on, I paid very close attention to the technical knowledge level of everyone that I worked with.

Before I continue, a disclaimer. I’m not here to tell you which law firm or specific lawyer you should work with.  I’m not talking negatively about any specific firm or specific lawyer.  But as my years of experience have shown me, I have found it very important that when you are selecting counsel for a case; make sure to retain lawyers that truly understand technology and that your case is not the first time that they have been involved with theft of IP.   I would encourage asking for a list of theft of IP cases that they have taken to trial and ask for references.

And here is why.

Home Based Employee Case Study Continued:

I’m going to jump back in to our home based employee case study that we have been discussing in previous blog posts.  Again, I am not here to say this is a bad firm, nor am I here to say that the lawyers at the firm that I worked with should not be used again for cases like this.  I want to point out opportunities to work the case differently, allowing the case to move along faster and, perhaps more importantly, potentially reduce and maybe even eliminate legal fees for our client.

Let’s recap a few of the key things that happened after we gave our initial findings report to the original law firm:

  • Our client thought they would be better represented by having a law firm that was based in the location of the two employees that left.
  • The firm that they chose was a very large international firm.
  • The transition to the new law firm for our part of the case was not smooth. Weeks passed and no contact was made even though we were the only ones with “smoking gun” evidence in this case.
  • Knowing that time was of the essence in order to get a TRO, concern was growing that I had not heard from the new law firm for weeks after I was told about the change.
  • When the new law firm called us, it was an associate of the senior partner that the corporation had hired, and we were told that they had received the report and that someone would get back to me.
  • Weeks went by and I received another call to “understand” the findings of the report.  To the law firm’s defense, because of the home based network that one of the employees had, it was not your typical report and the complexity of the report would have been difficult for all but the most technical lawyers to understand.
  • In the end, the new law firm opted not to pursue a TRO against the two departed employees.  They wanted to “play nice” assuming that the employees would just turn over their personal devices when requested to do so.
  • The employees each retained their own lawyers to fight turning over their personal devices and instead of heading to court to fight this battle of stolen IP, it was decided to opt for arbitration instead.
  • Upon the decision to go through arbitration, we did not hear from the new law firm for the next 8 months.

So we pick up the story 8 months later. To be honest, we thought the case had settled and we were not notified, as our emails and phone calls were going unanswered.  Then out of the blue, I got a phone call from the associate at the firm.  We were told that they were in settlement discussions with both of the former employees and they needed our help finishing up writing a settlement agreement. I asked them to send what they had up to this point and I would make changes and recommendations to it.  What she told us next was very alarming.  We were told that the agreement was actually in final stages of development and both the arbitrator and the lawyers for the other sides had already seen it.  At this point, we knew we had a potential problem.

From the discussions 8 months prior, I had already figured out that both the associate and the senior partner at this firm had limited knowledge about technology.  Because of the very technical details of this case with this large home network, concern was growing over what we might see in a settlement agreement that had been drafted without our help.  When the document arrived, my suspicions were correct.  It was one of, if not the worst settlement agreement that I had seen in 20 years being a forensics examiner.  Here are some of the highlights:

1. One employee admitted that he still had the virtual machine (VM) that contained corporate email but yet the settlement agreement stated that they agreed to take at face value the word of the former employees that they had no data in their possession.
2. The employees agreed to send the computers to check for IP, but there was no timeline for when the machines needed to arrive at our facility for forensics investigation.
3. In the initial reports, we listed countless devices that were used and might contain stolen IP, and they didn’t ask for most of those devices to be sent to be investigated.
4. We were prohibited from telling our lawyers and our corporate client what devices were actually coming in.
5. We were prohibited from telling our lawyers and our corporate client how much data we were searching on the devices that came in.
6. We were prohibited from telling our lawyers and our corporate client if we were finding any stolen IP.
7. We were prohibited from telling our lawyers and our corporate client how much stolen IP we had found.
8. We had to redact our invoice to remove any identifiable information that would inform the lawyers or our corporate client anything relating to points 4-7.  Basically we were only able to hand them an invoice with a dollar amount and no supporting documentation.  Not the way we usually do business.
9. Most importantly, the company that had their IP stolen had to pay.

Horrified does not even begin to describe how we felt about this agreement.  This agreement failed to take in to consideration the type of technology in question and how that technology can not only be used to store IP but how we as a digital forensics company can identify our corporate client’s data contained on the machines and drives.  We feared this agreement would end up being a very large and costly mistake. We raised our concerns with our client but they said they trusted the new law firm.

We suggested corrections/changes to technical aspects of the settlement agreement and at the same time, we created an internal protocol for how we were going to be handling the data that arrived from these two former employees.  We were able to change the settlement so that the individuals would have to turn over anything that they had in their possession or household that could store electronic information.  Items that this included were:

1. All laptop/desktop computers (including ones belonging to kids/spouse)
2. All USB devices that were used at the former employer, their new employer and at home (including kids/spouse)
3. Cell/Smart phones that could store email or documents (including kids/spouse)
4. Cloud based storage accounts
5. Online email (i.e., Gmail, Yahoo, etc.)
6. All NAS and DAS devices
7. Their new work computer
8. Their new work email and network shares

The reason we created that list is that we had evidence that the stolen IP had been moved and stored on some of the first 6 types of devices listed.  Based on our experience, we assumed that the data also made its way to the new work computer and network. It took a few more months, but the technical changes we suggested finally made their way into the settlement agreement.  Our requests to remove the language which did not allow us to effectively communicate were not granted, so points 4-7 remained in the settlement agreement. I knew this was a disaster waiting to happen as we had never not been allowed to talk to our client about what was happening – especially when they were paying for the work.

Jumping ahead, some of the devices from the large home network started to show up.  Surprise! The devices we received had large amounts of storage space and they were all pretty full. We quickly realized that we would not be searching a few GB’s of data; we were going to be searching terabytes and terabytes of data (one device alone had 8 terabytes on it) blowing our price estimates out of the water.   But now we have a problem – we can’t tell our client any of this, but they are asking for an estimate of what the cost would be.  When we told them a dollar number, there was dead silence on the phone. Then there was anger.  Then there was a demand to tell us how we got that number and all we could say was there is a lot of data but I can’t tell you anything else because of the settlement agreement.  They had no idea the amount of data that we were being sent, and we had not even received 50% of the data yet.  It was finally beginning to sink in to them that this might not have been a very good settlement agreement. The project was immediately put on hold due to cost considerations.

We told them that there was not much we could do unless some part of our hands were untied.  The attorneys went back and got part of the settlement agreement removed so I could now tell them how many devices had come in and how much data was on each device. When we told them – their jaws dropped. But yet, I still could not tell them how much IP I was finding.

The law firm decided to have us search for very specific extensions to reduce costs.  While this might sound like a reasonable idea to reduce cost, we had already found IP in file formats that were images, audio and video.  The only way to search these types of documents is to actually put “eyes on the file”, meaning someone would have to take the time to review each one.   The law firm and the client decided in a cost benefit analysis it was not worth having someone review those non searchable files.

The law firm also decided to reduce the number of devices that were going to be delivered to us.  They had already agreed on doing the search and delete on a rolling production, meaning we would get a few machines to run the protocol on them and then send them back. Here is the problem with this scenario. If there were other machines still at their homes that were not sent to us, yet contained IP, they could very easily go ahead and move the files between machines.  In our initial protocol, we would have looked for this type of file movement, but our original protocol was scrapped. The law firm had limited understanding of what technology could do and at what cost.  They also decided not to take a look at all machines and devices in their household.  This meant all the former employees had to do was say a computer belonged to their spouse, and they wouldn’t have to send it in for inspection, even if it contained IP.

All along we were ringing alarm bells to our client as much as possible.  I even asked our corporate client, if you are not going to do it right, why even do it at all.  They went silent and couldn’t answer the question.  They finally came back to us confirming their trust in their law firm. Here is the sad reality.  We finished the project with the new protocol developed by the law firm, objected to by us. The law firm wasted their client’s money and after all was said and done, we know that the two employees still have copies of IP that they took.

The mistakes that were made by the new law firm because of their lack of understanding in both technology and IP theft cases were some of the worst we have ever seen.  If you remember in my last blog post, the other case that I outlined had roughly 2000 documents stolen and they were awarded $14 million in damages.  In this particular case, there were millions of documents stolen (we assume well over 8 million files were stolen) and we believe that some of them are probably still in the employees’ possession. In the end, our client was awarded nothing due to the settlement agreement, yet they had more than $1 million in legal and third party fees that they had to pay for out of pocket.

The choice not to listen to our expert advice and the decision to “play nice” backfired costing the corporation millions in legal and other associated fees and their competition is probably using their IP as we speak.  Had the law firm worked the case differently, understood the forensics process, and understood the capabilities of the technology, the company would have been able to have all the IP identified and removed and have the other side pay for it.

Moral of these stories - when you have a theft of IP case, do your due diligence. Do not assume that the law firm you currently utilize can handle a theft of IP case. Theft of IP is very serious and very costly. Make sure your law firm treats it that way also.



Posted by: Jeremy Wunsch

Monday, June 27, 2016

Reverse IP Theft - Know What's Coming In To Your Organization. Part 4 in a 6 Part Blog Series

As you have been reading my blog series about theft of IP when an employee departs, I have mentioned that reports have said that about 50% of all departing employees take intellectual property with them to their new employer.  After all, chances are great that they got their new job because of the work that they did at their previous employer. 

We have been talking a lot about that departed employee and how to detect if and what data they may have taken.  But now let’s turn things around. Your company is the one that has hired an employee that stole Intellectual Property (IP) and they bring it inside your company.  How do you know they brought stolen IP in?  Do you have some type of legal exposure?  When they end up leaving your company, will they also steal IP from you?  The list of concerns with employees bringing stolen IP inside can go on and on.

Reverse Intellectual Property Theft is when a new hire brings stolen IP into your company.  Chances are that in your hiring process, asking questions about stolen IP is not something that people think to ask about.  Most companies that I have worked with rarely do much to discourage or stop IP from coming in until it is too late and they get caught.  One simple measure to help discourage new employees bringing in stolen IP is to incorporate some documentation regarding no disclosure or use of Confidential Information of Others. The intent of this language is to make sure that the new employee is aware they are not to bring into your organization IP from another company.  It should also address that they not use in the performance of their responsibilities at the Company any confidential or proprietary information, materials, trade secrets, intellectual property, or documents of a former employer or other third party that are not generally available to the public, unless the employee or the company has obtained written authorization from the former employer or third party for their possession and use. In addition, you might consider making random checks of new hires’ machines to make sure that other companies’ IP has not been brought in and outlining consequences if they do bring it in.

While this won’t stop you from getting sued if data makes its way onto your network, it should make an employee think twice before doing it.

Internal Employee Case Study Continued:

Now, let’s get back to our case studies. We are going to go back to the case study of that internal employee that left and went to work for the competition.  As you may remember we were able to prove multiple things up to this point.  The departed employee:

  • Used a sync function on some of the last days of employment.
  • The sync function appeared to sync IP to one or two USB devices.
  • Multiple USB devices (over 20) were used on the computer, and some were only used during his final days of employment.
  • We put in a request through the lawyers to get our hands on the 20+ USB devices, but only 4 arrived.
  • One of the USB devices that arrived was never used at his old work.
  • We asked for and received access to his home computer.
  • We identified that most of the USB devices had been used on both his home and old work computer.
  • The home computer showed us that the two USB devices that we were looking for were both used on the home computer after his last day of employment.
  • Data from his former company had been opened on his home computer after he started his new job.

It was at this point that the judge gave us access to his new work computer.  As I mentioned in the previous post, we performed the “New Hire Program” package on his new work computer.  This type of analysis is virtually the same as we perform when an employee departs but there is a key difference. We are now looking for data artifacts that show that data is moving onto, and not off of, the device that we are investigating.  We also continue to look for USB devices; we are still searching for IP.  However this time we are trying to match things up between the old employer’s computer, his home computer and his new employer’s computer. 

To correctly match everything up, we created a timeline for the three machines. It is important to note that to do this correctly, you need to take into account the time zone of each computer you are analyzing, as some of the data movements happened close together in time.

When we started to look at his new work computer, we quickly identified that the key USB device had been used on it. Knowing the date and the time that the key USB device was plugged in, we started searching the work computer for data that was created after that date. Looking for files created within an hour of the time the device was plugged in, we found that copies of files that appeared to be the stolen IP had been copied down to his new work computer. While this was a nice nail in the coffin, we finished our investigation process, and what we found shocked even the new company.
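The timeline matching and one-hour search described above, as an added example (not code from the original post or the author's tooling). The machine names, UTC offsets, serial number, file names and timestamps are all constructed, and fixed offsets stand in for each machine's configured time zone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: each machine's configured UTC offset, as recorded during
# acquisition. A real examination would read the zone (and DST rules) from
# the machine itself; fixed offsets keep this example self-contained.
UTC_OFFSET_HOURS = {"old_work": -5, "home": -8, "new_work": -8}

KEY_SERIAL = "EXAMPLE-SERIAL-0001"  # constructed placeholder serial number

# Constructed sample events: (machine, local clock time, kind, detail).
RAW_EVENTS = [
    ("old_work", "2016-03-01 17:30:00", "usb_connect", KEY_SERIAL),
    ("home", "2016-03-01 16:00:00", "usb_connect", KEY_SERIAL),
    ("new_work", "2016-03-21 08:50:00", "file_created", "before.txt"),
    ("new_work", "2016-03-21 09:10:00", "usb_connect", KEY_SERIAL),
    ("new_work", "2016-03-21 09:25:00", "file_created", "plan.docx"),
    ("new_work", "2016-03-21 10:05:00", "file_created", "deck.pptx"),
    ("new_work", "2016-03-21 10:45:00", "file_created", "notes.txt"),
]


@dataclass(frozen=True)
class Event:
    utc: datetime
    machine: str
    kind: str
    detail: str


def to_utc(machine, local_text):
    """Attach the machine's offset to its local clock time and convert to UTC."""
    tz = timezone(timedelta(hours=UTC_OFFSET_HOURS[machine]))
    local = datetime.strptime(local_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def build_timeline(raw_events):
    """Merge events from all machines into one list ordered by UTC time."""
    events = [Event(to_utc(m, t), m, k, d) for m, t, k, d in raw_events]
    return sorted(events, key=lambda e: e.utc)


def naive_connect_order(raw_events):
    """Order USB connects by local clock text alone (the mistake to avoid)."""
    ordered = sorted(raw_events, key=lambda r: r[1])
    return [m for m, _, kind, _ in ordered if kind == "usb_connect"]


def files_created_after_connect(timeline, serial, window=timedelta(hours=1)):
    """Per machine, list files created within `window` after the device connected."""
    hits = {}
    connects = [e for e in timeline
                if e.kind == "usb_connect" and e.detail == serial]
    for c in connects:
        for e in timeline:
            if (e.kind == "file_created" and e.machine == c.machine
                    and c.utc <= e.utc <= c.utc + window):
                hits.setdefault(c.machine, []).append(e.detail)
    return hits


if __name__ == "__main__":
    for ev in build_timeline(RAW_EVENTS):
        print(ev.utc.isoformat(), ev.machine, ev.kind, ev.detail)
    print("naive order:", naive_connect_order(RAW_EVENTS))
    print("within 1h of connect:",
          files_created_after_connect(build_timeline(RAW_EVENTS), KEY_SERIAL))
```

In the sample data the local clock times put the home connection before the old work connection, while the UTC timeline shows the opposite order.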

Between his start date at the new company and the date we received his new work computer, he had already changed the IP taken from our client, his former employer, and updated it with his new employer’s company information and logos. For example: he took his former employer’s division’s business plan and executed a “find and replace” of the old company name to the new company name. He opened presentations and changed all the footers and logos to the new company. It was determined that he had repurposed roughly 100 of the 2000 files that he had taken by just removing the old company’s name and logo.

We reported our findings to our client’s legal team and they reported what we had found to the new company. In turn, the new company immediately fired the employee. You might think the story ends there, but it does not. We continued our investigation, as we needed to be able to confirm that the repurposed IP had not made its way to the corporate network or to anyone else inside this company.

Unfortunately, we were able to confirm that data that he had brought with him had already been copied up to the corporate servers and more importantly we found that the data had been emailed out to the team he worked with, his boss and to his peers.   It was beginning to look like this data was spreading within the new company.

All of this information was provided to the court. The judge in the case ruled that we needed to go into the new company and search their network shares, the computers of his boss, and all his peers to track down and delete all the IP that was stolen. Due to the volume and the extent of what was found, this deletion of IP took much longer than expected, as we found that the people he had sent the data to had forwarded the data to others in addition to saving it to their network shares. Over time, the trail just kept growing and we kept on following it and deleting the data wherever it was found.

As the search for stolen IP continued, we started the analysis on his boss’s computer and boy, were we surprised at what we found. An examination of the boss’s computer found that he had stolen IP from our client years prior to him starting at the company. We began to wonder if there was an insider that was sending the boss this information. Through deeper analysis of this newly found “old” IP, and from conversations with our client, we discovered that the boss had been an employee of our client. When he left, he also stole IP, brought it into the new company and disseminated it throughout. Once this information was given to the new company, he too was fired.

The Final Word of the Court:

Let’s jump forward in time.  This case was not just about making sure that the data was removed from the new company servers and laptops and those two employees getting fired.  Our client wanted the other company to reimburse them for all that they had spent on legal fees and all third party fees, including for the forensic work that had been done over the entire time period of this case.  They were also asking for damages in addition to expenses.  After a long trial, the judge ruled in favor of our client and awarded them over $14 million in damages and fees.  As you can imagine, our client was very happy with the outcome.

The company that hired these two employees on the other hand was not happy at all.  At no time did anyone in the organization think that hiring one individual would cost them over $14 million.  So to answer one of my original questions, yes, you do have legal exposure if you hire someone that brings in stolen IP to your company.

Both companies involved in this matter have now taken additional steps during the hiring process to let all new hires know that bringing in outside data from previous employers is not allowed and it is cause for immediate termination.  They have instituted simple forensic checks that give visibility to newly used USB devices and data that gets copied off of them. This data is randomly checked to make sure it is not from any of their previous employers.  Utilizing the New Hire Program is how they are hoping to never have to experience a situation like this again.

While you might think that awards like the one the court handed down are rare, they are not. In most cases that I have been a part of, if we prove that data was stolen, it is very common for legal fees and other third party expenses to be awarded back to the company that had their data stolen. We all know that legal fees are going up, and cases like the ones I am presenting here are no longer considered anomalies. As I mentioned, employees will continue to take IP out of and bring it into organizations. And, with the increased legal action that is occurring as a result of the ease of identifying those malicious actions through expert forensic analysis, organizations are paying closer attention to the data flowing in and out of employees’ hands.

The moral of this cautionary tale: Take precautions and make sure stolen IP isn’t being brought into your company.  

Coming up – I will finish the story of the second case study. Stay tuned!

For more information on these services as well as other Forensic-related services we offer, please visit our website or email us at

Posted by: Jeremy Wunsch

Tuesday, June 07, 2016

Temporary Restraining Orders. Part 3 in a 6 Part Blog Series

In my last blog post, I began two case studies.  In both instances, we found that intellectual property had been taken when the employees left the company.   Following our process, we created the Departing Employee Report that outlined all of our findings.  We gave the report(s) to our clients and their external counsel.  It is at this point in the story that these two very similar cases went in completely different directions.

In most cases, after our client and their law firm have a chance to review our findings and determine a course of action we are typically asked to write either an affidavit or a declaration.  We take the information in our report(s) and put it into an accepted legal format (the affidavit or declaration) that can be presented in court. Which document we create depends on the law firm we are working with.  Typically one of these documents is presented with a TRO (temporary restraining order). 

When you hear TRO, many of you might immediately think of some type of harassment or abuse case. However, a TRO has other purposes as well. One use that I have seen over and over again in theft of Intellectual Property (IP) cases is requesting a TRO under which the employee that left and took IP with them is not allowed to go to work for the new company until the theft of IP case has been resolved in some manner. Typically, in cases where this type of TRO is requested, the law firm and the forensic company must move quickly so that the legal team has the information that they need to file for a TRO.

I cannot stress enough how important speed is when working a case like this. If the new employee has already been working at the new company for a few months, there is a high likelihood that the information that was taken has already been disseminated around the new company, and a TRO is less likely to be effective. I am not saying that you can’t get a TRO after a few months; you can, but you will just have more hoops to jump through. This scenario alone is a great reason to have a relationship established with a forensic company that excels at investigating IP theft cases.

Let’s get back to those two case studies. While these two case studies are of two companies in completely different industries, they are very much alike from a forensic standpoint. Data was taken upon employee departure, the departing employees went to work for the competitor and the companies hired an external law firm to help. In both of these cases we were initially hired by the same law firm, a law firm that we had worked with for years and had a well-established process with.

Internal Employee Case Study Continued:

For this case, we wrote an affidavit to go with the TRO and the documentation went to both the departed employee and the departed employee’s “new” company. The “new” company was a Fortune 100 company; they were large enough that their first response back to the TRO was “if we wanted that company’s IP, we would have just bought them”. At this point, the fun really started.

Along with the TRO, it was requested that the employee send all USB drives that they had used at our client’s company so that we could forensically examine them to find and remove our client’s IP.  If our client’s IP was found on any of the devices, the court would uphold the TRO and the employee would not be able to work until the case was resolved.

Based on the request, the former employee sent four USB drives.  As you may remember from the previous blog post, we were expecting over 20 to show up.   So the fact that we only got four devices surprised us and angered the legal team.    However, we still analyzed the 4 drives that we were given.  Once the serial numbers were identified, we realized that only 3 of the devices that were sent to us had been used at the former company.  The one extra USB drive was completely new to us.  In addition, the key USB device that we were looking for was not one of the four that was sent to us.

All of this information was sent to the court, along with a request to get access to the former employee’s home computer.  When the court learned that only 4 USB devices had been turned over, the court ordered that the home computer had to be sent to us for analysis.

A few days later, the home computer arrived and we performed the full departing employee analysis on it. Undertaking a USB analysis on the computer, we were able to identify that most of the 20+ USB devices that we were looking for were also used on his home computer, along with several other USB devices that were used at home but not on his old work computer. During this investigation, it was discovered that the one USB device that we didn’t have information on showed up as being used on his home computer. What was most shocking and concerning to our client was that the key USB device had been used on his home computer just after he had resigned.

Since we had a lot of information about this key USB device, we performed some special searches for files that we knew had, at one time, resided on that device and which belonged to his former employer, our client. We were able to determine that these files had been accessed and opened on his home computer, from that USB device, after he had already started at the new company. These facts were presented to the court. The court did two things: first, they granted the TRO and the employee couldn’t work anymore until the case was settled, and secondly, the court gave us access to his work laptop. This upset his new company as they didn’t want to give up his work laptop.

A few days after the court order, his new work laptop arrived in our forensic lab.  Once the device was in our lab, we performed the New Hire Program package on his machine.  Stay tuned to future blog posts to see what this uncovered and how both companies responded.

Home Based Employee Case Study Continued:

In the case of the home based employee, things took a completely different spin once we delivered the report to outside counsel and they showed it to our client, the company the employees had left. This company decided it would be in their best interest to change law firms and retain a firm in the state in which the two former employees resided. I have worked many cases where our clients have changed law firms mid investigation, but this change did surprise me because the original law firm had a well-known reputation for successfully litigating IP theft matters and I knew nothing about the new firm besides the fact that they were a very large international firm.

Our client and the now former law firm had told me that our report had been sent to the new firm and that I would be hearing from them shortly.  Weeks passed and I had heard nothing.  Knowing that we were initially going down the path of a TRO for both these employees I was getting concerned that I had not heard from the new law firm.  

I contacted our client and let them know that I had not been contacted by the new law firm.  They were surprised and said someone would reach out to me within 24 hours.  Not one hour later, my phone rang.  It was an associate at the new law firm.  She said the partner asked her to touch base with me just to let me know that they got the initial report and they were working their way through it.

The clock was ticking for a TRO and it still took them two more weeks before they called again.  This time they actually asked me to step them through the report so that they could better understand what IP had been stolen.   This call ended up being the first of many phone calls to discuss the report and help better understand it.

In the end, the new law firm opted not to pursue a TRO against the two departed employees. They decided to “play nice”, reasoning that the employees would willingly turn over their personal devices for us to search and remove all IP associated with their former employer. As you can imagine, that was not what happened. The employees each retained their own counsel, which vigorously fought any request to turn over their personal devices. In the end, instead of utilizing the courts to litigate the stolen IP, the decision was made to continue to “play nice”. It was decided they would pursue arbitration instead. It would be 8 months before I would hear from the new law firm again.

Where to Go From Here:

As you can see, two cases that were nearly identical at the start have taken off in different directions. Is there a right or wrong way to take these cases? I would say yes… Over the next few blog posts, I will explain why as we continue with these two case studies. In addition, I will take a look at some things you can do both to prevent IP from being taken from your company and to prevent new hires from bringing stolen IP into your company.

Newberry Group has services that can support all of your needs in these areas. Our experienced team can conduct investigations that cover both the departing employee as well as the new hire for a fraction of the cost that you could incur should the examples above play out. Our Departing Employee Program and New Hire Program are fixed fee programs that consist of defined computer investigation service packages that identify and report on employee data activity. The packages vary as to scope and cost in order to provide you with a level of assurance proportionate to the value of the employee and the access that the employee had to your IP.

For more information on these services as well as other Forensic-related services we offer, please visit our website at or email us at

 Next Blog: Reverse IP Theft

Posted by: Jeremy Wunsch

Wednesday, May 04, 2016

When The Threat Strikes. Part 2 of a 6 Part Blog Series

As I mentioned in my first blog post, the internal threat is very real and it strikes ALL companies. (Yes, even forensic companies that investigate internal threats.) The smallest company at which I have identified theft of IP during employee departure had 5 employees. The largest client was a Fortune 100 company whose name all of you would instantly recognize. Even forensics companies are not immune. When I was the CEO at LuciData, I had a former forensic investigator leave and “take” IP with him to start a competing company. It happens all the time. Numerous articles quote statistics that over 50% of departing employees take IP when they leave.

50% is a pretty large percentage of people.  Think of how many employees have left your company.   Think about what information they had access to.  Now assume that 50% did actually take information and brought it to a competitor. What would a competitor be able to do once they got their hands on that data?  What would the impact be to your company should that happen?  Loss of revenue, loss of competitive advantage?

Theft of your IP has happened to you with or without your knowledge. It might be happening right now and you don’t know it. In this blog and other blogs to follow, I am going to step through two examples of internal theft: an internal employee working at the office and a home based employee that was granted remote access to the network. The blogs will address what was done right and what could have been done better.

There are always lessons to learn with departing employees, and most of those lessons deal with controlling your data better.

Internal Employee Case Study:

This was not the first time that our client had called us to investigate a potential theft of IP from a departing employee.   We had put in place a protocol to cover the first initial steps to investigate any departing employee that they suspected of taking IP.

As with all the other cases with this company, a “key employee” had departed and moved across the country to work for a competitor. What caused our client’s suspicion was that the competitor did not have a marketable “product” like the one the employee had been working on for our client, but the competitor was trying to get a foothold into that space. The data that this employee had access to was incredibly valuable to the competitor.

As we were completing the initial first steps of the protocol and started digging into the data, we discovered red flags that started to raise questions for us. The first red flag we found was the sheer number of USB devices that had been used on the computer, including a few devices that were used during the last few days of his employment with our client. While devices used on the last few days of employment don’t always point to a problem, for some of these devices, it was determined that it was the first time that they had ever been used.

The next red flag we saw was that a special folder sync function had been run. This function was set up to sync multiple folders from the employee’s computer to what was labeled as “other device”. This meant that it could sync to something like a network share or to a USB device, basically anything that wasn’t internal to the computer.

What was helpful to us was that this sync function left a log of the folders that it was syncing with, along with the last time that the sync took place. Unfortunately, the folders that were synced were deleted by the former employee. Not to be deterred, using our forensics capabilities, we were able to recover the deleted folders and found just over 2,500 files in those folders that had been synced to other devices. A copy of the recovered files list was given to the client to review and determine the “value” of the data. We determined that most of the files contained documents that had “confidential” or “internal use only” written on the documents, leading us to believe these indeed would be very valuable documents to a competitor – a fact that was quickly confirmed by the client. Our client asked us to immediately start working on determining if we could tell them where these documents went to (other devices, network share etc.).

Using time information from both the USB and the sync function logs we were able to determine that the data went to one or two USB devices on the same day the employee turned in his resignation notice.  We were able to determine the common name of the USB devices (like one gigabyte SanDisk) and we also had the serial number of the devices we could now start searching for.  This information was given to our client so their Information Technology department could determine if the devices still resided in the former employee’s office or some other place within the company.  When it was determined that the company did not have possession or access to these two USB devices and that the former employee most likely took them when he left, we helped our client’s counsel write the request for the former employee to turn over all USB devices that he used while employed at the company on that computer.  Based on our initial USB analysis, we were expecting 24 USB devices to be turned over.  With that request, the hunt for stolen IP began in earnest.

Home Based Employee Case Study:

In this case, we have a home based sales employee that was allowed to use his own personal computer for work purposes. His request to use his home based computer was granted by management even though it was in violation of company policy.  Because his personal laptop was a Mac, a request was made by the employee for a virtual machine partition to be placed on the machine so that he could use “normal” Microsoft Outlook for work related email. Again, a request granted by management and a violation of company policy.

When the employee left our client’s employment to go to work for a competitor, the company wisely asked for his computer to “image” it to make sure they had access to his email that was in the virtual partition.  However, this image was not a traditional forensic image. Luckily the image did capture all the data on the disk; which included all the Mac data and all the data in the Windows virtual machine.  Confident that they now had a copy of his email allowing them to answer any customer questions that might arise, they returned his personal computer back to him without deleting the virtual machine that contained years of corporate email.  They put the image on the shelf and did nothing with it.

Shortly after this first resignation, a 2nd sales employee resigned. This employee was going to the same competitor as the first employee that left, and this employee would report to the first employee. Concern was rising that something nefarious might be going on, as the competitor they went to work for was the number one competitor of our client. Losing both of these top sales people was a grave concern in the very tight market that both these companies were in. For the purpose of this blog post and so we can keep them straight, we will name the home based employee with the Mac, Bob and the employee that left second, Steve.

We were sent the work computer (which was a Windows computer) from Steve and we were sent the image of the home Mac computer that Bob used for work.  We initiated our departing employee protocol to determine if there might have been any visible signs of solicitation and to determine if any confidential data may have been taken by either of them.

While we did find signs that they were both communicating with each other, we didn’t find any signs that Bob asked Steve to leave and bring data with him.  At that point, our investigation turned strictly into theft of IP and we began to look at each of them individually.

Investigating both former employees’ computers, we determined that they both had USB drives hooked up to their computers. Both of them used those USB drives on their final days of employment. There were also signs that data may have been transferred over to those devices. We worked with our client and their legal team to request that Steve hand over all the USB drives that he had used during his employment. This process was pretty straightforward with Steve’s computer; Bob and his computer were another story.

As we mentioned, Bob used his personal laptop for work. This machine was also used by family members. Because of this, we were not completely sure of the best way to ask for access to the devices, given the high likelihood that we would not be granted access to family members’ devices unless we could clearly prove that data had been transferred to that specific device. This computer had been used for years and not only were there traditional USB storage devices that had been hooked up to it, but there were also iPhones, iPads and iPods that had been attached to this machine. These devices, while traditionally used for other reasons, also have the ability to store data.

Which devices were his, and which belonged to his wife and his kids? As the investigation continued into Bob’s computer, we started to notice references to network storage devices, like network attached storage (NAS), and references to Apple’s Time Machine backup, which appeared to back up his entire laptop. Remember, Bob had the virtual machine that contained all his work email containing confidential information on this machine. We realized that the work email was in the Time Machine backup, so we had to make sure to request access to that backup as well. As the type of home network that Bob had established was becoming clear, we realized that one of his NAS devices was syncing on a regular basis with his Mac. If you are able to follow the trail - we now know that work email is stored in at least three locations – on his personal Mac in the company provided VM, the Time Machine Backup and on the NAS.

We gave our client a file list of some of the files on the Mac image that contained the word “confidential”.  We handed over copies of documents, spreadsheets, PowerPoints and PDFs for them to look through.  It was quickly determined by our client those files were very key to the company, and Bob should never have been allowed to leave with that data still on his personal Mac that he used for work.  Like with Bob’s email, we were assuming that these files containing the documents, spreadsheets, PowerPoints and PDFs etc. were also on the Time Machine Backup and the NAS and potentially other USB devices.

At that point, the lawyers knew what we needed access to, but with Bob’s non-traditional home network this wasn’t going to be your normal legal request. This was going to be a case with many unexpected twists and turns.

Hurry up and wait.

As with all cases, once we find that IP may have been taken during employee departure we provide our reports, declarations and/or affidavits.  The lawyers then take over and it is hurry up and wait while the legal process runs its course.  Stay tuned to the next blog post to see what happened with these legal requests and the corresponding TROs (Temporary Restraining Order).

Newberry Group has services that can support all of your needs in these areas.  Our experienced team can conduct investigations that cover both the departing employee as well as the new hire for a fraction of the cost that you could incur should the examples above play out.  Our Departing Employee Program is a fixed fee program that consists of defined computer investigation service packages that identify and report on employee data activity. The packages vary as to scope and cost in order to provide you with a level of assurance proportionate to the value of the employee and the access that the employee had to your IP.

Our Incoming Employee Package consists of 2 services. 1st, it verifies that policies and procedures are appropriate so new employees understand that under no circumstances should any IP from previous employers be brought with them. 2nd, at a predetermined time (usually 30-60 days after the employee’s start date), we will check the new hire’s drive for signs of external IP. If data is found, you can take immediate steps to remediate the data before any litigation commences.

For more information on these services as well as other Forensic-related services we offer, please visit our website at or email us at

 Next Blog:  Temporary Restraining Orders (TRO)

Posted by: Jeremy Wunsch

Friday, February 26, 2016

The hacker, the departing employee, the new hire. Which one can cost you more? Part 1 of a 6 Part Blog Series

After almost 20 years of doing computer forensic investigations, and specializing in investigating data breaches and IP theft, I have realized a few things. Hackers are here to stay and those employees you trust the most can hurt you the most.

The Hacker

Let’s start where most organizations are mistakenly focused, hackers.

Hackers are malicious, but most are only looking to steal usernames and passwords. Some do try to steal personally identifiable information (PII) to sell, or they are looking to run some other type of scam with the stolen information. Rarely do hackers steal data to create a competing product or service.

Yes, hackers cause harm. They steal identities; people fall for their scams. Hacks have been a daily occurrence for some time now. Most firms spend a lot of time and money trying to prevent them and have a budget set aside for investigating them. 

But when we look back, what is the real cost to the organization of a hack? Google “cost of a hack” and you will find countless examples of what it costs organizations. But the numbers are all different. The real answer is that nobody knows. Realistically, unless you are part of some of the largest breaches in the world, the cost of a hack does not create a very large dent on the organization’s profit and loss statement. The “official statement” says, sorry we were hacked, change your passwords and move on.

The Departing Employee

This is my favorite person in the company.  They are leaving for that new job.  Why did they get that job?  You guessed it, because of what they did at your company. 

Organizations as a whole are still a trusting bunch.  “Oh, my employees would not maliciously take information with them.” We hate to be the bearer of bad news – they will and it is probably happening a lot more than you realize. In the thousands of cases we have done over the years, I can count on one hand the number of times during an investigation where we didn’t find the employee stealing intellectual property (IP) and taking it with them.

If the departing employee left to start their own competing business or worse yet – went to your #1 competitor – more than likely they have taken some of your IP (think customer lists, pricing data, product development details, business planning details to name a few) with them to help them hit the ground running.  It is time to start an investigation to see what they took.

When do you pull in legal?  It all depends on the organization and if legal is in-house or not.  But most pull in the legal team after it has been identified that IP may have been taken.  Another key question when pulling in the legal team is to ask “do you have an experienced legal team to help you during the investigation?”

The “experienced legal team” is a delicate subject, but it must be brought up. While the organization is going through the investigation, it cannot be stressed enough: make sure your legal counsel – both inside and outside counsel – understands the technology, the terminology and the forensics process.

Beware of what I refer to as the “Legal Tech Lawyer”. These are attorneys from firms that got their experience from going to a few conferences and listening to a few webinars, yet consider themselves experts in technology cases. In addition, beware of outside counsel that does not have any actual experience in conducting cases that had computer forensics examinations in the area of IP theft.

Having an experienced legal team, especially experienced outside counsel that understands the process and what forensics technology can and cannot do, will cost more per hour than an attorney that doesn’t, but in the end, it will be worth it. Not understanding the life cycle of an investigation, the differences in terminology, the limitations of technology and what to ask for during the investigation will most likely cause the organization to incur additional downstream investigation fees because the investigation is not streamlined. Uneducated attorneys are less likely to ask pertinent questions, will have to do additional research to understand what they need to have done, may ask for things to be done that are not necessary, or may miss finding critical evidence that is germane to your case. All of this will likely result in increased legal fees.

Legal expenses tend to be a very large chunk of the total cost of an IP theft investigation. Choosing the right attorney(s) is critical not only to the success of your investigation, but also to keeping your costs from spiraling out of control, especially when you are going after a temporary restraining order (TRO) and requesting access to both their home and “new work” computers.

Your New Hire

Let us introduce you to your most expensive hire: the new employee that you just hired away from your #1 competitor. The employee that took IP from their previous employer, who brought IP with them and is currently using that IP in their new job with you.

You didn’t ask them to steal IP from their previous employer, but they did.  You hired them because of their experience and their past contacts and connections. They told you they can help you beat their former employer; what they didn’t inform you about is they are bringing data with them that will be housed inside your walls. 

This data now resides someplace on your network. It could be a little, it could be a lot. For example, maybe they took a PowerPoint presentation. They changed a few words and logos and now your next project is the exact same project they were working on at their previous company. They shared a copy with their boss.  Their boss shared it with their boss who presented it at the national sales conference.  You get the picture.

Now imagine this scenario. Their previous employer knows you have hired their employee and suspects that they have taken IP – lots of it. They hire a forensic company to look at the former employee’s work machine and they find IP was taken.  They suspect you now have it. They want it back or eradicated and they want monetary damages. 

The next thing you know, you are served with a TRO and litigation hold. You are getting sued by your new hire’s former employer for theft of IP. You know nothing about this, you didn’t ask them to take it, but they did. Courts are starting to open up the doors to allow forensic companies to investigate inside the “new company” to verify that the previous company’s data is or is not inside the new company. The Forensics Investigation Team has been allowed full access to email servers, network servers and storage, laptops and desktops, cell phones, tablets and cloud accounts that may have the stolen IP on them.

If that happens to you, more than likely your organization will be responsible for the cost of that investigation. If IP is found, the costs ramp up even further. The IP will have to be remediated and most likely the courts could issue a pretty large judgment against you. We have had cases where the judgment in 1 IP theft alone was upwards of twenty ($20) million dollars that the “new company” had to pay the “former company” because the departed employee took IP with them and used it at the new company. While judgments of this amount are not common, they do happen. It is becoming more common to get judgments against the new company of a few million plus all third party fees (legal, computer forensics, court costs, etc).

What Can You Do To Be Proactive?

  1. Have an appropriate IT budget to spend on and implement monitoring solutions that watch how internal employees use the organization’s data. Whether it is device control, DLP solutions or BYOD technology – having monitoring technology is a must these days.
  2. Have a current AUP (acceptable use policy) and any other corporate policies governing the use of corporate data. Nothing is more painful than learning that you allow employees to take whatever they want.
  3. Be consistent in enforcing those policies. Precedent is a big word in the legal community and I have seen many cases lost on precedent.
  4. Ask the right questions of your legal team about their experience level in conducting forensics investigations.
  5. Get an experienced Digital Forensics team that understands IP theft considerations for departing and incoming employees.

How can you protect yourself?

There are economical ways to forensically determine what data and/or IP was taken from an organization or brought into an organization. An excellent program will:

  • Have a well-defined AUP covering both incoming and outgoing IP.
  • Consist of defined computer investigation service packages that identify and report on employee data activity.
  • Be able to identify data that was taken from your network as well as brought into your network.


Hackers are here to stay.  Most companies are well prepared to defend against hacks and have budgeted for such an event.

Employees will also continue to take IP.  It is not a question of if IP theft will happen, it is a matter of when and at what cost to the organization. Most companies are not as well prepared to investigate theft of IP. Nor have they budgeted for what the potential investigation might cost them or what the effects of a theft might be – loss of revenue, loss of clients, loss of productivity, business interruption – the list goes on and on.

Does an investigation have to break the bank to learn what IP might be taken? No, it does not.  Investigations can be streamlined, simplified and be cost effective if an organization has the proper team and services in place prior to kick off of an event.

As to the initial question that we started with, “The hacker, the departing employee, the new hire.  Which one can cost you more?” Stay tuned to future posts to learn, but I can tell you, it isn’t the hacker.

Newberry Group has services that can support all of your needs in these areas.  Our experienced team can conduct investigations that cover both the departing employee as well as the new hire for a fraction of the cost that you could incur should the examples above play out.  Our Departing Employee Program is a fixed fee program that consists of defined computer investigation service packages that identify and report on employee data activity. The packages vary as to scope and cost in order to provide you with a level of assurance proportionate to the value of the employee and the access that the employee had to your IP.

Our Incoming Employee Package consists of 2 services. 1st, it verifies that policies and procedures are appropriate so new employees understand that under no circumstances should any IP from previous employers be brought with them. 2nd, at a predetermined time (usually 30-60 days after the employee’s start date), we will check the new hire’s drive for signs of external IP. If data is found, you can take immediate steps to remediate the data before any litigation commences.

For more information on these services as well as other Forensic-related services we offer, please visit our website at or email us at

Next Blog:  Newberry Group’s Departing Employee Program.

Posted by: Jeremy Wunsch

Tuesday, August 19, 2014

Keeping Student Data Secure in Education

As students and teachers alike are embracing online learning tools, a need for better internet security in schools is becoming more apparent. The recent report on tech adoption in education by the Consortium for School Networking (CoSN) and the New Media Consortium (NMC) highlights this trend of hybrid learning models that “blend the best of classroom instruction with the best of Web-based delivery.” However, the report also points out that the safety of student data is considered a “difficult challenge” and “solutions are elusive.”

While internet security is a pervasive issue for all industries, schools deserve some extra attention. Along with the increased need for bandwidth to access online courses and tools, students and teachers are all too quick to share personal information through the internet. Schools need to carefully plan their network security in much the same way they plan their physical security. There has to be a good balance between access and security.

The solutions for balancing the security of student data with providing the right level of access required in today’s learning environment don’t have to be “elusive.” There is a full suite of solutions, such as network access controls or web filters, that are available at affordable prices and can offer the necessary protection for K-12 schools up through universities.

So what should you look for in a solution? Here are some good starting points:

  • URL Filtering – In 2013, 85% of malicious links used in web or email attacks were located on compromised legitimate websites. Controlling which websites can be accessed can limit the possibility of malware infecting your network.
  • Secure Data Transfer – An estimated 6% of all PCs will suffer at least one episode of data loss per year. 20% of all laptops suffer hardware related data loss in the first three years. A good IT strategy implements an off-site backup solution for important data. In an education environment, that would include student records. Securing this transfer of data is necessary as not only can the physical data be accessed but the transmissions of that data can also be intercepted.
  • Mobile Device Security – On average, network administrators are only aware of 80% of the devices on the network. In an educational setting, where nearly every student has a mobile device with the ability to connect to a local network, this figure is most assuredly much lower. Utilizing an agentless solution that discovers devices as soon as they access the network will protect vital information such as student records and institutional data while allowing the proper access necessary for the learning environment.
  • Bandwidth – With the inclusion of streaming media in today’s curriculum and the distribution of network resources across a geographically separated campus, load balancing bandwidth is essential to providing consistent access for both students and faculty.
  • Efficient Configuration – School IT departments are minimally staffed. And often, the staff is simply challenged by time and resources just to maintain, let alone implement and improve, the network. Solutions that are easy to configure and maintain yet provide robust security features are a must.

Posted by: Gerald Kennedy

Wednesday, July 23, 2014

How to Choose Security Solutions for Mobile Healthcare - Part 2

To read Part 1 of this series, click here.

According to the HIMSS Analytics 3rd Annual Mobile Survey, the top benefit to having mobile tech in facilities is increased access to patient information, and the ability to view data from a remote location. But this means there are thousands of devices accessing a provider’s network. In order to select a proper security solution that not only meets HIPAA requirements but offers the protection for medical device end points in use, medical IT Administrators must look at a number of factors:

  • What is on my network? This is the first and most important step in providing a secure IT enterprise. Many IT administrators believe they know what devices are on their network. However, healthcare facilities are littered with transient devices such as personal phones and tablets, patient monitors and diagnostic tools that have unique and often antiquated operating systems. These devices may only show up on IT networks once a week or perhaps once a month. It can be a daunting task to know exactly what is connected to the IT enterprise.
  • Controlling BYOD. Practitioners, nurses, and administrative staff often use their own unregulated devices, such as phones and tablets, to record data and communicate with staff and patients. Add to that the fact that many facilities offer open WiFi to their patients and guests. This creates a massive number of end points that are not monitored and leave the IT enterprise vulnerable to malware, viruses, and advanced persistent threats. Survey findings show that 32% of hospitals are not even using technology to enforce their BYOD policies.
  • End Point Compliance. Knowing what is on the network is one thing. Keeping known devices compliant is something else entirely. Security of an IT Enterprise is only possible through awareness. Once the devices are discovered, IT administrators must be certain that they remain compliant. It is essential to be able to confirm applications and disable those that are unauthorized, verify whether or not the device meets established security policies, and know if the device is compliant with the latest security patch and antivirus definitions.
  • Cost vs. Risk. While the Federal Government provides some mandates that direct medical IT Administrators to protect patient data, the healthcare IT network remains largely susceptible to your average hacker. It is up to each healthcare IT Administrator to protect the physical network to the degree they feel necessary to secure data and network end points. Healthcare budgets, like many vertical industries, are balanced toward production vs. protection. In the HIMSS Analytics survey, lack of funding was the most common barrier to implementing a security solution. An effective solution with low cost of ownership is necessary. And while incentive programs such as the EHR Incentive Program may seem to add balance to this in favor of the healthcare facilities, the incentive received is certainly not equivalent to the cost of losing patient data.

Network administrators can’t secure what they can’t see. It is imperative that administrators have access to real-time visibility of everything on their network and be able to control what is on their network at all times. When choosing a solution that meets all of these requirements, look for one that is simple to install on your network, without the need for agents or client software.

If you’d like to talk more about end point security solutions or need help, get in touch with us!

Posted by: Gerald Kennedy

Monday, July 21, 2014

How to Choose Security Solutions for Mobile Healthcare – Part 1

The last time I visited the doctor, he recorded everything on a tablet device. While it’s convenient, mobile security is always at the forefront of my mind. I was doing a bit of reading on mobile security and came across the Medicare and Medicaid (CMS) Electronic Healthcare Records (EHR) Incentive Program. This program gives healthcare providers a financial incentive for demonstrating the meaningful use of certified EHR technology or for adopting, implementing, or upgrading EHR technology. EHR technology allows providers to easily record and share patient data so that it’s consistent and readily available throughout the provider chain. This is certainly a great benefit to all healthcare providers as well as patients. There is no need to transfer records, and records can be updated in real time through hand held devices, patient monitors, or diagnostic tools connected to the network.

However, broader access to electronic databases and the use of additional devices to access that data only adds to the already vulnerable IT environment within the healthcare industry. IT components within healthcare are already severely susceptible to hacking and advanced persistent threats. Medical device end points, such as monitors and diagnostic tools, could have severely outdated operating systems that don’t lend themselves to standard patching processes. Even personal healthcare devices, such as insulin pumps, have known vulnerabilities as demonstrated by Jerome Radcliffe when he hacked his own insulin pump. These weaknesses, coupled with the fact that medical practitioners regularly bring their own smartphones and tablets, which are often unregulated at many facilities, leave a provider network open and vulnerable.

The HIPAA Security Rule provides standards for the securing of electronic health information. These rules are in place to protect patient data through access control, audit controls, integrity controls, and transmission controls. While important, they rely on the provider to select and implement the necessary security solutions to prevent a data breach. And without proper security for personal and medical end point devices, it is only one finger in a dam that has many holes.

Stay tuned for Part 2 later this week where I discuss the factors to consider when looking at different security solutions.

UPDATE: Part 2 is live! Check out: How to Choose Security Solutions for Mobile Healthcare - Part 2

Posted by: Gerald Kennedy

Monday, June 09, 2014

Case Study: Optimizing Barracuda Load Balancer to Meet Web Application Demands

Challenge:

A regional energy cooperative wanted a way to provide seamless application availability for their customers and scalable performance for future growth demands. Their current Barracuda Load Balancer and Oracle ERP solutions were deployed by a 3rd party using a method that would significantly impact performance and scalability in their  virtualized environments.  With a deadline on the horizon, they needed a solution that offered both flexibility and availability while minimizing complexity.


Newberry conducted a network and infrastructure assessment and found that the current Load Balancer and ERP deployment would only meet a fraction of the organization’s web application demands.  Newberry’s engineer worked closely with the customer to fine tune their Barracuda Load Balancer and rebuild their Oracle ERP system from the ground up while keeping the principles of scalability and application uptime at the forefront.


Newberry enhanced the organization’s ability to manage and scale critical application environments by:

  • Creating custom Load Balancer services and rules to automate application failover, rewrite URL requests for cross-platform compatibility with Oracle, and use URL redirection to simplify end user navigation during their initial orientation.
  • Tuning the Load Balancer’s application layer for session persistence and Layer 7 health monitoring.
  • Clustering the Load Balancers together using High Availability for seamless failover and web application availability.
  • Identifying I/O performance bottlenecks in virtual and networking environments.
  • Redesigning the customer’s ERP architecture by reducing complexity and adding additional nodes, which resulted in doubling the number of concurrent users and sessions available.
  • Training and knowledge transfer with System and Network Administrators covering operations, maintenance and advanced troubleshooting.

Why Newberry Group?

Because Newberry is one of the few Barracuda partners that can support the entire product line beyond what was required by this customer, Barracuda immediately turned to Newberry to make this project a success. Newberry’s Barracuda-certified engineers brought the in-depth knowledge, experience and passion for technology that was needed to exceed the demands of this time critical project.

Posted by: Nicholas Trifiletti
