It's 10 p.m., Do You Know Where Your Source Code Is?

Last week a hacker by the name of 'Tama Tough' claimed he was going to release the full source code for Symantec Corp.'s flagship product, Norton Antivirus software. With open-source software, all the source code is always available for everyone to see, but in this case Tama Tough was threatening to disclose commercial, closed-source code.
The ramifications of this threat, especially given the implied disclosure of source code, were huge. For example:
- If the code had been published, any secrets in the code could have become a problem for Symantec.
- Access to source code means cyber criminals could add malicious code and compile it into a product that mimics the look and feel of the original but is designed to do a number of very bad things that are almost impossible for end users to detect. (Beware of buying software from anything other than a trusted source because the deal will not be a good deal for you.)
- The raw logic of the program would have been exposed and, given this knowledge, an expert would probably find new kinds of vulnerabilities.
Even though the disclosure didn't happen, the security implications of an intellectual property breach are enormous. This threat is a wake-up call for everyone - when was the last time you reviewed your source code security protection?
If it's been a while, here are a few questions to help you get started:
- Do you know every single place this source code exists, both in operation and in backups?
- What safeguards do you have in place to protect your source code and how would you know if it was taken?
- If your source code was stolen, what is the plan to keep the business operational and your customers safe?
- Finally, do you have a plan to manage the crisis of public perception an event like this could cause, considering the 24X7 news cycle and social communications channels?
If you don't have clear, specific answers to all of these questions, you have just been put on notice. Symantec just reminded all of us that it's time to revisit the security protection around intellectual property. If you've got that under control, spend some time looking at business continuity and crisis communication plans to make sure they include this scenario and involve support, sales and marketing, and legal teams.
This is a tabletop exercise you really need to work into your schedule in the near future. It is the type of event that requires a companywide response and the more prepared you are, the better chance you have of containing the damage.
The problem with being a successful business is that you become more attractive to a better class of cyber criminals. It's the classic good news / bad news problem. The good news is that your intellectual property is recognized as having significant value. The bad news is that now you are attracting the attention of more sophisticated cyber criminals.
Be proactive and be the hero and leader when this type of event happens; be reactive and be the goat. Your move.








