Earlier this year, Tesla filed suit against former engineering employee, Guangzhi Cao, accusing him of stealing trade secrets (Tesla’s Autopilot source code). In a court filing from Monday (July 8), Cao admitted to uploading .zip files containing the Autopilot source code to his personal iCloud account.
Additionally, Cao is accused of bringing the code to Chinese competitor, Xiaopeng Motors (AKA Xmotors or XPeng), which is backed by industry-giant Alibaba. This is a prime example of the havoc insider threats can wreak on companies.
Tesla former engineer Guangzhi Cao, accused of stealing AP source code, now works at Xpeng as head of perception. Coincidence? https://t.co/IasSlPRSEH
— Ray (@ray4tesla) July 11, 2019
Experts Comments:
Jeff Nathan, Principal Researcher at Exabeam:
“Insiders with access to privileged information represent a greater risk to a company’s security. In this particular case, a former Tesla employee admitted to uploading confidential Autopilot source code to a personal iCloud account before leaving to work for a competitor.
Tesla is not alone. Managing cloud applications and services is an ongoing and common challenge for enterprises. With more enterprises deploying critical resources within their cloud services, the threat landscape can extend to a larger attack surface that could be outside of security’s traditional span of control.
In many organisations, cloud credentials might be outside the scope of internal network security policies and controls. For example, it’s not unusual for software developers to provision their own cloud services and define their own credentials. They then proceed to create applications within their self-provisioned cloud services. Should a developer leave the company, the standard off-boarding policies might not include removing their cloud-based resource access. The former employee can continue to access the cloud resources, and the company would be completely unaware of the security risk.
However, advancements in cloud-based security management solutions have helped close this gap. Some modern SIEM solutions now use machine learning capabilities to track individual users’ behaviour across the entire company network and identify anomalous events. Now, security teams can easily and immediately discover who is using cloud resources to upload sensitive corporate information or illicitly access cloud applications and revoke their credentials–improving cloud security for the modern enterprise.”
Naaman Hart, Cloud Services Security Architect at Digital Guardian:
“This is indeed an ideal case to be solved by Data Loss Prevention (DLP) products. There was no need for this employee to be using their own iCloud for data storage even if the original intent was non-malicious. This should’ve been detected and blocked, either by identifying the important files and selectively blocking them or by a blanket ban on iCloud. Simply allowing this to happen has exposed Tesla to potential data loss. Closing the doors to private cloud hosted services is a proactive approach to preventing data loss.
“Yes, it’s great that Tesla can get information from Apple to help their case, but the data is gone and now it’s in the wild for Tesla’s competitors to use. Implementing DLP visibility solutions are also a great reactive measure to retrospectively identify and confirm a specific employee’s malicious intent. This information can enhance any court proceedings and get a positive outcome for the victim.
“Prevention is better than reaction however, so focusing on forcing employees to use approved and secure channels is the preferred approach. You don’t have to make yourself ineffective, just provide a sufficient set of tools that you can control, rather than allowing people to use services completely outside of your control.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.