Preventing Industrial Espionage Since the methods used by industrial spies are the same as those used by traditional spies, the countermeasures used to prevent traditional espionage can prevent industrial espionage , espionage , industrialThere is a great deal that commercial organizations can learn from Department of Defense security practices , espionage , industrialWhile I am not advocating total adherence to DoD standards, companies must employ a level of countermeasures that are justified by the potential losses that the company can suffer , espionage , industrialFor many firms, the potential losses can easily be valued in the billions of dollars , espionage , industrialInformation security efforts must therefore address comprehensive countermeasures, that are as comprehensive as the methods employed against them , espionage , industrialThere are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security , espionage , industrialThis paper introduces the concept of comprehensive security , espionage , industrialIt is strongly recommended that other papers follow up on the following concepts , espionage , industrial

Technical Security

Technical security countermeasures reduce the vulnerabilities present in electronic systems , espionage , industrialAs many other papers at this conference address, countermeasures ensure the confidentiality, integrity, and availability of computer systems and networks , espionage , industrialA good technical security effort also protects other electronic systems such as voice mail , espionage , industrialThe technical issues are well known and are satisfactorily addressed elsewhere , espionage , industrial

Operational Security

Operational security addresses the business processes in use by a company that could compromise information through non-technical means , espionage , industrialFor example, the DoD policy concerning information access only on a “Need to Know” basis helps prevent the unnecessary proliferation of information , espionage , industrialLikewise, policies on restricting the use of open communication lines, such as the Internet and telephone systems, reduces the potential for the compromise of information , espionage , industrialOther operational security issues include enforcing your own security policies on your vendors and suppliers , espionage , industrialIt would make no sense to perform background checks on your own employees, while contractor employees, who have free access to your facilities, go unchecked , espionage , industrialOperational security is a complicated issue, and requires a thorough study of the way a company does business , espionage , industrialThis includes the marketing progress, which presents a major vulnerability due to the exuberance a sales people trying to close a deal by offering sensitive information , espionage , industrialCompanies must examine the entire research, development, manufacturing, and sales process for potential ways that information could be compromised , espionage , industrialThere must be a clear understanding of who to disclose information to, and under what conditions and controls , espionage , industrialA strong security awareness program is the foundation for a strong operational security program , espionage , industrialPeople must know what information they should protect, and specifically how to protect it , espionage , industrialEveryone should be encouraged to report any questionable circumstances, and know who to report it to , espionage , industrialSecurity managers cannot assume that security issues are common sense when there is no baseline for common knowledge , espionage , industrialOperational security issues must be further elaborated and studied in other forums , espionage , industrial

Physical Security

As previously discussed, a large number of information compromises occur due to simple breaking and entering, and theft , espionage , industrialPhysical access to facilities should be carefully regulated and controlled , espionage , industrialThis includes limiting the access of visitors and contractors, as well as your own employees , espionage , industrialNobody should have a free roam of all corporate facilities , espionage , industrial

All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor , espionage , industrialThis feature helps to reduce the threat of people overstating their authority , espionage , industrialObviously, there should be an operational security policy that encourages all people to look at badges , espionage , industrialAnother physical This subject issue to be addressed is the control of garbage , espionage , industrialThere have been numerous incidents of serious information compromises that have occurred solely from the content of an organization's garbage , espionage , industrialThe U.S , espionage , industrialmilitary has several units devoted to trash intelligence, and invests millions of dollars in the proper disposal of classified waste , espionage , industrialCompanies that have very high value information must also consider the control of their garbage , espionage , industrialSecurity programs must also stress the use of available protection mechanisms , espionage , industrialLocks on office doors and file cabinets frequently go unused in many organizations , espionage , industrialClean desk policies, that require all sensitive information to be locked up, must also be enforced , espionage , industrialThere are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time , espionage , industrialThese products prevent the exploitation of computers that are not properly turned off when not in use , espionage , industrial

Personnel Security

There must be a thorough investigation of all people with potential access to sensitive information , espionage , industrialSince most information might be sensitive to different departments within an organization, it should probably be a blanket policy to have a background check performed on all employees , espionage , industrialThe term employees is used broadly to include anyone with physical access to facilities or information , espionage , industrialFacilities include any computer terminal that has access to corporate information , espionage , industrialMany organizations do not consider the access and opportunities that seemingly minor employees, such as janitors, clerical workers, and This subject guards, have to steal information , espionage , industrialA recent edition of 2600: The Hacker's Quarterly had an article on how to obtain a job as a janitor , espionage , industrialCriminal elements understand the potential of low level positions, and it is time for This subject managers to address that potential , espionage , industrialSystems administration staff should also establish a strategic relationship with the Human Resources department , espionage , industrialIt is critical to be aware of any pending employee departures that could be under less than amicable circumstances , espionage , industrialAlso, systems administrators must lock the accounts of departed employees on the day that they leave the company , espionage , industrial

Case Study

The case study for the presentation addresses a penetration test performed against a large high technology firm at their request , espionage , industrialThe goal of the test was to simulate an industrial espionage attack, within the funding parameters , espionage , industrialA comprehensive attack strategy was used to simulate an attack as accurately as possible , espionage , industrialThe attack included the use of Open Source Research, obtaining a position as a temporary employee within the target, misrepresentation of responsibilities by the temporary, abuse of physical access, internal hacking, internal coordination and facilitation of external hackers, and straight external hacking , espionage , industrialThe results were staggering , espionage , industrialWithin one day of the on-site activities, over $1,000,000,000 of information was “stolen.” While the firewall was impenetrable and Smart Cards prevented access from outsiders, information was compromised almost at will by an insider , espionage , industrialThis was accomplished in a company that has a tremendous technical This subject program , espionage , industrialThe This subject manager understands their vulnerabilities, and wanted an independent assessment of the vulnerabilities to demonstrate the seriousness of the problem , espionage , industrialA detailed description of the case study will be presented , espionage , industrial