PeopleHacking intelligence

Subject: Business Intelligence Countermeasures
Description: Preventing and reducing the impact of industrial espionage
Category: Security Awareness Training



  • The Federal Bureau of Investigation estimates that U.S. corporations lose $100 billion annually due to industrial espionage.

    While many people believe that the espionage is committed by well financed organizations that can only be stopped by national agencies, that is very incorrect.

    Industrial espionage usually exploits simple and very preventable vulnerabilities to produce tremendous results.

    By focusing on comprehensive security, and not just technical security, information security professionals can significantly hamper adversary attempts to steal their organization's information assets.

    The presentation that describes this paper presents a case study of an actual industrial espionage attack against a large U.S. corporation.

    The theft of sensitive information from U.S. corporations is the goal for many foreign nations and companies.

    Adversaries do not care about what form the information takes.

    Whether information is in electronic format or is thrown away in the trash, it is irrelevant as long as the information is compromised.

    Unfortunately for most corporate security programs, there is a preoccupation with technical security that leaves information very vulnerable to basic espionage methods.

    Information security professionals focus their efforts on what they know best.

    When they allocate their limited budgets, the division of funds reflects their perceived needs, which are basically technical security mechanisms.

    Firewalls and other Internet security mechanisms are the hottest selling products.

    While firewalls go a long way in preventing the traditional computer hackers from intruding into a corporate computer network, they do nothing to stop the most significant source of computer crime: Insiders.

    Two recent studies show that insiders were responsible for more than 70% of information related thefts [1, 3].

    The threat prevented by firewalls is minimal, because a focused attack will bypass the strongest protection mechanisms.

    Information comes in many forms, and must be protected in all of its forms.

    Information security is not computer security.

    While computer security is an integral part of a good security program, it is only a part.

    Comprehensive security includes physical, personnel, operational and technical security.

    Industrial spies know how to bypass any strong part of a security program to attack an organization at its weakest point.

    Industrial espionage and corporate intelligence are massively prevalent in today's business world.

    It is not unusual for a corporation to hire a spy or spies to investigate their competition and their hold on the market share.

    This business intelligence is both helpful and harmful because while sometimes it is merely getting the new sales plans of your company, it could be getting the patent filings of your brand new invention.

    One form of this espionage might get the corporation a little jump on your plans, the other could destroy you entirely.

    This is terrifying news because few have the security implemented to thwart these attacks on your privacy and protect your information.

    While most consider security to consist entirely of firewalls and system administrators who spend long hours using encryption, all of that can be bypassed by the people hacker.

    If I call up your company and begin asking for simple information like the name of a sales representative who supposedly contacted me or for the head of your information technology department, that should be a legitimate request, right? To the people hacker, that is the first step to invading your privacy.

    Preventing Industrial Espionage

    Since the methods used by industrial spies are the same as those used by traditional spies, the countermeasures used to prevent traditional espionage can prevent industrial espionage.

    There is a great deal that commercial organizations can learn from Department of Defense security practices.

    While I am not advocating total adherence to DoD standards, companies must employ a level of countermeasures that are justified by the potential losses that the company can suffer.

    For many firms, the potential losses can easily be valued in the billions of dollars.

    Information security efforts must therefore employ countermeasures that are as comprehensive as the methods employed against them.

    There are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security.

    This paper introduces the concept of comprehensive security.

    It is strongly recommended that other papers follow up on the following concepts.

    Technical Security

    Technical security countermeasures reduce the vulnerabilities present in electronic systems.

    As many other papers at this conference address, countermeasures ensure the confidentiality, integrity, and availability of computer systems and networks.

    A good technical security effort also protects other electronic systems such as voice mail.

    The technical issues are well known and are satisfactorily addressed elsewhere.

    Operational Security

    Operational security addresses the business processes in use by a company that could compromise information through non-technical means.

    For example, the DoD policy concerning information access only on a “Need to Know” basis helps prevent the unnecessary proliferation of information.

    Likewise, policies restricting the use of open communication lines, such as the Internet and telephone systems, reduce the potential for the compromise of information.

    Other operational security issues include enforcing your own security policies on your vendors and suppliers.

    It would make no sense to perform background checks on your own employees, while contractor employees, who have free access to your facilities, go unchecked.

    Operational security is a complicated issue, and requires a thorough study of the way a company does business.

    This includes the marketing process, which presents a major vulnerability due to the exuberance of salespeople trying to close a deal by offering sensitive information.

    Companies must examine the entire research, development, manufacturing, and sales process for potential ways that information could be compromised.

    There must be a clear understanding of who to disclose information to, and under what conditions and controls.

    A strong security awareness program is the foundation for a strong operational security program.

    People must know what information they should protect, and specifically how to protect it.

    Everyone should be encouraged to report any questionable circumstances, and know who to report it to.

    Security managers cannot assume that security issues are common sense when there is no baseline for common knowledge.

    Operational security issues must be further elaborated and studied in other forums.

    Physical Security

    As previously discussed, a large number of information compromises occur due to simple breaking and entering, and theft.

    Physical access to facilities should be carefully regulated and controlled.

    This includes limiting the access of visitors and contractors, as well as your own employees.

    Nobody should have a free roam of all corporate facilities.

    All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor.

    This feature helps to reduce the threat of people overstating their authority.

    Obviously, there should be an operational security policy that encourages all people to look at badges.

    Another physical security issue to be addressed is the control of garbage.

    There have been numerous incidents of serious information compromises that have occurred solely from the content of an organization's garbage.

    The U.S. military has several units devoted to trash intelligence, and invests millions of dollars in the proper disposal of classified waste.

    Companies that have very high value information must also consider the control of their garbage.

    Security programs must also stress the use of available protection mechanisms.

    Locks on office doors and file cabinets frequently go unused in many organizations.

    Clean desk policies that require all sensitive information to be locked up must also be enforced.

    There are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time.

    These products prevent the exploitation of computers that are not properly turned off when not in use.

    Personnel Security

    There must be a thorough investigation of all people with potential access to sensitive information.

    Since most information might be sensitive to different departments within an organization, it should probably be a blanket policy to have a background check performed on all employees.

    The term employees is used broadly to include anyone with physical access to facilities or information.

    Facilities include any computer terminal that has access to corporate information.

    Many organizations do not consider the access and opportunities that seemingly minor employees, such as janitors, clerical workers, and security guards, have to steal information.

    A recent edition of 2600: The Hacker's Quarterly had an article on how to obtain a job as a janitor.

    Criminal elements understand the potential of low level positions, and it is time for security managers to address that potential.

    Systems administration staff should also establish a strategic relationship with the Human Resources department.

    It is critical to be aware of any pending employee departures that could be under less than amicable circumstances.

    Also, systems administrators must lock the accounts of departed employees on the day that they leave the company.

    Case Study

    The case study for the presentation addresses a penetration test performed against a large high technology firm at their request.

    The goal of the test was to simulate an industrial espionage attack, within the funding parameters.

    A comprehensive attack strategy was used to simulate an attack as accurately as possible.

    The attack included the use of Open Source Research, obtaining a position as a temporary employee within the target, misrepresentation of responsibilities by the temporary, abuse of physical access, internal hacking, internal coordination and facilitation of external hackers, and straight external hacking.

    The results were staggering.

    Within one day of the on-site activities, over $1,000,000,000 of information was “stolen.” While the firewall was impenetrable and Smart Cards prevented access from outsiders, information was compromised almost at will by an insider.

    This was accomplished in a company that has a tremendous technical security program.

    The security manager understands their vulnerabilities, and wanted an independent assessment of the vulnerabilities to demonstrate the seriousness of the problem.

    A detailed description of the case study will be presented.
