Preventing Industrial Espionage Since the methods used by industrial spies are the same as those used by traditional spies, the countermeasures used to prevent traditional espionage can prevent industrial espionage , people , hacking , hackersThere is a great deal that commercial organizations can learn from Department of Defense security practices , people , hacking , hackersWhile I am not advocating total adherence to DoD standards, companies must employ a level of countermeasures that are justified by the potential losses that the company can suffer , people , hacking , hackersFor many firms, the potential losses can easily be valued in the billions of dollars , people , hacking , hackersInformation security efforts must therefore address comprehensive countermeasures, that are as comprehensive as the methods employed against them , people , hacking , hackersThere are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security , people , hacking , hackersThis paper introduces the concept of comprehensive security , people , hacking , hackersIt is strongly recommended that other papers follow up on the following concepts , people , hacking , hackers Technical Security Technical security countermeasures reduce the vulnerabilities present in electronic systems , people , hacking , hackersAs many other papers at this conference address, countermeasures ensure the confidentiality, integrity, and availability of computer systems and networks , people , hacking , hackersA good technical security effort also protects other electronic systems such as voice mail , people , hacking , hackersThe technical issues are well known and are satisfactorily addressed elsewhere , people , hacking , hackers Operational Security Operational security addresses the business processes in use by a company that could compromise information through non-technical means , people , hacking , hackersFor example, the DoD policy concerning information access only on a “Need to Know” basis helps prevent the unnecessary proliferation of information , people , hacking , hackersLikewise, policies on restricting the use of open communication lines, such as the Internet and telephone systems, reduces the potential for the compromise of information , people , hacking , hackersOther operational security issues include enforcing your own security policies on your vendors and suppliers , people , hacking , hackersIt would make no sense to perform background checks on your own employees, while contractor employees, who have free access to your facilities, go unchecked , people , hacking , hackersOperational security is a complicated issue, and requires a thorough study of the way a company does business , people , hacking , hackersThis includes the marketing progress, which presents a major vulnerability due to the exuberance a sales people trying to close a deal by offering sensitive information , people , hacking , hackersCompanies must examine the entire research, development, manufacturing, and sales process for potential ways that information could be compromised , people , hacking , hackersThere must be a clear understanding of who to disclose information to, and under what conditions and controls , people , hacking , hackersA strong security awareness program is the foundation for a strong operational security program , people , hacking , hackersPeople must know what information they should protect, and specifically how to protect it , people , hacking , hackersEveryone should be encouraged to report any questionable circumstances, and know who to report it to , people , hacking , hackersSecurity managers cannot assume that security issues are common sense when there is no baseline for common knowledge , people , hacking , hackersOperational security issues must be further elaborated and studied in other forums , people , hacking , hackers Physical Security As previously discussed, a large number of information compromises occur due to simple breaking and entering, and theft , people , hacking , hackersPhysical access to facilities should be carefully regulated and controlled , people , hacking , hackersThis includes limiting the access of visitors and contractors, as well as your own employees , people , hacking , hackersNobody should have a free roam of all corporate facilities , people , hacking , hackers All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor , people , hacking , hackersThis feature helps to reduce the threat of people overstating their authority , people , hacking , hackersObviously, there should be an operational security policy that encourages all people to look at badges , people , hacking , hackersAnother physical This subject issue to be addressed is the control of garbage , people , hacking , hackersThere have been numerous incidents of serious information compromises that have occurred solely from the content of an organization's garbage , people , hacking , hackersThe U.S , people , hacking , hackersmilitary has several units devoted to trash intelligence, and invests millions of dollars in the proper disposal of classified waste , people , hacking , hackersCompanies that have very high value information must also consider the control of their garbage , people , hacking , hackersSecurity programs must also stress the use of available protection mechanisms , people , hacking , hackersLocks on office doors and file cabinets frequently go unused in many organizations , people , hacking , hackersClean desk policies, that require all sensitive information to be locked up, must also be enforced , people , hacking , hackersThere are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time , people , hacking , hackersThese products prevent the exploitation of computers that are not properly turned off when not in use , people , hacking , hackers Personnel Security There must be a thorough investigation of all people with potential access to sensitive information , people , hacking , hackersSince most information might be sensitive to different departments within an organization, it should probably be a blanket policy to have a background check performed on all employees , people , hacking , hackersThe term employees is used broadly to include anyone with physical access to facilities or information , people , hacking , hackersFacilities include any computer terminal that has access to corporate information , people , hacking , hackersMany organizations do not consider the access and opportunities that seemingly minor employees, such as janitors, clerical workers, and This subject guards, have to steal information , people , hacking , hackersA recent edition of 2600: The Hacker's Quarterly had an article on how to obtain a job as a janitor , people , hacking , hackersCriminal elements understand the potential of low level positions, and it is time for This subject managers to address that potential , people , hacking , hackersSystems administration staff should also establish a strategic relationship with the Human Resources department , people , hacking , hackersIt is critical to be aware of any pending employee departures that could be under less than amicable circumstances , people , hacking , hackersAlso, systems administrators must lock the accounts of departed employees on the day that they leave the company , people , hacking , hackers Case Study The case study for the presentation addresses a penetration test performed against a large high technology firm at their request , people , hacking , hackersThe goal of the test was to simulate an industrial espionage attack, within the funding parameters , people , hacking , hackersA comprehensive attack strategy was used to simulate an attack as accurately as possible , people , hacking , hackersThe attack included the use of Open Source Research, obtaining a position as a temporary employee within the target, misrepresentation of responsibilities by the temporary, abuse of physical access, internal hacking, internal coordination and facilitation of external hackers, and straight external hacking , people , hacking , hackersThe results were staggering , people , hacking , hackersWithin one day of the on-site activities, over $1,000,000,000 of information was “stolen.” While the firewall was impenetrable and Smart Cards prevented access from outsiders, information was compromised almost at will by an insider , people , hacking , hackersThis was accomplished in a company that has a tremendous technical This subject program , people , hacking , hackersThe This subject manager understands their vulnerabilities, and wanted an independent assessment of the vulnerabilities to demonstrate the seriousness of the problem , people , hacking , hackersA detailed description of the case study will be presented , people , hacking , hackers
|