Preventing Industrial Espionage Since the methods used by industrial spies are the same as those used by traditional spies, the countermeasures used to prevent traditional espionage can prevent industrial espionage , privacy , consultant , protectThere is a great deal that commercial organizations can learn from Department of Defense security practices , privacy , consultant , protectWhile I am not advocating total adherence to DoD standards, companies must employ a level of countermeasures that are justified by the potential losses that the company can suffer , privacy , consultant , protectFor many firms, the potential losses can easily be valued in the billions of dollars , privacy , consultant , protectInformation security efforts must therefore address comprehensive countermeasures, that are as comprehensive as the methods employed against them , privacy , consultant , protectThere are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security , privacy , consultant , protectThis paper introduces the concept of comprehensive security , privacy , consultant , protectIt is strongly recommended that other papers follow up on the following concepts , privacy , consultant , protect Technical Security Technical security countermeasures reduce the vulnerabilities present in electronic systems , privacy , consultant , protectAs many other papers at this conference address, countermeasures ensure the confidentiality, integrity, and availability of computer systems and networks , privacy , consultant , protectA good technical security effort also protects other electronic systems such as voice mail , privacy , consultant , protectThe technical issues are well known and are satisfactorily addressed elsewhere , privacy , consultant , protect Operational Security Operational security addresses the business processes in use by a company that could compromise information through non-technical means , privacy , consultant , protectFor example, the DoD policy concerning information access only on a “Need to Know” basis helps prevent the unnecessary proliferation of information , privacy , consultant , protectLikewise, policies on restricting the use of open communication lines, such as the Internet and telephone systems, reduces the potential for the compromise of information , privacy , consultant , protectOther operational security issues include enforcing your own security policies on your vendors and suppliers , privacy , consultant , protectIt would make no sense to perform background checks on your own employees, while contractor employees, who have free access to your facilities, go unchecked , privacy , consultant , protectOperational security is a complicated issue, and requires a thorough study of the way a company does business , privacy , consultant , protectThis includes the marketing progress, which presents a major vulnerability due to the exuberance a sales people trying to close a deal by offering sensitive information , privacy , consultant , protectCompanies must examine the entire research, development, manufacturing, and sales process for potential ways that information could be compromised , privacy , consultant , protectThere must be a clear understanding of who to disclose information to, and under what conditions and controls , privacy , consultant , protectA strong security awareness program is the foundation for a strong operational security program , privacy , consultant , protectPeople must know what information they should protect, and specifically how to protect it , privacy , consultant , protectEveryone should be encouraged to report any questionable circumstances, and know who to report it to , privacy , consultant , protectSecurity managers cannot assume that security issues are common sense when there is no baseline for common knowledge , privacy , consultant , protectOperational security issues must be further elaborated and studied in other forums , privacy , consultant , protect Physical Security As previously discussed, a large number of information compromises occur due to simple breaking and entering, and theft , privacy , consultant , protectPhysical access to facilities should be carefully regulated and controlled , privacy , consultant , protectThis includes limiting the access of visitors and contractors, as well as your own employees , privacy , consultant , protectNobody should have a free roam of all corporate facilities , privacy , consultant , protect All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor , privacy , consultant , protectThis feature helps to reduce the threat of people overstating their authority , privacy , consultant , protectObviously, there should be an operational security policy that encourages all people to look at badges , privacy , consultant , protectAnother physical This subject issue to be addressed is the control of garbage , privacy , consultant , protectThere have been numerous incidents of serious information compromises that have occurred solely from the content of an organization's garbage , privacy , consultant , protectThe U.S , privacy , consultant , protectmilitary has several units devoted to trash intelligence, and invests millions of dollars in the proper disposal of classified waste , privacy , consultant , protectCompanies that have very high value information must also consider the control of their garbage , privacy , consultant , protectSecurity programs must also stress the use of available protection mechanisms , privacy , consultant , protectLocks on office doors and file cabinets frequently go unused in many organizations , privacy , consultant , protectClean desk policies, that require all sensitive information to be locked up, must also be enforced , privacy , consultant , protectThere are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time , privacy , consultant , protectThese products prevent the exploitation of computers that are not properly turned off when not in use , privacy , consultant , protect Personnel Security There must be a thorough investigation of all people with potential access to sensitive information , privacy , consultant , protectSince most information might be sensitive to different departments within an organization, it should probably be a blanket policy to have a background check performed on all employees , privacy , consultant , protectThe term employees is used broadly to include anyone with physical access to facilities or information , privacy , consultant , protectFacilities include any computer terminal that has access to corporate information , privacy , consultant , protectMany organizations do not consider the access and opportunities that seemingly minor employees, such as janitors, clerical workers, and This subject guards, have to steal information , privacy , consultant , protectA recent edition of 2600: The Hacker's Quarterly had an article on how to obtain a job as a janitor , privacy , consultant , protectCriminal elements understand the potential of low level positions, and it is time for This subject managers to address that potential , privacy , consultant , protectSystems administration staff should also establish a strategic relationship with the Human Resources department , privacy , consultant , protectIt is critical to be aware of any pending employee departures that could be under less than amicable circumstances , privacy , consultant , protectAlso, systems administrators must lock the accounts of departed employees on the day that they leave the company , privacy , consultant , protect Case Study The case study for the presentation addresses a penetration test performed against a large high technology firm at their request , privacy , consultant , protectThe goal of the test was to simulate an industrial espionage attack, within the funding parameters , privacy , consultant , protectA comprehensive attack strategy was used to simulate an attack as accurately as possible , privacy , consultant , protectThe attack included the use of Open Source Research, obtaining a position as a temporary employee within the target, misrepresentation of responsibilities by the temporary, abuse of physical access, internal hacking, internal coordination and facilitation of external hackers, and straight external hacking , privacy , consultant , protectThe results were staggering , privacy , consultant , protectWithin one day of the on-site activities, over $1,000,000,000 of information was “stolen.” While the firewall was impenetrable and Smart Cards prevented access from outsiders, information was compromised almost at will by an insider , privacy , consultant , protectThis was accomplished in a company that has a tremendous technical This subject program , privacy , consultant , protectThe This subject manager understands their vulnerabilities, and wanted an independent assessment of the vulnerabilities to demonstrate the seriousness of the problem , privacy , consultant , protectA detailed description of the case study will be presented , privacy , consultant , protect
|