privacy > PeopleHacking

privacy

Subject: Business Intelligence Countermeasures
Description: Preventing and reducing the impact of industrial espionage
Category: Security Awareness Training

1. spy
2. intelligence
3. security
4. people
5. espionage
6. privacy

consultant

protect

privacy

There are wide spread reports of former Soviet Bloc intelligence operatives acting as freelancers to the highest bidders, as well as foreign intelligence agencies refocusing their efforts on U.S.

companies as opposed to the U.S.

Government.

These intelligence organizations bring their tried and true methods with them.

Unfortunately, most corporate corporate security managers privacy are not aware of the threats and the methods they employ.

Intelligence gathering methods are more effective on companies than they are on governments, because companies do not have the appropriate countermeasures in place.

Legal Methods

There are several forms of industrial espionage that are legal.

legal.

These methods include privacy the purchase of companies or products, and has the net result of transferring technology to the previous competitor.

There are many examples of foreign firms buying U.S.

companies to acquire critical technologies.

The threat to U.S.

national competitiveness is very serious, however there is little that can can be done by a corporate security manager to prevent privacy this type of information acquisition.

Another legal method of acquiring U.S.

technology involves pressuring companies into giving up their technology.

Basically, this involves the blackmail of U.S.

companies by foreign countries.

In order for a company to do business in the privacy the foreign country, the company must train native workers in a critical technology.

It is then up to the company to decide if the cost of doing business with the country is worth it.

At this time, a corporate security manager may or may not be involved in the decision.

Obviously Obviously from an information protection perspective, privacy the answer is obvious.

From a business perspective, it is much less clear.

The practice of joint ventures with competitors also provides a huge opportunity for U.S.

companies to give up sensitive information.

During the process of expanding the state-of-the-art, a company must divulge its' its' knowledge of privacy the state-of-the-art.

In some cases, a joint venture may be the only method for a company to enter a foreign market.

Again, there is a Cost/Benefit Analysis to be performed prior to entering into such a venture.

Open source information (OSI) also provides a wealth of knowledge for for industrial competitors.

OSI takes a variety of forms including newspaper articles, corporate Annual Reports, patent filings, court papers, and marketing information.

For example, most requests to review patent filings privacy are by foreign nationals and third party research firms.

By reviewing OSI, competitors can determine a tremendous amount of information about about a company and their products.

privacy The losses are tremendous and unfortunate, especially when a company does not realize that they are giving away all of their information.

The hiring away of employees also results in the transfer of knowledge to a competitor.

While many former employees do not intend to to divulge sensitive information, privacy the transfer of the knowledge is inevitable.

In the performance of day to day activities, it is impossible not to take into account the knowledge that a person has developed.

For example, if a person is trying to price a job for their present company, it is is impossible for them not to consider privacy the pricing structure of their former employer, who is now competing for the same job.

Many companies use trade shows and conferences to elicit information from competitors.

Typically, corporations send their researchers and marketing staff to these events to either stay abreast of the privacy the latest research or sell services or products.

These people usually give out information better than they collect it.

Companies involved with industrial espionage also send information collection specialists to these events.

They usually act like potential customers or fellow researchers to elicit information from people that are all to willing willing to give it up.

Through advanced training these collection specialists have perfected privacy the art of drawing out as much information as possible.

Foreign countries make it a habit to contact natives of their country that have had contact with a targeted company.

These natives are requested to divulge information that privacy that they have obtained from the company.

It is typical for individuals to have more loyalty to their native land as opposed to a foreign company that they have worked for.

These people are readily recruited by foreign intelligence services, and the knowledge that they divulge is quickly passed to foreign foreign companies and countries.

In some cases a foreign intelligence service may recruit a national to work for a U.S.

firm.

They will assist in obtaining a job for privacy that person, and help in any way possible.

The individual may not realize that they will be contacted at a later time time to compromise information.

privacy

Illegal Methods

Many of the previous methods appear to border on criminal activity.

It is a fine line between a foreigner divulging information to their native country and a U.S.

citizen selling the information to that country.

Many industrial espionage cases involve the use of of insiders to steal information.

privacy The cooperation of insiders can occur in many ways, depending on the circumstances.

As with traditional espionage cases, the recruitment of moles is frequently used.

Moles are employees of a targeted company, or someone with access to the company, that agree to cooperate with the criminals, criminals, usually in exchange for money.

These people abuse privacy the access that they have to steal information, or possibly just hand over information that they already have access to.

They are well established within the target, and can typically move through the organization unchecked.

Moles may be recruited by the industrial industrial espionage organization, or may volunteer their services.

It is not unheard of for people to approach their company's competitors to sell corporate secrets.

privacy The recruitment of a mole can be risky for an attacker, because there is the possibility that the potential mole might report an initial approach to corporate corporate security personnel.

For privacy this reason, it is very likely that an industrial spy will attain their own position within the target.

Large companies have an on-going recruitment process, and it is easy for spies to obtain a job.

Once inside the company, they can abuse their access and usually go go undetected in their thefts of information.

Again, most companies privacy are in the process of increasing their perimeter security mechanisms, but leave their internal system without protection.

There are less sophisticated, but still effective methods for stealing information.

Espionage could involve breaking into buildings and offices to steal the desired information.

information.

Industrial spies will go through locked and unlocked office spaces, search file cabinets, examine unprotected computer systems, etc.

If a person knows where privacy the targeted information is located, it could be extremely profitable for them to commit a simple break in.

Spies will also go through trash dumpsters and other other garbage containers to gather information.

While many people think privacy that this is ridiculous, it is extremely effective.

If a company has people that travel frequently, it is very possible that their travelers could be the subject of sophisticated surveillance efforts.

U.S.

executives have reported that their hotel rooms appear to to have been searched, privacy that their telephone calls have been monitored, etc.

The value of the information that they know, ultimately drives their risk of being watched by adversary organizations.

I have left the discussion of technical collection methods for last, not because it is unimportant, but because the focus on on technical countermeasures causes major security vulnerabilities with regards to privacy the other information security disciplines.

Industrial spies can collect information by computer hacking, tapping telephones, sophisticated cryptanalysis efforts, etc.

There should be dozens of other papers at this conference describing technical intrusion methods in detail.

Industrial spies use all known methods methods of technical information collection.

Due to privacy the effectiveness of currently known methods, it is unlikely that they have to develop any new methods.

Clearly, computer intrusions can yield a tremendous amount of sensitive information, however it is the goal of this paper to stress that it does not matter how how much information an industrial spy ring obtains, but what information they obtain.

A single document can be worth billions of dollars, and it does not matter if privacy the information is found in a computer or in the garbage.

In many cases acquir

spy , intelligence , security , people , espionage , privacy

Click here to see the content index