Preventing Industrial Espionage

Since the methods used by industrial spies are the same as those used by traditional spies, the countermeasures used to prevent traditional espionage can prevent industrial espionage. There is a great deal that commercial organizations can learn from Department of Defense security practices. While I am not advocating total adherence to DoD standards, companies must employ a level of countermeasures that is justified by the potential losses the company could suffer. For many firms, the potential losses can easily be valued in the billions of dollars. Information security efforts must therefore employ countermeasures that are as comprehensive as the methods used against them. There are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security. This paper introduces the concept of comprehensive security. It is strongly recommended that other papers follow up on the following concepts.

Technical Security

Technical security countermeasures reduce the vulnerabilities present in electronic systems. As many other papers at this conference address, these countermeasures ensure the confidentiality, integrity, and availability of computer systems and networks. A good technical security effort also protects other electronic systems, such as voice mail. The technical issues are well known and are satisfactorily addressed elsewhere.

Operational Security

Operational security addresses the business processes in use by a company that could compromise information through non-technical means. For example, the DoD policy of granting information access only on a "need to know" basis helps prevent the unnecessary proliferation of information. Likewise, policies restricting the use of open communication lines, such as the Internet and telephone systems, reduce the potential for the compromise of information. Other operational security issues include enforcing your own security policies on your vendors and suppliers. It would make no sense to perform background checks on your own employees while contractor employees, who have free access to your facilities, go unchecked. Operational security is a complicated issue and requires a thorough study of the way a company does business. This includes the marketing process, which presents a major vulnerability because of the exuberance of sales people trying to close a deal by offering sensitive information. Companies must examine the entire research, development, manufacturing, and sales process for potential ways that information could be compromised. There must be a clear understanding of whom to disclose information to, and under what conditions and controls.

A strong security awareness program is the foundation for a strong operational security program. People must know what information they should protect, and specifically how to protect it. Everyone should be encouraged to report any questionable circumstances, and know whom to report them to. Security managers cannot assume that security issues are common sense when there is no baseline of common knowledge. Operational security issues must be further elaborated and studied in other forums.

Physical Security

As previously discussed, a large number of information compromises occur through simple breaking and entering, and theft. Physical access to facilities should be carefully regulated and controlled. This includes limiting the access of visitors and contractors, as well as your own employees. Nobody should have free roam of all corporate facilities.

All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor. This helps to reduce the threat of people overstating their authority. Obviously, there should be an operational security policy that encourages all people to look at badges.

Another physical security issue to be addressed is the control of garbage. There have been numerous incidents of serious information compromises that have occurred solely from the content of an organization's garbage. The U.S. military has several units devoted to trash intelligence, and invests millions of dollars in the proper disposal of classified waste. Companies that have very high value information must also consider the control of their garbage.

Security programs must also stress the use of available protection mechanisms. Locks on office doors and file cabinets frequently go unused in many organizations. Clean desk policies, which require all sensitive information to be locked up, must also be enforced. There are also computer locking products available that prevent computer access if the computer is turned off or idle for a certain period of time. These products prevent the exploitation of computers that are not properly turned off when not in use.

Personnel Security

There must be a thorough investigation of all people with potential access to sensitive information. Since most information might be sensitive to different departments within an organization, it should probably be a blanket policy to have a background check performed on all employees. The term "employees" is used broadly to include anyone with physical access to facilities or information. Facilities include any computer terminal that has access to corporate information. Many organizations do not consider the access and opportunities that seemingly minor employees, such as janitors, clerical workers, and security guards, have to steal information. A recent edition of 2600: The Hacker's Quarterly had an article on how to obtain a job as a janitor. Criminal elements understand the potential of low level positions, and it is time for security managers to address that potential.

Systems administration staff should also establish a strategic relationship with the Human Resources department. It is critical to be aware of any pending employee departures that could be under less than amicable circumstances. Also, systems administrators must lock the accounts of departed employees on the day that they leave the company.

Case Study

The case study for the presentation addresses a penetration test performed against a large high technology firm at their request. The goal of the test was to simulate an industrial espionage attack, within the funding parameters. A comprehensive attack strategy was used to simulate an attack as accurately as possible. The attack included the use of Open Source Research, obtaining a position as a temporary employee within the target, misrepresentation of responsibilities by the temporary, abuse of physical access, internal hacking, internal coordination and facilitation of external hackers, and straight external hacking. The results were staggering. Within one day of the on-site activities, over $1,000,000,000 of information was "stolen." While the firewall was impenetrable and Smart Cards prevented access from outsiders, information was compromised almost at will by an insider. This was accomplished in a company that has a tremendous technical security program. The security manager understands their vulnerabilities, and wanted an independent assessment of the vulnerabilities to demonstrate the seriousness of the problem. A detailed description of the case study will be presented.
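As an added illustration of the personnel-security control described above (example code, not from the paper or its author), the following reconciles a constructed HR roster against a constructed directory export to find accounts that should already have been locked, plus enabled accounts with no HR owner at all, the kind a temporary or contractor leaves behind. The roster, directory contents and function names are all assumptions.

```python
from datetime import date

# Constructed sample HR roster: username -> last working day, or None if
# still employed. It covers staff and contractors alike, since the paper
# uses "employees" for anyone with access to facilities or information.
HR_ROSTER = {
    "jdoe": date(2024, 3, 1),       # departed two weeks ago
    "asmith": date(2024, 3, 15),    # last day is today
    "tcontract": date(2024, 4, 2),  # contractor, leaves next month
    "mlee": None,
    "rgarcia": None,
}

# Constructed sample directory export: username -> account enabled?
DIRECTORY = {
    "jdoe": True,        # departed but still enabled: the same-day lock was missed
    "asmith": True,      # must be locked today
    "tcontract": True,   # still current
    "mlee": False,       # disabled for an unrelated reason
    "rgarcia": True,
    "temp-0417": True,   # enabled account with no HR record at all
}

TODAY = date(2024, 3, 15)  # constructed "run date" for the example


def reconcile(hr_roster, directory, today):
    """Return (overdue, orphans).

    overdue: enabled accounts whose owner's last day is today or earlier.
    orphans: enabled accounts with no HR record, which nobody will ever
             report as departed and so must be investigated separately.
    """
    overdue = sorted(
        user for user, last_day in hr_roster.items()
        if last_day is not None and last_day <= today and directory.get(user, False)
    )
    orphans = sorted(user for user, on in directory.items() if on and user not in hr_roster)
    return overdue, orphans


def lock_accounts(directory, users):
    """Return a copy of the directory with the given accounts disabled."""
    locked = set(users)
    return {user: (on and user not in locked) for user, on in directory.items()}


if __name__ == "__main__":
    overdue, orphans = reconcile(HR_ROSTER, DIRECTORY, TODAY)
    print("lock today:", overdue)   # ['asmith', 'jdoe']
    print("investigate:", orphans)  # ['temp-0417']
    # After locking both groups, a re-run reports nothing outstanding.
    print(reconcile(HR_ROSTER, lock_accounts(DIRECTORY, overdue + orphans), TODAY))
```

Running the reconciliation daily, rather than relying on an HR phone call, is what turns the paper's "lock accounts on the day they leave" rule into something that can be checked.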