Preventing Industrial Espionage Since the methods used by industrial spies are the same as those used by traditional spies, the countermeasures used to prevent traditional espionage can prevent industrial espionage , spy , industrial , corporate , businessThere is a great deal that commercial organizations can learn from Department of Defense security practices , spy , industrial , corporate , businessWhile I am not advocating total adherence to DoD standards, companies must employ a level of countermeasures that are justified by the potential losses that the company can suffer , spy , industrial , corporate , businessFor many firms, the potential losses can easily be valued in the billions of dollars , spy , industrial , corporate , businessInformation security efforts must therefore address comprehensive countermeasures, that are as comprehensive as the methods employed against them , spy , industrial , corporate , businessThere are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security , spy , industrial , corporate , businessThis paper introduces the concept of comprehensive security , spy , industrial , corporate , businessIt is strongly recommended that other papers follow up on the following concepts , spy , industrial , corporate , business

Technical Security

Technical security countermeasures reduce the vulnerabilities present in electronic systems , spy , industrial , corporate , businessAs many other papers at this conference address, countermeasures ensure the confidentiality, integrity, and availability of computer systems and networks , spy , industrial , corporate , businessA good technical security effort also protects other electronic systems such as voice mail , spy , industrial , corporate , businessThe technical issues are well known and are satisfactorily addressed elsewhere , spy , industrial , corporate , business

Operational Security

Operational security addresses the business processes in use by a company that could compromise information through non-technical means , spy , industrial , corporate , businessFor example, the DoD policy concerning information access only on a “Need to Know” basis helps prevent the unnecessary proliferation of information , spy , industrial , corporate , businessLikewise, policies on restricting the use of open communication lines, such as the Internet and telephone systems, reduces the potential for the compromise of information , spy , industrial , corporate , businessOther operational security issues include enforcing your own security policies on your vendors and suppliers , spy , industrial , corporate , businessIt would make no sense to perform background checks on your own employees, while contractor employees, who have free access to your facilities, go unchecked , spy , industrial , corporate , businessOperational security is a complicated issue, and requires a thorough study of the way a company does business , spy , industrial , corporate , businessThis includes the marketing progress, which presents a major vulnerability due to the exuberance a sales people trying to close a deal by offering sensitive information , spy , industrial , corporate , businessCompanies must examine the entire research, development, manufacturing, and sales process for potential ways that information could be compromised , spy , industrial , corporate , businessThere must be a clear understanding of who to disclose information to, and under what conditions and controls , spy , industrial , corporate , businessA strong security awareness program is the foundation for a strong operational security program , spy , industrial , corporate , businessPeople must know what information they should protect, and specifically how to protect it , spy , industrial , corporate , businessEveryone should be encouraged to report any questionable circumstances, and know who to report it to , spy , industrial , corporate , businessSecurity managers cannot assume that security issues are common sense when there is no baseline for common knowledge , spy , industrial , corporate , businessOperational security issues must be further elaborated and studied in other forums , spy , industrial , corporate , business

Physical Security

As previously discussed, a large number of information compromises occur due to simple breaking and entering, and theft , spy , industrial , corporate , businessPhysical access to facilities should be carefully regulated and controlled , spy , industrial , corporate , businessThis includes limiting the access of visitors and contractors, as well as your own employees , spy , industrial , corporate , businessNobody should have a free roam of all corporate facilities , spy , industrial , corporate , business

All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor , spy , industrial , corporate , businessThis feature helps to reduce the threat of people overstating their authority , spy , industrial , corporate , businessObviously, there should be an operational security policy that encourages all people to look at badges , spy , industrial , corporate , businessAnother physical This subject issue to be addressed is the control of garbage , spy , industrial , corporate , businessThere have been numerous incidents of serious information compromises that have occurred solely from the content of an organization's garbage , spy , industrial , corporate , businessThe U.S , spy , industrial , corporate , businessmilitary has several units devoted to trash intelligence, and invests millions of dollars in the proper disposal of classified waste , spy , industrial , corporate , businessCompanies that have very high value information must also consider the control of their garbage , spy , industrial , corporate , businessSecurity programs must also stress the use of available protection mechanisms , spy , industrial , corporate , businessLocks on office doors and file cabinets frequently go unused in many organizations , spy , industrial , corporate , businessClean desk policies, that require all sensitive information to be locked up, must also be enforced , spy , industrial , corporate , businessThere are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time , spy , industrial , corporate , businessThese products prevent the exploitation of computers that are not properly turned off when not in use , spy , industrial , corporate , business

Personnel Security

There must be a thorough investigation of all people with potential access to sensitive information , spy , industrial , corporate , businessSince most information might be sensitive to different departments within an organization, it should probably be a blanket policy to have a background check performed on all employees , spy , industrial , corporate , businessThe term employees is used broadly to include anyone with physical access to facilities or information , spy , industrial , corporate , businessFacilities include any computer terminal that has access to corporate information , spy , industrial , corporate , businessMany organizations do not consider the access and opportunities that seemingly minor employees, such as janitors, clerical workers, and This subject guards, have to steal information , spy , industrial , corporate , businessA recent edition of 2600: The Hacker's Quarterly had an article on how to obtain a job as a janitor , spy , industrial , corporate , businessCriminal elements understand the potential of low level positions, and it is time for This subject managers to address that potential , spy , industrial , corporate , businessSystems administration staff should also establish a strategic relationship with the Human Resources department , spy , industrial , corporate , businessIt is critical to be aware of any pending employee departures that could be under less than amicable circumstances , spy , industrial , corporate , businessAlso, systems administrators must lock the accounts of departed employees on the day that they leave the company , spy , industrial , corporate , business

Case Study

The case study for the presentation addresses a penetration test performed against a large high technology firm at their request , spy , industrial , corporate , businessThe goal of the test was to simulate an industrial espionage attack, within the funding parameters , spy , industrial , corporate , businessA comprehensive attack strategy was used to simulate an attack as accurately as possible , spy , industrial , corporate , businessThe attack included the use of Open Source Research, obtaining a position as a temporary employee within the target, misrepresentation of responsibilities by the temporary, abuse of physical access, internal hacking, internal coordination and facilitation of external hackers, and straight external hacking , spy , industrial , corporate , businessThe results were staggering , spy , industrial , corporate , businessWithin one day of the on-site activities, over $1,000,000,000 of information was “stolen.” While the firewall was impenetrable and Smart Cards prevented access from outsiders, information was compromised almost at will by an insider , spy , industrial , corporate , businessThis was accomplished in a company that has a tremendous technical This subject program , spy , industrial , corporate , businessThe This subject manager understands their vulnerabilities, and wanted an independent assessment of the vulnerabilities to demonstrate the seriousness of the problem , spy , industrial , corporate , businessA detailed description of the case study will be presented , spy , industrial , corporate , business