Counterespionage techniques that work.

A comprehensive preventive program for safeguarding proprietary information is the answer for corporations serious about information security.

Whatever else the collapse of communism may engender, one immediate effect is the creation of a new world order of industrial espionage. Businesses now face some experienced foes as Eastern European countries redirect the resources of their massive intelligence agencies from the political to the corporate spy arena.

Equally formidable and more numerous threats exist at home where competitors, disgruntled employees, political terrorists, and blackmailers are ready to steal and use corporate information with potentially staggering consequences to their victims.

All too often security risks are taken seriously only after information is lost. The reaction is a flurry of expensive and mostly ineffective countermeasures. A well-conceived, comprehensive, and sustainable preventive program for safeguarding proprietary information (SPI) is the answer for corporations serious about securing their information assets.

Businesses should seek out a corporate information officer (CIO) to develop and manage the SPI program if the size of the program warrants the cost of a full-time professional. Otherwise, the security manager can hire an information protection consultant.

An in-house CIO may cost $50,000 to $60,000 before benefits, while contracting out may cost about $10,000 for a small company the first year, with an incremental cost of about $5,000 yearly thereafter.

In both cases, the CIO should have information management skills and be well versed in trade secret protection. An electronics degree helps ensure that the CIO can evaluate security and communications equipment, computers, and technical surveillance countermeasures (TSCMs).

To coordinate company-wide policies, top management should form a SPI task force, with guidance from the CIO or a consultant. Task force members should include the security manager, the CIO or consultant, corporate counsel, and managers from research and development, data processing, records, communications, and human resources.

The CIO's or consultant's expertise helps the task force avoid common mistakes--getting bogged down in poorly understood legal and technical details or making decisions that are incomplete and untimely.

A prime example is one task force's decision to cover the conference room walls with lead sheets to stop bugging by radio transmitters. It never occurred to the group during security planning to shield the door and window openings or the floor and ceiling.

Task force members should begin by asking employees in each department where proprietary information is located. They should list the results of their survey in terms of risk and potential damage if this information is lost. This list, with locations and risk rankings, is the foundation of a SPI policy and the related budget proposal to top management.

The proposed policy must be realistic, manageable, enforceable, fundable, and include compliance auditing. It should be flexible enough to handle changing circumstances and concentrate resources on the highest risks.

An overly technical approach that ignores everyday, commonsense security presents welcome opportunities to information thieves.

Spies do not have to resort to sophisticated information-stealing techniques when a target company carelessly gives away information. Therefore, it is not sensible to spend a lot of money on security officers and systems to protect information that is eventually discarded in unguarded outdoor trash bins or is discussed in public by unaware employees.

A SPI Policy

* Employee awareness. Most information assets are lost through employee carelessness. Companies must create an employee handbook that clearly spells out staff responsibility in safeguarding corporate information.

For example, such a handbook would spell out how telephone requests for company information should be handled. Employees can be instructed to redirect these inquiries to personnel trained in safeguarding the company's trade secrets.

The staff should be taught that business matters must never be discussed in public places, such as in airplanes or restaurants where they can be deliberately or inadvertently overheard. Laptop computers should not be used nor documents read in public where they can be "shoulder surfed."

Signed employee nondisclosure forms that list specific categories of information secrets increase awareness, deter deliberate theft, and provide legal proof that the employee knew what trade secrets were not to be divulged.

* Document classification. A document control system should be designed to protect corporate documents, drawings, charts, plans, and strategies for the useful life of each item.

The security manager should teach department managers how to review and properly classify all documents. The company can provide rubber stamps, red ink pads, and instructions to the originators of proprietary information. If any question exists as to whether information is proprietary, employees should be told that it is best to stamp it proprietary.

* Offices. Engineering and executive offices should always be locked when they are not in use to discourage browsing, theft, and the planting of eavesdropping devices.

Keys to office doors should be kept secure. The first places a thief looks for office keys are in secretaries' desks and under their computer keyboards. Keeping proprietary documents and computer disks in locked cabinets greatly reduces theft opportunities. A clean desk top is a good security procedure.

* Maintenance work. Management can designate security personnel to monitor maintenance work done in executive offices or other sensitive areas.

Visitors should be required to sign a logbook when they enter and leave the facility. A printed reminder in the logbook can highlight their responsibility to keep proprietary information secret. Barriers can be used to restrict visitors' access, as can "no visitors" signs and escorts.

* Meeting rooms. Paging systems, background music speakers, and unused wiring can be used for eavesdropping. The security team should remove all such devices and wiring from meeting room walls, ceilings, and floor spaces.

A mirror and light affixed to a flexible handle can be used to search for recording or transmitting devices in heating and air-conditioning ducts.

After the search, when the duct grills are replaced, their orientation and screw-head positions can be designated with ultraviolet markers. A quick inspection with an ultraviolet light will indicate panels that are removed after the search.

Meeting rooms must be locked when not in use to decrease the possibility of listening devices being planted prior to board and strategy meetings. Meeting materials should be removed from unattended boardrooms during breaks and immediately after presentations.

If blackboards or flip chart presentations face outside windows, the blinds should be closed to prevent observation with binoculars or telephoto lenses. Meeting members should be made aware that loud or amplified voices can carry into adjacent office spaces.

It is difficult to detect if audiovisual equipment has been modified to transmit room audio to an outside monitoring post. If kept on wheeled tables, this equipment can easily be unplugged and removed when not in use. Telephones and speaker phones should be unplugged and removed.

* Quiet room. When the expense--which may range from $15,000 to $200,000--is justified by the risk, an acoustical and radio frequency-shielded quiet or war room can be designed and constructed for private meetings and corporate electronic communications.

The room should incorporate intrusion-monitoring sensors and CCTV cameras. Removable ceiling, floor, and wall panels will also simplify physical inspections.

* Communications equipment. Cellular or cordless telephones must not be used to discuss sensitive business matters. These devices, often found in executive offices and homes, are radio transmitters, frequently monitored by both hobbyists and professional information brokers.

Popular Communications reports that embarrassing or compromising taped cellular and cordless telephone conversations "...have ended up being used for political purposes, or in the news media, even for blackmail."(1)

* Electronic mail or voice mail. These methods are also taboo for sending private information. As noted in a Journal of Commerce article, "Fax Pirates Find It Easy to Intercept Documents,"(2) personal identification numbers (PINs) are too easily discovered, giving the eavesdropper access to proprietary messages.

Sensitive documents should be sent only on high-level encryption faxes to defeat interception equipment. Users should lock up the fax machines and make sure fax copies are secured as well.

Executives must also recognize the risks of phone company fax reception and storage services, similar to voice mail. The subscriber dials the fax number and enters a PIN access code to receive stored faxes. An eavesdropper who obtains the PIN code can obtain the faxes.

* Video encryption. Teleconferencing is growing in popularity as is videotaping corporate meetings and training sessions for worldwide distribution. Unfortunately, satellite teleconferencing signals can be received by millions of home satellite dish owners, some of whom may have deliberately tuned in to learn corporate secrets. Videotapes can be secretly borrowed, copied, and returned without the owner's knowledge of the action.

To be practical, video encryption systems should fully scramble both the audio and video signals with extremely secure techniques. Security managers evaluating equipment for purchase should be aware that descrambled video is not all high quality. Some equipment provides a fuzzy, jerky, descrambled product that is difficult to watch and, for that reason, is a poor security investment because top managers will not use it.

* Corporate telephone exchanges. Private branch exchanges (PBXs) are located in a company's telephone closets where wires, mounted neatly and predictably upon row after row of terminal blocks, lead off to corporate offices and other areas of interest to the eavesdropper.

These rooms must be, but seldom are, securely locked and physically secured. Keeping the eavesdropper out is easier and safer than trying to find his or her dirty work. Intrusion detectors and video recording can offer significant telephone closet protection.

In one case, where a surveillance team found evidence that an executive's phone line had been tampered with, a motion detector was installed in the shared, multiuse, telephone closet from which it sent nonalarm, report-only signals to an alarm central station.

After two weeks, the central station's records revealed a pattern of early morning visits to the telephone closet on Mondays and Thursdays. Surveillance was set up, and the eavesdropper was caught.
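The review of report-only records described in this case can be done mechanically. The following is an added example, not part of the original article; the log layout, the zone name ZONE07, and the business hours are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, time

# Assumed working hours; triggers outside them (or on weekends) are "off hours".
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]

# Constructed sample of report-only signals from a telephone closet sensor.
# Layout (assumed): date, time, zone, event type.
SAMPLE_LOG = """\
1992-03-02 05:12:44 ZONE07 MOTION
1992-03-02 05:14:02 ZONE07 MOTION
1992-03-03 10:31:09 ZONE07 MOTION
1992-03-05 05:20:17 ZONE07 MOTION
1992-03-07 23:10:55 ZONE07 MOTION
1992-03-09 05:08:30 ZONE07 MOTION
1992-03-10 14:02:41 ZONE07 MOTION
1992-03-12 05:16:03 ZONE07 MOTION
1992-03-12 05:19:48 ZONE07 MOTION
"""


def parse_events(log_text, zone):
    """Return timestamps of MOTION events for one zone, skipping bad lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != zone or parts[3] != "MOTION":
            continue
        try:
            stamp = datetime.strptime(parts[0] + " " + parts[1],
                                      "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # malformed timestamp: ignore rather than abort the review
        events.append(stamp)
    return events


def is_off_hours(stamp):
    """True for weekend triggers and for triggers outside business hours."""
    if stamp.weekday() >= 5:
        return True
    return not (BUSINESS_START <= stamp.time() < BUSINESS_END)


def recurring_off_hours_visits(events, min_weeks=2):
    """Map weekday name -> first off-hours trigger of each week's visit.

    Only weekdays with off-hours activity in at least `min_weeks` distinct
    ISO weeks are returned, so a one-off trigger does not count as a pattern.
    """
    by_weekday = defaultdict(dict)
    for stamp in sorted(events):
        if not is_off_hours(stamp):
            continue
        iso = stamp.isocalendar()
        week = (iso[0], iso[1])
        # Several triggers during one visit collapse to the earliest one.
        by_weekday[DAYS[stamp.weekday()]].setdefault(week, stamp)
    return {day: sorted(weeks.values())
            for day, weeks in by_weekday.items()
            if len(weeks) >= min_weeks}


if __name__ == "__main__":
    pattern = recurring_off_hours_visits(parse_events(SAMPLE_LOG, "ZONE07"))
    for day, visits in sorted(pattern.items()):
        print(day, [v.strftime("%Y-%m-%d %H:%M") for v in visits])
```

Business-hours activity and the single Saturday trigger drop out, which leaves only the repeating weekday pattern on which surveillance can then be scheduled.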

As a preventive measure, an escort policy should be in place for outsiders like service technicians who may need to work in telephone closets.

Computer-driven PBXs or switches present numerous opportunities for eavesdroppers. Using an on-site or off-site control terminal, the information thief can hide invisible wiretaps amidst millions of a PBX system's software instruction codes. For example, the clandestine instructions could cause a second line to connect to a target phone line and terminate into a hidden tape recorder.

Unless guarded against, PBX instructions can also be modified remotely through ubiquitous service modems. Service modems should be disconnected when not in use as a preventive measure.

An appropriately trained investigator from the corporate security office should regularly print out the user configuration instructions. Paying particular attention to extension numbers likely to be targeted, the investigator will look for modified instructions that could be related to eavesdropping.
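One way to carry out this periodic review is to compare each new configuration printout against a protected baseline copy and list changes to the targeted extensions first. This is an added example, not part of the original article; the "EXT number key=value" dump layout and the field names are hypothetical, since real PBX printouts are vendor specific, and both dumps are constructed.

```python
# Constructed baseline dump (hypothetical layout). "stations" lists the sets
# on which the extension's line appears; "forward" is its call forwarding.
BASELINE = """\
EXT 4101 name=CEO class=exec stations=4101 forward=none
EXT 4102 name=CFO class=exec stations=4102 forward=none
EXT 4230 name=Lobby class=public stations=4230 forward=none
EXT 4415 name=Stockroom class=staff stations=4415 forward=none
"""

# Constructed current dump: one watched extension has gained a second
# appearance, one forwarding target changed, and one record is new.
CURRENT = """\
EXT 4101 name=CEO class=exec stations=4101 forward=none
EXT 4102 name=CFO class=exec stations=4102,4415 forward=none
EXT 4230 name=Lobby class=public stations=4230 forward=4000
EXT 4415 name=Stockroom class=staff stations=4415 forward=none
EXT 4499 name=Spare class=staff stations=4499 forward=none
"""


def parse_dump(text):
    """Parse a dump into {extension: {key: value}}; reject malformed input."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if fields[0] != "EXT" or len(fields) < 2:
            raise ValueError(f"line {lineno}: unrecognised record")
        ext = fields[1]
        if ext in records:
            # A duplicate record is itself suspicious; do not silently merge.
            raise ValueError(f"line {lineno}: duplicate extension {ext}")
        attrs = {}
        for field in fields[2:]:
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: bad field {field!r}")
            attrs[key] = value
        records[ext] = attrs
    return records


def compare_dumps(baseline, current, watch_list):
    """Return (ext, key, old, new) for every difference, watched first."""
    findings = []
    for ext in set(baseline) | set(current):
        if ext not in baseline:
            findings.append((ext, "<record>", "absent", "present"))
            continue
        if ext not in current:
            findings.append((ext, "<record>", "present", "absent"))
            continue
        old, new = baseline[ext], current[ext]
        for key in set(old) | set(new):
            if old.get(key) != new.get(key):
                findings.append((ext, key, old.get(key), new.get(key)))
    # Extensions likely to be targeted sort to the top of the report.
    findings.sort(key=lambda f: (f[0] not in watch_list, f[0], f[1]))
    return findings


if __name__ == "__main__":
    watched = {"4101", "4102"}  # assumed list of executive extensions
    report = compare_dumps(parse_dump(BASELINE), parse_dump(CURRENT), watched)
    for ext, key, old, new in report:
        flag = "WATCHED" if ext in watched else "other"
        print(f"{flag:8} ext {ext} {key}: {old} -> {new}")
```

Every reported difference still needs to be matched to an authorized change order; the comparison only narrows where the investigator has to look.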

The PBX switch has another set of coded instructions, called the operating system code, that is not as easy to inspect as the user configuration instructions. Some PBXs do not provide access for users to read or print out their operating system code.

Companies with such systems should arrange for the PBX manufacturer to run periodic comparisons of the operating system code. If differences are detected when the current code is compared to a known clean master tape, the manufacturer's software engineers can disassemble the code to determine its purpose.

If a PBX does not have the ability to dump the operating system code, the company should write over the existing code, using a master tape that has been absolutely protected from corruption.

Since the results of these PBX investigations could reveal corporate communications' employee involvement in the eavesdropping, security personnel and outside engineers must be used for these investigations.

Corporate telecommunications are best safeguarded when the communications department is under the vice president in charge of security.

PBXs randomly use one of many lines from the telephone company central office for any given call. Since the eavesdropper can never be sure which outside line his or her target's call will be on, he or she is usually constricted to wiretapping on-site, inside the PBX, or between the PBX and the target phone. If the potential payoff is large enough, however, the eavesdropper may go to the trouble of monitoring dozens of outside lines or telephone microwave links.

Outside lines are sometimes wired directly to a telephone to bypass the PBX in the mistaken belief that this is more secure. Actually, a direct outside line extends the vulnerability beyond the confines of the building to the outside wires between the building and the telephone central office where there is little chance of protection.

Contrary to the claims of some manufacturers and countermeasures experts, digital phones are not inherently secure. It is relatively simple to reconvert the digital audio signal back to voice. Companies should use the same care in protecting digital systems as they do for analog voice systems.

Even though it is expensive to supply secure encryption devices to every individual who needs them, voice scrambling can be an excellent solution within limitations and with additional safeguards.

Some scramblers are easily defeated. Simple frequency inversion scrambling is better than nothing. Variable split-band inversion systems offer real-time voice protection when they use many split-point combinations that are frequently varying. Digital encipherment equipment is the most secure but produces an annoying time delay between speaking and listening.

Most scrambler telephone handsets, like those used in US government secure telephone programs, are vulnerable to the insertion of a radio transmitter that bypasses the scrambling circuitry and transmits both sides of clear voice (plain text) audio to a nearby receiver and recorder.

A room bug could pick up the target's half of a scrambled telephone conversation, enabling the eavesdropper to infer successfully what is said on the other side.

Telephone scramblers should be backed up with physical protection, radio frequency sweeps, and area searches for room bugs.

* Computer systems. Passwords are the most common defense against computer intrusion, but to be effective they demand good control procedures. Passwords should be as complex as the user can memorize but never less than six random alphanumeric characters.

The company must change passwords regularly and close them out as soon as the users leave the organization. Management should train users to log off terminals before leaving them unattended. This procedure can be backed up with an automated log-off program. It should be policy for staff to disconnect modems when they are not in use.

A secure encryption system can be employed to protect confidential files, especially before transmitting them by modem over a telephone line. Encrypting files, however, does not always provide sufficient protection.

Encryption techniques found in popular software packages may not be reliable. Some encryption-breaker software manufacturers claim their products, which retail for under $200, will break many well-known and widely used encryption programs.

Fortunately, not all software programs must be protected. Encryption can be restricted to only vital files to reduce time and expense.

Viral scanners are important but are not the total answer for preventing virus attacks. Other simple precautions are available, such as write-protecting floppy disks, so that programs cannot be altered. Complex antiviral procedures can be used, such as relabeling operating system utility files that a virus may use as a tool to wreak havoc.

The best antiviral safeguard may be to assume that the user is going to be hit and, therefore, must prepare properly for a fast recovery while minimizing cost and inconvenience. It is important for staff to back up computer files frequently so that the copies can be used to reconstruct data infected by a virus.

Erasing data files from hard disks removes file labels but does not remove the information, which can still be accessed by an interested party. To wipe sensitive files clean, operators can use available utility programs to overwrite the entire file with a pattern of meaningless characters. After overwriting, the operators can confidently erase the file from the computer's hard disk.

Audit trails that track computer network activity are worthwhile only if regularly analyzed for suspicious events. They are most valuable when they are an integral part of a disciplined program of detection, autoalerting questionable activity, planned response, and evenhanded enforcement of the security policy.

* Laptop computers. Portable computers are attractive to thieves who can easily resell them. Laptop owners, however, may be more concerned about the information contained in the laptop than the loss of the hardware. This information may either be of value to a competitor or embarrassing if it gets into the hands of the media.

If not backed up elsewhere, the lost information can take many expensive hours to reconstruct. Corporate laptop users should lock them out of sight when idle.

* Trade shows and presentations. Sales material, trade show exhibits, and professional presentations should be reviewed for sensitive information by responsible department heads. Employees should be instructed not to say anything at trade shows or in their outside presentations that they would not say to a competitor.

During shows, participants should not leave demonstration equipment or sensitive documents unattended in booths. New design samples have been stolen during transport in and out of shows.

Security should plan what equipment or material is to be protected and personally carry these items in and out of the show.

* Foreign travel. Foreign travel increases the risks of information loss because of the many foreign governments now unleashing their huge intelligence-gathering resources against visiting business executives.

The user of telephone voice encryptors should assume room bugs are listening to his or her half of the telephone conversation.

Encrypted faxes and laptop computer modems defeat audio bugs, but they still must be protected from hidden video cameras used to record key strokes, screen information, or written materials.

With the proper precautions, the right equipment with data encryption standard equivalent or higher level encryption security can safely send and receive data files and memos via foreign telephone systems. Before purchasing such equipment, the company should make sure that it is legally exportable.

Left unattended, such as in a hotel room, communications equipment can be bugged or replaced with a bugged look-alike that will transmit plain text data to a remote monitoring location. A locked hotel door cannot be considered security.

Corporate executives who travel must minimize the chances for tampering by ensuring the physical security of hardware. As an additional precaution, they can use a barely discernible scratch pattern to identify encrypted communications equipment. Before using the equipment, a company official should ensure that it is the right instrument. Written memos, documents, and computer disks should be kept with the individual.

A Technical Surveillance Policy

Security managers sometimes send inadequately prepared employees to TSCM training courses. TSCM trainee prerequisites should include at least two years of electronic schooling, with experience in communications equipment, television, and computers.

Unless they are to be supervised by a TSCM professional on their return, employees sent to such courses should not be expected to do competent TSCM work.

A superficially trained employee will likely miss clandestine signals or inaccurately interpret them. A TSCM trainee needs months of study and experience after a countermeasures course to gain proficiency. In this quickly changing field, the technician always requires continued professional development to stay up to date regarding technology.

It is risky for a company to rely on stand-alone TSCM equipment to protect it from bugs and taps. Conversations often become less guarded when privacy expectations exist in spite of possible equipment nonperformance.

Stand-alone TSCM equipment purchases are best made when assisted by a TSCM specialist who can read beyond sales literature and inform the user of the limitations and risks.

Equipment, such as a $30 to $50 telephone tap alert, is not sensitive enough to provide practical protection. Other equipment may not cover all possibilities of attack; it may be too insensitive, missing signals, or too sensitive, repeatedly giving false alarms.

Knowing the limitations of TSCM equipment allows the security manager to recognize if the TSCM company depends too much on its equipment at the expense of other mundane but necessary work.

Time domain reflectometers (TDR) and nonlinear junction (NLJ) detectors are good examples. TDRs send a radar-like pulse down a telephone line. The pulse reflections, which indicate line irregularities and their distances from the test point, are displayed on a monitor screen or printed on a strip of chart paper.

Line irregularities must be relatively large to cause a discernable reflection. A TDR may not always reveal a properly designed wire tap on a telephone line.

In addition to TDR testing, the time-consuming physical inspection of the entire line from the telephone through satellite telephone closets to the PBX is necessary and should be insisted on by the security manager.

NLJ detectors recognize the presence of diodes and transistors used in electronic equipment, including eavesdropping devices. Suspecting the use of an NLJ detector, the eavesdropper expects that less attention will be given to a physical search. He or she can then place the transmitting or recording device out of the short range of the NLJ detector. If hidden within office electronic equipment, the equipment masks the presence of the bug from the target by giving the detector the same indications as the bug.

Contracted TSCM Services

Sample cost of program for manufacturing company with 50

* Evaluation and formulation of security policy, including development of handbook and nondisclosure forms: $3,200
* An electronic security system: $1,320
* New locks, lockable files, and a metal gate: $1,320
* Antiviral and computer access security upgrades: $900
* 100 employee handbooks: $950
* Two future semiannual compliance audits and reviews: $1,400
* Installation of no visitor signs: $76
* Custom-made visitor log: $27
* Initial countermeasures sweep: $825

TOTAL: $9,678

* Estimated cost of employee participation: less than $1,500
* Expected annually recurring cost: $450
* Estimated loss prior to program: $130,000

The use of high-tech equipment by a TSCM team does not by itself ensure a competent sweep. Furthermore, even a competent sweep can miss an eavesdropping device.

Standardization in American alarm systems, telephone installations, and other wiring aids the information thieves. They know what to expect during a midnight tour of a target's telephone closet.

Rob the thieves of this advantage by creating unexpected, nonstandard wiring in vulnerable offices. While the details cannot be published, the general concepts are that thieves think they recognize what they see, and their electric tests confirm it. However, after installing the eavesdropping equipment, they never receive the information they want.

Michael Hansen, CPP, is a principal with Northwest Countermeasures Company in Beaverton, OR. He is a member of ASIS.

(1) Tom Kneitel, "Risky Business," Popular Communications, June 1, 1992, p. 42.

(2) Journal of Commerce, September 7, 1990.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:information security in corporations
Author:Hansen, Michael
Publication:Security Management
Date:Sep 1, 1992