
Date post: 04-Aug-2020
BUSINESS ESPIONAGE THREATS AND COMPREHENSIVE, OVERLAPPING MULTIDIMENSIONAL COUNTERMEASURES BRUCE WIMMER, CPP; BILL SCHENKELBERG; ART LESSER

WHO …

Bruce Wimmer, CPP, G4S CRS = Human Threats/Countermeasures

Bill Schenkelberg, Wapack Labs = Cyber Threats (IT)/Countermeasures

Art Lesser, Merit Security = Technical Threats/Countermeasures


HUMAN AND TRADITIONAL THREATS

HUMAN THREATS – Modus Operandi:

• Hiring away or recruiting selected employees (in place) who take info with them [cyber]

• Some employees leave to form new business [technical devices left behind or cyber]

• Planting spies as employees or contractors inside the target business (insider ‘plants’)

• Breaking into business areas to steal information/items (sometimes misunderstood as theft of items for resale value)

• In-person or telephonic social engineering to gain access to facilities (and hence information) or to obtain information even if only to use it to better socially engineer later

• Trash cover and document theft


HUMAN THREATS – Modus Operandi (continued):

• Stealing/removing things (including samples, prototypes, laptops, removable drives, printer/copier drives) [cyber and technical]

• Social Engineering or Piggy-Backing into company to place listening devices/transmitters [technical]

• Insiders (employees, contractors [cleaners, security, etc.]) exploiting and/or expanding access to sensitive business-related information or planting devices in offices or meeting rooms or using existing electronic equipment [technical]

• Breaking into/manipulating locks to allow access to server rooms, telephone closets, etc. to make monitoring possible [technical and cyber]

• Social Engineering or Insiders getting into server rooms, telephone closets and manipulating printer/copiers [cyber and technical]


HUMAN THREATS – Modus Operandi (continued):

• Travel to high threat countries (hotel rooms, client or partner/local offices) [technical and cyber] = My “DIRTY DOZEN” list of countries (PR China, Russia, Japan, South Korea, Cuba, France, Israel, Taiwan, Vietnam, India, Venezuela and Brazil)

• Eavesdropping by human ear in a room, lounge, restaurant, aircraft or vehicle [technical too]

• Going on facility tours or attending functions at a facility and observing or “wandering” around

• Using overt or covert cameras and photographing equipment, processes, notes, presentations, etc. [technical]


CYBER/IT THREATS

TOP CYBER THREATS

Phishing Attacks

https://pentagontours.osd.mil/Tours/


Insider Threat


Denial of Service (DDoS)


Malware


Weak Credentials

BetaNews.com


TECHNICAL THREATS


What Is TSCM?

Electronic Countermeasures

Bug Sweeps

What you don’t know, you don’t know

And it can hurt you


Threats (Vulnerabilities)

RF Analysis

Telecommunications Devices and Wiring

Non-RF (Tape Recorder)

Sensitive Documentation (CDP)

Wireless Analysis

IoT


Privacy & Confidentiality

Safeguarding

Who is vulnerable?

Why are they vulnerable?

What can be compromised?


Aspects of TSCM

Radio Frequency (RF) Devices

Telecommunication

Non-RF Devices

Documents/Clean Desk Policy (CDP)

Wireless Analysis

Internet of Things (IoT)


Specific Threats


R.F. DEVICES


R.F. DEVICES


Non R.F. Devices

Bugs or Planted Recording Devices (Do not emit R.F.)


Telecommunications

Eavesdropping using telephone lines/devices

CAT Cables - 8 - Wire

Phones have 2 microphones and 2 speakers


How do we protect ourselves from all these Threats?

COUNTERMEASURES


HUMAN COUNTERMEASURES


HUMAN THREAT COUNTERMEASURES

• Background screening (pre-employment and on-going/updated); thorough due diligence for all suppliers, partners and contractors (know who you are dealing with and who they deal with or who really owns them) – Do NOT hire or partner with problems!

• Legal agreements for staff and contractors (non-compete, non-disclosure, etc.)

• Termination/resignation protocols including review of legal agreements when someone leaves

• Employee education and awareness training; including specialized training for reception area staff, sales, staff who organize/arrange and attend meetings, travelers and senior management

• Employee reporting methods/requirements (hotlines, etc.); encourage reporting!


HUMAN THREAT COUNTERMEASURES (continued)

• Challenging/reporting of individuals who are in controlled areas without displaying a badge; leadership sets the example and standard

• Document destruction that includes cross-cut pulverizing; destruction by a third party should be on-site, witnessed/monitored

• Spot checks of open trash

• Tiger/Red Team testing; hold people accountable

• Limiting tours or unescorted time in a facility or office


HUMAN THREAT COUNTERMEASURES (continued)

• Need-to-know information controls and determination of “highest consequence” information and equipment

• Identified and clearly marked/identified sensitive information; clearly delineated, marked and labeled with levels of “classification”

• Access controls/locks (including offices) and openly displayed identification badges; internal area Intrusion Detection Systems

• Escort and “no lone” zone programs

• Clean desk program; no documents left on common printer or copier; locked offices, desks and storage

• Travel security program that includes business espionage Threats and Countermeasures education and awareness


CYBER COUNTERMEASURES

WHAT TO DO - PHISHING

• Understand: Understand that phishing remains a top threat to networks. Senior management or privileged account owners are often the target of spear-phishing attacks. Look for spoofed email addresses and suspicious links. Know your supply chain.

• Set: Set continuing threat/vulnerability training and education. Once is not enough. If applicable and reasonable, use advanced anti-phishing software.

• Vet: Make sure all IT personnel are watching for phishing attacks and how employees respond to the attacks. Vet the use of cell phone integration with the company network.

• Perform: Perform Red Team tests; not to embarrass, but for awareness.

Robotics in supply chain

WHAT TO DO – INSIDER THREATS

• Understand: Understand that “insider threats” are real and one of the most difficult to detect.

• Set: Set strict parameters for network access, based on the “need to know” principle.

• Vet: HR must work with C-Suite and HR to mitigate potential insider threats.

• Perform: Perform HR audits to spot potential insider threats, i.e., routine background checks.

WHAT TO DO – DDOS

• Understand: DDoS attacks - non-standard use of old vulnerabilities, new botnets, cryptocurrencies madness, high-profile DDoS attack (or not) with a political subtext, & activism/hacktivism.

• Set: Set dedicated IT personnel to monitor the network for signs of intrusion and infection. Keep networks separated to avoid lateral movement.

• Vet: Develop strict prevention and mitigation strategies (NIST standards).

• Perform: Perform monitoring or outsource to a security company SOC.

WHAT TO DO – MALWARE

• Understand: Understand that malware infection is on the rise and getting worse.

• Set: Set solid anti-virus programs and daily updates.

• Vet: Vet the anti-virus apps before and during use. Take heed of the warnings.

• Perform: Perform updates and develop a Blacklist inclusion program.

WHAT TO DO – WEAK PASSWORDS

• Understand: People are creatures of habit and seek simple processes (and solutions).

• Set: Set programs to force proper password usage. Deny easy passwords. Make employees change passwords often. 2 party authentication.

• Vet: Vet habitual users who have password issues (unintended insider threat).

• Perform: Perform monitoring to detect password alterations.


TECHNICAL COUNTERMEASURES

Counter Measures and Detection Methods

R.F. Devices

Non R.F. Devices

Telecommunications Devices and Wiring

CDP

© 2018 Private and Confidential, Merit Security


Audit


R.F. DETECTOR DEVICES

Non R.F. Detection

Hidden or Dormant Devices

Non Linear Junction Detectors

Telecommunications Detection

Telephone Line Detector and Analyzer

Low Voltage Wiring


Electronic Inspection

Clean Desk Policy

Sensitive documents, CDP

Passwords under keyboard

Tape recorder under desk

Thumb drives

Peripheral storage devices

Physical Inspection

Miscellaneous devices not found by electronic means

SUMMARY

Radio Frequency Devices

Very Low Frequency Devices

Telecommunications and Wiring

CDP

Physical


THREATS/COUNTERMEASURES

• Real-World Case Example - where it all came together!

• Global Company

• Guarding and physical security -- Insider

• Cyber Security

• Technical

• Value of a Risk Assessment and Education/Awareness Training


THREATS/COUNTERMEASURES

• There are, in fact, numerous Threats and, hence, Countermeasures that overlap and do not fit exclusively into a single Human, Cyber or Technical silo.

• The best way to counter Business Espionage is a comprehensive and multidimensional program that includes Human, Technical and Cyber Countermeasures.

THREATS/COUNTERMEASURES

Ancient African Proverb:

“If you want to go fast, go alone. If you want to go far, slow down and go together.”

Thank you!

QUESTIONS??


BRUCE WIMMER, CPP

Senior Director

G4S Corporate Risk Services

Email: [email protected]

Mobile: 352 238-0392


BILL SCHENKELBERG

Wapack Labs LLC

Email: [email protected]

Mobile: 603 275-0743


ART LESSER

Merit Security

Email: [email protected]

Telephone: 650 366-0100 or 1-800-4-SECURITY

