
Industrial espionage in a hi-tech world


Computer Fraud & Security, January 2008

It seems reasonable to start with the question ‘What is Industrial espionage’? This may seem a stupidly simple question, which has an obvious answer – companies spy on other companies! Unfortunately, to presume that would be a gross over-simplification. Espionage, as most people understand it, is one country spying on another country to obtain political or military advantage. Industrial espionage, also known as corporate or business espionage, is spying that is conducted for commercial rather than national security purposes. However, it may be carried out by governments, companies and by other types of private organisations such as pressure groups. In the most straightforward cases, it is corporations spying on competitors to gain a market advantage, which probably entails the theft (or copying) of trade secrets and/or confidential or valuable information for use. In less commonly reported or understood scenarios, it may be a government spying on a corporation to gain information that will be of benefit to its own national military, industrial or commercial base. The types of material that are most often targeted are companies’ research and development, designs, formulas, manufacturing processes and future plans.

Corporate spies

There have been a number of well-documented cases where company-to-company industrial espionage has been alleged, with a recent example being the cause of a dispute in Formula 1 motor racing between Ferrari and McLaren. The row resulted in the McLaren team being found guilty and fined US$100 million, together with other sanctions. An interesting footnote to this event was that once the verdict of the enquiry had been announced, the transcripts of the hearings were published on the Internet. A number of highly sensitive documents on the inner workings of the technical strategies adopted by the rival teams were exposed. This happened because the documents were released in .pdf form with the sensitive sections blacked out, and those who released them did not understand that a simple cut and paste of the blacked out areas to a text editor would reveal the underlying text.
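A pre-publication check for the redaction failure described above, as an added example that is not part of the original article: it scans a simplified, uncompressed PDF content stream for text that is still present beneath a rectangle painted over it afterwards. The sample stream is constructed, the function names are hypothetical, and the check assumes no coordinate transforms and tests only the origin point of each string.

```python
import re

# Tokens of a simplified PDF page content stream (assumed uncompressed).
TOKEN = re.compile(
    r"\((?:\\.|[^\\()])*\)"   # literal string; nested parentheses not handled
    r"|/[^\s()/\[\]]+"        # name operand such as /F1
    r"|[-+]?\d*\.?\d+"        # number
    r"|[A-Za-z*]+"            # operator: re, f, f*, BT, Td, Tj, TJ, ...
)
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}   # operators that fill a path
END_PATH_OPS = {"n", "S", "s"}                      # path ends without a fill


def scan(content):
    """Return (fills, texts), each tagged with its position in paint order."""
    fills, texts, pending, operands = [], [], [], []
    line_x = line_y = 0.0
    for order, match in enumerate(TOKEN.finditer(content)):
        tok = match.group()
        if tok[0] == "(":
            # Simple escape handling: \( \) \\ become the bare character.
            operands.append(re.sub(r"\\(.)", r"\1", tok[1:-1]))
            continue
        if tok[0] == "/":
            continue                      # names are not needed for this check
        if tok[0] in "+-.0123456789":
            operands.append(float(tok))
            continue
        nums = [o for o in operands if isinstance(o, float)]
        strs = [o for o in operands if isinstance(o, str)]
        if tok == "re" and len(nums) >= 4:
            x, y, w, h = nums[-4:]
            pending.append((min(x, x + w), min(y, y + h),
                            max(x, x + w), max(y, y + h)))
        elif tok in FILL_OPS:
            fills += [(order, *rect) for rect in pending]
            pending = []
        elif tok in END_PATH_OPS:
            pending = []
        elif tok == "BT":
            line_x = line_y = 0.0         # text position resets per text object
        elif tok in ("Td", "TD") and len(nums) >= 2:
            line_x += nums[-2]
            line_y += nums[-1]
        elif tok == "Tm" and len(nums) >= 6:
            line_x, line_y = nums[-2], nums[-1]   # scale and rotation ignored
        elif tok in ("Tj", "TJ") and strs:
            # For TJ arrays the numbers are kerning; only the strings matter.
            texts.append((order, line_x, line_y, "".join(strs)))
        operands = []
    return fills, texts


def text_under_redactions(content):
    """Strings whose origin lies inside a rectangle filled later in the stream."""
    fills, texts = scan(content)
    hits = []
    for t_order, x, y, string in texts:
        covered = any(f_order > t_order and x0 <= x <= x1 and y0 <= y <= y1
                      for f_order, x0, y0, x1, y1 in fills)
        if covered:
            hits.append(string)
    return hits


# Constructed sample: a white page background, three lines of text, and a
# black box painted over the second half of the middle line.
SAMPLE = r"""
1 1 1 rg 0 0 612 792 re f
BT /F1 12 Tf 72 700 Td (Hearing transcript \(public version\)) Tj ET
BT /F1 12 Tf 72 680 Td (Supplier unit cost: ) Tj ET
BT /F1 12 Tf 190 680 Td (CONSTRUCTED-SECRET-1234) Tj ET
BT /F1 12 Tf 72 660 Td [(Next ) -20 (witness)] TJ ET
0 0 0 rg
186 676 200 16 re f
"""

if __name__ == "__main__":
    print("Text still present under a painted box:", text_under_redactions(SAMPLE))
    fixed = SAMPLE.replace("(CONSTRUCTED-SECRET-1234) Tj", "")
    print("After removing the text operator:", text_under_redactions(fixed))
```

The box changes only what is drawn on screen; the string remains in the file until the text operator itself is removed, which is why the second call reports nothing. Published PDFs normally compress their content streams, so a production check would decode them with a PDF library first.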

Other cases of industrial espionage that have made the news include the well publicised 2006 reports of three people who were convicted in the US of plotting to steal trade secrets from the soft drink maker Coca-Cola and trying to sell them to its main competitor, Pepsi. Unfortunately for the three plotters, Pepsi notified the FBI, which then set up a sting operation that resulted in them being caught.

Again, in the US, it was recently reported that Wal-Mart regularly sent its department managers into Kmart, one of its main competitors, to electronically scan equivalent products and the prices at which they were being offered, so that the information could be used to re-price their own products at a lower price. While you may argue that this information is publicly available, it demonstrates how, even at this level, organisations will gain and use whatever information they can on their competitors to gain advantage.

Other examples include the dispute between Volkswagen AG (VW) and General Motors (GM), which accused Jose Ignacio Lopez de Arriortua, a former GM purchasing chief, of stealing its trade secrets when he left GM in 1993 to move to VW. A settlement was reached in 1997 when VW agreed to pay US$1 billion to GM.

Nation states

An example of espionage by a nation state against both governments and companies is a range of attacks originating from China called Titan Rain. The attacks, which started in 2005, show the massive scale that such activity can take. The case involved Chinese hackers, some believed to be from the People’s Liberation Army (PLA), attacking the computer networks of US military and government sites, British government departments, and also those of Germany. Alex Neill of the Royal United Services Institute was quoted as saying that cyber attacks by the Chinese had been going on for at least four years.

Two years later in 2007, the American Intelligence website reported that China had allegedly tried to hack into highly classified government computer networks in Australia and New Zealand. The report stated that this was part of a broader international operation by the Chinese to glean military secrets from Western nations and that experts believed that China had also targeted the US, Canada, Germany and Japan as part of its global intelligence gathering effort.

Dr Andrew Jones, Head of Security Technology Research, BT Security Research Centre, Adjunct, Edith Cowan University

Dr Andy Jones looks at how espionage has never been easier.

In the UK, in June 2005, the National Infrastructure Security Coordination Centre (NISCC), which is now called the Centre for the Protection of the National Infrastructure (CPNI), issued a warning saying: “Parts of the UK’s critical national infrastructure are being targeted by an ongoing series of email-borne electronic attacks. While the majority of the observed attacks have been against central government, other UK organisations, companies and individuals are also at risk.” It also said the majority of the attacks were originating in the Far East. Roger Cummings, the director of NISCC, stated: “Foreign states are probing the CNI for information.” A warning was later issued by the US, which specifically named China as the originator of the attacks.

It is interesting that the CPNI identifies espionage as one of the four threats to the national infrastructure and says: “Espionage against UK interests continues from many quarters. In the past, espionage activity was typically directed towards obtaining political and military intelligence. This remains the case, but in today’s hi-tech world, the intelligence requirements of a number of countries also include new communications technologies, IT, genetics, aviation, lasers, optics, electronics and many other fields.” In other words, the targets have moved from being just government departments to include research and industry. The CPNI definition goes on: “The UK is a high priority espionage target and a number of countries are actively seeking UK information and material to advance their own military, technological, political and economic interests.”

Losses

If we accept that the threat to business, in addition to government, is real, and there is no reason to doubt it, what is the potential scale of the problem? Any sort of quantification of the problem is hard to find. Organisations, in the main, do not know that they have been spied upon and even if they do discover the espionage, there is a significant reluctance to report it and it is difficult to put a value on the cost of the attack. In 2006, Derek Quinn of Radio Canada International (RCI) gave an indication of the scale of the problem in a quote from a report issued by the Canadian Security Intelligence Service (CSIS) by former long-time agent Michel Juneau-Katsuya. This report estimated that the cost of industrial espionage to Canada in 1996 was in the region of C$1 billion per month. The report went on to indicate that in the decade since, the improved communications and globalisation of the economy have made the problem worse. Another source, a 2004 annual report to the US Congress on Foreign Economic Collection and Industrial Espionage, estimates that the cost of such activities was anywhere between US$100 billion – US$250 billion annually, but given the difficulty in estimating the cost of a single case of industrial espionage, these figures can only be loose estimates.

It should come as no surprise that in an increasingly competitive global market place, one country’s loss will be another country’s gain and that some countries will use whatever resources they have to create advantage for their national industries. To quote Christian Nevell Bovee, a 19th century author and lawyer, “Formerly when great fortunes were only made in war, war was business; but now when great fortunes are only made by business: business is war!”

Long-term effects

The effects will not only be seen in terms of the migration of jobs from one region to another, but also in terms of lost corporate and tax revenues. This, if it occurs on a large scale, has the potential to adversely affect a government’s ability to maintain its spending programmes that may include the maintenance of military capability, social benefit or healthcare.

When friends become foes

While the emphasis at the moment is on the threat from China, increasing globalisation of commerce could potentially turn countries that have traditionally been considered allies into economic enemies. According to a 2006 report that was obtained by the CanWest news group under Access to Information laws, the CSIS has identified a minimum of 24 countries that present a threat to Canada in terms of industrial espionage. The list includes Russia, China, the US, France, Britain and Germany. According to CanWest, the report says there are also new threats from foreign governments-in-waiting, governments-in-exile and terrorist groups.

Some indication of how long this has been going on can be gained from a July 1995 report to the US Congress, in which the CIA’s National Counter Intelligence Center said: “…because they are so easily accessed and intercepted, corporate telecommunications, particularly international telecommunications, provide a highly vulnerable and lucrative source for anyone interested in obtaining trade secrets or competitive information.” The report went on to point out that: “Because of the increased usage of these links for bulk computer transmission and electronic mail, intelligence collectors find telecommunication intercepts cost-effective.”


France

According to Schweizer, a US author, another country that is “one of the most aggressive collectors of economic intelligence in the world,” is France. The author accuses the French Government of infiltrating numerous American companies including IBM, Texas Instruments, and Corning, which, among other things, produce cutting edge fibre-optics, semiconductors and advanced materials for the telecommunications industry. The author highlights the establishment of the Ecole de Guerre Economique (EGE) (School of Economic Warfare) as an example of the French attitude to the issue. Hulnick, an ex-CIA analyst, believes that one of the reasons why the French are among the leaders in economic espionage is the prevalence of state-owned enterprises in France, which creates a climate in which government interests can overlap with company interests.

This raises the question, then, of just how easy it is for someone to steal information. With the long history of physical security, companies have always taken steps to ensure that it is difficult to remove documents from their buildings that could be passed to a competitor. However, in the modern technology environment the protection of information is becoming increasingly difficult. There are now a number of other ways to steal information, from sending it out of the organisation in email attachments, to carrying it out on a laptop or in a USB or memory stick, to accessing it by remote access from home, and even through the use of cell-phones. With companies increasingly dependent on exchanging information via the Internet, stealing sensitive information has never been easier.

Information broker

As with anything else, the value of information in business creates the opportunity to make money both legally and illegally. Among other things, this has given rise to the information broker, a middle-man who will obtain information from one source and sell it to organisations that want it. At one end of the spectrum this is a perfectly legitimate and well-established and respected business that has its own trade representation in organisations such as the Society of Competitive Information Professionals, but at the other end it can be criminal. This just adds to the complexity of the problem. Now we have countries spying on behalf of their national industries as well as for military and political secrets, companies trying to steal other companies’ sensitive information and independent brokers who will buy information from anyone if they think that there is a market for it. The problem that this causes is that the person who has obtained the information no longer needs to have a direct connection with the organisation that could benefit from it. They can now operate through a third party, making the identification of the source of an information leak more difficult.

We all have our own preconceptions of the type of people that will be involved in industrial espionage, but as with some of the successful practitioners in other areas, the good ones do not necessarily fit the profiles. After all, all of the best spies for governments were well placed and trusted by their employers, as you wouldn’t be much of a spy if you weren’t. During the cold war, most of the spies that were identified in the west held government security clearances!

An example of the sort of people who have been caught carrying out industrial espionage is a married couple from Israel, who were convicted and jailed in 2006 for creating and selling computer worms that were used to carry out industrial espionage. According to the indictment at their trial, the couple, who managed a company called Target-Eya, developed the malware and marketed it to a number of private investigators who installed it on the computers of the rivals of their clients.

Techniques

So what techniques are being used today for industrial espionage? The advent of the computer and its use by all types of organisations has revolutionised industrial espionage. In the past the techniques ranged from breaking and entering an establishment and stealing or photographing significant documents (remember the Minox camera?), to planting a person to work in the organisation and paying an existing employee to betray the organisation and a whole host of other techniques. Since the computerisation of a vast range of aspects of business and personal life, the way in which these techniques are used has changed and many new techniques have been developed to take advantage of the new environment. The volumes and types of information that are now stored electronically mean that protecting data has become more difficult.

Figure: The spies that lie behind virtual espionage are often invisible.

It is, unfortunately, a reality that in the majority of cases, the security of information is reactive – it responds to each of the new methods that are used to attack it once the attacks become known. Put another way, it is normally only after a successful attack has been detected that new measures are put in place to prevent a recurrence. The down side of this is that an attack may be successful and remain undetected for a considerable period.

In addition to all of the old and established methods, one of the techniques that takes advantage of the new technologies that are currently being used is the theft of laptops and other computers. A number of informal surveys by Securityfocus.com in 2001 indicated that between 10% and 15% of laptops were stolen with the intention of selling the data that they contained. In 2002, the Computer Security Institute/FBI Computer Crime and Security Survey estimated that the average financial loss resulting from the theft of a laptop was in the region of US$89 000, and only a small percentage of that cost was actually related to the cost of the stolen hardware. An example of this was the case in 2006 of a US sailor who was charged with espionage after stealing a laptop that contained classified information and attempting to sell the contents to foreign governments. Another example was the 2003 theft of two computers from the intelligence centre at Sydney International Airport in Australia. In this case, two men bluffed their way into the top-security mainframe room and spent two hours dismantling two computers, which it was claimed held thousands of confidential files, including top-secret communications between customs investigators and other government organisations. They then put the computers on trolleys and wheeled them out of the building.

Spyware

Another technique that is being used extensively at the moment is the planting of spyware or keyloggers. Spyware is software that is installed surreptitiously on the target computer, usually to monitor the user’s behaviour or collect an array of information and store or transmit it to a designated site. A keylogger does just what its name implies: it logs the keystrokes of the user and is normally used to capture information such as user names and passwords. An example of this came in 2005, when Peter Warren, a UK journalist, reported that the Japanese Sumitomo Bank in London had its computers bugged by the cleaners with keystroke loggers for a gang hoping to steal £220 million.

Back doors

The technique favoured by many people attempting to gain access to computer systems at the moment is the planting of software that creates a back door on the computer that allows it to be controlled by the miscreant. Once they have control of the computer, they can copy the information they want, monitor what is going on and use the computer for their own ends, perhaps even using it to spy on the target company’s competitors and get it blamed.

Steganography

If the person has access to the computer (one of your trusted staff), a technique that can be used to get information out is the hiding of information in other, apparently innocent files. This is known as steganography (secret writing) and gives the miscreant the opportunity to send files that appear to be totally innocent – perhaps a music clip or a picture that also contains large quantities of sensitive information. Although there are no detected cases of steganography happening in industrial espionage, it is probably only a matter of time.

Surveillance

Then there are techniques such as wire and fibre tapping and wireless signal interception, where the signal being transmitted is intercepted en-route. Alternatively there is also the good old-fashioned technique of surveillance using modern technology such as directional microphones, laser microphones, telephone tapping and the bugging of rooms. If you think that this type of activity is not happening, a recent example of bugging was discovered last year. During a takeover of one company, which can’t be named, by another, a sweep of the conference room that was to be used for the discussions on the new organisation was carried out. Although no devices were found, wiring that belonged to four hastily removed devices was discovered. Clearly word had got out that the ‘bug sweep’ was about to take place.

Another example was reported in 2005 when the Manchester United football team discovered that its dressing room talks about team tactics had been bugged during a crucial match against Chelsea. Tapes of the talks were subsequently offered to The Sun newspaper.

One question that is of significance is how often is this happening – is it something that we need to have at the top of our priority list or is it something that, in terms of risk, is an event that would cause the organisation significant harm, but is a relatively uncommon event? This will depend in part on the type of activity that the organisation is involved in and the competitiveness of that sector. The reality is that it is difficult to tell, as there is little empirical evidence.

Necessary prevention measures

There are a range of measures that can be taken to reduce the likelihood of becoming a target for industrial espionage and minimise the effects if you are attacked. These start with making sure that information security risk assessments have been carried out and that all of the normal physical, personnel, procedural and electronic security measures have been implemented. Unfortunately, in information security, the most widely accepted convention has been that we need to keep the bad people out of our systems and we have relied heavily on perimeter defences, often to the detriment of internal measures. When the purpose of an attacker is to carry out industrial espionage rather than hacking or targeting the systems themselves, this often falls far short of achieving what is required.

The internal segmentation and compartmentalisation of networks will inevitably have an impact on the business processes and impose a heavy load on the management of the systems. In the physical environment, this is not viewed as being overly intrusive. We accept controlled access zones and separation of certain functions, but staff appear to be less tolerant of being denied access to information that is available, but for which they do not have authority.

Cryptography has been available for a number of years and while the cost of using it was initially significant, the cost of acquisition and management is now at a more realistic level. It is still largely true that even laptop computers carried outside the corporate protected environment are not normally encrypted. There have been a number of high profile examples of laptop computers that did not have their hard disks encrypted and that contained a significant volume of sensitive information being stolen, yet businesses are still not utilising what is now commonly available software. While the theft of these computers gives an indication of the value of information that is available, it does not give a realistic indication of the quantity of information that is stolen through espionage when the computer itself is not stolen.

Deteriorating safeguards

With most of our valuable information now stored and processed on information systems, it is here that the greatest changes have taken place. When pen and ink or typewriters were used to capture the valuable information of an organisation, we had to worry about the physical security and the security of personnel. For the most part, this could be addressed and the effectiveness of the measures could be visually checked, for example, are the locks on the doors adequate and are the keys that operated them controlled properly? For highly sensitive material, it could be stored in such a way that no one individual had access to it by measures such as the ‘two man rule’ where two separate locks had to be released and the keys were held by two different, trusted individuals.

The individuals who had access to the material were checked and their credentials verified. They could be monitored, and if they attempted to remove documents or materials, they were likely to be detected by physical checks at access points.

When information systems were first introduced, the security systems were modified to cater for the new technology and the means of copying or removing information were tightly controlled. Items such as floppy disks and in due course, the mobile phone, were banned from areas where sensitive material was processed or stored.

Unfortunately, as the information and communication technologies developed and became more ubiquitous and integrated into our personal and business lives, gaps started to appear in the procedures. For example, the person with the highest level of access to the information on the computer was no longer the trusted expert who ‘owned’ the information, even though it still appeared to be so. Now the system administration staff regularly had unrestricted access to it – after all, they were the people who were responsible for managing the operation of the systems and the storage of information and helping the user to gain the maximum benefit from it. The gap here occurred because the computer systems staff were considered to be technicians and the control of their access to sensitive information is not always recognised or properly controlled. For example, on systems where information is stored and access would be subject to the two-man rule, this should have also been applied to the system administrators. In addition, all the other members of staff who did not have a need to know the material would probably have been using the same network, which created the potential for them to gain access to the sensitive information, either by accident or omission of the security measures or by malicious intent.

Another gap occurred when the type of technology that, in the past, was considered to be of too high a risk was introduced. For example, items such as laptop computers and mobile phones became so integrated into the normal business process that it was no longer feasible to prevent their use in areas where sensitive information was in use. Most organisations would find it a significant impediment to exclude them these days. Once the first generation of these devices were accepted, the gap widened at a rapid rate as the functionality of these devices increased. Modern mobile phones have a significant data storage capability, together with high resolution cameras and can communicate using infrared, Bluetooth and Wi-Fi in addition to the expected GSM connection. The laptop that in many cases is the only computer an employee will use, now also has all, or most, of that functionality. USB storage devices, micro drives and flash memory cards have replaced the humble floppy disk and, in addition to being much smaller and easier to hide, also have significantly greater storage capacities.

Climbing the ladder

A third issue has been the social change that has taken place. In the past, people tended to work for an organisation with the intention of a full career with it and as a result, there was a higher degree of loyalty and also of self-interest. After all, if the company was disadvantaged or went out of business, that person’s job was likely to go as well. In recent times, there has been a move to a more mobile work force, with career development and salary advancement being gained by moving to a new company and position every three years or so. With this comes the reduction in loyalty and ‘ownership’ and also, of course, some of the corporate knowledge will inevitably also move with the individual.

All of these changes contribute to an increasingly difficult environment in which information that is of value and importance to an organisation must be protected.

In reality, what can be done is to put into place the appropriate security measures across all aspects of the environment. This must be an integrated approach that covers the physical security of the establishments, the personal security of staff, the procedural measures that are put in place and the electronic security measures that are additional to all of the other types of measures. This may seem a strange way to describe electronic security. However, it is only if we are using information and communications technology in an environment that has the appropriate physical security measures, and where the staff have the appropriate security clearances and understand the procedures that they should follow, that we can have any confidence that the measures we have taken will be effective. Some of the basic electronic measures that can be put in place are to ensure that the organisations’ internal networks are not visible to people outside. Sensitive information should be stored in a secure manner and only held for as long as it is required. It makes sense, wherever it is possible, to store it in an encrypted form whether it is on the computer or on the off-line storage media. Particular attention should be paid to laptop computers and any material that is likely to leave the secure confines of the organisation. In order to protect against the potential loss of sensitive information, a suitable regime of backups and off site storage should be arranged. With a suitable access control and auditing system, attempts to access information to which staff are not authorised, or to tamper with sensitive data, should be deterred or detected.

Espionage levels are high

A 2003 survey by PricewaterhouseCoopers found that 46% of the fastest growing companies suffered from information breaches or business espionage during the preceding 12–24 months. As a result of these breaches, 83% of the victims suffered financial losses. The survey identified that hackers were the cause of 61% of the attacks, current employees the source of seven percent and competitors the source of two percent.

Laptop theft

It is not uncommon to hear of a corporate executive having their laptop stolen and the effects can be far reaching. One example was the theft, in 2005, of an unencrypted laptop computer of a service provider of the Bank of America. The laptop contained information on the bank’s Visa Buxx prepaid debit cards for teenagers and as a result of the theft the bank had to warn customers that their bank account numbers, routing transit numbers, names and credit card numbers may have been compromised. In 2005 the Bank of America had already notified its account holders of a potential identity theft. In March, information about 60 000 of its customers had been stolen by an identity theft ring. A month before, the bank had also lost data tapes containing the credit card account records of 1.2 million US federal employees.

While the loss of the laptop may be considered unfortunate, three incidents of losses of large volumes of customer data within one year, as a result of a number of separate incidents, would indicate that anyone attempting to carry out corporate espionage against the bank would have a good indication of how and where the data was stored and transported and would know that it was not stored in an encrypted form that would make access difficult.

In April 2006 the security company ScanSafe reported that over the Easter period, 25% of the security threats reported were aimed at stealing financial data and that attacks aimed at the theft of information had risen by 410%. In July of that year, Shena Crowe, the San Francisco coordinator for the FBI’s InfraGard said: “Theft of trade secrets is a very big problem.” The FBI coordinator went on to warn that industrial espionage and targeted data theft are on the increase and predicted an increase in the number of “targeted laptop thefts.” According to FBI research at that time, the volume of laptop theft had doubled over the previous year and was the third costliest form of computer-related crime, after malicious software attacks and the unauthorised access to information.

It is a sad fact that if you carry a laptop computer you are vulnerable to either theft or having your data copied. Laptops have been stolen from all sectors of the community, both government and business. While some of these will have been the result of opportunity thefts, there are some indications that some are being specifically stolen for the data that they contain.

Victims with much to lose

In December 1999, Bono, lead singer of the band U2, had a laptop stolen from his car that contained months of work on song lyrics. In another incident, in March 2000, a British MI5 agent placed his laptop on the floor between his legs at the Underground ticket counter in Paddington Station in London, only to have it stolen. The reports of the incident stated that “The information in the computer does not constitute a threat to national security and is extremely well protected. It is Irish-related information, but not highly sensitive intelligence relevant to either terrorism or the peace process.” In a third incident, in September 2000, the chairman of Qualcomm, Irwin Jacobs, had his laptop stolen while he was at a conference at a hotel in Irvine, California.

Conclusion

In conclusion, the reality is that the current threat to sensitive corporate information is now at a level that has probably never been seen before. At the same time the information is also very exposed, with the information stored on networks that are themselves under attack. Steps that could be taken to improve the security of the sensitive information are often not implemented, either because of the difficulty of doing so, through the perceived cost or because the problem has not been understood. If organisations are to remain competitive and be successful, they are going to have to take greater precautions with the protection of their ‘crown jewels’.

In looking at the examples above most people will probably have a wry smile at the misfortunes of those who have suffered, but I suspect that many of us would squirm in discomfort at the thought of it happening to us. The reality is that it has become increasingly easy to carry out industrial espionage as organisations have used technology to enhance their operations. There is now so much personal and corporate information available in electronic form that the biggest problem facing the perpetrator conducting the espionage is where to start looking for the information that they need.

Security baselines to give you momentum as you move into the New Year

Here are six more to help you gain some traction and build momentum in 2008:

• Network security control.
• Internet security control.
• Web security control.
• Telecommunications and remote access control.
• E-commerce security controls.
• Wireless and mobile computing security controls.

The baseline controls included in this column, and the previous one, originated in the Information Protection Assessment Kit, a product developed by the author Richard Power during his time with the Computer Security Institute, which no longer exists. The original content was developed with significant input from several leaders in the security field, including Tom Peltier,

Richard Power and Dario Forte

In our last column, we provided you with security baselines for business process controls, end user controls and mergers, acquisitions and divestitures.


WAR & PEACE IN CYBERSPACE