Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Securing Your Perimeter: Preventing Loss, Theft and Misappropriation of Your Business Secrets and Intellectual Assets


  1. SCIP Atlanta Chapter Meeting
     Securing Your Perimeter: Preventing Loss, Theft, and Misappropriation of Your Business Secrets & Intellectual Assets
     October 1, 2013
  2. Contact Information
     Derek Johnson, CFA, Chief Executive Officer, +1 608-268-3470, Derek.Johnson@AuroraWDC.com
     John Thomson, Chief Research Officer, +1 770-519-2560, John.Thomson@AuroraWDC.com
  3. Operations Security Process
     1. Identify Critical Information
     2. Analyze the Threat
     3. Analyze Vulnerabilities
     4. Assess Risk
     5. Apply Protection & Countermeasures
  4. What Needs to Be Protected?
     - Intellectual Property/Trade Secrets
     - Bidding strategies
     - Cost & margin information
     - Customer lists
     - Formulas
     - Merger/acquisition plans
     - Negotiating strategies
     - International marketing/entry plans
     - Personnel records
     - Product development roadmaps
     - Recruiting strategy
     - Travel itineraries
     - Location of sensitive R&D facilities
     - Competitive intelligence reports/analysis
     - What else? Can vary from company to company...
  5. External Threats to Company Information
     It's not just your competitors...
     - Activists
     - Foreign Governments
     - Competitors
     - Customers
     - Hackers, Criminal Elements
     - Regulators
     - Vendors
     - Lobbyists, Trade, Special Interest Groups
     - Market Research & CI Firms
     - Trade Groups
     - Consultants
     - Financial Analysts
     - Headhunters
     - Journalists
  6. Threat Matrix Example: Apple Inc.
     (2x2 matrix: Domestic vs. Foreign, Legal vs. Illegal)
     Domestic / Legal:
     - Traditional Competitors
     - Emerging Competitors
     - Suppliers/Vendors
     - Wireless Carriers & Customers
     - Technology Partners
     - Apps Developers
     - Tech Bloggers
     - Patent Trolls
     - Equity & Industry Analysts
     - CI & MR Firms
     - Journalists
     - Special Interest/Trade Groups
     - Headhunters
     - Regulators
     - Private Investigators & Attorneys
     - Tech Consultants & Integrators
     Domestic / Illegal:
     - Careless or disgruntled employees
     - Former employees
     - Labor Unions
     - Hackers & cyber criminals
     - Social Engineers
     - Aggressive/Unethical CI Firms
     - Security Researchers/Consultants
     - Activists
     - Organized Crime
     - NSA
     - Terrorists
     - Disgruntled employees
     - Malicious Apps Developers
     Foreign / Illegal:
     - H-1B employees from threat countries (i.e. China)
     - Hackers & cyber criminals
     - Foreign Competitors (i.e. China, S. Korea, etc.)
     - Foreign Governments: China, Russia, Germany, France, Israel, S. Korea, Japan, etc.
     - WikiLeaks
     - Terrorists & Activists targeting U.S. interests
     - Intelligence firms/corporate espionage operatives
     - Organized Crime
     - Security researchers/consultants
     - Malicious Apps Developers
     - Employees in threat countries
     Foreign / Legal:
     - Traditional Competitors
     - Emerging Competitors
     - Suppliers/Vendors
     - Customers
     - Technology Partners
     - Apps Developers
     - Tech Bloggers
     - Analysts
     - CI & MR Firms
     - Journalists
     - Headhunters
     - Regulators
     - Tech Consultants & Integrators
     - Foreign Governments
     - Special interest/trade groups
  7. Assessing Vulnerabilities
     - Identify, quantify, and prioritize your organization's vulnerabilities
     - Catalog your company's critical information elements
     - Assign "value" and prioritization to each element
     - Identify vulnerabilities or potential threats for each element
     - Think like the "hunter": view your organization from the adversary's perspective.
     - Assess current information handling procedures.
     - Test your defenses to determine vulnerabilities, i.e. "red team" operations & penetration testing
  8. Assessing Risk
     Risk Matrix: assigning risk levels to each identified vulnerability
     - Vulnerability to Threat (one axis): Very High, High, Moderate, Low
     - Impact of Loss (other axis): Devastating, Severe, Noticeable, Minor
     Source: American Society for Industrial Security (ASIS)
  9. The "Human" Factor
     HUMINT techniques used by the pros to obtain information on your company
  10. HUMINT Collection Planning Process
     What Needs to be Collected?
     - Break out KITs/KIQs into specific info requirements.
     - Identify information gaps
     Who Might Have The Information (or know someone who has it)? Source Identification & Targeting
     - Brainstorming source types, companies, potential job titles
     - Research & identification of specific names
     - Develop initial source list
     Source Assessment & Selection / Source Research
     - Profile the source
     - Determine background, interests, hobbies
     - Assess personality & motivators
     Approach Development
     - Develop the approach, determine motivators to leverage
     - Conversation planning
     - Choose elicitation techniques & placement
     - Plan for follow up
     Source Contact
     - Telephone, e-mail, face-to-face, LinkedIn.
     - One or multiple conversations
     - Keep door open for follow up & further development
     - Obtain referrals
  11. Elicitation
     Elicitation: Obtaining information via carefully planned conversation where the target is not aware that he/she is being exploited for intelligence purposes
     Exploits Several Human Tendencies
     - Natural tendency to correct others or prove someone wrong.
     - Need for recognition & desire to be viewed as an expert in their field.
     - Tendency to discuss things that are not their direct concern, tendency towards gossip, & general inability to keep secrets.
     - Occupational habits of wanting to teach, advise, correct, or challenge someone.
     - Tendency towards self-effacement.
     - Tendency towards indiscretion when not in control of emotions or when there is a sympathetic/listening ear being offered.
     - Tendency of some professionals to share confidence with or show off their expertise to another professional.
     - Tendency to underestimate the value of info or your ability to understand that info.
     Common Approaches/Techniques
     - Conversational Hourglass
     - Direct statements vs. questions
     - Two-way conversation (vs. "interview")
     - Rapport building
     - Technique Examples:
       - Simple flattery
       - Naive mentality (ego suspension)
       - Mutual interests
       - Opposing stand or partial disagreement
       - Quid pro quo
       - Exploiting the instinct to complain
       - Quotation of "reported facts"
       - Disbelief or skepticism
       - Criticism
       - Oblique references
       - Provocation or jocularity
     Sources: The Centre for Operational Business Intelligence, Phoenix Consulting, DeGenaro & Associates
  12. Elicitation
     Video: Elicitation Examples
  13. Social Engineering
     Social Engineering: Getting people to do things they wouldn't ordinarily do for a stranger via misrepresentation, deception, & psychological manipulation
     Source: "The Art of Deception", Kevin Mitnick
     Leverages Six Psychological Motivators
     - Authority: Tendency to comply with a request from a person in authority.
     - Likeability: Tendency to comply when the requestor is likeable or has similar interests/beliefs.
     - Reciprocation: Tendency to comply when given the promise (or assumption) of getting something in return.
     - Consistency: Tendency to comply after having made a public commitment, endorsement, or promise (i.e. company security policies).
     - Social Validation: Tendency to comply when doing so appears in line with what others are doing.
     - Scarcity: Tendency to comply when it is believed the object sought is in short supply and others are competing for it.
     Common Approaches
     - Posing as a fellow employee or company exec, partner, vendor, customer, law enforcement, regulator, or anyone in authority.
     - Using insider lingo to gain trust.
     - Sending a virus or Trojan as an e-mail attachment or getting the victim to visit an infected website.
     - Using a false pop-up password window.
     - Capturing victim's keystrokes via a keylogger.
     - Leaving an infected flash drive or CD around the workplace or dropping it with the mail room or receptionist for intra-office delivery.
     - Setting up e-mail, voicemail, or infected sites to appear internal. Asking for a file to be transferred to an apparent internal location.
     - Pretending to be from a remote office and asking for email or system access locally.
  14. Social Engineering
     Video: Real-Life Social Engineering Attack
  15. Warning Signs
     Warning Signs of a Social Engineering Attack
     - Refusal to give callback number
     - Out-of-ordinary request
     - Claim of authority
     - Stresses urgency
     - Threatens negative consequences of non-compliance
     - Shows discomfort when questioned
     - Name dropping
     - Compliments or flattery
     - Flirting
     - Asks you to open a file or click on a hyperlink
     Warning Signs of Elicitation
     - Attempt to establish rapport, common interests, use of flattery
     - Lack of direct questions & specificity
     - Heavy use of silence
     - Offer of quid pro quo
     - Statement of "reported" facts
     - Use of naivete
     - Provocation, disbelief, opposing stand
     - Refusal to sign an NDA (only applies to ethical collectors)
  16. Protection Plan Suggestions
     - AWARENESS TRAINING!! Constant and ongoing, customized towards all disciplines within the company
     - Develop an OPSEC & information security culture within the company (i.e. "Scared Quiet")
     - Understand your threats & vulnerabilities, & what needs to be protected
     - Develop and enforce information security guidelines & policies for dealing with external entities seeking information.
     - Work with IT regarding use of VPNs and anonymous browsing capabilities for travelers.
     - Corporate Threat Assessment/Watch Team, represented by multiple departments (CI, Security, IT, Legal, HR, Operations)
     - Mark & secure all confidential documents & products
     - Limit access to sensitive information & prototypes
     - Special briefings & guidelines for international travelers (or all travelers, for that matter)
       - Assume all overseas communications are being intercepted
       - Assume all overseas hotel rooms are bugged
     - Utilize NDAs and non-compete agreements
     - Information security audits & guidelines for vendors/partners
     - Closely investigate all potential partners
     - Set up a hotline (telephone, e-mail, intranet) for reporting suspicious calls & activity
     - Investigate (and act on) suspicious activity
     - Run simulated attacks against your own company to assess vulnerabilities.
     Never make it easy or cheap for an adversary
  17. Protection & Countermeasures: Apple's InfoSec Practices (Extreme measures)
     - Culture of secrecy. Everything is strictly "need to know".
     - Immediate termination for even minor info security violations. Spouses & family are viewed as security risks.
     - "Silos within Silos": "cell" workgroup structure, highly compartmented; each cell doesn't know what other cells are working on. Only senior execs know the whole "puzzle". Workers prohibited from discussing their work with other employees.
     - "Scared Silent" security lecture for every new hire.
     - Workspaces are highly monitored. Prototypes are chained to desks and laser etched, with locator chips.
     - Swift & aggressive investigations of information leaks.
     - Uses a variety of component manufacturers to better track leaks. Security assessments & audits of 3rd party vendors.
     - Physical access to company areas is highly restricted and compartmented based on badge. No one has access to every area.
     - Separate NDAs for individual projects.
     - Remote data erasing and geolocation for lost or stolen employee laptops/smartphones/devices.
     - Confidential documents have secret watermarks to better track back to the leaker.
     - Plainclothes security officers lurk in the nearby bars watching for careless employees.
     - Corporate org charts do not exist.
     - Employees hired into "dummy" positions and aren't told what their real job will be until their first day of employment.
     - Security Operations Center fields reports of suspicious activities and aggressively investigates all incidents.
     - Corporate Threat Assessment Team, identifying and monitoring new and existing threats.
     - Rolling 3-year security roadmap
     - Aggressive internet monitoring of employee activity and potential leaks.
     - Close coordination with law enforcement agencies around the globe.
     - Ongoing penetration testing.
     >$42 million annual Information Security budget, >8,000 identified vulnerabilities
