USB Storage Keys
Risk Rating: 3 d
How: Transfer electronic files onto plugged-in USB storage devices
Why: Low cost; easily concealed; portable; zero configuration; plug and play with any computer
Why not: Storage space limited though increasing
Mitigation: Disconnect USB ports; confiscate keys
Monitor important file activity/transfers
Comments: Keys quickly turning into a scourge because of their cost and form factor. Managing this threat should be a top priority.
USB Copier
Risk Rating: 3 d
How: Transfer data from one USB key to another without a computer
Why: Portable; concealable; zero configuration; allows proliferation of stolen data
Why not: Relatively new technology; hard to find
Mitigation: Confiscate copiers
Ban possession and use onsite
Comments: USB copiers not yet well known but they will be. CSOs should prepare. While banning USB copiers could help, once keys holding critical data are taken offsite, they're easily copied.
Laptop Hard Drive
Risk Rating: 3 sg
How: Transfer network files onto local hard drive
Why: Laptops ubiquitous and taking them offsite not unusual or suspicious behavior; massive storage space allows large-scale data theft
Why not: Likely to leave digital footprints of computer and file use if confiscated
Mitigation: Monitor file use and activity
Many commercial programs classify and encrypt data, block unauthorized file transfers and alert security if important files are tampered with; also consider LoJack-like devices for laptops
Adopt laptop check-in and check-out policies and rules of use for laptops outside the office
Comments: Classic security/productivity clash. As useful as laptops are, they create numerous risks to intellectual property, including losing them. Prepare for policy battles.
Laptop Applications
Risk Rating: 2 sg
How: Transfer IP out of company through e-mail, IM, Web-based remote access, FTP, other applications
Why: Create immediate access outside company; physical removal not necessary; quick transaction; can make it look like normal online activity
Why not: Require an accomplice (knowing or unwitting) person or machine to receive data; likely to leave audit trail
Mitigation: Use products to inspect and prevent transactions
Ban hard-to-control apps like IM
Monitor applications and file transfer activity
Comments: Risk rating is 2, not 3, because of wide variety of defenses available. Biggest challenge isn't the mechanics of stopping the crime but the clash of productivity and openness with the need to secure. Some companies will easily ban IM, others will have a user revolt. And you can't ban e-mail, yet surveillance of e-mail is an imperfect option too.
Camera Cell Phone
Risk Rating: 3 sg
How: Take pictures of notes, whiteboards, labs, other sensitive data
Why: Discreet; can capture handwritten data; portable; concealable; physical removal unnecessary
Why not: Low image quality; limited storage space
Mitigation: Ban camera cell phones from use on premises
Where appropriate, search bags for camera cell phones upon building entry
Employees should report unusual behavior with cell phones
Comments: Many companies already ban camera cell phones, especially in research areas or at sensitive meetings. Policy shouldn't be hard for users to accept, as there are many equally useful mobile phones without cameras. Searches should start with visitors and extend to employees working in high-risk environments.
Wireless Router
Risk Rating: 2 sg
How: Scan for and link to unsecured wireless networks and devices for unauthorized access
Why: Remote snooping; targets hard-to-control ad hoc connections (e.g., at a convention or coffee shop)
Why not: Inefficient; no guarantee access will yield anything; wireless increasingly encrypted
Mitigation: Preconfigure all wireless devices to encrypt and hide wireless network connections
Bar wireless devices from accessing all networks except trusted ones
Comments: Wi-Fi threat is most pressing outside the office, where there's less control over user behavior. Key is smart configuration up front to prevent ad hoc connections.
Antenna
Risk Rating: Radio 1 sg; Bluetooth 1 d
How: Intercept wireless microphone transmission or Bluetooth device transmissions
Why: Audio can be captured from far away; equipment readily accessible at electronics stores; situations that utilize wireless mics (e.g., offsite meetings at hotels) can yield important information
Why not: Requires some knowledge of radio/wireless transmissions; equipment conspicuous
Mitigation: Encrypt wireless microphones
Bluetooth wireless should have specific security added
Suspicious-looking people with antennas should be reported
Design/set up lecture rooms to be acoustically secure; use pink noise generators
Comments: Really two threats. Radio wireless is best mitigated with encryption and isn't changing much. Bluetooth wireless, while it requires more sophisticated equipment to exploit, is increasing because of the amount of Bluetooth wireless being used in PDAs and other gadgets.
Digital Audio Recorder
Risk Rating: 2 d
How: Record audio of conversations with concealed device
Why: Can capture hours of high-quality audio; easily concealed or stashed bug-style
Why not: Requires proximity; may have to leave device unattended, which risks detection; some knowledge of acoustics required
Mitigation: Searches preceding important meetings; bug sweeps in high-risk environments
Comments: Risk of audio capture increasing because devices are shrinking, approaching bug size. Thus treat them as such.
VoIP Telephone
Risk Rating: 1 d
How: Tap and record data streams from IP-based phone calls; phish using VoIP applications
Why: New technology not well understood or secured; tapping and recording applications available on Web; users' inherent trust in phone makes a good social engineering target
Why not: Requires expertise to exploit; VoIP deployments still relatively rare
Mitigation: Devote resources to understanding VoIP and how to secure it
Block access to and use of tapping and recording applications like Cain & Abel
Comments: Threat is escalating rapidly as more VoIP is deployed; CSOs concerned about having to protect against new threats. (See VoIP Security: The Basics.)
Paper
Risk Rating: 2 sg
How: Dumpster-dive or printer-dive for sensitive documents
Why: Provides a hard copy without exactly stealing; group printers easily accessible
Why not: Inefficient unless you know when and where sensitive data is printed or thrown out; Dumpster-diving conspicuous behavior; may require knowledge of trash protocols
Mitigation: Shred all paper trash; require users to enter a personal PIN at a group printer for retrieval
Employees should report suspicious "diving" behavior around trash, printers
Comments: Decidedly low-tech but still common and effective. Shredding policies will require some user training/acceptance.
Spotting Scope/Binoculars
Risk Rating: 1 sg
How: Spot information on whiteboards, in notebooks and elsewhere from a distance
Why: Magnification technology powerful/advanced, allows spotting from long distances; no expertise required; can be used to capture handwritten (as opposed to digitally stored) information
Why not: Must memorize or capture data in some other way; can look conspicuous
Mitigation: Move whiteboards, labs, other places with sensitive data out of spaces with long lines of sight, particularly where exposed to outside windows visible to adjacent buildings; use whiteboard shutters; employ clean-desk policy
People on or near premises with binoculars should be reported as suspicious
Comments: Threat similar to a high-powered camera but this requires much less expertise. Some binoculars can now capture what they see, like a digital camera. Higher threat in urban environments with buildings close together.
Zoom Camera (digital or film)
Risk Rating: 1 sg
How: Capture notes, whiteboards, meetings and other sensitive information from a distance
Why: Excellent image quality; can capture IP from off premises; digital camera can immediately turn image into electronic file
Why not: Expensive; requires expertise, beneficial lines of sight; not discreet
Mitigation: Have employees report suspicious photography in and around site
Make meetings and offices with sensitive information unavailable to long lines of sight; implement clean-desk policy
Use whiteboard shutters
Comments: Old-school threat that requires high expertise, so it's rarer than some others. Again, risk increases in urban settings where windows of tightly packed buildings face each other.
iPod/MP3 Player
Risk Rating: 2 d
How: Transfer files using storage space on portable music players
Why: Offer more storage than USB keys; ubiquitous and hard to control; nonstandard files can be stored and not seen in menu
Why not: Personal music players expensive and sometimes require software to be installed for file transfer
Mitigation: Ban use of music players on work systems; ban installation of music player software on work systems
Encrypt sensitive files
Comments: Again, many workers will balk at an iPod ban. Consider prohibition only in settings where IP theft risk is highest.
Blank CD/DVD Media
Risk Rating: 2 f
How: Burn data onto blank CDs or DVDs
Why: Portable; inconspicuous; relatively high-volume storage
Why not: Time-consuming to burn CDs; requires long periods of access to data
Mitigation: Disable CD burners
Ban CD burning applications
Comments: Once state-of-the-art IP theft but declining rapidly as better, more efficient methods come along, like USB keys. Still a threat, especially with employees leaving a company who want to burn large amounts of data onto CDs or DVDs to take with them.
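The "monitor important file activity/transfers" mitigation recurs in the USB key, laptop, iPod/MP3 player and CD/DVD entries above. As an added example that is not part of the original article, the Python script below shows what that monitoring can look like in practice: it runs two detection rules over endpoint file-activity events, one for any classified file copied to removable or optical media, and one for bulk volume per user within a sliding ten-minute window. The log format (key=value lines), field names, media classes, classification labels, thresholds and the sample events themselves are constructed assumptions for the example, not the format or settings of any particular monitoring product.

```python
"""Detect sensitive-file and bulk copies to removable media in endpoint
file-activity logs.

Added example; the log format, field names, media classes, labels and
thresholds below are assumptions, not those of any specific product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one file-activity event per line.
SAMPLE_LOG = """\
2005-06-01T09:02:11 user=alice action=copy src=\\\\fs01\\eng\\roadmap.docx dst=E:\\roadmap.docx media=usb bytes=204800 label=confidential
2005-06-01T09:03:40 user=alice action=copy src=\\\\fs01\\eng\\notes.txt dst=E:\\notes.txt media=usb bytes=4096 label=internal
2005-06-01T09:10:05 user=bob action=copy src=C:\\Users\\bob\\photo.jpg dst=F:\\photo.jpg media=usb bytes=3145728 label=public
2005-06-01T10:00:00 user=carol action=copy src=\\\\fs01\\eng\\build1.zip dst=D:\\build1.zip media=optical bytes=367001600 label=internal
2005-06-01T10:04:30 user=carol action=copy src=\\\\fs01\\eng\\build2.zip dst=D:\\build2.zip media=optical bytes=367001600 label=internal
2005-06-01T11:15:00 user=dave action=copy src=\\\\fs01\\eng\\spec.pdf dst=C:\\temp\\spec.pdf media=fixed bytes=102400 label=confidential
2005-06-01T11:20:00 user=erin action=copy src=\\\\fs01\\eng\\song.mp3 dst=G:\\Music\\song.mp3 media=mtp bytes=5242880 label=public
"""

REMOVABLE = {"usb", "optical", "mtp"}       # assumed media classes (USB key, CD/DVD, music player)
SENSITIVE = {"confidential", "restricted"}  # assumed classification labels
BULK_BYTES = 500 * 1024 * 1024              # assumed bulk threshold: 500 MB per user per window
WINDOW = timedelta(minutes=10)              # sliding window for the bulk rule


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            event[key] = value
        event["bytes"] = int(event.get("bytes", "0"))
        return event
    except ValueError:
        return None


def detect(log_text):
    """Return a list of (severity, user, reason) alerts in log order."""
    alerts = []
    recent = defaultdict(list)  # user -> [(timestamp, bytes)] copies to removable media
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.get("action") != "copy":
            continue
        if ev.get("media") not in REMOVABLE:
            continue  # copies to fixed disks are left to other controls here
        user = ev["user"]

        # Rule 1: any classified file leaving on removable media is high severity.
        if ev.get("label") in SENSITIVE:
            alerts.append((
                "high", user,
                f"{ev['label']} file {ev['src']} copied to {ev['media']} {ev['dst']}",
            ))

        # Rule 2: total bytes to removable media per user inside the sliding window.
        hist = [(t, b) for t, b in recent[user] if t >= ev["ts"] - WINDOW]
        hist.append((ev["ts"], ev["bytes"]))
        recent[user] = hist
        total = sum(b for _, b in hist)
        if total >= BULK_BYTES:
            alerts.append((
                "medium", user,
                f"{total // (1024 * 1024)} MB to {ev['media']} within {WINDOW.seconds // 60} min",
            ))
            recent[user] = []  # reset so one burst is not reported on every later copy
    return alerts


if __name__ == "__main__":
    for severity, user, reason in detect(SAMPLE_LOG):
        print(f"[{severity.upper()}] {user}: {reason}")
```

On the constructed sample this raises a high-severity alert for the confidential document copied to a USB key and a medium-severity bulk alert for the two CD/DVD burns totalling 700 MB within ten minutes; the confidential copy to a fixed disk and the small, public copies produce nothing, which is the point of pairing classification with volume rather than alerting on every removable-media write.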
For another look at threat vectors, see the diagram Protecting Joe's Office. What other vectors might cost your company its intellectual property?