Stop (IP) Thief!

USB Storage Keys

RISK RATING: 3 d

How: Transfer electronic files onto plugged-in USB storage devices

Why: Low cost; easily concealed; portable; zero configuration; plug and play with any computer

Why not: Storage space limited though increasing

Mitigation: Disconnect USB ports; confiscate keys

Monitor important file activity/transfers

Comments: Keys quickly turning into a scourge because of their cost and form factor. Managing this

threat should be a top priority.

USB Copier

Risk Rating: 3 d

How: Transfer data from one USB key to another without a computer

Why: Portable; concealable; zero configuration; allows proliferation of stolen data

Why not: Relatively new technology; hard to find

Mitigation: Confiscate copiers

Ban possession and use onsite

Comments: USB copiers not yet well known but they will be. CSOs should prepare. While banning USB copiers could help, once keys holding critical data are taken offsite, theyre easily copied.

Laptop Hard Drive

Risk Rating: 3 sg

How: Transfer network files onto local hard drive

Why: Laptops ubiquitous and taking them

offsite not unusual or suspicious behavior;

massive storage space allows large-scale data theft

Why not: Likely to leave digital footprints of computer and file use if confiscated

Mitigation: Monitor file use and activity

Many commercial programs classify and encrypt data, block unauthorized file transfers and alert security if important files are tampered with; also consider LoJack-like devices for laptops

Adopt laptop check-in and check-out policies and rules of use for laptops outside the office

Comments: Classic security/productivity clash. As useful as laptops are, they create numerous risks to intellectual property, including losing them. Prepare for policy battles.

Laptop Applications

Risk Rating: 2 sg

How: Transfer IP out of company through e-mail, IM, Web-based remote access, FTP, other applications

Why: Create immediate access outside company; physical removal not necessary; quick transaction; can make it look like normal online activity

Why not: Require an accomplice (knowing or unwitting) person or machine to receive data; likely to leave audit trail

Mitigation: Use products to inspect and prevent transactions

Ban hard-to-control apps like IM

Monitor applications and file transfer activity

Comments: Risk rating is 2, not 3, because of wide variety of defenses available. Biggest challenge isnt the mechanics of stopping the crime but the clash of productivity and openness with the need to secure. Some companies will easily ban IM, others will have a user revolt. And you cant ban e-mail, yet surveillance of e-mail is an imperfect option too.

Camera

Cell Phone

Risk Rating: 3 sg

How: Take pictures of notes, whiteboards, labs, other sensitive data

Why: Discreet; can capture handwritten data; portable; concealable; physical removal unnecessary

Why not: Low image quality; limited storage space

Mitigation: Ban camera cell phones from use on premises

Where appropriate, search bags for camera cell phones upon building entry

Employees should report unusual behavior with cell phones

Comments: Many companies already ban camera cell phones, especially in research areas or at sensitive meetings. Policy shouldnt be hard for users to accept, as there are many equally useful mobile phones without cameras. Searches should start with visitors and extend to employees working in high-risk environments.

Wireless Router

Risk Rating: 2 sg

How: Scan for and link to unsecured wireless networks and devices for unauthorized access

Why: Remote snooping; targets hard-to-control ad hoc connections (e.g., at a convention or coffee

shop)

Why not: Inefficient; no guarantee access will yield anything; wireless increasingly encrypted

Mitigation: Preconfigure all wireless devices to encrypt and hide wireless network connections

Bar wireless devices from accessing all networks except trusted ones

Comments: Wi-Fi threat is most pressing outside the office, where theres less control over user behavior. Key is smart configuration up front to prevent ad hoc connections.

Antenna

Risk Rating: Radio 1 sg

Bluetooth 1 d

How: Intercept wireless microphone transmission or Bluetooth device transmissions

Why: Audio can be captured from far away; equipment readily accessible at electronics stores; situations that utilize wireless mics (e.g., offsite meetings at hotels) can yield important information

Why not: Requires some knowledge of radio/wireless transmissions; equipment conspicuous

Mitigation: Encrypt wireless microphones

Bluetooth wireless should have specific security added

Suspicious-looking people with antennas should be reported?

Design/set up lecture rooms to be acoustically secure; use pink noise generators

Comments: Really two threats. Radio wireless is best mitigated with encryption and isnt changing much. Bluetooth wireless, while it requires more sophisticated equipment to exploit, is increasing because of the amount of Bluetooth wireless being used in PDAs and other gadgets.

Digital Audio Recorder

Risk Rating: 2 d

How: Record audio of conversations with concealed device

Why: Can capture hours of high-quality audio; easily concealed or stashed bug-style

Why not: Requires proximity; may have to leave device unattended, which risks detection; some knowledge of acoustics required

Mitigation: Searches preceding important meetings; bug sweeps in high-risk environments

Comments: Risk of audio capture increasing because devices are shrinking, approaching bug size. Thus treat them as such.

VoIP Telephone

Risk Rating: 1 d

How: Tap and record data streams from IP-based phone calls; phish using VoIP applications

Why: New technology not well understood or secured; tapping and recording applications available on Web; users inherent trust in phone makes a good social engineering target

Why not: Requires expertise to exploit; VoIP deployments still relatively rare

Mitigation: Devote resources to understanding VoIP and how to secure it Block access to and use of tapping and recording applications like Cain & Abel

Comments: Threat is escalating rapidly as more VoIP is deployed; CSOs concerned about having to protect against new threats. (See VoIP Security: The Basics.)

Paper

Risk Rating: 2 sg

How: Dumpster-dive or printer-dive for sensitive documents

Why: Provides a hard copy without exactly stealing; group printers easily accessible

Why not: Inefficient unless you know when and where sensitive data is printed or thrown out;

Dumpster-diving conspicuous behavior; may require knowledge of trash protocols

Mitigation: Shred all paper trash; require users to enter a personal PIN at a group printer for retrieval

Employees should report suspicious “diving” behavior around trash, printers

Comments: Decidedly low-tech but still common and effective. Shredding policies will require some user training/acceptance.

Spotting Scope/Binoculars

Risk Rating: 1 sg

How: Spot information on whiteboards, in notebooks and elsewhere from a distance

Why: Magnification technology powerful/advanced, allows spotting from long distances; no expertise required; can be used to capture handwritten (as opposed to digitally stored) information

Why not: Must memorize or capture data in some other way; can look conspicuous

Mitigation: Move whiteboards, labs, other places with sensitive data out of spaces with long lines of sight, particularly where exposed to outside windows visible to adjacent buildings; use whiteboard shutters; employ clean-desk policy

People on or near premises with binoculars should be reported as suspicious

Comments: Threat similar to a high-powered camera but this requires much less expertise. Some binoculars can now capture what they see, like a digital camera. Higher threat in urban environments with buildings close together.

Zoom Camera (digital or film)

Risk Rating: 1 sg

How: Capture notes, whiteboards, meetings and other sensitive information from a distance

Why: Excellent image quality; can capture IP from off premises; digital camera can immediately turn

image into electronic file

Why not: Expensive; requires expertise, beneficial lines of sight; not discreet

Mitigation: Have employees report suspicious photography in and around site

Make meetings and offices with sensitive information unavailable to long lines of sight; implement clean-desk policy

Use whiteboard shutters

Comments: Old-school threat that requires high expertise, so its rarer than some others. Again, risk increases in urban settings where windows of tightly packed buildings face each other.

iPod/MP3 Player

Risk Rating: 2 d

How: Transfer files using storage space on portable music players

Why: Offer more storage than USB keys; ubiquitous and hard to control; nonstandard files can be stored and not seen in menu

Why not: Personal music players expensive and sometimes require software to be installed for file

transfer

Mitigation: Ban use of music players on work systems; ban installation of music player software on

work systems

Encrypt sensitive files

Comments: Again, many workers will balk at an iPod ban. Consider prohibition only in settings where IP

theft risk is highest.

Blank CD/DVD Media

Risk Rating: 2 f

How: Burn data onto blank CDs or DVDs

Why: Portable; inconspicuous; relatively high-volume storage

Why not: Time-consuming to burn CDs; requires long periods of access to data

Mitigation: Disable CD burners Ban CD burning applications

Comments: Once state-of-the-art IP theft but declining rapidly as better, more efficient methods come

along, like USB keys. Still a threat, especially with employees leaving a company who want to burn large amounts of data onto CDs or DVDs to take with them. ##

For another look at threat vectors, see the diagram Protecting Joe’s Office. What other vectors might cost your company its intellectual property?