USB Storage Keys
Risk Rating: 3 d
How: Transfer electronic files onto plugged-in USB storage devices
Why: Low cost; easily concealed; portable; zero configuration; plug and play with any computer
Why not: Storage space limited though increasing
Mitigation: Disconnect USB ports; confiscate keys. Monitor important file activity/transfers.
Comments: Keys quickly turning into a scourge because of their cost and form factor. Managing this threat should be a top priority.

USB Copier
Risk Rating: 3 d
How: Transfer data from one USB key to another without a computer
Why: Portable; concealable; zero configuration; allows proliferation of stolen data
Why not: Relatively new technology; hard to find
Mitigation: Confiscate copiers. Ban possession and use onsite.
Comments: USB copiers not yet well known but they will be. CSOs should prepare. While banning USB copiers could help, once keys holding critical data are taken offsite, they're easily copied.

Laptop Hard Drive
Risk Rating: 3 sg
How: Transfer network files onto local hard drive
Why: Laptops ubiquitous and taking them offsite not unusual or suspicious behavior; massive storage space allows large-scale data theft
Why not: Likely to leave digital footprints of computer and file use if confiscated
Mitigation: Monitor file use and activity. Many commercial programs classify and encrypt data, block unauthorized file transfers and alert security if important files are tampered with; also consider LoJack-like devices for laptops. Adopt laptop check-in and check-out policies and rules of use for laptops outside the office.
Comments: Classic security/productivity clash. As useful as laptops are, they create numerous risks to intellectual property, including losing them.
Prepare for policy battles.

Laptop Applications
Risk Rating: 2 sg
How: Transfer IP out of company through e-mail, IM, Web-based remote access, FTP, other applications
Why: Create immediate access outside company; physical removal not necessary; quick transaction; can make it look like normal online activity
Why not: Require an accomplice (knowing or unwitting), person or machine, to receive data; likely to leave audit trail
Mitigation: Use products to inspect and prevent transactions. Ban hard-to-control apps like IM. Monitor applications and file transfer activity.
Comments: Risk rating is 2, not 3, because of wide variety of defenses available. Biggest challenge isn't the mechanics of stopping the crime but the clash of productivity and openness with the need to secure. Some companies will easily ban IM, others will have a user revolt. And you can't ban e-mail, yet surveillance of e-mail is an imperfect option too.

Camera Cell Phone
Risk Rating: 3 sg
How: Take pictures of notes, whiteboards, labs, other sensitive data
Why: Discreet; can capture handwritten data; portable; concealable; physical removal unnecessary
Why not: Low image quality; limited storage space
Mitigation: Ban camera cell phones from use on premises. Where appropriate, search bags for camera cell phones upon building entry. Employees should report unusual behavior with cell phones.
Comments: Many companies already ban camera cell phones, especially in research areas or at sensitive meetings. Policy shouldn't be hard for users to accept, as there are many equally useful mobile phones without cameras.
Searches should start with visitors and extend to employees working in high-risk environments.

Wireless Router
Risk Rating: 2 sg
How: Scan for and link to unsecured wireless networks and devices for unauthorized access
Why: Remote snooping; targets hard-to-control ad hoc connections (e.g., at a convention or coffee shop)
Why not: Inefficient; no guarantee access will yield anything; wireless increasingly encrypted
Mitigation: Preconfigure all wireless devices to encrypt and hide wireless network connections. Bar wireless devices from accessing all networks except trusted ones.
Comments: Wi-Fi threat is most pressing outside the office, where there's less control over user behavior. Key is smart configuration up front to prevent ad hoc connections.

Antenna
Risk Rating: Radio 1 sg; Bluetooth 1 d
How: Intercept wireless microphone transmission or Bluetooth device transmissions
Why: Audio can be captured from far away; equipment readily accessible at electronics stores; situations that utilize wireless mics (e.g., offsite meetings at hotels) can yield important information
Why not: Requires some knowledge of radio/wireless transmissions; equipment conspicuous
Mitigation: Encrypt wireless microphones. Bluetooth wireless should have specific security added. Suspicious-looking people with antennas should be reported? Design/set up lecture rooms to be acoustically secure; use pink noise generators.
Comments: Really two threats. Radio wireless is best mitigated with encryption and isn't changing much.
Bluetooth wireless, while it requires more sophisticated equipment to exploit, is increasing because of the amount of Bluetooth wireless being used in PDAs and other gadgets.

Digital Audio Recorder
Risk Rating: 2 d
How: Record audio of conversations with concealed device
Why: Can capture hours of high-quality audio; easily concealed or stashed bug-style
Why not: Requires proximity; may have to leave device unattended, which risks detection; some knowledge of acoustics required
Mitigation: Searches preceding important meetings; bug sweeps in high-risk environments
Comments: Risk of audio capture increasing because devices are shrinking, approaching bug size. Thus treat them as such.

VoIP Telephone
Risk Rating: 1 d
How: Tap and record data streams from IP-based phone calls; phish using VoIP applications
Why: New technology not well understood or secured; tapping and recording applications available on Web; users' inherent trust in phone makes a good social engineering target
Why not: Requires expertise to exploit; VoIP deployments still relatively rare
Mitigation: Devote resources to understanding VoIP and how to secure it. Block access to and use of tapping and recording applications like Cain & Abel.
Comments: Threat is escalating rapidly as more VoIP is deployed; CSOs concerned about having to protect against new threats. (See VoIP Security: The Basics.)

Paper
Risk Rating: 2 sg
How: Dumpster-dive or printer-dive for sensitive documents
Why: Provides a hard copy without exactly stealing; group printers easily accessible
Why not: Inefficient unless you know when and where sensitive data is printed or thrown out; Dumpster-diving conspicuous behavior; may require knowledge of trash protocols
Mitigation: Shred all paper trash; require users to enter a personal PIN at a group printer for retrieval. Employees should report suspicious "diving" behavior around trash, printers.
Comments: Decidedly low-tech but still common and effective.
Shredding policies will require some user training/acceptance.

Spotting Scope/Binoculars
Risk Rating: 1 sg
How: Spot information on whiteboards, in notebooks and elsewhere from a distance
Why: Magnification technology powerful/advanced, allows spotting from long distances; no expertise required; can be used to capture handwritten (as opposed to digitally stored) information
Why not: Must memorize or capture data in some other way; can look conspicuous
Mitigation: Move whiteboards, labs, other places with sensitive data out of spaces with long lines of sight, particularly where exposed to outside windows visible to adjacent buildings; use whiteboard shutters; employ clean-desk policy. People on or near premises with binoculars should be reported as suspicious.
Comments: Threat similar to a high-powered camera but this requires much less expertise. Some binoculars can now capture what they see, like a digital camera. Higher threat in urban environments with buildings close together.

Zoom Camera (digital or film)
Risk Rating: 1 sg
How: Capture notes, whiteboards, meetings and other sensitive information from a distance
Why: Excellent image quality; can capture IP from off premises; digital camera can immediately turn image into electronic file
Why not: Expensive; requires expertise, beneficial lines of sight; not discreet
Mitigation: Have employees report suspicious photography in and around site. Make meetings and offices with sensitive information unavailable to long lines of sight; implement clean-desk policy. Use whiteboard shutters.
Comments: Old-school threat that requires high expertise, so it's rarer than some others.
Again, risk increases in urban settings where windows of tightly packed buildings face each other.

iPod/MP3 Player
Risk Rating: 2 d
How: Transfer files using storage space on portable music players
Why: Offer more storage than USB keys; ubiquitous and hard to control; nonstandard files can be stored and not seen in menu
Why not: Personal music players expensive and sometimes require software to be installed for file transfer
Mitigation: Ban use of music players on work systems; ban installation of music player software on work systems. Encrypt sensitive files.
Comments: Again, many workers will balk at an iPod ban. Consider prohibition only in settings where IP theft risk is highest.

Blank CD/DVD Media
Risk Rating: 2 f
How: Burn data onto blank CDs or DVDs
Why: Portable; inconspicuous; relatively high-volume storage
Why not: Time-consuming to burn CDs; requires long periods of access to data
Mitigation: Disable CD burners. Ban CD burning applications.
Comments: Once state-of-the-art IP theft but declining rapidly as better, more efficient methods come along, like USB keys. Still a threat, especially with employees leaving a company who want to burn large amounts of data onto CDs or DVDs to take with them.

For another look at threat vectors, see the diagram Protecting Joe's Office. What other vectors might cost your company its intellectual property?