ISMI Protection of Information PDF
Summary
This document is a unit from the ISMI® Security Management Body of Good Practice, specifically focusing on the protection of information, which is part of a security management certification program. It covers various aspects including threats to information, information as an asset, sensitive information, where information is held, and the adversaries.
Full Transcript
Unit 11 – Protection of Information

The ISMI® Security Management Body of Good Practice

Unit 11: Protection of Information

For candidates who are studying for the ISMI® Certified Security Manager (CSM®) examination or the ISMI® Certified Security Management Professional (CSMP®) Level 6 Accredited (Ofqual-Regulated) Diploma.

The International Security Management Institute, 20-22 Wenlock Road, London N1 7GU. [email protected]. +44 207 206 1207.

© Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923)

About ISMI®

The International Security Management Institute (ISMI®) provides low-cost, high-quality distance-learning education and certifications in security management. The flagship programme, the Certified Security Management Professional (CSMP®) Level 6 Ofqual-Regulated Diploma, is ISMI®’s premier qualification. ISMI® is managed by a core team of professional security management specialists with over 30 years in delivering security management education, and is supported by a large team of practitioners who make up the Professional Assessment Board (PAB). Members of the PAB are full-time security managers and consultants, which ensures that course materials remain up to date and relevant. Both the CSM® and CSMP® designations provide assurance that the holder has evidenced skills and competence in the practice of security management, with the latter indicating advanced-level proficiencies.

Copyright

This work is protected under international copyright law. Unauthorised use, copying, sale or sharing of this document is strictly forbidden without the express permission of the International Security Management Institute (ISMI®) and ISMI Certification Ltd. In the event of breach of these terms, ISMI Certification Ltd reserves the right to take legal action to seek damages against parties involved.

About the ISMI® Security Management Body of Good Practice

The 12-volume ISMI® Security Management Body of Good Practice is the single resource for the Certified Security Manager (CSM®) examination and the primary resource for the Certified Security Management Professional (CSMP®) Level 6 Ofqual-Regulated Diploma. The BoGP is divided into 12 volumes, as follows:

- Unit 1: Security Risk Analysis
- Unit 2: Crime Prevention
- Unit 3: Managing the Security Function
- Unit 4: Leadership and Management Core Skills
- Unit 5: Security Design, Evaluation and Surveying
- Unit 6: Perimeter Protection
- Unit 7: Protecting Buildings
- Unit 8: Access Management
- Unit 9: Video Surveillance (CCTV)
- Unit 10: Facility Counterterrorism
- Unit 11: Protection of Information
- Unit 12: Protection of at-Risk Personnel

Only those who are formally registered, or have been formally registered, on either the Certified Security Manager (CSM®) programme or the Certified Security Management Professional (CSMP®) Level 6 Ofqual-Regulated Diploma are permitted to be in possession of this resource. Sharing of this resource outside of the ISMI® community of registered learners is prohibited and is a breach of copyright.
Unit 11 - Contents

About This Unit (p. 10)

Part I – The Challenges

Introduction (p. 12)
- Overview (p. 12)
- Threats to information (p. 12)
- Competitive Intelligence (p. 14)
- Cyber Sabotage (p. 14)
- The CIA Triad (p. 15)
- Are you sufficiently prepared to meet the threat? (p. 16)
- The Threat Tempo (p. 18)

Specific Idiosyncrasies of Information as an Asset (p. 19)
- Overview (p. 19)
- Valuing information (p. 19)
- The information lifecycle (p. 20)
- Information theft and the law (p. 21)
- Proactive legal approaches to intellectual property protection (p. 21)

Determining What Is Sensitive Information (p. 22)
- Overview (p. 22)
- Proprietary information and trade secrets (p. 22)
- Personal data (p. 24)
- Types of data at risk (p. 25)

Where Information is Held (p. 26)
- Personal knowledge and know-how (p. 26)
- In hardcopy (p. 27)
- In IT Systems (p. 27)
- In digital media (p. 28)
- In the Cloud (p. 28)
- In communication (p. 29)

The Adversaries (p. 30)
- Overview (p. 30)
- Employees (p. 30)
- Former employees (p. 31)
- Competitors (p. 31)
- Business partners (p. 32)
- Foreign governments (p. 32)
- Information brokers (p. 33)
- Journalists (p. 34)
- Activists (p. 34)
- Extremists (p. 35)
- Organised criminal gangs (p. 35)

The Threats (p. 37)
- Overview (p. 37)
- Negligence (p. 37)
- Cyberspace – A shift in threat (p. 38)
- Inadvertent disclosure (p. 39)
- Technical surveillance (p. 40)
- Pathogens (p. 41)
- Denial of service attacks (p. 41)
- Reverse engineering (p. 42)
- Social engineering (p. 42)
- Phishing (p. 43)
- Hacking (p. 44)
- Bin raiding (p. 44)
- Data slurping (p. 46)
- The Cloud (p. 46)
- Wi-Fi hotspots (p. 47)
- Whistleblowing (p. 47)
- Phoney job offers (p. 48)

The Insider Threat (p. 49)
- Defining the insider threat (p. 49)
- Sources and motivations of malicious insiders (p. 49)
- Tactics adopted by malicious insiders (p. 50)
- Mitigating the risk posed by malicious insiders (p. 50)

Part II – Protection Principles

The Starting Point (p. 53)
- Overview (p. 53)

Policy (p. 54)
- Overview (p. 54)
- ISO 27001 (p. 54)
- Policy statement example (p. 55)
- Policy elements (p. 55)
- Specific policies (p. 56)
- Dissemination of the policy (p. 56)
- Further information (p. 56)

Awareness Training (p. 57)
- Overview (p. 57)
- SATE programmes (p. 57)
- Awareness methodology (p. 58)

Basic Protection Principles (p. 61)
- Overview (p. 61)
- Security culture (p. 61)
- Protection according to the domains – Knowledge and know-how (p. 62)
- Protection according to the domains – Hardcopy (p. 63)
- Protection according to the domains – The digital domains (p. 64)
- Protection according to the domains – Communications security (p. 65)
- The need-to-know principle (p. 65)
- Non-disclosure agreements (p. 65)
- Clear desk policy (p. 66)
- Background screening (p. 67)

Operational Security (OpSec) (p. 68)
- Overview (p. 68)
- Good housekeeping (p. 68)
- Access control and “need to go” (p. 68)
- Loose talk (p. 68)
- Outside events (p. 68)
- Contractors (p. 68)

Information Classification (p. 69)
- Overview (p. 69)
- Considerations when classifying (p. 69)
- Example classification system (p. 70)
- DIN 66399 (p. 71)
- Operational security and classification (p. 71)
- Personal data and classification (p. 71)
- A different perspective (p. 72)

Protecting Data on Information Systems (p. 73)
- Overview (p. 73)
- Adding “I – Triple A” to the CIA Triad (p. 73)
- Essential protective approaches (p. 74)
- Passwords (p. 74)
- Flash drives (p. 75)
- Web browsing (p. 75)
- Bring your own devices (BYOD) (p. 77)
- Encryption (p. 77)
- Hard drive disposal (p. 78)
- Home PCs (p. 78)
- Laptops (p. 78)

Technical Surveillance Countermeasures (p. 81)
- Overview (p. 81)
- Listening devices (p. 81)
- Countering telephone surveillance (p. 82)
- Countering IT surveillance (p. 82)
- Faraday cages and SCIFs (p. 83)

Miscellaneous Considerations (p. 85)
- Prototypes and models (p. 85)
- Disposal of production materials (p. 85)
- Security of Information in the supply chain (p. 85)
- Visitors and access to sensitive areas (p. 86)
- Shredders (p. 87)
- Photocopiers (p. 88)
- Hotel conference rooms (p. 88)
- General conduct while overseas (p. 89)

Incident Response and Investigations (p. 91)
- Overview (p. 91)
- Preparing for an incident (p. 91)
- Responding to an incident (p. 91)
- Reasons for investigations (p. 92)
- Considering outcomes (p. 92)
- Parties to the investigation (p. 93)
- Follow up after an incident (p. 93)

Bibliography and Further Reading (p. 94)

Disclaimer (p. 96)
About This Unit

Unit Purpose

The purpose of this unit is to equip you with an appreciation of the many threats to information, the attack vectors for information compromise, and to assist you to develop the ability to create and lead an effective information security management programme.

Unit Outcomes and Assessment Criteria

11.1 Be able to advise on information threats and vulnerabilities.
  a. Compile an analysis of the threats to information.
  b. Critically evaluate the weaknesses of current approaches to information security.
  c. Formulate information security awareness programmes.

11.2 Be able to implement measures to protect information in non-digital form.
  a. Integrate information protection principles into regular business activities.
  b. Develop enhanced means to protect information in non-digital form.
  c. Generate measures to reduce the risk of technical surveillance.

11.3 Be able to recommend approaches to protect information in digital form.
  a. Transform awareness of threats to sensitive information in digital form and devices.
  b. Prescribe programmes for the improved protection of sensitive information in digital form and devices.

The assessment questions in the Unit Workbook will be based directly on the above assessment criteria.

Part I – The Challenges

Introduction

Overview

Knowledge, know-how and information are the crown jewels of many organisations. Calder and Watkins (2012) emphasise that information and intellectual capital is often worth more to an enterprise than its physical assets. Referred to collectively as intellectual property, Wilding (2006) notes that although vital to the wellbeing of commercial organisations, IP is often poorly protected. This is a view echoed by Calder and Watkins (2012), who note that most organisations believe their information systems are secure; the brutal reality is that they’re not.

The purpose of this module is to set out some of the myriad of risks to information and to present a range of means to manage these risks. Information security can only be achieved through a layered approach, taking into account the many dimensions for exploitation. The module will examine information risks and information security in general. An in-depth study of information systems security is, however, beyond the scope of this reference.

Unlike physical assets, information assets are present in many different forms and require multiple and overlapping means of protection. A fundamental principle of the protection of tangible assets is protection in depth, employing concentric rings of protection. With physical (tangible) assets this can be represented in a two-dimensional diagram. Information security, however, requires a multi-dimensional approach, as the threat sources (adversaries) and the methods used are very diverse.

Threats to Information

Information is of significant value to adversaries, who wage a relentless, usually unseen and undetected, campaign to obtain your most sensitive data. Methods can include plain theft, solicitation, inadvertent disclosure and hostile interception.
The Internet, one of the most valuable tools in allowing businesses to efficiently and economically communicate with their markets, is also a primary means of attack and espionage, and the ambiguity of national borders and legal jurisdictions poses an almost insurmountable challenge. Some commentators have described the threats to information residing on the Internet as an epidemic (http://www.bbc.co.uk/news/technology-13626104).

Espionage by foreign government agencies seeking to give their domestic companies economic advantage in the global market is carried out on an unimaginable scale. Aside from the well-publicised stories about telephone and computer communications intercept, a number of foreign governments collect information about targets via a multitude of means, including front companies, which may engage in joint ventures or become a supplier to the target.

Government-level espionage is not confined to traditional adversaries. There have been many instances of accusations of industrial espionage between European and US companies, or between US and Asian companies. The intelligence services of countries that may appear ostensibly to be allies have long “waged war” in cyberspace in an effort to steal each other’s economic and industrial secrets so that they can be put to domestic economic advantage. History shows us that superpowers wax and wane, and there can be no doubt that information and know-how will be a key determinant in maintaining – or achieving – global economic dominance.

Moreover, computers and their associated technology make it simple for employees and ex-employees to walk away with trade secrets. And there is almost no limit to what can be stolen.
What might have required an employee to exit through security with many boxes of documents twenty years ago (for a case study see http://www.nytimes.com/1997/01/10/business/vw-agrees-to-pay-gm-100-million-in-espionage-suit.html) can now be taken in an instant on a flash drive or uploaded to a personal Cloud from the workstation desktop. The simple fact is that the speed of innovation in information technology is outdistancing our capacity to provide effective safeguards, and the risk of information theft by flash drive is fast being overtaken by the risk of staff copying sensitive data to personal Cloud accounts.

Nasheri (2005) highlights the problem that today’s information age requires businesses to compete on a worldwide basis, sharing sensitive information with appropriate parties yet protecting that information against competitors, vandals, suppliers, customers and foreign governments.

Information thieves are able to operate in cyberspace with a degree of anonymity, privacy, impunity and global access. Unlike a traditional crime, no physical presence is necessary and there may be no evidence of the theft.

What Is Cyberspace?

Clemente (2013) observes that although cyberspace is sometimes categorised as a discrete sector, in practice it is so deeply embedded into sectors such as energy and transport as to make any separation meaningless. Cyberspace can be visualised instead as a thin layer or nervous system running through all other sectors, enabling them to communicate and function.

It is likely that the greater part of economic espionage falls into one of the following categories:

- Employees stealing information from their employers.
- Companies stealing information from competitors.
- Foreign governments stealing information about companies.

OSAC, the US Government’s Overseas Advisory Council, (1994) notes that the majority of competitive information theft cases which occur in the United States involve a company's own employees.
You should not overlook, also, the significant threat posed by organised criminal gangs seeking to steal information – especially that stored in IT systems – for the purpose of identity theft.

Competitive Intelligence

It is easy to confuse espionage with competitive intelligence (CI), especially since espionage is so weakly defined in law. The majority of large companies have CI departments. CI, according to Nasheri (2005), takes a broad view of the market and how a particular company hopes to position itself. It relies on techniques such as recruitment, strategic and tactical surveillance, product sampling and profiling of target company personnel. It also examines the strengths and weaknesses of competitors. However, there is often a fine line between the legitimate and ethical collection of competitive information and the covert acquisition of proprietary business information.

Cyber Sabotage

Threats to information are not limited solely to information theft. Corruption of data, or denying access to data, can have as much impact on the operational continuity of a business as the theft of information, if not greater. The UK Government’s Cyber Security Breaches Survey 2017 found that 46% of companies surveyed had experienced at least one breach in the previous twelve months. It also found that the most common outcomes of a breach are a temporary loss of access to files or networks (23%), and software or systems becoming corrupt or damaged (20%).

This is demonstrated most clearly by the 2017 “WannaCry” global cyber security incident, in which ransomware software infected more than 230,000 computers in over 150 countries, encrypted the contents of those machines, and demanded a ransom be paid before the computer was made operational again.
In this breach no data was stolen, yet scores of companies had their business operations interrupted, in some cases for months afterwards.

A multi-billion dollar criminal economy exists in which the skills and capabilities for computer hacking can be bought and sold. Through these commoditised tools criminals can quickly identify vulnerable systems, gain access to them, and use them for their own criminal purposes. Typically, the cybercriminal will seek to make financial gain from their compromised systems, either by using the system to send spam emails, or by installing malicious software either to generate cryptocurrency or to encrypt the data on the system and demand a ransom from the system owner.

As the use of "smart" technologies and computer-based systems for industrial control continues to proliferate and become increasingly connected, threats to information bring with them real-world consequences. In 2014 the German Federal Office for Information Security (BSI) reported that a blast furnace at a German steel mill had suffered "massive damage" after the systems controlling it were breached. Power outages were experienced in Ukraine in December 2015 after three power distribution companies were compromised by malicious software.

Collectively, the three qualities of information known as Confidentiality, Integrity and Availability (CIA) form the foundation of information security, and this triad is discussed throughout this module.

The CIA Triad

The main requirements for information protection can be summarised with the abbreviation CIA, as follows:

Confidentiality

The characteristic whereby only those with sufficient privileges and a demonstrated need may access certain information.
When unauthorised individuals or systems can view information, confidentiality is breached. Information could be accidentally disclosed by computer misrouting, inadequate protection, viruses and Trojans, lost flash drives, poor destruction of old equipment, etc. Here, access control and encryption are fundamental. To protect the confidentiality of information, a number of measures are used, including:

- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users
- Cryptography (encryption)

Confidential information may include business-sensitive information such as trade secrets and personal private data relating to living persons.

Integrity

Ensuring that information is not altered, modified or manipulated in any unauthorised way.

The integrity of information is threatened when it is exposed to corruption, damage, destruction, alteration, substitution, or other disruption of its authentic state. This can occur inadvertently, or deliberately (directly or indirectly), when data is being entered, stored or transmitted. Data can be modified by fraudsters, and SCADA processes can be modified by hackers or pathogens (for example "Duqu", the intelligence-gathering Trojan designed to harvest information about SCADA vulnerabilities for subsequent analysis and exploitation, discussed in Module 10). Many computer viruses and worms are designed to corrupt data. This damage may go undetected. Even after the malware has been removed, the corruption can remain, often unnoticed.

To manage inadvertent threats to integrity, systems employ a variety of automated error control, intrusion detection/protection, access control, automated integrity checking and malware protection techniques.
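The "automated integrity checking" referred to above is usually a baseline of file digests that is re-checked on a schedule, so that corruption left behind after malware is removed, or a quiet edit to a figure or a record, shows up as a mismatch. The Python block below is an added example written for this edition; it is not ISMI's code or any product's implementation. The file names, their contents and the manifest key are all constructed for the demonstration, and the design choice of sealing the digest table with an HMAC (so that the manifest itself cannot be quietly rewritten by someone who lacks the key) is an assumption of the example, not something the unit prescribes.

```python
import hashlib
import hmac
import json

# Constructed sample data set (path -> content). In a real deployment these
# would be read from disk; the key must be stored apart from the protected
# data (for example on the integrity-monitoring host only), otherwise whoever
# can alter the files can also re-seal the manifest.
SAMPLE_FILES = {
    "config/firewall.rules": b"allow tcp 443 from any\ndeny all\n",
    "cctv/2017-05-12-cam03.idx": b"frame:000001 sha:ab12\nframe:000002 sha:cd34\n",
    "finance/q2-figures.csv": b"region,revenue\nNorth,1200\nSouth,950\n",
}
MANIFEST_KEY = b"constructed-demo-key-held-on-the-monitoring-host"


def file_digest(data: bytes) -> str:
    """SHA-256 of a file's content, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a digest per file and seal the table with an HMAC, so that
    rewriting the manifest alongside the files is detected as well."""
    digests = {name: file_digest(data) for name, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_manifest(files: dict, manifest: dict, key: bytes) -> dict:
    """Check the current files against a sealed manifest.

    Returns {"manifest": "ok" | "tampered", "files": {path: status}} where
    status is "ok", "modified", "missing" or "unexpected". When the seal
    fails, no per-file verdict is given because the digests are untrusted.
    """
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest": "tampered", "files": {}}
    report = {}
    for name, recorded in manifest["digests"].items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(file_digest(files[name]), recorded):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in files:
        if name not in manifest["digests"]:
            report[name] = "unexpected"
    return {"manifest": "ok", "files": report}


def demo_silent_modification() -> dict:
    """Baseline, then a quiet edit to a revenue figure and a swapped CCTV
    index entry: both files still parse, but neither matches its digest."""
    manifest = build_manifest(SAMPLE_FILES, MANIFEST_KEY)
    current = dict(SAMPLE_FILES)
    current["finance/q2-figures.csv"] = b"region,revenue\nNorth,1200\nSouth,1950\n"
    current["cctv/2017-05-12-cam03.idx"] = b"frame:000001 sha:ab12\nframe:000002 sha:ffff\n"
    current["tmp/scratch.txt"] = b"not in the baseline"
    return verify_manifest(current, manifest, MANIFEST_KEY)


def demo_forged_manifest() -> dict:
    """Someone who edits a file and patches its digest in the manifest, but
    lacks the key, cannot produce a valid seal."""
    manifest = build_manifest(SAMPLE_FILES, MANIFEST_KEY)
    current = dict(SAMPLE_FILES)
    current["finance/q2-figures.csv"] = b"region,revenue\nNorth,1200\nSouth,1950\n"
    manifest["digests"]["finance/q2-figures.csv"] = file_digest(current["finance/q2-figures.csv"])
    return verify_manifest(current, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    print(json.dumps(demo_silent_modification(), indent=2))
    print(json.dumps(demo_forged_manifest(), indent=2))
```

Run on a schedule, the report gives the three outcomes a security manager needs to act on: a "modified" entry is a candidate integrity incident, a "missing" or "unexpected" entry means the inventory of what is held has drifted, and a "tampered" seal means the baseline itself can no longer be trusted and must be rebuilt from a known-good source.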
But deliberate manipulation or alteration of data, such as by a manager changing figures to conceal a fraud, or by a security guard replacing digitised CCTV images to conceal a crime, may be more difficult to detect. Automated fraud red-flagging software may be useful.

Availability

Ensuring the continued and uninterrupted accessibility of information to those who require it.

Authorised users need to be able to access data in a usable format on demand. A user may be a person or another computer or resource. Threats to availability include (but are not limited to) natural disasters, fires and explosions, poor back-up protocols, malware (which can corrupt or destroy files), DDoS attacks, file or media corruption, exploits, hacking and failure to back up data to a protected central fileserver (or the Cloud). Availability may also be denied by the theft of hardware, especially laptops.

Are You Sufficiently Prepared to Meet the Threat?

An essential precursor to protecting against information leakage is recognising that the problem exists, and this is a stumbling point for many boards, which may not appreciate the scope and methods of information targeting. Thus, when a new product fails to meet expectations (see the product life cycle diagram in the original unit), fingers are pointed at Marketing, Distribution, Quality, R&D etc. Rarely is consideration given to the possibility that information may have leaked to an adversary, perhaps giving that adversary a competitive pricing edge by obviating its need to carry out its own expensive R&D.

ONCIX, the US Office of the National Counterintelligence Executive (www.ncix.gov), publishes regular updates on the extent of corporate espionage against the United States and provides a number of good practice publications for free download.
Ten years ago, ONCIX published the following findings in its annual report:

- The greatest losses and threats involve information about manufacturing processes, ICT (information communications and technology), scarce natural resources, aerospace, clean energy projects, and pharmaceuticals.
- The Internet and information systems have significantly increased the risks to corporate proprietary information.
- From the insider perspective, on-site contract employees and joint-venture (JV) partners may pose the greatest threat to proprietary information.
- The majority of companies do not effectively safeguard proprietary information.
- Most companies lack a mechanism and process by which to assess the value of proprietary information.

It is likely that many of the above observations remain ineffectively mitigated to this day, and that developments in the way we use technology and the increased sophistication of attackers have further shifted the balance in favour of the adversary. Furthermore:

- Cyberspace offers greater security to the perpetrator in cases involving insiders.
- Workers increasingly draw few distinctions between their home and work lives, and will expect free access to any information they want, anytime, from anywhere.
Chris Davy CB, a former leading UK investigator into industrial espionage who has worked with major UK companies, makes the following observations in regard to information protection and vulnerabilities:

"In many British companies the security of information rests precariously on the honesty, integrity and care of the staff, and nothing else."

"In many cases where leaks have occurred and I have been called in to investigate, I would have to describe the level of information protection as reckless."

At the information systems level, the picture is no better. Ponemon (2012) finds that employees exacerbate existing vulnerabilities and create new ones by routinely engaging in the following top-ten risky practices:

1. Connecting computers to the Internet through an insecure wireless network.
2. Not deleting information on their computer when no longer necessary.
3. Sharing passwords with others.
4. Reusing the same password and username on different websites.
5. Using generic USB drives not encrypted or safeguarded by other means.
6. Leaving computers unattended when outside the workplace.
7. Losing a USB drive containing confidential data and not immediately notifying their organisation.
8. Working on a laptop when travelling and not using a privacy screen.
9. Carrying unnecessary sensitive information on a laptop when travelling.
10. Using personally-owned mobile devices that connect to their organisation's network.

The Threat Tempo

In his report on Emerging Cyber Threats to the United States before the US House of Representatives, Frank J. Cilluffo (2016) observes that:

"The threat tempo is magnified by the speed at which technologies continue to evolve and by the fact that our adversaries continue to adapt their tactics, techniques and procedures in order to evade and defeat our prevention and response measures."

The continual increase in performance and decrease in size of computing devices leads to new technologies and novel uses for technology. This brings with it smart watches, health tracking devices, network-connected thermostats and household appliances that can be controlled from a smartphone. Each new innovation introduces different ways in which information can be stored, processed and breached. While the use of mobile phones within a secure area may be prohibited, does this policy apply to smart watches? Similarly, adversaries rapidly find means to exploit new technologies, and new ways to exploit existing technologies. This trend will continue. As the proliferation of Internet-connected devices and systems continues, attacks and attack methods will become ever more audacious and attack consequences ever more severe. The security industry will be perpetually playing "catch-up".

Due to the rapidly changing nature of this aspect of information systems security you may wish to carry out your own research, as it will surely impact on the security of any physical protection system (e.g. CCTV, access management, IDS) that you decide to migrate to an IP-based system. To help you understand this further, it is recommended you read the following Online Library articles:

- How hackers will exploit the Internet of Things in 2017.
- The "secure" Wi-Fi standard has a huge dangerous flaw.
- 175,000 IoT cameras can be remotely hacked thanks to flaw, says security researcher.
Specific Idiosyncrasies of Information as an Asset

Overview

Sensitive information takes many forms, from the spoken word, through hardcopy to computer data. Some information, such as hardcopy, is relatively easy to protect, given the will to do so. Other forms of information, such as knowledge, know-how, computer data and communications, present significant protection challenges. The intangible nature of much information means that it is virtually impossible for an organisation to take stock of all its information assets. Even if all of the files on a computer network could be checked and classified, nobody in the owning organisation knows how much sensitive information, and of what nature, is in people's heads or has been passed on to other parties.

Valuing Information

You have learned from the security risk analysis module that there are two approaches to valuing regular assets. The first, and simplest, is the book value – the cost of replacement. This, however, is inadequate for the purpose of a risk analysis. A better method is to assess the criticality of an asset and its relative value to the operation in relation to how it fits into an asset cluster. Does it have redundancy? Is the mission critically dependent on its presence? In this way you will see that even relatively low-value components such as copper wire can have a value to the enterprise many times that of their replacement value.

In practice, determining the relative value of regular assets can be quite challenging. But these challenges seem very basic when trying to determine the value of information. One of the unique aspects of this kind of asset is that even when it is stolen it usually remains in the possession of the owner, as "theft" usually involves some form of copying, sharing or disclosure. This makes it very difficult to detect and prosecute information theft.
Common, but not wholly satisfactory, approaches to valuing information include:

- The time it took to create the information, or the time it would take to recreate it. This can be applied to information which has been destroyed, accidentally or maliciously.
- The damage to an organisation in terms of reputation damage, loss of clients, fines from regulatory bodies etc. Fines are sometimes a concern where personal data has been compromised. The clean-up costs during and following an incident should also not be underestimated. This could include notifying customers that their data has been breached, hiring expensive data forensics specialists and lost revenue caused by IT system downtime.
- The loss to the organisation of essential know-how that has been removed, computer files that have been corrupted, or key personnel who have left. The organisation may have impaired capacity to continue.
- The value to the party who benefits from your loss. This may be a competitor, former employee, supplier etc.

A common view is that the best way of assessing the value of an asset is by considering the damage and consequences that are likely to occur in the event of its compromise. This is frequently referred to as "business impact assessment." All three aspects of the CIA triad should be taken into consideration, and a loss of information security may impact one or multiple aspects at the same time. For example, consider a patient's medical notes in a hospital, which could be either in hard or soft copy:

- Confidentiality can be breached if these notes are viewed by an unauthorised person, copied inappropriately or emailed to the wrong person. In this case, the business impact could be a breach of data privacy laws, leading to fines and censure from a regulator.
- Integrity can be breached if the notes are illegible, or if the notes of one patient are mistakenly included within the folio of another patient. In this case, the business impact could be severe – the patient could be given incorrect medication or treatment.
- Availability can be breached if the notes are not accessible to the doctor when required. It could be that the IT system is unavailable, or that paper records have been mislaid. In this case, the business impact could be a delay to the patient's treatment.

Related to the above is the temporal value of information, which is addressed in the section below on the information lifecycle.

The Information Lifecycle

Information may take various forms throughout its lifecycle. When creating information, it is important to envisage this. For example:

- Notes from a sensitive meeting may initially be in handwriting. What ultimately happens to the notebook? Is it accounted for? Is it properly disposed of?
- From the notebook, it may then be converted into a computer note, stored on a network, or on a personally-owned device. Who ensures that the note is encrypted? Do users have access to encryption, are they aware that such a facility exists within Microsoft Office, and do they use it? Are their laptops encrypted? What happens to the computer's hard drive when it is disposed of? Are there accounting procedures and records of hard drive disposal? Is there a means to know whether sensitive information has ever been transferred onto a thumb drive? How secure is the thumb drive? (Note that the module uses the terms thumb drives, flash drives, data sticks etc. interchangeably.)
- Meeting attendees may discuss the points of the meeting with other parties, who may, themselves, share on the information. Is every party subject to a non-disclosure agreement (NDA)?
- Information may be sent to another party. What controls do they have in place to protect it? What options for redress do you have in place if these controls are not applied or not effective? Is it sent in encrypted form? On how many computers does it now reside? Has it been sent outside the organisation to another domain? Does it now reside on smartphones?

Information Theft and the Law

In the UK, theft of personal data may be prosecuted as an offence under the Data Protection Act 1998, and if an individual is offered money to steal personal data, bribery offences may also be applicable. However, there is no effective law relating to industrial espionage. This makes it very difficult to prosecute for information theft. Most legal approaches in the UK focus on civil law to prevent employees using information obtained during the course of their employment for other purposes. And even if there were criminal recourse, how would an organisation go about convincing a court that it owns the information when it probably has no inventory of what information it owns and where all of the information is?

In the US, there are laws on economic espionage, but fundamental to proving the case is the defendant being able to demonstrate that it took reasonable steps to secure the lost or compromised trade secret. In reality, many companies' appreciation of "reasonable" may not meet the litmus test for courts or law. The fact is that in many companies, information is not comprehensively protected.

Another way of looking at the information lifecycle is in temporal terms – its dynamic value at any particular time. For example, product launch information will often be highly sensitive in the period leading up to the launch, but once the product is launched it may have no value. The same may be true of unique designs in the pre-patent phase of development.

Civil law protection is addressed in the following section.
Proactive Legal Approaches to Intellectual Property Protection

In some instances it is necessary to put intellectual property (IP) or information into the public domain in order to do business. And in some cases information is the organisation's product. In such cases there are legal approaches (under civil law) that can be employed. Primarily, these are patents, trademarks and copyrights. These terms have slightly different parameters depending on the legal jurisdiction in which they are used. For example, patents may need to be registered in every market country. Most companies employ or retain teams of IP legal experts to advise on this.

Patents – A patent is a means of protection that can apply to inventions, formulations, unique physical designs etc. Granting of a patent excludes other parties from copying that invention or design. A patent typically has a life of 20 years, and is non-renewable. As an illustrative example, http://www.ipo.gov.uk/types/patent.htm provides a good perspective on the UK approach to patents.

Trademarks – A trademark is a word, phrase or logo, or other graphic symbol used by a manufacturer to distinguish their products from others (ASIS, 2007). The UK Intellectual Property Office (2012) notes that if you have a registered mark, you have the right to use your mark on the goods and services in the classes for which it is registered. You also have the legal right to take action against anyone who uses your mark or a similar mark on the same, or similar, goods and services to those that are set out in the registration.

Copyrights – A copyright is a means of protecting creative works. For balance, we will illustrate copyright by presenting a Canadian perspective.
According to the Canadian Intellectual Property Office (2013), copyright applies to all original literary, dramatic, musical and artistic works provided the conditions set out in law have been met. Each of these general categories covers a wide range of creations, including:

- Literary works: books (for example, the CSMP training materials), pamphlets, computer programs and other works consisting of text;
- Dramatic works: motion picture films, plays, screenplays, scripts, etc.;
- Musical works: musical compositions with or without words; and
- Artistic works: paintings, drawings, maps, photographs, sculptures, plans, etc.

For a detailed explanation of copyright refer to http://www.cipo.ic.gc.ca/eic/site/cipointernet-internetopic.nsf/eng/h_wr02281.html

Determining What Is Sensitive Information

Overview

Information is part of the broader family of intellectual property (IP), a mix of tangible and intangible assets that may or may not be in the public domain. As discussed, IP that is in the public domain is usually protected by legal means; unique designs are protected by patents, slogans and symbols may be protected by trademarks, while printed, artistic and recorded product may be protected by copyright.

Sensitive information which an organisation seeks to keep confidential may be broken down into two groups:

- Proprietary information.
- Personal data.

Proprietary Information and Trade Secrets

Proprietary information is sensitive information that is not public knowledge and over which the possessor asserts ownership. In the business community, proprietary information relates to the structure, products, financial data, test results, business methods etc. of the organisation, and gives the organisation certain competitive advantages. It is usually protected in some way against casual or general disclosure, and the person to whom the information is entrusted is generally duty-bound to refrain from making unauthorised use of the information.
There is some blurring of the boundaries between what constitutes proprietary information and what is a trade secret. For example, some definitions of proprietary information include that which is protected by legal means (copyrights, patents, trademarks), while the World Intellectual Property Organization's (WIPO - http://www.wipo.int) definition of trade secret is very close to the definition of proprietary information above:

"Confidential business information which provides an enterprise a competitive edge may be considered a trade secret. Trade secrets encompass manufacturing or industrial secrets and commercial secrets. The unauthorised use of such information by persons other than the holder is regarded as an unfair practice and a violation of the trade secret. The subject matter of trade secrets is usually defined in broad terms and includes sales methods, distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients, and manufacturing processes."

In the United States trade secrets are defined as:

"All forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public."
It is argued that corporate trade secrets and proprietary information represent the most valuable economic and business resource for gaining competitive advantage and market share in a free-market, global economy. In an effort to protect US trade secrets, especially against foreign exploitation, the US introduced the Economic Espionage Act 1996, which criminalises the theft or misappropriation of trade secrets, providing exceptionally heavy penalties for violators.

The primary impact of loss of proprietary information is potential damage to the business' competitive edge and benefit to another party.

A particular type of valuable proprietary information that is frequently overlooked is the technical information describing IT systems and the business information describing the organisation itself. This information may be published inadvertently within job adverts for technical staff, or within employees' online profiles. Guidance should be given to employees to ensure such information does not leak.

"As with any operation, every attack has a budget; making organisations significantly hard targets will often drive attackers elsewhere or cause them to reconsider their priorities." (CPNI 2016 PIANOS Report)

The UK's Centre for the Protection of National Infrastructure elaborates on this concept in its report, Protecting Information About Networks, the Organisation and its Systems (PIANOS) (CPNI 2016):

"In order to achieve their objectives attackers must understand the environment they are attacking, which means that regardless of the organisation targeted much of the information sought is the same. Attackers target information about the systems and networks they are attacking, and by defending this information organisations can hinder the actions of attackers."

Personal Data

Personal data refers to any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, from the information, which may include names, residences, email addresses, occupations, bank details, telephone numbers etc. The definition is also technology neutral. It does not matter how the personal data is stored – on paper, on an IT system, on a CCTV system etc.

Many organisations store – and assert ownership over – such data stored in employee or client databases. In this regard there can be some crossover with the definition of proprietary information; however, it is important to recognise that in many jurisdictions the "data subject" is regarded as the owner of the data, and the company processing the personal data is merely a custodian of it and must respect the rights conferred on the data subject by legislation.

The EU General Data Protection Regulation (GDPR) replaces previous EU data privacy legislation and is hugely significant. It sets out detailed rights of data subjects and is extra-territorial in its reach. This means that any company providing goods and services (irrespective of whether payment is required), or which monitors the behaviour of data subjects within the EU, even if that company is not based in the EU, is required to comply with the requirements of the GDPR. It brings with it substantial fines for improper handling of personal data: up to €20 million or 4% of a corporation's annual global turnover. The regulation was adopted in 2016 and becomes enforceable from 25 May 2018. A detailed analysis of data protection law is beyond the scope of this module; however, some reference documents are provided in the ISMI® Online Library.
As a quick reference guide, the law firm DLA Piper provides a useful website summarising and comparing data protection laws around the world: https://www.dlapiperdataprotection.com

A key differentiator between proprietary information and personal data is the impact on the organisation if personal data is lost or compromised. At the very least this could be loss of customer confidence, but in some sectors, especially finance, where such loss has to be disclosed, this could be a multi-million dollar fine and public humiliation. All it takes is for a thumb drive to be lost or for an unencrypted laptop to be stolen. Moreover, there are Internet sites such as http://datalossdb.org/ to which registered users can upload their own reports of organisations losing personal data. Reports on the site indicate the company, the nature and extent of the loss, and the media. Typical media losses include stolen PCs and laptops, stolen or lost external drives, hacking, carelessly disposed-of documents, malicious email, exposure on a website, stolen documents etc.

Organised criminal gangs seeking to carry out identity theft pose a significant risk to personal data. In specific regard to the targeting of personal data, the 2012 Trustwave Global Security Report drew the following conclusions:

- The food and beverage industries were top targets.
- The majority of cybercriminal attacks are against personal data (89%).
- Attacks have a high success rate.
- Weak passwords are a problem. The most common password used is Password1.
- The most likely time to receive an email with a malicious attachment is 0800-0900 EST (1300-1400 GMT).
- Only 16% of investigated companies self-detected attacks. The remaining 84% were alerted by information from an external entity: regulatory, law enforcement or public.
- Malware resided for an average of 173.5 days within the victim's environment before detection occurred.

Types of Data at Risk

It is difficult to state categorically which types of data are at risk in your organisation. Much will depend on the objectives and sophistication of the adversary and the nature of your business. Some common categories to which you should consider providing enhanced protection include:

- Customer lists
- Unique methodologies or techniques
- Research and development details
- Processes
- Marketing plans
- Codes
- Product launches
- Sensitive quality information
- Staff records
- Ways to improve or streamline business
- Future expansion or downsizing plans
- Negotiating positions
- Financial and pricing details that are not for public release
- Executive travel plans
- Marketing / strategic plans
- Product formulation or designs
- Scientific information (e.g. seismology)
- Prototypes
- Contracts
- Pricing plans and agreements
- Staff and customer personal information
- Agreements with distributors
- Tenders
- Client information
- Forecasts
- Complaints or known product shortcomings
- Payroll
- Customer secrets
- Specific technology details

Research has shown pricing information to be one of the categories most commonly targeted by competitors.

Where Information Is Held

Personnel Knowledge and Know-How

Considerable sensitive information and know-how is in employees' brains. It should be appreciated that such employees may also be of value to competitors, and key to protecting information in this domain is to ensure that employees are content. The business environment is very dynamic and many employees will not stay with the same employer for more than five years.
Wilding (2006) draws attention to the difficulty of protecting knowledge under such circumstances, emphasising the particular problems in controlling or preventing the transfer of knowledge between employees and other parties. People may leave an organisation but retain significant knowledge about its methods, operations, processes and relationships. Such knowledge may not only be proffered to third parties but also be misused to defraud the organisation, or to blackmail, sue or embarrass it. Nasheri (2005) notes the changing relationship between employer and employee and draws attention to the dramatic increase in employees departing with their employers' trade secrets. Therefore, there need to be measures in place to protect the knowledge gained by employees from unauthorised use or disclosure. This is addressed beginning on Page 55.

In Hardcopy

Computerisation means that the percentage of sensitive information held in hardcopy is ever reducing, but the overall increase in the amount of information held by organisations means that the volume of hardcopy stored will continue to be significant. Hardcopy can take many forms, ranging from ledgers and files, through desk diaries, to personal notebooks. The latter may be a particular concern, especially if used in a research and development or laboratory test context. While there may be measures to protect sensitive hardcopy contained in files, there is often less control over what is sent for disposal. It is not uncommon for sensitive misprints, drafts and print overruns to inadvertently get into the regular waste bin, nor is it uncommon to find sacks of sensitive waste waiting around to be shredded. Hardcopy security is addressed beginning on Page 56.

In IT Systems

IT systems have brought unimaginable benefits to organisations.
Most organisations couldn't function economically and competitively without the benefits of IT. However, IT systems have the major disadvantage that they are capable of allowing the loss or theft of enormous quantities of sensitive information in a single action (literally in a one-second keystroke), and the interconnectivity of systems means that today's employees often have access to vast amounts of sensitive data at their fingertips. Despite there being many and varied solutions to data theft or data loss from IT systems, remarkably few organisations put adequate safeguards into effect. These are addressed beginning on Page 57.

Industrial control system is a term used generally to describe control systems and associated instrumentation used in industrial production environments (Wikipedia). These systems may contain trade secret information relating to recipes or the production process itself, or sensitive information pertaining to safety and security in some CNI environments. In this environment, the integrity and availability of information is paramount to ensure that operators can maintain safe control and visibility of the state of the system. There are particular nuances to be considered in securing industrial systems. These are discussed in good practice frameworks published by CPNI in the UK and by the DHS in the USA: https://www.ncsc.gov.uk/guidance/operational-technologies and https://ics-cert.us-cert.gov/Recommended-Practices

In Digital Media

The fact that consumer digital media is virtually identical to business digital media provides huge cost savings for organisations. Moreover, BYOD (bring your own device) is becoming the rule rather than the exception, allowing for permitted interconnectivity between personal devices and company systems.
It is little use banning personal flash drives, as today's smartphones provide identical data-syphoning functionality if connected to an IT system. This enables those with access and malicious intent to copy phenomenal amounts of sensitive data across to personal media. For example, 64 GB of flash memory (typical for smartphones with microSD cards and thumb drives) can store the equivalent of literally millions of pages of documents. Vast quantities of data can be transferred to flash media in the time it takes for a colleague to go and make a cup of coffee.

In the Cloud

The Cloud has led to a revolution in the way in which companies manage and store data. The ubiquity of the Internet means that vast amounts of data no longer need to be held on fileservers, PCs and laptops owned by the company, as long as users can access the Internet. Instead, data can be stored in virtual cyberspace, which in reality is "someone else's computer". Among the most significant security risks associated with Cloud computing is the tendency to bypass information technology departments, and Cloud computing introduces significant new avenues of data attack. Moreover, the Cloud is in parallel a consumer product, allowing those with personal Cloud accounts (and this is increasingly most employees) to upload their organisation's data to personal accounts out of reach of the organisation. While day-to-day issues of IT security remain unresolved, the introduction of concepts such as BYOD and the Cloud requires IT security professionals to consider these new risks and articulate business cases for appropriate and pragmatic controls. Such controls should enable the organisation to take advantage of Cloud services (which are becoming increasingly mainstream), while making it difficult for data thieves to quietly go about their work and take advantage of the conundrum and confusion.
In Communication

Information in communication has always been at risk. Rooms, telephone sets and lines can be bugged with relative ease by unsophisticated adversaries, and many governments have maintained the ability to intercept long-distance telephone calls since the beginning of the telephone. The huge advances in telecommunications technology in recent years, especially the digitisation of communications, have played directly into the hands of countries which have highly developed intelligence collection capabilities. Mobile phones can be specifically targeted and not only intercepted but also used as remote listening devices. Computers connected to public networks (Wi-Fi hotspots, including hotels) can be intercepted. Wireless communication should be recognised as inherently less secure than wired communication, as the signals are broadcast. Security controls in place should take this into account. Even the communication between a keyboard and its host computer can be intercepted to reveal keystrokes. Countermeasures for this are presented in various sections of this module.

The Adversaries

Overview

It is often said that there are four adversary routes to information disclosure:

- Outsiders.
- Insiders with malicious intent.
- Insiders by inadvertent disclosure.
- Insiders colluding with outsiders.

However, these neat categories sometimes oversimplify the adversary landscape. The lines between white-collar information theft, economic espionage and legitimate intelligence gathering are very blurred.
In relation to intelligence gathering, for example, Nasheri (2005) notes that intelligence gatherers can be competitors, vendors, investigators, business intelligence consultants, the press, labour negotiators and government agencies.

Employees

It is a fact that in most companies the security of information depends more on the day-to-day actions of the staff than on technology. In cases where information theft has come to light (and most cases don't come to light), huge vulnerabilities in the information protection regime have been exposed. Nasheri (2005) cites an ASIS study that reports trusted insiders posing the greatest risk to the divulgence of trade secrets. This point is echoed by Wilding (2006), who states that information theft is predominantly an insider risk, with vastly more confidential information removed from their workplace by employees than by hackers.

Contented employees are far less likely to target information than are disgruntled employees. However, many contented employees are often looking for the next employment opportunity, and there is a reasonable statistical risk that they will target sensitive information on their way out.

Historically, the contract between an employer and employee involved an exchange of "loyalty for security". Today's rapidly changing business environment has made the promise of job security a thing of the past. This has resulted in a growing lack of loyalty amongst many employees. With a transient workforce and a breakdown in traditional loyalties, many employees regard the proprietary data belonging to their employers as currency with which to barter in the jobs market. (Source: Wilding, 2006)

An insider working on behalf of an outside party poses a particularly pernicious threat, as here we see the factors of opportunity and accessibility of the insider combining with the directed targeting (and often pressure, perhaps through bribery, job offer or blackmail) of the outside party.
Again, this point is supported by Wilding (2006), who identifies employees as obvious targets for industrial spies, criminals and hackers. It is important here not to overlook contractors, who will often have circumvented your own background screening processes, and may have access to the corporate network.

Insiders may be cultivated by outsiders or they may be inserted as a mole. Means of cultivation include exploiting a grievance or a moral concern, the offer of a new job, bribery, blackmail etc. Moles can be inserted into the company as regular employees, contractors or temporary employees. There is no shortage of young people, in particular, who will accept an offer of this kind of "James Bond" excitement. Typical target posts for temping (temporary) staff moles include IT administration and secretarial roles. These are temping positions which are relatively easy to obtain and which allow for significant access to large amounts of sensitive information. Nasheri (2005) notes that there have been cases where foreign intelligence services (FIS) have tried to recruit employees of the same ethnicity, appealing to their love of their native homeland. This problem is echoed by OSAC (1994), which notes, with specific regard to US businesses overseas, that a local or foreign employee who is otherwise a good corporate citizen may feel the pressure of patriotism, or intimidation by an all-powerful government agency, to provide competitive information belonging to his/her American employer.

Former Employees

Wilding (2006) emphasises the risk posed by former employees who had trusted access to information systems.
A significant number of external attacks against information systems are committed by former employees, contractors or aggrieved parties who had formerly been given authorised access to the systems under attack and thereby gained inside knowledge of the targeted systems and network. Sometimes, departing employees leave virtual back doors through which they can access the system after departure. Additionally, the legitimate access of a leaver is often not revoked in a timely manner, giving them ongoing access after their departure.

Competitors

Nasheri (2005) notes that corporations have been spying on one another for decades. They may use legitimate competitive intelligence techniques (as described in the competitive intelligence description on Page 15) or more covert tactics such as trying to elicit information from employees or former employees, or offering jobs to employees of competitors. Reverse engineering is another common tactic. The situation is most extreme at the international level, where the state intelligence apparatus of many nations (FIS) aggressively targets the commercially secret information of other nations' competitors. This is relatively common where there is a branch of the target company in the FIS host country, in which case telephone calls and Internet communications are sometimes intercepted. In some cases, offices are bugged, and it is not unknown for listening devices to be placed in the vehicles and residences of targets.

Sometimes the approach to a competitor comes from the employee, who has, perhaps, amassed sensitive information which they now want to use to their advantage in securing a better job with the competitor. In approaching a competitor, the offer of IP may not be explicit, but assumed. ONCIX has identified JV partnerships as a route through which competitors may seek to obtain sensitive information.
Another route is common contractors, or a contractor who is perhaps disaffected at losing a long-term contract with one company and who then approaches a competitor with confidential information. From time to time, competitors may use information brokers (described below).

Business Partners

Business partners can be suppliers, distributors, customers, JV partners, government agencies, etc. It is in our nature to trust business partners as, to all intents and purposes, it appears that we share common goals. For the most part, this trust is not misplaced. However, business partnerships present a perfect opportunity for the adversary to exploit, and as much as we may want to trust the partner as an entity, how much do we know (and how much does it know) about the individual employees to whom our sensitive information is entrusted?

In the context of information security, business partners should extend to hotels. Not only do FIS cultivate hotel staff to work on behalf of their national interest in helping to collect intelligence against guests, but they may also seed the staff with their own employees, who trawl through hotel and conference rooms copying laptop data, photocopying sensitive documents and planting listening devices and covert cameras.

Foreign Governments

It is sometimes said that there aren't strategic alliances, only strategic interests. A host government that welcomes you into the country with open arms may at the same time be conducting an intensive intelligence operation against your employer's trade secrets. This may lead to divided loyalties.
Many employees of foreign companies, if asked by a member of their domestic intelligence service to collect intelligence against their foreign employer, would acquiesce on the grounds that serving the national interest prevails over serving the interest of the foreign employer.

FIS may go to extraordinary lengths to spy on business travellers, and you should be aware that the fact that you may see the destination country as "friendly" is no guarantee that it won't spy on your travelling executives. Some countries' FIS intercept 100% of SMS messages and emails transmitted or received over smartphones roaming on their domestic networks. They may also:

- Plant listening devices in hotel and meeting rooms.
- Listen in to phone calls.
- Engineer meetings.
- Circumvent your laptop security when connected to Wi-Fi networks, such as in a hotel.
- Access laptops when in hotel safes.
- Seize laptops and smartphones of travellers at airports, even if in transit.
- Hack into smartphones and use them as listening devices.
- Hack into laptops and activate the webcam or microphone.

Additional methods of espionage reported by the FBI in its annual report to Congress (Wilding, 2006) include:

- Agent recruitment and the placement of agents within companies.
- The coercion of current and former employees.
- Surreptitious entry to offices, laboratories and manufacturing plants.
- Theft of computers.

Some FIS will also attempt to hack directly into your corporate network, and many networks of large companies have fallen victim to this. Physical distance is no obstacle, and this can be done by FIS on one side of the world to a company on the other side. Many companies have no idea that they have been penetrated. Companies that make up the nation's critical national infrastructure (CNI) are particularly at risk.
CNI sectors were identified in Module 10.

The extent to which FIS will go to obtain specifically desired information knows few bounds. For example, at security trade shows it is reasonable to assume that from time to time there will be exhibitor booths set up by "companies" that are fronting for a FIS. FIS will also set up consulting firms to work with a particular target. Other FIS "overt" tactics, according to Wilding (2006), may include:

- The aggressive pursuit of joint ventures, mergers and acquisitions.
- The use of temporary research students with access to the target site's facilities.
- Scientific or technological exchanges.
- Direct requests for information.
- Contrived visits to sensitive facilities, often on the pretext of potential custom.
- The acquisition of technology or entire companies (eg. subcontractors, suppliers).
- The exploitation of overseas distribution agreements.

With the blurring of the boundaries between government employees and contractors, the latter are often subcontracted to perform specific intelligence-gathering roles; these are sometimes the same international companies that may be employed by you as service providers.

In specific regard to FIS recruiting your employees, OSAC (1994) points out that an employee's rank in the company is not necessarily commensurate with the interest of an agent of a FIS. Researchers, key business managers and corporate executives can all be targets, but so can support employees such as secretaries, computer operators, system administrators, technicians and maintenance people. The latter frequently have good, if not the best, access to competitive information. Additionally, their lower pay and rank may provide fertile ground for manipulation by FIS.

Information Brokers

Information brokers trade in information. Many operate legitimately. Some don't. The oil and gas industry is one of a number of sectors which suffer from information brokers seeking to gain information of value to tendering contractors.
Methods may range from open-source data gathering, through computer-based data mining, to targeted social engineering (see Page 37) of specific employees. Information brokers generally do not skulk about in the shadows. They often blend in with business settings, and can be found where one would normally expect to encounter fellow professionals. They are usually highly intelligent, articulate, social and adept at networking. They may appear at conferences and seminars networking with delegates, or at exhibitions representing companies which may be a front for another entity, perhaps a foreign government.

In terms of tactics and ethicality, information brokers can be viewed on a continuum. At the one end are those who work perfectly legitimately, harvesting information from genuine open sources. At the other end are those who may use trickery, deceit and social engineering to ensnare the unsuspecting employee. Wilding (2006) notes that those who exploit regular employees can be insidious and difficult to defeat, as they usually bypass traditional firewall and information security perimeter defences.

Journalists

Journalists come in many different shades, political allegiances and agendas. Many journalists become journalists not because they like writing but because they seek an outlet to express strong views. In addition to regular journalism, we now have to contend with so-called "citizen journalism": the ability of regular citizens to reach out to literally millions of readers via the Web or social media (see http://journalism.about.com/od/citizenjournalism/a/whatiscitizen.htm ).
A particular characteristic of Web-based journalism is that stories often invite readers to publish comments, meaning that an adverse story about your organisation can gain significant momentum through its readership. Journalists are less interested in the theft of information and more interested in its leakage, that is, placing sensitive information in the public domain, perhaps out of individually subjective views on what constitutes "in the public interest". As such, they may represent a significant threat to your information, and they may approach your employees.

Trade sector journalists are usually those who are most interested in your business, and who probably represent the least threat. However, your contractors, unless bound by a non-disclosure agreement, may use them to publish advertorials, presenting the benefits that they have brought to your operations as a case study.

Journalists writing for the "alternative media" (or indie media) usually have an anti-corporate bias and will see a sinister side to almost all business operations, and seek to expose it to their readers via Web-based media. An example from the UK is http://www.corporatewatch.org

Regular "mainstream" journalists follow these posts to see if news of "national public interest" breaks. Journalists are adept at getting to the story, even when there is no real story, so their skill set is particularly attractive to intelligence agencies. They are often spied on by intelligence agencies, and may monitor social media feeds to get a scoop on leaked data or hacked sites. Journalists may also be in the pay of FIS or may be undercover FIS agents.

Activists

Those who may be opposed to the activities of your organisation may seek to gain information by various means. Activists can be within the local community or can belong to broader movements, such as environmentalist, anti-capitalist or anti-vivisection groups.
MI5, the UK Security Service (2006), warns that many CNI organisations are familiar with the continuing threat from insiders acting for commercial or personal gain, for the purposes of espionage, or to pursue the aims of single-issue groups such as animal rights extremists. Activists may seek to join the workforce to gain information, or