The document summarizes a presentation given at an SCIP chapter meeting on securing intellectual property and business secrets. It discusses identifying critical information, analyzing threats, vulnerabilities, and risks. It then covers operational security processes and protection measures including compartmentalization, monitoring, investigations and counterintelligence practices. Specific techniques of human intelligence collection like elicitation and social engineering are also outlined.

1. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
SCIP Atlanta Chapter Meeting
Securing Your Perimeter:
Preventing Loss, Theft, and Misappropriation of Your
Business Secrets & Intellectual Assets
October 1, 2013

2. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Contact Information
2
Derek Johnson, CFA
Chief Executive Officer
+1 608-268-3470
Derek.Johnson@AuroraWDC.com
John Thomson
Chief Research Officer
+1 770-519-2560
John.Thomson@AuroraWDC.com

3. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Operations Security Process
1. Identify Critical
Information
2. Analyze the
Threat
3. Analyze
Vulnerabilities
4. Assess Risk
5. Apply
Protection &
Countermeasures
3

4. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
What Needs to Be Protected?
 Intellectual Property/Trade Secrets
 Bidding strategies
 Cost & margin information
 Customer lists
 Formulas
 Merger/acquisition plans
 Negotiating strategies
 International marketing/entry plans
 Personnel records
 Product development roadmaps
 Recruiting strategy
 Travel itineraries
 Location of sensitive R&D facilities
 Competitive intelligence reports/analysis
 What else?
Can vary from company to company….
4

5. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Activists
Foreign
Governments
Competitors
Customers
Hackers,
Criminal Elements
Regulators
Vendors
Lobbyists, Trade,
Special Interest
Groups
Market Research
& CI Firms
Trade Groups
Consultants
Financial Analysts
Headhunters
Journalists
External Threats to Company Information
It’s not just your competitors…
5

6. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Threat Matrix Example
Apple Inc.
Domestic Foreign
LegalIllegal
 Traditional Competitors
 Emerging Competitors
 Suppliers/Vendors
 Wireless Carriers &
Customers
 Technology Partners
 Apps Developers
 Tech Bloggers
 Patent Trolls
 Equity & Industry Analysts
 CI & MR Firms
 Journalists
 Special Interest/Trade
Groups
 Headhunters
 Regulators
 Private Investigators &
Attorneys
 Tech Consultants &
Integrators
 Careless or disgruntled
employees
 Former employees
 Labor Unions
 Hackers & cyber criminals
 Social Engineers
 Aggressive /Unethical CI Firms
 Security Researchers/Consultants
 Activists
 Organized Crime
 NSA
 Terrorists
 Disgruntled employees
 Malicious Apps Developers
 H-1B employees from threat countries (i.e. China)
 Hackers & cyber criminals
 Foreign Competitors (i.e. China, S. Korea, etc.)
 Foreign Governments: China, Russia, Germany,
France, Israel, S. Korea, Japan, etc.
 WikiLeaks
 Terrorists & Activists targeting U.S. interests
 Intelligence firms/corporate espionage operatives
 Organized Crime
 Security researchers/consultants
 Malicious Apps Developers
 Employees in threat countries
 Traditional Competitors
 Emerging Competitors
 Suppliers/Vendors
 Customers
 Technology Partners
 Apps Developers
 Tech Bloggers
 Analysts
 CI & MR Firms
 Journalists
 Headhunters
 Regulators
 Tech Consultants &
Integrators
 Foreign Governments
 Special interest/trade groups
6

7. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Assessing Vulnerabilities
 Identify, Quantify, and Prioritize your organization’s
vulnerabilities
 Catalog your company’s critical information elements
 Assign “value” and prioritization to each element
 Identify vulnerabilities or potential threats for each
element
 Think like the “hunter” – view your organization from the
adversary’s perspective.
 Assess current information handling procedures.
 Test your defenses to determine vulnerabilities – i.e. “red
team” operations & penetration testing
7

8. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Assessing Risk
Vulnerability to Threat
Very High High Moderate Low
Devastating
Severe
Noticeable
Minor
ImpactofLoss
Risk Matrix
Assigning risk levels to each identified vulnerability
Source: American Society for Industrial Security (ASIS)
8

9. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
HUMINT techniques used by the pros to
obtain information on your company
The “Human” Factor
9

10. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
What Needs
to be
Collected?
Who Might
Have The
Information
(or know
someone who
has it)?
Source
Assessment &
Selection
Source
Research
Approach
Development
Source
Contact
 Profile the source
 Determine
background,
interests, hobbies
 Assess
personality &
motivators
Source Identification & Targeting
HUMINT Collection Planning Process
 Break out
KITS/KIQS into
specific info
requirements.
 Identify
information gaps
 Brainstorming source
types, companies,
potential job titles
 Research &
identification of
specific names
 Develop initial
source list
 Develop the
approach,
determine
motivators to
leverage
 Conversation
planning
 Choose elicitation
techniques &
placement
 Plan for follow up
 Telephone, e-mail,
face-to-face,
LinkedIn.
 One or multiple
conversations
 Keep door open
for follow up &
further
development
 Obtain referrals
10

11. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Elicitation
Elicitation: Obtaining information via carefully planned conversation where the
target is not aware that he/she is being exploited for intelligence purposes
Exploits Several Human Tendencies
 Natural tendency to correct others or prove
someone wrong.
 Need for recognition & desire to be viewed
as an expert in their field.
 Tendency to discuss things that are not
their direct concern, tendency towards
gossip, & general inability to keep secrets.
 Occupational habits of wanting to teach,
advise, correct, or challenge someone.
 Tendency towards self-effacement.
 Tendency towards indiscretion when not in
control of emotions or when there is a
sympathetic/listening ear being offered.
 Tendency of some professionals to share
confidence with or show off their expertise
to another professional.
Tendency to underestimate the value of info
or your ability to understand that info.
Common Approaches/Techniques
 Conversational Hourglass
 Direct statements vs. questions
 Two way conversation (vs. “interview”)
 Rapport building
 Technique Examples:
 Simple flattery
 Naïve mentality (ego suspension)
 Mutual interests
 Opposing stand or partial disagreement
 Quid pro quo
 Exploiting the instinct to complain
 Quotation of “reported facts”
 Disbelief or skepticism
 Criticism
 Oblique references
 Provocation or jocularity
Sources: The Centre for Operational Business Intelligence, Phoenix Consulting, DeGenaro
& Associates
11

12. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Elicitation
Video: Elicitation Examples
12

13. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Social Engineering
Social Engineering: Getting people to do things they wouldn’t ordinarily do for
a stranger via misrepresentation, deception, & psychological manipulation
Source: “The Art of Deception”, Kevin Mitnick
Leverages Six Psychological Motivators
 Authority – Tendency to comply with a
request from a person in authority.
 Likeability – Tendency to comply when the
requestor is likeable or has similar
interests/beliefs.
 Reciprocation – Tendency to comply when
given the promise (or assumption) of getting
something in return.
 Consistency – Tendency to comply after
having made a public commitment,
endorsement, or promise (i.e. company
security policies).
 Social Validation – Tendency to comply
when doing so appears in line with what
others are doing.
 Scarcity – Tendency to comply when it is
believed the object sought is in short supply
and others are competing for it.
Common Approaches
 Posing as a fellow employee or company
exec, partner, vendor, customer, law
enforcement, regulator, or anyone in
authority.
 Using insider lingo to gain trust.
 Sending a virus or Trojan as an e-mail
attachment or getting the victim to visit an
infected website.
 Using a false pop-up password window.
 Capturing victim’s keystrokes via a keylogger.
 Leaving an infected flash drive or CD around
the workplace or dropping it with the mail
room or receptionist for intra-office delivery.
Setting up e-mail, voicemail, or infected sites
to appear internal. Asking for a file to be
transferred to an apparent internal location.
 Pretending to be from a remote office and
asking for email or system access locally.
13

14. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Video: Real-Life Social Engineering Attack
Social Engineering
14

15. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Warning Signs
 Refusal to give callback number
 Out-of-ordinary request
 Claim of authority
 Stresses urgency
 Threatens negative consequences of non-
compliance
 Shows discomfort when questioned
 Name dropping
 Compliments or flattery
 Flirting
 Asks you to open a file or click on a
hyperlink
Warning Signs of a Social
Engineering Attack Warning Signs of Elicitation
 Attempt to establish rapport, common
interests, use of flattery
 Lack of direct questions & specificity
 Heavy use of silence
 Offer of quid pro quo
 Statement of “reported” facts
 Use of naiveté
 Provocation, disbelief, opposing stand
 Refusal to sign an NDA (only applies to
ethical collectors)
15

16. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Protection Plan Suggestions
 AWARENESS TRAINING!!
 Constant and ongoing, customized towards all disciplines within the company
 Develop an OPSEC & information security culture within the company (i.e. “Scared Quiet”)
 Understand your threats & vulnerabilities, & what needs to be protected
 Develop and enforce information security guidelines & policies for dealing with external entities
seeking information.
 Work with IT regarding use of VPN’s and anonymous browsing capabilities for travelers.
 Corporate Threat Assessment /Watch Team
 Represented by multiple departments (CI, Security, IT, Legal, HR, Operations)
 Mark & secure all confidential documents & products
 Limit access to sensitive information & prototypes
 Special briefings & guidelines for international travelers (or all travelers, for that matter)
 Assume all overseas communications are being intercepted
 Assume all overseas hotel rooms are bugged
 Utilize NDAs and non-compete agreements
 Information security audits & guidelines for vendors/partners
 Closely investigate all potential partners
 Set up a hotline (telephone, e-mail, intranet) for reporting suspicious calls & activity
 Investigate (and act on) suspicious activity
 Run simulated attacks against your own company to assess vulnerabilities.
Never make it easy or cheap for an adversary
16

17. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
Protection & Countermeasures
 Culture of secrecy. Everything is strictly “need to know”.
 Immediate termination for even minor info security violations. Spouses & family are viewed as security risks.
 “Silos within Silos” - “Cell” workgroup structure - highly compartmented, each cell doesn’t know what other cells are working
on. Only senior execs know the whole “puzzle”. Workers prohibited from discussing their work with other employees.
 “Scared Silent” security lecture for every new hire.
 Workspaces are highly monitored. Prototypes are chained to desks and laser etched, with locator chips.
 Swift & aggressive investigations of information leaks.
 Uses a variety of components manufacturers to better track leaks. Security assessments & audits of 3rd party vendors.
 Physical access to company areas is highly restricted and compartmented based on badge. No one has access to every area.
 Separate NDAs for individual projects.
 Remote data erasing and geolocation for lost or stolen employee laptops/smartphones/devices.
 Confidential documents have secret watermarks to better track back to the leaker.
 Plainclothes security officers lurk the nearby bars watching for careless employees.
 Corporate org charts do not exist
 Employees hired into “dummy” positions and aren’t told what their real job will be until their first day of employment.
 Security Operations Center fields reports of suspicious activities and aggressively investigates all incidents.
 Corporate Threat Assessment Team, identifying and monitoring new and existing threats.
 Rolling 3-year security roadmap
 Aggressive internet monitoring of employee activity and potential leaks.
 Close coordination with law enforcement agencies around the globe.
 Ongoing penetration testing.
Apple‘s InfoSec Practices (Extreme measures)
>$42 million annual Information Security budget, >8,000 identified vulnerabilities
17