The document summarizes a presentation given at an SCIP chapter meeting on securing intellectual property and business secrets. It discusses identifying critical information, analyzing threats, vulnerabilities, and risks. It then covers operational security processes and protection measures including compartmentalization, monitoring, investigations and counterintelligence practices. Specific techniques of human intelligence collection like elicitation and social engineering are also outlined.
Securing Your Perimeter: Preventing Loss, Theft and Misappropriation of Your Business Secrets and Intellectual Assets
1. Confidential and Proprietary – Not Intended for Distribution Beyond SCIP Chapter Attendees: Meeting Date October 1, 2013
SCIP Atlanta Chapter Meeting
Securing Your Perimeter: Preventing Loss, Theft, and Misappropriation of Your Business Secrets & Intellectual Assets
October 1, 2013
2. Contact Information
Derek Johnson, CFA
Chief Executive Officer
+1 608-268-3470
Derek.Johnson@AuroraWDC.com
John Thomson
Chief Research Officer
+1 770-519-2560
John.Thomson@AuroraWDC.com
3. Operations Security Process
1. Identify Critical Information
2. Analyze the Threat
3. Analyze Vulnerabilities
4. Assess Risk
5. Apply Protection & Countermeasures
4. What Needs to Be Protected?
Intellectual Property/Trade Secrets:
Bidding strategies
Cost & margin information
Customer lists
Formulas
Merger/acquisition plans
Negotiating strategies
International marketing/entry plans
Personnel records
Product development roadmaps
Recruiting strategy
Travel itineraries
Location of sensitive R&D facilities
Competitive intelligence reports/analysis
What else? Can vary from company to company.
5. External Threats to Company Information
It's not just your competitors…
Activists
Foreign Governments
Competitors
Customers
Hackers, Criminal Elements
Regulators
Vendors
Lobbyists, Trade, Special Interest Groups
Market Research & CI Firms
Trade Groups
Consultants
Financial Analysts
Headhunters
Journalists
6. Threat Matrix Example: Apple Inc.
Axes: Domestic vs. Foreign; Legal vs. Illegal
Domestic / Legal:
Traditional Competitors
Emerging Competitors
Suppliers/Vendors
Wireless Carriers & Customers
Technology Partners
Apps Developers
Tech Bloggers
Patent Trolls
Equity & Industry Analysts
CI & MR Firms
Journalists
Special Interest/Trade Groups
Headhunters
Regulators
Private Investigators & Attorneys
Tech Consultants & Integrators
Domestic / Illegal:
Careless or disgruntled employees
Former employees
Labor Unions
Hackers & cyber criminals
Social Engineers
Aggressive/Unethical CI Firms
Security Researchers/Consultants
Activists
Organized Crime
NSA
Terrorists
Disgruntled employees
Malicious Apps Developers
H-1B employees from threat countries (e.g. China)
Hackers & cyber criminals
Foreign / Illegal:
Foreign Competitors (e.g. China, S. Korea, etc.)
Foreign Governments: China, Russia, Germany, France, Israel, S. Korea, Japan, etc.
WikiLeaks
Terrorists & Activists targeting U.S. interests
Intelligence firms/corporate espionage operatives
Organized Crime
Security researchers/consultants
Malicious Apps Developers
Employees in threat countries
Foreign / Legal:
Traditional Competitors
Emerging Competitors
Suppliers/Vendors
Customers
Technology Partners
Apps Developers
Tech Bloggers
Analysts
CI & MR Firms
Journalists
Headhunters
Regulators
Tech Consultants & Integrators
Foreign Governments
Special interest/trade groups
7. Assessing Vulnerabilities
Identify, quantify, and prioritize your organization's vulnerabilities:
Catalog your company's critical information elements.
Assign "value" and prioritization to each element.
Identify vulnerabilities or potential threats for each element.
Think like the "hunter": view your organization from the adversary's perspective.
Assess current information handling procedures.
Test your defenses to determine vulnerabilities, e.g. "red team" operations & penetration testing.
8. Assessing Risk
Risk Matrix: assigning risk levels to each identified vulnerability
Columns (Vulnerability to Threat): Very High | High | Moderate | Low
Rows (Impact of Loss): Devastating | Severe | Noticeable | Minor
Source: American Society for Industrial Security (ASIS)
9. The "Human" Factor
HUMINT techniques used by the pros to obtain information on your company
10. HUMINT Collection Planning Process
Stages: What Needs to be Collected? / Who Might Have The Information (or know someone who has it)? / Source Assessment & Selection / Source Research / Approach Development / Source Contact
What Needs to be Collected?
  Break out KITs/KIQs into specific info requirements.
  Identify information gaps.
Source Identification & Targeting (Who Might Have The Information, Source Assessment & Selection, Source Research)
  Brainstorming source types, companies, potential job titles.
  Research & identification of specific names.
  Develop initial source list.
  Profile the source: determine background, interests, hobbies.
  Assess personality & motivators.
Approach Development
  Develop the approach, determine motivators to leverage.
  Conversation planning.
  Choose elicitation techniques & placement.
  Plan for follow up.
Source Contact
  Telephone, e-mail, face-to-face, LinkedIn.
  One or multiple conversations.
  Keep door open for follow up & further development.
  Obtain referrals.
11. Elicitation
Elicitation: Obtaining information via carefully planned conversation where the target is not aware that he/she is being exploited for intelligence purposes.
Exploits Several Human Tendencies
Natural tendency to correct others or prove someone wrong.
Need for recognition & desire to be viewed as an expert in their field.
Tendency to discuss things that are not their direct concern, tendency towards gossip, & general inability to keep secrets.
Occupational habits of wanting to teach, advise, correct, or challenge someone.
Tendency towards self-effacement.
Tendency towards indiscretion when not in control of emotions or when there is a sympathetic/listening ear being offered.
Tendency of some professionals to share confidence with or show off their expertise to another professional.
Tendency to underestimate the value of info or your ability to understand that info.
Common Approaches/Techniques
Conversational Hourglass
Direct statements vs. questions
Two-way conversation (vs. "interview")
Rapport building
Technique Examples:
Simple flattery
Naïve mentality (ego suspension)
Mutual interests
Opposing stand or partial disagreement
Quid pro quo
Exploiting the instinct to complain
Quotation of "reported facts"
Disbelief or skepticism
Criticism
Oblique references
Provocation or jocularity
Sources: The Centre for Operational Business Intelligence, Phoenix Consulting, DeGenaro & Associates
12. Elicitation (Video: Elicitation Examples)
13. Social Engineering
Social Engineering: Getting people to do things they wouldn't ordinarily do for a stranger via misrepresentation, deception, & psychological manipulation.
Source: "The Art of Deception", Kevin Mitnick
Leverages Six Psychological Motivators
Authority – Tendency to comply with a request from a person in authority.
Likeability – Tendency to comply when the requestor is likeable or has similar interests/beliefs.
Reciprocation – Tendency to comply when given the promise (or assumption) of getting something in return.
Consistency – Tendency to comply after having made a public commitment, endorsement, or promise (e.g. company security policies).
Social Validation – Tendency to comply when doing so appears in line with what others are doing.
Scarcity – Tendency to comply when it is believed the object sought is in short supply and others are competing for it.
Common Approaches
Posing as a fellow employee or company exec, partner, vendor, customer, law enforcement, regulator, or anyone in authority.
Using insider lingo to gain trust.
Sending a virus or Trojan as an e-mail attachment or getting the victim to visit an infected website.
Using a false pop-up password window.
Capturing the victim's keystrokes via a keylogger.
Leaving an infected flash drive or CD around the workplace or dropping it with the mail room or receptionist for intra-office delivery.
Setting up e-mail, voicemail, or infected sites to appear internal. Asking for a file to be transferred to an apparent internal location.
Pretending to be from a remote office and asking for email or system access locally.
14. Social Engineering (Video: Real-Life Social Engineering Attack)
15. Warning Signs
Warning Signs of a Social Engineering Attack
Refusal to give callback number
Out-of-ordinary request
Claim of authority
Stresses urgency
Threatens negative consequences of non-compliance
Shows discomfort when questioned
Name dropping
Compliments or flattery
Flirting
Asks you to open a file or click on a hyperlink
Warning Signs of Elicitation
Attempt to establish rapport, common interests, use of flattery
Lack of direct questions & specificity
Heavy use of silence
Offer of quid pro quo
Statement of "reported" facts
Use of naiveté
Provocation, disbelief, opposing stand
Refusal to sign an NDA (only applies to ethical collectors)
16. Protection Plan Suggestions
AWARENESS TRAINING!!
  Constant and ongoing, customized towards all disciplines within the company
Develop an OPSEC & information security culture within the company (e.g. "Scared Quiet")
Understand your threats & vulnerabilities, & what needs to be protected
Develop and enforce information security guidelines & policies for dealing with external entities seeking information.
Work with IT regarding use of VPNs and anonymous browsing capabilities for travelers.
Corporate Threat Assessment/Watch Team
  Represented by multiple departments (CI, Security, IT, Legal, HR, Operations)
Mark & secure all confidential documents & products
Limit access to sensitive information & prototypes
Special briefings & guidelines for international travelers (or all travelers, for that matter)
  Assume all overseas communications are being intercepted
  Assume all overseas hotel rooms are bugged
Utilize NDAs and non-compete agreements
Information security audits & guidelines for vendors/partners
Closely investigate all potential partners
Set up a hotline (telephone, e-mail, intranet) for reporting suspicious calls & activity
Investigate (and act on) suspicious activity
Run simulated attacks against your own company to assess vulnerabilities.
Never make it easy or cheap for an adversary
17. Protection & Countermeasures
Apple's InfoSec Practices (extreme measures)
>$42 million annual Information Security budget, >8,000 identified vulnerabilities
Culture of secrecy. Everything is strictly "need to know".
Immediate termination for even minor info security violations. Spouses & family are viewed as security risks.
"Silos within Silos" - "Cell" workgroup structure - highly compartmented; each cell doesn't know what other cells are working on. Only senior execs know the whole "puzzle". Workers are prohibited from discussing their work with other employees.
"Scared Silent" security lecture for every new hire.
Workspaces are highly monitored. Prototypes are chained to desks and laser etched, with locator chips.
Swift & aggressive investigations of information leaks.
Uses a variety of component manufacturers to better track leaks. Security assessments & audits of 3rd party vendors.
Physical access to company areas is highly restricted and compartmented based on badge. No one has access to every area.
Separate NDAs for individual projects.
Remote data erasing and geolocation for lost or stolen employee laptops/smartphones/devices.
Confidential documents have secret watermarks to better trace a leak back to the leaker.
Plainclothes security officers lurk in nearby bars watching for careless employees.
Corporate org charts do not exist.
Employees are hired into "dummy" positions and aren't told what their real job will be until their first day of employment.
Security Operations Center fields reports of suspicious activities and aggressively investigates all incidents.
Corporate Threat Assessment Team identifies and monitors new and existing threats.
Rolling 3-year security roadmap.
Aggressive internet monitoring of employee activity and potential leaks.
Close coordination with law enforcement agencies around the globe.
Ongoing penetration testing.
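The "secret watermarks" on confidential documents above are a leak-attribution measure. The following is an added example, not from the deck and not Apple's method: each recipient's copy of a plain-text document carries a different, invisible pattern of zero-width characters, and decoding the pattern from a leaked copy names the recipient. The recipient registry and sample document are constructed for illustration.

```python
from typing import Dict, Optional

# Zero-width characters used as invisible bit symbols: index 0 -> bit 0, index 1 -> bit 1.
ZW_SPACE = "\u200b"
ZW_JOINER = "\u200d"
ZW_CHARS = (ZW_SPACE, ZW_JOINER)

# Constructed registry: watermark id -> who received that copy (names are hypothetical).
RECIPIENTS: Dict[int, str] = {0xA5: "vendor-A", 0x3C: "partner-B"}


def embed(text: str, recipient_id: int, bits: int = 8) -> str:
    """Append one zero-width char to each of the first `bits` words, encoding the id MSB-first."""
    words = text.split(" ")
    if len(words) < bits:
        raise ValueError("document too short to carry the watermark")
    if not 0 <= recipient_id < (1 << bits):
        raise ValueError("recipient_id does not fit in the watermark")
    for i in range(bits):
        bit = (recipient_id >> (bits - 1 - i)) & 1
        words[i] += ZW_CHARS[bit]
    return " ".join(words)


def extract(text: str, bits: int = 8) -> Optional[int]:
    """Read the id back from a copy; None if fewer than `bits` marked words survive."""
    value, found = 0, 0
    for word in text.split(" "):
        marks = [ch for ch in word if ch in ZW_CHARS]
        if not marks:
            continue  # unmarked word, e.g. a preface added around the leaked excerpt
        value = (value << 1) | ZW_CHARS.index(marks[0])
        found += 1
        if found == bits:
            return value
    return None


def attribute_leak(leaked_text: str, registry: Dict[int, str]) -> Optional[str]:
    """Name the recipient whose copy leaked, or None if the mark is gone or unknown."""
    wm = extract(leaked_text)
    return registry.get(wm) if wm is not None else None


def strip_watermark(text: str) -> str:
    """Robustness check: the mark does not survive character sanitising or retyping,
    so it complements access control and monitoring rather than replacing them."""
    return text.replace(ZW_SPACE, "").replace(ZW_JOINER, "")
```

Distributing a copy per recipient (rather than one copy for a group) is what makes the attribution meaningful; the registry mapping ids to recipients must itself be kept need-to-know.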