Corporate Espionage/Theft of Proprietary Information

In this day and age, every company in every business sector is vulnerable to the threat of corporate espionage and theft of proprietary information. Global Investigations works tirelessly to protect our clients’ intellectual property. Corporate espionage is on the rise around the world, and individuals, businesses, and countries are using any ethical or unethical means to acquire data that will give them a competitive or financial advantage over their competition. SCIP (Strategic Competitive Intelligence Professionals) estimates that $2 billion was spent on corporate espionage in 2010 alone, and the threat is growing.

In 2010, it was further estimated that US companies lost more than $300 billion to theft of trade secrets and other valuable corporate data. Reporting of computer intrusions and data loss has declined over the past few years, however, due to companies’ fear of negative publicity and/or class-action lawsuits. Companies are reluctant, too, to advertise the very security flaws they are trying to repair.

The corporate spy has many different methods of stealing other people's data.

The keylogger. Like most technology, software and hardware keyloggers have advanced in recent years. Ghost Keylogger, to name just one, is designed to capture and transmit all keystrokes on a targeted computer via email. Software like Ghost Keylogger is password protected and encrypted to protect the data; it is easy to use and can be used remotely, so it is growing in popularity. Hardware keyloggers were once easy to spot, as they had to be installed between the computer and its keyboard, but now there are physical keyloggers built directly into keyboards.

EoP (Ethernet over Power) devices. Wireless networking is an important tool for most businesses and individuals, but it is also a weak point in our security infrastructure. Unauthorized wireless access was on the decline thanks to upgrades in software and hardware security, but there is now a new technology, Ethernet over Power (EoP) (visit Homeplug.org for more information), that will allow an insider to covertly access and scan a corporate network. By inserting a network cable into a modem or router, and then plugging into an electrical outlet, an individual can turn a building’s electrical wiring into a 56-bit DES encrypted network that cannot be sniffed or detected like wireless. By using a second EoP device, an intruder can be anywhere in a building and casually search for and steal data without revealing his physical location. If an EoP device is discovered, it will most likely be overlooked as a power supply or some sort of surge protector.

AP (access point) software. By using simple wifi phishing techniques, an attacker can capture limitless amounts of valuable personal and corporate data with very little effort. Free access point (AP) software, such as HostAP, SoftAP, or wifiBSD, is easy to download and use on a laptop or PDA to impersonate any legitimate wireless hotspot. An illegitimate AP clone can be quickly set up in any hotel, airport, conference center, or Starbucks. Once an unsuspecting user is connected to the fake AP, a spy then has a platform from which to capture account information, credit card numbers, user names and passwords, confidential emails and any other information that passes through the "evil twin" AP. Unfortunately, personal firewalls offer no protection from this type of wireless threat, but specialized software like Motorola’s AirDefense software can protect users from wireless-specific vulnerabilities while accessing hotspots.
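A simplified client-side check for the "evil twin" case described above, as an added example that is not from the original article and is not how AirDefense or any named product works. It assumes a provisioned baseline of trusted networks; the SSIDs, BSSIDs and scan records are constructed.

```python
from dataclasses import dataclass

# Relative strength of the link-layer protection an AP advertises.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the AP radio
    security: str   # a key of SECURITY_RANK

# Constructed baseline: networks this device was provisioned to trust.
BASELINE = {
    "CorpNet": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
                "security": "wpa2"},
}

# Constructed scan results, not captured from a real network.
SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", "wpa2"),     # known AP
    Beacon("CorpNet", "02:AA:BB:CC:DD:EE", "wpa2"),     # same name, unknown radio
    Beacon("CorpNet", "00:11:22:33:44:02", "open"),     # weaker security than baseline
    Beacon("HotelGuest", "06:00:00:00:00:10", "open"),  # not in the baseline at all
]

def assess(beacon, baseline=BASELINE):
    """Return the findings for one beacon; an empty list means it matches."""
    known = baseline.get(beacon.ssid)
    if known is None:
        return ["untrusted-ssid"]
    findings = []
    if beacon.bssid.lower() not in {b.lower() for b in known["bssids"]}:
        findings.append("unknown-bssid")
    advertised = SECURITY_RANK.get(beacon.security.lower(), 0)
    if advertised < SECURITY_RANK[known["security"]]:
        findings.append("security-downgrade")
    return findings

def review_scan(scan=SCAN, baseline=BASELINE):
    """Map (ssid, bssid) to findings, keeping only beacons that raised any."""
    return {(b.ssid, b.bssid): f for b in scan if (f := assess(b, baseline))}

if __name__ == "__main__":
    for (ssid, bssid), findings in review_scan().items():
        print(f"{ssid:12} {bssid}  {', '.join(findings)}")
```

A clone can copy a legitimate BSSID as well as the SSID, so an empty result does not prove an AP is genuine; the check only surfaces the mismatches a careless clone leaves behind.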

USB drives. Portable USB drives can carry vast amounts of data in very small packages, making USB drives one of the easiest ways to sneak data in and out of the workplace. USB wristbands, Swiss Army knives, and keychains are difficult for the average security guard to spot. An effective, but not foolproof, countermeasure to data theft by USB is to disable the USB (and FireWire) ports in the system’s password-protected BIOS. Software like DriveLock can add another layer of security to systems by restricting the use of ports (USB, FireWire, serial and parallel) and external devices (floppies, CD/DVD-ROMs, etc.), making it nearly impossible to export data.

When traveling abroad, it is important to be aware that privacy and security are not guaranteed in hotel rooms. Foreign governmental agencies and corporations are known to bug hotel phone lines and to enter unoccupied rooms in order to copy or steal any information of value. If confidential material or valuables must be left in a hotel room, the room safe is often not the best choice: a safe’s key is rarely changed, and once it has been copied, that safe can be opened by anyone who can access the room. One alternative to the room safe is to place valuables in a zip lock bag and pin it to the very top, reverse side of the drapes, making sure the bag is not visible from outside the window. Given enough time, a spy can find anything hidden in a room, but if nothing of value is found quickly in the usual hiding places (inside luggage, behind the TV, under the mattress, inside of shoes), the attacker tends to move on.

If a laptop containing sensitive company information must be left unattended in a hotel room, steps should be taken to minimize the possibility of the hard drive’s contents being accessed or copied. With the right equipment, a standard laptop hard drive can be copied in under ten minutes, but using hard drives with integrated AES cryptographic hardware modules, like those found in a Classified PC, can prevent the unauthorized copying of a laptop’s hard drive by requiring pre-boot authentication. If the laptop is stolen, additional integrated security mechanisms will zero out the encryption key and make retrieval of any personal or corporate data from the hard drive next to impossible.

Here are four ways to prevent your valuable data from falling into the wrong hands:

1. Identify what information is sensitive and classify it as such, taking the necessary steps to protect it. Information such as R&D processes and innovations or new market strategies is easily identified as “sensitive.” However, other information such as personnel files, pricing structure, and customer lists is often overlooked and left unprotected.

2. Conduct a risk assessment to identify vulnerabilities. Assess, too, the probability that someone will exploit those vulnerabilities and obtain sensitive information.

3. Establish, review, and update security policies and appropriate safeguards, both procedurally and technologically, to thwart attempts to exploit vulnerabilities and gain access to valuable company data.

4. Train all employees. Users, managers and IT staff all need to be trained to identify the business information that needs to be safeguarded, to recognize the techniques that can be used to gain access to sensitive data, and to know what procedures should be taken to report compromises or suspected attempts to solicit sensitive information.

We are a member of InfraGard, the collaborative effort between the FBI and the private sector that shares and analyzes information in order to prevent hostile attacks against the United States. By identifying local, state, and national vulnerabilities, individual InfraGard members are increasing protection against criminal activities in cities and towns, corporate environments, and personal lives.

Global Investigations & VIP Security Services: Al Adams Moreno