... 99, 100, coming ready or not!

"Phone companies know where their customers' cellphones are, often within a radius of less than 100 feet. That tracking technology has rescued lost drivers, helped authorities find kidnap victims and let parents keep tabs on their kids. But the technology isn't always used the way the phone company intends. One morning last summer, Glenn Helwig threw his then-wife to the floor of their bedroom in Corpus Christi, Texas, she alleged in police reports. She packed her 1995 Hyundai and drove to a friend's home, she recalled recently. She didn't expect him to find her. The day after she arrived, she says, her husband "all of a sudden showed up." According to police reports, he barged in and knocked her to the floor, then took off with her car. The police say in a report that Mr. Helwig found his wife using a service offered by his cellular carrier, which enabled him to follow her movements through the global-positioning-system chip contained in her cellphone ..."

Wall Street Journal, 3rd August 2010

[Thanks to Monty Solomon for reporting this via the RISKS mailing list.]

Beyond awareness

According to Domain-B, Deloitte's information security of 60+ Indian organizations raised an interesting point:

"Optimistically, information security awareness and training is among the top three security initiatives indicated by the resspondents [sic]. However, most security awareness programmes start with an e-learning module, which raises awareness and knowledge, but does not necessarily alter behaviour."

It amuses me that so many organizations think they can just splash out some money on an e-learning package about information security, and that's it.  Compliance box ticked.  Management off the hook.  They've 'done something'.  Let's all live happily ever after.

I'm not saying that e-learning packages are worthless, quite the opposite in fact.  They are a valuable part, supplement or addition to a comprehensive security awareness program, the point being that, taken in isolation, watching a somewhat stilted video session and maybe answering ten lame security questions is only good for compliance with equally lame laws, regulations and contractual commitments that don't specify an effective awareness program.  It will not magically make your employees act more securely overnight, making a big splash in their lives.  Without the support of other suitable security awareness activities and materials, it will barely create a ripple.

The e-learning packages I've seen on the market are not cheap, and the costs escalate further if you want customized content specific to your organization rather than the purely generic, bland and often out-dated stuff usually provided.  If this purchase sucks the guts out of your security awareness budget, you're in trouble.

Mind you, if your idea of security awareness was a stern once-a-year lecture to staff by A Big Nob, then e-learning would definitely be a step up.  So would creating a security incident just to make people aware that they are vulnerable, or forcing everyone to sign a piece of paper that says they know of the existence of the security policies.  If you are purely doing this for compliance reasons, these are all probably good enough.  They won't, however, actually make your information assets any more secure in a real sense.

The thing that is desperately missing from e-learning packages is the human interaction that comes from putting a decent presenter/teacher/trainer/awareness expert up in front of a class of adults - or a team meeting - or a board meeting - or whatever.  They can not only spout the stuff on the slides but react to the audience, take questions and comments, and most of all turn those little sparks of interest and enjoyment into the flames of passion.  Motivation is a very personal thing.  Think about this the next time you see an evangelist on any topic doing his/her thing on stage.  Their energy and ethusiasm is infectious, and the central message is memorable.  If they're good, people will be thinking and talking about the experience for days if not weeks afterwards.  Would you be quite so excited about having completed an e-learning module?

As a profession, I'm sure we could learn much more from the evangelists, sales people, motivational speakers and even passionate politicians.

PS  I would have preferred to cite the Deloitte report directly if only I could locate it on the web ... sorry.

Security unplugged

Aren’t wireless networks wonderful? So convenient to use, flexible and cheap to deploy, they’re great!  No longer are we tied to our desks by the network, keyboard and mouse  cables.  Wireless technologies enable laptops and other mobile computers to be connected to the corporate networks and the Internet, while distant locations can be linked-up using microwave radio over point-to-point or satellite links.  Travelers use public WiFi hotspots or 3G USB sticks to keep up with email and social networks while on the move, and use GPS geolocation/mapping systems to find their way.  Organizations use RFID tags to monitor valuable items, track their mobile inventories and manage logistics.  Most of us these days rely heavily on our mobile phones and PDAs which are, in fact, sophisticated digital radios using the 3G and other wireless networks.  Many of us have Bluetooth headsets and other gizmos.  Wireless is literally all around us.  

While wireless technologies have tremendous business and personal benefits such as convenience and ease of use, there are some serious information security risks that need to be adequately addressed to avoid eroding or completely negating the benefits.  Simply buying a WiFi access point from a local retailer, plugging it into the network and carrying on as before is probably not A Good Idea as far as network security is concerned, yet this is pretty much how many home WiFi networks are set up in practice.  Scary!

Hackers enjoy the benefits of wireless technologies too, whether that’s connecting to the Internet via someone’s insecure WiFi setup or via a 3G modem.  WEP and WPA encryption schemes and MAC address filtering are no real impediment to WiFi hackers intent on stealing credit card numbers from retail outlets, while insecure Bluetooth headsets are evidently an open invitation to snoop on the conversations of random passers-by.  Furthermore, radio interference whether accidental or deliberate can disrupt wireless circuits.

This month's security awareness materials explore the information security gotchas undermining a variety of widely-used wireless technologies, discussing the security countermeasures necessary to bring the risks under control without destroying the undoubted business benefits that wireless brings.  

Physical security in the office

Rebecca Herold has written an excellent list of typical physical security issues in the average office, or indeed other information-rich workplaces. She suggests conducting physical security reviews out-of-hours. I have done this kind of review hundreds of times myself, as part of "installation audits" using ISO/IEC 27002 as a benchmark for the kinds of controls expected. Doing them in the daytime or out-of-hours makes little difference - if anything, during the daytime the number of issues is magnified by the things employees typically do while at work, such as:

• Leaving work-in-progress all over their desks and screens, not just while they are actively working on it but while they go to coffee or lunch;
  
  
• Leaving desks, filing cabinets, and even safes open;
  
  
• Chatting merrily away to each other on on the phone about sensitive personal or commercial matters, with no regard to who else might be listening;
  
  
• Leaving personal stuff (mobile phones, PDAs, USB sticks, wallets/purses, home keys etc.) unattended on the desk ...

This kind of stuff makes good photographic evidence for the audit report and presentation to management, along with photos of open doors, leaky patches, overloaded wiring, poor signage, excessive flammable materials, blah blah blah. 

Exposing such large amounts of valuable commercially- and personally-confidential to risk represents a substantial vulnerability to industrial espionage, sabotage, information theft, privacy, health-and-safety and more. Individually, these are mostly rather trivial issues. Collectively, however, a the risk accumulates if these matters are not brought to management's attention and proactively addressed, on an ongoing basis. The clear-desk/clear-screen policy, for example, can make a big difference ... but only if managers take the trouble to achieve conformity, not least setting a good example themselves.

More history of industrial espionage

An article in Psychology Today, of all places, recounts several more old industrial espionage stories, making the point that this cloak-n-dagger stuff has been going on for thousands of years.  Major incidents have changed the course of history.

All the Tea in China

All the Tea in China recounts a nineteenth Century industrial espionage story, concerning the British plant collector Robert Fortune. Fortune collected (stole?) tea plants from China to launch the British tea plantations in India, so ending the Chinese stranglehold on the world's supply of tea.

Richard A. Clarke warns US about industrial espionage

Richard A. Clarke evidently has a knack for writing contentious books on information and national security topics.  His latest co-authored book, Cyber War: The Next Threat to National Security and What to Do About It, prompts the federal government and corporate America to wake up to the threat.

Writing about the book for Bloomberg BusinessWeek, Rochelle Garner says one of Clarke's key messages is:

"Get serious about industrial espionage. Clarke says many companies aren't aware of how common trade-secret theft has become, partly because the federal government doesn't keep track of the financial consequences. He says the U.S. needs to be more like the U.K. More than a year ago, the security agency MI5 told the biggest 300 companies in Britain to assume their computers had been hacked by the Chinese and then met with executives to discuss the breaches it knew about and how to prevent future ones."

As with many other US authors, the implication seems to be that US readers should be concerned about foreign competitors, while seemingly ignoring the threat from those nearer home. I find this rather xenophobic but typically American position strange. The reality is that competitive intelligence and industrial espionage techniques are used by all the industrial nations, and most likely a high proportion of the third world too. US companies should be concerned about spies and infiltrators from all sources including insiders, other US and foreign companies, home and foreign governments, the criminal underworld, 'analysts', hackers and 'free agents' who will happily exploit valuable information on anybody/anything to make a fast buck. It's not all about the Chinese.

Skulduggery in the auto industry

A short piece about competitors using industrial espionage to steal information about cars under development suggests that the practices are widespread. The article specifically mentions:

• Information obtained and disclosed through networks of moles, friends and acquaintances
• Use of helicopters to spy on a rival's road tests
• Intelligence functions within the organization
• Social engineering
• Hidden microphones & cameras
• 'Clandestine visits to sensitive places'
• Reverse engineering i.e. dismantling a new vehicle to find out how it is made

[That's a far from exhaustive list.  I wrote about others in our latest newsletter and awareness materials.]

I find it intriguing that stories of this nature have been circulating for years.  There's one on the go now about Chery and GM.  On the rather weak basis that there's no smoke without fire, there does seem to be a particular fascination with industrial espionage in the auto industry.  Why is that, I wonder?  Perhaps for some reason the people involved in the industry are more 'ethically challenged' than others (I find that rather hard to believe!).  Maybe the sheer industrial scale of automotive manufacturing makes it difficult to secure the plant and the people against this cloak-and-dagger stuff (true, but the auto industry is hardly unique in this regard).  Or is it just that the stories catch the fertile imagination of the motoring press, making a positive feedback loop that implies a general acceptance and widespread use of such underhand techniques?

High-stakes commercial competition between the main manufacturers is probably a contributing factor: it costs a large fortune to design and develop a new car design, and each manufacturer relies on a rather small range of models for their ongoing commercial success.  But again, the auto industry is hardly unique: many other industries and markets are just as intensely competitive, if not more so. 

I wonder whether national interests play a part?  Such massive industrial enterprises are undoubtedly strategically and economically important to the countries that have them, so it is conceivable that nation states might tacitly accept if not condone and support the use of industrial espionage.  The same would surely apply to the aerospace and defense industries, and others such as pharmaceuticals, finance, hi-tech, utilities ('critical national infrastructure') and more ... come to think of it, I've worked in all of those industries and can't recall any such incidents in the course of my career.  Either I have led a very sheltered professional life, or it has been going on right under my nose all these years ... or perhaps it is just not as common in practice as the news media would have us believe.

PS  Another, more legitimate way of obtaining valuable intellectual property is to buy foreign auto companies.