I spend a great deal of my time dealing with highly sensitive, highly confidential information. Over the years I have noticed that many of the institutions I have worked with have gone to great pains and considerable expense to make certain their computer systems have state of the art firewalls and "hacker-proof" encoding systems. Nonetheless, they continue to leak data like a sieve!
How can this be? Simple, they are guarding the air conditioner duct instead of the front door.
So, what do I know about it? My knowledge of the field is pretty backdoor in nature.
First of all, I work a lot with people who love nothing more than to stir up hate and discontent wherever they go. They will intentionally uncover and publish sensitive information. It is fun for them. In order to find out why they do these things I do a lot of debriefing with them when an incident occurs.
Second, I have two brothers who made carriers out of law enforcement. One of my brothers served many years as a state trooper and another as a sheriff's deputy. They were both extremely successful in the investigation facet of the job and I am about to tell you why. Then you can see if you are vulnerable to the same kind of attack.
The sources of data loss, in no particular order, are as follows.
1. Waste Archeology.
Simply speaking, someone who really wants to know your secrets will go through your trash. And guess what? It is completely legal. Buy a $ 20.00 shredder, and use it.
Seriously, if you have a wireless system it is pretty simple to eaves drop via laptop from the coffee shop next door.
Be extremely wary of maintenance crews and repair staff you have not called in. Check ID's. Also, be aware of someone who comes in asking a lot of questions. You may be surprised what the reception staff will tell someone who smiles and asks nicely.
4. Hacking in.
Do you know the easiest way to hack in to a secure system? Steal the password taped to the computer screen at Ed's work station. Trust me, I see it every day. You know what else? Most people use the same password for every system they need to access.
5. Cordless phones.
Remember most cordless phones and cells are basically fancy radios. If it puts out a signal, the signal can be picked up with a scanner.
6. Ticking bombs.
Answering machines, voice mail, fax machines anything that requires an access code can be beaten (remember the password taped to the computer?).
Never discuss sensitive information in a public restaurant! If I wanted to know about a corporations business, I go to the snack bar at lunch and read the paper over coffee. You will not believe the things you hear (if you're in education, teacher lounges are hair raising!).
8. Brain cramps.
Unlocked cabinets, offices, desks, paper work left out, answering stupid questions over the phone. Hello?
Face it, some folks will sell you out for the right price. The right price might be as simple as someone asking, "So, what confidential things are you working on these days?" You really would not believe what people have told me in answer to that question. Keep sensitive information on a need to know basis.
10. Describing a spy.
The typical spy is a short, fat, tall, thin man, with curly, bald hair. She often wears provocatively conservative clothing and is liberally conservative. In other words, ANYBODY is the typical spy.
Now I will expound upon each section individually.
One of the first areas I mentioned in breaches in security was "rifled" trash. I believe this to be foremost method of stealing confidential information. In reality it is not even stealing. In California Versus Greenwood the Supreme Court held the Constitution does not prohibit warrant less search and seizure of garbage left for collection outside the curtilage (the enclosed area immediately surrounding a home or dwelling) of a home. This could include places of business.
Here are some pro-active steps you can take.
1. Do not transfer confidential documents to recycling vendors.
2. If you have a copier, install a shredder next to it.
3. Purchase a cross-cut shredder for extremely sensitive documents.
4. Destroy all waste paper.
5. Get shredders for each individual. People will not wait in line to use a bulk shredder.
6. DO NOT KEEP CARDBOARD BOXES OF UNINVENTORIED OLD DOCUMENTS LYING AROUND.
Remember, James Bond is not interested in your secrets.
That being said, competitors, disgruntled employees, ex-spouses and other wreakers of havoc are interested in your secrets.
There are many methods of "bugging" out there.
The five main categories are, in alphabetical order: Acoustic, Optical, RF, Tie-In, and Ultrasonic.
1. Acoustic – low tech glass to the wall, ventilation, electrical out-let, out side the window, stand by the door, close proximity listening.
2. Optical – high end and expensive.
3. RF – radio frequency and receiver devices.
4. Tie-in – hooking directly in to a phone line. The box is usually easily accessible on an exterior wall.
5. Ultrasonic – think transmitter, receiver but with audio pressure rather than radio waves.
The most prevalent and dangerous of this is alphabetically and most destructively listed first. Always be aware of your immediate surrounding when discussing confidential information.
Always check the identification of persons who pop in to do technical work around your office. This is especially true if you PERSONALLY have not called them for service. These folks are known as "spooks".
You see, "Spooking" is a hide in plain site method of gaining access to confidential information
It seems carrying a clipboard will gain a spook access to most places, even those with confidential data to protect.
But, there are other common tools the spook may carry to increase their appearance of authenticity: 2-way Radio, Maglight, Construction worker hard hat, and my personal favorite the attention tone cell phone. Now, this particular ruse means the spook has a partner but is anything more impressive than that tone from the "base office" checking the technicians' status?
However, the most powerful, by far, access granting technique (I mean this will get you in anywhere) is a set of Dickies. Yes, Dickies. The same things you wore for summer jobs in high school and college. They are a virtual cloak of invisibility in our culture.
Most common guises:
1. Telephone / communications technicians – (typically wearing blue / grey Dickies)
2. Computer service technicians – (polo shirt and tan Dickies pants)
3. Copy machine technicians – (polo shirt and blue Dickies pants)
4. Custodians – (typically anyone with a set of blue / grey Dickies is granted cart blanche access)
5. Messenger services – (typically wearing brown Dickies)
6. A / C heating technicians – (typically wearing blue-green Dickies)
The beauty of this type of "spooking" is nobody ever challenges these folks. And if some particularly diligent person does question them, the spook goes into his, "fine with me, but it will be at least four weeks until I can get back here. We're really backed up." That is usually enough to intimidate even the most on top of things staff member.
I do not usually recommend testing out these surveillance techniques, the power of the Tricky Dickie is not to be believed unless you actually see it in action. So, get your lazy brother-in-law a set of Dickies and send him through your office. You will not believe the results. Afterwards, get the lazy bum to do your yard work so you get your moneys worth from the Dickie investment.
There are many ways of stealing computer files. As a matter of fact there is a whole niche market dedicated to nothing more than developing and distributing new types of spy ware. Then there is another niche market dedicated to selling protection against these pieces of malware. Folks, I talking millions of dollars each year, connected to these two enterprises. Would it surprise you to know that many of the same people writing the protection software also write the malware?
Any who, how to these insidious pieces of data stealing malware get into your systems? Simple, you or one of your associates, put them there.
I know what you're thinking, "Not me! I would never do such a self destructive thing. Neither would anyone I work with." And, at least intentionally, you're right. But, take look at the most common avenues of entry and think through your response again.
Most Common Sources of Spyware:
1. Screen savers
3. Clip Art
5. Email attachments
6. Unprotected web browsing (cookies)
7. Peer to Peer applications (mp3 files)
10. Involuntary Download (may present as a fictitious error you must click to correct)
So, have you EVER added any of this to your system, even to an email? I know me too.
Oh well, as MaElla (my grandmother) used to say, "Once bitten, twice shy."
What have we learned?
Basically, do not put anything unverified on your system, even if it is really, really cool.
Bye the way, does anyone know where MaElla got "Once bitten, twice shy"?
First and foremost, never use a cordless phone for anything other than the convenience of answering a call. Switch to a corded line for any specific communications.
Monitoring cordless and cellular phone calls has become a million dollar hobby in America. Some even sell their monitored conversations on line. Think ex-girlfriend sites.
Mobile phones are an even greater liability. Not only are means available to monitor the conversations, but it is not particularly difficult to track the location of the parties based on their signal. Now, that is scary.
This tracking will become even easier when newer 3G phones come online because their base stations are even closer together.
What can you do?
1. Use a regular line for increased security.
2. Dedicate a secure line in your office for sensitive communication. They are not cheap. Or-Com offers one that has fair reviews for about $ 300.00.
3. Use first names on non-secure lines.
4. Speak in general terms on non-secure lines.
If you think these precautions a completely paranoid, you may be right. On the other hand, browse Spy Emporium for an overview of just a few of the surveillance devices available.
If you work with confidential data, and you use any of the following pieces of technology, it is just a matter of time until your confidentiality is compromised.
1. Disposable roll fax machines.
Used rolls contain copies of every item the machine has received.
2. Unattended fax machines.
Fax machines left on are excellent sources for stealing confidential data. When I expect a fax, I alert the office staff to put it in a folder in my in-box.
3. Dictation machines.
If you use dictation machines and leave tapes on the secretaries' desk to be transcribed do not be shocked when a tape goes missing (Tell the truth, this has already happened has not it?).
5. Answering machines.
Most are accessible with a 3 or 4 digit code. Most people do not change the factory set "3, 4, and 5." These are easy to hack.
6. Cordless microphones.
Crystal clear signals for about 1,300 feet or a quarter mile.
One of the most popular and reliable methods for gathering information from an organization is to "scout the perimeter." Although, this is not as sexy as the "mission impossible" methods, it is very popular and very effective.
Here are your most frequent weak spots.
1. The company lunch room. Many people actually carry confidential files with them to review over lunch.
2. The neighborhood coffee klatch. This is true for the same reason as above.
3. The guy who is always at the newsstand when you pick up your paper. You know the one you discuss current office events with because he does not know the people anyway.
4. The chatty new friend your spouse just made. Think about this when discussing business with your spouse.
5. Any off-site meeting places. Luncheon rooms, county offices, etc.
Next to going through the trash, the most vulnerable area for exploitation is the human brain.
The major offenders:
1. Unsecured offices, cabinets, drawers and doors.
2. Files left on the desk over night.
3. Group passwords.
4. Company phone directories.
5. Desktop rolodexes.
Another source of compromised confidential information is the office traitor. Most people have a price. The price may have been paid the last time they were insulted, degraded or unappreciated at the office. One the other hand, there may be an actual monetary price for which a trusted associate can be turned.
Here are some of the characteristics you may need to be on the look out for.
1. Those passed over for raises, passed over for promotion.
2. Those experiencing significant financial difficulty.
3. Those who gamble.
4. Those that employ recreational pharmaceuticals (including alcohol).
5. Those involved in labor and management disputes.
6. Those that seem to always be on the lookout for the next big deal.
Basically, if you take a look at the qualifications for a field agent for the CIA you can build a fair profile of what an office spy may "look like."
1. A Bachelors Degree, rarely more.
2. Solid academic record, not outstanding.
3. Interest in inter-business and international affairs.
4. Solid interpersonal skills.
5. Solid communication skills.
6. Frequent traveler.
7. Interest in foreign languages.
8. Prior residence outside the area.
9. Possible prior military experience.
10. Experience in business and / or economics (but with deficit skills in their own finance management).
11. The person is usually between the ages of 21-35.
12. Previous work in law enforcement or corrections.
13. May be considered a loner, not a joiner.
14. No police record.
15. Hobbies include martial arts, scuba, hunting, proficiency with firearms, chess, math, avid reader, may write prolifically or play a musical instrument, etc.
16. The person may be interested in training manuals and field guides.
In other words, just about anybody who would make a good employee. The key is to look for unusual groupings of these skills. Most people will meet 3 or 4 of the criteria. Those who meet 6 or more should be considered possible candidates.
This section completes a ten part series concerning confidentiality and security.