1 Computer Security Fundamentalsby Chuck Easttom Chapter 7 Industrial Espionage in Cyberspace

2 Chapter 7 Objectives Know what is meant by industrial espionageUnderstand the low-technology methods used Understand how spyware is used Know how to protect a system Chapter 7 Objectives Know what is meant by industrial espionage. Understand the low-technology methods used to attempt industrial espionage. Be aware of how spyware is used in espionage. Know how to protect a system from espionage. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

3 Introduction Espionage Is NOT: Its ultimate goal:Sophisticated glamour Exciting adventure Its ultimate goal: Collecting information Without fanfare Without knowledge of target Secrecy is prevalent, on the part of both the perpetrator and the target. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

4 Introduction (cont.) EspionageNOT done only by governments and terrorists Spies for political and military goals Also done by private companies Industrial espionage. Billions of dollars. Companies fear to reveal they are targets. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

5 What Is Industrial Espionage?Spying to find out valuable information: Competitor’s projects, client list, research data While the goal is different than military espionage, the means are the same: Electronic monitoring, photocopying files Industrial Espionage The use of spying techniques to find out key information that is of economic value: A competitor’s newest project, their client list, or research data Although the end is different than that of military espionage, the means are the same: Electronic monitoring, photocopying files, and so forth. Former intelligence officers are found in corporate espionage. Fortunately, former intelligence officers are also found in corporate security. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

6 Information as an AssetInformation can be a real asset. Billions are spent on research and development. How to value your information: VI = C + VG Information can be a real asset. Companies spend billions on research and development. VI (value of information) = C (cost to produce) + VG (value gained) $200,000 of salaries plus benefits and overhead + $1,000,000 in anticipated revenue from result = $1,200,000 VI Obviously, VG will be magnified in a court case. In everyday commerce, does your company value its information assets enough to protect them adequately? © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

7 Information as an Asset (cont.)Information is as much an asset as anything else. Worth more than the hardware and software that houses it. Much more difficult to replace. For example, a college degree is a single piece of paper. You paid more for the degree than the paper cost. You paid for the information you received. Doctors, lawyers, and engineers are all consultants for their expert information. Information is a valuable commodity. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

8 Information as an Asset (cont.)Data has value for two reasons: Time and effort spent to create and analyze it. Data often has intrinsic value. A proprietary process, invention, or algorithm A competitive edge Data stored in computer systems has value for two reasons: 1. Much time and effort is spent to create and analyze the data. 2. Data often has intrinsic value. A proprietary process, invention, or algorithm has obvious value. Data that provides a competitive edge is also inherently valuable. Copyrights, trade secrets, and patents must be protected. They can be the foundation upon which a company is built—for example, pharmaceutical companies, Coca Cola, and so forth. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

9 Information as an Asset (cont.)Asset identification Listing the organization’s assets Tutorial covering information security considerations Most technicians will go to work in a smaller corporation, not IBM or General Motors. We need to know how to scale for the small- to mid-size company. This is a helpful tool. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

10 How Does Espionage Occur?Espionage can occur in two ways Easy low-tech way Employees simply take the data. Social engineering. Technology-oriented method Spyware Cookies and key loggers © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

11 How Does Espionage Occur? (cont.)Espionage can occur in two ways: Easy low-tech way Employees divulge sensitive data. Disgruntled employees. Motives vary. Easy low-tech way: Employees (existing or former) may knowingly or unknowingly divulge sensitive data. Disgruntled employees are the greatest security risk to an organization. The motives vary. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

12 How Does Espionage Occur? (cont.)Espionage can occur in two ways: Easy low-tech way Information is portable. CDs, flash drives Social engineering. . Just because a person is wearing some kind of badge—visitor or vendor— does not mean they are who they appear to be or their briefcase contains nothing of yours. Memory drives can be concealed in pens. Social engineering is low tech and often successful. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

13 How Does Espionage Occur? (cont.)Espionage can occur in two ways Technology-oriented method. Any monitoring software can be used. Spyware Keystroke loggers Capturing screenshots Espionage can occur in two ways: Technology-oriented method: Any monitoring software can be used in corporate espionage, for example, spyware and keystroke loggers. Capturing screenshots of sensitive information or logon information is easier today than ever before. That 32M pen drive can hold a key logger. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

14 Protecting Against Industrial EspionageCannot make system totally secure Employ antispyware software. Use firewalls and intrusion-detection systems. Implement security policies. Encrypt all transmissions. Of no use against internal sabotage What steps can I take to alleviate the danger? Nothing can make the system completely secure. Eighty percent of your problems will be internal. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

15 Protecting Against Industrial Espionage (cont.)How to lessen risk of internal espionage Give out data on a “need-to-know” basis. Ensure no one person has control over all critical data at one time. Limit portable storage media and cell phones. How to lessen risks of internal espionage: Do previously mentioned steps. Give out data on a “need-to-know” basis. For key personnel, use a rotation system or dual control so no one person has control over all critical data at one time. Limit portable storage media and cell phones. Have cell phones and other hardware checked at the front security desk. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

16 Protecting Against Industrial Espionage (cont.)How to lessen risk of internal espionage: No documents/media leave the building. Do employee background checks. Scan PCs of departing employees. Lock up tape backups, documents, and other media. Encrypt hard drives of portable computers. How to lessen risk of internal espionage: Prohibit documents/media leaving the building. Do employee background checks. When employees leave the company, scan their PC for any inappropriate data. Keep tape backups, documents, and other media under lock and key. If portable computers are used, encrypt the hard drives. Check employee references. Too often, this is not done. Check on any college credits and certifications. HR often does not follow up on this, and as a result, many job seekers falsify their resumes. Any prospective employee who does this cannot be trusted. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

17 Protecting Against Industrial Espionage (cont.)How to lessen risks of internal espionage Encryption software © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

18 Real-World Examples of Industrial EspionageProfessor Hao Zhang Stealing trade secrets from universities Giving secrets to Chinese government In May 2015, Professor Hao Zhang of Tianjin University and five other individuals were arrested and charged with stealing trade secrets for use by universities controlled by the Chinese government. The secrets stolen included research and development on thin-film bulk acoustic resonator (FBAR) technology. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

19 Real-World Examples of Industrial Espionage (cont.)Houston Astros Team and scouting information Allegedly stolen by competitor In 2015 the Houston Astros baseball team's scouting and team information database was stolen. It is alleged that it was stolen by members of the St. Louis Cardinals. The Houston Astros have a proprietary internal computer system they named Ground Control. It has notes on players and potential trading of players. The Astros general manager, Jeff Luhnow, had previously worked for the Cardinals, and when he came to work for the Astros, he also brought alone some of his staff. Initial reports are that either Mr. Luhnow or one of his staff used a password similar to what he had used with the Cardinals. This allowed someone associated with the Cardinals to guess the password and access the Houston Astros database © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

20 Real-World Examples of Industrial Espionage (cont.)General Motors GM alleges that eight former employees transferred proprietary information to Volkswagen. GM sued in criminal court under RICO. GM sued in civil court for damages. Industrial espionage not restricted to technology companies. Racketeer Influenced and Corrupt Organizations Act (RICO) © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

21 Real-World Examples of Industrial Espionage (cont.)Interactive Television Technologies, Inc. A break-in resulted in theft of data. Years of research and substantial financial investment Other companies shortly came out with competing products. A search for the company on the web revealed nothing. They appear to be out of business. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

22 Real-World Examples of Industrial Espionage (cont.)Bloomberg, Inc. BI provided services to a Kazakhstan. company; gave them software needed to use BI’s services. A KS employee, Oleg Zezev, illegally entered BI’s computer system. He sent an to Michael Bloomberg threatening extortion. View the whole story here: © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

23 Real-World Examples of Industrial Espionage (cont.)Avant Software Charged with attempting to steal secrets from a competitor. A former consultant for Avant took a job with Cadence. There were allegations on both sides. The criminal case was pled out. View the whole story here: © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

24 Industrial Espionage and YouMost companies decline to discuss the issue. Larry Ellison, CEO of Oracle Corporation, has openly defended his hiring of a private detective to dumpster-dive at Microsoft. View the whole story here: © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace

25 Summary Industrial espionage exists and will grow into an even larger problem. There are a variety of methods by which espionage can take place. An employee revealing information is the most common. Compromising information systems is an increasingly popular method of espionage. © 2016 Pearson, Inc Chapter 9 Industrial Espionage in Cyberspace