Economic espionage

14.09.2013 counterintelligence, cyber crime, cyber security, Economic espionage, espionage, information security, INSA, insider threat, Risk assessment, security, security threats Comments Off on Message to Government and Private Sector: YOU are the reason for insider threats

Message to Government and Private Sector: YOU are the reason for insider threats

spy v spyEveryone is missing the boat on the insider threat issue – INSA too…to paraphrase James Carville, “It’s leadership stupid.”

Government and private sector organizations are the primary reason for insider threats – senior leaders and the boardroom grow them internally.

With very minor exception, NO ONE COMES TO WORK FOR YOU ON DAY ONE WITH THE INTENT TO HURT YOU, steal your secrets, or sell your intellectual property.

It’s how you treat them, over time, that turns them into insider threats.

  • You put them in the wrong jobs;
  • You fail to trust them;
  • You make it hard for them to do their jobs;
  • You put asshole/untrained managers over them;
  • You treat them like furniture;
  • You , threaten their existence in your companies and agencies;
  • You kill their spirit; and
  • Then, you wonder why they decide to hurt you.

Want to reduce/eliminate the insider threat? Treat you staff the way you did on day one:

  • Welcome them as a human being;
  • Be aware of how they are cared for in your organization;
  • Show them you care about them and their families;
  • Give them a future;
  • Put r-e-a-l leaders over them;
  • Give them a voice; and
  • Pay them well.

In other words, treat them as you would want to be treated.

Now, why is that so hard?

And, why do NONE of the plans I have seen for combatting the insider threat even mention poor leadership as a factor?

INSAonline.org | 9.12.13 Assessing Insider Threat Programs of U.S. Private Sector http://www.insaonline.org/i/f/pr/9.12.13_InsiderThreat_WP.aspx

 

24.12.2012 counterintelligence, cyber security, Economic espionage, law enforcement, public safety, security, Tips Comments Off on Signs, signs, everywhere are signs: We have to take better care of each other

Signs, signs, everywhere are signs: We have to take better care of each other

signsPop quiz…what do the following have in common:

  • Bradley Manning, US Army soldier who released 750,000 documents to wikileaks
  • Jacob Tyler Roberts, another young man who shot up an Oregon mall
  • Adam Lanza, young man who killed 26 at a Newtown, CT school
  • Marijana Bego, NYC art gallery owner who jumped to her death yesterday

The answer? One or more people knew something was wrong BEFOREHAND.

I am now convinced that EVERY incident, whether it is a tragic shooting, a terrorist act, espionage, or a sole suicide, there were signs ahead of time that something was not quite right with the individual(s) involved.

So what can we do? We have to take better care of each other. When we see signs that someone isn’t quite the way they used to be, call them on it. Ask questions. Take action BEFORE something bad happens.

Scared that you’ll embarrass them? scared you’ll embarrass yourself? If so, just think how you will feel if you don’t take action and something even worse happens…how will you feel then?

  • In Bradley’s case, the Army knew there were reasons NOT to put him in a position of trust, and they did anyway!
  • In Jacob’s case, his own roommate said he acted weird and talked about moving and selling his possessions!
  • In Adam’s case, the school district security officer knew he had disabilities!
  • And, in Marijana’s case, many people around her knew she was erratic and not happy.

I would hate to be in any of those person’s shoes…

so, for 2013, let’s try and take better care of each other, and vow to intervene early, maybe we can save a life.

Merry Christmas and Happy New Year

r/Chuck

 

11.10.2012 computer security, counterintelligence, cyber crime, cyber security, Economic espionage, espionage, information security, insider threat, leadership, security, security threats Comments Off on Why can’t Johnny be good? The making of an insider threat

Why can’t Johnny be good? The making of an insider threat

“When Johnny reports to work for you on Day 1, they DO NOT intend to do you or your organization’s information systems any harm; something happens to them, either in their personal or work life that changes this – the CEO’s or Agency Head must be held responsible for making sure they know what’s going on with all of the Johnnys (and Janes) in their organization to prevent the good people they hired from becoming insider threats.”

While most of the world is focusing on “technology” as a solution to preventing insider threat attacks to organization/agency information and systems, hardly anyone is focused on leadership’s responsibility to create and sustain a work environment that minimizes the chance for an employee to turn into an insider threat.

On October 21, 2012, I had the chance to speak on this issue at the 2012 International Cyber Threat Task Force (ICTTF) Cyber Threat Summit in Dublin, Ireland a few weeks ago; here is a video recording of my presentation, I hope you find it informative and useful.

r/Chuck

27.09.2010 computer security, cyber security, Economic espionage, SCADA, security Comments Off on Web ‘superbug’ threatens Chinese national security – Stuxnet SCADA Attack

Web ‘superbug’ threatens Chinese national security – Stuxnet SCADA Attack

Caught this article in Times of India  (PTI, Sep 27, 2010, 01.29pm) website today…funny it didn’t make any of the U.S. cyber security sites…here’s a couple snippets…

“A sophisticated malicious computer software, is attempting to infiltrate factory computers in China’s key industries, threatening the country’s national security, cyber experts have warned.”

“Called Stuxnet, the worm was first discovered in mid-June and was specially written to attack Siemens supervisory control and data (SCADA) systems commonly used to control and monitor industrial facilities – from traffic lights and oil rigs to power and nuclear plants, the state-run Global Times daily reported quoting experts.”

“Globally, the worm has been found to target Siemens systems mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, the report said. According to Wang, there might be large financial groups and nations behind the malicious software.”

“Eugene Kaspersky, co-founder of security firm Kaspersky said the Stuxnet worm could prove that “we have now entered the age of cyber-warfare. – He believes that Stuxnet is a working – and fearsome – prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.”

Read more: Web ‘superbug’ threatens Chinese national security – The Times of India http://timesofindia.indiatimes.com/tech/news/internet/Web-superbug-threatens-Chinese-national-security/articleshow/6635680.cms#ixzz10lUJux3C

27.08.2010 Economic espionage, infragard, security, security threats Comments Off on Maryland InfraGard Presents: “Need to Know” Security/Threats Awareness Event

Maryland InfraGard Presents: “Need to Know” Security/Threats Awareness Event

This event, generously hosted by DCS Corp, one of Southern MD’s most engaged community stakeholders, is being jointly produced by the Maryland InfraGard Chapter, the Southern Maryland Industrial Security Awareness Group, the U.S. Department of Homeland Security, the Maryland Coordination & Analytic Center (MCAC) and Southern MD Regional Information Center (RIC), in cooperation with regional authorities.

  • DATE: September 21, 2010
  • TIME: 8:00 am – 1:00 pm
  • LOCATION: DCS Corp, 46641 Corporate Drive, Lexington Park, MD (There is plenty of free parking available.)

REGISTRATION: You must be registered to attend. Go to http://securesouthmd.eventbrite.com. The Deadline to register is Friday, September 17th. Admission is FREE and open to U.S. Citizens (bring valid photo ID).

SPEAKERS:

Ex-KGB Major General (ret.) Oleg Danilovich Kalugin — former Chief of KGB Foreign Counter-Intelligence whose job it was to penetrate all hostile intelligence and security forces worldwide. Now one of Russia’s “Most Wanted,” General Kalugin just celebrated his 7th year as a U.S. Citizen. He is the ultimate insider, whose fascinating autobiography, SPYMASTER*, documents secrets from his 32-year career.

* Pre-Order your autographed copy of SPYMASTER by September 17 – a limited number of copies are available for personal inscription — an historic takeaway and remarkable value at $20. Proceeds benefit InfraGard Maryland Members Alliance, a MD chartered 501(c)(3) nonprofit, in its mission of public-private partnering for critical infrastructure protection, and programs like these. Ordering & payment details are on the registration site, or contact M. L. Kingsley at MLKingsley@msn.com to arrange your personally inscribed copy. Subject to supply, copies will also be available for purchase by cash or check at the 9/21 event.

Noted Cyber Guru Dr. Gary Warner — voted Nation’s top Cyber-blogger – See http://garwarner.blogspot.com/ “Cyber Crime and Doing Time” – Dr. Warner is the Director of cutting-edge Computer Forensics Research at the University of Alabama, Birmingham.

Plus, representatives from InfraGard, the FBI, MCAC, and RICs will speak on reporting suspicious activity, information sharing ventures and private sector partnerships.

This jointly presented forum represents an unparalleled gathering of public safety, law enforcement & intelligence authorities, to teach the crucial lessons of situational awareness, promote learning and sharing between essential stakeholders using a collaborative process to improve intelligence sharing and, ultimately, to increase our collective ability to predict, prevent, and preempt terrorist activity and manage the consequences of a diverse number of threats.

For more information about InfraGard, and to join, go to www.infragard.net and/or www.infragardmembers.org, or contact Special Agent Lauren Schuler, FBI Baltimore’s InfraGard Coordinator, at 410-265-8080 or Lauren.F.Schuler@infragard.org.

We hope to see you there!

15.11.2009 counterintelligence, Economic espionage, security, security threats, Technology, Uncategorized Comments Off on It’s 2pm on Sunday: Do you know where your data is?

It’s 2pm on Sunday: Do you know where your data is?

It seems the Los Alamos National Laboratory (LANL)  is  in the news again. Just when you’d think they addressed the vulnerabilities that Wen Ho Lee exploited back in 1999 (Lee has his own Wikipedia page now), they got slammed again in 2006 when local police found a thumb-drive with classified information on it at local residence involved in a local narcotics investigation.  Well now the U.S. Government Accountability Office (GAO) just release an audit report of LANL that reported:

infosec los alamos october 2009LANL has implemented measures to enhance its information security controls, but significant weaknesses remain in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network. The laboratory’s classified computer network had vulnerabilities in several critical areas, including (1) uniquely identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.

 

While LANL got slammed for losing information on its  “classified” network…what about all of the unclassified information that’s floating around out there? I feel it is just as important to make sure all of the sensitive but unclassified case information, organization proprietary information, or intelligence data that contains Personally Identifiable Information (PII) is protected as well–would you want to be the person explaining to their boss what data was just lost on that USB drive you left at the airport restaurant?

While I was at the International Association of Chiefs of Police Conference in Denver last month, I ran across a security item that really caught my eye–it was a standard, run of the mill 4GB USB thumb drive, but this one was unique–it had a built in PIN keypad, encrypted all data with AES encryption, and you didn’t have to plug it in to the computer first before unlocking it.  I got to thinking…if every law enforcement officer and intelligence analyst who had a legal, bonafied reason for copying sensitive data  onto portable media like CD-ROMs, SD cards, or unsecured thumb drives had one of these, they could sleep better at night knowing that the information on the thumb drive wouldn’t be compromised if it were lost or stolen, or than an unauthorized person who happend to get access to the drive couldn’t stick it in their computer and access the information it holds.

classified secure usbThe item is called the Classified Secure Flash Drive. It’s a 4GB thumb drive with a built in 5-key keypad for entering a 1-10 digit PIN.  There is NO software required on the desktop/laptop to create or enter the PIN and all data on it is secured with 256 bit AES encryption. Those of you who know me know that I do not want to become another big IT vendor; however, I have decided to make these (and other innovative, niche technologies) available to agencies through NOWHERETOHIDE.ORG.  For Federal agencies; the manufacturer has developed a FIPS 140-2 compliant version with a built in 10-key keypad; they are in the midst of the validation process now.

10.11.2009 counterintelligence, Economic espionage, espionage, law enforcement, security, security threats Comments Off on Economic Espionage: Spies, damn spies, and the real threat (Part 1 of 2)

Economic Espionage: Spies, damn spies, and the real threat (Part 1 of 2)

When  most people think of spies, they think of the Rosenbergs who gave up atomic research in 1942, John Walker who gave up Naval radio communications in the 1980s, or the likes of  Aldrich Ames and Bob Hanssen who compromised CIA and FBI programs (respectively).  But, have you ever heard of Ho, Yang or Min?

  • Chester Ho, a naturalized U.S. citizens, was arrested after stealing the plant cell culture technology from Bristol-Myers Squibb–nearly $15 million loss
  • Hwei-Chen Yang was arrested after stealing adhesive trade secrets from Avery Denison–nearly $60 million loss
  • Yonggang Min walked out the door of Dupont with more than 16,000 documents from DuPont’s electronic library–nearly $600 million loss

While the Rosenbergs, Ames and Hanssen were guilty of National Security Espionage, Ho, Yang and Min were clearly engaged in Economic Espionage, or “the act of theft or misappropriation of (commercial) trade secrets.” What makes this particularly significant is the fact that the potential for economic espionage exists in virtually every corner of our way of life–government agencies, small companies, large corporations, colleges, universities, overseas research and development laboratories, and economic espionage is largely driven by one of three motives:

  1. Profit;
  2. Patriotism to home country; or
  3. Desire to achieve academic/scientific notoriety.

While the majority of the threat can come from any of the 108 countries actively seeking to collect information about American innovations, and (a sub-set) of the 30,000,000 non-immigrant visitors to our nation every year, the threat can also come from within; companies in like sectors would love to know what the others in that sector are working on–new prescription drug? Next Ipod? Alternative fuel technologies?

So, who can threaten your innovations and intellectual property?

  • Insider threats–people working for you;
  • People and companies that you partner with;
  • Subcontractors providing services
  • University students doing research for you;
  • Visitors that have an interest in what you do; or
  • Competitors who seek to do you harm.

Interesting side note:  75% of the 40 proprietary and confidential information thefts studied between 1996 and 2002 by Carnegie Mellon’s CERT program in a July 2006 study were committed by current employees. Of those current employees committing intellectual property thefts, 45% had already accepted a job offer with another company. “In between the time they have another offer and the time they leave is when they take the information”

At the end of the day, you (and your organization’s leaders) are responsible for the survival of your organization, and only you can really know “Who’s in Your House” and what they are doing. The other way to put it is that if something bad happens, only you will be standing there explaining to your board of directors and shareholders what happened.

So what can you do to protect yourself? I suggest five key strategies:

  • Ask the right questions;
  • Do the math;
  • Trust, but verify;
  • Use the velvet rope and black cloth; and
  • Educate, communicate and reward.

1. Ask the Right Questions

Corporate presidents and CEOs should regularly ask their security officers the following five questions:

  1. What technologies/projects are most at risk?
  2. Why are others interested in it?
  3. Who are the specific threats?
  4. Where are the vulnerabilities?
  5. How are we stopping them from getting it?

Establish a good idea of what an adversary might be after, why they’re after it, and what your organization is doing to protect it from compromise. For larger organizations, with many projects, you should go through this exercise with each program/product.

2. Do the Math

You cannot protect everything, so develop a strategy to identify and protect those projects and technologies that can cause the most dire consequences to your bottom line. I suggest dividing up your organization’s projects/products into three piles.

  • Pile One = those projects that the future of your company rests on or those that you risk jail time for compromise;
  • Pile Two = Those projects that are important, but expendable; and
  • Pile Three = Those projects that are commodities or already in the open source.

 Here is some sample criteria to help you decide which pile a project may belong in:

Sample Criteria for Pile One

  • Classified or sensitive national security project
  • New research and development effort
  • Loss would mean significant loss of revenue and new CEO

Sample Criteria for Pile Two

  • Company future doesn’t hinge on product survival
  • No significant IP or trade secrets involved
  • Product at the middle of “S” curve

Sample Criteria for Pile Three

  • No IP or trade secrets involved
  • Commodity type product or service; top of the “S” curve
  • Already in the public domain

Remember: Focus on Pile One FIRST–do not be tempted to go after the low-hanging furit in piles two or three.

To be continued…In Part 2 of 2, I’ll finish with Key Strategies 3, 4 and 5.

As always, comments and houghts are welcome.

Chuck Georgo, chuck@nowheretohide.org

Chuck has served as a strategic planner, business analyst, and technologist for the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, Illinois State Police, and many other public and private sector organizations. He helped these agencies to develop meaningful strategies, to implement innovative technologies, and to assess their success towards achievement of desired public safety and homeland security results. He currently serves as Executive Director for NOWHERETOHIDE.ORG, First Vice President of the InfraGard Maryland Members Alliance, and Chairman, IJIS Institute Security and Privacy Committee.