Editor’s note: Dexter Mills, Jr. of Micol Information Security in Durham is an expert in technical surveillance countermeasures.Have you ever come into a courtroom or important negotiations feeling as well prepared as you could possibly be only to have your every move perfectly countered by the opposition, almost as if they knew everything you were going to say or do?
Has the very important contents of a supposedly secret meeting been found out by your closest competitor?
Is your company being narrowly outbid on a consistent basis?
Has an industry rival determined the most opportune time to launch a hostile takeover?
The examples given above could merely be very peculiar coincidences or they may indicate that someone has been secretly gathering intelligence on you. An information gathering campaign could be conducted in a variety of ways using competitive intelligence, dumpster diving, bribed employees, computer penetrations or by other technical means. When I say “other technical means” I am referring to electronic eavesdropping.
A look around most offices or homes shows that an eavesdropper has everything needed to succeed. Think about it. In our place of business or residence, there is electricity to power devices and sensitive microphones to pick up the desired audio in every day products like telephones, computers and intercoms. Also, a quick trip to the local electronics store will reveal numerous products that make it easy to get the information out of the target area via telephone wires, electrical lines, computer cables and other unused conductors. In addition, all of the new wireless products such as Bluetooth, WLAN’s, and the distributed antennas systems we have installed that make our life so much easier simply add to the vulnerabilities.
Just think. Up until now we have only mentioned ways an eavesdropper could exploit the existing infrastructure or equipment found in today’s modern office environment. What about products that have been specifically designed to covertly gather information?
Check out the threats
If you are still having a hard time believing that these types of devices actually exists, go to your favorite search engine and type in “Covert Surveillance, Bugs or Wiretaps”. Better yet, browse through the local phone book. There is a good chance that you will find something of interest under “Surveillance, Detectives, or Private Investigators”. This is not to say that all private detectives are involved in this kind of activities. Most are ethical, hard working and out there trying to make an honest living.
The products sold on the Internet or the spy shop up the street can come in a variety of shapes and sizes. Some are simply re-tasked consumer goods such as alarm clocks, electric pencil sharpeners or picture frames that have surveillance devices installed in them. They are not professional grade, but nevertheless very effective.
On the other hand, if a professional has designed and/or installed a surveillance device into a target then the stakes have just been raised. The question is are you and your company prepared to stop these attacks?
If it has not already been impressed upon you, an information gathering campaign whether by legal or illegal means, can be launched to determine your current knowledge base, intentions, capabilities or desires. Your level of security and the adversary’s determination will usually determine which way is best to gather the sought after information.
For instance, if proprietary information is left on a desk, copier or fax machine in plain view for anyone to walk by and look at or take then we have made the eavesdropper’s job that much easier. If these same documents are not properly discarded (shredding) or if our passwords can be easily guessed or even written down on a sticky note which is attached to a computer monitor, then more sophisticated means may not be needed.
Physical security is only a start
If your organization has good physical security such as trained guards, reliable alarm systems, and high security locks then you are off to a good start. In addition if your company has up to date information security policies and employee training then you are really ahead of the curve. Before you start celebrating, that is only part of the solution.
A strong counter-espionage/counter-eavesdropping program must also be in place. We all know how important computer/network security is nowadays. Effective deterrents such as firewalls, virtual private networks, encryption, virus protection, end user training and regular audits are some things that should be addressed.
Unfortunately, the highly recommended and effective countermeasures mentioned above will not protect your organization’s important information from other kinds of technical attacks such as electronic eavesdropping.
If your company is in an industry that relies heavily on research and development, a leader in its field, or simply has knowledge that is not publicly available then you are at risk.
If information is being gathered by technical means, then it is highly unlikely that you will ever know it without regular counter-espionage inspections. Without a thorough and comprehensive counter-espionage program, the loss of your company’s information could continue indefinitely.
Micol Information Security is a Durham-based firm that provides technical surveillance countermeasures surveys, wireless network vulnerability analysis and information, and security audits. For more information, visit: www.micolinfsec.com