7 – Meeting Chameleons
Off-site meetings, conventions, trade shows, seminars, etc. present business snoops with excellent opportunities for infiltration and information collection. Alert your people to the problems.
A business counterespionage security briefing should include the following advisories…
- Off-site meetings are prime targets for snoops.
- Spy methods used may be unethical or illegal.
- Security will control meeting room access (24 hours).
- Technical Surveillance Countermeasures (TSCM) will be employed.
- Attendees must wear ID badges at all times.
- Never leave your laptop or briefcase unattended.
- Leave written proprietary information with Security when not being used.
- Proprietary data should remain within the secured area.
- Do not discuss business in public areas.
- Be very suspicious of strangers who befriend you.
- Report suspicious activity to Security immediately.
- Define “Proprietary Information” for your employees. “It is information which is not general knowledge and is related to the company’s products, methods, customers, plans, etc. It is any information which would cause the loss of profit, or a competitive advantage, if it fell into the wrong hands.”
8 – The Silver Platter
Sometimes we just give information away.
How many of the following poor security examples apply to someone you know?
- Leaving offices, desks and file cabinets unlocked.
- Locking the boss’s office but leaving the key in the unlocked secretary’s desk.
- Posting, sharing, or using simpleton passwords.
- Being listed in directories that seem to provide everything but salary.
- Posting credit card, social security and unlisted phone numbers in Rolodex files left on desktops. (The Rolodex file seems to be our technical cockroach. It may never die.)
- Answering probing questions over the phone from people you don’t really know.
- Discussing sensitive topics with known gossips.
- Leaving confidential paperwork out overnight.
The list gets longer the more you think about it.
9 – Business Phone Attacks
Feature-rich business phones provide snoops with a variety of powerful eavesdropping options. The phones themselves provide: electrical power; built-in microphones and speakers which can serve dual purposes; and ample hiding space for bugs and taps.
Basic business counterespionage telephone security tips…
- Provide high-level security for equipment rooms and wiring closets.
- Restrict direct dialing into administrative features.
- Some dangers of unauthorized phone system admin programming access include.
— Complete deprogramming of the switch.
— Secret reprogramming to allow access to…
— free calls,
— voice mail,
— executive override features (which allow forced access to busy extensions),
— bridge tap creation (allows silent monitoring from other extensions),
— hands-free intercom (allows room monitoring from other phones),
— and monitoring of call logs.
General business counterespionage recommendations for phone systems…
- Secure the on-site phone system programming terminal and manuals.
- Protect access to the admin programming with a strong password.
- Be sure the System Administrator is trustworthy.
- Conduct periodic TSCM inspections for taps, and intercept devices.
- Conduct surprise audits of the software settings.
- Remove all unused wiring from sensitive areas.
- Make sure that voicemail and switch access passwords are high quality.
- Ask phone system users to report all suspicious calls and voice mail aberrations to the security department immediately. In addition to snooping, these may also be indications of hackers trying to enter to steal services.
Voice over Internet Protocol (VoIP) telephones present their own special set of security problems, including:
- Denial of Service (DoS) attacks.
- Spam over Internet Telephony (SPIT).
- Service theft.
- SIP registration hijacking.
- VoIP directory harvesting.
- Voice Phishing, or Vishing
Some business counterespionage tips for securing VoIP business phone systems:
- Install all security measures suggested by the manufacturer. Keep security patches current.
- Enterprise systems should augment their systems with VoIP security hardware.
- Route calls through a Virtual Private Network (VPN) when possible. This is a good solution for inter-company calls.
Tip: Do-it-yourself tip phone security:
- Encrypt calls using a service like Silent Circle. They have an app with options which they describe as… “Silent Phone includes unlimited member to member encrypted voice, video, conference calling, file transfer and messaging. Silent World extends the reach of your Silent Phone subscription to unlimited inbound calls from anyone, anywhere and outbound calls to non-members using credits.”
Note: Some of the above also offer enterprise solutions. Have your IT director to do some research at their end to see if this would be valuable for your organization.
This article about encrypting the data on the phone might also be of interest, in case the phone is lost, stolen, etc. How to Encrypt the Data on Your Android Phone or iPhone
10 – Treason
Another type of spy – the trusted employee – is one of the most dangerous and hardest to spot.
The most likely employees to become spies are employees who may…
- Be disgruntled, possibly related to insufficient raises, promotions, etc.
- Have debts due to gambling habits, unavoidable personal circumstances, or drug use.
- Be involved with labor / management issues.
- Have personal associations or loyalties to outsiders.
- Have entrepreneurial personalities.
Business counterespionage tips to protect yourself from the treasonous employee…
- Inspect for eavesdropping devices. Employees have the time and opportunity to place and monitor bugs.
- Selectively drop uniquely identifiable bits of information and watch to see where they surface.
- Conduct background checks on all new employees, and periodic checks on anyone with access to sensitive information.
- Check previous employments carefully.
- Uncover and verify periods of employment not mentioned by employees and applicants.
- Living beyond their means may indicate extra income paid by the recipient of your business secrets.
The good news…
Espionage is preventable. Knowing a snoop’s most likely tactics is the first step toward protecting yourself. You now have enough knowledge to begin that process confidently. As always, if you have any questions feel free to contact me, Kevin D. Murray.
Kevin D. Murray CPP, CISM, CFE, CDPSE is a business counterespionage consultant and TSCM specialist with over four decades of experience.
Murray Associates is an independent security consulting firm, providing eavesdropping detection and counterespionage services to business, government and at-risk individuals.
Headquartered in the New York metropolitan area, a Murray Associates team can assist you quickly, anywhere in the United States, and internationally.