Information Security CPP Study Guide V1 (PowerPoint presentation transcript)

Provided by: JohnHew
Slides: 69
1
CPP Review - 2006
Information Security
John Hewitt, CPP, CIPM, Senior Security Manager, Trammell Crow Company
214-438-8861
2
Information Security Part V
Proprietary Information
Information over which the possessor asserts ownership and which is related to the activities or status of the possessor in some special way.

All proprietary information is confidential, but not all confidential information is proprietary.
3
Information Security
Proprietary Information
  • Property concept: regards the information as having independent value if it amounts to a trade secret.
  • Fiduciaries: imposition of duties upon certain classes of people, other than the owner, not to use or divulge information without the owner's consent.
4
Information Security
Proprietary Information
There are three broad threats to proprietary information:
  • It can be lost through inadvertent disclosure
  • It can be deliberately stolen by an outsider
  • It can be deliberately stolen by an insider
5
Information Security
Trade Secret
A trade secret is a process or device for continuous use in the operation of the business.

For trade secret protection, the owner must prove:
  • Secrecy
  • Value
  • Use in the owner's business
6
Information Security
Trade Secret
The following are not trade secrets:
  • Salary information
  • Rank surveys
  • Customer usage evaluation
  • Profitability margins
  • Unit costs
  • Personnel changes

7
Information Security
Trade Secret

Trade Secret information is entitled by law to
more protection than other kinds of proprietary
information

8
Information Security
Trade Secret/Patent

A trade secret remains secret as long as it
continues to meet trade secret tests but the
exclusive right to patent protection expires
after 17 years

9
Information Security
Competitive Intelligence Gathering

The most important function of competitive
intelligence gathering is to alert senior
management to marketplace changes in order to
prevent surprise
10
Information Security
Competitive Intelligence Gathering

A rich source of information is the information provided to government regulators.

Never reveal information to anyone that you would not reveal to a competitor.

11
Information Security
Industrial Espionage


Industrial espionage is the theft of information
by legal or illegal means. It is more dangerous
than inadvertent disclosure by employees in that
highly valuable information is stolen for release
to others who plan to exploit it.

12
Information Security
Industrial Espionage
The vulnerability assessment is conducted from the perspective of the competitor and considers:
  • What critical information exists
  • The period of time when the information is critical. This may be a short period or may be for the life of a product
  • The identity of employees and indirect associates who have access to the information



13
Information Security

Eavesdropping Tactics / Equipment

  • Wiretapping: the interception of communication over a wire without the participants' consent; requires physical entry into the communication circuit.
  • Bugging: the interception of communication without the participants' consent by means of electronic devices and without penetration of a wire.
14
Information Security

Eavesdropping Tactics / Equipment

  • Carbon microphone: commonly used in a standard telephone handset
  • Crystal microphone: generates a small electrical current when the crystal is vibrated by sound waves
  • Contact microphone: installed on a common wall with the target area


15
Information Security

Eavesdropping Tactics / Equipment

  • Spike microphone: installed in a hole in the common wall (not fully through)
  • Dynamic microphone: movement of a small wire near a permanent magnet converts sound into electrical energy. A good eavesdropping device which operates as a loudspeaker in reverse


16
Information Security


Eavesdropping Tactics / Equipment

  • Pneumatic cavity device: has a specially designed small cavity which picks up surface vibrations (glass tumbler effect)
  • Condenser microphone: high-fidelity use. Fragile and sensitive
  • Electret microphone: used primarily in P.A. and audio recording (extremely small)

17
Information Security


Eavesdropping Tactics / Equipment

  • Omnidirectional microphone: used in conferences. Picks up sound from many directions around the room
  • Cardioid microphone: picks up sound from directly in front of the mic
  • Parabolic microphone: gathers audio energy and directs it to a conventional microphone in the center of a dish-type reflector

18
Information Security
  • A radio frequency (RF) device consists of:
  • A microphone
  • A transmitter
  • A power supply
  • An antenna and,
  • A receiver

19
Information Security
Telephone Eavesdropping
  • Digital systems - originally thought to be
    secure
  • Digit stream can be recorded and converted to
    analog and speech.
  • The control system is available from an on-site
    terminal or from off-site through the network
    (Remote Maintenance Access Terminal, RMAT).

20
Information Security
Eavesdropping Threat
  • Risk for the electronic eavesdropper is low:
  • electronic eavesdropping is easily committed
  • chances are low that the victim will find the device
  • if the device is found, chances are low that it can be tied to the eavesdropper
  • prosecution of eavesdropping cases is rare and,
  • the reward far outweighs the risk

21
Information Security
Miscellaneous
  • Audio masking
  • generation of noise at the perimeter of the secure area to cover or mask conversation. Music is not used; white or pink noise is preferred because it is not as easily filtered from the tape

22
Information Security
New
Information Technology Security
  • Virus: any hidden computer code that copies itself onto other programs.
  • Trojan Horse: code that has been downloaded attached to unsuspecting programs, and that later damages or affects data.
  • Bomb: code inserted by programmers into legitimate software. (1) Sensitive to a time schedule, triggered by date/time. (2) Triggered by an event, such as copying a file or opening a program.
  • Trapdoors / Back doors: intentionally created and inserted when developing software, e.g., Microsoft's XP.
23
Information Security
Information Technology Security
  • Cookie Monster / Cookies: data maintained from your PC for resource sharing, by use of text files sent to the machine via each website. Allows data such as credit card information to be collected by unauthorized parties.
  • Theft of Hardware: the unlawful taking of a PC or laptop with the intent of gaining access to a company network or other vital information, or sensitive data.
24
Information Security
Fax Security
Security Products
  • Tamperproof security enclosures for fax machines
  • Automated fax distribution systems: store documents in employee mailboxes, which employees can access with a PIN.
  • Encryption: encrypting transmission and reception to prevent reading of an intercepted fax.
25
Information Security
Cellular Phones
Cellular and cordless telephones, digital and analog, transmit RF signals which can be intercepted.

Digital signals, thought to be secure, can be taped and converted back to analog signals for use by an interloper.

When a cellular phone is turned on, it transmits a mobile identification number (MIN) and an electronic serial number which identify the cellular set. These signals can be cloned for illicit use.
26
Information Security
Test
27
1. Any formula, pattern, device or compilation of
information which is used in one's business and
which gives him an opportunity to gain an
advantage over competitors who do not know or use
it is
  • a. A monopoly
  • b. An unfair trade practice
  • c. A trade secret
  • d. A patent

29
2. Probably the main reason for loss of sensitive
information is
  • a. Inadvertent disclosure
  • b. Deliberately stolen by outsider
  • c. Industrial espionage
  • d. Deliberately stolen by insider

31
3. The primary tool of pre-employment screening
is the
  • a. Interview
  • b. Application form
  • c. The investigation
  • d. The investigator

33
4. Competitive intelligence gathering is a
legitimate activity which is engaged in by many
firms throughout the world. The most important
function of competitive intelligence is to
  • a. Alert senior management to marketplace
    changes in order to prevent surprise
  • b. Alert senior management as to the personal
    habits of competitive senior management
  • c. Alert government intelligence agencies to
    marketplace changes
  • d. Alert senior management to changes in
    protocol in foreign countries

35
5. The instrument used to monitor telephone calls
by providing a record of all numbers dialed from
a particular phone is called
  • a. A wiretap
  • b. A bug
  • c. An electronic surveillance
  • d. A pen register

37
6. A clandestine listening device, generally a
small hidden microphone and radio transmitter is
known as
  • a. A bug
  • b. A wiretap
  • c. A tempest
  • d. A beeper

39
7. A microphone with a large disk-like attachment
used for listening to audio from great distances
is known as
  • a. Contact microphone
  • b. Spike microphone
  • c. Parabolic microphone
  • d. Moving coil microphone

41
8. Sound waves too high in frequency to be heard
by the human ear, generally above 20 kHz, are
known as
  • a. Microwaves
  • b. Ultrasonic
  • c. High frequency
  • d. Short-wave

43
9. Two methods of protection against telephone
line eavesdropping are apparently reliable. The
first method is don't discuss sensitive
information and the other is
  • a. To use a wire tap detector
  • b. To use a radio jammer
  • c. To use an audio jammer
  • d. To use encryption equipment

45
10. The unauthorized acquisition of sensitive
information is known as
  • a. Industrial espionage
  • b. Embezzlement
  • c. Larceny
  • d. False pretenses

47
11. Proprietary information is
  • a. Information which must be so classified under
    government order
  • b. Private information of highly sensitive
    character
  • c. Defense data which must be classified
    according to federal regulations
  • d. Anything that an enterprise considers
    relevant to its status or operations and does
    not want to disclose publicly

49
12. A trade secret is
  • a. Any formula, pattern, device or compilation of
    information which is used in one's business and
    which gives that business an opportunity to gain
    an advantage over competitors who do not know or
    use it
  • b. All information about a company which the
    company desires to protect
  • c. Information of a company which is registered
    as such with the Patent Office
  • d. Information so designated by the government

51
13. The control software of a Private Branch
Exchange (PBX) can be accessed and compromised by
calling the telephone number of a device on the
PBX from a computer and modem. The name of this
PBX device is the
  • a. Time Domain Reflectometer
  • b. Remote Maintenance Access Terminal
  • c. Current Carrier Signaling Port
  • d. Internal and Remote Signal Port

53
14. Which of the following is generally not true
in regard to proprietary information?
  • a. Secret information does not have to be
    specifically identifiable
  • b. Secret information must be such that it can be
    effectively protected
  • c. The more narrowly a business defines what it
    regards as secret, the easier it is to protect
    that body of information
  • d. It is difficult to protect as a trade secret
    that which can be found in publicly accessible
    sources

55
15. With respect to trade secrets, it may be
decided that its disclosure by another was
innocent rather than wrongful even in the case
where the person making the disclosure really was
guilty of malice or wrong intent. This situation
may occur when
  • a. There is absence of evidence that an owner
    has taken reasonable precautions to protect
    confidential information
  • b. The trade secret was not registered
  • c. The trade secret did not involve national
    defense information
  • d. The trade secret was not in current use

57
16. The class of person under a duty to safeguard
a proprietary secret is known as
  • a. Agents
  • b. Principals
  • c. Fiduciaries
  • d. Business Associates

59
17. Which of the following is not a correct
statement, or a general rule, involving the
protection of proprietary information?
  • a. By operation of common law employees are
    presumed to be fiduciaries to the extent they
    may not disclose secrets of their employers
    without authorization
  • b. As a class, employees are the largest group of
    persons bound to secrecy because of their status
    or relationship
  • c. Other than employees, any other persons to be
    bound to secrecy must agree to be so bound
  • d. Any agreements to be bound must always be in
    writing and are not implied from acts

61
18. Probably the chief reason for the loss of
information about sensitive operations is
  • a. Deliberately stolen by an outsider
  • b. Loss by fire or other disaster
  • c. Deliberately stolen by insider
  • d. Lost through inadvertent disclosure

63
19. The term eavesdropping refers to
  • a. Wiretapping only
  • b. Bugging only
  • c. Both wiretapping and bugging
  • d. Mail covers

65
20. A microphone which has the characteristics of
requiring no power source to operate it, is quite
small, relatively difficult to detect, and is
offered by equipment suppliers in such items as
cuff links and hearing aids is known as
  • a. Carbon microphone
  • b. Dynamic microphone
  • c. Contact microphone
  • d. Parabolic microphone

67
  • This presentation was designed to be used in
    accordance with other study materials and was not
    intended to be used solely as a study guide. This
    presentation does not contain all material from
    the Information Security section of the CPP
    Study Guide. The presentation was intended to
    give you the Golden Nuggets which will assist
    you with taking the CPP Exam. Thanks, John
    Hewitt, CPP - 5/23/2006.

68
Information Security
John Hewitt, CPP, CIPM
Recommended for study: CPP Study Guide, 12th Edition