Sensitive Information - PowerPoint PPT Presentation

1
Sensitive Information
  • CPP Study Group
  • Linda Kirksey, CPP

2
Proprietary Information
  • Information over which the possessor asserts
    ownership and which is related to the activities
    or status of the possessor in some special way.

3
Trade Secret
  • Information including a formula, pattern,
    compilation, program, device, method, techniques
    or process that

4
Trade Secret
  • 1. Derives independent value, actual or
    potential, from not being generally known to, and
    not being ascertainable by proper means, by other
    persons who can obtain economic value from its
    disclosure or use, and
  • 2. Is the subject of efforts that are reasonable
    under the circumstances to maintain its security.

5
Trade Secret
  • Entitled by law to more protection than other
    kinds of proprietary information.
  • I.e., a company can protect against threatened
    disclosure of a trade secret by injunction.

6
Trade Secret
  • To protect a trade secret, the owner must prove all of the
    following elements:
  • The information is identifiable by group or type
  • The information is not available in public
    sources
  • It may be disclosed only to persons with a duty
    to protect it
  • Persons to whom the information is disclosed must
    know that it is secret
  • The owner must be able to prove positive action
    taken to protect the information from disclosure.

7
Trade Secret
  • The quantity of secret information or data should
    be as small as possible
  • For an established trade secret the owner may get
    protection through the fiduciary status or
    through a written agreement with the employee
  • The most serious internal threat to trade secrets
    is the employee
  • Not all sensitive information is a trade secret

8
Patent
  • A government grant conveying and securing the
    exclusive right to make, use, and sell an
    invention for a term of seventeen years.

9
Patent
  • Distinctions between patents and trade secrets
  • Requirements for obtaining a patent are specific
  • A much lower level of novelty is required
  • A trade secret remains secret as long as it
    continues to meet trade secret tests
  • An exclusive right to patent protection expires
    after 17 years

10
Legal Disclosure
  • Two concepts are recognized with regard to
    proprietary information
  • Property concept - information has independent
    value if it is a trade secret
  • Fiduciaries, special positions of trust and
    confidence cannot divulge without the consent of
    owner.

11
Legal Disclosure
  • To protect the property of proprietary
    information, owner has the right to
  • Sue
  • Recover profits under equity theory of unjust
    enrichment
  • Restrain another from the use of the property
  • Retain the exclusive use of the property.
  • Two general forms of relief are money and
    injunction

12
Legal Disclosure
  • Prior to instituting litigation, consider
  • The owner may have to expose the very secrets
    he is trying to protect
  • The cost may be too high
  • The trade secret owner may lose the case

13
Protecting Information from Loss
  • A. Data concerning production of goods or
    gaining and retaining customers should be
    considered sensitive information requiring
    protection
  • B. Inadvertent disclosure by a person authorized
    to have the information is the major cause of
    information loss
  • C. Theft of information by an outsider
  • D. Information Brokers

14
Protecting Information from Loss
  • Categories would include
  • Competitive Intelligence Collection and
    Industrial Espionage
  • Basic rule for all employees - Never reveal
    information to anyone that you would not reveal
    to a competitor.

15
Proprietary Information Protection Programs
  • Identify and group at least two categories of
    information
  • 1. That which is critical to the ongoing
    viability of the enterprise
  • 2. That which should not be released to the
    public

16
Proprietary Information Protection Programs
  • The smallest possible bodies of information are
    desired.
  • Designate employees authorized to classify
    information
  • Mark the information or data
  • Provide for control of information
  • Educate employees on the need and procedures for
    the protection

17
Proprietary Information Protection Programs
  • Countermeasures to be implemented
  • Clear policy and procedural statements
  • Pre-employment screening
  • Procedures for review of incumbent employees
  • Nondisclosure and secrecy agreements
  • Physical security measures
  • System of regular audits or internal inspections
  • Awareness programs
  • Continuous monitoring

18
Eavesdropping
  • Defined as knowingly and without lawful authority
    entering into a private place with intent to
    listen surreptitiously to private conversations
  • Installing or using outside a private place any
    device for hearing, recording, amplifying, or
    broadcasting sounds originating in such place
    which sounds would not ordinarily be audible and
    without consent
  • Installing or using any device for the
    interception of any telephone, telegraph, or
    other wire communication without the consent of
    the person

19
Eavesdropping
  • Eavesdropping by wiretapping is the interception
    of communication over a wire without the consent
    of participants and requires physical entry into
    the communication circuit
  • Eavesdropping by bugging is the interception of
    communication without the consent of the
    participants by means of electronic devices and
    without penetration of a wire

20
Eavesdropping
  • A pen register or dialed number recorder is a
    device used to monitor telephone calls by
    providing a record of all numbers dialed from a
    particular phone. It provides both the date and
    time a call was made

21
Eavesdropping - Wired Microphones
  • Carbon microphone
  • Crystal microphone
  • Contact microphone
  • Spike microphone
  • Dynamic microphone
  • Pneumatic cavity device
  • Condenser microphone
  • Electret microphone
  • Omnidirectional microphone
  • Cardioid microphone
  • Parabolic microphone
  • Shotgun microphone

22
Eavesdropping - Wireless Microphone
  • A radio frequency device (RF) consisting of a
    microphone, transmitter, power supply, antenna
    and receiver.

23
Eavesdropping
  • Current Carrier Device - carries radio signals
    over virtually every type of wire path. Signal
    is usually blocked by power transformers
  • Light Transmission - Laser beam focused on a
    window pane. The vibrating glass modulates a
    reflected laser beam
  • Electromagnetic Radiations - Detected
    electromagnetic energy is generated by electronic
    information processing devices. Detection is
    possible for several hundred feet. The Faraday
    cage or Tempest shielding is used for very
    sensitive equipment.

24
Telephone Eavesdropping
  • Interception from the lines. Information
    acquired includes voice, facsimile, teletype or
    data.
  • Two common methods
  • Direct physical connection anywhere on the
    line between the target area and the telephone
    central office
  • Inductive coupling which does not require a
    physical connection

25
Telephone Eavesdropping
  • Use of telephone equipment in the target area.
    Requires physical entry into the target area.
  • 1. Wiring alteration of the telephone set
    requires technical knowledge
  • 2. Drop-in radio transmitter
  • 3. Infinity transmitter (harmonica bug) can be
    accessed using any other telephone. Not used
    in electronic telephone switch systems.

26
Telephone Eavesdropping
  • Digital Systems - originally thought to be secure
  • 1. Digit stream can be recorded and converted
    to analog and speech.
  • 2. The system is computer controlled and the
    control system is available from an on-site
    terminal or from off-site network. (Remote
    Maintenance Access Terminal (RMAT))
  • 3. Controller can electronically add an
    extension or bridge a line

27
Technical Countermeasures Sweeps
  • A. Physical search - detailed, time-consuming,
    expensive task conducted in specific areas only.
    Required for a complete countermeasures survey.
  • 1. All furniture is moved and examined.
  • 2. Baseboards are examined for signs of
    modification.
  • 3. Walls are examined in detail for holes,
    mismatched paint, new plaster.
  • 4. All wiring traced and accounted for. Any wire
    not in use is removed.
  • 5. Light switches and fixtures are pulled out
    and examined.
  • 6. Ventilation duct covers are removed
    and ducts examined.
  • 7. Space above a dropped
    ceiling (plenum) is examined.

28
Technical Countermeasures Sweeps
  • B. Telephone search - done by a technician
    familiar with the specific equipment
  • 1. Handsets are examined for drop-in transmitters
    or wiring alteration.
  • 2. All cables are inspected for unusual
    attachments or bulges.
  • 3. Junction boxes and wiring closets are examined
    and all connections verified.
  • 4. Telephone distribution room
    wiring is verified.

29
Technical Countermeasures Sweeps
  • Electronic search - No remote device or
    technique can guarantee to find a well-installed
    device installed by an experienced technician

30
Technical Countermeasures Sweeps
  • 1. Time domain reflectometry - an electronic
    picture of a telecommunications line at a given
    time which is compared to the same line at a
    future time.
  • 2. Telephone analyzer - electronic analysis of
    the telephone set and of the telephone line for
    wiring modification or an installed radio
    transmitter

31
Technical Countermeasures Sweeps
  • 3. Field strength meter - measures the relative
    radio frequency energy present at a given point.
    Not as good as the countermeasures receiver.
  • 4. Countermeasures radio receiver - searches a
    large part of the radio spectrum to isolate and
    identify a signal.
  • 5. Spectrum analyzer - displays a large part of
    the RF spectrum and the corresponding side bands.
    Used in conjunction with the countermeasures
    receiver to find all signals and give a visual
    analysis of the signal.

32
Technical Countermeasures Sweeps
  • 6. Metal detector - not very reliable.
  • 7. Non-Linear Junction Detector - Transmits a
    microwave signal. A semiconductor reradiates the
    beam at a multiple (harmonic) of the original
    frequency. Will find a semiconductor device
    which is dead. Now considered very reliable.

33
Fax Security; Cellular and Cordless Telephones
  • The information sent and received on fax machines
    operated in an open area and those which are
    operational in other than normal business hours
    is subject to compromise. Make sure procedures
    for security of fax communications have been
    implemented.
  • Cellular and cordless telephones, analog and
    digital, transmit RF signals which can be
    intercepted.
  • Digital signals can be taped and converted back
    to analog for use
  • A cellular telephone transmits a mobile
    identification number and electronic serial
    number which identify the cellular telephone set.
    The signals can be intercepted and the cellular
    telephone cloned for illicit use

34
Special Considerations
  • A. Partitions, floors, ceilings - use non-porous
    material and/or staggered stud construction.
  • B. Windows and doors - Double pane windows with
    drapes. Solid doors with rubber or felt gaskets.
    Better is two doors in series, properly sealed.
  • C. Cracks, holes and ducts - seal all openings.
    Line the ducts and install acoustic baffles.
  • D. Audio Masking - generation of noise at the
    perimeter of the secure area to cover or "mask"
    conversation. Music is not used. "White" or
    "Pink" noise is not as easily filtered from the
    tape.
  • E. Encryption - available for most types of
    communications. A unit at each end of the call
    alters the communication and renders it useless
    to an interceptor. Also available as Variable
    Path Encryption (VPE) (scrambling)

35
The End