By Peter C Crussell & Emma Page
|
|
|
Most companies are unaware of how easy it is to bug another. When a large multi-national company is the victim of a bugging scandal then it makes headline news. (Photo by Audiotel International Ltd.) |
INFORMATION SECURITY
Until recently, most employees of large organisations viewed Information Security as a technical process carried out by Security and IT Personnel. Provided that restricted information remained within the company, Information Security was considered an operations function that did not require the attention of the rest of the organisation.
Today, concerns about Information Security have moved from the security operation to the boardroom. Many organisations are now conducting audits of their Information Security, evaluating options, considering consequences and implementing structural and operational changes.
It was inevitable that, over time, Information Security would be reviewed to improve the effectiveness and efficiency of information protection. Recent incidences of Industrial Espionage such as the Phillip Greenwood Marks & Spencer takeover bid have accelerated that review process because of security concerns. As organisations analyse and amend their processes, they achieve not only a greater level of security, but also a greater confidence in knowing their information is safe.
In making decisions about Information Security, there are a range of tools to choose from that provide different levels of security. Obvious measures such as a good CCTV and Access Control System prevent information thieves from having the opportunity to steal information. Shredding facilities, computer passwords and lockable cabinets all protect or destroy confidential documentation, preventing it from being copied or stolen. The least understood and potentially most damaging form of information theft, that of electronic eavesdropping, is an area where little action is taken.
THE ELECTRONIC EAVESDROPPING THREAT
|
|
|
Be prepared for the continuing battle with those wishing to take unfair advantage of your organization. (Photo by Audiotel International Ltd.) |
In the days of the Cold War, spying and audio-surveillance were something of an elite profession limited to government agencies. Equipment was made especially for these agencies and training kept exclusive and highly secret.
In more recent times, with information becoming increasingly accessible and technology advancing rapidly, anyone has the potential to become a commercial spy. The Internet provides a 24-hour gateway to thousands of websites providing in-depth instructions on which listening or ¡®bugging¡¯ devices to purchase and effective deployment methods. Entering keywords such as ¡®spy shop¡¯ into major search engines produces millions of results.
This information is not just limited to hearsay and speculation. Authoritative sources such as ex-MI5 and CIA agents are often seen in the media sharing covert surveillance techniques. Methods which just a few years ago were closely guarded secrets are now common knowledge.
It is little wonder then that a recent U.K. Department of Trade and Investment report estimated that ¡®in 2004, 68% of U.K. businesses will suffer at least one malicious security breach, rising to 91% for larger companies1).¡¯ This can be seen reflected in recent cases in the media such as the Marks & Spencer takeover.
ELECTRONIC LISTENING DEVICES
|
|
|
With technology becoming increasingly sophisticated, microphones can be found the size of match-heads and recording devices can take shape as everyday objects such as pens and wristwatches. (Photo by Audiotel International Ltd.)
|
The bug market in the U.K. alone is worth tens of millions of pounds. Back in 1996 Privacy International reported that ¡®an estimated 200,000 bugs and covert cameras were sold in the U.K. each year2)¡¯, today the number is probably double that! One London Company alone claims to have 4,500 regular customers and has taken 47,000 enquiries about listening devices in an 18-month period3).
Specialist retail outlets, mail order catalogues and Internet Websites are home to a vast number of companies selling listening devices, from top of the range specialist equipment to simpler devices costing as little as a few tens of pounds. Even the most expensive of devices can be seen as inexpensive in comparison to the value of the information sought.
With technology becoming increasingly sophisticated, microphones can be found the size of match-heads and recording devices can take shape as everyday objects such as pens and wristwatches. Leading suppliers offer customized services allowing customers to choose virtually any object to conceal their device. One of the latest examples, publicised in the media, is concealed in a commercial drinks bottle. Mobile phones are such a part of everyday life they are rarely given a second thought, yet they are increasingly being used as listening devices and covert cameras.
Advanced devices are now available which can be controlled remotely from an outside location. Such devices can be deactivated when necessary such as out-of-office hours and during routine sweeps. This not only cuts down on battery usage, thereby prolonging the life of the bug, but also makes devices harder to find.
CORRECTIVE AND PROTECTIVE MEASURES
There are a number of security procedures that can be put in place to prevent electronic eavesdropping attacks. These procedures fall into two main categories -- Corrective Measures and Protective Measures.
With Industrial Espionage widespread many organisations already undertake corrective measures against eavesdropping but this is often a reaction to discovery of an aggressive action by a third party by which time the damage is already done. The possible reasons for this are firstly most companies are unaware of how easy it is to bug another and therefore, feel they are not at risk, and for those companies who do realise the threat probably don¡¯t realise that there is effective and affordable equipment commercially available. When a large multi-national company is the victim of a bugging scandal then it makes headline news such as the bugging of Unilever by its rival which was headline news in 2001.
Intruder alarms, Access Control and CCTV are now common place security measures and in an ideal world, a perfect access control system would make installation of listening devices impossible, however, many swipe cards are low security and simple to copy, threats may come from within, your own staff, contract staff, etc. As a result of this there are several measures that you can use to protect your premises bearing in mind than no one method used in isolation should be considered to be suitable protection.
Areas where sensitive material will be discussed should be identified along with the individual employees who need to be part of those discussions and evaluation of the value of the information both to the company and to a third party such as a competitor should be made.
Simple, basic measures can be used such as closing blinds and/or curtains during meeting to prevent the use of laser microphones or lip-readers using binoculars, however, if your competitor is really determined to bug your premises then in reality it should be a reasonably simple task for them to identify someone with access to your building who could plant a device for a small financial reward. It is important, therefore, to minimise the risk by vetting staff and contractors. How often do you vet contract staff? For instance if you are having the offices redecorated do you know who is actually on site? Are they monitored by your security guard all the time? The answer is probably not.
A company is only as safe as its weakest link, so areas of weakness should be identified as this may highlight where an attack is most likely to come from and importantly, educate your staff, make people aware of the value of the information and don¡¯t discuss sensitive information in public places.
In the same way that an intruder alarm will only minimise the risk of a house or building being broken into the measures described above will not stop the determined buggist, therefore, it will be necessary to take other action to ensure the safety of your spoken word by doing regular, systematic searches of areas where sensitive information will be discussed; board rooms; meeting rooms; coffee rooms.
Eavesdropping devices come in a variety of different forms and the Countermeasures equipment available has traditionally been designed to be specific for a particular type of device. This has meant that an investment in several different pieces of equipment was necessary, making the cost of equipment high; however, there is now commercially available equipment on the market that amalgamates several detection techniques in one unit making simple detection both affordable and easy to perform.
Alternatively there are several companies that offer a service of ¡®sweeping¡¯ rooms for listening devices with personnel trained in both physical and electronic search routines. Any search for electronic eavesdropping would include the following classes of device:
Whilst an exhaustive physical search would eventually find offending devices, this would be so time consuming that it would be impractical. Equipment used by Sweep Teams would most likely include (depending on level of threat):
Radio Transmission Detectors
Non-linear Junction Detector (NLJD)
Can find hidden electronic devices even if they are not active or powered.
Burst Transmission Detector
For non-continuous transmitters e.g., GSM Phones
Cable Checker
Helps to identify anomalies in telephone and computer network cable.
Physical Search Tools
-
Basic Toolkit
-
Tamperproof labels to put on power sockets, phone sockets, light switches, etc. after they have been thoroughly inspected and tested.
Even with the technical capability of the latest offerings from Technical Surveillance Counter Measures (TSCM) manufacturers, physical search is still vitally important and shortcuts should never be taken, as to do so would mean that no guarantees could be made about the security of the room or building if this is not done sufficiently well or not done at all.
When looking for a reputable company or organisation to perform ¡®sweeps¡¯ of rooms or buildings extreme caution is required as there is currently no operational regulator, watchdog or ombudsman to guard you from opportunist ¡®s weep¡¯ companies. There are plans being discussed and devised at the moment to introduce legislation which means that, in future, individuals and companies offering ¡®sweep¡¯ services will need to be licensed by the Security Industry Association. This association was launched in 2003 with the specific aim of regulating and licensing the private security industry and it is currently expected that this legislation will be introduced within the next few years.
THE BATTLE IS NOT OVER YET!
Having had my offices ¡®swept¡¯ for listening devices can I now guarantee to be safe? Unfortunately not.
Having your offices ¡®swept¡¯ every 3 or 6 months is not the end of the story. With the potential for listening devices to be deployed in between searches; measures may need to be taken on a daily basis to minimise the risk of uninvited ¡®listeners¡¯ being present at your board meeting, strategy meeting, development planning meeting, patent meeting, etc.
Equipment has become available, at an affordable price, in the last year from the U.K. to help organizations cope with the ongoing threat of eavesdropping by enabling them to conduct their own searches with simple-to-use equipment that does not require extensive training or previous experience. This might be used for a quick check of a room immediately prior to an important meeting; or even a hotel conference area when away from your normal premises. Use of this equipment can determine quickly if a room is at threat and procedures can be set up to deal with this if a threat is thought to be present. Already many companies, particularly in the private sector such as Financial, Insurance, Law, Retail, have taken the decision to make an investment for the sake of their security.
If you need continuous ¡®real-time¡¯ protection then networked distributed systems are becoming available that are able to monitor an area continuously for a range of radio signals in many locations; providing an alarm to the operator when unusual activity is detected. All this from the comfort of the operator¡¯s PC that could be located in another building, city or even country.
Be prepared for the continuing battle with those wishing to take unfair advantage of your organization, whether it takes the form of a sophisticated electronic device remotely controlled to make it particularly difficult to detect, a mobile phone ¡®carelessly¡¯ left behind in your office or an unexpected gift of a bug disguised as pen.
The chances of being ¡®attacked¡¯ are significantly higher than most of us believe, which is why so many companies and organisations are making investments in protecting their spoken words.
You do not know when it will be you.
|
END NOTE
1) Price Waterhouse Coopers report for the U.K. Department of Trade and Industry: ¡°2004 DTI Information Security Breaches Survey¡± www.pwcglobal.com/images/gx/eng/about/svcs/grms/2004Exec_Summ.pdf
2) Privacy International, 1996 report. www.privacyinternational.org/survey/technologies.html
3) SIP Services International. www.sip-international.co.uk/debuggingPage4.htm |
Peter C Crussell is the Commercial Manager of Audiotel International Ltd.
Emma Page is the Marketing Officer in the Corporate Communications and Development Department, University of Northampton.
For more information, please send your e-mails to swm@infothe.com.
¨Ï2007 www.SecurityWorldMag.com. All rights reserved.
|
