Channel: SNP » Education

Minimising risk exposure in high risk countries


There has been a lot in the media recently about cyber warfare and the risk to intellectual property when travelling to certain parts of the world. Various cyber operators have engaged in malicious activity against public and private sector organisations, despite the fact that 88% of executives in a recent Deloitte survey didn’t perceive their company was vulnerable to attack. The apparent objective of this activity has been the theft of intellectual property, trade secrets and business sensitive information. The operators’ aim is to establish a foothold and then move laterally through the target networks. That is a critical reason why IT Security Departments should examine current and historical security logs for evidence of malicious activity.

What should you look for at home?
There are several tools at the disposal of cyber operators. Among the most insidious are targeted spear-phishing campaigns, through which operators move laterally within a network to acquire specific data and often manage to maintain an undetected presence on the target network for months or years. Malware is used to enable control of target networks and is normally launched via such a targeted spear-phishing email campaign. Tools will sometimes be downloaded to target systems during an actual system attack in order to evade local security measures and to achieve the compromise of additional computers on the target network. Second-level domains may be registered to help cyber operators compromise and control target systems.

And when abroad?
The game always changes when we are away from our secure operating environments and have to work remotely. The nature of the risk and the form of attack are both different. So, let us look at what is best corporate practice. This approach should help us develop some sound strategies.

Is your IP at risk in some countries?
The answer is ‘yes’, without any qualification. What does this mean? It means that if you lose control of your laptop, smart phone, tablet or other device for any length of time, you should assume its contents have been copied and undertake consequence analysis. No ifs, no buts, game over. We cannot be any clearer than that.

What mitigation strategies are available?
Best practice internationally is to take in a clean laptop for work purposes. As far as smart phones are concerned, there appears to be a divide between taking in a clean temporary one or using one’s own. Employees should be advised not to take any personal consumer devices into high risk countries and use only company-supplied devices with encryption installed and practical guidance provided. The most critical thing is to maintain 24/7 physical control of laptops and mobiles. Clearly, that is a greater problem with a laptop (going to dinner, engagements, etc.) as hotel safes are not secure locations. At minimum, they should be encased in secure pouches with tamper-evident seals. On balance, it is best to leave them at home.

Should you limit the data that may be carried into high risk countries?
Increasingly, best practice is not to take in hard copy sensitive data or unencrypted USB memory sticks, CDs or DVDs. If you do, the problem remains one of maintaining 24/7 physical control of this material. Fail in that requirement for the briefest of opportunities and you must regard the material as compromised. Again, secure pouches with tamper-evident seals are a minimum.

What security advice should you give travellers?
• Brief travellers thoroughly on the security risks they will face and how this must influence their behaviour;
• Assume any conversation can (not may) be overheard, so any discussion involving sensitive issues needs to involve precautions;
• If a traveller loses control of a portable device for any length of time, assume it is compromised, don’t connect it to the network and notify corporate security;
• Alert travellers to ‘red flag’ issues.

What are red flag issues from a company viewpoint?
• gifts offered to government officials in breach of local or international law;
• gifts to or from a party involved in a tendering process;
• any gift that appears excessive;
• any gift of cash;
• travel expenses for a government official where there is no legitimate business purpose;
• travel or entertainment expenses for the spouse of a government official;
• payment made to a government entity in cash rather than by company cheque or EFT;
• donation to a charitable cause affiliated with a government official or a customer;
• improper expenses;
• vague description on invoice of services provided; and
• refusal to sign a confidentiality agreement.

The list is not exhaustive (leaving drinks unattended so they risk being spiked, accepting offers to go to dubious premises for a knock-out deal on electronics or jewellery, offers of ‘company’, etc. are surely too obvious?), but it gives a flavour of the things for which those travelling on the company’s behalf should be alert and the things that should concern you. Do you have guidance for your travellers? Do you brief them? Do they know the company’s code?

Should the company test devices on return for electronic compromise?
Yes, this should be done, at least on a sampling basis. For any hardware that was out of the traveller’s immediate control for any length of time, testing should be automatic. Most companies will not have the in-house capacity to undertake this, but it may readily be outsourced. Good practice would be to sample 100% of laptops belonging to executives and a lesser percentage for the frequent travellers. Some use EnCase software to create an MD5 hash of the baseline and, when the laptop is returned to the company’s IT department, run an MD5 hash again and compare the results. Others use Anubis, which analyses malware, or md5deep and hashdeep.
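The baseline-and-compare check described above can be sketched as follows. This is an added example, not code from the article or from any of the tools it names; the function names and the sample files are constructed for illustration, and it uses SHA-256 from Python's hashlib in place of the MD5 the article mentions.

```python
import hashlib
import os
import tempfile
# Added example: all function names and sample files below are illustrative.
def hash_file(path, algo="sha256", chunk=1 << 20):
    """Digest a file in chunks so large files do not exhaust memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, algo="sha256"):
    """Map each regular file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = hash_file(full, algo)
    return manifest

def compare(baseline, returned):
    """Report files added, removed or modified since the baseline was taken."""
    b, r = set(baseline), set(returned)
    return {
        "added": sorted(r - b),
        "removed": sorted(b - r),
        "modified": sorted(p for p in b & r if baseline[p] != returned[p]),
    }

def write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample tree standing in for a laptop's file system."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/vpn-client", b"v1")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "notes.txt", b"agenda")
        baseline = build_manifest(root)  # manifest taken before travel
        write(root, "bin/vpn-client", b"v1+patch")  # existing binary altered
        write(root, "bin/helper", b"new")  # new file appears on the device
        os.remove(os.path.join(root, "notes.txt"))  # file deleted
        return compare(baseline, build_manifest(root))  # manifest on return
```

Run the hashing from trusted boot media or against a forensic image, and keep the baseline manifest off the travelling device, since a compromised system can alter both the files and the stored hashes.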

Finally…
A company’s intellectual property is likely more valuable than all its physical assets. For much of the IP, you can lock it up, encrypt it, handle it securely and dispose of it safely. Firewalls and patents are a first wall of protection and are essential, but it is people who are handling the IP. A company’s culture and security awareness training are critical to preventing IP leaks. That training needs to be targeted to meet the particular risks faced by different categories within the company and tailored to the needs of different employees: executives, travellers, sales people. One size does not fit all, but your IP is worth it.

Gerard Walsh

Gerard Walsh is a business risk and resilience management consultant with over 25 years’ security experience, including Corporate Security with global responsibility for AMP, and is a former Deputy Director-General of ASIO.

 

Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.

