AdvertisementFeatureEsotericLtd January2017_riskuk_mar15 10/01/2017 11:28 Page 39
Advertisement Feature
Innovation Brings Risks… Are You Prepared? t the outset, it’s important to remember that information comes in many forms: paper, conversational as well as digital. It’s therefore imperative that any information security regime incorporates more than just the standard network system tests and considers the risks to information from other traditional and innovative corporate espionage threats. Technological advancements are now so fastpaced – and readily adopted – that it appears we no longer question the next innovation presented to us. Most organisations look upon innovation as a positive influence to aid business processes, communication platforms and cost-reductions. However, innovation isn’t solely resting in the hands of the innocent. Devices used to gain intelligence from an organisation are also constantly evolving, and at a tremendous pace. More recent technological advancements have seen us having to counter frequency hopping, spread spectrum, adaptive power and high throughput devices, at the same time as we watch camera technology reduce in size to less than 1 mm.
A
High-speed to light-speed For years, we’ve heard security providers warn of the dangers posed by public Wi-Fi. Even so, employees have become complacent and overly confident in their device security. The false sense of security a network password affords actually allows access with no real authentication and provides a simple and attractive opportunity for the hacker to gain free entry to unsecured devices on the network. Not only do aggressors piggyback on other networks, but as seen during the Rio Olympic Games, hackers are setting up fake/malicious Wi-Fi ‘hotspots’ designed to capture personal information. There are now more avenues than ever that threat actors can and will exploit. In a survey conducted by Osterman, almost half (43%) of those employees questioned admitted to accessing sensitive corporate data on unsecured public networks, such as those in airports, coffee shops, hotels and offsite meeting rooms. This in itself represents a huge challenge for the security manager to rectify as the solution relates to human behaviour. Organisations need to ensure that adequate security restrictions are in place to prevent open Wi-Fi use and restrict file access on BYOD while also conducting awareness programmes to address the behavioural issues. Looking ahead, we also need to consider the impact of the next generations of data transfer.
The latest Wi-Fi to evolve uses the 5 GHz frequency range which is far less congested than the 2.4 GHz range we currently see. It’s capable of a throughput of up to 500 Mbps and will soon be upgraded to Wi-Gig with speeds of up to 7 Gbps. It’s the speed of service that’s of greatest concern: the damage that can be done, the volume of data that can be intercepted and extracted and the malware that can be downloaded all in such a limited time, without the usual warning signs seen in current networks (such as reduced speeds and increased processor activity). Without these ‘flags’, the mindful user is no longer a line of defence and strict control measures by security managers will be an absolute must to prevent interception.
Consideration of Li-Fi Evolution doesn’t stop with speed. The future threat in this arena is Li-Fi. The visible light spectrum is 10,000 times larger than the entire RF spectrum and provides huge potential for data transfer. Researchers have reached data rates of over 10 Gbps (which is more than 250 times faster than superfast broadband). Li-Fi is also expected to be ten times cheaper than WiFi, although it’s not capable of passing through solid structures like walls, for example. These enhancements in technology will certainly require skilled specialists to detect – and ensure protection from – aggressors. Let’s take a look at 4G and 5G. Most devices now operate with 4G capability and the
As a business, we spend most of our working day gathering, processing and disseminating information. Today, information is probably the most valuable asset of any organisation. Now, there must be a heightened degree of awareness in terms of how this myriad detail is managed and secured. Emma Shaw notes the main points to be observed
AdvertisementFeatureEsotericLtd January2017_riskuk_mar15 10/01/2017 11:28 Page 40
Advertisement Feature
encryption it provides is a key security benefit. You might presume that the latest iteration, 5G – which is being field-trialled in Tokyo – would have further enhanced protocols. 5G will be entering commercial use in the near future and is capable of over 100 Mbps throughput. So, you might well ask, what’s the risk? Looking towards the US, both FBI and NSA departments have stated concerns over China’s participation in America’s 5G network. AT&T and Verizon are key players in that network’s development, but need the support of equipment manufacturers like Huawei and ZTE Corporation to be successful. Both are Chinese entities with an extensive history – as played out in the media – of espionage accusations levelled by the US Government. Assessing more current threats, 4G technology has been evolving. Devices like the 4Gee Action Cam are capable of streaming live HD video on 4G networks. High resolution video is no longer dependant on terrestrial Internet bandwidth. Only the most advanced of detection equipment is capable of discovering illicit devices with this capability. It’s clear that organisations need to look towards specialist countermeasure providers in order to ensure sensitive business discussions are conducted in ‘clean’ areas.
Man-In-The-Middle? The long-running nuclear talks were a magnet for the world’s intelligence agencies as they sought to find out more about the Iranian nuclear programme and the negotiating positions of the six nations involved. When such high profile global interests come to the stage, it’s expected that they’ll be a magnet for worldwide intelligence agencies. Swiss prosecutors (OAD) discovered data gathering malware, bugging devices at one of the venues and surveillance signals so prevalent that diplomats vacated the venues to make phone calls in an attempt to avoid all of the microwave interference. One of the major threats today is mobile phone interception, the processes behind which are fairly simple. A false Base Transceiver Station (BTS) will clone a legitimate mobile phone mast and present itself as the strongest available signal to localised mobile phones, causing the phones to connect to the false BTS. The encryption that’s provided by the mobile phone provider is bypassed as the operator becomes the ‘Man-In-The-Middle’ and can listen-in to calls, track incoming and outbound activity and even emulate the phones. A false BTS can be fixed or portable. This is a real and highly effective threat. Users may
notice the phone battery life falling or signal fluctuations, but that’s no real indicator of the true situation. The only real detection is by way of the very latest specialised equipment, designed to recognise a false BTS, and of course a skilled operative capable of locating and analysing the threat.
Capability of a ‘bug’ Traditionally, the capability of a ‘bug’ and its location was capped by the power source it used. For short term espionage attacks, device battery life may extend to 30 days with intermittent record and forward functionality. For more long-term devices, a permanent power supply is required, which invariably means connection to cabling within the target building infrastructure. While posing a challenge for inhouse security teams to locate, this is resolved through the technical solutions employed in a countermeasures survey. However, we now have new advancements to contemplate. Lithium-Sulphur, solid state batteries, hydrogen fuel cells and air batteries (which run on water) are all developing at a rapid pace. Indeed, billions of dollars are being invested on R&D procedures. Batteries are now lasting significantly longer and are much smaller than in days of old. For example, an air battery is capable of powering a device for four times the duration of its lithium-ion equivalent and is set to be available at a fraction of the cost. As this technology develops still further, illicit devices will reduce in size while their effective duration increases. It takes a highly-skilled and well-informed engineer to locate such concealed devices using a range of physical and technical solutions. Battery life continues to push the boundaries, but there are emerging threats that don’t have such constraints. Tribo-Electric Nano Generator (TENG) involves technology originally designed for use in hearing aids. The vibrations of everyday noise are turned into electrical energy. This can then charge the internal capacitor so that it becomes a self-powered microphone. This means a deep plant device is no longer dependent on large or external power sources. No longer can an organisation depend on tracing cabling intercepts/junctions as an indicator of deep plant bugs. Detection is made possible thanks to experienced engineers using advanced technical and physical methods.
Countering the threat The present economic climate, the changing threat landscape and advancements in the way in which we all do business today means that companies have never been more vulnerable to
AdvertisementFeatureEsotericLtd January2017_riskuk_mar15 10/01/2017 11:30 Page 41
Advertisement Feature
acts of espionage. The threat is broad and the solution must be equally so if we’re to effectively address the risk. Ultimately, it’s the case that a combination of technical and nontechnical measures is going to be required in order to identify and subsequently mitigate an organisation’s vulnerabilities. The best way in which an organisation can protect its proprietary information is by educating its employees about what’s held by the business which is deemed valuable. If all employees understand what needs to be protected, they can better understand how and from whom to protect it.
Physical security measures Further, ensuring that appropriate physical security measures are in place – such as access control solutions, clear desk policies for all members of staff, tailgating prevention and employee vigilance – can go a long way towards preventing unauthorised access to privileged information. With the introduction of personal liability for directors in connection with corporate governance issues and compliance, most highperforming organisations have their offices swept for listening devices once or twice every year. This frequency of process may need to be increased if a business finds itself confronted by a heightened period of risk such as in a preresults announcement phase or during high levels of M&A activity. The chances are that your company is most likely already the target of some form of deliberate corporate espionage activity. Such activity has the ability to negatively affect share prices. In addition, it may well undermine confidences and could compromise client security and confidentiality. When companies lose control of proprietary information, it’s fair to say that there can be serious consequences.
Corporate compliance Cultivating a position whereby your organisation can promote the fact that it has considered every eventuality is proactive. Not only does this ensure corporate compliance, but also assists in new business acquisition from increasingly security-conscious corporate clients as well as offering an additional level of comfort to your existing client base. As stated at the outset, information comes in many forms. A security regime that encompasses all disciplines – including physical, personnel, operational and technical security – really is the only effective solution. Organisations need to look at their defences and ensure that sensitive information is well protected. They must employ a level of countermeasures appropriate to the risks and potential losses confronted by the business.
Esoteric Ltd Esoteric Ltd is a specialist Technical Surveillance Countermeasures (TSCM), bug sweeping and covert surveillance company working discreetly with corporations, Government departments and high-net worth individuals on the global stage to safeguard private information and conversations from illicit eavesdropping devices and bugs. Many of today’s organisations face increasing threats from acts of terrorism, crime, espionage, single-issue pressure groups and improper or corrupt behaviour by members of staff. The single greatest asset held by most organisations is information and, with this in mind, a growing number of businesses now take proactive steps to protect that information and so deter criminals before any damage can be done. To discuss your concerns and how Esoteric Ltd can assist with solving them please contact us on (telephone) 01483 740423, e-mail us at: mail@esotericltd.com or visit our website for more information: www.esotericltd.com
Emma Shaw MBA CSyP FSyI FCMI: Managing Director of Esoteric Ltd
Project1_Layout 1 09/01/2017 17:05 Page 1
͞ ŽƚŚ ƚƌĂĚŝƟŽŶĂů ĂŶĚ ĐLJďĞƌ ĞƐƉŝŽŶĂŐĞ ĐŽŶƟŶƵĞ ƚŽ ƉŽƐĞ Ă ƚŚƌĞĂƚ ͘͘͘ ǁŝƚŚ ƚŚĞ ĐŽŵŵĞƌĐŝĂů ƐĞĐƚŽƌ ǀĞƌLJ ŵƵĐŚ ŝŶ ƚŚĞ ĨƌŽŶƚ ůŝŶĞ͟ >ŽƌĚ ǀĂŶƐ ŽĨ tĞĂƌĚĂůĞ < > ĨŽƌŵĞƌ ŝƌĞĐƚŽƌ 'ĞŶĞƌĂů͕ ƌŝƟƐŚ ^ĞĐƵƌŝƚLJ ^ĞƌǀŝĐĞ
:ƵƐƚ ŚŽǁ ĐŽŶĮĚĞŶƟĂů ŝƐ LJŽƵƌ ĐŽŶĮĚĞŶƟĂů ŝŶĨŽƌŵĂƟŽŶ͍
dŚĞ ƐŝŶŐůĞ ŐƌĞĂƚĞƐƚ ĂƐƐĞƚ ŚĞůĚ ďLJ ĂŶ ŽƌŐĂŶŝƐĂƟŽŶ ŝƐ ƚŚĞŝƌ ŝŶĨŽƌŵĂƟŽŶ͘ /ƚƐ ƉƌŽƚĞĐƟŽŶ ŝƐ ĐƌƵĐŝĂů ƚŽ ƚŚĞ ƐƵĐĐĞƐƐ ŽĨ ĂŶLJ ďƵƐŝŶĞƐƐ͘ ƐŽƚĞƌŝĐ ƐƉĞĐŝĂůŝƐĞƐ ŝŶ ƉƌŽǀŝĚŝŶŐ ĞŶĚͲ ƚŽͲĞŶĚ ƐŽůƵƟŽŶƐ ƚŽ ĂĚĚƌĞƐƐ ƚŚĞ ŝƐƐƵĞƐ ŽĨ ĐŽƌƉŽƌĂƚĞ ĞƐƉŝŽŶĂŐĞ͕ ĐŽŵƉĞƟƟǀĞ ŝŶƚĞůůŝŐĞŶĐĞ ŐĂƚŚĞƌŝŶŐ ĂŶĚ ƚŚĞŌ ŽĨ ŝŶĨŽƌŵĂƟŽŶ ĂŶĚ ŝŶƚĞůůĞĐƚƵĂů ƉƌŽƉĞƌƚLJ͘ Our core services include: ͻ dĞĐŚŶŝĐĂů ^ƵƌǀĞŝůůĂŶĐĞ ŽƵŶƚĞƌŵĞĂƐƵƌĞƐ ͬ ůĞĐƚƌŽŶŝĐ ƵŐ ^ǁĞĞƉŝŶŐ ͻ ĐĐƌĞĚŝƚĞĚ d^ D dƌĂŝŶŝŶŐ ĂŶĚ ƐƉŝŽŶĂŐĞ ǁĂƌĞŶĞƐƐ ƌŝĞĮŶŐƐ ͻ WŚLJƐŝĐĂů ^ĞĐƵƌŝƚLJ ZĞǀŝĞǁƐ ͬ WĞŶĞƚƌĂƟŽŶ dĞƐƟŶŐ ͻ ^ĞĐƵƌŝƚLJ ^ƚƌĂƚĞŐLJ ĞǀĞůŽƉŵĞŶƚ ĂŶĚ ^ƵƉƉŽƌƚ ͻ ŽǀĞƌƚ /ŶǀĞƐƟŐĂƟŽŶƐ ĂŶĚ ^ƵƌǀĞŝůůĂŶĐĞ ͻ LJďĞƌ ƐƉŝŽŶĂŐĞ ZĞƐƉŽŶƐĞ ĂŶĚ ZĞǀŝĞǁ ͻ ŽŵƉƵƚĞƌ ͬ DŽďŝůĞ ĞǀŝĐĞ &ŽƌĞŶƐŝĐ /ŶǀĞƐƟŐĂƟŽŶƐ ͻ dƌĂǀĞůůĞƌ WƌŽŐƌĂŵŵĞ ;ŝŶĐůƵĚŝŶŐ ƐƚĞƌŝůĞ ĞƋƵŝƉŵĞŶƚͿ ͻ Z& ĂŶĚ ^ŽƵŶĚ ƩĞŶƵĂƟŽŶ dĞƐƟŶŐ
ƐŽƚĞƌŝĐ ŝƐ Ă ŐůŽďĂů /^Kͬ/ ϮϳϬϬϭ ĂŶĚ LJďĞƌ ƐƐĞŶƟĂůƐ ĂĐĐƌĞĚŝƚĞĚ ĐŽƵŶƚĞƌĞƐƉŝŽŶĂŐĞ ĂŶĚ d^ D ĐŽŵƉĂŶLJ͕ ƉƌŽǀŝĚŝŶŐ ĐŽŶĮĚĞŶƟĂů ƐĞƌǀŝĐĞƐ ƚŽ Ă ƌĂŶŐĞ ŽĨ ďŽƚŚ ƉƵďůŝĐ ĂŶĚ ĐŽŵŵĞƌĐŝĂů ƐĞĐƚŽƌ ĐůŝĞŶƚƐ ĂƌŽƵŶĚ ƚŚĞ ǁŽƌůĚ͘ ƐŽƚĞƌŝĐ DŝĚĚůĞ ĂƐƚ ƉƌŽǀŝĚĞƐ Ă ĨƵůů ƐƵŝƚĞ ŽĨ ĐŽƵŶƚĞƌͲƐƵƌǀĞŝůůĂŶĐĞ ƐĞƌǀŝĐĞƐ ƚŽ ĐůŝĞŶƚƐ ŝŶ ƚŚĞ D E ƌĞŐŝŽŶ͘ Ăůů ƵƐ ƚŽĚĂLJ ƚŽ ĚŝƐĐƵƐƐ ĂŶLJ ƌĞƋƵŝƌĞŵĞŶƚƐ LJŽƵ ŚĂǀĞ Žƌ ƚŽ ĐŚĂƚ ƚŚƌŽƵŐŚ ŚŽǁ ƐŽƚĞƌŝĐ ŵŝŐŚƚ ƐƵƉƉŽƌƚ LJŽƵ͘
Esoteric Ltd
Esoteric Middle East
нϰϰ ;ϬͿ ϭϰϴϯ ϳϰϬ ϰϮϯ ŵĂŝůΛĞƐŽƚĞƌŝĐůƚĚ͘ĐŽŵ ǁǁǁ͘ĞƐŽƚĞƌŝĐůƚĚ͘ĐŽŵ
нϵϳϭ ϱϲ ϯϴϵϵ ϰϯϲ ŵĂŝůΛĞƐŽƚĞƌŝĐ͘ĂĞ ǁǁǁ͘ĞƐŽƚĞƌŝĐ͘ĂĞ