Upload
gervais-cox
View
236
Download
1
Tags:
Embed Size (px)
Citation preview
Sensitive InformationSensitive Information
Sample Questions
1. Any formula, pattern, device or compilation of information which is used in one’s business and which gives him an opportunity to gain an advantage over competitors who do not know or use it is:
• a. A monopoly
• b. An unfair trade practice
• c. A trade secret
• d. A patent
1. Any formula, pattern, device or compilation of information which is used in one’s business and which gives him an opportunity to gain an advantage over competitors who do not know or use it is:
• a. A monopoly
• b. An unfair trade practice
• c. A trade secret
• d. A patent
2. Probably the main reason for loss of sensitive information is:
• a. Inadvertent disclosure
• b. Deliberately stolen by outsider
• c. Industrial espionage
• d. Deliberately stolen by insider
2. Probably the main reason for loss of sensitive information is:
• a. Inadvertent disclosure
• b. Deliberately stolen by outsider
• c. Industrial espionage
• d. Deliberately stolen by insider
3. The primary tool of pre-employment screening is the:
• a. Interview
• b. Application form
• c. The investigation
• d. The investigator
3. The primary tool of pre-employment screening is the:
• a. Interview
• b. Application form
• c. The investigation
• d. The investigator
4. Competitive intelligence gathering is a legitimate activity which is engaged in by many firms throughout the world. The most important function of competitive intelligence is to:• a. Alert senior management to marketplace
changes in order to prevent surprise• b. Alert senior management as to the personal
habits of competitive senior management
• c. Alert government intelligence agencies to marketplace changes
• d. Alert senior management to changes in protocol in foreign countries
4. Competitive intelligence gathering is a legitimate activity which is engaged in by many firms throughout the world. The most important function of competitive intelligence is to:• a. Alert senior management to marketplace
changes in order to prevent surprise
• b. Alert senior management as to the personal habits of competitive senior management
• c. Alert government intelligence agencies to marketplace changes
• d. Alert senior management to changes in protocol in foreign countries
5. The instrument used to monitor telephone call by providing a record of all numbers dialed from a particular phone is called:
• a. A wiretap
• b. A bug
• c. An electronic surveillance
• d. A pen register
5. The instrument used to monitor telephone call by providing a record of all numbers dialed from a particular phone is called:
• a. A wiretap
• b. A bug
• c. An electronic surveillance
• d. A pen register
6. A clandestine listening device, generally a small hidden microphone and radio transmitter is known as :
• a. A bug
• b. A wiretap
• c. A tempest
• d. A beeper
6. A clandestine listening device, generally a small hidden microphone and radio transmitter is known as :
• a. A bug
• b. A wiretap
• c. A tempest
• d. A beeper
7. A microphone with a large disk-like attachment used for listening to audio from great distances is known as:
• a. Contact microphone
• b. Spike microphone
• c. Parabolic microphone
• d. Moving coil microphone
7. A microphone with a large disk-like attachment used for listening to audio from great distances is known as:
• a. Contact microphone
• b. Spike microphone
• c. Parabolic microphone
• d. Moving coil microphone
8. Sound waves too high in frequency to be heard by the human ear, generally above 20 KHZ are known as:
• a. Microwaves
• b. Ultrasonic
• c. High frequency
• d. Short-wave
8. Sound waves too high in frequency to be heard by the human ear, generally above 20 KHZ are known as:
• a. Microwaves
• b. Ultrasonic
• c. High frequency
• d. Short-wave
9. Two methods of protection against telephone line eavesdropping are apparently reliable. The first method is “don’t discuss sensitive information” and the other is:• a. To use a wire tap detector
• b. To use a radio jammer
• c. To use an audio jammer
• d. To use encryption equipment
9. Two methods of protection against telephone line eavesdropping are apparently reliable. The first method is “don’t discuss sensitive information” and the other is:• a. To use a wire tap detector
• b. To use a radio jammer
• c. To use an audio jammer
• d. To use encryption equipment
10. The unauthorized acquisition of sensitive information is known as:
• a. Industrial espionage
• b. Embezzlement
• c. Larceny
• d. False pretenses
10. The unauthorized acquisition of sensitive information is known as:
• a. Industrial espionage
• b. Embezzlement
• c. Larceny
• d. False pretenses
11. Proprietary information is:
• a. Information which must be so classified under government order
• b. Private information of highly sensitive character
• c. Defense data which must be classified according to federal regulations
• d. Anything that an enterprise considers relevant to its status or operations and does not want to disclose publicly
11. Proprietary information is:
• a. Information which must be so classified under government order
• b. Private information of highly sensitive character
• c. Defense data which must be classified according to federal regulations
• d. Anything that an enterprise considers relevant to its status or operations
and does not want to disclose publicly
12. A trade secret is:
• a. Any formula, pattern, device or compilation of information which is used in one’s business and which gives that business an opportunity to
gain an advantage over competitors who do not know or use it
• b. All information about a company which the company desires to protect
• c. Information of a company which is registered as such with the Patent Office
• d. Information so designated by the government
12. A trade secret is:
• a. Any formula, pattern, device or compilation of information which is used in one’s business and which gives that business an opportunity to
gain an advantage over competitors who do not know or use it
• b. All information about a company which the company desires to protect
• c. Information of a company which is registered as such with the Patent Office
• d. Information so designated by the government
13. The control software of a Private Board Exchange (PBX) can be accessed and compromised by calling the telephone number of a device on the PBX from a computer and modem. The name of this PBX device is the:
• a. Time Domain Reflectometer
• b. Remote Maintenance Access Terminal
• c. Current Carrier Signaling Port
• d. Internal and Remote Signal Port
13. The control software of a Private Board Exchange (PBX) can be accessed and compromised by calling the telephone number of a device on the PBX from a computer and modem. The name of this PBX device is the:
• a. Time Domain Reflectometer
• b. Remote Maintenance Access Terminal
• c. Current Carrier Signaling Port
• d. Internal and Remote Signal Port
14. Which of the following is generally not true in regard to proprietary information?• a. Secret information does not have to be
specifically identifiable• b. Secret information must be such that it
can be effectively protected• c. The more narrowly a business defines what
it regards as secret, the easier it is to protect that body of information
• d. It is difficult to protect as a trade secret that which can be found in publicly
accessible sources
14. Which of the following is generally not true in regard to proprietary information?• a. Secret information does not have to be
specifically identifiable• b. Secret information must be such that it
can be effectively protected• c. The more narrowly a business defines what
it regards as secret, the easier it is to protect that body of information
• d. It is difficult to protect as a trade secret that which can be found in publicly
accessible sources
15. With respect to trade secrets, it may be decided that its disclosure by another was innocent rather than wrongful even in the case where the person making the disclosure really was guilty of malice or wrong intent. This situation may occur when:
• a. There is absence of evidence that an owner has taken reasonable precautions to
protect confidential information• b. The trade secret was not registered• c. The trade secret did not involve national
defense information• d. The trade secret was not in current use
15. With respect to trade secrets, it may be decided that its disclosure by another was innocent rather than wrongful even in the case where the person making the disclosure really was guilty of malice or wrong intent. This situation may occur when:
• a. There is absence of evidence that an owner has taken reasonable precautions to protect confidential information
• b. The trade secret was not registered• c. The trade secret did not involve national
defense information• d. The trade secret was not in current use
16. The class of person under a duty to safeguard a proprietary secret is known as:
• a. Agents
• b. Principals
• c. Fiduciaries
• d. Business Associates
16. The class of person under a duty to safeguard a proprietary secret is known as:
• a. Agents
• b. Principals
• c. Fiduciaries
• d. Business Associates
17. Which of the following is not a correct statement, or a general rule, involving the protection of proprietary information?
• a. By operation of common law employees are presumed to be fiduciaries to the extent they may not disclose secrets of their employers without authorization
• b. As a class, employees are the largest group of persons bound to secrecy because of their status or relationship
• c. Other than employees, any other persons to be bound to secrecy must agree to be so bound
• d. Any agreements to be bound must always be in writing and are not implied from acts
17. Which of the following is not a correct statement, or a general rule, involving the protection of proprietary information?
• a. By operation of common law employees are presumed to be fiduciaries to the extent they may not disclose secrets of their employers without authorization
• b. As a class, employees are the largest group of persons bound to secrecy because of their status or relationship
• c. Other than employees, any other persons to be bound to secrecy must agree to be so bound
• d. Any agreements to be bound must always be in writing and are not implied from acts
18. Probably the chief reason for the loss of information about sensitive operations is:
• a. Deliberately stolen by an outsider
• b. Loss by fire or other disaster
• c. Deliberately stolen by insider
• d. Lost through inadvertent disclosure
18. Probably the chief reason for the loss of information about sensitive operations is:
• a. Deliberately stolen by an outsider
• b. Loss by fire or other disaster
• c. Deliberately stolen by insider
• d. Lost through inadvertent disclosure
19. The term “eavesdropping” refers to:
• a. Wiretapping only
• b. “Bugging” only
• c. Both wiretapping and “bugging”
• d. Mail covers
19. The term “eavesdropping” refers to:
• a. Wiretapping only
• b. “Bugging” only
• c. Both wiretapping and “bugging”
• d. Mail covers
20. A microphone which has the characteristics of requiring no power source to operate it, is quite small, relatively difficult to detect, and is offered by equipment suppliers in such items as cuff links and hearing aides is known as:
• a. Carbon microphone
• b. Dynamic microphone
• c. Contact microphone
• d. Parabolic microphone
20. A microphone which has the characteristics of requiring no power source to operate it, is quite small, relatively difficult to detect, and is offered by equipment suppliers in such items as cuff links and hearing aides is known as:
• a. Carbon microphone
• b. Dynamic microphone
• c. Contact microphone
• d. Parabolic microphone
21. A microphone which is normally installed on a common wall adjoining a target area when it is impractical or impossible to enter the area to make a microphone installation is:
• a. Carbon microphone
• b. Dynamic microphone
• c. Contact microphone
• d. Parabolic microphone
21. A microphone which is normally installed on a common wall adjoining a target area when it is impractical or impossible to enter the area to make a microphone installation is:
• a. Carbon microphone
• b. Dynamic microphone
• c. Contact microphone
• d. Parabolic microphone
22. Which of the following is not true with regard to electronic eavesdropping:
• a. A listening device installed in a wire will cause a crackling sound, click or other noise than can be heard on the line
• b. An effective countermeasures survey to detect evidence of electronic eavesdropping in telephone equipment must be conducted by a person technically familiar with such equipment
• c. All wiring should be traced out and accounted for in a countermeasures survey
• d. In a countermeasures survey to detect electronic eavesdropping. A physical search should be utilized as well as an electronic search
22. Which of the following is not true with regard to electronic eavesdropping:
• a. A listening device installed in a wire will cause a crackling sound, click or other noise than can be heard on the line
• b. An effective countermeasures survey to detect evidence of electronic eavesdropping in telephone equipment must be conducted by a person technically familiar with such equipment
• c. All wiring should be traced out and accounted for in a countermeasures survey
• d. In a countermeasures survey to detect electronic eavesdropping. A physical search should be utilized as well as an electronic search
23. In designing a proprietary information protection program, the area of greatest vulnerability is:
• a. Personnel files
• b. Marketing data
• c. Employees
• d. Computers
23. In designing a proprietary information protection program, the area of greatest vulnerability is:
• a. Personnel files
• b. Marketing data
• c. Employees
• d. Computers
24. Two of the three most common methods of information losses are inadvertent disclosure and industrial espionage. Which of the following is the third:
• a. Newspaper articles
• b. Television
• c. Magazine articles
• d. Theft by an insider
24. Two of the three most common methods of information losses are inadvertent disclosure and industrial espionage. Which of the following is the third:
• a. Newspaper articles
• b. Television
• c. Magazine articles
• d. Theft by an insider
25. Which of the following statements is incorrect with regard to an information security program?
• a. A good information security program will provide absolute protection against an enemy spy
• b. The information security program is an attempt to make theft of sensitive information
difficult, not necessarily eliminate it
• c. A trust relationship must be established and maintained with employees
• d. The good will and compliance of employees is crucial for success
25. Which of the following statements is incorrect with regard to an information security program?
• a. A good information security program will provide absolute protection against an enemy spy
• b. The information security program is an attempt to make theft of sensitive information
difficult, not necessarily eliminate it
• c. A trust relationship must be established and maintained with employees
• d. The good will and compliance of employees is crucial for success
26. Vital records normally constitute the following percentage of the company’s total records:
• a. 2%
• b. 5%
• c. 10%
• d. 15%
26. Vital records normally constitute the following percentage of the company’s total records:
• a. 2%
• b. 5%
• c. 10%
• d. 15%
27. A specially constructed microphone attached directly to an object or surface to be protected and which responds only when the protected object or surface is disturbed is known as:
• a. Parabolic microphone
• b. Special audio microphone
• c. Contact microphone
• d. Surreptitious microphone
27. A specially constructed microphone attached directly to an object or surface to be protected and which responds only when the protected object or surface is disturbed is known as:
• a. Parabolic microphone
• b. Special audio microphone
• c. Contact microphone
• d. Surreptitious microphone
28. “Social engineering” is:• a. The conversation involved in the beginning of a
romantic relationship• b. A function of the personnel department in which
like persons are teamed together in workshops or seminars for maximum productivity
• c. The subtle elicitation of information without revealing the true purpose of the call
• d. The specific design of a business structure to facilitate the interaction of the inhabitants
28. “Social engineering” is:• a. The conversation involved in the beginning of a
romantic relationship• b. A function of the personnel department in which
like persons are teamed together in workshops or seminars for maximum productivity
• c. The subtle elicitation of information without revealing the true purpose of the call
• d. The specific design of a business structure to facilitate the interaction of the inhabitants
29. A former employee, who had access to your trade secret information, is now employed by a competitor and is apparently using the trade secret information to gain market share. There are several serious factors you should consider before you institute litigation in the matter. Which of the following is not a serious factor to be considered?• a. You may have to expose the very secrets you are
attempting to protect
• b. The cost of the litigation may exceed the value of the secret information
• c. You may lose your case
• d. Other employees may leave the company and attempt to use trade secret information in the business of a new employer
29. A former employee, who had access to your trade secret information, is now employed by a competitor and is apparently using the trade secret information to gain market share. There are several serious factors you should consider before you institute litigation in the matter. Which of the following is not a serious factor to be considered?• a. You may have to expose the very secrets you are
attempting to protect
• b. The cost of the litigation may exceed the value of the secret information
• c. You may lose your case
• d. Other employees may leave the company and attempt to use trade secret information in the business of a new employer
30. Electromagnetic radiation is detectable electromagnetic energy is generated by electronic information processing devices. Which of the following is used to protect very sensitive equipment?
• a. A current carrier device
• b. Pneumatic cavity shielding
• c. Tempest shielding
• d. Pen register shielding
30. Electromagnetic radiation is detectable electromagnetic energy is generated by electronic information processing devices. Which of the following is used to protect very sensitive equipment?
• a. A current carrier device
• b. Pneumatic cavity shielding
• c. Tempest shielding
• d. Pen register shielding
Significant NotesSignificant Notes
Sensitive Information
The basis for any industrial espionage prevention program is
protection of information
There are many kinds of information which a company would like to keep in a confidential status but not all such information could be classified as “trade secrets”
One definition of “trade secret” is “information including formula, pattern, compilation, program, device, method, technique or process that;
a. Derives independent economic value, actual or potential, from not being generally known to and not being readily ascertainable by proper means, by other persons who can obtain economic value from its disclosure or use, and
b. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
“Proprietary information” is information of value owned by or entrusted to a company which relates to the operations of the company and which has not been disclosed publicly
A “trade secret” is part of a company’s proprietary information but not all propriety information necessarily fits the definition of “trade secret” information
Generally “trade secrets” are given a higher degree of legal protection than other proprietary information
There are three basic requirements of a “trade secret”
a. Must be of competitive advantageb. Must be secretc. Must be used in the business of
the owner
Information must meet the following requirements to fit the definition required of a “trade secret”
a. Must be specifically identifiableb. Cannot be found in publicly accessible sourcesc. Should be disclosed by owner only to those under a
duty to protect secrecyd. Persons afforded knowledge of secret information
must know it to be confidentiale. The owners must be able to show they have
instituted adequate protective measures to safeguard secrecy of date
Unless the owner of a trade secret can furnish proof of diligent care in the protection of a trade secret, such trade secret may be lost
Patent laws provide that an inventor who first develops a new machine, manufacturing process, composition or matter, plan or design that is sufficiently novel and useful can apply for and receive an exclusive right to that invention for a period of 17 years
“Inadvertent disclosure” probably is the chief reason for loss of information about sensitive operations
One method important in protection of sensitive information is installing an effective “awareness program” to assure all employees are aware of the existence of sensitive data in the company and their responsibilities in protecting such
Another important protective device is the use of “nondisclosure agreements”(employee patent and
secrecy agreements) from employees in which the employees acknowledge their fiduciary responsibility
A “non-competitive agreement” is agreement on part of employee upon leaving employment of one company that the employee will not accept employment with a defined competitor for a stated period of time
A telephone instrument may also be utilized as a listening device
In an electronic countermeasure survey, note that light switches and electrical outlets are favorite places to install listening devices
Most loss of proprietary information occurs because of negligence
One very important protective measure used to safeguard sensitive data is to disclose such only in a need-to-know basis
Theft of sensitive information through industrial espionage methods or other methods of outside theft accounts for a smaller loss than through negligence; however, the loss through outside theft is more dangerous because the data stolen is usually the most valuable
One of the biggest problems in designing a proprietary information protection program is caused by the large amount of vital data processed and analyzed electronically
Employees are the greatest vulnerability in a proprietary information protection program. Accordingly, an employee awareness program is necessary whereby they are educated with regard to their responsibilities in protecting sensitive data.
Definitions
• Proprietary Information– Information over which the possessor
asserts ownership and which is related to the activities or status of the possessor in some special way
Definitions
• Patent
– A government grant conveying and securing the exclusive right to make, use, and sell an invention for a term of years (seventeen)
Trade Secret• A trade Secret is a process or device for
continuous use in the operation of the business
• For trade secret protection, must prove– Secrecy– Value– Use in the owner’s business
Trade Secret
• Trade Secret information is entitled by law to more protection than other kinds of proprietary information
Trade Secret• The following are not trade secrets:
– Salary information
– Rank surveys
– Customer usage evaluation
– Profitability margins
– Unit costs
– Personnel changes
Trade Secret / Patent
• A trade secret remains secret as long as it continues to meet trade secret tests but the exclusive right to patent protection expires after 17 years
Trade Secret / Patent
• Since anyone can purchase a patent, there are not industrial espionage targets in a patented invention
• Trade Secrets are targets
Proprietary Information
• Two approaches used to deal with P.I.:• “Property Concept”
– regards the information as having independent value if it amounts to a trade secret
• “Fiduciaries” – Imposition of duties upon certain classes of
people, other than the owner not to use or divulge info without owner’s consent.
Proprietary Information
• There are 3 broad threats to proprietary information:
– It can be lost through inadvertent disclosure– It can be deliberately stolen by an outsider– It can be deliberately stolen by an insider
Competitive Intelligence Gathering
• The most important function of competitive intelligence gathering is to alert senior management to marketplace changes in order to prevent surprise
Competitive Intelligence Gathering
• A rich source of information is in the information provided to government regulators
• Never reveal information to anyone that you would not reveal to a competitor
Industrial Espionage
• Industrial espionage is the theft of information by legal or illegal means. It is more dangerous than inadvertent disclosure by employees in that highly valuable information is stolen for release to others who plan to exploit it.
Protection Programs
• The vulnerability assessment is conducted from the perspective of the competitor and considers:– What critical information exists– The period of time when the information is
critical. This may be a short period or may be for the life of a product
– The identity of employees and indirect associates who have access to the information
Eavesdropping Tactics & Equipment
• “Wiretapping” - is the interception of communication over a wire w/o participants consent and requires physical entry into the communication circuit
• “Bugging” - interception of communication w/o participants consent by means of electronic devices and w/o penetration of a wire.
Eavesdropping Tactics & Equipment
• Eavesdropping is a psychological traumatic experience for the victim.
• It is the most devastating of espionage techniques.
Wired microphones
• Carbon microphone – commonly used in a standard telephone handset
• Crystal microphone– generates a small electrical current when the
crystal is vibrated by sound waves
• Contact microphone– installed on a common wall with the target area
Wired microphones
• Spike microphone– installed in a hole in the common wall
(not fully through)
• Dynamic microphone– movement of a small wire near a permanent
magnet converts sound into electrical energy. Good eavesdropping device which operates as a loudspeaker in reverse
Wired microphones
• Pneumatic cavity device– has a specially designed small cavity which picks
up surface vibrations. (Glass tumbler effect)
• Condenser microphone– high fidelity use. Fragile and sensitive
• Electret microphone– used primarily in P.A. and audio recording.
(Extremely small)
Wired microphones
• Omnidirectional microphone– used in conferences. Picks up sound from many
directions around the room
• Cardioid microphone– picks up sound from directly in front of mic
• Parabolic microphone – gathers audio energy and directs it to a
conventional microphone in the center of a dish-type reflector
Wireless microphones
• A radio frequency (RF) device. Consists of:
– A microphone
– A transmitter
– A power supply
– An antenna; and,
– A receiver
Light transformation
• 1. Infrared light wave transmissions use light waves invisible to the human eye. Sound waves are converted to electronic impulses and the pulses are used to modulate infrared light waves. Similar to a TV remote
Light transformation
• 2. Laser (Light Amplification by Stimulated Emission of Radiation) transmission of sound does not require any equipment in the surveillance area. A laser beam focused on a window pane or a reflective object in the room. The vibrating glass modulates a reflected laser beam. Rarely used due to interference.
Light transformation
• 3. Fiber optic laser transmission uses a communications grade glass fiber, filled with laser light, routed through the surveillance area. Sound waves cause the fiber to vibrate slightly, altering the laser light.
Electromagnetic radiation
• Detectable electromagnetic energy is generated by electronic information processing devices. Detection is possible for several hundred feet. The “faraday cage” or “tempest shielding” is used for very sensitive equipment.
Telephone eavesdropping
• Digital systems - originally thought to be secure:
• Digit stream can be recorded and converted to analog and speech.
• The control system is available from an on-site terminal or from off-site through the network. (Remote Maintenance Access Terminal) (RMAT)
The Eavesdropping Threat
• Risk for the electronic eavesdropper is low:– electronic eavesdropping is easily committed– chances are low that victim will find the device– chances low, if found, can be tied to eavesdropper– prosecution of eavesdropping cases is rare; and,– the reward far outweighs the risk
Miscellaneous• Plenum
– space above a dropped ceiling
• Variable Path Encryption (VPE)• is particularly useful to secure cellular signals.
A call is made to a toll-free number of the VPE provider. A unit attached to the cellular set and a unit at the VPE provider alter the communication between them. The signal is sent in the clear from the VPE provider to the intended destination of the call
Miscellaneous
• Time domain reflectometry– an electronic picture of the telephone
line at a given time which is compared to the same line at a future time
Miscellaneous
• Audio masking– generation of noise at the perimeter
of the secure area to cover or mask conversation. Music is not used; “white” or “pink” noise is not as easily filtered from the tape