logo4.gif (3238 bytes)

Electronic Espionage Detection and Prevention
WB01563_.gif (506 bytes)

SpectrumGraph1.gif (19532 bytes)

Home

Background & Experience

Equipment & Resources

New Technology

Training Courses

Partner with TSCM Technical Services-- Special information for Security  and Investigative Firms

How do I get a price quotation for your services?

Contact TSCM Technical Services

Hints, Suggestions, and Interesting historical info

 

 

 

Non-Electronic Weaknesses and Vulnerabilities

This section features examples of non-electronic situations corporate spies could exploit to obtain information from a company or a situation.  We always evaluate the areas we work in for more than just electronic ways information can be taken.

Document Protection

Look at the pictures of the paper shredder receptacles below. The one on the left is the output from a 1/4" strip cut shredder cutting up one page.  The one on the right shows one page having been run through an inexpensive cross cut shredder.  The one on the left has 34 pieces; the one on the right has approximately 360.  Which one offers at least a minimum degree of security?  Strip cut shredders don't begin to provide protection until 25 or more sheets have been cut.

 shredders.jpg (10977 bytes)

If you must use strip cut shredders, shred everything, particularly if the shredder is the type that sits on top of a waste  paper can.   Shredding only sensitive papers red flags them as being important if everything else in the can is whole.  Then stir the contents to further jumble the results.

Have shredders placed where they are convenient to use.  By secretarial desks, in executive offices, next to copy machines, by network printers.   If shredders are not conveniently accessible, they won't be used.  If a multitude of shredders is not feasible, consider a centralized shredding function with secure containers placed throughout the facility.

Test your shredder.  Inspect the output to make sure pages are being shredded.  The picture below shows a page we ran through the client's high volume shredder. It only creased the page and didn't shred it at all.  Not much protection here.

Document Destruction Services

Some businesses use document destruction services.  These services provide containers for storage of sensitive documents.  If you use this type of document destruction method, check the containers!  

We've found that frequently they are secured by a 4-pin or a 6-pin tumbler lock.  These locks are not pick resistant and can be opened quite quickly.  

Other containers don't have a barrier to prevent documents from being pulled out.

If your containers have either of these features, you have very little protection.

 

Be certain to lock away sensitive information when it is not in use.   Let me cite a couple of examples of what not to do:

  • One large consumer products company went through a lot of effort to package their annual world-wide marketing plan in nice looking binders.  The executives were proud of how it looked and most left them out on their credenzas or on their coffee tables.  Anyone strolling through the offices could have picked up a copy.  Offices were not locked after hours and the cleaning crew was supplied by the building management.  They left floor access doors ajar for convenience.

  • Another company created a detailed executive protection manual.   In it were the home addresses of all of the key executives.  Also included were the locations of their vacation homes.  Far additional benefit of the protection guys, you could find the alarm system access codes for each residence, local law enforcement response times and corporate security response plans for a variety of scenarios. 

    It was a detailed plan and showed the kind of effort the security department put out, but it was left out in plain sight on an executive's coffee table.

  • In the corporate counsel's office in a publicly traded company we found a letter, the only letter on the guy's desk.  It was from a law firm representing a major investor.  It said "we have reviewed the financial information you sent last week and, frankly, we do not have a clue how you can avoid Chapter 11."  There was one locked door between this office and the parking lot and not barriers at all between the night shift and the office. 

    The company did survive, but what might have happened if this letter was made public?   Anyone from the night shift could have strolled into the office.

Log off the network and shut down the PCs at the end of the day.   I can't say how many times we've seen sensitive information on the computer monitor because the user didn't close a document or how many times we've been able to download files from the company's network because the PC was still logged on.

Physical Security Matters.  Repeat this twice.  This applies to both locks and keys and to security systems.  Here are some examples of serious weaknesses we uncovered during various surveys:

  • The client's elevator lobby was required by fire code to have an emergency egress switch to override the access controlled doors into their offices.  The switch was a break-glass type and when the glass was broken, the spring loaded switch would close a contact and unlock the door.  It turns out that the bezel holding the glass could be unscrewed from its housing.  Unscrewing the bezel a few turns allowed the switch to open enough to cause the door to unlock, allowing anyone in the public area of the elevator lobby to enter their premises after hours undetected.  Scary.

  • The client, a large law firm, had recently invested a great deal of money in new file cabinets that were equipped with electronic combination locks.  This would the files to be locked at all times, since the default state of the cabinet lock was secure.  However, the default combinations had never been changed.  If you wanted to open the top file drawer, you pushed "1".  If you wanted to open the next one down, you pushed "2".  And so on.  Get the picture?  The client thought they were adding a level of security, but the net effect was nil without proper implementation.

  • The alarm system installer for the small business wanted to save some time and aggravation.  Rather than pulling the cable from the magnetic contacts on the front door through the fiberglass insulation filled ceiling on the interior of the office space, he ran them in the suspended ceiling in the public hallway outside the offices.

  • The door to the telephone equipment room was a solid core fire resistant slab type door.  It was equipped with a heavy duty lock set with a pick resistant high security core.  However, the jamb wasn't installed very well and there was too much of a gap between the jamb and the door.  With a  good tug on the lockset, you could free the latch from strike and stroll on in.

These are only a few of the examples of potential problems  we have identified during our surveys.  Protecting a business against theft of information or of physical property is requirement these days. 

 

 

Send mail to info@tscmtech.com with questions or comments about this web site.
Copyright © 2000-2005 TSCM Technical Services
Last modified: March 23, 2006