CPP Review - 2006 John Hewitt, CPP, CIPM Senior Security Manager Trammell Crow Company 214-438-8861...

CPP Review - 2006

John Hewitt, CPP, CIPM

Senior Security Manager

Trammell Crow Company

214-438-8861

Information Security

Information Security – Part V

Proprietary Information

Information over which the possessor asserts ownership and which is related to the activities or status of the possessor in some special way

All Proprietary Information is confidential, but not all confidential information is proprietary.



“Property Concept” regards the information as having independent value if it amounts to a trade secret

“Fiduciaries” Imposition of duties upon certain classes of people, other than the owner not to use or divulge info without owner’s consent.



It can be lost through inadvertent disclosure

It can be deliberately stolen by an outsider

It can be deliberately stolen by an insider

There are 3 broad threats to proprietary information:


Trade Secret

A trade Secret is a process or device for continuous use in the operation of the business

For trade secret protection, must prove Secrecy Value Use in the owner’s business


Trade Secret

The following are not trade secrets:

Salary informationRank surveysCustomer usage evaluationProfitability marginsUnit costsPersonnel changes


Trade Secret

Trade Secret information is entitled by law to more protection than other kinds of proprietary information


Trade Secret/Patent

A trade secret remains secret as long as it continues to meet

trade secret tests but the exclusive right to patent protection expires after 17 years


The most important function of competitive intelligence gathering is to alert senior management to marketplace changes in order to prevent surprise

Competitive Intelligence Gathering


Competitive Intelligence Gathering

A rich source of information is in the information provided to government regulators

Never reveal information to anyone that you would not reveal to a competitor


Industrial Espionage

Industrial espionage is the theft of information by legal or illegal means. It is more dangerous than inadvertent disclosure by employees in that highly valuable information is stolen for release to others who plan to exploit it.


Industrial Espionage

The vulnerability assessment is conducted from the perspective of the competitor and considers:

What critical information exists

The period of time when the information is critical.

This may be a short period or may be for the life of a product

The identity of employees and indirect associates who have access to the information


“Wiretapping” - is the interception of communication over a wire w/o participants consent and requires physical entry into the communication circuit

“Bugging” - interception of communication w/o participants consent by means of electronic devices and w/o penetration of a wire.

Eavesdropping Tactics / Equipment



Carbon microphone

commonly used in a standard telephone handset

Crystal microphone

generates a small electrical current when the crystal is vibrated by sound waves

Contact microphone

installed on a common wall with the target area



Spike microphone

installed in a hole in the common wall (not fully through)

Dynamic microphone

movement of a small wire near a permanent magnet converts sound into electrical energy. Good eavesdropping device which operates as a loudspeaker in reverse



Pneumatic cavity devicehas a specially designed small cavity which picks up surface vibrations. (Glass tumbler effect)

Condenser microphonehigh fidelity use. Fragile and sensitive

Electret microphoneused primarily in P.A. and audio recording. (Extremely small)



Omnidirectional microphone

used in conferences. Picks up sound from many directions around the room

Cardioid microphone

picks up sound from directly in front of mic

Parabolic microphone

gathers audio energy and directs it to a conventional microphone in the center of a dish-type reflector


A radio frequency (RF) device. Consists of:

– A microphone– A transmitter– A power supply– An antenna; and,– A receiver




• Digital systems - originally thought to be secure:• Digit stream can be recorded and converted to analog and

speech.• The control system is available from an on-site terminal or

from off-site through the network. (Remote Maintenance Access Terminal) (RMAT)

Telephone Eavesdropping



• Risk for the electronic eavesdropper is low:

– electronic eavesdropping is easily committed

– chances are low that victim will find the device

– chances low, if found, can be tied to eavesdropper

– prosecution of eavesdropping cases is rare; and,

– the reward far outweighs the risk

Eavesdropping Threat



• Audio masking

– generation of noise at the perimeter of the secure area to cover or mask conversation. Music is not used; “white” or “pink” noise is not as easily filtered from the tape

Miscellaneous



Information Technology Security ** New**

Virus – Any hidden computer code that copies itself onto other programs.

Trojan Horse – Code that has been downloaded attached to unsuspecting programs, that later damage or affect data.

Bomb – Code inserted by programmers into legitimate software. (1) sensitive to a time schedule, triggered by date/time. (2) Triggerd by an event, copying a file or opening a program, etc.

Trapdoors / Back doors – Intentionally created and inserted when developing software, IE : Microsoft’s XP, etc.



Cookie Monster / Cookies – Data maintained form your PC for resource sharing, by use of text files sent to the machine via each website. Allows data such as credit card information to be collected, by unauthorized parties.

Information Technology Security

Theft of Hardware – The unlawful taking of PC or laptop with the intent of gaining access to a company network or other vital information, or sensitive data.



Fax Security

Security Products

Tamperproof security enclosures for fax machines

Automated fax distribution systems, stores documents in employee mail boxes, employees can access with a PIN.

Encryption – Transmitting and receiving to prevent reading an intercepted fax.



Cellular Phones

Cellular and cordless telephones, digital and anolog, transmit RF signals which can be intercepted.

Digital signals, thought to be sure can be taped and converted back to analog signals for use by an interloper.

When a cellular phone is turned on, it transmits a mobile Identification number (MIN) and an electronic serial number which identify cellular set. These signals can be cloned for illicit use.



Test


1. Any formula, pattern, device or compilation of information which is used in one’s business and which gives him an opportunity to gain an advantage over competitors who do not know or use it is:

• a. A monopoly

• b. An unfair trade practice

• c. A trade secret

• d. A patent


1. Any formula, pattern, device or compilation of information which is used in one’s business and which gives him an opportunity to gain an advantage over competitors who do not know or use it is:

• a. A monopoly• b. An unfair trade practice• c. A trade secret• d. A patent


2. Probably the main reason for loss of sensitive information is:

• a. Inadvertent disclosure

• b. Deliberately stolen by outsider

• c. Industrial espionage

• d. Deliberately stolen by insider


3. The primary tool of pre-employment screening is the:

• a. Interview

• b. Application form

• c. The investigation

• d. The investigator


4. Competitive intelligence gathering is a legitimate activity which is engaged in by many firms throughout the world. The most important function of competitive intelligence is to:

• a. Alert senior management to marketplace changes in order to prevent surprise

• b. Alert senior management as to the personal habits of competitive senior management

• c. Alert government intelligence agencies to marketplace changes

• d. Alert senior management to changes in protocol in foreign countries


5. The instrument used to monitor telephone calls by providing a record of all numbers dialed from a particular phone is called:

• a. A wiretap

• b. A bug

• c. An electronic surveillance

• d. A pen register


6. A clandestine listening device, generally a small hidden microphone and radio transmitter is known as :

• a. A bug

• b. A wiretap

• c. A tempest

• d. A beeper


7. A microphone with a large disk-like attachment used for listening to audio from great distances is known as:

• a. Contact microphone

• b. Spike microphone

• c. Parabolic microphone

• d. Moving coil microphone


8. Sound waves too high in frequency to be heard by the human ear, generally above 20 KHZ are known as:

• a. Microwaves

• b. Ultrasonic

• c. High frequency

• d. Short-wave


9. Two methods of protection against telephone line eavesdropping are apparently reliable. The first method is “don’t discuss sensitive information” and the other is:

• a. To use a wire tap detector

• b. To use a radio jammer

• c. To use an audio jammer

• d. To use encryption equipment


10. The unauthorized acquisition of sensitive information is known as:

• a. Industrial espionage

• b. Embezzlement

• c. Larceny

• d. False pretenses


11. Proprietary information is:

• a. Information which must be so classified under government order

• b. Private information of highly sensitive character

• c. Defense data which must be classified according to federal regulations

• d. Anything that an enterprise considers relevant to its status or operations and does not want to disclose publicly


12. A trade secret is:

• a. Any formula, pattern, device or compilation of information which is used in one’s business and which gives that business an opportunity to gain an advantage over competitors who do not know or use it

• b. All information about a company which the company desires to protect

• c. Information of a company which is registered as such with the Patent Office

• d. Information so designated by the government


13. The control software of a Private Board Exchange (PBX) can be accessed and compromised by calling the telephone number of a device on the PBX from a computer and modem. The name of this PBX device is the:

• a. Time Domain Reflectometer

• b. Remote Maintenance Access Terminal

• c. Current Carrier Signaling Port

• d. Internal and Remote Signal Port


14. Which of the following is generally not true in regard to proprietary information?

• a. Secret information does not have to be specifically identifiable

• b. Secret information must be such that it an be effectively protected

• c. The more narrowly a business defines what it regards as secret, the easier it is to protect that body of information

• d. It is difficult to protect as a trade secret that which can be found in publicly accessible sources


15. With respect to trade secrets, it may be decided that its disclosure by another was innocent rather than wrongful even in the case where the person making the disclosure really was guilty of malice or wrong intent. This situation may occur when:

• a. There is absence of evidence that an owner has taken reasonable precautions

to protect confidential information

• b. The trade secret was not registered

• c. The trade secret did not involve national defense information

• d. The trade secret was not in current use


15. With respect to trade secrets, it may be decided that its disclosure by another was innocent rather than wrongful even in the case where the person making the disclosure really was guilty of malice or wrong intent. This situation may occur when:

• a. There is absence of evidence that an owner has taken reasonable precautions to protect confidential information

• b. The trade secret was not registered

• c. The trade secret did not involve national defense information

• d. The trade secret was not in current use


16. The class of person under a duty to safeguard a proprietary secret is known as:

• a. Agents

• b. Principals

• c. Fiduciaries

• d. Business Associates


17. Which of the following is not a correct statement, or a general rule, involving the protection of proprietary information?

• a. By operation of common law employees are presumed to be fiduciaries to the extent they may not disclose secrets of their employers without authorization

• b. As a class, employees are the largest group of persons bound to secrecy because of their status or relationship

• c. Other than employees, any other persons to be bound to secrecy must agree to be so bound

• d. Any agreements to be bound must always be in writing and are not implied from acts


18. Probably the chief reason for the loss of information about sensitive operations is:

• a. Deliberately stolen by an outsider

• b. Loss by fire or other disaster

• c. Deliberately stolen by insider

• d. Lost through inadvertent disclosure


19. The term “eavesdropping” refers to:

• a. Wiretapping only

• b. “Bugging” only

• c. Both wiretapping and “bugging”

• d. Mail covers


20. A microphone which has the characteristics of requiring no power source to operate it, is quite small, relatively difficult to detect, and is offered by equipment suppliers in such items as cuff links and hearing aides is known as:

• a. Carbon microphone

• b. Dynamic microphone

• c. Contact microphone

• d. Parabolic microphone


This presentation was designed to be used in accordance with other study materials and was not intended to be used solely as a study guide. This presentation does not contain all material from the “Information Security” section of the CPP Study Guide© . The presentation was intended to give you the “Golden Nuggets” which will assist you with taking the CPP Exam. Thanks, John Hewitt, CPP - 5/23/ 2006.

Recommended for study: CPP Study Guide – 12th Edition



CPP Review - 2006 John Hewitt, CPP, CIPM Senior Security Manager Trammell Crow Company 214-438-8861...

Documents

Transcript of CPP Review - 2006 John Hewitt, CPP, CIPM Senior Security Manager Trammell Crow Company 214-438-8861...