Helen was a model employee at Alt Telco (as we shall call them). Loyal and fiercely ambitious, she only sparingly shared need-to-know information with her own colleagues. She was the last person you’d expect to brief the rival salesforce at Big Telco (as we shall call them) with damaging details about Alt’s unprofessionalism in providing support to customers. Yet that’s exactly what she did when she told a headhunter how many people were in her team, how big her marketing budget was, and what projects she’d recently worked on.
Worse still, there never was a dream career move. The headhunter was really from a new breed of competitive surveillance companies and he’d bought her confidence for the price of a cup of coffee and rent of a hotel suite.
Posing as a recruitment consultant is one of the new scams that competitive surveillance (CS) agencies use to obtain information for their clients. Getting inside a firm is often a dirty business, so the service comes at a great price. It is not uncommon for a corporation to pay millions a year for a constant stream of competitive information on its rivals. Which naturally breeds all kinds of new cunning and ingenious schemes if you have the resources to fund them.
If you work for a major corporation, your company probably uses CS. You won’t know about it because, unless you’re a marketing strategist, you don’t need to know. But the evidence will be there in the company balance sheet, hidden under a heading like “Research” or “Recruitment.”
As a security expert, you will need to know the tactics used to stop your own company’s intelligence leaking out. So how do agencies go about stealing information? Disciples of Kevin Mitnick will be unsurprised to hear that very little information technology is used, because humans are a much more complex mix of intelligence and frailties than even the wobbliest IT infrastructure. “You really do have to ask: ‘Who needs hackers when you’ve got human vanity?’,” jokes Simon Clark, consultant at security consultancy Katapult-IT.
Besides, buying people’s confidence is a lot cheaper. Once that’s gained it’s not long before a target is telling an agent everything they need to know, and more.
It’s not unknown for a competitive surveillance company to set up a few shell companies as various types of partners. By applying to become a reseller partner for an IT manufacturer (like Cisco or 3Com), it is possible to access confidential information. Imagine that a rival of Cisco commissions a surveillance company to find out about its channel strategy. This information would include the number of account managers, the profit margin on sales, the discounts offered, the structure of the co-op marketing scheme and the rewards scheme. This is all valuable intelligence.
The bogus market analyst
As a large corporation, your company needs to generate goodwill. The more it schmoozes with market analysts and the media, the better its chances of being allowed to present the image it would like the market to have.
Every listed company is in thrall to the market analysts, who can wipe millions off their stock valuations by downgrading their expectations. Analysts being only human, there’s a degree of emotional bias involved. So any listed company will provide teams of people dedicated to making the analyst’s job easier. Consequently, there is a culture of obedience among the analyst relations staff. Competitive surveillance agencies know this and exploit it. Agent A will call corporation B, pretending to be a well-known analyst. An analyst is trusted with sensitive information, the most that’s asked of them normally being to sign some kind of non-disclosure agreement.
It is very simple to identify a bogus analyst: regard everyone as an impostor until they can prove otherwise. Imposing this discipline is another matter, however, because the risk of upsetting an analyst is often enough to persuade someone at the bottom of the public relations food chain not to carry out any checks. That is something that a bogus caller will play up on.
Often, a bogus analyst will need to keep up a front with a web site. Contact a suspect company at the address given on the web. If you don’t hear from it in two days, you can reasonably assume the company has a hidden agenda.
Some intelligence agencies even pretend to be journalists, assuming the identity of someone known to a company. Although journalists are often objects of suspicion, there are business journalists who have earned the trust of companies, usually by not writing anything nasty about anyone. It can be worth impersonating someone who is trusted to observe confidentiality agreements.
Sometimes they don’t even bother to impersonate a real journalist, but create a false identity. There are so many journalists out there, it’s difficult for any PR professional to keep tabs on them all.
As we’ve seen, people who wouldn’t trust their friends with information will frequently tell a complete stranger everything, if they are convinced they can help their career. Often you do not need even to pretend to be a headhunter, just put an advert in the paper.
We’ve all, at some stage, sent resumés off in pursuit of a dream assignment and never heard anything back. Perhaps the job advertised demands a mix of skills and experience that is unique to someone working for your employer. Now you think about it, many of them asked for specific details about your work. The chances are you were glad to supply confidential information, because the job or the money offered were too good to ignore. You probably never gave a second thought to the fact that the company never contacted you. This is why bogus job ads are a cheap and painless way of gaining intelligence.
Employees give away secrets
Now CEO and president of California-based Advantage SCI, Elsa Lee spent 20 years as a counterintelligence officer in the U.S. and has seen a variety of ways in which employees give away their employers’ secrets.
Seduction and exploitation are popular methods, says Lee. Having used sex, drugs, money or alcohol to get a hold on someone, a counter-intelligence officer can then move on to blackmail when they want to put more of a squeeze on their supply of information. Social engineering is an established pattern of techniques (summarized in the panel, above) but aggressive surveillance, like all security threats, is always evolving.
“The planning phase [of a surveillance scam] can be extensive and sophisticated and require resources such as funding and a mastery of certain skills,” says Lee. Some of the companies who have been exploited include defense contractors, oil companies, financial and trading companies, and companies with multiple patents.
She offers the following advice on mitigating this type of risk: “You need a security strategy that includes a good inventory of your trade secrets, the value of those trade secrets, and a list of everyone with access to them.”
More importantly, you must stay on top of the situation, concludes Lee. “It won’t work without frequent sensitizing of exploit attempts and a method for reporting and investigating them.”