U.S. Department of State
96/06/10 Quick Security Guidelines: Guidelines for Protecting
U.S. Business Information Overseas
Released by the Bureau of Public Affairs
Published by The Overseas Security Advisory Council (OSAC)
November 1995
INTRODUCTION
Each day America becomes driven more and more by information.
Proprietary information is our chief competitive asset, vital to
both our industry and our society. Our livelihood and, indeed,
our national strength depend on our ability to protect industrial
and economic data.
This pamphlet outlines some steps that may be taken to protect
information and to raise the general level of awareness to the
threat by Americans living, working, or traveling abroad.
WHAT INFORMATION SHOULD BE PROTECTED?
Any information, creative or innovative, that provides a U.S.
company with a competitive edge over its competitors, and whose
loss would negatively impact an investment in time, product,
finances, plants, or personnel, should be protected.
It could be a trade secret, patent information, or intellectual
property; a simple improvement in the way a certain American
industry produces a product or does business; a technical
modification, new technique, personnel policy, or management
concept; or employee human resources information.
COMPANY EMPLOYEES
Current government and industrial security studies and surveys
reveal that the majority of competitive information theft cases
that occur in the United States and overseas involve a company's
employees, contractors, vendors, and suppliers.
An employee's rank in the company is not necessarily commensurate
with the interest of a foreign intelligence agency, which, besides
targeting researchers, key managers, and corporate executives,
will target:
-- Secretaries
-- Computer operators
-- Technicians
-- Maintenance personnel
The latter frequently have good, if not the best, access to
competitive information.
Application of need-to-know procedures will help. Carefully
compartmentalizing competitive information on that basis provides
two advantages: it slows or stops an information thief, and it may
provide an indicator of an employee seeking to obtain competitive
information beyond his or her need to know.
When local laws allow, it is prudent to conduct background
investigations on prospective employees. A comprehensive
background investigation can provide, prior to offering an
applicant employment with a company, the best information
concerning the person's social, education, military, credit, civil
and criminal litigation, and employment histories.
VENDORS, CONTRACTORS, AND SUPPLIERS
Recent U.S. Government and security industry surveys regarding
safeguarding of proprietary information revealed that vendors,
contractors, and suppliers accounted for almost 15 percent of all
disclosures, misappropriation, and thefts of U.S. business
competitive information. Generally these groups should be:
-- Controlled, documented, and required to wear a photo
identification
-- Escorted throughout the general premises by the person they
are visiting
-- Restricted from unnecessary admittance to high-security areas,
or escorted at all times
-- Required to sign nondisclosure and confidentiality agreements
VISITOR TOURS
Public tours of buildings containing competitive information
should be discouraged. Similarly visitor tours of high-security
areas should be prohibited.
All requests for tours by academic, industrial, fraternal, social,
or media groups should be passed to security departments for
background checks.
WORKPLACE VULNERABILITIES
U.S. businesses or research locations overseas are principal
targets of those seeking to compromise competitive information. If
possible, locate corporate offices in facilities totally
controlled by the corporation.
Location, Location, Location
Site location and construction should be the best that will allow
for normal and prudent security measures.
Normal security steps dictate that building perimeters and
internal sensitive areas be secure, and that the general public,
unescorted visitors, and unauthorized personnel be restricted from
research, production, and business areas where competitive
information is used.
Prudent security steps dictate that existing security controls
should always be reviewed for improvement or modification and that
an awareness program, as well as policy and guidelines be
established to protect competitive information.*
FACILITIES PERIMETER
All windows, external and internal doors, and high-security areas
should be provided with intrusion alarm monitoring. Alarm systems
should be supplemented by lighting, as discussed below. The alarm
signal must be communicated to a location where a speedy and
appropriate response can be provided.
The entire perimeter of any office building that serves as a
perimeter barrier should be adequately illuminated during hours of
darkness. Other perimeters, such as walls, fences, and natural
barriers, should be illuminated to both detect and deter persons
attempting to gain unauthorized access to the building. Adequate
interior night lights should be left on whenever the building is
not occupied.
Security personnel should control:
-- Perimeter and internal sensitive area access
-- Keys and locks supervision
-- Access card supervision
-- Employee, visitor, contractor, and vendor identification
badges
High-Security Areas
High-security areas include, but are not limited to: design
studios, strategic planning areas, engineering and research
facilities, mailrooms, telephone switching rooms, computer
facilities, and other similar areas. In general, office safeguards
and possible restriction to a high-security level should be
provided for:
-- Designated photo copiers
-- Encrypted telecommunication equipment
-- Facsimile machines and other reproduction equipment. If this
cannot be done, the equipment should be provided with access
control devices to prevent unauthorized usage.
-- Executive offices, research labs and work areas
-- Lockable file cabinets and desks and vaults to secure
competitive information
-- Keys, combination locks, and access cards to maintain the
effectiveness of these devices
Certain offices or portions thereof may require designation as
high-security areas if:
-- Highly sensitive competitive information is present.
-- Access is limited and entry is restricted to only those
persons who possess special identification and who are
specifically permitted entry.
-- A higher level access control device is used above that
operating at the perimeter of the building.
-- A procedure, such as a receipt and copy accountability system,
is established for the authorized removal of all competitive
information, blueprints, drawings, and other documents contained
in these areas.
Storage Facilities
Provide secure facilities for the storage of competitive
information such as desks, offices, safes, vaults, filing
cabinets, etc.
Clean-Desk Policy
-- Encourage a clean-desk policy for all offices during
non-business hours.
-- Require a clean-desk policy in high-security areas.
Cleaning and Maintenance
Cleaning and maintenance should be done during times when
responsible company supervisors are present to monitor such
activity.
Disposal of Competitive Information
COMPETITIVE INFORMATION MUST BE DESTROYED WHEN NO LONGER NEEDED.
Each work area must have adequate shredding capabilities or
controlled disposal functions. Make each functional area
responsible for verifying that competitive information is properly
disposed of.
COMMUNICATIONS
Easily accessed and intercepted telecommunications present a
highly vulnerable and lucrative target for anyone interested in
obtaining competitive information. Increased usage by businesses
of these links for bulk computer data transmission and electronic
mail makes telecommunications intercept efforts cost effective for
intelligence collectors worldwide.
U.S. companies should:
-- Assume that all overseas telecommunications are intercepted,
recorded, and organized into reports and reviewed for economic
intelligence.
-- "Button-up" all competitive information communications to
maintain their competitive edge.
Threats
U.S. companies should be aware of, and sensitize their employees
overseas to, the fact that:
-- All foreign telephone systems are either owned or controlled
by the host government. This allows the government to easily
monitor transmissions of selected U.S. corporations.
-- Intelligence agencies of third-party nations, terrorists, and
criminals monitor electronic transmissions.
-- Business and technical data obtained from U.S. corporations
may be, and often are, provided to foreign competitors and
potential customers.
-- Personal information obtained may be used to kidnap executives
for financial gain or political purposes.
-- Electronic equipment, such as facsimile machines, telephones,
and desktop computers, may be altered to make electronic
monitoring easier.
Vulnerabilities
Telecommunications monitoring may be done at a phone company's
switching facilities; phone lines may be tapped or bugged; or
microwave transmissions may be intercepted anywhere between the
two microwave towers.
Telephones do not necessarily cease transmitting once they are
hung-up. Conversations taking place near a phone may be
transmitted to the foreign state's telephone system switching
facility and can be monitored anywhere between the phone and that
facility.
Many telecommunications transmissions will contain "key words"
used to identify information of interest to a third party. A key
word can be the name of a technology, product, project, or
anything else that may identify the subject of the transmission.
Encryption should be the first line of defense, since it is easier
for foreign intelligence services to monitor lines than to place
"bugs"; however, encryption will provide little, if any, security
if a careful examination for audio "bugs" elsewhere in the room is
not conducted.
Most international U.S. corporate telecommunications are not
encrypted. Some countries do not allow encryption of
telecommunications traffic within their borders, but it should be
considered, where feasible, for any transmission of competitive
information.
About half of all overseas telecommunications are facsimile
transmissions which, because they are emanations, may be
intercepted by foreign intelligence services since many of the
foreign telephone companies are foreign owned.
In addition, many American companies have begun using what is
called electronic data interchange, a system of transferring
corporate bidding, invoice, and pricing data electronically
overseas. This type of information is invaluable to many foreign
intelligence services that support their national businesses.
Video Conferences
The threat is essentially the same as that to other types of
telecommunications. Adversaries can purchase or replicate specific
equipment used by an American company and then either tap into the
line or use other means to monitor both audio and video.
Although encryption is available for some video conferencing
installations, many countries do not allow any type of encryption
and others allow only that type which they can break.
Electronic Transmissions
Most foreign common carriers are government controlled or owned.
Trade secrets, data, marketing strategies, and personnel
information that are discussed or sent over host country telephone
lines are easily obtained by foreign interests.
Electronic Media Path
Electronic data is most easily recovered when a signal is not
multiplexed or mixed with other data signals, i.e., data
transmitted from a telephone instrument to a telephone switch.
Only a minimal investment is required to retrieve data not masked
with other voice or data. For this reason, it is better to use
standard dial-up versus dedicated lines.
Data and voice that are routed on major transmission paths--such
as microwave or satellite transmission--have less likelihood of
being monitored by hackers or low-cost monitoring operations,
because the cost of sifting through such a volume of information
to access one target is often prohibitive. However, a
well-financed intelligence gathering operation may find satellite
or microwave transmissions the best intercept opportunity, since
they can be monitored at great distances with little or no threat
of detection.
Suggested Telecommunication Countermeasures
Below is a list of suggested actions that may be taken in order to
improve the security of your telecommunications transmissions.
-- Whenever possible, use your corporate transmission facilities
instead of those of the host government.
-- Encrypt electronic transmissions whenever possible. Computer
links, facsimile transmissions, E-mail, and voice transmissions
can all be encrypted.
-- The National Institute of Standards and Technology (NIST)
conducts validations of products for conformance to cryptographic
standards for encryption and publishes the results quarterly in
the "Validated Products List."
Subscriptions are available from:
National Technical Information Service
U.S. Department of Commerce
5285 Port Royal Road
Springfield, VA 22161
-- Neutralize the vulnerability of telephones. A small, company-
controlled switch installed within the facility can help ensure
that conversations are not transmitted through handsets that are
"hung-up," and also can serve to decrease the threat of covert
line access.
-- Avoid "key words" or phrases that may be used by intelligence
agencies and others to search recorded conversations for subjects
of interest. Examples would be project names, product names, the
names of persons of interest (e.g. heads of state, CEOs, etc.) and
classification labels such as sensitive and "company
confidential."
-- Positively identify all parties participating in phone
conversations or receiving the facsimile transmissions.
-- Always keep at least one phone and facsimile machine secured
in a container equipped with a combination lock, and restrict
access to the combination. This will help maintain the integrity
of that equipment.
-- Check connecting lines to telecommunication devices
(telephones, computers, fax machines, etc.) monthly to ensure that
the line has not been replaced or modified by unauthorized
personnel.
-- Placing stickers on phones warning of hostile monitoring will
be helpful to maintain awareness.
COMPUTER TECHNOLOGY
Computers can pose enormous security problems. While they contain
great volumes of information, they also concentrate it, and if not
protected, they can make the task of the information thief much
easier.
When the facility is located overseas, the following additional
security issues should be considered.
Access
Because one cannot assume that employment practices are the same
from country to country, it is not always possible to dictate what
employees can do or where they can go.
For example, in some countries you are not permitted to log the
fact that a specific person accessed a specific data set at a
certain time on a certain date, because such a log could be
misused to inappropriately monitor work habits, speed, and
productivity.
Similarly, in some countries, there are resident fire marshals in
the facility who do not work for the enterprise, but are
authorized access to each and every part of the physical facility.
Magnetic Media Control
Managers must be sensitive to mailing or physically carrying
magnetic media between countries.
The information on magnetic media may be vulnerable during
interaction with the local customs authorities, which could be far
more damaging to a business.
In either mailing or carrying, accountability is lost once the
material is turned over to local customs personnel to be
"cleared." Often, the time involved, as well as the other details
of what "cleared" means, are not always spelled out to private
industry.
Distributed Printer Control
Physical access to printers used within a computing center is
usually well controlled. However, small, powerful, printing
facilities, which can be readily hooked-up with printed output
routed directly to such devices by any employee, are coming
increasingly into use. It is strongly recommended that attention
be given to ensuring that:
-- Printed output may be picked up only by the information owner
or his or her representatives.
-- Printers are placed in a room having a controlled-access
system.
Cellular PCs
The cellular portable computer is relatively new technology,
having unique security considerations that one might easily
overlook. The system is essentially a personal computer with an
integrated modem, which is a device used to change signals
understood by telephone technology into signals understood by
computers, and vice versa. There is also a built-in cellular
telephone that allows a person with a single action to place a
call to a computer system, connect the personal computer to it,
and interact with a host computer. Sometimes overlooked with this
technology is the fact that cellular telephones:
-- Use radio frequencies to communicate
-- Are vulnerable to unauthorized interception, recording, and
subsequent analysis. Monitoring equipment is readily available to
foreign intelligence services and to the more sophisticated
business espionage agent.
Virus Contamination and Detection
Although it is a standard precaution to take special care when
receiving a PC program from someone because of the possibility of
virus contamination, that possibility is exponentially greater
during foreign travel.
Answering the questions in the checklist below can identify
opportunities to improve the security of your computer software
and hardware.
Computer Security Checklist
International Travel
-- Does the local power supply match your system's requirements?
-- Are electrical power transformers, filters, surge protectors
or uninterruptible power supply (UPS) units available to protect
your equipment?
-- Does the government impose restrictions on the import of
computer hardware and software into the country?
Environment
-- Will the computer be used in a low humidity area where damage
from static electricity may be sustained?
-- Are carpets treated?
-- Are humidifiers available?
-- Will the computer be used in a hot, dusty climate?
-- Are office temperature controls sufficient?
-- Are dust covers available?
Physical Security
-- Is the work area kept clear of soft drinks, coffee and other
liquids, that, when accidentally spilled, may damage equipment?
-- Are diskettes physically labeled and handled as directed by
the manufacturer? Are sensitive diskettes sufficiently write-
protected to avoid accidental or malicious damage or destruction?
-- Are backup copies stored off-site?
-- Is the computer sufficiently protected from acts of sabotage,
tampering, and theft?
-- Are modems (particularly those with an automatic answer
feature) disconnected or powered off when not in use?
-- Are printer ribbons, sensitive printouts, and diskettes
burned, shredded, or degaussed as appropriate to prevent
inadvertent information disclosure?
System Security
-- Are spare, user-serviceable parts available in the event of
failure?
-- Are backup copies of software and data produced periodically?
-- Has a backup system (contingency) been identified to continue
critical operations in the event of a failure or disaster? Has it
been tested?
-- Are sufficient controls in place to prevent violation of
manufacturers' copyrights and license agreements?
-- Are software controls present to authenticate individual
system users?
-- Are passwords changed frequently, and are they difficult to
guess?
-- Is a security erase or file scrub program present on the
system that will overwrite sensitive data on the hard disk when a
file is deleted? Is it used?
-- Are system hardware and software controls present to
authenticate individual system users?
Virus Protection
-- Are software and data diskettes received from reliable,
trustworthy sources?
-- Is software received from outside sources scanned for computer
viruses with current virus detection software?
Computer Security Guidance
Under the Computer Security Act of 1987, the National Institute of
Standards and Technology (NIST) develops standards and guidelines
for the protection of sensitive information.
For a listing of available documents, including ordering
information, request a free copy of Publications List 91 from the
following:
CSL Publications
Technology Building, Room B64
National Institute of Standards and Technology
U.S. Department of Commerce
Gaithersburg, MD 20899
EFFECTS OF TELECOMMUNICATIONS ON COMPUTER SECURITY
Telecommunications technology provides for electronic "highways"
that now enable a person to directly access
a computer system on another continent. Many U.S. corporations are
dependent for their very survival on data being stored and
processed on these computer systems. It is therefore mandatory
that access control security software and procedures are
implemented for any computer interfacing with a network or
telephone system. Hacking into computers is now a standard tool
for those involved in espionage and computer crime. Once an
intruder has gained entry, he or she may be able to view, change,
or destroy valuable company data and information. Electronic
terrorism, placing a corporation's information assets at risk,
also is possible.
Consider the following tips to reduce the possibility of
unauthorized access through networks:
-- Apply access control software and procedures to the
corporation's networks; keep the intruder off the "highway."
-- Ensure that the corporation's computer systems are protected.
-- Mandate that all users change passwords at least once every 60
days, allow no more than three consecutive invalid passwords
before suspending a user ID, and ensure that all passwords are at
least six characters in length. Also, encourage employees to use
passwords that do not relate to their lives (names of family,
pets, sports teams, etc.). Hackers often gain entry by simply
guessing passwords.
-- Control the phone numbers to the corporation's networks and
computer systems as competitive information. Minimize their
distribution and notify corporate employees that the numbers
should be guarded.
-- Test corporate networks for the existence of unauthorized
modems that could provide access to eavesdroppers.
-- Encrypt computer-to-computer sensitive transmissions,
including electronic mail.
-- Require all personnel to agree in writing before they are
granted access to corporate networks and computer systems, that
they will keep competitive information confidential, and that they
will abide by the corporation's information protection standards.
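The password rules in the list above, written as an account check.
This is an added example, not part of the OSAC pamphlet: the
Account class, its field names, and the sample passwords are
constructed for illustration; the thresholds are the pamphlet's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds taken from the pamphlet's password tip.
MAX_PASSWORD_AGE = timedelta(days=60)  # change at least once every 60 days
MAX_INVALID_ATTEMPTS = 3               # three consecutive invalid passwords
MIN_LENGTH = 6                         # at least six characters


def password_problems(candidate, personal_terms):
    """Return the policy rules a proposed password breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = candidate.lower()
    for term in personal_terms:
        # Names of family, pets, sports teams, etc. supplied for this user.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains personal term %r" % term)
    return problems


@dataclass
class Account:
    """Hypothetical account record enforcing the three pamphlet rules."""
    user_id: str
    personal_terms: list
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    changed_at: datetime = None
    invalid_streak: int = 0
    suspended: bool = False

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password, now):
        problems = password_problems(password, self.personal_terms)
        if problems:
            raise ValueError("; ".join(problems))
        self.pw_hash = self._hash(password)
        self.changed_at = now
        self.invalid_streak = 0

    def login(self, password, now):
        """Return 'ok', 'invalid', 'expired' or 'suspended'."""
        if self.suspended:
            return "suspended"
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            self.invalid_streak += 1
            if self.invalid_streak >= MAX_INVALID_ATTEMPTS:
                # The third consecutive miss suspends the user ID.
                self.suspended = True
                return "suspended"
            return "invalid"
        # A correct password ends the streak; only consecutive misses count.
        self.invalid_streak = 0
        if now - self.changed_at > MAX_PASSWORD_AGE:
            return "expired"
        return "ok"


def demo():
    """Run a constructed sequence of logins and return the outcomes."""
    start = datetime(1995, 11, 1)
    acct = Account("jdoe", ["Doe", "Rex", "Orioles"])
    acct.set_password("tq7-Lamp-Vz", start)
    return [acct.login(p, start) for p in ("guess1", "guess2", "guess3", "tq7-Lamp-Vz")]


if __name__ == "__main__":
    print(demo())
```

Once suspended, the ID stays suspended even when the correct
password is supplied; reinstating it is left to an administrator.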
AT HOME
Many of the same principles that apply to maintaining a safe and
secure office apply equally to a residence. These elements will
vary depending on the foreign environment and the associated risk
factors. As a general rule, competitive information should not be
taken home. However, should it become necessary, the level of
protection afforded competitive information in the home must be
equal to or greater than the standard of protection it is afforded
in the office.
A favorite technique of information thieves is the examination of
trash containers. Consequently, the disposal of competitive
information should not be done at home. Such materials should be
transported to the workplace where they may be properly destroyed.
HOME SECURITY CHECKLIST
Access to residential buildings where competitive information is
located must be limited to only authorized persons. This will
require appropriate locking devices and an alarm system that will
detect an attempted intrusion and alert authorities and other
responsible parties. A specific area or areas within the residence
should be designated for working on competitive information.
Access should be limited to authorized family and service
personnel. Such information, when left unattended, should be
secured in an appropriate container. Control of the keys for these
containers should be limited.
Cleaning activities should be done only when competitive
information items are cleared from the area, secured, or when the
area is monitored by the owner, custodian, or user of the
information.
Residences and residential buildings should have appropriate:
-- Access controls to restrict unauthorized persons and
vehicles
-- Locking devices on exterior windows and doors
-- Intrusion-control alarm systems where possible
-- Procedures for the positive identification of visitors and
utility personnel prior to entry
Within the residence, the work area should include the following
life and safety equipment:
-- Flashlight
-- First-aid kit
-- Emergency radio and/or cellular phone
-- Fire and smoke alarms
-- Safehaven
Specific areas for competitive information work should include:
-- Limited access to only authorized persons
-- Lockable desk and computer equipment and files
-- Procedures imposed for access safeguards on computer equipment
-- Storage of authorized company software on designated computer
-- An appropriate shredder
-- Limited cleaning conducted only in the presence of the
employee or other responsible person
BUSINESS TRAVEL
Travel With a Laptop Computer
Business personnel who travel should adopt normal and prudent
computer safeguards while traveling.
NEVER:
-- Leave a laptop unattended while in an airport terminal,
checking in and out of hotels, or at a business location
-- Operate a computer while in public areas such as airport
waiting rooms, cafeterias, or snack bars
-- Check a laptop with luggage. Laptops should always be stowed
in carry-on baggage that will stay with the traveler at all times
-- Check a laptop in a temporary airport or train station storage
locker even for a short time
Working in Hotels With a PC
Hotel rooms are not secure. Leaving important company information
in your room, even in a locked briefcase or PC, is an invitation
for material to be copied or photographed while you are out. Hotel
vaults are not much better. Foreign intelligence officers can gain
access without you becoming aware of the compromise.
Reduce hard copy material as much as possible and carry what you
must take on your person, possibly on disk, or secure it in a
company vault.
U.S. business travelers should not assume that the U.S. standards
in telecommunication security will be the case when traveling
overseas. The quality of service, as well as the technical
standards and conventions used, vary dramatically from country to
country.
Scientific Conferences
Historically, scientific conferences and trade association
meetings have been targeted by some foreign intelligence agencies.
Today these meetings are still targeted, but the goal is to learn
economic information that will improve the position of our foreign
competitors. Individuals collecting this type of information may
be managers, corporate officers, sales people, and other business
people, scientists, engineers, and other technical personnel.
There is a growing trend for foreign corporations to employ former
intelligence officers for industrial work. Protect yourself by
practicing discretion and remembering that not only time, but
information, is money.
Eavesdropping
INFORMATION OF COMPETITIVE VALUE SHOULD NOT BE DISCUSSED IN PUBLIC
PLACES.
Discussions on airplanes are overheard by those around you.
Eavesdropping can result in gathering meaningful information in a
radius of 6-8 seats. Recent revelations in the media specifically
mention valuable information gathered by eavesdropping on
conversations held on aircraft and in bars and restaurants.
Destruction of Information Waste
-- Keep unwanted material until you can dispose of it securely.
-- Paper should be burned or shredded. If shredded, the type of
shredder should cut horizontally and vertically.
-- Floppy disks should be cut in small pieces and discarded.
Necessary Communications
-- Avoid sending facsimiles or conducting sensitive conversations
on local or international telephone lines.
-- Fax, telex, and data systems are all vulnerable to
interception, particularly in overseas hotels.
-- On important issues, go to the extra trouble of identifying
company travelers for the purpose of carrying information rather
than entrusting it to less secure electronic means.
Be Alert!!!
Be aware of new acquaintances who probe for information or attempt
to place you in a compromising situation. In an unusual situation,
have an American colleague present. The watchword in travel while
in foreign countries is discretion.
ADDITIONAL INFORMATION
We hope this pamphlet provided you with some basic information you
should consider in dealing with important issues. For a more
detailed discussion, please review our expanded version,
Guidelines for Protecting U.S. Business Information Overseas,
available through the Overseas Security Advisory Council.
(###)