Information Security CPP Study Guide V1

CPP Review - 2006
Information Security
John Hewitt, CPP, CIPM
Senior Security Manager
Trammell Crow Company
214-438-8861
Information Security – Part V
Proprietary Information
Information over which the possessor asserts ownership and which is related to the activities or status of the possessor in some special way.
All proprietary information is confidential, but not all confidential information is proprietary.
Proprietary Information
“Property Concept” – regards the information as having independent value if it amounts to a trade secret.
“Fiduciaries” – imposition of duties upon certain classes of people, other than the owner, not to use or divulge information without the owner’s consent.
Proprietary Information
There are 3 broad threats to proprietary information:
It can be lost through inadvertent disclosure
It can be deliberately stolen by an outsider
It can be deliberately stolen by an insider
Trade Secret
A trade secret is a process or device for continuous use in the operation of the business.
For trade secret protection, the owner must prove:
Secrecy
Value
Use in the owner’s business
Trade Secret
The following are not trade secrets:
Salary information
Rank surveys
Customer usage evaluation
Profitability margins
Unit costs
Personnel changes
Trade Secret
Trade secret information is entitled by law to more protection than other kinds of proprietary information.
Trade Secret/Patent
A trade secret remains secret as long as it continues to meet the trade secret tests, but the exclusive right to patent protection expires after 17 years.
Competitive Intelligence Gathering
The most important function of competitive intelligence gathering is to alert senior management to marketplace changes in order to prevent surprise.
Competitive Intelligence Gathering
A rich source of information is the information provided to government regulators.
Never reveal information to anyone that you would not reveal to a competitor.
Industrial Espionage
Industrial espionage is the theft of information by legal or illegal means. It is more dangerous than inadvertent disclosure by employees in that highly valuable information is stolen for release to others who plan to exploit it.
Industrial Espionage
The vulnerability assessment is conducted from the perspective of the competitor and considers:
What critical information exists
The period of time when the information is critical. This may be a short period or may be for the life of a product
The identity of employees and indirect associates who have access to the information
Eavesdropping Tactics / Equipment
“Wiretapping” - the interception of communication over a wire without the participants’ consent; it requires physical entry into the communication circuit.
“Bugging” - the interception of communication without the participants’ consent by means of electronic devices and without penetration of a wire.
Eavesdropping Tactics / Equipment
Carbon microphone
commonly used in a standard telephone handset
Crystal microphone
generates a small electrical current when the crystal is
vibrated by sound waves
Contact microphone
installed on a common wall with the target area
Eavesdropping Tactics / Equipment
Spike microphone
installed in a hole in the common wall (not fully through)
Dynamic microphone
movement of a small wire near a permanent magnet converts
sound into electrical energy. Good eavesdropping device
which operates as a loudspeaker in reverse
Eavesdropping Tactics / Equipment
Pneumatic cavity device
has a specially designed small cavity which picks up
surface vibrations. (Glass tumbler effect)
Condenser microphone
high fidelity use. Fragile and sensitive
Electret microphone
used primarily in P.A. and audio recording.
(Extremely small)
Eavesdropping Tactics / Equipment
Omnidirectional microphone
used in conferences. Picks up sound from many directions
around the room
Cardioid microphone
picks up sound from directly in front of mic
Parabolic microphone
gathers audio energy and directs it to a conventional
microphone in the center of a dish-type reflector
A radio frequency (RF) device consists of:
– A microphone
– A transmitter
– A power supply
– An antenna; and,
– A receiver
Telephone Eavesdropping
• Digital systems - originally thought to be secure:
– The digit stream can be recorded and converted to analog and speech.
– The control system is available from an on-site terminal or from off-site through the network (Remote Maintenance Access Terminal, RMAT).
Eavesdropping Threat
• Risk for the electronic eavesdropper is low:
– electronic eavesdropping is easily committed
– chances are low that victim will find the device
– chances low, if found, can be tied to eavesdropper
– prosecution of eavesdropping cases is rare; and,
– the reward far outweighs the risk
Miscellaneous
• Audio masking
– generation of noise at the perimeter of the secure area to cover or mask conversation. Music is not used because it can be filtered out; “white” or “pink” noise is not as easily filtered from the tape.
Information Technology Security
(New)
Virus – Any hidden computer code that copies itself onto other programs.
Trojan Horse – Code that has been downloaded attached to unsuspecting programs and that later damages or affects data.
Bomb – Code inserted by programmers into legitimate software: (1) sensitive to a time schedule, triggered by date/time; (2) triggered by an event, such as copying a file or opening a program.
Trapdoors / Back doors – Intentionally created and inserted when developing software, e.g. Microsoft’s XP, etc.
Information Technology Security
Cookie Monster / Cookies – Data maintained from your PC for resource sharing, by use of text files sent to the machine via each website. This allows data such as credit card information to be collected by unauthorized parties.
Theft of Hardware – The unlawful taking of a PC or laptop with the intent of gaining access to a company network, other vital information, or sensitive data.
Fax Security
Security Products
• Tamperproof security enclosures for fax machines
• Automated fax distribution systems, which store documents in employee mail boxes that employees can access with a PIN
• Encryption – transmitting and receiving in encrypted form to prevent reading of an intercepted fax
Cellular Phones
Cellular and cordless telephones, digital and analog, transmit RF signals which can be intercepted.
Digital signals, thought to be secure, can be taped and converted back to analog signals for use by an interloper.
When a cellular phone is turned on, it transmits a mobile identification number (MIN) and an electronic serial number which identify the cellular set. These signals can be cloned for illicit use.
Test
1. Any formula, pattern, device or compilation of information which is used in one’s business and which gives him an opportunity to gain an advantage over competitors who do not know or use it is:
• a. A monopoly
• b. An unfair trade practice
• c. A trade secret
• d. A patent
2. Probably the main reason for loss of sensitive information is:
• a. Inadvertent disclosure
• b. Deliberately stolen by outsider
• c. Industrial espionage
• d. Deliberately stolen by insider
3. The primary tool of pre-employment screening is the:
• a. Interview
• b. Application form
• c. The investigation
• d. The investigator
4. Competitive intelligence gathering is a legitimate activity which is engaged in by many firms throughout the world. The most important function of competitive intelligence is to:
• a. Alert senior management to marketplace changes in order to prevent surprise
• b. Alert senior management as to the personal habits of competitive senior management
• c. Alert government intelligence agencies to marketplace changes
• d. Alert senior management to changes in protocol in foreign countries
5. The instrument used to monitor telephone calls by providing a record of all numbers dialed from a particular phone is called:
• a. A wiretap
• b. A bug
• c. An electronic surveillance
• d. A pen register
6. A clandestine listening device, generally a small hidden microphone and radio transmitter, is known as:
• a. A bug
• b. A wiretap
• c. A tempest
• d. A beeper
7. A microphone with a large disk-like attachment used for listening to audio from great distances is known as:
• a. Contact microphone
• b. Spike microphone
• c. Parabolic microphone
• d. Moving coil microphone
8. Sound waves too high in frequency to be heard by the human ear, generally above 20 kHz, are known as:
• a. Microwaves
• b. Ultrasonic
• c. High frequency
• d. Short-wave
9. Two methods of protection against telephone line eavesdropping are apparently reliable. The first method is “don’t discuss sensitive information” and the other is:
• a. To use a wire tap detector
• b. To use a radio jammer
• c. To use an audio jammer
• d. To use encryption equipment
10. The unauthorized acquisition of sensitive information is known as:
• a. Industrial espionage
• b. Embezzlement
• c. Larceny
• d. False pretenses
11. Proprietary information is:
• a. Information which must be so classified under government order
• b. Private information of highly sensitive character
• c. Defense data which must be classified according to federal regulations
• d. Anything that an enterprise considers relevant to its status or operations and does not want to disclose publicly
12. A trade secret is:
• a. Any formula, pattern, device or compilation of information which is used in one’s business and which gives that business an opportunity to gain an advantage over competitors who do not know or use it
• b. All information about a company which the company desires to protect
• c. Information of a company which is registered as such with the Patent Office
• d. Information so designated by the government
13. The control software of a Private Branch Exchange (PBX) can be accessed and compromised by calling the telephone number of a device on the PBX from a computer and modem. The name of this PBX device is the:
• a. Time Domain Reflectometer
• b. Remote Maintenance Access Terminal
• c. Current Carrier Signaling Port
• d. Internal and Remote Signal Port
14. Which of the following is generally not true in regard to proprietary information?
• a. Secret information does not have to be specifically identifiable
• b. Secret information must be such that it can be effectively protected
• c. The more narrowly a business defines what it regards as secret, the easier it is to protect that body of information
• d. It is difficult to protect as a trade secret that which can be found in publicly accessible sources
15. With respect to trade secrets, it may be decided that its disclosure by another was innocent rather than wrongful even in the case where the person making the disclosure really was guilty of malice or wrong intent. This situation may occur when:
• a. There is absence of evidence that an owner has taken reasonable precautions to protect confidential information
• b. The trade secret was not registered
• c. The trade secret did not involve national defense information
• d. The trade secret was not in current use
16. The class of person under a duty to safeguard a proprietary secret is known as:
• a. Agents
• b. Principals
• c. Fiduciaries
• d. Business Associates
17. Which of the following is not a correct statement, or a general rule, involving the protection of proprietary information?
• a. By operation of common law employees are presumed to be fiduciaries to the extent they may not disclose secrets of their employers without authorization
• b. As a class, employees are the largest group of persons bound to secrecy because of their status or relationship
• c. Other than employees, any other persons to be bound to secrecy must agree to be so bound
• d. Any agreements to be bound must always be in writing and are not implied from acts
18. Probably the chief reason for the loss of information about sensitive operations is:
• a. Deliberately stolen by an outsider
• b. Loss by fire or other disaster
• c. Deliberately stolen by insider
• d. Lost through inadvertent disclosure
19. The term “eavesdropping” refers to:
• a. Wiretapping only
• b. “Bugging” only
• c. Both wiretapping and “bugging”
• d. Mail covers
20. A microphone which has the characteristics of requiring no power source to operate it, is quite small, relatively difficult to detect, and is offered by equipment suppliers in such items as cuff links and hearing aids is known as:
• a. Carbon microphone
• b. Dynamic microphone
• c. Contact microphone
• d. Parabolic microphone
This presentation was designed to be used in accordance with other study materials and was not intended to be used solely as a study guide. This presentation does not contain all material from the “Information Security” section of the CPP Study Guide©. The presentation was intended to give you the “Golden Nuggets” which will assist you with taking the CPP Exam. Thanks, John Hewitt, CPP - 5/23/2006.
Recommended for study: CPP Study Guide – 12th Edition