Corporate Espionage by Ira Winkler Book Review

Despite being published in 1997, this has been by far my favorite professional book since starting my cybersecurity journey.

With the exception of floppy disks being cutting edge technology, almost every point, story, and concept is still valid today and I am so glad that I have my Sec+ to help me understand his points even better.

Part 1 is background, Part 2 is case studies, Part 3 is recommended actions. I recommend reading this over a length of time: while the book is short, there is a lot of information to parse through. The level of reading is approachable to a beginner, but I think I'm reading this at a good time with enough background knowledge and work experience to fully appreciate the book.

Winkler doesn't use a lot of jargon and explains technical exploits clearly.

  • Corporate intellectual property may have disinformation strewn into it to sabotage theft. This reminds me of paper towns (which I learned about through John Green's book Paper Towns)
  • Honeypots, penetration testing, and the CIA triad have all been staple concepts for a long time. Fascinating!
  • The main reason employees fail to recognize and rectify careless handling of information is a mismatch in the perceived value of information: thieves can use pieces of information with a wider context, especially if done slowly.
  • Value discussion directs risk management for business entities
  • Even broken products and drafts can show a lot, whether physical, electronic, or paper. Failing to delete or destroy these is a risk.
  • The largest companies, with the biggest and most overwhelming industry market share, face the largest and best-equipped competitors
  • Smallest companies have the most competitors
  • Midsize companies face a double whammy and also tend to be less cognizant of the threat, using their size to justify the belief that they aren't a big enough fish to be sought after
  • Case study: Starbucks in Japan. Japan's largest gourmet coffee chain sent an investigator who visited every west coast store to determine real estate, quality, and processes to develop “marketing and sales campaigns to cement customer loyalty before Starbucks’s arrival”
  • U.S. Intelligence stays out of the business arena, but other nations have no qualms about jumping into corporate espionage. I wonder how much has changed since 9/11 and the formation of DHS?
  • It is a well-known Russian TTP to target 3rd and 4th party vendors and suppliers
  • Used as an indicator, late-night pizza delivery in DC is the first to know of a crisis because of the increase in deliveries to important government buildings. This reminds me of the Waffle House Index, an assessment of the severity of a storm based on Waffle House locations remaining open in a threatened area
  • Within various Russian spy agencies that filled the void following the fall of the USSR/collapse of the KGB, there is budget competition with rewards to the best performing agencies. This leads to a culture of secrecy and aggressiveness within the community.
  • Difference between China and Russia's corporate spies? Chinese have ethnic devotion to homeland whereas Russians switched to relying on monetary incentives
  • U.S. corporate managers are inclined to believe no one would spy on them, but foreign companies think differently due to culture.
  • "Friendly" nations are a greater risk
  • Some countries are known to bug and videotape hotels commonly frequented by American Corporate representatives
  • Historically, France has been known to encourage and incubate the growth of hackers. I think this is an interesting point: while they saw an opportunity to gain talent, we did the exact opposite and punished the early hacker talent
  • “Misrouted bank transactions” aren't reported due to fear of the public's loss of confidence, which could lead to bank collapse
  • Media and press are also threats. Public release leaks could undercut markets. I think about Taylor Swift's crew and how seriously they take securing new releases, and I also think about Lady Gaga and Bradley Cooper's "A Star is Born" remake, where the "audience" actors weren't allowed to even hear what the songs were as they themselves were being filmed in a concert for the film.
  • Reverse social engineering is a term for when victims come to the attacker instead of the other way around. An example of this is posting ‘the help desk # has changed’ and redirecting IT trouble call requests to be manipulated.
  • A mandatory policy of giving out names and department over the phone can be fodder for social engineering attacks. Automatic caller ID within the organization and an indication that a caller is outside of the physical workplace can cut down on this.
  • Sales and marketing give info out for free in honest enthusiasm. A fake potential buyer could dangle a sale and more information is revealed. “Salespeople are supposed to give out protection, not protect it”. There are countries known for doing this to American salespeople and unless the salesperson has seen it before, I wouldn't expect them to know.
  • Help wanted ads and job postings over-provide information that can be used as a script in a future attack.
  • Case study: an American employee who kept loudly exclaiming in public over the phone, emphasizing the country he got to go to on behalf of a defense contractor. Americans are loud and this one was insecure and couldn't keep this information to himself.
  • Technical professionals are especially vulnerable to women and those who take interest in their work. Case study indicates when both are involved it increases the chances of a successful breach.
  • Basic Human Weakness:
      - Well-meaning cooperators
      - Confused and overwhelmed folks who will follow the lead of whoever seems to know what they're doing
      - Path-of-least-resistance, "just want to go home" type of folks who won't report possible incidents

  • Natural disasters and acts of God do more damage than espionage
  • Workplace IDs and sensitive documents: pictures on IDs no longer match the people as they change hair color, glasses, etc. Guards also may not be trained to spot sensitive documents unless it's blatantly obvious (color coded files/folders. What happens when confidential papers are taken out of work in a different colored folder?).
  • Employees' rude attitudes toward guards cause them to be less effective at searches or checks. It's human nature to not want to be burdensome and be snapped at. A good company policy/culture should not tolerate such behavior as it reduces effectiveness.
  • Unusual copy machine usage can be an indication of theft. Winkler recommends employee ID numbers for tracking who is making significant numbers of copies and searching for abnormalities
  • Nice to see floppy disks being explained as a new method of holding data and exfiltration. Oh how things have changed.
  • In and out desk folder boxes: even turning sensitive material face down attracts attention as out of the norm
  • At the time, PBXs (corporate VoIP) were a thing, hackers were still fairly new, and people were still sometimes getting electrocuted when power spikes happened while they were on the phone. I can't imagine that happening today!
  • Choosing fire extinguishing agent: Fire suppression system shouldn't damage electronics
  • The biggest threat (besides acts of God and weather) is current and former insiders, along with people who target an open job and, without being thoroughly screened, are given the keys to the kingdom
  • I learned about TEMPEST and exploiting electromagnetic signals
  • Winkler recommends insisting that contracted companies that fulfil security and janitorial needs have the exact same stringent background checks as employees. I think that while this is a simple and straightforward rationale, this could easily be missed. It's the same concept as anyone wearing a reflective vest at a concert or staff uniform at a large: people's brains ignore them and they are easily missed.

James Danburg

Experienced InfoSec, Risk, Resiliency and Governance Analyst-Consultant (USAF Veteran) Seeking Next Challenge.

6 months

Intellectual Property theft is a crime, not just perpetrated by Nation States.

Kevin Peterson, CPP

Principal Consultant-Partner at Innovative Protection Solutions, LLC

6 months

This is one of my favorites too. Ira is a great author and really gets the important tenet that there's more to life than just cyber. Risk is a complex and interconnected thing!

Rob Dodson SCF, CISSP

Executive Director, Cyber Ops Academy

6 months

In the 90's I gave this book away with our Darkside of Social Engineering class. Not sure how many but a lot.....comments were always, I never knew how bad it could be.....Great book as was the update.....

Ira Winkler

Award winning CISO, top-rated keynote speaker, bestselling author, but really just trying to leave the world more secure than how I found it. Feel free to Connect instead of just Follow.

6 months

Thanks so much for a shout out. Not meaning to hijack your post, but Spies Among Us was an update to this book. I would also recommend my latest books as well.
