Wyche Innovation Centre,
Complete Technical Surveillance Counter Measures (TSCM) Presentation
Assure Technical’s complete presentation on Corporate Technical Surveillance at the March 2014 Enterprise Security & Risk Management Conference in London
Good afternoon, everybody. I thought I’d start off with just a little bit of an introduction to myself. I’m assuming Technical Surveillance Counter Measures is relatively new to probably 50 or 60% of the audience today. My background is Military, 14 years Military, and I’ve done 14 years’ hard labour in the corporate Technical Surveillance Counter Measures arena, really.
Assure Technical have asked me to come today to talk about Technical Surveillance Counter Measures and the agenda, really, is to understand the corporate threat from Technical Surveillance, to overview Technical Surveillance Counter Measures and to use the 2012 Olympics as case study, really.
Why the 2012 Olympics as a case study? Well, that was the first time that the U.K. Government ever put what is a counter intelligence role out to tender to the corporate world to provide that kind of service. The tender itself was, obviously, a long process and very interesting from an operator’s perspective, because it gave us the first view of what Government perceived to be the threat within the Technical Surveillance arena that was, or should be, mitigated at a Government level, and that gave me a unique standpoint to be able to assess that at a Corporate level as well.
Okay. So, a bit of a tongue-in-cheek slide, pictures really, I’ve never watched this program. But the first thing we have to look at is common perception and what people commonly perceive the threat from Technical Surveillance to be. That’s the first starting point for any audit and it is also the first starting point for any problem as far as I am concerned, because the common perception around Technical Surveillance and how to defeat Technical Surveillance is often learned through Hollywood. It’s what people see in movies, it’s what people see on the television, and it’s what they read on the internet. The actual full grounding of threat, vulnerability, and mitigation of the risk that’s created therein is usually a completely separate story, really.
Okay. People also perceive the threat to be purely Commercial. Commercial devices and the kind of quick plant, what we would call quick plant devices (images of quick plant bugging devices revealed). This is the kind of thing that you can see that you can buy on eBay: a mixture of the kind of mouse with the GSM engine inside that allows people to dial in and listen to conversations. Wired microphone sets that you can buy down at Maplin’s for a tenner. The double plug socket, which you can buy again on eBay for £50 or £60. I’m not saying that these devices shouldn’t be worried about: the Ecuadorian embassy found a big problem with the double plug socket, and also had a little bit of a problem finding it for a while.
Things like phone chargers. The last gentleman was talking about bringing your own devices. With your own devices come your own accessories. With your own accessories come your own risks. For example, this small thing, I think it’s again about £60 off eBay. That phone charger has a GSM engine inside that can be dialled into from anywhere around the world and allow the attacker to listen in to conversations. The usual thing – what people might think of as a bug, the thing in the centre and the bottom one on the left – all readily available, all very Commercially available devices. Anybody with a small motive and a small budget can afford these, but they are very effective attacks, extremely effective attacks.
Just because of the last bring your own device talk, I’ll talk a little bit about the phone charger – the phone charger attack. Again, about £60 off eBay. It’s a sealed unit and there is a SIM card already inside. It’s a roaming SIM card, so whoever buys it doesn’t even need to put a SIM card in, and it’s fully sealed. You wouldn’t be able to tell the difference between that and any other phone charger that was in your area, be it a secure area or an insecure area. For me to guarantee to find that, I would need probably a minimum of £70,000 and a maximum of about £100,000, okay? So don’t write off the Commercial threat.
Okay. So that’s obviously a picture of me, when I’ve had a shave and removed my glasses (picture of James Bond revealed). The reality of threat in the Commercial world is very different. The reality of threat that I see every day, every week of my working life is that Technical Surveillance attacks veer towards Government level attacks and veer towards Government level technology. Most of the people that I speak to on a business front, daily, perceive that they either don’t have a threat from Technical Surveillance, or that their Technical Surveillance threat is what we saw before. Disgruntled employees, people leaving and putting in something that was found on eBay.
That’s just not what we find. We don’t find that at all. We find that, especially in the competitive market type attack – let’s say a deal is worth £1 million. A deal worth £1 million is worth a 10% investment to gain the intelligence to win that deal. You can get an awful lot of spying for that money, an awful lot of spying.
You can hire ex-government employees with all of the tradecraft and skills that they need to attack your Company. You can hire a team of them and they will have the kind of technology that a normal Corporate sweep team just cannot find. That’s been proven a number of times. There was an incident not so long ago, I think it was a divorce case, but there were shares involved and that kind of thing.
There were pictures in the paper of a few guys attacking a house. Those guys were ex-military and ex-police Technical Surveillance officers. If you look at the equipment that they used, that was police equipment and military equipment that left their work and the arena when they did. So the reality of threat is often far greater.
Okay. Now that we’ve looked at the very, very basics of threat and vulnerability, we’ll just look at Technical Surveillance Counter Measures itself as a service. So I think this is the kind of D.O.D. definition of TSCM, but what it doesn’t take into consideration is communication security and IT security.
Now, I’m not going to step out of my depth and start talking about IT security. That’s not my realm, however, I think when we take a look at the next slide, we see how they fit together. And this is the biggest vulnerability that I perceive in the Corporate world, which is envisioned from what I’ve seen in the kind of Government world.
You have your physical security and your physical security budget. You have your IT security and your IT security budget. You put them together and there’s always a gap. There are devices, which are manufactured specifically for that gap, devices which will not be found by standard physical security, devices which cannot be found by standard IT and cyber defence.
I’ll give an example and it’s a brief example. We have a thing back in the workshop which is called a passive sniffer and it’s a small box about this big. It has four ports. Two ports with two-way communication, two ports with one-way communication. That can sit quite happily on a wired network and sniff the packets from that network. If we attach a 3G device into there, a 3G technical surveillance device, we can open a direct 3G tunnel to sniff packets from that network. The cost of that is £50. The ability needed to put that in – anybody could put it in, okay?
So the reality is that TSCM, while it might seem a little bit James Bond, it might seem a little bit will never happen to us, there is a gap and there is a gap in most people’s security strategies.
Okay. This slide covers the type of corporate TSCM searches there are, or what people may sell their services as.
People sell sweeps, surveys. Sweeps and surveys are usually very reactive. ‘Oh, we think we might have a problem, oh, we’ve got a board meeting coming up, we need to secure this area.’ That’s not something that people treat their IT security like, or their physical security like. You know, if you think about building security, which security managers say ‘it is looking a little bit rough this weekend, we might get some locks on the door’? Or look at their IT security and think ‘well, we might have a firewall on Fridays and Saturdays’, yeah? So we need to look at it as a holistic part of information assurance.
Corporate espionage threat briefs – Again, previously when I talked about people’s perceptions, people’s perception of threat in the Technical Surveillance world. Buyers of a service aren’t in the correct position to quality assure what they require and quality assure the service that they are buying in unless they understand the threat and the vulnerability. Therefore, the first stage of any assurance in Technical Surveillance Counter Measures is to understand the threat and the Corporate espionage threat brief really is the way to start that process.
Training – again – I know a lot of companies, and there are probably a lot here, who have their own in-house teams. We need to look at how those teams are managed – are they doing it every day? Yeah? What kind of training have they received? It’s the training that’s required as an ongoing process. And what quality assurance should we be laying across that training to ensure we mitigate the threat? Not just the threats from yesterday and today, but the emerging threats.
Secured meetings – How many people in the room, I won’t ask for a show of hands, how many people in the room have meetings outside of their secure areas? How many people remove sensitive information, willingly from that secure environment out to nice location like hotel or something like that and then carry on the process of storing, creating, or communicating that valuable information?
A bit like today. If I look at today, I’m wearing the radio mic. That radio mic is analogue. Therefore anybody from outside of here can quite happily receive that on something that they bought from Maplin, eBay, something like that. Even the small bits of information, that could be useful; all intelligence has a value. So process again around securing meetings. Making sure that meetings at external areas where communication happens are covered.
What range of equipment is available and what’s required to do a survey? I can tell you now, anybody that talked to me for half an hour one-to-one would realise that what you see in the movies just isn’t true. We have, as a team, invested initially £250,000 in equipment to survey for all known threats.
Threat changes day by day, week by week, year by year. We have to re-invest another £75,000 a year to keep up with that threat. The equipment that we purchase can’t be purchased on eBay or Maplin. A lot of it is controlled equipment.
Okay, and we’ll match that off with the Olympic case study. When you look at this, you will see that all we’ve done now is transfer what we learned from the Government side of life into the Commercial world, and it’s proven very successful. We have around 14 finds a year. That’s 14 finds a year in organisations just like yours.
Okay, so we used eight operators, that’s eight fully trained ex-military personnel, security cleared, trained and experienced. Over 150 years’ worth of experience in our full organisation in Technical Surveillance Counter Measures. It was a two year project, a two year project of sweeping and then returning to sweep areas, month after month, with the £250,000 worth of hardware, and it’s a lot to carry.
This is the kind of cycle that we had to go through. Sweeping, Technical Surveillance Counter Measures, isn’t about turning up and saying this area is clear, yup. It’s far more than that again, it’s not about putting a lock on the door just when you need it.
So reconnaissance: it’s the necessary work of time analysis. How long is it going to take? What am I going to need? Who do I need? Do I need any special kind of people to do the systems that are there?
Threat assessment and vulnerability assessment. This should be done for every single area for every single case, otherwise we don’t understand the threat. We can’t calculate the vulnerability and risk, therefore, we can’t mitigate against that risk.
And the planning phase. Operational phases – in the Olympics, we used a phase one and phase two strategy, whereby phase one was the empty building, so the empty royal box, the empty secure rooms, before anybody moved into them. In that case, we look for deep plant devices, devices which have been built into the fabric of the building. Phase two, when people start to work there, covers all kinds of threat vectors.
And recovery. The most important phase, I think. Reporting, okay? Mitigation of any vulnerabilities or threats which we have identified, maintenance, and then planning for the next round. So if we had 12 or 14 secure areas to look after, each one of those steps is followed through to the planning stage, where we plan for the second phase of that sweep.
Okay. Thanks very much for listening. If you got any questions now, I’ll be glad to take them down there.