Secrecy
Secrecy is harder than you think. Keeping secrets is difficult.
Not Taking Secrecy Seriously Enough
Most people do not take secrecy seriously enough. Many find the urge to talk about exciting things irresistible because they have not learned to enjoy the responsibility and privilege of keeping secrets safe. The impulse to divulge juicy gossip to friends, family and coworkers is a powerful one.
Taking Secrecy Seriously
To take secrecy seriously, you need to take pride in thinking like an operative who never brags or gossips about secret matters. Tell only those people who have a need to know the information. The fewer people who know a secret, the more valuable it is.
Taking Secrecy Too Seriously
Secrecy is a balancing act between security and confusion. Democratic groups tend towards transparency and openness. It is important that secrecy be balanced with openness. Paranoia can cause problems just as easily as actual insecurity or secrecy compromise.
Historical Examples Of Secrecy
Polish Solidarity was very successful as an open and democratic movement under Communist Polish rule. They earned widespread support and won economic relief and political freedoms for their members. But they failed to anticipate the danger of a crackdown. People suggesting contingency plans for leadership preservation, stashing of printing presses and resistance organizing in the event of police state oppression were ridiculed. When the fist came down it was too late and the government's special forces had already smashed the movement's leadership and dissolved years of progress.
The lesson of history is that even peaceful activists under permissive conditions need to have contingency plans ready for the worst happening.
Basic Secrecy
Questions To Ask
- How do you classify the sensitivity of particular kinds of information?
- What harm could result from its compromise?
- What benefit could be derived from making the information public?
- What level of threat is perceived and from whom?
- What levels of security are appropriate for what levels of sensitivity?
- What combination of measures balances security with operational efficiency?
- Who can you tell and what can you tell them?
- Be careful about who you share information with.
- Even if someone is your friend now, circumstances could change. What harm could the information do if they turned against you or carelessly allowed it to pass to someone else?
Classification
People and groups divide up information between secret, sensitive, private and public.
Obvious Examples:
- some things are secret (no one will ever know)
- credit cards are sensitive (no one else should know)
- personal details are private (no one else needs to know)
- publicly known details are public (anyone can know).
Security policies are just words unless they are second-nature to all group members.
Some groups with many casual participants may not teach COMSEC to everyone, but anyone with serious involvement should receive a grounding in the org's security policies so that they permeate the culture.
Protocols
Protocols are security procedures that everyone in an organization should follow to maintain security and certify their credentials.
Infiltrators
Leaks
Example: Secrecy At Apple
Apple uses nondisclosure agreements, family silence, canary traps, project code names, team member aliases, need-to-know cell structure compartmentalization and faked prototyping:
"Here's how Jobs keeps secrets. Like every company in the Valley, Apple uses nondisclosure agreements and code names. There's no point telegraphing to the competition what you're up to if you don't have to.
Jobs also keeps information on a need-to-know basis. Different product groups are told only what they must know to finish their parts of the product. It's a classic cell structure, like a spy organization. The executive team members are the only ones who know the big picture.
Take the iPod name. The only department in Apple that knew the name of the iPod ahead of its unveiling was the graphics department, because it designed the product packaging and advertising materials. Everyone else referred to its code name, "Dulcimer."
And then there are the rumors of hardware prototypes disguised in big polycarbonate boxes to hide their final shape. One ex-Apple executive told me that the hardware is put in big boxes to make it easy to debug, just like a Radio Shack project box. It doesn't hurt that no one can see what the final product will look like -- especially when prototypes are shipped to outside partners for testing or development -- but that's not their primary purpose.
Some of Apple's secrecy measures get a little extreme. When Jobs hired Ron Johnson from Target to head up Apple's retail effort, he asked him to use an alias for several months lest anyone get wind the Mac maker was working on retail stores. Johnson was listed on Apple's phone directory under a false name, which he used to check in to hotels.
Apple's head of marketing, Phil Schiller, said he's not allowed to tell his wife or kids what he's working on. His teenage son, an avid iPod fan, was desperate to know what his dad was cooking up at work, but daddy had to keep his trap shut because he might get canned.
Even Jobs himself is subject to his own strictures: He took an iPod hi-fi boombox home for testing, but kept it covered with a black cloth. And he listened to it only when no one else was around.
Why is Apple so secretive? Many think it's a quirk of Jobs' control freakery, but it's simply good business and good marketing.
Jobs makes millions of dollars in free advertising every time he steps onto a stage to reveal a new product. It's called "event marketing," and he learned it from his marketing mentor, John Sculley, who Jobs recruited to be Apple's CEO in 1983.
Sculley made product announcements an event, a piece of theater, and the press happily rolled the TV crews to cover it. And since the unveiling of the original Mac in 1984, Jobs has used the same strategy.
If everyone knows what the product is ahead of time, it's not news. And that's why Jobs keeps his million-dollar secrets."
—Article: Steve Jobs, Spymaster in Wired News
Canary Trapping
"Canary traps are widely used to uncover industrial espionage. A private investigator once told me about a Silicon Valley company in the mid-'80s that had a problem losing key customers to the competition. The investigator had several lists of customers made up, each sprinkled with bogus phone numbers. Different lists were given to different people. The investigator just waited to see which of the phony phone lines he'd set up began ringing."
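The list-seeding approach described in the quote above, as an added example (not part of the original page or the quoted article): each recipient's copy gets bogus numbers derived from a secret key, and a registry maps any number that later surfaces back to the person who held it. The customer data, key, recipient names and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the genuine list every recipient receives.
CUSTOMERS = [
    ("Acme Tooling", "555-0101"),
    ("Birch Labs", "555-0102"),
    ("Corvid Freight", "555-0103"),
]


def issue_lists(key, recipients, customers, per_list=2):
    """Return (lists, registry): one seeded copy per recipient, plus a map
    from every bogus number to the single recipient who was given it."""
    used = {phone for _, phone in customers}
    lists, registry = {}, {}
    for recipient in recipients:
        seeded, counter = list(customers), 0
        while len(seeded) < len(customers) + per_list:
            # Keyed derivation: reproducible by the issuer, unguessable otherwise.
            msg = f"{recipient}:{counter}".encode()
            digest = hmac.new(key, msg, hashlib.sha256).digest()
            counter += 1
            number = f"555-{int.from_bytes(digest[:4], 'big') % 10000:04d}"
            if number in used:  # never collide with a real or issued number
                continue
            used.add(number)
            registry[number] = recipient
            # Placeholder name; a real trap would use plausible-looking names.
            seeded.append((f"Customer {digest[4:7].hex().upper()}", number))
        # Sort so the bogus rows do not sit conspicuously at the end.
        lists[recipient] = sorted(seeded, key=lambda row: row[1])
    return lists, registry


def identify_source(registry, observed_numbers):
    """Name the recipients whose bogus numbers were observed in use."""
    return sorted({registry[n] for n in observed_numbers if n in registry})


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: kept secret by the issuer
    lists, registry = issue_lists(key, ["alice", "bob", "carol"], CUSTOMERS)
    rang = [n for n, who in registry.items() if who == "bob"][:1]
    print("numbers that rang:", rang)
    print("list came from:", identify_source(registry, rang))
```

The registry has to be stored as carefully as the key, since anyone who reads it can strip the bogus rows from a copy before passing it on.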
Promoting Security Culture
Whether you are a COMSEC specialist or just a voice of caution, there are a variety of ways to promote security culture.
Posters
Posters around offices are a good way to promote security culture.
In WWII, posters reminded soldiers not to chat about sensitive military matters.
