With those words, author Ira Winkler throws down the gauntlet against the hype and hysteria generated by the popular media over the state of information security in American companies. Corporate Espionage doesn't deny that real and potentially costly gaps exist, but it does challenge the notion that there are thousands of brilliant hackers around the world who can discover new system vulnerabilities and develop tools to exploit them.
Winkler, director of technology for the National Computer Security Association, estimates that there are probably only a couple of hundred "genius" hackers who can reliably discover network and operating system security holes, and perhaps five times that number of programmers who can write tools to exploit that knowledge. Once those tools reach the Internet, however, he estimates there might be as many as 50,000 garden-variety hackers who can use those tools to break into systems. The bad news is that the sheer volume of unoriginal but sophisticated break-in attempts means that the serious attackers, often in the employ of business competitors or foreign intelligence services, get lost in the hordes of freshmen trying out the latest software they found on the Internet.
The first section of the book walks the reader through the basics of establishing an information control regime: identifying valuable information (Winkler emphasizes that computerized information is not uniquely valuable in and of itself), assessing risk, determining value, identifying threats (both internal and external), and spotting vulnerabilities. This last task is often the most difficult -- no one wants to admit they're not doing all they can to guard their employer's secrets. Consequently, companies often hire outside "tiger teams" to explore the firm's security environment, which is made up of a company's physical, personnel, and informational elements.
Corporate Espionage's next section presents several case studies of successful corporate espionage operations, including one Winkler performed for a chemical manufacturer, as well as incidents from Intel, Boeing, and other companies. The author goes into a fair amount of detail about how the attacks were conducted, especially as to how he exploited human targets, so these chapters warrant careful study.
The final section wraps up the book with recommendations for steps companies can take to secure their information. These steps address the vulnerabilities and threats described in the previous chapters, but Winkler wisely keeps his advice general. As the authors of Computer Crime (a related book reviewed elsewhere on this site) state, each company must make its own choices based on its unique culture and capabilities.
In the end, what distinguishes Corporate Espionage from Computer Crime and Leonard Fuld's classic Competitor Intelligence (updated in 1996) is Winkler's willingness to go into detail and illustrate exactly what can be done with a telephone, computer, and some software purchased commercially or downloaded off the Internet.
-- Curtis D. Frye (cfrye@teleport.com)
| Readability |
| Originality |
| Organization |
| Accuracy |
| Consistency |
| Depth |
| Timeliness |
| Editing |
| Design |
| Overall Value |
Explanation of ERCB rating scale: No stars = unacceptable, 1 Star = marginal, 2 Stars = average, 3 Stars = above average, 4 Stars = exceptional.