Business Loss Due to Disclosure of Confidential Information

Some organizations have found their bids for projects coming in at just above the competition on a consistent basis. This could be due to coincidence or to unauthorized disclosure. It is always a concern when sensitive information is passed over wires or air space.

Following are some techniques for securing confidential voice transmissions:

    • Use a scrambling device such as SecureLogix Telewall, which has built-in encryption capability (the same device is required on both ends). The advantage of a trunk-based rather than handset-based approach is that the entire office or plant can be set up for encrypted conversations, assuming the other end (e.g., headquarters or a sister location) has a Telewall as well. The Motorola KG-95 also encrypts at the trunk level, unlike the older AT&T Surity 3600, which encrypts only from one handset to another. The Motorola product is shown in Exhibit 1. These devices, which enable point-to-point and multi-party encryption, protect the conversation from origin to destination (i.e., no intermediate points of clear conversation). Faxes can be protected as well. The devices typically have a secure/non-secure button that allows the telephone to be used in either mode, as required.

Exhibit 1: Motorola End Crypto Unit, CI-13 (Courtesy of Motorola, Inc.)

    • Use IP encryption if the voice conversation is converted to IP traffic before transmission beyond the premises. The Borderguard NetSentry devices, for example, use DES (Data Encryption Standard), 3DES (triple DES), and IDEA (International Data Encryption Algorithm) to scramble any data going across the wire. Note that with the increasing power of microchips, it is much easier for determined hackers (or governments) to break codes. The following quote, found on an Internet security page (http://www.jumbo.com/pages/utilities/dos/crypt/sfs110.zip.docs.htp), illustrates how quickly algorithms once thought secure have become as antiquated as iron safes:

      Use of insecure algorithms designed by amateurs. This covers the algorithms used in the majority of commercial database, spread-sheet, and word processing programs such as Lotus 123, Lotus Symphony, Microsoft Excel, Microsoft Word, Paradox, Quattro Pro, WordPerfect, and many others. These systems are so simple to break that the author of at least one package which does so added several delay loops to his code simply to make it look as if there was actually some work involved.

    • Use an enterprisewide dialing plan to ensure that all calls go through the least-cost and least-public route. Calls that go over leased lines (tie lines) are easier to secure than calls going over the public switched telephone network (PSTN). Encryption equipment can be placed at both ends and the voice traffic can be converted to IP. Typically, dialing plans are implemented to facilitate ease of use for employees as well as least-cost routing. However, they also increase security, at least to some extent. A dialing plan is implemented by making changes to every PBX in the organization's network so the user dials the same number to reach an individual regardless of the location from which the call is made. For example, if Mary Doe's number is 789-1234 and she is located in a Memphis, Tennessee office, then she can be reached from London or Sydney by dialing 789-1234 (with no preceding country codes, etc.). The PBX has all the logic built in to convert the numbers to the appropriate route. A dialing plan also has the side benefit of increasing contact between the telecom staffs of various locations, resulting in an exchange of security information.

    Keep in mind that the U.S. Commerce Department, as well as most governments internationally, has significant regulations on the level of encryption used. The French government, in particular, has stringent laws against encrypting without permission.
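
The dialing-plan item above describes each PBX converting one uniform number into a site-specific route. The following sketch is an added example, not part of the original text or any PBX vendor's logic: the prefixes, the London and Sydney routing tables, the costs, the outbound dial strings, and the `resolve` helper are all constructed for illustration. It prefers an encrypted tie line over the PSTN and flags calls that leave the premises in the clear.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    kind: str        # "local", "tie" (leased tie line) or "pstn" (public network)
    encrypted: bool  # True when encryption equipment sits at both ends
    cost: float      # constructed relative cost per minute
    template: str    # digits the PBX sends out; {n} is the 7-digit plan number

# Constructed sample plan: exchange prefix -> site that owns it.
PREFIX_TO_SITE = {"789": "memphis", "456": "london", "321": "sydney"}

# Constructed routing tables keyed by (originating PBX, destination site).
ROUTES = {
    ("london", "memphis"): [Route("pstn", False, 0.40, "001901{n}"),
                            Route("tie", True, 0.05, "8{n}")],
    ("sydney", "memphis"): [Route("pstn", False, 0.55, "00111901{n}")],
}

def resolve(origin, dialed):
    """Return (route, digits_sent, needs_review) for a uniform plan number."""
    number = "".join(ch for ch in dialed if ch.isdigit())
    if len(number) != 7:
        raise ValueError(f"not a 7-digit plan number: {dialed!r}")
    site = PREFIX_TO_SITE.get(number[:3])
    if site is None:
        raise LookupError(f"prefix {number[:3]} is not in the dialing plan")
    if site == origin:
        # Same PBX: the call never leaves the premises.
        return Route("local", False, 0.0, "{n}"), number, False
    candidates = ROUTES.get((origin, site), [])
    if not candidates:
        raise LookupError(f"no route from {origin} to {site}")
    # Least public first, then encrypted before clear, then least cost.
    best = min(candidates,
               key=lambda r: (r.kind == "pstn", not r.encrypted, r.cost))
    # Flag any call that leaves the premises without end-to-end encryption.
    needs_review = not best.encrypted
    return best, best.template.format(n=number), needs_review

if __name__ == "__main__":
    for origin in ("london", "sydney", "memphis"):
        route, digits, review = resolve(origin, "789-1234")
        print(f"{origin:8} -> {route.kind:5} sends {digits:16} review={review}")
```

In this constructed data, Sydney has no tie line to Memphis, so the same dialed number falls back to the PSTN and is flagged for the telecom staff to review.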
