"Kevin Mitnick wasn't particularly talented; he was just a good liar."
With those words, author Ira Winkler throws down the gauntlet against the hype and hysteria generated by the popular media over the state of information security in American companies. Corporate Espionage doesn't deny that real and potentially costly gaps exist, but it does challenge the notion that there are thousands of brilliant hackers around the world who can discover new system vulnerabilities and develop tools to exploit them.
Winkler, Director of Technology for the National Computer Security Association, argues that there are probably only a couple of hundred "genius" hackers who can reliably discover network and operating system security holes, and perhaps five times that number of programmers who can write tools to exploit that knowledge. Once those tools reach the Internet, however, he estimates there might be as many as 50,000 garden-variety hackers who can use those tools to break into systems. The bad news is that the sheer volume of unoriginal but sophisticated break-in attempts means that the serious attackers, often in the employ of business competitors or foreign intelligence services, get lost in the hordes of freshmen trying out the latest software they found on the Internet.
The first section of the book walks the reader through the basics of establishing an information control regime: identifying valuable information (regardless of form; Winkler emphasizes that computerized information is not uniquely valuable in and of itself), assessing risk, determining value, identifying threats (both internal and external), and spotting vulnerabilities. This last task is often the most difficult -- no one wants to admit they're not doing all they can to guard their employer's secrets. As a result, companies often hire outside "tiger teams" to explore the firm's security environment, which is made up of a company's physical, personnel, and informational elements.
Corporate Espionage's next section presents several case studies of successful corporate espionage operations, including one Winkler performed for a chemical manufacturer, as well as incidents from Intel, Boeing, and other companies. The author goes into a fair amount of detail about how the attacks were conducted, especially as to how he exploited human targets, so these chapters bear careful study.
The final section wraps up the book with recommendations for steps companies can take to secure their information. These steps address the vulnerabilities and threats described in the previous chapters, but Winkler wisely keeps his advice general. As the authors of Computer Crime (a related book reviewed elsewhere on this site) state, every company must make its own choices based on its unique culture and capabilities.
In the end, what distinguishes Corporate Espionage from Computer Crime and Leonard Fuld's classic Competitor Intelligence (updated in 1996) is Winkler's willingness to go into detail and illustrate exactly what can be done with a telephone, computer, and some software purchased commercially or downloaded off the Internet.
Curtis D. Frye (firstname.lastname@example.org) is the editor and chief reviewer of Technology and Society Book Reviews. He worked for four years as a defense industry analyst at The MITRE Corporation in McLean, VA, and is the author of Privacy-Enhanced Business, from Quorum Books.