I-OnAsia's three in-house teams of Technical Surveillance Counter-Measures (TSCM) ‘bug-sweep’ specialists work globally. We perform sweeps, usually alongside of security audits and penetration tests, assessments of insider threats and vulnerabilities to third party eavesdropping. At times, I-OnAsia supplies additional products and services to reduce risks of information loss for key meetings or events, such as sophisticated noise machines and Faraday tents, and temporary security staff.
We built out our TSCM capabilities over a decade ago. Asia is a technology hub, with lots of savvy cyber-criminals. Our investigative practice has always been strong in the areas of intellectual property protection and litigation support and event and executive security.
TSCM is an essential security service. Executive residences are increasingly seen as more permanent work-spaces and should be swept. Courts are re-opening and businesses are returning to work, increasing the need for secure environments. Business travel and corporate meetings are resuming, and giving rise to new needs.
Informed by our case experiences and global threats, I-OnAsia has developed a unique approach to TSCM bug sweeps. After many years of sweeps, we’ve taken a moment to provide a list of questions we suggest clients could be asking from their TSCM providers.
What can you tell us about our leadership’s commitment to information security and our organization’s information security culture?
TSCM sweeps are usually performed in executive offices. So, TSCM specialists should be able to make some observations about the level of leadership buy-in to any information security program.
Perhaps a critical security technology is tellingly disabled… or a key processes is being circumvented… or personnel are missing… or a statement is made during a TSCM sweep that a C-suite executive has actively made a values statement about information security.
As they say, “Culture eats strategy for breakfast.” A good TSCM sweep will consider how leadership culture makes an organization vulnerable to information loss and ask questions to gauge the state of play.
What was your preliminary assessment of the key threats to our information security via electronic eavesdropping, and what data did you rely on to prepare that assessment?
It is best practice for the TSCM specialist to have performed preparatory research about the threat environment before arriving on-site. The TSCM specialist should have spent time thinking about the types of internal and external threats to information security at the site, and have created some shorthand notes for how and where indicators of risk levels may be observed at the site.
In light of your initial assessment, what were your first impressions of the site? What first caught your eye that either protects or exposes us to the types of threats to information security?
First impressions matter, particularly when formed by an experienced professional who has the advantage of specialized training and years spent in the field.
Please provide a scenario for an attack that exploits the existing setups of our communications technology, electrical wiring, or some other area of facilities design as was observed, which you recommend the CSO and CISO cooperate in discussing how the threat could be discovered, monitored, or mitigated.
Baseball fans know how two infielders on the same team might make an error, dropping a ball in a critical gap because they are trying to avoid contact with each other or assume the other player has the ball. A TSCM sweep sometimes identifies vulnerabilities for exploits in gaps where the CSO and CISO are not communicating.
Where are the most difficult and easiest places where a trusted insider could place a hidden listening device or camera?
Sometimes the simplest questions are the best. If a TSCM sweep is only performed once a year at a site, these questions can be incorporated into more frequent check-ins by the in-house security team.
In your opinion, which of the areas swept are most & least vulnerable to electronic surveillance and why?
Sometimes similar questions yield different answers.
Tell me about the shape of things above the drop ceilings in different rooms. What would you do to reduce any noise leakage, where?
It is our experience that there is almost never enough done to address challenges above drop ceilings.
Perhaps it is because the whole experience is just nasty and inconvenient. Shavings from the tiles get in your eyes and down your back. Dust can get all over executive workspaces. Ladders are hard to secure. Building managers don’t see what your problem is all about.
Tell me more about our interior doors and windows. Can you identify areas where noise leakage needs to be addressed?
It is VERY rare for information security to be a consideration in corporate office interior design. Glass doors, modern hinges with air gaps, grand windows without film, and other challenges should be noted.
The TSCM specialist should be encouraged to recommend low/medium/and higher cost solutions.
During your sweep, did you see any written passwords on post-its, confidential information on white-boards, or similar vulnerabilities that could be used as exploits?
Why not ask? You might be surprised at what the TSCM sweep specialist saw during the review.
Did you audit policies or procedures designed reduce the risks of electronic surveillance? What is your assessment of the effectiveness of access control to the swept space? Are there additional improvements that you would recommend?
As above, a holistic approach to a TSCM sweep would include some auditing of security technology, policies and procedures.
Are there cameras or other surveillance technologies used internally that create information leakage vulnerabilities? Can you comment on whether we should avoid certain types of access control or security monitoring technologies in certain spaces?
Security CCTV systems are always getting better. More pixels! Better sound! Smaller and not a cosmetic eyesore! Sometimes individuals and companies purchase and install the latest and greatest CCTV systems without asking if they are creating new vulnerabilities.
With the advent of new smart home technologies, this is an important question to ask. Smart televisions in corporate conference rooms, smart speaker systems in creator and developer spaces, BYOB headsets, and other tech can sometimes create vulnerabilities.
A good TSCM report will touch on these issues.
Is there a vulnerability that you previously identified that still isn’t fixed this go-round?
Was there a countermeasure you expected to see but could not see or that was not working correctly?
Sometimes clients do not have the budget, bandwidth or buy-in to address a vulnerability initially. It is always good to review prior observations.
(And if you are really counting, we know we offered more than ten questions! Our aim is always to deliver above expectations!)
* To learn more about I-OnAsia's TSCM sweep services, please contact us.*