IT and Physical Security
  • N. A. Corbier (Senior Member) replied:
    Considering my company currently does technical security, including risk assessment and integrated IT/Physical Security assessment and solutions deployment, I'd say that a lot of companies don't connect "IT" and "Security."

    They think that "security" is installing a COTS (Commercial Off the Shelf) firewall from Black Box and that'll secure their network. They went NUTS over Sarbanes-Oxley, and still scream "Where's the ROI on this process?" Here's a hint, guys: There is no ROI, it's to prevent another Enron, and most government requirements are there because the industry failed to govern itself.

    I've seen stupidity such as spending 2,000,000 dollars on network infrastructure security, pretty Dell boxes, the latest version of Windows 2003, and then any idiot can walk into the unlocked server room. The armed security guards that patrol the property, highly trained and expensive, have no orders about non-authorized employees running around the server room with a USB keydrive, downloading the HR files or other secrets. They just see "employee in the server room" and note it down on their chronological log.

    There are also threats such as social engineering attacks. How many times, Bill, have you walked up to the secretary and had her give you interesting information like passwords, internal PBX lines, or other data, just by BSing her? Employees need to be trained in dealing with social engineering attacks: internal, external, and middleman.

    Oh, and I've gone through an office, running at high speed, ripping off every password post-it note I can, screaming passwords to get the point across. On difficult issues, sometimes shock and awe do best, after you've outlined the problem and begun the solution process - retraining employees and graphically showing them what can happen.

    Because "You should rotate passwords" doesn't sink in, but backing up their user directory, then deleting everything in it, does. After it sinks in, they're eager to learn to protect their own work.



  • Crinsol replied:
    Well Done!

    Bill,

    I don't know you and I am a new member to this forum, but I must say that your AAR is one of the better ones I have read in a long time.

    It is heartwarming to see a risk assessment professional view security as a whole and provide common sense reasoning.

    Thanks!


  • Bill Warnock (Senior Member) started a topic: IT and Physical Security

    I wanted to share with the readership some typical Information Technology/Physical Security deficiencies noted on surveys or inspections I've conducted. For obvious reasons, the locations and facilities are not identified. They are shared in the hope they will be of benefit to interested parties visiting infosecuritywatch. Reader comments are most welcome. Installment number one:

    Combinations to cipher locks were not changed at least semi-annually or when workers departed the area. Observed at a right angle, you could see that the cipher buttons used were slightly depressed. Working with these buttons, in a matter of minutes I was able to unlock doors and gain access to protected areas.

    Operational personnel were not always present when I gained entrance to the area.

    Operational and file passwords were taped to monitor faces, affixed to desktops, credenzas or cubicle walls.

    During daily breaks and lunch periods, HIPAA protected documents were not properly secured in that they were strewn about at workstations, credenzas or atop file cabinets. Operational personnel were not in attendance.

    Emergency red colored mushroom switches were not installed at all exits.

    Above ceiling area and below raised floor water sensors were not installed in all IT facilities visited.

    Automatic fire suppression systems were not installed in all IT facilities visited.

    Zoned duress switches were not installed in all IT facilities visited.

    IT facilities employing programmers, organic or outsource, writing code were not governed by corporate or IT policies, verbal or written. Examination revealed programming and/or code writing was not always straightforward in that there were instances of individual flair in such coding and/or programming.

    First and second echelon supervisors did not inspect product output for presence of unauthorized subroutines.

    Written instructions or policies were not given to all employees concerning the use of the internet.

    Neither management nor IT supervision established written policies concerning the downloading of software from the internet. Policies or procedures were not established concerning employees bringing software packages into the facility to be used in corporate operations.

    Operational personnel interviewed determined they did not know what actions should be taken or to whom to report virus or hacker attacks. Written policies and procedures were silent on these aspects.

    NIST approved anti-virus programs were not in place at all facilities visited.

    Written policies and procedures were not established for those employees working on corporate projects from their places of residence.

    More in the next installment.

    Enjoy the day,
    Bill
