Well Done!

Bill,

I don't know you and I am a new member to this forum, but I must say that your AAR is one of the better ones I have read in a long time.

It is heartwarming to see a risk assessment professional view security as a whole and provide common sense reasoning.

Thanks!

Considering my company current does technical security, including risk assessment and integrated IT/Physical Security assessment and solutions deployment, I'd say that alot of companies don't connect "IT" and "Security."

They think that "security" is installing a COTS (Commercial Off the Shelf) firewall from Black Box and that'll secure their network. They went NUTS over Sarbane-Oxley, and still scream "Where's the ROI on this process?" Here's a hint, guys: There is no ROI, its to prevent another Enron, and most government requirements are there because the industry failed to govern itself.

I've seen stupidity such as spending 2,000,000 dollars on network infrastructure security, pretty Dell boxes, the latest version of Windows 2003, and then any idiot can walk into the unlocked server room. The armed security guards that patrol the property, highly trained and expensive, have no orders about non-authorized employees running around the server room with a USB keydrive, downloading the HR files or other secrets. They just see "employee in the server room" and note it down on their chronological log.

There are also threats such as social engineering attacks. How many times, Bill, have you walked up to the secretary and had her give you interesting information like passwords, internal PBX lines, or other data, just by BSing her? Employees need to be trained in dealing with social engineering attacks, both internal, external, and middleman.

Oh, and I've went through an office, running at high speed, ripping off every password post-it note I can, screaming passwords to get the point across. On difficult issues, sometimes shock and awe do best, after you've outlined the problem and begun the solution process - retraining employees and graphically showing them what can happen.

Because, "You should rotate passwords" dosen't sink in, but backing up their user directory, then deleting everything in it. After it sinks in, they're eager to learn to protect their own work.

Crinsol, N.A. Corbier:
There is so very much in due dilligence that makes you wonder what are these folks doing. I was once told if I went into the breakroom and looked into, (almost slipped up) a certain cupboard there would be a listing of current passwords. I got this from a homeless person after several mornings of buying coffee and Egg Mac Muffin. That is the scary part. After 40 years in this business, you develop, if you want to, a sixth sense as who will tell you something. People in sensitive jobs just can't keep their mouths shut.
I took both the security and IT managers to the breakroom. The facial expressions were priceless.
One of my mottos: "If you never look you will never find."
Thanks for the complements, I do try.
Two more installments to come.
Enjoy the day,
Bill

these are great

Bill, keep 'em coming. I'm enjoying these assessment notes.

Geoff

Thank you Geoff, here comes installment number four.

In many sites visited, written instructions were not issued to employees concerning the use of the Internet. One or two employees at a few sites visited openly acknowledged visiting ****ographic web sites and downloaded the material on company computers. They further acknowledged it was an ?open secret? and their ?bosses? knew.

In numerous sites visited, good housekeeping practices were not practiced, workplaces were cluttered up, and dust and debris were not kept away from all computers and peripherals.

In almost all sites visited, cords, wires and cables were not properly ?dressed? and kept away from foot traffic.

At many sites visited, computer cases did not have adequate ventilation and were not always standing on firm bases.

In many sites visited, eating, drinking and/or smoking were observed in the proximity of computers, printers, scanners, and keyboards. Telltale evidence of spilled food, drink, cigarette stubs and ashes existed. Food and drink can ruin equipment and smoke particles can adhere to electronic components disrupting or degrading their function.

At several sites visited, the movement of powered up computer equipment was observed.

At several sites visited, street level areas were not screened in all instances from viewing computer screens or other activities.

At numerous sites visited, written disposition instructions for PCs or laptops no longer needed by the organization were either nonexistent or at best vague. The, who, and at what management level, issuing these instructions was not immediately apparent. For the most part, neither supervision nor operational personnel could explain sanitizing methods to be employed when equipment was no longer of use to the organization. The most frequent answer to the question was, ?We turn over this equipment to supply and services.? When supply and services or its equivalent was queried, the most frequently offered response was the ?old stuff? was either sold or donated to schools or universities.

At almost all sites visited, no one in the IT management structure certifies as excess equipment has been properly prepared for sale, donation or destruction.

Observation: Since costs of hard drives have steadily declined, destroying a drive is the recommended solution to preclude compromise.

In many sites visited, it was learned when emergency power was needed, storms, major power failures and the like, prime movers (engines) failed to operate or operated only briefly. In several instances, close inspection revealed diesel fuel had gelatinized indicative of lack of testing. In all instances, building management maintained meticulous records as required by NFPA 110, Standard for Emergency and Standby Power Systems, indicating monthly testing of the prime mover and quarterly testing under full electrical load. Several inspected sites revealed the generator was not designed to handle nonlinear loads and harmonics. Further the systems were not designed so those harmonic disturbances were reduced before they reached the generator. None of the generators were oversized to handle varying currents and frequencies. Additionally, only in rare instances wee harmonic filters used to reduce triplen harmonics (third and ninth-order harmonics) before reaching the generator.

Observation: During the massive northeastern power outage several years ago this was a common theme, emergency power failed! This along with numerous cell tower failures for the same reason is indicative of IT and physical security management incompetence bordering on criminal negligence.

If these four installments seemed vague of specifics, it was intentional on my part so as not to compromise the inspection/survey promise of confidentiality. There is a caveat and an important one. If the ****ography cited above had involved children, and management took no action, the survey team would be required to report same to federal authorities under the provisions of Title 18 United States Code, Sections 4, Misprision of a Felony and 2251, Sexual Exploitation of Children. Failure to do so would subject the knowledgeable team members to federal prosecution.

When a consultant undertakes a survey in any discipline, he or she is bound by ethics to inform the organization being visited that discovery of obvious criminal conduct will be reported to competent law enforcement if the client fails to do so. If the client cannot accept this condition, decline to accept the job! The words of one of our fellows, John M. Ruth come to mind, ?If you don?t want to see the genie, don?t rub the lamp.?

Enjoy the day,
Bill

As far as the dressing of cables and cords, a little anecdotal from the IT World:

In the middle 90s, before Microsoft embraced the web, Microsoft's Primary Website server was located underneath an engineer's desk. The engineer would routinely kick the server accidently, disconnecting its power.

Microsoft.com was taken off line by an inadvertant foot under a desk. Its not just terrorists, hackers, bad IT managers, and other forms of internal and external threats. Its bad housekeeping and stupidity.

Also, never forget, P2P File Sharing from company networks presents the company to the RIAA on a silver platter.

As perceptions gained from IT and Physical Security surveys concludes, there are details critical to both disciplines that at times are overlooked. To maintain secure IT and Physical Security environments, there are some of the questions we should ask prior to starting a survey/inspection that will greatly assure success. It is strongly recommended questions such as these be asked of the client in a reasonably secure off-site location. From what is gleaned, unrecognized intrusions may have occurred. Free from compromise is why a neutral site should be selected. In the security business, the game is always afoot. Take precise notes. So we begin:

Who owns the building?
If American owned, what is the status of the owner?
Are there any underworld or other dubious connections?
Are all the owner?s agents disclosed, partially disclosed or undisclosed?
From whom was this information obtained? Is it reliable?
If foreign owned, are the owner?s agents disclosed, partially disclosed or undisclosed?
If foreign owned, is that government friendly to the United States?
From whom was the information obtained? Is it reliable?
It must be remembered government real estate records are in many instances inaccurate or outdated.
Is the client the sole tenant?
If not, who are the other tenants?
Determine the missions and functions of the other tenants to determine if their interests could be inimical to the best interests of the client.
If located in a multi-tenant building, do dedicated or multi-tenant electrical transformers serve the client?s spaces?
If the client?s space or spaces are serviced by joint use transformers, it is strongly recommended full range power conditioners be used for individual electronic media equipment or that in clusters as determined by the power needs.
If the client shares a transformer with another client, all electronically produced media can be obtained by other clients serviced by the transformer in a phenomenon called ?inductive coupling.? Simply stated, every keystroke on an electric typewriter, word processor, PC or laptop and facsimile or modem transmission is susceptible to interception without the client?s knowledge.
The client might reply, ?But all my traffic is encrypted or ciphered!? Your reply should be, ?Specialized computer programs can easily break all but the most complex encryption and cipher systems.?
After the surveyor has digested the information gained from these questions, it may be beneficial that a comprehensive technical surveillance countermeasures (TSCM) inspection completed, analyzed and corrections completed prior to starting the IT/Physical Security survey. If clandestine devices are discovered, removed and damage assessments made, further harm can be mitigated. Your survey should wrap up any loose ends.
Enjoy the day,
Bill

Chris, John thanks for the emails. Having answered yours, I'd like to share it with the rest of the security community.

Question: Why sould I concern myself with checking code for unauthorized sub-routines and can they be that dangerous?

Answer: Unauthorized or unrecognized sub-routines can be used to exploit the system in that at a certain specified time, days or months later, one or more of these sub-routines are energized, form a specific job function. They can change date, delete date or for that matter entire files and then disappear. Instructions can be written to eliminate these sub-routines after the damage has been done.
Fire an employee for misconduct. He has been under suspicion for some time but you need the "goods" to get rid of him or her. Knowing their time in the company is short lived, they can write a sub-routine. Knowing the ax is about to fall, the sub-routine is activated and several months after their departure, "bang" their goes one or more accounts or a system crash.
Enjoy the day,
Bill

Physical security and information technology disciplines talk to each other and now work together as the goals are the same, produce and secure the product. Simple enough, the two disciplines are now at the same table.

However, in conducting surveys and readings, two troubling factors always seem to rear their ugly heads ? building management and facilities maintenance. These two functions are critical to health and success of both PS and IT. If the electrical system cannot be maintained in good working order, IT and security systems do not perform optimally.

Why did your server go down, your computers go down? Answers range from a shrug of the shoulders, to they do that every now and then, to Mr. Warnock, I flat don?t know.

Circuit checking in many instances is a joke. Circuit breaker panels are either unmarked or misleading in the extreme. Typical board directories entries: Lights and receptacles. OK, lights and receptacles where?

Plugs held in receptacles by having their spades pinched or spread wide.
Electrical noise in normal, dedicated and isolated ground circuits is off the charts.

The answer to when bonding and grounding surveys were last conducted and the results leave all four disciplines glassy eyed.

It is my understanding when the emergency generator was last required it failed to operate. Why was that? No answer! I check. Battery terminals on the prime mover (diesel engine) were either disconnected or badly corroded. The two hour holding tank is empty or the main underground storage tank is empty or the fuel is gelatinized. Records indicate regular fuel deliveries. Records also indicate monthly testing of the prime mover and quarterly running under full load. The gang of four cannot or will not tell you what loads are connected to the emergency system. The transfer switch or switches have blank circuit directories. Look for red covers on light switches and receptacles until you are blue in the face. These red colored are used to indicate circuits connected to emergency power.

You would think after the massive northeast power outage of a couple of years ago when few emergency power system functioned, we would have learned our lessons.

In my judgment, ?what we have here is a failure to communicate.? Not only is there a lack of communication between PS and IT but with building management and facilities maintenance also. Were I the tenant, I would demand to know two things: One. Where did the money for diesel fuel purchased, but not delivered, go since that line item is charged as part of agency lease or rental? Two. Will remedial action be taken to preclude further falsification of emergency generator records?

As for my surveys, in all instances, remedial actions were taken.

For security professionals, such as we, these are but two things among a myriad of others we must stay on top of to assure mission success.

Enjoy the day,
Bill

Some home-office professionals have an emergency generator in addition to an UPS attached to computers and other necessary equipment to run the home-office efficiently. Others have full home power sources that activate automatically when power is disrupted in a seamless operation.
Other home-offices with emergency generators have transfer switches while others merely plug emergency generated power directly to the circuits they need to keep the business. The latter generator use is dangerous.
To assure accuracy, the following information is from my electric cooperative.

?The purpose of the transfer switch is that it transfers the generator?s output of electricity to the house only, without a transfer switch the electricity would not only feed power to the house but backfeed through the power line coming into your house. With this in mind, I will start off with basic electricity. High-voltage transmission wires are carried on insulators on the top cross members of power poles. Voltage on your street could be 7,200 volts or higher. This voltage is reduced through a pole mounted or underground transformer reducing the voltage coming into your home to two wires with 120 volts each which equals 240 volts and a ground wire. Without a transfer switch the generator will not only supply power to your house, but also backfeed through the transformer, that is the 240 volts will go through the transformer in the opposite direction and increase the voltage coming out of transformer to 7,200 volts down the power line. So if there is a power outage and the line technician believes the line is dead, they could be injured by the 7,200 volts coming from the generator.?

Unless the home-office enjoys a separate pole mounted or underground transformer, the same security mentioned in my previous posting apply. If in doubt, ask your electric service provider.
Enjoy the day,
Bill

That happened to a company and the story was aired on a forensics crime show. Despite his best efforts to cloak himself against accusation/prosecution, they still "nailed" him!