Sunday, February 17, 2008

Don't forget to lock the office ...

... especially if you are a banker.

A 5-year-old boy who discovered that his local bank branch was closed but unlocked was awarded a paltry £10 (US$20) by HSBC, one of the world's largest banks, which makes obscenely large annual profits, for letting them know. HSBC say the electronic door lock system failed. I presume bank staff neglected to check the lock; in other words, the bank's security procedures also failed.


Saturday, January 26, 2008

And yet another bad office day

A woman, mistakenly thinking she was about to be fired, allegedly took revenge on her employer by going into the office late one evening and deleting data files worth $2.5m. Although the deleted data were later retrieved (whether from backups or by 'undeleting' them is not stated), trusted insiders with access to corporate IT assets retain the potential to cause enormously costly damage by sabotage.

Deliberate or accidental sabotage by backup operators is a tough threat to control. They have both physical and logical access to servers and their data, often work unsupervised out of hours, and are mostly relatively junior staff. Trust is the primary control, though many would argue that it is no control at all, merely blind faith in many cases. The risks can be reduced by various security control measures, such as:
- Alternating backup operators
- Combining on- and off-site backups
- Tightly controlling physical access to backup storage and especially archives
- Closer management supervision and/or physical monitoring of trusted employees working in the data center
- Better training and automation of backup processes, reducing the need to give backup ops unrestricted logical access to data
- Better HR processes for monitoring employees in such trusted positions and more respect for the valuable jobs they perform.
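One concrete form the automation point above can take is a detective control: a manifest of file digests recorded when the backup is taken and held where the backup operator cannot change it, then checked against the backup set later. The script below is an added illustration (not from the post or any product it mentions); the directory layout, file names and contents are constructed for the demo, and the assumption is that the manifest lives on a separate system under different credentials.

```python
"""Verify a backup set against an independently held SHA-256 manifest.

Added illustration: detects files that vanished, were silently rewritten,
or were planted in a backup set, whether by operator error or sabotage.
The manifest is assumed to be stored out of the backup operator's reach
(separate system, separate credentials). All paths and contents here are
constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Map each file in the backup set (relative POSIX path) to its digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current backup set with the manifest.

    Returns the three findings a supervisor wants to see: files missing from
    the set, files whose contents changed, and files not in the manifest.
    """
    current = build_manifest(backup_dir)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    altered = sorted(
        name for name in set(manifest) & set(current)
        if manifest[name] != current[name]
    )
    return {"missing": missing, "altered": altered, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: record a manifest, then tamper with the set."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "nightly"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql.gz").write_bytes(b"constructed dump 1")
        (backup / "db" / "orders.sql.gz").write_bytes(b"constructed dump 2")
        (backup / "README.txt").write_bytes(b"nightly set")

        # Taken at backup time; in practice shipped off-box immediately.
        manifest = build_manifest(backup)

        # Later: one file deleted, one rewritten, one planted.
        (backup / "db" / "orders.sql.gz").unlink()
        (backup / "db" / "customers.sql.gz").write_bytes(b"truncated")
        (backup / "db" / "extra.bin").write_bytes(b"not part of the set")

        return verify_backup(backup, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Run on its own, the demo reports one missing, one altered and one unexpected file. The check is only as strong as the separation between the operator and the manifest store; if the same person can rewrite both, it degrades back to trust.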


New security standard for teleworkers

NIST security standard SP800-114 is a new User’s Guide to Securing External Devices for Telework and Remote Access.

"Many people telework (also known as telecommuting), which is the ability for an organization’s employees and contractors to conduct work from locations other than the organization’s facilities. Teleworkers use various devices, such as desktop and laptop computers, cell phones, and personal digital assistants (PDA), to read and send email, access Web sites, review and edit documents, and perform many other tasks. Most teleworkers use remote access, which is the ability of an organization’s users to access its nonpublic computing resources from locations other than the organization’s facilities. Organizations have many options for providing remote access, including virtual private networks, remote system control, and individual application access (e.g., Web-based email)."

The 14,000 customers of an ISP who lost their email accounts (see our previous blog entry) could have avoided disaster by taking the 46 pages of free but sound advice in SP800-114. Its scope is much broader than data backups, covering aspects such as securely configuring and maintaining operating systems, using VPNs for remote access etc.


Another bad day at the office

A software error during routine maintenance caused an ISP, Charter Communications, to delete the contents of 14,000 customer email accounts.

"Charter gives each new Internet user a free e-mail account, but some customers opt to use other accounts instead. So every three months the company deletes inactive accounts, Lamont said. "During this maintenance we erroneously deleted active accounts along with the others," Lamont said. "It's never happened before. They are taking steps to make sure it never happens again."

The news article doesn't say whether the "software error" was an untested change to the maintenance scripts (indicating a hole in their change management process), a genuine bug in the code (possible, I guess), or a simple human error by an operator or systems manager (entirely possible). Since the lost email accounts disappeared forever in a puff of logic, it seems the ISP had no backups of customer data: not just 'no recent backups' but 'no backups whatsoever' (a gaping hole as far as their customers are concerned, though no doubt a legitimate money-saving measure from the ISP's perspective).
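Whatever the root cause turns out to be, a periodic purge of inactive accounts is exactly the kind of job that should refuse to run when its selection looks wrong. The script below is an added illustration, not Charter's code or anything described in the news report: a "delete accounts idle for 90 days" routine with three guard rails (a ceiling on the fraction of accounts selected, dry-run by default, and an export of every record before it is removed), shown catching a deliberately inverted comparison of the sort a bad maintenance change might introduce. The account records, field names and thresholds are constructed for the demo.

```python
"""Inactive-account purge with guard rails.

Added illustration (not the ISP's code): the failure described in the post,
active accounts deleted along with inactive ones, is caught before anything
is removed. Account data and thresholds are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json


@dataclass(frozen=True)
class Account:
    user: str
    last_login: datetime
    mailbox_bytes: int


class PurgeAborted(Exception):
    """Raised when the candidate set looks wrong; nothing has been deleted."""


def select_inactive(accounts, now, idle_days=90):
    """Correct criterion: last login older than the cutoff."""
    cutoff = now - timedelta(days=idle_days)
    return [a for a in accounts if a.last_login < cutoff]


def select_inactive_buggy(accounts, now, idle_days=90):
    """Constructed defect: inverted comparison selects the ACTIVE accounts."""
    cutoff = now - timedelta(days=idle_days)
    return [a for a in accounts if a.last_login >= cutoff]


def purge_inactive(accounts, now, idle_days=90, max_fraction=0.25,
                   dry_run=True, export=None, selector=select_inactive):
    """Plan and optionally perform the purge. Returns (deleted_users, survivors).

    Guard rails:
      1. Abort if more than max_fraction of all accounts is selected; a
         routine quarterly purge should never hit most of the user base.
      2. Dry run by default: report, delete nothing.
      3. Export each doomed record (to 'export', standing in for an off-box
         backup) before it is removed, so the deletion is reversible.
    """
    if not accounts:
        return [], []
    candidates = selector(accounts, now, idle_days)
    fraction = len(candidates) / len(accounts)
    if fraction > max_fraction:
        raise PurgeAborted(
            f"{len(candidates)} of {len(accounts)} accounts selected "
            f"({fraction:.0%}) exceeds the {max_fraction:.0%} safety limit")
    if dry_run:
        return [], list(accounts)
    if export is not None:
        for a in candidates:
            export.append(json.dumps({"user": a.user,
                                      "last_login": a.last_login.isoformat(),
                                      "mailbox_bytes": a.mailbox_bytes}))
    doomed = {a.user for a in candidates}
    survivors = [a for a in accounts if a.user not in doomed]
    return sorted(doomed), survivors


def demo():
    """Constructed data: 8 accounts, 2 of them genuinely idle for over 90 days."""
    now = datetime(2008, 1, 10, tzinfo=timezone.utc)
    accounts = [
        Account("alice", now - timedelta(days=1), 40_000),
        Account("bob", now - timedelta(days=3), 120_000),
        Account("carol", now - timedelta(days=20), 8_000),
        Account("dave", now - timedelta(days=45), 900),
        Account("erin", now - timedelta(days=60), 30_000),
        Account("frank", now - timedelta(days=89), 5_000),
        Account("grace", now - timedelta(days=200), 0),
        Account("heidi", now - timedelta(days=400), 12),
    ]
    results = {}
    # 1. Broken criterion: would select 6 of 8; the fraction check aborts it.
    try:
        purge_inactive(accounts, now, dry_run=False, selector=select_inactive_buggy)
        results["buggy"] = "not caught"
    except PurgeAborted as e:
        results["buggy"] = f"aborted: {e}"
    # 2. Correct criterion, default dry run: nothing removed.
    deleted, survivors = purge_inactive(accounts, now)
    results["dry_run"] = (deleted, len(survivors))
    # 3. Correct criterion, real run, records exported first.
    export = []
    deleted, survivors = purge_inactive(accounts, now, dry_run=False, export=export)
    results["real"] = (deleted, len(survivors), len(export))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The fraction ceiling is the cheap control that matters most here: it turns a silent mass deletion into a loud refusal that someone has to look at before the job is allowed to proceed.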

This incident cost the ISP $50 credits to the affected customers, presumably rather less than 14,000 x $50 ($700k) in total, as some will defect before using up their credit. The reputational damage could be even costlier, although the truth is that such unfortunate incidents can, and indeed occasionally do, strike most organizations.

The Silicon Valley piece ends rather lamely with "Computer experts advise backing up all important e-mail", implying in effect that customers are to blame for losing their emails. In some ways that is true (presumably any small businesses or power users will have been using local email clients such as Outlook to download and read their emails, and so should have local copies), but I would advise Charter Comms to look long and hard at its information security arrangements.


Monday, January 14, 2008

Computer data more valuable than coins and equipment

An office break-in story (highlighted by InfoSec News) appears to indicate a targeted theft of computers for the valuable data they contained, rather than for the hardware itself.
"PICKY thieves have led one private education centre to believe that industrial espionage might be the motive for a recent break-in. Early this week, three of the CES group's computers - containing the personal details and contacts of its 30,000 students - were stolen from its Eu Tong Sen Street office. Surprisingly, 10 other computers in the same location, some of them newer than the stolen items, and other expensive equipment like scanners were left untouched. The thieves' specific choices have led CES group chairman Desmond Lim, 35, to suspect that they could have been looking for the information stored in these computers for business reasons. ... And while the computer stolen from the administration room might have been the oldest, it was also the only one with all the students' data, said Camford Business School principal Indra Padmakumara, 30, whose school is part of the CES group. The other three computers in that room were not taken, she said. Nor were they tampered with. The door to Mr Lim's room was forced open, although a brand new projector, a digital camera and a box full of coins, all lying within plain view, were not taken."

Look around you and think: how much valuable data is stored on your office systems? Are the disks and offline storage media encrypted? Are there sufficiently strong access controls protecting the office itself?


Thursday, January 10, 2008

Having a bad day at the office?

An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.

This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains

All in all, a nice multi-purpose security awareness case study.

PS The official US DOJ press release about the conviction is dated "Dec 8 2008", an integrity failure to boot.


Sunday, January 06, 2008

When losing the office key codes makes headline news

When a vehicle maintenance contractor's car was stolen, the thieves took a clipboard holding a sheet of paper that listed the access codes for pushbutton locks on 73 Police station yards in West London. The contractor disclosed the loss and all the codes were changed within 11 hours, but this was yet another embarrassing security blunder for HM Government. Questions have been posed about why a civilian had access to such sensitive information and why he failed to secure it adequately. The relatively poor security afforded by mechanical pushbutton locks would be another concern, although thankfully Police stations have multiple overlapping layers of physical security.


Sunday, December 30, 2007

Awareness module

Offices are the “information factories” where most of an organization’s intellectual property gets created and processed, and a lot of information assets are stored. They are the knowledge workers’ natural habitat. Some of us practically nest in our cubicles.

Numerous information security risks affect offices, including IT/computer security and telephony risks (viruses, power glitches, IT/network capacity and reliability issues), physical security risks (thefts, fires and floods), and process-related risks, e.g. if untrustworthy visitors are not properly authenticated on arrival or are allowed to wander freely around the offices.

Although we have covered office security issues in many other NoticeBored modules, almost all of the materials for this one have been written from scratch, bringing them together in a context that most employees will relate to.

Read more about January’s NoticeBored security awareness module and get in touch if we can interest you in a subscription to NoticeBored, the modular security awareness service. Happy new year!
