To illustrate the points we have covered so far, I’d like to share a real-life story with you that happened to me a few months ago. We were hired by the CIO of a large bank in Texas to perform an internal and external penetration test and site assessment. What happened within the first 45 minutes will hopefully shock you. We have been talking about the first steps in building an Information Security Program that really works, and most importantly, we are beginning to lay down the foundation of a “layered” security approach. This story will clearly illustrate why that is a good idea.
When I begin to perform a site assessment, I will usually arrive at the bank’s main administrative office 30 minutes before opening. While in the parking lot, I can easily check for wireless devices, and drive around the building looking for possible entrances. I especially look for employee entrances, designated smoking areas, and external telco closet doors. As the traffic begins to pick up in the morning, and the branch is fully open, I will attempt to “piggy-back” an employee into the institution.
So this is how I began at my client’s site. After following an employee in through the back door, I found myself in the hallway of the building, but all the doors in the hallway were locked! Foiled. I tried the stairway; as this was a two-story building, I thought I might get lucky. No luck, the stairway was locked. I found the elevator and tried to go to the 2nd floor . . . no luck . . . keycarded. Next I pressed “B” for Basement. Voila! I was now heading downstairs, which, by the way, is where the data center was.
Once downstairs, I again started checking doorways. The doorway to the data center was locked and keycarded; I wasn’t going to be that lucky today! But, lo and behold, the stairway was not locked. I went into the stairway and made my way to the second floor. On the second floor, I found the onsite hacker’s dream, the TRAINING ROOM! Yes! A room full of exploitable computers, just waiting for keyloggers and pstoreview (a program that gives me all of the usernames and passwords that someone has entered into Internet Explorer). Better yet, the machines were turned on and logged in! I closed the door slightly, to gain a “moment of obscurity” as they call it in the CIA, cracked my knuckles, plugged in my USB with pstoreview and began . . .
I started by poking around the Network Neighborhood. I immediately found a server with an interesting name, “mail-old”. Hmm, that looks promising. I browsed over to “mail-old”, looked for some shares, and found one called “users”. I went into the users folder, found the President of the Bank’s user folder, opened that (yes, I was surprised I could get this far), and found the CIO’s annual performance review, complete with salary and performance history. Total time: 30 minutes in the parking lot, 15 minutes onsite. It turns out that “mail-old” was a server that had been used for a large file transfer and then abandoned. The entire bank file system had been copied there a month earlier. Customer data, loan files, account numbers . . . all were mine for the taking. Luckily they were paying me for this.
This little story clearly illustrates how a layered security model is supposed to work, and how each layer could have stopped me, or slowed me down enough to make my attempts unsuccessful. This is what security is all about – you’ll never make a system 100% secure. 100% secure = 0% usable. 100% usable = 0% secure. Somewhere in between is the right spot, but it is a continuum. Any system can be broken, as long as you have the time and resources to work on it. Our job as security experts is to increase the work factor of the attack to such high levels that the attack is near impossible or not worth the effort.
In this example, these are only some of the “layers” that could have thwarted my attempt:
- Having a keycard that prevented access to the basement. (The stairway door had to remain open as it is the only exit from the basement.)
- Training all employees to challenge un-badged or unknown people.
- Calling the police when a suspicious person is sitting in the parking lot of your bank for 30 minutes with a laptop.
- Segregating the Training and Production networks.
- Removing old files from the network.
- Keeping all file shares restricted to an “as needed” basis.
- Not allowing training PCs to log in automatically.
- Not leaving PCs logged in unattended, or using auto-logoff features.
- Restricting training PCs from browsing the Network Neighborhood.
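Several of the host-level layers in that list (automatic logon, unattended logged-in sessions, and file shares open to everyone) can be checked mechanically on each training PC and file server. The PowerShell below is an added example for this post, not code from the original article or anything the bank used. It assumes a Windows 8 / Server 2012 or later host with the SmbShare module, a session with local administrator rights, and two thresholds that are my own assumptions: a 900-second screen-lock timeout and a list of “broad” principals that should never hold more than read access on a share.

```powershell
# Added audit example (not from the original post). Reports, as findings,
# hosts that violate three of the layers listed above. Assumes Windows 8 /
# Server 2012+ with the SmbShare module and rights to read HKLM and share ACLs.

$findings = @()

# Layer: "Not allowing training PCs to log in automatically".
# AutoAdminLogon = "1" in Winlogon makes the host sign in a stored account at
# boot; a DefaultPassword value next to it is a plaintext credential on disk.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for user '$($winlogon.DefaultUserName)'"
    if ($winlogon.DefaultPassword) {
        $findings += 'DefaultPassword is stored in the registry in plaintext'
    }
}

# Layer: "Not leaving PCs logged in unattended, or using auto-logoff features".
# Checked here as a password-protected screen lock with a short timeout.
# These values are per user, so this covers the account running the audit;
# a domain GPO is the right place to enforce them fleet-wide.
$maxLockSeconds = 900   # assumed threshold, not a value from the post
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desktop.ScreenSaveActive -ne '1' -or $desktop.ScreenSaverIsSecure -ne '1') {
    $findings += 'No password-protected screen lock is configured for the current user'
} elseif ([int]$desktop.ScreenSaveTimeOut -gt $maxLockSeconds) {
    $findings += "Screen lock timeout is $($desktop.ScreenSaveTimeOut)s; expected $maxLockSeconds s or less"
}

# Layer: "Keeping all file shares restricted to an 'as needed' basis".
# Flag every non-administrative share that grants broad groups anything beyond
# Read. An abandoned "users" share readable by every domain account, as in the
# story, is exactly what this catches.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')  # assumed list
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
        $isBroad = ($broadPrincipals -contains $ace.AccountName) -or ($ace.AccountName -like '*\Domain Users')
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read' -and $isBroad) {
            $findings += "Share '$($share.Name)' ($($share.Path)) grants $($ace.AccessRight) to $($ace.AccountName)"
        }
    }
}

# Report. An empty list means the audited layers are in place on this host.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: audited layers are in place on this host.'
} else {
    foreach ($f in $findings) { Write-Output "FINDING: $f" }
}
```

Run it on the training-room PCs and on any file server nobody can name an owner for; a share that grants Change or Full to Everyone on a box called “mail-old” is the finding that should have been on the CIO’s desk a month before I was.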
The next few blogs will cover building the layers needed to create an Information Security Program that really works . . . .
I welcome all comments!