Go All The Way: Full Protection Requires Full Security

With all the daily reports on how companies are experiencing security breaches in their networks, it would appear hackers are taking over. Since January of this year, those in the security business believe that hacking big companies is now the norm. NASDAQ, HP, Sony and government agencies, as examples, are not weathering hacker intrusions any better. Canada’s melting pot of sensitive financial data was penetrated: the Canadian Financial Department, where all our income tax data is stored.

The United States government reported last December that for 18 minutes its Internet prefixes (IP) had been hijacked and sent to other sites. This didn’t cause any outages, simply because the Internet is designed to be redundant, meaning there is always another way to get to the data you’re looking for. More than likely, someone may have been sniffing the re-routed traffic for a long period, potentially exposing classified US military and government correspondence. That incident could explain some of the breaches these past months. Where were the countermeasures and safeguards?

Readers of my article on how companies are cutting back on spending will have the answer ready at hand: those countermeasures and safeguards are probably outdated and remain so because, one, CEOs feel indifferent about protecting the networks, and two, whatever protection they have doesn’t cost as much as modern protection measures. We can take this one step further, and say that even if the protection is up to, or near, par, it may not go all the way. For example, in our story, a Montreal-based financial company that made it a point to limit access to its systems at different levels forgot or assumed that the security agency responsible for building access needed to be informed of those fired, or of potentially disgruntled employees.

It works like this:

In many downtown buildings, access cards, or magnetic swipe cards, are given to all employees. These cards are mostly used for access into the buildings after working hours. Building security agents usually set up security barriers with the objective to force late night workers to pass through a main desk and swipe the card.

The security personnel manning this desk will see the employee’s name, where he or she works, start date and, in some cases, hours permitted in the building. As a second precaution, elevators can only be accessed after hours by using the cards. This prevents unauthorized or fired employees from gaining access.

What if the fired employee’s card is still active? Obviously, the former employee still has access to the building and perhaps his old office. It would seem to many that once an employee is let go his access is denied.

In the case of our Montreal-based company, one employee had access to all floors for more than six weeks before access was denied.

How did this happen? The security company responsible for the cards or magnetic swipes lagged behind in denying access. Once the individual was fired, the notice was sent to the security company, and in this case it sat in someone’s inbox for weeks.

So here is how the fired employee gains access after hours. Imagine the conversation between the former employee and the unknowing security agent sitting at a main desk. The former employee swipes his still active card.

“Good evening, Sir,” says the security agent. “I have some work to do upstairs,” says the former employee, as he swipes his card. On the computer screen his picture appears with an access box reading “active.” “Well then, have a good evening,” says the innocent security guard.

In the elevator, the former employee swipes his card across the reader, and again the security agent sees the picture, the name and the “active” box.

Once the former employee reaches his floor, swipes his “inactive” card across the reader next to the main door, and walks in… anything can happen. A disgruntled employee has access. Whether this person has the know-how to get past the inner security of his former company depends on his motivation.

Downstairs at the security desk everything is normal. In the command center nothing out of the ordinary has occurred.

Two hours later the former employee leaves the same way he arrived.

“Work done?” asks a new security guard. “Yes, I managed to get some work done,” and he swipes his card. “Have a good evening,” the security agent says and checks the computer screen.

How long before the former employee’s card is deactivated? What damage will be done if this employee continues to enter at will, unchecked and unbothered? Companies would have no idea until after the system is hacked.
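A reconciliation check of the kind this gap calls for, as an added example that is not part of the original article: it compares an HR termination feed with the badge system's card status and swipe log, so a stale card is flagged without waiting for someone to read a notice. All employee IDs, reader names, dates and field layouts below are constructed assumptions.

```python
from datetime import datetime

# All data below is constructed for illustration; IDs and field layout are assumptions.
TERMINATIONS = {  # HR feed: employee id -> termination time
    "E1042": datetime(2024, 3, 1, 17, 0),
    "E3310": datetime(2024, 2, 10, 17, 0),
}
BADGE_STATUS = {"E1042": "active", "E2001": "active", "E3310": "inactive"}
SWIPES = [  # badge-system export: (timestamp, employee id, reader, result)
    ("2024-03-01T08:55", "E1042", "lobby-desk", "granted"),
    ("2024-04-12T21:05", "E1042", "lobby-desk", "granted"),
    ("2024-04-12T21:07", "E1042", "elevator-2", "granted"),
    ("2024-04-12T21:09", "E1042", "floor-14-door", "granted"),
    ("2024-04-12T21:30", "E2001", "lobby-desk", "granted"),
    ("2024-04-13T09:00", "E3310", "lobby-desk", "denied"),
]

def stale_badges(terminations, badge_status, now):
    """Terminated employees whose card is still active, with days of exposure."""
    return sorted(
        (emp, (now - when).days)
        for emp, when in terminations.items()
        if badge_status.get(emp) == "active" and when <= now
    )

def post_termination_swipes(terminations, swipes):
    """Granted swipes that happened after the card holder's termination time."""
    hits = []
    for ts, emp, reader, result in swipes:
        when = terminations.get(emp)
        if when and result == "granted" and datetime.fromisoformat(ts) > when:
            hits.append((ts, emp, reader))
    return hits

if __name__ == "__main__":
    now = datetime(2024, 4, 13, 0, 0)
    for emp, days in stale_badges(TERMINATIONS, BADGE_STATUS, now):
        print(f"ALERT {emp}: terminated {days} days ago, badge still active")
    for ts, emp, reader in post_termination_swipes(TERMINATIONS, SWIPES):
        print(f"ALERT {emp}: granted at {reader} on {ts} after termination")
```

Run daily against both exports, the first check bounds how long a fired employee's card can stay live; the second surfaces the lobby, elevator and floor-door swipes that looked normal to the guard at the desk.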

Does this scare anyone? It should.

It used to be “loose lips sink ships” but these days when it comes to keeping company information under wraps, it’s “slack security sinks companies.”
