Go All The Way: Full Protection Requires Full Security

With all the daily reports on how companies are experiencing security breaches in their networks, it would appear hackers are taking over. Since January of this year, those in the security business believe that hacking big companies is now the norm. NASDAQ, HP, Sony and government agencies, as examples, are not weathering hacker intrusions any better. Canada’s melting pot of sensitive financial data was penetrated: the Canadian Finance Department, where all our income tax data is stored.

The United States government reported last December that for 18 minutes its Internet (IP) prefixes had been hijacked and its traffic routed to other sites. This didn’t cause any outages simply because the Internet is designed to be redundant, meaning there is always another way to reach the data you’re looking for. More than likely, someone may have been sniffing the re-routed traffic for a long period, potentially exposing classified US military and government correspondence. That incident could explain some of the breaches of these past months. Where were the countermeasures and safeguards?

Employee ID Badge Still Active

Readers of my article on how companies are cutting back on spending will have the answer ready at hand: those countermeasures and safeguards are probably outdated and remain so because, one, CEOs feel indifferent about protecting the networks, and two, whatever protection they have doesn’t cost as much as modern protection measures. We can take this one step further and say that even if the protection is up to, or near, par, it may not go all the way. For example, in our story of a Montreal-based financial company that made it a point to limit access to its systems at different levels, the company forgot, or assumed someone else had taken care of it, that the security agency responsible for building access needed to be informed of fired or potentially disgruntled employees.

It works like this:

In many downtown buildings, access cards, or magnetic swipe cards, are given to all employees. These cards are mostly used for access into the buildings after working hours. Building security agents usually set up security barriers with the objective of forcing late night workers to pass through a main desk and swipe the card.

The security personnel manning this desk will see the employee’s name, where he or she works, start date and in some cases, hours permitted in the building. As a second precaution, elevators can only be accessed after hours by using the cards. This prevents unauthorized or fired employees from gaining access.

What if the fired employee’s card is still active? Obviously, the former employee still has access to the building and perhaps his old office. It would seem to many that once an employee is let go his access is denied.

In the case of our Montreal-based company, one employee had access to all floors for more than six weeks before access was denied.

How did this happen? The security company responsible for the cards or magnetic swipes lagged behind in denying access. Once the individual was fired, the notice was sent to the security company, and in this case it sat in someone’s inbox for weeks.

So here is how the fired employee gains access after hours. Imagine the conversation between the former employee and the unknowing security agent sitting at a main desk. The former employee swipes his still active card.

“Good evening, Sir,” says the security agent. “I have some work to do upstairs,” says the former employee, as he swipes his card. On the computer screen his picture appears with an access box reading “active.” “Well then, have a good evening,” says the innocent security guard.

In the elevator, the former employee swipes his card across the reader, and again the security agent sees the picture, the name and the “active” box.

Once the former employee reaches his floor and swipes his supposedly “inactive” card across the reader next to the main door, and walks in…anything can happen. A disgruntled employee has access. Whether this person has the know-how to get past the inner security of his former company depends on his motivation.

Downstairs at the security desk everything is normal. In the command center nothing out of the ordinary has occurred.

Two hours later the former employee leaves the same way he arrived.

“Work done?” asks a new security guard. “Yes, I managed to get some work done,” and he swipes his card. “Have a good evening,” the security agent says and checks the computer screen.

How long before the former employee’s card is deactivated? What damage will be done if this employee continues to enter at will, unchecked and unbothered? Companies would have no idea until after the system is hacked.
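The gap the story describes is a reconciliation problem: HR knows the termination date, the badge vendor still shows the card as “active,” and nobody compares the two. The following check is an added example (not code from the article or from Digital Locksmiths) that runs the comparison over constructed HR, badge and swipe records, flagging cards still active past the termination date and any swipes made with them, which is exactly what the command center in the story never saw.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Employee:
    emp_id: str
    name: str
    terminated_on: Optional[datetime]  # None means still employed

@dataclass
class Badge:
    badge_id: str
    emp_id: str
    active: bool  # what the security desk sees in the "active" box

@dataclass
class Swipe:
    badge_id: str
    at: datetime
    reader: str  # e.g. "lobby", "elevator", "floor-door"

# Constructed sample data: Bob was let go on 1 March but his badge is still active
EMPLOYEES = [Employee("e1", "Alice", None),
             Employee("e2", "Bob", datetime(2011, 3, 1))]
BADGES = [Badge("b1", "e1", True), Badge("b2", "e2", True)]
SWIPES = [Swipe("b1", datetime(2011, 4, 12, 9, 0), "lobby"),
          Swipe("b2", datetime(2011, 4, 12, 21, 30), "lobby"),
          Swipe("b2", datetime(2011, 4, 12, 21, 31), "elevator")]
NOW = datetime(2011, 4, 13)

def _termination_dates(employees):
    return {e.emp_id: e.terminated_on for e in employees if e.terminated_on}

def stale_badges(employees, badges, now, grace=timedelta(days=1)):
    """Active badges whose holder was terminated more than `grace` ago.
    Returns (badge_id, emp_id, days_overdue); meant to run daily against the HR feed."""
    term = _termination_dates(employees)
    return [(b.badge_id, b.emp_id, (now - term[b.emp_id]).days)
            for b in badges
            if b.active and b.emp_id in term and now - term[b.emp_id] > grace]

def swipes_by_terminated(employees, badges, swipes):
    """Swipes made with a badge after its holder's termination date:
    the after-hours lobby and elevator swipes nobody at the desk would question."""
    term = _termination_dates(employees)
    holder = {b.badge_id: b.emp_id for b in badges}
    return [s for s in swipes
            if holder.get(s.badge_id) in term and s.at > term[holder[s.badge_id]]]
```

In practice the HR feed and the badge export come from two different organisations, so the value of the check is that it runs on a schedule rather than waiting for a notice to be read.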

Does this scare anyone? It should.

It used to be “loose lips sink ships” but these days when it comes to keeping company information under wraps, it’s “slack security sinks companies.”

Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal, and serves as the company's Chief Technology Officer and Certified Ethical Hacker. Prior to joining Digital Locksmiths, he was a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker, and security consultant. Terry has appeared in numerous national television and radio programs and is very active on the conference circuit. Follow Terry on Twitter at @TerryPCutler