Aird, as quoted in the Quote of the Day mailing list (
wrote: "If...you can't be a good example,
then you'll just have to be a horrible warning."
Recently, a consumer-products firm with world-wide operations
invited one of the authors to a casual tour of one of the company's
main sites. The site, located in an office park with several large
buildings, included computers for product design and testing, nationwide
management of inventory, sales, and customer support. It included
a sophisticated, automated voice-response system costing thousands
of dollars a month to operate; hundreds of users; and dozens of
T1 (1.44 Mbits/sec) communications lines for the corporate
network, carrying both voice and data communications.
company thought that it had reasonable security - given the
fact that it didn't have anything to lose. After all, the
firm was in the
No government secrets or high-stakes stock and bond trading here.
After our inspection,
the company had some second thoughts about its security. Even without
a formal site audit, the following items were discovered during
our short visit.
the company's terminal and network cables were suspended
from hangers above false ceilings throughout the buildings. Although
smoke detectors and sprinklers were located below the false ceiling,
none were located above, where the cables were located. If there
were a short or an electrical fire, it could spread throughout a
substantial portion of the wiring plant and be very difficult, if
not impossible, to control. No internal firestops had been built
for the wiring channels, either.
Several of the fire extinguishers scattered throughout
the building had no inspection tags, or were shown as being overdue
for an inspection.
Network taps throughout the
buildings were live and unprotected. An attacker with a laptop computer
could easily penetrate and monitor the network; alternatively, with
a pair of scissors or wirecutters, an attacker could disable portions
of the corporate network.
An attacker could get above the false ceiling through
conference rooms, bathrooms, janitor's closets, and many
other locations throughout the building, thereby gaining direct
access to the company's network cables. A monitoring station
(possibly equipped with a small radio transmitter) could be left
in such a location for an extended period of time.
Many of the unused cubicles had machines that were
not assigned to a particular user, but were nevertheless live on
the network. An attacker could sit down at a machine, gain system
privileges, and use that machine as a point for further attacks
against the information infrastructure.
The company had no controls or policies on modems,
thus allowing any user to set up a private
connection to bypass the firewall.
Several important systems had their backup tapes
unprotected, left on a nearby table or shelf.
None of the equipment had any inventory-control
stickers or permanent markings. If the equipment were stolen, it
would not be recoverable.
There was no central inventory of equipment. If
items were lost, stolen, or damaged, there was no way to determine
the extent and nature of the loss.
Only one door to the building had an actual guard
in place. People could enter and leave with equipment through other
When we arrived outside a back door with our hands
full, a helpful employee opened the door and held it for us without
requesting ID or proof that we should be allowed inside.
Strangers walking about the building were not challenged.
Employees did not wear tags and apparently made the assumption that
anybody on the premises was authorized to be there.
Internal rooms with particularly sensitive
equipment did not have locks on the doors.
Although the main computer room was protected with
a card key entry system, entry could be gained from an adjacent
conference room or hallway under the raised floor.
Many special-purpose systems were located in workrooms
without locks on the doors. When users were not present, the machines
were unmonitored and unprotected.
The network between two buildings
consisted of a bidirectional, fault-tolerant ring network. But the
fault tolerance was compromised because both fibers were routed
through the same, unprotected conduit.
The conduit between two buildings could be accessed
through an unlocked manhole in the parking lot. An attacker located
outside the buildings could easily shut down the entire network
with heavy cable cutters or a small incendiary device.
by walking through this company's base of operations, we
discovered that this company would be an easy target for many attacks - both
complicated and primitive. The attacker might be a corporate spy
for a competing firm, or might simply be a disgruntled employee.
Given the ease of stealing computer equipment, the company also
had reason to fear less-than-honest employees. Without adequate
inventory or other controls, the company might not be able to discover
and prove any wide-scale fraud, nor would they be able to recover
insurance in the event of any loss.
the fact that the company thought that it had "nothing
to lose," an internal estimate had put the cost of computer
downtime at several million dollars per hour because of its use
in customer-service management, order processing, and parts management.
An employee, out for revenge or personal gain, could easily put
a serious dent into this company's bottom line with a small
expenditure of effort, and little chance of being caught.
the company had a lot to lose.
What about your site?