Wednesday, July 9, 2008

3 Controls to Secure Corporate Offline Computers

Information Security has many aspects that are easily overlooked. A frequent major security hole is the offline equipment which is temporarily or permanently out of use. Such equipment is not subject to frequent scrutiny, and information theft from such equipment can go unnoticed for months, or if done properly, never.

Example scenario:

A person working in the position of sales analyst leaves the company. Since the position needs to be filled with a person of strong expertise, HR takes several months to evaluate and recruit a new employee for it.

All work related resources (PC, scanner, document cabinet) of the former employee are maintained on the same desk, in an open-space office, with 15 people working in the same area.

After 3 months, a new hire is brought in to take over the functions of sales analyst. On his first day of work, an IT technician is present to reconfigure the PC and set up the user's account and e-mail.
When the technician tries to boot up the PC, it gives the legendary "no system disk or disk error" message. When he opens the PC to remove the defective part, he finds out that there is no disk in the PC. He immediately alerts IT management, internal audit and information security.

After 2 weeks of investigation, with police involvement, the thief is found to be a co-worker from another office on the floor. He was in the process of negotiating terms of employment with a competitor company. To increase his value and get a better deal, knowing that the sales analyst's PC was unmonitored, he offered to deliver the sales analysis and plans of his current company.
He took the hard drive out of the analyst's PC, intending to copy the data, but didn't return it before the new employee arrived.

The sales analyst's PC was left virtually unattended and unmonitored for more than 3 months. Although technically it was within a secure environment (the office), this environment cannot protect you from an insider attack.
What's worse, there are simple and cheap protective measures which would have prevented this incident.

In order to prevent incidents like the one described above, you should implement the following 3 controls on offline computers within your organization:

1. Place a tamper-evident seal on the chassis opening point of all PCs when they are issued to users. This seal must break upon any attempt to open the PC. The serial number of the seal should be recorded on the handover document in two copies - one for IT, one for the user. In case of IT intervention, the new seal serial number should be amended in the intervention log and archived with the original handover document.
2. When the PC is returned to IT jurisdiction, the PC's configuration should be compared to the documented inventory of the PC as written in the handover document.
3. Implement a procedure for securing unused equipment:
* All equipment which is not in use must be removed and placed in safe storage under IT's jurisdiction.
* If the PC is to be reinstalled, IT should back up any data onto a DVD and wipe the hard drive using a multi-pass tool before reinstalling the PC and handing it over to another user. The DVD backup should be delivered to the manager of the department where the information originated.
* If the PC is to be re-used as-is, IT should move the PC into safe storage until it is delivered back to the user.
* As a special case, the PCs of top management, security officers and/or auditors should not be stored under the jurisdiction of IT. Instead, they should be stored in safe storage under the jurisdiction of internal audit.
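A small check IT could run when a PC comes back under its jurisdiction (controls 1 and 2): it walks the seal chain from the handover document through the intervention log and compares the recorded component serials against what is actually in the chassis. This is an added example written for this post, not code from the original; the asset tag, seal serials and component serials are constructed sample values.

```python
"""Handover-record check for a returned PC (added example, not from the post)."""

# Constructed handover document: seal applied at issue time plus component serials.
HANDOVER = {
    "asset": "PC-0417",
    "seal": "SEAL-000123",
    "components": {"disk": "WD-ABC123", "ram": "KNG-77A1", "cpu": "INT-55Z"},
}

# Constructed intervention log: each IT intervention replaces the seal, and
# each entry must start from the seal that was on the chassis before it.
INTERVENTION_LOG = [
    {"date": "2008-02-11", "old_seal": "SEAL-000123", "new_seal": "SEAL-000987"},
]


def expected_seal(handover, log):
    """Follow the seal chain from handover through every logged intervention."""
    seal = handover["seal"]
    for entry in log:
        if entry["old_seal"] != seal:
            raise ValueError(
                f"broken seal chain at {entry['date']}: expected {seal}, "
                f"log says {entry['old_seal']}"
            )
        seal = entry["new_seal"]
    return seal


def check_returned_pc(handover, log, observed_seal, observed_components):
    """Return a list of findings; an empty list means the PC matches its record."""
    findings = []
    try:
        want = expected_seal(handover, log)
        if observed_seal != want:
            findings.append(f"seal mismatch: expected {want}, found {observed_seal}")
    except ValueError as err:
        findings.append(str(err))
    # Every recorded component must still be present with the same serial.
    for part, serial in handover["components"].items():
        found = observed_components.get(part)
        if found is None:
            findings.append(f"{part} missing (recorded serial {serial})")
        elif found != serial:
            findings.append(f"{part} replaced: recorded {serial}, found {found}")
    # Anything not on the handover document is flagged as well.
    for part in observed_components.keys() - handover["components"].keys():
        findings.append(f"undocumented {part} present: {observed_components[part]}")
    return findings


if __name__ == "__main__":
    # The scenario from the post: seal chain intact, but the disk is gone.
    print(check_returned_pc(HANDOVER, INTERVENTION_LOG, "SEAL-000987",
                            {"ram": "KNG-77A1", "cpu": "INT-55Z"}))
```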