When assessing corporate security, you need to approach it with the attitude that you are an outsider and want access. You must learn to view your network and your corporate facility from the outside, the same way as a potential attacker does. Performing internal scans is a good thing, but you also need to assess your external security. Is your network an easy mark for attackers? Is your corporate facility secure? Are employees safe? Can you gain access to valuable assets inside your network from the outside with minimal effort?
Some companies hire outside security consultants who, as part of their service, attempt to breach corporate security just as real attackers would. They phish, they probe, they attempt to tailgate, they call into the office with legitimate-sounding requests, and they also attempt to gain physical access to employee areas and secured data centers.
This type of security "audit" needs to be performed on a regular basis, with quarterly being a standard frequency.
If you think about it, you'll find that there are many ways into your facility through doors, windows, garages, and WiFi. Physical security is important, but your WiFi signal might allow access to everything on your network from the parking lot or from across the street. You need to take a walk around your facility, inside and out, to assess possible security breach points. Here's how I do it.
Doors, windows, and other physical entry points
The easiest way into most buildings is to simply walk in. I've entered many secure facilities by tailgating when someone badged themselves in and promptly walked through the doors. Once inside, it's a matter of pleading ignorance and acting innocent to gain access to restricted areas. I'm not saying that you should try this yourself; I'm just saying that people are pretty careless about physical security. You know it's true.
Annual security training that users blast through just to complete it isn't going to work. As a sysadmin, you need to walk the perimeter of your facility and check your weak entry points. You also need to have drills that involve your users when you identify those weak points.
Outer perimeter checklist
- Doors, locks, electronic access
- Windows and glass breakage alarms
- Roof and fire escape access
- Other points of entry and access
For example, at one location where I worked, you had to show a badge from your car to the security guard. You could hold up just about anything and they would wave you through. I haven't had access to that location in more than four years, and I could still get onto the property by knowing that detail. The next major security flaw is that once on the property, you're supposed to badge in to gain access to the building. However, if you're observant, you'll notice that there is a "smoker's door" that is always unlocked. Inside the building, you are restricted to a guest WiFi network, but if you're clever and bring an Ethernet cable with you, you can enter any room and plug into the network.
Some good training and better procedures could keep intruders out of this supposedly secure facility. Remember that you're not just checking access for random strangers and attackers; you need to check access for those who have intimate knowledge of your facilities, such as former employees, cleaning staff, and maintenance workers.
You need to ask yourself the question, "How would I get in if I really wanted to without authorized access?"
Takeaway: Plug the physical access security holes in your facility to protect your employees and your computing assets.
Cleaning and maintenance services
It's funny how often we set up extreme security for employees who are compelled to follow the rules but leave gaping security holes in favor of those outsiders we implicitly trust. For this example, I'll return to the secure facility I mentioned above. We had badged access, retina scanners, and secure elevators required to access a particular data center at this location. However, the cleaning and maintenance crews didn't have to badge or scan their retinas to gain access. They had keys to unlock the doors next to all of the secure ingress/egress points. Those doors existed in case of failures in the security systems, which did happen fairly often. In fact, one set of secure "man traps" was permanently broken/disabled, so we just walked past it.
The solution is simple. Anyone who enters your facility who isn't an employee needs either an escort or a temporary badge. Furthermore, their movements need to be restricted via that badge. For cleaning crews, you need to require some sort of vetting of these individuals and issue badges rather than passkeys so that their movements are logged.
Takeaway: Apply the same security measures to everyone.
Security cameras also help to deter would-be criminal activity. Well-placed cameras are an excellent security tool. I suggest that you deploy cameras on a separate VPN to isolate their traffic from other corporate networks, because an external camera is a network drop within an attacker's reach: they could remove the camera and tap into the network via the Ethernet (or other) connection behind it. Be sure to enable some type of authentication for access to the cameras themselves.
Aim cameras to cover all points of entry, including secure doors, windows, and other access points. Motion-activated cameras are the most efficient because they only record while there is movement, saving valuable disk space and time when you search footage for a breached entrance.
Takeaway: Cameras are your eyes and possibly your ears when you can't be everywhere at once.
WiFi and Hotspots
WiFi access means mobility and access for a wide range of devices. It's a huge asset to authorized users. The problem is generally not authorized users but those who are not authorized. Unauthorized users can be thwarted or at least slowed down by requiring a complex password or two-factor authentication to access your corporate wireless network. Also, never leave the default WiFi password on your wireless access point. You should also require a password for guest wireless access. Never allow anonymous access to your WiFi network. Your guest network should be on a separate, isolated VLAN from your corporate traffic.
You should perform wireless "scans" on an ongoing basis—meaning once a week or more, if you can automate the process. Scan for rogue network devices, user-created hotspots, and any unauthorized behavior, such as a clever user setting up a wireless access point that has a similar name (SSID) to the corporate ones.
One method of keeping rogue wireless access points off of your network is to allow only your brand of wireless access points (WAPs) on the network. This method is enforced by using MAC address filtering, so that only the hardware addresses of your WAP brand are permitted to attach. This won't prevent every rogue device or hotspot (a phone hotspot never touches your wired network, so the filter never sees it), but it removes the general possibility of someone attaching their own WAP that doesn't match your filter.
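As an added example (not code from the original article), here is a small Python audit of wireless scan results that applies both checks above: it flags SSIDs that look like the corporate ones and corporate SSIDs broadcast from hardware whose vendor prefix (OUI) is not your WAP brand. The corporate SSIDs, the approved OUI, and the scan listing are all constructed placeholders.

```python
"""Flag look-alike and rogue Wi-Fi networks in a scan listing."""
from difflib import SequenceMatcher

# Assumed corporate SSIDs (a list, so look-alike checks run in a fixed order).
CORP_SSIDS = ["AcmeCorp", "AcmeCorp-Guest"]
# Vendor prefix (first three bytes of the BSSID) of the approved WAP brand.
# Placeholder value, not a real vendor assignment.
APPROVED_OUIS = {"00:11:22"}

# Constructed scan results as (SSID, BSSID, security); not real captures.
SCAN = [
    ("AcmeCorp", "00:11:22:aa:bb:01", "WPA2"),       # legitimate corporate AP
    ("AcmeCorp-Guest", "00:11:22:aa:bb:02", "WPA2"), # legitimate guest AP
    ("AcmeCorp ", "de:ad:be:ef:00:01", "WPA2"),      # trailing space look-alike
    ("AcmeC0rp", "de:ad:be:ef:00:02", "OPEN"),       # zero-for-O look-alike, open
    ("Bobs iPhone", "aa:bb:cc:dd:ee:ff", "WPA2"),    # neighbour or personal hotspot
    ("CoffeeShop", "12:34:56:78:9a:bc", "OPEN"),     # unrelated open network
]


def oui(bssid):
    """Vendor prefix of a MAC address, normalised to lowercase."""
    return bssid.lower()[:8]


def similarity(a, b):
    """Case- and whitespace-insensitive string similarity in [0, 1]."""
    return SequenceMatcher(None, a.lower().strip(), b.lower().strip()).ratio()


def classify(ssid, bssid, security, threshold=0.8):
    """Return the list of findings for one scan entry (empty means benign)."""
    findings = []
    if ssid in CORP_SSIDS and oui(bssid) not in APPROVED_OUIS:
        findings.append("corporate SSID from non-approved hardware")
    if ssid not in CORP_SSIDS:
        for corp in CORP_SSIDS:
            if similarity(ssid, corp) >= threshold:
                findings.append(f"look-alike of {corp}")
                break
    if security == "OPEN":  # worth a look, but neighbours' open APs are expected
        findings.append("open network")
    return findings


def audit(scan):
    """Map 'SSID|BSSID' to its findings for every flagged entry in the scan."""
    return {f"{s}|{b}": classify(s, b, sec) for s, b, sec in scan if classify(s, b, sec)}
```

Feed it the SSID/BSSID/security columns from whatever scanner you walk the perimeter with; the look-alike threshold is a starting point you will want to tune against your own SSID names.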
You should walk around the outside of your building with a laptop or other scanning device to check for corporate WiFi signals that extend beyond your exterior walls. Windows are the biggest source of leaks beyond the safe perimeter of your internal network.
Note: Some businesses allow wireless access in outdoor common areas. If this is the case, you'll have to make adjustments to your exterior scans to allow for certain signals to be available.
Just like auditing your physical facility defenses, you must think like an attacker when performing this wireless scanning exercise. Scan for unsecured network connections that might have been set up by a rogue user or even a corporate user. These network connections may allow clandestine access to the corporate network from outside of your walls. Similar to wardriving, this "war walking" exercise is meant to discover unauthorized access. To properly perform this task, you should create a WiFi signal map (heat map) around your building(s), showing the areas where there is potential for illicit access.
Takeaway: WiFi is a necessary service but one that shouldn't be taken for granted.
Trash and disposal
Those with malicious intent also check out the things you throw away. They search for private documents, pay stubs, personally identifiable information (PII), email printouts, diagrams, and computing hardware such as hard drives and CD/DVDs that may contain your data. The best solution is to shred all security-sensitive documents. Remove all data from writable drives and destroy all hard drives, USB thumb drives, SD cards, and CD/DVDs prior to disposal.
By destroying the data and the physical media, you are ensuring that no one can recover the data from it. If I'm a potential attacker, dumpster diving is one of the first ways I will gather information about your company and its employees. In a very short time, I can acquire names, email addresses, phone numbers, signatures, and more from the things you throw away. You might have liability associated with any leaked data, so be sure to be as diligent in asset disposal as you were when acquiring and maintaining your assets.
Takeaway: Destroy all media before you dispose of it.
Security is a pain for everyone. No one loves complying with it or performing the tasks necessary to maintain it. As a sysadmin, you have to protect those who either cannot protect themselves or those who refuse to protect themselves. You also have an obligation to protect corporate assets from outsiders, attackers, accidents, and malicious insiders. Your responsibility doesn't stop at the wall, the window, or the door. You're also responsible for protecting the WiFi signals that breach the confines of your office and your garbage until it's in the hands, trucks, recycling centers, and landfills of the Department of Sanitation.