Story: A Failed Site Inspection

Catherine Aird, as quoted in the Quote of the Day mailing list (qotd-request@ensu.ucalgary.edu), wrote: "If...you can't be a good example, then you'll just have to be a horrible warning."

Recently, a consumer-products firm with world-wide operations invited one of the authors to a casual tour of one of the company's main sites. The site, located in an office park with several large buildings, included computers for product design and testing, nationwide management of inventory, sales, and customer support. It included a sophisticated, automated voice-response system costing thousands of dollars a month to operate; hundreds of users; and dozens of T1 (1.44 Mbits/sec) communications lines for the corporate network, carrying both voice and data communications.

The company thought that it had reasonable security - given the fact that it didn't have anything to lose. After all, the firm was in the consumer-products business. No government secrets or high-stakes stock and bond trading here.

What We Found ...

After our inspection, the company had some second thoughts about its security. Even without a formal site audit, the following items were discovered during our short visit.

Fire hazards

• All of the company's terminal and network cables were suspended from hangers above false ceilings throughout the buildings. Although smoke detectors and sprinklers were located below the false ceiling, none were located above, where the cables were located. If there were a short or an electrical fire, it could spread throughout a substantial portion of the wiring plant and be very difficult, if not impossible, to control. No internal firestops had been built for the wiring channels, either.
• Several of the fire extinguishers scattered throughout the building had no inspection tags, or were shown as being overdue for an inspection.

Potential for eavesdropping and data theft

• Network taps throughout the buildings were live and unprotected. An attacker with a laptop computer could easily penetrate and monitor the network; alternatively, with a pair of scissors or wirecutters, an attacker could disable portions of the corporate network.
• An attacker could get above the false ceiling through conference rooms, bathrooms, janitor's closets, and many other locations throughout the building, thereby gaining direct access to the company's network cables. A monitoring station (possibly equipped with a small radio transmitter) could be left in such a location for an extended period of time.
• Many of the unused cubicles had machines that were not assigned to a particular user, but were nevertheless live on the network. An attacker could sit down at a machine, gain system privileges, and use that machine as a point for further attacks against the information infrastructure.
• The company had no controls or policies on modems, thus allowing any user to set up a private SLIP or PPP connection to bypass the firewall.
• Several important systems had their backup tapes unprotected, left on a nearby table or shelf.

Easy pickings

• None of the equipment had any inventory-control stickers or permanent markings. If the equipment were stolen, it would not be recoverable.
• There was no central inventory of equipment. If items were lost, stolen, or damaged, there was no way to determine the extent and nature of the loss.
• Only one door to the building had an actual guard in place. People could enter and leave with equipment through other doors.
• When we arrived outside a back door with our hands full, a helpful employee opened the door and held it for us without requesting ID or proof that we should be allowed inside.
• Strangers walking about the building were not challenged. Employees did not wear tags and apparently made the assumption that anybody on the premises was authorized to be there.

Physical access to critical computers

• Internal rooms with particularly sensitive equipment did not have locks on the doors.
• Although the main computer room was protected with a card key entry system, entry could be gained from an adjacent conference room or hallway under the raised floor.
• Many special-purpose systems were located in workrooms without locks on the doors. When users were not present, the machines were unmonitored and unprotected.

Possibilities for sabotage

• The network between two buildings consisted of a bidirectional, fault-tolerant ring network. But the fault tolerance was compromised because both fibers were routed through the same, unprotected conduit.
• The conduit between two buildings could be accessed through an unlocked manhole in the parking lot. An attacker located outside the buildings could easily shut down the entire network with heavy cable cutters or a small incendiary device.

"Nothing to Lose?"

Simply by walking through this company's base of operations, we discovered that this company would be an easy target for many attacks - both complicated and primitive. The attacker might be a corporate spy for a competing firm, or might simply be a disgruntled employee. Given the ease of stealing computer equipment, the company also had reason to fear less-than-honest employees. Without adequate inventory or other controls, the company might not be able to discover and prove any wide-scale fraud, nor would they be able to recover insurance in the event of any loss.

Furthermore, despite the fact that the company thought that it had "nothing to lose," an internal estimate had put the cost of computer downtime at several million dollars per hour because of its use in customer-service management, order processing, and parts management. An employee, out for revenge or personal gain, could easily put a serious dent into this company's bottom line with a small expenditure of effort, and little chance of being caught.

Indeed, the company had a lot to lose.

What about your site?