Printer Friendly

Just when you thought your company was safe....


LAST YEAR DURING A MEETING of a local computer security interest group, I listened to our guest speaker expound on the many strengths and capabilities of his company's security system. He described overlapping measures of closed-circuit television cameras, computer-controlled door access, and photo ID badges. Finally I raised my hand and asked, "How do you know your systems are working?" The speaker looked puzzled.

One aspect of security management should be an ongoing program of security test and evaluation, or ST&E. I was somewhat surprised that few security practitioners at the meeting had ever heard of ST&E. Some were amazed that anyone would actively try to penetrate his or her own company's security protections.

ST&E is not new. The concept is used frequently and successfully by the military. While stationed at the Air Force computer security program office in the early 1980s, I worked extensively on documentation intended to make ST&E an integral part of the risk analysis requirements for Air Force computer installations.

During this period, the Army was using a "tiger team" approach, using teams of experts on the various security systems to be tested. These groups had the unique mission of using their knowledge and skill to attack security systems at selected computer installations to find ways that could be used by an enemy to penetrate or destroy key data processing facilities. The results of their efforts, documented in great detail, were analyzed to determine where problems existed and how they could be resolved.

In civilian industry, tiger teams are practically unheard of. Except for corporations involved in classified national defense contracts requiring compliance with highly restrictive government security regulations, most companies are not inclined to concern themselves with the expense and complications represented by this approach to ST&E.

Nevertheless, corporate security practitioners can greatly enhance the effectiveness of security by examining security systems from the point of view of a burglar or an angry activist. It is better to find the holes and plug them yourself before a hostile intruder or dishonest employee finds them and exploits them, leaving you to explain to management how the impossible happened. The concept of ST&E should not be mistaken for a formal risk analysis. Rather, it is an ongoing tool to augment the results of the formal risk analysis and to accomodate a constantly changing security environment.

To illustrate the types of discoveries that ST&E can bring to light, the following examples of actual penetration tests are offered. I do not imply my methods or techniques are the best, but they have proven useful and have opened the eyes of a number of facilities' managers to weaknesses they had never noticed.

Computer-assisted penetration. Shortly after occupying a new computer center, I came in at night to test the access control systems. The company had invested a sizable sum in a cardkey system to control entry into the facility and into the numerous suites within the facility. On the surface, the system seemed to be excellent, and our security was a point of corporate pride.

I had noticed on the ceilings, just inside every entrance, a small sensor unit. After careful observation, I found whenever anyone walked under one of these sensors, a small red light would come on in the sensor, and the door would unlatch immediately.

Unsure whether the device was triggered by motion or by body heat, I rolled a chair under one of the sensors. Nothing happened. Next, I used a stick to slide a cup of hot coffee under the sensor. Bingo! I discovered the sensor was infrared - that it was triggered by body heat.

During my late night testing, I contrived to use crude tools consisting of a yardstick with a two-inch nail imbedded in the end and a cheap butane lighter. I heated the nail and quickly slid the yardstick under the door as far as it would go. I slowly moved it around until the sensor on the inside ceiling found the warmth. With automated efficiency, the system immediately unlocked the door. I was admitted into our sanctum sanctorum with the willing assistance of the very system that was was supposed to keep the bad guys out.

The simple technique allowed me to gain access to every suite in our facility without leaving a trace in the automated access control reports. Needless to say, reporting this gaping hole to the facility manager resulted in immediate action to eliminate this unintentional flaw. However, if the penetration attempt had not been tried, the technique could have been exploited endlessly by criminals or employees.

The accessible bolt. Everyone knows that to ensure the security of an area you mount doors so hinge bolts are either welded or inaccessible from the outside. However, many times secure door installations are mounted with excessive gaps between the door and the frame, particularly where the locking bolt fits into the jamb.

During one after-hours penetration test, I found I was able to circumvent the sophistication of the cardkey system by inserting the blade of a pocket knife into the door gap. By applying firm pressure to the bolt with the knife blade, I was able to slide the bolt out just far enough to allow me to pull the door open.

In a similar test, I demonstrated to some skeptical managers how a child could penetrate their cardkey protected offices. In their installations, the solenoid-operated door bolt meshed with recessed receptacles beneath the doors, but again, the doors had been hung with sufficient space beneath them for me to insert the tip of my ballpoint pen into the gap and under the bolt.

Still a third penetration technique that proved to be child's play involved exploiting the breaker bars installed on the inside of many standard, nonemergency doorways to facilitate easy exits. I found that by gently bending a narrow piece of flat iron into an L and inserting it through the gap between the door and the jamb, I could pull the tool straight back so the curved end pulled against and activated the breaker bar.

In the above instances, access to controlled areas was gained in less than 60 seconds without damaging the security systems or leaving a trace. These flaws in secure door installations can be remedied by installing metal strips in door edges to reduce the gap or by installing steel covers over the exposed bolt area. In doing so, however, care must be taken so covers cannot be removed from the outside.

The bogus maintenance worker. One computer installation I tested a few years ago fell victim to a problem that is probably more widespread than most of us would like to admit. This problem is based on the fact that most people are basically trusting of others.

When confronted with an individual who appears to be on a bona fide mission (in a uniform or business suit or carrying a briefcase, clipboard, or toolbox), employees tend to believe the person is there to do a job and they should not interfere. Most times, a strong corporate visitor control program will nip this kind of penetration in the bud, but often, if the attempt is timed right, access can be gained merely by being convincing in the role.

In the case of this installation, the penetration was timed to coincide with a shift change. Dressed in khakis and carrying an impressive toolbox, an assistant rang the access phone at the loading dock and identified himself as being from refrigeration maintenance. He explained the preceding shift had reported a malfunctioning cooler in the computer room.

The newly arrived shift supervisor checked his log and said there was no log entry about the call. After a few minutes of "I just drove 12 miles out here in the middle of the night to look at your cooler" and "It doesn't matter to me, but I have to bill you for the call anyway," the shift supervisor decided he had better let the repairman take a look, just in case the previous shift had forgotten to log the report.

The repairman was escorted to the machine room, where he was left to work on the cooler. He puttered with some tools for about 30 minutes before leaving. No one noticed he was leaving empty-handed.

It was the next shift that discovered his toolbox sitting next to the computer system with a note that read, "This is a simulated bomb. It was planted in your computer room at 11:30 pm and was timed to explode at midnight. If this had been a real bomb your facility would have been destroyed!" A similar toolbox and note were behind the building next to the power transformer, which fed electrical power to the entire facility.

This was supposedly a secure facility. They had policies to prevent such a penetration from occurring. They had procedures requiring constant escort of all computer room visitors. They had everything but compliance.

Follow-up interviews revealed security was always lax during the night shifts because no one believed there was a real threat. Since management never hassled guards about security at night, it wasn't taken seriously. Needless to say, that attitude disappeared in a hurry, and management began to show much greater interest in late night operations. The company even built a securely lighted and alarmed enclosure to protect the power transformer.

These are just a few of the more dramatic experiences I've had with ST&E. In a well-managed facility, routine testing of security systems and procedures can be a boring task and might even seem to be a waste of time, but don't be lulled into a sense of euphoria. Cultivate the habit of looking at every entrance, every window and crawl-space, every communications conduit and electrical power feedline, and ask yourself, "What would it take to get through there, disrupt communications lines, or disable power?"

As soon as you are convinced you have done all you can to ensure the security of your facility, that is when a motivated aggressor is going to stumble onto something you missed. While you are dislocating your arm patting yourself on the back, this individual is going to remind you that there is no such thing as perfect security.

About the Author . . . Al Foster is data security administrator for US West Information Technology in Englewood, CA. He is a member of ASIS.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:ongoing program of security test and evaluation
Author:Foster, Al
Publication:Security Management
Date:Sep 1, 1989
Previous Article:Crisis? Call the ad hocracy.
Next Article:A menu for success.

Related Articles
Protocols for bedside testing.
Drug Testing.
Safety first: an OSHA Primer: exposure control is a growing concern for security personnel.
New techniques and technologies bring basic theories up to date.
"Checking up" on staff health education.
NIC's Performance Measurement System.
Facial Recognition.
Identifying and Exploring Security Essentials.

Terms of use | Privacy policy | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters