Oh, boy, reading this Wall Street Journal story, “Ten Things Your IT Department Won’t Tell You” brought back some memories of personnel who went to great lengths to get around security requirements!
Back around the mid-1990s there was a large multinational company that had many different service and product offerings spread across different business units. Around that time each business unit was implementing its own Novell fileservers and hiring its own personnel to run those Novell servers.
The Novell servers were all on the network and had direct access to the mainframe. But the servers were physically located in a secured room with backup power, cooling, and the whole nine yards. The IT department was focused on just the network architecture/maintenance and the mainframe, not on Novell server administration and support. (Yes, hindsight is 20/20, but that’s another discussion.)
The company had very strict, but justified risk-based, policies regarding the connection of the corporate network to any other outside network. They had procedures the business units had to follow if they felt one of their business partners needed to have access to the corporate network, and they had several feasible options for allowing authorized connections.
One of the Novell administrators, in one of the business units that had many different business partners, did not like to be slowed down by rules and was always agitated when following the procedures.
“I could easily set the connections up myself,” he would say.
“Yes, I’m sure that you are quite technically capable, and that is a possibility, but it is against our security policies…” was the reply, followed by what was intended to be an awareness-raising discussion, but that was always met with rolling eyes and heavy sighs.
The information security department referred to the particular Novell admin as “Cowboy [name withheld for obvious reasons].” 🙂
On one occasion Cowboy submitted a request that information security had to turn down. He wanted to connect one of his business unit’s business partners (which also happened to be a competitor of another of the company’s business units) directly to his Novell server with no firewall, and give the partner 24×7 access; all using one ID that would be shared by around 24 of the business partner’s staff.
Umm…no.
Information security documented some reasonable alternatives for connecting the business partner and sent them to Cowboy, along with copies to Cowboy’s business unit VP, as well as to the corporate CIO and the Sr. VP to whom information security reported. The document also outlined the risks involved with Cowboy’s requested connection.
Cowboy didn’t like it. He complained to his VP.
His VP talked with the CIO and the Sr. VP, and ultimately agreed to one of the proposed alternatives that information security had provided.
Cowboy fumed. He didn’t like it. He said it was unreasonable to make such a valued business partner jump through such hoops.
Fast forward a couple of months…
The IT team was seeing unusual activity in one subnet on a recurring basis; bandwidth surges were impacting response times for everyone on the network during these timeframes.
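The recurring surge in one subnet is exactly the kind of signal a network team can check for mechanically. The following is an added illustration, not code from the original post: it assumes per-subnet byte counts are already being collected per hourly interval (the records below are constructed sample data, with one subnet that is normally quiet but surges at the same hour every evening), flags intervals that exceed a subnet's own median volume by a large factor, and then reports which (subnet, hour) windows recur across several days.

```python
"""Flag recurring bandwidth surges per subnet from interval traffic counters.

Added illustration; not part of the original post. It assumes the network
team already has per-subnet byte counts per hourly interval (e.g. from a
counter poller). The records below are constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed records: (day, hour, subnet, bytes in that hour).
# 10.2.0.0/24 is normally quiet but surges every evening at 20:00.
SAMPLE_RECORDS = []
for day in range(1, 6):
    for hour in range(24):
        for subnet, base in (("10.1.0.0/24", 400_000), ("10.2.0.0/24", 150_000)):
            nbytes = base + (hour % 5) * 10_000  # mild daily variation
            if subnet == "10.2.0.0/24" and hour == 20:
                nbytes = 9_000_000  # the surge
            SAMPLE_RECORDS.append((day, hour, subnet, nbytes))


def find_surges(records, factor=5.0):
    """Return (day, hour, subnet, bytes, baseline) for intervals where a
    subnet exceeded `factor` times its own median hourly volume.
    The median is robust to the surges themselves, unlike the mean."""
    per_subnet = defaultdict(list)
    for _, _, subnet, nbytes in records:
        per_subnet[subnet].append(nbytes)
    baseline = {s: median(v) for s, v in per_subnet.items()}
    surges = []
    for day, hour, subnet, nbytes in records:
        if nbytes > factor * baseline[subnet]:
            surges.append((day, hour, subnet, nbytes, baseline[subnet]))
    return surges


def recurring_windows(surges, min_days=3):
    """Group surges by (subnet, hour) and keep those seen on at least
    `min_days` distinct days; a fixed time-of-day pattern is what separates
    a scheduled transfer from a one-off burst."""
    days_seen = defaultdict(set)
    for day, hour, subnet, _, _ in surges:
        days_seen[(subnet, hour)].add(day)
    return {k: sorted(v) for k, v in days_seen.items() if len(v) >= min_days}


if __name__ == "__main__":
    for (subnet, hour), days in recurring_windows(find_surges(SAMPLE_RECORDS)).items():
        print(f"{subnet} surges at {hour:02d}:00 on days {days}")
```

On the constructed data this reports 10.2.0.0/24 surging at 20:00 on all five days, which is the pattern that would send someone to look at what is physically attached to that subnet. Using a per-subnet median rather than a network-wide average matters: a small subnet's surge would be lost in the noise of the larger ones otherwise.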
Around the same time Facilities Management was puzzled about some damage to some ceiling tiles.
Hmm…
2+2=Cowboy!
Turns out, Cowboy knew that network cables ran in the ceilings above the dropped ceiling panels. Apparently, sometime when no one was around, he had removed the panels above his cubicle and examined the wiring long enough to identify where to patch in a cable, from a modem that was on his desk, to his Novell server. The cable ran up the wall, and was hidden by a tall voluminous fern…I like to call it physical steganography. 🙂
I don’t know the technical details for *HOW* he did this, and I still can’t understand how he made it work without others around noticing…although they probably actually did and just chose to deny knowledge. He sure did amaze the network admins.
Well, he *DID* say he could easily set up the connections himself, didn’t he!
It was revealed that he’d leave the modem on whenever the business partner needed to send files, or access files from his business unit’s Novell server.
However, who knows where the business partners actually went when they were connected.
No, the Wall Street Journal article does not talk about this particular type of skirting around security controls. However, it does talk about how to do the following while at work:
1. HOW TO SEND GIANT FILES
2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON’T LET YOU DOWNLOAD
3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS
4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP
5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME
6. HOW TO STORE WORK FILES ONLINE
7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL
8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON’T SPRING FOR A BLACKBERRY
9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY
10. HOW TO LOOK LIKE YOU’RE WORKING
Yes, as I read through this article I thought about all the next generation Cowboys out there who were probably drooling as they read this.
Sure, the article tries, in a backwards way, to point out the risks. But then it still talks about how to get around corporate security controls. I’m sure it gave some folks some ideas that perhaps they had not thought of before. When people want to do something they think is important to them, and they find out how to get around security, many will do it even knowing the risks to the company and to themselves. Cowboys everywhere are surely appreciative, thank you ma’am.
However, this article should highlight to information security practitioners some vulnerable areas that they need to address.
If you haven’t thought about how to address these issues, do it before you get your own Cowboys rootin’ and tootin’ up your network and data files with all sorts of damaging, and potentially illegal, activities, putting your organization at risk of noncompliance, lawsuits, penalties and very bad press, just to name a few of the bad impacts.
Tags: awareness and training, Information Security, insider threat, IT compliance, policies and procedures, privacy, risk management, third party security