In previous posts, I described how I gained access to the data center area and then the data center proper.
I had bypassed door #1 and door #2.
My new colleagues were not happy.
After all, they’d never had much security or a pesky security manager.
Overall, I think I was nice about it. I demonstrated the problems instead of calling meetings, sending emails, and issuing reports.
I actually caused activities to occur or fail. In most situations, I think that’s more effective. In most of the instances at this company, it was.
Before I discuss the results of my charades, let’s consider the purpose of a security function.
In short, I love to say, “Security serves the business, not the other way around.”
(Now that I’m in audit, I say the same about the audit department.)
According to me*, the purpose of a security department is go ahead of the rest of the pack and determine how the business can operate at the lowest risk and still be effective. Sometimes, you raise some serious flags and issue some dire warnings.
But security should never be an enforcer or a parking brake. Security pros should identify risks and provide management with advice and solutions, but ultimately, management has to make the decisions and take the responsibility.
So back to the 2 data center failures…..
As far as the various size doors from which everyone obtained their mainframe reports, they never changed a thing for several years. They reasoned that no one else would ever think of entering through those doors. They said I only thought of it because I’m a security guy.
I asked them if a GOOD security guy would think of it, wouldn’t a BAD security guy do the same? The risk just wasn’t worth it, they said. No big enough to worry about.
I didn’t like it, but it wasn’t my biggest priority either. Besides the most likely person to exploit this vulnerability was an insider, which before Edward Snowden, few people worried about.
Did they fix the walls so that no one could climb through the ceiling and into the data center proper? No, they didn’t do anything about this either.
They presented the following points:
- To climb over the wall, you first had to enter the data center. While I demonstrated that could be done easily, they already had dismissed that risk as not very likely. Since only 1 person had snuck through the report doors in 10 years (that they knew about anyway), they refused to get too excited about it.
- To climb over the wall, one had to realize the walls were too low, and you really needed a ladder. I’m sure I could have stacked up enough stuff to climb over without a ladder, but the ladder made it much faster and easier.
- Since getting into the data center proper required exploiting 2 different vulnerabilities, compromise was less likely. And to do it fast meant you had to have a ladder handy or BYOL (bring your own ladder, which was even less likely).
- During the day, the data center area usually had someone in it, even over lunch. I had been really lucky to find no one there that day–I noticed over the next several months that I never found it empty again, even at lunch. That may have been by design, but either way, I never found it empty again.
Again, I didn’t like the results. Years ago, the data center was constructed out of an existing area, and in those days, you didn’t put a lot of thought into data center design. Management had weighed the risk against the benefit and the cost of remediating the data center walls, and they decided the cost and mess it would cause wasn’t worth it.
As for the tape system, it did not have a configurable login. Eventually, the system would get replaced and a more modern system would require a login.
Absolutely not. According to me*, the positive outcomes were as follows:
- IT and management starting thinking more about risks they had never thought about before. And not just the ones I had raised.
- No ladder was ever left unattended in the data center area again. Or anywhere else, as someone checked whether you could enter locked offices the same way. You could.
- Sensitive materials were not left out for others to find as much. The game had changed, and no one wanted to be known as “Mack’s latest victim.” Employees started to realize that bad things could really happen.
- Servers were no longer left logged on in the data center.
- Management emphasized that security needed to be considered on the front end of projects and decisions, and the culture shift began.
- I quickly established my reputation as someone who could be called upon to think creatively and be an attacker’s advocate. Also, while employees didn’t like me poking my nose around, they also realized I could be reasonable; I wasn’t going to demand that EVERYTHING GET FIXED NOW! I showed I had some business sense, too.
- I started getting calls asking for advice. And even better, other employees started identifying risks they encountered and either dealt with them or notified me.
Do you agree or disagree? Would you have handled any of this differently? If so, why? Please comment.
* This is my more humorous way of saying, “in my humble opinion”. When you say it the way I do, you aren’t hiding what you really mean. If you think about, it really means the same thing as IMHO; saying “IMHO” instead is just a kind of sly way of forcing your opinion on others. I prefer to be upfront and call a shovel a shovel.