The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.

The following story about Company Y is based on a real company I experienced recently, thinly disguised. Now that I've jotted it down like this, it actually sounds really awful. But they thought they had balanced security, good enough without "going over the top", and nowhere I've examined in detail was all that much better.
Company Y has 4 offices in 4 different counties. With about one hundred personnel the office in this account was the smallest, but included company headquarters. The IT department was in a different county. Like many companies, Company Y leased one whole floor of a multi-story building. It had no particular relationship to most of the other tenants, except the one on the floor immediately below which did once successfully tender for a contract from Company Y.
> Company X's physical (building) security includes badges for all employees,
In Company Y's building, the building manager issued door swipe cards which many employees wore on cords around their necks because it was the latest corporate fashion statement: when you went out for a latté it said "I am a sarariman for a big corp". But the cards didn't have photos or anything like that because that's what the plebs on the assembly line had to wear, and the clients didn't have to wear them either because they're big shots and it would be embarrassing to suggest that they weren't instantly recognized by all employees. So in the end, the only people who actually ended up wearing a badge in this office were the janitor and the electrician, which was odd because they'd been around since Noah was a boy and everyone DID know them by sight.
> locked doors
Some of the internal doors were locked but it was open plan so there were few. In fact once you got past reception you could go anywhere except the network cupboard, the stationery store, and the plant room. There were also some locked cupboards but it was mostly cheap IKEA stuff you could open with a quick twist of a screwdriver. Every employee also had a lockable set of drawers, but few actually had the key for them, so most were unlocked. In any case they were wheeled for easy removal and were made from plastic coated chipboard. The locks were flimsy 3 pin tumbler locks.
> security guards,
The building management paid for a security guard to check the place twice a night. He came around at fairly regular times about 8 hours apart, and only had access to check the exterior doors to the building, which is just as well because the one the smokers always propped open had a broken door retractor and didn't quite close by itself. Of course if someone was working late and happened to exit via that door just after the guard's first visit, it would often stay open until the guard came around again at 3 am.
> and restricted access.
During work hours, to get from the street to someone's desk you needed to pass exactly one door with any kind of security. After hours, you also needed to swipe a card to get in the building lobby and to take the lift to any floor except first. However on several floors including the building lobby and Company Y's floor, there were unsecured bathrooms in which a person could hide whilst the security mode was changing over.
The type of swipe card controlled doors on Company Y's floor, between the lift and the office proper, has a known, published security flaw. Spare swipe cards were kept in a locked but flimsy drawer on the receptionist's desk, which was in the lift lobby.
> Employees, however, tend to hold doors open for others
Yep, they certainly do. Additionally, after swiping a card a door stayed unlocked plenty long enough to tailgate even without being seen. The roller door to the underground car park was worse: it stayed open for three minutes, and the timer reset whenever anything interrupted its photocell. This was to avoid lawsuits for scratching someone's auto, I guess. It also meant that an intruder had three minutes to walk up to the door, cover the photocell, and keep it open as long as he liked. But then another building tenant hired a few dozen temps for several months, and asked that the car park security be turned off so they could get in and out. So then anyone could get in and out of the car park, and the only security it offered was shielding a criminal from view. Fortunately, while I was there no muggings happened in the car park, just stealing from cars.
> and don't tend to check the photos on IDs when doing so.
What photos?
> Dumpster areas were gated but unlocked, leaving them open to potential dumpster divers
The trash was actually kept in a "secure area", that is, down in the car park. (See above.) Except on trash collection night. See, the minimum clearance in the car park was too low for the garbage truck, so the cleaners would prop something against the photocell to keep the roller door open, and wheel the dumpsters up to the sidewalk one at a time, and leave them there overnight (which is illegal) for collection at 7 am the following day.
> Phone security is standard, allowing internal transfers and outgoing calls with blocked IDs.
Yep. And there was some kind of black magic used to make the other company offices in other counties look like they were on the same local PABX.
Each digital phone also had a voicemail account associated with the phone, so you got the same voicemail account from that phone regardless of where you plugged it in. Most people used the default PIN for voicemail.
> Remote access is through a VPN with SecureID,
They thought about SecureID but the tokens looked too expensive, so remote access was through a VPN with regular CHAP password authentication. However it only got you into a DMZ, in the form of a Cisco VLAN. So, if all the Cisco rules were set up right, and no exploits against IOS were known, you couldn't do too much damage. If you had an exploit for IOS though, Company Y was pwned.
> the use of which requires permission from a superior
Worse, it required permission from the IT department, a bunch of jerks who applied this authority not to -- say -- inspect your laptop for security problems, but to avoid work^W^W^W jerk you around^W^W^W prioritize their work load.
> and inactive accounts were suspended within 30 days.
There was no mechanism to inform IT when an employee quit. They might spot inactive accounts by monitoring access logs, but I doubt it as they were lazy^H^H^H^H overworked.
> Wireless access points in the buildings also fall under these restrictions.
The WiFi access points could be picked up outside at least as far as the coffee shop. It hooked straight into the local office LAN. It had WAP (weak) encryption, but with some sort of proprietary add-on which changed the key every few hours. (This was considered adequate when it was set up, but WAP cracking has now advanced to the point where 20 minutes of interception is enough.) You needed IT permission to use it, and to have the special client installed.
> As for hardware, remote drives are used, but employees were instructed not to store
> confidential information on the drives.
No, because networked drives were backed up but individual workstations were not, so employees were instructed to store everything important on the network drives, and as little as possible on the local machine. Many stored everything on both, just in case the network went down.
> Laptops were common, but only roughly 30% of users lock them with the provided cables.
No cables were provided, although a few employees bought their own. Some employees locked the laptop in their desk drawer, but the docking station made it kind of obvious where to look, and the drawers were flimsy.
> Shared drives on the internal network are protected by group permissions.
Nope. Shared drives were of 3 types, personal home drives (used almost exclusively by the email clients) which were accessible only by a particular user; Read Only to Everyone (for software distribution); and Full Access to Everyone (shared groups). However the network paths to different groups' shared drives were "secret"...
> On the system level, the company runs weekly virus scans.
Company Y was on the ball here. Every machine had real time virus monitoring, signature updates by push install, administrative reporting of the current state of all virus scanners, plus daily scans. Unfortunately on the oldest machines the daily scans took about 3 hours because of a particular piece of bloatware which had multiple thousands of files, and they were scheduled to run at 9 pm in order to be finished before backups ran. This was an absolute pain in the neck if you had to work back late for an important deadline, so many users had figured out how to disable the daily scan (which was really a bit pointless when you had real time protection on constantly), which caused the administrative monitor to be constantly on "red alert".
> Security teams have reduced administrative rights on machines so employees can't
> install rogue programs.
When the SOE model was found to be unworkable, instead of managing every user's software requirements IT just quietly reinstated administrative rights for most employees.
> Password requirements are fairly standard, requiring a variety of characters,
> changed every few months.
There was a software enforced (Windows NT) password policy. It was: minimum of 5 characters, maximum age 4 weeks (the default), minimum age 1 week, remember last 24 passwords (the most allowed), no complexity requirements. I can't understand what the hell this was meant to achieve. Apart from forcing occasional password changes, it basically said "you can use really weak passwords if you like, but if you suspect someone shoulder-surfed when you updated your password you're not allowed to change it again for a week".
This applied ONLY to Windows logon passwords. Every other password protected system on the network had no password policy, and there were critical systems where the password was trivially guessed, was shared by many people, or had not been changed for years.
> Software comes standard for each machine.
It used to, but it was a dumb idea. Except in the call center (which was in a different county), nearly every office employee was a specialist with unique requirements. Having a standard software install proved to be not merely a drain on productivity, but in many cases actually stopped employees working at all so they had to bring in their own systems to get any work done.
However, rather than simply making the policy more flexible, IT decided it was all too hard and just delivered an SOE but with admin rights restored to the users, so they could individually add what they needed.
> Screen savers are password protected, but not always locked.
They were, but the timeout setting was under user control, and most had them set for a very high value (often the maximum, 9999 minutes) to avoid being annoyed by it kicking in whilst reading something.
> Most machines are open to Internet access, with the exception of some site blocking.
Yes.
> Passwords can be saved in browsers, however.
Yes.
> Email suffers from frequent server problems,
No, actually. Email administration was quite efficient.
> webmail is not always secure,
There was no corporate webmail, and many popular free webmail services were blocked by the proxy.
> and IM use internally is rampant.
Not at corporate HQ, anyway.
> CallerID spoofing would be a very simple way to get a password reset.
Yes. In fact the one and only time I needed a password reset at Company Y, I did it from a phone in a conference room, because I didn't want my co-workers to hear that I'd done such a luserish thing. The help desk reset my password, from an unassigned phone, without any ID at all.
On another occasion I had a job for the IT department which resulted in one of them ringing me and asking for my password over the phone. I asked for his number so I could at least check it against the internal directory and ring him back, and he took offence! He eventually grudgingly agreed to this minimal precaution, did what he needed to do, then rang me again to say he was finished and that he had "reset your password for you" since it had been exposed over the phone. But he didn't mean he had used the administrative reset facility, rather, whilst logged in as me he had simply changed it to "password". And remember, this site had a minimum password age policy! So as punishment for questioning his authority I was forced to use "password" as a password for a week.
> Security training is available for home network usage
Nope. The only useful IT security information was on an unauthorized wiki put up by the web developers.
> and basic encryption, but departments differ in their use of these tools.
Absolutely not. In fact back in the SOE days, encryption software was one of the things that was forbidden. Never mind that as a business necessity we HAD to exchange highly confidential email with external clients. So we set up our own unofficial PGP infrastructure, and had to keep it hidden from the IT department. Later they at least acknowledged that we had the right to use it, but they took no interest and in fact none of them even understood it.
> It's tough enough to keep up with the latest technology
> patches, and filters with corporate budget cuts.
Actually, Company Y had record profits that year.
Link to this comment: http://www.securityfocus.com/comments/infocus/1860/482#482
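The Windows NT password policy the commenter describes (5-character minimum, 4-week maximum age, 1-week minimum age, 24-password history, no complexity) is the kind of thing an auditor can check mechanically rather than by reading the dialog. The script below is an added example, not code from the comment or from SecurityFocus: it parses a constructed `net accounts`-style dump carrying the commenter's figures and flags deviations from an assumed baseline (the baseline values are the example's own choice, not anything the comment states). `net accounts` does not report the complexity setting, so that check is left out here.

```python
import re

# Constructed sample of `net accounts` output, using the figures the commenter
# gives for Company Y. Real output has the same labels and column layout.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          7
Maximum password age (days):                          28
Minimum password length:                              5
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

# Labels as printed by `net accounts`, mapped to short keys.
FIELDS = {
    "min_age": "Minimum password age (days)",
    "max_age": "Maximum password age (days)",
    "min_len": "Minimum password length",
    "history": "Length of password history maintained",
    "lockout": "Lockout threshold",
}


def parse_net_accounts(text):
    """Return {key: int} for the fields above. 'Never'/'None' become 0."""
    policy = {}
    for key, label in FIELDS.items():
        m = re.search(re.escape(label) + r":\s*(\S+)", text)
        if m:
            value = m.group(1)
            policy[key] = int(value) if value.isdigit() else 0
    return policy


def audit_policy(policy, min_len=8, min_history=24, max_min_age=1):
    """Assumed baseline: at least 8 characters, history kept, minimum age of
    at most 1 day, and a lockout threshold set. Returns a list of findings."""
    findings = []
    if policy.get("min_len", 0) < min_len:
        findings.append("minimum length %d is below %d" % (policy.get("min_len", 0), min_len))
    if policy.get("min_age", 0) > max_min_age:
        # The commenter's point: a user who suspects shoulder-surfing is blocked
        # from changing the password again until the minimum age has elapsed.
        findings.append("minimum age %d days blocks user-initiated change after exposure" % policy["min_age"])
    if policy.get("history", 0) < min_history:
        findings.append("password history %d is below %d" % (policy.get("history", 0), min_history))
    if policy.get("lockout", 0) == 0:
        findings.append("no account lockout threshold configured")
    return findings
```

Feeding the real command's output through `parse_net_accounts` works the same way; `secedit /export /cfg <file>` is where the complexity flag would have to be read from.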