Thoughts on premise security.

[Alvin Oga]

On Fri, 17 Oct 2003, Michael T. Halligan wrote:

> I'm building a secured call center for a customer of mine, and security
> is our top concern due to the sensitive nature of the data our callcenter
> reps will be dealing with.  The office is less than ideal, but workable,
> for this type of environment. It's less than ideal because it's not a 
> 100% sealed off from the rest of the company, there will be 2 executives,
> 2 programmers, and myself on a part-time basis in the office as well. Eventually
> as we expand the call center will be moved into an office that will have a mantrap
> and security guard to inspect everybody before they enter and exit, but for now
> there are compromises to be made.
> 
> Here are some of the steps I'm taking to ensure the best security I ca,
> let me know if you've got any ideas.

sounds like fun
 
> 1. None of the callcenter people can bring anything in and out of the building
> except lunch.  Lunch is to be carried in clear plastic bags we're assigning
> to them, and which will be inspected every time they enter or exit the premise.

provide free lunch ... $5/person  for lunch is minimal costs compared to
the risk of stuff/data leaving the office
	- free vending machines for water, drinks, ...

> 2. Nobody in the callcenter gets a PC on their desk.  They get a wyes terminal
> connected to a citrix server, which allows them to do their work.  The usb ports
> on the wyse terminals have been physically disconnected on the inside, as well
> as glue-gunned. Tamper-proof security tape has been put on all seams of the
> terminal.

good .. :-)

but no such thing as tamper-proof ...  if the seal is broken ... its too
late that they could have connected a usb device to the reconnected wires
	( takes some skill to get that far though )

> 3. The call center application, citrix server, and dumb terminals, are all physically
> connected to a switch that nothing else connects to. No internet access.

good ...

> 4. Only the ceo, coo, and myself will have access to the combination for the safe
> where the keys to the pcs and keys to the wiring closet/server room. a log must
> be filledout every time the electronic safe is opened, and every time the datacenter
> is entered.

make it an automated log... people willalways forget to log their use of
the key

automated log, they have to enter a code or swipe a card key to get access
to the room w/ the safe etc where the key is kept
	$ 100 card swipe box .. rs232 interface
	
> 5. The pcs for corporate staff all have tamper proof tape covering all the seams, locked
> cases, chained to desks. 

and no cdrw drive 
no floppy
no active firewire connections
no active usb connections
no active sound/microphone ports
	( you'd be surprised how many secure servers had these devices )

"no crt to take picures of with your cell phone or digital camera" :-)
	
> 6. Cameras on every doorways, recorded onto a hard drive, backed up weekly and stored for
> 7 years at an offsite secured storage company.

backup daily .. :-) or hourly ...

if someone is gonna tamper with the system security, you do NOT want to
allow them a week to figure out how to erase the evidence before that info
is sent off somewhere else

the recording device ( with camera connection ) has no login consoles ...
( not even local login .. you have to reboot it to get a console ?? )
	which sets off all kinds of alarms ??

> 7. Address of office is not advertised anywhere, all mail goes to a post office box.

good 

same for business cards ??  and reverse phone number lookups

and what happens if they disclose the physical address of where they work??
 	- does the spouses also get to sign the NDA and other "keep it
	secret documents" ?  or lose the job ... and financial penalties
	( motivation )

> 8. All corporate email goes to a relay at the datacenter, which then relays mail to
> the office. All outgoing mail has headers rewritten so that the ips of our corporate
> office are not advertised.

:-)

> 9. All phonecalls are recorded, indexed by case number (callcenter advocate must enter
> in a case # within first 60 seconds of an incoming call or call is disconnected, outgoing
> calls must be entered with a case number before they can be made.), and archived for 7 years.

all this is automated by the pbx .. not manually logged ... :-)
 
how do you disable / disallow cell phones and personal calls inside the
secure area ??
	- cell phones have camera's now days

	- how do you detect that a cell phone has gotten in and is turned on


> 10. For programmers to push code onto app server, they do a build, put it on a cd, give it
> to me, and I walk it into the datacenter and install the build. All the cds are archived
> and signed by the programmer & myself.

and you test it on a duplicate identical clone server, to confirm those
changes works and wont break anything ??
	- all testing is automated to confirm its functionality as
	it was before its upgrade

> 11. Janitorial staff gets background checked and bonded, as well as supervised while they
> work.

check on the validity and get listed as a co-insured  on the bonds and
insurance policy
	- if you're not on the policy, you can't collect on it

> 12. All employees are very thorougly background checked.

using your own resouce and info .. not phone and address they gave you

> 13.  Biometrics & card scanners on every door.

fun stuff
 
> 14. Copier requires case #. 

copies w/out connectivity

or if it does have connectivity, a copy of each "start copying" button
also forces a copy to be sent to the "camera servillance" server
 
have a camera pointing at the copier .. :-)

> 15. All faxes and emails sent and received are sent through one central "communications station"
> where the controller has to approve everything, and often have a lawyer approve everything
> as well.

:-)
 
> 16. Windows are sealed and shaded with film.

with anti-emi deterants looking thru glass
 
> 17. All possible eavesdropping spots we could find have been soundproofed (pretty intense.. basically
> all walls got hit with stehocopes while pople talked at loud volumes to make sure there was no way
> to listen through doors/hallways).

and the air conditioning ducts.. 

and electical outlets and light switches and phone wires

and the steel beams and pipes that conduct sound ... :-)

and all the wires (any metal) in and above the ceiling  and floors 

> 18. Everything except mailserver gets shut down at 6pm via a password protected reboot switch that
> can only be accessed by ceo, coo, director of ops, and myself.  

and a motion detector, light sensor and sound sensor and emi sensor and 
weight sensors  and infared laser beams etc gets turned on 

> 19. Telephones cannot be used until user has both authenticated via rsa onto their terminal, and 
> entered a password to turn their telephone on. 

:-)

> So that's tthe basics anyways. I'm doing everything here from specs, purchasing, implementation of all
> corporate, call center, and web/colo work, so I'm doing my best to cover all of the bases. They
> basically said "be as paranoid as you can", so I'm trying that. Any other good paranoias I've missed?

where is the backups kept????
	- it should be equally secure or even more secure than the
	data/call center

do you have at lest 3 servers for each function,
	- what happens when the one server dies for whatever reason
	( you need a hot swap replacement within seconds )
	
	- what happens when the incoming t1 dies ??
	- what happens when the switch is hacked/dies
	- what happens when the camera system dies

	- what happens when building loses power
	- what happens when the building loses its air conditioning

	- what happens when the rsa authentication server dies
	- what happens when the pbx is hacked

	- what happens when the fire dept or police dept says
		"evacuate the bldg now" !!!

	- what happens when the copper leaves the secure office and goes
	to the central building incoming telephone connection
	( just like on tv .. easy enough to do w/ the right equipment )

	
so many ways to be paranoid ..

c ya
alvin