Thoughts on premise security.

jimd at starshine.org
Sat Oct 18 19:15:06 PDT 2003


On Fri, Oct 17, 2003 at 03:50:41PM -0700, Michael T. Halligan wrote:

> I'm building a secured call center for a customer of mine, and
> security is our top concern due to the sensitive nature of the data
> our callcenter reps will be dealing with.  The office is less than
> ideal, but workable, for this type of environment. It's less than
> ideal because it's not a 100% sealed off from the rest of the company,
> there will be 2 executives, 2 programmers, and myself on a part-time
> basis in the office as well. Eventually as we expand the call center
> will be moved into an office that will have a mantrap and security
> guard to inspect everybody before they enter and exit, but for now
> there are compromises to be made.

> Here are some of the steps I'm taking to ensure the best security I can,
> let me know if you've got any ideas.

> 1. None of the callcenter people can bring anything in and out of the
> building except lunch.  Lunch is to be carried in clear plastic bags
> we're assigning to them, and which will be inspected every time they
> enter or exit the premise.

 Unless you have them strip searched each day in and out ... this
 seems like it's only a cosmetic measure.

> 2. Nobody in the callcenter gets a PC on their desk.  They get a
> wyse terminal connected to a citrix server, which allows them to do
> their work.  The usb ports on the wyse terminals have been physically
> disconnected on the inside, as well as glue-gunned. Tamper-proof
> security tape has been put on all seams of the terminal.

 "Tamper-proof" tape isn't.  It may be tamper *evident* but how tamper
 "proof" can it be if it's just tape?  That may seem like a nit-pick
 but let's be more precise in this terminology here.

 Assuming that this is really tamper *evident* tape (and not made of
 some supernaturally tough material that couldn't be cut open with a
 razor, hacksaw or pocket butane torch) ...

 ... how are you checking for tampering?  Is a supervisor checking the
 tape every day prior to signing the employee's time card (and allowing
 them out of the building)?

> 3. The call center application, citrix server, and dumb terminals,
> are all physically connected to a switch that nothing else connects
> to. No internet access.

> 4. Only the ceo, coo, and myself will have access to the combination for
> the safe where the keys to the pcs and keys to the wiring closet/server
> room. a log must be filled out every time the electronic safe is opened,
> and every time the datacenter is entered.

 Is there a security guard stationed to enforce (and notarize?) this
 logging?  What measures are taken to prevent tampering with the logs?

> 5. The pcs for corporate staff all have tamper proof tape covering
> all the seams, locked cases, chained to desks.

 see earlier distinction on "tamper proof" vs. "tamper evident" (or
 "tamper apparent").

> 6. Cameras on every doorways, recorded onto a hard drive, backed up
> weekly and stored for 7 years at an offsite secured storage company.

 Only one hard drive?  How are the cameras physically secured and 
 why aren't their signals/recording duplicated to two independent 
 systems?  Do the cameras have a local (flash) cache?

 What procedures are in place to handle the apparent failure of a
 camera?  Have you tested those by unplugging a camera and timing how
 long it takes for a warm body to investigate?  Are these tests
 specified in your routine security auditing procedures?

> 7. Address of office is not advertised anywhere, all mail goes to a
> post office box.

> 8. All corporate email goes to a relay at the datacenter, which then
> relays mail to the office. All outgoing mail has headers rewritten so
> that the ips of our corporate office are not advertised.

 How are the contents of each outgoing bit of mail vetted?
 The use of Citrix suggests an MS Windows based application, how are
 incoming bits of e-mail sanitized?

> 9. All phonecalls are recorded, indexed by case number (callcenter
> advocate must enter in a case # within first 60 seconds of an incoming
> call or call is disconnected, outgoing calls must be entered with a
> case number before they can be made.), and archived for 7 years.

> 10. For programmers to push code onto app server, they do a build,
> put it on a cd, give it to me, and I walk it into the datacenter and
> install the build. All the cds are archived and signed by the programmer
> & myself.

 Is an independent team performing a code audit of a copy of these
 prior to installation/updates?

> 11. Janitorial staff gets background checked and bonded, as well as
> supervised while they work.

> 12. All employees are very thoroughly background checked.

> 13.  Biometrics & card scanners on every door.

 If there are doors without live guards, how are you checking the
 clear plastic lunch bags (etc)?  Biometric and card scanners tell you
 (at best) who went in (and out).  Not what they carried with them nor
 who accompanied them.

> 14. Copier requires case #.

 How do you ensure that all copies made are accounted for?  (Filed,
 mailed with approval, or shredded)?  What's the point of logging the
 copying event if there's no control over the resulting copies?

> 15. All faxes and emails sent and received are sent through one central
> "communications station" where the controller has to approve everything,
> and often have a lawyer approve everything as well.

> 16. Windows are sealed and shaded with film.

> 17. All possible eavesdropping spots we could find have been
> soundproofed (pretty intense.. basically all walls got hit with
> stethoscopes while people talked at loud volumes to make sure there was
> no way to listen through doors/hallways).

 TEMPEST defenses?  EM emissions sweeps?  (I know I'm starting to sound
 silly here --- or spooky; but without some idea of your threat model
 what else can I say?)

> 18. Everything except mailserver gets shut down at 6pm via a password
> protected reboot switch that can only be accessed by ceo, coo, director
> of ops, and myself.

> 19. Telephones cannot be used until user has both authenticated via rsa
> onto their terminal, and entered a password to turn their telephone on.

 So, what prevents them from leaking sensitive information after they've
 authenticated to the phone system?  Is the list of numbers restricted
 or correlated to the incident/case numbers?  To get even spookier what
 would prevent our hypothetical employee/spy from calling the restricted
 number at a time when an associate has tapped into that line and then
 transmitting sensitive data via some sort of low bandwidth acoustic
 sub carrier (so it sounded a bit like static)?

 Of course the real key is: what prevents the turncoat employee from
 simply memorizing key pieces of data and leaking that?  Are there any
 canaries (honey tokens: false accounts, cases, etc in the system that
 are there purely to detect leaks)?

> So that's the basics anyways. I'm doing everything here from specs,
> purchasing, implementation of all corporate, call center, and web/colo
> work, so I'm doing my best to cover all of the bases. They basically
> said "be as paranoid as you can", so I'm trying that. Any other good
> paranoias I've missed?

 I've pointed out a few that I think are obvious.  Given some incentive
 I'm sure I could think of a few more.  Given some background I might
 even keep them reasonable.  Shooting in the dark like this just puts
 me in the Austin Powers plot brainstorming frame of mind.

 If you have the budget for it; hire a couple of professionals to go
 over the whole plan *again* (independently of one another).

-- 
Jim Dennis