Friday, December 5, 2014

EXCLUSIVE: The Top 10 Items Missed During an Audit (Article 2 of 10 in a series)

This is an exclusive provided by SLC Security Services LLC, the leader in Medical, Compliance and DOD Auditing Solutions.

Issue 9 - Inadequate security of network path and access control systems

Yes, we are jumping around a bit; that's just because we have been really tied up with some clients this week. So here goes...

The number 9 issue on the top 10 list of items missed during audits is something most auditing companies never even check. When doing audits, one of the items we check as part of our TSCM sweeps is the network, phone and cable paths. What we are referring to here are network cables that are accessible outside of your building, telephone connections in shared closets, or alert system components in public areas that can be manipulated without gaining physical access to your secure space.

How many times have you been in a building and seen a closet labeled "Telecom Closet" or some similar title? These areas are troublesome for many of our clients that lease space in buildings. One of the things we have had to do at some client locations is request that separate telephone lines and communications lines be brought directly into our customer space. We also insist on full metal conduits into the building to prevent wiretapping and similar physical attacks on the lines. Full metal conduits also prevent some really neat tricks in which you don't even have to cut the phone lines to be able to monitor them.

At one bank recently we noted that in the walk-in area beside the ATM there was a network jack on the wall. When we tested the network jack, it was connected directly to the customer's network switch and the port was active. The port gave us an IP address, and through passive network monitoring we were able to run Wireshark and get at a ton of very sensitive information, including the domain information for the network that the tellers in the branch were logging into. With some ARP poisoning we were able to capture login credentials. Needless to say, the client disabled the port after the audit.

One important thing to note: 95% of the companies that we initially audit are not even aware of the TSCM threats that exist. Many times our audits are eye-opening, as we can tell who is in a building, login information to networks, etc., just because they are not aware of some of these attack vectors. I can't tell you the number of wireless networks we find. It's very surprising and somewhat easy to obtain access to these networks when we do stumble upon these links.

So there you have it. Check your cable paths and make sure your devices are not going into shared space. If you really want to ensure the security of your communications, here are a few other tips.

1. Do not use fax machines to send medical, PII or sensitive information over the telephone network. While most people think telephone networks are secure, there are many stops along the way where your competition can get at your information and reconstruct your faxes, emails, etc.

2. Do not allow employees to bring personal electronic devices into areas that house PII or PHI. It has been proven that this is an attack vector that can be exploited.

3. Ensure cable paths are properly secured.

4. Do not use wireless handsets even if they are DECT "secure". DECT can be reconstructed; it just takes the know-how and tools to do it.

5. Do not send PII over wireless networks.

6. Do not allow third-party vendors into any network that houses PII, PHI or PCI.
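
One way to check for the kind of live wall jack described in the bank example is to cross-reference switch port state against a jack inventory from a physical walk-through. The script below is an added example, not part of the original article or SLC's tooling; the IOS-style config syntax, the inventory columns, the zone names and the function names are all assumptions, and the sample data is constructed.

```python
import csv
import io
import re

# Constructed sample of IOS-style interface stanzas (assumed syntax, not client data).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
 shutdown
!
interface GigabitEthernet0/4
 switchport mode access
!
"""

# Constructed jack inventory from a physical walk-through (hypothetical columns).
SAMPLE_INVENTORY = """\
port,jack,zone
GigabitEthernet0/1,J-101,secure
GigabitEthernet0/2,J-117,public
GigabitEthernet0/3,J-118,public
"""

def enabled_ports(config_text):
    """Return interfaces whose stanza has no 'shutdown' line."""
    ports = []
    for stanza in re.split(r"^!\s*$", config_text, flags=re.M):
        lines = [ln.strip() for ln in stanza.strip().splitlines()]
        if lines and lines[0].startswith("interface ") and "shutdown" not in lines[1:]:
            ports.append(lines[0].split(None, 1)[1])
    return ports

def audit(config_text, inventory_csv, trusted_zones=("secure",)):
    """Flag enabled ports patched outside trusted space or missing from the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    zones = {r["port"]: (r["jack"], r["zone"]) for r in rows}
    findings = []
    for port in enabled_ports(config_text):
        jack, zone = zones.get(port, ("?", "unmapped"))
        if zone not in trusted_zones:
            findings.append((port, jack, zone))
    return findings
```

Calling `audit(SAMPLE_CONFIG, SAMPLE_INVENTORY)` flags the enabled port behind the public jack and the enabled port with no inventory record, while the shut-down public port is left alone.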

Have a great day folks and be sure to look for the next article in this series.
