
18 Common Security and Privacy Work Area Vulnerabilities

In 1990 when I was an internal auditor I was tasked with determining the overall information security posture of my company. One of the things that I decided would be a good thing to do was to go to the offices Saturday and Sunday evening when there would be the fewest personnel around. I wanted to look at their work areas to see what type of information security risks I could find that were a result of the work habits of the personnel.

A computer security investigation for the human realm!

Oh, boy; it was an eye-opening experience! Plus a huge task, considering I reviewed around 5 different buildings occupied by around 10,000 people, seemingly nonstop, Saturday and Sunday from the early evenings into the wee hours of the mornings, with the help of just a couple of other auditors.

Needless to say I didn't get to all the areas; I focused on what I determined would be the most high-risk areas first. However, I still found so many vulnerabilities it filled pages. It became a significant basis for what would become the organization’s first set of information security policies...which I wrote as a result of the audit. But that is another story.

Over the years I have refined the process quite a bit. It is now much more streamlined and targeted based upon first doing an assessment of the areas that present the greatest risk to systems and information.

Doing these after-hours walkthroughs allows organizations to get out where their personnel work and see what kinds of risks exist to information when no one is around. Look at all the privacy breaches that occur because of personnel not following policies, or making mistakes in their work areas! These are highly vulnerable areas for information security incidents and privacy breaches.

After-hours walkthroughs can usually be done during the work-week within specific business areas in around two to four hours by a team of reviewers. Partnering with the physical security department and having them come along greatly increases the value of both the time invested and the security review: physical security risks get identified at the same time, and the information security folks get a chance to raise information security awareness among the physical security folks and vice versa.

Some people, actually more than one information security officer and privacy officer, have said to me over the years, “But the risks are so little at night! No one is around, with the exception of the security guards, cleaning staff, maintenance workers and employees who may be working late.” Yes, these folks very well COULD be in the area. I have seen many instances of security guards doing bad things with the information they have found, along with the cleaning staff, maintenance workers and employees. So when you think about it this is a very large number of people, isn’t it?

For the September 2007 issue of the CSI Alert I wrote about this topic in "CSI: Humanity."

Within the article I discuss the 18 most common vulnerabilities I have found while doing these reviews over the years, along with 5 compelling reasons to do the walkthroughs.

If you read it, please let me know what you think! I would be particularly interested in hearing if you have additional vulnerabilities to add to my list of the top 18.


Comments

That's a pretty inclusive list! I know if I were to target a company for more than just a spur-of-the-moment attack, one of the first things I'd pick up on site is a company directory, present on almost every desk.

I'd also think about whether desktops are locked down. Laptops are smaller and more mobile, but some desktops are getting pretty small themselves. The desktop in my cube here is roughly 2.5 times larger than a solid laptop. It could easily slip into my backpack without effort.

Very scary stuff. Made me think back to my time at a local Verizon office where ads for Yellow Pages were sold. I doubt anyone locked their filing cabinets, and if they did, the keys were left in the lock, or in the top desk drawer (where I always leave mine!). In a couple of nights an enterprising criminal could have the PII AND the credit card info for just about every business in an entire region.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.