Tuesday, January 03, 2006
Security is always high on the mindshare list but is perhaps among the least practiced disciplines; on top of that, many believe they already have the most secure environment possible. Ira Winkler writes about a pre-assessment security audit that he and his team performed for a large Fortune 500 enterprise. He narrates how he was able to access key information, starting all the way from the CEO's passwords: the team "acquired" information critical to the company's success, such as financial information, key project status, multibillion-dollar proposals and other insider information, and accessed information that could have compromised the CEO's personal safety, such as the tail number of the private jet he uses to fly into high-risk areas. He writes that public search revealed a wide variety of information about the contracts the company was pursuing, as well as details on its corporate facilities. Most troubling, maps of some facilities in high-risk areas, which could help malicious parties target the company and its people, could be found, along with a corporate phone directory intended for internal use. This directory detailed all the company's facilities and listed the names of all employees, their titles and their offices. As Winkler puts it, this would have immense value for their future social engineering attacks. The team was able to uncover information about the company's generic technical architecture by looking at trade Web sites and postings to newsgroups by the company's IT staff; it turned up more than 100 Web servers, though the IT staff had figured there were fewer than a dozen. He notes that some companies knowingly hire convicted computer criminals to uncover security holes, in the hope of reaping benefits from their expertise, and warns that this is a big mistake. As the espionage simulation shows, access can be gained to just about all the information inside the company.

This included data that could be valuable in a wide variety of crimes, such as industrial espionage and insider trading, as well as data that could cost people their lives, such as the CEO's aircraft tail number and flight itinerary into hostile environments. He advises that enterprises should insist that vendors perform background checks, or only use people with clearance to do such work, and that this requirement should be included in any company's requests for proposals and contracts. The gaps were in three main areas, and the lessons learned are quite valuable indeed. Quite scary, and a must-focus area for all CIOs, IT security experts and even the CEO.

Many CIOs' offices track and display service-level agreement trend charts that measure how well the IS organization is meeting the IT demands of business units. Similarly, security frameworks with metrics that define proactive and reactive security service delivery levels need to be created, and enterprises should implement the measurement capability necessary to demonstrate performance against these metrics. Decisions on security staffing, technology deployment and overall spending should be tied to visible improvements in performance against these service levels, and ought to be a direct responsibility of the CIO.
Category: IT Security, Emerging Trends
Sadagopan's Weblog on Emerging Technologies, Trends, Thoughts, Ideas & Cyberworld