Caveats of strong perimeter security

Perimeter security is one of the imperatives of a well-implemented information security policy. But relying on an overly strong perimeter can also backfire and create a security hole that the organization is rarely aware of.

US customs officers have the right to search and copy all electronic devices if they deem the traveller suspicious. The Washington Post did a great article on US border security.

Here I would like to include my favorite quote from Leon, from the scene of the Fat Man assassination: "Somebody's coming up. Somebody serious."
I can guarantee that this method will yield nothing against an expert attacker. Since US customs started the laptop searches, a lot of companies require their employees to wipe their laptops prior to travel to the US and to use a VPN to access confidential data. This method is deemed much more secure for the companies, since even if the data in transit is intercepted, only minute segments of information will be revealed, compared to the full contents of a corporate laptop.

For anyone intent on illegal activity, the most likely rule is that information is carried in one's head, not on one's laptop. Even where access to information is needed, it will be accessed over the Internet once initial entry into the premises (or the country) has been achieved. There are very simple and free ways to transfer data via Internet services:

  1. Steganography in images, MP3s, even ordinary program files, each carrying pieces of encrypted information.
  2. FTP of encrypted file fragments (encrypted, reordered and broken up into small, out-of-sequence fragments, so that no single fragment reveals anything and the transfer only makes sense once all of them are reassembled).
  3. Encrypted VPN access to a remote site/server holding content written in code or in an obscure language.
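
The second item above is easy to illustrate. The following is an added example, not code from the original post: it splits a secret into fixed-size chunks, prefixes each with its sequence number, encrypts and authenticates each chunk independently under a random nonce, and shuffles the result. The stream cipher here is a stand-in built from HMAC-SHA256 in counter mode so that the block runs with the standard library alone; in practice you would use AES-GCM or ChaCha20-Poly1305 from a real library. The function names, chunk size and the sample secret are all assumptions for the example.

```python
import hashlib
import hmac
import os
import random
import struct

NONCE_LEN = 12
TAG_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks.
    Used only so the example runs offline; use AES-GCM in real code."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def fragment(data: bytes, key: bytes, chunk_size: int = 16, rng=None) -> list:
    """Split data into chunks, tag each with its sequence number, encrypt and
    authenticate each chunk on its own, then shuffle the fragments.
    The sequence number lives inside the ciphertext, so an observer sees
    neither the content nor the order."""
    rng = rng or random.Random()
    frags = []
    for seq, off in enumerate(range(0, len(data), chunk_size)):
        plaintext = struct.pack(">I", seq) + data[off:off + chunk_size]
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        frags.append(nonce + ct + tag)
    rng.shuffle(frags)
    return frags


def reassemble(frags: list, key: bytes) -> bytes:
    """Authenticate, decrypt and reorder fragments. Raises ValueError on a
    forged, duplicated or missing fragment rather than returning partial data."""
    pieces = {}
    for f in frags:
        nonce, ct, tag = f[:NONCE_LEN], f[NONCE_LEN:-TAG_LEN], f[-TAG_LEN:]
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("fragment failed authentication")
        pt = bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))
        seq = struct.unpack(">I", pt[:4])[0]
        if seq in pieces:
            raise ValueError(f"duplicate fragment {seq}")
        pieces[seq] = pt[4:]
    if set(pieces) != set(range(len(pieces))):
        raise ValueError("one or more fragments are missing")
    return b"".join(pieces[i] for i in range(len(pieces)))


# Constructed sample secret and key for the demonstration (not real data).
SAMPLE_SECRET = b"quarterly figures: revenue down 12 percent, layoffs planned for Q3"
SAMPLE_KEY = hashlib.sha256(b"example-shared-secret").digest()


def contains_plaintext(frags: list, secret: bytes) -> bool:
    """True if any fragment leaks a recognisable slice of the secret."""
    words = [w for w in secret.split() if len(w) >= 4]
    return any(w in f for f in frags for w in words)


if __name__ == "__main__":
    frags = fragment(SAMPLE_SECRET, SAMPLE_KEY, rng=random.Random(1))
    print(len(frags), "fragments, leaks plaintext:", contains_plaintext(frags, SAMPLE_SECRET))
    print(reassemble(frags, SAMPLE_KEY) == SAMPLE_SECRET)
```

Each fragment is a random-looking blob of equal size; it can be uploaded in any order, on any day, through any service, and an inspection at the border or the gate learns nothing from it. The receiving end refuses to produce output when a fragment is missing or tampered with, which is the property that makes the "out-of-sequence" part safe to rely on.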

Now, let's apply this methodology to a private company enforcing strong perimeter security. Naturally, a full body search or copying data from a visitor's laptop is ridiculous, and it won't be applied. Whatever other methods are applied at the door, they will do little good if, once an intruder is allowed past the perimeter, very few measures are in place to deter any wrongdoing.

Here are two very simple examples:

Example 1 - Unsecured Network Access inside the Corporation
  1. A serious man enters the company premises carrying a bag.
  2. The security checkpoint checks the bag contents, notes a visitor's laptop, and of course allows it in; a laptop is nothing out of the ordinary.
  3. If the premises contain visitor-accessible LAN outlets or an unencrypted wireless LAN inside the building, the serious man connects, collects information, or launches an attack from the inside.
  4. Upon vacating the premises he is checked again, and again he has nothing out of the ordinary on him.

Example 2 - Unsecured Documentation
  1. A serious man enters the company premises carrying a bag.
  2. The security checkpoint checks the bag contents, notes documentation carrying the visitor's own company branding, and of course allows it in.
  3. The premises contain paper recycling bins that anyone can reach, or employee awareness is lacking, so empty offices are left unlocked.
  4. The serious man collects any number of internal documents from the bins or the empty offices and places them inside his own branded envelope.
  5. Upon vacating the premises he is checked again, and again he has nothing out of the ordinary: his own branded documentation raises no suspicion.

Just as in the case of US border security, a company's strong perimeter security will do little to increase overall security if it stops at the door. The company has to apply a commensurate level of security across the entire organization, so that an intruder who does get past the door finds it as hard as possible to operate unnoticed. This is the only way to catch the really serious men.
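
As one concrete inside-the-perimeter control for Example 1: if every address handed out on the office network is logged, an unknown device on an internal segment is visible within seconds of the serious man plugging in. The block below is an added example, not code from the original post. It parses DHCPACK lines in the ISC dhcpd syslog format, normalises the MAC address, and raises an alert for any lease on an internal segment whose MAC is not in the asset inventory. The sample log lines, the inventory and the interface-to-segment mapping are all constructed for the example; a real deployment would feed the function from the DHCP server's log and the CMDB or NAC database.

```python
import re
from collections import namedtuple

# Constructed sample log lines in ISC dhcpd syslog format (not from a real
# network). In this example eth1 serves the internal office segment and eth2
# serves an isolated guest segment.
SAMPLE_LOG = """\
Jan 12 09:40:11 dhcp01 dhcpd: DHCPACK on 10.20.5.31 to 00:1a:2b:3c:4d:01 (fin-ws-07) via eth1
Jan 12 09:41:03 dhcp01 dhcpd: DHCPACK on 10.20.5.77 to 3c:22:fb:aa:bb:cc (visitor-laptop) via eth1
Jan 12 09:41:40 dhcp01 dhcpd: DHCPACK on 10.99.0.15 to 3c:22:fb:aa:bb:cc via eth2
Jan 12 09:42:05 dhcp01 dhcpd: DHCPACK on 10.20.5.32 to 00:1A:2B:3C:4D:02 (hr-ws-03) via eth1
Jan 12 09:42:30 dhcp01 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:99 via eth1: network 10.20.5.0/24: no free leases
"""

# Hypothetical asset inventory: MAC address -> owner/description.
INVENTORY = {
    "00:1a:2b:3c:4d:01": "finance workstation 07",
    "00:1a:2b:3c:4d:02": "HR workstation 03",
}

# Hypothetical mapping of DHCP server interface -> segment type.
SEGMENTS = {"eth1": "internal", "eth2": "guest"}

# Only DHCPACK lines record a granted address; the optional "(hostname)" is
# whatever the client claimed and must not be trusted for identification.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

Lease = namedtuple("Lease", "ip mac host iface")


def parse_acks(log_text: str) -> list:
    """Extract granted leases; MACs are lower-cased so inventory lookups
    do not depend on how the server happened to print them."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER, REQUEST, NAK and error lines carry no lease
        leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def rogue_leases(leases: list, inventory=INVENTORY, segments=SEGMENTS) -> list:
    """Alert on any lease on an internal (or unmapped) segment whose MAC is not
    in the inventory. Guest-segment leases are expected and are skipped; that
    segment's safety comes from isolation, not from this check."""
    alerts = []
    for lease in leases:
        kind = segments.get(lease.iface, "unmapped")
        if kind == "guest":
            continue
        if lease.mac not in inventory:
            alerts.append(
                f"unknown device {lease.mac} ({lease.host or 'no hostname'}) "
                f"got {lease.ip} on {kind} segment {lease.iface}"
            )
    return alerts


if __name__ == "__main__":
    for alert in rogue_leases(parse_acks(SAMPLE_LOG)):
        print("ALERT:", alert)
```

A MAC address is trivially spoofable, so this is a tripwire rather than an access control; the access control is 802.1X on the office outlets and WPA2-Enterprise on the wireless LAN, with the check above catching whatever slips through or was never enrolled.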

Talkback and comments are most welcome
