30-Second Security Assessment
Jan 5th, 2009 by sherri
You can tell a lot about a company’s information security posture in 30 seconds. As a security consultant, I’m often amazed at how much I can infer from a simple walk between the front door and the conference room.
If you see many computers of the same make and model with the same type of label, this means the organization probably has a centralized asset purchasing and tracking system. It’s likely that each of these computers is running the same operating system, which is centrally managed and patched. (Bonus points if there’s a barcode on the label.)
More commonly, you’ll see some computers that are the same, and then a couple of “random” computers that are totally different, without standard nametags. This indicates a partially centralized asset management system: there’s probably a central IT group that receives funding and deploys systems, but over the years other groups have purchased and deployed their own computers. If you were to scan this company’s network, you would probably see many systems running the standard OS at the same patch level, and then a smattering of other operating systems at a variety of patch levels. There are also probably issues with backups, because non-centrally-controlled systems are generally not backed up regularly. It is highly unlikely that this network would have 802.1x authentication (difficult without centralized management).
Keep your eyes peeled for VoIP phones. Often these run web servers by default, and they are usually on a separate VLAN. Also watch for visible wireless access points, of course – people tend to put them where the antennae stick up. If it’s a cheap Linksys or some other model they sell at Best Buy, you know it’s not part of a centrally managed, authenticated network.
Sometimes you might see old or unused computers sitting on top of filing cabinets or in corners. This indicates an absent or ineffective equipment retirement and disposal system, which is how old company hard drives end up on eBay. It also means that the incident response system is crippled, because without effective asset tracking, you can’t detect lost or stolen equipment in a timely manner.
“Dirty desk, dirty network,” says a friend of mine. On your way past cubicles and offices, note unattended screens and unattended desks cluttered with paper. You can infer a lot about corporate security awareness from a quick glance at how employees leave their screens and desks while they’re away. If screens are unlocked and papers are left out, you can social engineer the hell out of that organization, because the only thing that defeats social engineering is user awareness.
A game that was played for a while at one of my previous jobs was sending an embarrassing email out from unlocked computers to the IT Department. It wasn’t played outside of IT, but it was to show the IT group why locking your computer was important. I didn’t play this game, and was never an unwilling participant, but I wanted to say that the game ended when somebody decided to send one of these emails from the Director of IT Security’s workstation.
You never know what you’re going to get with 30 seconds and an unlocked workstation. If USB storage is allowed, you could do a lot of damage.