Recently, Gabriel Leperlier – Verizon’s head of European advisory services for the payment card industry (PCI) – visited a press briefing in London, where he talked through some of the worst-case scenarios he had encountered while investigating payment card data security and compliance breaches. These breaches involved hidden routers, dodgy security providers, secret modems and more.
Here are six IT security nightmares spotted by Verizon in the last few years – take note and learn from the lessons!
When a Printer Is Not Just a Printer
At a military facility in the Asia-Pacific region, an infosec professional noticed unusual network traffic that appeared to be coming from a freshly ordered fleet of printers. According to Leperlier, “A few weeks or months after delivery one of the system admins realised that there was some very strange traffic on the network. He said to the firewall team, ‘this is strange, I can see some traffic between the printers and even between printers and other systems’.”
He took it upon himself to investigate further and disassembled one of the printers by hand. What he found provided a big wake-up call. He located a modem inside the device which was transmitting everything the printer’s rogue software could collect on the network to a foreign country!
The message to take away from this incident is that you can have all the technology and IT security controls in the world – but without skilled and thorough employees (or contractors), your business is at risk.
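The admin in this story spotted the problem because printers were talking to each other and to other systems, which a printer has no reason to do. The script below is an added example of that reasoning turned into a simple detection check; it is not code from Verizon or the briefing. It assumes a hypothetical inventory of printer addresses, an internal address range and a short allow-list of hosts a printer is expected to contact, and runs over a handful of constructed flow records in a made-up `src,dst,dport,bytes` shape.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical inventory: the addresses of the printer fleet (constructed values).
PRINTERS = {ipaddress.ip_address(a) for a in ("10.20.5.11", "10.20.5.12", "10.20.5.13")}
# Hypothetical internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Hosts a printer is legitimately expected to initiate traffic to (constructed):
# the print server and the internal DNS/NTP server.
ALLOWED_PRINTER_DESTINATIONS = {ipaddress.ip_address(a) for a in ("10.20.1.10", "10.20.1.53")}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int


def parse_flow(line):
    """Parse one constructed 'src,dst,dport,bytes' record (not a real exporter format)."""
    src, dst, dport, nbytes = line.strip().split(",")
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes))


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return a finding label for printer-initiated traffic that should not exist, else None."""
    if flow.src not in PRINTERS:
        return None  # only printer-initiated flows are of interest here
    if flow.dst in PRINTERS:
        return "printer-to-printer"
    if not is_internal(flow.dst):
        return "printer-to-external"
    if flow.dst not in ALLOWED_PRINTER_DESTINATIONS:
        return "printer-to-unexpected-internal-host"
    return None


def find_suspicious_flows(lines):
    """Run the classifier over flow records; skip blank lines and '#' comments."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((label, str(flow.src), str(flow.dst), flow.dport, flow.bytes_out))
    return findings


def bytes_by_source(findings):
    """Total bytes each flagged printer sent on suspicious flows, to rank what to pull apart first."""
    totals = {}
    for _, src, _, _, nbytes in findings:
        totals[src] = totals.get(src, 0) + nbytes
    return totals


# Constructed sample records: one inbound print job, one normal reply to the
# print server, and three flows a printer has no business generating.
SAMPLE_FLOWS = """\
# src,dst,dport,bytes  (constructed sample records)
10.20.1.10,10.20.5.11,9100,48211
10.20.5.11,10.20.1.10,9100,1204
10.20.5.11,10.20.5.12,445,83112
10.20.5.12,10.20.7.40,445,2100
10.20.5.13,203.0.113.45,443,5822000
10.20.9.7,10.20.5.11,9100,3000
""".splitlines()

if __name__ == "__main__":
    found = find_suspicious_flows(SAMPLE_FLOWS)
    for finding in found:
        print(finding)
    print(bytes_by_source(found))
```

The allow-list approach matters more than the specific rules: a printer's legitimate conversations are few and predictable, so anything outside that set is worth a look, and the byte totals show which device to open up first.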
Server Room Access for Everyone
While checking the IT security access on another company’s system, Verizon noticed that the CEO, CIO and other C-suite executives, as well as the cleaners, had full access to the server room. Leperlier understood why the cleaners had access – they had to clean every room – but he wondered why the CEO needed access to this room (hint: he didn’t).
This case highlights the need not just for technology to keep information secure, but for clearly defined policies. Access should always be granted only to those who need it, not just because they are senior. Senior personnel get compromised too – in fact, they are one of the primary targets for compromise by hackers.
Staff Workarounds 1
A Verizon team visited a gift shop (part of a wider shopping complex) to check access to a payment terminal system. The terminal was accessed with a badge, and only the manager could reach the most sensitive information. Two staff members explained this to the Verizon team – then went on to say that the manager was on holiday, and proceeded to open a drawer that contained her access card!
Leaving the card behind was intended to be helpful while the manager was away, but it actually compromised the security of the store. According to Leperlier, this indicates the importance of a good working knowledge of security culture at every level of the organisation, from the IT team to operations to managers and even staff on the shop floor. Staff need to understand they can’t just create their own workarounds to information access issues and the company needs to make arrangements for issues like how to take holidays without compromising security.
One Character Passwords
Four years ago, Leperlier interviewed an IT security officer who was managing a physical access control system. When Leperlier asked about the process for granting higher levels of system access, the interviewee opened a new security application and typed in a one-character password to enter.
Leperlier couldn’t believe that this IT officer would rely on a one-character password, so he asked him to log in again. Sure enough, he hit one key on the keyboard and was granted access. “Is that a one-character password?” Leperlier asked. “Yes,” the interviewee responded, “That’s why I don’t like people looking at me when I’m logging in!” In his (poor) defence he went on to say “it’s one character, but it’s a special character!”.
We probably don’t need to say it, but having a one-character password, even if it’s a special character, is terrible information security practice – passwords should be complex and include capital letters, numbers and special characters.
Servers in the Bathroom
A couple of years ago, a retail company that operated partly out of Mexico suffered a security incident and requested an on-site audit. Verizon realised that this company was relying on an unknown security provider, and when they went to check out the offices of this service provider, they found a tiny operation that ran out of a small apartment (and all the servers were stuffed in the bathroom).
According to Leperlier, “PCI DSS is not just about technology, it’s about people and process… If we didn’t go out and see what was going on in Mexico then we wouldn’t have seen they were working from home with a server in the bathroom. You need to check!”
Staff Workarounds 2
Verizon visited an organisation that was sure it didn’t have any wireless networks operating in the building, but using scanning technology, the compliance team kept on coming across a signal. Eventually, the team pinpointed that this signal was coming from the server room.
The IT offices were located three flights of stairs up from the server room, and it turned out that rather than walk up those stairs every time something needed to be checked, someone had installed a router in the server room so that they could access the servers from their desk.
The hidden router represented an unprotected node on the system that extended the attack surface of the organisation without authorisation. Again, an easy workaround had produced a security vulnerability.
Need an IT Security Review and Refresh? Contact QCS Group
When it comes to managed IT services, we make networks run smoother, boost productivity, increase security and fix problems fast.