July 8th, 2004, 04:23 PM
sublet office space and security
Ohhhooo...my first post
Well here it is. My company is considering a sublet agreement with another expanding company in our office building.
The other company has outgrown their current space. From my first meeting, the impression I got is that employees [just 5-10] from the other company will be given cubicles in our space with WIFI access to their own network.
My concerns are mostly with accessability of the other employees to our own systems and network.
what would prevent one of the others from walking into one of our own offices after hours etc...and accessing a workstation for example.
Has anyone had a similar situation?
Any suggestions on how I can best raise my concerns to Administration [who is blinded by dollar signs, bonuses and percs and has no clue about possible risks] .
Newly appointed VP actually told me that sometimes dollar signs outweigh the risk.
Can anyone point out other areas of concern that I should address.
July 8th, 2004, 04:36 PM
Physical security is always just as big a concern as digital security. Don't only worry about someone outside the company having access to your company's networked machines. Never ignore the possibility of one of their employees making off with your equipment...
That's Officer 11001001 to you...
Now you see me | Now you don't
"Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
sometimes my computer goes down on me
July 8th, 2004, 06:37 PM
Actually having physical access to a machine is just as important as having a firewall or virus scanner. However physical access is alot more difficult to control because you have to make sure people can be trusted. And people are very unpredictable unlike a computer program.
Here are a few things to think about when thinking about physical access.. Are all the USB ports disabled? Are all extra serial ports disabled, do you have a tight logging system for when users log on, do you have tight server security.
(I asked about the ports because people can pop their thumb drives in their upload some stuff or DL some stuff and boom they are gone with all you stuff)
You have been put in a position to were everyone is potentially your enemy (as all admins are) so make sure you have a good defense and always be ready with a strong offense.
Yeah thats right........I said It!
Ultimately everyone will have their own opinion--this is mine.
July 8th, 2004, 06:43 PM
Thats kind of like giving the fox full run of the hen house.
Physical security would be highly at risk, and that makes digital security equally at risk. If in your company, like most, where you can harvest passwords simpily by checking the post-it notes on monitors, you would basically have opened your entire system up for outside examination.
Even with good password policies in place and followed, a hardware keylogger could easily be placed on any machine. Or perhaps, this other company prohibits web surfing on their network, so their employees would use your network to do their web surfing and download mulitipal virus and trojans that your IT department has to clean.
As 11001001 has already stated you would also have the risk of their employees stealling equipment and supplies.
\"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
July 8th, 2004, 06:50 PM
some techniques you could use:
Consider controlling your network jacks, only enable ones that your employees need, that prevents someone from plugging into a spare jack and gaining access to the network.
Now, the problem here is that someone can unplug one of your machines and plug theirs in, so then you need to use MAC filtering. This is a pain in the butt, but I have seen one (large) financial instituion doing this with some success.
These two technical fixes can most likely be done with your existing equipment so the cost shouldn`t be too high.
To protect your workstations ensure that all emloyees are using password protected screensavers and enable them when they are away from there desk. Also ensure strong passwords are enforced (nothing thats easily crackable). To do this successfully you are going to need to look at a security awareness program which makes your employees aware of the risks (this should be generic, not just against this one company!) otherwise people will write passwords on post-its, choose their dogs name, etc... Also a security awareness program can be cheap to implement and have a high return on investment (good to mention to your VP). As you are going to be sharing office space I think making your users aware of information security risks must be the number one priority.
Also be aware of the risk that someone could steal your equipment, so asset tags, hardware locks etc...could all be useful investments, but all cost.
Also make sure your offices have decent locks on the doors and that office are locked after hours (unless someone is in them).
Hope this helps.
Quis custodiet ipsos custodes
July 8th, 2004, 08:34 PM
As stated above make sure you are logging who access all computers, the usb ports, firewire if you have them, if you are really paranoid turn off the power to the outlets where work stations are plugged in when no one needs them. Disable all un-needed wall jacks to prevent unwanted access toy our network as well as make sure you encrypt you info over wireless, and use appropriate authentications for connections. Use strong passwords and have them change frequently, as well as in invest in some security cameras. Group all the other companies people in one area so you if they are caught on camera in an area they have no reason for being in they will have a harder time making up an excuse. be sure that is is known that they are not allowed to sue any of your equipment. set screen savers to low times so they are activated even if the user only steps away for a moment. if possible make access to the tower it self un avaiable by using locking cabnits with fans for ventilations. We made a bunch of these at ourschool to prevent people from touching our computers while in the lab, and only give users access to what they need that way if there account is used to get into the network their ability to do things is still limited.
July 8th, 2004, 10:13 PM
Good passwords, domain authentication, false adminstrator and login time restrictions for most if not all users.
Proper locks on doors, auto-closers on doors, locks on cases, no floppy or CD-ROMS or disable floppy and CD in BIOS, BIOS password to change settings if possible, barbed wire, Gun pits....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
July 9th, 2004, 12:36 AM
Hi mate, and welcome to AO................
Yes............many years ago, in a foreign country..............the chairman backed me up on the security angle.............but he was a real hard New York, Czechosolvak Jewish gentleman...............
Has anyone had a similar situation?
Go to your beancounting (finance) types and tell them of your concerns
The newly appointed EVP needs to be reported to the FBI and the Secret Service.................9/11.........hasn't it sunk into his pillockbrain..............please print this and show it to him.........you won't have a job................but neither will he
Seriously, try Human Remains(HR) on the terrorist personnel thing, and Finance on the security thing..........
Bloody good luck mate
July 9th, 2004, 01:14 AM
Make sure all your PCs that are accessible to these other employees are locked down. This includes, but isn't limited to, passwording all the BIOS' with a strong password known only to those 'need-to-know' people (IT), USB and Serial devices don't have to be locked down *as long* as either PC is constantly locked whenever nobody's there, or the machine requires logging in through a domain, guest account disabled, etc...
Password every screensaver, which should be on every machine and set for something reasonable like 10 minutes (maybe even less). Make sure nobody has their account info written on paper near their machines, make sure their desks are locked and if you have doors, make sure a proximity card (or those that are pretty solid like that) can't pop the lock (we do it all the time at my work place, hehe). Make sure any wireless-connecting machines are locked down similarly, especially network properties and make sure your ESSID is something that only you guys know and not something like the numeric address of the building (like ours, haha). DHCP should be very locked down, especially considering they could hijack your network and the next thing you know, you have an anonymous ftp porn server going?!
Make sure there's a sign-in/out sheet or at least some other method of tracking employees as well as the equipment they come in with. Make sure all PCs under your control are all but welded to the desks (I recommend high-tensile wire that's drilled through the back of the desk...everything else can be pulled off, etc). If that's not enough, hook in a good ol' 220v wire to it...live current baby! Replace all screws with hex/octagonal allen screws; even better, things with more than 2, mix and match (kidding!). Close off all network ports at the switch level and you might even invest in a few close-circuit cheap cameras with a monitor feed in a locked/secure area. Just the idea that someone is possibly being recorded can be enough of a deterrent.
Make all employees sign waivers that they may be searched by security (if you have it) checking bags and things like that. You can always claim 9/11 like every other business does.
Hope this helps along with what everyone else said...and when it doubt, go with TS and his razor wire/gun pits routine, hehe..
Some of what I mention is laughable, but unfortunately, I've seen everything I listed having been abused at some point...glad I turned off my anonymous ftp porn server before they kicked in the door!!!!1111
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
July 9th, 2004, 02:39 AM
This situation can be summed up in one phrase:
PHYSICAL ACCESS = p0wned.
Consider this solution. Provide them with physical access to their area only. Secure all other physical space to your own employees. If this involves building a partition wall, so be it.
Visit the patch panel and pull the cables on all drops in that area. This includes telco too.
If dollar signs drive your management, ask them how much money they are willing to spend in law suits when company data strolls out the front door.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden