I recently took on a computer forensics consulting project. A state agency was renting a small office building for the supervisors of a large construction project. They reported that an intruder had entered the building over a weekend and left a mess which included locking up one of their computers.
They found the computer with a full-screen warning supposedly from the U.S. Department of Homeland Security telling them that they faced a possible prison sentence because of their computer’s use in viewing child pornography. However, a US$ 300 fine paid with an on-line money order would make the charges go away. It’s just the common “scareware” or “extortionware” we mention in Learning Tree’s Introduction to Computer and Network Security course. This one was quite effective, both at hiding the Task Manager and Start menu and at frightening the owners. They had power-cycled the system a few times but it always came back to this.
Local law enforcement lacked the resources to investigate the computer side of the intrusion, and they asked me to take a look. Sure, this sounds interesting! But let’s be careful:
The good news for this agency is that they had a peculiar and rather clumsy and messy intruder who was interested in using their Internet connection but not at all interested in easy money. The compromised system was one of six highly visible and easily portable laptops in the building, but nothing was taken.
One of the men said it would have been catastrophic if the project leader’s computer had been stolen, as “that’s where all our plans are stored” and its loss would have set the construction project back several months. “No,” the project leader corrected him, “all of our data is at state headquarters. We just use these computers to access our data.”
Centralized storage with carefully controlled access from lightweight devices in the field. This doesn’t have the scale or the ease, speed and low cost of deployment of the Amazon, Google and Microsoft large-scale public clouds we discuss in Learning Tree’s Cloud Security Essentials course, but it’s a step in that direction.
There’s the potential availability, but is this state agency’s access really “carefully controlled”? Not even close. Their access devices are Windows XP systems with automatic login to one account shared by all users, no password-protected screen lock, and everyone was mystified when I mentioned that the little strip next to the keyboard was a swipe-style fingerprint scanner. The contractor who replaced the system said that they had tried enforcing user authentication but gave up because everyone was continually locked out of their systems and they couldn’t do their work.
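As an added example (not part of the original post), here is a PowerShell audit a defender could run on a Windows workstation to find the settings described above: automatic logon to a shared account, a screen saver that does not require a password, and the Task Manager lock-out the scareware produced. The registry locations are the standard Winlogon, Desktop and Policies keys; the 15-minute idle ceiling and the function name are this script’s own assumptions, and PowerShell has to be present on the machine (it was not built into Windows XP).

```powershell
# Added audit script, not from the original post. Reports the weak logon and
# screen-lock settings described in the text; it changes nothing on the system.
function Test-SharedWorkstationLogon {
    $findings = @()

    # Automatic logon: Winlogon keeps the flag and, often, a cleartext password here.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon is enabled for account '$($winlogon.DefaultUserName)'"
        if ($winlogon.PSObject.Properties.Name -contains 'DefaultPassword') {
            $findings += 'DefaultPassword is stored in cleartext under the Winlogon key'
        }
    }

    # Screen lock: the saver must be active, time out soon, and require a password.
    # These values are REG_SZ strings, hence the string comparisons.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    if ($desktop.ScreenSaveActive -ne '1') {
        $findings += 'Screen saver is not active, so an idle session is never locked'
    } elseif ($desktop.ScreenSaverIsSecure -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }
    $timeout = [int]$desktop.ScreenSaveTimeOut
    if ($timeout -gt 900) {   # 15 minutes is this script's assumed ceiling
        $findings += "Screen saver timeout is $timeout seconds (over 15 minutes)"
    }

    # A Task Manager disabled by policy is one symptom of the lock-screen scareware
    # described in the post; it can also come from a legitimate GPO, so confirm which.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (Test-Path $policy) {
        $sys = Get-ItemProperty -Path $policy
        if ($sys.DisableTaskMgr -eq 1) {
            $findings += 'Task Manager is disabled by policy (check for malware or an unexpected GPO)'
        }
    }

    if ($findings.Count -eq 0) { return 'No weak logon or screen-lock settings found.' }
    return $findings
}

Test-SharedWorkstationLogon
```

Run it as the account that actually logs on, since the screen-saver values live under HKCU and differ per user.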
You can lead people up to the edge of a secure solution, but you can’t make them use it…