Posted by Todd H. on December 20, 2005, 10:19 am
> Alright, I have a client busting my chops on our finding that they
> aren't signing in/out unauthorized employees and vendors entering their
> data center. I've tried explaining the reasoning, but the client would
> like additional guidance in the way of published baseline guidelines
> and/or standards that support our claim they should maintain a log of
> people going into and out of the data center who aren't typically
> allowed access, and shouldn't be relying on the receptionist sign in
> and data center cameras as the sole means for preventing unauthorized
> access.
>
> As we all know receptionists hardly ever remember to sign visitors
> in/out all the time and I demonstrated that fact to them during our
> social engineering testing and I was able to piggyback into the data
> center on numerous occasions. Not once did the client or any of their
> staff bother to look at the footage of their video and care to question
> my presence, but this apparently isn't going to be enough.
They were at least smart enough to hire y'all for whatever reason.
Why did they say they hired you? Is this an audit they've had done
for some sort of regulatory compliance? If so, show them that if they
don't understand the common sense of why this is worrisome, maybe
they'll respect that they're non-compliant with regulation. If
they're a health care entity, point them to HIPAA's physical security
guidelines that talk about secured access to the data center.
Tell them there's an entire domain on physical security within the
most common security certification in the world.
http://www.cccure.org/Documents/HISM/675-680.html
Ask them if they'd run their systems without a password. If they say
"of course not" then make sure they understand crystal clear that
physical access to a box allows people to circumvent password security
trivially. If they aren't preventing people from getting to the data
center, they may as well be running their business off an open kiosk
at a shopping center.
If they're not listening, they're paying you to bang on the table and
give them religion and tell them all the things a person with physical
access can do. Network sniffing, passwords, data corruption, data
loss, data theft, corporate espionage, stealing their servers,
intercepting all communication, rerouting traffic, physically
endangering their employees, making them liable to lawsuits should
someone cause harm to another and they've expended no due diligence
against things despite a documented finding by a reputable security
firm, destroying their entire business.
> Any help would be greatly appreciated. Please send your responses to
> Stealth_Devil@hotmail.com.
No thank you.
Please at least have the courtesy to read replies here and participate
in the community if you're asking help from it to the benefit of your
business.
Best Regards,
--
Todd H.
http://www.toddh.net/