Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In the previous column, security specialist Jan Buitron, a graduate student in the Master of Science in Information Assurance program at Norwich University, began a report on a horribly insecure facility at which she worked some years ago. Today she goes from the outside to the squishy inside of the house of horrors.
* * *
Facility design (outside the building)
Since the IT department was in operation from 6 a.m. to 7 p.m. every day, the exterior of the building should have been well lit for personnel safety, but it wasn’t. The exterior entrance door to the showroom floor had no floodlight; in the evenings it got very dark. The main entrance door to the IT department had two automatic floodlights pointed at it, but visibility overall was poor. The door was set back in a recessed area on the side of the main building, and visibility of the area was reduced.
The automatic floodlights were supposed to switch on when it got dark. As it turned out, they worked very well in the summer, but in cold weather in winter, there were nights when the light never switched on (or it would switch on after I was leaving the facility). I mentioned the poor lighting and lack of attention to personnel safety several times to my management, but my concerns were never addressed.
Facility design (inside the building)
The core processing for the whole company was housed in a separate area in the same building as manufacturing. One piece of good planning in place was that manufacturing and the data center were on separate circuits with separate power feeds.
The incoming power for manufacturing was in a locked room near the manufacturing area. The incoming T-1 line was also in the same room.
The circuit breaker boxes were in two different exposed areas. One was in a garage bay where company trucks parked. Anyone from the street could walk in at any time and throw the switch on the breaker box, cutting off power instantly to all of the company’s servers.
The breaker box for the server room was just inside a main exterior door on the other side of the building. Although the breaker box on the wall was kept locked, anyone could walk into the hallway where the breaker box was and pick the lock on the box. After gaining access to the breaker box, it was easy to flip off the switch in the breaker box and bring down all of the company’s servers at once. The data center was equipped with a motion-detection system armed each night by the last employee to leave. The circuit breaker was not in the area covered by the motion detectors.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comments (2)
data center
By Anonymous on September 25, 2008, 6:52 pm
I once worked for a small outfit that had a half-dozen large servers and a couple of UPS units in a room with only a window air conditioner. An old through-the-wall...
Bathroom Server room
By Anonymous on October 1, 2008, 11:06 am
Follow this link to see a server room that must be accessed VIA THE LADIES RESTROOM in the handicapped stall! http://thedailywtf.com/Articles/The-Stalled-Server-Room.aspx