Why tell a success story
Today, modern companies face new challenges because of the countless risks they are exposed to, whether or not their executives are aware of them.

That is why we present here some of the most representative success stories, drawn from difficult cases we were called in to resolve.

The paradigm of cybersecurity is being ready when it happens.
We know how to help you. You can count on us.

Case 1
Business Continuity Plan

Scenario
We were called in by a leading company in the aluminum extrusion industry that produces 7500 tonnes a year with two extrusion presses that have been in operation for about 40 years. Each press is operated by 3 different computers, each used in one of the successive phases of the production process. The presses are located in a 2000 m² industrial plant where temperatures in summer reach 50 °C.

Maintenance and process control of each press is carried out from a computer operated by the maintenance department, which uses it to monitor the state of the presses' sensitive parameters.
A homogenization oven is controlled automatically by a PLC (programmable logic controller) board that generates a temperature curve calibrated for the baking process.
There is also a packaging division with automated weighing scales. The labels that identify the batches and their recipients are printed in this division.
Any problem with the printing creates high-impact bottlenecks that severely affect processing times, to the point that the production chain may even stop, which naturally hurts the sales objectives and the incentive schemes of the affected teams.

The company has 120 employees across the plant and the administrative office; 50 of them have mobile phones provided by the company.
The Systems department is operated and managed by just one employee, the IT supervisor, who has been working for the company for 7 years. This employee designed the network and configured both the servers and the workstations.

The external surveillance system consists of several computers (past their 5-year useful life) running Windows XP to monitor the security cameras. The domain controller is a Windows Server 2003 running on an out-of-warranty Dell machine, and the website is hosted on a Linux clone. There is a server for the company-wide management system and another for the telephone switchboard.

The management system is used for EACH AND EVERY process of the company: invoicing, ordering, manufacturing and follow-up of the different stages of the production process. The developer of this system provides support and builds every improvement requested through a single employee for whom, should he become unavailable, there is no replacement.

The Case
The senior executives of the company called us in for a personal interview. The Director General and the HR Manager let us know that they needed to dismiss the IT supervisor, who was in fact the only person working in the area and giving support to all users in the organization.
The client asked us to take over the IT department once the IT supervisor was no longer with the company.

Ikyo's proposal was to perform a comprehensive security audit as the basis for the handover. The final report would serve to devise and implement an action plan aimed at transferring control from the IT supervisor to the company.
During the 3 months following the completion of the audit, a number of operational and security changes were implemented. We also began writing procedure manuals as the foundation of a business continuity plan.

Once all of the above was complete, the dismissal conversation with the IT supervisor began. His termination took effect 4 months after the audit started.

Lessons Learned
SMEs lack clear criteria for understanding the risks that jeopardise business continuity; such incidents occur more and more often and have a negative economic impact that is rarely assessed in its full dimension.
When companies have in-house IT personnel, they should have at least 2 employees in the area so that if one of them is absent for whatever reason, the other can keep operations running, thus reducing risk.
Likewise, it is extremely important to have policies and procedures in writing (which should be reviewed periodically). It is also crucial to carry out regular audits in order to monitor whether there has been any deviation from the established policies and, if so, either improve those policies or correct the processes. The ISO 2700x standards or other regulations can provide good guidelines for SMEs, without necessarily having to obtain a certification.


Case 2
Insider Attack

Scenario
The company that sought our advice is engaged in road transport across several areas: long-distance haulage, logistics and distribution, and transport of refrigerated products.
The company has been in business since the 1970s. At first it distributed products for local bottling companies. Later it went through mergers and acquisitions which, in time, turned it into a large bottling company at an international level. It then expanded its distribution from the city of Buenos Aires to the interior of Argentina.

The company has its own fleet of about 150 trucks located in different parts of the country, and it also manages more than 10 outsourced independent carriers.

Its operating center is in the city of Buenos Aires, where it also has a heavy-truck workshop, a yard for truck parking and cargo transfer, and its administrative office. The data center is located in the administrative office, on a network connected through Virtual Private Networks (VPNs) to all the other sites.

The Systems Department is managed by 2 administrators who share the maintenance, support and planning tasks between them.

The Case
The situation arose when management decided to dismiss one of the systems administrators, who learned of the decision through informal channels before management had the chance to communicate it to him formally.
Everything seemed to follow its normal course until, just one day after this employee was let go, the company discovered that:

  1. The administrator’s password had been changed.
  2. The users’ privileges had been removed.
  3. The passwords to access the routers had been modified.
  4. The password to access the Microsoft licensing portal had been changed.
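
Findings 1 to 3 leave traces in the domain controller's Windows Security log. The following Python script is an added example, not part of the original case or of Ikyo's work: it reads a constructed, simplified pipe-delimited export of such events (the real log is EVTX/XML; the export format, the account names and the 15-minute window are assumptions) and flags any account that performs several password resets or group-membership removals within a short window, which is the kind of burst a dismissal-day alert should catch.

```python
"""Flag bursts of privileged-account changes in Windows Security events.

Added example, not from the original case. The records below are constructed
and use a simplified pipe-delimited export, not the native EVTX/XML format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs that correspond to the findings in the case:
# passwords reset by someone else and privileges (group memberships) removed.
SENSITIVE_EVENTS = {
    4724: "an attempt was made to reset an account's password",
    4729: "a member was removed from a security-enabled global group",
    4733: "a member was removed from a security-enabled local group",
    4726: "a user account was deleted",
}

# Constructed sample export (assumption). One record per line:
# <ISO timestamp>|<event id>|<subject account that acted>|<target>
SAMPLE_LOG = """\
2024-03-01T18:30:00|4624|svc_backup|-
2024-03-01T23:02:10|4724|jdoe|administrator
2024-03-01T23:02:45|4724|jdoe|operator1
2024-03-01T23:03:12|4729|jdoe|Domain Admins/operator1
2024-03-01T23:03:30|4733|jdoe|Administrators/operator1
2024-03-01T23:05:01|4724|jdoe|svc_erp
2024-03-02T09:15:00|4724|helpdesk|jsmith
2024-03-02T14:40:00|4724|helpdesk|mgarcia
"""


def parse_events(text):
    """Parse pipe-delimited records into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, event_id, subject, target = parts
        try:
            events.append({
                "time": datetime.fromisoformat(ts),
                "event_id": int(event_id),
                "subject": subject,
                "target": target,
            })
        except ValueError:
            continue  # unparseable timestamp or event id
    return events


def detect_bursts(events, window=timedelta(minutes=15), threshold=3):
    """Return {subject: alert} for every subject that generates at least
    `threshold` sensitive events inside any sliding window of length `window`.
    The alert kept for a subject is the densest window found."""
    per_subject = defaultdict(list)
    for ev in events:
        if ev["event_id"] in SENSITIVE_EVENTS:
            per_subject[ev["subject"]].append(ev)

    alerts = {}
    for subject, evs in per_subject.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (subject not in alerts
                                       or count > alerts[subject]["count"]):
                hit = evs[start:end + 1]
                alerts[subject] = {
                    "count": count,
                    "first": hit[0]["time"],
                    "last": hit[-1]["time"],
                    "targets": [e["target"] for e in hit],
                    # Business hours 08:00-19:00 are an assumption.
                    "after_hours": any(not 8 <= e["time"].hour < 19 for e in hit),
                }
    return alerts


if __name__ == "__main__":
    for subject, alert in detect_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {subject}: {alert['count']} privileged changes between "
              f"{alert['first']:%Y-%m-%d %H:%M} and {alert['last']:%H:%M} "
              f"(after hours: {alert['after_hours']}); targets: {alert['targets']}")
```

Run against the sample, the script flags `jdoe` for five resets and removals inside three minutes late at night and stays silent on `helpdesk`, whose two resets are hours apart. In practice the same rule would be fed from the domain controller's forwarded Security log and paired with an HR notification so that the alert fires while the dismissal is still in progress.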

The domain controller was set up on a Hewlett Packard server with RAID 5.

The scenario raised the question of whether this employee still had remote access to the network; in the absence of certainty, we acted as if he did.

Therefore, the first immediate measure was to propose replacing the routers at every network access point in order to regain control of access to the corporate network.

The next step was to virtualize the DC (domain controller) so that we could work in a lab environment and look for a solution that could then be applied in the production environment.

Since installing software was impossible without an administrator account, we used software that allowed the server to be booted and virtualized from an external disk without installation. The resulting virtual image was copied onto several external disks, and we worked on different computers, each pursuing its own line of action.

One team found vulnerabilities in the software and succeeded in modifying the password. A procedure was drawn up that could later be replicated successfully in the production environment.

Another team worked on obtaining the hashes of the users' passwords as a first step towards recovering the domain administrator's password with similar tools.

All of this was completed in 60 days.

Lessons Learned
Having more than one employee managing the Systems department is a necessary condition, but not a sufficient one, to safeguard business continuity.

It is essential to have a Human Resources policy that monitors the processes involving positions critical to the company. The level of security is determined by the weakest link, which in general is the user.

In the case we just described, we can say that the dismissal process failed. According to the “Fraud Triangle” model, three conditions must be met for a person to commit fraud: pressure, opportunity and rationalization.

Pressure is what motivates the crime in the first place. In general it arises from economic or financial needs, which trigger the act if the following two conditions also occur.

The second element is perceived opportunity, which defines the method by which the illicit act will be carried out. The person must see some way to abuse his position of trust in order to solve his economic or financial constraints.

The third phase necessary to commit a fraud is rationalization. Most fraudsters have no criminal background or behaviour, so they need to find grounds that justify their acts in a way that makes them acceptable.
When the person finds this rationale, the triangle is closed and the fraud is perpetrated.

The business continuity plan is NOT a mere technological or auditing issue. It is a subject in which every area of the organization should be involved.