Facilities Management in the
Age of Information Warfare [1]
by M. E. Kabay, Ph.D.
Associate
Professor, Information Assurance
Program Director, Master of Science in Information Assurance
Norwich University, Northfield, VT 05663-1035 USA
Facilities managers have always been involved in security. Many sites provide their tenants with guard services, access control systems, and surveillance. However, as the developed world increases its reliance on information systems, facilities managers are being called upon to help their clients establish stronger security for information resources.
This article summarizes some of the changes that have been taking place in information systems security in the last few years and then turns to some practical steps facilities managers can take to provide better security to existing tenants and to make their site more attractive to prospective tenants. In the text that follows, I shall refer to “clients” but naturally also include organizations that have their own, in-house facilities managers. Service-oriented facilities manager always treat their tenants as clients even if they work for the same organization.
The defining technology of civilization as we enter the twenty-first century is the computer. Computers are pervasive, necessary and vulnerable to attack. Computers are linked to each other through networks; one cannot pick up a daily newspaper without reading about the data superhighway that will supposedly bring cyberspace into our living rooms and allegedly bring anything from good grades to the end of civilization.
In the closing years of our century, the developed world depends on information technology to a degree unimagined ever a few years ago. Cellular phones depend on computers to switch their signals from station to station. Automobiles can’t run without microprocessors. Air traffic, ground transport, medical care, science, the military, consumer goods – all depend on information technology. Factories communicate automatically using EDI (electronic data interchange) so that suppliers can deliver materials and parts minutes before they are needed by the client. The use of computers and telecommunications links for communications has spawned a new sphere of human intercourse: cyberspace.
Cyberspace includes all the intangible communications that many of us depend on daily: from voice messaging systems through electronic bulletin boards, CompuServe and the Internet, digital telephony and virtual reality. Because of the storage and transmission of information about ourselves, we all extend at least partly into cyberspace. An error in a government computer can cause untold headaches for the victims of mistaken identity. An error in a commercial credit bureau can ruin an innocent person’s chances of buying a car.
In contrast with earlier times, computer expertise is no longer rare. Some children begin using computers as early as three years of age. One computer expert in Los Angeles was writing programs at eight and had his first contract with a major computer manufacturer as a consultant at the age of thirteen. He was hired for his deep knowledge of the operating system for million‑dollar computers. By the age of sixteen, he was a millionaire because of a utility program he wrote that was sold to thousands of customers at $5000 a copy.
Cyberspace has its villains, too. Disturbed, poorly socialized youths turn the world of electronic communications into the equivalent of the trash‑strewn school yard. Childish criminal hackers – including children – enter poorly‑protected systems and leave electronic graffiti in their wake. Misguided programmers amuse themselves by writing self‑replicating programs called viruses which cause havoc on infected systems. Government agents invade privacy, interfere with citizens’ rights to private communication and store intimate details of the lives of innocent and guilty alike.
Organized crime is implicated in a growing number of attacks on computer systems. In response, the FBI created a special unit, the Computer Analysis and Response Team (CART) in February 1994. CART consists of computer specialists devoted to the identification and preservation of computer data needed as evidence in criminal prosecutions.
Another area of concern is the growing use of the Internet and of value-added services such as CompuServe and America Online. Criminals have already taken advantage of the relative anonymity of cyberspace communications to engage in fraud.
The classic definition of information security is
“Data security ... [involves] the protection of information from unauthorized or accidental modification, destruction and disclosure.”
Another classic triad names confidentiality, integrity and availability. Donn B. Parker, a respected author, teacher and thinker in the security field, added to this triad another three factors: possession, authenticity and utility, making the Parkerian Hexad. The following list defines each of the terms used above:
Enterprise systems are faced with two kinds of threat: people and disasters. People include managers, employees, service personnel, temporary workers, suppliers, clients, thieves, liars and frauds. Disasters include fire, flood, earthquake, civil disturbance and war.
Most of the damage to information system is caused by errors and omissions of staff who are authorized to use the systems they damage. Carelessness, inattention, inadequate training and inadequate supervision are responsible for more than half of all the damage to information technology.
Intentional attacks on information may have different motivations and targets. To make sense of the wide range of problems we face in resisting deliberate attacks on information systems, Winn Schwartau, a leading information warfare theorist, has defined three levels of information warfare:
This introductory article cannot go into detailed descriptions of all the techniques used for information warfare; instead, we will look at those techniques which should most concern facilities managers: penetration of security perimeters.
Breaching security perimeters is the first step in many, but not all, attacks on I.T. Attackers, especially criminal hackers, have developed a range of techniques generally called “social engineering.” Many techniques involve eavesdropping, or unauthorized listening to communications. Weak access controls give many intruders a nearly open door into data processing and communications systems; brute‑force attacks target harder perimeters. Traffic analysis, a component of SIGINT, or signals intelligence, allows an observer to deduce important information by monitoring communications flows. Finally, data leakage is the practically undetectable loss of control over or possession of information.
Social engineering often begins with scavenging, the search through discarded materials for nuggets of valuable information. Scavengers (also known as Dumpster divers when they root through real garbage) are especially interested in security information that can help them penetrate the perimeter using identification and authentication data. Logon IDs (identification) and their passwords (authentication, or proof of legitimate use of the ID) are prizes in this search.
Social engineering’s most powerful and commonly-used technique is impersonation. Impersonation can occur on the human level or electronically. For example, piggybacking consists of entering a secure area at the same time as an authorized user. When an employee slips an ID card through the reader and politely ushers a colleague through the door first, the pair have fooled the security system into allowing two people into the area on one ID. Similarly, when users leave work stations logged into a network without putting up a security screen, they have encouraged logical piggybacking into the network. Both forms of piggybacking are made easier by psychosocial factors which impede the implementation of security policies. Most people are socialized into holding doors open for others, so letting one’s colleague (or a visitor) in through a security screen may not even register in the perpetrator’s mind as a violation of security: it’s just normal politeness. Blanking one’s screen and locking it before getting up for a coffee may make a naive user uncomfortable: it implies lack of trust of colleagues, and society teaches people to value trust. Appropriate awareness training and practice can overcome these inappropriate scruples.
Building staff can contribute to a more secure environment by enforcing requirements to wear employee-identification badges, scrupulously checking on inbound and outbound strangers, and by being alert to and reporting unusual activities spotted during patrols and CCTV surveillance.
Perhaps the most pervasive and subtle attack of all is data leakage – the insensible copying of restricted information. The main reason information can be stolen so easily is poor data security among users and administrators of work stations (the term personal computer should have been banned from office environments because of the false impression it creates). Such systems have standardized data formats (e.g., spreadsheet, database and word-processing files) that can easily be read on millions of systems around the world. In contrast, mainframe files tend to be in proprietary or site-specific formats which are considerably more expensive to convert and use. In addition, work stations often have high‑capacity miniature media such as 1.44 Mb (megabyte, or millions of characters) diskettes a few cm in diameter (recent products can put 10 Mb on a diskette) or removable disk drives holding up to a GB (gigabyte, or approximately 109 characters) on units that can be concealed in a pocket. Typically, work stations have limited or no physical controls against data theft; they rarely have access-control software installed.
Some simple precautions can make data theft less likely. Clearly labeling all removable media with tags that indicate their level of sensitivity and their ownership would make accidental removal of such media less excusable. Certainly facilities managers can safeguard their own site records; use adequate access controls for the security computers and for administrative computers containing information about the buildings and clients. Security programs on each workstation can prevent unauthorized access to the computer and control use of the diskette drives; the auditing features of such programs can provide a record of all activity by each user ID and by so doing further discourage casual data theft. If the facility provides central guard stations, clients may agree to have the staff check magnetic and optical media for authorization before allowing removal.
Another area of concern to facilities staff is protection of telephone and network cabling against unauthorized wiretaps. Junction panels must be secured at all times to prevent tampering; cables should run through manifolds to prevent attachment of taps outside authorized locations.
In addition, anyone concerned about security should ban wireless phones from their premises; these devices broadcast all communications to a radius of hundreds of yards for pickup by anyone with a compatible handset or broad-range scanner. Similarly, cellular phones are not secure and all calls made using these systems should be considered public.
Much of the above overview has been concerned with technical issues. However, at the heart of all security is trust in people. It is critically important that all staff hired by the facilities manager be thoroughly screened for suitable background. Cleaning staff, guards, maintenance personnel – all have access to secure areas maintained by clients; the facilities management group’s reputation rests in the trustworthiness and honesty of all such staff.
In a recent case in Florida, two computers disappeared from a medical clinic; their disks contained the clinical records of 8,000 people who were HIV-positive. The disappearance of the computers was met with dismay by everyone concerned, given the possible damage to people’s lives from unauthorized publication of their status. The computers were eventually located: they had been stolen by two security guards assigned to protect the clinic. Facilities managers should contemplate the embarrassment and legal liability of the firm that supplied those guards.
[1] This paper was originally published in Facilities Management magazine in 1996.