Money wasted on perimeter security, CCTV, alarms, locks & doors
Following the theft of new IT equipment from a wealth management company’s HQ in London, QCC received a call to investigate how the incident had occurred. The CEO of the company was shocked to learn that the incident had happened at all, because the company had spent significant money on implementing a comprehensive range of security controls, none of which seemed to have stopped the intruders or even alerted staff to the fact that an intrusion had occurred. The theft was only discovered the following day, when the IT team realised that the boxes containing the new servers and laptops were missing from the server room.
QCC reviewed the perimeter security and subsequent inner layers of security, including alarms, CCTV, locks and doors, and found that they could all be bypassed with reasonable ease or, in the case of the CCTV, had not provided any evidence of the intrusion due to its ineffectiveness. Ironically, the security controls in place were not of poor quality; they were all high quality systems, but they were either being used in the wrong context or were not fit for the actual purpose intended.
An example of this failing was the CCTV system. It was a high quality system consisting of a number of full HD colour CCTV cameras which recorded video to a hard disk recorder. However, although the cameras were high quality and very expensive, they were not 0 lux rated and therefore could not see anything in the dark! Because the office lights automatically turned off at 22:00 and only switched back on when the cleaners arrived each morning at 04:00, no video of the incident had been recorded. QCC identified varying issues with each of the security systems in place which, when joined together, left the company wide open to the incident which had occurred. Sadly, the reality was that if the original suppliers of the security controls had given the company better guidance on what systems to purchase, the break-in could have been prevented.
QCC advised the CEO and his Facilities Manager on the changes which needed to be made to make the security controls effective and when the suppliers provided proposals for the changes to the systems, QCC reviewed the proposals to ensure that they would provide the correct and effective solutions needed to secure the site. Following the implementation of the new security controls, QCC conducted periodic ongoing physical penetration testing of the site to ensure the security remained effective.
QCC were requested to conduct a TSCM inspection of a Dutch company’s corporate HQ to identify any eavesdropping vulnerabilities or attacks. The inspection confirmed that, thankfully, no active eavesdropping was taking place, but also that there was significant leakage of RF energy from the Client’s building which could be received outside the building and in neighbouring buildings. The radio signals being leaked from the Client’s building included Wi-Fi, Bluetooth, GSM, 3G, 4G and various other wireless RF transmissions, many of which were communicating sensitive data or could give unauthorised access to sensitive IT systems.
QCC advised the Client that the signals could be intercepted by unauthorised persons and recommended a package of solutions to manage the risk, including the installation of counterintelligence window film to reduce RF leakage to an acceptable level. The window film QCC recommended in this case also gave protection from laser microphones and included bomb blast protection. QCC installed the specialist window film and, following installation, tested the new levels of RF leakage and confirmed to the Client that the emissions had been reduced to an acceptable level.
CyberSticks to stop you losing your memory
Following the theft of research & development (R & D) data from a global technology corporation based in Palo Alto, USA, QCC received a request to conduct an independent cyber forensics investigation into what had happened and to see if the perpetrators could be identified.
QCC’s cyber investigation identified an individual who had left the company shortly after a copy of the data had been stolen from a sandboxed R & D computer network. The mode of removal of the data was forensically proven to be via a USB drive which had been connected to the R & D computer. The individual in question was presented with the facts and admitted what she had done.
As a follow-up to the investigation, QCC presented to the Client a solution which would stop the theft of data via USB memory sticks from happening in the future. QCC recommended our unique CyberStick SS USB memory sticks, which can be configured to connect only to specific computers, be that 1 computer or 100,000 computers, and no other device. The Client implemented the QCC CyberSticks across their organisation to allow data to be efficiently transferred between authorised computers without the risk of data theft, even by a rogue employee. The Client has suffered no data loss via USB memory drives since.
QCC conducted a security audit for a multinational Client in the oil & gas sector which was requested following an information leak of geological survey data to a competitor. QCC identified a number of information security issues including critical vulnerabilities with their sensitive waste disposal process.
According to company policy, any waste paper or waste digital media containing sensitive, confidential or proprietary information was supposed to be disposed of in a secure way. In reality, the sensitive waste disposal process had been outsourced and was actually being conducted by an external company offering secure waste disposal services.
The waste company had deployed “lockable secure waste bins” throughout the Client’s offices to collect the waste. The bins were emptied only once a week and were so poorly made that they could be unlocked with a spoon, allowing access to the data they contained. When emptied from the “lockable secure waste bins”, the waste was bagged and taken to the unlocked, unattended waste truck (sign-written with “Confidential waste disposal service”), where it was left unattended on the unsecured truck for the rest of the day as the truck made further collections from other clients.
QCC followed the truck and during one Client collection the truck with our Client’s sensitive waste was left unattended with the tailgate open for over 20 minutes before the driver returned.
QCC reported our findings to our Client and recommended a secure solution to mitigate the risk of sensitive waste falling into the “wrong hands”. Our solution was simple, cost effective and highly secure, and it manages our Client’s secure disposal and recycling of their sensitive document and digital waste, including all forms of hard drives and digital media.