Do you spend time and money developing your organization's disaster recovery plan, while failing to back up your home PC?
Do you invest in guards and security cameras for the office, and then leave confidential papers on your desk while you step out for a sandwich?
Do you set up your desktop's antivirus system to automatically download new virus definition files every day, while allowing your home PC's antivirus system to expire because you didn't want to pay $50 when the trial version ran out?
The most conscientious security professionals that I know practice what they preach. They have shredders in their kitchens for those incessant credit card offers. They alarm their homes. They turn on wired equivalent privacy (WEP) encryption on their home wireless networks. And they password-protect the photographs on their personal Web site. You have to live it, they say. Otherwise, you aren't worth your salt.
Likewise some CSOs are genuinely concerned about their own security and privacy. They know that an extremely effective way to target an organization is by targeting the homes or personal lives of its directors. In this case, surveillance can be done without breaking the law.
Consider the 1988 US Supreme Court case of California v. Greenwood, in which the court ruled that Americans have no right to the privacy of their trash. Billy Greenwood was a man whom the local police suspected of dealing drugs, but they didn't have any proof. So the police acquired Greenwood's trash from the collectors who picked it up from the curb, and then went through the bags with a fine-tooth comb looking for evidence. They found it. The evidence was used to obtain a search warrant for Greenwood's home. Drugs were found in the home, and Greenwood was arrested and eventually convicted on felony drug charges. Greenwood appealed, arguing that the original, warrantless searches of his trash had been unconstitutional search and seizure.
The court disagreed. "It is common knowledge that plastic garbage bags left along a public street are readily accessible to animals, children, scavengers, snoops and other members of the public," wrote Justice Byron White, delivering the opinion of the court. "Moreover, respondents placed their refuse at the curb for the express purpose of conveying it to a third party, the trash collector, who might himself have sorted through it or permitted others, such as the police, to do so. The police cannot reasonably be expected to avert their eyes from evidence of criminal activity that could have been observed by any member of the public."
The Greenwood case should be a reminder to all executives that there is no legal protection for materials that are thrown into the trash. Yet time and time again, I have seen business travellers rip up documents that they had been reading and stuff them into trash cans at United Airlines' Red Carpet club and other similar locations. Although it might be somewhat embarrassing for United, it would be perfectly legal for one of the club's employees to take the documents out of the trash, piece them back together, and either publish them on the Internet or sell them to another organization. (Someone should also remind these executives not to yell into their cell phones about confidential matters, but I digress.)
Of course, if the bad guys are willing to break the law, things can get much worse. Business leaders in countries where kidnapping is a fact of life know this very clearly. But in the United States and much of Europe, executives are, at times, blissfully naive. I know many executives who are astonished when they realize that they are personally targeted by their corporate enemies. In one case, a CEO's laptop was stolen out of his briefcase when he got up from his seat to give the opening keynote at a conference. Even though the room was packed, nobody noticed the thief walking out with the executive's booty.
Classified StorageOne of the most famous cases of poor home practices jeopardizing the security of an organization is the case of John Deutch, an MIT professor who served as President Clinton's director of central intelligence from May 10, 1995, until December 14, 1996. Several days after Deutch left office, high-level classified information was discovered on a government-owned computer located in Deutch's house in Bethesda, Maryland. Deutch held a security clearance, of course, but the computer was not approved for the storage of classified information.
According to a government report, the resulting investigation found that Deutch had stored high-level classified information on at least "five government-owned Macintosh computers, configured for unclassified purposes, to process classified information. At least four of these computers were connected to modems that were lacking cryptographic devices and linked to the Internet, a DoD electronic mail server and/or (bank) computers. As a result, classified information residing on Deutch's computers was vulnerable to possible electronic access and exploitation."
One of the e-mail messages that Deutch received on these computers during his time as intelligence director, the report states, apparently came from a Russian colleague. Of course, e-mail can also deliver Trojan horse programs that seek out confidential information. Cookies found on the computer's Web browsers indicated that the computers had visited Web sites considered "risky."
But this wasn't all. Deutch, unlike former directors, had refused to have a 24-hour guard in his house because he wanted to preserve his privacy. As a compromise, the CIA and local police drove by his house on a regular basis and installed a residential security system that included an alarm on his study's closet, which contained a safe. But Deutch, without the agency's permission, gave the alarm's code to his resident alien maid, who didn't have a security clearance. "Deutch said that he thought his residence was secure," the report said. "In hindsight, he said that belief was not well founded."
The report notes that Deutch could have been fined or imprisoned for up to 10 years or both for his careless handling of classified information. Instead, he was pardoned by President Clinton.
Home security isn't just a problem for governments trying to secure classified information; it's important for businesses trying to secure their internal networks. Remember back in October 2000 when Microsoft announced that its corporate network had been penetrated by hackers? It's now widely believed that the program responsible for the attack, Troj.Qaz.A, was delivered to the home machine of a Microsoft employee in an e-mail message, and then gained access to Microsoft's internal network over a VPN connection. Such an attack could be delivered equally well over a laptop computer that traveled from one side of a company's firewall to the other.
Backups are another big problem. These days, most organizations seem to back up their servers and hope that their employees don't store the only copy of important files on their company desktops. But what about that mobile executive who spends three weeks working on a few PowerPoint presentations and an accompanying Excel spreadsheet: Is that information backed up? Many times the answer is no. This is an especially big issue when important projects are due after the holidays.
Secure Home MachinesSo what's a CSO to do? You can start by making sure that your home machine — as well as your organization's employees' machines — are as secure as the machines at work. When you negotiate your antivirus contracts, purchase extra copies for people's home computers. Even if you have a centrally managed firewall, license host-based firewalls for laptops and home computers. Even if you are a Windows-only shop, be sure that you license Mac products for those 5 percent of your users who have Apples at home.
If you haven't already, make sure everybody in your organization has easy access to a decent crosscut shredder. Next, institute a program for shredding every piece of paper your company generates that contains the name of your company, a customer or a business partner. This is a simple rule that's easy to implement and easy to audit. But the real value comes from the awareness training that the program instils: Once your users are hooked on shredding, set up a program that allows them to purchase shredders for their homes at a deep discount.
Most home computer users I know are completely flummoxed at the prospect of backing up their home systems and laptops. Help them! These days there are a number of very good backup solutions for home users — including network-based backup providers, home servers with automatic backup and even USB hard drives with a big "backup" button. You may bristle at the thought of backing up Junior's collection of pirated MP3s, but you need to have some way of making sure that company work products on home machines don't get lost when Junior needs more room. Don't be so foolish as to think that you can keep your files off employee's home machines; even with the threat of 10 years in a federal penitentiary, the CIA wasn't able to get an MIT professor who should have known better to follow the rules.
Simson Garfinkel, CISSP, is a technology writer who is based in the Boston area.