
Abandoned Spreadsheets and Orphaned Machines

Sometimes web-related hazards can be physical rather than virtual. In this case, I'm referring to the kind of web that collects in ceiling corners and the labs of mad scientists.

What could be the harm of a few cobwebs gracing your computer? Nothing that dusting can't fix?

Perhaps, but those cobwebs could be a sign of an orphaned machine, left to its own devices (so to speak) under a desk or in the back of a closet. Its operating system is probably older and therefore unpatched, and its hard drive could contain out-of-date databases, ancient reports and/or abandoned spreadsheets.

What could go wrong? Plenty if that machine is recommissioned into service. Once fired up and connected to the network, BAMM!!!, it could be immediately compromised. It may have just been "recruited" as a new member of a botnet to serve up spam, or worse, it could have been hacked into to gather any valuable data residing on it.

A few months ago at a security conference, I attended a session called "Orphaned Servers and Broken Processes: Lessons Learned and Applied on the Frontline", which inspired this article (as well as its title). The presenter from Moran Technology Consulting described an incident audit they had conducted of a large research institution that had experienced a major data compromise. Their analysis revealed flaws in system management: a machine had been "decommissioned" and removed from the network, but then returned to the network several times. Panelists from California State University, Northridge decided to use the incident at another institution "to repose the salient questions and to review our security stance!".

Those salient questions included:

  • Has every server in the central data center and those exposed to the Internet been identified? [Though the session focused on servers, any machine connected to the network with critical and/or sensitive information could be at just as much risk, and "serve up" the data to prying hackers.]
  • Are there servers on the network that are believed to have been powered off but are really powered on?
  • Is there sufficient information to protect these assets?
  • What additional policies, procedures, and processes are needed?

They discovered that there were a number of orphaned servers on their network. How did they get there?

  • Well meaning staff ("I'll get to it.")
  • Shifts of responsibilities and new staff ("I thought they/he/she owned it.")
  • Overloaded staff and lack of resources

The lessons they learned are universally applicable:

  1. Be realistic: Always presume that you are less secure than you think you are! We're human and miss things.
  2. Review: To catch what you miss, perform periodic reviews of your environment, including reviewing the ownership of servers and identifying their administrators.
  3. Clean up: Establish strong change-management procedures that include removing services from production.
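To make the audit questions above and the periodic ownership review in lesson 2 concrete, here is an added example (not from the conference session or this article) that reconciles an asset inventory against the hosts that actually answered a network sweep. The inventory rows, addresses, hostnames and owners are constructed for illustration; in practice the live-host set would come from your own scanner or DHCP/ARP records.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data (hypothetical addresses and hostnames): an asset
# inventory as exported from a spreadsheet, plus the addresses that answered
# a discovery sweep of the same subnet on the audit date.
INVENTORY_CSV = """ip,hostname,owner,status,last_reviewed
10.20.1.10,hr-db-01,hr-it,production,2024-03-01
10.20.1.11,grants-rpt,,production,2022-11-15
10.20.1.20,old-lims,research-it,decommissioned,2023-06-30
10.20.1.30,web-frontend,web-team,production,2024-05-10
"""
DISCOVERED_LIVE = {"10.20.1.10", "10.20.1.20", "10.20.1.30", "10.20.1.99"}
AUDIT_DATE = date(2024, 6, 1)


def reconcile(inventory_csv, live_hosts, today, max_review_age_days=180):
    """Compare the inventory with what is really alive on the network.

    Returns four finding lists, one per audit question:
      unknown      - answered the sweep but is absent from the inventory
      zombie       - inventory says decommissioned, yet it is powered on
      unowned      - no accountable owner/administrator recorded
      stale_review - ownership not reviewed within max_review_age_days
    """
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    known = {r["ip"] for r in rows}
    findings = {"unknown": sorted(live_hosts - known),
                "zombie": [], "unowned": [], "stale_review": []}
    for r in rows:
        if r["status"] == "decommissioned" and r["ip"] in live_hosts:
            findings["zombie"].append(r["hostname"])
        if not r["owner"].strip():
            findings["unowned"].append(r["hostname"])
        reviewed = datetime.strptime(r["last_reviewed"], "%Y-%m-%d").date()
        if (today - reviewed).days > max_review_age_days:
            findings["stale_review"].append(r["hostname"])
    return findings


if __name__ == "__main__":
    for kind, hosts in reconcile(INVENTORY_CSV, DISCOVERED_LIVE, AUDIT_DATE).items():
        print(f"{kind:13s} {hosts}")
```

Each non-empty list is a ticket for someone: an unknown host needs an owner found or the cable pulled, and a "decommissioned" host that still answers is exactly the machine the session described returning to the network.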

Here is a recommended plan of action:

  • Scout out any cobweb-catching computers in your office or department.
  • Decide to save or surplus the machine(s).
  • If saved, boot up, upgrade by applying the most current patches, delete unneeded contents and move any confidential information to a centrally managed server that is overseen and protected by full-time information technology professionals (i.e., get it off individual workstations or laptops).
  • If surplused, follow the steps outlined in the Electronic Equipment Disposition Policy. Here you will find links to the Purchasing Department's Computer Surplus Form. Note that while it is recommended that equipment leaving the department for disposal undergo a general data purge, a designated vendor will be responsible for the thorough destruction of data to prevent it from ever being recovered by an unauthorized party.

    See the Secure IT! article "Drilling Down" on Disposal Details for more background.


- by Pat Falcon, IT Security Policy & Communications Coordinator, CIS