Home > Security

Computerworld - Trouble Ticket

• Issue: A security audit in Moscow turns up several areas of concern, but the engineers there want Internet access.
• Action plan: Demand stricter adherence to restrictions as a condition.

A decision to send coding work offshore requires a weighing of benefits against risks. And who gets to deal with most of the risks? The security manager, of course.

Thats why I just returned from my yearly trip to Moscow, where employees of a partner company write source code algorithms for some of our products. This arrangement puts our intellectual property at significant risk, so we have a strict contract outlining how PCs and network connections are to be set up. If our intellectual property is compromised on foreign soil, we have to rely on the local authorities to take legal action. And thats a hit-or-miss proposition.

Our contract requires that CD drives and USB ports and other external connections be removed or disabled on all the PCs used to work on our source code. We also rely on air-gapping, which keeps these PCs off of the partner companys network. To do this, we set up a VPN that sends all the partners network traffic to our companys gateways. This lets us control access to all resources, and we dont have to vouch for the integrity of another companys infrastructure; after all, we dont want its network security problems to be ours as well.

In Moscow, I conducted an audit of the partner companys operations. My findings were not good.

I had the local IT guy run a Microsoft Baseline Security Analyzer scan on a random sample of PCs. These scans showed that the PCs were not up to date with Microsoft security patches. I then sat down at these same PCs and checked their anti­virus programs. Again, pattern files were badly out of date, by as much as two years. The Moscow engineers told me that since they have no Internet access, they cant download patches. Theyre right: While it is possible to do these updates without Internet access, its a more time-consuming process.

Not So Random
I also chose 20 PCs and checked to make sure that their USB ports were disabled and that no unauthorized applications were running, and I ran a limited forensic examination to ensure that the engineers who used those PCs werent making unauthorized Internet or corporate network connections when I wasnt around.

I didnt have time to run these checks on the PCs used by all 50 engineers who work on our source code algorithms, so I chose the 10 engineers with the shortest tenure and the 10 with the longest. Why them? The newest employees had been given new PCs that had to be set up to meet our requirements from scratch. The longest-tenured employees may have become comfortable enough to try subverting our restrictions.