When students and staff at the Coast Guard Academy needed their laptops and mobile phones repaired, they called Larry Mathews. For over a decade, Mathews owned the local computer repair shop. Then he pleaded guilty to computer intrusion. On more than 250 occasions, Mathews copied personal information (often including account names and passwords) from the devices that were left in his care.
Then there’s the insider. Consider the case of Adeniyi Adeyemi, who – before going to jail – was a computer technician. Adeyemi, a contractor once hired by a bank, pleaded guilty to grand larceny and computer tampering after stealing the personal information of 2,000 employees and making over a million dollars through identity theft.
So how do you secure the confidentiality, integrity and availability of data and systems during maintenance and repair? NIST considers the following:
- Policy: If you’re in need of a System Maintenance policy, check out the State of Alabama’s cybersecurity website at cybersecurity.alabama.gov, and review and revise theirs based on your specific requirements.
- Internal Control: Network maintenance and repair should be scheduled and documented, follow vendor specifications and organizational requirements, include peripheral devices (such as printers), and account for supply chain risks when replacing components. Often overlooked, but quite important, is the need to verify that security configurations, logging functions, and auto-update settings remain unchanged during and after maintenance to the fullest extent possible.
- Remote Control: Consider requiring approvals for off-site equipment repair or third-party remote access and control. With the rise of BYOD, it’s helpful to educate employees that personal and corporate data may be at risk from repair shops (allegations have been made against employees of such well-respected companies as Radio Shack, Best Buy and Verizon Wireless). Recognize that deleted sensitive files might be recovered, and if employees give their password(s) to a technician, say goodbye to the benefits of encryption.
- Tools: It made headlines when a security researcher discovered he could install malware in his own car that, when he went to a service station, would modify the equipment the dealer used to run vehicle diagnostics and update every other customer’s car software. The lesson? Tools should be checked often for integrity, including malware. They also should be restricted to certain users and, if belonging to a vendor, eventually wiped clean of your confidential corporate data.
- Personnel: Administrator rights and physical access should follow the concept of least privilege, and individuals performing maintenance and repair may require background checks.
- Timeliness: Consider ways to make your maintenance and repair activities preventive (replace end-of-life components before they fail), predictive (measure performance to assess degrading conditions, and have sufficient support and replacement equipment in place), and automated (capture and analyze data to improve detection of failures and to reduce downtime).
When it comes to network maintenance and repair, sometimes the cure can be worse than the disease. Having a sufficient approach for securing these processes can play an important role in risk management.