Tuesday, 20 August 2013

Security at the Olympics


If you watched the Olympic Games on television, you saw the unprecedented security surrounding the 2004 Olympics. You saw shots of guards and soldiers, and gunboats and frogmen patrolling the harbors. But there was a lot more security behind the scenes. Olympic press materials state that there was a system of 1,250 infrared and high-resolution surveillance cameras mounted on concrete poles. Additional surveillance data was collected from sensors on 12 patrol boats, 4,000 vehicles, 9 helicopters, 4 mobile command centers, and a blimp. It wasn't only images; microphones collected conversations, speech-recognition software converted them to text, and then sophisticated pattern-matching software looked for suspicious patterns. Seventy thousand people were involved in Olympic security, about seven per athlete or one for every 76 spectators.


EMBARRASSED SECURITY GUARD


DUMPSTER DIVING

Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information. The amount of information you can learn about a target is astounding.
Most people don't give much thought to what they're discarding at home: phone bills, credit card statements, medical prescription bottles, bank statements, work-related materials, and so much more.

THE HUMILIATED BOSS

Nobody thought anything about it when Harlan Fortis came to work on Monday morning as usual at the County Highway Department, and said he'd left home in a hurry and forgotten his badge. The security guard had seen Harlan coming in and going out every weekday for the two years she had been working there. She had him sign for a temporary employee's badge, gave it to him, and he went on his way.
It wasn't until two days later that all hell started breaking loose. The story spread through the entire department like wildfire. Half the people who heard it said it couldn't be true. Of the rest, nobody seemed to know whether to laugh out loud or to feel sorry for the poor soul.

THE PROMOTION SEEKER

Late in the morning of a pleasant autumn day, Peter Milton walked into the lobby of the Denver regional offices of Honorable Auto Parts, a national parts wholesaler for the automobile aftermarket. He waited at the reception desk while the young lady signed in a visitor, gave driving directions to a caller, and dealt with the UPS man, all more or less at the same time.
"So how did you learn to do so many things at once?" Pete said when she had time to help him. She smiled, obviously pleased he had noticed. He was from Marketing in the Dallas office, he told her, and said that Mike Talbott from Atlanta field sales was going to be meeting him. "We have a client to visit together this afternoon," he explained. "I'll just wait here in the lobby."

PREVENTING THE CON

From pawing through your trash to duping a security guard or receptionist, social engineers can physically invade your corporate space. But you'll be glad to hear that there are preventive measures you can take.


Monday, 19 August 2013

Ongoing Maintenance



The security policies, standards, procedures, and guidelines are living documents. That means they are not written once and left unchanged for years. These documents should be regularly updated in response to changing business conditions, technologies, customer requirements, and so on. Some form of document version control technology may be helpful in managing this life cycle process.

In order to communicate the security documents, it is best to keep them online or in a place where the various audiences will be able to review and understand changes as they are approved and implemented. Some organizations use an intranet web site to present their security documents, so employees can easily reference them throughout the workday.


Security Guidelines



Guidelines give advice. They are not mandatory—they are just suggestions on how to follow the policy. Guidelines are meant to make life easier for the end user, as well as for the security manager who wrote the policy, because they help people understand how to meet the goals set by the security policy.
Security Guideline Example
In this example, the password complexity rules of the password policy are translated into a set of easy-to-follow suggestions. There may be other ways to select a password to be compliant with the policy, but these guidelines are intended to simplify the process for the end users while at the same time allowing them to make strong passwords. Notice that unlike standards and procedures, the material is easy for everyone to read and understand.
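The guideline example itself is not reproduced on the page, so here is an added illustration (not from the page or the book it quotes) of the three layers the text describes, applied to passwords: a one-line policy stating what, a standard holding the concrete settings, and a function that turns a failed check into guideline-style advice. Every threshold and banned word below is an assumption for illustration only.

```python
"""Added example: policy, standard and guideline for passwords as code.
All thresholds and banned words are assumed; the page states none."""
import re
from dataclasses import dataclass

# Policy layer: says WHAT, not how.
POLICY = "Users must choose passwords that resist guessing attacks."

# Standard layer: the mandatory, specific settings that implement the policy.
@dataclass(frozen=True)
class PasswordStandard:
    min_length: int = 12
    required_classes: int = 3        # of: lower, upper, digit, symbol
    max_repeat_run: int = 3          # "aaaa" (a run of 4) is rejected
    banned_substrings: tuple = ("password", "honorable")  # assumed org name

STANDARD = PasswordStandard()

# Guideline layer: plain-language advice keyed by the rule it explains.
GUIDELINES = {
    "length": "Use a passphrase of several unrelated words; length beats tricks.",
    "classes": "Mix at least three kinds of character, e.g. add a digit or a symbol.",
    "repeat": "Avoid runs of the same character such as 'aaaa' or '1111'.",
    "banned": "Do not build the password around the company name or 'password'.",
}

def check_password(pw: str, std: PasswordStandard = STANDARD) -> list:
    """Return the names of the standard's rules that the candidate violates."""
    failed = []
    if len(pw) < std.min_length:
        failed.append("length")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < std.required_classes:
        failed.append("classes")
    if re.search(r"(.)\1{%d,}" % std.max_repeat_run, pw):
        failed.append("repeat")
    if any(b in pw.lower() for b in std.banned_substrings):
        failed.append("banned")
    return failed

def password_guidance(pw: str, std: PasswordStandard = STANDARD) -> list:
    """Translate violations of the standard into the advice an end user sees."""
    return [GUIDELINES[rule] for rule in check_password(pw, std)]
```

The same standard can be enforced by an administrator's procedure while users only ever read the guideline strings.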


Security Procedures


Procedures are step-by-step instructions to perform a specific task.
Security Procedure Example:

In this example, notice that the level of detail is more specific than that found in both policies and standards. The procedure is a set of instructions that a system administrator would perform when sitting at the keyboard of the computer being built. Most people will not understand this information—it is very specialized, and intended only for someone who is a system administrator. The type of specialized information found in a security procedure is usually very job-specific.

PURPOSE

This procedure is intended for the security installation of Apache web servers. It defines the steps necessary to ensure a secure installation that complies with security policy.

Security Standards



A standard is somewhat more detailed than a policy. Standards describe how to comply with the policy, and because they are associated with policies, they should be considered mandatory. Standards are the extension of the policy into the real world—they specify technology settings, platforms, or behaviors. Security managers responsible for IT infrastructure will usually spend more time writing standards than they spend on policy.


Much of the information contained in this book pertains to settings for Unix and Windows systems. Those settings would typically be the level of detail that is included in standards. Compare the information in those chapters against the set of policy statements listed in the previous section of this chapter. You’ll see that policy statements are simple, direct, and somewhat general. Standards interpret the policy to the level of specifics needed by a subject matter expert.

Security Policies



A security policy is the essential foundation for an effective and comprehensive security program. A good security policy should be a high-level, brief, formalized statement of the security practices that management expects employees and other stakeholders to follow. A security policy should be concise and easy to understand so that everyone can follow the guidance set forth in it.

In its basic form, a security policy is a document that describes an organization’s security requirements. A security policy specifies what should be done, not how; nor does it specify technologies or specific solutions. The security policy defines a specific set of intentions and conditions that will help protect an organization’s assets and its ability to conduct business. It is important to plan an approach to policy development that is consistent, repeatable, and straightforward.