Quarantines

A cheap price of admission for electronic client files

Everyone understands the risk their firm faces from hackers and cyber thieves lurking in the shadowy places of the Internet. What they might not know is that the greatest, and most common, technology threat is posed by their own clients. In this article, the author retells the story of how his entire business data system was taken down by a trusted client and his creative solution to solve the problem. 

Does your practice or organization utilize a computer quarantine process? If not, after reading this, you will!

The day began in a typical manner, reviewing information recently received from a client to determine next steps. These records included printed documents, two CDs, and a USB jump drive (also known as a “flash” or “thumb” drive).

So Far, So Good…

After sorting the printed documents, we inserted each CD into our Windows computer, located the files, and copied them onto a dedicated new folder on the internal hard drive. We then removed and stored each CD as received for future access.

Next came the USB jump drive. We inserted it into the computer’s USB port, just as we have with other jump drives countless times before. Instantly a notification popped up on the screen, indicating the imminent launch of an unfamiliar and unexpected program.

Hmmmmmm…

Knowing we hadn’t launched any programs, but simply inserted the jump drive into the port, we canceled out of the notification. The insistent message popped up several more times, and each time we selected “cancel.”

Finally, things appeared normal once again. We located the desired files on the jump drive, highlighted the list, and copied the files into the folder on our hard drive.

Going, Going…Gone

The file-copying process began normally enough, but then it slowed to a halt. Not knowing why it stopped, we watched to see if it would continue copying…

It didn’t. The system simply froze. Frantic, we abruptly removed the USB drive from the computer. The screen immediately displayed a message indicating we should close the application running before the computer shut down. My associate and I looked at each other, perplexed, as the computer did not indicate any applications running. Within moments, before we could formulate a response to the message, the computer shut down on its own.

We pressed the “power” button to restart the computer, and the pilot light glowed once again. The screen displayed the initial Dell insignia, and then the computer immediately froze, without ever making any of its familiar “start-up noise.” Our hearts sank.

Over the next hour or so, we frantically tried restarting the computer, to no avail. We found our Windows 7 software CD, inserted it, and followed the online instructions to restart our computer…

Nothing. The blue Dell insignia again came up, but, otherwise, no power, and absolutely zero functionality.

We called our computer support consultant, who cleared his schedule to come to our aid. The hour-and-a-half between our call and his arrival seemed like an eternity. Did our computer die. Did that death affect our file server? If so, to what extent?

After some initial diagnostics, the consultant advised us the computer would no longer function, and that we would need to replace it. Then he delivered the worst news: our back up, which comprised a complete backup of the entire hard drive, would not likely work with a new replacement computer.

He advised us to buy a new computer, re-install all the software applications, and then recover the data files from the backup drive. At that point, we had already lost the better part of the day due to the vicious attack we unwittingly launched vis à vis the client USB jump drive.

The Resurrection

After more tinkering, removing various components, and disconnecting devices from the ill-fated computer, our consultant eventually got the computer machine up and running once again. With no other components connected, the computer’s display screen appeared as it did at the beginning of our day.

Replacing one element at a time and rebooting to see what would happen, we narrowed down the issue to the USB hub attached to the computer. The USB hub expanded the number of USB ports available, as often the two or three USB ports contained on the computer prove less than adequate for the number of USB devices we desired to connect. The hub no longer functioned, although its green power light glowed innocently.

With the USB hub disconnected, the rest of the computer appeared restored. We deleted every file associated with the project from the hard drive, and sealed the CDs and USB drive in an envelope, never to be used again.

Shortly thereafter, our adrenalin rush finally hit, and panic squeezed with a tight-fisted grip. We had received, copied, and utilized client files provided to us on CDs, DVDs and USB drives since the day we opened our doors for business, always without incident…until today.

What Now?

We never considered that a client’s files or media, once introduced onto our systems, could take down our entire computer environment. Based on the day’s events, we wondered, “How could we ever again accept files sent to us by clients, knowing that they might contain an element of serious risk to our systems?” Had the time arrived to implement government-level, pre-screening requirements on all files prior to allowing them onto our systems?

We quickly answered our own question: “Yes.”

The Answer: A Quarantine Station

Moving forward, we purchased an inexpensive desktop computer with Windows installed for dedicated use strictly as a quarantine computer station. Connected to the Internet only to maintain a current anti-virus and anti-threat scanning solution, the workstation is not, and never will be, connected to our network. The unit maintains minimal software on its hard drive.

No data files reside on the computer hard drive. The sole function of the workstation? To receive client-provided files, screen them for potential threats, and, once processed and deemed safe for use on our systems, allow us to copy the files onto our internally controlled medium for copying and use on our systems.

Should the computer become infected or destroyed by “malware” contained on client-provided files, we can simply re-format it, re-install the operating system, and re-establish the protection software. Thus, no exposure exists to other systems or files within our firm’s environment, minimizing our downtime, should something similar to that dark day’s events occur again. Worst-case scenario, we replace the quarantine workstation with a new one.

Take It from Us…

Learn from our experience. If your firm or organization accepts electronic information from clients or any other parties outside of the organization for use within your systems, your procedures should incorporate a similar quarantine process. Otherwise, you run the risk of feeling our pain. Create, document, and distribute policy and procedures to ensure awareness among all staff of the expectations, risks, and consequences associated with circumventing the process.

For all employees and individuals within your organization, create, distribute, and implement a similar policy and procedures that prevent users from bringing in files from home or other sources for introduction into your systems without such preemptive screening.

Many organizations already enforce policies preventing employees from installing unauthorized software onto their employer-provided computers. However, the next question should present itself: “Do your policies also address employees accepting electronic files provided by clients’ systems?”

After a stiff drink and time to reflect on just what occurred, how it happened, and what measures could have prevented this unfortunate scenario in the first place, we felt extremely grateful, especially to our computer consultant, that the loss of our USB hub posed the sole physical loss.

Our technician theorized that our abrupt removal of the client USB jump drive thwarted the complete launch of whatever virus it contained. Had we left it inserted and simply waited to see what happened, the outcome could have proven much different…and much worse.

Computer forensic experts can often make that determination after their analysis. Replacing the computer would have carried a reasonable and fixed cost, but losing the systems and files on that computer and the backups we maintained would have created a far greater loss, and dictated far more time…at the bar.

This article was originally published by Forensic Accounting Services, LLC and Stephen A. Pedneault, CPA/CFF, CFE, FCPA. You can reach Steve atsteve@forensicaccountingservices.com or (860) 659-6550.