Geometric Authentication

Around mid-2004, my participation and the contacts I had made through the CISSPBR list led to a conversation with the folks at a company based in Rio de Janeiro that wanted to set up an office in Brasília. The company worked in the information security field, with its main focus on services, especially consulting.
I had an initial phone conversation with one of the partners and was then invited to dinner at a restaurant in Brasília, which served as a kind of informal interview. Some time later, they got in touch again and made an offer. I would still be hired as an external contractor, with pay more or less equivalent to what I was making at BRB. I asked that they include a few vacation days, which would be an improvement compared to my previous contract, and they informally agreed, though it wasn’t explicit in the contract.
Their offer looked interesting to me. I’d be leaving a pretty stagnant environment at BRB for a company specialized in the area in which I wanted to build my career. There wouldn’t be a significant pay difference, but I would now have paid vacation. After thinking it over a bit, I accepted the offer and we set a start date. This would be my first experience as a consultant. Until then, I had only dealt with consultants from the client side; now I’d have firsthand experience of the other side of that relationship.
The first surprise came two days before the official start. I was invited to a team lunch with the rest of the team that was already in Brasília, so we could get to know each other before work began. That’s when they informed me that the company required a nine-hour workday, instead of the traditional eight. At that point, there wasn’t much room to back out. I decided to push forward and start in the best way possible. I just said I needed an adequate lunch break, not only to eat but also to take my kids to school.
When I joined the company, they had a pretty large contract with Brasil Telecom, the phone operator that served Brasília and the Central-West region and that would later be absorbed by Oi. The project involved a risk analysis with a pretty broad scope. There were already two consultants and one of the partners, from Rio de Janeiro, working on that contract. I became the fourth person dedicated to the risk analysis. Since the company didn’t have a physical office in Brasília, all the work was done in person at Brasil Telecom’s headquarters. We used to joke that access to the company’s campus worked by “geometric authentication”: if the car had a green circle on the windshield (sticker) and the person had a blue rectangle on their chest (badge), they could go in.
The risk analysis work covered various IT processes at the company. One of the most interesting parts I worked on was the risk analysis of Brasil Telecom’s call center operations. The company maintained several call centers spread across the country, responsible for both the directory assistance service, known in Brazil by its service number, 102, and for serving corporate customers, such as banks and large companies. Our work process included interviews with the people in charge of the area, based in Brasília, and in-person visits to two of these centers: one in Campo Grande and another in Curitiba.
I was assigned to visit both sites and produce the reports on the risks identified. I learned a lot about how call centers work and about the information systems used in those environments. One of the more curious episodes happened during the visit to Campo Grande. Right at the entrance of the building, I saw a scale model of Brasília. I asked why, and they explained that this center handled the directory assistance service for the Federal District. The agents needed to have some idea of the city’s layout to answer calls better. One example was understanding that “SQN 106” was the same as “Superquadra Norte 106” or “106 Norte.” For that, it was necessary to give the agents basic training on the geography of Brasília. That is, people in Campo Grande needed to learn how addresses worked in Brasília in order to provide the service correctly.
Besides the risk analysis of the call centers, the project scope included Brasil Telecom’s business intelligence environment. After the initial conversations with the people in charge, it became clear that there was little or no control over the origin and ownership of the data and who could access it. The impression was that information coming from various systems in the company was mixed together and used to generate reports across all kinds of business areas, without proper access control or traceability mechanisms. There was no simple way to identify the exact origin of the data used in each report. From an information security point of view, that was a nightmare: an almost total absence of control.
We even discussed creating a framework that would let us trace the origin of the data and better control access, but it quickly became clear that this was something extremely complex and expensive to implement. Today, looking back, I believe the cost would be too high for practically any company, except in environments requiring extremely high levels of security.
The Brasil Telecom project was a great learning experience and generated lots of interesting and seemingly endless discussions with colleagues, especially about concepts such as risk, vulnerability, and threat. I’m not entirely sure how much practical impact the final result of the work had, since the internal political context of Brasil Telecom was pretty complicated. We had a few other projects after this one, but that’s a story for another chapter.
Advice nobody asked for but I’m giving anyway:
- Negotiating the terms of an employment contract is a delicate process that requires attention. It’s important to pay attention to whether the company is “putting its cards on the table” or whether there are terms and expectations that weren’t brought up in the initial conversations. Asking questions and understanding the contract terms is essential. I know that sometimes there’s a bit of fear about being seen as difficult for wanting to understand all the details but, if that happens, it’s much more of a red flag about the company than a mistake by the job candidate.