February 3, 2011

Six Security Sins to Avoid: The IT Darwin Awards


You've heard of the Darwin Awards, which are given out for the rather grim achievement of doing something particularly dumb and usually fatal. We've heard of a few security mishaps that may have been career suicide, but thankfully none that have actually proven fatal. Still, we don't advocate security Seppuku either. Here's some should-be-obvious mistakes to avoid.

The Written Password

Walk through any decent-sized company and look around a bit. Odds are, you'll find at least a few sticky notes with username and password combos written down in plain view or tucked neatly under the keyboard.

We're sure we don't have to tell you not to do this. We hope. But if you're part of the security or IT staff in your organization, make a point of patrolling the premises and peeking at Post-Its for passwords. You'll be shocked, and alarmed, at what you find.

Unencrypted Laptops

Laptops and netbooks are wonderful inventions. They enable employees to be productive far, far away from the corporate mothership. Unfortunately, they also tend to be lost or stolen from time to time. Loss of hardware is bad, but usually not fatal. The loss of data, on the other hand, can be a major problem. At least all of your laptops are encrypted, so that the bad guys can't get to the data even if it's in their hot little hands, right? Right?

It doesn't matter whether your work laptop runs Windows, Linux, Mac OS X, or one of the BSDs. Any OS worth it salt supports disk encryption at this point, or at least should have third-party products that should do the trick. If you, or your staff, are walking around with unencrypted data you have a problem just waiting to happen.

Unencrypted Services

Speaking of problems waiting to happen, there's Firesheep and many other threats just waiting to pluck your data out of thin Wi-Fi.

Setting up SSL and VPNs can be a headache. Forcing users to use VPNs and secured services can be a bigger headache — but not doing it can mean leaving a wide open door to attackers. Any service that your employees connect to remotely, whether it's Webmail or the company content management system, should be over SSL only. Same goes for sending and receiving mail, which should never happen over unencrypted connections.

Working in Public Places

Here's a complaint you'll never, ever hear — "that airplane seat was just too roomy, I felt like I was too far away from the other passengers." If you're crammed into a cattle class seat, you might as well be a conjoined twin with your neighbor for the duration of the flight. Even in business and first class airline seats, the idea of privacy from your co-passengers is laughable. So why do so many people feel comfortable working on confidential company data in the form of office correspondence, email, budget spreadsheets, presentations, and the like in plain view?

By all means, bust out the laptop for a rousing game of solitaire or Minesweeper to pass the time and take your mind off the gruesome airline food. Pop on your headphones and watch a few episodes of Family Guy on that aging Dell laptop you're issued — but working on sensitive company projects with a random passenger staring over your shoulder is a bad call. Maybe they're totally disinterested and not paying attention — or maybe you're sitting next to someone from the competition heading to the same trade show.

This rule, of course, applies at sea level and not just 30,000 feet. Be smart about where you trot out the company's sensitive information, particularly when any number of prying eyes could be eyeing your laptop like an underachiever eyeing your paper during a final exam.

This goes for phone calls as well. Don't conduct business calls (IT or otherwise) in public within earshot of strangers. If anything in your conversation should be confidential, wait until you're in a secure location before making the call.

Shred, Baby, Shred

That paperless society that computers were supposed to enable? We're still waiting on that one, along with jetpacks and flying cars. In the meantime, computers have made it easier than ever to produce hard copies of everything from company budgets to draft presentations or network diagrams — all things that may be easier to eyeball on dead trees, but provide a quick way around computer security when they're handled incorrectly.

Of course, data disposal isn't limited to paper — how is your company dealing with obsolete equipment? Are hard drives properly wiped when machines on lease go back? If you sell off or donate computers, are they leaving the company with valuable data on them?

Company policy should be to shred any documents that are to be disposed of that contain confidential data. Whether it's customer information or company plans and information, a dumpster diver could come away with much more than you'd like them to have. Are these types of attacks rare? Sure. Are you feeling lucky? You're in the wrong business if you depend on luck instead of responsible data disposal policies.

Disposal of storage media and equipment also requires care. Make sure that CD/DVD-ROMs are shredded, not just thrown away. Hard drives need to be erased thoroughly, DBAN is a good option here. Obsolete mobile phones need to be erased, and so on.

Obscure is Not Secure

One thing that sensible IT staff should know — obscurity is not the same as security. Sure, you want to keep certain things obscure (like network topologies, usernames, hostnames, etc.) as an added security measure. But that doesn't replace true security.

One of the silliest things we've seen is when companies put up information in an obscure location rather than securing it. You know the kind of thing we're talking about — using a staging or testing site that's considered safe from prying eyes because the URL isn't public. Even so, that kind of thing can turn up on search engines or be found by resourceful attackers, competitors, or plain-old looky-loos.

Bottom line? If you're testing or staging a new site, especially if it contains unreleased product information or other not yet ready for prime-time info put a lock on it. Require a password, preferably over an encrypted connection. It's always better to be safe than a candidate for the IT Darwin Awards.

Click Here!