Silly Security Mistakes: Things You Overlooked While Doing the Hard Stuff

While you were upgrading your servers with the latest intrusion detection, did someone just walk in and steal them? We urge you not to forget the obvious when you're doing your security planning.
By Josh Fruhlinger
Features Jun 8th 2012

If you're worried about high-tech hackers using advanced and sinister techniques to break through your fancy firewalls -- well, that's not outside the realm of possibility. By all means, spend money on firewalls! But you might also want to keep in mind some distinctly low-tech security problems that are not particularly sophisticated -- in fact, some might call them distinctly dumb -- that nevertheless mean bad things for the companies or people who suffer them.

We live in an increasingly virtual world, where our crucial data lives on the cloud and we live in fear of electronic intrusions into our particular fiefdom in cyberspace. But it does pay to remember that all of that data does, ultimately, reside on metal-and-plastic computers that do occupy real space in the physical universe. These computers can be touched, picked up, and carried away, and that's bad news. For instance, NASA has suffered a number of recent cybersecurity scandals, among them the fact that 48 of the agency's laptops and phones were just straight-up stolen.

The one thing that makes stealing stuff tricky is that it requires real physical access to that stuff. But getting physical access to things is easier than you'd think. One security researcher demonstrated that it's fairly easy to get into restricted areas via attitude (e.g., imperiously waving a badge at security guards, even if it's not a badge that allows you access to wherever it is you're going) and a moderate amount of stealth (e.g., slipping in through exit doors). Oh, did we mention that these techniques worked at an RSA Security conference? Probably it's even easier in your building.

How many of these people are in this RSA conference legitimately? (Source: ixfd64/Flickr)

But when your tech goes missing, don't forget the old adage that you should never blame on malice what can be attributed to good old-fashioned incompetence. For instance, maybe those computers weren't stolen by dastardly cat burglars bent on sabotage; maybe someone who was in charge of them just lost them. This didn't happen so much when everybody had a large desktop computer that was hard to lug around, but the convenience of laptops and smartphones also makes them convenient to lose. One survey of small businesses found that 35% had an employee who lost a device with business data on it. And if a survey of USB sticks found on Sydney commuter trains is any indication, almost none of those devices were encrypted in any way.

Source: IT World
