Silly Security Mistakes: Things You Overlooked While Doing the Hard Stuff
While you were upgrading your servers with the latest intrusion detection, did someone just walk in and steal them? We urge you not to forget the obvious when you're doing your security planning.
If you're worried about high-tech hackers using advanced and sinister techniques to break through your fancy firewalls -- well, that's not outside the realm of possibility. By all means, spend money on firewalls! But you might also want to keep in mind some distinctly low-tech security problems that are not particularly sophisticated -- in fact, some might call them distinctly dumb -- that nevertheless mean bad things for the companies or people who suffer them.
We live in an increasingly virtual world, where our crucial data lives on the cloud and we live in fear of electronic intrusions into our particular fiefdom in cyberspace. But it does pay to remember that all of that data does, ultimately, reside on metal-and-plastic computers that do occupy real space in the physical universe. These computers can be touched, picked up, and carried away, and that's bad news. For instance, NASA has suffered a number of recent cybersecurity scandals, among them the fact that 48 of the agency's laptops and phones were just straight-up stolen.
The one thing that makes stealing stuff tricky is that it requires real physical access to that stuff. But getting physical access to things is easier than you'd think. One security researcher demonstrated that it's pretty easy to get into restricted areas through attitude (e.g., imperiously waving a badge at security guards, even if it's not a badge that grants you access to wherever you're going) and a moderate amount of stealth (e.g., slipping in through exit doors). Oh, did we mention that these techniques worked at an RSA Security conference? Probably it's even easier in your building.
How many of these people are in this RSA conference legitimately? (Source: ixfd64/Flickr)
But when your tech goes missing, don't forget the old adage that you should never attribute to malice what can be explained by good old-fashioned incompetence. For instance, maybe those computers weren't stolen by dastardly cat burglars bent on sabotage; maybe someone who was in charge of them just lost them. This didn't happen so much when everybody had a large desktop computer that was hard to lug around, but the convenience of laptops and smartphones also makes them convenient to lose. One survey of small businesses found that 35% had an employee who lost a device with business data on it. And if a survey of USB sticks found on Sydney commuter trains is any indication, almost none of those devices were encrypted in any way.
The media world in late 2011 was roiled by the spectacle of the News Corp. phone hacking scandal, in which it came out that multiple newspapers in Rupert Murdoch's British media empire broke into the voicemails of celebrities and crime victims in order to get media scoops and sometimes engage in a little light blackmail. Less well publicized was the method used to achieve this seemingly high-tech coup: investigators who had the target's contact info simply called up the number their mobile phone provider set up to retrieve voicemail remotely, then entered some guesses as to what the victim's PIN might be. Many were fairly obvious -- in fact, many were simply the default that came with the account.
The lesson: people will, if given the chance, pick dumb passwords. Have policies that force people to pick the least dumb passwords possible, and force them to change those passwords on a semi-regular basis.
Rupert Murdoch defends his company's practices at the Leveson inquiry in the U.K. (Source: Reuters TV)
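The voicemail break-ins above worked because the PINs were defaults or trivially guessable, and because the remote-retrieval number let the callers keep guessing. As an added illustration (not code from the article or from any carrier), here is a small PIN policy that rejects the kinds of PINs that get guessed first and a mailbox that locks after a few failures. The default-PIN list and the five-attempt limit are constructed for the example.

```python
# Added example, not from the article: a voicemail PIN policy plus a lockout
# counter. DEFAULT_PINS and MAX_FAILED_ATTEMPTS are constructed illustration
# values, not any real carrier's settings.
import hmac
from dataclasses import dataclass

# Constructed denylist: typical carrier defaults and the PINs people reach for
# when told to "pick something".
DEFAULT_PINS = {"0000", "1234", "1111", "4444", "0123", "9999"}
MAX_FAILED_ATTEMPTS = 5  # assumed policy value


def is_weak_pin(pin: str, min_len: int = 4) -> bool:
    """True if the PIN is non-numeric, too short, a known default, a single
    repeated digit (7777), a straight run up or down (2345, 8765), or looks
    like a birth year (19xx / 20xx)."""
    if not pin.isdigit() or len(pin) < min_len:
        return True
    if pin in DEFAULT_PINS:
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {-1}:
        return True
    if len(pin) == 4 and pin[:2] in ("19", "20"):
        return True
    return False


@dataclass
class VoicemailBox:
    """A mailbox whose PIN must pass policy and which locks itself after
    MAX_FAILED_ATTEMPTS wrong guesses, so remote guessing runs out of tries."""
    pin: str
    failed: int = 0
    locked: bool = False

    def set_pin(self, new_pin: str) -> None:
        if is_weak_pin(new_pin):
            raise ValueError("PIN rejected by policy")
        self.pin = new_pin
        self.failed = 0
        self.locked = False

    def authenticate(self, attempt: str) -> bool:
        if self.locked:
            return False
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(attempt, self.pin):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    box = VoicemailBox(pin="8531")
    for guess in ["0000", "1234", "1111", "4444", "0123"]:
        print(guess, "->", box.authenticate(guess))
    print("locked:", box.locked)
```

The lockout is the half that policy documents usually forget: a strong-PIN rule limits what a guesser can win, but only a limit on attempts stops the guessing from being free.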
Paranoid sysadmins will keep their OS patches up to date, of course. Windows in particular has a reputation as a leaky ship, and so tech staffers -- particularly tech staffers who may have been in part responsible for picking Windows as the OS of choice -- are generally good at keeping all those patches up to date.
The problem is that a lot of the most easily exploited vulnerabilities aren't in the operating system; they're in the applications that run on top of it. Just as an example, check out this list, put out by SANS in 2009, of applications that were problematic at that point. What's at the very top? Oh, just a text converter for WordPad, which you probably thought was about the most innocuous program on your computer. Also on the list is Java, which, as Mac users unhappily learned, can open up all kinds of holes on its own.
Thankfully, there was no personal data on any of these. (Source: Jeran Renz/Wikipedia)
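The gap the article describes is that OS patching is routine while the applications on top of it go unchecked. As an added example (not code from the article or from SANS), here is a minimal patch-level check that compares an endpoint's installed application versions against the minimums a policy requires, and separately reports software the policy says nothing about. The inventory and the minimum versions below are constructed for illustration and are not real advisory data.

```python
# Added example, not from the article: flag third-party applications that are
# below a required version, and surface software no policy covers. INSTALLED
# and MINIMUM are constructed sample data, not real version requirements.
import re
from typing import Dict, List, Tuple

# Constructed inventory, as an endpoint agent might report it (name -> version).
INSTALLED: Dict[str, str] = {
    "Java Runtime": "1.6.0_17",
    "WordPad Text Converter": "5.1.2600",
    "Acrobat Reader": "9.1.0",
    "Flash Player": "10.0.22",          # nobody wrote a policy for this one
}

# Constructed minimum versions a patch policy might require.
MINIMUM: Dict[str, str] = {
    "Java Runtime": "1.6.0_20",
    "WordPad Text Converter": "5.1.2700",
    "Acrobat Reader": "9.1.0",
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a version string into a tuple of integers so that '1.10' sorts
    after '1.9' and '1.6.0_17' compares as (1, 6, 0, 17). A string with no
    digits becomes () and therefore sorts below everything (treated as old)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def outdated_apps(installed: Dict[str, str], minimum: Dict[str, str]) -> List[str]:
    """Names of installed applications whose version is below the policy minimum."""
    out = []
    for name, required in minimum.items():
        have = installed.get(name)
        if have is not None and version_key(have) < version_key(required):
            out.append(name)
    return sorted(out)


def unmanaged_apps(installed: Dict[str, str], minimum: Dict[str, str]) -> List[str]:
    """Installed software the patch policy does not mention at all: the blind
    spot where the OS is patched but the applications are not even tracked."""
    return sorted(name for name in installed if name not in minimum)


if __name__ == "__main__":
    print("below minimum:", outdated_apps(INSTALLED, MINIMUM))
    print("not covered by policy:", unmanaged_apps(INSTALLED, MINIMUM))
```

The second report is the more useful one in practice: an application that no policy covers is never going to show up as "outdated", which is exactly how a text converter nobody thinks about ends up at the top of a list like SANS's.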
Your data is among your most important assets: it may contain information proprietary to your business, or information about your customers that you've promised to keep secret and secure. Hackers will be trying to get this data, of course, but there's really no need to actively help them do it. Remember the 2006 incident when AOL put the search records of millions of users, complete with personally identifying information, on a public server by accident? It's easy to make fun (and especially easy to make fun of AOL), but the truth is that most organizations of any size have a heterogeneous host of servers, some public, some not, and some set up by shadow IT and not covered by rigorous security policies. The advent of cloud storage as a trend has just made it easier to perpetrate an embarrassing screwup along these lines.
Just as it can be difficult to keep track of how public various servers on your corporate network are, it can also be hard to keep track of network nodes that might be public facing. Rather famously, in 2007 TJX (the company that owns prominent discount department stores like TJ Maxx and Marshalls) suffered an embarrassing breach when hackers tinkered with public kiosks that were set up so people could submit job applications. (They even did so in plain sight, simply claiming to be IT staff there to repair the machines.) Remember, it makes no sense to set up elaborate defenses against unauthorized intrusions onto the network when you provide a fully authorized entrance that anyone can walk right through.
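The AOL and TJX incidents above are two faces of the same bookkeeping failure: not knowing which hosts are reachable from where. As an added example (not code from the article, AOL, or TJX), here is a small inventory audit that checks a host list and a table of zone-to-zone allow rules for both mistakes: sensitive data served without authentication from a zone that public sources can reach (or sitting on a shadow-IT host), and a public-facing zone such as job kiosks that is allowed to initiate connections into the internal network. The hosts, zone names and rules are constructed for the example.

```python
# Added example, not from the article: audit a host inventory plus zone allow
# rules for accidental public exposure of sensitive data and for public-facing
# nodes (kiosks) that can reach internal systems. HOSTS, ALLOW and the zone
# names are constructed sample data.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    zone: str             # constructed zones: internet, kiosk, dmz, internal
    sensitive: bool       # holds customer or proprietary data
    auth_required: bool   # False means anonymous access is possible
    managed: bool         # False means shadow IT, outside central policy


# Constructed inventory.
HOSTS: List[Host] = [
    Host("search-logs-export", "dmz", True, False, False),  # AOL-style mistake
    Host("hr-db", "internal", True, True, True),
    Host("job-kiosk-01", "kiosk", False, False, True),
    Host("www", "dmz", False, False, True),
]

# Which zone may initiate connections into which (constructed rule table).
ALLOW: Set[Tuple[str, str]] = {
    ("internet", "dmz"),
    ("kiosk", "dmz"),
    ("kiosk", "internal"),    # the TJX-style gap: kiosks on the inside network
    ("internal", "dmz"),
    ("internal", "internal"),
}

# Zones anyone can walk up to or reach from outside.
PUBLIC_SOURCES = {"internet", "kiosk"}


def audit(hosts: List[Host], allow: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (subject, issue) pairs. Issues:
    PUBLIC_SENSITIVE   - sensitive data served without authentication from a
                         zone that a public source zone may reach
    SHADOW_SENSITIVE   - sensitive data on a host central IT does not manage
    PUBLIC_TO_INTERNAL - a public-facing zone may initiate into 'internal'"""
    findings: List[Tuple[str, str]] = []
    for h in hosts:
        exposed = any((src, h.zone) in allow for src in PUBLIC_SOURCES)
        if h.sensitive and exposed and not h.auth_required:
            findings.append((h.name, "PUBLIC_SENSITIVE"))
        if h.sensitive and not h.managed:
            findings.append((h.name, "SHADOW_SENSITIVE"))
    for src in sorted(PUBLIC_SOURCES):
        if (src, "internal") in allow:
            findings.append((src, "PUBLIC_TO_INTERNAL"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(HOSTS, ALLOW):
        print(f"{issue:19} {subject}")
```

Note that hr-db is reachable from the kiosk zone yet produces no finding of its own, because it requires authentication; the finding lands on the zone rule instead. Removing the ("kiosk", "internal") rule clears it, which is the segmentation fix the TJX story points at.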