Requests for our team to help address a security breach or vulnerability are fairly common, so we always encourage clients to establish some security best practices within their organization. We recently polled our technical staff, who provided real-world feedback on the quickest and easiest changes you can make to help prevent the loss or theft of data due to a compromise in security:
1. Implement complex password requirements
No one likes being required to memorize a long password with specific requirements, such as having to use special characters or a mix of upper- and lower-case letters. However, there is a very good reason that complex password requirements are the de facto standard for authentication: simple passwords are very easy to guess. While you might think it unlikely that anyone would guess the name of your first pet, hackers don’t actually have to guess it themselves. They run a computer program that guesses for them, pulling a list of words from a large dictionary and applying transforms such as tacking on numbers (so “fluffy12” is not much more secure than “fluffy”). This is one example of a brute-force attack, and it is fairly common against many kinds of systems, from e-mail to bank accounts to your personal laptop. Think of your password as a key that unlocks a system: the longer and more complex the key, the more difficult the lock is for an attacker to pick.
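The following is an added example, not code from the original post: a small Python policy check that models the dictionary-plus-transforms guessing described above, so that decorated dictionary words such as “fluffy12” are rejected. The word list, the cracking-dictionary size and the transform budget are constructed assumptions for illustration.

```python
import math
import re
import string

# Constructed sample word list; real cracking dictionaries have millions of entries.
SAMPLE_DICTIONARY = {"fluffy", "password", "welcome", "summer", "dragon"}
ASSUMED_LIST_SIZE = 1_000_000   # assumption: entries in a real cracking dictionary
ASSUMED_TRANSFORMS = 1_000      # assumption: cheap variants tried per word (case, digits, l33t)

# Common l33t substitutions a guessing program tries on every word.
_LEET = str.maketrans("4310@$5", "aeioass")

def base_word(password: str) -> str:
    """Undo the cheap transforms a guessing program applies to each dictionary word:
    case, digit/symbol prefixes and suffixes ("fluffy12", "Fluffy!"), l33t letters."""
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core.translate(_LEET)

def is_dictionary_based(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    return base_word(password) in dictionary

def _class_flags(password: str):
    """Which character classes appear: lower, upper, digit, punctuation."""
    return (any(c.islower() for c in password), any(c.isupper() for c in password),
            any(c.isdigit() for c in password), any(c in string.punctuation for c in password))

def charset_size(password: str) -> int:
    lower, upper, digit, punct = _class_flags(password)
    return 26 * lower + 26 * upper + 10 * digit + len(string.punctuation) * punct

def strength_bits(password: str, dictionary=SAMPLE_DICTIONARY) -> float:
    """Approximate log2 of the guesses needed. A dictionary word stays at the word-list
    budget however it is decorated, which is the post's "fluffy12" point."""
    if not password:
        return 0.0
    if is_dictionary_based(password, dictionary):
        return math.log2(ASSUMED_LIST_SIZE * ASSUMED_TRANSFORMS)
    return len(password) * math.log2(charset_size(password))

def check_password(password: str, min_length=12, min_classes=3,
                   dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the policy problems with a password; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(_class_flags(password))
    if classes < min_classes:
        problems.append(f"uses {classes} character classes, needs {min_classes}")
    if is_dictionary_based(password, dictionary):
        problems.append(f"derived from the dictionary word '{base_word(password)}'")
    return problems
```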
2. Establish an employee termination checklist
What policy does your business have for terminating employees or processing resignations? While it is never a pleasant experience, the loss of an employee can be made into an even greater headache when that employee walks away with valuable information, such as an administrative username and password.
Your employee termination checklist should always include at least one box to address some common I.T.-related security steps that only take a few moments to accomplish:
Disable or remote-wipe any company-owned cell phones or PDAs
Disable user accounts
Redirect e-mail to a secondary user
Any modern, well-designed I.T. infrastructure should be able to accomplish these three tasks easily. The key is to react quickly; malicious insiders are one of the top causes of data loss worldwide. Your I.T. department or provider should be able to respond to a termination before that user has a chance to harm your business.
A common issue we see is users who have been granted the ability to work from home, typically through a remote or virtualized desktop, who do not have their access revoked in a timely fashion. They are often able to take sensitive company materials (think client or accounting records) with them to a competitor or otherwise damage the data. Sometimes, user privileges are not revoked because they are using an account that needs to stay active or is utilized by multiple people, which brings us to the next topic:
3. Eliminate shared accounts and protect passwords
How many people in your office know the username and password for your computer? Perhaps you know the credentials for a coworker’s computer, or even your boss’s e-mail account. While there is sometimes a valid business requirement for this (such as a legacy system that only supports a single user), these cases are rare.
Using shared accounts and informing people of your password presents some obvious security risks, and while you may trust the person you shared it with, there are other reasons to keep those credentials private:
Sharing credentials means that there is no way to tell who is actually logged in to a computer or performing a given action. Properly configured networks should be able to audit user activity, but you won’t be able to establish non-repudiation if your employees are swapping passwords or writing them down. This means if something “goes wrong”, such as a file being deleted or inappropriate e-mail being sent, there will be no way to accurately tell which user performed the action.
Giving out your password to your favorite coworker may seem harmless because you trust them. But after you’ve given it out, there is no way to guarantee it won’t be handed to someone else. Even if you explicitly request that they not share it, passwords are often written down, and it is now outside your control. This makes things particularly complicated if you have to let an employee go, as it becomes difficult or even impossible to know which accounts that user had knowledge of.
Users should treat the passwords for your sensitive business systems as if they were bank account passwords, and oftentimes they really are!
4. Monitor your security software
Many of our technicians reported that they have seen a large number of instances where clients were not receiving the level of protection they expected from their security software. Antivirus and similar security applications need to be updated and enabled to be useful. Unfortunately, it isn’t always apparent when there is an issue with your security software, and maintaining it can require some proactive steps.
Check as often as you can to ensure your antivirus is updated, has a valid license (not expired), and has completed a recent scan on all of your systems. If you have a large network to manage, this can be a cumbersome task. We recommend business decision makers in this situation take advantage of our free monitoring software to help ensure security risks are addressed quickly.
5. Secure your connection points
Whether it is a wireless network or a remote access technology, make sure all points of entry into your network are secured using the best available methods. Frequently we find networks that have poorly configured security or are using a deprecated method to secure data. Here are some general guidelines for protecting the most commonly exploited points:
Wireless Networks – Use at least WPA or WPA2 encryption. Open wireless networks or those that utilize older standards such as WEP should only be available for guest use or legacy purposes.
Remote Desktop – Ensure your server uses TLS encryption if available. Consider only allowing access from certain computers or networks (whitelisting).
Exchange/Mail Servers – Disable unnecessary features and set the connections to only allow access from a trusted spam filter.
While these may seem like complex tasks, they are fairly routine for an experienced I.T. company. Depending on the infrastructure, they can be accomplished in a very small amount of time.
Although this is certainly not an exhaustive list of best practices, it will hopefully get you thinking about your own internal security practices and encourage you to take a closer look at how prepared your business is for the risks that will be an inherent part of doing business in 2011.
If you find that you need assistance, or would simply like to discuss any of the topics here, we encourage you to reach out to us.