Security! Security! Security!
Let me begin by stating that I’m an incredibly firm believer in integrity and doing what’s right to ensure that I can look myself in the mirror every day. That’s why I jumped at the chance to become an internal auditor for a company here in Pittsburgh. I’m sure the terms “auditor” and “audited” send a slight chill up your back, but it really was a great job. I was helping to improve the integrity of internal systems by finding security flaws and pointing them out to those who could patch them up. Some of these holes were small, but if exploited properly, they had the potential to endanger company operations and sometimes employee lives. At the end of each day, I knew that I was helping to maintain the stability of the organization, and while it sometimes didn’t help you to make friends, it was entirely worth it.
During my time in that position I learned a great deal about risk/control assessment, backup/recovery, change management, and physical/logical security. What I didn’t expect to learn was just how many companies out there are completely ignorant of these types of disciplines. I’m not just talking about your mom & pop shops that have a computer in their back room for e-mail. Companies of all sizes, large and small, are affected by this.
The Risk Is Real
For many companies in today’s workplace, the Internet has become the lifeblood of the organization. As such, I’m sure that you would be sickened to find out that your confidential documents are available to anyone with access to Google. Don’t believe me? Do a simple search for “this document is confidential” and see just how many private documents are available to the prying eyes of the public.
You would also probably hate to receive a call in the middle of the night stating that your Website was hacked, and the hacker was kind enough to leave you a message. But it happens:

This was a Website that I used to administer, and there is nothing more humbling than fixing a Website hacked by a group of 14-year-old kids half a world away and then having to explain what happened to your supervisor.
Losing a Website is bad, but the risk can be far worse. Take these two examples for instance:

It happens every day and most of the risk could be easily mitigated if only these organizations were to follow the appropriate steps to ensure the integrity of their systems.
So What Do I Do?
Now before you yank the network plug from your computer and curl into a ball in the corner, don’t panic. A lot of the preventive measures are simple and go a long way toward maintaining the integrity of your Website and/or business. Below are just some of the “low hanging fruit” that you should be mindful of to ensure that you don’t fall to the same fate as those mentioned above.
- Wireless Network: Having a wireless network is wonderful. With portable computer prices dropping and the amount of work that Americans are taking home increasing, laptops have become the popular business computer. Being able to connect your computer to your network without a Cat-5 cable makes it even better, especially if you are a minimalist like me. Unfortunately, most Americans possess the “I want it now” mentality and fail to properly secure their wireless network before they begin using it. This greatly increases the potential for them to fall victim to an outside attack.
Imagine that it’s late at night and you’re working away on a project due tomorrow. A car is parked outside and the driver of the car has a pair of binoculars. They’re using them to peer at your computer screen through the window, uncovering company secrets as you type away. Scary, huh? Well, thanks to the computer age and wireless technology, the person in the car no longer needs binoculars. Instead, with their laptop and your unsecured network, they now have the ability to confiscate your nicely formatted documents without even straining their eyes.
Lock down your wireless networks. All wireless routers include fairly easy, detailed instructions on how to appropriately secure your network so that only authorized computers may access it.
As I type this, there are three wireless networks around me that are completely unsecured and accessible.
- Username and Password: This is a fairly simple one that everyone should be following. Your username and passwords are your gateway to your computer systems. Having a weakness here leaves you vulnerable to intruders accessing your systems as if they were you. I’m sure that you would hate to explain to the CEO of the organization that all of your customer data was not deleted by you, even though the log files indicate that it was your username that did it. To avoid this, simply follow these steps:
  - Complex/Strong Password: Do not use something easy to guess like your name or your username. Instead, use a tool like Microsoft’s Password Checker to ensure that your password is strong.
  - Change Your Password Periodically: You should change your password at least once a year, but if possible you should change it every 3 months. And if your IT systems let you change it to the same password… don’t. Instead, be proactive and choose a new unique password.
  - Delete Unused Accounts: When I left one of my previous positions, my user accounts were deactivated before I left the office. However, at one of the other organizations some of my accounts are still active today. It is imperative that your IT department immediately deactivates any accounts related to an exiting employee.
- Logging: Most computer systems have the ability to verbosely log any activity occurring on the system, and they’re usually activated by default. While having a log file of events is great, it doesn’t mean anything unless you proactively monitor the activity. Routinely scan the log files for any anomalies and investigate.
- Backup: As with logging, having a backup of your data is important, but it’s even more important to periodically test the backup recovery procedures to ensure that your backups are viable. After all, you don’t want to be like the tech that wiped out $38 billion in funds, or would you?
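One way to run the restore test described in the Backup item, as an added example that is not part of the original post: record SHA-256 checksums when the backup is taken, restore the archive into a scratch directory, and compare. The function names, file names and file contents are assumptions constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


def make_backup(source, archive):
    """Archive `source`; return the checksum manifest taken at backup time."""
    manifest = sha256_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_test(archive, manifest):
    """Restore into a scratch directory; return the list of problems found."""
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # safe extraction
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **opts)
        except Exception as exc:  # any failure to unpack means the backup is not viable
            return [f"unreadable archive: {type(exc).__name__}"]
        restored = sha256_tree(scratch)
    problems = [f"missing: {f}" for f in manifest if f not in restored]
    problems += [f"changed: {f}" for f in manifest if f in restored and restored[f] != manifest[f]]
    return sorted(problems)


def demo():
    """Constructed sample tree: test a good backup, then one that lost a file."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "sub").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "sub" / "notes.txt").write_text("quarterly close\n")
        manifest = make_backup(src, Path(work, "good.tar.gz"))
        (src / "ledger.csv").unlink()  # constructed fault: the next backup job skips a file
        make_backup(src, Path(work, "bad.tar.gz"))
        return [restore_test(Path(work, n), manifest) for n in ("good.tar.gz", "bad.tar.gz")]


if __name__ == "__main__":
    print(demo())
```

An empty list means every file in the manifest came back byte-for-byte; anything else is a backup you would not want to discover during a real recovery.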
That’s All For Now
As you can probably tell, this is a topic that I’m emphatic about, and without restraint, I could ramble on for days. While we’ve only scratched the surface, I feel that it’s something that we all need to be cognizant of. If you’re in the working world it’s applicable to your everyday life in one form or another. Now go out there and secure your stuff!

Good to know these things. Thanks for sharing.
wow… a great post! it is incredible and scary to see that there are very easy ways people can steal data online…
Your logo gave me the impression that I was visiting a 300 fan site or something. Anyway, most people won’t take heed to the whole password thing. They either think their basic system is secure enough (hahaha!) or that no one would be interested in their private data.
@Leon: Well you’re definitely visiting the site of a fan of 300, I just don’t blog about it. ^__^
Your point is exactly why I felt inspired to write the post. Being the token IT-guy amongst my friends and family, I get a password-related call a couple of times a year asking eerie questions.
“Hey! I just tried to log into my email today and I couldn’t get in using my password. I then reset it back to what it was supposed to be and now it’s changed again”
That’s a prime example that happens all too often. People can brush it off all they want, but in the end, they’ll be the one talking about how violated they feel and asking how someone could do such a thing.
When it comes to the Internet and your personal information, you can never be too proactive.
This Just In:
Mass Web Infection Leaves Researchers Scratching Their Heads
Be safe. Be secure. Or be sorry.
[…] Shultz over at Truebluetitan has an interesting article on security. I agree with all of his points except for […]
Found this website which gives you heaps of different google hacks.
Good tips here. Sometimes people forget how important security is. Don’t underestimate it.