Redspin In The News

June 23, 2006
Company Data Easily Put At Risk
Dow Jones News Syndication
By Monica Gutschi of Dow Jones Newswire
©2006 Dow Jones & Company, Inc.
Toronto (Dow Jones), June 23, 2006 — Computers are safe - until you put a human in front of them.

Humans will do risky things like use their birthdates as passwords, then write them underneath their keyboards, take laptops full of confidential information on business trips, leave modems attached to public telephone lines, access the company's network from home, and even let hackers into their secure data room.

"Some of these issues may seem obvious," says John Abraham, president of Redspin, a California network security firm. "Nonetheless, they commonly exist."

And that means your company's network isn't necessarily secure even if it has firewalls, patches are installed on a regular basis, and the data room is under lock and key.

"Don't disregard the minor details. What you think is unimportant may be significant," Abraham said in a Toronto seminar sponsored by smart-card provider Gemalto.

For example, he's seen modems that accept incoming telephone calls attached to internal servers and accidentally left enabled, giving hackers easy access.

Or in the case of companies that allow remote access to their computer networks, Abraham says there isn't always the "strong authentication" needed to ensure that only authorized employees are signing on. A home computer in an unlocked room that has access to a company network is extremely vulnerable, he says.

Laptops and personal digital assistants are taken out into the public sphere every day with sensitive information unencrypted, he says. "That's your data walking out the front door," he says.

Employees with unlimited access to the Internet can be unwittingly attracted to "evil" Web sites that could then send a virus back to the computer. Employees are also known to install software plagued with viruses onto their office computers. A problem with one machine compromises the entire network, Abraham says.

And he notes that it can sometimes be ludicrously easy to launch an attack on a corporate network. An effective method is to send out e-mails to employees either posing as management with an important announcement, or luring them into a trap by providing a link to an evil Web site - with bait such as a salary survey.

Another method that Redspin has tried with dramatic success is sending a security engineer to pose as a computer technician arriving to check the server. The engineer simply "talks his way" into the company's data room where he has access to sensitive corporate information.

Most of all, Abraham says, "we see a general lack of security policy."

He suggests companies create one for all network users, and educate them about what it contains. As well, companies should limit employee access to the network, such as prohibiting users from installing downloaded applications on their workstations or storing confidential information on laptops.

He also recommends that companies have their technical staff consistently patch all servers and workstations against viruses, and that they disable ethernet ports in public areas.

If remote access is needed, technical staff should do a physical inspection of the off-site computer, and ensure that access requires more than simple VPN authentication.

As for passwords, Abraham says the more complex, the better. But even a complex one is "useless", he says, if it is overheard or pasted to the underside of a keyboard.

Contact
Monica Gutschi, Dow Jones Newswires; 416-306-2017; monica.gutschi@dowjones.com

©2008 Redspin, Inc. All rights reserved.