Executive Summary: Security horror stories abound and serve as wake-up calls for IT folks. You can prevent your own security nightmare by following these tips to protect service accounts, increase computer usage safety, perform high-level security assessments, get to know the Encrypting File System, master the authentication methods for Active Directory, properly use the Administrator account, and generate hash values for files and folders.
Security horror stories tend to wake and shake IT pros, forcing them to think about the safety of assets in their organizations. No one wants 15 minutes of fame on Internet security blogs as a prime example of what not to do. To prevent security disasters, the wise systems administrator avoids missing something obvious, watches out for the rogue colleague and the clueless CIO, quickly tackles user antics, and anticipates the unexpected. The shrewd IT leader also turns security nightmares into proactive strategies and follows tips, such as the ones I provide in this article, to protect valuable information.
Missing Something Obvious
One of the most common security mistakes is overlooking obvious threats. For example, I frequently hear stories about a stolen or lost laptop that holds thousands of confidential records or credit card data. Why is it possible to copy private data to a laptop computer in the first place? Why isn’t the data protected by some form of encryption?

Another common tale centers on the disgruntled employee who maliciously deletes business-critical data. If the company in question had set up file and folder permissions and had regularly secured file server backups, the amount of damage that such an employee could cause would be minimal. These obvious security holes are easy to plug.
Rogue Systems Administrators
Another security risk is that of the rogue systems administrator. IT managers should beware of laid-off and vengeful colleagues who have planted “dead-man switches” throughout the IT infrastructure. These switches could trigger a routine that deletes critical data. At other times the switches could activate scripts that do more damage, such as reconfiguring or deleting critical domain accounts, changing every password in the environment, and locking everyone in the company out of their computers.

These possibilities jar IT pros because of the infinite number of ways that someone who has complete access to the network can cause damage. The rogue systems administrator knows what he or she wants to do and how to bypass any security measures.
The Clueless CIO
Clueless CIOs, although not malevolent, can be dangerous nonetheless. Have you ever heard of a CIO who blindly ordered a change that ended up making the IT environment less secure? At one organization a CIO insisted on being added to the Enterprise Administrators group because, the CIO argued, managers are higher on the organizational chart than systems administrators. Unfortunately, the CIO brought his son to work with him on the weekend and logged the boy on to the network using privileged credentials. It took the company’s administrators two weeks to put everything back in order, including returning several explicitly labeled user accounts to their original names.

In another enterprise, a CIO acting on behalf of a CFO circumvented a policy restricting users from installing software on their own laptops. The CFO’s teenage son wanted to install games on his father’s powerful laptop to use at LAN parties. Unfortunately, the games were laden with viruses and worms. After the CFO reconnected the laptop to the corporate network, it infected other computers. Even CIOs acting in good faith can put your entire network at risk.
User Antics
IT pros have to keep a close eye on users, but you might not realize the extent to which users can unknowingly compromise your organization. Some have actually given their passwords to survey-takers in exchange for a bar of chocolate. Security guards have been known to disable the alarm on the emergency exit to a data center in order to prop open the outer door for a smoke break. Stories of user antics prove the adage “Nothing is foolproof to a sufficiently talented fool.” What IT pros can learn from such stunts is that the average worker can either be oblivious to or very creative about getting around security policies and restrictions.
Who Could Have Guessed?
Some security threats are almost impossible to anticipate. Even the most diligent, proactive security professionals can’t foresee horror stories that don’t fit into the usual paradigm. For example, a worm-infested antivirus update server could infect all the other computers in an organization. Likewise, laptop computers sent to a manufacturer for repair could return riddled with spyware. Although risks such as these are difficult to predict, IT managers should be on the lookout for them and ready to react at the first sign.
What To Do
In their eagerness to tackle any immediate concerns that might arise from other companies’ horror stories, IT pros should remember to continually and analytically examine their entire security configuration. If they become too focused on avoiding the threat of the moment, they could miss more dangerous security problems. Don’t be swayed by vendors offering a quick band-aid for a problem your organization might not have. Also, think about whether to use scare tactics to awaken end users to dangers that are lurking behind the scenes.
Shop wisely. Beware of consultants and salespeople who spread disaster tales and then peddle their own wares as the only answer to your potential nightmares. Such marketers might have only limited knowledge of your specific security environment.

For example, without looking too hard on the Internet you can find some frightening stories that involve SQL injection attacks. The way to protect against such attacks is to ensure that your web application validates input data. Some vendors sell software that does this. Protecting against SQL injection attacks is a priority if you are running a public-facing website that interacts with a database but is less urgent if the only web application in your organization is a seldom-used intranet site that contains little important data. In one case a decision-maker at a company purchased an expensive piece of data validation software although the only web-driven databases at the business were used by the HR department to schedule annual leave. To avoid such costly mistakes, look at your overall operations before making security decisions.
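To make the input-validation point concrete, here is an added example that is not part of the original article: a toy login check written two ways against an in-memory SQLite database. The table, user records and function names (build_db, login_vulnerable, login_safe, validate_username) are all constructed for this illustration. The first version splices request input into the SQL text, so a crafted password changes the meaning of the query; the second version uses a parameterized query and a whitelist check on the username, which is what "validating input data" looks like in code.

```python
import re
import sqlite3


def build_db():
    """Create a constructed sample users table (toy data; a real system would
    store salted password hashes, never plaintext)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: request input becomes part of the SQL statement.
    A password such as  x' OR '1'='1  turns the WHERE clause into a tautology,
    so the check succeeds without a valid credential."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


# Whitelist for usernames: lower-case letters, digits and underscore only.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Reject any username that is not plain alphanumeric text."""
    return USERNAME_RE.fullmatch(username) is not None


def login_safe(conn, username, password):
    """Hardened pattern: validate the input, then send values as bound
    parameters so the database never interprets them as SQL."""
    if not validate_username(username):
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable, bad password :", login_vulnerable(db, "alice", payload))  # True
    print("safe, bad password       :", login_safe(db, "alice", payload))        # False
    print("safe, real password      :", login_safe(db, "alice", "s3cret"))       # True
```

The parameterized query alone closes the injection hole; the username whitelist is the extra layer the article recommends, and it also rejects the kind of input that should never reach the database in the first place.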
Scare the wits out of users. Although bombarding IT pros with horror stories can lead to misdirected resources, it’s OK to occasionally frighten non-IT staff members to help them understand the reasons behind your sometimes baffling security policies. They might learn, for example, from the experience of a financial institution that hired a company to test its security. The company scattered USB thumb drives around the institution’s parking lot. Workers passing through picked up the devices and promptly connected them to their desktop computers, curious as to the contents of the discarded items. Unbeknownst to the employees, the company had hidden Trojan horse software on each device that activated when users accessed what seemed to be a harmless collection of pictures and then transferred complete control of the user’s computer to outsiders.

Such a tactic illustrates why some organizations have a policy disallowing the connection of unauthorized USB storage devices to company computers. It brings a complicated policy into focus and makes security policies seem less arbitrary to the people they affect.
Another area in which scare tactics might help is in preparing non-IT staffers for social-engineering attacks. For example, someone phones an employee, pretending to be from the IT department and asking for the employee’s password. The employee reveals the information and suddenly loses control of his or her user account. You could use this kind of horror story to explain why IT staff members must present identification before being allowed to reset passwords.

Likewise, clever mischief-makers might go to a user’s workspace, pick up the phone there, and call the IT department for a password reset. This tactic could fool the IT department into thinking that the display of the incoming caller’s extension offered proof of identity. Telling your users stories such as these will make them more aware of security risks and less likely to fall for them.
Tips to Avoid Becoming Your Own Security Horror Story
Think sensibly about the risks your organization faces and deal with them in a structured manner. Avoid diverting all your funds to tackle a specific threat just because you’ve recently heard rumors about it. Consider thunderclouds in terms of how seriously they could affect your organization rather than how they have already impacted a victim in a security nightmare. Good IT security practice is not only safeguarding an asset but also realizing why you must do so in the first place. When you understand why, you can prioritize the protection of more important assets over less important ones, thus best utilizing the resources you have available for security projects.