Insecure At Work? 

Digit by Team Digit / Nov 01, 2005 13:16:29 IST / Tags: security, regsvr.exe, e75, AMD
As competition grows, businesses need to become smarter and warier. Often, we hear of employees being poached by the competition, of security lapses and data theft. Since computers took over managing our daily business chores, paranoia has reigned among the masses, or at least among the smarter ones…

Does this all sound alien? Are you wondering what on Earth we're on to? We certainly hope not, because it would mean that you haven't even been worried about the confidential data that's stored on your company computers. Whether it's employee PCs or the company's file or Web server, there's always some data whose security keeps the bosses awake at night!

Most regular employees will probably be frowning really hard right now trying to comprehend, while most senior management people are nodding their heads off in approval! Sadly, that's the case in most companies across our country, with only a few corporates and even fewer medium-sized companies having a data security or protection system and process in place.

Whatever is done on your computer by others will be attributed to you

It's almost always the middle to senior management that's entrusted the task of securing their own data, and no training is given to the legions below. Why? It's either because we're too lazy, too paranoid, or just too ignorant of the risks.

Consider this: according to various studies conducted by research agencies such as the US Department of Commerce, as much as nine per cent of all data lost is stolen! So whether it's a teenage hacker, who could also be on a competitor's payroll, or your own employees and colleagues, chances are your data will be/has been/is being stolen, right from under your nose.

Who Wants My Files?
You'll be surprised at the importance of almost every company-related document you have, especially if you are at the middle management level!

Let's take, for example, your team's payroll file. Here's a file that only contains a list of names and their salaries. How could anyone but the accounts guys have any interest in that? Right? Wrong! Your team members may or may not discuss each other's salaries, especially if there is disparity in amounts due to differing performances over the year. The last thing you want to do is have a team divided by jealousy just because you forgot to add the "$" symbol when sharing the folder that contained the aforementioned file! Even if you don't think it's that big a deal, your bosses might not agree.

This however, is a very simple example! Perhaps none of us are stupid enough to do something like that. However, do you know there are tons of other ways you might unknowingly compromise the security and stability of your company? All it takes is a PC in the hands of a naïve employee to ruin things, and we hope that putting this article in his or her hands might solve some of those problems.

The Beginner Level
The first step is to secure your computer. More often than not, your PC is just your PC! There's no one else who is supposed to use it, and, in larger companies, there's probably a systems admin (SysAdmin) sitting somewhere far away watching characters (data and IPs) stream across his screen. To him (or her), you're just a number associated with the network IP or MAC address you were allotted. Anything that happens on that system is attributed to you, and, in the event of a disaster, all the protesting in the universe will not convince the SysAdmin that it just wasn't you trying to access all those confidential files from your machine!

It's as simple as walking away from your seat without locking your computer! If someone really wanted to get you into trouble (or keep themselves out of trouble), all they would have to do is look for a free PC. When the coast is clear, and a malicious user is sure of not being noticed, he (or she) would use your computer for nefarious purposes: trying to access restricted areas (files or folders), doing some damage to a network or file server, stealing data, or even something as silly as surfing for pornography.

In the end, whatever is done on your computer by others will be attributed to you. If we haven't made ourselves clear, lock your computers when leaving your desk. Put boot passwords to prevent unauthorised startup, and if you use Windows XP, make sure the default Administrator password isn't left blank!

If your office has shifts, and computers are shared by multiple users (a typical BPO setup), make sure to create separate logins for each user of a particular machine, and allocate each machine to only a fixed number of users. In this case (BPOs), chances are this has already been done at your office, or you use a system that makes each user log in to identify themselves. Just make sure to stress the importance of each user keeping his or her password private and not sharing it with friends.

E-mail Security
Though e-mail is generally considered the least secure of all daily tasks, there's still a basic level of security you should adhere to. You need to make sure that your e-mail client is secured with your anti-virus, because the last thing you want to do is be the cause of a big, bad virus entering the office network.

Viruses apart, there's still the need to keep e-mails private. Whether it's accolades or criticism you receive from your bosses, personal mails from your significant other, jokes from your friends, or confidential information passed on by your bosses and colleagues, you don't want just anyone accessing these mails. Make sure to use an e-mail client that offers password protection for both the e-mail client as well as the stored e-mails.

Microsoft Outlook is perhaps the most popular e-mail client, and it has both features. Just make sure you password-protect both the 'outlook.pst' as well as the 'archive.pst' files. You can do this easily by right-clicking on your 'Personal Folders' folder and selecting 'Properties'. Go to General > Advanced > Change Password. Now enter a new password and click 'OK'.

Proper Policies 
Bigger businesses will have heard of the ISO 17799 security standard. Getting ISO 17799 certification can mean the difference between being thought of as a small-time player and a 'proper' corporate entity. For those of you who haven't heard of it, here's a brief description, as taken from the Web site of ISO (the International Organization for Standardization), www.iso.org:
"ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
  • Security policy;
  • Organization of information security;
  • Asset management;
  • Human resources security;
  • Physical and environmental security;
  • Communications and operations management;
  • Access control;
  • Information systems acquisition, development and maintenance;
  • Information security incident management;
  • Business continuity management;
  • Compliance."
You can find a lot more information at www.17799.com, which is a community forum for the standard, and www.iso17799software.com. The entire standard description is not available for free download, and you will have to pay approximately $155 (Rs 6,800) to get it. If interested, you can buy and download it from http://snipurl.com/iso17799/.
Password Strengths
More often than not, we use passwords that are not really secure or creative. Most people use passwords that are specific key combinations, such as "asdf" or "abc123". Such passwords are not hard to guess, and any password cracker out there will do so in a jiffy. What you need to do is make sure that passwords are a mixture of numbers and letters, have no obvious sequence, and are not public knowledge. For example, if your name is Ram Rao, with the username set to "Ram", the first password people will try is "Rao"; the very next thing will be "r40", "ra0", "r4o", and other combinations of the same (FYI, 4=A if you're substituting numbers for letters).

Sometimes people are complacent and set their passwords to their mother's, spouse's or pet's name. These should be easy for anyone who knows you well enough to guess, and are thus a bad idea. Using your date of birth is also a big no-no. An example of a good password would be "R4o!s!nD4h0u53" (Rao is in da house) using numbers, letters and an exclamation mark! You could even set a cryptic enough hint to this password, such as "All Hail me…I have arrived".

We should reiterate that a lot of intrusions and security lapses happen only because of weak passwords.
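The checks above (mix letters and digits, avoid obvious key sequences, avoid names and dates an acquaintance could guess, including the "4 for A, 0 for O" spellings) can be turned into a small password audit. The following is an added example written for this article, not code from Digit or from any product it mentions; the minimum length, the length of a "sequence", the substitution table and the tiny common-password list are this example's own assumptions, since the article gives no numbers. It generates every digit-substituted spelling of a user's known tokens (name, username, date of birth, pet) the way the article describes an attacker doing it, and reports why a candidate password is weak:

```python
"""Password audit in the spirit of the article's advice.

Added example, not the article's own code.  Thresholds and word lists below
are assumptions chosen for illustration, not values from the article.
"""
import re
from itertools import product

# Constructed, deliberately short stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "abc123", "asdf"}

# Keyboard rows and ordered runs used to spot "asdf"- or "1234"-style passwords.
SEQUENCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "abcdefghijklmnopqrstuvwxyz", "0123456789",
]

# Digit-for-letter substitutions people use to "disguise" a word (4=A, 0=O ...).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7", "l": "1"}

MIN_LENGTH = 8      # assumption: the article gives no minimum length
SEQUENCE_RUN = 4    # assumption: four consecutive row/alphabet chars count as a pattern
MIN_TOKEN_LEN = 3   # tokens shorter than this are too short to be meaningful


def leet_variants(word, cap=256):
    """Every spelling of `word` with each substitutable letter either kept or
    swapped for its digit: 'rao' -> {'rao', 'r4o', 'ra0', 'r40'}.
    Capped because a long token yields up to 2**n variants."""
    choices = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word.lower()]
    out = set()
    for combo in product(*choices):
        out.add("".join(combo))
        if len(out) >= cap:
            break
    return out


def has_sequence(password, run=SEQUENCE_RUN):
    """True if `run` consecutive characters walk along a keyboard row or the
    alphabet/digit order, forwards or backwards."""
    p = password.lower()
    for i in range(len(p) - run + 1):
        chunk = p[i:i + run]
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def matches_personal_info(password, tokens):
    """True if the password is essentially one of the user's known tokens
    (name, username, date of birth, pet ...) or a digit-substituted spelling
    of one, optionally padded with digits or punctuation.  A 4+ character
    token buried anywhere in the password is flagged too; a 3-letter surname
    inside a long passphrase (the article's "R4o!s!nD4h0u53") is not."""
    p = password.lower()
    core = p.strip("0123456789!@#$%^&*()-_=+.,;:?")   # peel leading/trailing filler
    for token in tokens:
        if len(token) < MIN_TOKEN_LEN:
            continue
        for variant in leet_variants(token):
            if variant == p or variant == core:
                return True
            if len(variant) >= 4 and variant in p:
                return True
    return False


def weaknesses(password, personal_tokens=()):
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("does not mix letters and digits")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if has_sequence(password):
        problems.append("contains a keyboard or alphabetical sequence")
    if matches_personal_info(password, personal_tokens):
        problems.append("is a name, username or date, or a digit-substituted spelling of one")
    return problems


if __name__ == "__main__":
    # Constructed sample user: the article's Ram Rao, plus a made-up birth year.
    known = ["Ram", "Rao", "1985"]
    for candidate in ["asdf", "abc123", "Rao", "r40", "rao1985", "R4o!s!nD4h0u53"]:
        verdict = weaknesses(candidate, known) or ["ok"]
        print(f"{candidate:16} -> {'; '.join(verdict)}")
```

Run it as a script to see the article's examples judged side by side: the key combinations and the name variants fail, while the long mixed passphrase passes even though it contains "r4o", because the surname makes up only a small part of it.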

Networks
This is perhaps the biggest boon and bane of the IT world! If we all had standalone computers, we would have no security problems. At the same time, we wouldn't have PCs in the first place then anyway! Networks have brought us everything we now take for granted: the Internet, ATMs, LANs, Wi-Fi, hackers, viruses, spam… you get the picture.

Your office LAN is where most of the attacks come from, whether it's from your colleagues or from an unknown hacker across the world who has got into one system and is exploring the network. A virus on one colleague's PC could infect an entire office if you don't take basic security seriously. Things like anti-virus software are now a given, and no office is without one, but what about anti-spam software? And what about anti-adware or anti-spyware software?

Most offices are vulnerable via e-mail, and that oh-so-cute PowerPoint presentation you received in a mail might just contain a new Trojan that your anti-virus knows nothing about. So think twice (or two hundred times) before you blindly forward it to your entire office, or perhaps you should consider not opening these things at work in the first place.

Sharing is another hassle. Some of us learn of dollar shares and think, "Ahh, perfect!" We then promptly share important stuff with a dollar at the end of the share name and tell our bosses where to find it. Unfortunately, dollar shares are far from secure. Just because you haven't told anyone the name of the shared folder doesn't mean people will not find your shares. For example, anyone on a Linux computer can find your shares just by browsing through the network. Windows users, too, have several small programs, available for free download, that can scan a LAN to find computers and their shared folders, simple shares and dollar shares alike.

So it could be someone looking for some new music that accidentally stumbles across your shared folder that contains your team's appraisal sheet, or data meant only for your boss to see! In such cases, perhaps the internal e-mail system would be much more prudent to use.

Of course, the risks increase by orders of magnitude when you have a wireless LAN, since you not only have to worry about the users in your office, you also have to worry about guests and people outside. A good site plan when setting up a Wi-Fi network is a must, and good security should be used, such as 128-bit encryption at access points. Make sure you have access lists set by MAC addresses, and that you supply users with fixed IP addresses rather than using the Dynamic Host Configuration Protocol (DHCP), where IP addresses are assigned upon connection.

Read up on Wi-Fi networking and make sure to follow all security measures properly, or else you could get intruders in your LAN. The damage could be as simple as increased bandwidth due to unauthorised client PCs accessing the Internet, or as severe as data being corrupted and going missing, or even company secrets and policies being stolen. Digit's book Fast Track to Wi-Fi, provided with the May 2005 issue, should tell you more about Wi-Fi security.

Finalising Security
For companies that base their marketing on the level of security their data has, a good thing to do is ISO certification. For information security and management, you should look to get your company ISO-17799 certified. (See box Proper Policies).

Since getting this certification will most certainly be expensive, smaller companies might not want to opt for such drastic measures. That's where scouring the Net for information on security policies and reading up on case studies of companies with proper security training techniques will help you.

Remember, your company's security is only as strong as its weakest link, which most often is at the executive level. So make sure you train your employees well. We've given you only a refresher in the basics, mainly because every business has its own individual security requirements.

Online businesses, for example, need a way to secure their Web server and databases. Offline businesses will have a security requirement for their accounts and offline databases. Who has access to what information, and who uses which computer, is something your company security policy needs to decide. BPOs need to limit the amount and type of data that different levels of employees access; the list is endless.

Once you figure out what data needs to be kept secure, you can start looking for security loopholes and then decide upon a strategy to plug them all up. Meanwhile, you can start at the lowest level by teaching your employees about the necessity of personal data security.
