Security is a full time job

11 April 2013, Security

And I don’t mean the IT guy at work or your spam filter service provider, I mean you. Anyone and everyone is responsible for their own security, as I mentioned in a previous article. Of course your company has some staff (hopefully) who are there to ensure the company network is secured, but that staff can only do so much. Even if they do their job, stay on top of security and keep all the latest updates and patches installed, they cannot account for one or more employees ignoring security. If you get a phishing email and decide to click on the links, download some files and hand out sensitive information, you just became that network’s weakest link and may be responsible for the company getting hacked.

If you use a computer, tablet or smart phone, either in the office or at home, you should be aware of security policies, popular scams and the ways hackers may exploit you or your system. Personally, I think it is mandatory, like knowing how to drive before you are allowed to own a car. Sounds harsh, I know, but would you be comfortable being on the road knowing there are people on that same road driving a car without a license and with barely any experience? No, you wouldn’t. So why be comfortable on a network that has users who do not know about security and lack experience? They are a danger to themselves and others. The internet is such a network: a global network with a dangerous mix of inexperienced users and very experienced users who know how to take advantage of the inexperienced ones. Your home or office network, while connected to the internet, should at least be able to keep anything connected to it safe from outside attacks. This is where you come in.

At home, make sure someone is responsible for security, or appoint yourself to handle it. Keep systems up to date, keep software up to date, make sure the network is properly secured and educate other users on security and possible threats. At the office there should be staff handling these things, but you still have a job to do. If your computer notifies you about available updates, let your IT staff know. If you receive emails that look ‘phishy’, ignore them and alert the IT staff so the senders can be properly blocked by adding them to the spam filter. If you receive calls from someone asking for sensitive information, do not just hand it out. A man may call you claiming to be from your IT department: he is out on location and would like the VPN details so he can dial in and continue working. Even if this person uses details that sound plausible, do not hand out that information. Contact your IT staff so they can take over the call and handle it appropriately. While at the office your IT staff is the first line of defense, a lot of the weight of security still falls on the employees.

After this rather lengthy intro, let me get to the point I am trying to make in this post and the reason I titled it the way I did. There is a reason good antivirus applications update their database several times a day or more: vulnerabilities are found every day, several times a day, and companies are struggling to keep up by releasing updates and patches to close them. As soon as one of these updates is released, everyone knows exactly which vulnerabilities it fixed; updates with detailed descriptions are a goldmine for hackers. Now hackers know exactly what they can look for and exploit on systems that do not have those updates installed. This is why it is so important to install updates as soon as a trusted source notifies you (your operating system, Flash or Java plugins, for example) and to check every day for other software updates (Microsoft Office, Adobe, etc.). Don’t check once in a while, check every day. If you check for updates and patches once a month you are missing out on a LOT of security patches and you may have kept your whole network at risk. Make sure these updates and patches are applied on all of your systems and enforce this on systems you do not have access to for whatever reason (an office environment where people can connect their personal laptops, tablets or smart phones). If they do not update their systems and software, simply deny them access to the network and explain that they are putting the whole network at risk. For example, if someone wants to connect to my WiFi with a laptop running Windows XP or an Android phone, I must break the news that this will not be happening. It is my job to keep my home network safe and secure, and these systems could compromise that.

In an office environment strong and strict policies may get in the way of productivity, so a good balance must be found. Keep in mind, though, that security must always be the number one priority. “Sorry Maggie, but your password is extremely weak; your user account could be used to gain further access to our corporate network. Update your password to meet these requirements right away or I will have to disable your account until you do.” You will get some pushback, as no one likes passwords that are not short and easy to remember, but you are in charge of keeping the company network safe. “Do I really need a password every time I want to send a fax?” Yes you do; the fax is connected to the network, so it must be secured. Though it may hinder productivity slightly, it is worth the sacrifice.

I have worked for companies that put me in charge of security, and some companies have hired me as an outside source to make sure the policies are enforced properly. The first thing I always do is grab a list of all the user accounts and start trying to crack their passwords (which are, or at least should be, stored only as hashes, never in plain text). When done, all the passwords that I was able to crack right away or in a short amount of time are disabled; those users have to pick a new, stronger one immediately to get their user account working again. Passwords that took significant time to crack result in a notification to that user to let them know: “Hey, good password, but I was still able to crack it. Please consider updating your password; here are some tips.” Passwords that I was unable to crack, or that would take an insane amount of time to crack, receive a compliment. If people change their passwords (as they should) once in a while, then by the time I would crack a password it will already have been changed.
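The three-tier outcome of the audit above (disable, notify with tips, compliment) and the password requirements mentioned two paragraphs earlier can be turned into a simple triage script. This is an added example, not the author’s own tooling; the thresholds, the 12-character minimum, the guessing rate and the short common-password list are all assumptions for illustration, and it estimates worst-case brute-force time rather than running a real cracker.

```python
import string

# Constructed short list of common passwords; a real audit would use a
# large breach list instead of these five entries.
COMMON_PASSWORDS = {"password", "123456", "letmein", "welcome1", "qwerty"}

# Assumed offline guessing rate for a fast, unsalted hash (assumption,
# not a figure from the post). Adjust for the hash your system uses.
GUESSES_PER_SECOND = 1e10
MIN_LENGTH = 12  # assumed requirement; the post names no number

def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, per character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw): size += 26
    if any(c in string.ascii_uppercase for c in pw): size += 26
    if any(c in string.digits for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size

def seconds_to_crack(pw: str) -> float:
    """Worst-case exhaustive-search time; zero for list entries.
    Crude on purpose: real attackers try dictionaries and patterns first,
    so a password built from words and dates falls much faster than this."""
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def classify(pw: str) -> tuple[str, list[str]]:
    """Map a password to the audit action and the tips to send the user."""
    tips = []
    if len(pw) < MIN_LENGTH:
        tips.append(f"use at least {MIN_LENGTH} characters")
    if charset_size(pw) < 62:
        tips.append("mix upper and lower case, digits and symbols")
    if pw.lower() in COMMON_PASSWORDS:
        tips.append("this password appears on common-password lists")
    t = seconds_to_crack(pw)
    if t < 24 * 3600:                 # crackable within a day: lock until changed
        return ("disable", tips)
    if t < 30 * 365 * 24 * 3600:      # crackable within decades: notify with tips
        return ("notify", tips)
    return ("compliment", tips)

if __name__ == "__main__":
    for sample in ["password", "abc123", "Winter2013", "Correct-Horse-Battery-9"]:
        action, tips = classify(sample)
        print(f"{sample!r}: {action} {tips}")
```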

Take responsibility, especially if you are already in a position where people trust and rely on you to keep the network safe. If no one is in charge, partner up with your manager in the office or your family at home and get someone in charge. Make sure that person (or persons) stays on top of it. If you noticed a system has been asking for updates for three days and the person in charge of that has not updated it yet, let them know. No one is perfect and no one has all the answers, not even security specialists and IT staff; we learn new things every day. All help is welcome, so the more people are aware, the faster updates and patches can be installed.
