Following on from last week’s “10 Ways to Improve Your Security” post, here are the five you never would have thought of.
Rogue wireless access points
Rogue wireless access points can be set up either by a malicious hacker or by a user who is unaware of the ramifications of their actions. You may have a user with a laptop who connects into the corporate network with a standard ethernet cable. They try to visit a website that is blocked by your company’s internet filtering policies, so they switch on Wi-Fi, find a free access point called “Wi-Fi free” and connect to it. They can now reach the website, but they have breached your company’s security controls. Not only can the access point sniff their traffic (for passwords and credit card details), but the laptop is now connected to both networks at once, so the user has inadvertently given a malicious hacker a path into your network. There are also trojans which turn on a wireless access point on a laptop, enabling hackers to use it to breach networks. Another common method hackers use is to deploy an access point with the same name as the company access point, so that a user inadvertently connects to the hacker’s point instead of the corporate network.
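One defensive check that follows from the “same name as the company access point” trick is to compare what a Wi-Fi scan actually sees against the list of access points you operate. The example below is added here and is not from the original post: it takes constructed scan records (a real deployment would feed it output from a wireless IDS sensor or the OS scanner) and a constructed inventory of authorised BSSIDs, and flags any beacon that advertises the corporate SSID from a BSSID you do not own, as well as any open network that users might hop to in order to dodge filtering.

```python
"""Flag evil-twin and open access points from a Wi-Fi scan.

Added example, not code from the original post. The scan records and the
inventory of authorised BSSIDs are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # AP MAC address as carried in the beacon frame
    security: str    # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"
    channel: int


# Constructed inventory: corporate SSID -> the BSSIDs we actually operate.
AUTHORISED = {
    "CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed scan results, as a scanner or wireless IDS might report them.
SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", "WPA2-Enterprise", 36),
    Beacon("CorpNet", "00:11:22:33:44:02", "WPA2-Enterprise", 44),
    Beacon("CorpNet", "de:ad:be:ef:00:01", "OPEN", 6),        # our name, not our radio
    Beacon("CorpNet", "de:ad:be:ef:00:02", "WPA2-PSK", 11),   # our name, weaker auth
    Beacon("Wi-Fi free", "aa:bb:cc:dd:ee:ff", "OPEN", 1),     # the "free" AP from the text
    Beacon("Neighbour", "12:34:56:78:9a:bc", "WPA2-PSK", 1),
]


def find_rogue_aps(scan, authorised):
    """Return a list of (reason, beacon) for every suspicious AP in the scan.

    "evil_twin"    - advertises one of our SSIDs from a BSSID we do not own.
    "open_network" - unencrypted network; anyone on it can sniff the traffic.
    """
    owned = {ssid: {b.lower() for b in bssids} for ssid, bssids in authorised.items()}
    findings = []
    for beacon in scan:
        if beacon.ssid in owned and beacon.bssid.lower() not in owned[beacon.ssid]:
            findings.append(("evil_twin", beacon))
        elif beacon.security.upper() == "OPEN":
            findings.append(("open_network", beacon))
    return findings


if __name__ == "__main__":
    for reason, beacon in find_rogue_aps(SCAN, AUTHORISED):
        print(f"{reason:13} {beacon.ssid!r:14} {beacon.bssid} ch{beacon.channel} {beacon.security}")
```

Run against the constructed scan this reports the two “CorpNet” impostors as evil twins and “Wi-Fi free” as an open network; the neighbour’s WPA2 network is left alone. The BSSID inventory is the important input: keep it current when you add or replace access points, or every legitimate change will look like an attack.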
USB – the biggest offender so far
Every day we see more and more virus infections as a result of USB keys. Malicious hackers will purchase hundreds of USB keys, install viruses on them and ‘accidentally’ lose them. Users find them and plug them in, and the machine instantly becomes a bot, or a worm spreads and causes havoc. If in doubt – don’t plug it in!
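Policy (“don’t plug it in”) is the first line, but you also want to know when a mass-storage device does get plugged in. The following example is added here and is not from the original post: it parses a constructed sample of Linux kernel log lines in the format the USB stack writes (device found, product name, mass-storage detected), correlates them by USB port, and reports each removable-storage insertion together with whether its vendor:product id is on an allowlist you maintain. The allowlist and log lines are both constructed.

```python
"""Report removable-storage insertions from Linux kernel log lines.

Added example, not code from the original post. The log lines are a
constructed sample in the format the Linux USB stack writes to dmesg.
"""
import re

# Constructed sample: a flash drive on port 1-1, then a wireless mouse receiver on 2-3.
KERNEL_LOG = """\
usb 1-1: new high-speed USB device number 3 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: Product: Cruzer Blade
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 2-3: new full-speed USB device number 4 using xhci_hcd
usb 2-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
usb 2-3: Product: USB Receiver
"""

DEVICE_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def find_storage_insertions(log_text, allowlist=frozenset()):
    """Return one dict per mass-storage insertion seen in the log.

    Each dict carries the port, the vendor:product id, the product string
    (if logged) and whether the id is on the allowlist. Non-storage devices
    such as keyboards and mice are ignored.
    """
    devices = {}   # port -> details gathered from earlier lines
    hits = []
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            devices[m["port"]] = {"port": m["port"], "id": f"{m['vid']}:{m['pid']}", "name": None}
            continue
        m = PRODUCT_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"]
            continue
        m = STORAGE_RE.match(line)
        if m:
            dev = devices.get(m["port"], {"port": m["port"], "id": "unknown", "name": None})
            hits.append(dict(dev, allowed=dev["id"] in allowlist))
    return hits


if __name__ == "__main__":
    # Constructed allowlist: ids of encrypted drives the company has issued (none here).
    for hit in find_storage_insertions(KERNEL_LOG, allowlist=frozenset()):
        status = "allowed" if hit["allowed"] else "NOT on allowlist"
        print(f"port {hit['port']}: {hit['id']} {hit['name']!r} - {status}")
```

On the sample log this reports a single insertion, the flash drive on port 1-1, as not on the allowlist; the mouse receiver never produces a mass-storage line and is skipped. In practice you would run the same logic over the live kernel log or a forwarded syslog stream and raise an alert on unexpected ids, which is a useful complement to simply blocking removable storage on machines that do not need it.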
Bluetooth
Bluetooth is a major source of security weakness for organisations. Even with the emergence of WAP, 3G and wireless, the number of people who still use Bluetooth and leave it on all day is amazing. It is extremely easy for a hacker to perform ‘Bluesnarfing’ and take control of your device, gaining access to everything from your videos through to your contacts, and even making phone calls. And if your phone is also linked to the company network over wireless, a malicious hacker has just bypassed all of your enterprise security controls. ‘Bluejacking’ is another common term; it involves sending unsolicited messages or data to your Bluetooth devices. If you need to use Bluetooth, you can lower the risk of Bluesnarfing or Bluejacking by setting a PIN and changing it frequently. Periodically review your list of paired devices and remove anything you do not recognise. Block all unauthorised connections to your device and turn off Bluetooth visibility. Or, if it is not in use, just turn Bluetooth off!
Standardise mobile devices
As part of your company’s mobile security policy, look to standardise on mobile devices. Not only does this make purchasing easier, but from a system administration, support and security point of view it reduces costs dramatically. The more diverse the devices, the more money, time and effort it will take to secure them.
Acquisitions or partner companies
If a hacker can’t penetrate your company directly, they may try to gain access through your partner company’s networks and infrastructure. Organisations need to ensure that their partners or affiliated businesses are also secure, especially where there is a trust relationship or VPN connection between the networks.
Many companies take the view that they won’t be the target of hackers and therefore don’t require these preventative measures. The reality is that with modern hacking tools and applications you don’t need to be a specialist to wreak havoc on an unsecured network. In fact, SMEs are the new target of sophisticated cyber crime as larger companies become increasingly better at protecting themselves. A security breach could be initiated by a disgruntled ex-employee, a bored teenager in a remote country, a budding hacker after credibility and bragging rights, a spammer looking to line their pockets with your contact list, or someone trying to gain information on one of your clients via your systems. These days, even if you don’t store credit card details online, almost all companies hold sensitive information about finances, trademarks, strategy and general email conversations, not only for their own business but for those of their clients. Everyone is a potential target, and the consequences of a breach can be devastating and irreparable.