So most of you reading this blog are likely to be IT professionals who may or may not be involved in the security area.
I thought I’d take some time out to pen a series of posts on common security mistakes I have found in assessments. They also apply to daily life and are very simple in nature, but they are everyday things we forget to do, and forgetting them can have a disastrous impact on the security of an organisation or an individual.
Sometimes we forget, and that’s OK; so long as you keep these points in the back of your mind, we can at least minimise the damage.
Today we’ll look at the general rules of thumb, and in future posts I’ll go into more detail on things such as client side attacks, antivirus, passwords, encryption, mobile devices and more.
Rules of thumb
– Never give out your username and password by email, phone or in person to anyone you do not know or were not expecting to ask for them. Legitimate IT staff have no need to ask for your password. This includes not leaving Post-it notes containing usernames and passwords around your desk.
– Never open emails from sources you are unsure of, or emails you are not expecting; this is especially important for links in emails. One link can compromise your machine, and from there the entire network. When undertaking an assessment I will often send something as simple as a spreadsheet to a user: a spreadsheet passes attachment controls that only block obvious executables, and users assume it is safe. If in doubt, throw it out.
– Never post sensitive information about your company on social media, and never post your date of birth ANYWHERE. Use a separate email account for personal use rather than your work address. Your name, address and date of birth are all someone needs to steal your identity or impersonate you to other parties.
– Lock your machine when you are away from your desk! Simple and effective.
– Always query people on the floor who are unknown to your workplace. Physical security is a large part of an organisation’s security policy: employees should be vigilant and identifiable with access cards and the like, and contractors should be cleared and queried before being given physical access. The same goes for your servers; make sure the server room is locked. I heard a story recently from a friend about a visit to a large retail store. Walking through, he found the server room unlocked with the door left wide open (he even took a photo). It only takes two minutes for someone to grab a server and walk out, and then you have a disaster on your hands. That is, of course, unless your server room looks like this, in which case you have bigger things to worry about…
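One concrete check behind the email rule above: a link’s visible text is not its destination. The following Python script, added here as an example and not part of the original post, pulls every link out of an HTML message body and flags the ones that warrant a second look: visible text naming a different domain from the real target, a raw IP address in place of a hostname, or a non-web scheme such as javascript:. The message body is constructed for illustration; the domains and the 203.0.113.7 address are placeholders.

```python
"""Flag links in an HTML e-mail whose visible text disagrees with the real target.

Added example, not code from the original post. SAMPLE_EMAIL is a constructed
message; the domains and the 203.0.113.7 address are placeholders.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Visible text that itself looks like a URL or hostname, e.g. "www.bank.example.com/secure".
_HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _registered_domain(host):
    """Crude registered-domain guess: the last two labels (login.example.com -> example.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(visible_text, href, reason)] for links a user should check before clicking."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = urlparse(href)
        if target.scheme == "mailto":
            continue                      # plain address links are not the concern here
        if target.scheme not in ("http", "https"):
            findings.append((text, href, "non-web scheme %r" % target.scheme))
            continue
        host = target.hostname or ""
        if _is_ip(host):
            findings.append((text, href, "raw IP address instead of a hostname"))
            continue
        shown = _HOST_IN_TEXT.match(text)
        if shown and _registered_domain(shown.group(1)) != _registered_domain(host):
            findings.append((text, href, "visible text names %s but link goes to %s"
                             % (shown.group(1), host)))
    return findings


# Constructed sample message: three links deserve a second look, two are fine.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account within 24 hours:</p>
<a href="https://bank-example.net/login">https://www.bank.example.com/secure</a><br>
<a href="http://203.0.113.7/update">Update your details</a><br>
<a href="javascript:void(0)">Unsubscribe</a><br>
<a href="https://www.example.com/help">www.example.com/help</a><br>
<a href="mailto:support@example.com">Contact support</a>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-40s -> %-35s %s" % (text, href, reason))
```

Feed it the HTML part of a saved message and read the three reasons it can produce. The registered-domain comparison is deliberately crude (last two labels) and will misjudge country-code domains such as example.co.uk, so treat the output as a triage aid for the "if in doubt" decision, not as a verdict.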
In the next installment of this series we’ll examine client side attacks and look at why your browser is one of the biggest weaknesses, both in a corporate environment and at home.