IT security's infamous five
Despite all the warnings, all the headlines, and all the headaches, there are some security basics that we just keep leaving undone: Graham Cluley names them.
Most enterprises deploy some software to protect against malware threats, yet companies are still overlooking key aspects of IT security. In truth, security strategies are often full of holes – caused either by managerial oversight or individual error.
There has been much published about the top IT security threats, but the biggest ostensible dangers are not necessarily the ones that end up posing the most prevalent problems. Quite often it is the less high-profile, more mundane vulnerabilities that persistently vex security specialists.
Being a senior technology consultant at Sophos means I have been well placed to keep count of the categories of vulnerabilities that keep cropping up again and again. So here, for the first time, we’ll reveal the Five Most Overlooked Points of IT Security – all holes that need fixing fast in order to reduce the threat...
1: Deploying email gateway protection, but ignoring the desktop, is like locking the front doors of your office, but forgetting that you’ve left a ground floor window wide open. Threats can enter an organisation via many different routes – for example, worms that spread via instant messaging software will bypass gateway protection entirely. If the desktop is unprotected, there’ll be nothing to stop the worm from infecting the computer and endangering network security.
If you protect desktops alone, the infection may be stopped; but you could still face technical support issues caused by panic-stricken PC users. A typical user may be alarmed if a message alerts them that a piece of malware has been intercepted, or asks them which action to take, and the inevitable call to the IT helpdesk will then waste time and resources.
Users protected by email gateway software need never know that someone tried to send them a virus, because it will be intercepted long before it reaches their computer. Additionally, it takes away their responsibility – i.e., they don’t have to decide what to do with the virus warning.
2: Many users delight at the prospect of receiving a joke program or file from a friend or colleague – bored with office work, it is too tempting for some to resist. But malware often poses as legitimate attachments, a classic example being the Love Bug worm (circa 2000), which sent round a message with the subject line ‘ILOVEYOU’ and the attached file ‘LOVELETTER_FOR_YOU.TXT.VBS’.
Arguably, the ‘genius’ of the Love Bug was in its psychological hook – using a phrase that held universal understanding and appeal. Whether received from your boss, assistant, or the hottie from accounts, the temptation to open it was huge.
Not practising ‘safe computing’ exposes computers to infectious attack – a fact often overlooked by organisations of all sizes. Common sense is an important part of any security defence, and enterprise users need to be seriously educated about appropriate online behaviour.
3: Many employees are their own worst enemy when it comes to remote security. Corporate laptops are used in public places, regardless of potentially dangerous wireless hotspots, and the amount of confidential information available to eavesdroppers, while laptops can easily be lost on public transport, stolen from cars, or tampered with by children.
Detached from their ‘mothership’ network, these computers are often left with out-of-date antivirus software and security patches, further increasing the risk of infection. It’s an ‘out of sight, out of mind’ approach that needs immediate remedying. Remote workers must be treated as though they are on the company network, because if they bring in an infection from outside, this could transfer to the network and be passed on to customers, jeopardising valued (and valuable) relationships.
Home PCs are often used for work purposes even though they may be inadequately protected – in the past year there’s been secret information related to nuclear power plants and police investigations stolen by malware, after unwary staff made this mistake.
4: It might be easier on your memory to have a single password for all websites, but the security implications could be disastrous, especially if you start using this password for online banking, eBay/PayPal, or any site storing confidential details.
Recent research from Sophos indicated that 41% of respondents fall into this category, while 75% of the respondents admitted to the use of weak, easy-to-guess passwords. This presumably means that 31% of users (75% of the 41%) have no accounts at all with satisfactory passwords.
For businesses, it could mean that a password used to protect several important company files is the same one that an employee uses to play online poker, bid in online auctions, and log into special-interest forums.
Users need to be taught not to choose dictionary words which are relatively easy for a hacking program to crack, while ensuring that the passwords they eventually go for differ from site to site.
5: The most serious IT security issue is the one that you've done nothing about. All of the foregoing flaws can cause serious repercussions, yet while some enterprises are aware of the potential damage, they fail to ensure employees abide by company policies.
Every organisation needs an IT security policy, but it’s equally important that there’s someone tasked with following it up. There has to be a proper set of guidelines for dealing with security breaches – and this should include the threat from within. You don't need to be draconian – if anything, this will make staff more likely to hide computing misdemeanours, rather than admitting to any mistakes.
Organisations must take action if a person repeatedly ignores IT security protocol, but for the most part simply reminding staff that such a policy exists should help keep everyone in line.
Graham Cluley is senior technology
consultant at Sophos