“Hackers Elect Futurama’s Bender to the Washington DC School Board” -- posted by PCWorld on March 2, 2012.
“STOLEN NASA LAPTOP HAD SPACE STATION CONTROL CODE” -- posted by Discovery News on March 1, 2012.
With headlines like these popping up, it seems a good time to ask: how does your company protect itself from direct hacking, and from hacking made possible by stolen property?
In the Washington DC School Board case, the hackers did not just rig the election. While inside the system they noticed Iran-based attackers probing it with a default administrator login (username admin, password admin) and shut them out by blocking the offending IP address. If only every hacker were willing to fix our security holes for us. In the case of the stolen NASA laptop, it was physical theft, not a remote break-in, that put material for key systems in an outsider's hands.
Get Back to Basics
In my years of working with Enterprise Content Management systems, I have been surprised at the number of companies that leave the default admin password exactly as it came out of the box. Even when changing the password had been recommended at implementation time, I was still able to log into their systems months, even years, later.
In each case I informed the appropriate people at the company that the password had never been changed and that this was a security risk, only to find that most of the organizations still never changed it.
Most applications today require administrators to set a password during installation. Here are some common Don'ts that people keep violating:
- Don't use the same admin password for every new application or service
- Don't substitute look-alike numbers for letters (for example 0 for o, 1 for l, 9 for r, 3 for e); password-cracking tools try these substitutions as a matter of course
- Don't use consecutive numbers (1234, 2012)
- Don't use your company name in any password (even with look-alike substitutions)
- Don't use recognizable dictionary words (in any language)
- Don't use names
- Don't use significant dates as your numbers (for example 100112 for the admin's anniversary)
- Don't reuse old passwords
- Don't store passwords in an unencrypted file
- Don't forget physical security
- Don't boast about how good your security is
I know there are many articles and books out there on how to improve security, but more often than not a security hole can be traced back to a basic principle that was ignored, such as the Don'ts above. Staying with the theme of getting back to basics, here is a list of Do's that I see many organizations failing to maintain or act upon:
- Do change passwords on a regular basis (some experts actually prefer changes at irregular intervals to limit predictability), and immediately whenever a compromise is suspected
- Do use a combination of upper- and lower-case letters, numbers and special characters (within what the system allows)
- Do maintain a unique password for each application and system
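One concrete way to enforce the Don'ts and Do's above, and to refuse the out-of-the-box admin password described earlier, is a policy check that undoes look-alike substitutions before matching against the company name and a word list, looks for digit runs and dates, and compares the candidate against salted hashes of previous passwords rather than plaintext. The block below is an added example, not code from the original article. The company name, word list, name list, the 12-character minimum and the sample password history are assumptions constructed here for illustration; a real deployment would load a full dictionary and the per-account hash history from its own store.

```python
"""Password-policy checker encoding the Don't/Do lists (added example)."""
import hashlib
import hmac
import os
import re

# Look-alike substitutions to undo before matching ("correlating numbers for letters").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "9": "r", "@": "a", "$": "s", "!": "i"})

COMPANY_NAME = "acmecorp"                                   # constructed for the example
VENDOR_DEFAULTS = {"admin", "password", "changeme", "root", "123456"}
WORDLIST = {"admin", "password", "welcome", "summer", "winter",
            "secret", "letmein", "monkey", "dragon"}        # constructed; real lists are huge
NAMES = {"john", "mary", "bender"}                          # constructed
MIN_LENGTH = 12                                             # assumption, not from the article
PBKDF2_ROUNDS = 50_000


def normalize(pw: str) -> str:
    """Lowercase and undo leet substitutions, so 'Acm3C0rp' compares as 'acmecorp'."""
    return pw.lower().translate(LEET)


def has_sequential_digits(pw: str, run: int = 3) -> bool:
    """True if any digit run holds `run` consecutive ascending or descending digits."""
    for digits in re.findall(r"\d+", pw):
        for i in range(len(digits) - run + 1):
            chunk = [int(c) for c in digits[i:i + run]]
            steps = {b - a for a, b in zip(chunk, chunk[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def looks_like_date(pw: str) -> bool:
    """Treat 6- or 8-digit runs that parse as MMDDYY or YYYYMMDD as dates (e.g. 100112)."""
    for digits in re.findall(r"\d{8}|\d{6}", pw):
        if len(digits) == 6:
            month, day = int(digits[:2]), int(digits[2:4])
        else:
            month, day = int(digits[4:6]), int(digits[6:8])
        if 1 <= month <= 12 and 1 <= day <= 31:
            return True
    return False


def has_mixed_classes(pw: str, minimum: int = 3) -> bool:
    """Require at least `minimum` of: lower-case, upper-case, digit, special."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= minimum


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history holds (salt, hash) pairs, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_history(old_passwords):
    """Build a (salt, hash) history from plaintexts; only used to construct sample data."""
    history = []
    for old in old_passwords:
        salt = os.urandom(16)
        history.append((salt, hash_password(old, salt)))
    return history


def reused(pw: str, history) -> bool:
    """Constant-time comparison against every stored hash (the 'no old passwords' rule)."""
    return any(hmac.compare_digest(hash_password(pw, salt), digest) for salt, digest in history)


def check_password(pw: str, history=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    norm = normalize(pw)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short (minimum %d)" % MIN_LENGTH)
    if norm in VENDOR_DEFAULTS:
        problems.append("vendor default")
    if COMPANY_NAME in norm:
        problems.append("contains company name")
    if any(word in norm for word in WORDLIST):
        problems.append("contains dictionary word")
    if any(name in norm for name in NAMES):
        problems.append("contains a name")
    if has_sequential_digits(pw):
        problems.append("sequential digits")
    if looks_like_date(pw):
        problems.append("contains a date")
    if not has_mixed_classes(pw):
        problems.append("fewer than 3 character classes")
    if reused(pw, history):
        problems.append("reused from history")
    return problems


if __name__ == "__main__":
    sample_history = make_history(["OldPassw0rd!2011"])   # constructed
    for candidate in ["admin", "Acm3C0rp-2012!", "OldPassw0rd!2011",
                      "correct-Horse-battery-7Staple"]:
        print("%r: %s" % (candidate, check_password(candidate, sample_history) or "OK"))
```

Note that the normalization step is what catches "Acm3C0rp": compared raw, the company name would not match, which is exactly why the look-alike trick gives a false sense of safety. The history check stores only salted hashes, so the checker itself never becomes the unencrypted password file the Don'ts warn about.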
Don’t Forget Physical Security
We've all heard the horror stories about organizations that lost track of the rooms or cabinets where electronic equipment was stored and had the hardware stolen out of them.
What amazes me, and I am guilty of this as well, is the number of times I see people walk away from their laptops in a coffee shop, a restaurant or even an airport. It takes only a second or two for someone to swipe an unattended laptop or tablet off a table. By the time someone sets down the laptop, walks to the counter to add cream and sugar to their coffee and grabs a napkin, a sticky-fingered patron can pick up the machine and be out the door.
A $26 security cable (from makers such as Kensington) and the 60 seconds it takes to attach it to the table and the laptop can save untold numbers of dollars. A home security expert once told me that a sign in the yard saying the house is protected is a huge deterrent to theft, simply because most thieves are looking for easy targets.
The same applies to mobile electronics. Because a security cable is not a hundred percent effective (though much better than nothing), companies should standardize on an encryption technology, full-disk encryption at a minimum, for every laptop and mobile device, and verify that it is actually deployed rather than merely mandated.
A published statement from Paul K. Martin, Inspector General at NASA, in "NASA Cybersecurity: An Examination of the Agency's Information Security" said that, "Between April 2009 and April 2011, NASA reported the loss or theft of 48 Agency mobile computing devices, some of which resulted in the unauthorized release of sensitive data including export-controlled, Personally Identifiable Information (PII), and third-party intellectual property." Among the challenges Mr. Martin listed for the Agency in protecting against inadvertent loss and malicious theft was the "Slow pace of encryption for NASA laptop computers and other mobile devices."
The Washington DC School Board elected a cartoon character because the board was so confident in its systems and security that it publicly dared hackers to crack its absentee voting system. Security-conscious NASA, despite all of its precautions and internal audits, had trouble with hackers simply because of who it is.
The point is that hackers will try anything to get into places they shouldn't. Boasting only encourages them by making it a challenge, and forgetting the basic principles of protecting your organization and its employees only makes it that much easier for them to wreak havoc. Use common sense and deploy strong security strategies to keep cyber pirates and thieves at bay.
Image from Igorsky (Shutterstock).
Editor's Note: You may also be interested in reading:
- Threat Intelligence Without Action is Not Intelligent by @solutionary
- Information Security Study Shows Increased Risk, Insufficient Spending by @normanmarks