
Beware threats from both within and without; protect employee privacy; secure your networks via education

Today's workplace is a massive nightmare for information technology folks when it comes to security.  But by emphasizing consistent, workplace-wide policies and by enforcing reasonable access limits, a company can safeguard itself against both internal and external data loss.

Let's discuss a few keys to maintaining a secure workplace.

1. Rule BYOD, don't let BYOD rule you

Most businesses are going to let employees bring their own devices (laptops, tablets, etc.) to do work with.  But holding seminars on how to keep private and workplace data secure is crucial.  BYOD hardware must be managed with a clear and consistent policy, with well-defined limits to prevent your IT employees from accessing personal data.

[Image: Women on cell phones]
BYOD can save costs, but poses unique privacy and security risks. [Image Source: Andrew Hinderaker]

That way, if employees do choose to bring devices and their privacy is violated, the liability will lie not with your management but with the staff member who violated that trust.  Likewise, if an employee engages in inappropriate behavior (say, viewing adult videos at work), you'll have the analytics to challenge them as necessary.

2. Ban USBs, CD Burning; go to an Internal Cloud

An internal cloud is a much more secure solution than allowing employees to share and transfer files via physical media such as USB sticks or CDs.  Not only can such media carry malware, but it can also be used by a malicious employee or person posing as an employee to steal valuable trade secrets from your firm.

If your private cloud is properly designed and firewalled from the external world, it will not only allow your employees to share information more easily, it will also cut off a major source of data loss.  Banning physical media is a smart idea and easy to do with today's technology.

3. Adopt the Latest Software

Still kicking around Internet Explorer 7?  Kicking it with Windows XP?  Quit it.

Old software is a security risk.  If it is patched at all, it is often patched at a painfully slow pace.  And there's typically a lot of it lingering around here and there, so inevitably it's a highly attractive target for malware authors.

[Image: Windows XP]
We know you loved Windows XP, but it may be time to move on. [Image Source: Microsoft]

While few businesses have the need or resources to upgrade with every single release of Windows and every single new browser release, many should put a bit more effort into staying up to date.  And if you're testing software for older browsers or other older platforms with inherent security risks, be sure to isolate them from your other networks.  Just ask Google Inc. (GOOG), which saw IE 7 test machines exploited by Chinese hackers to steal data off its network.

4. Blacklist URL Shortening domains

Huge security risk: a shortened link hides its real destination from both the user and your URL filters until it is clicked.  Enough said.

5. Enforce Passphrase Use, Use Strong Hashing

Hold an employee seminar and explain how you can make a sentence into a password.  A 30 or 40 character long password is very hard to break even with modern GPUs.

Like the sound of that? Do one better by also securely backing the password with the most modern hashing algorithms like SHA-256 or SHA-512.  Combined, these two techniques will make it virtually impossible to brute force your passwords.
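As an added example (not from the article), here is how a passphrase store built on SHA-256 looks when the hash is also salted per user and iterated, which is the point the comment thread below raises: the same SHA-256 with a work factor (PBKDF2 from the Python standard library) costs an attacker thousands of times more per guess than a bare hash. The record format and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor: tune so that one verification costs roughly 0.1 s on your login servers.
ITERATIONS = 200_000


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)   # unique, random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def guesses_per_second(hash_fn, guesses: int = 2000) -> float:
    """Rough single-core throughput of a guess function; lower is better for the defender."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}")
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    sentence = "my login sentence is long and easy for me to remember"
    record = hash_passphrase(sentence)
    print(record)
    print(verify_passphrase(sentence, record))   # True
    print(verify_passphrase("my login", record))  # False
    # Compare how many guesses per second each scheme hands an attacker.
    fast = guesses_per_second(lambda p: hashlib.sha256(p.encode()).hexdigest())
    slow = guesses_per_second(lambda p: hash_passphrase(p, b"fixed-salt-demo", 20_000), guesses=20)
    print(f"plain SHA-256: {fast:,.0f} guesses/s; PBKDF2-SHA256 (20k iterations): {slow:,.0f} guesses/s")
```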

6. Hold Education Seminars on Phishing, Spear-Phishing

Phishing -- sending malicious links inside innocent-looking email messages -- is a huge security risk for every company.  Even the best password won't protect you if you go giving it to the wrong web form.  Teach your employees to watch the URL bar in their browser and to avoid clicking on email links to access a site unless they really trust them.

[Image: Spear Phishing]
Beware spear-phishing, lest it compromise your employees who hold the most valuable files. [Image Source: FBI (modifications: Jason Mick/DailyTech LLC)]

Special care should be taken to prevent spear-phishing -- attempts to target specific high-profile catches, such as a CEO/CTO/CFO's login information.  Your executives may moan and groan, but they're far too valuable to let them fall for such ploys.

Special screening of executive email can help cut down on spear-phishing threats as well.  While staff obviously can't hand-screen every email message, it is practical to screen high-level management's messages for clear fraud/spam attempts.

Again, a clear-cut policy to protect privacy must be enforced here, to prevent unfortunate incidents.
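As an added example serving points 4 and 6 (not code from the article), this is the kind of automated pre-screen that can sit in front of a human reviewer of executive mail: it parses the links in an HTML message and flags those that go through a URL shortener or whose visible text names a different domain than the real destination. The shortener list, the domain heuristic and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of URL-shortening hosts to refuse; extend per your policy.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain, e.g. 'login.example.com' -> 'example.com'.
    (A real deployment would consult the Public Suffix List instead.)"""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def screen_links(html: str) -> list:
    """Return (href, reason) findings for links that deserve a human look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) in SHORTENER_HOSTS:
            findings.append((href, "link goes through a URL shortener"))
        # The domain the reader *sees* in the link text, with or without a scheme.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, f"visible text says {shown.group(1)}, link goes to {host}"))
    return findings


# Constructed sample message imitating a credential lure aimed at an executive.
SAMPLE = """<p>Please re-confirm your payroll login:
<a href="http://payroll-secure.example.net/login">https://payroll.example.com/login</a>
or use <a href="http://bit.ly/xyz">this short link</a>.
Regards, <a href="https://intranet.example.com/">intranet.example.com</a></p>"""

if __name__ == "__main__":
    for href, reason in screen_links(SAMPLE):
        print(f"FLAG {href}: {reason}")
```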


Following those 6 principles will take some work, but it will be worth it.  After all, your firm is only worth as much as its security.


Use expensive hashes.
By Kakao on 12/27/2012 9:12:58 AM , Rating: 2
Do one better by also securely backing the password with the most modern hashing algorithms like SHA-256 or SHA-512

Those algorithms are designed to be fast to compute. That is exactly the opposite to what should be used. There are hashes designed for passwords that are computationally intensive and make a brute force attack more (or much more) expensive.

RE: Use expensive hashes.
By FITCamaro on 12/27/2012 9:29:13 AM , Rating: 2
Still better than nothing though.

RE: Use expensive hashes.
By Etsp on 12/27/2012 10:00:51 AM , Rating: 2
bcrypt basically runs the password through SHA-512 x thousand times (configurable) and scrypt does something similar in a way that also consumes a lot of memory so that GPU based decryption is slowed down when attempting many passwords at once.

RE: Use expensive hashes.
By JasonMick on 12/27/2012 10:32:59 AM , Rating: 2
Those algorithms are designed to be fast to compute. That is exactly the opposite to what should be used. There are hashes designed for passwords that are computationally intensive and make a brute force attack more (or much more) expensive.
If you salt them with unique, random salts SHA-256/512 are perfectly fine AFAIK.

Feel free to correct me if I'm wrong, master hackers/cryptographers, I am but a humble analyst.

RE: Use expensive hashes.
By Kakao on 12/27/2012 10:47:13 AM , Rating: 2
If you salt them with unique, random salts SHA-256/512 are perfectly fine AFAIK

Yes, a salt turns a non-random into a random password, preventing dictionary and rainbow table attacks. But still not too big a barrier against modern multi-GPU brute force.

RE: Use expensive hashes.
By RufusM on 12/27/2012 10:57:46 AM , Rating: 1
I think salted SHA-256/512 should be fine for a while yet, but it's things like this which represent threats to inexpensive encryption:

If quantum or organic computing arrives these algorithms will likely be crushed under the speed.

Specifically for passwords, the best method of cracking is using a rainbow table of known passwords, known password patterns (letters + numbers) and dictionary words and combinations (such as replacing o with 0).

RE: Use expensive hashes.
By AnnihilatorX on 12/27/2012 11:50:11 AM , Rating: 2
With the globalisation era, I hope there is more awareness in what one can do with unicode passwords. All password cracking programs I have seen brute force with ASCII character sets.

Try to crack a password such as:


That, although it doesn't make sense in Japanese, is what the Microsoft Japanese IME gives you when you type "password" with your keyboard

RE: Use expensive hashes.
By AnnihilatorX on 12/27/2012 11:51:11 AM , Rating: 2
lol so much for globalisation, DT comment form doesn't support unicode :P

RE: Use expensive hashes.
By borismkv on 12/29/2012 1:50:54 PM , Rating: 2
Still depends on the Hashing algorithm used in password transmission. With older algorithms like MD4, which use a very short keyspace, you have issues with collision. When you have collision with multiple hashes, you don't have to determine the actual password, only a password that matches the hash, so a unicode password can be hashed and have the same hash value as a straight ASCII password. When that happens, you can often log in with the ASCII password without knowing the unicode one, because most password comparison systems will hash the password you enter before transmission, and the password is never reversed. You get logged in when the system compares the transmitted hash with the hash of the stored password.

RE: Use expensive hashes.
By borismkv on 12/29/2012 5:05:13 AM , Rating: 2
Rainbow tables are basically just a distributed brute force. The way a hashed password is cracked is by obtaining the transmitted or stored hash and then attempting to determine the password by hashing every possible combination of passwords and comparing the resulting hash with what was transmitted or is in storage. Rainbow tables are collections of previously hashed words. Rainbow tables are only useful when the entire keyspace of a given hashing algorithm has been discovered. If a password in use has not been previously hashed and stored in a rainbow table, the attacker must resort to brute forcing the remainder of the hash keyspace to get the password. Defense against rainbow tables requires two things, a large keyspace, and a password policy that requires passwords that are complex or long enough to make brute force more difficult. For instance, the entire keyspace for passwords below 7 characters (using all acceptable character sets) utilizing the hashing methods in Windows LanMan has been hashed and the resulting rainbow table can be stored on a single CD. However, NTLM, which replaced LanMan in Windows 2000, is still being hashed against. So far, the tables are above 3 terabytes in length, if I remember correctly. This only covers a minor percentage of passwords below 14 characters using all characters. The reasons for this difference vary. For one, LanMan hashed passwords at 7 character intervals, so a 14 character password generated two hashes. With fewer characters, it is easier to brute force. Second, LanMan used a weak hashing algorithm with a short keyspace. This resulted in heavy collision issues, where multiple passwords returned the same hash, and since password systems work by hashing input and transmitting the hash, if two passwords have the same hash, both passwords will allow login.

To circumvent these issues, NTLM incorporated a longer keyset, stopped splitting hashes, and allowed for passwords that were up to 128 unicode bits in length (different characters have a different bit length. Special characters are longer in unicode than letters and numbers). This means that there is no storage medium currently capable of storing a rainbow table for the full NTLM keyspace while remaining portable. As technology evolves, this will change, and new methods must be developed for securing passwords. For now, there remain few rainbow tables for passwords beyond 14 characters in length, and the keyspace for password hashes above 18 characters is virtually unexplored.

With all that said, Jason, the recommendation for having users secure their passwords with SHA 256 or 512 is not very tenable, since the end user and, usually, the IT organization, cannot control the hashing algorithms used in their systems. Windows only allows passwords to use LanMan, NTLM, or NTLMv2, and the hashing algorithm is non-variable in a Windows organization, which the vast majority of information systems that end users work with use. A tenable recommendation would be to ensure that Windows systems are not storing LanMan hashes (default operation in all Windows since Vista), for one, and using passphrases above 18 characters, for another; 40 character passwords are currently excessive in length and will greatly hamper users that have to use passwords a lot.

RE: Use expensive hashes.
By RufusM on 12/31/2012 12:55:54 PM , Rating: 2
Yes, rainbow tables only work for common hashes or hash/salt combinations, but brute force is coming along nicely. Take the Windows password brute force link I posted earlier, for example. It can brute force any NTLM Windows password in 6 hours, given the hash.

In general I wasn't referring specifically to Windows passwords (except the link to show how far brute force attacks have come), but passwords in general.

Right now, there are so many real passwords in the wild, stats have been created about which passwords are the most common, what common patterns are, etc. For example, a large percentage of passwords end in four numbers which decreases the number of brute force attempts for many passwords fitting that pattern. A faster hashing algorithm just increases the speed at which the brute force attempts can be made. Granted, you still need to know the hashing algorithm to brute force, but once that is known a good brute force attack is possible in many cases.

Like you indicated, entropy is your best bet to protect against a brute force attack. The longer the password the more entropy it has, all things being equal.

RE: Use expensive hashes.
By borismkv on 1/4/2013 3:37:28 PM , Rating: 2
NTLM hashes are only used when computers aren't a member of a domain. Kerberos uses a different method that is significantly stronger and doesn't rely on Hashing. Domain secured accounts are significantly more difficult to brute force than hashed Passwords. Ultimately, the brute force methods used in that link are useless for determining passwords on a Domain, which basically means that it won't help you get into any real enterprise network. It'll get you into someone's home computer easily enough, or into a local account on a domain joined computer, but getting access to the domain is a lot harder to brute force.

Old software is a security risk?
By HoosierEngineer5 on 12/27/2012 10:48:25 AM , Rating: 2
Why wouldn't older, well-patched software be more secure than new software? New software will be old some day, will that make it less secure than it is now?

RE: Old software is a security risk?
By RufusM on 12/27/2012 11:07:48 AM , Rating: 2
Much of this depends on the software's exposure. For systems getting a lot of hacking exposure like Windows, some argue that a patched Windows XP system is more secure than a patched Windows 8 system since Windows 8 is untested. In this situation, I would argue that Windows 7 is the better option since it's newer than XP but has been in the wild for a bit and is still supported for quite some time.

In my IT circles, the general rule of thumb for production OSes is to wait about 1 year for most of the holes/issues to be plugged/fixed. Once it's been in the wild for a bit, then consider it for deployment. It typically takes a while to complete some base compatibility testing anyway if you're in the enterprise.

RE: Old software is a security risk?
By Trisped on 12/27/2012 2:08:34 PM , Rating: 2
Also, new OSes have additional security features. For example Vista added the UAC, an updated firewall, ASLR, and NAP.


My issue with old OSes is that people have had plenty of time to find exploits. While many of the big ones have been patched, I am sure there are many more which have not been reported, waiting to be exploited.

Internal "cloud"
By 91TTZ on 12/27/2012 2:11:02 PM , Rating: 3
When did "cloud" become such a meaningless buzzword? First it was "WebMail" or "WebStorage" or "WebApps". Then all these services on the web came to be known as "Cloud" applications. After that even internal systems that ran on their corporate intranet started being called "Internal Cloud" and now finally we have external USB drives being called "Personal Cloud" drives.

Can we stop it with this nonsense?

RE: Internal "cloud"
By SAN-Man on 12/31/2012 10:25:33 AM , Rating: 2
Cloud is a buzz word used by people who generally don't know anything and don't actually work in technology (writing about it, badly, on a blog doesn't count).

This entire article is fairly laughable but to the uninitiated it probably seems fairly smart.

BYOD sucks
By tayb on 12/27/2012 4:49:53 PM , Rating: 2
I would never, ever, work for a company that required me to provide my own equipment. I can't believe people agree to this.

RE: BYOD sucks
By edge929 on 1/2/2013 1:27:45 PM , Rating: 2
I have mixed feelings on this. On one hand I 100% agree with you but on the other it never ceases to amaze me how my Fortune 25 company gives its developers 2 year old laptops (XP 32-bit, HDDs) for intensive, heavily-threaded programming projects. The 55 year old leader of my division is convinced that portability (laptops) is a greater advantage to workstation power. We are not field workers, we're 9-5ers, so the portability benefit is near-useless. I wish I could build my own workstation with multiple SSDs (scratch drives), 16GB of RAM and an i7 3930K or AMD FX 8-core. The increased productivity from me not having to wait on my slow machine would pay for itself in a few months or less.

As for tablets/smartphones, I'm totally against BYOD.
By ksuresh on 1/25/2013 11:40:26 AM , Rating: 2
Good thoughts on ways to prevent data loss in businesses. I happened to read a whitepaper on this very topic "how manufacturers can spot and mitigate fraudulent activity" it provides very good information which readers will find helpful @

Bad ideas there
By dgingerich on 12/27/2012 2:24:00 PM , Rating: 1
2 and 5 are just asinine.

If you make your people pick a long password, the longer or more complicated it gets, the more often they'll write it down and tuck it under their keyboard. This is even more likely with passwords that expire too quickly. Password systems that expire every 30 days, and then remember the last two dozen passwords, are so incredibly dumb. Long or complicated passwords are utter stupidity. Use a second factor authenticator: keyfob, fingerprint, smartcard, or some other unique identifier. The smartcard system is already built into both Windows and Linux. It's not hard to implement.

As for banning USB sticks and CDs, that's just not going to work. It costs money to get network storage. Many companies can't afford, especially now, to get more storage. (It took over three years of being at 95% capacity with monthly requests to employees to delete old data before my last company finally ponied up to get new storage, and all they did was double it. It was full again within a year.) When main network storage is full, many employees resort to emailing documents all over, multiplying the problem on the email system. Yes, you can 'encourage' employees to stop that and adopt safer, cleaner, more responsible methods of storage, but that's like pulling teeth, and most people will do anything to get around it. Having them use their own thumb drives is about the only way to keep them from storing their personal Quicken files and home photos on the network drive. I'm still not convinced that contracting to an outside company for "cloud" systems is a smart security move. I will never like putting my data in someone else's hands. I'm uncomfortable enough with my email going through someone else's server.

For IT these sound just fine, but the general population is stupid and lazy. They will use the company computer for their personal stuff. They will fill up their hard drive and then shunt that onto the network drive. Banning USB drives will only make that worse. They will write down their passwords. Those passwords will get picked up by janitorial staff. You're never going to get around that. Work with it and live with it and you'll be less stressed. There are strategies around much of these flaws. Charging them straight on is a losing strategy.
