6 Common-Sense Security Measures Every Business Should Adopt
December 27, 2012 8:45 AM
Beware threats from both within and without; protect employee privacy; secure your networks via education
Today's workplace is a massive nightmare for information technology folks when it comes to security. But by emphasizing consistent, workplace-wide policies and by enforcing reasonable access limits, a company can safeguard itself against both internal and external data loss.
Let's discuss a few keys to maintaining a secure workplace.
1. Rule BYOD, don't let BYOD rule you
Most businesses are going to let employees bring their own devices (laptops, tablets, etc.) to do work with. But holding seminars on how to keep private and workplace data is crucial.
must be managed with a clear and consistent policy, with well-defined limits to prevent your IT employees from accessing personal data.
BYOD can save costs, but poses unique privacy and security risks.
[Image Source: Andrew Hinderaker]
That way if employees do choose to bring devices and their privacy is violated, the liability will lie not with your management, but on the staff member who violated that trust. Likewise, if the employee engages in inappropriate behavior (say viewing adult videos at work) you'll have the analytics to challenge them as necessary.
2. Ban USBs, CD Burning; go to an Internal Cloud
An internal cloud is a much more secure solution than allowing employees to share and transfer files via physical media such as USB sticks or CDs. Not only can such media
, but it can also be used by a malicious employee or person posing as an employee to steal valuable trade secrets from your firm.
If your private cloud is properly designed and firewalled from the external world, it not only will allow your employees to share information more easily, it will also cut off a major source of data loss.
Banning physical media is a smart idea and easy to do with today's technology.
3. Adopt the Latest Software
Still kicking around Internet Explorer 7? Kicking it with Windows XP? Quit it.
Old software is a security risk. If it is patched, it is often patched at a sordidly slow pace. And there's typically a lot of it lingering around here and there, so inevitably it's a highly attractive target for malware authors.
We know you loved Windows XP, but it may be time to move on. [Image Source: Microsoft]
While few businesses have the need or resources to upgrade with every single release of Windows and every single new browser release, many should put a bit more effort into staying up to date. And if you're testing software for older browsers or other older platforms with inherent security risks, be sure to isolate them from your other networks. Just ask Google Inc., which saw IE 7 test machines exploited by Chinese hackers to steal data off its network.
Huge security risk, enough said.
5. Enforce Passphrase Use, Use Strong Hashing
Hold an employee seminar and explain how you can make a sentence into a password. A 30 or 40 character long password is very hard to break even with modern GPUs.
Like the sound of that? Do one better by also securely backing the password with the most modern hashing algorithms like SHA-256 or SHA-512. Combined, these two techniques will make it virtually impossible to brute force your passwords.
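One way to store passphrases with SHA-256, as an added example that is not part of the original article: a single fast SHA-256 is compared with a per-user salted, iterated PBKDF2-HMAC-SHA256 record, which addresses the precomputed-table and fast-brute-force concerns raised in the comments. The iteration count, salt length, record format and sample passphrase are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16       # assumed salt length


def unsalted_sha256(passphrase: str) -> str:
    """Single fast SHA-256: the same passphrase always yields the same digest."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def hash_passphrase(passphrase: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: scheme$iterations$salt$derived_key."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_passphrase(passphrase: str, record: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    phrase = "my dog eats seven purple carrots daily"  # constructed sample passphrase
    # Two users choosing the same passphrase: identical fast digests, so one
    # precomputed table entry would cover both accounts.
    print(unsalted_sha256(phrase) == unsalted_sha256(phrase))
    # With per-user salts the stored records differ, and each guess costs
    # ITERATIONS rounds of HMAC-SHA-256 instead of one hash.
    alice, bob = hash_passphrase(phrase), hash_passphrase(phrase)
    print(alice != bob, verify_passphrase(phrase, alice), verify_passphrase("wrong", bob))
```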
6. Hold Education Seminars on Phishing, Spear-Phishing
Phishing -- sending malicious links inside innocent-looking email messages -- is a huge security risk for every company. Even the best password won't protect you if you go giving it to the wrong web-form. Teach your employees to watch the URL bar in their browser and to avoid clicking on email links to access a site, unless they really trust them.
Beware spear-phishing, lest it compromise your employees who hold the most valuable files.
[Image Source: FBI (modifications: Jason Mick/DailyTech LLC)]
Special care should be taken to prevent spear-phishing -- attempts to target specific high profile catches, such as a CEO/CTO/CFO's login information. Your executives may moan and groan, but they're far too valuable to let them fall for such ploys.
Special screening of executive email can help cut down on spear-phishing threats as well. While staff obviously can't hand-screen every email message, it is practical to screen high-level management's messages for clear fraud/spam attempts.
Again a clear-cut policy to protect privacy must be enforced here, to prevent unfortunate incidents.
Following those 6 principles will take some work, but it will be worth it. After all, your firm is only worth as much as its security.
RE: Use expensive hashes.
12/29/2012 5:05:13 AM
Rainbow tables are basically just a distributed brute force. The way a hashed password is cracked is by obtaining the transmitted or stored hash and then attempting to determine the password by hashing every possible combination of passwords and comparing the resulting hash with what was transmitted or is in storage. Rainbow tables are collections of previously hashed words. Rainbow tables are only useful when the entire keyspace of a given hashing algorithm has been discovered. If a password in use has not been previously hashed and stored in a rainbow table, the attacker must resort to brute forcing the remainder of the hash keyspace to get the password. Defense against rainbow tables requires two things, a large keyspace, and a password policy that requires passwords that are complex or long enough to make brute force more difficult. For instance, the entire keyspace for passwords below 7 characters (using all acceptable character sets) utilizing the hashing methods in Windows LanMan has been hashed and the resulting rainbow table can be stored on a single CD. However, NTLM, which replaced LanMan in Windows 2000, is still being hashed against. So far, the tables are above 3 terabytes in length, if I remember correctly. This only covers a minor percentage of passwords below 14 characters using all characters. The reasons for this difference vary. For one, LanMan hashed passwords at 7 character intervals, so a 14 character password generated two hashes. With fewer characters, it is easier to brute force. Second, LanMan used a weak hashing algorithm with a short keyspace. This resulted in heavy collision issues, where multiple passwords returned the same hash, and since password systems work by hashing input and transmitting the hash, if two passwords have the same hash, both passwords will allow login.
To circumvent these issues, NTLM incorporated a longer keyset, stopped splitting hashes, and allowed for passwords that were up to 128 unicode bits in length (different characters have a different bit length. Special characters are longer in unicode than letters and numbers). This means that there is no storage medium currently capable of storing a rainbow table for the full NTLM keyspace while remaining portable. As technology evolves, this will change, and new methods must be developed for securing passwords. For now, there remain few rainbow tables for passwords beyond 14 characters in length, and the keyspace for password hashes above 18 characters is virtually unexplored.
With all that said, Jason, the recommendation for having users secure their passwords with SHA 256 or 512 is not very tenable, since the end user and, usually, the IT organization, cannot control the hashing algorithms used in their systems. Windows only allows passwords to use LanMan, NTLM, or NTLMv2, and the hashing algorithm is non variable in a Windows organization, which the vast majority of information systems that end users work with use. A tenable recommendation would be to ensure that Windows systems are not storing LanMan hashes (default operation in all Windows since Vista), for one, and using passphrases above 18 characters, for another. 40 character passwords are currently excessive in length and will greatly hamper users that have to use passwords a lot.
RE: Use expensive hashes.
12/31/2012 12:55:54 PM
Yes, rainbow tables only work for common hashes or hash/salt combinations, but brute force is coming along nicely. Take the Windows password brute force link I posted earlier, for example. It can brute force any NTLM Windows password in 6 hours, given the hash.
In general I wasn't referring specifically to Windows passwords (except the link to show how far brute force attacks have come), but passwords in general.
Right now, there are so many real passwords in the wild, stats have been created about which passwords are the most common, what common patterns are, etc. For example, a large percentage of passwords end in four numbers which decreases the number of brute force attempts for many passwords fitting that pattern. A faster hashing algorithm just increases the speed at which the brute force attempts can be made. Granted, you still need to know the hashing algorithm to brute force, but once that is known a good brute force attack is possible in many cases.
Like you indicated, entropy is your best bet to protect against a brute force attack. The longer the password the more entropy it has, all things being equal.
RE: Use expensive hashes.
1/4/2013 3:37:28 PM
NTLM hashes are only used when computers aren't a member of a domain. Kerberos uses a different method that is significantly stronger and doesn't rely on Hashing. Domain secured accounts are significantly more difficult to brute force than hashed Passwords. Ultimately, the brute force methods used in that link are useless for determining passwords on a Domain, which basically means that it won't help you get into any real enterprise network. It'll get you into someone's home computer easily enough, or into a local account on a domain joined computer, but getting access to the domain is a lot harder to brute force.