backtop


Print 21 comment(s) - last by ksuresh.. on Jan 25 at 11:40 AM

Beware threats from both within and without; protect employee privacy; secure your networks via education

Today's workplace is a massive nightmare for information technology folks when it comes to security.  But by emphasizing consistent, workplace-wide policies and by enforcing reasonable access limits, a company safeguard itself against both internal and external data loss.

Let's discuss a few keys to maintaining a secure workplace.

1. Rule BYOD, don't let BYOD rule you

Most businesses are going to let employees bring their own devices (laptops, tablets, etc.) to do work with.  But holding seminars on how to keep private and workplace data is crucial.  BYOD hardware must be managed with a clear and consistent policy, with well-defined limits to prevent your IT employees from accessing personal data.

Women on cell phones
BYOD can save costs, but poses unique privacy and security risks.
[Image Source: Andrew Hinderaker]

That way if employees do choose to bring devices and their privacy is violated, the liability will lie not with your management, but on the staff member who violated that trust.  Likewise, if the employee engages in inappropriate behavior (say viewing adult videos at work) you'll have the analytics to challenge them as necessary.

2. Ban USBs, CD Burning; go to an Internal Cloud

An internal cloud is a much more secure solution than allowing employees to share and transfer files via physical media such as USB sticks or CDs.  Not only can such media carry malware, but it can also be used by a malicious employee or person posing as an employee to steal valuable trade secrets from your firm.

If your private cloud is properly designed and firewalled from the external world, it not only will allow you employees to share information more easily, it will also cut off a major source of data loss.  Banning physical media is a smart idea and easy to do with today's technology.

3. Adopt the Latest Software

Still kicking around Internet Explorer 7?  Kicking it with Windows XP?  Quit it.

Old software is a security risk.  If it is patched, it is often patched at a sordidly slow pace.  And there's typically a lot of it lingering around here and there, so inevitably it's a highly attractive target for malware authors.

Windows XP
We know you loved Windows XP, but it may be time to move on. [Image Source: Microsoft]

While few businesses have the need or resources to upgrade with every single release of Windows and every single new browser release, many should put a bit more effort into staying up to date.  And if you're testing software for older browsers or other older platforms with inherent security risks, be sure to isolate them from your other networks.  Just ask Google Inc. (GOOG) which saw IE 7 test machines exploited by Chinese hackers to steal data off its network.

4. Blacklist URL Shortening domains

Huge security risk, enough said.

5. Enforce Passphrase Use, Use Strong Hashing

Hold an employee seminar and explain how you can make a sentence into a password.  A 30 or 40 character long password is very hard to break even with modern GPUs.  

Like the sound of that? Do one better by also securely backing the password with the most modern hashing algorithms like SHA-256 or SHA-512.  Combined these two techniques will make it virtually impossible to brute force your passwords.

6. Hold Education Seminars on Phishing, Spear-Phishing

Phishing -- sending malicious links inside innocent-looking email messages -- is a huge security risk for every company.  Even the best password won't protect you if you go giving it to the wrong web-form.  Teach your employees to watch their url bar in their browser and to avoid clicking on email links to access a site, unless they really trust them.

Spear Phishing
Beware spear-phishing, lest it compromise your employees who hold the most valuable files.
[Image Source: FBI (modifications: Jason Mick/DailyTech LLC)]

Special care should be taken to prevent spear-phishing -- attempts to target specific high profile catches, such as a CEO/CTO/CFO's login information.  You executives may moan and groan, but they're far to valuable to let them fall for such ploys.

Special screening of executive email can help cut down on spear-phishing threats as well.  While staff obviously can't hand-screen every email message, it is practical to screen high-level management's messages for clear fraud/spam attempts.

Again a clear-cut policy to protect privacy must be enforced here, to prevent unfortunate incidents.

.......

Following those 6 principles will take some work, but it will be worth it.  After all, your firm is only worth as much as its security.


Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Use expensive hashes.
By borismkv on 12/29/2012 1:50:54 PM , Rating: 2
Still depends on the Hashing algorithm used in password transmission. With older algorithms like MD4, which use a very short keyspace, you have issues with collision. When you have collision with multiple hashes, you don't have to determine the actual password, only a password that matches the hash, so a unicode password can be hashed and have the same hash value as a straight ASCII password. When that happens, you can often log in with the ASCII password without knowing the unicode one, because most password comparison systems will hash the password you enter before transmission, and the password is never reversed. You get logged in when the system compares the transmitted hash with the hash of the stored password.


"We don't know how to make a $500 computer that's not a piece of junk." -- Apple CEO Steve Jobs














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki