Wednesday, July 29, 2009

Living Next To The Security Graveyard...

IT Consultants and Business Clients are both ignoring the gravestones in their networks, when it comes to security.

When I was a kid in the sixth grade, I lived right next to a graveyard. When I went out to mow the grass (BTW, something I hated), the grave stones were there. When I went to the swing to play, the grave stones were close by. When I looked out the second story windows... well, you know what goes here. When I first moved there, it really bothered me. I got so used to it being close, though, that I successfully learned to ignore it. I only consciously realized it when a new friend would come over and make a big deal out of it.

IT security issues are the same as the graveyard I put up with as a preteen. We may know about security holes on our own and our clients' networks, but we have lived so close to them for so long that we have learned to ignore them. If someone points out a glaring hole in our security practices, we take notice and might get motivated to do something about it. If the news harps on a new "disaster computer worm aka Conficker", our clients suddenly check their antivirus definition dates or call us to be reassured that we have it under control. Otherwise, we and they get numb to the fact that there are security problems.

Here are the names on some of the grave stones:
  • EXPIRED ANTIVIRUS - very common, frightfully so. And rather than just renewing what they currently have, review the best of the current suites out there. Get the LATEST security suite (Trend Micro Worry Free is my favorite!).

  • CONSUMER GRADE FIREWALL - Might be OK for protecting your grandmother's pictures, certainly not your clients' customer social security numbers. You need a Business Grade firewall with an IPS (Intrusion Prevention System). All Hail Calyptix, here!

  • NON WORKING LOCAL BACKUP - Yes, backup is a security component. Start thinking that way. Get some imaging software if nothing else and store to an external device. Storagecraft is GREAT! And set up some way to verify that backups actually HAPPEN and are RESTORABLE.

  • NO OFFSITE BACKUP - No protection against fire, flood, bad employee or theft, tsk tsk. This should at least be a device you can take offsite, but ideally a complete internet encrypted backup of your server and critical workstation files.

  • NO OR POOR SPAM BLOCKING - As per my earlier post on the human mind, social engineering is getting really crafty. Users are easily tricked into opening email and clicking on links. Block it so they will not have to make the wrong decision! Best if appliance-based or third-party filtering.

  • POOR PASSWORDS - I know, I know, I feel the pressure from my clients too to let them use weak passwords. Just make sure there are at least letters and numbers and a symbol, and it is at least 8 characters, more if possible. Passphrases are even better.

  • INSECURE OR OLD STANDARDS WIRELESS - If you are an IT consultant and set up a client with insecure wireless, SLAP YOURSELF! Get something for your client that is WPA2 and set it up as WPA2. (And consider making it a 20+ character passphrase.)

  • UNPATCHED OS AND SOFTWARE - Every day, a piece of software on your computer gets a new "hole" that needs to be filled. The Russian mobsters, script kiddies, Black Hats, Chinese nationalists, etc. actively attempt to find and exploit these holes for their own purposes. And it is not just Microsoft software with the holes. Active patch management is a must, whether a duty assigned to a staff member or a duty that a computer consultant does for the client.
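One way to act on the "verify that backups actually HAPPEN and are RESTORABLE" point above, as an added Python example that is not from the original post or from any product it names: it assumes backups are plain tar archives written by a daily job, with each file's SHA-256 recorded at backup time, and checks both that the archive is fresh and that every file really restores to disk with the right content.

```python
import hashlib
import os
import tarfile
import tempfile
import time
MAX_AGE_HOURS = 24  # assumption: the backup job is supposed to run daily

def backup_is_fresh(archive, max_age_hours=MAX_AGE_HOURS, now=None):
    """HAPPENED check: the archive exists and was written inside the window."""
    if not os.path.isfile(archive):
        return False
    now = time.time() if now is None else now
    return (now - os.path.getmtime(archive)) <= max_age_hours * 3600

def verify_restore(archive, expected):
    """RESTORABLE check: write each file back out to a scratch directory and
    compare its digest with the one recorded at backup time. Returns {name: ok}."""
    results = {name: False for name in expected}  # pessimistic until proven restored
    if not os.path.isfile(archive) or not tarfile.is_tarfile(archive):
        return results
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive) as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for name, digest in expected.items():
            member = members.get(name)
            if member is None:  # the file never made it into the archive
                continue
            restored = os.path.join(scratch, os.path.basename(name))
            with open(restored, "wb") as out:
                out.write(tar.extractfile(member).read())
            with open(restored, "rb") as back:  # hash what actually landed on disk
                results[name] = hashlib.sha256(back.read()).hexdigest() == digest
    return results

def make_demo_backup(workdir):
    """Constructed sample data: two small files archived, digests recorded at backup time."""
    files = {"ledger.csv": b"acct,amount\n1,42\n", "notes.txt": b"keep me\n"}
    for name, body in files.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(body)
    archive = os.path.join(workdir, "backup.tar")
    with tarfile.open(archive, "w") as tar:
        for name in files:
            tar.add(os.path.join(workdir, name), arcname=name)
    return archive, {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}

def demo():
    """Build the constructed backup in a temp dir and run both checks."""
    archive, expected = make_demo_backup(tempfile.mkdtemp())
    return {"archive": archive, "expected": expected, "happened": backup_is_fresh(archive),
            "restorable": verify_restore(archive, expected)}
```

Run it from a scheduled task against the real archive path and alert on any False; a check that only looks at the file's timestamp would miss a backup that wrote garbage.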

Now, look at your network. Do you see any of these grave stones? Do you see any in your clients' networks? Remember, your client will become numb to these over time. Have a serious talk with them. Clients pick up clues from you as to how serious a security issue is, so stress it. Do the right thing and point the stones out, repeatedly, before the network ends up on a cold, hard slab.