I guess holiday cheer was in short supply for employees of Sony Pictures Entertainment this past Christmas. The November 2014 cyberattack on Sony was really bad, but the worst part of the story was the discovery that the company-wide security practices at Sony were embarrassingly poor.
The scary news about Sony Pictures is that it is not the only company that needs to improve its security procedures. Your company might not be a deliberate target of hackers, but you’ll still want to review these basic security tips before it is too late.
How do hackers gain access to your corporate network? Sure, there are disgruntled employees or former employees who could get in using an account that is still authorized. You do have policies and procedures in place to make sure that terminated employees and contractors lose access the moment it is no longer needed, right?
Are employees given basic security training, like never giving their password to anyone, including someone who says they are from IT Support and needs the password to help them? Do they know the basics of creating a good password, not writing the password down or storing it in a text file on the network, and what kinds of internet sites to trust or not to trust?
Do you have physical access controls in place to prevent unauthorized personnel from freely entering the building, particularly after hours or in sensitive areas like the server room or switch closets?
Do you have controls at your company that limit user access to just the privileges each person requires to perform their job responsibilities? You don’t just make everyone an administrator on their laptop or on a network server, right? You might be surprised what level of access a normal user actually has, based on their membership in selected groups in Active Directory (including nested groups) or in local server security settings. If you are an administrator-level user, you might be accustomed to unlimited access, but have you logged in as a “normal” user lately and checked out what you can or can’t do on the network? To which systems do you have remote desktop or administrator-level access when logged into the network as just a “normal” user?
Have you reviewed which users have remote access to your network? Do all of these users “need” remote access? If one of their accounts is compromised, what privileges would be granted to that remote user (who might be a hacker located in North Korea or China)?
There are also resources outside of your company. Do you know who has usernames and passwords to access the corporate web site, Twitter feed, Facebook account, etc.? How strong are the passwords used for these accounts, and are they revoked or rotated when someone leaves? Do you have vendors connecting to your servers via FTP or other connections? Plain FTP sends the username, password and file contents in cleartext, so prefer SFTP or FTPS. Are you positive those connections are secure and only allow access to the files the vendor needs under your contract agreements?
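The two questions above, what a “normal” user can actually reach and who still holds remote or administrative access, are something you can answer from the directory rather than by guessing. The script below is an added example written for this post, not something from Sony or from any vendor. It assumes the ActiveDirectory RSAT module and PowerShell 5.1 or later; the group name “VPN Users” and the server names are placeholders for your own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT
# module, PowerShell 5.1+, and that the caller can read AD and run remoting.
Import-Module ActiveDirectory

# Groups whose membership you should be able to justify line by line.
$PrivilegedGroups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$RemoteAccessGroup = 'VPN Users'       # assumption: your remote-access group
$Servers           = @('FILE01', 'APP01') # assumption: servers to check for local admins

# 1. Effective (nested) group membership of one user. MemberOf only lists
#    direct groups, so walk the parents until nothing new appears. The primary
#    group (usually Domain Users) is not in MemberOf and is not listed here.
function Get-EffectiveGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object System.Collections.Queue
    foreach ($dn in $user.MemberOf) { $queue.Enqueue($dn) }
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if (-not $seen.Add($dn)) { continue }          # already visited
        $group = Get-ADGroup -Identity $dn -Properties MemberOf
        foreach ($parent in $group.MemberOf) { $queue.Enqueue($parent) }
    }
    $seen | ForEach-Object { (Get-ADGroup -Identity $_).Name } | Sort-Object
}

# 2. Everyone who is (directly or through nesting) in a privileged or
#    remote-access group, with enough context to spot stale or disabled accounts.
function Get-PrivilegedMembers {
    foreach ($name in ($PrivilegedGroups + $RemoteAccessGroup)) {
        Get-ADGroupMember -Identity $name -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate
                [pscustomobject]@{
                    Group     = $name
                    User      = $u.SamAccountName
                    Enabled   = $u.Enabled
                    LastLogon = $u.LastLogonDate
                }
            }
    }
}

# 3. Who is a local administrator on each server. Get-LocalGroupMember needs
#    PowerShell 5.1+ on the target; PrincipalSource shows local vs. domain.
function Get-LocalAdmins {
    Invoke-Command -ComputerName $Servers -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }
}

# Usage: does a "normal" user end up in a privileged group through nesting?
Get-EffectiveGroups -SamAccountName 'jdoe' | Where-Object { $_ -in $PrivilegedGroups }

# Usage: disabled accounts or accounts idle for 90+ days that still hold access.
Get-PrivilegedMembers |
    Where-Object { -not $_.Enabled -or $_.LastLogon -lt (Get-Date).AddDays(-90) } |
    Format-Table -AutoSize

Get-LocalAdmins | Format-Table -AutoSize
```

Run it from an account that can read the directory, then go through the output with HR’s leaver list and the access requests on file. A disabled user still sitting in “VPN Users”, or a helpdesk group that turns out to be nested inside Domain Admins, is exactly the kind of finding the questions above are meant to surface.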
A dedicated group of hackers can probe your company’s connections and find your weak points fairly quickly. Using known vulnerabilities and standard attack tools, they can make you a fairly easy target unless you have taken some basic safeguards to stop the easy attacks.
The easiest safeguard is keeping your software updated, which closes the known vulnerabilities that would otherwise allow an easy breach of your network. That means operating systems and the applications on top of them, servers and laptops alike, and it means knowing which machines are actually missing patches rather than assuming the update service took care of it.
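“Keep your software updated” only works if you can see which hosts are behind. Here is an added example, written for this post and not taken from any vendor, that asks the built-in Windows Update Agent on a machine what it knows it is missing. It uses only the standard Windows Update COM API, so nothing extra needs to be installed; the set of servers in `$Hosts` is a placeholder.

```powershell
# Added example (not from the original post). Uses the built-in Windows Update
# Agent COM API; run elevated. $Hosts is an assumption: replace with your servers.
$Hosts = @('FILE01', 'APP01')

# Updates the local machine knows about but has not installed. The filter
# excludes drivers and anything an admin deliberately hid.
function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Severity  = $u.MsrcSeverity            # Critical/Important/... or blank
            KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title     = $u.Title
            Published = $u.LastDeploymentChangeTime
        }
    }
}

# Same question asked of several servers at once over PowerShell remoting.
function Get-MissingUpdatesRemote {
    Invoke-Command -ComputerName $Hosts -ScriptBlock ${function:Get-MissingUpdates}
}

# Usage: the Critical and Important items are the ones an attacker with a
# standard toolkit will try first; sort so they appear at the top.
Get-MissingUpdatesRemote |
    Sort-Object @{ e = { switch ($_.Severity) { 'Critical' { 0 } 'Important' { 1 } default { 2 } } } }, Published |
    Format-Table Computer, Severity, KB, Published, Title -AutoSize

# The flip side: what is installed, and when. Useful for confirming a fix landed.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
```

A host that reports nothing missing but has a months-old latest entry in `Get-HotFix` is worth a second look; the agent may simply not be able to reach your update server.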
The user community is also a source of failure. Make sure users know what kinds of contact to report to you, like unsolicited telephone calls from people needing remote access to their laptops or other devices. Make sure they know that they should never give their passwords to anyone and how to create a good password. If you require them to change their passwords every 90 days, be aware that current NIST guidance (SP 800-63B) recommends against forced periodic changes unless there is evidence of compromise, because scheduled rotation pushes users toward predictable variants of the old password; screening new passwords against known-breached lists and adding a second factor do more good than the calendar.
Like the old joke goes, when chased by a bear you don’t have to be the fastest runner, you just have to be faster than your friends. To avoid a random hacker attack you don’t have to be the most secure network, just more secure than their other targets. You want a hacker to fight for every piece of information. Compromising a user’s laptop should never give them access to the entire network and all network resources.
Assume any email could be made public one day. Don’t put anything in an email that you would be embarrassed to say in public, like during an investigation by the FBI or local police. Assume anything and everything you put in an email will eventually be read by anyone. Don’t include racist, sexist, or other unacceptable commentary or jokes in any of your emails. If someone sends you an email that includes this type of content, don’t forward or reply to the email. Print it out and carry it to HR for them to address.
Don’t include sensitive information in emails. Hackers may compromise your mailbox one day, but what information would they collect? If there is nothing there that is useful or embarrassing, what have they stolen?
What ideas do you have? What steps have you taken to prevent becoming the next Sony?