Tuesday, May 25, 2010

Guest Post - Ricky Peterson - Threats to Your Information Security

Ricky Peterson was a Spring Research Analyst at Fortalice® LLC and is a student at Immaculata University.



TEASER/TITLE: Your biggest information threat is closer than you think!



SUMMARY PARAGRAPH: Threats to your information and computer security may be closer than you think. This applies to businesses and individuals alike. You may be a threat to your own information. If you own a company the threat may be as close as your own employees. These threats are very real because most people do not think about being a threat to themselves or the companies they work for.


KEY FINDINGS:

Lost or stolen laptops account for over 32% of information thefts
According to Computerworld, 30% of passwords are 6 characters or shorter, while nearly 50% are easily cracked.
Most cases of computer viruses are a result of user carelessness
Unsupervised children and employees cause a large number of information thefts without their knowledge

BACKGROUND:

When most people think of information theft, they think of hackers working long hours trying to break codes and steal passwords. They think of complex programs that bypass firewalls and intrusion protection systems. This is, however, far from the reality of things. Most information theft is caused by you or someone close to you. Most of the time it is unintentional, but it still happens. Most people, whether an individual or the CEO of a large company, do not realize that seemingly insignificant things can cause big problems.

ANALYSIS:

Perhaps one of the biggest causes of information theft is weak passwords. A weak password is generally one that is fewer than 8 characters long, a name or significant date, a consecutive string of numbers or letters, or an easily guessed word. Some infamous weak passwords are 123456, birthdate, first initial plus last name, and password. About 42% of all stolen passwords are weak. The reason is that people have a hard time remembering complex strings of characters. People tend to make an easy password that they can remember and then use it for everything. Hackers love it when we do this. Passwords like 1234 and significant words are the first ones they try because they know people still use them. Some people use different, complex passwords for everything, but then need to write them down. This poses another problem: if the password sheet is lost, someone can gain access to all of your accounts. Ideally, a password should be 8 or more characters long and combine upper- and lower-case letters, numbers and symbols. It should also be changed at least every two months. This is, however, idealistic and not possible for most average people. The solution is to change your password frequently and avoid using the common ‘weak’ passwords. If this is done, you will have increased security while avoiding messy, complicated passwords.
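The weak-password criteria listed in the paragraph above can be checked automatically when a password is set. The following Python sketch is an added example, not part of the original post; the function names, the three-entry `COMMON` list and the sample values used with it are constructed for illustration.

```python
import re

# Constructed blocklist seeded with the weak passwords the post names.
COMMON = {"123456", "1234", "password"}

def has_sequence(pw, run=4):
    """True if pw holds `run` ascending, descending or repeated letters/digits."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if window.isalnum() and steps in ({1}, {-1}, {0}):
            return True
    return False

def looks_like_date(pw):
    """True for 6 or 8 digits, optionally split by - / . (e.g. 05/25/2010)."""
    digits = re.sub(r"[-/.]", "", pw)
    return digits.isdigit() and len(digits) in (6, 8)

def name_based(pw, first, last):
    """True if the password embeds the user's first or last name
    (which also covers first initial plus last name)."""
    s = pw.lower()
    return any(part and part in s for part in (first.lower(), last.lower()))

def missing_classes(pw):
    """Character classes from the post's 'ideal' password that pw lacks."""
    checks = {"lowercase": str.islower, "uppercase": str.isupper,
              "digit": str.isdigit, "symbol": lambda c: not c.isalnum()}
    return [name for name, fn in checks.items() if not any(fn(c) for c in pw)]

def audit(pw, first="", last=""):
    """Return the weaknesses found; an empty list means no rule fired."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if pw.lower() in COMMON:
        findings.append("common weak password")
    if has_sequence(pw):
        findings.append("consecutive or repeated run")
    if looks_like_date(pw):
        findings.append("looks like a date")
    if name_based(pw, first, last):
        findings.append("contains the user's name")
    missing = missing_classes(pw)
    if missing:
        findings.append("missing: " + ", ".join(missing))
    return findings
```

Calling `audit("jsmith", "John", "Smith")` reports the short length, the embedded name and the missing character classes. A production check would use a far larger blocklist than the three entries here.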

Company-provided laptops are a huge risk factor as well. When companies provide employees with laptops for business purposes, a whole range of potential problems is created. If an employee loses the computer, or it is stolen, sensitive company data could end up in the hands of a cybercriminal. An estimated 32% of data thefts are a result of “misplaced” laptops. This does not mean that you should not supply your employees with a convenient mobile workstation. The risks can be reduced by having the computers tagged to the employee they are given to. If the laptop leaves the company building, have it checked out. This way you know exactly whose laptop it was and what kind of information may be on it. Another solution is to not store any critical information on the computer itself. Allow the employee to pull all the data and files they need from a secure server. You would need to pair this solution with a program like DeepFreeze, which will wipe all data from the hard drive when the laptop is turned off. This way, even if someone does get the computer, there is no useful information on it anymore.

One other big thing to consider is what your employees, your children, and you do to compromise your security. If you own a business, your employees may cause risks by doing seemingly harmless tasks during breaks or lunch. These may include opening emails, checking social media websites, making purchases, and browsing the web. The majority of malware that infects computers and compromises security is the result of end-user oversight. By this I mean clicking on links or downloading files from unknown sites, opening email from people you don’t know, and shopping on unsecured webpages. Children do the same things. A child might think they are downloading a song by their favorite band when, in reality, they have unknowingly installed a backdoor on your computer that gives a hacker free rein over all of your files. Both business owners and parents can take precautions for situations like these. Set up guidelines regarding what people may and may not do on the internet. Let children and employees know the dangers of downloading files and clicking links on a whim. Most importantly, set them up with limited accounts that do not allow the downloading or installation of files.

By taking these precautions, you can prevent serious trouble and a serious migraine.

IMPLICATIONS:

Supplying employees with laptops can be a great benefit, but it needs careful, well-thought-out planning.
Passwords should be memorable, but not simple.
Seemingly innocent acts can be catastrophic for your information security.
Most malware needs an end user’s help to infect a computer.
Unsupervised employees and children often unwittingly cause security threats.
A good systems-use policy is a must for both parents and executives.

RECOMMENDATIONS:

Create passwords with letters, numbers and symbols.
Use words, but swap letters for other characters, e.g. swap S with $, E with 3, O with 0, A with @, etc.
Change your password at least 4 times a year, with the new seasons.
DO NOT WRITE PASSWORDS DOWN!!!
Do not use the same password for everything
If supplying employees with laptops, create a way to keep track of where they are, who has them, and what’s on them
Do not allow employees to save anything directly on the laptops that you are not willing to share with a hacker
Create a policy for internet use and enforce it strictly

SOURCES:

Computerworld - Users still make hacking easy with weak passwords, by Jaikumar Vijayan

Laptoptheft.org - Laptop theft breach statistics

Discovery.com - The Biggest Threat To Your Online Security Is...You, by Jonathan Strickland

Compuhack.info - Top 5 Internet Security Threats, by Gaelim Holland
