Monday, January 28, 2013

Corporate security

Lots of happenings in the corporate security world lately.  Most not good.  This article and this article kind of sum it up nicely.

Most companies still do not spend enough time or effort on security, while some are just in plain denial ("hackers aren't interested in us").  In all honesty though, most companies only have the time and financial backing to focus on their specific business - not becoming security experts.  However, these companies still have to understand there are potential vulnerabilities in a lot of the common business products and  plenty of people out there willing to put forth a lot of time looking for any kinds of weaknesses to exploit.

Think about some of the issues that connected companies must deal with:
  • You weren't invited: It's cool to have all kinds of gee-whiz video conferencing tools, but are they being used against you?  Could somebody be listening in or watching everyone in the room when a video conference is not underway?  Researchers recently found large numbers of systems that are exposed to the internet with little or no security.  Attackers could simply scan for the known ports and then connect and watch the video feed to see what might be going on in the conference room.  If nothing else, at least turn the system off when not in use.
  • Stop watching me: There have also been a number of findings recently related to vulnerable video security camera systems.  People want to be able to monitor the systems remotely, but when misconfigured or loaded with faulty software, potentially more people than necessary could have access. Might not be a huge deal if somebody was able to watch certain camera feeds, but what about if they were able to alter the feed storage or maybe change camera angles or even turn cameras on and off?
  • I heard that: Phone systems are getting some press lately as well.  There have always been problems with phone systems getting set up without any kind of authentication.  If you knew the right time and the right phone number, you could just join right in.  Some researchers are now finding certain systems vulnerable to attacks where the microphone can be turned on without the phone showing it is in use.  Everyone is used to a phone on their desk and most wouldn't think twice about what they may be saying when the receiver is down.
  • Makin copies:  Most printers/copiers/scanners/faxes, just get hooked up right out of the box and nobody gives them any more thought until the toner or paper runs out.  The problem is, most of them have an abundance of data stored on board.  Make a copy of an important, private, document and anyone else with access to the device could potentially see your document too.  Anything that gets scanned on the tray is probably saved off in memory someplace.  Who knows how often it is cleared out?  
  • Help me find my way:  Network gear, like routers and switches, generally come with well known default login accounts and passwords.  Yet many of these devices get hooked up with no thought to changing the defaults.  You definitely don't want somebody from outside the company with access to alter the flow of data on the network.
  • Guess what I heard:  All the perimeter and network security in the world won't guard against employees posting proprietary company information on social networking sites.  Oh, but we have really snazzy content filtering on the network and won't allow certain types of posts to certain sites on certain days at certain times.  Ok, great, but what about the employees with their personal phones and tablets?  Those devices are probably not running through your snazzy content filtering.  Especially when the employees are away from the office.
There was a time not too many years ago when the biggest worry for most businesses was somebody breaking into the office overnight and stealing the books.  To combat this, the solution would be to install alarm systems and possibly even hire security guards.  In most cases, that was extremely effective.  Now fast forward to 2013 with companies all connected to the internet.  Corporate data is no longer stored in file cabinets or desk drawers.  It's stored on storage devices in who knows how many different locations.  Each location connected to the other, making access to all the data super easy.  The problem is, with all the inter-connectivity, companies are not keeping up with the security threats.  Focus must shift from protecting the front door to protecting the data, wherever it may be.