As much as CIOs and CSOs would like to, they know it is impossible to monitor and control every single thing your company's workers are doing with the corporate devices and technology they have available. Chances are, CIOs and CSOs have too many people to look after, and when it comes to monitoring the organization’s network, these IT executives have to focus on the truly alarming activities at the expense of some of the more mundane, but at times equally dangerous, behaviors that are going on. It’s unfortunate, since many cyber-attacks come in by way of common human error.
Janco has found several places where users can compromise a secure network and organizational data. The security holes are:
- Users let others use their corporate devices
- Users access personal email accounts from their corporate devices
- Users find ways around filters for sites they visit or email they get
- Users leave their corporate device unattended in a hotel room, restaurant or a bar when they are away from the office
- Users access corporate data on an open or unprotected network
- Users install unapproved software on their corporate device
- Users access a link their personal social network site
- Users copy files off of a corporate device
The most common security mistakes that are made on corporate web sites have been identified by Janco Associates of Park City, UT.
- Using only single level verification for access to sensitive data - Password authentication is more easily cracked than cryptographic key-based authentication. The purpose of a password is to make it easier to remember the login credentials needed to access a secure resource, however biometric or key-based authentication is a stronger authentication method which make credential more difficult to crack.
- Having “public” workstations or access point is connected to a secure network - If workstation that anyone can use or re-boot is connected to a secure resource you can’t guarantee it is secure. Keyloggers, compromised network encryption clients, and other tricks of the malicious security cracker’s trade can all allow someone unauthorized access to sensitive data regardless of all the secured networks, encrypted communications, and other networking protections you employ.
- Sharing login credentials - The more login credentials are shared, the more they likely they are commonly know by too many others, even with people who should not have access to the system. The more they are shared, the more difficult it is to establish an audit trail to help track down the source of a problem. The more they are shared, the greater the number of people affected when logins need to be changed due to a security breach or threat.
- Connect to network from an unsecure access point - When traveling avoid connecting from open wi-fi networks, networks with unknown or uncertain security characteristics or from those with known poor security such wireless access points in coffee shops. This is especially important whenever you must log in to the server or Web site for administrative purposes or otherwise access secure resources. If you must access the Web site or Web server when connected to an unsecured network, use a secure proxy so that your connection to the secure resource comes from a proxy on a secured network.
- Corporate web site is encrypted but the login process is not - Encrypting a session after login may be useful but failing to encrypt logins is a bit like leaving the key in the lock when you are done locking the barn door. Even if a login form POSTs to an encrypted resource, in many cases this can be circumvented by a malicious security cracker who develops their own login form to access the same resource and allow them access to sensitive data.
- Using weak encryption for back end management - Using Windows Remote Desktop without and encrypted user-id and password in a non-VPN environment is opening your site to the world. Using proprietary platform-specific technologies often leads to resistance to use of secure encryption for Web site access. Cross-platform-compatible strong encryption such as SSH is usually preferable to platform-specific, weaker encryption tools such as Windows Remote Desktop.
- Using unencrypted or weak encryption for Web site or Web server management- Using unencrypted connections (or even connections using only weak encryption), such as unencrypted FTP or HTTP for Web site or Web server management, opens you up to man-in-the-middle attacks and login/password sniffing. Use encrypted protocols such as SSH to access secure resources, using verifiably secure tools.. Once someone has intercepted your login and password information, that person can do anything you could have done.