May 24, 2013 — From GRBJ by Mike Nichols
Using some form of encryption on company computers is a far better practice than just relying on password protection, according to IT security experts.
How can you keep your company from being hacked?
The Grand Rapids Business Journal recently discussed IT security with Scott Montgomery, IT security practice manager at Open Systems Technologies, or OST, a Grand Rapids-based IT consulting firm.
Montgomery, who’s had more than 30 years of experience in the field, said West Michigan companies are being hacked daily, and the business community can no longer “bury (their) heads in the sand” regarding IT security issues. The consequences are too costly.
Over the years, Montgomery and his team have discovered 10 consistent mistakes businesses make when it comes to IT security. He shared this list with the GRBJ in a live-stream video chat that aired on the website last Friday.
1. Reliance on vendor or installer for security
Montgomery said problems such as unlocked security cameras, or manufacturing, health care and banking computer systems with little security configurations in place are major issues that can go unnoticed for years, leading to devastating hacks in those industries.
“(The vendor or installer’s) job is to get a product purchased, installed and working,” he said. “Security has slowed down on the list. … Just because it’s working, doesn’t mean it’s secure.”
2. Weak or trivial passwords
This is the most common problem Montgomery comes across. The best passwords are long, contain a special number, combine letters and numbers and use a case change on letters other than the first and last letter in the sequence, he said.
“I don’t know how many times I have to say it, but ‘password1’ and ‘summer13’ are not good passwords,” he said. “We can scan an organization, and whether there’s three user IDs in their environment or 100,000, there’s going to be a percentage of those passwords that are weak and easily guessable. … Starting with a dictionary word is not the way to go.”
3. Consistent passwords
A password shouldn’t just be hard to guess, Montgomery said; it also has to be unique. Otherwise, high-level access to an organization could be available through one password.
“You’ve got network administrators who’ve got the same password represented on 30 to 40 accounts,” he said. “If one account is provided to somebody and the correlating password is provided, you don’t ever want that password to be used for different accounts.”
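As an added illustration of points 2 and 3 (this is example code written for this page, not a tool from OST or the article), the following Python audit scores each password against the rules Montgomery lists (length, digits mixed with letters, a case change on an interior letter, not starting with a dictionary word) and then flags any password that appears on more than one account. The minimum length of 12, the tiny word list and the sample credential set are constructed assumptions; a real audit would run over an export from a credential scan with a full dictionary.

```python
"""Password audit: per-password weakness checks plus cross-account reuse detection.

Example code added for this page; the numeric threshold, the word list and the
sample credentials are constructed assumptions, not values from the article.
"""

from collections import defaultdict

MIN_LENGTH = 12  # assumption: the article says "long" without giving a number

# Constructed mini dictionary; a real audit would load a full word list.
DICTIONARY_WORDS = {"password", "summer", "welcome", "admin", "company", "grand", "rapids"}


def starts_with_dictionary_word(password: str) -> bool:
    """True if the password begins with a known dictionary word (case-insensitive)."""
    lowered = password.lower()
    return any(lowered.startswith(word) for word in DICTIONARY_WORDS)


def password_problems(password: str) -> list[str]:
    """Return the list of stated rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no number")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    # "Case change on letters other than the first and last": require an
    # upper-case letter strictly inside the password and a lower-case one somewhere.
    interior = password[1:-1]
    has_case_change = any(c.isupper() for c in interior) and any(c.islower() for c in password)
    if not has_case_change:
        problems.append("no case change on an interior letter")
    if starts_with_dictionary_word(password):
        problems.append("starts with a dictionary word")
    return problems


def find_reused_passwords(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used by more than one account to the sorted list of those accounts.

    Reuse is the point-3 problem: one leaked credential then opens every account
    sharing the same secret, however strong that secret is on its own.
    """
    accounts_by_password = defaultdict(list)
    for account, password in credentials.items():
        accounts_by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in accounts_by_password.items() if len(accts) > 1}


# Constructed sample data resembling an export from a credential scan.
SAMPLE_CREDENTIALS = {
    "jdoe": "password1",
    "svc_backup": "summer13",
    "netadmin": "Tr0ub4dor&Mk",
    "netadmin_sql": "Tr0ub4dor&Mk",
    "netadmin_fw": "Tr0ub4dor&Mk",
    "asmith": "gR33nkiteflyingHigh9",
}


def audit(credentials: dict[str, str]) -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Run both checks and return (problems per account, reused passwords)."""
    per_account = {acct: password_problems(pw) for acct, pw in credentials.items()}
    return per_account, find_reused_passwords(credentials)


if __name__ == "__main__":
    per_account, reused = audit(SAMPLE_CREDENTIALS)
    for account, problems in per_account.items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{account:12s} {status}")
    for password, accounts in reused.items():
        print(f"reused on {len(accounts)} accounts: {', '.join(accounts)}")
```

Note that the strong-looking administrator password passes every per-password rule and is still reported, because it is shared across three accounts; that is exactly the case point 3 warns about, and a per-password check alone would miss it.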
4. Missing security updates/patches
Anything public-facing with a direct connection to the Internet will be a target, Montgomery said, as will wherever a business keeps its most valuable data. This is why it’s important to keep up with software updates, he said.
“It becomes a big issue when it becomes a public exploit for that vulnerability. … Then somebody can take advantage of it and gain the system or access to the device,” he said. “Keeping your manufacturing updates current is a big issue.”
5. Scanned documents on “multi-function” devices
A multi-function device refers to a printer/scanner/fax machine combination that is plugged into the network, he said. These devices all have internal hard drives, Montgomery said, and in many cases the previously scanned or printed information is never deleted. This becomes especially problematic when devices are leased and then returned.
“Because there’s not good security in keeping unauthorized people off the devices … we’ve had many instances where one or thousands of documents containing private or personal information have been readily available,” he said.
6. Not changing default login credentials
Any device with a wireless access point, such as a security camera, television or VCR, has an active connection to a business if a user brings their computer home. If plugged into a network, Montgomery said, a hacker could use it to break in, simply by searching the device name and password in Google to find the user ID.
“What people don’t realize is the manufacturer does a great job of allowing you to set up your own credentials,” he said. “But they don’t necessarily tell you that you have to go and change the default password that set up the device.”
7. Open network shares
Open network shares, the way users share information without a file server, can lead to a user error that exposes information to the whole network, he said.
“Somebody right-clicks on a folder in Windows, hits the share button — next thing you know that information is available to anybody on that network that has an Explorer application,” Montgomery said. “If you have files that are supposed to be private, they’re no longer private.”
8. Not planning for lost, stolen, discarded or sold computers
Businesses need to put device-securing technology in place as part of a plan of preparation rather than as a reaction after becoming a victim, Montgomery said. Even a simple precautionary mobile PIN could help. For computers, there is encryption software available, he said.
“A password alone for your PC does not keep the bad guys out. … You’ve got to have some form of encryption on the device to keep that information properly secure.”
“There’s even LoJack you can buy for PCs. If your PC is stolen, you can contact the company that you purchased the software from. They can find the device and they can even turn on the webcam and take a picture of the person.”
9. Antivirus not installed or out-of-date
Antivirus software, like passwords, is one of the early layers of security for any organization, Montgomery said, but many users either disable it because of a perception that it makes the computer slower, or they don’t update it regularly.
“There are updates for your antivirus signatures that are taking place multiple times a day,” he said. “You’ve got to turn on the automatic update process.”
10. Improperly configured Wi-Fi or improper use of Wi-Fi
Wi-Fi, although extremely useful, can be subtly dangerous because there’s often no way to confirm its security, Montgomery said.
“When we walk into a coffee shop, if there’s an orange plug, an RJ45 jack that we need to plug our computer into, we can pretty much rest assured that the network connection we’re attaching to is owned by that coffee shop because it’s a physical connection,” he said.
“If we walk into the same coffee shop and we see a Wi-Fi network called ‘coffee shop,’ we have no idea whether that’s owned by the coffee shop or by the hacker on a laptop sitting at the next table over.”