Threats to Your Information Security

Tuesday, July 20, 2010

Theresa Payton

Article By Ricky Peterson

Threats to your information and computer security may be closer than you think. This applies to businesses and individuals alike. You may be a threat to your own information.

If you own a company, the threat may be as close as your own employees. These threats are very real precisely because most people never think of themselves as a threat to their own data or to the company they work for.

KEY FINDINGS:

  • Lost or stolen laptops account for over 32% of information thefts
  • According to Computerworld, 30% of passwords are six characters or shorter, and nearly 50% are easily cracked
  • Most computer virus infections are the result of user carelessness
  • Unsupervised children and employees cause a large number of information thefts without knowing it

BACKGROUND:

When most people think of information theft, they think of hackers working long hours trying to break codes and steal passwords. They think of complex programs that bypass firewalls and intrusion prevention systems.

This is, however, far from the reality of things. Most information theft is caused by you or someone close to you. Most of the time it is unintentional, but it still happens.

Most people, be it an individual or a CEO of a large company, do not realize that seemingly insignificant things can cause big problems.

ANALYSIS:

Perhaps one of the biggest causes of information theft is weak passwords. A weak password is generally one that is less than 8 characters long, a name or significant date, a consecutive string of numbers or letters, or an easily guessed word.

Some infamous weak passwords are 123456, a birth date, first initial plus last name, and the word "password" itself. About 42% of all stolen passwords are weak. The reason is that people have a hard time remembering complex strings of characters.

People tend to make an easy password that they can remember and then use it for everything. Hackers love it when we do this: passwords like 1234 and significant words are the first ones they try, because they know people still use them.

Some people use different, complex passwords for everything, but then need to write them down. This poses another problem. If the password sheet is lost, someone can gain access to all of your accounts.

Ideally a password should be 8 or more characters long and a combination of upper and lower case letters, numbers and symbols. It should also be changed at least every two months. This is, however, idealistic and not possible for most average people.

The practical solution is to change your password regularly and avoid the common "weak" passwords. If this is done you will have increased security while avoiding messy, complicated passwords.
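
As an added example (not part of the original article), here is a small checker that encodes the criteria above as code: length under 8, a common password or a leetspeak/trailing-digit variant of one, a consecutive run, a date, or fewer than three character classes. The common-password list is a constructed handful; a real check would load a breach-derived list of millions of entries. Undoing the leetspeak substitutions is the part worth noticing: cracking tools apply the same substitutions as word-mangling rules, so "P@$$w0rd" is not materially stronger than "password".

```python
import re
from datetime import datetime

# Constructed sample list: the passwords the article names plus a few perennial
# top-of-list entries. A real check loads a breach-derived list of millions.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "abc123", "iloveyou",
    "welcome", "monkey", "dragon",
}

# The "swap letters for symbols" trick, inverted. Cracking tools apply these
# same substitutions as mangling rules, so undoing them mirrors the attacker.
LEET = str.maketrans({"$": "s", "5": "s", "3": "e", "0": "o", "@": "a",
                      "4": "a", "7": "t", "!": "i", "1": "i"})


def normalize(password):
    """Lower-case and undo common leetspeak so P@$$w0rd compares equal to password."""
    return password.lower().translate(LEET)


def is_sequential(s, min_run=4):
    """True if s holds a run of min_run characters stepping by +1 or -1 (1234, abcd, dcba)."""
    for i in range(len(s) - min_run + 1):
        chunk = s[i:i + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def looks_like_date(password):
    """True if the digits form a calendar date: MMDDYYYY, DDMMYYYY, YYYYMMDD, MMDDYY or DDMMYY."""
    digits = re.sub(r"[-/.]", "", password)
    if not digits.isdigit() or len(digits) not in (6, 8):
        return False
    if len(digits) == 8:
        candidates = [(digits[4:], digits[:2], digits[2:4]),   # MMDDYYYY
                      (digits[4:], digits[2:4], digits[:2]),   # DDMMYYYY
                      (digits[:4], digits[4:6], digits[6:])]   # YYYYMMDD
    else:
        candidates = [("20" + digits[4:], digits[:2], digits[2:4]),   # MMDDYY
                      ("20" + digits[4:], digits[2:4], digits[:2])]   # DDMMYY
    for year, month, day in candidates:
        try:
            datetime(int(year), int(month), int(day))
            return True
        except ValueError:
            continue
    return False


def weaknesses(password):
    """Return the list of reasons the article would call this password weak (empty = none)."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    stripped = re.sub(r"\d+$", "", password)          # "password2010" -> "password"
    if {password.lower(), normalize(password), normalize(stripped)} & COMMON_PASSWORDS:
        reasons.append("common password, or a leetspeak/trailing-digit variant of one")
    if is_sequential(password):
        reasons.append("contains a consecutive run such as 1234 or abcd")
    if looks_like_date(password):
        reasons.append("looks like a date")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons
```

`weaknesses("P@$$w0rd2010")` reports only the common-password hit, `weaknesses("07-20-1990")` flags the date, and `weaknesses("Tr0ub4dor&3")` returns an empty list. The character-class rule is the article's, not a strength measure: a long passphrase of lower-case words trips it while being far harder to guess than an 8-character mix, so read the returned list as a set of red flags rather than a score.
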

Company provided laptops are a huge risk factor as well. When companies provide employees with laptops for business purposes, a whole range of potential problems are created. If an employee loses the computer, or it is stolen, sensitive company data could end up in the hands of a cybercriminal.

An estimated 32% of data thefts are the result of "misplaced" laptops. This does not mean you should not supply your employees with a convenient mobile workstation. The risk can be reduced by tagging each computer to the employee who received it and checking it out whenever it leaves the company building.

This way you know exactly whose laptop it was and what kind of information may be on it. Another solution is to not store any critical information on the computer itself. Allow the employee to pull all the data and files they need from a secure server.

With this solution, you would pair the laptop with a program like Deep Freeze, which discards every change made during a session and restores the disk to its frozen baseline at the next reboot. Note that this is a restore, not a wipe: whatever was written during the session sits on the disk until that reboot, and someone who removes the drive from a stolen laptop can read it. Encrypt the whole disk as well, so that anything left on it is unreadable without the user's credentials.

One other big thing to consider is what your employees, children, and you, do to compromise your security. If you own a business, your employees may cause risks by doing seemingly harmless tasks during breaks or lunch.

These may include opening emails, checking social media websites, making purchases, and browsing the web. The majority of malware that infects computers and compromises security is the result of end-user oversight.

By this I mean clicking on links or downloading files from unknown sites, opening email from people you don’t know, and shopping on unsecured webpages. Children do the same things as well.

For parents: a child might think they are downloading a song by their favorite band when in reality they have just unknowingly installed a backdoor on your computer that gives a hacker free rein over all of your files.

Both business owners and parents can take precautions for situations like these. Set up guidelines regarding what people may and may not do on the internet. Let children and employees know the dangers of downloading files and clicking links on a whim.

Most importantly, give them standard (non-administrator) accounts that cannot install software. A downloaded file is then far less dangerous, because the malware inside it cannot install itself system-wide; it can still run with that user's own privileges and read that user's files, so the restriction limits the damage rather than preventing every infection. By taking these precautions, you can prevent serious trouble and a serious migraine.

IMPLICATIONS:

  • Supplying employees with laptops can be a great benefit, but needs careful and thought out planning.
  • Passwords should be memorable, but not simple.
  • Seemingly innocent acts can be catastrophic for your information security.
  • Most malware needs an end user’s help to infect a computer.
  • Unsupervised employees and children often unwittingly cause security threats.
  • A good systems use policy is a must for both parents and executives.

RECOMMENDATIONS:

  • Create passwords with letters, numbers and symbols.
  • Use words, but swap letters for other characters, e.g. s for $, E for 3, O for 0, A for @. Be aware that password-cracking tools apply exactly these substitutions automatically, so the swap buys far less than adding length does.
  • Change your password at least four times a year, with the new seasons
  • DO NOT WRITE PASSWORDS DOWN!
  • Do not use the same password for everything
  • If supplying employees with laptops, create a way to keep track of where they are, who has them, and what’s on them
  • Do not allow employees to save anything directly on the laptops that you are not willing to share with a hacker
  • Create a policy for internet use and enforce it strictly

SOURCES:

  • Computerworld: "Users still make hacking easy with weak passwords" by Jaikumar Vijayan
  • Laptoptheft.org: laptop theft breach statistics
  • Discovery.com: "The Biggest Threat To Your Online Security Is...You" by Jonathan Strickland
  • Compuhack.info: "Top 5 Internet Security Threats" by Gaelim Holland

The author, Ricky Peterson, is an Intern at Fortalice working under the tutelage of Theresa Payton.

COMMENTS:

Pete Herzog Focusing so much on the weak password rather than the fact that there are ZERO additional controls to protect the weak Authentication mechanism? That's like blaming fireworks deaths on short fuses rather than the fact that fireworks are dangerous anyway and you need to wear protective gear. How can anyone seriously offer a place to login without adding controls to curtail brute-force methods? My bank card PIN is only 4 numbers or 10,000 permutations yet it's very safe because there is no easy way to brute force the PIN on an ATM without getting seen and locked-out. If you have a 6 character password and controls which lock that login out exponentially long after each attempt AND you contact the login owner after 5 unsuccessful tries with the info of who and where the connection came from and what to do if they suspect it's fake (like contact support) then you're not going to have problems. We should be teaching people about Defense in Width which is adding different types of controls to interactive areas. The more untrusted the interactive area, the wider your array of controls should be. Different, complementing controls is so much more important than "more" controls, especially considering that each additional control increases your exposure and attack surface because it puts more out there which can be attacked.
Posted 2010-07-21 15:07 UTC

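The control Pete Herzog describes above, as an added example that is not part of the original post or its comments: a throttle keyed on (account, source IP) whose lockout doubles on every consecutive failure, and which records a notification for the account owner after five failures. The account name, the IP addresses, the constants and the `FakeClock` are assumptions for the simulation; a real verifier would compare a salted hash rather than the plaintext guess.

```python
import time
from collections import defaultdict

NOTIFY_AFTER = 5      # failures before the account owner is told who/where the attempts came from
BASE_LOCKOUT = 2.0    # seconds of lockout after the first failure; doubles on each further failure
MAX_LOCKOUT = 3600.0  # cap so one hostile IP cannot lock a user out for days


class LoginThrottle:
    """Exponential lockout per (account, source IP), owner notified after NOTIFY_AFTER failures.

    Holds counters only; nothing here verifies passwords. `clock` is injectable so
    the behaviour can be simulated without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)        # (account, ip) -> consecutive failures
        self.locked_until = defaultdict(float)  # (account, ip) -> clock value when attempts resume
        self.notifications = []                 # (account, ip, failures): stand-in for an email/SMS

    def seconds_locked(self, account, ip):
        """0.0 if an attempt may proceed, else seconds until the lockout expires."""
        return max(0.0, self.locked_until[(account, ip)] - self.clock())

    def record(self, account, ip, success):
        """Update state after a verified attempt; returns the new lockout length in seconds."""
        key = (account, ip)
        if success:
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            return 0.0
        self.failures[key] += 1
        n = self.failures[key]
        lockout = min(BASE_LOCKOUT * 2 ** (n - 1), MAX_LOCKOUT)
        self.locked_until[key] = self.clock() + lockout
        if n == NOTIFY_AFTER:
            self.notifications.append((account, ip, n))
        return lockout


def attempt(throttle, account, ip, guess, real_password):
    """One login attempt. Returns ('locked', wait), ('fail', lockout) or ('ok', 0.0)."""
    wait = throttle.seconds_locked(account, ip)
    if wait > 0:
        # Refused before verification: no oracle for the attacker, no CPU spent on hashing.
        return ("locked", wait)
    ok = guess == real_password   # stand-in for a real verifier (salted hash compare)
    lockout = throttle.record(account, ip, ok)
    return ("ok", 0.0) if ok else ("fail", lockout)


class FakeClock:
    """Controllable clock so the simulation runs instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_guesses(throttle, clock, account, ip, guesses, real_password):
    """Patient attacker from one IP who waits out every lockout. Returns (outcomes, seconds elapsed)."""
    start = clock()
    outcomes = []
    for guess in guesses:
        clock.advance(throttle.seconds_locked(account, ip))
        outcomes.append(attempt(throttle, account, ip, guess, real_password)[0])
    return outcomes, clock() - start


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    wrong = [f"guess{i}" for i in range(10)]   # constructed: ten wordlist entries, none correct
    outcomes, elapsed = run_guesses(throttle, clock, "alice", "203.0.113.7", wrong, "correct horse battery")
    print(outcomes, elapsed)          # ten 'fail's; 2+4+...+512 = 1022.0 seconds spent waiting
    print(throttle.notifications)     # [('alice', '203.0.113.7', 5)]
```

Ten wrong guesses from one address cost the attacker 2+4+...+512 = 1022 seconds of waiting, ten more would cost over a day, and the owner is told after the fifth. Two caveats a deployment needs: keying only on source IP means an attacker who spreads guesses across many addresses gets a fresh counter each time, so a per-account counter (capped so one hostile party cannot lock a user out indefinitely) or a global failure-rate alarm belongs alongside it; and the "locked" response must be identical for real and non-existent accounts, or the throttle becomes a username oracle.
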
Fred Williams No matter how many times you bash the idea of strong passwords into the heads of people, they always go back to the easy-to-remember passwords. When the RockYou member password list was breached and posted last year, nearly 50% were weak passwords. This is 2009!

New strategies for password management need to be carefully thought out. Microsoft is doing something interesting. A paper that can be read here: http://research.microsoft.com/apps/pubs/default.aspx?id=132859 reveals a strategy of strengthening user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want, so long as it's not already too popular with other users.
Posted 2010-07-21 18:07 UTC

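The popularity approach Fred Williams points to, as an added example rather than code from the paper or the original post: a count-min sketch keeps approximate counts of how many users chose each password, and a new choice is refused once the estimate reaches a cap. The cap, the sketch dimensions and the constructed list of user choices are assumptions; the paper frames the limit as a fraction of all users, while this demo uses an absolute count so that the effect is visible on a dozen entries.

```python
import hashlib


class CountMinSketch:
    """Approximate counter: estimates are never below the true count, and rarely far above it."""

    def __init__(self, width=4096, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, item):
        data = item.encode("utf-8")
        for row in range(self.depth):
            # One independent hash per row: blake2b with the row index as its salt.
            digest = hashlib.blake2b(data, digest_size=8, salt=bytes([row])).digest()
            yield row, int.from_bytes(digest, "big") % self.width

    def add(self, item):
        for row, col in self._cells(item):
            self.table[row][col] += 1

    def estimate(self, item):
        return min(self.table[row][col] for row, col in self._cells(item))


class PopularityPolicy:
    """Accept any password, however simple, unless too many other users already chose it."""

    def __init__(self, max_users_per_password):
        self.sketch = CountMinSketch()   # holds counters only; the passwords themselves are never stored
        self.cap = max_users_per_password

    def allowed(self, password):
        return self.sketch.estimate(password) < self.cap

    def register(self, password):
        """Called when a user sets a password: refuse if popular, otherwise count it. True if accepted."""
        if not self.allowed(password):
            return False
        self.sketch.add(password)
        return True


def simulate_signups(choices, max_users_per_password=3):
    """Constructed user base: each entry is one user's chosen password.

    Returns (policy, {password: number of users whose choice was accepted}).
    """
    policy = PopularityPolicy(max_users_per_password)
    accepted = {}
    for pw in choices:
        accepted[pw] = accepted.get(pw, 0) + int(policy.register(pw))
    return policy, accepted


if __name__ == "__main__":
    policy, accepted = simulate_signups(["123456"] * 12 + ["password"] * 5 + ["Tr0ub4dor&3"])
    print(accepted)                  # {'123456': 3, 'password': 3, 'Tr0ub4dor&3': 1}
    print(policy.allowed("zxcvbn"))  # True: weak but not (yet) popular
```

Twelve users picking 123456 get three acceptances and nine refusals, while an unpopular but weak choice such as zxcvbn is allowed: the policy caps how many accounts fall to any one guess, it does not judge the guess itself. The sketch's estimates can only err upward, so a hash-cell collision causes a spurious refusal, never a spurious acceptance. The oracle should be reachable only through the password-change flow, and rate-limited there, or an attacker can query it to learn which passwords are popular.
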
Pete Herzog Fred, even if they choose easy to remember passwords, a system which does not allow for brute-forcing or dictionary attacks will not allow for more than 3 or 5 tries before those attacks are no longer valid for that account from that IP. This will drastically reduce successful password attacks regardless of the ease of password. Combine that with additional transaction information required for critical types of interactions from within the account and you will be much better off overall than the big password often changed idea currently in use. Especially when you count the amount of help-desk support the current process requires.
Posted 2010-07-21 18:35 UTC

Jon Stout Password management is a problem. With many sites on the internet requiring login and password, it is difficult for the average user to keep track without standardizing on an easy to remember password.
Posted 2010-07-22 17:55 UTC

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.