The Enemy of my Enemy is my Enemy? Huh?
Yes, that statement may seem odd, but it's true. Sometimes the greatest threat can come from within. In the last two articles we discussed how an employee of your own company could compromise your entire network by doing something as simple as downloading and sharing the latest Britney Spears song. But what are the implications of this action? Are your employees trying to sabotage your company? Most likely not. But are your employees performing an action that is inadvertently compromising the integrity of your information? They might be.
What have you implemented as a company policy or procedure to educate your employees about the fact that the actions they take may harm the company? Most of the time nothing of the sort is done. Why?
The problem lies in the fact that most network administrators dwell too much on making things “work” and not enough on making things “secure”. But what does this involve? It's much more than enforcing strong passwords or insisting that staff not take data off the premises that could expose information leading to a breach. It involves an overall education in what can be done with a small portion of access to your company's network. For example, what information could I gain from a single e-mail login belonging to, say, a salesperson? Is any inside information available there? Perhaps information regarding a product in which you have a niche? Do you ever send financial information to a salesperson? The point is this: information that passes between members of your own company, and that you would normally dismiss as insignificant, could be very lucrative to a rival company or a malicious entity. What would it cost your company if that information were in the open? Could you lose your advantage, or perhaps a crucial bid for a large contract?
Information is everything.
It is the lifeblood of the way you make money with your product or service.
How do you protect that?
By understanding the flaws that threaten the integrity of that information. Only by understanding how a would-be attacker of your company thinks will you understand what is really at risk. If you do not have someone on your IT team who understands this very fundamental aspect of information security, GET ONE. The cookie-cutter “bachelor's degree in computer science” is no longer enough on its own. WORKING knowledge in the REAL world of computer technology and networking is ESSENTIAL.
To the CEO and management personnel reading this, I write this: there are more vulnerabilities in the software you run each day on your office PC than you can count. And I'm not talking about viruses, ad-ware or spy-ware. Real threats. More and more each day. I don't say this to frighten you but to educate you on the fact that, nowadays, “conventional” knowledge of information technology just doesn't cut it. You need to think beyond the out-of-the-box mentality of network security. Norton, McAfee, etc. will NOT save you from the real threats that lurk out there. You need active, intelligent staff in place to deal with the threats that exist.
What can you do as management? Have a conversation with your IT staff or IT provider. Ask them to explain what the TCP/IP stack involves and what tools such as NMAP and Netcat do. Do they understand the various forms of encryption used for wireless? What's the difference between WEP and WPA? Or better yet, keep it short and simple: ask them for a detailed report on the steps they have taken to actively defend against both external and internal threats. With this report you should be able to determine what defenses, if any, have been implemented against such attacks.
These questions are the bare minimum that a qualified IT person should be able to answer today. Why? Because the setup and installation of your network is, for the most part, taken care of by the software and hardware manufacturer. Most setup, even of enterprise networks, is “wizard driven”, meaning automated or really easy. The rest, including securing your information, is up to your staff or IT provider: the human element. Make sure you are protected; in these critical financial times, you cannot afford to lose money to an information breach.
If you have any questions about this series of articles, or need assistance in assessing whether or not your information security is up to par, contact the MAEA. We have qualified IT and security staff who can answer your questions.
Nick Hitchcock
OSCP, CEH, CHFI, MCP
NHT Consulting
www.nhtconsulting.com
nickh@nhtconsulting.com