Why are passwords insecure?


Too many organisations are still just relying on passwords to allow remote workers, partners and clients to access their business systems.

This generally presents an unacceptable level of risk to a business: passwords on their own are not secure.

How can passwords be breached?

  • Given to or stolen by another employee
    • Eliminating traceability of actions on the IT systems.
  • Cracked by an external or internal entity
    • Via specialist hacking/cracking software and experience.
  • Recorded by spyware software
    • Installed via a virus or other malicious software.
  • Phished
    • Directing the user to a copy of your login systems to facilitate theft.
  • Given out to a 3rd party unintentionally
  • Stolen in transit
    • Unsecured networks can often facilitate password theft.

As you can clearly see, the number of risks to a user’s password is significant. These are old and proven methods for, in effect, stealing passwords and using them with malicious intent, such as to enter systems and steal information, hold firms to ransom and the like. Passwords have been insecure for some time, yet many businesses don’t close the hole until they have suffered a significant security breach. The fact that underground communities swap and trade access details makes this even worse. There’s money in knowing passwords, so you can buy them online!

How can you increase your security levels?

It’s actually fairly simple to up your levels of security and protect against these risks. You can make your remote system access robust by simply implementing multi-factor authentication as a minimum level of security. It doesn’t make your system hack-proof of course, but it does dramatically increase the security level of systems.

What is two-factor authentication?

Two-factor authentication simply means you use two elements to access your systems: something you know (your password) and something you have, e.g. a token device. You may have one for access to your bank; they’ve been in use for years. The same technology can also be installed as an app on your smartphone.


The fact that you must have at least 2 elements to log in naturally increases your level of security. Every time you log in you must, for example, first enter your password and then enter a unique number which changes, say, every 5 seconds. Now it doesn’t matter if someone knows your password, as they don’t also have the token with the ever-changing number. On the flip side, if you lose your token on the train and someone picks it up, they won’t be able to access your account: they probably don’t know where you work and, most importantly, they won’t know your password.
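The login check described above, written out as an added example (not code from the original post): the server only grants access when both the password and a current token code are right, a lost token on its own or a stolen password on its own fails, and a code that has already been used is rejected. The post does not name a token type, so the HMAC-based time-code algorithm in the style of RFC 6238 is an assumption; the 5-second step follows the text, whereas real deployments normally use 30 seconds.

```python
import hashlib
import hmac
import struct
import time

# Demo parameters. The text describes a code that changes "say every 5
# seconds"; RFC 6238 deployments normally use a 30-second step.
TIME_STEP = 5       # seconds each code is valid for
DIGITS = 6          # length of the displayed code
SKEW_STEPS = 1      # accept one step either side to tolerate clock drift


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based one-time code: HMAC-SHA1 over the current time counter,
    truncated as in RFC 4226/6238. Both the token and the server run this."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen credential database is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserRecord:
    """What the server keeps per user: password hash plus the token's seed."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = b"constructed-salt"       # would be random per user
        self.password_hash = hash_password(password, self.salt)
        self.token_secret = token_secret      # shared only with the user's token/app
        self.last_counter_used = -1           # blocks replay of an already-used code


def verify_login(user: UserRecord, password: str, code: str, now: int = None) -> bool:
    """Grant access only if the password (something you know) AND a current
    token code (something you have) are both correct."""
    now = int(time.time()) if now is None else now
    password_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)

    code_ok = False
    matched_counter = None
    for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
        step_time = now + delta * TIME_STEP
        if hmac.compare_digest(totp(user.token_secret, step_time), code):
            matched_counter = step_time // TIME_STEP
            code_ok = matched_counter > user.last_counter_used
            break

    if password_ok and code_ok:
        user.last_counter_used = matched_counter  # the code cannot be used again
        return True
    return False


if __name__ == "__main__":
    # Constructed values for the walk-through.
    secret = b"constructed-token-seed-0123"
    user = UserRecord("correct horse battery", secret)
    now = 1_700_000_000
    code = totp(secret, now)
    print("password only:", verify_login(user, "correct horse battery", "000000", now))
    print("token only:   ", verify_login(user, "guess", code, now))
    print("both:         ", verify_login(user, "correct horse battery", code, now))
    print("replayed code:", verify_login(user, "correct horse battery", code, now))
```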

It all sounds very simple. That’s because it is. All firms who have people accessing their systems from outside the corporate firewall should be using multi-factor authentication. Actually, it also makes sense for those within the firewall to use it. It’s inexpensive, straightforward and now a necessity. Passwords on their own are not secure and the threat landscape is changing all the time. Organised crime gangs and lone-wolf hackers are on the hunt to extort and steal money from firms – many are sitting ducks.


10 Data Leak Prevention Tips for Law Firms


Data leak prevention (DLP) is a subject that comes up again and again. “How do I stop data leaks from occurring?” and “How do I know if a data leak has happened?” are two questions that legal firms want answers to.

The premise of DLP is to stop intellectual property, client details or other sensitive data from passing into the unprotected Internet. Something that sounds easy, but isn’t. Leaks can happen via email, internet browsing or a breached cloud platform.

You may realise that those are three of the biggest things your firm uses every day and that’s where the difficulty comes in. Setting up a full DLP system is usually difficult and takes a lot of time, technologies and planning. But before you can even start to make a plan you need to understand the fundamentals.

What are the types of data leak?

  • In transit
    • Being intercepted whilst travelling over the wire, i.e. email, web chat, web traffic, etc.
  • At rest
    • From areas such as a file share, a database or from a desktop or laptop.
  • In use
    • From screen captures, clipboard, a printer, USB disk, CD, etc.

Your firm should break down each of these areas, understanding when data is in each vector and how it could leak via the vector. Once you understand what you have and what risks you face on each classification you can start to think about controls and policies. For instance:

  • What is your policy on staff plugging in USB sticks?
  • What controls will you have to stop sensitive details lying in the printer?
  • What is your policy on sharing information via social media?

The controls will vary significantly by firm, but here are 10 areas to consider when contemplating how to keep your sensitive data secure from an accidental or malicious leak.

How can you make data secure?

1. Portable encryption

You should encrypt any sensitive data which leaves the secure confines of your firm’s network. You’ll need software systems to control this as you cannot typically rely on employees to do it. It only takes a lost USB disk, laptop or phone to deliver a severe or critical blow to a firm.

2. Endpoint protection

The data endpoint is typically a computing device, i.e. desktop, laptop, mobile, server, etc. It’s on these devices that IP and confidential data resides or passes through. DLP endpoint protection solutions can protect data inside and outside of the network by controlling functions, such as print, copy, and data transfer to USB devices or a cloud storage platform, such as Dropbox.

3. Email content control

Email is a common source of a data leak, as employees use it to send confidential information and documents. Content filtering uses deep content inspection technology to scan the text, images, and attachments of an email, to flag up any potential threats and can alert you if a user tries to send sensitive information.
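An added example (not from the original article) of the content inspection described above, run over a few constructed outbound messages: it scans subject, body and extracted attachment text for a classification label and for client matter references, and flags the "email to the wrong client" case where a matter reference for one client is addressed to someone else. The domain names, the CLIENT/YEAR/NUMBER reference format and the client-to-domain mapping are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-law.invalid"   # constructed: the firm's own mail domain

# Constructed patterns standing in for a firm's real markers: a classification
# label and a client matter reference written as CLIENT/YEAR/NUMBER.
CLASSIFICATION_RE = re.compile(r"\b(PRIVILEGED|CONFIDENTIAL)\b", re.IGNORECASE)
MATTER_REF_RE = re.compile(r"\b([A-Z]{3,8})/(\d{4})/(\d{3,5})\b")

# Constructed mapping of matter client code -> the domain that client mails from.
CLIENT_DOMAINS = {"ACME": "acme-client.invalid", "BRAVO": "bravo-client.invalid"}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> extracted text


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def inspect(msg: Message, client_domains: dict = CLIENT_DOMAINS) -> list:
    """Return findings for an outbound message; an empty list means nothing to flag.
    Only mail leaving the firm is inspected, and every text part is checked."""
    externals = [r for r in msg.recipients if domain(r) != INTERNAL_DOMAIN]
    if not externals:
        return []
    parts = {"subject": msg.subject, "body": msg.body, **msg.attachments}
    findings = []
    for part_name, text in parts.items():
        if CLASSIFICATION_RE.search(text):
            findings.append(f"classified content in {part_name} sent to {externals}")
        for client, year, number in MATTER_REF_RE.findall(text):
            # The "wrong client" case: a matter reference for one client in mail
            # addressed to any external recipient who is not that client.
            wrong = [r for r in externals if domain(r) != client_domains.get(client)]
            if wrong:
                findings.append(f"matter {client}/{year}/{number} in {part_name} sent to {wrong}")
    return findings


# Constructed sample traffic for the walk-through.
SAMPLES = {
    "internal_only": Message("a@example-law.invalid", ["b@example-law.invalid"],
                             "Draft", "CONFIDENTIAL draft for review."),
    "right_client": Message("a@example-law.invalid", ["finance@acme-client.invalid"],
                            "Matter update", "Update on ACME/2019/0042 attached."),
    "wrong_client": Message("a@example-law.invalid", ["cfo@bravo-client.invalid"],
                            "Advice", "Please see attached.",
                            {"advice.txt": "Advice on matter ACME/2019/0042."}),
    "to_webmail": Message("a@example-law.invalid", ["me@personal-mail.invalid"],
                          "Files", "For home working.",
                          {"notes.txt": "PRIVILEGED and confidential notes."}),
}


def run_samples() -> dict:
    return {name: inspect(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "ok")
```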

4. Intelligent firewalls

Data leakage often arises from email, IM or internet use. Firewalls can protect individual computers and whole networks from security threats and can take automatic action against potential data leaks, unauthorised access or malicious behaviour, either by notifying the administrator or by blocking the action.

5. Device control

Endpoint solutions allow administrators to control what devices are in use. They can also see when they have been used, who by and what information was copied, managing the threat of portable storage devices. You should also have effective security policies for your devices, as users typically store email and other sensitive documents on their smartphones and tablets. For example, some requirements could include the use of complex passwords or setting devices to lock automatically when not in use.

6. Evaluating security permissions

Many users may have access to sensitive data, but do they really need it? Allowing access on a “need-to-know” basis can dramatically reduce your chances of a data leak, accidental or otherwise.

7. Controlling print

Multi-function printers (MFPs) are typically unmonitored and can have a high level of data leak potential. Requiring users to ‘sign in’ before use can reduce this, as they will only have access to certain functions and documents. It also prevents users from leaving sensitive information on the printer, as a document only prints once the correct user has signed in at the MFP.

8. Securing back-ups

Many firms rightly have back-ups of their most important information, but these can be vulnerable too, either from an attack or due to loss. Just like the original data you should encrypt these files, which is a function of most backup software.

9. Image text analysis

Images can be sensitive data in themselves, plus camera-enabled devices like smartphones make it very easy to capture sensitive data. DLP solutions have the ability to analyse text within images, preventing data exposure.

10. Education

Businesses often assume employees know what information is confidential and what they cannot share. Yet, sometimes a data leak is accidental and can be something as simple as an email to the wrong client. A good security policy is well-defined and easy to understand, helping users perform important functions with reduced risk and increasing the adoption rate of the policy.


How to protect data in end-of-life equipment


Any device where data is downloaded or stored is at risk of being accessed by a third party once it is no longer in your possession. Devices at risk range from the obvious hard disks, right through to printers.

The basic principle is: if data is written it can be retrieved unless it’s encrypted. Therefore, if you’re in an industry where your clients’ data is sensitive (which is to say, every industry), if you can encrypt the data you should always do it. Of course, you need to factor in performance overheads in relation to encryption but that is becoming less of an issue now with the entry of technologies such as solid-state disks and self-encrypting storage arrays. Encrypting data effectively removes a lot of the concerns around the disposal and/or loss of a device.

If you do have to dispose of a device then it is usually best to have it done by a third party specialist data destruction firm. However, you need to be aware that by choosing to outsource this function, you are not outsourcing all responsibility. If a client’s data were to be stolen from one of your disposed machines, it’s your brand that will be tarnished, therefore you have to do your due diligence. Assess the data destruction firm and assess your risks. Do not simply settle for a van turning up to remove the worry.

Once you identify the risks you should have them signed off at partner level and agree on a strategy to apply suitable control to minimise them. If you can follow these steps you can be pretty sure that your clients’ data and your firm’s reputation will remain safe.

Don’t think that PCs are the only source of data that can be unintentionally (or maliciously) disclosed to a third party, though. You should also have security and disposal policies covering the following:

  • PCs, laptops, tablets
  • Mobile phones
  • Printers
  • USB storage devices
  • CDs/DVDs
  • Servers
  • Hard disks
  • Backup tapes
  • Cloud storage

Again, all of these items can be encrypted and, arguably, they all should be if your data could cause your firm or a client embarrassment.

Risk of extortion

Never think that your information is not of interest to a third party. A large proportion of data and security breaches are now focused on blackmail and extortion. Hackers hack for money now, not simply for fun. A hacker doesn’t have to come in over the wire, getting hold of a physical device littered with information will give them extortion material and valuable clues on how to breach network defences at a later date.

Your key considerations

So, what are the key things to consider in relation to ensuring data is destroyed after its useful life? In this article, ‘destruction’ refers to physical destruction (shredding) and ‘wiping’ to cleaning the data off securely, to retain some resale value to the firm or a third party.

1. Control access

As you can imagine, if you leave a pile of hard disks or USB keys in an uncontrolled area, one could go missing, and if this happened it would be open to all of the risks above. When you have set aside equipment for disposal, secure it away from general access.

2. Control / document assets

Make sure your asset lists are up to date so that when you wish to ensure any data is destroyed you don’t miss anything. If you aren’t controlling your assets then you aren’t truly controlling the risks. When you do dispose of an asset, ensure the information is logged, including the device, serial number, how it was sanitised, by whom, when, where it went, etc. If you use a third party, it should provide you with a certificate of destruction.

3. Destroy the data

If you just format or delete the data on a device it’s relatively simple to pull it back. If you want to ensure the data is irretrievable then you can use specialist tools to do so. You can start by looking at tools such as Kroll Ontrack and Blancco if you want to do it yourself. If you want to go belts and braces, encrypt the device storing the data and then run the secure erase tools. You then, of course, need to factor in the time required to undertake this work. It all comes down to how sensitive your data is.

4. Destroy the device

In some circumstances, the data is so sensitive that the entire device should be destroyed, shredded in fact. Generally, you would outsource this, but you can also buy the specialist equipment to do it yourself. Typically memory and hard disks are shredded, and other parts of the device sold on to retrieve precious metals. There are strict environmental guidelines on disposal of equipment so be sure to familiarise yourself with the current regulatory requirements if you do it yourself.

5. Destroy it quickly

Once you have identified equipment to be disposed of or wiped, then do it quickly. The longer devices hang around, the more chance they will fall out of control or go missing. You would typically expect to have a periodic destruction cycle or pick-up if using a third party.

6. Have a process

Ensure you have a documented process for the destruction of data and devices as required. If you don’t have a rigid structure, things can and will slip through. Generally, legal firms can’t risk that happening so controls and processes must be put in place and followed. Failure to follow procedures must have tough disciplinary repercussions.

7. Check third parties

If you are outsourcing the destruction of data and devices to a third party then ensure that you are careful in your choice. There have been press reports of devices turning up on sites like eBay with very sensitive data still on them, even on a printer’s internal flash disks. So, when choosing a service provider, you should be looking for companies with ISO 27001 and ISO 14001 certification as a bare minimum. It also helps if they are certified to destroy MOD equipment, e.g. CESG and MOD approved. The higher-end secure destruction firms will also have equipment they can bring to your premises, or premises you can visit, so that you can witness the destruction of your data devices.

8. Communicate and review

Once you have a process and policies in place in relation to wiping and destruction of data and devices, ensure that they are communicated and clearly understood. Make sure all relevant areas of the company understand their roles. Also, once created, don’t just forget about the policies and processes: review them at least annually. Your assets will change, as will the risks, so ensure that you review them regularly and know what they are.

Security is changing

As we look back over this tiny area of IT security, the case for ISO 27001 is becoming more and more important in law firms. The risk of a security breach of any kind can have serious implications more so now than ever before. ISO 27001 will give a firm a framework to identify all risks and assign appropriate controls to mitigate them. It will also give your firm a continual improvement methodology that will deliver gains year on year. It should also be noted that many clients are now demanding ISO 27001 certification as a standard before instruction.

As a final note, just do remember that your data is of interest to many people. Don’t take risks, or at least don’t take them without informed sign-off from your firm’s partners.

Robert Rutherford, CEO of QuoStar


Why do companies need to control internet access?


How can employees’ internet usage put your business at risk?

1. Security risks

An employee browsing potentially dangerous websites without control can open your business to an array of security risks, such as viruses, trojans, spyware – the list goes on. This is because non-work related websites are a major feed of dangerous exploits into the network. These obviously pose a risk to the individual PC, but we’ve also all seen the news articles about private companies and the public sector being down for days when a nasty virus gets into the network. I’ve seen this myself a few years ago where the whole IT team and the CIO of a company were flying around the world trying to eradicate a virus that was flooding the network and killing communications.

Your risk also grows because uncontrolled internet access allows employees to send information in and out of your organisation without control. This can be intentional, via webmail or web messenger applications, such as MSN Messenger, Yahoo Messenger or Skype, or it can be unintentional, through spyware, phishing or other vulnerabilities.

I see data leakage prevention as one of the biggest reasons to control internet access. I’ve lost count of the number of times I’ve been alerted of a customer’s employee taking a sales database or confidential documents before leaving a company. It is difficult to eliminate the risk entirely, but you can make leaks difficult. This area really falls outside the topic of this blog – if data leakage is a real concern due to the sensitive nature of your data, or your customers’ data, then look into data leakage prevention (DLP) products.

2. Legal liability

If you have copyrighted information, such as software, music, videos, even photos, on your business network, your business could be legally liable for it. Even if an employee downloaded it onto the network without your knowledge or permission, the business, and basically the directors, could be legally liable.

Uncontrolled internet access does, unfortunately, leave the door open to a whole host of legal issues. Creating an ‘Acceptable Use’ policy for your IT will help. An effective Employee Internet Management (EIM) system will take that further and go a long way to controlling the issue.

3. Waste of bandwidth

Your internet connections are typically the main artery for your business, the main communication line between your business, its customers, and its suppliers. If your employees are downloading non-work related files, listening to music or watching the news then you’ll be paying for that. What do you do when people say that internet browsing is slow? You typically put your hand in your pocket to ‘upgrade the line’.

I can tell you that in at least 70% of cases that I come across when people tell me they need to upgrade connectivity (internet or WAN connections) they actually don’t. They just need to route, control and shape the traffic on their networks more efficiently.

4. Reduced productivity

Your employees browsing the internet during work time costs your business money. The average employee spends 15 minutes of time browsing the internet during working time (excluding breaks) for non-business related purposes. This may not seem much, but that’s 10 hours a day for a company with 40 computer-based employees.

You may say that 15 minutes a day, on top of breaks and lunchtimes, is acceptable, and that’s fine. However that’s an average, and I’ve pulled reports showing some users wasting an hour or more a day on non-work-related internet activity.

If you just say that your employees are all on the minimum wage then it’s costing well over £1,000 per week just on browsing time alone for a 40 user organisation, without taking into account loss of productivity thus loss of potential earnings. The potential for a return on your investment in an employee internet management system should be clear from the start.

It’s not about being Big Brother and locking everything down. Why not quota your employees’ internet access for some non-work-related sites, or maybe just allow them access during lunch? This can be managed with virtually all Employee Internet Management systems. If you don’t want people using work machines for non-work related tasks then I suggest that you allow access to dedicated ‘internet workstations’ that staff can use, perhaps to book a holiday or to check their bank balance. These workstations can be given their own internet connection or they can be secured from the main company network – most firewalls/networks can do this.

What about social media?

Should Twitter, Facebook and LinkedIn be restricted?

Facebook, Instagram and Twitter? Are these really of any use to an organisation? There will always be exceptions to the rule, but generally, I don’t see why anyone needs access during work hours. You probably wouldn’t be too happy about the whole company sitting on their desk phones chatting to their mates in the day, so why should they do the same through your IT systems?

I was asked if LinkedIn was a security risk the other day, and I guess the question more or less applies to all social media. It does tend to fall under the control of the IT security department, in terms of EIM, as it ‘can be’ classed a productivity killer. It is often bundled into the social media categories with Facebook, Twitter, etc. Is it a risk itself to security? Not directly. You could, however, argue the social engineering card, but that could be done in other ways and you are straying into paranoia territory. There are always exceptions but generally, it’s safe in my opinion.

It all sounds pretty negative but it’s not something to panic about. I do however believe it’s worth thinking about the issues and looking at some sort of control. There are a vast array of Employee Internet Management systems on the market, some more effective, some cheaper and some more expensive than others. The ROI is usually pretty easy to measure and all vendors should offer a free trial to help you gauge the issues within your environment. I should note that I’ve seen Employee Internet Management systems pay for themselves within month 1.

Here’s a list of some EIM vendors

Many vendors now also offer cloud-based services, so you don’t have to purchase hardware and software to install on your own network. Again, your business and its operations will determine if cloud is the right solution. Typically, you’ll probably lose some level of functionality/control with the vendor-run cloud-based services compared with internal hardware/software solutions.

If you want to look at implementing some controls then speak to your IT provider or seek expert advice. All the solutions vary and although most solutions will control Internet access some solutions will be better than others. Fitting the right solution depends on your business and its operations.

And remember, it’s not all about the technology. Changing employees’ internet access is a contentious issue and could lead to some unhappy people if not managed correctly. I’d suggest that you explain that the main driver for control is IT security – because it is.