10 Stupid Moves That Threaten Your Company's Security - InformationWeek

Comments
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
1/26/2016 | 5:22:13 AM
Even Password Management tools can cause problems.
I was reading about the latest LastPass (Password Management Utility) Vulnerability and was left literally shaking my head about it.

It's about time we moved away from single-authentication systems and moved towards multi-factor authentication systems (which should be structured and set up independently of each other).

Fingerprint scanning, iris scanning or retina scanning (in addition to further hardware-level checks) can help enormously in this space.

It's about time we made this mandatory for any (and every) transaction online.
Broadway0474
50%
50%
Broadway0474,
User Rank: Ninja
1/26/2016 | 8:43:59 AM
Re: Even Password Management tools can cause problems.
Right, Ashu. I think it's time we stop blaming the employees and focus on better tech and better training. If so many companies are training employees about cyber risk, and if it worked, you would be seeing the results. In other words, the training is not working.
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
1/26/2016 | 9:26:19 AM
Re: Even Password Management tools can cause problems.
Broadway,

Frankly speaking, there is a limit to how much you can train employees today (yes, it's true).

I'd rather provide them with better and easier-to-use tools which achieve the job, which is providing users with better security protections.

They are all like: "Show me something simple and easy and I will do it."

"I don't want to think about how it works. Just make it work, and work securely, for me!"

In such a scenario, multi-factor authentication tools work better than simple tools to achieve the genuine authentication needs of enterprise users today.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Author
1/26/2016 | 11:26:29 AM
Re: Even Password Management tools can cause problems.
It is axiomatic that if your security interferes too much with your accessibility (i.e., your ability to "just make it work"), then your users/employees will resent your security measures and try to undermine them and find ways around them.

Good security isn't just having a big lock.  It's also having a lock that people WANT to use and WILL use.  The lock does no good if it's so burdensome to use that people would rather just leave it unused and collecting dust.

Case in point: Policies that make you change your password every three months (if not more frequently).  This is how you get passwords like "mypassword1" "mypassword2" "mypassword3" and so on.
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/26/2016 | 1:39:12 PM
Re: Even Password Management tools can cause problems.
@Joe, don't be giving away my system! :-)  Seriously, that is the only thing that works and is manageable. Our email/Active Directory remembers the last 32 password changes, requires a number and either a capital or a special char, and must be 8 chars long. So I cycle a base password from 1 to 32 and then reuse again. What else are you going to do?

Now, even using the system of appending a number to a base word, it is still somewhat secure when combined with disabling the AD account after 5 or 6 guesses. It is a pain in the rear managing that for all users, but I get it: it renders brute force impossible.

Spear phishing renders password complexity a moot point. It doesn't matter how complex it is if you willingly give it up to someone you think is from your "help desk". That's where training comes in and can work.

Then you're only stuck with "you can't fix stupid", people who are so clueless they can't be taught.

I am also a believer in two factor as ultimate solution. What you know and what you have, however you want to implement that. Only pure stupidity defeats that.
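The "base word plus counter" cycling described in the post above, and the "mypassword1/2/3" pattern Joe raised, is exactly what an exact-match password history cannot see. The script below is an added example written for this page (not code from TerryB, Joe or any vendor): it models the quoted policy (8 chars, a digit plus an upper-case or special character, last 32 remembered) with a constructed `Mypassword1..33` sequence, and compares an exact-match history against a stem-aware one that strips the trailing counter before comparing. `HISTORY_KEY` and the policy constants are assumptions, not a real AD configuration.

```python
"""Exact-match password history versus a stem-aware history.

Constructed example. The policy numbers (8 chars, digit + upper/special,
last 32 remembered) are the ones quoted in the thread, not a real AD config.
"""
import hashlib
import hmac
import re
from collections import deque
from typing import List, Tuple

HISTORY_DEPTH = 32   # "remembers the last 32 password changes"
MIN_LENGTH = 8
# Assumption: a per-deployment secret, so the stored history holds keyed hashes, not raw stems
HISTORY_KEY = b"per-deployment-secret-assumption"


def meets_complexity(pw: str) -> bool:
    """The rule as described in the thread: 8+ chars, a digit, and an upper-case or special char."""
    has_digit = any(c.isdigit() for c in pw)
    has_upper_or_special = any(c.isupper() or not c.isalnum() for c in pw)
    return len(pw) >= MIN_LENGTH and has_digit and has_upper_or_special


def stem(pw: str) -> str:
    """Normalise 'base word + counter': case-fold and drop any trailing digits/symbols."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def fingerprint(label: str, value: str) -> str:
    return hmac.new(HISTORY_KEY, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()


class PasswordHistory:
    """Keeps the last HISTORY_DEPTH fingerprints, either exact (AD-style) or stem-aware."""

    def __init__(self, stem_aware: bool) -> None:
        self.stem_aware = stem_aware
        self.seen: deque = deque(maxlen=HISTORY_DEPTH)

    def _fingerprint(self, pw: str) -> str:
        if not self.stem_aware:
            return fingerprint("exact", pw)
        s = stem(pw)
        # Fall back to the whole password when stripping leaves almost nothing (e.g. "Ab123456!" -> "ab")
        return fingerprint("stem", s if len(s) >= 4 else pw)

    def try_change(self, new_pw: str) -> Tuple[bool, str]:
        if not meets_complexity(new_pw):
            return False, "fails complexity rule"
        fp = self._fingerprint(new_pw)
        if fp in self.seen:
            return False, f"reuses one of the last {HISTORY_DEPTH} passwords (or its stem)"
        self.seen.append(fp)
        return True, "accepted"


def counter_sequence(base: str = "Mypassword", n: int = 33) -> List[str]:
    """Mypassword1 .. Mypassword33, then Mypassword1 again once it has aged out of a 32-deep history."""
    return [f"{base}{i}" for i in range(1, n + 1)] + [f"{base}1"]


def count_accepted(candidates: List[str], stem_aware: bool) -> int:
    hist = PasswordHistory(stem_aware)
    return sum(1 for pw in candidates if hist.try_change(pw)[0])


if __name__ == "__main__":
    seq = counter_sequence()
    print("exact-match history accepted:", count_accepted(seq, False), "of", len(seq))  # 34 of 34
    print("stem-aware history accepted: ", count_accepted(seq, True), "of", len(seq))   # 1 of 34
```

The exact-match history waves every entry through, including the wrap-around to `Mypassword1`, because each string differs by a character; the stem-aware check rejects everything after the first one. The usual caveat applies: a history check of either kind only governs what a user can set, and does nothing against a password handed over to a phisher.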
SunitaT0
50%
50%
SunitaT0,
User Rank: Ninja
1/26/2016 | 1:58:19 PM
Re: Even Password Management tools can cause problems.
@TerryB: But what if it indeed is someone from your help desk? My manager had a "code" that would be propagated and changed every week that could be said over the phone to identify who is who. Too bad that didn't work out.
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/26/2016 | 2:26:06 PM
Re: Even Password Management tools can cause problems.
@sunita, everything can fail, but think about it. The help desk would rarely have reason to "cold call" a user to get his password. Usually that is in response to the user entering a ticket. So the probability of a phisher hitting a user when he has an open ticket is incredibly low.

That said, I like your idea of some technique to verify, especially at large companies where you don't know your IT. We are small enough that thankfully that is not a problem.

But if a hacker had enough inside info, knew the help desk person's email and could craft a bogus email appearing to come from that person, most users would fall for that without batting an eye. Heck, I don't see what would stop me from replying if I thought I was talking to one of the guys in Corp land that I know. But I'd like to think email has gotten good enough to stop that kind of spoof, where you could reply to one person and it goes somewhere else. Links in email, yeah, those can go anywhere and you could train against that. But just hitting "Reply"? If so, there really is no defense other than some inside verification, as you suggest. Good point.
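The "just hit Reply and it goes somewhere else" case above is the Reply-To header: a message can show an internal From address while directing replies to an outside mailbox. The following is an added example for this page (not from TerryB or any product) of two header checks a mail gateway or client plug-in can apply: a Reply-To whose domain differs from the From domain, and an external address wearing a help-desk display name. The domain `example.com`, the display-name list and the three sample messages are all constructed for the example.

```python
"""Flag mail whose reply would be diverted, or whose sender impersonates the help desk.

Constructed example; INTERNAL_DOMAINS, IMPERSONATED_NAMES and the sample messages are assumptions.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import List

INTERNAL_DOMAINS = {"example.com"}                         # assumption: the company's own mail domain(s)
IMPERSONATED_NAMES = {"help desk", "helpdesk", "it support"}  # assumption: names phishers borrow


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_redirect_findings(raw_message: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings: List[str] = []

    # 1. A Reply-To that sends the user's reply somewhere other than the visible sender's domain
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_addr) != from_domain:
            findings.append(f"Reply-To {reply_addr} diverts replies away from {from_domain or '<no domain>'}")

    # 2. An external address using an internal-looking display name (lookalike domains land here too)
    if from_domain not in INTERNAL_DOMAINS and from_name.strip().lower() in IMPERSONATED_NAMES:
        findings.append(f"display name '{from_name}' on external address {from_addr}")

    return findings


# Constructed sample messages (not real mail)
LEGIT = """From: Help Desk <helpdesk@example.com>
To: terry@example.com
Subject: Ticket 1234 update

Your ticket has been updated.
"""

REDIRECTED = """From: Help Desk <helpdesk@example.com>
Reply-To: Help Desk <helpdesk@example-it-support.net>
To: terry@example.com
Subject: Password reset required

Reply with your current password so we can verify your account.
"""

LOOKALIKE = """From: Help Desk <helpdesk@examp1e.com>
To: terry@example.com
Subject: Password reset required

Reply with your current password.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("redirected", REDIRECTED), ("lookalike", LOOKALIKE)):
        print(label, "->", reply_redirect_findings(raw) or "clean")
```

These checks catch the header tricks, not a genuinely compromised internal mailbox; that case still comes back to the out-of-band verification Sunita described, since nothing in the headers distinguishes the real help desk account from an attacker logged into it.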
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
1/26/2016 | 2:53:11 PM
Re: Even Password Management tools can cause problems.
TerryB,

Lots of very-very good points here!

I am reminded of a presentation from RiskIQ (on Social Media protections) I recently came across;there they focussed intensely on Defensive Registrations of Social Media accounts as well as Automation of protections and safeguards put in place.

Even there they constantly focussed on keeping your Users as aware/educated as humanly possible.

Just don't expect that to be your first and last line of defense!
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
1/26/2016 | 2:29:28 PM
Re: Even Password Management tools can cause problems.
Sunita,

Yes!

It's quite funny, until it's you who is on the receiving end of the hack!

That, unfortunately, is the ground reality we (in IT security) are facing currently: we have to deal with new and more complex threats with each and every passing day.
Broadway0474
50%
50%
Broadway0474,
User Rank: Ninja
1/26/2016 | 11:25:06 PM
Re: Even Password Management tools can cause problems.
TerryB, I suppose if you have "you can't fix stupid" people on your staff, then maybe you (being a company) deserve what happens to you. Sure, you can argue that every organization has bottom-barrel employees, but should you be giving them access to your system? Maybe give them a pad of paper, not a laptop.
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/27/2016 | 9:54:08 AM
Re: Even Password Management tools can cause problems.
@Broadway, I take it your career is not in HR and you have very little experience working with outside sales people. :-) The skill set for being a good people person and excelling in sales has nothing to do with being tech savvy.  Our business unit is not very big and we have people who stay 30-40 years. Think about teaching your parents good computer security skills. I don't know about you, but I had trouble teaching my Mom how to turn the darn thing on and make sure it had an internet connection. "Stupid" is a relative term the way I'm using it.

And you are way wrong if you think that has anything to do with success. This company has been around since before you were born and has reinvented itself several times since I've been here. We sell globally and our product (brass alloy wire) is in things you use every day. Think about it next time you zip up your jeans; that's just one small place we supply wire for.

To these people, computer security (and computers in general) is just a means to an end, a necessary evil. If you think any of them go to bed worrying about creating a secure password, you need to get more involved in your company's real business, what gets you your paycheck.

Now if you work for a company whose data (financial, medical, etc.) is your business, then your comment is much more relevant. But manufacturing, no. I could give you every bit of IP we have and it would do you no good; you'd have to spend 100 million in capital to set up a facility to earn 5 million in profit every year. Doing that would really make you stupid.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/27/2016 | 7:44:59 PM
Re: Even Password Management tools can cause problems.
But, for sake of argument, could an IP thief not just sell the information for $500k to a competitor with the necessary infrastructure to make that $5mil. in profit no sweat?
nomii
50%
50%
nomii,
User Rank: Ninja
1/28/2016 | 9:41:47 AM
Re: Even Password Management tools can cause problems.

@Joe I agree with you there, but 500K is an amount where most companies will hire professionals to do the job rather than relying on others, as those might keep something to "blackmail" them with later. As everything is fair in love and war. What do you say? Just for the sake of argument.

Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/28/2016 | 12:37:51 PM
Re: Even Password Management tools can cause problems.
@nomii: Ah, see, I'm not an experienced black-hatter, so I don't know these things.  ;)
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/28/2016 | 1:33:39 PM
Re: Even Password Management tools can cause problems.
@nomii, you have to have inside info to even pull off a hack on a mfg company. So hiring a professional would do you no good if they don't know what they are cracking into. In a real scenario, you'd have to buy off an employee (or ex-employee) for core info on the systems employed before you could even craft an attack. Or impersonate a customer to gain physical access to the premises and ask enough questions to get a foothold.

We'd be almost impossible to hack without inside help, and even then it would be a challenge. It takes two factor (SecurID token & VPN client) to even get an IP address on the network. Then you'd need to access Active Directory credentials powerful enough to do anything, to get to secured network files. Then on top of that, our LoB server is an IBM i5 server you'd need to get credentials for also; that's where our process data is. Then you'd need to know enough about the metallurgy and what we do to even know what you wanted to steal.

500K might not be enough to take that challenge. You'd be better off going the route of China and American Superconductor: just buy the guy on the inside with the access to what you want.
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/28/2016 | 10:16:49 AM
Re: Even Password Management tools can cause problems.
@Joe, I get your point, I saw the 60 Minutes episode on American Superconductor and their Chinese affiliate. But that doesn't even apply to us. We have no domestic competition left. Our competitors are in places like Peru and China paying their shop floor $1 an hour against our union $20+ an hour shop floor. We never have the lowest price. So our business is in markets where products aren't easy to make. We build very strong relationships with our business customers; quality and service are what make us successful.

Think about it like this: if you could steal all the philosophy/playbooks of Greg Popovich, could you duplicate the success of the San Antonio Spurs without Duncan, Parker, Ginobilli, etc.?

If our top metallurgist, who holds a PhD, decided to ignore his non-compete and move to Peru or China, that could maybe put a hurt on us someday. But even then it depends on whether their entire culture can match what these guys do here. I was an ERP consultant when I found these guys; if they weren't so impressive (and challenging) compared to every other place I'd been, I'd have never taken the job to run their IT and do their business development/support.

But in the general picture, you are right that industrial espionage is a concern for many businesses. But as the American Superconductor story showed, there's not much you can really do about it.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/30/2016 | 11:03:37 AM
Re: Even Password Management tools can cause problems.
@TerryB: Your tale/experiences remind me of an incident a few years ago when some disgruntled (possibly former...I don't quite recall) Coca-Cola employees stole and offered to sell the secret Coca-Cola recipe to Pepsi.

Pepsi played along -- while immediately contacting Coca-Cola and the FBI.  They all set up a sting to catch and arrest the Coca-Cola IP thieves.

And, of course, it wouldn't really have benefited Pepsi to take the deal in the first place.  There's a terrific economic analysis on why Pepsi buying and somehow leveraging Coca-Cola's formula would have only hurt both companies in the long run -- driving them to RTTB brinksmanship.  The blogger explains it better than I can, and his piece can be read here: freakonomics.com/2006/07/07/how-much-would-pepsi-pay-to-get-cokes-secret-formula/
Broadway0474
50%
50%
Broadway0474,
User Rank: Ninja
1/28/2016 | 11:01:15 PM
Re: Even Password Management tools can cause problems.
Well Terry B, I stand corrected. Next time I zip up my jeans, I will think of all the data that is probably being stolen because of your company's sales and HR staff. I will imagine all sorts of solutions, like forced retirements and maybe building that factory you speak of, but alas, once I am done zipping up, I will stop thinking and caring about it and will move on to my next fleeting thought. Best of luck!
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/29/2016 | 10:00:48 AM
Re: Even Password Management tools can cause problems.
@Broadway, I want to apologize if you misunderstood my zipper comment. That was not intended to be an insult; I was just trying to point out all the boring, mundane places you use our product every day. One of our customers was American Zipper. Not sure anymore; that is an example of easy stuff to make that Peru and China excel in with their low cost.

Two key takeaways from what I was trying to say:

1) Many companies are like us, have no data which is used in bank or identity theft. You get one of our Sales laptops, you might get a list of contacts at our customers containing Name, company address and their work phone number. HR does not have client computers with employee info, all that is server based. So our stupidest employee can't impact your life, period.

2) My main reason for replying to you was trying to figure out how you envisioned a system where you feed every employee you hire through a vetting process to make sure they have high-quality computer security understanding and are immune to every phishing exploit. I'm the only IT guy here and my job is development. You want me to get involved in every hire and give a yay/nay based on whether I think they are tech savvy?

For existing hires, are you suggesting we fire a person who is very good at their core job because they click on link which infects them with malware? Or someone steals their laptop while traveling? If so, what guarantee do we have the next employee can even do their core job, much less be better at security issues?  When you get a good employee at their discipline, you keep them. If you know another world than that, please enlighten me.

This whole article and forum is way off base anyway. There is only one core stupid move that is killing everybody:  Connecting ridiculously insecure client computers (Yeah Windows, I'm talking about you) to the freaking internet to do business. We are sitting here debating password strength issues when clicking on wrong link in email or web site can modify your core o/s to install software to capture your every keystroke and screen image and send it home to the bad guys.

Talk about stupid. We are sitting here debating how to best lock the door when the wall has a freaking hole in it. I spent 15 years working in the pre-internet age, when businesses used servers with dumb terminals and private circuits. We had none of these problems, period. If we knew what we know now, is online banking and POS card purchasing worth it? If so, just how lazy (or stupid) are we as consumers? I'm on my 3rd debit card; someone tried to use the other two on the other side of the world.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/30/2016 | 11:49:47 AM
Re: Even Password Management tools can cause problems.
@TerryB: Incidentally, I was under the impression that YKK manufactured something like 97% of the world's zippers.  Is that figure wrong/no longer correct?
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/30/2016 | 9:45:31 PM
Re: Even Password Management tools can cause problems.
@joe, YKK is a customer. I did not know that about zippers though. That market they are in called Cold Heading. In old days it was big for us, now Peru and China dominate on price. We are big in Batteries (Duracell, Energizer and Rayovac all custs) and ammunition now. Also in photovoltaic but that is tough market.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/31/2016 | 10:34:34 AM
Re: Even Password Management tools can cause problems.
Indeed, after hearing that statistic several years ago, I started paying more attention to my zippers.

Sure enough, they all say "YKK" on them.
Broadway0474
50%
50%
Broadway0474,
User Rank: Ninja
1/31/2016 | 3:03:37 PM
Re: Even Password Management tools can cause problems.
@TerryB, No worries, no offense taken. And I love how you really got to the issue there. It's true --- we are letting Windows off the hook for being such a hole-ridden, easily corruptible OS. It should be a given now that users cannot be trusted. Deal with it.
batye
50%
50%
batye,
User Rank: Ninja
2/3/2016 | 11:30:48 AM
Re: Even Password Management tools can cause problems.
@Broadway0474, with Windows security it's a never-ending upgrade/patch process :)... the sad reality of the IT age... how I see it... :(
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
8/26/2016 | 8:14:56 PM
Re: Even Password Management tools can cause problems.
Hey batye! Long time no see, good to see you, old friend. I agree there's no getting around the never-ending hell that is patches and updates.

Windows 10 is especially nerve-wracking. After my last forced update, the only thing I noticed changed was where the power button was located and of course some new wallpaper.

You know you can never have enough wallpaper.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/27/2016 | 7:43:02 PM
Re: Even Password Management tools can cause problems.
> "So I cycle a base password from 1 to 32 and then reuse again. What else are you going to do?"

Have a more reasonable password policy and more reasonable IT department as a whole?  ;)
SunitaT0
50%
50%
SunitaT0,
User Rank: Ninja
1/26/2016 | 2:06:49 PM
Re: Even Password Management tools can cause problems.
@Joe: Most companies now have various degrees of security. Not just employee verification through biometrics but also tracking how and when they use a particular company resource which is in the form of information.
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
1/26/2016 | 2:57:16 PM
Re: Even Password Management tools can cause problems.
Sunita,

As someone who has had the opportunity to work/train with such systems, including logging systems, I can tell you that eventually most SMBs just ignore most of the alerts they generate (on insider threats), for better or worse.

It seems that there is a limit to how much you can(and can't) Trust your employees.

 
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
1/26/2016 | 3:41:56 PM
Re: Even Password Management tools can cause problems.
Joe,

Brilliant! Just Brilliant way of putting things here!

I couldn't have put it any better than you just did here.

Loved your "mypassword1" ,"mypassword2" touch especially!

Beyond Phenomenal.

LOL!!!

 
SunitaT0
50%
50%
SunitaT0,
User Rank: Ninja
1/26/2016 | 2:12:19 PM
Re: Even Password Management tools can cause problems.
@Broadway: Training can limit human error and callousness but cannot entirely make it extinct. As long as humans exist, so would such slip ups.
SunitaT0
50%
50%
SunitaT0,
User Rank: Ninja
1/26/2016 | 2:14:47 PM
Re: Even Password Management tools can cause problems.
@Ashu: What makes me laugh is when your $200 smartphone has an iris or a fingerprint scanner and not databases or computer information security systems which are worth thousands of dollars.
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
1/26/2016 | 2:46:08 PM
Re: Even Password Management tools can cause problems.
Sunita,

That is a very serious problem, no doubt about that one.

Unfortunately, until we see more and greater education/awareness amongst ordinary consumers (the most expensive smartphone is not necessarily the best), this issue will not be solved.

This is an area where training and education can most definitely help, for sure.
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
1/26/2016 | 5:38:47 AM
How do Government Agency Diktats play out in the whole debate over Encryption?
I was recently reading/reviewing more details on the debate currently on between the FBI (which is batting for encryption with government-approved backdoors) and, ironically, the NSA, which is batting for strong encryption currently: theintercept.com/2016/01/21/nsa-chief-stakes-out-pro-encryption-position-in-contrast-to-fbi

Given the well-known past history of the NSA and especially their track record

theintercept.com/2016/01/04/a-redaction-re-visited-nsa-targeted-the-two-leading-encryption-chips & theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq &

theintercept.com/2015/11/28/snowden-effect-in-action-nsa-authority-to-collect-bulk-phone-metadata-expires &

theintercept.com/2015/12/30/spying-on-congress-and-israel-nsa-cheerleaders-discover-value-of-privacy-only-when-their-own-is-violated

I found it hard to take anything the NSA says at face value. Still, it was interesting to note that various government agencies are not always on the same page here.

I for one won't trust anything any of these Government Goons tell us at face value!
MarkA187
50%
50%
MarkA187,
User Rank: Apprentice
1/26/2016 | 10:22:55 AM
I'd love to share this with the organization but it's too snarky
Calling employees clueless boneheads doesn't help get the message out to the organization. I'd love to share this information, but it's an immediate turn-off to employees and has the exact opposite effect.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/26/2016 | 11:23:38 AM
Backup
Another issue with lazy encryption is failing to encrypt backup systems.  This was one of the big facepalms from the Adobe hack of a couple of years ago, when the operational systems were properly encrypted but the backup systems were not.
SunitaT0
50%
50%
SunitaT0,
User Rank: Ninja
1/26/2016 | 2:10:04 PM
Re: Backup
@Joe: Encryption systems can be bought. Technologies that use multiple and multilevel security keys are more sought after but are costly. Moreover, these encryption systems can only work on some domains and not all, so if some readily bought system hasn't been applied thoroughly to a backup system yet, it probably cannot be.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/28/2016 | 12:36:48 PM
Re: Backup
The important thing about encryption that a lot of laypeople (and even non-laypeople) forget is that if an attacker is successfully able to compromise and/or spoof authentication, then the encryption does no good; it's already unlocked.

Thus the need for multiple layers of security as opposed to M&M security (hard on the outside, soft in the middle).
GaryS396
50%
50%
GaryS396,
User Rank: Apprentice
1/27/2016 | 12:22:01 PM
Most Overlooked Security Flaw
Allowing decommissioned equipment to leave the company's custody without destroying the data first.  I know it sounds simple, but I've come across many companies storing digital media in an unsecured location until an electronic recycler comes to remove it.  On-site shredding is standard for paper documents – litigators would argue the same for digital data such as hard drives.    

Regulators, customers and Wall Street may forgive a company that is hacked.  I don't think the same would be true if the company literally gives the information away.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
1/29/2016 | 8:52:24 AM
Re: Most Overlooked Security Flaw
GaryS: Additionally, many organizations fail to properly and completely destroy data.  "Delete" -- or even reformatting -- does not eliminate all data.  While there are more effective ways to do it "in software", complete physical destruction of the drives is usually the best (and often the only) way.
bjames073
50%
50%
bjames073,
User Rank: Apprentice
1/27/2016 | 2:24:39 PM
Awareness Is Key
One of the keys to successfully reducing, as you put it, bone-headed moves by employees is awareness programs, which are a lot different from training, and the difference is often lost on HR and IT security departments.

I see too often companies with pretty good training programs but little or no awareness programs. It is not enough to train your folks how to operate more safely; for many, a lot of it goes out of mind in a matter of days. A really good awareness program has posters all over the place that are changed frequently, hints and tips on internal web sites, pretty much like ads on commercial sites, email bulletins, and such. All of this to reinforce the training, to keep it in everyone's face.

Info security is frankly not culturally aligned with how big companies operate; they are about making info easy to get at, and people share information pretty freely (politics aside), and they tend to want to be helpful to other employees.

The only way to really tackle the people element is to drill it into the culture and that happens when people are aware and thinking about it. This is a lot harder than it sounds, Info security to most people is only slightly less boring than watching paint dry.
DanH025
50%
50%
DanH025,
User Rank: Apprentice
1/28/2016 | 9:35:40 AM
Security
Companies who take the issue seriously will invest in on-the-job-use-only hardware for their employees. Any business with a BYOD policy has decided they have no intellectual property to protect. The suggestion made in number 3 fails to recognize several factors. 1) The right of the individual with regard to their personal property. 2) An employee may bring devices to the job previously infected with malware. 3) Human nature. By having them BYOD, the employee will naturally apply the same security protocol to company use as they do to personal use.

