These questions won't take ‘NO’ for an answer!

Every organization follows some security policies and procedures. Often these are checklists for complying with a given standard, and in the race to get certified, organizations miss out on critical yet simple-to-implement security issues. Through this post, I am putting forth some questions. Check whether you can answer ‘YES’ to each of them!

  • Are all the default device user id / passwords changed?

Devices ship with vendor-specific parameters, and very often that includes a vendor-specific default username and password (say user: admin, password: admin). Trying these defaults is one of the first methods attackers, ethical hackers and auditors alike use to gauge your security. Take enough care to change these factory settings and you close off one of the easiest ways your systems can be broken into. Default usernames, passwords, IP addresses, SSIDs, etc.: change them all!

  • Is there a limited pool of IPs that can be assigned?

Imagine a team of ethical hackers sitting inside your organization generating security assessment reports for you, without your knowledge. Or an attacker sitting at a remote location connecting to your Wi-Fi network. Wait! How could they ever connect, even if they know your ‘secret’ keys or whatever? If you keep the pool of assignable IP addresses limited to what your own devices need, the chances that an outsider can obtain an address and join your network are reduced.

  • Are all printers in the organization at public locations?

Taking printouts is the second easiest way of leaking data. If the printer is not located in a secure place, then either A. you can print whatever you wish and promptly walk away with it, or B. you send the print job and, by the time you come to collect the printouts, someone else may already have collected them.

  • Is there a restriction on access of shared drives or folders on employee computers?

Many times you will need to share official files with other users, and the most convenient way is Windows File Sharing. Often users also enable ‘Allow network users to change my files’, which essentially gives read/write permission to any user on the same network. Giving everyone the ability to manipulate data, even in a single folder, can have consequences. Unwanted users might also ‘accidentally’ stumble on the shared directory and find sensitive information.

  • Are all devices in the organization time synchronized?

A major security breach is logged by a firewall at 13:27:22 hrs on Thursday, 2 July 2009, from a particular IP. The IP is traced back to a system. When that system’s logs are checked, they show the breach, but at 7:35:56 hrs on a Tuesday in 2003, and at a completely different time of day at that!

I wonder whether you will be able to take action in such cases. The user may simply claim that his IP was spoofed at the time! I feel it would be helpful to have time synchronization across the organization.
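The firewall-versus-host mismatch described above, as an added example that is not part of the original post: it parses constructed firewall and host log lines (the timestamps, host names and addresses are made up), normalises both to UTC and reports whether the host record falls within a tolerated skew window of the firewall event. The assumed host time zone for a naive timestamp is a parameter, because not knowing it is exactly the problem an unsynchronised clock creates.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not taken from the original post). The firewall
# stamps events in IST (UTC+05:30); the host that owns the source IP writes a
# naive local time, which is the situation the post describes.
FIREWALL_LOG = [
    "2009-07-02T13:27:22+05:30 fw01 DENY src=10.0.5.23 dst=203.0.113.9 dport=445",
]
HOST_LOG_UNSYNCED = [  # clock never set: wrong year, wrong time of day
    "2003-02-11T07:35:56 host-5-23 outbound 203.0.113.9:445",
]
HOST_LOG_SYNCED = [  # same host after NTP sync, 2 s of drift
    "2009-07-02T07:57:24+00:00 host-5-23 outbound 203.0.113.9:445",
]

MAX_SKEW = timedelta(seconds=5)  # tolerated drift between NTP-disciplined clocks


def parse_ts(line: str, default_tz: timezone = timezone.utc) -> datetime:
    """Parse the leading ISO-8601 timestamp and normalise it to UTC.

    A timestamp without an offset is treated as default_tz; having to guess the
    zone of an unsynchronised host is part of the ambiguity the post warns about.
    """
    ts = datetime.fromisoformat(line.split(" ", 1)[0])
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=default_tz)
    return ts.astimezone(timezone.utc)


def clock_skew(fw_line: str, host_line: str,
               host_tz: timezone = timezone.utc) -> timedelta:
    """Absolute difference between a firewall event and the host's own record."""
    return abs(parse_ts(fw_line) - parse_ts(host_line, host_tz))


def correlate(fw_lines, host_lines, host_tz=timezone.utc, max_skew=MAX_SKEW):
    """Pair each firewall event with the host records inside the skew window.

    Returns a list of (fw_line, matching_host_lines); an empty match list means
    the host log can neither corroborate nor refute the firewall entry.
    """
    result = []
    for fw in fw_lines:
        hits = [h for h in host_lines if clock_skew(fw, h, host_tz) <= max_skew]
        result.append((fw, hits))
    return result
```

With the unsynchronised host the skew is over six years and nothing correlates; with the synchronised host the same event matches within 2 seconds.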

  • Are your employees given information on the options and recommended backup cycles for their data?

Backup?? Shouldn’t the IT department be the one concerned with this?! But with diversified projects and departments, how would they know when you accumulate critical data? If the user cannot take the backup himself or herself, at least he or she should inform the responsible IT person so that it gets done. Many companies do have backups scheduled regularly, but there are cases where some really vital data lands on your hard disk in between those runs.

Besides, you are acquainted with Murphy’s Laws, right?!

  • Are new employees informed about their User ID / Passwords in a secure way?

I am too tired to write further. I just wanted to tell you that my brother’s previous company handed over his system username and password printed on a piece of paper at the close of the induction process. His username was Deep and his password was deep1234. 33 new employees and some existing staff were present at the session.

1 comment so far

  1. Gautam on

    The post is quite prudent in today’s day and age, when all of us want to be connected but leave our devices with their preset configuration...
