USB Policy

by msecadm4921

Almost half of people would take useful information and data with them to their next job; so claims research by Check Point Software Technologies.

It is unlikely that anyone would stop them as three quarters of companies, based on the recent survey, have no security in place to prevent information going out the door! Some 85 per cent of employees admitted that they could easily download competitive information and take it with them to their next job, in spite of 74pc of these companies having a policy that specifically states that company personnel are not allowed to take company information out of the office. These findings come out of a survey by Check Point into “staff and data security” carried out among 200 senior IT professionals.

UK employees are not quite as trustworthy as their Scandinavian counterparts: the same survey was conducted in the Nordic region and found that, although most Nordic employees could download data from their current employer, just 32pc would go on to use this information for competitive advantage in their next job.

Laptops are old hat – USB Sticks on a key ring rule!

Eighty-one per cent of people take files from work to use at home, with the majority dumping their laptops in favour of USB sticks as the preferred method to store data, as it’s far more convenient, cheap and easy. Thirty-three per cent store work data on their USB stick, versus 14pc who now use a laptop.

The huge demand for people to use USB sticks creates a real security headache for most companies as it’s difficult to keep tabs on them because they are so small and go unnoticed. They are also far easier to lose in transit – making them a likely target for opportunists who may find them very valuable assets to trade with competitors or use to blackmail the company into keeping quiet about the fact that they lost valuable or sensitive information without protecting it.

What they say

Martin Allen, a spokesman for Check Point, said: “USB sticks are now more popular than ever, with everyone from children up to the CEO now travelling around with data on their USB sticks. Many can now carry 16 gigabytes around with them in their pockets which compares with 640 reams of paper in your pocket. At this estimation it’s not surprising they can become a serious security risk. Companies spend millions on their security and just forget about the fact that millions of pounds worth of valuable data is “going walk about” on people’s key rings and a great deal are very happy to download information to take with them to their next job. Without being too draconian our advice is to lock down computers with vital information and make sure you centrally control USB sticks by supplying them to your staff with mandatory encryption in place. That way they can freely use them keeping the data safe at all times.”

Advice on how to go about rolling out a mobile security policy to secure vital company data:

1 Educate your staff so that they are aware of the security and legal implications of downloading sensitive or competitive information.

2 Include the management of all mobile devices in your security policy.

3 Specify that all staff members have to sign your security policy, to ensure that they will not download sensitive or competitive information or take it to their next job, and make sure you have the appropriate software in place to enforce the policy.

4 If you have sensitive information you do not want downloaded, then block end-points on computers with efficient and cost-effective software.

5 Ensure that all USB sticks that are connected are encrypted.

6 Use encryption software that does not impair the use of the device and make sure that employees cannot by-pass the encryption – it therefore needs to be transparent to the user, quick and easy to use.

7 Remember security is a two-way process – you need to have your staff on your side, so complement sensible, workable policies with centrally controlled security technology combined with trust, education and understanding.

Your IT work colleagues may be snooping at confidential information such as your private files, wage data, personal emails, and HR background, by using the administrative passwords that give IT workers privileged and anonymous access to virtually any IT system. So a survey claims. One IT administrator laughed out loud as he answered the survey, saying: “Why does it surprise you that so many of us snoop around your files, wouldn’t you if you had secret access to anything you can get your hands on!” These are the findings of a survey by Cyber-Ark Software, carried out during April’s Infosecurity exhibition in London, visited by IT and information security people. Some 15pc of companies interviewed reported insider sabotage, which is not surprising, according to the IT firm, considering that more than one-third of IT staff report using administrative passwords to snoop around corporate systems.

As if that weren’t bad enough, the survey found that more than one-third of IT professionals admit they could still access their company’s network once they’d left their current job, with no one to stop them.

More than 200 IT professionals participated in the survey with many revealing that although it wasn’t corporate policy to allow IT workers to access systems after termination, still over one-quarter of respondents knew of another IT staff member who still had access to sensitive networks even though they’d left the company long ago.

Post-It Notes

It seems that very little changes year over year – more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently. What’s shocking about this year’s annual survey was that the 50pc number now applies to IT professionals as well! More than half of respondents admitted to using Post-It notes to store administrative passwords, the super-powerful codes pre-built into every system, such as the Administrator ID on your local workstation.

As one IT administrator explained: “Sure, it’s easy for an employee to update the personal password to their laptop, but to change the Administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down.” And where do they write it? A Post-It note.

Administrative passwords

One-fifth of all organisations admitted that they rarely changed their administrative passwords, with 7pc saying they NEVER change administrative passwords. This may explain why one-third of all people questioned would still have access to their network even if they’d left the company. Eight per cent of IT professionals revealed that the manufacturer’s default admin password on critical systems had never been changed, which remains the most common way for hackers to break into corporate networks.

Gary McKinnon, who has been named as the “most profligate military hacker of all time” (and is still waiting to be extradited to the US) for gaining entry to 90 computers at the US Department of Defense by scanning the US military computer systems for blank administrator accounts, says: “The easiest way to infiltrate a company’s network is to look for administrative passwords which are left blank, still have the manufacturer’s default password or just use obvious names. Once you find these, which are unbelievably simple and common to find, you’re into the system and have the highest level of authority – bingo you’ve got control of the company’s system.”

Passwords insecure

The survey also shows that the majority of companies mismanage the storage of administrative passwords by keeping them in unsecured locations and hence not controlling access to these critical codes. Some 57pc of companies store their administrative passwords manually, 18pc store them in an Excel spreadsheet (which are notoriously insecure and easy to access), and 82pc of IT professionals store them in their heads – hindering security efforts, business continuity, as well as the auditing, controlling and managing of passwords. In the event that the keeper of these critical administrative passwords is unavailable or loses the location of the passwords, it can cause massive disruption and hours of lost productivity.

In other words, don’t throw out any Post-It notes lying around the IT department… you may never get into your workstation again!

Insider sabotage

Such snooping can turn ugly when IT workers feel disgruntled or aggrieved, especially after they’ve been fired. According to a recent study by Carnegie Mellon University, the most common insider attack is by a disgruntled IT employee using anonymous access from a privileged account.

Calum Macleod – European Director for Cyber-Ark said: “It’s surprising to find out how rife snooping is in the workplace. Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information. Now all you need to have is the administrative password and you can snoop around most places, and it appears that is EXACTLY what’s happening. Companies need to wake up to the fact that if they don’t introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife!” http://www.cyber-ark.com/

© 2024 Professional Security Magazine. All rights reserved.
