Organizations and the press do a pretty good job of keeping the average person aware of the latest big technology vulnerability or exploit. And yet, we still see some common mistakes people make that could leave them susceptible to being exploited.
How often do you see someone bend over to pick up a penny on the ground, and if it’s “tails-up” they leave it there? USB storage keys have neither heads nor tails, but they can bring you really bad luck. People often pick up these devices and pop them into their computer. These devices can carry various malware and even programs to infiltrate your data or your organization’s network. Some organizations or consultants even leave these lying around to test users’ adherence to security policy. Next time you find a USB key in the parking lot, turn it in to the IT staff or security. Then return to looking for pennies; heads-up only, of course.
Be nice to others. But not too nice.
We often think computer exploits happen from outside of the workplace using black hat techniques and tools. The truth is that many exploits succeed by taking advantage of people being nice. For example, in a busy office space, especially in office buildings, people will often hold doors for people they don’t know. Sometimes the person is carrying something or just rushing, so our good manners kick in and we swipe our passkey and hold the door for them. More than a few customers will tell you this courteousness has led to stolen laptops and exploited data, among other items. Be nice, but not too nice. Make sure the person has a passkey or offer to escort them to a main desk. If they push back, you might want to notify the appropriate people.
Be nice to others. But not too nice. (Part II)
During our security assessments we occasionally engage in social engineering. More often than not we are not only able to gain access to facilities, but we can get individuals to give us access to their computers and accounts. From there we can collect information, create back doors, or even load software which will continue to exploit the environment for us. And in case you think this only happens with non-IT users, think again. It turns out that IT professionals can also be nice.
Bluetooth Headsets and Coffee
Okay, there is nothing inherently wrong with Bluetooth headsets or coffee; however, when they are put together they can be dangerous. This is as low-tech as it gets, but it is reliable and predictable.
For some reason, when you give people with Bluetooth headsets coffee and free Wi-Fi they want to tell the world their business. I have found myself in more than one national coffee chain where people decide to set up their mobile offices. They conduct conference calls, talk to colleagues, and log calls with IT, and along the way they share all types of sensitive information. And they do it all at two to three times the decibel level of a normal human being.
Following one (of many) recent encounters, I got up to leave and gave one of these offenders a piece of paper with his email password, company name, conference call number with password and ID, and a number of other pieces of sensitive data. I could do this almost any day, in any city, while enjoying a croissant and a coffee. So next time you find yourself enjoying the benefits of free Wi-Fi in a crowded space, use a little common sense, and maybe also some common courtesy, by keeping the decibels down and the information secure.
Don’t you like seeing pictures of your friends and colleagues on LinkedIn and Facebook? People looking to gain entry to organizations like them just as much, especially those close-ups where you are wearing your security badge. That way, when they try to recreate it, they can pay attention to all of the fine details. Sounds like a bit of paranoia, but it is not. So next time you post your photo online, use one without your security badge; you look just as fabulous without it.
Clouds. Clouds. And more Clouds.
I like the mix of weather in the northeast, but nowadays all anyone wants to talk about are clouds. First it was public clouds. Then it was private clouds. Now it’s personal clouds. People are storing their information, and their organization’s data, in all sorts of clouds. Some are fine, some are not. And people connect to them anytime, anyplace, from any device with any means of connectivity. They connect using personal hot spots and now Wi-Fi drives; both shareable, of course. We are not going to get into all of the issues with all of these clouds gathering. Let it suffice to say that a little education, along with clear policies, would go a long way to help make these practices a bit safer.
Scott Kitlinski is Director of Global Professional Services at Zensar.