Top 10 Gotchas for Cyber Security

The internet has revolutionised how many businesses operate, and how we live our lives. With over 2 billion users it is also a battleground for cyber security experts and hackers. Protecting key information is often critical to the survivability and competitiveness of businesses today.


Cyber security is also a hot topic at the moment, with the government pitching in with adverts warning us to use stronger passwords; but there are also some very common mistakes we see IT technicians making all the time. Here's our list of the top 10 security gotchas.

1. Port forward 3389.

Are you able to log in to your server remotely this way? Restricting access at the firewall by IP address is not good enough, as IP addresses can be spoofed and your details could be "sniffed". This is called a man in the middle attack. It is such a common issue, seen all the time: poor practice creates loopholes!

2. Sharing passwords across clients.

The chances are that the companies which do this will also proudly list some of their clients on their website. Therefore an enterprising person could gain access to some or all of said companies' clients. The worst culprits seem to be website "designers".

3. Installing 3rd party browsers (like Chrome or Firefox) on to a server, and/or disabling Internet Explorer's Protected Mode.

Why would an admin do this? Because it’s difficult to browse from a server otherwise. IT technicians should instead connect to a workstation, browse from there and if needed download files to a shared folder.

4. Poor physical security.

If I can touch your server I can take everything you have. This is quite a remote possibility for most people, but for businesses in highly competitive markets and with valuable Intellectual Property it can be an all too easy mistake to make. For example, we have noted that it is usually very easy to get into "secure" premises by saying "I'm here to fix the computers"; people tend to just trust you!

5. Creating/not noticing SQL injection vulnerabilities.

These are unfortunately all too common given that they can be easily avoided. One of the most notable cases was the SQL Slammer worm of 2003, which successfully infected ~75,000 machines within 10 minutes of deployment. An amusing yet simple example of SQL injection is the tale of Little Bobby Tables. His mother, being the caring sort we all know and love, decided to christen her son "Robert'); DROP TABLE Students;", which, when typed into the school database (as part of standard data entry, probably done by an unwitting intern), erased a year's worth of student data. Obviously they should have sanitised their database inputs! (XKCD)

Primary Defences:

  1. Use of Prepared Statements (Parameterized Queries)
  2. Use of Stored Procedures
  3. Escaping all User Supplied Input – Probably the best method!
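The Bobby Tables scenario above, as an added example that is not part of the original post: one function pastes the name straight into the SQL text (the gotcha), the other uses a prepared statement, the first of the primary defences listed. It uses Python's built-in sqlite3 module against an in-memory database, and the table name, schema and the `add_student_*` helper names are assumptions made for this example.

```python
from __future__ import annotations

import sqlite3

# Constructed sample input: the "Little Bobby Tables" name from the passage.
BOBBY_TABLES = "Robert'); DROP TABLE Students;"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with a Students table and one existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def add_student_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    """The gotcha: user input spliced into the SQL text.

    executescript() runs every statement in the string, so a name containing
    "'); DROP TABLE ..." is executed as two statements.  The ')" left over
    from the original template is a syntax error, but by the time SQLite
    reports it the INSERT and the DROP have already run.
    """
    sql = f"INSERT INTO Students (name) VALUES ('{name}')"
    try:
        conn.executescript(sql)
    except sqlite3.Error:
        pass  # the damage is done whether or not the leftover fragment parses


def add_student_safe(conn: sqlite3.Connection, name: str) -> None:
    """Prepared statement: the value travels separately from the SQL, so the
    name is stored as data and is never parsed as part of a command."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def student_names(conn: sqlite3.Connection) -> list[str]:
    """All stored names in insertion order."""
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


def demo() -> tuple[bool, list[str]]:
    """Returns (did the table survive the vulnerable insert?,
    names stored after the parameterised insert)."""
    vuln = fresh_db()
    add_student_vulnerable(vuln, BOBBY_TABLES)
    survived = table_exists(vuln, "Students")

    safe = fresh_db()
    add_student_safe(safe, BOBBY_TABLES)
    return survived, student_names(safe)


if __name__ == "__main__":
    survived, names = demo()
    print("Students table survived the vulnerable insert:", survived)
    print("Rows after the parameterised insert:", names)
```

The parameterised version stores the whole string, quote and semicolon included, as an ordinary name; the only change needed was to stop building SQL with string formatting.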

6. SSL Issues

SSL certificate expiry happens to the best of us (well, not us, but some very big companies like Google in the case of their Gmail service). It can be very embarrassing when clients can't access your website or their email, and potentially damaging to your reputation when they are told it is not a trusted domain. To ensure it doesn't happen, make sure you receive the renewal reminders from your certificate issuer, and that these go to a shared inbox where designated people can act on them.
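Issuer reminders are only as reliable as the inbox they land in, so a small expiry check of your own is a useful second line. The following is an added example, not code from the original post: it uses only Python's standard library, reads the `notAfter` field in the format that `SSLSocket.getpeercert()` returns, and classifies a certificate as OK, WARN or EXPIRED. The sample certificate dictionary, its hostname and dates are constructed for this example; `fetch_peer_cert` is the live variant for use against a real host.

```python
import datetime as dt
import socket
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert();
# the hostname, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 15 12:00:00 2024 GMT",
}


def days_until_expiry(cert: dict, now: dt.datetime) -> float:
    """Days between `now` (timezone-aware, UTC) and the certificate's notAfter."""
    expires_at = dt.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=dt.timezone.utc
    )
    return (expires_at - now).total_seconds() / 86400


def expiry_status(cert: dict, now: dt.datetime, warn_days: int = 30) -> str:
    """'EXPIRED' once notAfter has passed, 'WARN' inside the renewal window, else 'OK'."""
    remaining = days_until_expiry(cert, now)
    if remaining <= 0:
        return "EXPIRED"
    if remaining <= warn_days:
        return "WARN"
    return "OK"


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: connect with a verifying TLS context and return the peer cert.

    The default context verifies the chain and hostname, so an already-expired
    or untrusted certificate raises ssl.SSLCertVerificationError here, which
    is itself the alert you want.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    now = dt.datetime.now(dt.timezone.utc)
    for host in sys.argv[1:]:
        print(host, expiry_status(fetch_peer_cert(host), now))
```

Run it from a scheduled job with the hostnames you care about and route anything other than OK to the shared inbox mentioned above; a 30-day warning window leaves time to renew before the issuer's own reminders become urgent.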

7. Automated Patches

Windows Server Update Services (WSUS): if not configured properly, WSUS delivers updates over plain HTTP rather than encrypted HTTPS. Hackers could use low-privileged access to set up fake updates. These updates could download a Trojan or other kind of malware, allowing the hacker some access to your server.

8. Sensitive data exposure

A good developer should be very aware of security; sadly, many developers are not. We had a situation like this when we took on a charity who had a lot of work done for them pro bono. We always say that you get what you pay for, and in this case that really rang true. The (very) sensitive data was not encrypted, nor was access to the data. Anyone working at the web hosting company had access to the data, we had access to the data, the data could have been sniffed, and so on. Whilst we can be trusted, we shouldn't have access, and Joe Bloggs is definitely a security threat.

9. Not applying fixes/updates

A lot of SMEs look after their own IT until it becomes too complicated for them to manage, and only then (out of necessity) bring someone in. I can't count the number of times I have gone in to scope out a system and found a bazillion updates waiting to be applied. When asked why they have not applied them, the answer is usually "oh, that's what that thing is flashing at me for". In larger companies updates should be scheduled and run from the server (mostly to save on bandwidth, and in some cases to control which updates are installed). Remote devices that can't be fully controlled should, as a bare minimum, be capable of being locked and wiped. We have seen instances where this is not happening correctly and have suggested using a tool like Intune.

10. Poor practice

The "if it is not broken, don't go looking for issues" mentality. With all of the above to deal with, one would assume that an IT technician needs to keep on the lookout for vulnerabilities, but you know what they say about assumptions.
