These are the risks as seen by Timico engineers in their travels around our customer base together with a few of my own real world observations.
This list is not authoritative but it should be insightful and if you are the owner or IT manager of a small or medium sized business then you could do worse than read it. Some of the points, such as updating your virus scanner, might appear to be obvious but believe me they represent real world scenarios.
1. Poor wireless network setup
Do you really want someone sat outside your office using your wireless network and gaining access to your internal servers?
A business needs to set up WPA-PSK or WPA-RADIUS. WEP is simply not good enough, and by attacking a connected WEP client the key can be broken within minutes by a novice.
When WEP keys are broken all traffic on the air can be decrypted, so plaintext authentication to web servers without HTTPS is visible. Even more alarming, is that an attacker can then create their own access point which looks exactly the same as the customers access point, and then tell a client to reconnect. Then any number of man-in-the-middle attacks can be done, including intercepting HTTPS traffic to an online banking site for instance. Users tend to ignore invalid certificate warnings.
2. Default passwords left on devices (switches and routers)
Even my kids know that “admin” and “password” are the logons to try first if you don’t know or have forgotten a username and password. So do the crooks.
3. No security patches applied to external facing servers
These security patches are issued because businesses have had experience of servers being hacked by unfriendly agents.
4. No web or e-mail filtering (content, anti-virus, phishing, and spam)
I was in a queue at the support desk at PC World. In front of me someone was complaining that their PC had ground to a halt. They had so many viruses on it a complete OS reload was required. They had not been using anti-virus software.
Also my wife has anti virus/spam on her PC. Her SPAM is filtered into a separate folder and when I looked recently there were 8,500 SPAM emails in this folder (8 weeks worth!). Her personal email doesn’t go through the Timico Mailsafe service so all mail is delivered and she relies on the PC based anti-SPAM solution to protect her. Many small businesses in particular complain about the amount of SPAM being delivered. If they don’t have a local filter then this SPAM is going to appear in their inbox. SPAM filtering is therefore a massive productivity tool. It stops you having to delete the unwanted mails yourself.
5. Anti-virus not updating.
You probably haven’t updated your subscription.
6. Upset employees causing damage
Whilst there isn’t much you can do about this you can take steps to mitigate against potential problems – access lists for key network elements and password changes when someone leaves the business.
7. Laptop being stolen with no disk encryption
Witness the high profile cases there have been in the UK this year: loss of social security data of millions of people, bank account personal details, national security/military related information. Big potatoes compared to your own company data but do you really want lose a laptop with all your customer contact details on it.
8. Poor firewall rules setup
If you don’t tie down your firewall to allow your very specific traffic i/o requirements then it can be easy for your network to be compromised without you knowing anything about it. Note it is a good idea to have firewalls on workstations configured to reduce risk of data theft in the event of a network breach. Regular security auditing is also a good idea if the resources are available. Servers should have firewalls configured to prevent external access to non-public services such as remote desktop or ssh. A secure VPN connection to the internal network should be established first by remote workers before using such services.
9. Poor VPN security
Old clients using out of date protocols and short and easy to guess passwords are typical issues here. The use of security tokens is recommended for authenticating to privileged networks remotely.
10. Poor or no password policy
For example, users never having to change their password. It is a pain in the neck to have to change a password regularly, especially when people today have many accounts that are password protected. However changing important passwords on a regular basis is an essential security mechanism. Also who do you trust with your passwords?