Recent computer security issues in the news should be a wake-up call for those that are in IT and management. Laziness, circumvention of security techniques and general carelessness have made it easier for hackers to get access to data that they really shouldn’t have.
As most security experts will tell you, if someone really wants to get into your network and they have the time and resources, they will get in. But hackers are human and that means they are going to go for those attacks that give them the most bang for their buck. Specifically, hackers are going for the low hanging fruit, that data which is easiest to compromise.
Let’s take example number one. Shortly before Thanksgiving, CNN (http://money.cnn.com/2014/11/20/technology/security/hacked-web-cameras-russia/index.html?iid=HP_LN) and others reported on a website in Russia that was streaming live video from home, hospitals and other locations. According to the website, none of the cameras were hacked, instead they were merely logged into using default usernames and passwords that come with the cameras.
Not changing default passwords on cameras, routers, servers and other devices is a big no-no, but unfortunately we see it too often. To hear that it happened at a medical institution is alarming to say the least, if it is true. Manuals and other sources of device help are published on-line which means that anyone who can search in Google can find these passwords. To make matters worse in this case, the hackers also published the GPS coordinates of each camera. A rather simple task when you know the IP address of the device.
Another example comes from the Sony hack. The Sony hack provided a perfect example of circumvention of controls. On the Sony network there were numerous documents containing confidential, personal or other protected information. A lot of these documents were password protected. Password protecting sensitive documents is a great way to aid in data security protection in the event that it gets leaked. However, in this case, individuals renamed the password protected documents to include the passwords in the filename. Queue up the IT security team giving a collective facepalm. In this case, protecting company data could have been easily accomplished by using more caution with login information.
I’m sure that most of you are reading this saying “wow, I’m glad it is not me.” Whether you are in management or IT, I think it would shock you to hear that it could very well be you. I’ve dealt with a few recent engagements where there was an incredible disconnect between what one person thought was going on with the IT department and what was really happening. Crucial backups not taking place, password policies being circumvented, highly secret company data being nonchalantly copied by employees onto unencrypted drives and brought home. It happens all the time and it is very likely happening in some fashion at your office.
Are the misdeeds taking place at your office as bad as what is described above? Wouldn’t you like to know about data hacking?
How can you find out? Something as simple as an IT assessment can uncover all sorts of shortcomings in a company IT department. But instead of being afraid of an audit and trying to scare you with what can be found, how about this? Wouldn’t you like to crack open a nice beer and kick back when you find out that your IT department is in order and has been verified by an outside entity? Audits are not just for finding what is wrong, they are also for performing due diligence and being able to report to management, board of directors, investors and other stake holders that your house is in order.
Make your New Year’s resolution to get digital data security protection and contact Vestige for an IT audit and start 2015 off on the right foot. You’ll be happy you chose Vestige for computer forensic services.
by Greg Kelley, EnCE, DFCP, Chief Technology Officer
Vestige Digital Investigations
For more information CONTACT US