Recently, Cisco published a blog post on an interview with a former Anonymous hacker who offered his top security tips for the enterprise. Some of the suggestions were fairly obvious, while others were intuitive and absolutely on point. For example:
#5: Teach your staff about information security
Take note, he didn’t refer to just security staff; he was referring to the entire staff – from the administrative assistants to the most critical of security analysts. In fact, a recent Ipswitch survey shows that even the most stringent security professionals break protocol when it comes to the transfer and collaboration of information. And these folks have tons of acronyms behind their names!
What chance does the layman have? Establishing the groundwork for disseminating corporate information security policies, and for ensuring staff adhere to them, is a concrete set of steps that better protects companies.
There needs to be a general awareness of information security and data handling, along with a clear understanding of the security and risk issues associated with physical media, such as DVDs and memory sticks, and with outside services, like Gmail, which allow employees to ‘easily’ send large files. This combination can be the best deterrent to data breaches.
#6: Teach your staff about social engineering
The use of technology to interact and collaborate – and how that collaboration can involve unknown third parties – is the very reason your staff should have an understanding of social engineering. Let’s face it, anyone can get an e-mail address and register on any social site. Hackers, thieves, con artists, and scammers aren’t the only ones that want access to your personal information.
Employees who use shareware or free cloud services are exposing sensitive information and risking an unintentional data breach. Employees who work from home, on a personal machine late at night or on an unapproved smart phone (at any hour), are the biggest targets for hackers and breaches. How many corporate iPhone users are there anyway?
#13: Keep an eye on what information you are letting out into the public domain
In many cases, all information about major IT purchases and deployments by publicly traded companies is public record. A move to incorporate MySQL databases, a content management system based on open source technology, or even portal technologies can give a hacker everything they need to exploit your system.
Again, this is an issue of determining risk associated with information and mitigating that risk. Laying out your architecture and your infrastructure blueprints for the world to see may not be the best idea for your company…
#14: Use good physical security. What good is all the [security] software if someone could just walk in and take your “secure” system?
Stop everything you’re doing and walk from the front entrance of your office to the mailroom.
Is that door of the mailroom locked? How hard is it to just pick up a backup tape or CD and slip it into a bag? For that matter, how hard is it to just walk into the office without proper credentials? And when you walk into your office, are there secure terminals? Maybe someone in human resources went to the break room for coffee and neglected to lock their computer?
A simple misplaced memory stick or an unsecured PC is a potential recipe for disaster. There is never any excuse for leaving a terminal unsecured in a public or semipublic setting. My rule of thumb: if you can’t leave your purse or wallet open with hundred dollar bills in plain view, you cannot leave your desktop, laptop, smart phone or a terminal unsecured.
All in all, I think the suggestions make sense. Looking at a few of the tips allows you to take a few steps in the mind of a hacker. A few seconds of non-diligence equals a career of regret.