3 tips for a quieter Christmas than Sony

Sony got breached.

Data was leaked; lawyers’ letters were written; a movie was withdrawn; lawsuits were announced.

We all know what happened; yet we do not.

As we suggested on Naked Security:

Breaches of this scale, on a network of this size, with as much data as was lying around: they're almost guaranteed to be the Never-Ending Story, aren't they?

The FBI blamed North Korea.

North Korea blamed someone, anyone else.

Even Dr Evil weighed into the debate, on US comedy staple Saturday Night Live.

So we thought we’d revisit the Sony story from a different angle.

We’re going to help you to answer the question, “What can I do so that, when my users return from vacation, I reduce the chance of a ‘Sony moment’ all of my own?”

Here are our three tips.

Each one goes against convenience just a little bit, we admit.

Nevertheless, we think you can put all of them into practice without making any troublesome changes to your company policy or workflow.

Tip 1. Segregate your networks.

The word “internet” was introduced as a special term to describe interconnected networks, because that used to be an exciting (and comparatively rare) way to work.

What we know now as the internet was originally a grandiose proper noun, Internet, a network of internets.

Even interconnected networks, for example on a campus or between company offices, weren’t always connected anywhere else, not only because of cost, but also because of security concerns.

But today, most companies are implicitly connected to everywhere else, thanks to the internet – a word that these days neither needs, nor gets, a capital letter.

Ironically, many companies still use firewalls only to segregate their own interconnected networks from the rest of the internet, dividing “inside” from “outside.”

But by further splitting up your own internal networks, you can greatly reduce the risk that a breach in one part of the network will spread to the rest.

For example, your payment terminals and cash registers don’t need to be able to see, or to be seen by, your development and testing network.

Similarly, the servers on which HR store personal details about employees don’t need to be visible to everyone in the company, let alone potentially visible to everyone in the world.

Divide and conquer is a little more work to set up, and a little less convenient for users, at least for users who have become accustomed to accessing almost anything, any time.

But even if you start out by “segregating” your network with internal firewalls that still allow all or most traffic to travel freely, you have the network equivalent of the watertight doors in a submarine that you can close quickly in the event of an emergency.
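One way to write Tip 1 down as configuration, as an added example that is not from the original article: a short Python script that turns a list of segments and the handful of inter-segment connections you actually need into an nftables forward policy. The segment names, the interface names (vlan10 and so on) and the three permitted flows are assumptions chosen to match the examples above; the “doors open” mode renders the same rules with the catch-all set to log-and-accept instead of drop, which is the watertight-door starting posture described in the paragraph above.

```python
"""Render an nftables forward policy from a list of segments and allowed flows.

Added example, not code from the original article. Segment names, the
interfaces that carry them and the permitted flows are assumptions chosen
to match the article's examples (payment terminals, development/testing,
HR servers); replace them with your own before loading with `nft -f`.
"""
from dataclasses import dataclass

# Segment -> interface on the internal firewall/router (assumed names).
SEGMENTS = {
    "pos": "vlan10",         # payment terminals and cash registers
    "dev": "vlan20",         # development and testing
    "hr-servers": "vlan30",  # servers holding employees' personal details
    "hr-staff": "vlan31",    # the people who genuinely need those servers
    "office": "vlan40",      # everyone else
}


@dataclass(frozen=True)
class Flow:
    src: str    # source segment
    dst: str    # destination segment
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Every inter-segment connection that may be *started*. Nothing else is;
# replies to these connections are admitted by conntrack state instead.
ALLOWED = [
    Flow("hr-staff", "hr-servers", "tcp", 445),   # HR staff to the HR file server
    Flow("office", "hr-servers", "tcp", 443),     # self-service web portal (assumed)
    Flow("pos", "office", "tcp", 8443),           # POS reporting endpoint (assumed)
]


def allows(policy, src, dst, proto, port):
    """Would the rendered ruleset let a new src->dst connection through?"""
    return Flow(src, dst, proto, port) in policy


def render(policy, doors_open=False):
    """Emit an nftables ruleset for `policy`.

    doors_open=False: default deny, only the listed flows may start.
    doors_open=True:  the article's "watertight doors" starting posture;
                      unlisted crossings are logged and let through so you
                      can see what would break before you close the door.
    """
    for f in policy:
        if f.src not in SEGMENTS or f.dst not in SEGMENTS:
            raise ValueError(f"unknown segment in {f}")
    out = [
        "table inet segments {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for f in policy:
        out.append(f'        iifname "{SEGMENTS[f.src]}" oifname "{SEGMENTS[f.dst]}" '
                   f"{f.proto} dport {f.port} ct state new accept")
    # Everything below is a crossing nobody asked for: log it (rate-limited)...
    out.append('        limit rate 5/second log prefix "segment-crossing: "')
    # ...then the door itself: one word decides whether it gets through.
    out.append("        counter " + ("accept" if doors_open else "drop"))
    out += ["    }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render(ALLOWED, doors_open=True))   # start here and watch the log...
    print(render(ALLOWED))                    # ...then load this one
```

The log lines tagged `segment-crossing:` during the open-door period are your to-do list: each flow either gets added to ALLOWED or gets cut off when you switch the last rule from `counter accept` to `counter drop`. Nothing else in the ruleset changes between the two postures.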

Tip 2. Revisit file and account permissions.

We’ll assume that you no longer allow any of your users, not even your administrators, to run with administrator privileges, unless they are performing administrative tasks.

(Reading email and browsing the internet are not administrative tasks.)

Giving everyone on the network administrative rights is a bit like giving everybody who attends a concert an Access All Areas pass, or saying that anyone who happens to pass through your warehouse is welcome to hop on a forklift and drive themselves around to save time.

But even in networks where users are not administrators by default, you will often find access controls that are geared entirely towards convenience, and not at all towards security.

Indeed, the terms “network share” and “shared drive,” which we learned from Windows some 20 years ago, are still in widespread use, and they still often refer to common resources from which anyone can read, and to which everyone can write.

Let ransomware like CryptoLocker remind you why this is a bad idea: it encrypts every file the infected user can write to, shared drives included, so if everyone can write to everyone’s files, sooner or later one infected user will cause havoc across the whole company.

Things get even worse if you get infected with a self-spreading virus: malware that copies itself into every location it can write to.

Shared drives are a fantastic vehicle for viruses to replicate inside your network without relying on vulnerabilities, exploits, poisoned attachments or hacked web pages.
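A way to put numbers on that, as an added example rather than anything from the original article: a Python script that reads the output of Windows’ own `icacls` command and reports every share where a catch-all group (Everyone, Authenticated Users, Users, Domain Users) can write, with broad read access reported as a second tier. The sample output it ships with is constructed, with made-up server, share and domain names, so it runs offline; point it at real `icacls \\server\share` output to audit your own.

```python
"""Flag shares that catch-all groups can write to (or read), from icacls output.

Added example, not code from the original article. Feed it the text of
    icacls \\server\share
for each share you care about. The SAMPLE below is constructed, with made-up
server, share and domain names, so the script runs offline.
"""
import re

# icacls' own abbreviations. Any of these lets the holder change or destroy data...
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DE", "DC", "WDAC", "WO"}
# ...and any of these lets them read it.
READ_RIGHTS = {"F", "M", "RX", "R", "RD", "REA", "RA"}

# Groups that amount to "everybody", by name or well-known SID (icacls prints *S-...).
BROAD = {"everyone", "authenticated users", "users", "domain users",
         "domain computers", "*s-1-1-0", "*s-1-5-11"}

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)\s*$")


def parse_ace(text):
    r"""'BUILTIN\Users:(OI)(CI)(RX)' -> ('BUILTIN\Users', ['OI', 'CI'], {'RX'})."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an icacls ACE: {text!r}")
    groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
    flags, rights = groups[:-1], set(groups[-1].split(","))   # rights are always last
    return m.group("who"), flags, rights


def parse_icacls(output):
    """Return {path: [(principal, flags, rights), ...]}.

    icacls prints the first ACE on the path's own line and indents the rest
    to the same column, so the indentation of the second line tells us where
    the path ends. A path with a single ACE gives no such hint; there we
    assume the principal contains no spaces.
    """
    lines = [ln for ln in output.splitlines()
             if ln.strip() and not ln.startswith(("Successfully", "Failed"))]
    acls, path = {}, None
    for line, nxt in zip(lines, lines[1:] + [""]):
        if line[0].isspace():                        # continuation: another ACE for `path`
            if path is None:
                raise ValueError("ACE before any path")
            acls[path].append(parse_ace(line))
            continue
        if nxt[:1].isspace():
            cut = len(nxt) - len(nxt.lstrip())
        else:
            cut = line.rfind(" ", 0, line.find(":("))
        path = line[:cut].rstrip()
        acls[path] = [parse_ace(line[cut:])]
    return acls


def audit(output):
    """(path, principal, 'write'|'read', rights) for every broad-group ACE, writes first."""
    findings = []
    for path, aces in parse_icacls(output).items():
        for who, flags, rights in aces:
            if "DENY" in flags:                      # a deny entry grants nothing
                continue
            if who.rsplit("\\", 1)[-1].lower() not in BROAD:
                continue
            if rights & WRITE_RIGHTS:
                level = "write"
            elif rights & READ_RIGHTS:
                level = "read"
            else:                                    # e.g. (N): explicitly no access
                continue
            findings.append((path, who, level, ",".join(sorted(rights))))
    findings.sort(key=lambda f: (f[2] != "write", f[0]))
    return findings


# Constructed icacls output (three shares on an imaginary file server).
SAMPLE = r"""\\fileserver\Finance Everyone:(OI)(CI)(F)
                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                     BUILTIN\Administrators:(I)(OI)(CI)(F)
\\fileserver\HR BUILTIN\Users:(OI)(CI)(RX)
                CORP\HR-Staff:(OI)(CI)(M)
                BUILTIN\Administrators:(OI)(CI)(F)
\\fileserver\Public CORP\Domain Users:(OI)(CI)(RX,W)
                    BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, level, rights in audit(SAMPLE):
        print(f"{level:5}  {path:22}  {who}  ({rights})")
```

The “write” findings are the CryptoLocker problem: one infected user in that group can encrypt the lot. The “read” findings are the HR problem from Tip 1: data that most of the company has no business seeing. Deny entries are skipped rather than modelled, so a share that relies on a deny ACE to claw back access from a broad grant will still show up, which is arguably the right outcome for a review.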

As an example: I simply don’t need write access to files in the accounts department.

In fact, I don’t need read access; or if ever I do, it is unusual enough that I am happy to make a one-off request to do so each and every time.

So by locking me out altogether, you aren’t snubbing me.

Instead, you are not only protecting the company and the network, you are also protecting me from making an otherwise innocent mistake that could end up very costly.

Tip 3. Find all your remote access points.

Many companies allow not only their own staff but also outside contractors or vendors to connect remotely into the network and work as though they were “inside”.

For example, for remote administration, many IT staff make use of Microsoft’s Remote Desktop Protocol (RDP) to connect to internal servers so that they can manage them as though they were right inside the server room.

RDP is super-convenient because it doesn’t just let you issue commands on a remote server, but acts as though your own screen, keyboard and mouse are plugged in via enormously long cables to the server itself.

If you move the mouse on your screen, it moves on the server screen, too. (Or it would move if the server had a screen plugged in.)

If a warning dialog pops up on the server, it pops up on your screen, too.

In short, giving a contractor or a vendor RDP access into your network is a bit like letting them into the server room and then leaving them to work unsupervised: a high privilege that should not be granted lightly.

Amazingly, several recent payment card breaches, where crooks were able to make off with millions of credit card numbers and more, almost certainly happened because of sloppy security practices by third-party vendors.

In fact, these vendors weren’t merely casual with passwords issued to them by the victims: in at least some cases the vendors had set up remote access for themselves as part of a product or service they had installed.

In other words, the victims who ended up carrying the blame (and the cost of fraudulent transactions subsequently refunded) probably didn’t even realise that there was a remote access system that might have been shabbily configured.

Take the time to hunt down everywhere that remote access is enabled into your network, lest you be taken by surprise.
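Finding RDP listeners is the easy part; knowing whether a listener will talk to anyone who connects is more useful. As an added example that is not part of the original article, here is a Python probe that sends the first packet of an RDP handshake (an X.224 Connection Request carrying an RDP Negotiation Request, as laid out in Microsoft’s MS-RDPBCGR specification) while deliberately not offering CredSSP, then reads the server’s reply: a server that requires Network Level Authentication refuses with HYBRID_REQUIRED_BY_SERVER, while one that does not simply picks TLS or classic RDP security and carries on. Hosts and port are whatever you pass on the command line; the reply bytes at the bottom are constructed to exercise the parser and were not captured from any real server.

```python
"""Probe RDP listeners and report whether they insist on Network Level Authentication.

Added example, not code from the original article. The packet layout follows
MS-RDPBCGR (X.224 Connection Request/Confirm carrying RDP_NEG_REQ/RSP/FAILURE).
Hosts and port are caller-supplied; the sample replies at the bottom are
constructed for illustration, not captured from a real server.
"""
import socket
import struct
import sys

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0, 1, 2, 8
PROTOCOL_NAMES = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (NLA)",
                  8: "CredSSP with early user authorisation"}
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
NLA_REQUIRED_CODES = (5, 6)

# Offer everything *except* CredSSP: a server that insists on NLA must now refuse.
OFFER_WITHOUT_NLA = PROTOCOL_RDP | PROTOCOL_SSL


def build_request(requested=OFFER_WITHOUT_NLA):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ offering `requested`."""
    neg_req = struct.pack("<BBHI", 0x01, 0, 8, requested)  # type, flags, length, protocols
    cr = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00"      # CR code, dst-ref, src-ref, class 0
    tpdu = bytes([len(cr) + len(neg_req)]) + cr + neg_req   # X.224 length indicator first
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu  # TPKT: version 3, reserved, length


def parse_response(data):
    """Interpret the server's X.224 Connection Confirm (or notice that it isn't one)."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:  # 0xD0 = Connection Confirm
        return {"rdp": False, "reason": "not an X.224 Connection Confirm"}
    li = data[4]                      # X.224 length indicator: TPDU bytes after it
    body = data[11:5 + li]            # whatever follows the 6-byte CC header
    if len(body) < 8:                 # pre-negotiation servers reply with nothing more
        return {"rdp": True, "selected": PROTOCOL_RDP}
    kind, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if kind == 0x02:                  # RDP_NEG_RSP: the protocol the server picked
        return {"rdp": True, "selected": value}
    if kind == 0x03:                  # RDP_NEG_FAILURE: why it turned our offer down
        return {"rdp": True, "failure": value}
    return {"rdp": False, "reason": f"unexpected negotiation type 0x{kind:02x}"}


def assess(parsed):
    """One-line verdict for a reply to an OFFER_WITHOUT_NLA request."""
    if not parsed["rdp"]:
        return "no RDP (" + parsed["reason"] + ")"
    if "failure" in parsed:
        name = FAILURE_NAMES.get(parsed["failure"], str(parsed["failure"]))
        if parsed["failure"] in NLA_REQUIRED_CODES:
            return "RDP, NLA required (" + name + ")"
        return "RDP, connection refused (" + name + ")"
    chosen = PROTOCOL_NAMES.get(parsed["selected"], "unknown protocol")
    return "RDP, NLA NOT required: server accepted " + chosen


def probe(host, port=3389, timeout=3.0):
    """Connect, make the offer, return the verdict. Needs network access."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request())
            return assess(parse_response(sock.recv(1024)))
    except OSError as exc:
        return f"unreachable ({exc})"


# Constructed replies (not captured), shaped as MS-RDPBCGR says a server answers:
NLA_REQUIRED_REPLY = bytes.fromhex("030000130ed000001234000300080005000000")  # FAILURE, code 5
TLS_ONLY_REPLY = bytes.fromhex("030000130ed000001234000200080001000000")      # RSP, picked TLS
LEGACY_REPLY = bytes.fromhex("0300000b06d00000123400")                        # no negotiation at all

if __name__ == "__main__":
    for sample in (NLA_REQUIRED_REPLY, TLS_ONLY_REPLY, LEGACY_REPLY, b"HTTP/1.1 400 Bad Request"):
        print("sample ->", assess(parse_response(sample)))
    for host in sys.argv[1:]:         # e.g. python rdpcheck.py 10.0.0.5 vendor-box
        print(host, "->", probe(host))
```

Run it against every address range you own, not just the server room: the vendor-installed remote access described above is exactly the kind of listener that sits on a box nobody thinks of as a server. A verdict of “NLA NOT required” means the box will happily show a logon screen (and its full pre-authentication attack surface) to anyone who can reach port 3389; “NLA required” is the setting you want, and “unreachable” on a host that you know runs RDP is what a properly segregated network (Tip 1) should produce from the outside.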

The bottom line

The three tips above help you to:

  • Protect your users from each other.
  • Protect your users from themselves.
  • Protect your users from outsiders, even those who are there to help.

Looking at security this way doesn’t have to be any more patronising than building a car with airbags and seat belts.

And it doesn’t have to be any more restrictive than a sign that says, “Please keep off the grass” when there are plenty of paved walkways to use instead.

As we said at the outset, each of these tips goes against convenience just a little bit.

Nevertheless, we think you can put all of them into practice without making any troublesome changes to your company policy or workflow.

Image of baubles courtesy of Shutterstock.