F-Up #3: MAC Address Restrictions
It’s not secure if I can just copy it.
I will grant that this particular method can at least annoy a script-kiddie who has never seen it before, but even the simplest hacking tools build MAC address spoofing right into them, and every mainstream operating system lets you set the address by hand without any special tool. This effectively renders the technique worthless unless you know how to read your logs very carefully (we’ll cover that in another article). In fact, MAC address spoofing is so easy and fun that I highly recommend it as a party trick for some smart-ass host who thinks he knows a lot about networks and bets that you can’t get on his Wi-Fi.
For the uninitiated in this networking jargon, a MAC address is a “unique” (not entirely, but for most any individual network purpose, it is) 48-bit identifier built into each network adapter. The first 24 bits are the OUI, which identifies the manufacturer; two bits of its first octet are flags (one marks a group/multicast address, the other marks an address that was set by software rather than burned in by the vendor). The last 24 bits are a serial number the manufacturer assigns to that particular adapter. This number becomes an important part of the data that comes from the device, as it is encoded into the header of the wrapper around each packet (called a frame). Delivery on the local network happens by MAC address, independently of IP: if your IP address changes, the router simply looks up the new mapping and its frames still reach the same network card.
Routers (both wired and wireless) can be set to only allow connections from certain MAC addresses by dropping any frames that come from unlisted network adapters. Theoretically, this is great protection, except that almost every piece of network monitoring, scanning or penetration software comes with MAC spoofing, which allows an attacker to impersonate any MAC address on the network. Since the source and destination MAC addresses sit in the header of every frame, in the clear even on an encrypted Wi-Fi network (the encryption covers the payload, not the addressing), it’s trivial to determine “valid” addresses: just listen for a while and copy one the router is already talking to.
MAC address spoofing generates by-products on a network that a trained eye can catch if he/she knows what to look for: duplicate-address warnings, one MAC flapping between two switch ports or showing up with two IP addresses at once, or the legitimate client introducing itself under a different hostname than it did an hour ago. But without that knowledge, enforcing MAC restrictions may be more dangerous than helpful. Not only would an untrained admin not realize there is a problem, but would further think everything is secure because of it and possibly ignore other critical signs. It’s better to let script-kiddies not think of having to do this (because believe me, they won’t unless they have to) so that their presence is more obvious.
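As an added example (not part of the original article), here is what “reading your logs carefully” can look like in practice. It is a small Python script that splits a MAC into the fields described above (OUI, vendor serial, and the two flag bits) and then runs over a constructed set of DHCP-style observations (time, MAC, IP, hostname; made up for this example, not real logs) looking for the by-products a cloned MAC leaves behind: one adapter claiming two IPs, one adapter presenting two hostnames, and addresses with the locally-administered bit set. The log format and the field names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample observations (time, MAC, IP, DHCP hostname), not real logs.
# One real laptop, a second host cloning its MAC, and a phone using a randomized address.
SAMPLE_LOG = """\
# time      mac                ip            hostname
09:00:01  00:1A:2B:3C:4D:5E  192.168.1.23  alice-laptop
09:05:10  00:1A:2B:3C:4D:5E  192.168.1.23  alice-laptop
09:07:42  00:1a:2b:3c:4d:5e  192.168.1.77  kali
09:08:00  00:1A:2B:3C:4D:5E  192.168.1.23  alice-laptop
09:10:15  02:11:22:33:44:55  192.168.1.90  guest-phone
09:12:00  3C:5A:B4:00:11:22  192.168.1.40  printer
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(mac):
    """Split a 48-bit MAC into OUI, vendor-assigned serial and the two flag bits."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    octets = [int(x, 16) for x in re.split(r"[:-]", mac)]
    first = octets[0]
    return {
        "oui": "%02X:%02X:%02X" % tuple(octets[:3]),
        "serial": "%02X:%02X:%02X" % tuple(octets[3:]),
        "group": bool(first & 0x01),                 # I/G bit: multicast/broadcast if set
        "locally_administered": bool(first & 0x02),  # U/L bit: set by software, not burned in
    }


def find_spoof_indicators(log_text):
    """Return (mac, reason) pairs for the by-products a MAC clone tends to leave behind."""
    ips = defaultdict(set)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or line.lstrip().startswith("#"):
            continue  # header, blank or malformed record
        _time, mac, ip, host = fields
        mac = mac.upper()  # normalise so 00:1a and 00:1A count as the same adapter
        ips[mac].add(ip)
        hosts[mac].add(host)

    findings = []
    for mac in sorted(ips):
        if len(ips[mac]) > 1:    # one adapter, two addresses active in the same window
            findings.append((mac, "multiple_ips"))
        if len(hosts[mac]) > 1:  # the "same" machine introducing itself under two names
            findings.append((mac, "multiple_hostnames"))
        if parse_mac(mac)["locally_administered"]:
            findings.append((mac, "locally_administered"))
    return findings


if __name__ == "__main__":
    for mac, reason in find_spoof_indicators(SAMPLE_LOG):
        print(mac, reason, "OUI", parse_mac(mac)["oui"])
```

The first two indicators are the ones worth paging on; the third needs a caveat: modern phones and laptops randomize their Wi-Fi MAC per network, and those randomized addresses also carry the locally-administered bit, so on a guest network that check will fire constantly and is only useful where you know every legitimate client uses its burned-in address.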
F-up #4: Password Madness
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for people to remember, but easy for computers to guess.” – xkcd
First, let’s talk about password complexity. Actually, xkcd already did, in the comic quoted above. Read it. Memorize it. Learn from it.
Enforcing the “at least three of four” (special chars, capitals, lowercase and numerals) rule sounds like absolutely common sysadmin sense. It’s not. At this point it’s counterproductive, because people are forced into TERRIBLE password habits to satisfy it. They use common words, birthdates, proper names of kids and pets, add an exclamation point at the end and call it a day. Then they write it on a sticky note stuck to the monitor, e-mail it to themselves, or do other silly things so they don’t forget it.
To further help remember it, they will usually only have one or two of these passwords and use them on every site and service they can. That means a valid username and/or password to your network is also being used all across the Internet, from bill-pay accounts to goldfish forums, and a breach at any one of those sites hands an attacker a working login to your network. Scammers who are into social engineering LOVE that stuff.
So what is a better idea? Drop down to requiring at MOST one of the extras beyond the base class (for instance, upper and lower, or lower and a number, or lower and special), and make the other requirement a minimum of 16 or 20 characters. Encourage randomness. Your users will thank you, and they’ll be less likely to use the same password for your systems that they use for every other awful service, closing one more vector of attack.
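To make the two policies concrete, here is an added example (mine, not from the original article) that implements the conventional “three of four” rule and the length-first rule recommended above side by side, and adds a naive search-space estimate (alphabet size to the power of length, in bits) to show why length buys more than class mixing. The minimum lengths, the alphabet sizes and the sample passwords are assumptions chosen for the example.

```python
import math

# Rough alphabet sizes for the search-space estimate (assumed values);
# 33 covers printable ASCII punctuation plus space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def char_classes(password):
    """Which of the four classic character classes a password uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # punctuation and space both land here
    return classes


def three_of_four_policy(password, min_len=8):
    """The conventional rule criticised above: short is fine as long as you mix classes."""
    return len(password) >= min_len and len(char_classes(password)) >= 3


def length_first_policy(password, min_len=16, min_classes=2):
    """The rule proposed above: long, with at most one 'extra' class beyond the base one."""
    return len(password) >= min_len and len(char_classes(password)) >= min_classes


def search_space_bits(password):
    """log2 of the number of strings an attacker who knows only the length and the
    classes in use would have to try. This is an upper bound: passwords built from
    words, names and dates fall to dictionary attacks with far fewer guesses."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def compare(password):
    """Verdict of both policies plus the naive search-space size, for one password."""
    return {
        "three_of_four": three_of_four_policy(password),
        "length_first": length_first_policy(password),
        "search_space_bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    samples = (
        "P@ssw0rd!",                     # passes 3-of-4, fails length-first
        "Fluffy2012!",                   # the pet-plus-year habit described above
        "correct horse battery staple",  # fails 3-of-4, passes length-first
        "the printer on floor 3 jams",
    )
    for pw in samples:
        print("%-30s %s" % (pw, compare(pw)))
```

Note that `search_space_bits` deliberately models only what a brute-force attacker faces; it says nothing about how guessable “Fluffy2012!” really is. The policy functions are the point: the first accepts the sticky-note passwords the article complains about and rejects a four-word passphrase, the second does the reverse.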
Now that we have that out of the way, let’s talk about one other issue – wired systems still need password protection for the network. Whether you protect your documents by passwording a network folder or institute a domain (which, if you’re on a Windows server, you really, really should for lots of reasons which I’ll cover in another article), don’t ever leave your desktops unprotected. Sleep mode and timeouts should be met with a login screen, and users should need to authenticate to use network services.
I’m going to give an unusual nod to Microsoft here: Windows Server editions (which many small businesses use) make this concept so easy to institute through Active Directory and Group Policy that there is simply no excuse not to do it. Honest.
F-up #5: Mistaking network security for physical security
“Huh, I could’ve sworn there was a server there…”
One of my friends who has spent his entire life in IT and programming told me an entertaining story when I picked his brain about this article. In a reminder about “backups, backups, backups!” (which every good admin should be doing), he told me a story about a client that made sure to faithfully back up every week to a tape, which was put on top of the server in case of server failure. This worked wonderfully – until the server was stolen, and the tape with it. The company had no other backup.
His point on offsite backups is an important one – you should always maintain a regular offsite backup, and I personally try to keep at least three versions back in case of data corruption. But half of the benefit of offsite backups is the fact that the backup isn’t there to get lost, stolen or destroyed! That points to an important part of information security: physical protection shouldn’t be overlooked.
Cabling computers to desks, putting padlocks on server cases and other issues may seem like ridiculous behavior in a small office. However, the last time I checked, your friendly neighborhood burglar didn’t send appointment cards to you so that you knew when your stuff might be taken from you. Sure, the burglar may only want the server because it’s computer equipment he can sell hot – but guess who the buyer might be? A scammer or identity thief who would love to get their hands on your data.
Also, don’t think that physical security ends with your boxes – exposed network and USB extension cables should be examined every so often if possible for rogue devices, and Ethernet wall-jacks in empty offices or publicly accessible places should be disconnected until needed again. You can’t be everywhere at once, so you might as well minimize the potential places that unauthorized connections can happen.
Oh, and for the love of sanity, please take your backups offsite or secure them.