Date: October 19, 2012
Author(s): Brett Thomas
It’s easy to overlook that, where information theft is concerned, the huge corporations in the headlines are far less dangerous than the small businesses you deal with each and every day. Some of those institutions hold treasure troves of information on you that can far exceed what the “big fish” have. If you work in an SMB, you can’t afford to have your information stolen, so read on for some important tips.
Writer’s Note: I’ll be covering information security in much greater detail here at Techgage with some great partnerships, including Pwnie Express – the guys who invented the (now infamous) PwnPlug – and Riverbed Technology, an IT monitoring industry leader.
Along the way, I’ll show you some simple and cost-effective tools to perform basic security auditing (known as pentesting) and protection in the SysAdmin Corner, and try to break major security issues down to understandable chunks for those who are novices and intermediates in the field. I hope you will come to enjoy information security as much as I do – or at least learn enough to protect yourself and your data.
This week, I want to cover some of the most basic failings I see time and again – and outline some simple fixes. If you work in a small to mid-sized business that doesn’t have dedicated IT and security, you can’t afford to skip this article. If you don’t work in such an environment, I hope you’ll learn some tips for securing your home network – many of these will apply there as well.
Nowadays, cyber-security is front-page news. It seems like nearly every week, we hear about some big company getting hacked and its customer data being stolen. Outrage from customers and onlookers alike fills the Internet, demanding to know why this data was not protected. Many of these people then go home or to work, hop on unsecured home networks and begin browsing away on malware-infected PCs, never realizing that many of the same mistakes (and more!) are being committed by themselves and their employers.
I truly believe that a much greater amount of data, and therefore risk, lies in the hands of small business than in the mega-corporations. Breaking into Citigroup or Sony may net a real hacker a lot of credibility, but by and large it’s not the real hackers that we have to worry about. Instead, it’s the script-kiddies (miscreants who use the powerful tools that real hackers have developed, often with little understanding) and professional scammers we should fear – and they can get a lot more “bang for the buck” harvesting local, poorly secured networks than wasting time and almost assuredly getting caught busting into big companies. If Citigroup is Fort Knox, then your nearby doctor’s or accountant’s office is a simple snatch-and-grab home burglary, where the tenant won’t be back to find out… ever.
In my office complex alone, there are three doctors, two attorneys, one insurance agency and one financial manager (and a partridge in a pear tree!). Six of the seven run wireless networks; three of those use the default password for their router and an easily guessable wireless access password. All six wireless networks have a critical vulnerability running that you’ll read about here. The seventh office uses conventional wired networking, but has no passwords or controls for the network, and an Ethernet jack in an unattended conference room accessible from the front lobby.
Ladies and gentlemen, this is where and how your information is being kept. Your health records, your bank info, your assets and net worth. Your wills and trusts. Your birth dates, kids’ names, speeding ticket defenses. Citigroup has nothing on this.
Have you ever asked yourself: “If that information was stolen… what would I do?”
If you work in small business (or are a small business), you owe it to your clients, yourself and your employer to treat the data you use with respect. So in honor of the seven networks above, I’ve written up seven of the simple mistakes these offices (and countless more) make, and how to protect yourself from them.
Security by obscurity is not security at all.
Two of the offices that use wireless in the above group hid their network name (Service Set ID, or SSID) because “you can’t break into what you can’t see.” Not broadcasting the SSID may keep a client turning on his iPhone from seeing your network, but it does nothing to stop a hacker.
To understand why, you only need to understand the most basic thing about Wi-Fi: it’s a radio station playing roughly 100 feet in any direction. Your wireless router is “broadcasting” a signal to all devices in the area, whether they are intended to receive it or not, and connected devices broadcast back to the router in the same way. This means that all of the traffic is in the air for anyone to see.
Broadcasting the name of the network is simply a convenience for devices that have not yet joined it. Anyone who wants the network name need only look at the traffic in the air; it’s right in the data. They can also simply “ask” the router, so hiding the SSID does nothing but stop the router from answering the question before it is asked.
Every script-kiddie and hacker wannabe knows how to find your SSID, so only hide it if there is a practical reason (keeping the list of broadcasted names down) – and don’t ever mistake it for being secure.
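To make “it’s right in the data” concrete, here is an added example (mine, not code from the article or from Techgage) that builds two constructed 802.11 management frames and pulls the SSID element out of each: a beacon from an access point with SSID broadcast turned off, and a probe request from a laptop that already knows the network and is looking for it. The frame layout (24-byte header, 12 bytes of fixed beacon fields, then tagged elements with id 0 for the SSID) follows the 802.11 standard; the addresses, channel and network name are made up for the example.

```python
import struct

# Constructed sample values for illustration, not captured traffic.
FC_BEACON = 0x0080      # frame control: type 0 (management), subtype 8 (beacon)
FC_PROBE_REQ = 0x0040   # frame control: type 0 (management), subtype 4 (probe request)
BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("02aabbccdd01")       # made-up access point address
CLIENT_MAC = bytes.fromhex("02aabbccdd02")   # made-up laptop address
OFFICE_SSID = b"FrontDesk"                   # made-up network name


def ie(element_id, data):
    """One tagged information element: id byte, length byte, value."""
    return bytes([element_id, len(data)]) + data


def mgmt_frame(fc, dst, src, bssid, body):
    """24-byte management header (control, duration, three addresses, sequence) + body."""
    return struct.pack("<HH6s6s6sH", fc, 0, dst, src, bssid, 0) + body


# A beacon carries 12 bytes of fixed fields (timestamp, interval, capabilities) before
# its elements. An AP that "hides" its name still sends the SSID element, just empty.
HIDDEN_BEACON = mgmt_frame(
    FC_BEACON, BROADCAST, AP_MAC, AP_MAC,
    struct.pack("<QHH", 0, 100, 0x0411)
    + ie(0, b"")                                  # blanked SSID
    + ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))      # supported rates
    + ie(3, bytes([6])),                          # channel 6
)

# A probe request has no fixed fields. A client that knows the "hidden" network has to
# name it to find the AP, so the SSID goes over the air anyway.
PROBE_REQUEST = mgmt_frame(
    FC_PROBE_REQ, BROADCAST, CLIENT_MAC, BROADCAST,
    ie(0, OFFICE_SSID) + ie(1, bytes([0x82, 0x84, 0x8B, 0x96])),
)


def parse_ies(body):
    """Walk the tagged elements into an {id: value} dict, refusing truncated input."""
    elements, offset = {}, 0
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elements[element_id] = value
        offset += 2 + length
    return elements


def extract_ssid(frame):
    """Return (frame_kind, ssid); ssid is None when the field is empty or all NULs."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    frame_type, subtype = (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    if frame_type != 0:
        raise ValueError("not a management frame")
    body = frame[24:]
    if subtype == 8:
        kind, body = "beacon", body[12:]      # skip the fixed beacon fields
    elif subtype == 4:
        kind = "probe-request"
    else:
        raise ValueError(f"unsupported management subtype {subtype}")
    ssid = parse_ies(body).get(0, b"")
    # Some APs pad a hidden SSID with NUL bytes instead of sending zero length.
    return kind, (ssid.decode("utf-8", "replace") if ssid.strip(b"\x00") else None)


def bssid_of(frame):
    """Address 3 of a management frame: the AP's BSSID, visible whether or not the SSID is."""
    return frame[16:22].hex(":")


if __name__ == "__main__":
    print(extract_ssid(HIDDEN_BEACON), bssid_of(HIDDEN_BEACON))   # ('beacon', None) ...
    print(extract_ssid(PROBE_REQUEST))                            # ('probe-request', 'FrontDesk')
```

The beacon tells you there is a network and who (by BSSID) is running it; the client’s own probe request tells you what it is called. That is the whole reason hiding the name buys nothing against anyone who bothers to listen.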
A chain is only as good as its weakest link.
WPS, or Wi-Fi Protected Setup, was an attempt to make setting up a more secure home network both easy and foolproof for small-office and home users. It comes in two flavors, “push” and “press”. Press mode is a physical button on the router and the device, which you push to “pair” the two without having to go through the complexity of SSIDs, encryption standards, passcodes, etc. Push mode involves a single eight-digit numeric key which the user types in when associating new devices, allowing the router to send all of the network information automatically and prevent connection errors.
This is all well and good, except that most consumer-level wireless routers have push-WPS enabled by default, or turn it on automatically immediately after press-WPS is used. To associate with a router via push-WPS, one needs only that eight-digit numeric key, which is easily brute-forced, particularly since the eighth digit is nothing but a checksum of the other seven.
Because the very purpose of WPS is to facilitate hands-free setup, timeouts and lockouts are also not enforceable, meaning that all of the relevant combinations can be tried in a very short timespan. The complexities (which actually make it easier, not harder) are outside the scope of this article, but what you need to know is that leaving WPS on reduces any security you have to nothing more than guessing a 7-digit PIN, at best.
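The checksum point is easy to see in code. The following is an added example (mine, not from the article) of the WPS PIN check digit as the Wi-Fi Protected Setup specification defines it and as hostapd implements it: a weighted sum of the seven PIN digits, alternating weights 3 and 1 from the right, with the eighth digit chosen to make the total a multiple of ten. Because each seven-digit body has exactly one valid eighth digit, an “eight-digit” PIN has only ten million possibilities, and the protocol’s habit of acknowledging each half of the PIN separately (the complexity the text alludes to) shrinks the effort further.

```python
def wps_checksum(first_seven: int) -> int:
    """Check digit the WPS spec appends to a seven-digit PIN body.

    Weights alternate 3, 1, 3, 1, ... starting from the rightmost digit; the
    check digit is whatever makes the weighted sum divisible by ten.
    """
    if not 0 <= first_seven < 10_000_000:
        raise ValueError("PIN body must be seven decimal digits")
    accum, rest = 0, first_seven
    while rest:
        accum += 3 * (rest % 10)
        rest //= 10
        accum += rest % 10
        rest //= 10
    return (10 - accum % 10) % 10


def complete_pin(first_seven: int) -> str:
    """Seven-digit body plus its check digit, as printed on a router label."""
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


def is_valid_wps_pin(pin: str) -> bool:
    """True if the eight-digit PIN's last digit is the correct checksum of the first seven."""
    digits = pin.replace("-", "").replace(" ", "")
    if len(digits) != 8 or not digits.isdigit():
        return False
    return wps_checksum(int(digits[:7])) == int(digits[7])


def count_valid_pins(bodies) -> int:
    """For each seven-digit body, count how many of the ten possible eighth digits
    pass validation. The total equals the number of bodies: one check digit each,
    so the eighth digit adds no guessing work at all."""
    return sum(
        sum(is_valid_wps_pin(f"{body:07d}{d}") for d in range(10)) for body in bodies
    )


if __name__ == "__main__":
    print(complete_pin(1234567))            # a PIN that many devices shipped with
    print(count_valid_pins(range(1000)))    # 1000: exactly one valid PIN per body
```

`complete_pin(1234567)` yields `12345670`, a value that has appeared as a factory default on a number of consumer routers; that one is worth recognising if it is printed on the label of a device in your office, but the fix is the same either way: turn WPS off.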
This fairly unforgivable sin was committed by every one of the Wi-Fi networks in my complex… and if I had to guess, I’d bet that the network administrators didn’t even know it and never used WPS to set up their networks. The only workaround to this problem is to go into your router settings and make sure WPS is disabled.
While you’re in there, please change your default router login and password, mmmkay? I bet it’s still admin/password or admin/12345.
It’s not secure if I can just copy it.
I will grant that MAC address filtering (restricting the network to a list of approved hardware addresses) can at least annoy a script-kiddie who has never seen it before, but even the simplest hacking tools build MAC address spoofing right into them. This effectively renders the technique worthless unless you know how to read your logs very carefully (we’ll cover that in another article). In fact, MAC address spoofing is so easy and fun that I highly recommend it as a party trick for some smart-ass host who thinks he knows a lot about networks and bets that you can’t get on his Wi-Fi.
For the uninitiated in this networking jargon, a MAC address is a “unique” (not entirely, but for most any individual network purpose, it is) 48-bit identifier built into each network adapter. The first 24 bits outline the manufacturer and device ID, the second 24 bits outline a unique number and a couple specific-purpose flags. This number becomes an important part of the data that comes from the device, as it is encoded onto the wrapper around each packet (called a frame). This way, if your IP address changes on the network, the router can still find the network card.
Routers (both wired and wireless) can be set to only allow connections from certain MAC addresses by dropping any packets that come from unlisted network adapters. Theoretically, this is great protection – except that almost every piece of network monitoring, scanning or penetration software comes with MAC spoofing, which allows an attacker to impersonate any MAC address on the network. Since the MAC address is broadcast on every packet, it’s trivial to determine “valid” addresses.
MAC address spoofing can generate many interesting by-products on a network that a trained eye can catch if he/she knows what to look for… but without that knowledge, enforcing MAC restrictions may be more dangerous than helpful. Not only would an untrained admin fail to realize there is a problem, he or she would further assume everything is secure because of the filter and possibly ignore other critical signs. It’s better to let script-kiddies not think of having to do this (because believe me, they won’t unless they have to) so that their presence is more obvious.
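Two of the things a “trained eye” actually looks at can be written down. This is an added example (mine, not from the article or from Techgage): it splits a MAC address into its OUI and device halves and decodes the I/G and U/L flag bits, which the IEEE places in the low two bits of the first octet (a set U/L bit means the address was set by software rather than burned in by the manufacturer), and it scans DHCP server lease acknowledgements for one address that is suddenly answering from two places at once, the most visible by-product of a cloned address. The log lines are constructed in the style of ISC dhcpd syslog output; the hostnames, addresses and interface names are invented.

```python
import re
from collections import defaultdict

# Constructed dhcpd-style syslog lines, not from a real server.
SAMPLE_LEASE_LOG = [
    "Oct 19 09:12:01 gw dhcpd: DHCPACK on 192.168.1.20 to 00:1a:2b:3c:4d:5e (reception-pc) via eth1",
    "Oct 19 09:15:44 gw dhcpd: DHCPACK on 192.168.1.21 to 00:1a:2b:3c:4d:5f (billing-pc) via eth1",
    "Oct 19 09:31:09 gw dhcpd: DHCPACK on 192.168.1.57 to 00:1a:2b:3c:4d:5e via wlan0",
    "Oct 19 09:40:12 gw dhcpd: DHCPACK on 192.168.1.20 to 00:1a:2b:3c:4d:5e (reception-pc) via eth1",
]

ACK_RE = re.compile(
    r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S*)\))? via (\S+)", re.IGNORECASE
)


def parse_mac(mac: str) -> dict:
    """Split a 48-bit address into OUI and device halves and decode its two flag bits."""
    octets = bytes.fromhex(re.sub(r"[:-]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit address: {mac}")
    return {
        "oui": octets[:3].hex(":"),                     # manufacturer-assigned prefix
        "nic": octets[3:].hex(":"),                     # device-specific half
        "multicast": bool(octets[0] & 0x01),            # I/G bit: group address
        "locally_administered": bool(octets[0] & 0x02), # U/L bit: set by software
    }


def find_cloned_macs(log_lines) -> dict:
    """Map each MAC that was acknowledged on more than one (IP, interface) to those places.

    A wired, allow-listed workstation's address turning up with a second lease
    on the wireless interface is the kind of signal the filter itself never gives you.
    """
    seen = defaultdict(set)
    for line in log_lines:
        match = ACK_RE.search(line)
        if not match:
            continue
        ip, mac, _hostname, iface = match.groups()
        seen[mac.lower()].add((ip, iface))
    return {mac: sorted(places) for mac, places in seen.items() if len(places) > 1}


if __name__ == "__main__":
    print(parse_mac("02-aa-bb-cc-dd-01"))     # locally_administered: True
    for mac, places in find_cloned_macs(SAMPLE_LEASE_LOG).items():
        print(mac, "seen at", places)
```

A locally administered address is not proof of anything on its own (virtual machines and some operating systems’ privacy features set the bit legitimately), so the lease check is the stronger of the two signals; either way, this is the kind of log reading the filter is worthless without.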
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for people to remember, but easy for computers to guess.” – xkcd
First, let’s talk about password complexity. Actually, xkcd already did – just click the link right above this line. Read it. Memorize it. Learn from it.
Enforcing the “at least three of four” (special chars, capitals, lowercase and numerals) rule sounds like absolutely common sysadmin sense. It’s not. At this point it is counterproductive, because people are forced into TERRIBLE password habits to make these passwords work. They use common words, birthdates, proper names of kids and pets, add an exclamation at the end and call it a day. They then write it on sticky notes to attach to the monitor, e-mail it to themselves, or do other silly things so they don’t forget it.
To further help remember it, they will usually only have one or two of these passwords and use them on every site and service they can. That means a valid username and/or password to your network is also being used all across the Internet, from bill-pay accounts to goldfish forums. Scammers who are into social engineering LOVE that stuff.
So what is a better idea? Drop down to requiring at MOST one of the extras (for instance, require upper and lower, or lower and a number, or lower and special), and make the other requirement a minimum of 16 or 20 characters. Encourage randomness. Your users will thank you, and they’ll be less likely to use the same password for your systems that they use for every other awful service, removing one more vector of attack.
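The two rules can be compared directly. This added example (mine, not the article’s) encodes the conventional “three of four” rule and the length-first rule the text proposes, and adds a check for the word-plus-number-plus-exclamation shape the text describes people falling into. The character classes follow the text; the eight-character minimum for the old rule and the regular expression for the predictable shape are my assumptions.

```python
import re
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}

# The shape people reach for under a "3 of 4" rule: a word, a date or number,
# maybe a trailing "!". The pattern is an assumption, not from the article.
WORD_PLUS_SUFFIX = re.compile(r"^[A-Za-z]+[0-9]{1,8}[!@#$%*]?$")


def classes_present(password: str) -> set:
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def passes_three_of_four(password: str, min_len: int = 8) -> bool:
    """Conventional rule: at least min_len characters drawn from three of the four classes."""
    return len(password) >= min_len and len(classes_present(password)) >= 3


def passes_length_first(password: str, min_len: int = 16, min_classes: int = 2) -> bool:
    """The article's alternative: one base class plus at most one 'extra', but long."""
    return len(password) >= min_len and len(classes_present(password)) >= min_classes


def looks_like_word_plus_suffix(password: str) -> bool:
    """Flags the predictable word+digits(+punctuation) shape regardless of which rule it passes."""
    return WORD_PLUS_SUFFIX.match(password) is not None


def evaluate(password: str) -> dict:
    """Side-by-side verdict for one candidate password."""
    return {
        "length": len(password),
        "classes": sorted(classes_present(password)),
        "three_of_four": passes_three_of_four(password),
        "length_first": passes_length_first(password),
        "predictable_shape": looks_like_word_plus_suffix(password),
    }


if __name__ == "__main__":
    for candidate in ("Fluffy2009!", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

`Fluffy2009!` sails through the old rule and trips the predictable-shape check; the four-word phrase fails the old rule and passes the new one. That inversion is the whole argument of the xkcd strip in one function call.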
Now that we have that out of the way, let’s talk about one other issue – wired systems still need password protection for the network. Whether you protect your documents by passwording a network folder or institute a domain (which, if you’re on a Windows server, you really, really should for lots of reasons which I’ll cover in another article), don’t ever leave your desktops unprotected. Sleep mode and timeouts should be met with a login screen, and users should need to authenticate to use network services.
I’m going to give an unusual nod to Microsoft here: Windows Server editions (which many small businesses use) make this concept so easy to institute through Active Directory and Group Policy that there is simply no excuse not to do it. Honest.
“Huh, I could’ve sworn there was a server there…”
One of my friends who has spent his entire life in IT and programming told me an entertaining story when I picked his brain about this article. In a reminder about “backups, backups, backups!” (which every good admin should be doing), he told me a story about a client that made sure to faithfully back up every week to a tape, which was put on top of the server in case of server failure. This worked wonderfully – until the server was stolen, and the tape with it. The company had no other backup.
His point on offsite backups is an important one – you should always maintain a regular offsite backup, and I personally try to keep at least three versions back in case of data corruption. But half of the benefit of offsite backups is the fact that the backup isn’t there to get lost, stolen or destroyed! As such, it points out an important part of information security – physical protection shouldn’t be overlooked.
Cabling computers to desks, putting padlocks on server cases and other such measures may seem like ridiculous behavior in a small office. However, the last time I checked, your friendly neighborhood burglar didn’t send appointment cards so that you knew when your stuff might be taken. Sure, the burglar may only want the server because it’s computer equipment he can sell hot, but guess who the buyer might be? A scammer or identity thief who would love to get their hands on your data.
Also, don’t think that physical security ends with your boxes – exposed network and USB extension cables should be examined every so often if possible for rogue devices, and Ethernet wall-jacks in empty offices or publicly accessible places should be disconnected until needed again. You can’t be everywhere at once, so you might as well minimize the potential places that unauthorized connections can happen.
Oh, and for the love of sanity, please take your backups offsite or secure them.
Once I’m on, I’m in… to everything.
I can’t tell you how many times I’ve seen this, and it is far more dangerous and has far greater implications than anything written above in this article. It is also assuredly the least followed. Most sysadmins make the mistake of treating a network as a flock of sheep that needs protection from the wolves outside. Because of that, these sysadmins forget important things, like locking the pasture gates so that the sheep don’t go eat your garden.
Network control is not just about protecting the inside users from the outside, it’s about protecting privileged information from non-privileged people. In every company, small and large, there are things that people need to do their jobs and things that people aren’t supposed to see or change.
The first of these steps is file permissions – whether it’s as simple as making your archives read-only or as important as padlocking the firm’s financial info to an individual user, user and group accounts should be used to protect data from the wrong hands. Follow that up with group policy that protects you from users (or people posing as users) changing or monkeying with settings in Control Panel or other sensitive administrative areas.
Finally, consider your servers – every open port is a vulnerability, and every service is an exploit waiting to happen. One sysadmin friend even told me that on smaller networks especially, he firewalls every server individually. Even if you only have one, make sure that at least your software firewall is on and restrict or shut down the services and ports that not everyone needs.
The purpose of this protection is twofold. First, it keeps your data and settings from being tampered with by the wrong people inside your company. Second, it keeps a lucky script-kiddie from getting access to the goods if he or she just happens to trip over an exploit and stumble into your network. That rush of success turns to disappointment when the non-privileged account that was exploited turns out to grant a pass to nothing but some remedial documents like letterhead templates, or a directory listing of files that can’t be opened anyway.
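“Every open port is a vulnerability” is a thing you can audit in five minutes. This added example (mine, not from the article) parses the output of `netstat -an` as a Windows server prints it, keeps only sockets that are actually accepting connections, drops anything bound to loopback, and reports every remaining listener that is not on a short allow-list of services the office has decided it needs. The netstat text and the allow-list (file sharing only) are constructed for the example; on a real server you would paste in the real output and write down the real list.

```python
import re
from ipaddress import ip_address

# Constructed "netstat -an" output in Windows layout, not from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.22:51234     ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
"""

# Constructed allow-list: the only listeners this office decided it needs (SMB file sharing).
NEEDED_PORTS = {("TCP", 139), ("TCP", 445)}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)


def parse_listeners(netstat_output: str) -> list:
    """Return (proto, local_addr, port) for every socket that accepts traffic."""
    listeners = []
    for line in netstat_output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                                   # headers, blank lines
        proto, addr, port, _foreign, state = match.groups()
        proto = proto.upper()
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue                                   # established/closing sockets are not exposure
        listeners.append((proto, addr.strip("[]"), int(port)))   # "[::]" -> "::"
    return listeners


def exposed_listeners(netstat_output: str, needed_ports: set) -> list:
    """Listeners bound beyond loopback on a port that is not on the allow-list."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_output):
        try:
            if ip_address(addr).is_loopback:
                continue                               # reachable from the host only
        except ValueError:
            pass                                       # wildcard like "*": treat as exposed
        if (proto, port) not in needed_ports:
            findings.append((proto, addr, port))
    return findings


if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_NETSTAT, NEEDED_PORTS):
        print(f"{proto} {addr}:{port} is listening but nobody asked for it")
```

In the constructed sample, RPC (135), Remote Desktop (3389) and SNMP (161) show up as listening on every interface without being on the list; the SQL instance on 127.0.0.1 does not, because nothing off the box can reach it. Each finding is then a decision: stop the service, bind it to one address, or add a host-firewall rule that limits who may talk to it.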
If you don’t need it on the ‘Net, don’t put it on the ‘Net.
Listen, it’s a weird, wired world out there. We all do so much business from our systems that we often forget what it’s like to not have the world at our fingertips. However, I also work in an office where financial data is everywhere – and to protect it, we don’t even hook our desktops to the Internet; instead, we use separate systems in each office for browsing, e-mail and research.
The truth is that not every user, and far fewer servers, need online access. An internal network can’t be breached through a connection it doesn’t have. Even where users need the Internet as an integral part of their day-to-day tasks (and far fewer people do than you’d think), many of those systems don’t need to share a network with privileged data.
If your information is sensitive enough, it may be time to consider cutting the cord to the outside world and letting your staff get their Internet fix through separate channels. Sure, that all-in-one network that some supposed computer guru set up for you seems wonderful now, but do you need it? Will you protect it? What would you do and who would you be liable to if it was breached?
If you can’t answer that last question, it probably doesn’t need to be connected to the Internet.
At the end of the day, even true tech geeks can become bogged down in the mires of information security – and there aren’t a lot of resources in between “Update your antivirus!” and complex pentesting whitepapers. My long-term goal in this series will be to bridge that gap a bit and arm you with the knowledge to defend your network. By learning some basic tools and understanding a bit of what is going on behind the scenes, you can help keep your home or business a lot more secure.
However, even the best security won’t hold when basic principles are missed. The seven points above are simple and effective methods that good admins follow, and bad ones ignore at their peril. Failing to do these steps is asking for trouble, no matter what else you try to do for your network.
Always remember, though, that information security is not so much about making something “hack-proof” (I assure you, there is no such thing) as about making the risk and effort far greater than the reward for each task. A sysadmin’s goal is to balance the risk of exposure against the need for access. If the controls are too onerous, people will ignore them or bosses will demand they be removed.
If you’re ever in doubt as to whether you’re locking something down too tightly or not enough, go back to the big question: If this information was stolen, what would you do?
Copyright © 2005-2019 Techgage Networks Inc. - All Rights Reserved.