
In the last two months I have had the pleasure of working with some interesting scenarios regarding security needs and the implementation of security practices.

From implementing an open but secured wireless network at a school, to managing webservers for an Internet Service Provider, I have seen a lot in a short time.

What became readily apparent – as I sit here on the couch on a Sunday afternoon – is that security begins and ends with the human factor.

Here are a few quick examples. By necessity the details and identity of the various role-players in these scenarios are muddled. I dare not add to their security woes by blabbing in too much detail.

  1. The Incompetent Administrator. This genius decided to give an “open” (uncapped staff) account to students at the school where we installed a wireless network. The school required some sort of security (we went with a flavour of WPA with a unique username and password for every user), and we provided it. We even secured every wireless router and access point with a username and password known only to us. What our intrepid security nincompoop did was provide an uncapped account, which was distributed to all students. The end result? No audit trail if we ever need to find out who accessed what from where, more than 3 GB worth of porn (and online marijuana orders) accessed by *someone*, and an open password that students will blab about to friends, and there we have the whole of the neighborhood getting free internet!
  2. Unsecured Access Points. Countless times I have walked into the house or premises of a client complaining that their bandwidth usage went through the roof. I switch on NetStumbler and find that their access point is unsecured. Yay for passing the responsibility to someone else. I access the router, bump everyone off the network (including neighbor Joe’s daughter’s geek boyfriend downloading torrents) and secure the network.
  3. WEP Security. Ah, good ole WEP. Crackable within minutes – and the world is full of it. Even a router at our office is still hiding manfully behind a WEP barricade. Reminds me that I have to up it to WPA or something… Funnily enough, we just sent out a warning to our clients about the insecurity of WEP, only to find that some intrepid Network Admin at our office decided WEP would indeed be good enough for us. Good security practice, that.
  4. Good Passwords – Bad Implementation. I know of at least one company that has extremely good passwords on everything that they run. I am talking 6 to 8 digit masterpieces including capitals, numbers and a combination of ()*&^ and #. These passwords are really hard to remember – let alone to run a cracking utility on. But then again there would be no need: all these passwords are listed in an MS Excel file hosted on the staff file server. Yes, an Excel spreadsheet including all the passwords for every mission-critical computer. The spreadsheet is not password protected itself, is not encrypted, and does not reside in an encrypted folder. One leak of this file and these guys are compromised big time.
  5. The Helpful IT file – or counter book. Good IT practice can equal bad security practice. I always find it pleasantly surprising to be handed an IT file when I get to a client. Usually this file includes notes written by all the IT support guys that have been there before, IP addresses for all printers, PCs and routers, and sometimes copies of contracts with IT companies and so on. The file makes every IT technician’s life easy. It is no fun to sit there trying to figure out if 192.168.1.254 is the ADSL router address or the Wireless Access Point. And ROUTE PRINT often does not shed much light either when things have gone bonkers on the network – that is why you would be there in the first place. The BAD part to all this would be including all your passwords in this file – and not securing the file. Often I arrive to find the IT file “…on a shelf over there…” in plain view with “IT” emblazoned on it to help potential baddies identify it.

The moral? Secure your security practices. Below are some tips, ranging from upping home IT security, to hardcore Corporate Paranoia.

  1. Secure Your Password Files. If you have the need to have a Password Master List – you may need one if you have lots of servers and workstations – secure your list. Encrypt the file, password protect the folder and make sure only a few key people even know it exists and where it is stored. In the case of a hardcopy – LOCK IT UP. You lock up your cheque books in a safe, why not your IT file? If that file falls into the wrong hands you are in serious trouble.
  2. Secure Your Wireless Network. This should be one of the first things you do with any wireless router: secure it with at least WPA authentication. WEP is not good enough any more. Be it at home or at the office – you will at the very least be saving yourself some bandwidth, and at worst stopping someone from snooping your files on the network. You could also use MAC address authentication. Every network card has a unique MAC address, and you could specify which MAC addresses can access your wireless router. If an address is not on the list, access will not be granted.
  3. Use Multi Owner Passwords. Divide passwords and usernames between people. Person 1 knows the username, Person 2 the password, or even two people for the password alone. At any reputable bank no single person ever has more than one of the safe’s keys – it should be no different with passwords. Passwords are the keys to your information.
  4. Common Username/Password Combos to Avoid. Avoid any of the following Username/Password combinations, and yes – I have come across all of these somewhere…
    user/password (Yes, I have personally seen this combination in action – this is not just an example), admin/admin, root/user, yourname/yourname (or surname), admin/12345. In short – avoid any username/password combination that is or includes your name, surname, sequential numbers or sequential letters of the alphabet. As a rule of thumb, if it is hard to remember – it should be harder to crack or guess.
  5. Encrypt Everything. I have a friend who not only password protects his hard drive, but encrypts it. To even boot up his machine he has to enter at least two passwords. That is a good thing if you work with mission-critical data as he does. If someone steals his notebook they won’t be able to access the data on his hard drive even if they insert it into another machine. Good security practice – maybe a bit over the top for the average home user, but good nonetheless.
  6. Use different subnets. Not all routers support this functionality, but I was given a Buffalo Access Point to test this week, and it has a nifty feature. You can put it on a different IP subnet from the rest of your network, and it will still function as a gateway to your ADSL router. The average home network has an IP range of 192.168.1.1 to 255. The Buffalo router can sit on 192.168.11.1 for instance and still route your internet traffic through to 192.168.1.1 (the ADSL router address). What this means is that if your wireless network is ever compromised, any hacker will only be able to “see” the access point, because the wireless access point will be handing out dynamic IP addresses on its own subnet. The way networks are structured means that the rest of the network will be invisible to his computer. Hence your internet access might be compromised, but your files on your other computers should be safe, unless the hacker knows to explicitly look for different subnets.
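
The rules from tip 4 can be turned into a check that runs wherever a password is set or reviewed. The following is an added example, not code from the original post; the function names, the four-character sequence threshold and the sample accounts are assumptions made for illustration.

```python
import string

# Pairs named in the post; "yourname/yourname" is covered by the rules below.
KNOWN_BAD_PAIRS = {("user", "password"), ("admin", "admin"),
                   ("root", "user"), ("admin", "12345")}

def has_sequence(text, run=4):
    """True if text holds `run` ascending neighbours, e.g. 1234 or abcd."""
    t = text.lower()
    streak = 1
    for prev, cur in zip(t, t[1:]):
        same_class = any(prev in s and cur in s
                         for s in (string.digits, string.ascii_lowercase))
        streak = streak + 1 if same_class and ord(cur) - ord(prev) == 1 else 1
        if streak >= run:
            return True
    return False

def audit(username, password, full_name=""):
    """Return the reasons a username/password pair breaks the post's rules."""
    u, p = username.lower(), password.lower()
    reasons = []
    if (u, p) in KNOWN_BAD_PAIRS:
        reasons.append("known default pair")
    if u and u in p:
        reasons.append("password contains username")
    for part in full_name.lower().split():
        if len(part) >= 3 and part in p:
            reasons.append(f"password contains name part '{part}'")
    if has_sequence(p):
        reasons.append("sequential digits or letters")
    return reasons

# Constructed sample accounts (username, candidate password, owner's name).
SAMPLE_ACCOUNTS = [
    ("user", "password", ""),
    ("admin", "12345", ""),
    ("jsmith", "Smith2009", "John Smith"),
    ("ops", "T7(q#Lw&", ""),
]

def flag_weak(accounts):
    """Map each flagged username to its list of reasons."""
    results = {u: audit(u, p, name) for u, p, name in accounts}
    return {u: why for u, why in results.items() if why}

if __name__ == "__main__":
    for user, why in flag_weak(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(why)}")
```

An empty list from `audit` only means none of these specific rules fired; it says nothing about length or overall strength.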

So there you have it, a quick rundown of good security practice. You will notice that I haven’t even mentioned Firewalls and Anti Virus and Spyware checkers. The reason is that people will focus on these – very necessary – tools and forget about everything else.

Enjoy safer networking!
