Users poke holes in network security
Written by Christine Leonardi   
Tuesday, 03 June 2008 07:55


Idle hands and other major security threats

In the super-connected, complex world of business and Web 2.0, companies increasingly use server-based computer networks to create productive, knowledge-sharing work environments connecting people who instantly access and share internal and external information.

Burglar behind keyboard
Source: www.jonathanfields.com

These networks have the long-term potential to be great business assets. But, in the short term, they often become the bane of corporate life, powerful enough to bring any organisation to its knees.

No organisation’s network server is immune to the constant attacks from legions of hackers, worms, viruses and malicious software programmes, which compromise network security and ultimately jeopardise the future of organisations by exploiting security holes through software imperfections.

If left unchecked, these programmes suck the very lifeblood out of any enterprise.

In their haste to get their networks up and running, many companies don’t have the necessary security measures in place before the network goes live.

According to business information website All Business.com, these are the top network security mistakes made in business:

  • Users don’t use passwords
    Few people use the simplest form of security, password protection, correctly. Most users don’t use passwords, or use passwords like “password” or “admin”, which are easy to crack. This is an open invitation to unauthorised users to view sensitive data.
     
    All Business.com suggests using pass-phrases, which generally take the form of abbreviations or acronyms, instead of passwords.
     
    For example, "TQBFJOTLD" would be a simple pass-phrase that stands for "The quick brown fox jumps over the lazy dog." The phrase is resistant to dictionary attacks by programmes trying to gain unauthorised access to data using tens of thousands of English words as possible passwords.
     
    Pass-phrases, which should change periodically, are much more secure when they contain a mix of upper and lower-case characters, numbers and special characters.
     
  • Companies don’t educate users
    Uneducated computer users often open the security holes exploited by viruses, worms and spyware, designed to corrupt computer systems or leak personal information to unauthorised third parties.
     
    Educate people on the risks involved in downloading information from the Internet and opening e-mail attachments, especially from unknown senders.
     
  • Users are too lazy to make backup files
    Laziness is one of the biggest network security threats. Re-creating a crippled system is much more difficult than making proper data backups. Create backups often, but don’t overwrite them immediately with the next set of backup files. Keep copies of backup files off-site in case of an emergency.
     
  • Companies don’t invest in and install protection software
    Brand new computers are not made to plug and surf. So, before a phone line, Ethernet cable or wireless card goes anywhere near a new computer, first install a line of software defence.
     
    This should ideally include virus protection, multiple spyware scanners and a programme that prevents the installation of malicious software running in the background.
     
  • Users don’t update virus/spyware definitions
    It is crucial to update systems with the latest "virus/spyware definitions" on a weekly basis. Virus and spyware scanners can’t detect the latest malicious software if they are out of date.
     
  • Users don’t install security patches
    Since all software is imperfect, operating systems may have security holes. Once found, they are usually exploited within a very short period of time. It is therefore vital to install security patches as soon as possible.
     
  • Users don’t use encryption technology
    Encryption is especially important in online banking and credit card transactions. Storing and transferring unencrypted data is basically the same as posting the data for everyone to see. Companies that don’t know how to implement encryption technology should call in the services of an IT specialist.
     
  • Users blindly trust and click on “urgent system messages”
    Internet advertisements have become devious and deceptive. They appear as "urgent system messages" and warnings, which are designed to scare users into clicking on them. As a general rule, if a popup window contains an ad claiming to end popups, chances are it's a scam.
     
  • Companies try to manage everything in-house
    Setting up a network, applying proper security measures, and downloading and installing software can be tricky. While large companies have IT departments, it is worth the extra cost for small businesses to seek advice on or even employ someone to assist with managing day-to-day network challenges.
     
  • Users don’t receive proper security instruction
    Security measures are most effective if everyone is aware of how the system operates. Give employees a brief overview of the security threats and measures.
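
The pass-phrase advice in the first item above, as an added example that is not from the original article or All Business.com: it builds the acronym from a sentence, then checks a candidate against a word list and against the recommended character mix. The function names and the small word list are assumptions constructed for illustration.

```python
import string

# Constructed sample data: a tiny stand-in for the "tens of thousands of
# English words" a dictionary attack tries, plus the defaults the article names.
SAMPLE_WORDLIST = {"password", "admin", "quick", "brown", "fox", "lazy", "dog"}


def acronym(sentence):
    """Build a pass-phrase from the first letter of each word, as the article does."""
    words = sentence.replace(".", " ").split()
    return "".join(w[0].upper() for w in words if w[0].isalnum())


def missing_classes(candidate):
    """Return the recommended character classes that the candidate lacks."""
    classes = {
        "upper": string.ascii_uppercase,
        "lower": string.ascii_lowercase,
        "digit": string.digits,
        "special": string.punctuation,
    }
    return [name for name, chars in classes.items()
            if not any(c in chars for c in candidate)]


def review(candidate, wordlist=SAMPLE_WORDLIST):
    """Return a list of findings; an empty list means every check passed."""
    if not candidate:
        return ["empty: no password set"]
    findings = []
    # Dictionary check is case-insensitive, so "Admin" fails like "admin".
    if candidate.lower() in wordlist:
        findings.append("dictionary: appears in the word list")
    findings.extend("missing " + name for name in missing_classes(candidate))
    return findings


if __name__ == "__main__":
    article_example = acronym("The quick brown fox jumps over the lazy dog.")
    for cand in ["", "admin", article_example, "Tqbf9jot!LD"]:
        print(repr(cand), "->", review(cand) or "ok")
```

Run on the article's own example, `TQBFJOTLD` is absent from the word list but is reported as missing lower-case, digit and special characters, which is the gap the mixed-character recommendation closes.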

Business networking 101:

All Business.com says a peer-to-peer network is the most basic type of network where every computer is connected directly to every other computer. Every computer handles its own tasks, like connecting to the Internet, file sharing and sending and receiving e-mail messages.

Client-server networks connect all computers in the network to the server, which manages the network by fulfilling requests from individual computers. 

Computers in a client-server network run leaner and faster, because tasks, like connecting to the Internet, file sharing and sending and receiving of e-mail messages are outsourced to the server.

Instead of saving/storing files on individual computers, users store and share files on the server. Information sharing fosters collaboration, which means people working in teams work faster and smarter.

File access is controlled by setting user permission rights, which prevents certain users from accessing files containing confidential information.
 


Protecting network servers from attack

Using Excel spreadsheets is dangerous, says All Business.com. A recent CFO Research survey showed that 73% of companies still rely on spreadsheets, like Microsoft Excel, and manual planning, budgeting and forecasting processes.

The problem is that spreadsheet files are highly susceptible to virus infection, which can threaten data security and financial continuity.

One way of improving network security is to move away from spreadsheets and manual processes by opting for dedicated server-based analytical tools, instead. These tools enhance business performance, as well as mitigate risks associated with emailing or transferring virus-prone Excel spreadsheet files.

All Business.com says companies improve network security when they:

  • Use servers’ built-in security features
    If configuring your server's security settings is beyond the scope of your technical expertise, hire an expert to do it. The little bit extra paid towards securing your network is minuscule when compared to responding to and recovering from a hacked server.
     
  • Put up firewalls to control access
    Servers, at the very least, need software firewalls, which are sufficient for small networks. However, if the network is large or spread out, consider running a hardware firewall in conjunction with a server.
    Hardware firewalls control access to network computers from a single point, making it easier to monitor, and theoretically, more secure.
     
  • Install software patches for new threats
    When new viruses, worms or Trojan horses emerge, antivirus software developers issue software patches, or updates, that close the security hole that the malicious programme has exploited.
     
    If you're running an old version of a server operating system, your server could be vulnerable to attack. Not having the latest version of your server's software installed is the same as not being inoculated against eradicated diseases. There is a cure, but you didn’t feel like taking your medicine.
     
  • Give unrestricted server permissions and passwords to as few people as possible
    Use strong passwords, and keep them strictly confidential.
     
  • Consider the importance of physical security
    When it comes to servers, physical protection is just as important as password protection. It is essential to protect servers from the elements and criminals. To prevent flood and water leak damage to server computers, set them up on racks designed specifically for flood protection.
     
    Lock the server room when the server is not being used, and ensure that only employees who absolutely need access to the server room have keys.
     

Useful links:

Check out the “5 Rules for developing safe and sane password protocol for small businesses” 

SOURCENOTE: University of Pretoria’s Gordon Institute of Business Science; www.gibsreview.co.za
