Six enterprise security leaks you should plug now

Deal with these before it's too late

The Titanic was thought to be unsinkable, a testament to the engineering prowess of its day and the fact that luxury liners rarely collided with massive icebergs.

In modern enterprises, there's a similar perception of invulnerability. Yet, for every large organization that glides through the year without any mishaps, there are many stories about perilous break-ins, Wi-Fi sniffing snafus and incidents where Bluetooth sniper rifles were used to steal company secrets.

Here's a look at six security holes that are often wide open, even in companies that take great pride in their security precautions. We checked with security consultants to find out what you can do about them, before your enterprise ship hits a wall of ice.

1. Unauthorized smartphones on Wi-Fi networks

Smartphones create some of the greatest risks for enterprise security, mostly because they're so common and because some employees just can't resist using personal devices in the office -- even if their employers have well-established policies prohibiting their use.

"The danger is that cell phones are tri-homed devices -- Bluetooth, Wi-Fi and GSM wireless," says Robert Hansen, founder of the Internet security consulting firm SecTheory. Employees who use their personal smartphones at work "introduce a conduit that is vulnerable to potential attack points," he explains.

If you use a device like a smartphone that spans multiple wireless spectrums, "someone in a parking lot could use a Bluetooth sniper rifle that can read Bluetooth from a mile away, connect to a smartphone, then connect to a corporate wireless network," says Hansen, who is also known by his alias, RSnake. Bluetooth is the open portal that lets a hacker access Wi-Fi and therefore the corporate network.

Hansen says policies that simply disallow smartphones aren't likely to be effective -- employees will be too tempted to use their gadgets at work even if they're prohibited. Instead, he says IT should allow only approved devices to access the network. And that access should be based on MAC addresses, which are unique codes that are tied to specific devices -- making them more traceable.

Another tactic is to use network access control to make sure whoever is connecting is, in fact, authorized to connect. In an ideal world, companies should also separate guest access Wi-Fi networks from important corporate networks, says Hansen, even if having two wireless LANs means some redundancy and management overhead.

Another approach: Provide robust, company-sanctioned smartphones on popular platforms, such as Google's Android, and thereby dissuade employees from using nonsupported devices. By encouraging the use of approved phones, IT can focus on security precautions for a subset of devices instead of having to deal with numerous brands and platforms.

2. Open ports on a network printer

The office printer is another seemingly innocuous device that represents a security risk, although most companies are oblivious to the danger. Printers have become Wi-Fi-enabled over the past few years, and some even use 3G access and telephone lines for faxes. Some models do block access to certain ports on printers but, as Hansen says, if there are 200 blocked ports for printers at a large company, there might be another 1,000 ports that are wide open. Hackers can break into corporate networks through these ports. A more nefarious trick is to capture all printouts as a way to steal sensitive business information.

"One of the reasons you do not hear about it is because there is no effective way to shut them down," says Jay Valentine, a security expert. "We see access all the time via network ports in the electric utility industry, which is a major accident waiting to happen."

The best way to deal with this problem is to disable the wireless options on printers altogether. If that's not feasible, IT should make sure all ports are blocked for any unauthorized access, says Hansen. It's also important to use security management tools that monitor and report on open printer ports. One such tool is ActiveXperts Software's Active Monitor.
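An added example, not code from the article or from the monitoring product it names: a small Python audit that connect-checks each printer against a list of candidate TCP ports and reports anything open beyond an assumed baseline of print services (LPD, IPP and raw port 9100). The baseline, the candidate port list and the inventory addresses are assumptions for illustration; run it only against printers you administer.

```python
import socket
from typing import Dict, Iterable, List

# Services a print server legitimately needs (baseline assumed for this example; adjust to your fleet).
PRINTER_BASELINE = {515: "LPD", 631: "IPP", 9100: "raw/JetDirect"}

# TCP services often found listening on printers; only the baseline ones are expected to be open.
CANDIDATE_PORTS = [21, 22, 23, 80, 443, 515, 631, 8080, 9100]

def is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check; UDP services such as SNMP or mDNS need a different probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def scan_printer(host: str, ports: Iterable[int] = CANDIDATE_PORTS) -> List[int]:
    return [port for port in ports if is_open(host, port)]

def audit(open_ports: Dict[str, List[int]], baseline: Dict[int, str] = PRINTER_BASELINE) -> Dict[str, List[int]]:
    """Per printer, the open ports that fall outside the baseline (an empty list means clean)."""
    return {host: sorted(p for p in ports if p not in baseline) for host, ports in open_ports.items()}

def format_report(findings: Dict[str, List[int]]) -> List[str]:
    lines = []
    for host, ports in sorted(findings.items()):
        if ports:
            lines.append(f"{host}: unexpected open ports {', '.join(map(str, ports))}")
        else:
            lines.append(f"{host}: only baseline services open")
    return lines

if __name__ == "__main__":
    # Replace with your own printer inventory; these documentation-range addresses are placeholders.
    inventory = ["192.0.2.21", "192.0.2.22"]
    results = {host: scan_printer(host) for host in inventory}
    print("\n".join(format_report(audit(results))))
```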

3. Custom-developed Web applications with bad code

Just about every enterprise security professional lives in fear of holes created by sloppy programming. This can occur with custom-developed software as well as with commercial and open-source software. Hansen says one common trick is to tap into the xp_cmdshell routine on a server, which an inexperienced programmer or systems administrator might leave wide open for attack. Hackers who do that can gain full access to a database, which provides an entryway to data and a quick back door to networks.

Hansen says PHP routines on a Web server can also be ripe for attack. Small coding errors, such as improper safeguards when an application calls a remote file, give hackers a way to add their own embedded code. This can happen if a developer didn't restrict which files can be called based on a user's form input, or if a company blog uses a trackback feature to report on links back to its posts without first sanitizing the stored URLs to prevent unauthorized database queries.

The most obvious fix for this problem is to avoid software such as freely available PHP scripts, blog add-ons and other code that might be suspect. If such software is needed, security-monitoring tools can detect vulnerabilities even in small PHP scripts.
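An added example (not code from the article, and written in Python rather than PHP) showing the two mistakes Hansen describes beside their fixes: a page loader that takes the file name straight from form input versus one that only maps the form value onto an allow-list, and a trackback handler that splices the stored URL into SQL versus one that validates the URL and binds it as a parameter. The pages directory, table schema and allow-list are assumptions for illustration.

```python
import sqlite3
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

PAGES = Path("pages")  # hypothetical directory holding the server-side page fragments

# The first mistake: the form value is used as the file name itself.
def resolve_page_unsafe(page_param: str) -> Path:
    return PAGES / page_param  # a value like "../../etc/passwd" walks straight out of PAGES

# Hardened: the form value is only a key into a map the developer controls.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}

def resolve_page_safe(page_param: str) -> Optional[Path]:
    filename = ALLOWED_PAGES.get(page_param)
    return PAGES / filename if filename else None

def is_inside_pages(path: Path) -> bool:
    """True when the resolved path still lives under PAGES."""
    return PAGES.resolve() in path.resolve().parents

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # in-memory table standing in for the blog's database
    conn.execute("CREATE TABLE trackbacks (post_id INTEGER, url TEXT)")
    return conn

# The second mistake: the stored URL is spliced into the statement text, so its characters become SQL.
def store_trackback_unsafe(conn: sqlite3.Connection, post_id: int, url: str) -> None:
    conn.execute(f"INSERT INTO trackbacks (post_id, url) VALUES ({post_id}, '{url}')")

# Hardened: check the URL's shape, then bind it as a parameter so it is only ever data.
def store_trackback_safe(conn: sqlite3.Connection, post_id: int, url: str) -> None:
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"rejected trackback URL: {url!r}")
    conn.execute("INSERT INTO trackbacks (post_id, url) VALUES (?, ?)", (post_id, url))

def list_trackbacks(conn: sqlite3.Connection, post_id: int) -> list:
    return [row[0] for row in conn.execute("SELECT url FROM trackbacks WHERE post_id = ?", (post_id,))]
```

A URL containing a single quote is enough to break the string-built INSERT, while the bound version stores it unchanged.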

4. Social network spoofing

Facebook and Twitter users can be fooled into divulging sensitive information. Usually, these types of attacks are subtle and not necessarily traceable.

"People looking for jobs are often willing to divulge [personal] information," says Hansen, who says one of his clients told him about a hacker who used a fake e-mail address from a job-search Web site to pose as a recruiter. He declined to elaborate on this example to protect the client, but it illustrates what he calls the "confused deputy" scenario, where someone claiming to be, say, a recruiter contacts an employee, and the employee takes the caller at his word without asking to verify his credentials. Hansen says it's the same as getting an envelope in the mail -- just because the envelope has a certain return address doesn't mean that the contents actually came from that sender.

Companies should use e-mail verification systems that confirm the identity of a sender. These verifications send an e-mail back to the address to confirm the sender's credentials. Some states -- including Texas -- have made it illegal to impersonate someone by e-mail.

5. Employees downloading illegal movies and music

P2P networks just won't go away. In a large company, it's not uncommon to find employees using peer-to-peer systems to download illegal wares or setting up their own servers to distribute software.

"P2P networking should, as per policy, be completely blocked in every enterprise," says Winn Schwartau, CEO of The Security Awareness Company, a security training firm. "The P2P ports should be completely shut down at all perimeters and ideally at the company's endpoints. P2P programs can be stopped through white/black listings and filters on the enterprise servers."

Schwartau tells the story of a financial services firm in New York that had a P2P port running all day, every day in its office. Eventually, it was discovered and found to be a porn file server. Schwartau says the unfortunate truth about what he calls "criminal hacking" is that the thieves are usually drawn to nefarious activities, so one of the first places they might look is a P2P server and any potential security holes.

"Injecting hostile code into P2P files is [not difficult] and can create a beachhead within an organization, depending upon the code design," he says. He suggests a technique called "resource isolation," which essentially controls which applications users are allowed to access based on permission rights. Different operating systems do that in slightly different ways, Schwartau says, but it's worth pursuing in situations where a corporate policy is lacking or isn't followed.

Schwartau encourages IT shops to conduct regular sweeps of all company networks and servers to look for P2P activity and to be vigilant about blocking any P2P activity.
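An added example, not from the article: a Python sweep over constructed firewall flow records that flags internal hosts connecting to the default BitTorrent port range or fanning out to many distinct external peers on high ports, the swarm pattern a P2P client produces. The record format, the thresholds and the address ranges are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges treated as "inside"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
P2P_PORTS = set(range(6881, 6890))  # default BitTorrent listening range, 6881-6889
FANOUT_THRESHOLD = 20               # distinct external peers on high ports before a host is flagged

# Record shape of the flow export, constructed for this example: "src=IP:PORT dst=IP:PORT proto=..."
LINE_RE = re.compile(r"src=(?P<sip>[\d.]+):\d+ dst=(?P<dip>[\d.]+):(?P<dport>\d+) proto=\w+")

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def sweep(log_text: str) -> dict:
    """Return internal hosts showing P2P indicators, mapped to the reasons they were flagged."""
    reasons = defaultdict(set)
    peers = defaultdict(set)  # internal host -> distinct external IPs contacted on ports above 1024
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sip, dip, dport = m["sip"], m["dip"], int(m["dport"])
        if not is_internal(sip) or is_internal(dip):
            continue  # only outbound connections from inside hosts matter for this sweep
        if dport in P2P_PORTS:
            reasons[sip].add(f"connection to known P2P port {dport}")
        if dport > 1024:
            peers[sip].add(dip)
    # Swarm behaviour: one host talking to many different peers on assorted high ports.
    for host, ips in peers.items():
        if len(ips) >= FANOUT_THRESHOLD:
            reasons[host].add(f"high fan-out: {len(ips)} distinct external peers on ports above 1024")
    return {host: sorted(why) for host, why in reasons.items()}

def constructed_log() -> str:
    """Flow records made up for this example; the addresses are documentation ranges, not real hosts."""
    lines = [
        "2024-05-01T10:00:01 src=10.1.5.23:51234 dst=203.0.113.9:6881 proto=tcp",  # default torrent port
        "2024-05-01T10:00:02 src=10.1.7.8:44100 dst=192.0.2.10:443 proto=tcp",     # ordinary HTTPS
        "2024-05-01T10:00:03 src=10.1.7.8:44101 dst=192.0.2.11:443 proto=tcp",
    ]
    # One host in a swarm: 25 different external peers, each on a different high port.
    lines += [f"2024-05-01T10:01:{i:02d} src=10.1.5.40:5{i:04d} dst=198.51.100.{i}:{30000 + 37 * i} proto=tcp"
              for i in range(1, 26)]
    return "\n".join(lines)
```

A host behind a NAT or a busy update mirror can trip the fan-out heuristic, so treat hits as leads for the sweeps Schwartau recommends rather than verdicts.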

6. SMS text messaging spoofs and malware infections

Another potential attack vector: text messaging on smartphones. Hackers can use SMS text messages to contact employees in direct attempts to get them to divulge sensitive information like network log-in credentials and business intelligence, but they can also use text messages to install malware on a phone.

"In our proof-of-concept work, we showed how a rootkit could turn on a phone's microphone without the owner knowing it happened," says Schwartau. "An attacker can send an invisible text message to the infected phone telling it to place a call and turn on the microphone." That would be an effective tactic if, for example, the phone's owner was in a meeting and the attacker wanted to eavesdrop, he notes.

Schwartau says there are ways to filter SMS activity, but that's usually done through the wireless carrier, since SMS isn't IP-based and therefore isn't usually controlled by company admins. The best option for blocking such attacks is to work with carriers to make sure that they're using malware-blocking software, SMS filters and redirects for those kinds of attacks.

And again, creating smartphone usage policies that encourage or require the use of only company-sanctioned or company-provided phones and service plans can reduce that risk.

Of course, companies can't thwart every possible security attack with current technology, and hackers are constantly switching tactics. You should try to plug these six security leaks and work to ensure that they stay plugged -- but you should also keep an eye out for new forms of malicious activity.

John Brandon is a veteran of the computing industry, having worked as an IT manager for 10 years and as a tech journalist for another 10. He has written more than 2,500 feature articles and is a regular contributor to Computerworld.
