Don’t look now, but you’ve been hacked!

Most home and business offices now have a firewall separating their internal computer network from the wild west of the worldwide Internet. The good news is that firewalls have become increasingly sophisticated, and properly configured they can do an excellent job of protecting internal devices on the computer network. Modern firewalls now include intrusion detection and prevention, email spam filtering, and website blocking, and most can generate reports on who did what and when. Not only do they block bad guys from outside your network, they also keep internal users from accessing inappropriate resources on the outside Internet. Employees can be blocked from visiting sites that could rob your business of valuable productivity time or violate security compliance requirements. Business hours really aren’t the time to update your Facebook page! We also don’t want our medical and financial services people using an instant messaging service to chat with a stranger!

The firewall is the electronic equivalent of the “front door” to your computer network, and there is an endless parade of potential evildoers spray-painting your doors and windows, tirelessly searching for a way in. A properly configured, managed and regularly updated firewall can be very effective in protecting your computer network, both in the office and at home. Behind the firewall, desktop computers and office servers should have local software-based firewalls installed that also provide virus protection. Hopefully, if something does get past the firewall, in-house antivirus and desktop firewall solutions will provide an additional level of security.

Firewalls are reasonable and appropriate, but here’s the bad news. Most of the hacking you now hear about and read about is not being done by bad guys breaking through your firewall! The real damage is done by those within your network! Malicious users and dishonest employees will always be a threat. There is always the unscrupulous employee who swipes credit card details or passes along security information for money. However, the real danger comes from users who are simply unaware of today’s highly sophisticated security vulnerabilities. The most honest employee can inadvertently become the source of a major security breach resulting in the loss of their own personal data or the personal and financial data of their customers.

Take your average laptop user as a perfect example. How many times have you gone to Starbucks and set up shop? Beautiful day, fresh air, sun, and a high-speed Internet connection, cordless phone, and business as usual! If I told you how easy it is to set up a “man in the middle” attack at Starbucks, you’d give up coffee for the rest of your life. You think you’re on Starbucks WiFi, but actually that kid in the back of the Starbucks with the wireless access point plugged into his USB jack has tricked you into thinking he’s your gateway to the Internet. He has been monitoring every keystroke on your laptop since you logged in. In fact, he now has your login, password, and just about everything else on your computer. Now when you get back to the office and log in, you’ve just released a bot on the company network, and he’ll be back later tonight!

If laptops weren’t enough, now everyone walks around with a smartphone! Did you know that your smartphone keeps a list of all the WiFi networks that you have used recently? Remember when you were at Starbucks checking your email while you waited for that cup of coffee? Now, wherever you go, your phone sends out a beacon request that sounds like “Starbucks WiFi, are you there?” hoping it will get a response and automatically connect you to the Internet. Do you remember the kid we were talking about? He decided to respond to your beacon request with “yes, here I am, hop on!” Just another “MITM” attack, and imagine what it can do to your smartphone, especially those Androids that make your laptop look like Fort Knox!
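A defender can check which remembered networks expose a device to this. The following is an added example, not part of the original article: it audits saved WiFi profiles, assuming a Linux laptop that stores them in NetworkManager keyfile format, and flags open networks that rejoin automatically and hidden networks the device asks for by name. The sample profiles and finding labels are constructed for illustration.

```python
import configparser

# Constructed saved-network profiles in NetworkManager keyfile format.
SAMPLE_PROFILES = {
    "CoffeeShop-Guest": "[connection]\ntype=wifi\n[wifi]\nssid=CoffeeShop-Guest\n",
    "Office": "[connection]\ntype=wifi\n[wifi]\nssid=Office\nhidden=true\n"
              "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "Airport-Free": "[connection]\ntype=wifi\nautoconnect=false\n"
                    "[wifi]\nssid=Airport-Free\n",
}


def audit_profile(text):
    """Return finding labels (hypothetical names) for one saved profile."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    if cfg.get("connection", "type", fallback="") != "wifi":
        return []
    findings = []
    # autoconnect defaults to true when the key is absent.
    auto = cfg.getboolean("connection", "autoconnect", fallback=True)
    # No key-mgmt setting means the network is open: nothing authenticates
    # the access point, so anything answering to that name is accepted.
    is_open = cfg.get("wifi-security", "key-mgmt", fallback=None) is None
    if is_open and auto:
        findings.append("open-autoconnect")
    # Hidden networks are found by actively asking for the name,
    # which discloses the name wherever the device goes.
    if cfg.getboolean("wifi", "hidden", fallback=False):
        findings.append("probes-ssid")
    return findings


def audit_all(profiles):
    """Map each profile name to its list of findings."""
    return {name: audit_profile(text) for name, text in profiles.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PROFILES).items():
        print(name, findings or "ok")
```

On a real system the profiles live under `/etc/NetworkManager/system-connections/` and need root to read; profiles flagged `open-autoconnect` are the ones to forget or set to manual connection.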

Sometimes, for fun and entertainment, while sitting at the gate of an airport lounge, I scan the WiFi network to identify how many phones, computers, and iPads are online and connected. I’m not saying I would do this, but I think you could run a NetBIOS attack in less than five minutes. It’s amazing how many people leave their printer and network sharing options enabled when they travel. Even more people leave their “Network Neighborhood” settings at the defaults! The exercise is always the same: map the network to see which hosts are connected, port scan for known vulnerabilities, bring out the exploit toolkit, and the rest is getting relatively boring for the ethical hacker. Now credit card thieves on the other hand…

Your Internet browser is most likely your worst enemy when it comes to protecting your privacy. Hundreds of companies track every website you visit, every email you send, and every link you follow. Don’t believe me? If you are using Firefox, install an add-on extension called DoNotTrackMe and see what happens. Assuming you’re an average Internet surfer, in less than 72 hours you’ll have a list of over 100 companies that have been tracking your every move on the Internet. These companies do not work for the NSA, but they sell your “digital profile” to those who are willing to pay for the information. Where has your GPS been? What sites you visited, what movies you watched, what products you bought, what search terms you selected – all duly reported by you and your unsuspecting employees. Ever wonder if your competitors want to know what you’re looking at online?

Voice over IP phone systems offer a whole new range of vulnerabilities waiting to be exploited by the unscrupulous criminal! We recently showed a client law firm (as a paid consultant in intrusion detection and penetration testing and with the client’s permission) how easy it is to covertly turn on a speakerphone in a conference room and broadcast the entire conference to a remote observer over the Internet! In fact, capturing voice packets for playback is the first trick script kiddies learn in hacking school.

VoIP, Bluetooth, Wi-Fi, GPS, RFID, file and printer sharing, and even the “cloud” add up to a list of vulnerabilities that can be easily exploited. What can you do? You should educate yourself and develop your own “best practices” for secure computing. You need to educate your employees and co-workers about the various vulnerabilities we all face every day as we become more “connected” and more mobile. Hire a competent computer network security professional to perform “penetration testing” on your corporate network and firewall. It would be better to pay a professional to “hack” it than to pay to have it fixed after it’s been hacked! Remember that if we can touch your network, we will own your network!
