e-academy – IT training excellence in Cardiff, Newport, Bristol and South Wales

You can never be too secure

Security is becoming one of the most important parts of an organisation's IT strategy. We take a look at just a few of the ways in which you may be exposed.

15 December 2011

It's an almost impossible job to pen an article about top security issues, for a couple of reasons. First, let's face it, there are just too many of them. Second, what exactly constitutes a 'top issue'? If your security is compromised by what many think is a trivial issue, then in your eyes it's quickly become the top issue.

You are the weakest link

But if there's one universally agreed weak spot in almost any security scenario, it's humans. We're unpredictable. We do daft things. We do malicious things. Our agendas can change. We're forgetful. So, despite being told otherwise, many of us use the same password for every system we access - the password is seldom changed, if ever, and it's often laughably easy to crack. Yes, like 'password' or perhaps your wife's name. We also tell others our passwords, write down our passwords and leave ourselves logged into systems when we should log out.

And that's just the system - the data within the system can be even harder to secure. Perhaps you're taking some data home to work on it - on an easily lost, unsecured USB stick. Or accessing office networks from an Internet café. Or you have data replicated on your laptop - which is, of course, attractive and easy to steal.

Then there's the added layer of malice, the disgruntled employee who can down entire systems easily by simply deleting data to which he/she previously had trusted access.

For this reason, many security attacks focus on the user, not the technology. It can be far easier to pretend to be a trusted person, then ask a few probing questions of a user, than it is to hack a secure system. And yes, people do answer questions such as, "I need to confirm who you are - what's your mother's maiden name?" - which is one of the most common 'security questions' imposed by many 'secure' systems. With just that and an e-mail address (usually easily guessed or found) it's easy to access many online services or corporate networks.

Website security

Websites are often an organisation's most public-facing technology - frequently with many points of data access, which are usually protected only by a user name and password. These are only as secure as the person who created them - so it's wrong to assume that a technically secure system is a secure system. Using only simple Web forms, critical data can be accessed - or data can be poisoned (good data overwritten by bad), which can be hard to detect and impossible to fix if it's not spotted for months.

SQL injection is used to attack websites backed by SQL databases such as SQL Server or MySQL - SQL statements are added to Web form fields, or to the URL string, and end up performing what should be restricted activities on the database itself. This can include downloading all of the data in its entirety. This is a common method of attack and needs serious consideration for e-business applications - though, with some care, it can be prevented.
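To make the mechanism concrete, here is an added example (not code from the article or from e-academy) that builds a small in-memory SQLite table and runs the same lookup two ways: once by pasting the form value into the SQL text, and once as a parameterised query. The table, the rows and the crafted form value are all constructed for the illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for a site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hash-a"), ("bob", "bob@example.com", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The form value is concatenated straight into the SQL text, so the
    # database cannot tell data from code: a crafted value rewrites the WHERE
    # clause and the query returns rows the user should never see.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the value travels separately from the statement,
    # so whatever was typed into the form is only ever compared as a string.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Returns the four outcomes side by side so the difference is visible.
    conn = make_db()
    normal = "alice"
    crafted = "' OR '1'='1"  # the classic textbook form value, constructed here
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns every row for the crafted value; the parameterised one returns nothing, because the value is compared as a literal string rather than interpreted as SQL. The same placeholder mechanism exists in every mainstream database driver, so there is no reason for a web form to build SQL by string concatenation.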

Many websites allow almost any type of file to be uploaded - let's say, for a form where a document upload is required. You might expect the file to be a .doc or .pdf, but has your website team catered for the scenario where the file is an executable? So what? Well, if your website system places that file in a guessable location, it can be executed remotely without a great deal of effort - a URL can be used to do this.
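The following added example (not from the article or e-academy) shows the checks a document-upload handler should make before it keeps anything: an allow-list of extensions, a size limit, a check that the file's leading bytes match the declared type, and a random storage name in a directory outside the web root. The allowed types, the upload directory path and the sample file contents are assumptions made for the illustration.

```python
import os
import secrets

# Allowed document types and the leading bytes each must start with
# (constructed allow-list; extend it only with types the form actually needs).
ALLOWED = {
    ".pdf": [b"%PDF-"],
    ".doc": [b"\xd0\xcf\x11\xe0"],  # legacy OLE2 container
    ".docx": [b"PK\x03\x04"],       # zip container used by Office Open XML
}
MAX_BYTES = 5 * 1024 * 1024

# Assumed location outside the document root, so a stored file can never be
# requested (let alone executed) simply by typing a URL.
UPLOAD_DIR = "/var/app/uploads"


def validate_upload(filename, data):
    """Return the normalised extension if the upload is acceptable, else raise ValueError."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    # Only the extension of the basename counts, so a name carrying a path
    # or a double extension cannot smuggle anything past the allow-list.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: %r" % ext)
    # The declared type must match the content: an executable renamed to
    # .pdf fails here even though its extension passed.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    return ext


def is_acceptable(filename, data):
    # Boolean wrapper for callers that only need a yes/no answer.
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def stored_name(ext):
    # Random, non-guessable name; the user-supplied filename is never reused.
    return secrets.token_hex(16) + ext


def save_upload(filename, data, upload_dir=UPLOAD_DIR):
    ext = validate_upload(filename, data)
    name = stored_name(ext)
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "xb") as f:  # exclusive create, never overwrite
        f.write(data)
    return name


if __name__ == "__main__":
    # Constructed sample inputs: a real-looking PDF header and a Windows
    # executable header ("MZ") that has merely been renamed to .pdf.
    print(is_acceptable("report.pdf", b"%PDF-1.4 constructed sample"))
    print(is_acceptable("report.pdf", b"MZ\x90\x00 constructed sample"))
    print(is_acceptable("shell.php", b"<?php constructed sample ?>"))
```

Even with these checks in place, the web server should also be configured so that nothing in the upload directory is ever treated as a script; the random name and out-of-root location are there so that a mistake in one layer is not immediately exploitable through the other.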

Some third-party services can introduce a security issue - or be the security gap that outsiders are seeking. We saw this week a website service which places a button on a website for users to add in information, connecting the service with the company hosting the website. It's slick and seamless - but it places the recipient's e-mail address, unencrypted, within the HTML of the Web page. This is a fairly trivial piece of information out of context, but knowing that this e-mail address is used to pass information to a specific system provides a route to that data - where only an easily guessable password might stand between the hacker and the information.

Some newer website technologies don't have proven security - or can be insecure when implemented in many common ways. We're all used to interactive websites which use various forms of JavaScript, for instance. An increasingly common one is JSON (JavaScript Object Notation), which is used for data interchange. A key problem is that these mechanisms hand control of a Web page (or part of one) to an outside source automatically - the code of the outside source service could be doing practically anything.

Like JSON, AJAX is popular on the Web. It's also not inherently insecure but can create security issues if implemented without care. Because AJAX code runs on the client side, in the browser, it can be reverse engineered without too much trouble - so it's not hard to work out what it does. It can also be run locally, allowing hackers to easily test what a script does before modifying it with confidence. The lesson here is to implement security controls on the server itself, and to back any client-side checks with server-side ones.
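The point about putting the controls on the server is easiest to see with a request handler. The added example below (not from the article or e-academy) is a hypothetical server-side "place order" endpoint called by the page's AJAX code. One version trusts the price, user and discount flag the browser sent; the other takes identity from the server-side session and the price from the server's own catalogue, and re-validates every field even though the page's JavaScript already did. The catalogue, sessions and request payloads are constructed for the illustration.

```python
# Constructed server-side state: prices in pence, and the sessions the server
# itself issued at login. Nothing here is ever taken from the browser.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "customer"},
    "sess-carol": {"user": "carol", "role": "admin"},
}


def place_order_trusting_client(session_id, payload):
    # Insecure: believes whatever the client-side script sent. Anyone who has
    # read that script can replay the call with an altered price or flag.
    return {
        "user": payload["user"],
        "sku": payload["sku"],
        "total": payload["price"] * payload["qty"],
        "discount_applied": payload.get("is_admin", False),
    }


def place_order(session_id, payload):
    # Secure: identity comes from the session cookie the server issued, the
    # price from the catalogue, and the client-visible fields are checked again.
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("not logged in")
    sku = payload.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = payload.get("qty")
    if not isinstance(qty, int) or not 1 <= qty <= 100:
        raise ValueError("bad quantity")
    return {
        "user": session["user"],
        "sku": sku,
        "total": CATALOGUE[sku] * qty,
        "discount_applied": session["role"] == "admin",
    }


def handle_request(session_id, payload):
    # Thin HTTP-style wrapper: a ("ok", result) or ("error", message) pair,
    # so a client never sees a stack trace.
    try:
        return ("ok", place_order(session_id, payload))
    except PermissionError as e:
        return ("error", "forbidden: %s" % e)
    except ValueError as e:
        return ("error", "bad request: %s" % e)


# Constructed request: the browser's script was edited to send a price of 1p,
# somebody else's user name and an admin flag, over an ordinary customer session.
TAMPERED = {"user": "carol", "sku": "sku-100", "price": 1, "qty": 2, "is_admin": True}

if __name__ == "__main__":
    print(place_order_trusting_client("sess-alice", TAMPERED))
    print(handle_request("sess-alice", TAMPERED))
    print(handle_request("no-such-session", TAMPERED))
```

The trusting handler produces an order for "carol" at 2p with a discount; the server-side version charges the catalogue price to the session's actual user, ignores the flag, and rejects the call outright when there is no valid session. Client-side validation still has a place for usability, but nothing the browser sends can be treated as a decision the server has already made.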

Mobile devices

Today's mobile workforce also accesses data from smart phones and tablets - introducing another series of security challenges. Many phones contain shortcuts to Internet banks, office WANs and so on; without a password (or with a weak one) all of these are easy to access. These mobile devices change the entire nature of an organisation's security perimeter and need careful consideration when deploying them. It's not wise to rely on the security within the devices themselves (although these should be used, of course) - stronger security also needs to be implemented within the systems to which they provide access. Third-party mobile applications, which may seem to offer convenient power, could actually represent a security risk which is difficult to evaluate.

Cloud computing

Cloud computing brings with it a whole new series of security risks - while also carrying over many from non-cloud systems. The hard reality is that there are no guaranteed 100% secure systems. None. Most systems which have been hacked were once thought secure. So, organisations have to prepare for that eventuality in many ways - encrypting stored data, for example, so it's useless (or difficult to make use of) if accessed. Even trusted big players have had security issues. Cloud services rely on local computers accessing remote information - which makes them all the more in need of securing, since a cloud service by its very nature expects requests from the outside.

Just scratching the surface

Worryingly, these issues just scratch the surface of what's possible. The sheer range and complexity of security issues make it a difficult field to keep up with - but the potential losses from a breach make security a non-optional part of any IT strategy.

e-academy provides a range of security training courses - including Microsoft security training and training for the rigorous ISO 27001. If you're unsure of which course might be best for you, please just give us a call on 0845 650 6500 - we'll be happy to help.