Six Leaks to Plug Right Now

Even companies with great security may have left these holes open.

Just as the Titanic was thought to be unsinkable, many of today's enterprises think of themselves as invulnerable. Yet, for every large organization that glides through the year without any mishaps, there are many others that suffer break-ins, Wi-Fi sniffing snafus and incidents where Bluetooth "sniper rifles" are used to steal company secrets.

Security consultants have identified six holes that are often wide open in corporate IT systems, even at companies that take great pride in their security precautions.

1. Unauthorized Smartphones on Wi-Fi Networks

Smartphones create some of the greatest risks for enterprise security, mostly because they're so common and because some employees just can't resist using personal devices in the office -- even if their employers have well-established policies prohibiting their use.

"The danger is that cell phones are tri-homed devices -- Bluetooth, Wi-Fi and GSM wireless," says Robert Hansen, founder of Internet security consulting firm SecTheory LLC. Employees who use their personal smartphones at work "introduce a conduit that is vulnerable to potential attack," he explains.

If you use a device like a smartphone that spans multiple wireless spectrums, "someone in a parking lot could use a Bluetooth sniper rifle that can read Bluetooth from a mile away, connect to a smartphone, then connect to a corporate wireless network," says Hansen, who is also known by the alias RSnake. Bluetooth thus becomes an open portal that allows hackers to access Wi-Fi and therefore the corporate network.

Hansen says adopting a policy that simply prohibits personal smartphones isn't likely to be effective -- employees will still be tempted to use their gadgets. Instead, he says, IT should allow only approved devices to access the network. And that access should be based on MAC addresses, which are unique codes that are tied to specific devices, making them more traceable.

Another tactic is to use network access control to make sure whoever is connecting is, in fact, authorized to connect. In an ideal world, companies should also separate guest access Wi-Fi networks from important corporate networks, says Hansen, even if having two wireless LANs requires redundant systems and added overhead.

Another approach: Provide robust, company-sanctioned smartphones on popular platforms, such as Google's Android, thereby dissuading employees from using nonsupported devices. By encouraging the use of approved phones, IT can focus on security precautions for a subset of devices instead of having to deal with numerous brands and platforms.

2. Open Ports on a Network Printer

The office printer is another seemingly innocuous device that represents a security risk, although most companies are oblivious to the danger. Printers have had telephone lines for faxes for several years, and some are now Wi-Fi-enabled or support 3G wireless connectivity. Some companies do block access to certain ports on printers, but as Hansen says, if there are 200 blocked ports for printers at a large company, there might be another 1,000 ports that are wide open. Hackers can break into corporate networks through these ports. A more nefarious trick is to capture images of all printouts in order to steal sensitive business information.

"One of the reasons you do not hear about it is because there is no effective way to shut them down," says Jay Valentine, an independent security expert. "We see access all the time via network ports in the electric utility industry, which is a major accident waiting to happen."

The best way to deal with this problem is to disable the wireless options on printers altogether. If that's not feasible, IT should make sure all ports are blocked for any unauthorized access, says Hansen. It's also important to use security management tools that monitor and report on open printer ports. One such tool is the network monitor from ActiveXperts Software BV.
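As an added illustration of the "monitor and report on open printer ports" advice (this is example code written for this page, not a tool from ActiveXperts or anything the consultants quoted provided), the script below takes a per-printer list of open TCP ports, as any port scanner would report them, and flags every port that is not on an approved baseline. The baseline of LPD, IPP and raw port 9100, the printer names and the scan results are all constructed assumptions; `scan_host` is included so the same audit can be run against real hosts instead of the embedded sample.

```python
import socket

# Assumption: the only TCP ports a print-only device should answer on.
# 515 = LPD, 631 = IPP, 9100 = raw/JetDirect. Adjust to your own fleet.
APPROVED_PRINTER_PORTS = {515, 631, 9100}

# Constructed sample scan results (not from the article): host -> open TCP ports.
SAMPLE_SCAN = {
    "printer-lobby":   {515, 631, 9100},
    "printer-finance": {21, 23, 80, 515, 631, 9100},  # FTP, Telnet and HTTP left open
    "printer-hr":      {23, 9100},                    # Telnet open, IPP/LPD disabled
}


def scan_host(host, ports, timeout=0.5):
    """Live check: return the subset of `ports` that accept a TCP connection on `host`.

    Only for use against devices you administer; the offline audit below uses SAMPLE_SCAN.
    """
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def audit(scan_results, approved=APPROVED_PRINTER_PORTS):
    """Map each printer to the sorted list of open ports that are not on the approved baseline.

    Printers with nothing unexpected are omitted, so an empty dict means the fleet is clean.
    """
    findings = {}
    for host, open_ports in scan_results.items():
        unexpected = set(open_ports) - set(approved)
        if unexpected:
            findings[host] = sorted(unexpected)
    return findings


def report(findings):
    """Render audit findings as one line per printer, sorted by host name."""
    return [
        f"{host}: unexpected open ports {', '.join(str(p) for p in ports)}"
        for host, ports in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in report(audit(SAMPLE_SCAN)):
        print(line)
```

Running the audit on a schedule and diffing its output against the previous run turns a one-off scan into the ongoing monitoring the text recommends; a printer that suddenly reports a new open port is the event worth investigating.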

3. Custom Web Applications With Bad Code

Just about every enterprise security professional lives in fear of holes created by sloppy programming. This can occur with custom-developed applications and with commercial and open-source software. Hansen says one common trick is to tap into the xp_cmdshell routine on a server, which an inexperienced programmer or systems administrator might leave wide open for attack. Hackers can use that opening to gain full access to a database, which provides an entryway to data and a quick back door to networks.

Hansen says PHP routines on a Web server can also be ripe for attack. Small coding errors, such as a failure to use proper safeguards when calling a remote file from an application, provide a way for hackers to add their own embedded code. A company can also be open to attack if it has a blog with a trackback feature (to report on links to its posts) but doesn't sanitize stored URLs to prevent unauthorized database queries.

Of course, the obvious fix to this problem is to avoid using freebie PHP scripts, blog add-ons and other code that might be suspect. If such software is needed, security monitoring tools can detect vulnerabilities even in small PHP scripts.
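To make the trackback example concrete, here is an added illustration, written for this page rather than taken from the article or from any blog software: a trackback endpoint that checks whether it has already stored a submitted URL. The first version pastes the URL into the SQL text, which is exactly the "doesn't sanitize stored URLs" mistake, so a URL carrying a quote and an OR clause turns a lookup for one row into a match on every row. The second version validates the URL and binds it as a parameter, so the same input is treated as data. The table layout, the sample URLs and the hostile input are all constructed assumptions; the example uses Python's sqlite3 module rather than PHP because the point is the query, not the language.

```python
import sqlite3
from urllib.parse import urlparse

# Constructed sample data (not from the article): two ordinary trackback URLs already
# stored for a post, and one hostile URL whose path contains a quote and an OR clause.
GOOD_URLS = ["https://example.org/blog/reply", "http://example.net/a-link"]
HOSTILE_URL = "http://example.com/' OR '1'='1"


def make_db():
    """Create an in-memory trackback table seeded with the two legitimate URLs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trackbacks (post_id TEXT NOT NULL, url TEXT NOT NULL)")
    for url in GOOD_URLS:
        conn.execute("INSERT INTO trackbacks VALUES (?, ?)", ("post-1", url))
    conn.commit()
    return conn


def trackback_seen_unsafe(conn, url):
    """The bad code: the submitted URL becomes part of the SQL statement itself."""
    sql = "SELECT COUNT(*) FROM trackbacks WHERE url = '" + url + "'"
    return conn.execute(sql).fetchone()[0] > 0


def valid_trackback_url(url):
    """Accept only absolute http(s) URLs with a host; everything else is refused up front."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def trackback_seen_safe(conn, url):
    """The fix: validate the input, then bind it with a placeholder so it cannot alter the query."""
    if not valid_trackback_url(url):
        raise ValueError("rejected trackback URL")
    row = conn.execute("SELECT COUNT(*) FROM trackbacks WHERE url = ?", (url,)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    # The hostile URL is not stored, yet the unsafe check reports it as seen because the
    # injected OR clause matches every row; the safe check reports it correctly as new.
    print("unsafe:", trackback_seen_unsafe(db, HOSTILE_URL))  # True (wrong)
    print("safe:  ", trackback_seen_safe(db, HOSTILE_URL))    # False (correct)
```

Note that the hostile URL passes `valid_trackback_url`, since a quote is legal in a URL path; validation narrows the input, but only the bound parameter guarantees that whatever survives validation is never interpreted as SQL. A scanner that flags string concatenation into query text will catch the first version in a script of any size, which is the kind of monitoring the paragraph above recommends.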

4. Social Network Spoofing

Facebook and Twitter users can be fooled into divulging sensitive information. Usually, these types of attacks are subtle and not easily traced.

"People looking for jobs are often willing to divulge [personal] information," notes Hansen, who says one of his clients told him about a hacker who used a fake e-mail address from a job-search Web site to pose as a recruiter. He declined to elaborate on this example to protect his client, but it's an example of what he calls the "confused deputy" scenario, where someone claiming to be, say, a recruiter for Monster.com contacts an employee, and the employee believes that the caller is, in fact, a Monster.com recruiter and doesn't attempt to verify his credentials. Hansen says the same thing can happen with postal mail -- just because the envelope has a certain return address, that doesn't mean it actually came from that sender.

Companies should use e-mail verification systems that validate senders' identities by generating return messages that ask senders to confirm their credentials. Some states have made it illegal to impersonate someone by e-mail.

5. Employees Downloading Illegal Movies and Music

P2P networks just won't go away. In a large company, it's not uncommon to find employees using peer-to-peer systems to download pirated files or setting up their own servers to distribute software.

"P2P networking should, as per policy, be completely blocked in every enterprise," says Winn Schwartau, CEO of The Security Awareness Company, a security training firm. "The P2P ports should be completely shut down at all perimeters and ideally at the company's endpoints. P2P programs can be stopped through [whitelists or blacklists] and filters on the enterprise servers."

Schwartau tells the story of a financial services firm in New York that discovered a P2P port that was running all day, every day, in its office. It turned out to be a porn file server -- exactly the kind of P2P server that criminal hackers like to exploit, he says.

"Injecting hostile code into P2P files is [not difficult] and can create a beachhead within an organization, depending upon the code design," Schwartau says. He suggests a technique called "resource isolation" that controls which applications users are allowed to access based on permission rights. Different operating systems do that in slightly different ways, Schwartau says, but it's worth pursuing in situations where corporate policy is lacking or isn't followed.

Schwartau encourages IT shops to conduct regular sweeps of all company networks and servers to look for P2P activity and to be vigilant about blocking any P2P activity.

6. SMS Spoofs and Malware Infections

Another potential attack vector: text messaging on smartphones. Hackers can use SMS text messages to contact employees in direct attempts to get them to divulge sensitive information like network log-in credentials and business intelligence, but they can also use text messages to install malware on a phone.

"In our proof-of-concept work, we showed how a rootkit could turn on a phone's microphone without the owner knowing it happened," says Schwartau. "An attacker can send an invisible text message to the infected phone telling it to place a call and turn on the microphone." That would be an effective tactic if, for example, the phone's owner were in a meeting and the attacker wanted to eavesdrop, he notes.

Schwartau says it's possible to filter SMS activity, but that's usually handled by the wireless carrier because SMS isn't IP-based and therefore isn't usually controlled by company administrators. The best option is to work with carriers to make sure that they're using malware-blocking software and SMS filters to prevent those kinds of attacks.

Again, creating smartphone usage policies that encourage or require the use of only company-sanctioned or company-provided phones and service plans can reduce the risk.

Of course, companies can't thwart every possible attack, and hackers are constantly switching tactics. But you should take steps to plug these six security leaks -- and then try to keep them plugged -- and be on the lookout for new forms of malicious activity.

Brandon worked as an IT manager for 10 years and has been a tech journalist for another 10.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Copyright © 2011 IDG Communications, Inc.
