We got hacked!

As you might imagine – and would probably hope – the technical team here at OutSource IT are some of the biggest security Nazis you could ever meet. No port goes unblocked and no interface is left unprotected. We even have a layer of protection protecting our protection systems. We simply have to: we’re not only securing our own data, but we have the CloudSource data centre whirring away next to us, and there are over 100 servers in there that are very precious to the folk who run their businesses on them. Backups, firewalls and anti-virus systems are all in place, all best-practice and solid.

Security and productivity in conflict.

We preach this same practice to our clients. However, sometimes the ideal security measures are counter-productive and put impediments in the way of people doing their daily tasks. An example of this was a recent security audit by an external specialist which took place at one of our clients – their board wanted to verify that we were doing everything possible to secure their sensitive data, as they are a public-facing organisation with dozens of staff out and about using laptops. One of the items highlighted was the lack of security on those laptops. Sure, we had all the “normal” items locked down. Passwords were enforced and complex (8 characters, must include at least one upper-case letter and one number), but the external auditor said that wasn’t really enough and that we should encrypt all the hard drives with a 16-character password and also disable the USB ports.

Easy to do, but what about the possible impact? Consider the frustration users would experience at having to type a 16-character password every time they wanted to use their laptop. Consider the need to centrally store those passwords in case someone left or went away and urgent access to their local data was required. And consider removing the ability for people to copy a document so they can work on it elsewhere or hand it to a colleague to view.

It was discussed only very briefly before common sense prevailed: some policies were put in place around what can be stored locally, and the idea of full-disk encryption and USB blocking was dismissed. It’s all about measurable, manageable risk.

We broke our own rules.

So, where does the great OutSource IT data breach of 2018 figure in this? We would never encourage opening a port on a firewall in order for someone to directly access a PC on the LAN in your business. The correct way to get in from outside is a secure, encrypted VPN (Virtual Private Network) and these are very easy to set up and manage if you know what you are doing – and we do.

However, for a very short time we had an external financial contractor needing to access data on our finance PC and it was desirable to not have to wait and get them set up with a VPN client, so we opened a port to that PC so they could remote control it. The port was to be closed again immediately after they finished using it.

Within an hour someone in Texas had found the open port, found an old temporary user account that had a weak password, and started planting ransomware and encrypting the hard drive on the PC.

We noticed. Very quickly.

Our intrusion protection alerted us straight away and we shut it down. Actually, it’s not quite as careless as I’ve made it sound: we’d isolated that PC, and the account using it had no access outside of its own hard drive. Additionally, the data on it was just a copy. Yes, we had to rebuild and restore it, so there was still a labour cost involved in the attack, but we didn’t lose anything or suffer any other damage.

It could have been so much worse…

It’s all too easy to just “make an exception” or let down your guard a little for the sake of an easy life. People complain about having to have a complex password and having their access locked down; they want everything to be available and easy… as easy to use as Facebook. There are many policies and processes that OutSource IT strongly recommends around passwords, access rights, and the processes for adding and removing users. We don’t do this just to slow things down; we do it to try and ensure that sort of intrusion can’t happen on a live PC on your network.

It’s still easy for time to pass and important things to slide under the radar. A thorough security audit every so often is a good preventative measure against this, and we’re now conducting those ourselves with the help of the new management software we’re putting in place. (Another example of the Artificial Intelligence I’ve mentioned previously.)
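The two things that slid under the radar in the story above – a “temporary” firewall exception that was supposed to be closed straight after use, and an old temporary account that was never removed – are exactly the kind of drift a periodic audit should catch. The script below is an added illustration, not OutSource IT’s own tooling or the management software the article mentions; it runs over a constructed change log of firewall exceptions and a constructed local-account export (field names such as `expires`, `temporary` and `password_last_set` are assumptions standing in for whatever your firewall and directory actually export) and reports exceptions still open past their agreed expiry and enabled temporary accounts that are idle or carrying an old password.

```python
from datetime import datetime, timedelta

# Constructed sample data (not taken from the article). Each firewall
# exception records when it was opened, when it was agreed to be closed
# ("expires" is None for permanent, approved rules) and whether it is
# still open on the device.
FIREWALL_EXCEPTIONS = [
    {"id": "FW-001", "port": 3389, "target": "finance-pc",
     "opened": "2018-03-01T09:00", "expires": "2018-03-01T17:00", "open": True},
    {"id": "FW-002", "port": 443, "target": "vpn-gw",
     "opened": "2017-01-10T08:00", "expires": None, "open": True},
    {"id": "FW-003", "port": 5900, "target": "lab-pc",
     "opened": "2018-02-20T10:00", "expires": "2018-02-21T10:00", "open": False},
]

# Constructed local-account export, modelled loosely on what a Windows
# local-user listing gives you (name, enabled flag, last logon, password age).
LOCAL_ACCOUNTS = [
    {"name": "temp-contractor", "temporary": True, "enabled": True,
     "last_logon": "2017-09-05T14:00", "password_last_set": "2017-09-01T09:00"},
    {"name": "finance", "temporary": False, "enabled": True,
     "last_logon": "2018-03-01T08:45", "password_last_set": "2018-01-15T09:00"},
    {"name": "temp-audit", "temporary": True, "enabled": False,
     "last_logon": "2017-12-01T11:00", "password_last_set": "2017-11-20T09:00"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample data."""
    return datetime.fromisoformat(value)


def expired_open_exceptions(rules, now):
    """Return firewall exceptions that are still open after their agreed expiry."""
    findings = []
    for rule in rules:
        if not rule["open"] or rule["expires"] is None:
            continue  # already closed, or permanent and approved
        expires = parse_ts(rule["expires"])
        if expires < now:
            overdue = now - expires
            findings.append({
                "id": rule["id"],
                "port": rule["port"],
                "target": rule["target"],
                "overdue_hours": overdue.total_seconds() / 3600,
            })
    return findings


def stale_temporary_accounts(accounts, now, max_idle_days=30, max_password_days=90):
    """Return enabled accounts that are temporary-and-idle or have an old password."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are not a live exposure
        reasons = []
        idle = now - parse_ts(acct["last_logon"])
        if acct["temporary"] and idle > timedelta(days=max_idle_days):
            reasons.append(f"temporary account idle for {idle.days} days")
        password_age = now - parse_ts(acct["password_last_set"])
        if password_age > timedelta(days=max_password_days):
            reasons.append(f"password last set {password_age.days} days ago")
        if reasons:
            findings.append({"name": acct["name"], "reasons": reasons})
    return findings


def run_audit(now_iso):
    """Run both checks against the sample data as of the given timestamp."""
    now = parse_ts(now_iso)
    return {
        "exceptions": expired_open_exceptions(FIREWALL_EXCEPTIONS, now),
        "accounts": stale_temporary_accounts(LOCAL_ACCOUNTS, now),
    }


if __name__ == "__main__":
    report = run_audit("2018-03-02T09:00")
    for f in report["exceptions"]:
        print(f"OPEN PAST EXPIRY: {f['id']} port {f['port']} -> {f['target']} "
              f"({f['overdue_hours']:.0f}h overdue)")
    for a in report["accounts"]:
        print(f"ACCOUNT {a['name']}: " + "; ".join(a["reasons"]))
```

Run as-is it flags the finance PC exception as 16 hours overdue and the contractor account as both idle and carrying a password older than the threshold, while the approved permanent VPN rule, the closed lab exception and the disabled audit account produce nothing. The point of the design is that the expiry date is recorded at the moment the exception is granted, so closing it is no longer something a busy engineer has to remember.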

Ultimately, we can’t always stop a breach like the one we just experienced – it comes down to the end-user always being able to do something in a moment’s distraction that compromises security, no matter how robust the controls are. We can, however, drastically reduce the chance of it happening and minimise the impact.

Our little intrusion was quite exciting: it put a few things to the test, and I was personally very pleased with how little impact it had. It was also a bit of fun, in a geeky sort of way, tracking down the guy who did it and looking at his life – he had very little security on his social media and some open records about his past criminal convictions!

Philip Adamson, Managing Director, Outsource IT