
Common security pitfalls

By Babby Boss

The following discussion is centered on common vulnerabilities that are typically found in a general office environment. Usually, these vulnerabilities remain unnoticed until exploited. The list of vulnerabilities discussed here is neither complete, nor arranged in any specific order.

Inappropriate area separation

In some business environments you may find no proper demarcation between general and restricted work areas. As a result, visitors get easy access to restricted portions of the premises without facing much difficulty.

Lack of security awareness training

A chain is only as strong as its weakest link. Since human beings are the weakest link in the People-Process-Technology chain, the organization should pay as much attention to strengthening this link as it does to the Process and Technology links. Lack of adequate security awareness among employees increases their susceptibility to social engineering attacks. For example, an attacker posing as a legitimate technician may offer troubleshooting services in order to trick unsuspecting users, obtain passwords, take away sensitive data, and inject backdoors into systems for subsequent remote access. The increasing number of successful attacks shows that management does not take the issue seriously. To date, information security awareness training programs get low priority on the management agenda. Either security awareness programs are conducted irregularly, or little attention is paid to obtaining and evaluating feedback on the effectiveness of the training, so little or nothing is known about how useful the program actually is.

Lack of proper communication

Generally, remote offices are not informed in time when new or transferred officials join the managing office. Lack of good communication between the managing office and remote offices may result in a successful social engineering attack. Ideally, the bio-data of these employees should be communicated immediately, so that remote offices know who the legitimate officials are and can resist any social engineering trick.

Lack of life safety training

Often, employees are not given essential training on how to operate fire extinguishers and other life safety equipment installed in the premises. They also lack training on emergency medical procedures, and access to medical care kits. Without imparting adequate operational knowledge of security tools to its employees, an organization's investment in these tools remains limited to regulatory compliance.

Non-reporting of suspicious conduct

Usually, employees are not encouraged to take note of suspicious actions by their peers and visitors and to report their observations to the appropriate officials in a timely manner. Thus, employees pay no attention to strange behavior, and the record shows that some incidents could easily have been prevented if timely information about the observed behavior had been communicated to the authorities.

Outdated contact list

Often the emergency contact list is not updated frequently and promptly communicated to all concerned officials. Thus, the response team does not get timely notice of incidents that require manual reporting.

Outsourcing against policy

Sometimes remote offices offload data entry and rectification jobs to third parties without consulting the managing office, and without even entering into a non-disclosure agreement with the service providers. Such policy violations result in unanticipated cases of data leakage and possible legal action.

Poor inventory management

Often, the decentralized functioning of an organization yields poor inventory management. The quantity and type of registered assets in the central database seldom match the actual inventory. Generally, line managers attempt to conceal cases of missing assets.

Role confusion

Lack of knowledge about policies and procedures among employees, and management's lenient approach to policy enforcement, typically leave employees without a clear understanding of their roles and responsibilities during an incident or disaster. The moment employees are expected to play their part in incident response or disaster recovery, they fail to deliver, because they have no idea what they are expected to do.
Jam-packed server area

Often, in small and medium sized organizations, server rooms are congested with stuff like empty boxes, surplus spare parts, and several other things with no valid reason for being inside the area. Ideally, server rooms should have room for the most essential things only; letting one look like a junkyard only invites problems.

Physically insecure desktops

Despite watchful eyes on the job, attackers have managed to take away critical systems. Although it looks trivial to chain computers with cable locks hooked to heavy stationary items, IT WORKS.

Improper electric circuitry

Often electrical grounding and cabling are tested only at the time of installation, and preventive maintenance checks are performed casually. As time passes, the markings on electrical outlets fade, and unplanned maintenance without a proper electrical diagram worsens the situation. Sometimes, in the absence of clear indication, users accidentally plug their devices into the mains supply instead of the regulated supply from the UPS system.

Insecure transportation

Often sensitive printed documents are moved between offices without proper protection in transit. When the consignment is a big one, the recipients rarely check the volume for completeness at the time of delivery, and such checks are postponed for a long period. In some cases the delay costs the organization a lot, as some of the documents may have been stolen during transportation.

Insecurity of security devices

It is a good idea to see physical monitoring technology like CCTV installed in and around the offices. But do people really check whether the cameras, cabling, and video recorder rack are physically secure? Tampering with monitoring devices is a real possibility.

Irregular preventive maintenance

Improper and irregular preventive maintenance of security controls reduces information assurance. Ideally, all controls should be inspected regularly to ensure that they deliver the expected security services without fail. But it has been noticed that after a few cycles of preventive maintenance, service providers (or product suppliers) and onsite professionals adopt a casual approach to maintenance.

Fire fighting issues

Fire extinguishers installed in the wrong places and in insufficient numbers greatly reduce fire fighting capability. Additionally, the selection of fire extinguishers should be based on the kind of environment they are installed in. Often, offices hold large deposits of inflammable material like paper, wooden fixtures and furniture, foam, etc. Some organizations have policies to dispose of waste only after a certain retention period has expired. In the meantime, offices continue to operate without a sufficient number of appropriate fire detection and prevention devices in place.

No pest control

A decade ago, pest control was treated as an essential mechanism for eliminating the problems pests can create. As time passed, professionals started dropping the requirement for pest control, which earned them the unforgettable experience of jammed equipment, cut wiring, etc. The pest problem is a real one, and even after dense urbanization pest control is still required to keep these problems at bay.

No video recording

Not many people check whether their CCTV video recorders are working as expected. Usually, people use CCTV cameras for live monitoring and take little interest in periodically verifying that footage is actually being recorded. Thus, whenever they go back to the recorded video, they find that the recorder unit was not recording any footage at all.

No video footage backup

Generally, CCTV video recorders offer limited capacity for footage retention. A typical video recorder unit offers 30 to 90 days of recording capacity, depending on the storage media in use. Regular backup of video footage helps to avoid data loss in case of recorder unit failure.

Single CCTV Digital Video Recorder (DVR)

CCTV video recorders have the obvious problem that during boot time it is not possible to record video footage. Thus, even a momentary accidental or intentional power failure causes a gap in video recording if only one recorder unit is used. A parallel recording system powered from a separate electricity source helps to keep video recording continuous.

No paper shredding

Despite various well-publicized cases of scavenging, organizations have yet to ensure that paper shredding is made mandatory and put into practice for the proper disposal of sensitive documents. Ideally, sensitive printed information should be shredded before disposal to avoid any possibility of leakage.

Power backup issues

In traditional business units, you may find UPS systems and batteries installed next to each other. Although their proximity saves a little expenditure on wiring and eases maintenance, it is not recommended, because explosions have been recorded even in sealed-battery installations. Sometimes you may find UPS systems and batteries installed in the server area itself. This can cause great damage to the systems and data residing in the server area.

Single entry-and-exit point

In a few businesses it is recommended to have a single entry-and-exit point, but it is not always useful. Architects should have an evacuation plan in mind while designing buildings.

Static electricity

Even in some well-maintained environments, you may find static electric charge built up on critical systems. Such organizations seldom employ techniques to contain and eliminate static electric charge until it starts interfering with the normal functioning of systems.

Unattended copiers

Unattended or out-of-sight copiers, printers, and fax machines allow any unauthorized person to capture sensitive information. Generally such units are a big source of useful information to attackers.

Local data insecurity

Even though remote offices use central web applications deployed at the managing office or the data center for data processing, some of these remote offices still store sizeable amounts of data locally. In the absence of a proper strategy for data backup and restoration, and with no adherence to best practices for data protection, the fear of data loss always looms.

Insecure communication channels

Often the electronic communication between the managing office and remote offices is conducted over insecure channels. Ideally, collaboration activities like document sharing, peer-to-peer messaging, email communication, etc. should provide the required levels of confidentiality, integrity and non-repudiation. Some organizations take the issue very seriously; however, not every organization pays similar attention to securing the channels.

Insecure media disposal

Despite the various best practice documents available on the Web, and approved policies for secure media disposal, many organizations do not view it as a big concern. No serious effort is made to ensure that storage media are wiped (or erased) using industry standard tools and techniques before disposal.

Insecure telecommunication

Often less attention is paid to securing telecommunication equipment, especially Private Branch Exchange (PBX) systems. Attackers find it easy to locate the PBX and tap important phone calls without anybody even noticing the eavesdropping.

Invalid system configuration

Improper planning leads to poor performance. Asset procurement without adequate capacity planning or proper feasibility checks results in the acquisition of systems with odd configurations that simply do not conform to the infrastructure standards, and usually produce security configuration problems.

Unauthorized changes taking place

In several small and medium sized organizations, irrelevant factors govern the changes being made to the application, infrastructure, and environment. These factors unofficially override the approved change management policies, and drive the processes to bypass them. Allowing unauthorized changes to materialize creates several security related problems in due course of time.

No password protection

Lack of security awareness among users leads to the practice of password sharing and to negligence in noticing cases of shoulder surfing. Usually this kind of casual behavior defeats the purpose of separation of duties, gives rise to insider fraud, and makes the organization an easy target for attacks.

Permitted use of removable media

It is a recognized fact that removable media, especially USB pen drives, are one of the reasons behind data leakage and malware spread. Restricting the use of removable media helps to address these problems to some extent. Still, information security professionals fail to convince management to enforce a policy controlling their usage.

Use of legacy applications

In the present era of cutting-edge technologies, most organizations rely on modern applications to support their business functions. Still, some organizations have a significant share of legacy applications in use. These end-of-life applications use outdated technologies and unsupported tools; employ insecure protocols to transmit data; and store sensitive information in plaintext. Often their authentication controls are so lax that it is trivial to bypass them altogether. These legacy applications give rise to some inevitable security problems.
