I’ve been doing some security reviews for a number of small companies over the last month or so, mainly companies operating in shared office space who don’t have a full time tech or support contract. I knew there would be some holes but I was in for a surprise and this got me thinking about how computer security is presented in the media and tech community.
There were so many issues I created a top 10 of what I think are the biggest areas of risk for these small companies. The following post is very long.
10. No Backups or encryption of laptops
A lot of the companies only buy laptops for employees now. These laptops are used at work for business but are also taken home by employees, left in cars overnight, used by their kids, etc., so most are in a bad state. I think as an industry encrypting portable devices needs to be easier, especially for small companies who are frightened by ideas like encryption.
9. No anti virus
I’ve put this at number 9 because when was the last time your AV picked up a virus? However, when was the last time you got hit by spyware? I think spyware / malware is more serious, but on a properly patched, up-to-date system with a user running limited privileges, suffering a virus is less of a problem these days. (I would still recommend virus scanning of emails for corporate users.)
8. No domain
A lot of smaller companies don’t run a domain. They might have a Server 2003 file server but with individual local accounts, and all the PCs have half a dozen local accounts with passwords matched up to the file server. While it’s not a bad thing if managed properly, it is a lot more time consuming and there is a risk of leaving security holes open with so many places to set passwords.
7. WEP only wireless security
A couple of the businesses still ran WEP to secure their access points. I know there is a lot written about the ease with which WEP can be broken, and I’ve even had some geek fun breaking into my own WEP network using an external USB wi-fi card and a Linux live CD, but in reality who actually does this?
If the media is to be believed and you run WEP, you’ll have shady men in black and geeky teenagers hacking your network and bankrupting the company. In reality, who is going to want to hang out on an industrial estate to hack “Bob’s Carpets” or “Industry Incorporated Ltd” to use their 2mb internet connection? Of course, once you are on the network you can proceed to attack file servers to try and access corporate files, but proper layered security would make that extremely difficult, and you have that in place, right?
I’d always recommend the best wireless security you can have but WEP is still better than nothing at all to deter the opportunist.
6. Every user is a local Administrator on all machines
Security isn’t just about keeping external bad guys out; there is also a risk from internal users who, either maliciously or through incompetence, can damage the IT systems.
On almost every single PC I looked at, all the users on the machine were local administrators. That is fairly standard for Windows XP, but most Vista machines had UAC on and again the users were local administrators. More worrying, at the companies that didn’t run domains, all users who accessed the file servers were local administrators on those servers. This of course means that every user of the server can, by default as an administrator, change all files on that server and its operating configuration.
I’m not surprised to find a setup like this as it makes file access super easy, but it is also super easy for people to access files you don’t want them to.
5. IUSR_<MachineName> is a local Administrator
Finding the IIS6 user account IUSR_<MachineName> in the local Administrators group on a Server 2003 machine was a first. It turned out that a 3rd party supplier had installed some software on the server that the company used for shipping invoicing, and they had set it up like this. When I asked why, the users said “because it just worked like that?”
What the people installing the app and making this configuration change didn’t (or did!) realise is that any web user arriving at the box requesting pages or details from the shipping app ran as a local administrator, with all the privileges that implies. Any error in the application or exploit in IIS (on an unpatched server) would be able to compromise the web box as the administrator!
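A check for items 6 and 5 above, added here as an example and not part of the original post: it parses the output of `net localgroup Administrators` (a constructed sample is embedded; the machine and account names are placeholders) and reports any IUSR_* account plus any member not on an expected-admins list, which is an assumed site-specific setting.

```python
"""Audit local Administrators membership from `net localgroup Administrators`
output: flags the IIS anonymous account IUSR_<MachineName> (item 5) and any
ordinary user holding admin rights (item 6)."""
import re

# Constructed sample of the command's output on a Server 2003 box; the
# machine and account names are placeholders, not from any real system.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
IUSR_FILESRV01
alice
bob
The command completed successfully.
"""

# Accounts allowed to be local administrators (assumption: only the built-in one).
EXPECTED_ADMINS = {"administrator"}


def parse_members(output):
    """Return the member names listed below the dashed separator line."""
    lines = output.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("----")]
    if not starts:
        raise ValueError("no member list found; is this net localgroup output?")
    members = []
    for line in lines[starts[0] + 1:]:
        line = line.strip()
        if line.startswith("The command completed"):
            break  # trailer printed after the last member
        if line:
            members.append(line)
    return members


def audit_admins(output, expected=EXPECTED_ADMINS):
    """Split members into IUSR_* accounts and other unexpected administrators."""
    members = parse_members(output)
    # Matches IUSR_... with or without a MACHINE\ or DOMAIN\ prefix
    iusr = [m for m in members if re.match(r"(?:.+\\)?IUSR_", m, re.IGNORECASE)]
    unexpected = [m for m in members if m.lower() not in expected and m not in iusr]
    return {"members": members, "iusr_admins": iusr, "unexpected_admins": unexpected}
```

On a real box, pipe the command's stdout into `audit_admins`; anything in `iusr_admins` or `unexpected_admins` is a finding to remove from the group.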
4. Misconfigured SharePoint sites exposing corporate information
I’m no fan of SharePoint, mainly because it’s so complicated, but it’s still important to secure. Another company running reports through SharePoint from http://domain.co.uk/repots/trans/report.aspx had a nice report on the .aspx page, but browsing back down the directory path exposed all the other directories and files. This was because anonymous access was left on and the user that ran the report was the SharePoint administrator.
None of the users I asked had any idea they could drop back a level and see other reports; all they knew was the one URL to the report.aspx page. They were genuinely surprised to learn that security through obscurity wasn’t actually worth anything.
3. No patch management
Personally I think 50% of all security problems could be avoided by having all your systems up to date with the latest patches, not only for Windows desktops and servers but also for plugins and 3rd party apps. Adobe Flash is probably the biggest security patch needed after Windows OS patches.
When a new exploit is found, a tool is developed to search the internet for vulnerable machines. If you leave your machines unpatched you are an ideal target, and if you are running as a local administrator too it just makes the job of using your machine for other nefarious web attacks that much easier.
This is where SBS (Small Business Server) comes in handy. It now includes WSUS (Windows Server Update Services), and with machines on the domain updates are automatically pushed out to users’ laptops and PCs as needed, an essential part of a security plan.
2. Bad password policy / Non expiring passwords
I know passwords have become a real pain in modern life. A pin for your bank cards, passwords for online shopping sites, passwords at work and security tokens for physical access are all things to remember.
I know that larger organisations enforce password complexity, history and a lifespan, but even the Windows Server 2008 default complexity of 6 characters or more and two of the following: uppercase, number, special character, can be met with the following password: Password1
Couple this with most users just wanting to do their job and not have to remember passwords, and you get non-expiring passwords (in small companies with no real admins), people sharing accounts, and passwords written on post-it notes stuck to monitors. It’s a terrible situation for security.
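Item 2’s point, as an added example that is not from the original post: the first function implements the complexity rule exactly as described above and accepts Password1; the second applies a stricter check (a longer minimum length and a small constructed deny list of base words, both assumptions for the example) that rejects it and its usual variants.

```python
"""Check passwords against the complexity rule as the post describes it
(6+ characters and two of: uppercase, digit, special), then against a
stricter check that catches "common word + digit" passwords like Password1."""
import re

# Tiny constructed deny list of base words; a real deployment would use a
# breached-password list (assumption for this example).
COMMON_BASES = {"password", "welcome", "letmein", "company", "summer"}
# Undo the usual character substitutions: @->a, $->s, 0->o, 1->i, 3->e, 4->a
LEET = str.maketrans("@$0134", "asoiea")
MIN_STRICT_LENGTH = 12  # assumption for the stricter check, not a Windows default


def meets_stated_complexity(pw):
    """The rule as stated in the post: length >= 6 and two of three classes."""
    classes = [re.search(r"[A-Z]", pw), re.search(r"[0-9]", pw),
               re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= 6 and sum(1 for c in classes if c) >= 2


def normalise(pw):
    """Lower-case, strip trailing digits/symbols, undo substitutions, so that
    Password1, P@ssw0rd! and password2009 all reduce to 'password'."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def passes_strict(pw, deny=COMMON_BASES):
    """Stricter policy: stated complexity, a longer minimum, and no common base."""
    return (meets_stated_complexity(pw)
            and len(pw) >= MIN_STRICT_LENGTH
            and normalise(pw) not in deny)
```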
The only real solution is user training, and an understanding by management that computer security is important. When something goes wrong they are usually looking to place blame, and if it’s down to a lax security policy or ignorance on the part of management I know exactly where I would lay that blame.
1. Backups never taken offsite
This is the winner for me. I’ve seen some massive holes in companies’ security while doing these reviews, but when I asked the receptionist at one company what the Western Digital My Book on her desk was used for, this was the conversation.
Me: Do you know what these external disks are for?
Receptionist: Oh, I they are connected to the server?
Me: The server is under your desk?
Receptionist: Yes, the last tech guy said they are for the backups.
Me: Oh good, you have backups. Who takes the disks home at night?
Receptionist: Oh no, they live on my desk, they’ve never left the company, it’s the backup!
Me: Well what would you use as a backup if the building burnt down?
As a computing professional I’ve been educated to make systems secure, run with least privilege, and only allow access where needed, but small companies on the whole follow none of these rules.
Which makes me consider how security is reported. If you read any security blog or news report you are led to believe that if you have an insecure system, as many of the companies I saw had, you will have your corporate secrets stolen, machines used as botnets and virus infections galore.
I saw none of the signs of this; even when I got antivirus installed and scanned there were no infections. There was also no unusual network activity after watching the traffic for a week, and people hadn’t reported anything unusual.
Now I know that chances are you wouldn’t know you are compromised, but it does seem worrying that many companies are running the risk of being exposed by running with the above security holes.