On IT Security At Work

Standard

It’s no co-incidence that I’m writing this at the end of the week in which 48 of the UK’s health service trusts were “hacked” by malfeasants brandishing an “indiscriminate attack across the world on multiple industries and services”.

I’ve been a Chief Technology Officer (CTO) for a number of small to medium sized businesses for over 10 years. Prior to that I was a developer earning my crust across a wide range of (primarily) web focused services.

I’ve met a handful of senior tech leaders from big companies. Most of them were much older than me. I’ve a little experience (both actual and anecdotal) of big company (and government) IT policies and some of them amaze me.

My own approach to security around IT is to try and create a process where it’s easy to follow a safe, secure path – rather than construct strict rules that most people try to circumvent (not usually for malicious reasons I hasten to add).

I’m also going to ignore the fact that a “hacker” is a cool programmer who has just managed to quickly fix a bad bit of code. A cracker is someone nasty who wants to break into your secure files. The press love to use the former to describe the latter. Because most people are unaware of this, I will use the more widely known vernacular “hacker” (as much as it riles me).

Password Policy

Lots of big companies enforce a strict password change policy. Every 30 days you must change your password. You can’t use any of the previous 8 (for example) passwords you’ve already used.

Why is this bad?

Unless they’re using a super-computer, most hackers will struggle to break a 8 character password using a brute force approach. Most systems (not all) lock you out after a handful of incorrect attempts. This seriously slows down brute force attacks on passwords.

If the IT department genuinely think that a hacker will brute force your password then making you change it won’t make it any more secure. Brute force could chance upon the password during the first try or it could take a few days (or a few minutes if they have a super computer and the password is just 8 characters long). They still get in.

Also, humans are very bad at remember passwords. We tend to use the same one a lot. That is bad. Instead we will just use, for example, password1 and in 30 days, password2. Or, worst case, people will write down their password because they can never remember it. Very bad.

What should they do instead?

A better policy is brought about through education and better technology.

  1. Educate people to learn their own secure password. 10 characters or longer takes exponentially longer to brute force. Even better, the password can be a combination of 2 or 3 random words – a magic phrase.
  2. Use two factor authentication. Whilst the latest news is that text messages have been intercepted (they’ve always been insecure, but hackers have ignore them until recently) it’s still a great way of helping improve security. Even better, give staff a 2FA device (or app on their phone) that generates a new 6 digit code every minute. The code is algorithmically generated using an algorithm that is unique to the user. 2FA helps prove that the user is the one logging in. It makes security MUCH more secure.
  3. Inform people that they must keep their password private. Nobody should ever know their password. If they think someone knows it, change it.

Operating System Security

So many big enterprises stick to very old versions because they don’t trust the newer versions. They’ve spent years getting to know all about the security problems with the known version and have spent lots of time locking it down to make it conform to their company IT policies.

Why is this bad?

Most enterprises use proprietary operating systems. Usually Windows. The operating system code is not exposed to the IT team, so how can they really know it? Millions of people have used that OS and found millions of viruses, bugs and exploits in there. The manufacturer has spent billions of dollars making newer, better, more secure major versions that have been tested by tens of thousands of users. Often there are financial rewards if you find an exploit.

Sometimes the OS is locked down to prevent users installing unapproved software. There are various reasons why users installing their own software is bad – but they could install a virus by mistake (or on purpose) if the OS isn’t locked down. Unfortunately, viruses don’t always need users to help them out.

Finally, it is bad because users go home and use their smartphones, tablets and computers with the latest OS installed. They go to work and use an antique. This reduces productivity. It also helps ensure your documents and files are increasingly incompatible with other systems. Your old OS can’t run the newest applications. It’s not just the OS that can get a virus; a virus can infect specific applications (programs) too. Newer applications are more secure as their developers learn from the past.

What should they do instead?

Upgrading the OS is expensive. But a big enterprise gets a volume discount. Exploit it. Your IT is important to your business – you NEED to spend money on it. A cheap screwdriver will break soon. A cheap IT budget will break soon.

  1. You do not need to lock down computers. If you don’t trust your staff then you have a bigger problem. Educate them. Write a policy that makes it “very bad” to install software without permission. Just use the normal “user” level permissions on the OS, which prevents installing most software and reserve admin level for the IT team. There are plenty of options, but you must focus on ensuring updates are applied regularly.
  2. The old days of buying a new PC every 3 years (or more) are gone. You need to invest. You need to work out how important IT really is to your business – what would it cost if it suddenly all stopped working tomorrow? You need to invest a good percentage of that cost in keeping IT up-to-date.

Summary

There’s loads I could go into. I’ve consulted to major banks and large PLCs. None of them had IT policies I approved of. Their technical teams need to stop operating their own cottage industry and stop thinking like engineers. Clearly, their policies don’t work. Try something new…