Security Considerations

Running any business requires a level of ICT understanding. Below we have listed 8 common security considerations you will come across during your accreditation journey.

1.  Passwords

In today’s business world ICT plays a fundamental part, and every system starts with the basic security of a username and password. While most of the usernames you use will probably be different, do you tend to use one password for everything, or do you have several?

Having one password for all your ICT access is not recommended. Imagine for a moment that your password has been guessed or hacked: it can then be used to access all your other systems. What is convenient for you is also convenient for the person who is not meant to have your password.

Instead, use a handful of passwords that you use interchangeably between systems.
Sometimes you may be prompted to change your password. In this case simply use the next one in your repertoire.

Some IT systems will force you to use a strong password. This typically means a password that would take a computer many years to crack, which we discuss further below. Mixing numbers into your password makes it harder to crack with a brute-force dictionary attack. A brute-force dictionary attack is an algorithm that first tries every word in the dictionary to see if any match your password, then expands the search with variations of each character until the correct combination is found.

For example, let’s use a base password of delilah. Using the name of a family member makes it easier for a hacker to crack, but a few simple substitutions strengthen it significantly while keeping it convenient. Replace the e with a 3 and the i with a 1 and you get d3l1lah.

Let’s go one step further. A complex password has at least 8 characters and includes upper and lower case letters, digits and special characters (for example, !@#$%^&*()_+”:<>}{? are all considered ‘special characters’). We can add the numbers 01 on the end to increase the length past 8 characters, capitalise the D and H, and use an exclamation mark in place of one of the ls: D3!1laH01. Other combinations could be d3lil@H$$, dEL!1Ah@#$, and so on.

When hackers perform a brute-force attack, they try every possible combination until they find the correct one. This requires a lot of CPU power, and the more power applied the quicker the password is guessed; the rate is measured in ‘keys per second’. You can test your password strength at https://online.ictaa.com.au

2.  Password Length

How long would it take to Brute-force a password with today’s technology?

  • 5 Characters (3 lower case letters, 2 numbers) = 1,757,600 possible combinations
  • 8 Characters (4 lower case letters, 2 numbers, 2 special characters) = 46,794,342,400 possible combinations
  • 12 Characters (3 upper case, 4 lower case, 2 numbers, 3 special characters) = 26,318,635,584,716,800 possible combinations
Computer type                                      Keys per second   5-character password   8-character password   12-character password
High-end PC                                        2 billion         0.03 seconds           11 hours               751 years
Amazon AWS (10 servers)                            4.3 billion       Instant                5.4 hours              349 years
GPU (1 GPU)                                        7.7 billion       Instant                3 hours                195 years
Distributed PC network (1200 PCs, ie RC5 project)  998 billion       Instant                20 minutes             1.5 years

You can get an idea of how long it would take to ‘crack’ your password with our password strength calculator at https://online.ictaa.com.au

3.  Wireless Networks

Over recent years, we have seen WiFi overtake wired networks as the preferred and simplest way to connect devices:

  • Enterprises are using WiFi to connect staff and devices to corporate networks.
  • Retailers use it for POS and for tracking stock movements in warehouses.
  • Public “Free WiFi” solutions allow the public to browse the Internet.
  • Hospitals and care facilities use WiFi for mission-critical patient care and telecommunications requirements.
  • Schools are using WiFi to administer exams and deliver learning material.

A wireless network in a small office brings convenience for portable devices like laptops, tablets and smartphones. At the same time, it can loosen your security if not implemented correctly.

Here are some things to consider when setting up your wireless network:

  • Can your WiFi network be ‘hidden’?
  • Is your WiFi only accessible via a strong encryption key/password?
  • Will you be using WPA2 security protocols, and can you upgrade to WPA3 when released in 2019/2020?
  • Do you offer free WiFi to the public, and have you segregated the public and office WiFi networks?
  • Have you performed a WiFi site survey to understand how radio waves will interact with your office environment?
  • Do your neighbours also have WiFi, and will their WiFi interfere with yours?

Please check with your IT service provider to understand what is best suited for your situation.

Ensure you document your WiFi details in a secure register.

4.  Default Credentials On Network Devices

A typical network consists of at least a modem, router, firewall and wireless access point; in some cases they are all in one unit.
Each of these devices comes from the factory with a default username and password so that you (or your IT service provider) can configure it to suit your needs.
While it is convenient to leave these credentials as they are, doing so increases the likelihood of unauthorised access to parts of your network. Typical factory username/password combinations are admin/admin, admin/password and default/password.

Ensure that at least the administrative passwords on these devices are changed and then documented in a secure central register.

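Once the register exists it can be checked automatically. The script below is an added example, not code from the original page or from ICTAA. It assumes the register is kept as a CSV file with the columns device, username and password (a constructed layout), flags any device still using one of the three factory pairs named above, and also flags a password shared by more than one device, which ties back to the earlier point about one password unlocking everything. The sample register and every device name and password in it are constructed for illustration.

```python
"""Audit a device credential register for factory defaults and shared passwords.

Added example, not part of the original page. Assumes a CSV register with the
columns device,username,password (constructed format) and uses the three
factory default pairs the page names. The sample data is constructed.
"""
import csv
import io
from collections import defaultdict

# Factory username/password pairs named on the page.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("default", "password"),
}

# Constructed sample register (hypothetical devices and credentials).
SAMPLE_REGISTER = """\
device,username,password
office-modem,admin,admin
office-firewall,admin,Gx7#pq!mL2wQ
wifi-ap-1,admin,Ap#shared-2019x
wifi-ap-2,admin,Ap#shared-2019x
guest-ap,default,password
"""


def load_register(text):
    """Parse the CSV register into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def find_factory_defaults(entries):
    """Devices whose credentials still match a factory default pair.
    Usernames are compared case-insensitively; passwords exactly."""
    return sorted(
        e["device"] for e in entries
        if (e["username"].strip().lower(), e["password"]) in FACTORY_DEFAULTS
    )


def find_shared_passwords(entries):
    """Map each password used on more than one device to those devices;
    one compromised device should not unlock the others."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["device"])
    return {pw: sorted(devs) for pw, devs in by_password.items() if len(devs) > 1}


def audit(text):
    """Run both checks over a register and return the findings."""
    entries = load_register(text)
    return {
        "factory_defaults": find_factory_defaults(entries),
        "shared": find_shared_passwords(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_REGISTER)
    for device in report["factory_defaults"]:
        print(f"{device}: factory default credentials still in use")
    # Name the devices that share a password without printing the password.
    for devices in report["shared"].values():
        print(f"same password on: {', '.join(devices)}")
```

On the constructed register this reports office-modem and guest-ap as still on factory defaults and the two access points as sharing a password. The printed report deliberately names devices, never passwords, so it can be circulated without becoming another copy of the register.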
5.  Taking Data Offsite

Do you take backup copies of your data home? Does any team member take data to another location for safe keeping?

What happens if that backup data is stolen or misplaced? If it ends up in the hands of someone unscrupulous, could that person simply view your data backups on their computer and access your files?

If you do need to transport data from your office on a removable drive like a USB stick, you must encrypt the files or the entire drive. This prevents unauthorised access to your data. Most backup software has an option to encrypt data during backup.

6.  Network Firewalls

Often built into your Internet modem or router, the network firewall is responsible for filtering traffic from the internet by blocking traffic from unwanted ports and IP addresses.

Not all firewalls are the same. Newer ones, sometimes referred to as “security appliances”, are the next generation of firewalls, able to intelligently monitor and report traffic that is behaving suspiciously.

While a normal firewall blocks traffic based on a couple of criteria, a NextGen firewall actively performs these functions:

  • Blocking unwanted traffic, both inbound and outbound.
  • Reporting threats to your IT team in real time.
  • Monitoring for port scanning and other suspicious behaviour and actively blocking it.
  • Identifying and controlling application traffic, meaning you could give work-related traffic priority over Facebook traffic (on the internal network and also to the internet gateway).
  • Support for traffic policies, meaning servers/PCs, users or groups of users can have priority for specific application traffic (on the internal network and also to the internet gateway).
  • Identification and control of encrypted traffic: hackers can hide behind encryption, so a NextGen firewall can identify and, where needed, inspect encrypted traffic to ensure it is legitimate.
  • Malware and virus scanning of traffic in real time, with the goal of stopping threats before they reach the user.
  • Inbuilt VPN software to allow users to connect remotely to gain access to the internal network over a secure VPN.

7.  PC Firewalls

Inside your network you are typically protected by a network firewall built into your modem or router. When you leave work with your laptop, it needs to be able to defend itself. Discuss software firewall options with your ICT service provider. Windows has a built-in firewall which will suffice for most micro/small businesses.

8.  Remote Access

In a small office environment, your network perimeter firewall (used for access to the Internet) is typically built into your modem or router. By default these devices safely block any unauthorised external access into your network. Over time you (or your ICT service provider) may need to open a port to let specific traffic into your network, such as VPN or Remote Desktop.

What happens when these services are no longer needed? Have those ‘holes’ (ports) on your firewall been closed again? A great tool that has been around for a very long time is Shields Up by GRC; tools like this are referred to as port scanners. As always, do your research and speak with professionals before browsing the internet looking for vulnerability tools, which may introduce you to unwanted threats.
