The other night I was watching the movie “Gone in 60 Seconds” with Nicolas Cage. If you’ve seen the movie, you will recall the scene where one of the new kids brings in a Cadillac Eldorado with a big smile, naturally feeling proud of his accomplishment. Instead, he is promptly scolded. Not only was it too easy to “obtain” the car (the keys were left in it), but the car was not even on their list. I guess that is the difference between a professional and an amateur.
I bring this up because it reminded me of something I saw earlier in the week: someone had left a system password sitting on their desk, essentially leaving the system open for anyone who walked by.
We do all kinds of crazy things with our laptops and desktops leaving our systems open to intrusion, even if our companies aren’t on the hit list of some hacker.
Think of it this way. If you parked your vehicle in the parking lot and you left the windows down and with the keys on the seat, then your car becomes an easy mark and you are inviting every person in the neighborhood to take your vehicle for a joy ride.
When you lock the door and pocket the keys, you eliminate a large number of the threats. Of course, there are individuals who are capable of breaking into a locked car and hot-wiring it. This is why we have car alarms, steering wheel locks, kill switches, and LoJack to further deter those who would attempt to take our vehicle. With every layer of protection we put on the car, we reduce the number of individuals capable of getting into it. Eventually we reach a level where only a handful of people have the skills to take the vehicle no matter what prevention methods we use, and it becomes a matter of them wanting it badly enough and having enough time to get it.
Our information systems are just like our vehicles. However, most of us leave our systems out in the open and don’t take the basic precautions against intrusion, allowing even the janitor to get at our information. Every step we take to secure a system raises the skill and time an attacker needs to extract what is important to us.
Security steps may seem a little inconvenient at times and will require some variations on your standard operating procedure. But the prize at the end is a little more peace of mind and a lot more security for your clients and customers. Here are 4 steps you can take to secure your system:
- Set up your laptop to require the user to type in a username and a password.
This is an easy one. Most laptops and desktops come with the standard Windows out-of-the-box configuration: a single account with a blank password and the Welcome screen, so the machine boots straight to the desktop. That setup assumes there will be only one person operating the machine and that every time it is powered up it will be you issuing the commands. Therefore, if someone else gets your machine and powers it up, they have full access to your data. Go to your Control Panel, select “User Accounts”, give every enabled account a password, and change the way users log on so that the classic username-and-password prompt is shown instead of the Welcome screen.
- Set up your screensaver to require a password on resuming activity.
How many times have you been working on some sensitive data, walked away to get a cup of coffee and got pulled into a quick, 15-minute, stand-up meeting? When you got back, you simply wiggled the mouse and your system came back up ready to work. So, how many other people have wiggled your mouse and peeked at your sensitive data? How many times has the room you were working in been borrowed for a quick interview while you were off to the restroom, because they just needed it for the next 15 minutes or so? Who is looking at your data while you are away? Who is connecting a USB drive to your system and downloading your information?
Think it doesn’t happen? Well, here is one way to make sure that it doesn’t. Right-click anywhere on the desktop and choose Properties. Go to the “Screen Saver” tab and check the box that says “On resume, password protect”. Also, whenever you leave your system, put it into standby or close the laptop lid (it will go into standby if the lid-close action in Power Options is set to standby). When it is taken out of standby it will ask for a password before work resumes, provided “Prompt for password when computer resumes from standby” is also checked in Power Options; check that too, because the screen saver setting alone does not cover resume from standby.
- Choose a decent password (something longer than 10 characters that is not easy to guess).
This goes without saying. In your Control Panel, click on the “User Accounts” icon. Then click on your user name and click on the “Change the password” link. When selecting a password, stay away from things that an attacker can figure out from digging around in your dumpster or checking your online profile. Avoid names of people in your family, pet names, birthdays, former schools, etc., and avoid making your password too short. Once an attacker has a copy of your password hash, an 8-character password is well within reach of an offline brute-force attack, and every additional character multiplies the work.
Back in the day, when the Sun “pizza box” workstations were all the rage, one of my old friends had a rather unique method of generating his passwords. Whenever he needed one, he would pull out his Bible and find a phrase with 10 to 15 words, take the first letter of every word, capitalize certain characters, substitute numbers for letters where appropriate and… voilà! He had his password. I would suggest that you try a similar tactic when you create your passwords. Just make sure you remember the phrase used to generate it. One caveat: if the phrase is a famous quotation, an attacker can build a dictionary of first-letter acronyms from well-known texts and apply the usual capitalization and number substitutions, so pick a phrase that is meaningful to you but not one everyone knows.
- Don’t write your passwords down on paper and keep them taped to the bottom of your laptop.
What good does having a decent password do you if you have it taped to your laptop or on a printout next to your desktop for everyone else to find? Now you may argue, “But we all work in an office environment and we trust each other.” That may be so, but you still invite people in for interviews, your company still gets deliveries and mail, and you still have vendors coming in to do presentations. And in case you haven’t noticed, every cell phone made today comes with some type of camera built in. No one needs to write your passwords down when they can simply ‘point and click’ in real time. If you are in an office environment and you are working on a secured wireless network, make sure that your team does not have the access key printed and posted for easy reference, or for an even easier photo op. And do not count WEP as “secured” in the first place: WEP keys can be recovered from captured traffic in minutes, so the network should be running WPA2 or better before the posted key is your biggest worry.
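The four steps above are described as clicks through the Control Panel. As an added example (not part of the original post) the script below audits the same settings on a current Windows machine from an elevated PowerShell 5.1+ session: accounts with no password and automatic logon at boot (step 1), the screen saver password on resume plus the password-on-wake power setting (step 2), and the minimum password length policy (step 3). Step 4 cannot be scripted; that one is still a conversation. The registry paths, `net accounts` and `powercfg` invocations are the documented Windows ones; the 12-character minimum and the 10-minute screen saver timeout are assumed policy values chosen for this example, and parsing `net accounts` assumes an English-language Windows. Run it with `-Fix` to apply the corrections.

```powershell
# Added example, not from the original post. Audit (and optionally fix) the
# settings the four steps describe. Run elevated; -Fix applies the changes.
param(
    [switch]$Fix,
    [int]$MinLength = 12,      # assumed minimum password length for this example
    [int]$MaxIdleSeconds = 600 # assumed screen saver timeout (10 min) for this example
)

$findings = @()
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$desktopKey = 'HKCU:\Control Panel\Desktop'

# Step 1: enabled local accounts that do not require a password, and automatic logon.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings += "Account '$($_.Name)' is enabled but requires no password"
}
$auto = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($auto.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is on: powering the machine up logs in as '$($auto.DefaultUserName)'"
}
if ($auto.DefaultPassword) {
    $findings += "DefaultPassword is stored in plaintext under Winlogon"
}

# Step 2: screen saver enabled, password on resume, sane timeout (values are REG_SZ).
$desktop = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
if ($desktop.ScreenSaveActive -ne '1')    { $findings += "Screen saver is not enabled" }
if ($desktop.ScreenSaverIsSecure -ne '1') { $findings += "Screen saver does not require a password on resume" }
if ([int]$desktop.ScreenSaveTimeOut -gt $MaxIdleSeconds) {
    $findings += "Screen saver timeout is $($desktop.ScreenSaveTimeOut)s; expected at most $MaxIdleSeconds"
}

# Step 3: local password policy. Assumes English 'net accounts' output.
$lenLine = (net accounts | Select-String 'Minimum password length' | Select-Object -First 1).Line
if ($lenLine -and $lenLine -match '(\d+)\s*$' -and [int]$Matches[1] -lt $MinLength) {
    $findings += "Minimum password length is $($Matches[1]); policy here expects at least $MinLength"
}

if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "[!] $_" } }

if ($Fix) {
    # Step 1: stop automatic logon and drop any stored plaintext password.
    Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    # Accounts without a password are reported only; set one with Set-LocalUser -Password.

    # Step 2: screen saver with password on resume (takes effect at next logon),
    # require a password on wake from sleep, and make closing the lid sleep (1 = sleep).
    Set-ItemProperty -Path $desktopKey -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $desktopKey -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $desktopKey -Name ScreenSaveTimeOut   -Value "$MaxIdleSeconds"
    foreach ($mode in 'setacvalueindex', 'setdcvalueindex') {
        powercfg /$mode SCHEME_CURRENT SUB_NONE CONSOLELOCK 1 | Out-Null
        powercfg /$mode SCHEME_CURRENT SUB_BUTTONS LIDACTION 1 | Out-Null
    }
    powercfg /setactive SCHEME_CURRENT | Out-Null

    # Step 3: enforce the minimum password length for local accounts.
    net accounts /minpwlen:$MinLength | Out-Null
    "Fixes applied; log off and on for the screen saver settings to take effect."
}
```

The audit deliberately does not set passwords for the accounts it flags, since choosing the password is the user's job (step 3); it only reports them. On a domain-joined machine the minimum length is normally governed by Group Policy rather than `net accounts`, so treat that check as a local-account sanity check.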
Coming next: 3 simple technical adjustments to keep information private.