
Securing your independent consultancy

Consultants can be clients' biggest gaping security hole. Find out why, and learn about ways to lock down those potential leaks.

As IT consultants, we often recommend security improvements to our clients, whether our specialty is security, networking, software development, or any other activity. Paradoxically, we consultants can sometimes be the biggest gap in our clients' security perimeter. We connect our devices to their network, often using elevated privileges; we exchange sensitive information with them over the Internet; and we store some of that sensitive data on our own media. If we aren't careful in every one of those activities, we could easily expose our clients to a breach.

Connecting to your clients

It should go without saying that when you connect to client systems over the Internet, you should use an encrypted connection. A Virtual Private Network (VPN) can provide convenient, secure connections. Even with a VPN, though, you'll want all network-mountable drives to be password-protected. I never use Telnet or FTP to access client machines, even within a VPN. Those protocols transmit passwords as text, so if a cracker manages to get by the VPN security, all they have to do is listen for Telnet or FTP traffic to pick up passwords that will give them access to systems on the network. Use SSH and SCP instead to add another layer of security.
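One way to check that a machine you administer is not still offering those services, as an added example that is not part of the original article: it parses the output of `ss -Htln` and reports listeners on the standard FTP and Telnet ports. The sample output is constructed, and the function names are illustrative.

```python
import ipaddress

# The two services the article says to avoid (passwords sent as text).
# Detection is by standard port only; a service moved to another port is missed.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed sample of `ss -Htln` output (state, queues, local, peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 *:21 *:*
LISTEN 0 5 127.0.0.1:23 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:23 [::]:*
"""

def parse_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    return addr, int(port)

def is_loopback(addr):
    """True only for addresses bound to the loopback interface."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" means every interface
        return False

def cleartext_listeners(ss_output):
    """Return (service, address, port, scope) for each FTP/Telnet listener."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parse_local(parts[3])
        if port in CLEARTEXT_PORTS:
            scope = "loopback only" if is_loopback(addr) else "network-reachable"
            findings.append((CLEARTEXT_PORTS[port], addr, port, scope))
    return findings

if __name__ == "__main__":
    for finding in cleartext_listeners(SAMPLE_SS_OUTPUT):
        print(finding)
```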

Especially on Windows systems, it's a whole lot more convenient to log in as an Administrator, but just say no. Use an account with lesser privileges, and elevate only when needed. That prevents someone who manages to acquire your credentials or run a program under your session from being able to take the whole enchilada.

Transmitting information

Clients these days use email much like they use the telephone; they assume the conversation is private, when in fact it's perfectly legal to "listen" to someone's email transmission, and easier to do than tapping a phone if you have access to any node along the path. Furthermore, relay servers may keep copies of your email indefinitely. Yet, clients regularly send clear-text emails containing sensitive information that's supposed to be under an NDA, sometimes even passwords and credit card numbers.

Some of this complacency comes from companies having their own email server inside their security perimeter. Clients think that anything they send to one another within the company stays inside the organization. That may be true most of the time, but not when one of those local addresses redirects to your external account as a consultant. If you and your client must use email for this kind of communication, at least encrypt it.

I almost fell out of my chair one day when a client, who prudently didn't want to use email for sensitive information, sent it to me instead via a private Facebook message. "It's private, isn't it?" My response: "Did you get Mark Zuckerberg to sign an NDA?" (Even if he had, I wouldn't trust it.)

Storing client data

Once we have client data on our own systems, we need to make sure it doesn't fall into anyone else's hands. Data stored on a portable device like a notebook, smartphone, or USB stick is particularly vulnerable, and we need to take steps to ensure that those devices aren't lost or stolen. It can happen, though, so we should also encrypt sensitive data. Even when stored on a server that's locked in a vault and not open to the Internet, encryption adds one more level of protection. Most operating systems provide some mechanism for volume-level encryption, or you can use a software product like TrueCrypt to create a virtual volume to encrypt only your sensitive data, instead of imposing the performance penalty of encrypting your operating system and applications.

Encryption won't help much if the password you use for it isn't secure. Your encryption password should be just as strong as (and different from) your root/admin password. And don't store the password on a sticky note.

Make sure you encrypt your backups, too. There's no use encrypting your working copy if a tape with an unencrypted version is sitting on a shelf six feet away.
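A check for the unencrypted-backup problem described above, as an added example that is not part of the original article: it flags files in a backup directory that carry a plain archive header or have low byte entropy. The header tables, the entropy threshold and the function names are assumptions for illustration; a "likely-encrypted" verdict only means the file looks random and should be confirmed.

```python
import math
import os
from collections import Counter

# (offset, signature, label) for common unencrypted archive containers.
PLAINTEXT_MAGIC = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"BZh", "bzip2"),
    (257, b"ustar", "tar"),
]
# Headers written by common file-encryption tools.
ENCRYPTED_MAGIC = [
    (0, b"Salted__", "openssl enc"),
    (0, b"-----BEGIN PGP MESSAGE-----", "ASCII-armored OpenPGP"),
    (0, b"age-encryption.org/v1", "age"),
]
SAMPLE_BYTES = 65536
ENTROPY_THRESHOLD = 7.5  # bits per byte; an assumed cut-off, tune for your data

def entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(head):
    """Return (verdict, detail) for the first bytes of a backup file."""
    for table, verdict in ((ENCRYPTED_MAGIC, "encrypted"), (PLAINTEXT_MAGIC, "unencrypted")):
        for offset, sig, label in table:
            if head[offset:offset + len(sig)] == sig:
                return (verdict, label)
    # No known header: ciphertext looks random, plaintext does not.
    if entropy(head) >= ENTROPY_THRESHOLD:
        return ("likely-encrypted", "high entropy, no known header")
    return ("unencrypted", "low entropy, no known header")

def audit_backups(directory):
    """List (relative path, detail) for every file that looks unencrypted."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                verdict, detail = classify(fh.read(SAMPLE_BYTES))
            if verdict == "unencrypted":
                findings.append((os.path.relpath(path, directory), detail))
    return findings
```

Call `audit_backups()` on the directory or mounted medium that holds the backups; an empty list means nothing looked like plaintext.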

Conclusion

Consultants need to be even more careful about security than most businesses, because otherwise we expose our clients' businesses too. Failure to diligently prevent intrusion or data loss could not only sour your relationship with your client, it could cost them a lot of money and possibly make you the target of legal action. It wouldn't help your reputation, either.

Security is too often one of those priorities that we plan to get around to when we have time. It suddenly becomes an emergency only when it's too late. Lock it down today.

About

Chip Camden has been programming since 1978, and he's still not done. An independent consultant since 1991, Chip specializes in software development tools, languages, and migration to new technology. Besides writing for TechRepublic's IT Consultant b...

8 comments
jfuller05

Do you like Logmein?

Sterling chip Camden

... until your comment. I don't know enough about it to say one way or the other. Perhaps someone else who has tried it can add a response.

reisen55

I will give TrueCrypt a try. My own theory has been far simpler: never EVER have live client data PER SE up on a system. 23 out of 24 hours a day, or less, my dedicated system for storing client DATA is turned off. I carry a drive with me in my bag and throw that into the trunk of the car so it cannot be seen - hello SAIC and TRICARE. But it is also rarely EVER connected to anything as well. I have some information, never passwords, available and that is limited exposure. My only real hole may be using DYNDNS.ORG for dns forwarding to systems but I plan to improve that by taking port 3389 off the standard list and routing upward to, oh, 3340 or something and just avoid 3389 altogether.

apotheon

If you have to maintain servers for various operations dealing with clients -- VPN servers, Web servers, offsite backup servers, et cetera -- it might make sense to keep them segregated on separate systems so that security issues with one of them will not provide an exploit path to the others. Thanks for linking to so many of my articles, by the way. I'm glad they were of use when you wrote this article.

AnsuGisalas

That way, if for some reason the client relationship ends, data can be handed back (or destroyed) - as is - without consequence for other clients.

Sterling chip Camden

I haven't done that, but the cost of storage media is no longer an obstacle to that practice. Thanks!