Project Management

Security fundamentals for IT consultants

Erik Eckel highlights three common security failures that stand out from his years of IT consulting work. Make sure your clients are protected from these blunders.

Humility is an important quality in IT consultants. The industry has a way of knocking consultants down a peg and reminding professionals to mind their fundamentals when overconfidence sets in. Security, however, is an area in which consultants can't afford lapses, especially since Sarbanes-Oxley, HIPAA, and data sensitivity have become critical issues.

When I inherit systems, servers, workstations, and networks developed and administered by others, I see other IT consultants' mistakes. I've also seen security failures at the companies where I've worked.

Some security errors are simple brain-dead mistakes, such as affixing administrative usernames and passwords to a server via a Post-it note; other security offenses are less subtle, such as using the same password structure for each client. (Because of one competitor's administrative password naming scheme, I can now log on to any of their clients' systems replicating a simple password pattern.)

Of all the security failures that I've seen, there are three common ones that stand out. Review your consultancy's practices to ensure clients are protected from these blunders.

This column originally published in our IT Security blog.

#1. Permitting simple passwords

I'm truly shocked at how many so-called IT professionals permit users and colleagues to set simple passwords that consist of just letters and even words found in common dictionaries. Simple passwords are easily hacked, which can lead to identity theft, unauthorized use of proprietary data, embarrassing leaks, and federal data standard violations.

In racing, when newbies complain of the cost of a good helmet, the seasoned veteran answers "if you have a ten-dollar head, wear a ten-dollar helmet." If a client has gone to the trouble of investing heavily in firewalls, encryption applications, and additional security parameters, they should invest in requiring complex passwords. Whether the client is protecting a router, a user account, an email address, or another system, you need to insist that employees use eight character or longer passwords that use all of the following: uppercase letters, lowercase letters, numbers, and special characters.

Sure, such passwords are inconvenient, but that's the point. Passwords are a critical component of typically multiple-tiered security systems that are all too often negated as a result of nonchalance. If I can memorize the 26 phonetic alphabet codes, and coworkers can commit to memory the 486 tongue-twisting words to the I Am The Very Model Of A Modern Major General song from The Pirates of Penzance, users can memorize eight to 10 or more characters.

Also, be sure your passwords don't follow the same naming patterns because that's too simple, even if you use complex characters. For example, if one discovers that Acme's server administrative password is Acme*123, it's not going to be too difficult to determine that the Smith company's administrative password is Smith*123, is it?

#2. Deploying equipment using default passwords

IT consultants who deploy business-class equipment using default passwords should return whatever service fees they collect to their clients. Exhaustive lists of default passwords are a simple Google search away. This is exponentially more important when deploying routers, firewalls, and other systems that are accessible from the Internet.

As I explain to clients, your data or company doesn't need to be all that sexy to be of interest -- far from it. Hackers write robotic programs that scour the Internet for nodes that respond. Once a node responds, the device becomes a target for attack. This is true whether the device is stationed inside a plumber's office or a bank.

When organizations need to ensure remote administration of devices is possible, your office can work to restrict authorized connections via originating IP addresses to tighten security. But whenever a security device or any node is connected to the Internet, default passwords should be changed. By using tough-to-crack passwords on equipment, you make it difficult for unauthorized users to gain access, whether those unauthorized users are bored internal employees, angry and disgruntled ex-workers, or black hat criminals.

#3. Sharing passwords via unencrypted email

It never fails. Organizations invest in enterprise-class firewalls, deploy disk encrypting software, and institute multiple-tiered logins -- which each require different usernames and passwords that must regularly be reset and cannot match previously used passwords -- and then someone emails the keys to the kingdom via unencrypted email. Forwarding administrative passwords via unprotected email, even to authorized users or colleagues, is a practice all IT consultants should eliminate.

Email is inherently insecure. Messages pass not only through the sender's email server but to the recipient's server and through an inestimable number of systems in between. Each step in the chain offers the potential for unauthorized users.

I used to be more cavalier regarding security, but years of IT consulting and experiencing the myriad and shocking ways in which businesses battle competitors, disgruntled staff, and others, I place a much greater emphasis on following security fundamentals. One excellent security fundamental that will help keep systems safe is avoiding sending passwords via clear text email. Just don't do it.

Related IT security resources on TechRepublic

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

4 comments
bmnfan
bmnfan

The rule is retarded. There is nothing inherent evil about simple passwords. As there are simple applications which are non critical to the business, there don't have to be complex passwords for ALL fifty apps in each organization. In fact if you force users to use idiotic lengthy passwords for a wiki and holiday planner, you'll guarantee that users will resort to using the IDENTICAL password and the MOST SIMPLE they can get away with. Complex passwords should only be required where it's sensible. Instead of forcing them with unknown constraints, there should be visual feedback about password strenghts. Instead of policy enforcement, there should be user education. And let educated users make educated choices. With one dumb rule for everything, you are defeating the purpose of a security system much worse than with lax policies.

Erik Eckel
Erik Eckel

I agree that requiring complex passwords often results in clients posting passwords on sticky notes. But I believe consultants have a responsibility to protect client's data. Just tell a company that's lost confidential data as a result, or inadvertently exposed customer, client and/or business partner data and committed an unauthorized distribution of sensitive data, that complex passwords are unnecessary. You'll hear quite a different story in response.

heather.cato
heather.cato

Low hanging fruit for IT Auditors. I see this crap all the time.

kevaburg
kevaburg

It is agreed that the concept of "buy a 10 dollar helmet for a 10 dollar head" is a great theory but there are a number of realities that hit us hard on the head when we get to the workplace. For example, I have just moved into a contract where I am managing around 120 Oracle databases and 150 SQL Server databases. For the Oracle machines, everyone logs on using their AD credentials which do not have to be rocket science hard. If they were, calls to the helpdesk to reset passwords would be prohibitive for the 15,000 users we have. The sa account in SQL Server has a format used for each server password that is based on its location and role. It helps administrators log on quickly and effectively when trouble brews. The format is a closely guarded secret and doesn't get out, but still represents, to a point, a potential security hole. I agree that too much standardisation is a bad thing and makes for security holes where none should exist, but the reality is that if too much complexity is built in, passwords have to be written down in order to remember them all. That in itself offers up the possibility that the notebook with the passwords is inadvertently left in the open or stolen. Make the passwords too simple and other people can guess them. Where then, is the boundary between what we regard as acceptable and unacceptable? Is it based on what we deem the worth of our data to be or is it based around an unfeasable paranoia that normal people would think is well over-the-top? My problem is that I work to the requirements of my clients and if my clients want something done a particular way, I can do nothing more than advise them. The final decision is theirs and the consultant is not always the one to blame. Out-of-the box passwords are another issue that I have had with clients in the past. The situation whereby I ave advised a client to change the default and they have come back with the answer "I will change it when you have gone". I too have seen the problems you have described but at the end of the day, the client has the final word. Where hundreds of passwords have to be remembered, is it really realistic to have them all unique and complex?