
Five dangerous and often overlooked IT security risks

Bill Detwiler reveals five common security risks all organizations have and that many IT pros overlook.

IT admins are often so busy just trying to handle the obvious security threats (like malware and external attacks) that many more problems fly under the radar. During this episode of TR Dojo, I reveal five common security risks that are likely lurking right under your nose.

For those who prefer text to video, or who want to see the full list of 10 security risks, click the View Transcript link below the video player window or check out Justin James' article, "10 security problems you might not realize you have," on which this video is based.

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

5 comments
omesie

A good solution is to let people keep their password permanently (or at least for a year) and provide everyone with a PIN generator. Check out something like an RSA SecurID or something. No, I don't work for them and I don't use them either, but it's definitely something worth looking at, looking at how confusing passwords are getting lately. I myself have about 15 passwords at the moment and that number keeps growing. (Yes, I do use a password management application, but if the password to access that was ever discovered, then I'm in trouble.) A keytag means you always have to keep it on you, and only a person who has that and your password can log in as you. If it's ever lost, it's reported and you receive a new tag, which causes its own problems. Collins2 - Maybe it's worth setting up an expiry time on accounts that aren't in use? Especially for PCs used by multiple users? We have lots of them as well but don't have any solutions in place yet either, but are looking at ways around it at the moment. Another option was to have a generic username for the actual PC that has no access to network resources (except internet) and have a Citrix / terminal server connection for users that automatically boots them out after half an hour of inactivity. I guess what I'm trying to say is there is no right or wrong answer to security. It all comes down to the risks we're willing to take and how much money we are willing to spend for specific circumstances. If you throw too much security on your systems, people will complain at how difficult it is to log in, and if you don't have enough security you'll easily be hacked, but at least the users will be happy. Anyway, I've rambled on long enough. Comments (or abuse) welcome.

Colins2

I have to agree with everything that Mike wrote above. In addition, I'd like to add the problems caused by over-zealous IT departments requiring users to change passwords at short intervals, as is the case where I work. This also leads to passwords being written down and stuck on the monitor. Another point is that we do not have single user access to a workstation. Several people will use each machine which leads to a lot of people knowing the passwords to the most commonly used ones. I do realize that this is not the norm in (say) a large office-based organization, but not everyone works in an office. In my case, perhaps 20% of the workforce are not office based but are still logged in to the office servers.

MikeGall

Overly complex password requirements or vendor generic logins. I've worked at a few hospitals and know for a fact that, for example, in radiation therapy the two major vendors of equipment use generic passwords for admin access to the machines across all sites. 90+% of sites leave them as is for convenience when a technician comes in, but that means that anyone who has ever worked at a cancer centre can access your machine. Overly complex passwords: if people can't remember them they will write them down. I've seen sticky notes with passwords on them, again in a healthcare environment, with the password on it attached to the monitor. If the password is that hard to remember it serves no purpose. Even an 8-character alphanumeric-with-symbols password can be cracked in half a day or so (I worked at an IT department and we literally took the NT password hashes of everyone and fed them through a cracker; anyone that we cracked in less than 30 min we emailed and told them to change their password), but even hard ones we got in hours, not the days and years people would have you believe it would take. So your password isn't a security mechanism if it is so painful that it requires the user to do stupid things like email it to themselves so they can copy and paste it later.

zentross

Draconian micromanagement practices in one place where I worked had supervisors in two departments (fundraising and public relations) requiring that they know their subordinates' passwords in case the subordinate was not available. There are no good reasons for this practice with well-trained individuals who use shared network space to store documents or record client interactions on a client management system. The thing that made this even more maddening was that practically everyone in the department ended up knowing the passwords of the others due to frequent 'strategic reorganizations'.

mvandy62

Mike, you argue against simple passwords, then argue against complex passwords. If the complex passwords are easily cracked as you say, what then is the point of passwords at all? Well, cracking isn't as easy as you claim, as evidenced by the fact that you and the Bad Guys haven't cracked all passwords invented. And I think the Bad Guys have been trying for a while now. I totally agree about people writing down p'words - complex or not - I routinely induct new employees, tell them their temp. network p'word, and they say, "Wait, let me write that down." It's a constant battle that must be accepted and monitored by IT, much as we hate it. Educate, remind, remind, remind. Passwords, of course, are but one hurdle we employ in a (hopefully!) multi-layered security environment.
