As IT consultants, we often recommend security improvements to our clients, no matter whether our specialty is in security, networking, software development, or any other activity. Paradoxically, we consultants can sometimes be the biggest gap in our client’s security perimeter. We connect our devices to their network, often using elevated privileges, we exchange sensitive information with them over the Internet, and we store some of that sensitive data on our own media. If we aren’t careful in every one of those activities, we could easily expose our clients to a breach.
Connecting to your clients
It should go without saying that when you connect to client systems over the Internet, you should use an encrypted connection. A Virtual Private Network (VPN) can provide convenient, secure connections. Even with a VPN, though, you’ll want all network-mountable drives to be password-protected. I never use Telnet or FTP to access client machines, even within a VPN. Those protocols transmit passwords in clear text, so if a cracker manages to get past the VPN security, all s/he has to do is listen for Telnet or FTP traffic to pick up passwords that will give them access to systems on the network. Use SSH and SCP instead to add another layer of security.
Especially on Windows systems, it’s a whole lot more convenient to log in as an Administrator, but just say no. Use an account with lesser privileges, and elevate only when needed. That prevents someone who manages to acquire your credentials or run a program under your session from being able to take the whole enchilada.
Clients these days use email much like they use the telephone; they assume the conversation is private, when in fact it’s perfectly legal to “listen” to someone’s email transmission, and easier to do than tapping a phone if you have access to any node along the path. Furthermore, relay servers may keep copies of your email indefinitely. Yet, clients regularly send clear-text emails containing sensitive information that’s supposed to be under an NDA, sometimes even passwords and credit card numbers.
Some of this complacency comes from companies having their own email server inside their security perimeter. Clients think that anything they send to one another within the company stays inside the organization. That may be true most of the time, but not when one of those local addresses redirects to your external account as a consultant. If you and your client must use email for this kind of communication, at least encrypt it.
I almost fell out of my chair one day when a client, who prudently didn’t want to use email for sensitive information, sent it to me instead via a private Facebook message. “It’s private, isn’t it?” My response: “Did you get Mark Zuckerberg to sign an NDA?” (Even if he had, I wouldn’t trust it.)
Storing client data
Once we have client data on our own systems, we need to make sure it doesn’t fall into anyone else’s hands. Data stored on a portable device like a notebook, smartphone, or USB stick is particularly vulnerable, and we need to take steps to ensure that those devices aren’t lost or stolen. It can happen, though, so we should also encrypt sensitive data. Even when stored on a server that’s locked in a vault and not open to the Internet, encryption adds one more level of protection. Most operating systems provide some mechanism for volume-level encryption, or you can use a software product like TrueCrypt to create a virtual volume to encrypt only your sensitive data, instead of imposing the performance penalty of encrypting your operating system and applications.
Encryption won’t help much if the password you use for it isn’t secure. Your encryption password should be just as strong as (and different from) your root/admin password. And don’t store the password on a sticky note.
Make sure you encrypt your backups, too. There’s no use encrypting your working copy if a tape with an unencrypted version is sitting on a shelf six feet away.
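As an added example (not code from the original article), here is a small POSIX shell script that does what the two paragraphs above ask: it encrypts a backup of a directory with a key derived from a passphrase before the archive goes onto a tape or USB stick, checks that the archive exposes none of the plaintext, and proves that it restores. The `BACKUP_PASSPHRASE` variable, the function names and the sample data are assumptions of the example; it relies on `tar`, `openssl` (1.1.1 or later, for `-pbkdf2`) and `cmp` being installed.

```shell
#!/bin/sh
# Added example, not part of the original article: encrypt a backup archive with
# a passphrase before it goes onto tape or a USB stick, then prove it restores.
# Assumes a POSIX shell with tar, openssl (1.1.1 or later, for -pbkdf2) and cmp.

# encrypt_backup SRC_DIR OUT_FILE
# Streams SRC_DIR through tar into openssl, which derives an AES-256 key from
# $BACKUP_PASSPHRASE using PBKDF2 with a random salt. Reading the passphrase
# from the environment keeps it off the command line and out of shell history.
encrypt_backup() {
    src=$1; out=$2
    tar -cf - -C "$(dirname "$src")" "$(basename "$src")" |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass env:BACKUP_PASSPHRASE -out "$out"
}

# decrypt_backup IN_FILE DEST_DIR
# Reverses encrypt_backup using the same passphrase from the environment.
decrypt_backup() {
    in=$1; dest=$2
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:BACKUP_PASSPHRASE -in "$in" |
        tar -xf - -C "$dest"
}

# contains_plaintext FILE STRING: succeeds if STRING is readable in FILE as-is.
# Used to check that the archive on the shelf really is ciphertext.
contains_plaintext() {
    grep -q -- "$2" "$1"
}

# run_demo: builds constructed sample data in a temp dir, encrypts it, checks
# that the ciphertext does not expose the plaintext, restores it and compares.
# Returns 0 on success. The fallback passphrase is for the demo only; set
# BACKUP_PASSPHRASE in your environment for real use instead of hard-coding it.
run_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/clientdata"
    # Constructed sample content, not real client data.
    printf 'contact: jane@example.invalid\nnotes: NDA-covered material\n' \
        > "$work/clientdata/notes.txt"
    : "${BACKUP_PASSPHRASE:=demo-only-passphrase-change-me}"
    export BACKUP_PASSPHRASE

    encrypt_backup "$work/clientdata" "$work/backup.tar.enc" || return 1
    if contains_plaintext "$work/backup.tar.enc" 'NDA-covered'; then
        return 1    # plaintext leaked into the "encrypted" backup
    fi
    decrypt_backup "$work/backup.tar.enc" "$work/restore" || return 1
    cmp -s "$work/clientdata/notes.txt" "$work/restore/clientdata/notes.txt" \
        || return 1
    rm -rf "$work"
    return 0
}

run_demo && echo "backup round-trip OK"
```

Run it with `BACKUP_PASSPHRASE` set in your environment (the same passphrase is needed for `decrypt_backup` later, so it belongs in a password manager, not a sticky note). One caveat for real backups: `openssl enc` provides confidentiality only. Nobody can read the tape without the passphrase, but nothing in the archive detects whether it was altered. Where the backup must also be tamper-evident, a tool that authenticates the ciphertext (gpg's symmetric mode, for example) is the better choice.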
Consultants need to be even more careful about security than most businesses, because otherwise we expose our clients’ businesses too. Failure to diligently prevent intrusion or data loss could not only sour your relationship with your client, it could cost them a lot of money and possibly make you the target of legal action. It wouldn’t help your reputation, either.
Security is too often one of those priorities that we plan to get around to when we have time. It suddenly becomes an emergency only when it’s too late. Lock it down today.