Showing posts with label Balancing Security and Useability. Show all posts

February 22, 2009

Instant Messaging in the work place

No no no, this is not some blog about how instant messaging is a waste of company resources, or about how to do it without getting caught. This is a blog about how great a tool instant messengers can be for a company.

As a tech, instant messaging has been a tool that I have used in the workplace for as long as I can remember. It, along with email, is the primary way I contact other techs. Recently, many clients have thought about implementing a good instant messaging package for their employees to use, but are concerned about the risks IM software poses, as well as the loss of productivity that may occur if people can just chit chat all day. While both of these concerns are valid, there are solutions for both, but before we worry about the risks of using instant messaging software, let's look at some of the benefits.

The Benefits:

  1. Fewer Interruptions - A lot of the work I do requires me to concentrate on several things at once. Because of this, other interruptions, big or small, can cause a problem. If I'm "in the zone" and get a phone call or, even worse, someone comes over to talk to me, I usually get distracted and then have to take the time to regroup my thoughts before I can get back to what I am doing. Sometimes it takes only a minute, but sometimes it takes longer, depending on the task at hand. If someone IMs me, I can wait until a natural break in my work occurs, like when I complete a thought and write it down; I can then look at the message, respond, and move on. And let's face it, most things can wait a couple of minutes, so that delay usually isn't a big deal, and if it can't wait, you can still call.
  2. Convenience - For me, instant messaging is easier and more convenient than making a phone call. I have a list of names in front of me so I don't need to look up a number, and most times I only have a quick question, so it's just simpler to ask. It also gives the other person a minute to look up an answer if they need to, and you aren't wasting that minute sitting on hold. You also aren't interrupting the person, as mentioned above.
  3. Tracking Employee Conversations - Yes, I know, most people absolutely hate this, but it is a perk for a business. My company logs all conversations held via IM for every employee, and the boss will occasionally read through the logs just to see what we are up to. Do we stop joking around, sending funny links and pictures? Nope, and he doesn't expect us to. Then why does he do it? So he can see what we are up to. If we are asking each other a lot of questions, or a lot of people are asking about the same thing, maybe it's time for an email explaining something, or a training session. If we are all complaining about a customer, maybe it's time to reevaluate them as a customer. It is also helpful when we ask a question of a superior, do what we are told, and it turns out to be wrong: we simply pull the log and say "I did ask, and was told to do this". The same goes for a dispute over what was said versus what was done. It gets resolved quickly.

The Risks:

  1. It is Informal - People sometimes forget that not everything should be discussed via IM. Confidential client information or confidential company information usually shouldn't be discussed over IM. IM should be an unofficial communication channel. Things that need to be "on the record" should be communicated in person or in formal writing, like email.
  2. Data Security - There are some risks when using IM. Most IM systems are not encrypted by default, because they are meant to be informal forms of communication, so anything typed can be read by whoever can see the network traffic. The logs are also often stored unencrypted, so information that shouldn't be shared may be exposed from the log files as well. Depending on the software you use, this data could also leave the company (although much of the IM software available currently has the ability to restrict chat to internal users only).
  3. Viruses and Malware - There are a lot of viruses and malware that target popular IM software, typically by pushing a link or a file transfer from an already-compromised contact. If you allow communication with outside users, this is an issue. To reduce the risk, make your IM internal-only and keep good AV software running.
  4. People will use it for Chit Chatting - Yes, people will chit chat with one another and talk about non-work-related things. As long as it is within reason, it's no big deal; they are going to do it anyway, and there are far worse things your employees can be doing than communicating with one another.


February 12, 2009

People are the weak link in security

Errata Security recently released their findings after analyzing 28,000 user passwords that had been stolen.

From the AFP Article:

"It found that 16 percent took a first name as a password, often their own or one of their children, according to the study published by Information Week.

Another 14 percent relied on the easiest keyboard combinations to remember such as "1234" or "12345678." For those using English keyboards, "QWERTY" was popular. Likewise, "AZERTY" scored with people with European keyboards.

Five percent of the stolen passwords were names of television shows or stars popular with young people like "hannah," inspired by singer Hannah Montana. "Pokemon," "Matrix," and "Ironman" were others.

The word "password," or easy to guess variations like "password1," accounted for four percent."

While I don't find the results all that difficult to believe, I am still amazed by how little people seem to care. Your username and password are the key to who you are online or on a computer network. If someone steals them, they are you for that moment. In the case of these passwords, I partly blame the administrator of the network that allowed such weak passwords to be used. While we can't expect everyone to understand what makes a password strong, I can expect those tasked with the security of a website to know.

The Do's and Don'ts of strong passwords:

Do:

  • Use a minimum of 8 characters
  • Include both upper and lower case letters
  • Include at least one number
  • Include at least one special character

Do not:

  • Use your name, your kids' names, or your spouse's name
  • Use your birthday, anniversary, kids' birthdays, etc.
  • Use simple words like love, hate, dog

Things like names and dates are easy to find out and are the first things tried. Simple words are easy to guess, and password cracking software will try common words (along with the obvious variations, such as a trailing digit or a 0 in place of an o) before it ever resorts to random characters.

Your password does NOT have to look like this: Yffg87^7!!4f (although I do know several administrators who use passwords like that). That type of password is unnecessary for most things. Sure, a brute-force attack would take a very long time to hit it, but it is also very hard to remember, which usually means it will be written down and kept somewhere, which means someone can steal it.

Instead, use something you can remember: a word with special meaning, a phrase, or a song title like H0telCalifornia! This gives nearly the same protection and has the benefit of being remembered. Length is what does most of the work here; sixteen characters are far beyond brute-force range. Swapping a 0 for an o or adding a trailing ! costs a cracker little, since its rules try exactly those tricks, so a phrase only you would think of is a safer base than a famous title that might turn up in a wordlist.

Remember, strong passwords need to strike the balance between security and usability. If you can't remember it, it is useless, but if it's easy to crack, it's a security risk, so find a happy medium.


August 13, 2007

Balancing Security and Usability: The Human Factor

Social Engineering: n. the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information

One element of digital security that is typically overlooked is the human element. People, for the most part, are trusting and want to help others in need. While this may be good for the human race in general, it's not good for security, and that's what we are talking about.

Training staff members to recognize and protect sensitive data is imperative to keeping it secret. In addition to recognizing what should be considered sensitive, a staff member must also recognize an attempt by an unauthorized person to obtain that data.

For instance, most companies post the names of their executives or other prominent members of the organization on their website. If a person calls one of your smaller offices and someone low in the company (we'll call her "Jen") answers the phone, and the caller says they are the VP of sales, most employees probably wouldn't challenge that claim unless they happen to know the VP personally or have at least met enough times to recognize the difference in voice. Because of this, Jen is probably going to be on her best behavior and want to help as much as possible. If the caller says they are on a business trip and can't seem to find the number for the IT department or help desk because they need their password reset, I'm sure Jen would happily turn over that information, because what harm could that do? Now the caller can dial that inside number, but instead of claiming to be the VP of some department, they say they are a new employee (with another phone call a person can obtain the name of a real employee) and that Jen told them to call here to get their password reset. This gives the caller some perceived credibility, since they seem to know a person in the company, and also because they are new, people want to help them. So the person taking the call, if not properly trained, or if no checks are in place, will reset the password for them, and the intruder now has a username and password to access company information.

This is a really simplified example, but unfortunately it's not unrealistic. Without proper training, staff won't challenge someone they perceive to be their superior. So staff need to both know they should do this and also feel comfortable doing it. In the military, soldiers are trained to challenge those who approach an area they are guarding; they are taught that they should respectfully demand proof of identity even when the person claims to be a superior. This is the mindset staff should be trained with. No one wants to inconvenience another person, especially a superior, but for the sake of security and confidentiality, it is sometimes necessary.

So how do we prevent things like this from happening? There are a few things that can be done.

* Teach staff to identify sensitive information, and properly label items as "internal use only" or "confidential" to prevent any confusion.
* Be sure staff know never to share their password, not with anyone, not even the IT staff. Your IT department can reset the password if they need access to your account; it's rare that they will actually need your password.
* Put policies and procedures into effect that control how usernames and passwords are handled. Who can do password resets? Who can authorize them? And how do you verify the identity of the person requesting one (for example, by calling them back on the number listed for them in the company directory rather than the number they called from, or by requiring their manager to confirm the request)?

But primarily what you need to do is educate your staff and have them understand the reason these things are considered sensitive. Saying "this is bad" doesn't mean much to a lot of people; explain why it's bad, explain what can happen if that data is released to the wrong people, and be sure they understand it. Have consequences for when data is mistakenly released, but do not rely solely on the fear of consequences to get staff to follow these rules. And of course treat your staff well. People who feel appreciated, who are happy at their jobs, and who feel they are a part of the company will protect its interests. A guy you yell at, who hates where he works, and doesn't really give a damn will probably give up whatever info is asked for just because it makes no difference to him.


August 10, 2007

Balancing Security and Usability: Biometrics

Biometrics: n. The measurement of physical characteristics, such as fingerprints, DNA, or retinal patterns, for use in verifying the identity of individuals.

In recent years the use of biometrics as a way to authenticate users has become more and more popular. Fingerprint scanners are now readily available at electronics stores and are becoming standard on laptops. The reason is that fingerprint recognition is an easy and fairly accurate way of identifying a person without the need for them to remember a password. In addition to fingerprint recognition, some buildings have begun using palm scanning and (to a much lesser extent) retinal scanners as a way to identify the person who is trying to get in.

Why Biometrics are gaining popularity:


  • Each person has unique characteristics (fingerprints, palm prints, retinal patterns, etc.), even identical twins, so both duplication and imitation are difficult.

  • It is more convenient for a person to place their hand or finger on a scanner for 1 or 2 seconds than it is for them to type in a password

  • A person can't give out their fingerprint the way they can a password, and it is much more difficult to steal a fingerprint than it is to intercept a password (though, as discussed below, not impossible).

  • The cost of implementations is dropping

  • They are a relatively easy way to add another layer of security to your environment.


Biometrics, like most other forms of security, are best used in layers. So in many cases (especially those involving access to buildings, offices, or vaults) your fingerprint or palm scan is only part of the equation. Many times you must present your fingerprint and, once that is accepted, enter a password or PIN. This type of setup is more secure than having a person use a username/password combination because it requires the person to both know something (their password) and be someone (their fingerprint, which cannot be handed over or written down), so gaining access becomes much more difficult for an intruder.

There are downsides to using biometrics, however. One major downfall of using fingerprints or palm prints is the fact that they can change with age or even with the weather. If your hands are cold your skin will shrink a little and change your fingerprint slightly, and if you have lotion on your hands, or your hands are damp in general, the scanner will get an inaccurate reading. Or if you are in an environment where employees' hands are prone to calluses or cuts (construction work, for instance), the finger and palm prints may be altered temporarily. The quality of both the equipment and the software you are using comes into play here. Most fingerprint recognition software can accommodate the slight changes that occur due to weather or dampness, but it will struggle to identify the fingerprint if there is a large cut or callus over it.

Retina scanners are also very expensive, and many people are hesitant to let a light shine into their eye. Also, contact lenses can cause the scanner to get an inaccurate reading and will cause problems.

However, the use of biometrics is not foolproof. As any form of security becomes popular, there are people looking for ways to get around it. Many people have found some simple ways to trick fingerprint readers into allowing them access. For instance, some were able to lift a previous fingerprint off of the reader using standard fingerprinting techniques used by police (i.e. dust to stick to the oils left behind and removal with tape) and then replicate that print using latex, and in a few cases using gelatin (the "gummy bear" finger that Tsutomu Matsumoto demonstrated in 2002) to hold the print temporarily. So stealing a fingerprint may be harder, but it's not impossible. Stealing a palm print is even harder to do since palm shape is also taken into consideration, so a simple glove wouldn't do the trick, but still, palm scanners have been beaten.

Because of these flaws, having staff who are aware of the danger of intruders is crucial, and that will be the topic of the next part of the "Balancing Security and Usability" series.


August 8, 2007

Balancing Security and Usability: Passwords

For this portion of the Balancing Security and Usability Series we will discuss the following things:


  • Using Passwords effectively

  • "Weak" v. "Strong" Passwords

  • How passwords get cracked

  • Password Complexity Policies


Passwords:

One of the most well known, effective and easily implemented forms of security for a computer is a password. A password is a string of letters, numbers, or special characters (!, @, #, $, etc.) that individuals set in order to prevent unauthorized people from accessing data. Passwords can be set on individual files/folders and then shared among authorized users, or set on individual user accounts, each of which has permission to access particular files/folders.

Not all passwords are created equal, and some are better than others, but in general any password is better than no password. What differentiates a "strong" password from a "weak" password is its length and complexity. For example, the password "password" is not as good as "Pa$$Word!", because the first is trivial to guess and to crack (though, as the next section shows, the second is only a modest improvement).

To understand why some passwords are better, it helps to know how password cracking tools work. There are two basic types of attack. The first is called a "dictionary attack". Essentially the tool tries words it pulls from a list pre-defined by the attacker, in the hope that one of them is correct. So "password", which is found in any such list, would be cracked in seconds. "Pa$$Word!" is not a real word, so it is only found if it is on the list itself or, more likely, if the tool's mangling rules (swapping $ for s, capitalizing, appending !) generate it from an entry that is. Modern cracking tools apply exactly these rules, so a dictionary word with substitutions buys far less than it looks like it should. The second is called a "brute force" attack. It simply strings together every combination of characters in turn until it hits the correct one. This attack always succeeds if given enough time, and the number of combinations grows as (size of character set) to the power of (length), so the only defense is to make the search impractically long. This is why longer, more complex "strong" passwords are much more effective.

In addition to having a good, strong password, it is helpful to change it at periodic intervals (6 weeks to 3 months is a typical time frame). The reason for this is that if someone does get hold of your password, they won't be able to use it forever, because it will eventually change, so they have to go through the cracking process again and again risk getting caught. (Be aware that forced rotation has a cost of its own: newer guidance, such as NIST SP 800-63B, recommends against mandatory periodic changes unless compromise is suspected, because users tend to respond with predictable variations of the old password.)

One way many companies prevent passwords from being guessed is by "locking" accounts that have too many failed login attempts. So for instance, if the incorrect password is entered 5 times in a row within an hour, the account gets locked and the user must contact the administrator. Or companies may limit how many times you can attempt to log in within a given time, so a person may only attempt to log in 5 times within 15 minutes before the account is temporarily locked. After the 15 minutes, the account is unlocked and the user can try again. (This slows the attack process and increases the risk for the attacker.) Two caveats: a permanent lockout lets an attacker lock any user out on purpose by entering wrong passwords for them, which is why the temporary form is usually preferred, and a lockout only helps against guessing through the login prompt. An attacker who has stolen the password hashes cracks them offline, and the lockout never fires.
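Here is what that second policy (five failures within fifteen minutes, then a fifteen-minute lock) looks like as code. This is an added illustration, not the post's own code. It assumes a single in-memory store and a caller that supplies the clock, so the policy can be tested deterministically; a real deployment keeps the state server-side, shares it across login servers, and also throttles by source address, since an attacker who spreads a few guesses over many accounts never trips a per-account counter.

```python
"""Failed-login throttling with a temporary lockout. Added illustration,
not the post's code. Assumptions: single-process in-memory state and a
caller-supplied clock (seconds); a real deployment stores this
server-side and shares it across login servers."""
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account for lock_seconds once max_failures failed attempts
    land inside window_seconds. The lock is temporary on purpose: a
    permanent lock lets an attacker deny service to any user simply by
    mistyping that user's password enough times."""

    def __init__(self, max_failures=5, window_seconds=15 * 60,
                 lock_seconds=15 * 60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def _record_failure(self, user, now):
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            q.clear()
            return True
        return False

    def attempt(self, user, verify, now):
        """Outcome of one login attempt: 'locked', 'ok' or 'denied'.
        verify is a zero-argument callable that checks the password. While
        the account is locked it is never called, so an attacker cannot use
        the lock period to confirm a correct guess, and a correct password
        does not end the lock early."""
        if self.is_locked(user, now):
            return "locked"
        if verify():
            self.failures.pop(user, None)  # a good login resets the counter
            return "ok"
        self._record_failure(user, now)
        return "denied"


if __name__ == "__main__":
    t = LoginThrottle()
    for second in range(5):
        print(second, t.attempt("jen", lambda: False, now=second))
    print(5, t.attempt("jen", lambda: True, now=5))      # locked despite a correct password
    print(905, t.attempt("jen", lambda: True, now=905))  # lock expired: ok
```

Two details are easy to get wrong in practice: the window must slide (four failures on Monday and one on Friday are not an attack), and the check for the lock has to come before the password is verified, otherwise the "locked" response itself becomes an oracle for whether the guess was right.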

So now you must be thinking "Good, I'll make it so my users have to have a password that is at least 15 characters long, includes letters, numbers and special characters, and they have to change it every month." Unfortunately it's not that easy. What ends up happening a lot of the time is that if it is too hard for end users to keep their passwords straight, they write them down on a post-it note and stick it to their monitor. This sort of defeats the purpose. What also happens is your IT staff start getting a lot of calls to unlock accounts and reset passwords, which takes time and wastes resources. So you need to find a balance that works for your organization.

A typical mid-level security password policy might include the following standards:

  • Passwords must be at least 8 characters long

  • Password must contain 3 of the following types of characters: Uppercase letters (A, B, C, etc.), Lowercase letters (a, b, c, etc.), Numbers (1, 2, 3, etc.) and Special Characters ($, %, &, etc.)

  • Password cannot contain your username or your real name

  • Password must be changed every 90 days (password cannot be reused for 3 rotations)

  • Password must be in place for at least 7 days before it can be changed again


Again, this is just an example, and may not work for your organization. Maybe you don't need to have so much complexity, or you are ok with users never changing their password. Do what is right for your company.
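As an added example (not code from the original posts), here is the sample policy above as a check function, extended with the "do not" list from the February 2009 post higher on the page (names, dates, simple words). Assumptions: the common-word set and the sample user are constructed stand-ins for a real wordlist and the directory's own data, SHA-256 stands in for the stored password hash, and the dictionary check first undoes common substitutions ($ for s, 0 for o) before looking the word up. That last step goes beyond the rules listed above, but it reflects what cracking tools do, and it is why "Pa$$Word!" is rejected while H0telCalifornia! passes.

```python
"""Password policy check: 8+ characters, 3 of 4 character classes, no
username or real name, no reuse of the last 3, minimum age 7 days,
90-day expiry, plus a name/date/common-word screen. Added illustration,
not code from the original posts. The word set, sample user and SHA-256
hash are constructed stand-ins for real data."""
import hashlib
import string
from datetime import date, timedelta

MIN_LENGTH = 8
MIN_CLASSES = 3            # of upper, lower, digit, special
HISTORY_DEPTH = 3          # cannot reuse the last three passwords
MIN_AGE = timedelta(days=7)
MAX_AGE = timedelta(days=90)
DATE_FORMATS = ("%m%d%Y", "%m%d%y", "%d%m%Y", "%Y%m%d")
# Constructed stand-in for a real wordlist.
COMMON_WORDS = {"password", "love", "hate", "dog", "qwerty", "letmein", "welcome"}
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i"})

# Constructed sample user; "Jen" is the employee from the social
# engineering post above.
SAMPLE_USER = dict(username="jsmith", real_name="Jen Smith",
                   known_dates=[date(1980, 5, 14)],
                   last_changed=date(2009, 1, 1), today=date(2009, 2, 12))


def hash_pw(pw):
    """Stand-in for the stored hash (use a salted, slow hash in practice)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def char_classes(pw):
    return sum((any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation for c in pw)))


def base_word(pw):
    """Strip leading/trailing digits and punctuation and undo common leet
    substitutions, so 'Pa$$Word!' reduces to 'password'."""
    return pw.lower().strip(string.digits + string.punctuation).translate(UNLEET)


def check_password(pw, username, real_name, known_dates=(), history=(),
                   last_changed=None, today=None):
    """Return the list of policy violations; an empty list means the
    password is acceptable. history holds hashes of previous passwords,
    oldest first."""
    today = today or date.today()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = pw.lower()
    for token in [username] + real_name.split():
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains '{token}'")
    for d in known_dates:
        if any(d.strftime(fmt) in pw for fmt in DATE_FORMATS):
            problems.append(f"contains the date {d.isoformat()}")
    word = base_word(pw)
    if word in COMMON_WORDS:
        problems.append(f"is the common word '{word}' with trivial substitutions")
    if hash_pw(pw) in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if last_changed is not None and today - last_changed < MIN_AGE:
        problems.append(f"last changed less than {MIN_AGE.days} days ago")
    return problems


def days_until_expiry(last_changed, today=None):
    """Days left before the 90-day change is due (negative when overdue)."""
    today = today or date.today()
    return (last_changed + MAX_AGE - today).days


if __name__ == "__main__":
    for pw in ("password", "Pa$$Word!", "Smith1980!", "Xy!05141980",
               "H0telCalifornia!"):
        print(f"{pw!r}: {check_password(pw, **SAMPLE_USER) or 'OK'}")
    print("days until expiry:",
          days_until_expiry(SAMPLE_USER["last_changed"], SAMPLE_USER["today"]))
```

Returning the full list of violations rather than a bare yes/no is deliberate: the help desk calls the post warns about drop when the user is told exactly which rule they broke. The name and date checks need the directory's data for the user, which is also why this check belongs on the server and not in a client-side script.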


August 5, 2007

Balancing Security and Usability: Introduction

Computer security is a balancing act. Too little security and you are at risk of lost or stolen data, data that gets mistakenly altered or just read by people who shouldn't be reading it. Too much security and people who really do need the information can't get to it, or getting to the data is just so hard, it's not worth having. These lines are not drawn clearly, and a good SysAdmin must be able to work with those who use the data and with the management of the company to find where these lines should be.

Over the next few weeks I hope to address some of the challenges new System Administrators face when trying to establish a good security policy for their organization. I also hope to provide a little insight on these challenges for those who are not in the IT profession, or not in that part of the profession. The way I see it, the more we know about each other's jobs, the more understanding we can be when there are problems. So I hope you enjoy, and feel free to leave comments with your thoughts or recommendations.


Before we get started, there are a couple of things you need to realize when dealing with security, otherwise you will drive yourself crazy.

  1. There is no such thing as 100% secure. If someone wants something badly enough, they can get it.

  2. Your goal is not to make things impossible for unauthorized users to get to, it's to make getting to them more work than they're worth.

  3. Security is best used in layers. The reasons for this are:

  • There is always a way around an obstacle; having several in front of you makes it both much harder and much more discouraging to attempt.

  • It gives you, the administrator, more time to find out what is happening, and hopefully notifies you of a problem before there is a total breach.

  • It leaves a better trail to follow. It is much harder to cover your tracks when you have to take a dozen routes to get to a location.


When trying to determine the security needs of your organization several things must be considered. Some of them are:

  • Who will need to access the data?

  • Where will they need to access it from? (Just the office? should users be allowed to work from home?)

  • How important is the data? (Can your business function if it is lost?)

  • What are the repercussions if the data is seen by the wrong people? (If a competitor gets it, will it cost you lots of money? If the wrong staff see it, will it cause a drop in performance or morale?)


These types of questions need to be answered before you can implement any real security. For instance, if the data you are working with could cause the downfall of your company if it got into the wrong hands, you probably don't want to make it too easily available from outside your office (or inside, for that matter), but if the data is something like a general telephone listing for your company, you may want to make that easily obtainable.

Once you determine the level of security you need, you can look at the kind of security you want to use. There are several ways to protect data, and chances are you will be using more than one. In the next installment of this series, we will discuss the effective use of passwords.
