Monday, 13 August 2007

IT dos and don'ts: my submission to the WSJ

I've just been informed by our friend at the Wall Street Journal, Vauhini Vara, that her next security article is running on Tuesday, with some input from your humble author. I have to admit I'm still a little nervous. So, here is my version, unaltered, with references where I've taken chunks of text from other people's sites.

Vauhini asked me for "tips that employees can use to do a better job using IT without violating company policies". I interpreted that into my own personal list of dos and don'ts. Some you may find horribly familiar, some you may disagree with, in other cases the examples may not be spot on. I'm sure you'll all be able to find something to criticise in fact, but for me this was about security awareness rather than the exact technical reasoning for each case.

Whether she uses all or any of these is up to her of course, she may not use any of it at all. Either way I hope to breathe a sigh of relief at some point tomorrow.

So here goes nothing:

  1. Passwords:
    1. Don’t keep passwords on a post-it note on stuck to your monitor, if someone has your username and password, they can masquerade as you and anything they do on the network is then your responsibility.
    2. Don’t make your password a name (of a pet or partner for example). Password crackers use lists of names to break into poorly protected accounts.
    3. Do use passphrases to remember your password, for example: “Vauhini is always safe for work” becomes “Vias4w”. This will help you remember the password and avoid the need to write it down AND makes it harder for crackers to discover by brute force.


LexisNexis 2005 – In September 2005, the company discovered 59 incidents of improper access to the data. Perpetrators used computer programs to generate IDs and passwords that matched those of legitimate customers. In other cases, he said, hackers appear to have collected IDs and passwords after using computer viruses to collect the information from infected machines as they were being used. 310000 users of the LexisNexis database were potentially affected.

[NOTE: This is taken from Milton Sutton's Security Breach Notifications paper, here.]

  1. Internal documents:
    1. Don’t send huge files over the internal network via email. This will slow down the mail server, and if there are many parties working on a document and they all “Reply to All” each time it is sent, the mail server can be put under enormous strain unnecessarily.
    2. Don’t just change things in documents and expect the other people editing it to magically know what you’ve done, or accept it.
    3. Do keep files in a centrally available storage space which everyone working on the document has access to. Restrict access to any other parties accordingly.
    4. Do switch on “track changes”, so that when any user makes a change or a comment, it is recorded and logged.
    5. Do assign an owner of the document who can review and agree to all changes, make the necessary rights changes and say when the deadlines are supposed to be for edits.


A company in the UK was renovating a toilet in their head office. A helpful PA sent plans around to each of the directors asking for feedback on the attached plan. This plan was around 8Mb in size, not huge, but enough to incur a wait to download, even on the local network. So, whilst 8Mb to 8 directors caused a barely noticeable twitch in the network, what happened next shows the with sending large attachments, even of a relatively small size as 8Mb.

The directors all replied to the email, each of them copied in each of the other 8 directors, with the plans attached, with their adjustments made. 8*8*8=512Mb. Now half a Gb of information was travelling through the mail server. A slightly longer delay took place, but everyone eventually got their mail. The managing director emailed all 60 employees of the company for their feedback. After the struggling server mailed out 60*8Mb of plans, EVERYONE in the company mailed back their version of the plans, with EVERYONE in the company copied in, these copies were returned each time one managed to squeeze through. N*60*60*8 = mail server death. The mail server crashed and all the plans were lost. Eventually a meeting was held, and the plans discussed on paper.

[NOTE: I remember reading this story sometime last year, and it stuck with me because it's so stupid. If anyone has any reference for it, I would be very pleased to hear from you.]

  1. Storing files:
    1. Don’t store all your work files on your local machine. This is a hard one to remember, especially if you are very mobile, but laptop theft is the number one global cause of data loss.
    2. Do store private work files on central storage inside your company, and not on your local machine. If you need to take confidential documents home to work on them on a laptop or other portable storage device, make sure the document is encrypted in storage.


Merill Lynch, August 7, 2007: A computer device apparently was stolen containing sensitive personal information from Merrill Lynch, including Social Security numbers of some 33,000 employees. It was not encrypted.

  1. Reporting incidents:
    1. Don’t waste your support team’s time with pointless calls. Check everything before you call up. I worked on a helpdesk many years ago, and about 75% of calls were for network printers around the (very large) building not working. Around 50% of these were solved with the words “is it switched on?”
    2. Do check everything you can think of before calling up. The more information you have about the problem you are reporting, the more chance there is that it will get fixed, and the quicker the helpdesk will be able to respond.


The place mentioned below charges about $100/issue for tech support:

  • Tech Support: "So what can I do for you?"
  • Customer: "I'm trying to run Live Update with Norton, and it came up to a screen with a list of updates, and it says 'Next.' What do I do?"
  • Tech Support: "Did you hit 'Next'?"
  • Customer: "Oh, it's working now."
  • Tech Support: "Anything else I can do for you?"
  • Customer: "No, that's it, thanks."
[NOTE: This exchange is taken from the RinkWorks site. Have a read, it's very funny.]

  1. Email usage:
    1. Don’t reply to spam mails under any circumstances. Sending “unsubscribe” to a spammer is fruitless. This lets the attacker know your address is valid, and will not stop further mails, but more likely increase the amount of spam you receive.
    2. Don’t get sucked in by hoaxes. Every time there is an event, especially one which pulls on your heart strings, a callous spammer will try to take advantage. If you are asked to send a chain mail to help find a lost child, support cancer awareness, etc. don’t send it on. If you are in any doubt, look up the text of the mail on a search engine. If it has been caught as a spam already it will show up on various websites as such. Many chain emails threaten a horrible fate if you do not, don’t worry, this won’t happen.
    3. Do report spam and phishing emails to your administrator so they can be filtered out. Do report phishing emails to the institution they are purporting to be from.
    4. Do switch on email security. Disable links in emails until you specifically choose turn them on. Spammers and phishers often put active links inside emails so that when they are read it notifies them. They then know your address is a legitimate one and will continue to send you trash.


The “Love Bug” virus of 2000. It is estimated that the so-called "Love-Bug" email virus caused some $10 billion in losses in as many as 20 countries. The virus was originally distributed in an email with the subject line "I love you". The message contained the text "kindly check the attached LOVELETTER from me" and an attached file called LOVE-LETTER-FOR-YOU.TXT.VBS. If this attachment was opened it replicated itself and transferred itself to all addresses within a user's email address book. The virus also deleted graphic files ending with the letters jpg or jpeg, and altered music files ending in mp3 to make them inaccessible.

[NOTE: This is taken from the World Socialist Website.]

    1. Don’t download anything from sites you do not trust. Check with your IT department if you are not sure of the trustworthiness of a site.
    2. Don’t visit porn sites or cracking sites at work, they will almost certainly contain viruses.
    3. Don’t install any software on your work machine without checking with IT. You probably won’t have rights to anyway, but even attempting to can launch viruses which are not necessarily detectable by your antivirus.
    4. Do assign a dedicated machine in the office for downloading, off the shared domain. If there are any problems then the single machine can be isolated more quickly than if it was part of the network.


In 2005, a website “” was set up, purporting to have the leaked version of MSN Messenger.

However, the download offered from the Web site did not contain Messenger code. Instead, clicking on the site download links installed a virus and caused Messenger to send download links for the malicious site to IM contacts. The virus also connected infected machines to a remote "botnet" that was used to issue commands to the infected host.

This type of attack has been successfully used to bring web services to a halt in many companies, and more publicly a complete denial of the content filtering service of Akamai in 2004.

  1. Social engineering:
    1. Don’t let your guard down when it comes to personal information.
    2. Do question people if they ask for any personal details over the phone or in person. For example, banks will not ask you for your password or PIN over the phone.


AOL experienced a social engineering attack that compromised their system and revealed confidential information of more than 200 accounts. In that case the caller contacted AOL's tech support and spoke with an employee for an hour. During the conversation the caller mentioned that his car was for sale at a great price. The employee was interested, so the caller sent an e-mail attachment with a picture of the car. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall. Through this combination of social engineering and technical exploitation, the caller gained access to the internal network.

[NOTE: This is taken from Audit My PC website.]

Choicepoint 2005 – Scam artists found their way into computer systems, gaining access to personal data on about 145,000 people, resulting in at least 750 cases of identity theft.

And finally… always be aware of your security policy. The biggest issue with problems relating to IT and Security in the workplace come through ignorance:

Security policy:

  • Don’t ignore your security policy. It’s there for a reason, and if you are aware of it, you won’t get caught out.
  • Don’t think penalties for breaching policy will not be enforced.
  • Don’t think you won’t get caught. IT systems are full of logs which can be searched for many months or years after an event.
  • Don’t rely on a plea of ignorance if you are. Just because you aren’t aware of the security policy, doesn’t mean it doesn’t apply. The penalties are still there, even if you don’t see them.
  • Do take time to familiarize yourself with the company security policy. Make others aware of it if you think they are in breach.
  • Do report others’ breaches to the administrator of the network. You will be able to do this confidentially, and the administrator will know of ways to keep your identity safe.
I'm sure I've missed stuff, and I expect I've made errors along the way, but hopefully Vauhini's superior reporting skills will weed out any of the inconsistencies...

See you at the showdown. Just remember, I did it for Security, not the fame.

Can someone save a copy for my Mum? Thanks.

No comments: