Saturday, February 23, 2008

Contracting On Insecure Computers

Every time I get on a new assignment at a new company, the first thing I have to do - every time - for any company large or small, is secure my computer. Each time I go in, it seems like firewalls are off, patches are severely out of date, and insecure, end-of-life or out-of-date software is running (including Flash, QuickTime, etc.). The one thing I cannot always do is turn off all unneeded services, because I am not sure what is and is not required by the company, but typically there are some hack-prone ones that I know can be turned off.

If this happens at even some of the biggest companies, that tells you IT has a big problem. Machines are set up with insecure configurations, and even if they are not, if someone leaves their desk with the machine logged in, someone else could jump on there and install some computer software as soon as they walk away. For instance, at one company they had me log in and then go get coffee, on a machine that was right next to another contractor I didn't know. Perhaps the guy is the greatest guy ever, but he's a contractor, right? What if, as soon as we walked away, he jumped on my machine and installed something that gave him a back door into my machine?

Don't assume I am just paranoid. Read the security articles across web sites as I do every day and then tell me it is not possible. The number one source of security breaches is internal employees - whether malicious, on purpose, or someone just trying to sabotage or skim.

Personally I think all employees should be told to lock their computer when away from their desk.

One company I was at had Ubuntu, and that actually made me nervous because I wasn't quite sure how to secure Ubuntu as well as Windows. And since Ubuntu is made by some guy in South Africa and open source, how is this thing being audited for security? I have no idea.

But then if a company uses Microsoft products and doesn't install service packs until after they've been out for almost a year, it might as well use Ubuntu. It's free.