A few things to consider when implementing IT security measures

After working with a range of business types and sizes I have noticed a common concern amongst the people I speak to regarding security, or specifically, information security.  They are worried about leaking confidential business information but also the risk of leaking personal information which is governed by the Data Protection Act.
In this blog post I will highlight a few steps you can take with Apple and online technologies to reduce the risk to your business.
The level of security you implement is of course a sliding scale depending on the size of the business and we would generally recommend only taking action when the cost to implement a security measure is less than the risk you’re trying to protect against.
It is also worth noting that by increasing security you are often reducing usability.  It is important to get this balance right so you and your staff can still do your work and not be overly hampered by excessive security measures.
So a few questions to ask yourself are:

  • If your email account was compromised, what damage could this cause?
  • If you lost your MacBook / iPhone / iPad, how easy would it be for the new custodian to gain access to your data?
  • If the user account details for one of your staff members were compromised, what impact could this have?
  • If you have security policies in place, how can you tell if the users are actually following them?

Things to consider

When you are considering implementing security measures there are a few key themes to take into account:

  • Attack surface area – Essentially, where is your data?  The more endpoints that have business data stored on them, the greater the risk that information will be compromised.  Also consider cloud services.  The more cloud services you use, the greater the risk, not to mention the vulnerability of the data in transit from your device / office to the cloud provider's servers, which will be travelling around the Internet, albeit in an encrypted form (I hope!).
  • Vulnerabilities – Taking the attack surface area into account, how vulnerable is each of these points of access?  Is the data encrypted?  Do you need to enter a password to gain access?
  • Passwords – Considering that user passwords are generally the “keys to the castle”, this is a big topic on its own.  I would consider what passwords people are using.  Do you have policies in place to electronically enforce the use of stronger passwords?  Do the users use the same password for other services (or possibly personal services such as Facebook)?  Are you sure that each of these services is secure?  Are you sure that where the same password is being used, none of these have been compromised?

What you can do

Minimise the attack surface area
This is more of a working practices topic but you generally need to avoid putting the data anywhere that it doesn’t need to be, or leaving data where it is no longer needed.  If the data does need to be stored in a particular location (such as on your MacBook), make sure you review and remove the data once it is no longer needed in that location.
If you use a central file server, get in the habit of working on the data, moving it to the server and then removing your local copy.  When it comes to cloud services, make sure you use trusted providers and if you are putting your data on their servers, make sure they are using SSL and you have strong passwords in place.

Vulnerabilities
For Apple devices there are a few key alterations you can make (or may have already made) that will really help to reduce these vulnerabilities:

  • Turn on disk encryption – This is to make sure that if someone takes the hard drive out of your Mac or puts it into target disk mode, they wouldn’t easily be able to access the data.  The feature is built in to Mac OS X and unlike the early incarnations of FileVault, since 10.7 it uses full disk encryption and is very reliable.  Turn this on in the security system preference pane or if you have a device management solution in place you can enforce the setting centrally.
  • Require a password to login and to wake from sleep or screensaver – This is to protect the information on the computer if someone gets hold of it.  You want to make sure that if the computer boots up, or wakes from sleep, that a password is required to gain access.  In the newest versions of Mac OS X this is normally enabled by default but it is worth double checking that auto-login isn’t switched on (check the users and groups system preference pane) and that “require password to wake from sleep or screensaver” is enabled in the security system preference pane.
  • Install anti-virus software – I would normally recommend the products from McAfee or Sophos as an added layer of protection (if you do use Sophos, make sure it’s not the free / personal edition as this isn’t authorised for business / commercial use).
  • Switch on the firewall – Again this is built-in, accessible via the security system preference pane and adds another layer of protection to your computer.
  • Turn off network services – In the sharing system preference pane there are a load of services you can enable, such as file sharing and internet sharing.  If you do need one of these, switch it on, do what you need to do, then switch it back off.  Try to avoid leaving unused services switched on as each one is an additional vulnerability for the machine.
  • Turn on complex pass codes – For iOS devices, make sure you use a complex pass code.  Simple (4-digit) pass codes are weak.  I have lost count of the number of pass codes I have accidentally seen someone type into their iPhones just by glancing at the wrong time.  Not only are the numbers in a predictable pattern, you can easily see what code someone has typed in, even if you can’t read the digits.
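
A way to check whether a Mac actually follows the settings above, which also speaks to the earlier question of how to tell if users are following policy. This is an added example, not part of the original post: the check keys and sample data are constructed, and the expected output wording of the macOS tools (`fdesetup`, `defaults`, `socketfilterfw`, `systemsetup`) is an assumption that can differ between OS X releases.

```python
import subprocess

def _state(out, marker, good):
    """None if the tool never printed `marker`, else whether `good` follows it."""
    return (marker + good) in out if marker in out else None

# key -> (command, predicate(stdout, returncode) -> True / False / None=unknown).
# Some of these commands need administrator rights to return a real answer.
CHECKS = {
    "filevault": (["fdesetup", "status"],
                  lambda out, rc: _state(out, "FileVault is ", "On")),
    "no_auto_login": (["defaults", "read",
                       "/Library/Preferences/com.apple.loginwindow", "autoLoginUser"],
                      lambda out, rc: rc != 0),  # key absent: auto-login is off
    "wake_password": (["defaults", "read", "com.apple.screensaver", "askForPassword"],
                      lambda out, rc: rc == 0 and out.strip() == "1"),
    "firewall": (["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
                 lambda out, rc: None if "Firewall" not in out
                 else "disabled" not in out.lower()),
    "remote_login_off": (["systemsetup", "-getremotelogin"],
                         lambda out, rc: _state(out, "Remote Login: ", "Off")),
}

def collect():
    """Run each command on this Mac; returns {key: (stdout, returncode)}."""
    results = {}
    for key, (cmd, _) in CHECKS.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
            results[key] = (proc.stdout, proc.returncode)
        except (OSError, subprocess.TimeoutExpired):
            results[key] = ("", None)  # tool missing or hung
    return results

def evaluate(results):
    """Turn collected outputs into {key: 'PASS' | 'FAIL' | 'UNKNOWN'}."""
    report = {}
    for key, (_, ok) in CHECKS.items():
        out, rc = results.get(key, ("", None))
        verdict = None if rc is None else ok(out, rc)
        report[key] = {True: "PASS", False: "FAIL", None: "UNKNOWN"}[verdict]
    return report

# Constructed sample: FileVault off, auto-login set, remote login not readable.
SAMPLE = {"filevault": ("FileVault is Off.\n", 0), "no_auto_login": ("alice\n", 0),
          "wake_password": ("1\n", 0), "remote_login_off": ("", 1),
          "firewall": ("Firewall is enabled. (State = 1)\n", 0)}

if __name__ == "__main__":
    for key, status in evaluate(collect()).items():
        print(f"{status:8}{key}")
```

An UNKNOWN result means the tool was missing or did not answer (for example, it was run without administrator rights), so it should be followed up rather than read as a pass.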

A note about “Find my Mac” & remote wipe – Generally speaking, although interesting, I haven’t found this feature to be overly useful.  It requires the device to be switched on and connected to the Internet.  iOS devices with 3/4G aren’t as bad but for Macs this is unlikely to help.  Personally, I prefer preventative methods.
If your Mac is lost or stolen, you want to be in the position to just dismiss it as a shame and buy another one, safe in the knowledge that there isn’t much data on it, it is encrypted and requires a password to access it, rather than panicking about all the data that has just been compromised.  Remote wipe is a handy feature if it works, again for iOS that is more likely but for Mac OS X I wouldn’t count on it.

Passwords
As I mentioned before, passwords and authentication are a huge topic but here are a few general suggestions:

  • Use a complex password / pass code – The most common cracking methods are a dictionary attack (the cracking program works through every word in the dictionary hoping to get lucky) and a brute force attack.  A dictionary attack only takes a few seconds so if your password is “Apple” or “Password” you will be the first to go down.  A brute force attack will, given enough time, crack the code, but you can make this a great deal harder by using a mix of upper and lower case, special characters and numbers.
  • Avoid known “clever” passwords – Such as “LetMeIn1” or “P4ssw0rd” etc.  Most cracking tools will try these first!
  • Avoid passwords that can be worked out from your personal information – Such as spouse name, DOBs, pet names, children's names, business road name etc.
  • Use at least 8 characters – The more characters the better, but a password of fewer than 8 is significantly easier for a brute force attack to crack.
  • Use a password generator – Either the password assistant built in to Mac OS X or a third party tool like LastPass or 1Password can generate a random password for you.
  • Use a different password for each service – Single sign-on and centralised authentication are great, but what if that one account is compromised?  If your password is compromised, you want to make sure the potential damage is minimised.  You can do this by using different passwords for each service.  If you are thinking that you can’t remember all of these passwords, a tool like LastPass or 1Password will help make it easier to manage this.
  • Use two-factor authentication where possible – A lot of cloud services have two-factor authentication available, including Google Apps, Dropbox & Evernote.  Switch it on and the attacker will need your mobile phone as well as your username and password to gain access to the account.
  • Change your passwords regularly – Think of the lifetime of a password as another attack surface.  The longer it is in use, the greater opportunity the attacker has to crack it.  I would recommend trying not to increment the number by 1 each time (such as password1, password2, password3 etc).
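
One way to enforce the suggestions above electronically when a password is set or changed. This is an added example, not part of the original post: the word list is a constructed stand-in for a real dictionary, and the rule names and the `check_password` function are hypothetical.

```python
import re
import string

# Constructed stand-in for a real dictionary / common-password list.
COMMON = {"apple", "password", "letmein", "welcome", "qwerty"}
# Undo the usual character swaps so "P4ssw0rd" is treated as "password".
LEET = str.maketrans("430157$@", "aeolstsa")
CLASSES = {
    "upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
    "digit": string.digits, "special": string.punctuation,
}

def _stem(pw):
    """Lower-case and drop trailing digits/symbols: 'LetMeIn1' -> 'letmein'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def check_password(pw, personal=(), previous=None):
    """Return the rules from the list above that `pw` breaks (empty list = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("too_short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append("no_" + name)
    # Dictionary words and their "clever" variants (swapped or appended characters).
    forms = {pw.lower().translate(LEET), _stem(pw).translate(LEET)}
    if forms & COMMON:
        problems.append("dictionary_or_clever")
    # Names, dates, road names and similar details supplied by the caller.
    haystacks = forms | {pw.lower()}
    if any(len(p) >= 3 and p.lower() in h for p in personal for h in haystacks):
        problems.append("personal_info")
    # Same stem as the old password with only the trailing number changed.
    if previous and _stem(pw) and _stem(pw) == _stem(previous):
        problems.append("incremented")
    return problems

if __name__ == "__main__":
    for candidate in ("Apple", "P4ssw0rd", "LetMeIn1", "t7#Vq!9mLz&2"):
        print(candidate, check_password(candidate) or "OK")
```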
