Don’t Invite Strangers Into Your Home: How to Protect Your Think Tank’s Information Technology

These days think tanks are especially attractive targets for hacking, phishing, and other assorted cyber vandalism. Even foreign governments, according to the House Intelligence Committee, are busy trying to pry secrets out of think tanks through cyber espionage.

I was talking the other day to a friend about the types of security we use to help protect The Heritage Foundation’s Information Technology (IT) network and ensure that its digital infrastructure remains secure. IT has become the underlying cornerstone for many of our daily workplace activities, such as messaging, idea formulation, internal and external communication, and information sharing. It is critical to keep that infrastructure secure, reliable, and available.

I rattled off a host of techniques that we use, many of them with abbreviations like SSL, Secure VPN, IPSEC, VDI Infrastructure, PKI, IDS, and IPS. When I received a blank stare of incomprehension, I came up with an analogy that helped my friend understand that IT security isn’t just for the IT staff to worry about. He is part of the equation, too. I told him:

There was a rich man who lived in a bad neighborhood. The man had valuables that other people wanted to get their hands on. He took steps to secure his home. He put bars on the windows, installed multiple locks on the doors, and had a company come out to install an expensive security system with sensors and cameras that would alert him if anyone tried to get into his house. Everything was automated and he didn’t really have to worry about the system protecting him. It just worked and he felt very secure. One day the man had to go away on a business trip and decided he did not want to leave his house unguarded, so he invited a friend to come and stay there while he was away. He explained that the house was secure with the best technology money could buy and the bars on the windows and doors were made from the strongest steel. The house sitter felt very secure. Later that evening the doorbell rang. The friend answered the door and found a well-dressed man carrying a suitcase on the doorstep. The man explained that he was a friend of the homeowner who had some business papers to drop off. The house sitter let the man in. They chatted for a while and the man handed him some papers for the homeowner. He then asked if he could use the bathroom, and he walked through the house to use it. The next day the owner returned home and discovered some of his most valuable possessions were missing. The owner asked the house sitter how the loss might have happened. The house sitter said it must have been the visitor who dropped off some business papers. The owner was not pleased. He had spent a lot of money on a security system only to have it rendered pointless by his friend’s gullibility.

No matter how much time, effort, and money you invest in a system to keep the bad guys out, it won’t work if you open the front door and let the bad guys come right in.

Your IT security system is like the door locks, the bars on the windows, and the house alarm system. Firewalls, the IDS, the IPS, the antivirus infrastructure, and all the other technical backend are put in place by IT staff to keep a network secure. Your employees are like the house sitter—dedicated workers researching, downloading, and e-mailing to get their jobs done. And rogue states, mafia rings, kids writing scripts to damage networks for fun, spammers, intellectual property thieves, and data thieves are like the well-dressed visitor who gains entry via a ruse.

Criminals don’t usually walk around wearing a mask and carrying a bag that says “Loot” on the side of it. The same is true of cyber criminals. There are a number of simple steps that you and your staff can take to protect your network and data. Unfortunately, it takes only a little bit of carelessness to make yourself a victim of “social engineering” techniques that trick people into giving out sensitive data to people who seem trustworthy but really are not. “Social engineering” is very hard to thwart, which is why it is the number one way that networks are compromised.

Clicking the link in an e-mail from an unknown sender, visiting a website that looks legitimate, and browsing the web with no real goal are prime ways to be hacked. Ninety percent of the time these vulnerabilities can be combated by taking the following precautions:

● Be suspicious of unsolicited phone calls, visits, or e-mail messages from people asking about employees or other internal information. If someone you do not know claims to be from a legitimate organization, verify his or her identity directly with the company before giving out any information.

● Do not provide personal information or information about your organization, including structure or networks, unless you are certain the person is authorized to have the information.

● Do not send personal or financial information via e-mail and do not respond to e-mail solicitations for this information. And do not follow links that may be in such e-mail solicitations.

● Do not enter sensitive information into a website without checking the website’s security.

● Pay close attention to website addresses (URLs). Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

● Be extra vigilant during events such as natural disasters (e.g., Hurricane Sandy, Indonesian tsunami); during epidemics and health scares (e.g., an influenza epidemic); during peak shopping seasons (e.g., Cyber Monday, Christmas, Valentine’s Day); and during major elections. Attackers often take advantage of those occasions to steal information.

My friend didn’t need to be educated in the technical aspects of network security to help keep his information safe. He just needed to know to be careful and aware of what the risks were and of social engineering tactics used to gain access to important information. Education and awareness are the keys to keeping us all safe and secure.

Mr. Harris is Director of Information Systems at The Heritage Foundation.