Are you able to remotely login to your server using this method? Restricting access at the Firewall by IP address is not good enough as IP addresses can be spoofed and your details could be “sniffed”. This is called a man in the middle attack. This is such a common issue seen all the time, poor practise creates loopholes!
The chances are that the companies which do this will also proudly list some of their clients on their website. Therefore an enterprising person could gain access to all or some of said companies’ clients. The worst culprits seem to be website "designers"
Why would an admin do this? Because it’s difficult to browse from a server otherwise. IT technicians should instead connect to a workstation, browse from there and if needed download files to a shared folder.
If I can touch your server I can take everything you have. This is quite a remote possibility for most people, but for businesses in highly competitive markets and with valuable Intellectual Property it can be an all too easy mistake to make. For example we have noted that it is usually very easy to get in to a “secure” premises by saying “I’m here to fix the computers”, people tend to just trust you!
These are unfortunately all too common given that they can be easily avoided. One of the most notable cases was the SQL Slammer worm of 2003 which infected ~75,000 machines successfully within 10 minutes of deployment. An amusing yet simple example of SQL injection is the tale of Little Bobby Tables. His mother being the caring sort we all know and love decided to Christen her son “Robert’); DROP TABLE Students;” which when typed in to the school database (as part of standard data entry probably done by an unwitting intern) erased a years’ worth of student data. Obviously they should have sanitised their database inputs! XKCD.
SSL certificate expiry happens to the best of us, well not us, but some very big companies like Google in the case of their Gmail service. It can be very embarrassing when clients can’t access your website/their email, and potentially damaging to your reputation when they are told it is not a trusted domain. To ensure it doesn’t happen make sure you get the email reminders from your certificate issuer, and that these go to a shared inbox where designated people can action it.
Windows Server Update Services (WSUS). If not configured properly the WSUS will use Http not the encrypted HTTPS delivery. Hackers could use low-privileged access rights to set up fake updates. These updates could download a Trojan or other kind of Malware allowing the hacker some access to your server.
A good developer should be very aware of security, sadly many developers are not. We had a situation like this when we took on a charity who had a lot of work done for them pro bono. We always say that you get what you pay for, and in this case that really rang true. The (very) sensitive data was not encrypted, nor was the access to the data. Anyone working at the web hosting company had access to the data, we had access to the data, the data could have been sniffed etc. and whilst we can be trusted we shouldn’t have access, and Joe Blogs is definitely a security threat.
In a lot of SME’s they tend to look after their own IT until it becomes too complicated (out of necessity) for them to manage. I can’t count the amount of times I have gone in to scope out a system and found a bazillion updates needed doing. When asking why they have not applied the update the answer is usually “oh that’s what that thing is flashing at me for”. In larger companies updates should be scheduled and run from the server (to save on bandwidth mostly, and in some cases to be able to control which updates should be installed), remote devices should be able to be locked and wiped as a bare minimum requirement if they can’t be fully controlled. We have seen instances where this is not happening correctly and have suggested using a tool like Intune.
If it is not broken don’t go looking for issues, mentality. What with all of the above to deal with one would assume that an IT technician needs to keep on the lookout for vulnerabilities, but you know what they say about assumptions.
Enjoy the blog post? Then you would love our newsletter! Sign up here Signup and get a free Office 365 pitfall PDF guide
Call us on: 01865 988 217
At Bongo IT, we know that technology is increasingly dominant and crucial to maintaining business performance and productivity.
Organisations should make sure they are making the right IT decisions for their current needs, whilst also planning for the future with flexible and scalable solutions.
As a special offer, we are offering a FREE one hour consultation to address your current IT setup and recommend an effective strategy for your future requirements.
Addressing issues such as computer hardware, broadband, data security, file sharing, compliance and more, we’ll help you build a plan and ensure you deploy the most cost-effective IT strategy for your company’s needs.