1. Company Intranets: Company intranets are probably the most valuable storehouse of sensitive data in a corporate environment. Many groups within a company run code-sharing servers or share folders of documents, code or other data with minimal or no access restrictions. In that situation, all anyone needs is a 4 GB flash drive to copy the sensitive code or data and walk out with the company's crown jewels.
Solution: Share folders through Active Directory, so that employees get only the access their group policies grant them. Also, do not publish DBs outside the groups that need access to them, and monitor your access logs for both successful and unsuccessful authentication.
2. Company Website(s): A company's website is probably its most vulnerable asset when it comes to an external malicious hacker. These days cross-site scripting (XSS, sometimes abbreviated CSS) vulnerabilities and SQL injection attacks are all the rage, and in the end they leave the company's DBs, which hold highly sensitive and critical information, exposed.
Solution: Conduct internal audits and code checks of your external-facing website. Deploy scanners like WatchFire's web-based scanners. Know how your website works, how it manipulates data and how it displays data and information. It is all too easy to leave critical information exposed in the HTML code of a small supporting page on your website. Hire experts to audit your exposure to security holes like cross-site scripting vulnerabilities and SQL injection attacks.
3. Wi-Fi Access: This is the age of the laptop. Many employees prefer laptops to desktops and add an external monitor to complement the laptop's LCD, and they have good reasons for choosing laptops: they can carry them to meetings, take work home and continue working over a VPN, and enjoy the other advantages of mobility. This also means that Wi-Fi access is needed for laptops in meeting rooms, cafeterias and other places. That brings its own set of problems: a malicious hacker can sit in the parking lot and crack a basic WEP-based network to sniff and capture the traffic passing through it, or set up a fake Wi-Fi network and invite employees to log on to it.
Solution: Open Wi-Fi is okay for a Starbucks but a strict no-no for a corporation. Secure your Wi-Fi with WPA2 with either AES or TKIP. When you hand out laptops to employees, do not give them the passphrase; instead, have it built into the laptop and lock the settings so that the user cannot change them. Also, restrict Wi-Fi access to only certain access points or SSIDs.
4. E-Mail: It is very easy for a rogue employee to mail sensitive documents to their personal email address. Besides that, e-mail is also susceptible to phishing.
Solution: Deploy a proxy server that blocks employee access to personal webmail. Unfortunately, this method still does not prevent employees from mailing the documents and accessing their personal email from a non-work location. To combat phishing mails, follow the guidelines provided by the Anti Phishing Group, which maintains a list of the latest phishing techniques, and put matching rules into the HIPS-based product on your client/employee machines.
5. Mail Rooms: Many corporations have mail rooms, usually within their copy rooms, with open slots where mail for the different groups is placed. This is a huge opportunity for thieves or rogue employees to swipe potentially confidential data.
Solution: Mailboxes should have combination locks on them. Consider replacing the open mail slots with lockable boxes. Also, screen your mail room employees thoroughly.
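
As an illustration of the internal code check recommended in item 2, the following added example (not part of the original article) scans a page's HTML for comments, hidden form fields and link attributes that expose sensitive keywords or internal IP addresses. The keyword list, the private-address pattern and the sample page are assumptions made for this sketch.

```python
import re
from html.parser import HTMLParser

# Assumed patterns for this example; tune them to your own environment.
SENSITIVE = re.compile(r"password|passwd|secret|api[_-]?key|token|todo|jdbc:|select\s.+\sfrom", re.I)
PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")

class LeakAuditor(HTMLParser):
    """Collects (line, kind, detail) findings from one HTML document."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _check(self, kind, text):
        line = self.getpos()[0]  # line where the current tag or comment starts
        if SENSITIVE.search(text):
            self.findings.append((line, kind, "sensitive keyword"))
        if PRIVATE_IP.search(text):
            self.findings.append((line, kind, "internal IP address"))

    def handle_comment(self, data):
        self._check("comment", data)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
            # Hidden fields are visible to anyone who views the page source.
            self._check("hidden field", f"{attrs.get('name') or ''}={attrs.get('value') or ''}")
        for name in ("href", "src", "action"):
            if attrs.get(name):
                self._check(f"{name} attribute", attrs[name])

def audit_html(html):
    # Returns findings sorted by line number.
    auditor = LeakAuditor()
    auditor.feed(html)
    auditor.close()
    return sorted(auditor.findings)

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><body>
<!-- TODO: remove test login admin / password=changeme -->
<form action="/search" method="post">
<input type="hidden" name="db_host" value="10.2.3.4">
<input type="text" name="q">
</form>
<a href="/about.html">About</a>
<!-- page footer -->
</body></html>"""
```

Calling `audit_html(SAMPLE)` flags the leftover comment on line 2 and the hidden field on line 4, and passes over the ordinary form field, link and footer comment.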