Companies are taking measures to protect their systems from security leaks that can make them vulnerable to external attacks.
Unauthorized Smartphones On Wi-Fi Networks: Smartphones create some of the greatest risks for enterprise security, mostly because they’re so common and because some employees just can’t resist using personal devices in the office.
The danger is that cell phones are tri-homed devices — Bluetooth, Wi-Fi and GSM wireless. If you use a device like a smartphone that spans multiple wireless spectrums, “someone in a parking lot could use a Bluetooth sniper rifle that can read Bluetooth from a mile away, connect to a smartphone, then connect to a corporate wireless network. Bluetooth thus becomes an open portal that allows hackers to access Wi-Fi and therefore the corporate network.
Only approved devices should access the network. And that access should be based on MAC addresses, which are unique codes that are tied to specific devices, making them more traceable.
Another tactic is to use network access control to make sure whoever is connecting is, in fact, authorized to connect. In an ideal world, companies should also separate guest access Wi-Fi networks from important corporate networks.
Open Ports on a Network Printer: Printers have had telephone lines for faxes for several years, and some are now Wi-Fi enabled or support 3G wireless connectivity. Hackers can break into corporate networks through these ports. A more nefarious trick is to capture images of all printouts in order to steal sensitive business information.
The best way to deal with this problem is to disable the wireless options on printers altogether.Make sure all ports are blocked for any unauthorized access.
Custom Web Applications With Bad Code: One common trick is to tap into the xp_cmdshell routine on a server, which an inexperienced programmer or systems administrator might leave wide open for attack. Hackers can use that opening to gain full access to a database, which provides an entryway to data and a quick back door to networks.
Small coding errors, such as a failure to use proper safeguards when calling a remote file from an application, provide a
way for hackers to add their own embedded code. A company can also be open to attack if it has a blog with a trackback feature (to report on links to its posts) but doesn’t sanitize stored URLs to prevent unauthorized database queries.
The obvious fix to this problem is to avoid using freebie PHP scripts, blog add-ons and other code that might be suspect. If such software is needed, security monitoring tools can detect vulnerabilities even in small PHP scripts.
Social Network Spoofing: Facebook and Twitter users can be fooled into divulging sensitive information. Usually, these types of attacks are subtle and not easily traced. Someone claiming to be, say, a employer, contacts an employee, and the employee believes that the caller is, in fact, a employer and doesn’t attempt to verify his credentials.
Companies should use e-mail verification systems that validate senders’ identities by generating return messages that ask senders to confirm their credentials.
Downloading Illegal Movies and Music: In a large company, it’s not uncommon to find employees using peer-to-peer systems to download pirated files or setting up their own servers to distribute software. The P2P ports should be completely shut down at all perimeters and ideally at the company’s endpoints. P2P programs can be stopped through [whitelists or blacklists] and filters on the enterprise servers. Injecting hostile code into P2P files is not difficult. organization. A technique called “resource isolation” that controls which applications users are allowed to access based on permission rights.
SMS Spoofs and Malware Infections: Hackers can use SMS text messages to contact employees in direct attempts to get them to divulge sensitive information like network log-in credentials and business intelligence, but they can also use text messages to install malware on a phone.
An attacker can send an invisible text message to the infected phone telling it to place a call and turn on the microphone. That would be an effective tactic if, for example, the phone’s owner were in a meeting and the attacker wanted to eavesdrop.
it’s possible to filter SMS activity, but that’s usually handled by the wireless carrier because SMS isn’t IPbased and therefore isn’t usually controlled by company administrators. The best option is to work with carriers to make sure that they’re using malware-blocking software and SMS filters to prevent those kinds of attacks. Creating smartphone usage policies that encourage or require the use of only company-sanctioned or company-provided phones and service plans can reduce the risk.