Some IT departments defend their enterprise network to the death only to have security compromised by users who take a company laptop computer to an unprotected connection at home or at a Wi-Fi hotspot. Hackers can even set up rogue Wi-Fi access points near hotspots to trick users into logging onto their networks. Once a malicious user has control of a computer, they can plant a keylogger that steals passwords to corporate VPN software and then use those passwords to access the network at will. (For precautions to take when using an unsecured access point, see Securing Your Starbucks Experience.)
Sometimes the mere threat of mischief can bring a company to its knees. Hackers have extorted money from victims by threatening to bring down their Web sites, delete important files, or place child pornography on their computers. Many online gambling sites in the United Kingdom have reportedly been paying extortion money to hackers who threaten to hit them with denial of service attacks.
Myth #7: If you work for a security enterprise, your data is safe.
Even the most supposedly secure organizations may find themselves vulnerable to hackers. George Mason University in Fairfax, Va., home to the Center for Secure Information Systems, a workplace filled with security experts, discovered recently that the names, Social Security numbers, and photos of more than 32,000 students and staff members had been exposed to hackers who attacked the university's main ID server and installed tools there for probing other university servers. The hackers may have entered through a computer that lacked firewall protection and then planted scanning tools to search for passwords to break into other systems.
In response, the university shut down part of the server and replaced students' Social Security numbers with a different ID number to guard against identity theft. The school might also employ software to scan computers before permitting them to connect to its network, set up smaller subnetworks to isolate computers that contain sensitive data, and monitor overall network activity more closely.
National defense departments aren't immune either. They constantly have to deploy new software to guard against emerging vulnerabilities as well as maintain tried-and-true security practices. The Canadian Department of Defense, for example, uses Vanguard Security Solutions 5.3 from Vanguard Integrity Professionals to protect its IBM eServer zSeries mainframes. The software includes two-token user authentication and works along with IBM's Resource Access Control Facility (RACF) for z/OS.
George Mitchell, central RACF administrator for the Canadian Department of Defense, says he always has to be vigilant against unauthorized users gaining access to the system. In addition to monitoring tools, he must use common sense. "I'll have someone call on the phone saying he's so and so. I have several questions that I ask and I'll always reply to that person via encrypted e-mail if he wants a password changed."
What it all boils down to, unfortunately, is eternal vigilance. As the recent hack of Paris Hilton's T-Mobile Sidekick account and theft of customers' confidential credit information from ChoicePoint and LexisNexis show, the range of subterfuges employed by hackers is growing. Hackers are exploiting an increasing number of vulnerabilities in increasingly creative ways, and it's up to us to stay abreast of the latest tools and tricks and protect ourselves accordingly.
Michael Cohn is a freelance journalist.