As a managed service provider (MSP) in the Dayton, Ohio, area, I help a variety of small businesses with their IT. Of course, I typically start with the basics when it comes to security: the firewall, WiFi security, virus and malware protection, and Windows update. Sometimes I just don’t get time to investigate or address the many other seemingly less-important security threats. But there’s no denying that these uncommon security holes could be just as bad as if you have a hacker coming at you. Here are four security risks you might not even realize exist:
Keyboards are probably the last thing you’d consider a security risk. But anything wireless, including a keyboard, has some risk of being intercepted or interfered with because the communications are sent via the airwaves, which you can’t control access to. Although most wireless keyboards utilize encryption for the connection between the keyboard and USB receiver, some still allow unauthenticated and unencrypted incoming wireless communication.
For instance, nearby hackers could send keystrokes or commands to a computer via a vulnerable USB receiver, one that doesn’t authenticate the incoming traffic or require encryption. No matter what authentication and encryption are used, remember that all wireless devices are also subject to denial of service attacks: someone could transmit on the same frequencies to jam up the airwaves, potentially disabling any nearby wireless keyboard and mouse. The worst scenario: on any keyboards and USB receivers that still use poor or no encryption, someone could potentially capture all the keystrokes of a user, opening them up to risks similar to those posed by keyloggers.
Check which wireless keyboard and mouse models you’re using and do some Googling to see if yours has any known vulnerabilities. Also, take a look at the product description for any details about encryption. Additionally, take a look at the vendor’s website for downloads and software updates that might fix any known issues. Going forward, be wary of this issue when making purchases. You might even consider keeping them wired to save yourself a headache in research.
Printers and copiers
Printers are another commonly overlooked peripheral when it comes to IT security. Many business-class printers and copiers have an on-board hard drive that may be storing digital copies of the prints, copies, and scans, some of which may contain really sensitive data. Keep this in mind when getting rid of printers and copiers. You should treat their hard drives the same as you would those from computers: ensure they’re securely wiped before trashing them.
Printers can also be hacked via poor network and Internet security measures, particularly if their web-based GUI is somehow opened to the Internet. I’d certainly include printers and copiers in any security audits or vulnerability scans you perform. I’d also spend some time dedicated to looking over their settings and configuration and any security features they might include.
For printers and copiers shared in the office with multiple users or departments, you should also think about the security of sensitive documents. Some devices support secure printing, such as delaying the print job until the user physically goes to the printer and enters their PIN. This helps prevent other users and employees from picking up sensitive documents, intentionally or not.
WiFi security modes
There are two very different modes of WiFi security: personal and enterprise. Both modes are available with WiFi Protected Access version 1 (WPA) and version 2 (WPA2). The personal mode is what you likely use at home: create a password on the wireless router and you enter that same password on all devices to connect to the WiFi.
The problem with the personal mode on business networks is that when a WiFi device is lost or stolen, or an employee leaves the organization, the thief or employee can go back and connect to the WiFi. Depending upon the device, they may also be able to retrieve the actual WiFi password, allowing them to get on the WiFi with other devices as well. Although you can change the Wi-Fi password to prevent thieves or past employees from coming back and connecting, it’s a hassle to inform all the users and for them to have to enter the new credentials.
The enterprise mode gives each WiFi user his or her own login credentials. Then if a device is lost or stolen, or an employee leaves, you can change or revoke just that user’s credentials. The type of credentials depends upon which EAP method you deploy. The most popular method, called Protected EAP (PEAP), gives each user a username and password for logging onto the network. If there’s Active Directory or another network directory on the network, the WiFi usernames and passwords can typically be derived from there.
The downside to using the enterprise mode is that it requires a RADIUS server to do the 802.1X authentication. If you have a Windows Server, or something similar, check out its RADIUS capabilities. But if that’s something you don’t have, keep in mind there are hosted WiFi security solutions out there that will run the RADIUS servers for you. These are particularly useful for organizations that don’t run Windows Servers at all, or don’t have them at each location they manage, or for MSPs that manage many different companies.
All-access VPN connections
Enabling employees and staff to work at home or on-the-go can be crucial for an organization. If you still use a good old VPN for this purpose, you should evaluate your situation to ensure it’s the most secure remote access option available. If full access to the office network isn’t required, perhaps look into other solutions for your remote workers. Giving out VPN access has serious security risks that should be weighed along with the advantages.
For instance, what happens if the employee’s kids get on the VPN and play around? Or even worse, what happens if the laptop or device is lost or stolen? There are alternatives, like web-based email and cloud storage, that won’t open up other network resources at the VPN source if the laptop or device gets into the wrong hands.
If you still feel a VPN is the best option, ensure it’s as secure as possible. If using the old protocols, like PPTP, see if you can move to something more secure, like IPSec. Modify the VPN and firewall rules to limit remote users’ access to only the resources they require, just in case the end-user device is compromised. Look into other features, such as split tunneling, to bypass the VPN for general Internet traffic from the remote user in case someone misuses the Internet while they’re connected to the VPN.
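One way to check the "only the resources they require" rule in practice, as an added example that is not from the original article: a short Python audit that flags allow rules giving VPN clients more than a stated allowlist. The rule format, the VPN pool, the addresses and the allowlist are all constructed assumptions, and the check ignores rule ordering (it reports every overly broad allow, even one a firewall would never reach).

```python
# Added example: audit firewall rules for an "all-access" VPN pool.
# Rule format, addresses and allowlist are constructed for illustration.
from ipaddress import ip_network

VPN_POOL = ip_network("10.8.0.0/24")          # assumed VPN client address pool
# Resources remote users actually need: (destination network, port)
REQUIRED = {
    (ip_network("192.168.10.20/32"), 445),    # file server (SMB)
    (ip_network("192.168.10.30/32"), 3389),   # terminal server (RDP)
}
# Constructed rule set: (action, source, destination, port or None for any port)
RULES = [
    ("allow", "10.8.0.0/24", "192.168.10.20/32", 445),
    ("allow", "10.8.0.0/24", "192.168.10.0/24", None),    # whole office LAN
    ("allow", "10.8.0.0/24", "192.168.10.30/32", 3389),
    ("allow", "192.168.10.0/24", "0.0.0.0/0", 443),       # not a VPN rule
    ("allow", "0.0.0.0/0", "192.168.10.40/32", 9100),     # any source, incl. VPN
    ("deny", "10.8.0.0/24", "0.0.0.0/0", None),
]

def covered(dst, port):
    """True if the rule grants nothing beyond one required (network, port) pair."""
    return port is not None and any(
        port == need_port and dst.subnet_of(need_net)
        for need_net, need_port in REQUIRED
    )

def audit(rules):
    """Return findings for allow rules that give VPN clients excess access."""
    findings = []
    for index, (action, src, dst, port) in enumerate(rules, start=1):
        src_net, dst_net = ip_network(src), ip_network(dst)
        # Only allow rules whose source can include a VPN client matter here.
        if action != "allow" or not src_net.overlaps(VPN_POOL):
            continue
        if not covered(dst_net, port):
            scope = "any port" if port is None else f"port {port}"
            findings.append((index, f"VPN clients reach {dst} on {scope}"))
    return findings

if __name__ == "__main__":
    for index, message in audit(RULES):
        print(f"rule {index}: {message}")
```

Rule 5 is flagged even though it never names the VPN pool: an "any source" allow covers VPN clients too, which is easy to miss when reviewing rules by eye.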
Finally, hack yourself
You can read and read about these and other security vulnerabilities, but sometimes the best way to understand them is to exploit them yourself: do some penetration testing. I’m not talking about breaking laws and hacking your co-workers or neighbors, but hacking yourself. Of course, if you do this at work or hack work equipment, I suggest discussing it with supervisors first. The process of learning how to exploit security holes and seeing it in action can really help you understand the vulnerabilities and how to fix them.
Photo credits: Pixabay, Cisco