  Lextech Blog  
Author Archive

Are people reading what you write (without asking)? Part 1

by: David

Wednesday, July 2nd, 2008

When connecting to remote systems, it’s easy to overlook a very simple fact: many methods of communication are not protected in any way, shape, or form. Even as you read this post, the data is being sent in cleartext, and anyone with the desire to watch over your shoulder can. Data is the foundation of the internet and of business in general, and not all of it is a big deal if someone else gets it. However, there is a lot of information that should be protected, and there are a lot of ways to protect it.

First, a common example and, hopefully, some answers. Let’s start with probably the #1 offender: Instant Messaging. IMs have exploded on the internet in the last few years as a great, simple way for people to talk (ok, type) to each other. Here is the problem. Odds are very good that the message to your wife with your account information for the bank website was sent in the clear, because you aren’t using any encryption. Most IM technology has no concept of secure communication at all, so everything you type is like talking on a party line: anyone who’s listening can hear it, too.

Now, depending on which IM system you are using (AIM, Yahoo!, MSN, etc.), there are different ways to deal with this. Some of them may have an encryption option built in, which is rarer than it should be. Because of this, third-party IM clients fill the gap. One of the more popular IM clients is pidgin. Not only does it support multiple messaging protocols (because you can’t get all your friends to use the same one), but it’s available for most operating systems and has more than one encryption option available as a plugin. If you primarily use AIM, then the OTR plugin is probably what you want. Adium (the MacOS native IM client based on the pidgin libraries) has OTR built in. The pidgin-encryption plugin is another option that has been around almost as long as pidgin.

Unfortunately, this is just one of many potential examples and solutions. Do a little research into whether or not your favorite IM client or protocol has any way to encrypt your messages. The real point is to be aware that what you are sending is probably exposed, so don’t send anything you deem important without setting something up first.

Making your web applications more fluid

by: David

Thursday, June 19th, 2008

How many web browser windows do you have open during the day? Have you ever tried to dedicate a window to a specific web application, only to have it overrun by a link to another site? Site-Specific Browsers (SSBs) might be the answer you are looking for.

More and more applications are being written as web applications instead of the traditional compiled, system-dependent binary. Web apps give the developer a wide range of flexibility, but having everything in your web browser can get cluttered in a hurry. This is where SSBs become helpful. They are essentially stripped-down web browsers tied to a specific site (hence the name). What makes them different is that they behave on your system like an actual application, not a web page in a browser. This can be especially useful for internal web applications, too.

The one that I am currently using is called fluid. It is a MacOS-specific SSB that lets you pick a URL and save it as an application. When you run it, it behaves just like any other app: it shows up in the Dock as a separate application with its own set of preferences. The fluid application itself is a small manager for the SSB applications you have created, and you don’t need to run it day to day, only when you want to create a new SSB application.

Users of other platforms aren’t left out in the cold, either. Mozilla Labs has an SSB called prism that is available for multiple platforms. Current versions of prism can be found at Mozilla Labs.

You are the Weakest Link

by: David

Thursday, May 29th, 2008

One of the things that constantly comes up when you start taking the security of your computer systems seriously is the simple fact that your users are the weakest part of any security policy. You can spend all day working out intrusion detection systems, firewalls, nearly-impossible-to-crack passwords, and doors with five levels of authentication, but when your security guard holds the door open for the pizza guy, you have a problem.

This is a type of hacking called “Social Engineering,” and it can undermine all your work in a hurry. In general, people are trained from birth to be helpful and trusting, and attackers take advantage of that. It ranges from the guy who tailgates behind an employee, to the admin who keeps the administrative password on a sticky note under the keyboard because it is too hard to remember. It also includes seemingly innocuous questions about the company, or that innocent “I forgot my password” problem that a “user” calling the helpdesk is having.

So the real question is: how do you protect your company against a social engineering attack? In one word: education. You need to make sure that your employees are properly trained to recognize and deal with social engineering attempts. For example, with physical security problems like tailgating, make sure they understand that holding the door for someone is not an option. They may even know the person, but what if the attacker is an ex-employee and they didn’t know?

At the end of the day, just remember that proper training and education of your employees will do wonders for your company’s security posture. It is also one of the most important aspects of security, and one of the most often neglected. Remember, most employees aren’t trained to worry about “Security” and think that it is someone else’s job. It’s your job to make sure that they think otherwise.
