Business Security Information

Late last year it was announced by a couple of security researchers that cPanel was vulnerable to cross-site request forgery attacks (CSRF).  If you manage your business’ website, you know that cPanel is an administration interface that allows you to perform many tasks related to running a website.  This includes accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks.  Cross-site request forgery attacks allow attackers to exploit web-based services after the user has already logged into the web-based service.  In a cPanel attack, once you are logged in, you must be lured by the attacker to visit a malicious website that the attacker runs or has compromised.  Once you go to the malicious website, the attacker can execute unauthorized commands since you are already logged into cPanel, and no password would be necessary.

If your business uses security cameras, recording is essential.  The recorded security camera feed can be used for a variety of purposes, especially after a business has been burglarized or robbed.  Currently, most businesses use a DVR (digital video recorder) to record their security cameras, but some still use time-lapsed VCR.  No matter which method you use to record your security cameras, what will prevent the criminal from taking the video tape or the DVR’s hard drive when they burglarize or rob your business?  If there is nothing to stop the criminal from taking the recorded security camera video, you should consider the use of lock boxes.

This week I stopped by what use to be an auto dealership in a city near where I live and saw some examples of good and bad security that I thought I would share with you in this post.  While there, I took some pictures to illustrate what I saw.  If you look closely at these pictures, you will see that the business installed a metal barrier which  prevents vehicles or other equipment from easily being taken from the lot.  It is a simple design of steel piping that is secured in the ground with the openings to the lot being protected by a sliding gate made from the same material.  The steel posts in the ground are close enough that even if the top steel piping was removed, it would not allow a vehicle to be driven between the steel pipes.  Not placing posts close enough together is a major problem in most dealership lots I have evaluated.  The pictures show a good example of how to do it right without making the barrier an eyesore.  In addition, the business secured the steel piping in the ground with concrete and even formed a raised concrete lip, making it difficult to remove individual steel piping from the ground even with the right type of heavy equipment.  Please note:  this type of lot protection is good when you are trying to prevent theft of vehicles or equipment, but additional security is required if you are trying to protect against parts theft.

While trying to catch up on some of my reading this week, I came across an article from the December 14, 2009 edition of Forbes magazine which discussed computer-controlled vending.  A vending machine is equipped with an add-on box which captures all the transactions and transmits the information back to the company.  The boxes can also send an e-mail or text message when a vending machine sells out of an item.  This type of electronic device saves the vending company money in lower fuel costs and more efficient use of their manpower.  If you are interested in learning more, you can check out the website for Cantaloupe Systems .

If you have not already heard, in mid-January Internet Explorer was under attack by the same attack method that was used by the Chinese to break into Google’s network.  Since then, a number of security researchers, security companies ,and even some governments have recommended that computer users switch to other web browsers such as Firefox, Chrome, Opera and Safari.  Currently, it appears the attack code is mainly geared towards IE (Internet Explorer) 6 and possible IE 7 so businesses that are still using IE 6 should change to another web browser or at least upgrade to IE 8.

Do you or your company use encrypted USB flash drives?  If so, are they one of the flash drives that this month was discovered could be hacked?  Encrypted flash drives from SanDisk, Verbatim and Kingston are vulnerable to this most recent form of attack.  Basically, the attack occurs on the software that comes with the drives and runs on a computer, not the USB flash drive.  The software allows the user to enter a password, and if the password is correct, the software sends a signal to the encrypted USB flash drive to unlock itself.  The problem is that other software can be written and has been written to change the USB software running on the computer so that it always sends a signal to the encrypted USB flash drive no matter what is entered as a password.

I was planning on writing about endpoint security near the end of last month, but with the holidays and numerous other business and personal activities occurring at the end of the year I had to take a little sabbatical from writing posts for our website.  It is good to be back into the swing of things again, and I hope everyone has a great and successful year with their business.  As always I will be here to help you with any security issues that you may have for your business so feel free to leave comments or contact me using my contact form on my About page.

Well, I really do learn something new almost every day.  I was reading an article in Forbes magazine  the other day about a robbery prevention technique that I had never heard of before.  I thought I would share it with you in this article.

Greeting a Bank Robber

Some banks are now using greeters, like Wal-Mart does, at the entrance to the bank as a robbery prevention tool.  The theory behind this technique is that most criminals do not want to be noticed.  Supposedly if a bank employee looks the criminal in the eye and says hello when they walk into the bank, the criminal no longer has that psychological edge of anonymity and confidence they need to commit the crime.

A strike plate is a part of a door lock.  It is the metal plate that is attached, usually with screws, to the door jamb (door frame) and has one or more holes that hold the lock bolt when the lock is engaged.  When the door is closed, the lock bolt extends into the hole which then keeps the door closed.  Refer to the picture for a look at a high security strike plate.

This past month I have been working with a business regarding some physical security improvements, and one of those items was a security or intrusion alarm system.  It got me thinking about businesses that I deal with who usually ask me about why a certain element of security they have implemented, such as security systems, is not working.  Most of the time when I look at their particular situation, one or more elements of the security system does not fit their needs.  Usually this is not discovered until the system has been installed and paid for, leaving the business with a system that does not fulfill their needs and sometimes results in the system not being used after a period of time.  This results in wasted time and money for the business owner as well as poor or nonexistent security.