How to Fight Back Against Hackers

October 1, 2012

In the beginning of September, a group of computer hackers calling themselves AntiSec announced that they had stolen a file containing unique identification data for 12,367,232 Apple iOS devices. They claimed the database was stolen from the compromised laptop of an FBI agent. Simultaneous to AntiSec’s release, the FBI denied the claim. To substantiate their claim, AntiSec released one million of the unique identifiers minus the personal data embedded in the stolen file.

My reaction to this obscure story is: what was highly confidential data doing on a laptop computer, and why weren’t there security measures in place within the laptop to prevent the theft? It seems that every day there is another incident reported in the media of data being stolen or computer networks compromised. The problem persists even though companies spend millions of dollars every year to curtail the theft and breach of their virtual systems.

Part of the problem resides with the employees themselves and their personal security practices related to their computer devices. Previously I wrote about the blending of our social lives and work and personal lives. However, access control within our social and professional lives expands well beyond Facebook and Twitter. It extends to the virtual devices we use. Devices like smartphones, laptops, tablets and even desktop computers are the conduits that connect our personal and business lives. And by doing so, we expose these devices to potential attack from hackers. Most of us have a desktop computer, a smartphone and probably a laptop or tablet as well. On all of these devices we keep our personal and work information together in order to make our lives simpler. We transfer pictures, documents and postings between all of our devices regardless whether they are personal or professional. Today’s technology not only opens us up to public scrutiny, but it enables hackers and corporate spies to infiltrate our data and our lives and create havoc with our devices. Providing access control to personal devices is just as important as securing social networks, and utilizing just a password is not enough. Because technology makes our lives so very easy, we forget the potential liability we incur because of involvement in our social networks or just because of convenience.

So how, as social entities and corporate officers, can we help to secure the access of our social and corporate devices within the virtual world? Here are a few simple practices to help increase the security of your devices.

If data transfer to a laptop is necessary in order to conduct business, the computer should be locked down. There should be no apps, programs or anything that could potentially compromise the computer. However, if Internet Explorer, Adobe or Java is needed to conduct business, the device is susceptible to an attack. In this case, proprietary data should not be stored on the device. All proprietary data should be kept secure off-line. When using the data, it should be uploaded, worked on and then downloaded. And social networking should be done on your smartphone or tablet device.

Many programs and apps have passwords for access. This feature should be activated, especially if they store data and the data is propriety. The password utilized for the app or program should not be the same as the password to log onto the device. In the case of data storage or programs that contain proprietary information, a third password is recommended that is very different than the others you use. Ensure your device is accessed through a password as well, so if it is stolen the perpetrator cannot gain access into your device.

It is also helpful to turn off Wi-Fi when your device is lying dormant. This way access into your device is impossible. A good time to establish this practice is at night when the device is charging.

Key to controlling unauthorized access to mobile devices is the identification of apps and programs that can create vulnerability. Keeping tabs on news related to breaches and vulnerabilities can help with this process. When a breach is publicized for an app or program, you have the option of deleting it until a fix is made public or just ensuring that the program is closed on your device when it is not in use.

Apps or programs that are not in use should be turned off. That means going into your device and either quitting the program, closing or exiting it from the tool bar or turning the app or program off on your mobile device and keeping it off until you need to use it again.

And finally, make sure that your devices are set to close automatically, within two to five minutes after it becomes dormant. If proprietary information has to reside on your device, make sure your device auto-closes at a minimum time – 30 or 60 seconds.

Following these simple, basic practices will dramatically reduce the opportunity for hackers to access your smart devices and steal important data. However, the best practice to follow when it comes to proprietary information is leave it offline and protect the device it resides on by using encryption, controlling access through a password and securing it so that it is not lost or stolen.

This article was previously published in the print magazine as "Hack Away at the Hackers."

Read more Get Into Access & ID at SecurityMagazine.com/Columns/AccessID

Bernard J. Scaglione, CPP, CHPA, CHSP is the Director of Healthcare Security Services for G4S Secure Solutions. He has 30 years of experience in the healthcare security field including a Master’s Degree from Rutgers University School of Criminal Justice in New Jersey. Ben currently serves on the Board of the International Association for Healthcare Security and Safety (IAHSS). He served on IAHSS Education Council from 2005 until 2011. Ben is past Chairman of the ASIS International Healthcare Council and the Past President of the New York City Metropolitan Healthcare Safety and Security Directors Association. He has been a columnist for Security Magazine and contributing author for the Journal of Healthcare Protection Management. Ben was an adjunct faculty member at Pratt Institute in New York teaching engineers and architects in physical security. He taught at Interboro Institute in New York and at New Jersey City University. He was also an instructor at John Jay College Peace Officer Academy.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.