Rhino Security Labs

Tales From Beyond the Crypto: Information Security Horror Stories

Halloween Horrors: A security tale

This Halloween, information security horror stories are all around us. From new Java exploits to the recent Adobe source code breach, security vulnerabilities and exploits are as prevalent as ever. Yet for every breach that makes the news, far more attacks and malware stay hidden in closets or under beds, away from the public spotlight. Even in our own penetration testing and Managed Security Service engagements at Rhino Security Labs, we have seen some information security horrors in the past year. This is the story of one of those cases.

Information Security Horror Stories Come True

Imagine you run a small e-commerce company selling vintage motorcycle parts. All the work happens in a warehouse and there are very few client-facing interactions. Everything a customer provides for a purchase, credit card numbers included, is kept in a plain text file so that you can look it up and update it quickly. A company’s security is only as strong as its weakest link: if the only thing guarding that file is the login password on the workstation, with no encryption and no file permissions restricting who can read it, then anyone who gets onto that machine, whether through a malware infection, an unlocked desk or a foothold gained elsewhere, can copy it in seconds, and nothing will tell you it happened. If that file fell into the wrong hands, the breach would do severe damage to the store’s credibility, costing you business and reputation.

As your vintage motorcycle parts company grows, it becomes harder and harder to keep the data you need to run the business organized. You need things like old motorcycle manuals and part lists from the manufacturer: each make, model and year has its own PDF listing every part for that specific bike. Now a customer needs help identifying a part, and you agree to meet him and inspect his motorcycle in person. At the meeting you need those manuals and part lists, and your inventory, on the go. To solve the problem, you expose the company data through an anonymous FTP (File Transfer Protocol) server hosted on your company workstation, with its root set to your C: drive. Awesome, now you can reach your data from anywhere in the world, as long as you know the IP address of the FTP server. But here’s the kicker: anyone else who learns that IP address has exactly the same access, and with automated scanners sweeping every public address for open FTP ports, someone will. They could read the customer file, delete files, use your system to store illegal data, overload the server, or plant malware on the workstation. FTP also carries every login and every file in cleartext, so even a password-protected FTP server would leak them to anyone on the network path. As the owner of the company, you need to protect not only your own data but your customers’ as well.
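As an added example that is not part of the original post, the following Python script performs the check a pentester would run against the workstation in this story: it attempts the standard anonymous FTP login, reads the directory the server drops the anonymous user into, and rates the finding as critical when that directory is a whole drive root such as C:. The probe uses only the FTP control channel, so it never lists, downloads or writes files. The embedded fake FTP server is constructed here purely so the example runs offline against a stand-in for the misconfigured workstation; the banner text, the loopback address and the severity labels are assumptions, not anything from the original post.

```python
import ftplib
import re
import socket
import threading


def anonymous_ftp_exposure(host, port=21, timeout=5.0):
    """Probe one FTP server for anonymous access.

    Returns (allowed, cwd): allowed is True when the server accepts the
    standard anonymous login, and cwd is the directory the anonymous user
    lands in (None when login is refused or the host is unreachable).
    Only the control channel is used: nothing is listed, fetched or written.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        try:
            ftp.login()  # bare login() sends USER anonymous / PASS anonymous@
        except ftplib.error_perm:
            return (False, None)
        cwd = ftp.pwd()
        ftp.quit()
        return (True, cwd)
    except (OSError, ftplib.Error):
        return (False, None)
    finally:
        ftp.close()


# A bare drive root ("C:", "C:/", "C:\") or the filesystem root "/".
_ROOT_RE = re.compile(r'^(?:[A-Za-z]:[\\/]?|/)$')


def is_drive_root(cwd):
    """True when the anonymous landing directory is an entire drive."""
    return cwd is not None and _ROOT_RE.match(cwd.strip()) is not None


def describe(host, port=21):
    """One report line for one host (severity labels are our own choice)."""
    allowed, cwd = anonymous_ftp_exposure(host, port)
    if not allowed:
        return f'{host}:{port}: anonymous FTP login refused'
    severity = 'CRITICAL' if is_drive_root(cwd) else 'HIGH'
    return f'{host}:{port}: {severity} anonymous FTP login accepted, landing in {cwd}'


def start_fake_ftp_server(allow_anonymous, root='C:/'):
    """Constructed stand-in for the misconfigured workstation in the story.

    Speaks just enough of the FTP control protocol (RFC 959 reply codes)
    for the probe above to run offline.  Returns the port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        rfile = conn.makefile('rb')

        def reply(line):
            conn.sendall((line + '\r\n').encode())

        reply('220 vintage-parts workstation FTP ready')  # assumed banner
        user = None
        for raw in rfile:
            cmd, _, arg = raw.decode('ascii', 'replace').strip().partition(' ')
            cmd = cmd.upper()
            if cmd == 'USER':
                user = arg.lower()
                reply('331 Password required')
            elif cmd == 'PASS':
                if allow_anonymous and user in ('anonymous', 'ftp'):
                    reply('230 Anonymous access granted')
                else:
                    reply('530 Login incorrect')
            elif cmd == 'PWD':
                reply(f'257 "{root}" is the current directory')
            elif cmd == 'QUIT':
                reply('221 Goodbye')
                break
            else:
                reply('502 Command not implemented')
        rfile.close()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == '__main__':
    # Demo against the fake server, once open and once locked down.
    for anon in (True, False):
        print(describe('127.0.0.1', start_fake_ftp_server(allow_anonymous=anon)))
```

Run it as-is to see both outcomes against the fake server, or call describe() with the address of a server you are authorized to test. On a real engagement the login is followed by a read-only directory listing and a harmless upload attempt, because write access is what turns "anyone can read your data" into "anyone can store illegal data on your system."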

So, now that you realize anyone could have access to your data, you set up a VPN with a two-factor authentication mechanism. Every morning you receive a new token, and to reach your data you log into the VPN with that token and your personal account password. Every now and then, you forget to write down the new token on your way out to meet a customer. To solve that, you set up a public webcam aimed at the VPN token on the screen: whenever you forget the token, you connect to the webcam and read off what it is for that day. With that one change you have put yourself right back in the same poor position as with the anonymous FTP site. Anyone who knows the IP address of the webcam can read your VPN token, so the second factor now protects nothing, and all that stands between the internet and your internal network is a single password that can be phished, guessed or reused from another breach. At this point, you don’t know what to do to keep your data safe.

Save yourself the headache, trust us

All of these security flaws can cause severe headaches for any small business owner.  It’s imperative to be aware of your company’s state of information security, so don’t guess – get your company tested with a penetration test or vulnerability assessment from Rhino Security Labs.  Don’t let these information security horrors happen to you, and have a fun and safe Halloween!