It’s not often that we reference baseball with intranets. But earlier this month, the two came together in the form of a security “hack”. Now this wasn’t your ordinary hack, because there was NO hacking involved! Instead the media portrayed or labelled it as a “hack”. So what really happened? Although we are not 100% sure what went down, we do know that the St. Louis Cardinals were able to gain access to the corporate intranet of the Houston Astros of the MLB. Most say that the user account accessed in the breach belonged to a former Cardinals employee who had gone to work in the Houston front office.
The initial story was that they were able to look up the former employee’s password in the Cardinals database, and used the same password to access the database of his new employer. Another theory is that the breach happened due to a “Brute Force” attack, which can guess thousands of passwords a minute if there is no limit on password guessing. Either way, it brings up the important topic of intranet security and passwords. It is said that hundreds of thousands of dollars’ worth of data was acquired through finding a way into the Astros’ intranet. So obviously, if you have sensitive data on your intranet, it is worth following best practices regarding intranet passwords.
The Password is…… “Password”
We have heard many times through the years, “It’s the end of the password”. Other security technology has been developed and is in use by people and companies, such as token authentication with smartphones and biometrics (fingerprint scanning, face recognition etc). But for intranets, these options aren’t very viable. Unless you use “Single Sign-On” (not secure!), the password is still king.
So it’s important to make sure your intranet gives you full control over your password settings. This way you can set your password requirements based on the needs of your company. Some password settings you can have in Noodle intranet are:
- Passwords must contain upper and lower case letters
- Passwords must contain digits
- Passwords must contain other symbols
- Set the minimum password length
- Set user passwords to expire after a certain amount of time
“I needed a password eight characters long so I picked Snow White and the Seven Dwarves.” – Nick Helms
Of course, setting requirements at the administrator level is important. But the onus still falls on the end-user to keep their account secure. They should avoid these habits:
- Using ‘password’ as their password
- Using common phrases related to the business
- Using a password with a personal reference (name, child’s name, phone number etc)
- Reusing a password they used previously, or choosing a similar one
- Not changing their password regularly when there isn’t a forced password expiry
- Leaving their password in a txt file on their desktop, or worse, on a Post-It note
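The two lists above (the administrator-side settings and the end-user habits to avoid) can be turned into a single password-acceptance check. The following is an added example written for this article, not Noodle’s own code: the deny-list words, the personal references and the 12-character/90-day/5-password numbers are assumptions chosen for illustration, and previous passwords are kept only as salted hashes so the history itself is not a leak.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample deny-list for this example: the obvious choices plus
# phrases related to the business, which an administrator would maintain.
DENY_LIST = {"password", "noodle", "intranet", "welcome", "letmein"}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256, so the reuse history never stores plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class UserRecord:
    username: str
    personal_refs: list[str]          # name, children's names, phone number, ...
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)
    last_changed: date = date(2000, 1, 1)


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90            # password expiry (assumed value)
    history_size: int = 5             # previous passwords that may not be reused

    def check(self, password: str, user: UserRecord) -> list[str]:
        """Return every rule the candidate password breaks; an empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("no upper-case letter")
        if self.require_lower and not re.search(r"[a-z]", password):
            problems.append("no lower-case letter")
        if self.require_digit and not re.search(r"[0-9]", password):
            problems.append("no digit")
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no symbol")
        lowered = password.lower()
        if any(word in lowered for word in DENY_LIST):
            problems.append("contains a forbidden word")
        if any(ref.lower() in lowered for ref in user.personal_refs if ref):
            problems.append("contains a personal reference")
        # Exact reuse is detectable against the hashed history; a merely
        # "similar" password is not, which is why the other rules still matter.
        for salt, digest in user.history[-self.history_size:]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                problems.append("reuses a previous password")
                break
        return problems

    def is_expired(self, user: UserRecord, today: date) -> bool:
        """True once the password is older than max_age_days."""
        return today - user.last_changed > timedelta(days=self.max_age_days)


def set_password(policy: PasswordPolicy, user: UserRecord, password: str, today: date) -> list[str]:
    """Apply the policy; on success record the new hash and restart the expiry clock."""
    problems = policy.check(password, user)
    if not problems:
        user.history.append(hash_password(password))
        user.last_changed = today
    return problems
```

The check returns all broken rules at once rather than stopping at the first, which is what a user-facing form needs in order to explain a rejection in one round trip.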
The last item was covered in a recent episode of HBO’s show, “Silicon Valley”. The character Gilfoyle was accused of hacking into their competition’s system to retrieve private and confidential information. The competition’s security officer thought his system was impenetrable and couldn’t figure out how Gilfoyle got in. Later, it was revealed that, while visiting the competition’s building, Gilfoyle had found a Post-It note on someone’s desk with their login information.
“If you’re the CEO of a company and you’re dumb enough to leave your login on a Post-It on your desk, while the people you just ripped off are in your building, then it’s not a hack. It’s not even social engineering. It’s more like Natural Selection.” – Bertram Gilfoyle from HBO’s “Silicon Valley”
Saving your passwords in a file, writing them down at your desk, or sharing them with others is one of the most common ways for your information to be leaked. So, as we can see, making sure your company’s information is protected requires compliance from all levels involved. Management must decide on the guidelines, IT needs to set up the technology and the end-users need to be “password responsible”.
But Wait…. There’s More!
Still, other than passwords, there are other ways to protect your intranet from unauthorized user access (we aren’t getting into server or network security today!). If your intranet is cloud based (or, in some cases, self-hosted), users may be able to access the company intranet from any location. Whitelisting IPs limits access to only your approved locations/offices. Choosing to whitelist only specific IP addresses may prevent some outsiders from getting in or seeing your confidential information. It’s also easier to track site activity using a whitelist, as you can easily find where users are logging onto the intranet from, or which network downloaded a specific file.
As I said above, Single Sign-On (SSO) isn’t always the most secure option either. It’s easy and convenient to open your browser and be brought straight to your intranet page. But there are some drawbacks as well. In terms of permissions and user access, if you do not lock your computer, anyone can open your browser and acquire your user access. This might be the computer of a manager who has access to private information, or who has administrator access to make changes to the intranet. Requiring users to enter a password also promotes the practice of keeping their user account secure. Nobody likes it when you leave your Facebook page open and others post statuses and comments as you, right? It may have worse consequences in your workplace.
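Here is what the IP whitelisting described above looks like in code, together with the location tagging that makes activity easier to track. This is an added example for this article, not Noodle’s implementation: the office networks and the proxy address are constructed placeholders from the RFC 5737 documentation ranges. The one detail worth noticing is that the `X-Forwarded-For` header is only believed when the request arrives through a proxy you operate; otherwise anyone could write an office address into the header and walk past the whitelist.

```python
from __future__ import annotations

import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allow-list: documentation ranges standing in for real offices.
ALLOWED_NETWORKS = {
    "head-office": ipaddress.ip_network("203.0.113.0/24"),
    "branch-office": ipaddress.ip_network("198.51.100.16/28"),
}

# Reverse proxies / load balancers the organisation runs itself (assumed address).
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def client_address(remote_addr: str, forwarded_for: Optional[str] = None) -> Optional[IPAddress]:
    """Work out the client's real address.

    X-Forwarded-For is honoured only when the direct peer is one of our own
    proxies; a header supplied by anyone else is ignored, not trusted.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None                       # malformed address: treat as unknown
    if peer in TRUSTED_PROXIES and forwarded_for:
        # Our proxy appends the address it saw, so the last entry is the client.
        candidate = forwarded_for.split(",")[-1].strip()
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            return None
    return peer


def location_of(addr: IPAddress) -> Optional[str]:
    """Name of the approved location an address belongs to, or None."""
    for name, net in ALLOWED_NETWORKS.items():
        if addr in net:
            return name
    return None


def is_allowed(remote_addr: str, forwarded_for: Optional[str] = None) -> bool:
    """Whitelist decision for one request: unknown or off-list addresses are refused."""
    addr = client_address(remote_addr, forwarded_for)
    return addr is not None and location_of(addr) is not None


def audit_line(username: str, remote_addr: str, forwarded_for: Optional[str], action: str) -> str:
    """One log line per request, tagged with the office the user came from."""
    addr = client_address(remote_addr, forwarded_for)
    where = location_of(addr) if addr is not None else None
    return f"user={username} ip={addr} location={where or 'unknown'} action={action}"
```

Because every audit line carries the resolved location, finding which office downloaded a given file becomes a simple filter on the log rather than a reverse lookup done after the fact.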
Make sure your intranet also has the following security practices in place:
- Intranet inactivity timeout period so your account logs out if you are away from your desk for too long
- Failed Password attempt limit to avoid “Brute Force” attacks
- Use SSL digital certificates so that traffic to and from the intranet is encrypted
- Analytics that keep track of what users view/download and from what location they access your intranet
- Do not share user accounts with more than one employee
- “Forgot my Password” feature (because no administrator is happy about resetting everyone’s passwords themselves)
- Limit your amount of administrators to avoid misuse of user privileges
- For temporary or seasonal employees, set their user account to start and end on specific dates. This way they don’t still have access to the intranet after they are no longer with the company, even if the administrator forgets to remove them
- Don’t keep Post-It notes with your login information on your desk….just saying…
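Three items in the list above (the inactivity timeout, the failed-attempt limit and the start/end dates for temporary accounts) are all decisions made at login or on each request, so they fit naturally into one small login gate. The following is an added example for this article, not Noodle’s code; the 5-attempt, 15-minute and 20-minute figures are assumptions, and the account is checked for validity before the password is even examined so that a departed contractor’s correct password is worth nothing after their end date.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 5                  # failures before the account locks (assumed)
LOCKOUT_PERIOD = timedelta(minutes=15)   # how long a lock lasts (assumed)
IDLE_TIMEOUT = timedelta(minutes=20)     # inactivity before a session is logged out (assumed)
PBKDF2_ROUNDS = 100_000


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    valid_from: datetime
    valid_until: Optional[datetime] = None   # None = permanent staff
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class Session:
    username: str
    last_seen: datetime


def make_account(username: str, password: str, valid_from: datetime,
                 valid_until: Optional[datetime] = None) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, pbkdf2(password, salt), valid_from, valid_until)


def login(acct: Account, password: str, now: datetime) -> Tuple[Optional[Session], str]:
    """Return (session, reason). The reason is for the audit log; the message
    shown to the user should stay generic so it reveals nothing about the account."""
    # Account validity window: outside it nothing else is even considered.
    if now < acct.valid_from or (acct.valid_until is not None and now >= acct.valid_until):
        return None, "account not active"
    # Lockout from too many failures: refuse until the period has elapsed.
    if acct.locked_until is not None and now < acct.locked_until:
        return None, "account locked"
    if not hmac.compare_digest(pbkdf2(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_PERIOD
            acct.failed_attempts = 0
            return None, "account locked"
        return None, "bad password"
    acct.failed_attempts = 0
    acct.locked_until = None
    return Session(acct.username, now), "ok"


def touch(session: Session, now: datetime) -> bool:
    """Call on every request. Returns False when the session has been idle
    longer than IDLE_TIMEOUT and must be discarded (the user is logged out)."""
    if now - session.last_seen > IDLE_TIMEOUT:
        return False
    session.last_seen = now
    return True
```

The lockout counter is reset on a successful login, and the lock expires on its own, so a legitimate user who mistypes a few times is inconvenienced for minutes rather than needing an administrator; a brute-force attempt, by contrast, gets at most five guesses per fifteen minutes instead of thousands per minute.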
There are many other ways to keep your intranet secure. These are just some examples and tips to make sure you are using the best security practices for your company. Some businesses require more security than others, and your settings should reflect the level of confidentiality required. You don’t want to make it overly frustrating for users to access the intranet, but you do want to make sure they understand why your company may require a higher level of security. This too will help prevent breaches and leaks, as employees respect the privacy of information when they understand why it is private.
Noodle has all these security functions and much more. Noodle is an intranet that has the flexibility to set your security levels as low or as high as you need for your business. Contact a Technical Solutions Specialist now to learn more about the security features of Noodle, or ask us for a custom demonstration. Make sure the information you and your employees share is kept secure and private within your organization.