Managing Vulnerabilities In Your Office

As part of its second cybersecurity sweep, the SEC is asking advisers and broker dealers about their vulnerability management process. When a regulator starts asking about vulnerability management, the first thought most people have is pointing to vulnerability scanning as we have written about in previous posts. But vulnerabilities beyond technical configurations can lay in wait in your offices, undetected and unresolved, for years. As part of the CCO’s responsibilities, you should be proactive in asking your designated tech person, internal or external, about the following five items – all of which reduce your firm’s attack surface:

  • Public Spaces – The public spaces in your offices are ripe for hacking incidents or for data leakage. Take an inventory of your public spaces, including reception areas, conference rooms, and break rooms. Now review the network jacks that are in those spaces and are generally unattended. Chances are those access points to your network are wide open and may grant access to all of your firm’s network resources. As part of a larger IT strategy, take the time to determine if there is any need for these connection points to be enabled. If you have a main computer that is used for presentations and the like, you may want to leave that one enabled. As spaces and devices move to a more Wi-Fi-based environment, there may not even be a need for such ports anymore. In the absence of a specific need, leaving network jacks open and live provides an unmitigated vulnerability and access point to your network. Talk with your IT tech about disabling these jacks. It’s a relatively simple process. Should your business still have a need for wired connections in a public location such as a conference room or reception area, there are other tools that can be utilized to cordon off those physical locations from the network, which will still allow access without granting full rights to a machine that plugs in to be able to see all of your network resources.
  • Unused Offices – Similar to conference rooms, unused office spaces and unused network jacks around your office all represent vulnerability points. A bad actor needs only to physically be present at your location once, or to pay a member of the cleaning service, to hook up a rogue access point and slide that device behind a desk. If this happens, your firm now has a wireless point that may grant access to all your sensitive files without your knowledge. In the same vein as the actions you have just taken to secure your public spaces, identify those offices or spaces that are vacant at this point. Work with your Tech to make those offices “go dark” from a connectivity standpoint. It literally only takes a few seconds in the server closet to either disable or enable those ports. If you don’t need them, shut them off.
  • WiFi Names – What’s in a name, after all? Turns out, a lot. The first step an attacker who is plotting to access your data will do is spend some time performing reconnaissance. If your WiFi name clearly identifies your firm by name, you have just made that attacker’s job much easier. Searching through a list of 20 nearby networks is made considerably more difficult if your WiFi name is nondescript. It may take a couple extra seconds to find your network in a list, but the tradeoff in security is worth it. Even if your WiFi name doesn’t explicitly identify your company, it’s best not to include other “tips” either. For instance, naming your SSID after your address (123AnyStreetWifi) or your floor (5thfloorwifi) is roughly akin to explicitly identifying your router. People often ask us about disabling the SSID on their networks as a security precaution. This provides no security whatsoever, as a simple scanning tool, freely available for most smartphones, will immediately locate and identify your network. On top of that, you then have to remember your WiFi name and type it in every time a device wants to join. In short, no security, and makes it more difficult for you to use – don’t bother disabling the SSID.
  • WiFi Guest Access – Review your WiFi configuration and determine what can and cannot be seen from a data standpoint. If you use your WiFi for business purposes and your resources (such as printers, computers, servers, etc.) are visible – DON’T allow guests access to this network. Take the time to set up a separate guest network. Most routers these days have the option already built-in. Alternately, you can purchase a separate router and configure it so that there is no access to your firm’s network. These days it’s not particularly feasible to not offer any type of internet connectivity to your guests, but it remains an option that you can, at the very least, consider. While you’re reviewing your WiFi connectivity, as well, make sure that your firm is using a secure encryption method for transfer. Use of an outdated security protocol, or none at all, could lead to the interception of data across your WiFi connection, including usernames and passwords.
  • Unescorted Guests – This one falls under the common-sense heading, but is one of the most critical and overlooked security arrows in your quiver. Your staff should be trained to ask any guest or individual who they are and why they are there. We find that this notion oftentimes needs to be drummed into people’s heads. In a building environment with a reception desk, your doorman shouldn’t be granting access to your office or floor without positive confirmation from you that the individual is, indeed, approved and supposed to be in your space. Once there, your employees should feel confident enough that they can stop and request information from such an unknown person, especially if they are in abnormal areas, such as offices or breakrooms. If the employee isn’t satisfied with the challenge response, they should request the unknown person to come with them while they attempt to validate their identity. If an employee or worker doesn’t feel comfortable challenging a stranger in the office, they should immediately report to their supervisor or other responsible party who can address the situation, or confirm the reason for the person’s presence.

Security is a complex task that is made up of many moving pieces, and the SEC is asking you to be familiar with all of them in some way or another. If you’re just beginning on a vulnerability management plan, we’d recommend you take a look at these five points. Working with your IT department or consultant, you can make your firm more secure starting today for no cost at all. By identifying and remediating these weaknesses, your firm will be moving in the direction of tighter security. All of these items can and should be included in your regular Information Security Committee agenda and should be considered whenever any changes are made, either to your physical space, or to your IT Infrastructure. Making these small changes today can yield big dividends in the future.