Stupid security mistakes: Things you missed while doing the hard stuff

If you're worried about high-tech hackers using advanced and sinister techniques to break through your fancy firewalls — well, that's not outside the realm of possibility. By all means, spend money on firewalls! But you might also want to keep in mind some distinctly low-tech security problems that are not particularly sophisticated — in fact, some might call them distinctly dumb — that nevertheless mean bad things for the companies or people who suffer them.

We live in an increasingly virtual world, where our crucial data lives on the cloud and we live in fear of electronic intrusions into our particular fiefdom in cyberspace. But it does pay to remember that all of that data does, ultimately, reside on metal-and-plastic computers that do occupy real space in the physical universe. These computers can be touched, picked up, and carried away, and that's bad news. For instance, NASA has suffered a number of recent cybersecurity scandals, among them the fact that 48 of the agency's laptops and phones were just straight-up stolen.

The one thing that makes stealing stuff tricky is that it requires real physical access to that stuff. But getting physical access to things is easier than you'd think. One security researcher demonstrated that it's pretty easy to get into restricted areas with attitude (e.g., imperiously waving a badge at security guards, even if it's not a badge that allows you access to wherever it is you're going) and a moderate amount of stealth (e.g., slipping in through exit doors). Oh, did we mention that these techniques worked at an RSA Security conference? It's probably even easier in your building.

But when your tech goes missing, don't forget the old adage that you should never blame on malice what can be attributed to good old-fashioned incompetence. For instance, maybe those computers weren't stolen by dastardly cat burglars bent on sabotage; maybe someone who was in charge of them just lost them. This didn't happen so much when everybody had a large desktop computer that was hard to lug around, but the convenience of laptops and smartphones also makes them convenient to lose. One survey of small businesses found that 35 percent had an employee who lost a device with business data on it. And if a survey of USB sticks found on Sydney commuter trains is any indication, almost none of those devices were encrypted in any way.