Another tactic is to use network access control to make sure whoever is connecting is, in fact, authorized to connect. In an ideal world, companies should also separate guest access Wi-Fi networks from important corporate networks, says Hansen, even if having two wireless LANs means some redundancy and management overhead.
Another approach: Provide robust, company-sanctioned smartphones on popular platforms, such as Google's Android, and thereby dissuade employees from using nonsupported devices. By encouraging the use of approved phones, IT can focus on security precautions for a subset of devices instead of having to deal with numerous brands and platforms.
2. Open ports on a network printer
The office printer is another seemingly innocuous device that represents a security risk, although most companies are oblivious to the danger. Printers have become Wi-Fi-enabled over the past few years, and some even use 3G access and telephone lines for faxes. Some models do block access to certain ports on printers but, as Hansen says, if there are 200 blocked ports for printers at a large company, there might be another 1,000 ports that are wide open. Hackers can break into corporate networks through these ports. A more nefarious trick is to capture all printouts as a way to steal sensitive business information.
"One of the reasons you do not hear about it is because there is no effective way to shut them down," says Jay Valentine, a security expert. "We see access all the time via network ports in the electric utility industry, which is a major accident waiting to happen."
The best way to deal with this problem is to disable the wireless options on printers altogether. If that's not feasible, IT should make sure all ports are blocked for any unauthorized access, says Hansen. It's also important to use security management tools that monitor and report on open printer ports. One such tool is ActiveXperts Software's Active Monitor.
3. Custom-developed Web applications with bad code
Just about every enterprise security professional lives in fear of holes created by sloppy programming. This can occur with custom-developed software as well as with commercial and open-source software. Hansen says one common trick is to tap into the xp_cmdshell routine on a server, which an inexperienced programmer or systems administrator might leave wide open for attack. Hackers who do that can gain full access to a database, which provides an entryway to data and a quick back door to networks.
Hansen says PHP routines on a Web server can also be ripe for attack. Small coding errors, such as improper safeguards when calling a remote file from an application, provide a way for hackers to add their own embedded code. This can occur if a developer wasn't careful to restrict which files might be called based on a user's form input, or a company blog using a trackback feature to report on links back to its posts, without first sanitizing stored URLs to prevent unauthorized database queries.
The most obvious fix to this problem is to avoid some software such as freely available PHP scripts, blog add-ons and other code that might be suspect. If such software is needed, security-monitoring tools can detect vulnerabilities even in small PHP scripts.