Why would somebody want to hack into my network?
That got your attention, didn't it... :o)
Just yesterday I was having a discussionwith some powers that be about physical and network security. Overall, they were dismissive of the need for such things - "there's nothing we have that hackers would want" and "nobody's going to be interested in our stuff - it'll put them to sleep".
My primary nightmare is that, one day, a disgruntled client will walk in and start attacking their servers with a baseball bat or axe or just take the whole damned box. Yet, whenever I voice my concerns about unlocked doors and unfettered access to servers I'm told that "if we put a lock on the door we'll have to walk the long way around to get to the comms room". Umm, guys, let's get your priorities right.
Ok, so let's imagine that somebody walks in to your office and walk out with that backup tape which contains your entire network. Or they walk in and plug one of those tiny wireless access points into an unused network outlet in some quiet corner of your office. I don't think your insurance company will be very sympathetic if the worst happens and your company gets sued.
Y'know, putting convenience before security is a real bad idea. Thinking that there is nothing that the bad guys would want is worse. What can we do to convince people to be cautious about their security *before* they're hit with a worst case scenario?
Here is a real world this-is-actually-happening example of what can go wrong if your computer or server is unprotected:
Guess who is going to be blamed for damage caused by the hostile Web site hosted on that "home PC located in Herndon, Virginia". How much do you want to bet the *owner* of the "home PC" doesn't even realise that his machine is being used to attack people on the Internet.
Last week somebody set up an unsecured wireless network close to my home. When I went on to a business site I was shocked to discover that their wireless access point was also unsecured (personally I think that company should have sued the IT providers that set up the servers and wireless network - security was a foreign concept - how can *any* reputable IT company walk in, make all users domain admin, plug in a wireless access point, leave it completely unsecured, and say that that was a job well done?? How can their staff be working on the servers, go to lunch or disappear whatever other reason, and leave the server screens unlocked??).
*Anybody* could connect to those networks and download whatever they wanted **including illegal stuff**. And here is something else that was really scary. The business site being discussed is located in a building right next to a hotel run by a major international chain. Guests in that hotel were able to detect and use the business's unsecured broadband connection. Why pay a hotel to use their broadband when you can simply hook into that nice unsecured network right next door? I shudder to think how many hundreds, or thousands, of business travellers with laptops that are wireless capable have stayed at that hotel over the past few years...
Do you want your computers to be used to host phishing sites or as a virus vector? Do you really want to the bad guys to be using *your* internet account to download warez or kiddy p0*n? Law enforcement is not going to believe you when you say it wasn't you if those downloads are traced to your hardware.
A fellow MVP, Rocky Heckman, has put together a SOHO security video, in flash format, that is available here (scroll down if you are using IE7) that helps get the point across, discussing the risks that SOHO face, and what should be done to minimise risk.