<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Fight Club &#187; Networks</title>
	<atom:link href="http://www.securityfightclub.com/category/networks/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityfightclub.com</link>
	<description>Brought to you by Awareness Technologies</description>
	<lastBuildDate>Sat, 05 Jun 2010 04:08:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Keep those workstations locked</title>
		<link>http://www.securityfightclub.com/keep-those-workstations-locked/</link>
		<comments>http://www.securityfightclub.com/keep-those-workstations-locked/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 18:44:45 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[External Threats]]></category>
		<category><![CDATA[Internal Threats]]></category>
		<category><![CDATA[Networks]]></category>
		<category><![CDATA[Browser Security]]></category>
		<category><![CDATA[Domain Policies]]></category>
		<category><![CDATA[Passwords]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=113</guid>
		<description><![CDATA[Everyone in IT knows why you don&#8217;t leave your workstation unlocked when you leave your desk.  It&#8217;s because your co-workers will send fart jokes to the boss from your machine as punishment.  However, there are actual security reasons for not leaving your machine unlocked.
When you leave your workstation unlocked you are giving anyone that walks [...]]]></description>
			<content:encoded><![CDATA[<p>Everyone in IT knows why you don&#8217;t leave your workstation unlocked when you leave your desk.  It&#8217;s because your co-workers will send fart jokes to the boss from your machine as punishment.  However, there are actual security reasons for not leaving your machine unlocked.<span id="more-113"></span></p>
<p>When you leave your workstation unlocked you are giving anyone that walks by access to everything on your computer.  Your email, access to the company intranet, etc.  Anything that you have access to without entering a username and password (or that has a saved username and password) they have access to.</p>
<p>Have iTunes installed on your work computer with a credit card saved in it so you can grab the new song that just came out?  So do they.  They could download 10,000 songs on your account and you wouldn&#8217;t know it until the next time you opened iTunes or checked your credit card statement.  (I&#8217;m assuming that iTunes will save your credit card, I don&#8217;t actually use it but you get the idea.)</p>
<p>Have usernames and passwords saved in your browser so you can easily log into various websites like your bank, credit cards, forums, etc?  So does anyone who sits at your computer.</p>
<p>You are probably sitting there thinking to yourself, if some strange person was sitting at my desk, someone would notice.  They might, but probably not.  Lots of times I&#8217;ve had strange people sitting in my chair waiting for me with no one around to question them.</p>
<p>If you have an office, you aren&#8217;t exempt.  Yes, I know that you lock your office door at night.  Look around your office: do you have a trash can sitting in there somewhere?  Do you use it?  Is it empty in the morning?  The magic trash can fairy doesn&#8217;t clean out your trash.  Someone who makes way too little money to clean up after the slobs in the office (sorry, I&#8217;m projecting a little here, or depending on your office maybe I&#8217;m not) comes in and cleans it out and dusts your desk off.  You know how they get in: either they have a key or the guards open the doors for them.</p>
<p>I know that at one company I worked at, everyone who had an office would be gone by 7pm.  At about 9pm the security guards would come around and unlock every single office from the lowest manager to the highest C level exec.  I know this because I worked swing there as a Database Engineer for several years (pretty much every department except for Marketing was staffed 24&#215;7 365 days a year).  After the guards would open the offices the cleaning crew would come through and clean all the offices, empty the trash, etc.  Some offices had a window to the inside of the building, some didn&#8217;t.  Most had blinds that could be closed for privacy.  Lots of people had only a laptop, many were left at the office on weeknights, and many people had a desktop.  I would say that 80% of offices had a computer in them at night.</p>
<p>How hard would it be for an outside person to pay someone from the cleaning crew $5000 to get them to copy some data to a USB drive, or infect the network with a virus?  That&#8217;s probably more than most people on the cleaning crew make in a month for just a few minutes of work.  To most people, especially in this economy, this would probably be too much money to pass up.</p>
<p>If a competitor (or an employee for that matter) wanted access to data that was private, and we didn&#8217;t have a policy in place to automatically lock the computers, it would have been a piece of cake for someone to sit at a desk and download all sorts of confidential data from the person&#8217;s computer.  All without anyone knowing about it.</p>
<p>Fortunately at this company we had a policy which required the computers to lock themselves, but many smaller companies don&#8217;t enable this feature for one reason or another.</p>
<p>If your computer isn&#8217;t locked when you get to work in the morning I urge you to talk to your IT staff and have them enable auto-locking on the company computers.  It&#8217;s a slight annoyance to have to unlock your computer in the morning, but it&#8217;s much better than having someone walk in and simply take all your personal and corporate data.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/keep-those-workstations-locked/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Keep your databases off the Internet</title>
		<link>http://www.securityfightclub.com/keep-your-databases-off-the-internet/</link>
		<comments>http://www.securityfightclub.com/keep-your-databases-off-the-internet/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 02:46:55 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Attack Scripts]]></category>
		<category><![CDATA[Brute Force Cracking]]></category>
		<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Endpoints]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Listeners]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[Routers]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[Service Broker]]></category>
		<category><![CDATA[ACLs]]></category>
		<category><![CDATA[Endpoint]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Internet Access]]></category>
		<category><![CDATA[Listener]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=99</guid>
		<description><![CDATA[There are way too many people who keep their database servers available from the public Internet.  This is just a disaster waiting to happen.
Your database holds all of your data.  If someone was to get into your database server they would have access to view, and possibly delete all your data forcing you to restore [...]]]></description>
			<content:encoded><![CDATA[<p>There are way too many people who keep their database servers available from the public Internet.  This is just a disaster waiting to happen.<span id="more-99"></span></p>
<p>Your database holds all of your data.  If someone was to get into your database server they would have access to view, and possibly delete, all your data, forcing you to restore your data from your backup.  In a perfect world there would be no database servers directly accessible from the Internet.  There is pretty much no reason for database servers to be directly accessible from the Internet.</p>
<p>If your servers are CoLo&#8217;d then set up a VPN between your office and the CoLo, or VPN directly into the CoLo.  There are some hosting providers which prefer to set up the servers on public IPs; however, most of them will, if requested, use private IPs and configure a Site to Site VPN connection for you.</p>
<p>Pretty much the only times that a database needs to be on the Internet would be if you are replicating data between servers, as this will typically require that at least one of the servers be on the public Internet.  SQL Service Broker can need to be on the public Internet as well.  However, in both of these cases, you don&#8217;t need to give the server a public IP.  You can give the server a private IP, and NAT the server from the Internet to the private IP.  However, make sure that only the correct port or ports are open through the firewall.</p>
<p>In Oracle this should be done by setting up a new listener.  In SQL Server this is done by setting up a new endpoint, either for general connections or, in the case of Service Broker, an endpoint used to connect to it, which listens on a separate TCP port.  When setting up these listeners or endpoints make sure that only the accounts which need to have access to them have access.  This way the minimal attack surface is available from the Internet.  In addition you will want to set up your firewall or router ACLs to allow only the required public IP addresses to have access to the listener or endpoint.</p>
<p>With your database being publicly available, attack scripts could attack it, or people could manually try to break in.  With SQL Server running in mixed mode, and with Oracle, there are accounts with well known usernames, such as system and sa, which can be brute forced.  When SQL Server is running in Windows only mode breaking in is harder, but not impossible.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/keep-your-databases-off-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why should the DBA care about Network Firewalls?</title>
		<link>http://itknowledgeexchange.techtarget.com/sql-server/why-should-the-dba-care-about-network-firewalls/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sql-server/why-should-the-dba-care-about-network-firewalls/#comments</comments>
		<pubDate>Tue, 18 Aug 2009 23:48:11 +0000</pubDate>
		<dc:creator>SQL Server with Mr. Denny &#62; Security » Security</dc:creator>
				<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[Syndicated]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SQL Server with mrDenny]]></category>

		<guid isPermaLink="false">tag:itknowledgeexchange.techtarget.com://7060d8e67aa2a64df3a3260bac06b79a</guid>
		<description><![CDATA[All too often I see people online asking some sort of question about connecting to their CoLo'ed SQL Server and they connect directly over the Internet.  This is nuts, people.  If you can access your SQL Server via Management Studio from anywhere on the Internet so can people who would ...]]></description>
			<content:encoded><![CDATA[All too often I see people online asking some sort of question about connecting to their CoLo'ed SQL Server and they connect directly over the Internet.  This is nuts, people.  If you can access your SQL Server via Management Studio from anywhere on the Internet so can people who would ...]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/why-should-the-dba-care-about-network-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Home routers are an inexpensive way to protect your home computer from attack</title>
		<link>http://www.securityfightclub.com/home-routers-are-an-inexpensive-way-to-protect-your-home-computer-from-attack/</link>
		<comments>http://www.securityfightclub.com/home-routers-are-an-inexpensive-way-to-protect-your-home-computer-from-attack/#comments</comments>
		<pubDate>Tue, 11 Aug 2009 20:12:45 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Home Networks]]></category>
		<category><![CDATA[Routers]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Protection]]></category>
		<category><![CDATA[WiFi]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=34</guid>
		<description><![CDATA[One of the easiest ways that people can protect their home computer from attack costs between $50 US and $100 US. This quick and easy solution is a home router either with or without wireless capabilities.  In these days of network based attacks a home router separates your home computer from the internet with a firewall [...]]]></description>
			<content:encoded><![CDATA[<p>One of the easiest ways that people can protect their home computer from attack costs between $50 US and $100 US.<span id="more-34"></span> This quick and easy solution is a home router either with or without wireless capabilities.  In these days of network based attacks a home router separates your home computer from the internet with a firewall which is far superior to the one installed with your operating system.  This firewall will stop network traffic before it ever gets to your computer.</p>
<p>A router also uses a technology called Network Address Translation (NAT) to mask the actual IP address that your computer is using from the internet.  The router assigns you what is called a private IP address, instead of the public IP address that your Internet Service Provider provides you.  This is just another way that the router can protect you, as the attacker can only attack the firewall of the router, and isn&#8217;t able to connect to your home computer.</p>
<p>These home routers are very easy to install, usually in just 10-15 minutes.  When you purchase the router it will usually come with a CD or DVD which has some software to assist you in configuring your router.  This will secure the router so that it can&#8217;t be accessed with the default username and password.  Be sure to change the default password to something else as the default passwords are well known by the people who may be trying to break into your computer.</p>
<p>If you purchase a router with wireless and don&#8217;t need the wireless functionality, be sure to disable it.  Most routers will allow you to disable the wireless.  If they don&#8217;t, be sure to secure the wireless using WEP or WPA encryption.  WPA is a much stronger technology and should be used if it is available.  Leaving the wireless unsecured will allow anyone driving by to access your wireless network and access your computer (if it is turned on), or access the internet using your internet connection, which could lead to accusations that should be made against them being levied against you.  (And no, you can&#8217;t leave your wireless unsecured, do things you shouldn&#8217;t be doing, and use the &#8220;WiFi wasn&#8217;t protected&#8221; excuse.  That was already tried in court in the US and the judge rejected that argument.)</p>
<p>That said, if you can afford the computer and the internet connection, you can afford the router.  So go buy one already.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/home-routers-are-an-inexpensive-way-to-protect-your-home-computer-from-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
