A Real World Security Reminder

I saw a tweet from Brent Ozar about USB ports on slot machines for charging your devices. There are also wireless charging pads. Convenient, but also a potential security problem, especially for IT workers who hold privileged access to code or data.

Please, don’t use public USB ports for charging a device. You never know whether any data access is taking place over that port. Yes, I know that most phones ask you to approve a data connection, but have you ever hit the wrong button on your UI? Do you know how to turn it off? How quickly could data move or malware install? Just don’t plug in.

Next, beware of physical security. My wife was using a wireless pad at a Starbucks a few years ago. She was sitting there talking with my daughter, and occasionally checking her phone (she gets LOTS of texts). Someone walked up and started talking with them, pleasantly and unassumingly. After a few minutes, they walked away.

A minute or two later my wife realized her phone was gone. They both looked around and then ran outside. They couldn’t find the person, and since this was a trip to visit colleges, she ended up purchasing a new phone. An expensive trip for us all.

That reminds me of a few stories in the past from my former CEO, Simon Galbraith. He wrote a piece in 2005 about the issues of losing backup tapes. That used to be a problem, along with the loss of laptops. He also shared a story internally about finding a USB drive near our HQ. Our IT staff investigated the USB drive on an air-gapped computer since USB drives are sometimes spread around with malware.

In this case, we found that it had been lost by our auditor. No Redgate information was on it, but there was data on it from another client. An accident, but one that could have had severe consequences if someone else had found the drive. A good reason to be sure that any data you move around outside of production is masked or anonymized, no matter how secure you think your development laptop or mobile device is while it is in your possession. Mistakes happen.

We also need to be careful with devices. These days, with BYOD and MFA, it’s especially important that we secure devices and limit what they disclose on a locked screen. Whether for a practical joke or a malicious purpose, having someone else get access to our credentials is not something we want to explain to our employer.

Steve Jones


About way0utwest

Editor, SQLServerCentral