The 12 SECRETS to SMB Security
By CopiaTECH June 15, 2007
If you had a lot of money, would you keep it all at home or would you prefer to put it in a bank? If you choose the latter, it is obvious that you are concerned about the money you have earned and would like to protect it. When you buy a computer you have spent money, and you should want to protect that money from harm, along with the data that is so important to you. This is where the Common Sense Guide to Cyber Security comes in handy. To protect your computer you need to know about cyber security. Before embarking on the virtues of cyber security, some common myths and assumptions need to be dispelled.

To begin with, you need to take the time to realize how important it is to protect yourself from cyber attacks and how disastrous these attacks can be. Attacks on information systems operated by small and mid-sized businesses are increasing. According to a survey, the MyDoom virus affected one out of three small businesses; compared to the large businesses affected by the same virus, this is twice the proportion. Today, business losses arising from cyber attacks are estimated at several billion dollars a week. Larger businesses have more to lose in absolute dollars, but it is the narrow profit margin under which smaller businesses work that makes it so important for them to have their information backed up. If you lost your data and did not have a backup, imagine the cost involved in recovering it. Some data cannot be recovered at all. How much loss on a day-to-day basis would that be for a small business? More importantly, can you afford such an inconvenience?

Most of us tend to think that such things happen to other people and we are safe from them. Here is a real-life example which dispels that belief. A company valued at $1 million had to sell its customer lists after a series of computer attacks. As the disgruntled owner was quoted in Computer World Magazine: “My business is lost. My wife’s business is lost. I hope we can hang on to our house.”

This guide contains many real-life examples. Not all are as disastrous as the one above; nonetheless, they all led to some amount of loss. What every business owner needs to understand is that no matter what the size or type of your business, you are exposed to cyber attacks if you use the Internet. To envision the prosperity of a business without the Internet is like hoping that your product will sell like hot cakes with no publicity or marketing costs.
Every day there are technological changes taking place, and the only way to protect your business from their adverse effects is through cyber security.

Why would anyone attack me?

Most of us wonder why anyone would attack us. Most of the time, we are not a direct target. The attackers do not target anyone in particular. What most attackers do is send out a large broadcast which looks for any unprotected system and then uses it as a launch pad for the attack. An unprotected system, that is, a system with no firewall, anti-virus software or user education, affects your business and the other businesses that come in contact with you as the virus spreads through the Internet. It is better to be proactive than reactive. As users of the Internet, we should all contribute to an environment of security, which leads to increased business and consumer confidence. To achieve this, we need to start by protecting our own systems and ensuring that no virus spreads from us to our partners, colleagues or associates.

Does this guide apply to my business?

The next logical question is whether this guide applies to your type of business. This guide is designed to meet the requirements of businesses which have more than one computer but do not have an in-house information technology department. There are guides available even for a sole-proprietorship kind of business, which would probably have only one computer; we can call that the “Guide for Really Small Businesses”. How is it that smaller enterprises are a bigger target than larger enterprises? A likely reason is that the larger ones have a separate information technology department at their disposal. Even though these companies can afford a separate information technology department, they too require a guide to remain up to date with the cyber security software currently available; we can call that the “Guide for Senior Managers”.
It may be difficult to classify a business as small or large. The most common way is to classify on the basis of the number of employees and the annual revenue, but this may not be the best criterion. For example, a construction company might have a large number of employees and big annual revenues, yet have a small head office with only one person keeping the computer network up and running. Such a company would need the Guide for Small Businesses.
A small bank, on the other hand, with fewer employees and less annual revenue, would require the Guide for Senior Managers, either alone or in combination with the Guide for Small Businesses, because of its larger number of computers and its complex legal and regulatory environment.

How can I stay updated on what I should be doing to secure my business?

This is where the guides come into play. The aim of these guides has always been clearly defined: to use the experience of Internet users to provide the best information security practices, policies and technologies, and so enhance the security of the Internet and of global information systems. The guides focus on general issues which will stand the test of time and will not become outdated soon, and they do not promote any specific vendor. For instance, they will suggest the use of anti-virus software but will not suggest which one, as that is beyond their scope. The trade press publishes reviews of such products; you may refer to these and choose the best option. This solves the problem of how to remain up to date with the new technologies and software available to help you secure your business. This guide is an effort to encourage small businesses to understand the importance of cyber security, and it provides information beneficial in promoting it.

How much will it cost me?

This brings us to the final and probably the most important question: how much will it cost you? There have been many seminars on cyber security so that people can learn the best practices for avoiding cyber attacks targeted specifically at small businesses. Many small businesses took part in discussions during the development of this material, helping orient this guide toward the specific needs of the small business community. The main theme of these discussions was cost, in terms of both time and money.
Hence, the guide tries not only to suggest appropriate steps to be taken, but also to address the time, money and technical skill each requires. It also discusses the consequences of not adopting the best practices, through real-life incidents. Moreover, each suggestion is broken down into the implementation of the suggested practice, explaining how to get started and what additional steps are required. Coming back to the cost factor: just as most businesses prepare a budget for their marketing plan, they have to prepare a budget for their cyber security plan.
On an annual basis, your costs would be highly software driven, for maintenance and upgrades. But in the longer run, necessary security features need to be budgeted up front in both hardware and software terms. While we understand that improved security will come in stages, the goal of this publication is to take you through all the stages. This guide suggests a 12-step program to ensure that you are secure. Thus, it is in the best interest of your business to budget for these 12 steps and follow them earnestly. The 12 steps, with a basic idea of their cost, the technological skill required and who will be involved, are enumerated as follows.

1. Use Strong Passwords and Change Them Regularly

Cost: Minimal - No additional investment
Technology skill level: Low to medium
Participants: Everyone using the electronic facilities

A password is what ensures that your information remains secure. Simplifying or understanding something complex requires a lot of effort, and the same is true of your password: the more complex it is, the more difficult it is for intruders or attackers to crack. In smaller businesses employee turnover is generally high, which increases the need to change passwords frequently, because there is no way to find out whether a password has been guessed or not. Thus, it is advisable to change your password preferably every three months, or otherwise every six months, and to use a new one every time. Do not reuse an old password, as the attacker may well be a disgruntled former employee who is aware of it. Each account you create should have a separate password, so that if one account is compromised the others are not easily accessible as well. Do not write down any password, and if you must, store the written password in a secure, locked place. Do not share your password with anyone. A password is a way to ensure security, but it is not a foolproof method.
Every user of a computer should have a separate account and should be made responsible for that account’s password. This is a simple yet effective way of linking actions to a specific individual. Any network connected to the Internet is accessible from anywhere in the world, which obviously increases your chances of being attacked. One of the preliminary steps to avoid such an attack is a good password, but passwords too provide only limited protection.
Computer attackers use trial-and-error methods, or simply brute force, to gain access. They may feed all the words of a dictionary into a login program, which would not take too long, and discover your password. If they know something about you, such as the name of your pet, your children or your spouse, they will have narrowed their range: such information would be their first choice, as it would be yours. As has been established, a password should be complicated so that it is not easily guessed. The best way is to use a combination of upper- and lower-case letters, numbers and punctuation marks, but one which you can memorize easily and do not have to write down. Educate your employees about the need for strong passwords and the need to change them regularly. They should also change default and initial access passwords immediately. To ensure that your employees are doing so, a policy may be written that makes having a strong password mandatory and also states how often passwords must be changed.

Additional steps:

Another way to ensure that you have strong passwords is to set up the electronic environment to demand them. The length, complexity, structure and so on may be specified so that every user necessarily has a password fulfilling those requirements. To enforce frequent changing of passwords, passwords may be set to expire after a certain period of time.

What happens if you do not take these precautions? This may be illustrated with the following real-life case.

Ex-Employee Uses Old E-Mail Access to Spy for Competitive Advantage

A Californian man pleaded guilty to illegally accessing the computer system of his former employer. He read e-mail messages of the company’s executives for the purpose of gaining commercial advantage at his new job with a competitor. The guilty party had been an employee at a contractor in Chino, California.
After leaving one firm to go to work for a competitor, he used his Internet access to his former employer’s office to gain access to its computer systems on more than 20 occasions. He read e-mail messages of his former employer’s executives to learn of their business opportunities and gave this information to his new employer, who was hoping to gain a competitive advantage. The original employer lost thousands of dollars in business before the FBI was able to stop the illegal activity.
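As an added illustration of the "Additional steps" above (example code written for this page, not a CopiaTECH tool or any product's policy engine), the following enforces the rules the text gives: mixed case, digits and punctuation, no dictionary or personal words, a change at least every three months, and no reuse of an old password. The 12-character minimum, the six-entry history and the small word list are assumptions.

```python
import hashlib
import os
import re
from datetime import date, timedelta

# Policy values taken from the text: mixed case, digits and punctuation,
# a change at least every three months, never reuse an old password.
MIN_LENGTH = 12                 # assumption: the text gives no minimum length
MAX_AGE = timedelta(days=90)    # "preferably every three months"
HISTORY_DEPTH = 6               # assumption: how many retired passwords are remembered

# Constructed word list standing in for a full dictionary; a real
# deployment would load a proper dictionary file here.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "monday"}


def check_strength(password, personal_words=()):
    """Return the list of policy violations (empty when the password passes).

    personal_words are the pet, child and spouse names the text warns about;
    an attacker who knows them would try them first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no punctuation mark")
    lowered = password.lower()
    guessable = DICTIONARY_WORDS | {w.lower() for w in personal_words}
    for word in sorted(guessable):
        if len(word) >= 3 and word in lowered:
            problems.append("contains guessable word '%s'" % word)
    return problems


def fingerprint(password, salt):
    """Slow salted hash, so the stored history is not itself a password list."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class UserPasswordState:
    """Per-user record: current password hash, when it was set, recent history."""

    def __init__(self, username):
        self.username = username
        self.salt = os.urandom(16)
        self.current = None
        self.set_on = None
        self.history = []       # fingerprints of retired passwords

    def is_expired(self, today):
        # No password set yet counts as expired: the user must choose one.
        return self.set_on is None or today - self.set_on > MAX_AGE

    def is_reused(self, candidate):
        fp = fingerprint(candidate, self.salt)
        return fp == self.current or fp in self.history

    def change_password(self, candidate, today, personal_words=()):
        """Apply the full policy; return the reasons for rejection, or [] on success."""
        reasons = check_strength(candidate, personal_words)
        if self.is_reused(candidate):
            reasons.append("password was used before")
        if reasons:
            return reasons
        if self.current is not None:
            self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = fingerprint(candidate, self.salt)
        self.set_on = today
        return []


def users_needing_change(states, today):
    """Names of users whose passwords have expired: the list to chase each quarter."""
    return sorted(s.username for s in states if s.is_expired(today))
```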
If the precautionary measures stated above had been used, the chances of something like this happening would have been reduced considerably.

2. Look out for E-mail Attachments and Internet Download Modules

Cost: Minimal - No additional investment
Technology skill level: Low to medium
Participants: Everyone using the electronic facilities

One of the easiest ways to spread computer viruses is through attachments accompanying e-mails or through material downloaded from attractive sites. If you open these attachments or download content from these sites, the virus enters your system and in most cases starts spreading. With attackers now able to get hold of your address book, they can infect more than just your system: the virus is able to send a mail with an attachment to everyone listed in your address book, and if they open the attachment their systems get infected too.

Anyone who writes a software program can sell or distribute it on the Internet, or simply send you a copy of that software as an attachment to an e-mail. Opening the attachment and running that software on your computer leaves you at the mercy of the program’s author, because the author can easily program this software to perform any function that you can perform on your computer. Put simply, if you can delete a file, send an e-mail, or add or remove a program, this software will be able to do the same. All of this is available to an intruder simply if you install that software and run it.

How does anyone know which software you require? This is extremely simple. Website designers take advantage of your computer’s built-in capabilities to check your machine and make sure you have the software tools needed to access their content. If anything is missing, they automatically arrange for the installation of that particular software for you.
As this is quick and easy, especially if you are not very comfortable using a computer, you would install it, and it can then be used against you. By opening an e-mail attachment or accepting an install option, the code is copied to your computer (sometimes into temporary files that you cannot easily see). Such harmful code, or viruses, copied to your computer will usually attempt to spread to other computers using e-mail attachments. If your computer is not protected and becomes infected, then everyone in your e-mail address book will receive an e-mail from you with an attachment which, if opened, can attack his or her system.
The volume of e-mail sent alone can bring a network to a standstill. In addition, the harmful code can corrupt and delete files and software running on your system. If you do not take steps to prevent this, software that spies on your Internet usage may be loaded onto your computer; it can then keep track of the websites you use and the accounts you have on the Internet. Key-logging software may also get installed on your computer. This software records the passwords or keywords you type in, which enables the attacker to gain access to your information and misuse it.

To prevent this from happening, all e-mail users should:

• Be careful and not use the preview feature for e-mails.
• Not open an attachment which the anti-virus software has advised against.
• Not open e-mails (delete them instead) from someone you do not know, especially if the subject line:
  • is blank or contains strings of letters and numbers that are nonsense;
  • tells you of winning a contest you never entered or money you should claim;
  • describes the details of a product that you might like;
  • notifies you of a problem with instructions to install software on your machine;
  • notifies you of a billing or account error for a service you do not use.
• If you know the sender, check the subject line and ensure it makes sense before you open the e-mail.

Additional steps:

• Set up your browser to alert you to the Internet modules it is downloading, and do not accept them from sites you do not know, especially if an e-mail from an unknown person has sent you to the site.
• Delete and do not forward chain e-mails (similar to chain letters), and do not use the unsubscribe function for services to which you did not subscribe in the first place, since this only alerts an attacker that an active address has been located and makes you a target.
• When you are considering buying a software program, look for a clear description of the program and its features, and make sure the source of this information is reputable and reliable.

The MyDoom virus mentioned at the beginning is a perfect example of the need for this step.
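The subject-line and sender conditions listed above, turned into detection logic as an added example (written for this page, not part of the original guide or any mail product): constructed message headers are checked against each condition, with an address book standing in for "someone you know". The keyword patterns are this example's own assumptions about how each condition shows up in practice.

```python
import re
from email import message_from_string

# Constructed address book standing in for "someone you know".
ADDRESS_BOOK = {"pat@example-partner.test", "sam@our-company.test"}

# One check per subject-line condition in the text. The word lists are
# this example's own guesses at how each condition appears; tune them.
NONSENSE = re.compile(r"\b(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{8,}\b")
PRIZE = re.compile(r"\b(won|winner|prize|lottery|claim your|you have been selected)\b")
PRODUCT = re.compile(r"\b(special offer|limited time|buy now|discount|free trial)\b")
INSTALL = re.compile(r"\b(install|update|download)\b.*\b(software|patch|tool|update)\b")
BILLING = re.compile(r"\b(invoice|billing|account|payment)\b.*\b(error|suspended|overdue|problem|verify)\b")

SUBJECT_CHECKS = [
    ("blank subject", lambda s: s.strip() == ""),
    ("nonsense letters and numbers", lambda s: NONSENSE.search(s) is not None),
    ("contest or money you never asked for", lambda s: PRIZE.search(s) is not None),
    ("unsolicited product pitch", lambda s: PRODUCT.search(s) is not None),
    ("instructions to install software", lambda s: INSTALL.search(s) is not None),
    ("billing or account error", lambda s: BILLING.search(s) is not None),
]


def sender_address(msg):
    """Extract the bare address from a From: header such as 'Pat <pat@x>'."""
    raw = msg.get("From", "")
    match = re.search(r"<([^>]+)>", raw)
    return (match.group(1) if match else raw).strip().lower()


def attachment_names(msg):
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw_message, address_book=ADDRESS_BOOK):
    """Classify one message as 'ok', 'review' or 'delete', with the reasons.

    Unknown sender plus any listed subject pattern: delete unopened.
    Known sender whose subject does not make sense: review first, because
    an infected contact's machine mails their whole address book.
    """
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").lower()
    known = sender_address(msg) in address_book
    hits = [name for name, check in SUBJECT_CHECKS if check(subject)]
    attachments = attachment_names(msg)

    if not known and hits:
        return "delete", hits
    if not known:
        reasons = ["sender not in address book"]
        if attachments:
            reasons.append("unexpected attachment: " + ", ".join(attachments))
        return "review", reasons
    if hits:
        return "review", ["known sender but suspicious subject"] + hits
    return "ok", []


# Constructed sample headers covering the cases above.
SAMPLES = {
    "prize": "From: Lucky Draw <noreply@lottery.test>\nSubject: You have WON the grand prize, claim your money\n\nbody\n",
    "blank": "From: unknown@somewhere.test\nSubject: \n\nbody\n",
    "work": "From: Sam <sam@our-company.test>\nSubject: Q3 budget review\n\nbody\n",
    "worm": "From: Sam <sam@our-company.test>\nSubject: a7k92mq1zx\n\nbody\n",
}
```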
MyDoom Worm Hits Thousands of Small Businesses Hard

The MyDoom e-mail worm and its variants spread rapidly, accounting for 30% of all e-mail traffic in early February 2004. The worm arrived as a well-disguised e-mail attachment which, if opened, could install a backdoor that would allow unauthorized access to the affected computer, which might be used in a variety of harmful ways in the future. Research showed that nearly 1 in 3 small businesses had been affected by MyDoom, against 1 in 6 larger enterprises. In addition, MyDoom can spread through popular file-sharing networks such as Kazaa. The total cost to business from the effects of MyDoom has already run into several billion dollars and is still climbing.

3. Install, Maintain, and Apply Anti-Virus Programs

Cost: Low – Site licenses are available
Technology skill level: Low to medium depending on selected approach
Participants: Everyone using the electronic facilities

Anti-virus programs are a low-cost means of protecting your systems and information from external threats. When we say nothing is perfect, that includes the electronic and technological fields as well: there is no hardware or software without flaws or vulnerabilities, and it is these flaws and vulnerabilities which viruses or harmful code exploit to gain entry into systems. Viruses can infect a computer in many ways: through floppy disks, CDs, e-mail, websites and downloaded files. Each time any of these is used, it needs to be checked for viruses. Each virus has a unique pattern, or signature. An anti-virus (AV) program looks at the contents of each file and, when there is a match with a virus signature, notifies you. For each file that matches a virus signature, the anti-virus program gives you different options, such as removing the virus or letting you quarantine or delete that file or e-mail attachment.
Automatic updates are available over the Internet to keep the AV program up to date with the latest fixes for new viruses. It is important to install the AV program on all machines connected to the Internet and/or the office network, and to keep it updated, as new viruses keep appearing. Protection is needed on all machines, because one infected machine will try to infect the others.
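The signature matching described above, as an added example that is not CopiaTECH's or any vendor's code: a small scanner checks each file against a table of byte patterns, moves matches into quarantine (the middle of the three options the text lists), and flags stale definitions in its report. The signature markers, the quarantine directory and the seven-day freshness limit are constructed for this example.

```python
import os
import shutil
from datetime import date, timedelta

# Constructed signature table for this example (name -> byte pattern).
# Real products ship many thousands of signatures and refresh them daily;
# these markers are invented and match nothing in the wild.
SIGNATURES = {
    "Example.Worm.A": b"CONSTRUCTED-WORM-MARKER-0001",
    "Example.Macro.B": b"CONSTRUCTED-MACRO-MARKER-0002",
}
MAX_DEFINITION_AGE = timedelta(days=7)   # assumption: older definitions count as stale


def definitions_stale(last_updated, today):
    """True when the signature set has not been refreshed recently enough."""
    return today - last_updated > MAX_DEFINITION_AGE


def scan_bytes(data):
    """Names of every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_file(path, chunk_size=65536):
    """Scan a file of any size in chunks, keeping an overlap so a pattern
    that straddles two chunks is still found."""
    overlap = max(len(p) for p in SIGNATURES.values()) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            window = tail + block
            found.update(scan_bytes(window))
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def scan_tree(root):
    """Map each infected file under root to the signatures it matched."""
    infected = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            matches = scan_file(path)
            if matches:
                infected[path] = matches
    return infected


def quarantine(path, quarantine_dir):
    """Move an infected file out of reach instead of deleting it outright,
    so it can be restored if the match turns out to be a false positive."""
    os.makedirs(quarantine_dir, exist_ok=True)
    target = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, target)
    os.chmod(target, 0o400)   # read-only: nothing may run it from quarantine
    return target


def scan_and_quarantine(root, quarantine_dir, definitions_updated, today):
    """Run the regular full scan the text recommends and report what was done.

    The report flags stale definitions, because a clean result from old
    signatures says nothing about viruses released since the last update."""
    report = {"stale_definitions": definitions_stale(definitions_updated, today),
              "quarantined": {}}
    for path, matches in scan_tree(root).items():
        report["quarantined"][quarantine(path, quarantine_dir)] = matches
    return report
```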
DO NOT connect to the Internet without first activating an AV program. Educate all computer users to remove or destroy infected files identified by the AV software. Make sure your employees know how to remove their machine from the network and whom to call for help if they suspect an infection. Educate all e-mail users not to open e-mail attachments from unexpected and unknown sources, to avoid unleashing a new virus not yet blocked by the AV program.

Additional Steps:

Enable the AV program to automatically check every file source on each machine when it is used (CD, floppy, etc.). Schedule an AV examination of all files on a regular basis, preferably weekly, to catch problems missed at other checkpoints.

The next real-life example shows how being negligent about updating anti-virus software cost a professional his customers.

Consultant Fails to Keep Software Updated; Winds Up Infecting His System and Losing His Customers

A New Jersey utility consultant operating as a sole practitioner bought a new computer to manage his growing business better. The salesperson told him the new computer came with anti-virus applications already installed. Unfortunately, the consultant did not realize that he needed to update the anti-virus software on a regular basis. Without the new virus definitions, his system became infected. His address book was used to spread viruses to his customers through bogus e-mails, resulting in several of his clients terminating their business relationship with him.

4. Install and Use a Firewall

Cost: Moderate – Software can be free but effective tuning takes time and money
Technology skill level: Moderate to high depending on selected approach
Participants: Technical support
A firewall performs a job similar to that of a security guard. It examines the messages coming into your system from the Internet as well as the messages you send out, and determines whether each should continue on to its destination or be stopped. The firewall “guard” can greatly reduce the volume of unwanted and harmful messages allowed into your network, but it takes time and effort to set one up and maintain it. Firewalls can also prevent many forms of undesirable access to your network. What is difficult is to determine what should be allowed to enter and what should be allowed to leave. If you choose the “deny all” option then nothing can come in or go out, which means no communication at all with the Internet; obviously that is not a solution. Some firewall products allow the user to review each message and choose what to do with it; when buying a firewall product, look for this feature. Because it is quite difficult to determine what is suitable to come in and what is allowed to go out, it is easier to check with your technical assistance team, who will be able to determine what normal usage for your business is and what needs to be blocked. Firewalls are also a good tool to stop access to sites which you deem unfit for your organization, such as pornography, gambling, etc.

If your network does not have a firewall installed, there is no way to check the information coming in or going out; you will have to rely on your employees to follow proper e-mail and download practices. If you are using a high-speed Internet connection such as DSL or cable, you will also be dependent on other subscribers to your service to protect your system or network from viruses. Without a firewall, it is very easy for attackers to go through all the computers on your network and find vulnerabilities.
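An added model of the "allow what the business uses, deny everything else" decision a host firewall makes for each message (example code for this page, not any product's rule engine): packets are matched against an allow list, anything unmatched is dropped, and dropped traffic is tallied so the rules can be refined rather than the firewall switched off. The office addresses, services and traffic sample are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed office layout for this example.
OFFICE_LAN = "192.168.1.0/24"
OFFICE_ROUTER = "192.168.1.1/32"
MAIL_SERVER = "10.0.0.5/32"
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the network, "out" = leaving this machine
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    remote: str      # network the far end must belong to
    dport: int
    comment: str     # why the business needs this service

    def matches(self, pkt):
        remote_ip = pkt.src if pkt.direction == "in" else pkt.dst
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.dport == pkt.dport
                and ip_address(remote_ip) in ip_network(self.remote))


# Allow list: only what the machine's users actually do. Everything else
# falls through to the default deny, which is the posture the text recommends.
ALLOW_RULES = [
    Rule("in", "tcp", OFFICE_LAN, 445, "file sharing, office LAN only"),
    Rule("out", "udp", OFFICE_ROUTER, 53, "DNS through the office router"),
    Rule("out", "tcp", ANYWHERE, 80, "web browsing"),
    Rule("out", "tcp", ANYWHERE, 443, "web browsing (TLS)"),
    Rule("out", "tcp", MAIL_SERVER, 25, "outgoing mail via the company server only"),
]


def evaluate(pkt, rules=ALLOW_RULES):
    """First matching allow rule wins; no match means drop."""
    for rule in rules:
        if rule.matches(pkt):
            return "allow", rule.comment
    return "deny", "default deny: no rule for %s %s port %d" % (pkt.direction, pkt.proto, pkt.dport)


def audit(packets, rules=ALLOW_RULES):
    """Apply the policy to a batch of packets and tally what was dropped.

    The tally is what the administrator reviews when refining the rules: a
    service that keeps being dropped is either over-blocking, to be fixed
    with an approved exception, or probing, to be left blocked."""
    decisions = []
    dropped = {}
    for pkt in packets:
        action, reason = evaluate(pkt, rules)
        decisions.append((pkt, action, reason))
        if action == "deny":
            key = (pkt.direction, pkt.proto, pkt.dport)
            dropped[key] = dropped.get(key, 0) + 1
    return decisions, dropped


# Constructed traffic sample: normal office use plus three things that
# should never get through.
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "192.168.1.20", "198.51.100.7", 443),
    Packet("out", "udp", "192.168.1.20", "192.168.1.1", 53),
    Packet("in", "tcp", "192.168.1.30", "192.168.1.20", 445),
    Packet("in", "tcp", "203.0.113.9", "192.168.1.20", 445),    # file sharing from the Internet
    Packet("out", "tcp", "192.168.1.20", "203.0.113.25", 25),   # mail bypassing the company server
    Packet("in", "tcp", "203.0.113.9", "192.168.1.20", 3389),   # remote desktop probe
]
```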
To use a firewall effectively, follow the steps below:

An individual firewall must be installed on every machine and set up to block traffic for all services except those specifically used on the machine.
Educate your employees as to the value of the firewall so they will help you refine the rules instead of disabling it when a change in the implemented rules is needed. This may happen while the firewall rules are being crafted, as there will be instances of over-blocking that make the use of some computer services more difficult.

Additional Steps:

Get technical help to establish one or more firewalls for the network based on its configuration. Establish a security policy, to be implemented in the firewall, that defines which content is wanted and which is unwanted within the network. Provide a process for adjusting the security policy for approved exceptions. Educate employees as to the value of a centralized solution, and establish a mechanism for monitoring and changing the rules over time to meet the new needs of the organization.

This is what a security expert has to say about firewalls.

Hotels and Wireless Internet Connections Need Firewalls

“Most hotels offer secure broadband services, but do not know enough about security issues to ask their providers questions,” a broadband security expert told CNN. “A guest of company A could hack into a conference held by company B, their competition, thereby stealing valuable corporate data and leaving the hotel open to liability,” CNN reported. Many laptops have a default setting that enables a person to share files with other computers. Unless this is shut off, hackers can easily get in when a traveler logs on to a wireless network. Personal firewalls can be used as a deterrent. These are software-based, and simple versions can be downloaded free online.

5. Remove Unused Software and User Accounts; Clean Out Everything on Replaced Equipment

Cost: Minimal - No additional investment
Technology skill level: Low to medium
Participants: Technical support
Computer systems come with a host of pre-installed, pre-activated software that can be manipulated to attack your network. The installation process is designed more for ease than for security, so functions which may pose a security risk, such as remote file sharing, are usually activated too. The best way to prevent such an attack is to disable or remove all unused software from the computer. The company’s system administrators are best suited to decide what software should be installed. Every computer user should have a unique account, so that their access to data and software is limited to what they require to do their job. It is also important to ensure that invalid user accounts are deleted regularly to prevent system attacks. Similarly, access to specific software should be allowed per user ID based on current job functions, and kept up to date as user roles change.

A lot of confidential information is stored on disk drives. Generally, when information is deleted, it somehow remains on the disk and may be retrieved later. Similarly, a lot of information gets stored in temporary files which we may not be able to view easily. As the disk drive may fall into the wrong hands, causing a huge loss to your business, it is better to prevent confidential and sensitive data from leaking out. To do so you must overwrite complete hard drives and floppy disks with useless data when discarding or selling them.

One wonders why something which is not troubling the user should be removed. The answer is simple: each unused user account and program is an easy entry point into your system for the attacker. It gives the attacker easy access, from which he can take confidential information, such as your credit card details and customer names, and easily damage and destroy files and programs.
Attackers can also use your systems as a base to attack others, and those victims can sue you if their losses are high. If an infected e-mail is sent from your computer, leading to the infection of other computers, it may become a problem for both parties. Just as we manage our money with caution, we need to do the same with computer access, because any loss of data or information is as bad as losing money. As was illustrated earlier with the example of an ex-employee using his former e-mail access to gain a competitive advantage, leaving unused user accounts on the system or network may be detrimental.
To prevent such an event:

• Remove accounts for terminated employees when they leave. When firing someone, do not allow them any computer access before notifying them, and arrange for a monitor while they are on the premises.
• Establish a policy that software which is not needed should not be installed on company computers (e.g. games, free downloaded software, music players, etc.).
• Establish a process for removing data from all computer hard drives when equipment is repurposed, discarded, donated or sold. Use a utility program to remove all information by overwriting all available disk space.

Additional Steps

Uninstall software and archive data files that are no longer used. The less useless information on the system, the easier it will be to manage backups and keep the system’s software at a current update level. While it may be convenient, it is very risky to rely on vendor defaults for your system. Default functions are attractive targets for attackers: the likelihood that they are available is high, since most installers will choose the default. Reduce your visibility as a target by explicitly selecting only the computer functions you need at installation. If you do not know what a function is, check the help information and make sure it is something you need before turning it on. A little time at the beginning can save you from major trouble later.

Here is a real-life example of how a disgruntled former employee may cost you valuable business.

Small Telecom Consulting Firm Loses Business When Security Breach Is Made Known to Prospective Clients

A telecommunications consulting firm with 8-10 employees reached a business agreement with a security consultant for joint work. To confirm, the security consultant sent a letter to the president of the company via e-mail. The president never got the letter. Instead, the consultant received a note back with his original e-mail saying: “Don’t do business with this company.
We are a government organization made up of DEA and FBI agents. This email has been sent to you confidentially. If you disclose any of this information we will prosecute you.” Since the consultant was in the security field, he easily determined the warning was bogus and contacted the State Attorney General’s Office and the FBI.
The consultant also terminated his agreement with the telecommunications firm, which threatened to sue him, a threat that never materialized. It turned out the bogus e-mail was from a disgruntled former employee who had built the company’s e-mail server. Before leaving the company, the former employee had arranged to have all e-mails to the president of the company forwarded directly to him. He has not been prosecuted.

6. Establish Physical Access Controls for All Computer Equipment

Cost: Minimal
Technology skill level: Low to medium
Participants: Everyone using the electronic facilities

We have already established that despite a strong password and good security controls, if someone has physical access to your system they can do a lot of damage. Therefore, it is extremely important that physical access to computer equipment be limited and monitored, to prevent unauthorized access to your systems. Electronic devices should not be left unattended inside or outside the office, especially while a user is logged on to an account and the account is active. Visits to the office by maintenance and cleaning staff, and by family members and friends of employees, should be supervised to prevent anyone from gaining unauthorized access to the company database from within the office premises. They may not deliberately do any harm, but they may accidentally delete files or download harmful viruses while using the computer. Also ensure that all computer users lock their machines when they are away; this prevents anyone without the correct password from accessing their systems. If network access plugs or network drops are active in open areas such as empty offices, conference rooms and reception areas, outsiders can plug in a device and harm the network. Anyone with physical access to your electronic device, including repairmen, technical support and family members, can bypass installed security controls and see, change and destroy data and programs on your computer.
If your device is connected to the network, the data and programs on other computers on the network are also at risk. Installed security controls will slow them down but will not be able to stop them.
To avoid such an event, establish policies for employees such as:

1. Logging off or applying a screen lock to their computer before leaving it unattended, even for a short break.
2. Assigning employees responsibility for computer access and for equipment taken offsite.
3. Limiting employees’ and family members’ personal use of company computers.
4. Limiting the use of personal machines on the company network.
5. Establishing employee liability when these rules have not been followed.
6. Making sure all equipment is protected against power surges with surge-protected power strips.
7. Locking down equipment located in high-traffic areas.
8. Storing unused equipment in locked areas and arranging a sign-out process by making one person responsible for the key.
9. Educating employees about the policies and walking around the office periodically to make sure the policies are being observed.

Additional Steps

Get technical help to ensure that all portable devices are authenticated when they are reconnected to the network. Lock empty offices and conference rooms where active network access plugs are located when they are not in use. Review contracts with technical support and repair services to include liability for the equipment, and for the information stored on the equipment, that they are required to work with.

The following example shows that you are never completely safe and that good safety measures are the need of the hour.

Accounting Firm Makes both Physical and Electronic Copies—but Business Is Threatened by Fire

A New Jersey accountant had his office in a building that also housed a small trucking firm. The accountant had dutifully made electronic backups of his clients’ tax returns and put another copy in his filing cabinet along with the rest of his important documents. He also arranged with another accountant to hold additional copies of each other’s files.
Unfortunately, the trucking firm had a fire that wiped out most of the building and caused the accountant to lose both the electronic and physical copies of all his records. He was able to keep his business running only because he had provided for another copy to be stored offsite.

7. Create Backups for Important Files, Folders, and Software

Cost: Moderate to Expensive (depending on the level of automation and sophistication of the selected tools)
Technology skill level: Medium to high
Participants: Technical support, and users if individuals must handle their own backups

If your computer systems were attacked and your data and information were corrupted, what would you do? If you have backups, you would use them to restore order. But what if you were not maintaining any backups? Would your insurance pay you for the business you lose until your systems are repaired and up and running again? Most general insurance policies do not cover risks such as cyber losses. Backups, however, act like another form of insurance. They are copies of the data required to run your business efficiently, and they provide a reliable way of recovering important data after mishaps such as fire, virus attacks or similar events. Backups can be created by copying the data onto media such as CDs or floppy disks, which makes data retrieval simple when you need it. The process of creating backups can be manual or can be programmed to execute automatically at regular intervals. Software you loaded from a CD or floppy disk needs no extra work, since that disk already serves as a backup of the program. Knowing when to create backups is important so that you are never caught unawares: a backup should be made whenever the original content changes. The choice of backup infrastructure depends on the needs and budget constraints of the business. It may be driven by the expense in time, equipment or both, by the time available for creating the backup, and by the recovery time, that is, how long it will take to restore the original content from the backup. Copies can be created on any form of removable media, including floppy disks, CDs, ZIP disks, or removable disk drives. Computers that are not otherwise in use may be set up to continuously build a duplicate alongside the original for immediate recovery.
Ideally, backup copies should be stored away from the main premises so that the same natural or man-made disaster cannot destroy both. Keep in mind that your backups are copies of your original information, so the same caution and care must be taken in protecting them as is taken for the original. To start, schedule a date and time to make a backup of all files. When selecting the frequency of backups, remember that changes made to the original between the time of the backup and the time of the loss would have to be re-applied manually. Retain backups over a period of time to allow for fixing a problem that is not discovered right away. Special backups, such as calendar year-end and fiscal year-end, should be saved for several years. Periodically test the backup process by restoring the contents to an alternate location and checking them for accuracy. This ensures that you will not be let down in an emergency.

Additional Steps

Get technical assistance to automate as much of the normal backup process as possible so that it always happens. Make sure the backup process creates a date and time log so that the contents of the backup can be validated. Create copies on multiple types of media (a file server copy and a removable disk copy) to provide as much restoration flexibility as possible. To confirm that the automated backup is taking place at the scheduled time, check periodically by restoring the contents and verifying their accuracy. Check your insurance policies to make sure your data, information systems and intellectual property are covered as well as your physical property.

The following real-life example of a small manufacturing firm drives home the point that making backups is not enough. If they are not kept securely, they are of no use to you.
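The backup steps above (dated backup sets, a date/time log, a restore test to an alternate location, and retention of older sets) put into a small script. This is an added example, not code from the guide or from CopiaTECH; the file names, the 30-day retention period and the "current" date are constructed for the demonstration, and the whole cycle runs inside a temporary directory.

```python
"""Added example, not code from the guide or from CopiaTECH: a small backup
routine that puts the steps above into practice. Every file name, path and
retention period below is constructed for the demonstration."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

RETENTION_DAYS = 30  # assumed retention policy: keep backup sets for 30 days
SET_FORMAT = "%Y%m%dT%H%M%S"  # each backup set is named by its creation time


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_root: Path, when: datetime) -> Path:
    """Copy every file under `source` into a new dated set, write a manifest
    (relative path -> SHA-256) and append a date/time entry to backup.log."""
    set_dir = backup_root / when.strftime(SET_FORMAT)
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source)
        dest = set_dir / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[rel.as_posix()] = sha256_of(file)
    (set_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    # The log is what lets you confirm later that the job ran when scheduled.
    with (backup_root / "backup.log").open("a") as log:
        log.write(f"{when.isoformat()} set={set_dir.name} files={len(manifest)}\n")
    return set_dir


def verify_restore(set_dir: Path, restore_to: Path) -> list:
    """Restore a set to an alternate location and compare every restored file
    with the manifest. Returns the relative paths that failed to match."""
    manifest = json.loads((set_dir / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        dst = restore_to / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(set_dir / "data" / rel, dst)
        if sha256_of(dst) != expected:
            problems.append(rel)
    return problems


def prune_old_sets(backup_root: Path, now: datetime) -> list:
    """Delete sets older than RETENTION_DAYS; returns the names removed."""
    removed = []
    for set_dir in sorted(backup_root.iterdir()):
        if not set_dir.is_dir():
            continue  # skip backup.log
        made = datetime.strptime(set_dir.name, SET_FORMAT)
        if now - made > timedelta(days=RETENTION_DAYS):
            shutil.rmtree(set_dir)
            removed.append(set_dir.name)
    return removed


def run_cycle() -> dict:
    """Exercise the whole cycle on constructed files in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    source, backups = work / "source", work / "backups"
    (source / "clients").mkdir(parents=True)
    backups.mkdir()
    (source / "ledger.csv").write_text("date,amount\n2007-06-01,120.00\n")
    (source / "clients" / "list.txt").write_text("Acme Trucking\n")

    now = datetime(2007, 6, 15, 2, 0, 0)  # constructed "current" time
    old_set = create_backup(source, backups, now - timedelta(days=45))
    new_set = create_backup(source, backups, now)
    files = len(json.loads((new_set / "manifest.json").read_text()))
    clean = verify_restore(new_set, work / "restore1")
    pruned = prune_old_sets(backups, now)
    # Damage one file inside the set to show that the restore test catches it.
    (new_set / "data" / "ledger.csv").write_text("garbage\n")
    damaged = verify_restore(new_set, work / "restore2")
    log_lines = (backups / "backup.log").read_text().splitlines()
    shutil.rmtree(work)
    return {"files": files, "clean": clean, "pruned": pruned, "damaged": damaged,
            "old_set": old_set.name, "log_lines": len(log_lines)}


if __name__ == "__main__":
    print(run_cycle())
```

The restore test is the part most often skipped in practice: the manifest hashes are what turn "the job ran" into "the copy is usable", and the same comparison catches a backup set that has been tampered with, which is the failure in the manufacturing case that follows.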
Small Manufacturing Company Loses Major Government Work Due to Software “Time Bomb”

A northeast manufacturing firm captured contracts worth several million dollars to make measurement and instrumentation devices for NASA and the US Navy. However, one morning workers found themselves unable to log on to the operating system, instead getting a message that the system was “under repair.” Shortly after that, the company’s server crashed, eliminating all the plant’s tooling and manufacturing programs. When the manager went to get the backup tapes, he found they were gone and that the individual workstations had also been wiped out. The company’s CFO testified that the software bomb had destroyed all the programs and code generators that allowed the firm to customize its products and thus lower costs. The company subsequently lost millions of dollars, was dislodged from its position in the industry, and eventually had to lay off 80 workers. The company can take some solace in the fact that the guilty party was eventually arrested and convicted.

8. Keep Current with Software Updates

Cost: Moderate – software maintenance fee plus staff time to install and verify
Technology skill level: Medium to high
Participants: Technical support

Software vendors keep providing updates, or patches, for their software to fix various issues with their product. These can be fixes to the software’s functionality, and in many cases they are patches for a security weakness. Many of these patches close vulnerabilities that could be used by viruses and other attacks to harm your computer and its contents. By keeping software up to date, software malfunctions and opportunities for system compromise are minimized. In today’s age of after-sales service, you do not have to keep following up with the vendor about new patches or updates; the vendors do this for you. Vendors often provide free patches for download from their websites. You can receive patch notices by e-mail by subscribing to the mailing lists operated by the vendor. Through this type of service, you can learn about potential problems before they occur and, hopefully, before intruders have the chance to exploit them.
Sometimes a patch fixes one problem but creates another. When this happens, the repair cycle may have to be repeated until a number of successive patches completely fix the problem. No software is defect free. Vendors rely on their customers to tell them when something unexpected happens while using their software. By not installing patches, you are missing the fixes to problems discovered by others. Code defects make your software vulnerable to harmful code attacks. These attacks can corrupt and delete files and remove protection mechanisms such as antivirus software and firewalls, increasing future vulnerability. Attackers can use your computer as a base for attacking others with unwanted e-mail that appears to be from you. Intruders find out about vulnerabilities the same way you do: by monitoring e-mail lists and subscribing to automatic notification services. The longer a vulnerability is known, the greater the chance that an intruder will find it on your system and exploit it. You can never be too careful. So when you are purchasing a program, find out how and when the vendor supplies updates. Learn how the vendor provides answers to questions about problems with its products. Consider purchasing extended warranty support if it is available. If patches are not supplied, find out when a new release will be available and consider upgrading if vulnerability fixes are included. Locate and apply vendor software updates, especially patches for known vulnerabilities, as soon as possible. Consult the vendor’s website to see how to get timely e-mail notices about patches, and subscribe to the vendor’s mailing list for notification of problems and fixes.

Additional Steps

Some vendors provide programs that automatically contact the vendor’s website looking for new patches to their software. These programs can tell you when patches are available and when you can download and install them. You can tailor the program’s update features to do only what you want, for example reporting that a new patch is available but giving you the option to defer its download and installation. If you learn of a vulnerability and no patch is available, consider using different software until the original program can be fixed.
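One way to keep track of the point made above, that the longer a fix has been public the more urgent it is, is to compare an inventory of what is installed against the vendors' patch notices and rank the gaps. This is an added example, not code from the guide or any vendor's update tool; the product names, versions, dates and the notice format are all constructed, and a real inventory would be filled from your own systems and the vendor mailing lists the guide recommends.

```python
"""Added example, not code from the guide: compare an installed-software
inventory against vendor patch notices and rank what is missing by how long the
fix has been public. Product names, versions and dates are constructed."""
from datetime import date

TODAY = date(2007, 6, 15)  # constructed "current" date for the demonstration

# Constructed inventory: product -> version currently installed.
INSTALLED = {
    "OfficeSuite": "2.4.1",
    "MailServer": "1.9",
    "WebBrowser": "7.0.3",
    "AntiVirus": "5.2",
}

# Constructed vendor notices: (product, fixed version, release date, security fix?).
VENDOR_NOTICES = [
    ("OfficeSuite", "2.4.1", date(2007, 5, 1), False),
    ("OfficeSuite", "2.5.0", date(2007, 6, 12), False),
    ("MailServer", "1.10", date(2007, 4, 20), True),
    ("WebBrowser", "7.0.3", date(2007, 6, 1), False),
    ("WebBrowser", "7.0.4", date(2007, 6, 10), True),
    ("AntiVirus", "5.2", date(2007, 3, 1), True),
    ("Database", "3.1", date(2007, 2, 1), True),  # not installed here; ignored
]


def version_key(version: str) -> tuple:
    """Turn '1.10' into (1, 10) so versions compare numerically. Compared as
    plain strings, '1.9' > '1.10' would be True and the fix would be missed."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(installed: dict, notices: list, today: date) -> list:
    """Return (product, installed, fixed, days_public, security) for each notice
    whose fixed version is newer than what is installed. Most urgent first:
    security fixes before functional ones, then the longest-public fix first,
    because the longer a fix has been out, the likelier attackers know the hole."""
    findings = []
    for product, fixed, released, is_security in notices:
        current = installed.get(product)
        if current is None or version_key(fixed) <= version_key(current):
            continue
        findings.append((product, current, fixed, (today - released).days, is_security))
    findings.sort(key=lambda f: (not f[4], -f[3]))
    return findings


def report(today: date = TODAY) -> list:
    """One human-readable line per missing patch, in priority order."""
    lines = []
    for product, current, fixed, days, sec in missing_patches(INSTALLED, VENDOR_NOTICES, today):
        kind = "SECURITY" if sec else "functional"
        lines.append(f"{product}: {current} -> {fixed} ({kind} fix public for {days} days)")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

The numeric version comparison is deliberate: a list kept as text, or a comparison done on strings, sorts "1.9" after "1.10" and silently hides exactly the kind of long-outstanding fix the guide warns about.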
What happens if I do not update my software? In case you want to ask this question, read the following real-life example to get your answer.

Diners Have Supply Chain Interrupted/North Carolina Inn Has Reservation System Crashed—Both Failed to Update Software

A small string of diners in Maryland that had come to rely on e-mail to deal with its suppliers found itself knocked offline for four days by a virus attack. Although the company tried to download the patches to address the specific problem, it found it was unable to because it had not put in patches for earlier software problems. Similarly, an inn on the Outer Banks of North Carolina found it was also unable to make repairs to its system in response to an attack because it had not kept up maintenance. It found its online reservation system knocked out for a period of days, and employees became distrustful of the rest of the computer system for fear it too had become corrupted.

9. Implement Network Security with Access Control

Cost: Moderate to High depending on the options selected
Technology skill level: Moderate to High
Participants: Technical support and all network users

Though an organization’s technological environment is often referred to as “the network,” in reality it is a collection of pieces put together in a certain way to meet the technology-specific needs of that organization. Good network security requires access protection for each component on the network, including firewalls, routers, switches, and all connected user devices. Otherwise, anyone who could reach your network could locate and harm the network components and services. In addition, remote and portable devices should be required to authenticate themselves to the network so that it is possible to limit who can see and access network services such as databases, shared files and printers. Access to important data should be limited to the relevant users and should not be made available to all employees. This not only helps prevent sensitive information from leaking out but also prevents unauthorized persons from intentionally or unintentionally corrupting the data.
A firewall acts as a buffer between the components of your network and the external environment. It helps keep undesirable and harmful content out of the network. Other techniques, such as proxy servers and network address translation (NAT), add further protection by limiting the information an outsider can obtain about your network. This prevents outsiders from learning about the components used in your technology environment, making it more difficult for attackers to find vulnerabilities. The more access restrictions you can legitimately place on your network using the blocking capabilities of the firewall and similar services, the easier it will be to keep it secure.

Special Considerations

Good access control is critical for wireless access, since this type of connectivity is less visible. It is not uncommon for someone sitting in a car in the parking lot to be able to access an unsecured wireless network and destroy or damage everything on the entire network. You may have a wireless or remote access (dial-in) connection to your network and not realize it, since many vendors install them to provide remote support capabilities. The ability to reach and use services on your network from outside (called remote access) is extremely valuable for traveling employees, suppliers, and customers. Remote access also allows technology vendors to provide support for critical network services quickly without having to travel to your site. Employees can and do add remote access devices (dial-in) directly to their computers so they can work from offsite. Use of this type of network access requires careful control, or anyone who happens to find the access point using simple scanning tools can get into the network and alter or destroy information. Instant messaging, chat sessions, and music-sharing capabilities establish other routes (peer-to-peer) into the network, bypassing many of the traditional network security mechanisms. These options are a growing source of harmful code and must be used carefully.

What Happens without Good Network Security?

Attackers constantly put devices on the Internet running programs that probe for weaknesses in your system. Unprotected systems are infected within minutes after connectivity is established, especially when Internet access is available through cable modems, digital subscriber lines (DSL), or other high-speed connections.
As we know, one infected device can put all other devices on the network at risk, since it can be used as an inside source for locating weaknesses in the network and attacking them. Unfortunately, not all attackers are external to the organization. Jealousy makes people do irrational things. Where network security is poor, employees can compromise fellow employees’ machines using tools readily available from the Internet. These tools allow them to spy on others’ actions, view information outside of their job function, stalk and harass others, and plant inappropriate content on others’ machines. This is one of the simplest ways for someone to exact revenge on a person without getting caught. The best way to avoid such a situation is to be more aware of cyber security practices. Access to each component on the network should be limited to protect it from improper access and harm. Basic access protection can be implemented using strong passwords. Establish procedures to turn off the file and printer sharing feature on each computer unless it is in use, particularly when accessing the Internet using cable modems, digital subscriber lines (DSL), or other high-speed connections. Instruct employees to disconnect from the Internet by ending the online session and to turn off their computer when it is not in use. Access to network protection devices such as firewalls, switches, and routers should be further limited to only those individuals responsible for the maintenance and support of these components. Knowledge of the passwords for each component should be limited to two people: the primary user and the person responsible for creating and maintaining backups. Ensure that the vendor providing component support exercises the same level of caution. Do not select the option in web browsers for storing or retaining user names and passwords. Make sure that authentication is required for wireless and remote access.
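A way to check the two instructions above that technical support can actually verify on a machine, turning off file and printer sharing unless it is in use and requiring authentication for remote access, is to read the list of listening services and flag the ones that are reachable from the network. This is an added example, not code from the guide: the sample below is a constructed listing in the style of `netstat -tln` on a Unix-like system, not output from a real host, and the port-to-service table is an assumption about which well-known ports carry those services.

```python
"""Added example, not code from the guide: a small check that reads the
listening sockets reported by the system (here a constructed sample in
`netstat -tln` style, not output from a real host) and flags file and printer
sharing or remote-access services that are reachable from the network."""
import re

# Ports the guide says to keep off unless in use, or to protect with authentication.
SHARING_PORTS = {
    139: "NetBIOS session service (file and printer sharing)",
    445: "SMB (file and printer sharing)",
    631: "IPP (printer sharing)",
}
REMOTE_ACCESS_PORTS = {
    22: "SSH remote access",
    23: "Telnet remote access (unencrypted)",
    3389: "Remote Desktop",
}

# Constructed sample; the addresses and ports are invented for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:3389       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# proto, recv-q, send-q, local address:port, foreign address, state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\b")


def parse_listeners(netstat_text: str) -> list:
    """Return (proto, local address, port) for each listening TCP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), m.group(2), int(m.group(3))))
    return listeners


def exposure(addr: str) -> str:
    """Classify where a listener can be reached from, based on its bind address."""
    if addr in ("0.0.0.0", "::"):
        return "all interfaces"
    if addr == "::1" or addr.startswith("127."):
        return "this machine only"
    return "one interface"


def audit(netstat_text: str) -> list:
    """Flag sharing services reachable from the network and every remote-access
    service (which the guide says must require authentication). Each finding is
    (category, port, address, exposure, description)."""
    findings = []
    for _proto, addr, port in parse_listeners(netstat_text):
        where = exposure(addr)
        if port in SHARING_PORTS and where != "this machine only":
            findings.append(("sharing", port, addr, where, SHARING_PORTS[port]))
        elif port in REMOTE_ACCESS_PORTS:
            findings.append(("remote-access", port, addr, where, REMOTE_ACCESS_PORTS[port]))
    return findings


if __name__ == "__main__":
    for category, port, addr, where, what in audit(SAMPLE_NETSTAT):
        print(f"[{category}] {addr}:{port} ({where}) {what}")
```

The printer service bound to 127.0.0.1 is deliberately not reported: it can only be reached from the machine itself, which is the state the guide asks for when sharing is not in use. The pattern matches the Linux `netstat -tln` layout only; Windows `netstat -an` prints its columns differently and would need its own pattern.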
Additional Steps

Consider the use of smart cards or other hardware tokens for remote access to network-critical components, especially the firewall, switches, and routers. Educate employees in the use of these devices along with the reason for their use, and assign responsibility to the employee in the event of loss or destruction. Get technical assistance to establish intrusion detection monitoring to make sure the network is being used as expected, without internally or externally generated interference.

Following is an example of how e-mails are used as a means of extorting money, not only from large businesses but also from smaller ones.

Cyber Blackmail Goes Mainstream

Once perpetrated predominantly against wealthy individuals or major corporations to extract large payouts, cyber blackmail has now become prevalent even in smaller businesses. Office workers are now widely reporting being the targets of an extortion scam that seems to target almost anyone with an e-mail address. The e-mail demands that the recipient make an online payment of a small sum of money, usually $20-$30. If the recipient fails to comply, the sender threatens to attack the company’s computer system and wipe out sensitive files or upload child pornography. Unsuspecting victims often opt to pay the extorter rather than risk the possibility of attack or embarrassment. Consequently, many instances of cyber extortion go unreported and investigations are not conducted.

10. Limit Access to Sensitive and Confidential Data

Cost: Moderate to High depending on the options selected
Technology skill level: Moderate to High
Participants: Technical support

If everyone could be trusted there would be no need for security measures anywhere. It is from this lack of trust that the need for security and control mechanisms arises.
E-mails should only be viewed by those to whom they are sent. Data files should only be accessed by individuals who have permission to view them. If the data is stored in files, folders, and databases within your network, you can control who can see and use the contents with an access control list, or ACL. ACLs define who can perform which actions on a file or folder, such as reading and writing. When access to information cannot be tightly controlled, as with e-mail or a credit card transaction over the Internet, the information can be concealed through a mathematical process called encryption. Encryption transforms information from one form (readable text) to another (encrypted or scrambled text). The encrypted text cannot be understood by anyone who does not have the formulas (the encryption transformation scheme and the decryption keys) needed to turn it back into readable text. The encryption mechanism must be sufficiently strong, or someone with electronic tools could guess the formulas and defeat the encryption. There is a wide range of people who work in an organization. Employees may be working full time, part time, on a temporary basis, or as contractors and vendors. All these people will have legitimate access to your network but should not have unrestricted access to every piece of information on it. A person who can access your network can see every communication that passes among the devices on your network and can view, modify or destroy the contents. There may be employees who harbor a grudge against the company, and unfortunately they have legitimate access to your network. They can run programs that search your network communications for credit card numbers, social security numbers, and financial information for criminal purposes. They can search for passwords to databases, applications and other networks to expand their access. It is these dangers that you need to safeguard yourself against.
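To make the ACL idea above concrete, here is a small model of one, covering the kinds of people the guide lists (full-time staff, IT support, contractors) and the rule that matters most when someone should not be trusted: an explicit deny beats any allow, and a person with no matching entry gets nothing. This is an added example, not code from the guide or from any operating system's ACL implementation; the users, groups, the "payroll" folder and its entries are constructed for the demonstration.

```python
"""Added example, not code from the guide: a small access control list model
showing how permissions are decided for the different kinds of people the
guide lists (staff, IT support, contractors). Users, groups, the folder and
its ACL are all constructed for the demonstration."""
from dataclasses import dataclass
from typing import FrozenSet

READ, WRITE, DELETE = "read", "write", "delete"


@dataclass(frozen=True)
class AclEntry:
    principal: str            # a user name, or a group name written "group:<name>"
    allow: bool               # True grants the actions, False explicitly denies them
    actions: FrozenSet[str]


# Constructed directory: which groups each account belongs to.
GROUPS = {
    "alice": {"group:accounting", "group:staff"},
    "bob": {"group:staff"},
    "carol-contractor": {"group:contractors"},
    "dave-it": {"group:it", "group:staff"},
    # Added to accounting by mistake; the contractor deny must still win.
    "erin-contractor": {"group:contractors", "group:accounting"},
}

# Constructed ACL for a "payroll" folder: read/write for accounting, delete for
# one named person only, read for IT (backups), nothing at all for contractors.
PAYROLL_ACL = [
    AclEntry("group:accounting", True, frozenset({READ, WRITE})),
    AclEntry("alice", True, frozenset({DELETE})),
    AclEntry("group:it", True, frozenset({READ})),
    AclEntry("group:contractors", False, frozenset({READ, WRITE, DELETE})),
]


def effective_actions(acl: list, user: str, groups: dict = GROUPS) -> set:
    """Actions `user` may perform. A user matches entries naming them or any of
    their groups; an explicit deny overrides any allow; with no matching
    entry at all the answer is nothing (default deny)."""
    principals = {user} | groups.get(user, set())
    allowed, denied = set(), set()
    for entry in acl:
        if entry.principal in principals:
            (allowed if entry.allow else denied).update(entry.actions)
    return allowed - denied


def can(acl: list, user: str, action: str, groups: dict = GROUPS) -> bool:
    return action in effective_actions(acl, user, groups)


def revoke_user(acl: list, user: str) -> list:
    """The maintenance step the guide calls for when staff change: drop every
    entry that names the user directly (group membership is handled in GROUPS)."""
    return [entry for entry in acl if entry.principal != user]


if __name__ == "__main__":
    for who in GROUPS:
        print(f"{who:17} {sorted(effective_actions(PAYROLL_ACL, who)) or '(no access)'}")
```

Keeping delete as a separately granted action, as the guide suggests further on, means a compromised or careless accounting account can corrupt a file but cannot make it disappear; the backup and restore test from the previous section then covers the corruption case.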
A few steps can be taken to achieve this objective. Some important ones are:

• Educate employees to use care in sharing sensitive and confidential information electronically.
• Do not use real information for the testing of any new processes.
• Do not use public computers or Internet café computers to access online financial services accounts. Do not make any financial transactions from these places; use a secure computer to do that.
• Do not disclose personal, financial, or credit card information to any website about which you do not have enough information or which you suspect.
Additional Steps

Ensure that your browser supports strong encryption (at least 128-bit). Get technical assistance to establish automatic encryption. When possible, use encryption for all electronic communication that passes outside of your network, and notify the sender when information cannot be sent encrypted. Get technical assistance to establish ways to encrypt sensitive and confidential information that is stored and shared on the network. Turn off the browser’s caching feature so that sensitive and confidential information is not stored in unprotected temporary locations. Establish ACLs for access to all shared files, folders, and databases to ensure that access is only available to those who have permission. These lists will have to be altered and maintained over time as staff change. Further restrict who can update and delete data and files; this allows for greater protection.

Here is an example of how your employees can use information shared on your network for their personal gain.

Credit Union Employee Gets Private Customer Information and Uses It for Personal Gain

The US Justice Department has prosecuted a woman who worked at a Sacramento, California, credit union. The woman used her firm’s computer to obtain customer account information, including names, social security and driver’s license numbers, and addresses, to open accounts in the names of others and incur unauthorized charges. Some of the credit card accounts were opened on the Internet. After the phony accounts were established, the defendant made numerous purchases totaling well over $50,000.
11. Establish and Follow a Security Financial Risk Management Plan; Maintain Adequate Insurance Coverage

Cost: Moderate – a risk management methodology is free
Technology skill level: Low to Moderate
Participants: Representatives of all levels of the organization and technical support

In order to be effective, security must be present throughout the organization. Having tight security controls but practically non-existent organizational security policies makes no sense and undermines the very purpose of the security tools. The best way to ensure that you have good cyber security measures is to have people from various levels develop a plan, keeping the technological needs of the business in mind. While planning, the following areas must be considered:

1. Security awareness and training for all technology users
2. Organizational security policies and regulations
3. Collaborative security management (partners, third-party contractors)
4. Contingency planning and disaster recovery
5. Physical security
6. Network and data security

In the rush of daily activities it is easy to overlook the need for such things as employee security training, contingency planning, and disaster recovery. You may not even be aware of the level of dependency your organization has developed on technology and the potential impact that a failure of one or more components will cause. By developing a security risk management plan, these dependencies will be highlighted and steps to lessen their disastrous effects can be identified. This will help to reduce the potential impact of technology compromise or failure. Assume that you do not have a security risk management plan. Without a plan, you will have to react to technology compromise or failure as and when it happens. Your options for response will be limited by what you can find when the problem occurs. Also, you will not be in a good position to negotiate the cost of technical assistance or the level of expertise provided. The problem, and the loss arising from it, may continue longer than necessary as you attempt to figure out what to do before acting to correct it.
To save yourself from such a situation, review your disaster recovery and contingency plans. Identify the impact to your business should you experience an extended power failure, flood, or major storm.

Additional Steps

Apply a security risk management methodology designed for small business, such as OCTAVE®-S, to identify important technology assets and the threats to these assets, and to develop a security plan for your organization. As part of the methodology you will compare your existing security practices with established best practices to identify areas where your organization is vulnerable, and seek mechanisms and solutions for addressing the gaps in your existing security practices. Get technical assistance to perform a vulnerability assessment of your technology environment to identify the vulnerabilities that pose a major risk to your important technology assets and to identify mechanisms for reducing their possible impact.

Here is an example of how security measures could have saved this business from ruin.

On-Line Retailer Misunderstands Insurance Coverage, Gets Wiped Out by Attack

Thanks to a series of computer attacks, an on-line retailer once valued at over $1 million is ruined. The worst damage was done when the attacker spammed the owner’s clients contending the firm was a front for pedophiles (the owner’s wife operated a day care center). Direct losses, denial of service, replacing data, customer attrition and PR costs crippled him. Since this was an inside job, no reasonable technical measures would have protected him, but appropriate risk management, including insurance, might have. Unfortunately, the president of the company had not understood that his cyber-risk exposures were not covered by his standard property and casualty policy. Standard insurance policies do not cover cyber-risks.* “My business is gone. My wife’s business is gone, now I just hope we can hang on to our house,” said the disheartened former owner. Cyber insurance, which is now available, might have saved this company. Of course, taking out a separate cyber policy would have added to his operating expenses, but it might have allowed his company to survive the financial consequences of the cyber attack.
Some organizations have arrangements in place whereby substantial premium credits on the cyber-insurance premium are provided to members who comply with best practices such as those outlined in this guide.

12. Get Technical Expertise and Outside Help When You Need It

Cost: Low to High depending on the services needed
Technology skill level: Medium to High
Participants: Company management and technical support

Good technical assistance is a valuable asset for any business in today’s day and age. You have a business to take care of and cannot possibly manage all the security and risk concerns on your own. Therefore, it is important to have someone who is qualified in this line of work. Even this measure is not totally foolproof, as new viruses are discovered daily. Unlike most software tools and hardware components, technology security cannot be learned by trial and error. Security is not something that remains constant. There are new dangers to security at every corner, and that is why security measures need to be reassessed frequently. This frequent reassessment will enable you to identify when changes within the organization and new threats require an adjustment to some or all of the protection mechanisms. Although it is important to have technical assistance, it is equally important to safeguard yourself. Those taking care of your technological security will be aware of your weaknesses and could use them to your disadvantage. Make sure they are able to explain whatever they are doing and how it is going to help you prevent attacks, recognize intrusions and recover if need be. Hardware and software components are designed for easy installation and use, and with the purpose of enhancing security. A wide range of information sharing capabilities are available but should not be used without careful consideration. Additional time and effort is required to implement security, but without it your network can be compromised and your information taken or destroyed without your being aware of anything unusual.
In addition to Internet attackers attempting to compromise all types of devices for unknown purposes, and data snoopers looking for ways to steal personal and financial data, others such as your competitors, current and former employees, and family members may be seeking ways to learn more about your business, employees, and customers. Whether they are snooping for fun or are trying to get at you, the outcome for your organization will be a loss of business reputation, potential harm to customers, potential fines and penalties, and loss of time while you explain why you let this happen. The only way to stop such things is by following the best practices of cyber security. Start by asking the individuals handling your technology support how they are addressing the security practices in this booklet and whether they need additional assistance. If you are considering hiring outside assistance, evaluate the following:

1. Review past work experience
2. Review a partial client list and ask for references from current customers
3. Ask how long the company has been in business
4. Ask who, specifically, will be assigned to do your work, and their qualifications and relevant certifications
5. Ask how they provide support, what is done at your site, and what is done offsite
6. Ask how offsite access is controlled

Make sure you have made arrangements for all of the security practices described in this booklet. If internal staff are handling some of the technical work with the assistance of a consultant, make sure everyone knows what they are to do and how they will work together. Make sure you have included minimum performance requirements, monitoring mechanisms, and a termination process before establishing any technical security support.

Additional Steps

Through organizations such as the Chamber of Commerce, the National Association of Manufacturers, the National Federation of Independent Businesses, the Internet Security Alliance, and other peer groups and conferences, ask others about their approach to security and what they feel has been successful.
Establish periodic reviews of your security service, whether it is handled internally or externally (annually at a minimum and preferably once a quarter), to determine whether existing support is sufficient and to identify any further improvements that are needed.

This is an example of how we tend to underestimate the need for cyber security and how that leads to undesirable consequences.

Venture Capital Research Firm and Law Firm Try to Get by Without Good Technical Assistance—Regret the Decision

A three-person venture capital research firm realized how dependent its business was on the Internet when its e-mail went out due to a virus just before two of the partners were due to take extended business trips. Although the firm received over 600 e-mails a week and used the web as its sole source of promotion, it felt it could not afford a full-time tech expert. The partners had to cancel the business trips, fearing they would lose their customers if they could not keep in touch. It took three frantic days of calling around before they found an expert to talk them through their problems. An Albany, NY law firm with about 20 computers lost its network administrator and failed to replace him for six months. When the firm finally brought in consultants, they found a variety of vulnerabilities: updates had not been applied to the server, the anti-virus software had not been updated, and its license had expired. After the technical consultants turned in their analytical report, but before they had begun to repair the situation, the law firm was hit by a virus. Many of the PCs were affected and hundreds of files were compromised.
About this Guide

The aim of this guide is to make you aware of the risks involved when you are dealing with a computer network. Whether you have a small or large business, you need to be aware of these risks and must take action to mitigate them as far as possible. Further, analyzing these risks on your own can be costly in the long run, as you might not be able to do a thorough analysis of these dangers yourself. It would therefore be advisable to seek professional help. COPIATECH has done such analysis for a number of businesses, and its experts understand the vulnerabilities much better than you can imagine. COPIATECH can help you develop a plan to eliminate those risks so that you can focus on your business and not worry about cyber security. What are you waiting for? Eliminate your security issues by calling or filling out a contact sheet, and we will be glad to help you understand the world of IT Security.