Information at your fingertips. It’s still a noble goal even more than ten years after Bill Gates first announced it as Microsoft’s strategy. Back then the problem was trying to connect users and make the mountains of data available to everyone.
Today it is easy to make the data available to your users – employees, vendors, customers. The concern now is to only have that information at the fingertips of the people you choose. Keeping your company and personal data away from the prying fingertips of competitors and hackers is a significant challenge.
There are two main threats to data security: lack of knowledge and actual attackers. Typically, attacks on your data’s security will come from outside your network, but there may be internal attacks from disgruntled or malicious employees.
Keith Rowe, president of Aztek Technology, a division of Westlake-based Aztek, says, “From my experience, a good internal security plan/philosophy can eliminate most accidental employee security mistakes. However, any employee with malicious intentions and with the proper access is probably the most dangerous and difficult to detect, much less stop.”
Smaller businesses are particularly vulnerable to both kinds of threats because they don’t have as many resources to educate their employees on proper processes. Plus, they don’t think they are of interest to external hackers.
For example, a small business made up of primarily family members and trusted friends might not see the need for using annoying passwords every time they want to access a shared-data directory. So they leave the password blank and it’s much easier and faster to grab the data they need.
The problem is that other people on the same network can access that data with the same blank password and it’s very possible that the “same network” means the entire Internet. While it may be a hassle to enable security precautions, it’s also a hassle to lock your car, but the effort is worth the reward.
External threats are constant and numerous. Any computer that is connected to the Internet is at serious risk, no matter how small your company is and how unexciting you think your data is to the outside world.
“Usually the risks on a private network are manageable, but when you get to the Internet you can only control up to your presence,” says Larry Kelbach, manager of data security for Westlake-based Antares Management Solutions, an IT and business process outsourcing firm that’s a subsidiary of Medical Mutual of Ohio.
Many of the external attacks come from young people who have copied some of the free hacking tools available on the Internet. Rowe says, “The most dangerous individuals are usually in high school and have a couple of computers, a couple friends, and a high-speed Internet connection.”
Kelbach calls them the “Nintendo Boys.” But in the last few years, he has seen a shift away from the “copycat kids” and their malicious fooling around because detection tools are better. “Now it’s shifting more toward money and theft,” he says.
Keith Peer, president and CEO of anti-virus company Central Command Inc., sees Trojan and backdoor programs as the most common threats. “Typically,” Peer says, “these malicious programs don’t call too much attention to themselves. In fact, they usually go unnoticed. However, they open a computer to a broad range of potential hazards, including the stealing of credit card and bank account information, as well as passwords and other confidential data.”
Once an outsider has control of your PC he can exploit it. Your PC may end up being used as a porn zombie without your knowledge. Try explaining that to the FBI when they knock on the door.
Scared yet? Peer says that for a typical unprotected home-PC user on the Internet, there is a 39 percent chance of the system being infected in 10 minutes, a 72 percent chance of the system being infected in 30 minutes and a 95 percent chance of the system being infected in 60 minutes.
“Some threats today are simply programmed to probe for vulnerable systems,” Peer explains. “Take the infamous Zotob worm family or ‘bots’ in general.” He adds that there hasn’t been a worldwide virus epidemic in many months “because malicious attacks are becoming increasingly targeted.”
So the bad guys are getting smarter and more malicious. And they have a greater arsenal of tools to work against you. “Some of the most dangerous threats come from individuals or organizations with enough time, money and know-how,” Rowe says.
There are three areas you need to develop to counter their efforts. First is what’s called the “back office.” This is where your IT pros combat the threats to your systems and data. If you don’t have someone in-house who can handle this, you may need to outsource the task. It is an essential part of doing business.
The “back office” staff will employ a series of protection strategies to make your systems less vulnerable. Kelbach warns about the large number of vendor software vulnerabilities. Software companies continually test and respond to bug reports. If you purchased Microsoft Windows XP, for example, from a store shelf just a few months ago and haven’t updated the software since, your system is extremely vulnerable.
Microsoft is an easy example because such a large percentage of the market uses Windows and other Microsoft software, so they are a constant target for attackers looking to harm the most users. But Linux and Macintosh users are also vulnerable as hackers have begun exploiting their weaknesses. Whatever operating system and application software you run, it is imperative that you regularly check for critical updates and patches for the products and install them.
Having a firewall is essential. A firewall is hardware and/or software intended to isolate your PC and network from the rest of the Internet. As a packet of data tries to enter your network, the firewall inspects it to see if it should be allowed in or not. Some firewalls are one-way only. That is, they prevent bad things from entering your PC, but let anything out.
In a business environment you want a firewall that blocks bad outgoing packets as well. This will prevent the “porn zombie” scenario because if a piece of malicious software infects your system it won’t be able to do damage originating from your PC to the rest of the world.
“Scanning and probing? That’s a given,” says Kelbach. “That’s a part of a presence on the Internet. You gotta live with it. So what you do there is you make sure that your servers and OS are current as far as vendor patches and vulnerabilities. You must constantly keep up with what software your users are using and what vulnerabilities are announced daily.”
Of course you need to protect all of your PCs with anti-virus software and, as evidenced by Peer’s statistics, they must be kept up-to-date. With 240 new threats introduced just today alone, if your anti-virus software is not current, you are asking for infection.
There are numerous tools and techniques that your “back office” can employ to limit your exposure. They can encrypt e-mail and Instant Messages, filter content so some sites and actions are unavailable to the users, make users change passwords regularly and so on. But many of the techniques require the cooperation of the users, which brings us to the second area of prevention: education.
Standards and policies need to be set in place and users should be trained on them to maximize your data security potential. Your users need to be aware. They need to know not to open attachments from unrecognizable sources.
Be sure users know the dangers of setting up a rogue Wi-Fi access point, for example. Remind them that it’s also their personal information that is exposed. Teach them not to share user IDs or passwords, even with co-workers, let alone a clever thief who may be employing social engineering techniques to get their information. Train them to delete their temporary files after browsing public Internet providers like the library.
“Almost all the delivery viruses, Trojans, spyware, etc., are a choice technology – you make a decision and if you have ignorant users they may wind up making the wrong decision,” says Kelbach. Help them make the right decisions with training and reinforcement.
The third area of protection is testing, often using the same tools and techniques that hackers would. Though he has the skills, Kelbach pays an outside company to do perimeter reviews of his networks. “I don’t care how good people say I am, inevitably I might make a mistake. The best thing to do is have someone else do professional hacking against it to test penetration. Let some other professional look for penetration and rogue stuff.”
Data security is an ongoing process. The bad guys don’t rest so neither can you. With proper “back office” techniques, user education and testing, you can keep the data at your fingertips and out of the wrong hands.