Category Archives: Information Protection

How do LinkedIn’s security problems affect you?

The recent news that top business networking site LinkedIn had a significant number of passwords compromised has been the biggest story in the information security world this week. It is disappointing but not surprising that LinkedIn was affected by this breach. What went wrong in their security process?

  • An as-yet undisclosed vulnerability (probably some type of database injection attack) led to unauthorized access, which allowed the hacker to download the site’s hashed password database.
  • Even though the passwords were hashed, they were not salted to provide an additional level of security. This meant that the hashed passwords were susceptible to attacks that could quickly crack weak passwords.
  • LinkedIn was relatively slow to fess up to the attack and notify users to change their passwords. This has now happened, and after taking some initial grief LinkedIn has forced password changes on those they believe were affected. This should help minimize the damage to users whose passwords were disclosed.
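The second bullet is the core technical lesson of this incident, so here is an added example (not from the original post, and not LinkedIn's code) showing why unsalted hashes are a problem: when every user's password is hashed the same way, users who chose the same password end up with the same stored hash, so one lookup table or one cracked value covers all of them. The example assumes a constructed set of users, uses plain SHA-256 to stand in for whatever unsalted hash was actually used, and contrasts it with a per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256).

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample: several users picked the same weak password.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",
    "dave": "password1",
}


def hash_unsalted(password: str) -> str:
    """A single fixed hash with no salt (SHA-256 here, as an illustration)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF; the salt is stored with the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_hash_groups(stored_hashes: Dict[str, str]) -> int:
    """Count distinct hash values shared by more than one user.

    In an unsalted store every shared password shows up as a shared hash, so
    cracking one value unlocks every account that used it. A salted store
    should always return 0 here, whatever the users chose.
    """
    counts = Counter(stored_hashes.values())
    return sum(1 for c in counts.values() if c > 1)


def build_store(salted: bool) -> Dict[str, str]:
    """Hash the constructed user list with or without salting."""
    fn = hash_salted if salted else hash_unsalted
    return {user: fn(pw) for user, pw in SAMPLE_USERS.items()}


if __name__ == "__main__":
    print("unsalted duplicate groups:", duplicate_hash_groups(build_store(salted=False)))
    print("salted duplicate groups:  ", duplicate_hash_groups(build_store(salted=True)))
```

A quick audit of your own password table is to run the duplicate check on it: any hash value that appears more than once is a sign that the store is unsalted (or that the salt is not per-user), and that is worth fixing before a breach rather than after.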

So how do LinkedIn’s security problems affect you?

If you are a LinkedIn user make sure to reset your site password and the passwords on any other sites if you use the same passwords across multiple sites.

What information security lessons does this incident teach an average website user?

Even professional companies with a lot of money to spend will be subject to information security compromises. For that reason it is important to utilize different user account names and separate passwords on each site you use, to minimize the impact if any one account is compromised. To help manage this level of security and keep your sanity in the process I highly recommend that you use a password management program such as LastPass. This will help you spread out your risk and minimize the damage of any one site being compromised (and if your password management company gets compromised, be sure to change that one with lightning speed). Lastly, it is important to keep up with the news and know when information security problems occur for sites you utilize. That will help you take swift action to minimize your chance of problems.


Are you protecting your most important information assets?

Information security sometimes feels like a never-ending challenge. There are a thousand different things that need to be done, from patching systems to educating employees, and any one hole can mean big problems. Smart companies have realized the impossibility of securing every asset and have changed the theatre of the information security battlefield.

Effective information security management is no longer about trying to stop every little problem that can go wrong; that is an impossible task with failure guaranteed. Leading businesses are now focused on securing the intellectual property and operations that are most critical to their competitive advantage. This new approach is more advanced than previous information security approaches that threw information security controls against the wall in the hope that enough stuck to keep bad things from happening.

What are the advantages to approaching information security based on a critical asset protection model?

  • Helps focus your information security investment towards protecting the most important assets that matter.
  • Makes information security more manageable and makes realistic assumptions vs. assuming you can protect everything.
  • Allows you to be more specific about your information security objectives vs. operating in a more abstract manner.
  • Increases security oversight over important assets/business processes and enables customized monitoring specific to those resources

What are the challenges in implementing a risk based critical asset information security model?

  • Initially many organizations will struggle with answering the question about which assets are truly critical.
  • Requires a more collaborative model of information security, with a deeper level of engagement needed with key business partners. Many information security organizations struggle with understanding which assets are truly critical because there is an insufficient understanding of how the business really works.
  • Requires a change in mindset from trying to secure the perimeter and keep the bad guys out to assuming they are already inside and layering your controls to focus efforts on protecting critical assets. This is not to say that firewalls and other perimeter-based control mechanisms are obsolete, only that they have proven ineffective as the primary mechanism for protecting an organization’s critical intellectual property.
  • New security tools will be needed to help protect down to the data layer and assist in blocking advanced threats.

If your information security organization is still operating with a secure the perimeter mentality as your primary focus you risk becoming obsolete. More is expected of an information security organization in our knowledge based economy. You are expected to understand the business at a sufficient level to know what intellectual property and business processes are critical to ongoing success of your company. This requires deeper business knowledge and business relationships to help validate that you are focusing on the right things.

Information Security for laptops, desktops, and servers

Your company’s laptops, desktops, and servers are critical for most of your major business processes, from customer management to invoicing, accounting, and payroll. If your systems are not available for use you cannot perform these activities and keep your business operating effectively. Worse yet, if your devices have been compromised your data is not secure and it can be deleted, manipulated or misused for financial gain by cyber criminals. Simply put, keeping your systems secure helps keep your business secure.

Here are the key items you need to consider to stay protected:

Update your software – The developers that make the software you utilize are not perfect; in fact there are thousands of yet-to-be-detected errors in every piece of software you own. Nearly every company is regularly updating its software to improve functionality and eliminate security vulnerabilities, and you need to quickly update your systems to protect against known security threats.

Utilize auto update functionality – For most desktop/laptop systems auto updates are the best way to ensure that you are installing any needed security patches in a timely manner. This link to Microsoft’s site shows you how to set the auto update functionality for their most common operating systems. Application software updates for the common applications you use, including Microsoft Office and Adobe among others, are also required to round out your protection. Your internet browser (whichever you choose to utilize) is also one of the most critical things to have running at the most current version, because a lot of malware is picked up via the Internet.

How to update Internet Explorer – While in IE go to Tools > Windows Update and install any recommended patches

How to update Firefox – While in Firefox go to Help > Check for Updates

* Note: it is also important to ensure any Firefox updates you have installed are themselves updated in a timely manner when a new release is available.

How to update Google Chrome – Follow the instructions provided by Google in the attached link.

The one exception you should make for auto updates is to not perform it on critical servers. All updates should be tested in a more controlled manner on a critical server to avoid potential problems with new security patches.

Utilize Antivirus software – Antivirus software is essential for minimizing the risks of getting infected with all forms of malware including viruses and worms. If you do happen to get infected antivirus software can often help you fix the issue and remove the problem. In addition to antivirus software, Microsoft’s Malicious Software Removal Tool is an excellent free tool that offers malware removal options.

Practice Safe Internet Browsing – Educate your users and train them to limit their Internet activity to trusted sites to lower their chances of picking up nasty malware. Even if you patch and have antivirus you could be pushing your luck if you visit untrusted sites, as a zero-day vulnerability could be waiting to infect your systems and defeat the other security mechanisms you have implemented.

Backup Your Data – Tips for keeping your information secure

Backing up your data is one of those information security chores that we know is important but often neglect to do; it is basically the gutter cleaning of information security. Just as failing to clean gutters can lead to eventual roof leaks, failing to back up your data can lead to big problems should a natural or unnatural disaster occur. Disasters come in many forms, varying from flood, theft, and electrical surges to malicious insiders or outsiders with a grudge against your business seeking to do harm.

Now that you are convinced that backing up your data is one of the most important steps you can take to ensure your business or personal files are protected, how do you get started? Two items to consider are your Recovery Point Objective and your Recovery Time Objective. Simply put, a Recovery Point Objective guides the frequency of backups, while a Recovery Time Objective sets a business-risk-based target for when the system must be operational again.

Examples

RPO – If your business Recovery Point Objective (RPO) is to lose at most a day’s worth of data, you are fine performing daily backups that can recover you to the desired time. Likewise, if a personal computer contains information that is only updated with photos and key documents on a weekly basis, you are fine setting an RPO of one week.

RTO – If you perform a risk assessment and determine your Recovery Time Objective (RTO) is 3 days that means you must craft your backup and recovery program to allow system recovery within this time frame.

Data Backup Tips

  • Backup frequency should be determined by your Recovery Point Objective (RPO) and the importance of the data.
  • Automate your backups using scheduling software to ensure they happen regularly and to minimize the likelihood of human error.
  • Store the backup a sufficient distance away from the primary source of the data. This helps ensure that both copies of the data are not lost if you experience a fire, flood, or theft. Good ways to do this include using a secure online backup service, a professional physical backup service, or storing physical drives or media in a bank safety deposit box.
  • Verify that your technical support people are monitoring backup failure reports. Backups can fail for a wide variety of reasons, so it is important to regularly monitor the success of backups.
  • The ultimate proof that your data can be recovered is to perform a restoration test. This will validate that the backup is of good quality and that you are truly protected. It is recommended that backups be tested annually at a minimum.
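The RPO discussion above and the last two tips (monitor backup results, run a restoration test) are easy to automate. The following is an added example, not code from the original post; it backs up a constructed directory into a tar archive, records a SHA-256 manifest of every file, restores the archive into a scratch directory and reports any file that is missing or differs, and checks the age of the last backup against the RPO. The demo deliberately damages the source copy after the backup to show that the archive, not the live data, is what the restore test validates.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a gzipped tar of source and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore_test(archive: Path, expected: Dict[str, str]) -> List[str]:
    """Restore into a throwaway directory; return paths that are missing or differ."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)
        got = manifest(Path(scratch))
    return [p for p, digest in expected.items() if got.get(p) != digest]


def rpo_breached(last_backup: datetime, now: datetime, rpo: timedelta) -> bool:
    """True when the time since the last good backup exceeds the RPO."""
    return now - last_backup > rpo


def demo() -> dict:
    """Constructed sample run: back up two files, corrupt the source, then restore-test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,amount\n2012-06-01,100\n")
        (src / "sub" / "notes.txt").write_text("quarterly plan\n")
        archive = Path(work) / "backup.tar.gz"
        expected = create_backup(src, archive)
        # Simulate damage to the live copy after the backup was taken.
        (src / "ledger.csv").write_text("corrupted\n")
        return {
            "files": len(expected),
            "mismatches": restore_test(archive, expected),
            "source_changed": manifest(src) != expected,
        }


if __name__ == "__main__":
    print(demo())
    print("RPO breached:", rpo_breached(datetime(2012, 6, 1), datetime(2012, 6, 3), timedelta(days=1)))
```

The manifest is the piece most people skip: a backup job that "completes" can still produce an archive with a truncated or silently changed file, and only comparing restored files against the hashes recorded at backup time catches that. Scheduling `rpo_breached` against the timestamp of the last successful job turns the RPO from a number in a policy document into an alert.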

Ways to backup your data:

1. Online Backup Services – Online backup is both cost effective and a convenient way to ensure the information is far enough away from your primary data source. For a business I recommend sticking with large reputable providers and avoiding free services that may not be there tomorrow. I will review online backup services in a future post, but for now you can consider highly rated providers Mozy, IDrive or Amazon S3 storage services.

2. External Hard Drives – An external hard drive is a great way to conveniently store backups that are smaller in nature and then store them in an off-site location. I would consider getting two 2 TB external hard drives, which would enable you to set up a small off-site rotation plan.

3. Recordable CDs/DVDs – A recordable DVD drive is a great way to make a portable backup that can be stored off-site in a bank safety deposit box or other secure location.

4. Magnetic Tape – Magnetic tape is cost effective for larger corporations with large volumes of data, but for smaller businesses I recommend one of the options above.

Online Banking Security Tips

Another day and another report of a big online banking information security incident. At this point you have to be asking yourself if your business can securely online bank or if it is best avoided altogether. The FDIC offers some limited online banking guidance that primarily deals with not doing business with fake banks and how to validate if your bank is FDIC insured. While these measures are important they are not sufficient to ensure that your online banking is done in a secure manner.

Step 1 – Decide if the benefits of online banking are greater than your potential exposure to loss from fraud. For individuals this is an easier decision as you have more protection, but a business should fully evaluate the risks and implement the controls recommended below prior to online banking.

Step 2 – Ensure the computer(s) that you will be online banking with are regularly patched (both operating systems and other general applications), utilize up-to-date antivirus control, and have a personal firewall installed. I will cover all of these items in more depth with recommended options in a future article, but if you are using an all-in-one suite like McAfee or Norton you are on the right track.

Step 3 – Strongly consider dedicating a single machine used only for online banking. That means no internet surfing, no email usage etc… The most common method of compromise is via malware from internet surfing or infected email attachments so avoiding these activities via a dedicated machine greatly reduces your risk. That being said you must be consistent and do this 100% of the time for it to be effective.

Step 4 – Never perform online banking transactions on a shared PC or on a network that you do not own. Shared PCs or strange networks could be capturing your online banking credentials and could lead to the compromise of your accounts.

Step 5 – Practice good password management practices with your online banking credentials.

Step 6 – Implement automated account monitoring that will automatically alert you of key changes to your account such as security setting changes, adding of a new payee, as well as low balance alerts set on your desired threshold. I recommend getting these alerts sent to your mobile phone as this will offer some additional protection vs. being sent to a traditional email account.

Step 7 – Not many banks have implemented advanced controls to replace passwords (such as password tokens that change every minute) but if you are considering different banks I would lean towards one with greater security measures vs. those that only offer static passwords.

Step 8 – Check your online bank balances once or twice a week to ensure that nothing suspicious has occurred and if you do detect an issue promptly report it to your bank and document all the follow-up you have performed to help minimize your chances of financial loss (keep detailed records of dates and individuals you have talked to). In addition, no amount of error is too small to follow up on as thieves often start with a small test transaction to set the stages for a bigger heist later.
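Steps 6 and 8 describe the monitoring side of online banking: alert on security setting changes, new payees and low balances, and treat small unexplained transactions as worth following up. As an added example, not from the original post and not tied to any bank's real alerting API, the code below runs those rules over a constructed account activity feed. It also flags payments to a payee that was added within the last 24 hours, which is how a small "test" payment followed by a larger transfer to the same new payee shows up in the alert list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str            # "transaction", "payee_added" or "setting_changed"
    counterparty: str = ""
    amount: float = 0.0  # negative for money leaving the account
    balance: float = 0.0 # balance after the event


# Constructed sample activity feed (not real bank data).
SAMPLE_EVENTS = [
    Event(datetime(2012, 6, 4, 9, 0), "transaction", "Payroll Inc", 12000.00, 15200.00),
    Event(datetime(2012, 6, 4, 13, 10), "setting_changed", "contact email", 0.0, 15200.00),
    Event(datetime(2012, 6, 4, 13, 12), "payee_added", "ACME Transfers", 0.0, 15200.00),
    Event(datetime(2012, 6, 4, 13, 15), "transaction", "ACME Transfers", -1.00, 15199.00),
    Event(datetime(2012, 6, 5, 8, 30), "transaction", "ACME Transfers", -14900.00, 299.00),
]


def build_alerts(
    events: Iterable[Event],
    low_balance_threshold: float,
    new_payee_window: timedelta = timedelta(hours=24),
) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, category, message) alerts for the rules in steps 6 and 8."""
    alerts: List[Tuple[datetime, str, str]] = []
    payee_added_at = {}  # counterparty -> when it was added to the payee list
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "setting_changed":
            alerts.append((e.ts, "SETTING", f"security/profile setting changed: {e.counterparty}"))
        elif e.kind == "payee_added":
            payee_added_at[e.counterparty] = e.ts
            alerts.append((e.ts, "NEW_PAYEE", f"payee added: {e.counterparty}"))
        elif e.kind == "transaction":
            added = payee_added_at.get(e.counterparty)
            if e.amount < 0 and added is not None and e.ts - added <= new_payee_window:
                alerts.append((e.ts, "PAYMENT_NEW_PAYEE",
                               f"{e.amount:.2f} to {e.counterparty}, payee added {e.ts - added} ago"))
            if e.balance < low_balance_threshold:
                alerts.append((e.ts, "LOW_BALANCE",
                               f"balance {e.balance:.2f} below threshold {low_balance_threshold:.2f}"))
    return alerts


def alert_counts(alerts: List[Tuple[datetime, str, str]]) -> dict:
    """Summarise alerts by category, handy for a daily review email."""
    counts: dict = {}
    for _, category, _ in alerts:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, category, msg in build_alerts(SAMPLE_EVENTS, low_balance_threshold=500.00):
        print(ts.isoformat(), category, msg)
```

Most banks let you configure the first three categories directly; the new-payee payment rule is the one you typically have to apply yourself when reviewing the alerts you receive. Sending the alerts to a phone rather than the mailbox that an attacker may also control, as step 6 recommends, is what makes the setting-change alert useful in practice.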

Online banking is convenient but you must be vigilant and implement the recommendations above to stay secure and protect your business.

Password security – Tips to keep your passwords secure

A user name and password is still the most common method of controlling access to systems. Utilizing good password practices can make the difference between keeping your information secure and becoming a victim. Here are some important password tips:

1. Choose a password that is easily remembered by you but not easily guessable by others. The password should be a minimum of 8 characters and include at least one letter, number and symbol. Here is a link to a site with comprehensive password guidelines in case you are looking for even more detail and here is my example of a password that fits that criteria – HEN2!blue

2. Do not utilize the same password for all of your activities. I recommend having a standard password for non critical Internet sites and then a separate unique password you utilize for important systems at your home or office.

3. Do not write down your password and leave it in a place that others can see. Many security pros recommend to never write down a password at all but I will be practical and say if you need to write it down keep it locked in an area that only you have access to.

4. Do not disclose your password to others even if they ask for it (whether it be in an email, over the phone or in person). Hackers are crafty and often pose as a trusted person in an attempt to get you to lower your guard and give them the information they are looking for (known as social engineering).

5. Be extremely careful of saving your user name and password when given the option especially if you are not the sole user of your PC.

6. If you have advanced security needs or have an excessive number of passwords to remember, I recommend utilizing a secure password management software package. Many options exist, but two to consider are Roboform Pro and SurfSecret KeyPad. You can likely find some freely available password management software, but be sure to read the licensing agreement if you plan on using it for your business.
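Tips 1 and 2 above can be checked mechanically. As an added example (not code from the original post), the function below applies the stated rule (minimum 8 characters with at least one letter, one number and one symbol) and returns the list of reasons a candidate fails, so a registration form or a helpdesk script can tell the user what to change. A second helper takes a per-site password list and reports which sites share a password, which is the reuse tip 2 warns against; the site names and passwords in the demo are constructed.

```python
import string
from typing import Dict, List


def check_password_policy(password: str, min_length: int = 8) -> List[str]:
    """Return the policy rules the password breaks (empty list means it passes)."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if " " in password:
        problems.append("contains a space, which many systems silently strip")
    return problems


def reused_passwords(passwords_by_site: Dict[str, str]) -> List[List[str]]:
    """Group site names that share an identical password (groups of two or more)."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in passwords_by_site.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # The post's own example password should pass the stated rule.
    print("HEN2!blue ->", check_password_policy("HEN2!blue") or "ok")
    print("password  ->", check_password_policy("password"))
    # Constructed per-site list to show reuse detection.
    sample = {"webmail": "HEN2!blue", "bank": "Tr3e$house", "forum": "HEN2!blue"}
    print("reused on:", reused_passwords(sample))
```

The checker enforces only what the post states; it does not judge guessability, so a dictionary word decorated with a digit and a symbol will pass. Treat it as a floor, and pair it with the advice in tip 1 about choosing something others cannot easily guess.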

Follow the above steps to keep your passwords secure and help ensure you and your business are protected.

Information Security – Who needs it? Pizza Shops Do!

You own a small pizza shop, or perhaps a chain of them, and think you could not possibly be the target of internet thieves. Mary’s Pizza Shack thought the same, so learn from their mistake before you become a victim. Russian hackers managed to infect the transaction terminal that processed credit card orders, which exposed customers’ accounts to unauthorized transactions.

Company Exposure: The company was forced to make an embarrassing disclosure to its customers and pay for expensive analysis of the damage done by the incident.

Lessons Learned & Possible Preventive Measures:

1. Employee education regarding dangers of clicking unsolicited attachments (likely source of infection)

2. Avoid surfing Internet with sensitive systems that process credit card transactions (2nd most likely source of infection)

3. Stay current with anti virus and operating system patches

Data Security – Tips to Keep your Data Secure

Securely wipe data off of hard drive devices prior to redeployment

As mentioned in Top 10 Information Security Items Your Business Needs to Do Now, when you plan to get rid of old computers, servers, network devices, portable storage (like USB drives) and printers your job is not yet done. These devices will walk out the door with sensitive company information on them if you do not put in place proper measures to sanitize them prior to removing them.

When you are eliminating an electronic device and wish to secure sensitive data, simply deleting files or formatting the drive is not sufficient to secure your sensitive data. Short of physical destruction of the disk itself, which is often not a viable option if you lease or wish to donate it to charity, utilizing disk wiping technology is the preferred method for safely removing data. Listed below are several disk wiping technologies with recommended products to assist with this important security process.

Recommended commercially available hard drive / disk wiping software:

#1 – WipeDrive PRO

This industry-leading software is trusted and used by the Department of Defense, who literally wrote the book on disk wiping requirements. In addition, WipeDrive PRO is an approved compliance disk wipe tool for regulations such as HIPAA, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Patriot Act, and the Identity Theft and Assumption Deterrence Act. It supports all PC and Mac computers and can also wipe external hard drives, thumb drives, memory cards, iPods and other external media.

#2 – Acronis Drive Cleanser

Acronis Drive Cleanser is compliant with DoD standards and supports the majority of Windows and Unix operating systems that your small business is operating. The friendly menu-driven software is easy to install and operate and comes pre-loaded with all of the standard algorithms you may wish to use.

Recommended free hard drive / disk wiping software for personal or business use:

Disk Wipe – Tool is free of annoying adware and is a fully functional disk wiping utility that also works on portable drives and other media like SD cards. My favorite of the freebies.

Eraser – Works with any Windows-based drive and supports most of the common wiping methods described already.

DBAN – Last of the big 3 no cost solutions is another strong option for handling disk wiping needs on a budget.

All of the above product recommendations are for Windows-based devices. If you are utilizing Apple Macs I recommend utilizing WhiteCanyon’s WipeDrive for Mac.

Hard Drive wiping tips:

  1. Configure the setting for the number of disk wiping passes to a minimum of 3X to ensure the data is sufficiently overwritten. The setting could be set much higher, but anything greater than 7X does not add much to security and will add a lot of time to the process.
  2. Disk Wiping can take a lot of time depending on your configuration option so usage of a concurrent license option is recommended if you are dealing with large volumes of devices.
  3. Review the completion log to ensure the wiping completed 100% successfully
  4. If you choose to use one of the free options I recommend using a “stable” vs. “beta/preview” builds to minimize your likelihood of encountering errors.
  5. If your business must comply with certain regulations like HIPAA, it is safer to go with commercial products that have certified their products to comply with a particular standard vs. freely available products that often do not.
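Tips 1 and 3 above (multiple overwrite passes, then review the completion log) are easier to reason about with a concrete implementation in front of you. The following is an added example, not code from any of the products named, and it works on a single file rather than a whole device: it overwrites the file in place for the configured number of passes (random data, with a final pass of zeros), forces each pass to disk with fsync, reads the file back after each pass to confirm the original bytes are gone, and returns a per-pass log of the kind a disk wiping tool produces. The sample file it wipes is constructed in a temporary directory.

```python
import os
import secrets
import tempfile
from typing import Dict, List

BLOCK = 64 * 1024


def _overwrite_pass(f, size: int, pattern_zero: bool) -> int:
    """Write one full pass over the open file; returns bytes written."""
    f.seek(0)
    written = 0
    while written < size:
        chunk = min(BLOCK, size - written)
        f.write(b"\x00" * chunk if pattern_zero else secrets.token_bytes(chunk))
        written += chunk
    f.flush()
    os.fsync(f.fileno())
    return written


def wipe_file(path: str, passes: int = 3) -> List[Dict]:
    """Overwrite `path` `passes` times, verify each pass, then unlink it.

    The returned log is the "completion log" to review: every entry should
    show verified=True and bytes equal to the file size.
    """
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    log: List[Dict] = []
    with open(path, "r+b") as f:
        original_prefix = f.read(min(size, BLOCK))
        for n in range(1, passes + 1):
            final = n == passes
            written = _overwrite_pass(f, size, pattern_zero=final)
            f.seek(0)
            data = f.read(size)
            if final:
                verified = data == b"\x00" * size
            else:
                # Original content must no longer be readable from the file.
                verified = size == 0 or data[: len(original_prefix)] != original_prefix
            log.append({"pass": n, "bytes": written, "pattern": "zeros" if final else "random",
                        "verified": verified})
    os.remove(path)
    return log


def demo(passes: int = 3) -> dict:
    """Constructed sample: wipe a small file and report the log plus whether it still exists."""
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "customer_list.csv")
        with open(target, "wb") as f:
            f.write(b"name,card_last4\nMary,1234\n" * 5000)
        log = wipe_file(target, passes=passes)
        return {"log": log, "exists": os.path.exists(target),
                "all_verified": all(entry["verified"] for entry in log)}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The caveat that matters for real disposal: overwriting through the filesystem only reaches the blocks currently mapped to the file. Journaling filesystems, copy-on-write storage, SSD wear levelling and bad-sector remapping can all leave older copies of the data where a file-level overwrite never touches them, which is why the products listed above boot outside the operating system and wipe the entire device. Use an example like this to understand the pass-and-verify structure, not as a substitute for a whole-disk tool on equipment leaving your control.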

Leased Equipment Tips

  1. Ensure your lease agreement covers the vendor securely wiping your device, whether it is a PC, server, printer, or network device. This will likely come with an extra fee, but unless you are certain disclosure of the data would not cause you harm it is worth the peace of mind.
  2. The typical cost per device for a lease company to wipe the drive ranges from $20 to $50 depending on the company.
  3. It is not wise to attempt to cleanse a leased device yourself without discussing with the vendor ahead of time and making sure it will not potentially violate your lease agreement.

Information Security – Top 10 Items your Business Needs to Do Now

1. Protect your laptops, desktops, and servers

Your company’s laptops, desktops, and servers are likely critical for most of your major business processes, from customer management to invoicing, accounting, and payroll. If your systems are not available for use you cannot perform these activities and keep your business operating effectively. Worse yet, if your devices have been compromised your data is not secure and it can be deleted, manipulated or misused for financial gain by cyber criminals. Simply put, keeping your systems secure helps keep your business secure.

2. Separate your network from the Internet

Your network is your business’s pathway to the Internet and to interactions with customers, suppliers and other business partners. Your network also gives those seeking to do harm potential access to your company’s systems, so it is important to follow good network security practices to prevent unwanted access. Keeping the bad guys out while allowing needed business activities to happen is the name of the game.

3. Online Banking Security

Online banking is convenient and can be a real productivity enhancer for individuals and businesses alike. It is also filled with perils especially for businesses that are not afforded the same liability limits that individuals enjoy. If something goes wrong with your online banking does the bank really have your best interests at heart?

4. Backup your critical data

Most of the protection areas discussed focus on insiders or outsiders intent on causing trouble but sometimes equipment just fails. Are you prepared if you suffer hard drives failures on critical systems or would you lose critical data that could potentially put you out of business? Back it up and get the peace of mind that you can recover if your hardware has an issue. Systems are easily replaceable but the data often is not.

5. Follow good password practices

Unless you have implemented more advanced controls passwords are likely your primary method for controlling access to various accounts and sensitive data. Despite years of repeated attempts to educate end-users about what makes a good password many people still make easily avoidable errors. Don’t be one of them, follow good password practices and you will come out ahead.

6. Educate your employees about information security

A company may spend a significant portion of its revenue on information security, but if its end-users have not been properly educated all of that can be easily defeated by a crafty intruder. Fake emails, known as phishing, have greatly improved in quality and can often fool even observant employees. What will your employees do when they receive an email they think is coming from you but is sent from a suspicious email address?

7. Physical security

An information security protection program is only as good as the physical security in place protecting the assets. If someone can steal the device or gain unauthorized physical access to it all other protection measures can be of little value.

8. Secure your wireless networks

Everyone is using wireless these days; it is convenient and helps facilitate business. It is also very insecure right out of the box, so it is important to implement best-practice security solutions to ensure your networks are safe.

9. Encrypt sensitive files

Passwords are a first line of defense, but often they alone are not adequate to truly secure sensitive data such as employee records, customer lists, and credit cards. Loss of this data can subject a company to legal fines and embarrassing customer notification expenses, so it is important to take additional measures to protect this data and give your business stakeholders comfort that you are doing the right thing to protect their sensitive data.

10. Securely remove data off of old devices

When you get rid of old computers, servers, network devices, and printers your job is not yet done. These devices will walk out the door with sensitive company information on them if you do not put in place proper measures to cleanse them prior to removing them.

Remember keep an eye out for our detailed implementation advice for each of these top 10 items coming soon!