Tag Archives: Information Security Tips

Information Security Management – How to stay out of the news

Information Security and IT Operations have a good bit in common, most notably that the number one goal is to be invisible to the public. Unless your company is in CIO or Information Security magazines being touted as a leader in your field, if your company is in the news it is probably bad news. In IT Operations, poor website uptime that causes a loss in sales is very visible, much like an information security breach in the IT Security field. Dealing with a breach is not only embarrassing but also has legal implications, since there are notification requirements if sensitive employee or customer data is accessed inappropriately or potentially exposed. I regularly review these required breach notifications to see what information security lessons can be learned, and here are the most common themes I see:

Unencrypted laptops containing sensitive data are lost or stolen and information is exposed.

There are a number of information security lessons to be learned from this, but by far the biggest are to avoid putting this type of sensitive data on laptops in the first place and to use encryption to protect laptops that do contain business information. It is also possible to install laptop recovery tools to help track these devices down, but often the real value is in the information, not in the cost of the lost laptop itself.

Information Security Test:

  • Are you securing your laptops with encryption?
  • Are you preventing sensitive information that could require a breach notification from ever being on a laptop in the first place?
  • Are you auditing compliance to make sure what you think is happening is based in fact and not blindly on what policy says should happen?
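As an added example (not code from the original post), the following Python script audits the second and third checklist items directly, and serves equally for the Lessons Learned of the Fraser Health post further down: it walks a directory and reports files holding payment card numbers (validated with the Luhn check) or US Social Security Numbers, so the claim that no notification-triggering data lives on a laptop rests on a scan rather than on what policy says. The regular expressions, the sample files and the file names are constructed for this illustration.

```python
"""Added example: find notification-triggering data (card numbers, US SSNs) on a machine
so the "no sensitive data on laptops" policy can be audited rather than assumed."""
import os
import re
import tempfile

# Candidate payment-card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common dashed form, excluding never-issued ranges.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, value) tuples for each card number or SSN found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops most phone numbers, order ids and the like
            hits.append(("card", digits))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


def scan_directory(root: str) -> dict:
    """Map each file under root (relative path) to its findings; clean files are omitted."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_sensitive(fh.read())
            except OSError:
                continue            # unreadable file: skip, do not crash the audit
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def demo() -> dict:
    """Build a constructed sample tree (not real records) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "customers.csv"), "w") as fh:
            # 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a live card
            fh.write("name,card\nA. Sample,4111 1111 1111 1111\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("Call the office at 555-123-4567 about invoice 2023-001.\n")
        return scan_directory(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Run it against a user's profile directory before a laptop is issued and again at audit time; a non-empty report is a policy violation to remediate (move the data or encrypt the machine), and an empty report is the evidence the third checklist question asks for. The Luhn filter is what keeps phone numbers and invoice numbers out of the results.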

Company websites are hacked and sensitive data is disclosed.

The most common problems here are unpatched systems exposed to the Internet, default passwords, and cross-site scripting attacks on vulnerable web applications.

Information Security Test:

  • Are you regularly patching your systems as new patches are released?
  • Are you performing web application security audits to validate that your sites are secure and compliant with company policy?
  • Are you managing your sites over secure networks using secure protocols to prevent credentials from being intercepted?
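As an added example (not code from the original post), here is a minimal rendering of a search results page in Python, first the way that produces the cross-site scripting problem listed above and then the hardened form that HTML-encodes the untrusted value before it reaches the markup. The query string, the function names and the "Results for" markup are constructed for this illustration; no web framework is assumed.

```python
"""Added example: the same page fragment rendered the vulnerable way and the hardened way."""
import html
from urllib.parse import parse_qs

# Constructed query string of the kind a search page receives; it carries a harmless
# test payload so the difference between the two renderings is visible.
SAMPLE_QUERY = "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def get_param(query_string: str, name: str) -> str:
    """Return the first value of a query parameter, or an empty string if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """'Before': the user-supplied value is pasted straight into the HTML (reflected XSS)."""
    q = get_param(query_string, "q")
    return f"<p>Results for: {q}</p>"


def render_hardened(query_string: str) -> str:
    """'After': HTML-encode the untrusted value so the browser treats it as text, not markup."""
    q = html.escape(get_param(query_string, "q"), quote=True)
    return f"<p>Results for: {q}</p>"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_QUERY))
    print("hardened:  ", render_hardened(SAMPLE_QUERY))
```

html.escape is the right encoder only for HTML body text and quoted attribute values; a value placed inside a script block, a URL or a CSS property needs the encoder for that context. A web application security audit of the kind the checklist asks for should check every such output point, not just the obvious one.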

Online banking credentials are stolen and financial accounts are drained

Many different information security principles come into play here, but the most common advice is to avoid falling victim to phishing attacks and to avoid having your PC infected with malware by visiting insecure websites.

Information Security Test:

  • Are you educating your employees about the danger of social engineering and online banking phishing scams?
  • Are you educating your employees about the danger of surfing to internet sites that are of dubious quality?
  • Have you considered the risks of online banking and taken appropriate protection steps?

Follow these tips, audit your compliance against them, and hopefully your information security measures will help your company stay invisible from a required breach notification perspective.

FBI advisory for Businesses – Online Banking Accounts at risk

Online banking security risks have received more attention from me than any other information security topic, and rightfully so! Not many other business risks can quickly put a company out of business, but the fraudulent theft of an entire bank account could force closure if invoices and payroll cannot be paid. After analyzing a number of recent frauds, the FBI has acknowledged that online banking is risky for businesses and has issued a fraud advisory detailing typical fraud methods and ways to protect your business from becoming a victim.

The fraud advisory begins by noting that cyber criminals are targeting the financial accounts of owners and employees of small and medium-sized businesses, and that the result has been significant disruption and often unrecoverable lost funds (as we have mentioned previously here, since regulations do not adequately protect businesses right now). Several examples are also provided, very similar to other cases we have previously highlighted. The highlighted method of compromise is targeted phishing emails that either carry an infected attachment or contain a link which, when clicked, sends the victim to a malicious site that compromises their machine. Once the machine is compromised, keylogging software is installed to record keystrokes, and online banking credentials are captured when the victim logs into their account from the compromised machine. The cyber thieves then strike at an opportune time to drain the accounts, often in increments of $10,000 or less to avoid suspicion.

What does the FBI Advisory recommend to avoid becoming a victim?

1. Educate your users not to respond to unsolicited emails and never to open attached documents or click on links in them. If a message appears to come from a financial institution or government agency and you feel it is legitimate, contact that institution directly and avoid the suspicious files or links.

2. Secure your computers and networks.

3. Enhance the security of your business banking processes. The FBI recommends dual control, where one person authorizes the creation of a payment and another authorizes its release, from a separate system. This is a good protection that segregates duties and also helps mitigate typical non-cyber fraud, but be warned that multiple accounts at a given company are often targeted, so it is not a foolproof control (though it is a useful additional security step). The FBI also recommends SMS text payment notifications or direct phone notifications, which can help detect a fraud early in the process and limit the damage.

4. Monitor accounts daily – The sooner you detect a problem, the sooner you can work on correcting it and recovering your losses.

5. Pay attention to any warning signs that your machine may be compromised, including antivirus warnings, pop-up alerts, sluggish response, or an inability to shut down or restart properly.

6. Understand your responsibilities and liabilities – This recommendation is useful because many businesses have a false sense of security and believe that personal banking laws also apply to their business. They often do not, so find out now and make an informed decision about whether the benefits of online banking are worth the risks it entails.
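As an added example (not from the FBI advisory or the original post), the following Python script turns recommendations 3 and 4 into a daily review of an outgoing-payment log: it lists payments that broke the dual-control rule (the same person created and released them), flags a day with a run of transfers kept just under the $10,000 figure the advisory mentions, and points out payees the business has never paid before. The Payment record, the thresholds, the payee names and the dates are all constructed sample data; a real review would read the bank's or the accounting system's export instead.

```python
"""Added example: a morning review of yesterday's outgoing payments that enforces dual
control and flags the near-$10,000 burst pattern described in the FBI advisory."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

STRUCTURING_LIMIT = 10_000   # the advisory says thieves stay at or under this figure
NEAR_LIMIT_FRACTION = 0.9    # treat the top 10% below the limit as "near the limit"
NEAR_LIMIT_MIN_COUNT = 3     # this many near-limit payments in one day draws a flag


@dataclass
class Payment:
    pid: str
    created_by: str              # user who entered the payment
    released_by: Optional[str]   # user who approved release; None while still pending
    amount: float
    payee: str
    when: datetime


def dual_control_violations(payments: List[Payment]) -> List[str]:
    """Released payments where creator and releaser are the same person."""
    return [p.pid for p in payments
            if p.released_by is not None and p.released_by == p.created_by]


def structuring_flags(payments: List[Payment]) -> Dict[str, List[str]]:
    """Days with NEAR_LIMIT_MIN_COUNT or more payments sitting just under the limit."""
    per_day: Dict[str, List[str]] = defaultdict(list)
    for p in payments:
        if NEAR_LIMIT_FRACTION * STRUCTURING_LIMIT <= p.amount <= STRUCTURING_LIMIT:
            per_day[p.when.date().isoformat()].append(p.pid)
    return {day: pids for day, pids in per_day.items() if len(pids) >= NEAR_LIMIT_MIN_COUNT}


def new_payee_flags(payments: List[Payment], known_payees: Set[str]) -> List[str]:
    """Payments to a payee never paid before; confirm these by phone before release."""
    return [p.pid for p in payments if p.payee not in known_payees]


def daily_review(payments: List[Payment], known_payees: Set[str]) -> Dict[str, object]:
    """Bundle the three checks into one report the account owner reads every morning."""
    return {
        "dual_control": dual_control_violations(payments),
        "structuring": structuring_flags(payments),
        "new_payee": new_payee_flags(payments, known_payees),
    }


# Constructed sample log: one normal payment, a burst matching the advisory's pattern,
# and a large but properly dual-controlled payroll payment the next day.
KNOWN_PAYEES = {"Office Supply Co", "Payroll Services Inc"}
SAMPLE_LOG = [
    Payment("P1", "alice", "bob",   2_500.00,  "Office Supply Co",     datetime(2010, 1, 4, 9, 10)),
    Payment("P2", "alice", "alice", 9_800.00,  "Unknown Holdings LLC", datetime(2010, 1, 4, 10, 2)),
    Payment("P3", "alice", "alice", 9_900.00,  "Unknown Holdings LLC", datetime(2010, 1, 4, 10, 15)),
    Payment("P4", "alice", "alice", 9_750.00,  "Unknown Holdings LLC", datetime(2010, 1, 4, 10, 40)),
    Payment("P5", "carol", "bob",   15_000.00, "Payroll Services Inc", datetime(2010, 1, 5, 8, 30)),
]

if __name__ == "__main__":
    for check, result in daily_review(SAMPLE_LOG, KNOWN_PAYEES).items():
        print(f"{check}: {result}")
```

The point of running all three checks together is the one the advisory makes about dual control not being foolproof: a thief holding one user's credentials can often release what that user created, so the segregation rule alone misses it, but the same burst still stands out on the amount and new-payee checks when the account is reviewed daily.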

Information Security for laptops, desktops, and servers

Your company's laptops, desktops, and servers are critical for most of your major business processes, from customer management to invoicing, accounting, and payroll. If your systems are not available for use, you cannot perform these activities and keep your business operating effectively. Worse yet, if your devices have been compromised your data is not secure: it can be deleted, manipulated or misused for financial gain by cyber criminals. Simply put, keeping your systems secure helps keep your business secure.

Here are the key items you need to consider to stay protected:

Update your software – The developers that make the software you use are not perfect; in fact, there are thousands of yet-to-be-detected errors in every piece of software you own. Nearly every vendor regularly updates its software to improve functionality and eliminate security vulnerabilities, and you need to apply those updates quickly to protect your systems against known security threats.

Use auto-update functionality – For most desktop/laptop systems, auto updates are the best way to ensure that you are installing any needed security patches in a timely manner. This link to Microsoft’s site shows you how to set up auto updates for their most common operating systems. Updates for the common applications you use, including Microsoft Office and Adobe products among others, are also required to round out your protection. Your Internet browser (whichever you choose) is also one of the most critical things to keep at the most current version, because a lot of malware is picked up via the Internet.

How to update Internet Explorer – While in IE, go to Tools > Windows Update and install any recommended patches.

How to update Firefox – While in Firefox, go to Help > Check for Updates.

* Note that it is also important to ensure any Firefox updates you have installed are applied in a timely manner when a new release is available.

How to update Google Chrome – Follow the instructions provided by Google in the attached link.

The one exception you should make for auto updates is critical servers. Updates for a critical server should be tested in a more controlled manner before being applied, to avoid potential problems with new security patches.

Use antivirus software – Antivirus software is essential for minimizing the risk of infection by all forms of malware, including viruses and worms. If you do get infected, antivirus software can often help you fix the issue and remove the problem. In addition to antivirus software, Microsoft’s Malicious Software Removal Tool is an excellent free tool that offers malware removal options.

Practice safe Internet browsing – Educate your users and train them to limit their Internet activity to trusted sites to lower their chances of picking up nasty malware. Even if you patch and run antivirus, you could be pushing your luck if you visit untrusted sites, as a zero-day vulnerability could be waiting to infect your systems and defeat the other security mechanisms you have implemented.

Information Security and Physical Security

Photo Courtesy of http://www.flickr.com/photos/eprater/

Information security is often thought to be very technical in nature, and a lot of the time it is. After all, technology is exciting and many people prefer to focus on firewalls, intrusion prevention systems and other state-of-the-art technologies. Physical security is an essential but often neglected aspect of information security, and it is every bit as important as the more technical aspects. If you neglect to implement adequate physical security measures, all of your other efforts can be in vain.

The following are the primary business risks if you fail to implement adequate physical security measures:

  • Disclosure of sensitive business information
  • Theft of your business assets
  • Financial loss for replacing assets
  • Loss of ability to use data that may be critical for sustaining ongoing operations (if no backups are available)
  • Negative publicity if the event is disclosed

So now that you agree it is important, what do you need to do? One of the first steps should be to perform a risk assessment so you can document and prioritize based on business risk. This helps you focus your efforts and decide how much you are willing to spend to mitigate certain risks. I will provide a sample risk assessment at a later date to serve as a template, but for now here are items to consider when implementing physical security.

Physical Security Things to Do At Your Business

  1. Control access to your business facility so that only authorized personnel are allowed inside. At a minimum this means securing your business at least as well as you do your home: locked doors, security systems, and/or more advanced access control mechanisms like building control devices.
  2. Secure rooms containing computer servers and networking equipment with an additional level of security. Ideally, physical access to these systems should be restricted to individuals who need it. In addition, a simple guest log book is a good way to document who is accessing a security-controlled room (of course badge access control is even better, but it all depends on your cost/risk tolerance).
  3. Consider using a camera/DVR based security system. I have not yet purchased one, but for under $400 I am looking to get one very soon, likely the Defender SN500. This set looks quite nice and is very cost effective for the additional protection it provides.
  4. Use cable locks for your desktops, laptops, projectors and network equipment. Physical theft is the greatest threat to these assets, so lock them down to get a little more secure.
  5. Lock up sensitive physical files in drawers or cabinets, and do the same with portable electronic media such as USB devices or CDs/DVDs.
  6. Make sure you follow our backup tips to ensure you do not lose critical data in the event of an environmental disaster such as a fire or flood.

Physical Security Things to Do on the Go

Laptop thefts are the biggest risk to your business assets while in transit. Follow these tips to make sure you minimize your likelihood of becoming a victim of laptop theft.

  • Place your laptop in your trunk immediately when leaving work for the day. A majority of laptops stolen from vehicles are stolen because they are visible, tempting targets for thieves.
  • Never leave your laptop unattended when it is not locked up. Keep an eye on it at all times, much like you would a small child playing in the yard.
  • Consider using a laptop recovery service if you will be storing sensitive information on your machine.
  • When traveling by plane, never check a laptop; always carry it on yourself.
  • If you are in a hotel room, the best option is to lock your laptop in the in-room safe. The next best option is to use a cable lock to secure it to some furniture or shelving in the room. A last resort is to use the Do Not Disturb sign and hide it as best you can, as recommended in these tips from Microsoft.
  • If you have to step away for even just a moment, ask a trusted person to keep an eye on it for you. If there is no one available, take it with you.

In summary, do not neglect physical security as part of your information security program. Doing so will leave you with a false sense of security and an incomplete protection program.

Information Security – Who Needs It? Hospitals Do!

Photo courtesy of http://www.flickr.com/photos/shopxtreme/

Fraser Health Authority in British Columbia is the latest organization to suffer an information security incident that could have been prevented. A laptop in their pulmonary function lab containing sensitive patient information was stolen, resulting in 600 patients’ data being potentially compromised. Worse yet, the laptop was neither encrypted nor password protected, making the data readily available to the criminal.

Lessons Learned

  • Do not store sensitive data on laptops if a more secure mechanism is available.
  • Use encryption whenever sensitive data will reside on the machine, and especially if you violate the rule above.
  • Use cable locks for all computer equipment to add a dimension of physical security and theft deterrence.
  • Implement audits to ensure compliance with any IT security policies you have.

Information Security Awareness – Educate, inform, secure

Photo courtesy of http://www.flickr.com/photos/septuagesima/

Educate your employees about information security or all the security tokens in the world won’t save you.

A company may have a decent-sized security budget and spend it effectively on firewalls and other protection devices, but if you fail to educate your end-users, all that investment can be for nothing. Hackers, spammers and other evildoers regularly target end-users because it is often the easiest method of attack and is extremely effective. Targeted spam emails and malicious web sites are two of the most common threats, but it is important to implement a general awareness campaign that covers a wide range of information security issues, from what makes a good password to the importance of physical security. Here are some of the important factors to consider when implementing an information security awareness program.

Be Consistent – Develop a weekly or monthly routine and stick to it. Send out the email on a consistent day so users will come to expect it, and perhaps even look forward to it if you follow the other recommendations below. Always send it from the same account to minimize the likelihood of confusion, which could otherwise assist targeted spam attempts.

Keep It Simple – Do not use overly technical language that will confuse or turn off users. Speak in the communications like you would talk in a conversation and

Do I not entertain you? – Try to write in an interesting style and even use humor to keep your users entertained. Entertaining material is more likely to be read and absorbed than material that would put an insomniac to sleep.

Provide Examples – Many people learn best from examples, and there are plenty readily available. Find a recent incident that demonstrates the point you are trying to make; it will make the lesson more real and less theoretical. People listen more when they know others have fallen for a trick, and are more likely to absorb the information.

Be Relevant – Providing examples that people can use at both work and home is a great way to keep them interested. Examples include safe Internet surfing, avoiding spam emails, and the importance of having up-to-date anti-virus signature files.

Consider Posters – Emails are great, but they are often easily ignored. Using posters in high-traffic areas in addition to email is a great way to mix it up and capture the attention of people who otherwise might not care.

Make it a job requirement – Security is only as strong as the weakest link. It is everyone’s responsibility to follow good information security practices and keep the company secure.

In the very near future we will be offering a weekly information security email newsletter so stay tuned and stay secure!

Information Security – Top 10 Items your Business Needs to Do Now

1. Protect your laptops, desktops, and servers

Your company’s laptops, desktops, and servers are likely critical for most of your major business processes, from customer management to invoicing, accounting, and payroll. If your systems are not available for use, you cannot perform these activities and keep your business operating effectively. Worse yet, if your devices have been compromised your data is not secure: it can be deleted, manipulated or misused for financial gain by cyber criminals. Simply put, keeping your systems secure helps keep your business secure.

2. Separate your network from the Internet

Your network is your business’s pathway to the Internet and to interactions with customers, suppliers and other business partners. Your network also gives those seeking to do harm potential access to your company’s systems, so it is important to follow good network security practices to prevent unwanted access. Keeping the bad guys out while allowing needed business activities to happen is the name of the game.

3. Online Banking Security

Online banking is convenient and can be a real productivity enhancer for individuals and businesses alike. It is also filled with perils, especially for businesses, which are not afforded the same liability limits that individuals enjoy. If something goes wrong with your online banking, does the bank really have your best interests at heart?

4. Backup your critical data

Most of the protection areas discussed focus on insiders or outsiders intent on causing trouble, but sometimes equipment just fails. Are you prepared if you suffer hard drive failures on critical systems, or would you lose critical data that could potentially put you out of business? Back it up and get the peace of mind that you can recover if your hardware has an issue. Systems are easily replaceable, but the data often is not.

5. Follow good password practices

Unless you have implemented more advanced controls, passwords are likely your primary method for controlling access to various accounts and sensitive data. Despite years of repeated attempts to educate end-users about what makes a good password, many people still make easily avoidable errors. Don’t be one of them: follow good password practices and you will come out ahead.

6. Educate your employees about information security

A company may spend a significant portion of its revenue on information security, but if its end-users have not been properly educated, all of that can be easily defeated by a crafty intruder. Fake emails, known as phishing, have greatly improved in quality and can often fool even observant employees. What will your employees do when they receive an email they think is coming from you but is sent from a suspicious email address?

7. Physical security

An information security protection program is only as good as the physical security protecting the assets. If someone can steal a device or gain unauthorized physical access to it, all other protection measures can be of little value.

8. Secure your wireless networks

Everyone is using wireless these days; it is convenient and helps facilitate business. It is also very insecure right out of the box, so it is important to implement best-practice security solutions to ensure your networks are safe.

9. Encrypt sensitive files

Passwords are a first line of defense, but often they alone are not adequate to truly secure sensitive data such as employee records, customer lists, and credit card numbers. Loss of this data can subject a company to legal fines and embarrassing customer notification expenses, so it is important to take additional measures to protect it and to give your business stakeholders confidence that you are doing the right thing to protect their sensitive data.

10. Securely remove data off of old devices

When you get rid of old computers, servers, network devices, and printers, your job is not yet done. These devices will walk out the door with sensitive company information on them if you do not put proper measures in place to cleanse them before they leave.

Remember to keep an eye out for our detailed implementation advice for each of these top 10 items, coming soon!