Are you being invaded in cyberspace?
Nobody leaves their home front door open all night, yet an alarming number of people leave the door to their business data open at all times, via the internet. And then they're surprised when the cyber-burglars walk in. Doing nothing is not an option, warns Peter Dunwell.
We think that we know about computer viruses, which may make us blasé about Internet security risks. However, just because we know the names of a few viruses does not mean that we can drop our guard on IT security. On the contrary, never has the IT/CT environment harboured more security risks than it does right now.
First, some viruses never show themselves on the system they have attacked. They use it as a host from which to spread to other systems, which, identifying the infected computer, may decide to exclude or delay e-mail and web traffic from that business, with potentially serious competitive consequences.
Hackers do not even need to get into a computer. By using a device called a "sniffer", they can monitor and record all telephone traffic to and from a computer to collect usernames, passwords and PIN numbers plus other data.
The next tune in the hacker's repertoire is often known as Spyware. It may do nothing more than provide its instigator with marketing information. However, even that can be irritating, and Spyware programmers may not design it very efficiently. An early sign that a PC is harbouring Spyware is slow running. Other signs could be the appearance of an unusual toolbar on the web browser or an increased frequency of "pop-up" adverts, and may even extend to the PC logging unbidden onto unwanted web sites. All of these waste resources and indicate a wide-open door into the system.
And then there is the security threat of the moment, the Trojan Horse, designed to compromise your system. Often arriving as an e-mail attachment offering a free game or screensaver or access to pornography, Trojans are executable programs that, once opened, integrate themselves with the system. Simple ones may log keystrokes to steal information and passwords; more sophisticated ones such as the tastefully named "Back Orifice" or "Sub Seven" give full control of a PC to the hacker behind the attack to access data and interact with any network with which the PC is linked. At worst, a Trojan Horse may be impossible to remove except by rebuilding the system and even then, it will never be certain that a key has not been left somewhere for the hacker's future use. There could not be a greater threat to IT security.
A DTI Industry Information Security Breaches Survey found that about 75% of all businesses have suffered a security breach involving their information, and this rises to 94% for large businesses with 1,000 or more employees. As Professor Sir David King, the UK Government's Chief Scientific Adviser, put it: "We need to think of online crime in visible terms - broken windows and ransacked offices - if we are to beat it."
The perennial threat is from staff; usually by opening the attachment to an e-mail from an unknown source. But sometimes the threat is malice or plain carelessness such as copying an e-mail in to an unintended recipient.
However, there are steps that any business can take to avoid and, in the worst case, deal with the above threats.
The first and most important is staff training, with rules for using the Internet, and supervision. Formulate a company policy on IT security, communicate it to all staff and then make sure it is followed. At the very least, no e-mail attachment should be opened unless it is expected and from a known source, and e-mails should not be sent until the sender has checked that no unintended recipients have been included.
Using the "Reply All" button on an old e-mail from the intended recipient is lazy and, where an e-mail is not a reply, should not be used. It is far safer to create a new mail to only the intended recipients. Also, staff should be taught how to create memorable but unique passwords, not to keep them on a Post-it® note stuck to the PC monitor, and to change them regularly.
To create a memorable but unique password, think of an easily remembered phrase or saying and use the initial letters of those words followed by a dash and a memorable number such as your birth year. So, for instance, if your birth year was 1976, "It's an ill wind that blows nobody any good" becomes Iaiwtbnag-76.
Any commercially sensitive or critical data should be encrypted but, of course, encryption requires that the recipient be able to read the information so they will need a decryption key. Modern "two key" encryption systems use a common or "public" key, which will be the same for senders and recipients of information plus a "private" key unique to each party and without which the "public" key cannot work.
More familiar to readers will be Internet Security software such as Norton and McAfee, which can be very effective at excluding or isolating e-mails and attachments that contain unfamiliar material or known threats. These work very well as long as they are regularly updated, to take account of the latest threats, and used to scan the system.
Firewalls sit between the protected system and the outside world of the Internet. They can be configured to restrict connections to known web sites but that may be restrictive for someone whose job requires looking at a lot of sites for, say, purchasing requirements. More discerning firewalls are available but they cost more. Similar are Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). All of these tools will only be as good as the care with which they are set up and used.
A very effective and free step for Microsoft Windows XP users is to download "Windows Service Pack 2" (SP2) which will activate protections already in the system and will schedule automatic updates and enhancements. SP2 provides a useful firewall with protection against Trojan Horses, Spyware and other uninvited software.
To locate, remove and prevent future intrusions from unwanted software, use a specialist tool such as Ad-Aware from Lavasoft or Spybot Search & Destroy (S&D), both available as free downloads. Some Spyware is resistant to normal "Delete" or "Uninstall" commands but these tools can get around that.
As is often the case, while there are a lot of tools available, for the best IT security nothing can beat vigilance and the application of common sense by users.
Installing Microsoft Windows XP Service Pack 2 is the easiest security step to take and can be activated by going to www.microsoft.co.uk, clicking the large "Security Update" icon and following the instructions. You will be asked to back up your system before downloading the service pack but the download process will direct you how to do that. For users of Windows XP, SP2 is more about activating features that are already present but turned off plus adding and updating a few tricks. I found the download easy (although as with any IT process, it is best not rushed and best not interrupted) and the security additions have not clashed with the Norton security tools on my system from Symantec or the Ad-Aware tool from Lavasoft. SP2 does cause a lot more notifications and opportunities to decide whether the user wishes to open an e-mail attachment but this only takes seconds and, frankly, even in a year, will not take as much time or be as costly as the effects of having the system infected.
Norton Internet Security » www.symantec.co.uk
McAfee Internet Security » www.macafee.co.uk
Ad-Aware » www.lavasoft.de
Spybot » safer-networking.org/en/index.html
For Windows SP2 » www.microsoft.co.uk