Pragmatix Blog

The art of developing quality code and the science of security and reliability

Data Breaches and Exposure of Personal Information

July 9, 2010 04:20 by author Bill Abram

Over the last several months I’ve been talking with clients, prospects, and non-profit groups about ways to increase IT security and reduce the risk that they will lose important data or expose personal information.  More often than not, I find that most people underestimate their risk, and simply figure, “it won’t happen to me.” A recent report published by the Identity Theft Resource Center http://www.idtheftcenter.org/index.html sheds some new light on this subject.

What is a data breach?

The ITRC has a clearly defined policy on what constitutes a breach: an event in which an individual's name plus a Social Security Number (SSN), driver’s license number, medical record, or a financial record/credit/debit card number is potentially put at risk, whether in electronic or paper format.  Most agencies, state and federal, have a similar understanding of what constitutes a breach.  (When breached records have been encrypted, the ITRC currently does not consider that to be a data exposure. However, the ITRC does not consider records that are merely “password protected” to be sufficiently protected under most circumstances, and counts those events as breaches.)

What is the recent trend?

The ITRC has released its latest report (http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml) for the first 6 months of 2010, in which it recorded 384 breaches that exposed at least 9 million records.  In the full year of 2009, ITRC recorded 498 breaches.  And these are only breaches that are publicly acknowledged from reliable sources.  I suspect there is significant under-reporting.  And clearly this problem is not going away.

How do breaches occur?

According to ITRC, 82% of all breaches were electronic and 18% were paper.

• 25% of the breaches were “non-malicious”: either a loss of “data on the move” (17%) or “accidental exposure” (8%).

• 34% of the breaches were “malicious”: either “insider theft” (17%) or “hackers” (17%).

• The remaining 41% of the breaches were not classified in the ITRC report.

What does this mean?

With this new understanding of how breaches occur I suggest approaching the subject of “IT Security” a bit differently:

• First, focus on exposure to non-malicious breaches.  This will address 25% of an organization's exposure.  And in most cases, these risks can be mitigated simply by improving procedures, and perhaps employee training, and will not require a big investment in security software, appliances, or services (that, sadly, we’d like to sell).  This is low-hanging fruit and big bang for the buck!

• Next, focus on the malicious breach exposure.  Addressing this risk will likely require some security software, appliances, or services.  The important point here, however, is to look for solutions that address both the insider and the outsider (hacker) risks—in equal measure.



Ten things you can do to improve IT security and reliability without spending money

May 9, 2010 10:56 by author Bill Abram

I was invited to make a presentation on the topic of “technology” at the annual Not-For-Profit Leadership Summit conference on May 10, 2010.  This conference, sponsored in part by our good friends (and client) the United Way of Westchester and Putnam, brings together leaders in the not-for-profit sector.

My Challenge
I’m certainly comfortable presenting solutions that will improve the IT security and reliability of a company—but usually these are solutions that cost money.  Money that is usually paid to Pragmatix.  After all, that is how we stay in business.  Given the state of the economy, and the extra pressure that brings to not-for-profit organizations, I was asked to present solutions that don’t cost money.

My Approach to the Problem
Realizing I might be facing an audience with diverse needs, and diverse technology platforms as well, I looked to focus on the most common—and serious—problems that organizations are facing, and then identify no-cost ways to address those problems.

My starting point was a recent study published by the non-profit SANS Institute (see http://www.sans.org/top-cyber-security-risks/), a pre-eminent computer security training, certification, and research organization.  In their report, they identify the top 3 cyber security threats.  The report, by the way, was based on attack data from six thousand organizations and vulnerability data from nine million systems.  So these risks are not theoretical; they reflect what is actually happening in the world.  The three biggest risks are:

  • Client side software that remains un-patched
  • Internet facing websites that are vulnerable
  • Rising zero-day vulnerabilities

My Solutions
Having identified the key, real-world risks, I then set about finding no-cost solutions that would reduce or eliminate these risks.  I came up with Ten Things to Improve IT Security and Reliability that don’t Cost Money:

1. Log in as a Local User, Not as Administrator

2. Apply Patches and Updates Promptly

3. Run Vulnerability Scans on your Website

4. Use Anti-virus Software and Keep it Up-to-date

5. Use a Firewall and Make Sure it is Working Properly

6. Run Backups and Take Them Offsite and Test the Recovery Process

7. Keep Servers in a Locked Area with Limited Access

8. Use Passwords or Encryption to Protect Laptop Computers

9. Use a Password on Your Mobile Phone

10. Don’t Leave Your Password on a Sticky Note!



Run backups and take them offsite and test the recovery process

May 8, 2010 08:48 by author Bill Abram

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

Do you run backups and get them offsite weekly or more frequently?  When was the last time you verified that the backups actually did go offsite?  When was the last time you verified (by testing) that you can successfully recover from them?

Here’s the way we approach this with clients.  Start with two simple questions:

1. How much data or work can you afford to lose?  In some organizations losing a full day’s worth of work is annoying, but not a big deal.  In others, lost hours of work, or unrecoverable missing transactions, could be very costly.  So you need to determine, in the worst case scenario, what you are prepared to lose.  This is called Recovery Point Objective (or RPO). If the ABC Agency is prepared to lose one day of work due to some fatal computer failure, then their RPO would be one day.

2. How long can you afford to be down?  (Or how fast do we need to get things recovered?)  Some organizations could withstand being down for a week, maybe more, others only a day.  This is called Recovery Time Objective (or RTO).  If the ABC Agency’s computers or servers were to disappear today, and ABC’s management team said, “We must have all our systems recovered by a week from today,” —then their RTO would be seven days.

The next step is to adjust your current backup technology, or choose new backup technology—whether hardware, software, or online services—to support your Recovery Point Objective.  In the case of the ABC Agency I just mentioned, it was prepared to lose one day of work, so its RPO is one day. Just about any backup technology that runs nightly would be suitable for that situation.

Next, you need to evaluate whether your current backup technology—or any new technology you might be considering—will also support your Recovery Time Objective.   So, let’s see… the ABC agency has an RTO of seven days.  Since it might take more than 7 days to order new servers, re-install all the software, and restore all the data from the backups, a tape-based backup technology might not meet their Recovery Time Objective. (By the way, if you need help selecting or evaluating the appropriate backup technology, I can provide consulting assistance—at no charge—just send email to bill@pragmatix.com.) Once you’ve settled on a technology you need to get it implemented and assigned to one or more people to carry out as part of their routine duties.

And finally, you need to verify (a) that the employees are in fact performing their assigned backup duties and (b) that the backups will actually work.  There is a simple way to verify both: test the recovery process.  In our company, we do a test recovery once per month, as a scheduled event.
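The two questions above (RPO and RTO) and the final verification step can be turned into a routine check over the backup job log. This is an added example, not Pragmatix's tooling; the log lines, the ABC Agency figures and the ten-day tape restore estimate are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed backup job log (not real client data): timestamp, destination, result.
BACKUP_LOG = """\
2010-05-01T23:00 offsite ok
2010-05-02T23:00 offsite ok
2010-05-03T23:00 offsite failed
2010-05-04T23:00 offsite ok
2010-05-05T23:00 local ok
2010-05-06T23:00 offsite ok
"""

def parse_log(text):
    """Turn the log into (timestamp, destination, succeeded) tuples."""
    jobs = []
    for line in text.splitlines():
        if line.strip():
            stamp, dest, result = line.split()
            jobs.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M"), dest, result == "ok"))
    return jobs

def worst_case_data_loss(jobs, now):
    """Largest gap between successful offsite backups, including the gap from the
    most recent one to now: the recovery point you have actually achieved."""
    good = sorted(t for t, dest, ok in jobs if dest == "offsite" and ok)
    if not good:
        return None
    points = good + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def evaluate(jobs, now, rpo, rto, estimated_restore, last_test_restore, test_interval):
    """Compare the achieved recovery point and the estimated restore time with the
    RPO and RTO targets, and check that a test recovery happened recently enough."""
    findings = []
    loss = worst_case_data_loss(jobs, now)
    if loss is None or loss > rpo:
        findings.append(f"RPO {rpo} not met: worst-case data loss is {loss}")
    if estimated_restore > rto:
        findings.append(f"RTO {rto} not met: full restore estimated at {estimated_restore}")
    if now - last_test_restore > test_interval:
        findings.append(f"no test recovery within the last {test_interval}")
    return findings

def abc_agency_report(estimated_restore=timedelta(days=10)):
    """The ABC Agency from the text: RPO one day, RTO seven days, monthly test
    recovery.  The ten-day restore estimate stands in for a tape-based restore."""
    return evaluate(parse_log(BACKUP_LOG),
                    now=datetime(2010, 5, 7, 9, 0),
                    rpo=timedelta(days=1), rto=timedelta(days=7),
                    estimated_restore=estimated_restore,
                    last_test_restore=datetime(2010, 4, 1),
                    test_interval=timedelta(days=31))
```

With the constructed log, one failed job and one local-only job leave a two-day gap between offsite copies, so the nightly schedule does not actually deliver the one-day RPO.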



Use passwords or encryption to protect laptop computers

May 6, 2010 11:00 by author Bill Abram

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

Here’s a funny thing about laptop computers—they have a bad habit of getting lost or stolen.  Even laptops that are not ordinarily taken out of the office have this same habit.

At a minimum, you should be insisting that any laptops in your organization are protected with strong passwords—meaning they cannot be started up and used without first entering a password.

An improvement on this is to use biometrics, like the fingerprint readers that come pre-installed in many different models, including this laptop that I am using.   (There are add-in devices that you can get that will retro-fit a laptop with biometric protection.   But we haven’t located any that are available for free.)

If laptops have confidential data, human resources data, or personally identifiable information, we recommend encryption as an added layer of protection.

First, a quick word about personally identifiable information (or PII).  Personally identifiable information refers to any information that can be used to uniquely identify, contact, or locate a single person.  The privacy regulations concerning PII are getting increasingly strict, at both the state and federal levels.  So if you have a list of names and addresses of employees, or of sponsors and donors, on your laptop, we strongly recommend that the laptop be encrypted.  And if any of those names include Massachusetts residents, you may be subject to a new law enacted last year in Massachusetts that REQUIRES you to use encryption.

Here is a Microsoft article about laptop security which includes links to articles on how to encrypt laptops that use the more recent Windows version (see http://www.microsoft.com/atwork/security/laptopsecurity.aspx).




Run vulnerability scans on your websites

May 6, 2010 10:58 by author Bill Abram

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

Both the SANS Institute report I mentioned in a previous blog entry and IBM’s X-Force 2009 Trend and Risk Report documented significant growth in website vulnerabilities, particularly across three attack categories: Cross-Site Scripting, SQL Injection, and File Include vulnerabilities.  The IBM X-Force report provides these succinct descriptions.

Attack Technique: Description

Cross-Site Scripting
Cross-Site Scripting vulnerabilities occur when Web applications do not properly validate user input from form fields, the syntax of URLs, etc. These vulnerabilities allow attackers to embed their own script into a page the user is visiting, manipulating the behavior or appearance of the page. These page changes can be used to steal sensitive information, manipulate the Web application in a malicious way, or embed more content on the page that exploits other vulnerabilities.

The attacker first has to create a specially-crafted Web link and then entice the victim into clicking it (through spam, user forums, etc.) The user is more likely to be tricked into clicking the link because the domain name of the URL is a trusted or familiar company. The attack attempt may appear to the user to come from the trusted organization itself and not the attacker that compromised the organization’s vulnerability.

SQL Injection
SQL Injection vulnerabilities are also related to improper validation of user input, and they occur when this input (from a form field, for example) is allowed to dynamically include SQL statements that are then executed by a database. Access to a back-end database may allow attackers to read, delete, and modify sensitive information and, in some cases, execute arbitrary code.

In addition to exposing confidential customer information (like credit card data), SQL Injection vulnerabilities can also allow attackers to embed other attacks inside the database that can then be used against visitors to the Web site.

File Include
File Include vulnerabilities (typically found in PHP applications) occur when the application retrieves code from a remote source to be executed in the local application. Oftentimes, the remote source is not validated for authenticity, which allows an attacker to use the Web application to remotely execute malicious code.

Other
This category includes some denial-of-service attacks and miscellaneous techniques that allow attackers to view or obtain unauthorized information and/or change files, directories, user information or other components of Web applications.


What You Should Do
First, you should make sure that any people you have developing or maintaining your websites are familiar with these types of vulnerabilities and that they are using current methods to protect against them.
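For the developers mentioned above, here is what “current methods” look like for each of the three categories in the IBM descriptions: the unsafe pattern is kept beside its hardened form only for contrast. This is an added example written for this post, not code from Pragmatix or IBM; the donor table, its rows and the template names are constructed.

```python
import html
import sqlite3

def make_db():
    """In-memory donor table with constructed rows; 'public' marks rows a visitor may see."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE donors (name TEXT, email TEXT, public INTEGER)")
    db.executemany("INSERT INTO donors VALUES (?, ?, ?)",
                   [("Ann", "ann@example.org", 1), ("Bob", "bob@example.org", 0)])
    return db

# SQL Injection.  Unsafe: the form field is pasted into the statement, so quotes
# and keywords inside it become part of the SQL rather than a value to compare.
def find_donor_unsafe(db, name):
    sql = f"SELECT name FROM donors WHERE public = 1 AND name = '{name}'"
    return [row[0] for row in db.execute(sql)]

# Hardened: a parameterised query; the driver passes the input as data only, so
# the 'public = 1' restriction cannot be switched off by what the user types.
def find_donor(db, name):
    sql = "SELECT name FROM donors WHERE public = 1 AND name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

# Cross-Site Scripting.  Unsafe: a search term echoed into HTML unencoded, so any
# markup in it becomes part of the page.  Hardened: encode on output.
def render_results_unsafe(term):
    return f"<p>Results for {term}</p>"

def render_results(term):
    return f"<p>Results for {html.escape(term, quote=True)}</p>"

# File Include.  Unsafe: the request parameter chooses which file (or URL) gets
# loaded and executed.  Hardened: look the parameter up in a fixed allow-list
# and never build a path or URL from it.
TEMPLATES = {"home": "pages/home.html", "donate": "pages/donate.html"}

def template_for_unsafe(page):
    return f"pages/{page}.html"

def template_for(page):
    if page not in TEMPLATES:
        raise ValueError("unknown page")
    return TEMPLATES[page]
```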

Second, you should check with whoever is responsible for hosting your websites to see if they offer any kind of web vulnerability scanning as part of their hosting service.  (In some cases, hosting companies may charge extra for this; in other cases it’s included as part of the fee you already pay.)

And third, you should use web vulnerability scanning software.  Some vendors may offer to perform the web scans for free, as a means of getting in the door to talk to you about purchasing other services.  (Full disclosure: Pragmatix has been known to do this also.)

There are several free tools available on the internet.  My network engineering team has identified two that are definitely worth looking into.  One product is named Rapid7 (see http://www.rapid7.com/vulnerability-scanner.jsp).  While there is a cost to purchase a full copy of their software, they do offer a very useful free version.  Another product is named Gamja (see http://sourceforge.net/projects/gamja/).




Apply patches and updates promptly

May 6, 2010 10:58 by author Bill Abram

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

In a previous blog post, I cited the SANS Institute study that listed un-patched client software as the highest priority risk.  Interestingly enough, this is a problem that most users or system administrators can easily address on their own.  But all too often, we find the users just don’t bother.

The Problem
When you get a pop-up reminder on your computer that “updates are available” for a particular piece of software, do you click on the “Install Now” button, or “Remind me Later”?  In our work with clients we find that most people choose “Remind me Later”, either because (a) they are too busy to stop and take care of it at this exact moment, or (b) they figure the current version is working fine and they don’t really need the update.

Why this Happens
But let’s stop and think for a moment as to why the software vendor has released this update, which by the way is free.  They’ve released it to patch some of the software vulnerabilities that the security researchers have found.

The longer you wait to apply that update the more time you are leaving yourself open to an exploitation of that vulnerability.

Every software vendor has vulnerability disclosures.  A disclosure is when they acknowledge that a security weakness has been identified in their software.  You might be interested to know that IBM’s X-Force security research team analyzed and documented 6,601 new vulnerabilities in 2009.  Of course, not all vulnerabilities are equal; about 25% of these were classified as critical or high risk.

Which vendor had the most disclosures? I thought it was interesting that after holding the top vendor spot for three years in a row (2006-2008), Microsoft has dropped down to number three according to the IBM X-Force report. Apple has taken the number one slot, and Sun is in second place as the vendor with the most vulnerability disclosures for 2009.

The Solution
First, turn on Windows Updates.  Depending on the settings you choose, this can automatically apply updates to all your Microsoft products, including Office.

Next, check all of the other software programs you use to see whether they have an automatic update feature.  Most do, now, and it is usually found in a Tools, Help, or About menu.  If you find an automatic update feature, we suggest you turn it on.  If you don’t find one, you’ll need to get updates from the software vendor's website—and we’d suggest you do this about once per month.

And finally, when the reminders do come up, you’ll want to click “Install Now.”

Think of this like brushing your teeth: it’s easy to postpone and not bother, but it is certain to lead to embarrassment—or worse problems—later.


