Pragmatix Blog

The art of developing quality code and the science of security and reliability

Data Breaches and Exposure of Personal Information

clock July 9, 2010 04:20 by author Bill Abram

Over the last several months I’ve been talking with clients, prospects, and non-profit groups about ways to increase IT security and reduce the risk that they will lose important data or expose personal information.  More often than not, I find that most people underestimate their risk, and simply figure, “it won’t happen to me.” A recent report published by the Identity Theft Resource Center http://www.idtheftcenter.org/index.html sheds some new light on this subject.

What is a data breach?

The ITRC has a clearly defined policy on what constitutes a breach:  an event in which an individual name plus Social Security Number (SSN), driver’s license number, medical record or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.  Most agencies, state and federal, have a similar understanding of what constitutes a breach.  (When breached records have been  encrypted, the ITRC currently does not consider that to be a data exposure. However, ITRC considers breached records that are “password protected” as not sufficient protection under most circumstances, and will consider these events as breaches.)

What is the recent trend?

The ITRC has released its latest report (http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml) for the first 6 months of 2010, in which they recorded 384 breaches that exposed at least 9 million records.  In the full year of 2009, ITRC recorded 498 breaches.  And these are only breaches that are publicly acknowledged from reliable sources.  I suspect there is significant under-reporting.  And clearly this problem is not going away.

How do breaches occur?

According to ITRC, 82% of all breaches were electronic and 18% were paper.

• 25% of the breaches were “non-malicious”: either a loss of “data on the move” (17%) or “accidental exposure” (8%).
• 34% of the breaches were “malicious”: either “insider theft” (17%) or “hackers” (17%).
• The remaining 41% of the breaches were not classified in the ITRC report.

What does this mean?

With this new understanding of how breaches occur I suggest approaching the subject of “IT Security” a bit differently:

• First, focus on exposure to non-malicious breaches.  This will address 25% of an organization's exposure.  And in most cases, these risks can be mitigated simply by improving procedures, and perhaps employee training, and will not require a big investment in security software, appliances, or services (that, sadly, we’d like to sell).  This is low-hanging fruit and big bang for the buck!

• Next, focus on the malicious breach exposure.  Addressing this risk will likely require some security software, appliances, or services.  The important point here, however, is to look for solutions that address both the insider and outsider (hacker) risks—in equal measure.



Better Home Wireless Security

clock May 24, 2010 07:50 by author Brian Kennedy
It is easy to run your home wireless network with very little security and not feel any sense of risk. After all, you don't feel exposed, and unless you venture outside your home with a laptop, you may not be thinking very hard about who else has access to your network. You have to get used to the idea that now your network, and any computers or other devices attached to it, are accessible from outside your home. Hackers with plenty of time just need to be close enough to be within range of your wireless signal, which can easily cover a city block with the newer wireless routers. There are some important steps you can take to reduce your vulnerability. A good list of these steps, with links to more extensive explanation and instructions, can be found at About.com here: http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm


Ten things you can do to improve IT security and reliability without spending money

clock May 9, 2010 10:56 by author Bill Abram

I was invited to make a presentation on the topic of “technology” at the annual Not-For-Profit Leadership Summit conference on May 10, 2010.  This conference, sponsored in part by our good friends (and client) the United Way of Westchester and Putnam, brings together leaders in the not-for-profit sector.

My Challenge
I’m certainly comfortable presenting solutions that will improve the IT security and reliability of a company—but usually these are solutions that cost money.  Money that is usually paid to Pragmatix.  After all, that is how we stay in business.  Given the state of the economy, and the extra pressure that brings to not-for-profit organizations, I was asked to present solutions that don’t cost money.

My Approach to the Problem
Realizing I might be facing an audience with diverse needs, and diverse technology platforms as well, I looked to focus on the most common—and serious—problems that organizations are facing, and then identify no-cost ways to address those problems.

My starting point was a recent study that was published by the non-profit SANS Institute (see http://www.sans.org/top-cyber-security-risks/), a pre-eminent computer security training, certification, and research organization.  In their report, they identify the top 3 cyber security threats. The report, by the way, was based on attack data from six thousand organizations, and vulnerability data from nine million systems.  So these risks are not theoretical; they reflect what is actually happening in the world. The three biggest risks are:

  • Client side software that remains un-patched
  • Internet facing websites that are vulnerable
  • Rising zero-day vulnerabilities

My Solutions
Having identified the key, real-world risks, I then set about finding no-cost solutions that would reduce or eliminate these risks.  I came up with Ten Things to Improve IT Security and Reliability that don’t Cost Money:

1. Log in as a Local User, Not as Administrator

2. Apply Patches and Updates Promptly

3. Run Vulnerability Scans on your Website

4. Use Anti-virus Software and Keep it Up-to-date

5. Use a Firewall and Make Sure it is Working Properly

6. Run Backups and Take Them Offsite and Test the Recovery Process

7. Keep Servers in a Locked Area with Limited Access

8. Use Passwords or Encryption to Protect Laptop Computers

9. Use a Password on Your Mobile Phone

10. Don’t Leave Your Password on a Sticky Note!



Run backups and take them offsite and test the recovery process

clock May 8, 2010 08:48 by author Bill Abram

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

Do you run backups and get them offsite weekly or more frequently?  When was the last time you verified that backups actually did go offsite?  When was the last time you verified (by testing) that you can successfully recover from them?

Here’s the way we approach this with clients.  Start with two simple questions:

1. How much data or work can you afford to lose?  In some organizations losing a full day’s worth of work is annoying, but not a big deal.  In others, lost hours of work, or unrecoverable missing transactions, could be very costly.  So you need to determine, in the worst case scenario, what you are prepared to lose.  This is called Recovery Point Objective (or RPO). If the ABC Agency is prepared to lose one day of work due to some fatal computer failure, then their RPO would be one day.

2. How long can you afford to be down?  (Or how fast do we need to get things recovered?)  Some organizations could withstand being down for a week, maybe more, others only a day.  This is called Recovery Time Objective (or RTO).  If the ABC Agency’s computers or servers were to disappear today, and ABC’s management team said, “We must have all our systems recovered by a week from today,” —then their RTO would be seven days.

The next step is to adjust your current backup technology, or choose new backup technology—whether hardware, software, or online services—to support your Recovery Point Objective.  In the case of the ABC Agency I just mentioned, it was prepared to lose one day of work, so its RPO is one day. Just about any backup technology that runs nightly would be suitable for that situation.

Next, you need to evaluate whether your current backup technology—or any new technology you might be considering—will also support your Recovery Time Objective.   So, let’s see… the ABC agency has an RTO of seven days.  Since it might take more than 7 days to order new servers, re-install all the software, and restore all the data from the backups, a tape-based backup technology might not meet their Recovery Time Objective. (By the way, if you need help selecting or evaluating the appropriate backup technology, I can provide consulting assistance—at no charge—just send email to bill@pragmatix.com.) Once you’ve settled on a technology you need to get it implemented and assigned to one or more people to carry out as part of their routine duties.

And finally, you need to verify (a) that the employees are in fact performing their assigned backup duties and (b) that the backups will actually work.  There is a simple way to verify both: test the recovery process.  In our company, we do a test recovery once per month, as a scheduled event.
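Here is what a scheduled test recovery can look like when it is scripted rather than done by hand. This is an added illustration written for this post, not a Pragmatix tool; it builds a small constructed data folder and a nightly tar backup of it, then checks the two things the paragraph above asks for: that the newest backup is no older than the Recovery Point Objective (a silent sign that the backup duty stopped being performed), and that restoring the backup into scratch space reproduces the files. The directory names, the one-day RPO and the sample files are assumptions.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_tree(root):
    """Map each file under root (by relative path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source_dir, backup_path):
    """Stand-in for the nightly backup job: a gzip'd tar of the source tree."""
    with tarfile.open(backup_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")


def verify_backup(source_dir, backup_path, rpo_seconds, now=None):
    """Test the recovery process. Returns a report; 'ok' is True only if
    the backup is fresh enough for the RPO and a trial restore matches."""
    now = time.time() if now is None else now
    report = {"fresh": False, "restore_matches": False, "missing": [], "differs": []}
    backup_path = Path(backup_path)
    if not backup_path.exists():
        report["ok"] = False
        return report

    # (a) Did the backup duty actually get done? Compare age against the RPO.
    age = now - backup_path.stat().st_mtime
    report["age_seconds"] = age
    report["fresh"] = age <= rpo_seconds

    # (b) Does the backup restore? Extract into scratch space and compare digests.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(backup_path, "r:gz") as tar:
            tar.extractall(restore_dir, **extract_kwargs)
        expected = sha256_tree(source_dir)
        restored = sha256_tree(restore_dir)
    report["missing"] = sorted(p for p in expected if p not in restored)
    report["differs"] = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    report["restore_matches"] = not report["missing"] and not report["differs"]
    report["ok"] = report["fresh"] and report["restore_matches"]
    return report


def run_demo(rpo_seconds=86400):
    """Constructed scenario: a fresh backup, then a stale one, then data drift."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "agency_data"          # constructed sample tree
        (source / "donors").mkdir(parents=True)
        (source / "donors" / "list.csv").write_text("name,amount\nA. Donor,100\n")
        (source / "notes.txt").write_text("board meeting minutes\n")
        backup = Path(work) / "nightly.tar.gz"
        make_backup(source, backup)

        good = verify_backup(source, backup, rpo_seconds)

        # Simulate the backup job having silently stopped two days ago.
        two_days_ago = time.time() - 2 * 86400
        os.utime(backup, (two_days_ago, two_days_ago))
        stale = verify_backup(source, backup, rpo_seconds)

        # Simulate a file that changed after the backup: a restore would not
        # bring it back, which the digest comparison reports under 'differs'.
        (source / "notes.txt").write_text("updated minutes\n")
        drifted = verify_backup(source, backup, rpo_seconds, now=two_days_ago + 10)

        return good["ok"], stale["fresh"], drifted["differs"]


if __name__ == "__main__":
    print(run_demo())
```

Run it once a month as the scheduled event, pointed at the real source tree and the newest offsite copy, and treat any report where `ok` is False as a failed recovery test that needs a person to look at it.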



Use a password on your mobile phone

clock May 6, 2010 11:00 by author barbaraa

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

How many of you use the passcode or password feature on your mobile phone?

Let’s imagine for a moment what information would be available if someone found (or stole) your mobile phone.

First, they’d probably find the phone numbers and maybe addresses of your closest family members, your children, perhaps elderly parents.  It would likely be easy for them to figure out who is who, since most of us enter “mom” as the phonebook entry.  Or if you’re married a long time like me, you have “mom1” and “mom2”.  My soon to be son-in-law has “girlfriend mom” as the entry in his phone.  You may have pictures of all these people also.
If you use the notes or memo feature on your phone, whatever tidbits of personal information (maybe account numbers, passwords, etc.) would be ripe for picking.

And to top things off, if you receive email, particularly business email, on your phone, you will have potentially exposed private and confidential information.

Considering the negative impact the exposure of all of this could have, I suggest to you that a momentary pause to enter a password before using your mobile phone is well worth it—at no cost and 2 seconds extra effort.  By the way, on most phones that I know of, you don’t need to enter the password when answering an incoming voice call.



Keep servers in a locked area with limited access

clock May 6, 2010 11:00 by author Brian Kennedy

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

We always get nervous when we go to a client’s offices and discover their servers are left out in open areas, amidst the hustle and bustle of daily activities.  This is not good.

Servers in open areas are exposed to all sorts of adverse environmental factors, ranging from being accidentally unplugged or being bumped or jostled by cleaning crews. And worse, servers in open areas become easier targets for unauthorized access by employees or others.

We know that often space is very tight and it is not possible to dedicate a server room or even a server closet, but with a little planning and creativity it is possible to create a safe, locked area for servers.  Many computer equipment manufacturers sell server cabinets that are small and can be wall-mounted, to create a secure space where the server will be secure and protected.  These products are relatively inexpensive ($300-$900, depending on size).  If these are still outside your budget, I bet you could construct something similar, on your own, for free.



Use passwords or encryption to protect laptop computers

clock May 6, 2010 11:00 by author Bill Abram

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

Here’s a funny thing about laptop computers—they have a bad habit of getting lost or stolen.  Even laptops that are not ordinarily taken out of the office have this same habit.

At a minimum, you should be insisting that any laptops in your organization are protected with strong passwords—meaning they cannot be started up and used without first entering a password.

An improvement on this is to use biometrics, like the fingerprint readers that come pre-installed in many different models, including this laptop that I am using.   (There are add-in devices that you can get that will retro-fit a laptop with biometric protection.   But we haven’t located any that are available for free.)

If laptops have confidential data, human resources data, or personally identifiable information, we recommend encryption as an added layer of protection.

First, a quick word about personally identifiable information (or PII).  Personally identifiable information refers to any information that can be used to uniquely identify, contact or locate a single person. The privacy regulations concerning PII are getting increasingly strict, at both the state and federal levels.  So if you have a list of names and addresses of employees or of sponsor and donors, on your laptop, we strongly recommend that the laptop be encrypted.  And if any of those names include any Massachusetts residents, you may be subject to a new law enacted last year in Massachusetts that REQUIRES you to use encryption.

Here is a Microsoft article about laptop security which includes links to articles on how to encrypt laptops that use the more recent Windows version (see http://www.microsoft.com/atwork/security/laptopsecurity.aspx).




Use anti-virus software and keep it up-to-date

clock May 6, 2010 10:59 by author sadegbenle

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

By now, most people have installed some sort of anti-virus software on their computers.  That’s the good news.  The bad news is that we often find that the software subscriptions are allowed to lapse, or not renewed, so the user will stop getting updates.  Sometimes it’s because a new computer was delivered with a six- or twelve-month free subscription, then the user did not purchase the renewal.  Or sometimes we find that for some reason the anti-virus has been turned off, or is otherwise not working properly.

So the first thing to do is to check on what antivirus software you are using today, and make sure that (a) the subscription is up-to-date, (b) you are in fact receiving the updates, and (c) that the updates are actually being applied to every PC and server in your organization.

There are free anti-virus software products available, including AVG (see http://free.avg.com/us-en/homepage).

Also, in addition to anti-virus software, we recommend that you also have some sort of anti-spyware or anti-malware software installed on every PC.  To go a step further on this point, we recommend placing a link to that software on every user’s desktop, so they can launch it immediately when the need arises.  We recommend MalwareBytes Anti-Malware (see http://www.malwarebytes.org/ ) for this purpose, and they do have a free version.



Use a firewall and check to make sure it is working properly

clock May 6, 2010 10:59 by author eharper

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

One of the key ways to keep your computers safe and secure is to make sure you are using a firewall to close out unwanted traffic.  I suspect many of you are thinking, “Yep, we’ve got that one covered, let’s move on.”

Hopefully, you do have this one covered, however, I think it’s worth a moment to point out a few things you should double-check.

By way of definition, the purpose of a firewall is to inspect network traffic and permit or deny passage based on a set of rules.  It is normally placed between a protected network  (like your home or office) and an unprotected network (like the internet) and acts like a gate to ensure that nothing private goes out and nothing malicious comes in.

Usually, a firewall is a dedicated appliance, or piece of equipment. A firewall can also be software, running on a computer. So the first thing you need to do is double-check to make sure the firewall is plugged in, turned on, or enabled. If you are using a software firewall, you need to check that it is turned on, and that you are set up to receive regular software updates (I talked about the importance of applying patches and updates in a previous blog entry).  If you are running the Windows Vista or Windows 7 operating system, you can check on the status of your updates using the Windows Action Center. In general, we recommend turning on Windows Firewall.

If you have technical resources available to you, it’s a good idea to have them periodically review the firewall logs and settings.  Specifically, they should check to ensure that no traffic is allowed from the outside (Internet) to the inside (home or office)—though there are some exceptions.  If you don’t have technical resources available to do this, Pragmatix engineers can usually run firewall scans at no cost.  (Send email to bill@pragmatix.com if you’d like a free scan.)
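The review described above, "no traffic allowed from the outside to the inside, with a few known exceptions," is easy to turn into a repeatable check. The script below is an added example for this post, not a Pragmatix scan: it reads a constructed rule list in a made-up one-line-per-rule syntax (real firewalls each have their own export format, so the parser is an assumption), flags every inbound allow rule that is not on the list of exceptions you deliberately approved, and confirms the inbound rules end with a deny-everything rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in" (Internet -> office) or "out" (office -> Internet)
    proto: str       # "tcp", "udp" or "any"
    port: str        # destination port, or "any"
    source: str      # "any" or an address/CIDR
    dest: str        # "any" or an address/CIDR


def parse_rules(text):
    """Parse the assumed syntax: ACTION DIRECTION PROTO PORT from SRC to DST.
    Anything after '#' is a comment. Raises on a line it cannot read rather
    than silently skipping it, so a malformed export is not mistaken for safe."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 8 or parts[4] != "from" or parts[6] != "to":
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3], parts[5], parts[7]))
    return rules


def audit_inbound(rules, approved):
    """Return every inbound allow rule that is not an approved exception.
    'approved' is a set of (proto, port, dest) triples you signed off on."""
    return [r for r in rules
            if r.action == "allow" and r.direction == "in"
            and (r.proto, r.port, r.dest) not in approved]


def ends_with_default_deny(rules):
    """True if the last inbound rule drops everything not matched above it."""
    inbound = [r for r in rules if r.direction == "in"]
    return bool(inbound) and inbound[-1] == Rule("deny", "in", "any", "any", "any", "any")


# Constructed sample export for a small office edge firewall (not real config).
SAMPLE_RULES = """\
allow out any any from 192.168.1.0/24 to any
allow in tcp 443 from any to 192.168.1.10      # public web server: approved exception
allow in tcp 3389 from any to 192.168.1.20     # remote desktop reachable from the Internet
allow in udp any from any to 192.168.1.0/24    # far too broad
deny  in any any from any to any               # default deny
"""

# The exceptions the organization has deliberately decided to allow.
APPROVED = {("tcp", "443", "192.168.1.10")}


def run_audit(text=SAMPLE_RULES, approved=APPROVED):
    """Return (unapproved inbound allows as (proto, port, dest), has default deny)."""
    rules = parse_rules(text)
    findings = [(r.proto, r.port, r.dest) for r in audit_inbound(rules, approved)]
    return findings, ends_with_default_deny(rules)


if __name__ == "__main__":
    findings, default_deny = run_audit()
    for proto, port, dest in findings:
        print(f"unapproved inbound allow: {proto}/{port} -> {dest}")
    print("default deny present:", default_deny)
```

The point of keeping `APPROVED` as an explicit list is that the "exceptions" the paragraph mentions become something written down and reviewed, instead of whatever happens to be in the rule base today; anything the audit prints is either a rule to remove or an exception to add to the list on purpose.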

If you are running Windows 7 (which we recommend, by the way), the new Action Center (pictured below) is a perfect place to check these security settings.  It constantly monitors Windows firewall (and others), anti-virus software, internet explorer security settings, and network access settings.  If it detects a problem, it will notify you and provide links with instructions on how to fix it.

For personal use, there are a number of free firewall software products available on the market such as Comodo (http://personalfirewall.comodo.com/free-download.html?aid=350), Outpost (http://free.agnitum.com/), and PCTools (http://www.pctools.com/firewall/).

For small businesses, we’ve identified a few free firewall software products such as Private Firewall (http://download.cnet.com/Privatefirewall/3000-10435_4-10371057.html?tag=mncol



Run vulnerability scans on your websites

clock May 6, 2010 10:58 by author Bill Abram

This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

Both the SANS Institute report I mentioned in a previous blog entry and IBM’s X-Force 2009 Trend and Risk Report documented significant growth in website vulnerabilities, particularly across three attack categories: Cross-Site Scripting, SQL Injection, and File Include vulnerabilities. The IBM X-Force report provides these succinct descriptions, reproduced here by attack technique.

Attack Technique: Cross-Site Scripting
Description: Cross-Site Scripting vulnerabilities occur when Web applications do not properly validate user input from form fields, the syntax of URLs, etc. These vulnerabilities allow attackers to embed their own script into a page the user is visiting, manipulating the behavior or appearance of the page. These page changes can be used to steal sensitive information, manipulate the Web application in a malicious way, or embed more content on the page that exploits other vulnerabilities.

The attacker first has to create a specially-crafted Web link and then entice the victim into clicking it (through spam, user forums, etc.) The user is more likely to be tricked into clicking the link because the domain name of the URL is a trusted or familiar company. The attack attempt may appear to the user to come from the trusted organization itself and not the attacker that compromised the organization’s vulnerability.

Attack Technique: SQL Injection
Description: SQL Injection vulnerabilities are also related to improper validation of user input, and they occur when this input (from a form field, for example) is allowed to dynamically include SQL statements that are then executed by a database. Access to a back-end database may allow attackers to read, delete, and modify sensitive information and, in some cases, execute arbitrary code.

In addition to exposing confidential customer information (like credit card data), SQL Injection vulnerabilities can also allow attackers to embed other attacks inside the database that can then be used against visitors to the Web site.

Attack Technique: File Include
Description: File Include vulnerabilities (typically found in PHP applications) occur when the application retrieves code from a remote source to be executed in the local application. Oftentimes, the remote source is not validated for authenticity, which allows an attacker to use the Web application to remotely execute malicious code.

Attack Technique: Other
Description: This category includes some denial-of-service attacks and miscellaneous techniques that allow attackers to view or obtain unauthorized information and/or change files, directories, user information or other components of Web applications.
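All three of the named categories come down to the same root cause the descriptions keep repeating: input from the browser is treated as code (SQL, HTML markup, a file path) instead of as data. The snippet below is an added example written for this post, not code from the IBM report or from Pragmatix; it shows, for each category, the unsafe pattern next to the fix your developers should be using. The donor table, the page names and the probe inputs are constructed for the demonstration; the probes are the textbook ones every web developer should recognize.

```python
import html
import sqlite3
from pathlib import Path


def make_db():
    """Constructed in-memory table standing in for a donor database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donors (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO donors VALUES (?, ?)",
                     [("Ann Donor", "ann@example.org"), ("Bob Giver", "bob@example.org")])
    return conn


# 1. SQL Injection. Concatenating the input into the statement lets a quote in
#    the input change the statement itself; a parameter marker sends the input
#    to the database as a plain value, whatever characters it contains.
def find_donor_unsafe(conn, name):
    return conn.execute("SELECT email FROM donors WHERE name = '" + name + "'").fetchall()


def find_donor_safe(conn, name):
    return conn.execute("SELECT email FROM donors WHERE name = ?", (name,)).fetchall()


# 2. Cross-Site Scripting. Echoing input into the page unescaped lets it become
#    markup; escaping turns <, >, &, and quotes into harmless entities so the
#    browser displays the text instead of running it.
def greeting_unsafe(name):
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# 3. File Include. Resolving a user-supplied page name directly lets the request
#    pick any file (or, with a URL, any remote source); an allowlist maps the
#    names the application actually supports to files it ships with.
PAGES = {"home": "home.html", "about": "about.html"}   # assumed page set


def include_unsafe(base, page):
    return Path(base) / page            # the request controls the whole path


def include_safe(base, page):
    if page not in PAGES:
        raise ValueError("unknown page")
    return Path(base) / PAGES[page]


def include_rejects(page):
    """True if the hardened include refuses the given page name."""
    try:
        include_safe("/srv/www/pages", page)   # assumed document root
        return False
    except ValueError:
        return True


def run_demo():
    """Run each unsafe/safe pair on a constructed probe and report what happened."""
    conn = make_db()
    sql_probe = "x' OR '1'='1"                     # closes the quote, adds a tautology
    unsafe_rows = find_donor_unsafe(conn, sql_probe)   # every donor's email comes back
    safe_rows = find_donor_safe(conn, sql_probe)       # nobody is literally named that
    xss_probe = "<script>alert(1)</script>"
    return {
        "sqli_unsafe_rows": len(unsafe_rows),
        "sqli_safe_rows": len(safe_rows),
        "xss_unsafe_has_tag": "<script>" in greeting_unsafe(xss_probe),
        "xss_safe_has_tag": "<script>" in greeting_safe(xss_probe),
        "include_unsafe_path": str(include_unsafe("/srv/www/pages", "../../private/keys.txt")),
        "include_safe_rejects": include_rejects("../../private/keys.txt"),
        "include_safe_allows_home": include_rejects("home"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same shape applies to whatever language your sites are written in: parameterized queries (prepared statements) for the database, output escaping for anything rendered into HTML, and an allowlist rather than a path or URL built from the request for includes. A web vulnerability scanner of the kind discussed below exercises exactly these three unsafe patterns, so fixing them this way is also what makes the scan come back clean.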


What You Should Do
First, you should make sure that any people you have developing or maintaining your websites are familiar with these types of vulnerabilities and that they are using current methods to protect against them.

Second, you should check with whoever is responsible for hosting your websites to see if they offer any kind of web vulnerability scanning as part of their hosting service.  (In some cases, hosting companies may charge extra for this; in other cases it’s included as part of the fee you already pay.)

And third, you should use web vulnerability scanning software.  Some vendors may offer to perform the web scans for free, as a means of getting in the door to talk to you about purchasing other services.  (Full disclosure: Pragmatix has been known to do this also.)

There are several free tools available on the internet.  My network engineering team has identified two that are definitely worth looking into.  One product is named Rapid7 (see http://www.rapid7.com/vulnerability-scanner.jsp ).  While there is a cost to purchase a full copy of their software, they do offer a very useful free version.  Another product is named Gamja (see http://sourceforge.net/projects/gamja/).



