Information Security, Huh?
By: Kevin Dunn, CTO Client Profiles, Inc. and Thom Pakurar, CTO Information Security Technology Corp.

“Our system is crawling! I checked our e-mail log file and we’re sending out nearly 10,000 emails per hour!! Our servers have every update known to man; our anti-virus is current; we have a firewall; HELP!” This is just one of the calls Client Profiles has answered since criminals figured out how to use the internet to their benefit (to learn the outcome of this call, read on). Cybercrime keeps growing because confidential and personal information is so easy to gather, and thieves are getting smarter at using technology to their advantage. Training your users on your security policies, and making sure those policies are actually followed, is your primary defense against social engineering, both on-line and off-line.

Thom Pakurar, a security technology expert, explains: “Social engineering and phishing are common methods of collecting sensitive data. Social engineering is the age-old practice of conning people into revealing sensitive data. Phishing is the practice of sending electronic mail under false pretenses in an attempt to con people into revealing sensitive data (I get at least two e-mails a week claiming to be from Citi Bank wanting me to go to their website and ‘re-enter’ my user info); it is just a high-tech version of social engineering.” Spyware (covered in the last issue of this newsletter) is used to collect data from your machine and send it out of your firm.

There are many solutions to help protect your investment (some are free); information security does not have to be intrusive or costly. To guard against attacks, experts generally recommend a multi-layered approach. Those layers include: security policies, firewalls, anti-virus/anti-malware, data encryption, identity management, intrusion detection, biometrics, and business continuity planning.

Thom continues: some of the most common threats revolve around social engineering and can be addressed with simple, cost-effective employee awareness training. A good written security plan that spells out company policy is the best place to start. According to ISO 17799, this security document should be reviewed at least annually and updated to meet ever-changing threats. Quarterly awareness training (do it as a “lunch and learn”) addresses current flaws and vulnerabilities, such as not keeping passwords under the keyboard or on Post-it Notes, and changing passwords on a regular basis. Your security policy should include simple reminders, such as checking that your anti-virus program is up to date at least weekly. Security is everyone’s responsibility, and keeping everyone current on the latest threats is a prudent and good business practice.

So, what was the answer to the support call at the beginning of this article? The firm had upgraded an old Novell system by adding an NT server with Exchange 5.5, and they brought all of their users and passwords forward from the old Novell system (including a user called “backup” whose password was “tape”; does that ring a bell for anyone?). With each later upgrade, they kept carrying those users and passwords forward. Since “backup” had administrative privileges, an attacker could use it to authenticate to the servers and instruct them to do just about anything; in this case, 10,000 junk emails an hour for Viagra. We changed the password and the problem stopped. On review, the user “backup” was no longer used by the system at all and could have been deleted years ago. There are hundreds of common username/password combinations that hackers test against thousands of systems every day. Since every system has an “administrator,” “admin,” “super,” or “supervisor” login account, those passwords need to be especially difficult: mix numbers and letters, upper and lower case, and even special characters (the shift of the number keys).
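The kind of account review that would have caught the “backup/tape” account before it was abused, as an added example (not code from the article or from either author’s firm). It assumes a constructed account inventory in which an administrator records the known passwords of service and privileged accounts, as someone migrating them would, and applies the article’s three checks: known default credentials, privileged accounts without the recommended password mix, and accounts nobody has used in months.

```python
from datetime import date

# Constructed inventory modelled on the article's case: a legacy "backup"
# account with password "tape" carried forward through every migration.
ACCOUNTS = [
    {"user": "backup", "password": "tape", "admin": True, "last_login": date(2001, 3, 14)},
    {"user": "Administrator", "password": "Xy7!pq42Lm", "admin": True, "last_login": date(2005, 6, 1)},
    {"user": "jsmith", "password": "summer2005", "admin": False, "last_login": date(2005, 6, 2)},
]
REVIEW_DATE = date(2005, 6, 3)  # constructed "today" for the review

# Placeholder list of default username/password pairs; the article's own example
# is the only entry. A real review would use the defaults documented for your systems.
DEFAULT_PAIRS = {("backup", "tape")}
# Built-in privileged account names named in the article.
PRIVILEGED_NAMES = {"administrator", "admin", "super", "supervisor"}


def is_strong(password):
    """The article's rule: numbers and letters, upper and lower case, and a special character."""
    return (len(password) >= 8
            and any(c.isdigit() for c in password)
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(not c.isalnum() for c in password))


def audit_accounts(accounts, today, max_idle_days=90):
    """Return (user, finding) pairs for every account that violates one of the three checks."""
    findings = []
    for acct in accounts:
        user, password = acct["user"].lower(), acct["password"]
        if (user, password) in DEFAULT_PAIRS:
            findings.append((user, "default credential"))
        if (acct["admin"] or user in PRIVILEGED_NAMES) and not is_strong(password):
            findings.append((user, "weak privileged password"))
        if (today - acct["last_login"]).days > max_idle_days:
            findings.append((user, "stale account: disable or delete"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {finding}")
```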

When was the last time you checked your security policy against the way your employees actually conduct business, or verified that your backup tapes can really be restored? Don’t wait until after the disaster. A security assessment or security audit can reveal vulnerabilities and show cost-effective means of treating them.

For more information, please visit Kevin Dunn at http://www.clientprofiles.com/Professional-Services.asp and Thom Pakurar at http://www.infosecuritytechnology.com, where an ounce of prevention can save you thousands of dollars in cures.


Editor: Brian Gedeon (BHGedeon@duanemorris.com). This publication is the property of the Atlanta Association of Legal Administrators. Reproduction or reprint without prior permission is strictly prohibited.