Full Newsletter   Newsletter Archives



  Printable version 

  Protection From
  External and Internal Threats

From home PCs to corporate computer networks, there is always the potential for becoming the victim of computer crime. With a few clicks, technologically savvy thieves can steal your personal information and your company's confidential strategy plans, customer information and financial data.

The question remains: Are you and your employees shrewd enough to stay ahead of external and internal threats? Take this short quiz (and print it out for others) to help assess how up to date you are on what is needed to keep your personal and business data secure.

Answer each question True or False. The answers are at the bottom of the article:

Question

True 

False 

1. You are the only person who uses your office computer and you never leave your office without locking the door. Since these careful measures are taken, you don't need a startup login and password.    
2. Natural disasters, terrorist attacks or frequent power outages led your company to install surge suppressors and uninterruptible power supply (UPS) battery backups on its network. The battery backups are configured to supply power for six hours. As a result, your company's staff can continue working for that long during any power disruption.    
3. Your employees often must work remotely on the Internet using your organization's virtual private network (VPN), which has the most up-to-date and secure encryption technology available. When staff members load the VPN software onto a computer at a hotel, conference center or Internet cafe, they can perform even the most confidential business transactions with total confidence that the data remains secure.    
4. You have seen employees violate your company's acceptable use policy (AUP) by downloading mp3s or videos on their breaks. But they aren't disturbing colleagues, their productivity remains high and you think that the music keeps their morale high, You should not take any action to prevent the downloads because it would damage morale more than it would bolster security.    
5. A member of your IT staff quits on short notice. You make sure the individual turns in security passes, keys or keycards, and you delete the person's logins and passwords from your business's network. The organization is now secure from potential threats from the former employee.    
6. Using Wi-Fi Protected Access (WPA) encryption and media access control (MAC) address filtering on your company's wireless access point is not enough security to allow confidential Internet transactions from remote computers.    
7. The more anti-virus software you install, the better protection you'll receive from malicious software that can damage your computer or business network.    
8. Your organizations should never use wired equivalent privacy (WEP) encryption on Wi-Fi networks.    
9. Your organization is in an information intensive industry such as banking, insurance, or legal services so you have installed the most sophisticated, advanced and up-to-date security program known to man. It makes sense to try to capitalize on this by creating a multimedia ad campaign about your business's impenetrable security.    
10. You receive an e-mail from your bank asking for confirmation of some of your personal information. Or one of your Information Technology (IT) employees sends you a message advising you to download and install a patch to plug a security leak in your company's software. Before following the directions on either e-mail, you should verify that the e-mail is legitimate.    

Answers


1. False
Without password startup protection, an intruder may be able to copy data from your computer's hard drive. While it seems a nuisance to use IDs and passwords every time you start your computer, that minor hassle is worth it when compared to the possibility of having critical business and personal data stolen or deleted by an intruder.

Using your computer's default, administrator account leaves it vulnerable to viruses. Information security specialists often advise using two logins -- one as administrator with full access and another that allows only restricted access. For your daily tasks, you would use the restricted access, which gets you into only those programs you need to work. This helps add protection from the threat of bugs entering your PC, being triggered, and performing whatever malicious tasks they were designed for. You would use the administrator login for adding programs or software purchased from a legitimate and reliable vendor.

2. False
For one thing, UPS batteries generally last just a few years and suppressors become less effective as time passes. At the very least, your company should conduct regularly scheduled inspections and tests, and replace any faulty or weak equipment. UPS batteries are designed basically to allow systems to be shut down safely when power is lost.




"The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice."

-- Kevin David Mitnick, computer security consultant and author of The Art of Deception,  who served five years on charges related to computer crimes.

3. False
While virtual private networks (VPNs) offer an extremely high degree of protection and are adequate for remote access using a personal laptop, they do not provide protection from threats posed by publicly accessed computers. Computer security specialists report that public networks, such as those in conference hall lounges, are prone to vulnerabilities. As a result, an employee could unwittingly send a virus through your company's VPN.

4. False.
Employees could be violating copyright laws and exposing your business to legal liability. In addition, viruses can piggy back media files to enter your company's network and can even be disguised as media files. Moreover, media files can be quite large and bog down your organization's network. The bottom line: A lax approach toward enforcing the company's AUP can prompt employees to become casual with regard to that policy and other company guidelines as well.

5. False.
IT employees can easily plot ways to take advantage of their knowledge of your company's technology and security. They could plant technological time bombs that detonate after they have left the enterprise and cause major damage, create super passwords that can be used to block access to administrative functions, and make changes that leave the network vulnerable or unusable. Your company should have detailed policies and procedures for the termination of IT employees to prevent last minute scrambling and to enhance the overall security of its network.

6. True.
WPA and wired equivalent privacy (WEP) encryption protect only the link between the remote computer and the point of access. There must be more encryption beyond the access point and through the network path. Specialists recommend adding such encryption as secure sockets layers (SSL) VPN, or secure HTML (SHTML) to bolster security.

7. False.
Antivirus programs may often be in competition, slowing down the network, potentially interfering with each other's purpose, and even delivering false positives when they scan for intrusive software. One antivirus software program is sufficient, but be sure you keep it updated.

8. False.
Years ago, WEP was cracked by hackers. But these days, the encryptions have become more effective and the ability to compromise WEP is far beyond the skills of most hackers. If your network includes older equipment you may have no choice other than to use WEP because in order to use the more complex and secure WPA encryption, every computer on the network must be compatible with it. WEP is not as secure as WPA but it is better than nothing at all. If a security audit shows that your enterprise is a potential windfall for hackers, consider upgrading to equipment that can use WPA.

9. False.
This would be tantamount to issuing a public challenge to invade your organization's system. No matter how airtight you think your security is, no system is absolutely safe from being cracked open. Avoid publicizing your business's high-end security and becoming an irresistible target.

10. True.
The common computer scam of phishing involves sending e-mails that appear to be from a trusted and legitimate source, including an employee or an organization that you do business with. The e-mails direct you to a link that, in reality, take you to legitimate-looking sites that are actually Internet hubs where Trojans or other malicious programs can automatically be installed on computers. Phishing schemes can also involve corporate espionage when they attempt to gain customer information, trade secrets and other confidential data.

Despite the fact this scam has been around for some time, businesses continue to be targeted. For example, executives at AirTran Airlines reported they were sent messages seeking to get them to reveal confidential corporate information, as well as attach malware to their computers. The e-mails got through a filter placed on the airline's computers but was caught by team members and software designed to look for out-of-the-ordinary behavior.

Before clicking on any link in an e-mail, always verify that the individual or company actually sent it. Don't follow directions in an e-mail until you are convinced it is genuine.

There is more to a contingency plan than keeping the network and computers running. In addition to taking the above steps, consider lighting, HVAC systems and other elements that are necessary for a functioning workplace, as well as compliance with laws and regulations.
 Save Article  Email Firm  Email to a Friend  Get Trade Pubs
Is this item worthy of implementation? Yes No Maybe
Is this item worth sharing with other associates? Yes No Maybe
Did this item present value to you and your business? Yes No Maybe
Comments:

We take great care in the preparation of our articles and announcements. We also have a process of reviewing articles when major changes take place. The business, legal and tax climate is constantly changing especially when reviewed on an industry basis.

It may be very important to consult with us or your Investment Advisor before implementing ideas contained in articles and announcements. Many ideas have complexities and nuances that cannot be adequately detailed in the articles or announcements. We are not responsible for errors, misinterpretations or omissions related to these articles or announcements. Nor are we responsible for the applicability to your personal, business or tax situation.

Pursuant to Circular 230 promulgated by the Internal Revenue Service, if this email, or any attachment hereto, contains advice concerning any federal tax issue or submission, please be advised that it is not intended or written to be used, and that it cannot be used, for the purpose of avoiding federal tax penalties unless otherwise expressly indicated.