Tuesday, September 26, 2006

The Net Threat

Everyone gets online from their office today, but doing so carelessly could cost your business some serious money

A recent survey of a small number of people uncovered an appalling truth: many people access the Net at work for just the things they do at home! What's dangerous is that they could be doing this in your office. Apart from the legal ramifications, your security, too, might be unwittingly compromised by an employee who doesn't understand the consequences of his actions. The onus is therefore on the company to inform employees about how the Net should be used at work and possibly even monitor their actions. Most of your employees are getting online, checking e-mail, chatting, surfing, Googling, and playing online games - unless you've specifically blocked access. With all this Internet activity going on, you have to think about the threats posed by hackers, crackers, phishers, and the other "ers" out there. Every second day there's a new exploit, threat, worm and/or virus detected, which puts your data at risk. Now, the very people you employ could unwittingly turn out to be threats to your company -- if they're oblivious to the dangers that Internet access brings with it.

Human Engineering

This is a term used to refer to the ploys used by attackers to fool people out of money or data. With Internet banking and a host of other online services being offered by banks, phishing is on the rise. From eBay clones to banking site rip-offs, there are thousands of sites that claim to be what they're not. Advances in Web coding mean that a phisher can even hide the address bar of his site, thus making users believe they're really at a bank site. Most phishing attacks come via e-mail, where a user is asked to click on a disguised link and then "update" some information. Now if one of these users happens to be an accountant or someone with access to your company bank account, you could be in serious trouble. It is of utmost importance that you educate your employees about the phishing threat. One fix is to make all your employees read their mail in text format, in which case the problem of disguised links is eliminated. If Outlook is the e-mail client you use, go to Tools > Options, and under the E-mail header, click the "E-mail Options" button. Here, check the "Read all standard mail in plain text" box, and then check the "Read all digitally signed mail in plain text" box. Even if the text of an e-mail asks them to copy and paste a link into the browser, your employees are probably smart enough to make out, from the text of the link, where they'll be going!

The Real Threats

With Internet penetration increasing by the hour, fewer people are falling prey to human engineering. More and more hackers and crackers are therefore focusing their attention on finding ways and means to infect your computer with bugs that will allow them to gain access to your computers and their data.

For a company, data is money; whether it's an accountant's laptop that contains vital company information, or your browser's cache which contains your various passwords, it's all up for grabs! Since there are so many ways that people try and get into PCs, we'll break them up into the following categories to give you a general idea what to look out for.

Adware / SpyWare

There's a fine line between adware and spyware: very often, they go hand in hand, but a lot of software products are adware-supported and do not contain spyware. The perfect example here is the Opera browser - it just displayed ads from Google, and contained no spyware. However, many software packages (especially desktop theme packs, screensavers and the like) are filled with spyware. Very often, a smaller software company will bundle its software with adware or spyware from a bigger company, because the former has to cover development costs. In fact, sadly, a lot of the "freeware" out there is adware- or spyware-supported.

What you need to do is make sure all your computers are protected with anti-spyware tools. Two excellent examples here are Spybot Search & Destroy, and AdAware. Make it a policy for your employees to check and clean their PCs frequently using these tools. It's accomplished at the press of a button.

You could also make sure that none of your employees are allowed to install anything without permission from the system administrator. The simplest way to do this in Windows XP is to have your admin password protect the Administrator accounts on all PCs, and make lower-level accounts for employees.

ActiveX

Though a lot of good software uses this Internet Explorer-based browser installer to integrate its content or services with Windows, many more sites try and trick users into installing malicious ActiveX code into their browsers. If ever there was software that did more harm than good, it has to be ActiveX.

Be aware of the fact that many of your employees probably visit "warez" sites. If you're in a position to do so, enforce a policy that dictates that no employee should visit such sites - your admin's logs should tell you who was where on the Net. We say this because virtually any software "crack" downloaded from warez sites contains some sort of malicious code that puts your computers at risk. Then there is of course, the whole legality issue, which we won't get into here.

A more drastic solution to the "warez problem" would be to have your admin create lower-level accounts for your employees and restrict them from downloading anything.

Windows Update

It's funny - most users will spend hours entertaining themselves online, but will promptly stop "Automatic Updates" for Windows as soon as they see the little icon pop up in the taskbar. A lot of people actually permanently disable this update service. We suggest that system admins update computers regularly.

Passwords

A lot of people use public computer terminals such as at cyber cafes. Now, when accessing office mail using Web mail, if a user checks the "Remember my username and password" box in the site or browser preferences, they're leaving their inboxes open to anyone who uses the computer after them. This can result in secrets being leaked, especially if the employee is of a high enough rank.

Anti-Virus

Make sure you have an anti-virus application that scans files as well as chat and Internet traffic. A tool that scans all data travelling to and from your computers over the Internet, while also scanning the files being saved on them, is a must. A good anti-virus application should detect malware before a site or e-mail message even prompts you to install the malicious software.

Here’s something we can’t stress enough: update your virus definitions regularly. This is very easily achieved: enable automatic updates in your antivirus software. This will result in a message popping up once every few days saying “An update is available. Do you want to download and install it?” or something of that sort. Don’t say no to these messages; just let the software update itself!

In addition, your company e-mail server should have an antivirus program on the server itself to remove malicious software embedded in e-mails before they reach your employees’ inboxes.

E-Mail Attachments

Beware the e-mail attachment! This path into a computer can be the death of your data…

If your company uses Outlook, ask your system admin to disable the preview pane on all computers, and to make sure your antivirus scanner scans mails as they arrive. Also make file extensions visible on all your computers: in Windows Explorer, go to Tools > Folder Options… > View, and uncheck “Hide extensions for known file types”. This will help prevent users from opening a virus thinking it’s a Word document!

Firewalls, NAT Servers And Proxy Servers

You should have a firewall for both your Internet connection as well as any wired or Wi-Fi network connection. A firewall will prevent malicious users from seeing your computer online, and also block a lot of unwanted traffic to and from your system. A NAT (Network Address Translation) server will be the face of your company computers, thus showing the world only one computer. Hackers are less likely to attack what looks like a single computer because they prefer to get into large networks.

A proxy server solution such as Squid on a Linux server will help you keep your employees in check. You will be able to generate logs to find out who does what and who visits what, and it also gives you the option to block access via port blocking (effective against P2P) and keyword blocking (effective for blocking words such as porn, xxx, crack, serial, etc.).
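To show what "who visits what" looks like in practice, here is an added example (not from the article, and not part of Squid) in Python: it reads Squid's native access.log format, counts requests per client, and marks the requests that a keyword rule or a port rule like the ones just described would have caught. The log lines are constructed and the hosts are placeholders.

```python
# Added example, not from the original article: summarise a Squid access.log
# per client and flag requests that keyword or port blocking would stop.
from collections import defaultdict
from urllib.parse import urlparse

BLOCKED_WORDS = ("porn", "xxx", "crack", "serial")  # the article's keyword list
ALLOWED_PORTS = {80, 443}                           # anything else: P2P/other


def parse_line(line):
    """Native Squid format: time elapsed client action/code size method url ..."""
    f = line.split()
    if len(f) < 7:
        return None
    url = f[6]                          # CONNECT requests log just host:port
    u = urlparse(url if "://" in url else "http://" + url)
    return {"time": float(f[0]), "client": f[2], "status": f[3], "url": url,
            "host": u.hostname or "",
            "port": u.port or (443 if u.scheme == "https" else 80)}


def classify(rec):
    """Return the list of rules (port, keyword) the request would trip."""
    reasons = []
    if rec["port"] not in ALLOWED_PORTS:
        reasons.append("port %d" % rec["port"])
    low = rec["url"].lower()
    reasons += ["keyword '%s'" % w for w in BLOCKED_WORDS if w in low]
    return reasons


def report(lines):
    """Return {client: {"requests": n, "flagged": [(url, reasons), ...]}}."""
    out = defaultdict(lambda: {"requests": 0, "flagged": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # skip malformed lines
        entry = out[rec["client"]]
        entry["requests"] += 1
        reasons = classify(rec)
        if reasons:
            entry["flagged"].append((rec["url"], reasons))
    return dict(out)


SAMPLE_LOG = """\
1159228800.123    245 192.168.1.10 TCP_MISS/200 4523 GET http://www.example.com/news.html - DIRECT/192.0.2.1 text/html
1159228801.456    120 192.168.1.10 TCP_MISS/200 9876 GET http://dl.example.net/keygen-serial.zip - DIRECT/192.0.2.2 application/zip
1159228802.789     30 192.168.1.22 TCP_DENIED/403 1200 CONNECT tracker.example.org:6881 - NONE/- text/html
""".splitlines()                        # constructed log lines

if __name__ == "__main__":
    for client, e in report(SAMPLE_LOG).items():
        print(client, e["requests"], "requests,", len(e["flagged"]), "flagged")
```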

A Final Word

Though Digit can advise you on how to battle threats that come in the form of data packets, there’s no way we can help you protect your data from other humans! Make sure important company data is only shared on a need-to-know basis, and not openly accessible by anyone.

If we’ve scared you, we’ve achieved our task, and we hope you will begin looking for more security holes in your company and its data, and also for better solutions to manage its security.
