In previous blog posts, as well as in my 5 Step Data Security Plan for Small Businesses article, I have touched on methods you can put in place to protect your business network.  In this blog post, I am going to discuss those defenses in more detail and give you some tips on how to protect your business network.

Network Security

Unfortunately you are no longer protecting just your office network: your business network has expanded to include wireless platforms, social marketing accounts, client extranets, internal intranets, etc.  As such it is important to employ a multi-layered defense strategy.  So let’s take a look at some of the steps you can take.

  1. Set up a defensive proxy server to regulate all web content and file transfers, blocking specific website URLs and IP addresses based on parameters such as blacklists, content categories (for example adult websites) and website reputation scores.  Depending on your type of business, you can take it one step further and allow access only to trusted websites.  If you have a client extranet and/or internal company intranet, you can limit external access by client/employee IP address, which is especially crucial when you are providing access to sensitive data (treat the IP restriction as an extra layer on top of authentication, not a replacement for it).  And finally, encrypt all incoming/outgoing traffic (TLS for web traffic, a VPN for remote access) if sensitive data is being sent/received.
  2. Integrate your network defense/proxy with your email security to prevent phishing attacks and spoofed emails.  For example you could receive an email from a reliable (whitelisted) email server which contains a link to a website used by hackers; the mail filter trusts the sender, so it is the proxy’s URL filtering that has to catch the click.
  3. For employees logging into your network remotely, require access through a VPN with two-factor authentication.  In addition the remote devices used need to be managed by your company to ensure they are protected via virus/malware scans and the latest security patches, and that home/remote networks and computers are also protected by a firewall.
  4. I say it all the time, but routinely scan your network for vulnerabilities, and scan/monitor for network intrusion attempts.
  5. In addition to individual computers, set up network-level virus/malware protection.  And unless you have a robust network, schedule scans for off-peak business hours to avoid slowing down your network.
  6. Segment your internal network to limit the spread of malware internally.  For example with your access control you can limit employee access to certain areas of your network based on their role within the company.  You can protect each segment via a proxy and firewall based on your security needs.  In addition, for sensitive data stored on the network, you can completely isolate that segment from internet/outside access.
  7. Use sniffer (packet capture) programs to monitor traffic and detect attacks from external as well as internal sources.
  8. Routinely review and manage network logs for any unusual activity.
  9. And finally test, test, test, and backup, backup, backup.  You can’t stop everything, but you can minimize the impact of intrusions.

As always if you have any questions or comments, please feel free to list them below in the comments section.

Well I promised I would update my last blog post on my data security experiences with LinkedIn.  Let’s cut to the chase – I have several concerns, and here they are.

  1. LinkedIn’s tech support response is painfully slow.  I opened the ticket on March 27.  LinkedIn responded on April 8.  For those of you counting at home that is 12 days.  If you are going to run a business catering to millions of potential users, you need to develop a support system to respond to them.  LinkedIn could take some lessons from Amazon.
  2. They removed the user from following my LinkedIn company page, which, per their Help Desk, is something they will do.  Unfortunately though you do not have the ability to do this yourself, and you have to request that LinkedIn tech support perform the action - which in my case took 12 days.
  3. Regarding the user claiming via their LinkedIn profile to work for my company, LinkedIn did nothing about this issue, and here was their response:  “If any members indicate they are current or past employees when in fact they aren’t, it’s usually because:  1. They haven’t had the chance to update their profiles.  2. They mistakenly selected the wrong company name when they updated their profile.  We generally don’t moderate or validate information that members post, but there are times when we might intervene.”

Number 1 is a problem because when you have a problem on LinkedIn, it looks like it will take a while to get it sorted.

Number 2 is a minor problem, and essentially you are unable to remove people from following your company pages.  From a data security standpoint, it only really becomes a problem if the same person is trying to also pass themselves off as an employee of your company.

Number 3 is the larger problem from a data security standpoint, especially for larger companies that are unable to actively monitor all existing employees.  You basically have two data security issues here.  The first is someone passing themselves off as an employee of your company and contacting your existing clients via LinkedIn to obtain some type of information from them.  The second is the same imposter contacting your existing employees via LinkedIn for the same purpose.

So how do you protect yourself?  First, restrict the visibility of your Connections so that those outside of your network cannot view them.  Second, do not send any type of sensitive documentation via the LinkedIn internal messaging system.  In this case it helps to have an information classification policy in place to prevent employees from sending out sensitive documents.

As always if you have any questions or comments, please feel free to list them below.

Social marketing has opened the doors to allow smaller businesses to compete with larger businesses on a somewhat level playing field.  That being said, social marketing has also opened the door to a new level of data security considerations.  This will be the first blog post, in a series, discussing data security considerations for social marketing initiatives.

LinkedIn is a business social marketing website, and there are several data security issues you should be aware of when using LinkedIn, but in this blog post I am going to discuss just one issue that is very troubling.  Just as people lie on resumes, they can also lie on their LinkedIn resumes.

So what do you do when someone claims to have worked for your company, and they follow your Company Profile page to make it look even more legit?  Obviously there are multiple security issues here.  Someone could contact connections via LinkedIn passing themselves off as a representative of your company.  If you, or someone employed at your company, open your personal connections to be viewable by anyone on LinkedIn, then this person can also access and contact your business connections directly acting as a representative of your company.  Personal or business data could be passed to this imposter along with the obvious PR damage that could be done to your company image.  So this issue could go way beyond just someone “padding” their resume.

So I will ask the question again – what do you do when someone claims to have worked for your company?  Well this issue is actually happening to me right now, and I am going to update you in real time to how LinkedIn responds.  Today I discovered someone claiming to work for my company, and they are also following my Company Profile page.

LinkedIn provides instructions here on how to go about contacting them to get the person removed from your Company Profile page, but they do not say what to do when someone is misrepresenting themselves as working for your company.  As such I included both issues in my request to remove this person from following my Company Profile page.

Frankly so far I am not impressed with how LinkedIn allows you to resolve this situation.  I understand they cannot immediately suspend someone’s account, but there should be a way to escalate matters such as this.  I will keep you posted on their response time and how they resolve the issue.

So what can you do to prevent this from happening?  Periodically review your Company Profile page to see who is following you, which you should do anyway from a social marketing perspective.  In addition you can use the LinkedIn Advanced Search to search for your company name to see how it is being used on LinkedIn.

If you have any questions or comments, please feel free to list them below in the comments section, and I hope to update you soon – at least it better be soon – on LinkedIn’s response.

Although hackers taking down company systems and accessing “secured data” such as credit cards or passwords is what makes the nightly news, data loss can occur in a variety of ways.  Additional examples include loss or theft of laptops/smart phones, internal employee theft, poor data storage handling, etc.  In this blog post, I am going to discuss some methods you can use to prevent data loss.

Data loss prevention starts first and foremost with simply protecting your data. 

  1. The first step is encryption of your mobile devices, emails, network data and offsite storage data, along with strong passwords that are routinely updated.
  2. Ensure all mobile phones can be locked and wiped remotely if lost or stolen.
  3. As mentioned in step 1, secure and encrypt data moved across your internal network, and avoid weak links such as poorly secured wireless access points.
  4. Control admin rights to employee computers and block downloading of unknown software.
  5. Ensure virus and malware protection is in place.
  6. Actively monitor your network for intrusion attempts and routinely scan your network for vulnerabilities.
  7. If your company is responsible for securing highly sensitive data, consider configuring your systems to block the use of USB storage devices to prevent internal theft or accidental loss of data.
  8. Secure all offsite data storage via encryption, whether it is backed up over the network or to removable media.  If removable media such as backup tapes are used, record and track all serial numbers and storage locations.
  9. Test and audit all procedures on a regular basis to detect any holes in your current security policy.
  10. Have a plan in place to immediately react to and handle any data loss incidents.

Follow these steps to prevent data loss incidents, and as always if you have any questions or comments, please feel free to list in the comments section below.

After my blog post on virus and malware protection, a few people have emailed me asking for recommendations on good programs to use to remove malware and spyware.  There are a ton of good programs out there, but I have had good results recommending the following three to clients.  I actually recommend you run all three programs to make sure you get everything removed.  Sometimes you have to do the removal manually, but these programs are generally pretty successful in removing a problem.

  1. SUPERAntiSpyware – They have a free and paid version for removing spyware and malware.
  2. Malwarebytes – They also have a free and a paid version of their software.
  3. Microsoft Malicious Software Removal Tool – Free download.

As I mentioned, if you are having a malware problem, run all three of these programs first to do an automatic removal.  And as always if you have any questions or comments, please feel free to list them below.

A couple of weeks ago I alerted you to the Java software issues.  In step 2 I explained how to update Java to the latest version and disable it within the browsers.  Unfortunately this is not working for Internet Explorer…surprise, surprise.  So what are your options?

  1. Hardest solution.  If you absolutely have to have Java running in IE, CERT has documented a rather tedious process for getting there. 
  2. Somewhat difficult solution.  As I explained in my previous post, I have a dedicated Java browser for when I need to use it.  You can run IE as your dedicated Java browser and use another browser, such as Firefox, to conduct your regular web business.
  3. Easiest solution.  Remove Java altogether.  Unfortunately some businesses use internet platforms that require Java, so this might not be feasible, but I would set out a plan to get your company there.  For example if you use an internet meeting platform that requires Java, tell them you are switching unless they make changes.  You do have alternatives here. 

Unfortunately there are no easy answers to this problem because of the extensive use of Java, but personally I am down to one website that requires Java, and it is a personal banking website.  So do not worry; you can get there.  In the meantime make sure you have the latest Java version (they released an update today actually), and make sure your anti-virus/malware programs are also up to date and scanning regularly.  As always if you have questions or comments, please feel free to list them below in the comments section.

I am guessing by now you have seen a lot of news and warnings about Java since the Department of Homeland Security urged computer users to disable Java because of the vulnerabilities associated with running the program.  Frankly they should have issued the warning long ago.  I do not think I have used Java for at least 2 years, if not longer.  I have a designated security browser, and if I need to use Java, I enable it within this browser.

The problem with Java is that it is an easy program for hackers to exploit, and they do so quite often.  Unfortunately there are still a lot of programs and websites that require Java to run certain features so oftentimes you are forced to use it.  As such you have a couple of ways you can use Java in a secure or somewhat secure manner. 

  1. At a minimum you should update to the latest version of Java and keep it updated.  You can go to this link to determine if you need to update.  If you intend to run Java all the time, make sure you have the latest version of Java, your antivirus software is up to date, and you periodically run malware/spyware checkers like SUPERAntiSpyware and Malwarebytes’ Anti-Malware.
  2. Or you could run Java only when you need it, and this is very easy to do once you have updated it.  Just go to Control Panel and click on the Java applet icon (View by Small Icons in Windows 7).  Once you have the Java Control Panel open, click on the Security tab, and uncheck Enable Java content in the browser to disable it.  To enable it again, just check the box.  See the Java Control Panel image below.

Java Control Panel

Follow either of these steps, and you will greatly decrease the vulnerabilities associated with running Java.  Note that the Enable Java content in the browser checkbox only exists in Java 7 Update 10 and later, so if you do not upgrade to the latest version of Java and you want to disable it, you will have to do so in each browser.  Feel free to post below in the comments, if you need any help.

When you add a new desktop to your network (let’s use a Windows OS as an example), have you noticed that as soon as you start setting up the computer, installed software programs prompt you to do updates?  The default configurations for new systems are always behind on the latest patches and updates, making these new systems especially vulnerable to exploitation.  Note: for the purposes of this blog post, we are only concerned with security patches.  In fact, for existing software and hardware configurations, I would recommend limiting routine updates to security patches.  So let’s take a look at the proper procedures for maintaining secure hardware and software configurations.

  1. You should have a process in place where all new systems and applications (desktops, laptops, servers, mobile, etc.) are configured and updated in an isolated environment before adding them to your network.  Examples of configuration include applying security patches, removing unwanted software, installing approved virus protection, setting up user and/or admin privileges, etc. 
  2. You should also have a process in place for adding these new systems to your network: firewall configuration, remote connections if required, backup configuration, etc. 
  3. User access configuration – determining the rights and network access privileges for each new user.  There should be a process in place for new user access.
  4. If you are adding a new server, look for systems with pre-installed security controls out of the box that adhere to your existing security requirements.
  5. An automated configuration monitoring application will allow you to test and monitor all initial configurations as well as ongoing changes.  Monitoring will allow you to identify and manage software changes or new installations, deletion/addition of files and/or applications, new applications running on the system, etc.  A process must be in place to identify and react to any detected change to the security configuration parameters. 
  6. Utilize configuration management tools such as Active Directory Group Policy, which you can use to manage configuration policies on an ongoing basis.
  7. Establish a process for ongoing security patching and updating for all systems including mobile. 
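The core of the configuration monitoring described in step 5 is a baseline of what the system looked like when you approved it, compared against what it looks like now.  The following is an added example, not code from the original post or from any particular monitoring product: it hashes every file under a directory into a baseline, stores the baseline as JSON, and later reports which files were added, removed or modified.  The directory layout and file names in the demonstration (etc/app.conf, bin/agent.exe, etc.) are constructed for the example; in practice you would keep the saved baseline somewhere the monitored host cannot alter it.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Skip symlinks and anything that is not a plain file.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(old, new):
    """Report files added, removed or modified between two baselines."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    """Persist a baseline as JSON; store it off the monitored host."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    """Load a baseline previously written by save_baseline."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _write(root, rel, text):
    """Helper for the demonstration: write a small text file, creating dirs."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def run_demo():
    """Constructed demonstration with hypothetical file names: baseline a
    tree, save the baseline, change the tree, and report the drift."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/app.conf", "debug=false\n")
        _write(root, "etc/hosts.allow", "10.0.5.0/24\n")
        _write(root, "bin/agent.exe", "original binary\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulate drift: a config edit, a deleted ACL file, an unexpected binary.
        _write(root, "etc/app.conf", "debug=true\n")
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        _write(root, "bin/dropper.exe", "unexpected\n")

        return compare_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run on a schedule (or after each change window), the comparison output is the list your change-management process has to explain; anything on it that nobody approved is the "detected change" step 5 says you must react to.  Hashing contents rather than comparing timestamps matters because an attacker who replaces a binary can trivially reset its modification time.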

As always if you have any questions or comments, please feel free to list below.

Penetration testing builds on vulnerability scanning, and in fact takes it to the next level.  As such penetration testing may not always be necessary for every business, or maybe it is necessary only for a segment of your business operations.  Penetration testing essentially involves taking the actions a hacker would take: trying to gain access to your network, and seeing how far and how much you can exploit the network and physical location(s).  So let’s take a look at how proper penetration testing should be carried out.

  1. The first step is determining the procedures for how you will go about performing a penetration test.  Will you use an outside vendor to either perform the testing or assist?  Just a tip: a third party expert will most likely find holes where you would never expect.  What steps will you take from an external as well as internal perspective?  Who will be involved and what areas of the business and network will you test? 
  2. You should conduct a penetration test both before and after a vulnerability scan and its remediation.  Don’t just assume that because you have scanned your network and fixed all active issues everything is ok; the post-remediation test is what verifies the fixes.
  3. Set up externally, through either another network or a nearby wireless network, to conduct external penetration testing.  Set up a test user account to conduct penetration testing internally.
  4. Consider physical penetration testing as well, especially if you utilize any type of electronic/biometric access systems. 
  5. If issues are identified, involve the entire organization to determine how vulnerabilities will be addressed and by whom.  For example what is the chain of command for notification of issues?  How would marketing/PR, legal, HR, etc., respond?  How do issues uncovered compare with previous issues found in prior testing?  Conduct penetration testing as part of your regular Business Continuity/Disaster Recovery Plan (BCP/DR).

There are quite a few technical elements to penetration testing and there will be widely varying requirements depending on your organization.  This blog post covers the high-level basics to get you started, and if you have any further questions or comments, please feel free to list below.

© 2013 Wilkins Consulting Blog - Adventures of a New Business Owner