Apr 21, 2015

I offer a ton of tips and advice on how to protect your small business from a data security issue. But let’s face it, no matter how well we protect our data, attackers will sometimes get ahead of us. So there is always the potential for a data security issue, and one of the most common problems small businesses face is website hacking.

If you are running a content management system like WordPress, or an e-commerce shopping cart, it is crucial that you apply security updates promptly, back it up regularly, and add protective layers such as a web application firewall and a malware scanner. Most hosting companies offer these products for a small monthly fee, you can buy them yourself, and WordPress has many free security plugins.

Of course we all get busy, especially in a small business, and sometimes we just let things slip. So what do you do in the event your website is hacked?

I recently ran a test with WordPress, and based on my experience, it should take you 24 – 48 hours to get your website clean and up and running again – if you have a cooperative hosting company. Here are the steps you should take.

Step 1 – How do you know you’ve been hacked?
You need a way to be notified that your website has been hacked. Many hosting companies will notify you, but on their timeline. To make sure you are covered, also register your site with Google Webmaster Tools (now Google Search Console). Google notifies you when it detects that your site has been hacked, and it does so fairly quickly. It will also flag the site in search results with a “This site may be hacked” warning, so you want to fix the issue as soon as possible.

Step 2 – Contact your hosting company
Don’t panic! If your hosting company didn’t notify you, notify them as quickly as possible. If you are set up with Webmaster Tools, you should already have some information on the type of hack, a list of the affected pages, and when it occurred. Most hacks are one or a combination of the following: malware installed on your website, redirects or injected links to spam websites, and/or an attempt to access or steal information.

Step 3 – Remove it
In most cases, if you didn’t already have a protective service installed on your website, your hosting company can either install one and clean the site for you, or provide a list of the affected files for you to delete manually (use SFTP or FTPS rather than plain FTP, which sends your password in the clear). Once you think everything has been removed, run the scan again, or have your hosting company run it, to verify. Also change every password tied to the site (WordPress admin, FTP/SFTP, database, and hosting control panel), since the attacker may have captured them, and check the WordPress user list for admin accounts you did not create.

One thing to consider – Ideally you would have had a backup, and you might be tempted to delete everything and start over from scratch. This can be a lot of work, so I wouldn’t necessarily jump to that step. Let’s say you had 100 files affected on your website. In reality, with an FTP program it will only take you about an hour to delete those files, and hopefully the damage will be minimal. In my test with WordPress, I had 78 infected files. Once I deleted those files, I only needed to reload my WordPress theme, and I was back the way I started. Either way though, make sure you have a backup in the first place, and back it up on a regular basis.

Step 4 – Fix it
Once you have removed all traces of the hack, fix the weaknesses that let it in. The first thing to do is upgrade, since an outdated component is the most likely way the attacker got in. Using WordPress as the example again, update WordPress core, all plugins, and the theme, and delete any plugins or themes you no longer use, because their files stay reachable and can still be exploited even when inactive. Once everything is upgraded, if you didn’t have a website firewall or malware scanner, get one. It will go a long way towards preventing you from ever having to endure this headache again.
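To make the verification in Step 3 less dependent on guesswork, here is an added example (not code from the original post) of how to find what actually changed: take a checksum manifest of the site while it is known-good (for example, from the backup Step 3 assumes you have), then compare the live web root against it and grep any new or changed PHP files for common injection patterns. The tiny “site”, the planted infections, and the indicator patterns are all constructed assumptions for the demo. For WordPress core files specifically, the real tool for this job is WP-CLI’s `wp core verify-checksums`, which compares against the checksums published by WordPress.org.

```python
"""Integrity check for a web root: diff against a known-good manifest, then grep
the changed PHP files for common injection patterns. Added example; the site
layout and the indicator patterns are assumptions, not from the original post."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Indicators commonly seen in injected PHP. Assumed and not exhaustive: a clean
# scan here does not prove the site is clean, only that these tells are absent.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\("),  # $_POST['x']('...') callback
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),        # /e modifier executes code
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """relative path -> sha256 for every file under root; build this from a clean backup."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def audit(root: Path, manifest: dict) -> dict:
    """Return files that were added, modified or removed since the manifest, and which
    of the new/changed PHP files match an injection indicator."""
    current = build_manifest(root)
    findings = {
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "missing": sorted(set(manifest) - set(current)),
        "suspicious": [],
    }
    for rel in findings["added"] + findings["modified"]:
        if rel.endswith(".php"):
            data = (root / rel).read_bytes()
            if any(pat.search(data) for pat in SUSPICIOUS):
                findings["suspicious"].append(rel)
    findings["suspicious"].sort()
    return findings


def demo() -> dict:
    """Constructed scenario: snapshot a tiny 'site', then plant two typical infections."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php function wp_hello() { return 'hi'; }\n")
        manifest = build_manifest(root)   # the known-good baseline

        # Attacker prepends an obfuscated loader to a core file and drops a web shell.
        (root / "index.php").write_text(
            "<?php eval(base64_decode('ZWNobyAnb3duZWQnOw==')); require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "class-wp-cache.php").write_text("<?php $_POST['c']($_POST['a']);\n")
        return audit(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest is only as trustworthy as the snapshot it came from, so take it from a backup made before the compromise or from a fresh download of the same versions, never from the live site after the fact. Note that “modified” and “added” are the lists to review file by file; the pattern scan just orders the queue.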

And that’s it. Remember don’t panic. It may look daunting at first, but in reality if you have a good hosting company and you are backed up, you can actually fix a website hacking issue fairly quickly.

Mar 06, 2014

One of the most common ways attackers get into a business network is through open and unsecured network ports.  Using a default or “easy to guess” username/password combination, they can log in to network services such as mail servers, DNS servers, VoIP servers, and other servers that were never meant to be reachable from the internet.  Here are a few tips to help you close and monitor your network ports to prevent these types of attacks.

  1. Install a firewall(s) and a network port filtering tool and set rules to only allow business verified network traffic and to monitor  all network traffic.
  2. Routinely check and install security patch updates.
  3. Maintain and audit these applications on a regular basis to ensure all rules, patches, and services are up to date.
  4. Routinely audit all ports and protocols, perform automated port scans, and compare results and settings to your asset management system.
  5. Ensure systems are in place to alert you quickly when an unauthorized service is installed or a new port is opened.
  6. It may be necessary to maintain critical servers in isolated environments with no internet access.
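Item 4 is the one most people skip because “compare results to your asset management system” sounds like a manual chore. Here is an added example (not from the original post) of the comparison as code: it parses scan output in nmap’s grepable format (what `nmap -oG` writes) and checks it against an approved-ports inventory, flagging ports that are open but not approved, hosts that are not in the inventory at all, and approved services that did not show up, which usually means a dead service or a gap in scan coverage. The inventory and the scan lines are constructed for the demo, not real hosts.

```python
"""Compare observed open ports (constructed nmap -oG style output) against an
approved-ports inventory. Added example; hosts and inventory are made up."""
from dataclasses import dataclass

# Constructed asset inventory: host -> set of (port, proto) the business has approved.
INVENTORY = {
    "10.0.0.5": {(25, "tcp"), (587, "tcp")},      # mail server
    "10.0.0.10": {(53, "tcp"), (53, "udp")},      # DNS
    "10.0.0.20": {(5060, "udp"), (5061, "tcp")},  # VoIP
}

# Constructed lines in nmap's grepable format (port/state/proto/owner/service/rpc/version).
SCAN_OUTPUT = """\
Host: 10.0.0.5 ()  Ports: 25/open/tcp//smtp///, 587/open/tcp//submission///, 23/open/tcp//telnet///
Host: 10.0.0.10 () Ports: 53/open/tcp//domain///, 53/open/udp//domain///
Host: 10.0.0.20 () Ports: 5060/open/udp//sip///
Host: 10.0.0.99 () Ports: 3389/open/tcp//ms-wbt-server///
"""


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    reason: str


def parse_grepable(text: str) -> dict:
    """Extract open ports from 'Host: ... Ports: ...' lines -> {host: {(port, proto), ...}}."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3 or parts[1] != "open":
                continue                      # ignore closed/filtered entries
            observed.setdefault(host, set()).add((int(parts[0]), parts[2]))
    return observed


def compare(observed: dict, inventory: dict) -> list:
    """Three kinds of drift: unapproved port on a known host, unknown host, approved port silent."""
    findings = []
    for host, ports in observed.items():
        approved = inventory.get(host)
        if approved is None:
            for port, proto in sorted(ports):
                findings.append(Finding(host, port, proto, "host not in asset inventory"))
            continue
        for port, proto in sorted(ports - approved):
            findings.append(Finding(host, port, proto, "port not approved for this host"))
    for host, approved in inventory.items():
        for port, proto in sorted(approved - observed.get(host, set())):
            findings.append(Finding(host, port, proto,
                                    "approved service not listening (check service health or scan coverage)"))
    return findings


def run() -> list:
    return compare(parse_grepable(SCAN_OUTPUT), INVENTORY)


if __name__ == "__main__":
    for f in run():
        print(f"{f.host}:{f.port}/{f.proto}  {f.reason}")
```

In practice the scan would come from something like `nmap -sS -sU -p- -oG scan.gnmap <range>` run on a schedule, and the inventory from wherever you already track assets; the point is that the diff, not the raw scan, is what a person reviews. Telnet on the mail server and an RDP host nobody recorded are exactly the findings the post is warning about.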

Follow these simple steps to manage your network ports and prevent potential hacking exploits of your network.

Dec 05, 2013

The majority of data security vulnerabilities are found in software applications, and in web applications in particular.  Major attacks on online systems are becoming more and more commonplace, with attackers exploiting vulnerabilities through SQL injection, buffer overflows, cross-site scripting, and many more.   So it is important to protect your business by testing application software for vulnerabilities, and here are some examples of how you can strengthen your business against these attacks.

  1. Install and test every new software release on an isolated machine outside your network, such as a single stand-alone desktop, before it touches production.
  2. Use automated remote web application scanners to test for security vulnerabilities prior to software deployment within your network.
  3. If the software requires a database, test the database to ensure it has been hardened.
  4. Once testing is complete and the software is deployed in your network environment, ensure it is properly setup and configured within your network firewall to protect against potential outside threats.
  5. Turn off all automated updates except for security updates.  And depending on your network type, you may either want to test or use a third party to whitelist software security updates before introducing them into your network environment.
  6. Detailed system error messages (stack traces, SQL errors, file paths) should be logged internally only.  End users should see a generic message, because the details tell an attacker how the application is built.
  7. If you develop and code your own in-house software, keep the development area separate from your production network environment.  Test for common vulnerabilities such as software backdoors, malware insertion, coding errors, etc., before deployment of this software.
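Since the post names SQL injection as the first thing to test for, here is an added example (not code from the original post) of what the test is actually looking for: a login check that builds its SQL by string formatting, next to the same check written with query parameters, both run against a constructed in-memory SQLite table. The user table, the password, and the payload are assumptions for the demo; the hashing is SHA-256 only to keep the example short, and a real application would use a password hashing function such as bcrypt or Argon2.

```python
"""Vulnerable string-built SQL beside the parameterized fix, exercised against
an in-memory SQLite database. Added example; the table and account are constructed."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with one account. SHA-256 is for brevity only;
    use bcrypt/scrypt/Argon2 for real password storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """BAD: the username is pasted into the SQL text, so it can rewrite the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """GOOD: placeholders send the values separately from the SQL text; the
    database treats them as data and the query structure cannot change."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


# Classic payload: closes the quoted string, then '--' comments out the password check.
INJECTION = "alice' --"


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "inject_vulnerable": login_vulnerable(conn, INJECTION, "wrong password"),
        "inject_safe": login_safe(conn, INJECTION, "wrong password"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login succeeded' if ok else 'login refused'}")
```

Both functions behave identically on honest input, which is why this class of bug survives functional testing; only a test that feeds the payload (or an automated scanner doing the same, per item 2) tells them apart. The fix is not escaping quotes but never mixing data into the statement text.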

Follow these steps to ensure you are testing for and removing any potential software application vulnerabilities prior to deployment in your network environment.  And as always if you have any questions or comments, please feel free to list them below in the comments section.

Jun 28, 2013

Employee training is, and should be, an important part of your data security program.  The type of training required will depend on several factors, chief among them the type of data security program you have in place, the sensitivity of your data, and your number of employees.  For example, if you have an ISO security program in place (such as ISO/IEC 27001), data security training will be required for every employee that falls under the program, it will be required on an ongoing basis, and you will have to document and show that every employee has undergone training.  If you are a smaller company with relatively small amounts of sensitive data, such as your accounting and customer databases, then employee training might only be required for your IT people and new employees.   Either way, just as technology is constantly changing, so are the data security requirements, and I am going to cover several examples of the types of security training you can put in place depending on your business.

  1. Setup training for all new employees.  Integrate data security training into your regular new employee training.  If you have an existing security policy in place, then all new employees will be trained.  If you are only protecting certain key areas of your business, then only certain new employees will need to be trained.  For example a new network administrator would have to receive extensive network security training, whereas a new marketing person would need to be trained on the potential for social marketing abuse among other items.
  2. Ongoing security training.  It may be as simple as having your employees review your Information Security Policy on a yearly basis to as comprehensive as setting up testing criteria that all employees must pass to be certified in internal security training.
  3. If you are a smaller company, train on the basics – keeping antivirus up to date, not opening suspicious email attachments or links, not installing unknown software on your computer, etc.
  4. If you are a larger company, you may want to consider additional outside training/certification for key employees such as CISSP, CISM, or CISA.
  5. Always keep a record and show where employees have received training.

The key point to remember is to provide ongoing training to keep your employees abreast of your latest security policies.  When in doubt, just train on your Information Security Policy.  As always, if you have any questions or comments, please feel free to list them in the comments section below.

Jun 13, 2013

I covered access controls in my article, 5 Step Data Security Plan for Small Businesses, as well as a few blog posts, but you can never talk too much about access controls when it comes to data security.  I have written about the need to give employees different levels of network access depending on their roles in the company – we will call it employee network segmentation.  Well in light of recent events, think government leaks, it is probably a good time to touch on just how important access control is to your overall data security plan.  In short – your salespeople do not need access to your accounting program.

In a nutshell you have two areas to worry about here – external and internal.  Obviously you do not want employees accessing areas of your network where you store sensitive data that does not apply to them.  In addition, an external attacker who compromises an employee’s account or machine inherits exactly that employee’s access, so every employee holding access they didn’t need enlarges the damage a single phished account can do.  So let’s discuss the steps involved.

  1. First you need to understand and classify what exactly is sensitive data as well as employee roles.  Examples of sensitive data are accounting info, customer/employee information, and proprietary information on your products and services.  In addition you define the roles of each employee and what types of data they need access to on the network.  As mentioned before your salespeople will not need access to your accounting program.
  2. Separate data and access on your network based on the sensitivity of the data.  Use firewall segmentation/filtering, data classification labels, Active Directory group membership and file permissions, etc., to segment and protect the data on your network.
  3. For very sensitive data, consider encrypting it at rest in addition to encrypting it in transit across the network.
  4. Setup network logging to proactively review access as well as use it to help discover any network breaches.
  5. Setup alerts for when access is attempted to areas of your network without the appropriate access privileges.

As always if you have any questions or comments, please feel free to list them in the comments section below.


May 21, 2013

Let’s face it – unless your business is mandated to do so, or you have secure data that you need to protect, or you have suffered a data security loss at some point, data security is not at the top of the priority list for most businesses…especially small businesses.  And in the field of data security there is one often overlooked area – monitoring and reviewing log records.  Reviewing logs can be boring and tedious work, but oftentimes it may be your only evidence that an inside or outside attack has occurred so it is very important to review your logging records on a routine basis.  Let’s take a look at several steps you can incorporate to monitor logging records.

  1. The first step is to set a routine schedule for reviewing your audit logs, based on the sensitivity of the data.  For example, I would say weekly or biweekly is a sensible minimum for sensitive systems, and no review period should stretch beyond quarterly.
  2. Make sure all your systems and network entry paths record event and fault logs: network servers, employee workstations, remote access logins, etc.  In addition, log events that occur within your network, such as access to files and folders.  Ensure your logs capture information such as operating system type, application, system activity, date and time, source and destination addresses, system resource usage, exceptions, etc.
  3. Monitor who is logging in, failed login attempts, all network traffic including blocked and allowed, software downloads, creation of services, etc.
  4. Create a separate logging server to hold copies of all system logs for review and monitoring, and restrict access to admin personnel only.  Forward logs to the central server in addition to keeping them in the default location on each server/OS; an attacker who compromises a host will typically try to clear its local logs, so the forwarded copy is often the one that survives.  Set a retention period for log records.  I would advise holding logs for at least one year, or longer depending on any additional requirements.
  5. Ensure all your systems and server clocks are synchronized (for example, via NTP) so that events from different systems can be correlated and you will know when an event actually occurred.
  6. Allow for automatic profiling of your network so you can monitor deviations from normal network activity and manage accordingly.
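Items 3 and 5 are where a small script earns its keep, so here is an added example (not from the original post) of the simplest useful review run over constructed OpenSSH-style log lines: it parses the login events, alerts when one source piles up a burst of failed logins on a host, and alerts again when a login from that source then succeeds while those failures are still recent, which is the case worth a phone call. The log lines, the year supplied to the parser (syslog timestamps carry none), and the thresholds are all assumptions; the correlation only works if the clocks on the logging hosts agree, which is item 5.

```python
"""Review sshd-style auth log lines for brute-force bursts and for a success that
follows a run of failures from the same source. Added example with constructed
log lines; the thresholds and the year are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in syslog/OpenSSH format (not real logs). The timeline
# assumes every host's clock is NTP-synchronized, as the post recommends.
SAMPLE_LOG = """\
Jun 14 03:12:01 fs01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 14 03:12:03 fs01 sshd[2233]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 14 03:12:05 fs01 sshd[2235]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Jun 14 03:12:08 fs01 sshd[2238]: Failed password for bob from 203.0.113.7 port 51055 ssh2
Jun 14 03:12:12 fs01 sshd[2240]: Failed password for bob from 203.0.113.7 port 51062 ssh2
Jun 14 03:12:40 fs01 sshd[2250]: Accepted password for bob from 203.0.113.7 port 51101 ssh2
Jun 14 03:12:40 fs01 sshd[2250]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jun 14 08:01:11 fs01 sshd[3101]: Accepted publickey for bob from 10.0.0.42 port 44410 ssh2
Jun 14 08:05:00 fs01 sshd[3110]: Failed password for bob from 10.0.0.42 port 44420 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text: str, year: int = 2013) -> list:
    """Turn matching lines into (timestamp, host, result, user, source) tuples; skip the rest.
    Syslog omits the year, so the caller supplies it (assumption for the demo)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events


def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when one source reaches `threshold` failures within `window` on a host,
    and when a login from that source succeeds while such failures are still recent."""
    alerts = []
    recent_failures = defaultdict(list)   # (host, src) -> failure timestamps inside the window
    for ts, host, result, user, src in sorted(events):
        key = (host, src)
        recent = [t for t in recent_failures[key] if ts - t <= window]   # slide the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:      # fire once per burst, not on every extra failure
                alerts.append(f"{host}: {threshold} failed logins from {src} within {window} (possible brute force)")
        elif recent:
            alerts.append(f"{host}: successful login for {user} from {src} after {len(recent)} recent failures")
        recent_failures[key] = recent
    return alerts


def demo() -> list:
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for a in demo():
        print(a)
```

The single failure from 10.0.0.42 correctly produces nothing; a review process that pages on every failed login gets muted within a week. Pointing `parse` at the central log server’s copy, rather than at each host, is what makes this survive an attacker who wipes local logs.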

As always if you have questions or comments, please feel free to post them below in the comments section.

May 10, 2013

In previous blog posts, as well as my 5 Step Data Security Plan for Small Businesses article, I have touched on methods you can put in place to protect your business network.  In this blog post, I am going to discuss these defense processes in more detail to give you some tips on how to protect your business network.

Network Security

Unfortunately though you are no longer just protecting your office business network as your business network has expanded to include wireless platforms, social marketing accounts, client extranets, internal intranets, etc.  As such it is important to employ a multi-layered defense strategy.  So let’s take a look at some of the steps you can take.

  1. Set up a filtering proxy server to regulate web content and file transfers by blocking specific URLs and IP addresses based on parameters such as blacklists, content categories (for example adult websites), and website reputation scores.  Depending on your type of business, you can go one step further and allow access only to trusted websites.  If you have a client extranet and/or an internal company intranet, restrict external access to known client/employee IP addresses, which is especially important when you are providing access to sensitive data.  And finally, encrypt all incoming and outgoing traffic (TLS/HTTPS) whenever sensitive data is being sent or received.
  2. Integrate your network defense/proxy with your email security to prevent phishing attacks and spoofed emails.  For example, you could receive an email from a reputable (whitelisted) mail server that nonetheless contains a link to a site hosting malware or a phishing page; the proxy’s URL filtering catches what the mail filter let through.
  3. For employees logging into your network remotely, require access through a VPN protected by two-factor authentication.  In addition, the remote devices used need to be managed by your company to ensure they have current virus/malware protection, the latest security patches, and a host firewall, since a home or remote network cannot be assumed to be protected.
  4. I say it all the time, but routinely scan your network for vulnerabilities as well as scan/monitor for network intrusion attacks.
  5. In addition to individual computers, set up network-level virus/malware protection.  Unless you have a robust network, schedule scans for off-peak business hours to avoid slowing down your network.
  6. Segment your internal network to prevent the spread of malware internally.  For example with your access control you can limit employee access to certain areas of your network based on their role within the company.  You can protect each segment via a proxy and firewall based on your security needs.  In addition for sensitive data stored on networks, you can completely isolate the area from internet/outside access.
  7. Use network traffic analysis (sniffer/intrusion detection) tools to guard against attacks from external as well as internal sources.
  8. Routinely review and manage network logs for any unusual activity.
  9. And finally test, test, test, and backup, backup, backup.  You can’t stop everything, but you can minimize the impact of intrusions.

As always if you have any questions or comments, please feel free to list them below in the comments section.

Apr 09, 2013

Well I promised I would update my last blog post on my data security experiences with LinkedIn.  Let’s cut to the chase – I have several concerns, and here they are.

  1. LinkedIn’s tech support response is painfully slow.  I opened the ticket on March 27.  LinkedIn responded on April 8.  For those of you counting at home that is 12 days.  If you are going to run a business catering to millions of potential users, you need to develop a support system to respond to them.  LinkedIn could take some lessons from Amazon.
  2. They removed the user from following my LinkedIn company page which per their Help Desk, they say they will do.  Unfortunately though you do not have the ability to do this yourself, and you have to request for LinkedIn tech support to perform the action – which in my case took 12 days.
  3. Regarding the user claiming via their LinkedIn profile to work for my company, LinkedIn did nothing about this issue, and here was their response:  “If any members indicate they are current or past employees when in fact they aren’t, it’s usually because:  1. They haven’t had the chance to update their profiles.  2. They mistakenly selected the wrong company name when they updated their profile.  We generally don’t moderate or validate information that members post, but there are times when we might intervene.”

Number 1 is a problem because when you have a problem on LinkedIn, it looks like it will take a while to get it sorted.

Number 2 is a minor problem, and essentially you are unable to remove people from following your company pages.  From a data security standpoint, it only really becomes a problem if the same person is trying to also pass themselves off as an employee of your company.

Number 3 is the larger problem from a data security standpoint, especially for larger companies who are unable to actively monitor all existing employees.  You basically have two data security issues here.  The first would be someone attempting to pass themselves off as an employee of your company and contacting your existing clients to gain some type of info from them via LinkedIn.  The second data security issue would be someone attempting to pass themselves off as an employee of your company and contacting your existing employees to gain some type of info from them via LinkedIn.

So how do you protect yourself?  First, set your Connections visibility so that people outside your network cannot view them.  Second, do not send any type of sensitive documentation via LinkedIn’s internal messaging.  In this case it helps to have an information classification policy in place to prevent employees from sending out sensitive documents.

As always if you have any questions or comments, please feel free to list them below.

Mar 27, 2013

Social marketing has opened the doors to allow smaller businesses to compete with larger businesses on a somewhat level playing field.  That being said, social marketing has also opened the door to a new level of data security considerations.  This will be the first blog post, in a series, discussing data security considerations for social marketing initiatives.

LinkedIn is a business social marketing website, and there are several data security issues you should be aware of when using LinkedIn, but in this blog post I am going to discuss just one issue that is very troubling.  Just as people lie on resumes, they can also lie on their LinkedIn resumes.

So what do you do when someone claims to have worked for your company, and they follow your Company Profile page to make it look even more legit?  Obviously there are multiple security issues here.  Someone could contact connections via LinkedIn passing themselves off as a representative of your company.  If you, or someone employed at your company, open your personal connections to be viewable by anyone on LinkedIn, then this person can also access and contact your business connections directly acting as a representative of your company.  Personal or business data could be passed to this imposter along with the obvious PR damage that could be done to your company image.  So this issue could go way beyond just someone “padding” their resume.

So I will ask the question again – what do you do when someone claims to have worked for your company?  Well this issue is actually happening to me right now, and I am going to update you in real time to how LinkedIn responds.  Today I discovered someone claiming to work for my company, and they are also following my Company Profile page.

LinkedIn provides instructions here on how to go about contacting them to get the person removed from your Company Profile page, but they do not say what to do when someone is misrepresenting themselves as working for your company.  As such I included both issues in my request to remove this person from following my Company Profile page.

Frankly so far I am not impressed with how LinkedIn allows you to resolve this situation.  I understand they cannot immediately suspend someone’s account, but there should be a way to escalate matters such as this.  I will keep you posted on their response time and how they resolve the issue.

So what can you do to prevent this from happening?  Periodically review your Company Profile page to see who is following you, which you should do anyway from a social marketing perspective.  In addition you can use the LinkedIn Advanced Search to search for your company name to see how it is being used on LinkedIn.

If you have any questions or comments, please feel free to list them below in the comments section, and I hope to update you soon – at least it better be soon – on LinkedIn’s response.

Mar 08, 2013

Although hackers taking down company systems and accessing “secured data” such as credit cards or passwords is what makes the nightly news, data loss can occur in a variety of ways.  Additional examples include loss or theft of laptops/smart phones, internal employee theft, poor data storage handling, etc.  In this blog post, I am going to discuss some methods you can use to prevent data loss.

Data loss prevention starts first and foremost with simply protecting your data. 

  1. Encryption of your mobile devices, emails, network data, and offsite storage data, together with strong, unique passwords (changed promptly whenever compromise is suspected), is the first step.
  2. Ensure all mobile phones can be wiped or deactivated remotely if lost or stolen.
  3. As mentioned in step 1, secure and encrypt data moved across your internal network, and avoid weak links such as poorly secured wireless access points.
  4. Control admin rights to employee computers and block downloading of unknown software.
  5. Ensure virus and malware protection is in place.
  6. Actively monitor your network for intrusion attempts and routinely scan your network for vulnerabilities.
  7. If your company is responsible for securing highly sensitive data, consider configuring your systems to block the use of USB storage devices to prevent internal theft or accidental loss of data.
  8. Secure all offsite data storage via encryption, whether it is backed up over the network or on removable media.  If removable media such as backup tapes are used, record and track all serial numbers and storage locations.
  9. Test and audit all procedures on a regular basis to detect any holes in your current security policy.
  10. Have a plan in place to immediately react to and handle any data loss incidents.

Follow these steps to prevent data loss incidents, and as always if you have any questions or comments, please feel free to list in the comments section below.