The Steps to Becoming Safer in your Business - Adjusting yourselves to the New Wave of Hacker
Information Technology works both ways. You need the technology to deal with the information, but you also need the information to deal with the technology. As a support company, it is part of our job to make sure you are making the right decisions regarding your information technology. Not just your spending, but your training, your policies, your predictions and the procedures you have in place already as regards dealing with your computer systems. As computers become more and more a part of our daily lives - you probably have at least three or four in your kitchen as we speak - the levels of computer interaction become ever more complicated. As a result your computer network becomes evermore complicated too, after all, that's what a network is, computers interacting. If you have a mobile phone you synchronise it with your computer - it may be a trio or whatever - then it is something that we have to be aware of in order to fit in if and when it may become a security issue. If you have a wireless connection at home then it is a way of software gaining access to your laptop.
It is a primitive idea that viruses and the like are built by people seeking notoriety or credibility amongst the hacker community. Most hackers these days are developing code designed to exploit a known weakness, and then selling that code on to organised crime. As user demand (and therefore the applications themselves) get more and more sophisticated, there are bound to be more vulnerabilities. After all, if the application is bigger, there are bound to be more parts of it that can be turned to misuse. These two factors acting together make for a new form of attack; one that is designed and motivated. It is designed by people trying to make a name for themselves as creators of clever and reliable code that does not lead any trace to the instigators so that the organised criminals will want to come back for more. And it is motivated by the desire of the criminals to turn a profit on the money spent obtaining the code. Quite a dangerous little cocktail.
Some of the statistics derived by Symantec in Q3-4 of 2005 (who have more information on this subject than everyone else put together no matter what the web whiners say) show some fairly alarming trends:
Even computers on a scale of the Sony PSP have mal-ware being distributed. 'Brick' turns your PSP into just that - a brick - and already there are Trojan horse viruses running around pretending to be fixes in order to catch people out. And this brings us to the most important area to be increasing your staffs awareness in. At least half of all successful attacks on companies in the UK are initiated from the inside, either deliberately or by trickery; this is where your staff are your security front line. In the near future you will begin to see mobile phones becoming a real target for viruses and spyware, especially as so many run Windows now. Undoubtedly Antivirus programs for these phones will follow too and we must all be prepared. Do you know who connects there mobile phones to your network? Soon it will become a priority.
2. Your Vulnerabilities
Where is your most sensitive data kept? How is it accessed? Do you enforce regular password changes for the users of this data or do you find that the forgetting of all the passwords by your staff seems to rob you of more revenue than you can cope with? Where is your email server? Does it scan for viruses in incoming emails?
Your network firewall always used to be where you connected to the outside world but now the outside world has such a high level of interaction with you computer system, that it is beginning to be tricky to tell them apart. Every accessory that is synchronised or copied to your network is a path to and from the outside world. Every laptop, PDA, mobile phone, USB ram drive, modem, VPN, camera and MP3 player brings information in and takes it back out again. If you have a wireless connection then you have another full-time connection that is sending data out to the world and receiving it back just for your system to identify users for authentication. As a result your perimeter has become dynamic and less predictable and so different measures must be in place.
Preventative is always a better option and so once your vulnerabilities have been identified it is time to draw up a plan to minimise their abilities to do you harm.
3. Your Policies
Clear policies should be defined pertaining to the use of any hardware or software that may be a danger to your computer system. To close as many avenues as possible is not necessarily the first or best option as this action will limit your capabilities. The most sensible course of action is to start by informing your staff of the most likely ways attackers will try to compromise your security. Here are a few examples but we will be following these up with subsequent reports.
4. Your Perimeter
You must be equipped with a firewall and antivirus solution at every point of contact with the internet. Denial of Service (DoS) attacks are still common to servers and desktops alike and can cause outages in connection to your email, database and fileservers or the internet:
On top of all of this, take access to your building to be a means of stealing data from your computer network just as if they were going through your files. Make sure there are no network ports on the ground floor which are unnecessarily connected and could be granting access to anyone walking into your foyer.
5. The Future
Each emerging technology offers its own set of difficulties. The age of the PDA is just about to begin facing the difficulty of malware and SPAM as it transforms into a miniature PC in it's own right. The USB drive and the DVD are now internationally recognised as a primary 'back door' into larger networks and custom malware is written to take advantage of this. In each area you must continue to do enough to stop you being an easy target but not enough to be spending unnecessarily. Walking this line is the target of all of your information systems providers and it will continue to be, the biggest influence on how far they shall succeed in this matter is how much you and your company assist them.
Send mail to email@example.com with questions or comments about this web site.