Keeping your company’s valuable information safe from cybercrooks.
By Bridget McCrea
In the “olden days” of e-theft, cyber-criminals were mainly interested in large companies – the kind that possessed huge volumes of sensitive data, information and other valuables of interest to cybercrooks. But where these hackers once went after larger national firms, much of that low-hanging fruit has since been picked (mainly through the use of robust data security and encryption systems), leaving the bad guys to use their harmful tactics on small to mid-sized companies.
“It’s getting harder and harder for the cyber-criminals to get stuff from large firms, which realize the liability and purchase the technology needed to thwart those efforts,” says Mark Piening, senior director of worldwide SMB marketing for Symantec in Cupertino, Calif. “Smaller firms haven’t been able to make the same kinds of investment, and where the great payoff still comes from stealing from a big company, the process of doing so is getting more difficult. Instead, they’re going after companies that aren’t protected as well.”
Top of mind
Internet and computer security are issues that should be top of mind for precast companies, each of which has its own degree of sensitive information and vulnerabilities. The threat is both real and prevalent, according to Symantec’s most recent Internet Security Threat Report (March 2007), which uncovered a fundamental shift in Internet security activity. The current threat environment is characterized by an increase in data theft, data leakage and the creation of malicious code that targets specific organizations for information that can be used for financial gain.
Instead of exploiting high-severity vulnerabilities in direct attacks, for example, attackers are now discovering and exploiting medium-severity vulnerabilities in third-party applications, such as Web applications and Web browsers. Those vulnerabilities are often used in “gateway” attacks, in which an initial exploitation takes place not to breach data immediately, but to establish a foothold from which subsequent, more malicious attacks can be launched.
Symantec also reported high levels of malicious activity across the Internet with increases in phishing, spam, bot networks (computers that, unbeknown to their owners, have been set up to forward transmissions to other computers via the Internet), Trojans and zero-day threats (Web-based hacking in which certain parameters in the Uniform Resource Locator or Web page form field data entered by a user are changed without that user’s authorization). The United States accounted for 31 percent of all malicious activity during the second half of 2006, more than any other country.
Stopping hackers in this area means taking steps to protect data, systems and applications, and then developing IT security policies that all employees and managers must follow. Ed Moyle, manager at CTG, an IT consulting and advisory firm in Buffalo, N.Y., says a good first step for firms is to understand where the data is. “It may sound like a given, but that’s not always the case,” says Moyle. “Companies don’t always know where the data comes from, how it gets there and how it’s used within the organization.”
Next, come up with a way to protect that data in case of emergency, be it a natural disaster, a cyber-hacker or an internal threat to the system’s technology infrastructure. “Backing up is important,” says Piening. Back-ups should be frequent and should be tested to ensure that the data is recoverable.
David Hahn, director of product and market strategy at MessageLabs Inc., in New York, divides IT security into two buckets: systems that allow companies to block information that they don’t want getting onto their networks (malware, spam and viruses, for example) through Internet instant messaging and email channels; and filtering technologies that allow companies to determine information that should be kept within those networks, and which data should not be there.
Sometimes, just acknowledging the fact that data is sensitive is a good starting point for manufacturers looking to better protect that information, says Hahn. Take the tax return that you’re filing with the IRS, or the spreadsheet of sensitive financial data you just sent over to a client. Understanding the sensitivity of the data, the smart firm would enlist encryption technology to protect it on its trip through cyberspace.
“You can encrypt information from the time it leaves the customer’s network to the time it’s delivered to the receiving party’s network,” says Hahn. “That means that, during transmission, it cannot be hacked into by any cyber-crooks.”
Batten down the hatches
Because data is fraught with intellectual property these days, Hahn also suggests a robust disaster recovery system that allows your firm to get back up and running within a matter of hours or days – not months or years. That means retaining multiple copies of data in a way that’s easy to store and retrieve. Online backup systems, for example, are one good option that allows for off-site backup and storage at an affordable price.
Finally, says Hahn, companies must secure their mobile workforce’s technology, namely their laptop computers. Secure them from both a password (necessary to even log into the computer) and Internet access (by using firewalls) perspective, thus ensuring that the person sitting in the next room at the Marriott can’t hack into the computer and steal the critical data from it.
But none of this technology is useful if employees and managers aren’t aware of its existence or cognizant of the need to use it on an everyday basis. “A very focused message concerning security must be put out there,” says Hahn, “to ensure that as the data enters, moves around and leaves the organization, it’s secure and appropriate in accordance with those internal policies.”
Unfortunately, data security isn’t getting any easier. Every day it seems as if a new threat is rearing its ugly head, ready to wreak havoc on unsuspecting companies. Threats are also becoming more “targeted,” according to Hahn, who says hackers are developing attacks against specific firms and types of information with the intention of stealing and exploiting that data to their advantage.
To deal with these and other emerging threats, Moyle says firms should use planning that is well prioritized, and that is proactive rather than reactive. “Put aside some time and resources to evaluate the regulatory context, the important controls and how they relate to your business priorities,” says Moyle. “Then develop an IT security strategy that is well thought out, endorsed by management and/or legal counsel, and put it in place.”
Six Security Steps You Can Take Right Now
Mark Piening, senior director of worldwide SMB marketing for Symantec offers these six action steps that precasters can take to protect their IT infrastructures:
- Turn off and remove IT services that are not needed.
- Enforce an effective password policy.
- Isolate infected computers quickly to prevent the risk of further infection within the organization. Then perform a forensic analysis and restore the computers using trusted media.
- Train employees to not open attachments unless they are expected and come from a known and trusted source, and to not execute software that is downloaded from the Internet unless it has been scanned for viruses.
- Use an Internet security solution to scan attachments and files at point of entry.
- Ensure that emergency response procedures are in place. This includes having a backup-and-restore solution present in order to bring back lost or compromised data in the event of a successful attack or catastrophic data loss.
One way crooks are stealing identities and other valuable information from consumers and businesses is through a practice known as “phishing.” The criminals steal consumers’ personal identity data and financial account credentials through “spoofed” e-mails that lead unknowing users to counterfeit Web sites of “hijacked” brands. The e-mail appears to come from a well-known bank or finance company, for example, when it is really from a hacker who is stealing the name. Once there, recipients are tricked into divulging financial data such as credit card numbers, account usernames, passwords and Social Security numbers.
To help recognize and thwart online phishing, the National Consumers League (NCL) recently paired up with the National Cyber Security Alliance to release news tips and advice on how to keep computers safe from phishing attacks. Published online at www.staysafeonline.org, the tips include such advice as:
- Don’t click on links within e-mails that ask for your personal information. Fraudsters use these links to lure people to phony Web sites that look just like the real sites of the company, organization or agency they’re impersonating.
- Never enter your personal information in a pop-up screen. Sometimes a phisher will direct you to a real company’s, organization’s or agency’s Web site, but then an unauthorized pop-up screen created by the scammer will appear with blanks in which to provide your personal information.
- Watch out for “phishy” e-mails. The most common form of phishing is e-mail pretending to be from a legitimate retailer, bank, organization or government agency.
- Beware of “pharming.” In this latest version of online ID theft, a virus or malicious program is secretly planted in your computer and hijacks your Web browser. When you type in the address of a legitimate Web site, you’re taken to a fake copy of the site without realizing it.
- Protect your computer with spam filters, anti-virus and anti-spyware software, and a firewall, and keep them up to date. A spam filter, for example, can help reduce the number of phishing e-mails you get, while firewalls prevent hackers and unauthorized communications from entering your computer.
Along with the new phishing tips, NCL offers information about other forms of online and telemarketing scams on its Web site at www.fraud.org.