Firewalls are still important—be sure to keep them!

Most of you know that https:// sites use encryption to protect your information from snoopers during transmission.

What will happen when one or more of your users receive an “urgent” e-mail that does its best to compel them to click on an https:// link inside the e-mail? Maybe most of your users would recognize the danger; however it only takes one user to click.

When the user clicks on the link, malicious code could be installed on the user’s machine and, consequently, possibly reach your servers and entire network.

Normal perimeter defenses, such as basic firewalls, cannot read the encrypted traffic to watch for that malicious code.

You could configure a firewall to disallow all https:// encrypted traffic; however, no one in your organization could easily access https:// web sites, such as banking sites.

Some people would argue that the best firewalls these days are firewalls that can examine even encrypted data—sometimes known as proxy or application firewalls or Layer 7 (no, that is not a brand name) firewalls.

Keep your firewalls, but don’t count on them too much.

Please post your comments on this blog.

One effective way to disable USB ports is to fill them with epoxy glue—although this ruins the port. New ports can be purchased and added in the future unless the machine is a laptop.

Or, your qualified IT professional may be able to disable the USB ports in the system BIOS of the computer and then set a password for the BIOS so the user cannot re-enable the ports.

Using Windows, it is fairly simple in Group Policy Objects (GPO) to disable the “autoplay / autorun” feature. If you want to stop the USB from working completely, your qualified IT professional will use GPO settings to disable USB devices already installed and prevent users from installing more. For more information your qualified IT professional can visit  http://support.microsoft.com/kb/823732

Also, many anti-virus suites and even VPN clients offer some form of endpoint security that include the ability to lock down your USB ports. Your anti-virus or VPN solution may have that capability.

There are also third party tools that allow you to control USB devices such as Device Lock or ScriptLogic Desktop Authority.

Another method is using shared published desktops, application virtualization and streaming, or virtual desktops to deploy applications and then users cannot access the drives while using the applications you provide. Combined with GPO’s, your qualified IT professional can really lock users down.

Then, to allow users to use USB and reduce the chances of a lasting infection, and especially for public access terminals, these tools can reset the computer back to “square one” every time it is rebooted: Microsoft Steady State can be difficult to set up but it is free. There is also Returnil, which is free for some users, and Faronics Deep Freeze.

Please post your comments on this blog.

This company, like many, had separate networks for e-commerce and for administration. The IT professional had been telling his CEO that the organization was “compliant” based on the security of the office administration network—not the IT systems that actually process, store, and transmit credit card information.  He pretended to be shocked that he needed to secure the computers and network that actually handle the credit card data.

As IT professionals, it is important to know what we are talking about when we answer a CEO’s question. Especially if a wrong answer could lead to the CEO facing fines, lawsuits, and even the failure of a business. If we don’t know, the proper response is, “I do not know but I will find out.”

As a C-level executive, business owner, and as a manager, it is important to understand that, unfortunately, some IT professionals will tell you that you are compliant with specific regulations when they really don’t know.

I want to extend my gratitude to the IT professionals who do act responsibly!

Please post your comments on this blog.

I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him to apply patches to his network and his response was, “I do not need to patch the operating system or applications—I have anti-virus and that protects the network from all security risks.”

At first, I thought he was joking with me. He wasn’t! I asked, “What if a user writes the password on a sticky note and the cleaning crew logs in as them to access secure files—does anti-virus prevent that?” The IT pro said yes he was protected.  Several of his “IT advisors” told him anti-virus was all he needed.

I attempted to get through to him for almost 10 minutes with other examples, sent him links to articles on news sites showing reality, and he kept going back to “his trusted advisors told him not to worry about it.” I asked who the “trusted advisors” were and he didn’t want to divulge their identities but assured me “they are really smart.” I even offered to have a conference call with the IT professional and his advisors, but he felt that wasn’t necessary.

This poor IT professional totally believes his reality. He probably will until something bad happens—and at what expense?

I experience this to varying degrees fairly often with “IT professionals,” and frankly I find it unsettling because executives trust their IT professionals with the safety of their business. Executives need to trust their IT professionals.

Executives please make sure your IT department’s advisors are trustworthy as well!

Executives at companies who have never experienced a breach are the ones who feel they cannot enforce their policies.

After a breach or a lawsuit, I see the executive iron fist slam down and things start happening like:

• Forcing employees to sign an acceptable usage policy that forces them to agree to safe data practices.
• Training for employees on security training.
• Technology protection like web site filtering, data loss prevention, and computers that force users to follow the rules by restricting unauthorized behavior as much as possible.

Isn’t it sad that many companies have to go through the “bad thing happening” before they take action?

The IT professionals can use tools like anti-virus, firewalls, application and OS patches, etc. Many IT professionals are not using the tools as effectively as they could, and frequently aren’t using them at all on one or more computers. None of the tools are “set and forget”—all of them have to be monitored.

I feel the executive’s real challenge is, “I don’t know how to help my IT professional fight viruses.”

Responsible executives:

• Provide enough uninterrupted time for the IT professionals so the IT professionals can get their work done.
• Allow ongoing training for the IT professionals to keep up with ever changing technology.
• Hold the IT department accountable for fixing issues discovered during an audit.
• Provide managerial support for policies that support security—such as forcing computer screen savers to lock after a period of inactivity.

If you make your passphrase something like “remember to finish the security project by next month,” you can write it down on a piece of paper and stick it on your monitor. If someone sees that stuck to your monitor, they will think it is just a reminder note (which it is). Another example of a passphrase that would be hard to break is “take the family to go snow skiing in Colorado at night.” That password is much more secure than “@ppl3E5.”

Of course, if you save a file on your hard drive with all your passwords, nothing can help you if a criminal, or even a worker in your own office, finds the file.

Think about it, look in the news at the latest breaches, and make sure to get secure ASAP!

The top executives often get special treatment on the network. Maybe they asked for it, or maybe the IT professional gave it to them “just because.” Some of the biggest offenses I witness repeatedly when auditing companies include:

1. Domain administrative access. In other words, some executives are essentially unrestricted on networks “because they are the boss.” That unfettered access means the executive can easily destroy the entire network. For example, if a virus enters through an e-mail sent to the executive, and your anti-virus system does not catch the virus, the virus will now have unrestricted access to your network. Restrict the executives to the least access privileges they need to do their jobs.
2. Poor password management – such as the same password they use for everything and it is written on a yellow sticky note stuck to their monitor. Consider using password management.
3. Executives sometimes demand exceptions. They want to be able to install software on their own, access any web site they want to, use their office computers for personal activities, and fall for some of the oldest phishing tricks in the book. The executives can be examples by following the safety rules too. Just make sure the rules still allow your employees to be productive!
4. Fixing their own computers, or letting their “brother in law” work on the network. Rely on your own qualified IT professionals please!
5. Bad habits while traveling including connecting to the nearest WiFi network, losing important data, and bringing infections back to the office. Ensure everyone uses secure remote connections and practices.
6. Plug in anything and everything USB into the office computer causing an infection or data loss. Check with your IT department before using any USB device.
7. Sending private information via e-mail or storing it on removable media. Email is like a postcard, not a letter – anyone along the way can potentially read what you send – even the attachments. If someone steals your USB memory stick, they own the data unless you are using robust encryption.

With a little care, the executives can set the excellent example of how to protect your company!

This article from the Washington Post has more details: http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html

The reason criminals keep using the same old tricks is that the tricks work. Warn your fellow executives and other workers about the importance of never opening attachments you were not expecting even if they appear to come from a trusted source. When in doubt, contact the sender to see if they really did send you an attachment.

Your IT department can help you scan the attachment for viruses, and some of you have services that scan all of your attachments. Just remember that the scanning may not catch the virus. Some viruses have new code every four hours so the anti-virus programs cannot keep up with the changes.

Practice many levels of protection and be wary!