One effective way to disable USB ports is to fill them with epoxy glue—although this ruins the port. New ports can be purchased and added in the future unless the machine is a laptop.

Or, your qualified IT professional may be able to disable the USB ports in the system BIOS of the computer and then set a password for the BIOS so the user cannot re-enable the ports.

Using Windows, it is fairly simple in Group Policy Objects (GPO) to disable the “autoplay / autorun” feature. If you want to stop the USB from working completely, your qualified IT professional will use GPO settings to disable USB devices already installed and prevent users from installing more. For more information your qualified IT professional can visit  http://support.microsoft.com/kb/823732

Also, many anti-virus suites and even VPN clients offer some form of endpoint security that include the ability to lock down your USB ports. Your anti-virus or VPN solution may have that capability.

There are also third party tools that allow you to control USB devices such as Device Lock or ScriptLogic Desktop Authority.

Another method is using shared published desktops, application virtualization and streaming, or virtual desktops to deploy applications and then users cannot access the drives while using the applications you provide. Combined with GPO’s, your qualified IT professional can really lock users down.

Then, to allow users to use USB and reduce the chances of a lasting infection, and especially for public access terminals, these tools can reset the computer back to “square one” every time it is rebooted: Microsoft Steady State can be difficult to set up but it is free. There is also Returnil, which is free for some users, and Faronics Deep Freeze.

Please post your comments on this blog.

This is a concern for identity theft and also a source for other private information falling into the wrong hands. Organizations that fall under HIPAA compliance, Gramm-Leach-Bliley Act, PCI-DSS, and other regulations are sometimes more sure of the risk.

Earlier this month while I was performing an audit on a client’s network, he explained that he refuses to allow his staff to “outsource” making copies even to their CPA firm. He does this in order to “isolate” the area he needs to protect. He has a strict policy that documents can only be copied using copy machines in their office.

One of my readers is in contact with an organization that processes used copiers and they make sure to erase the hard drives before the copiers go to new owners.

If any of you are specifically seeking a copy machine security specialist, the CBS video interviews John Juntunen and it appears his web site is www.copiersecurity.com. The phone number on the web site is 530-672-9300 if you want to explore his services. The web site shows they offer a service that will remove your copier’s hard drive, destroy the drive, and replace the destroyed drive with a new drive formatted for use with that copier. They also offer anti-tampering kits to help you monitor your copiers to at least know if someone has accessed the data on the hard drives.

One point he made in the interview is how many companies do not seem to care about security until they have a breach—and then it is too late. I’ve felt the same frustration in the past. Security, be it in your computers, servers, or copy machines, is an important issue!

Please post any of your experiences or additional ideas about copy machine security here on this blog.

We rushed home and drove all night long after being told that his chance of survival was small. Thankfully, he will make a full recovery. That’s after pharmacy personnel defibrillated him, started CPR, rushed him to the ER and then the OR where they cracked open his chest and performed a triple bypass.

You know what? He is the right weight for his 6’1” height. He quit smoking years ago, and cut back on drinking. He exercises and is strong as a horse. He eats well. And his doctor told him it was heartburn.

I bet after surviving this event he gives up red meat and drinking all together and doubles his exercise routine. I see the same things with CEO’s, Presidents, CFO’s, and other executives if their company survives an IT security breach. Sometimes it is too late, and the recovery is no fun.

Why does it take a life changing event to get us to pay attention to do the things we know we should be doing?

For me, PLEASE tell your friends—and the person you see in the mirror two pieces of advice:

1. If you feel chest pain, demand an EKG and don’t leave the doctor until you get one (or call 911—gets you right past the waiting lines at the ER!)
2. If your last IT security audit was more than 12 months ago—it is time for another!

Before it is too late.

Executives at companies who have never experienced a breach are the ones who feel they cannot enforce their policies.

After a breach or a lawsuit, I see the executive iron fist slam down and things start happening like:

• Forcing employees to sign an acceptable usage policy that forces them to agree to safe data practices.
• Training for employees on security training.
• Technology protection like web site filtering, data loss prevention, and computers that force users to follow the rules by restricting unauthorized behavior as much as possible.

Isn’t it sad that many companies have to go through the “bad thing happening” before they take action?

First, there was the problem that Twitter’s server had a password set to “password.”   Executives would find news of their own server passwords being so weak as inexcusable!  Then, there was another breach that was caused by several user blunders including using the same password at both gmail and hotmail.

Do any of your users, or you, use the same password at more than one site?  Change them. Get a password manager such as RoboForm or MyPasswordManager. A password manager remembers all your passwords for you – all you need to remember is your password to the password manager. Not perfect security, but a whole lot more secure than using the same password at more than one site! Protect yourself.

The virus goes by the name of Conficker and it is also known as Downadup (and also Downup and Kido).  My advice remains the same as always: be concerned about a really bad virus every single day of your life. If you are following IT security best practices, then there is nothing more to do in preparation for April 1.

Still, I was amazed during the Y2K bug nine years ago how many executives decided, “ok, let’s go ahead and take appropriate IT steps since there is a deadline.” If your organization has been postponing some of the simple IT security basics, maybe Conficker’s “bright side” is that you’ll do what needs to be done.

Click here to view the embedded video.

Details of some of the steps to take include:

• Make sure all your critical Microsoft and Apple patches are installed. Organizations should use a centralized patch management tool. For short instructional videos for home users click here for Macintosh: http://www.fosterinstitute.com/blog/update-your-mac.html and here for Windows: http://www.fosterinstitute.com/blog/update-your-pc.html
• Make sure other applications are patched.
  See http://www.fosterinstitute.com/blog/useful-utility.html#more-149
• Make sure your anti-virus program is using the current version of the program, has the latest signature files, and is performing scheduled scans of all your computers. More information here
  http://www.fosterinstitute.com/blog/daily-it-checkup.html#more-23
• Continue your practice of having a good backup at least once a day
• Use excellent firewalls and Web Content Filtering tools http://www.fosterinstitute.com/blog/block-sites.html#more-144
• Have regular IT Audits – See www.KeepMyNetworkSafe.com and http://www.fosterinstitute.com/blog/easy-it-audit.html#more-96 for more information
• Educate your users so they help protect your organization’s reputation http://www.fosterinstitute.com/blog/easy-it-audit.html#more-96

Even if the economy is having a negative effect on your business, protecting yourself is very economical. The expensive part is suffering the monetary loss from downtime, lawsuits, and loss of your company’s reputation.

Protect yourself today – and every day!

You trust your employees to access the organization’s data, and along with that access comes the ability for them to harm your organization. Other companies have experienced problems such as:

• The employee copying client information to take with them when they go
• The employee deleting or damaging any company data
• The employee covering their tracks of any wrong-doing by editing audit logs
• The employee sending out damaging information from the company e-mail address
• The employee accessing the computer network remotely in the future from home
• The employee accessing confidential data to release publicly, sell, or even use for extortion to seek revenge on the company
• The employee knowing someone else’s password and logging in under their account to perform any of these tasks
• Damaging any of the services such as the company web site, e-mail system, or any other services they have access to
• Physically damaging company property such as laptops and PDA devices

What can you do to protect this?

Before someone finds out they are going to have their future freed up to go work somewhere else, and after checking with the organization’s legal advisor, organizations ask the IT department perform tasks such as:

• Suspending the employees network and application privileges
• Suspend all accounts the user could use to remotely access the network through a home computer, VPN, GoToMyPC, LogMeIn, Web Access, Remote Desktop, or any other way
• Suspend all e-mail to and from the user’s account
• If there is the slightest chance the employee may know other user passwords, reset those passwords as well. You will be thankful if you are already using two-factor authentication such as key fobs or fingerprint readers to reduce the chances of unauthorized access
• Disable the employees corporate accounts for their mobile phone and PDA devices
• Reset their password on the corporate voice mail system
• There are tools your IT department can install that allows for the remote destruction of all the data on the employee’s computer, laptop, mobile devices etc so they are wiped clean of any corporate information
• Ask the employee to hand over any USB memory sticks or other storage devices they use in their work that might contain company information
• Check with your legal advisor first, and if they support you, ask the employee to divulge any passwords they have used on any systems or to lock any files
• Notify all help desk professionals that if the user calls to get their password reset, to deny the request. Even if some of the application support comes from outside vendors – notify them too
• Have IT be extra-vigilant for intrusion attempts – and in this day and age let’s hope they are very vigilant already since there are so many unsolicited intrusion attempts already
• You may choose to disconnect their computer from the network by removing the Ethernet cable or wireless card if you suspect there may be any data that might need to be used in an investigation of any kind
• After the investigation is complete, the IT department will want to totally reformat the user’s computer and install a fresh copy of the operating system and applications
• Depending on what your legal advisor says, it is best to bar the employee from the premises or at least have them escorted by a trusted person at all times so they don’t attempt to access or damage anything related to IT

These tasks are in addition to the other steps your HR department takes such as taking back the corporate credit cards and keys to the office, handling the legal issues of termination, etc. It could be that one of the first clues your employee has that they are going to be an ex-employee is that all their electronic access stops working.

Moreover, if the person you are terminating is a member of your IT department, the process gets very complicated since they have administrative access to so many areas.

There are all kinds of dangerous scenarios to consider, and the best defense is to have your network security in great shape all the time with the appropriate checks and balances including audit logs that even the IT department cannot delete or alter.  The fact is that there are many steps to put into place all the time with IT security or even the above steps will be rendered ineffective.

Other people say once you use full-disk encryption, it becomes almost impossible for the end user to use the computer. That was true at one point, but today, if I want to lock my laptop, all I have to do is use the Windows L key combination and the computer locks, or I can just set the computer to lock automatically if I walk away for very long. Then whenever I want to get back in, I can take any one of my 10 fingers and swipe it across the fingerprint reader that is on the front of the laptop. Now I’m ready to go again and can access all the data on the system.

People also tell me that encryption is slow. It’s not. I use my laptop to run large and involved programs all the time, so I need speed. And I have overkill encryption on my machine just to prove to audiences how fast it is. I have my data locked or encrypted three different ways, and it only needs to be encrypted once. This is to demonstrate the speed.

So in a nutshell, full-disk encryption security is inexpensive, it’s easy for the user, it’s very important to have, and it’s easy for your IT administrators, too. So it’s time to be secure, and full-disk encryption is a great start to having some peace of mind.

What are your thoughts on this topic?