Will viruses and other malware contribute to injuries and deaths? Imagine diagnostic imaging machines, like X-rays and CAT Scanners, exposing patients to too much radiation due to a virus. Traffic lights not functioning properly, especially on a highway with high speed limits, could lead to a horrible crash.  Emergency services may already be delayed in their response due to computer malfunctions. The airline industry has plenty to worry about. What if trains fail to stop and crash into another train or the end of the line?

Apparently the Spanair diagnostic computer does not connect to the Internet so the infection likely came from an infected USB device, CD-ROM, or some other form of removable media.

Just last month, control systems manufacturer Siemens, who manufactures control systems, warned that malware called Stuxnet is spreading through infected USB devices to penetrate industrial control systems. I wonder if there are any control systems at nuclear power plants infected yet.

More and more regulations and laws are forcing organizations to wake up to the fact that IT security is very important.

Business executives and IT professionals alike must realize:Viruses and other malware do not necessarily make themselves obvious for the simple reason that, if you know a computer is infected, you are likely to have a qualified IT professional fix the problem.

• Anti-virus programs do not always catch all viruses
• Firewalls are not perfect either
• End users can, accidentally or on purpose, bypass some of the best security you set up

How many more people will need to die, how much more money will be lost, before people become aware of the importance of IT security?

Please post your comments on this blog.

A strategy that keeps gaining ground is the concept of “white listing” applications. In plain English, this means your computers have a list of programs that are on the “approved” list to run, such as Word, Firefox, Acrobat, Excel, etc.

Then, any other program cannot run. Period. That means virus 1, virus 2, virus 999, etc. is not allowed to run. This solves the whole problem of needing anti-virus. In theory, even if a virus does come into your network through e-mail, web site drive by download, or Ernie in shipping carrying in an infected memory stick, it doesn’t matter. The virus cannot run anyway!

The challenge lies in your IT department being able to keep an organized white list of “approved” programs. When an update to a program arrives, the new update has to be listed too or it will not run.

Many providers are offering solutions including Bit9 Parity and Lumension Application Control and there are constant advancements in making administration even easier.

Yes, some day anti-virus may be old news and never used again.

The primary reason we perform vulnerability assessments as parts of security assessments is to generate an inventory of all the computers currently alive on the network and a list of vulnerabilities those computers have.

The challenge is that the human brain loves a “list of what’s wrong.”  Most of the IT professionals at organizations go immediately to work solving the identified problems thereby “killing alligators.”

We always implore executives and IT professionals alike to focus on “draining the swamp” in addition to, and sometimes instead of, “killing alligators.”

In our ongoing effort to help IT professionals and organizations focus on strategic, as well as tactical, plans to take IT to the next level, I sometimes feel like a dentist who hands out new toothbrushes as well as a gift certificate to the local candy store in the same visit.

Vulnerability assessments are wonderful—just remember to focus on the one or two strategic changes that can fix one hundred or more tactical issues.

This article from the Washington Post has more details: http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html

The reason criminals keep using the same old tricks is that the tricks work. Warn your fellow executives and other workers about the importance of never opening attachments you were not expecting even if they appear to come from a trusted source. When in doubt, contact the sender to see if they really did send you an attachment.

Your IT department can help you scan the attachment for viruses, and some of you have services that scan all of your attachments. Just remember that the scanning may not catch the virus. Some viruses have new code every four hours so the anti-virus programs cannot keep up with the changes.

Practice many levels of protection and be wary!

While that strategy may help some, it is far from being a reliable way to protect your network. First of all, without performing some technical detective work, it is hard for a non-IT professional to tell who the e-mail came from anyway. You may get an e-mail from a cybercriminal who uses “spoofing” to make the e-mail message appear that it is coming from your best friend, bank, the FTC, or anyone else.

Better protection comes from scanning tools running at one or more locations including your e-mail server, your firewall, your spam filter, and the anti-virus client on your local machine.

Training users “not to open e-mail from strangers” is a moot point if your user is supposed to open e-mail messages from prospects interested in your company’s products and/or services.  There is some training that matters though…

Train your users to NEVER click on a link in an e-mail message. The link may say to the user, “click here to read an important announcement about your future employment at this company” and the link underneath may take the user to, “hose the network now dot com.”

Also train the users to never send out any private information in an e-mail message or attachment. The message can be misaddressed, intercepted or forwarded to the wrong person. If something is private, it needs to be encrypted using an effective encryption method. In another blog entry I addressed data loss prevention tools that can even help identify these messages and stop them before they leave your organization.

If your executives or other users use the strategy of “not opening mail from someone they don’t know,” that is a red flag alerting you to a problem you can resolve ASAP.

The virus goes by the name of Conficker and it is also known as Downadup (and also Downup and Kido).  My advice remains the same as always: be concerned about a really bad virus every single day of your life. If you are following IT security best practices, then there is nothing more to do in preparation for April 1.

Still, I was amazed during the Y2K bug nine years ago how many executives decided, “ok, let’s go ahead and take appropriate IT steps since there is a deadline.” If your organization has been postponing some of the simple IT security basics, maybe Conficker’s “bright side” is that you’ll do what needs to be done.

Click here to view the embedded video.

Details of some of the steps to take include:

• Make sure all your critical Microsoft and Apple patches are installed. Organizations should use a centralized patch management tool. For short instructional videos for home users click here for Macintosh: http://www.fosterinstitute.com/blog/update-your-mac.html and here for Windows: http://www.fosterinstitute.com/blog/update-your-pc.html
• Make sure other applications are patched.
  See http://www.fosterinstitute.com/blog/useful-utility.html#more-149
• Make sure your anti-virus program is using the current version of the program, has the latest signature files, and is performing scheduled scans of all your computers. More information here
  http://www.fosterinstitute.com/blog/daily-it-checkup.html#more-23
• Continue your practice of having a good backup at least once a day
• Use excellent firewalls and Web Content Filtering tools http://www.fosterinstitute.com/blog/block-sites.html#more-144
• Have regular IT Audits – See www.KeepMyNetworkSafe.com and http://www.fosterinstitute.com/blog/easy-it-audit.html#more-96 for more information
• Educate your users so they help protect your organization’s reputation http://www.fosterinstitute.com/blog/easy-it-audit.html#more-96

Even if the economy is having a negative effect on your business, protecting yourself is very economical. The expensive part is suffering the monetary loss from downtime, lawsuits, and loss of your company’s reputation.

Protect yourself today – and every day!

If you have never tried the scans at www.secunia.com you may want to. There is a simple online version of the scan and also more in depth scans you can purchase. One of the most useful parts of the program is that it shows you where to find patches and updates that your system needs to be fully functional.

When Secunia scans your computer, it will look at many applications other than Microsoft. If any of your applications are out of date, it will show you how to fix your system.

The tool helped me track down problems on a new laptop I was building recently. In addition to helping me find patches for applications, it helped me identify that I had multiple copies of tools installed. The multiple copies were causing other problems on my new machine including the dreaded blue screen of death.

Really the only concern is that a cybercriminal could redirect you to put the wrong patches on your system potentially causing an infection. If you trust the professionals at Secunia, they can help you avoid being redirected to the “wrong” site for your patches.  I found the tool so useful I want you to know about it as well to see if you like it too.

As always, check with your IT professionals to get their approval, and maybe even assistance, and you may find Secunia fixes some bugs you always wondered how to resolve.  At the very least, it can potentially make your system more secure.

Any IT professional who has worked with IT security knows the importance of ongoing diligence to keep the network secure. That is why they come to their bosses and managers requesting budget items including centrally managed operating system patches, Internet filtering tools to block malicious code, updated firewalls, robust anti-virus solutions, and other proactive defensive devices. Many executives empower their IT professionals to put these items in place right away. Organizations, after they have suffered a loss, lament about what they “would have, could have, and/or should have” done. Reasons vary greatly.

Budgetary: Some IT professionals explain that they did not even ask their manager to allow them to install a robust firewall since the IT professional felt their manager would refuse the relatively small investment. Some good news is that most security solutions are relatively inexpensive these days – certainly less expensive than a successful attack.

Political: Often, IT professionals do not want to be seen as “the bad guys” restricting users from downloading tools like LimeWire and using instant messenger. This is especially true when IT is outsourced to an IT services company. The outside company wants the users to remain happy so they “keep their job.” This is also true with in-house IT professionals who want to keep their executives and managers happy. I encourage IT professionals to have the courage to speak up, in a kind and gentle way, about how important security is to an organization.

Technology knowledge: Just as you would not go to a brain surgeon to operate on your knee, not all IT professionals are proficient in every area of IT. Be sure your IT professional gets enough IT security training or outsource to someone who can help him or her with the security. The same holds true if your IT professionals will be upgrading you to the latest mail server program. Be sure they are qualified and support them being able to say, “I do not know how to do this and it will cost the company more for me to take time to learn than to outsource this to a local company who will perform the installation for us.” IT is important that your IT professional know they will not lose their job if they know where they are proficient, and where they are not. Could you imagine a hospital firing a cardiologist because the cardiologist refused to deliver babies on weekends too?

Whatever the reason, if you have been putting off your IT security, now is a great time to batten down the hatches.

That’s why you need to secure your the individual workstations as well as the network. And whether you have three computers or 300, you need to have everyone on a domain model, not workgroup model, with a dedicated server. That will give you a central management point so you can take care of all the machines automatically.

Also realize that your company’s computer network is only as strong as its weakest link. Often I hear in companies that the CEO won’t let anyone from IT touch his or her computer. But if all the other computers in the network are up to date except the CEO’s, your company is still vulnerable. So you have to make sure everyone’s computer, even the CEO’s, is protected.

This is why it is so critical that you understand the importance of securing your network as well as individual workstations, and visa versa. When your IT professional says they want to make your computer safe, let them — that’s what they get paid to do!

What are your thoughts on this topic?