Sunday, January 3, 2010

"I just bought a Mac, so I don't need to worry about viruses!"

Ok, slow down just a bit there sparky!

I overheard a conversation at a local electronics superstore recently where a store "expert" told a potential customer that by purchasing a Mac they would not have to worry about viruses ever again. "Can I get that in writing please?"

Just today, while assisting a neighbor with their wireless network and printer setup, the question was asked: "Are Macs immune to viruses?"

The truth is, Macs are susceptible to viruses. They can also, and perhaps more importantly, be compromised by trojan horses or other malicious code. That being said, it can be argued, and rightly so, that Macs are LESS often the target of viruses. The reason is simply that those who write viruses, worms, trojans and the like know that there are many more PCs running Microsoft operating systems than all of the other operating systems combined. If you want your code to be successful you target the masses.

The best bet is to follow safe computing practices no matter what OS you choose to use. There are articles here on my blog that discuss secure computing, and one specifically about viruses here. There are also many others out there for you to read. If you would like to install an anti-virus package on your new Mac there are plenty to choose from (which suddenly makes me think, why would anyone write anti-virus software for an OS that was immune?). McAfee, Kaspersky, Symantec, Avast and others all sell anti-virus packages for Macs. Or you could save a few bucks and go with a free tool such as ClamXav or iAntiVirus. I have not used either of these utilities on a Mac, but I have used ClamXav both with a desktop Linux OS and with a content filtering system I use in my home to block harmful material from my young daughter.

One parting note I would like to throw in for good measure. If you are fed up with Microsoft, due to a virus experience or any of the many other reasons one could find, and want to try something new, then before you jump head first into a Mac you might want to at least give a Linux distribution a try. Ubuntu would be a good place to start. As with the Mac, Linux is less often targeted by malicious software, there are tons of free software and utilities to choose from, and most likely it will run on the same PC you are running your Windows OS on today. Oh, and did I mention, Linux is free.

Whichever path you choose, good luck and be safe out there.


Wednesday, December 16, 2009

Windows 7, Should I upgrade?

I was asked this question a day or two ago by a co-worker and the discussion that followed made for what I felt was a worthwhile post.

Ultimately only you can or should make the decision on whether or not to upgrade. You should however do a little research to determine if the upgrade is beneficial to you. Also, be sure you understand the requirements of any upgrade prior to spending your hard earned money.

A few questions you may want to ask yourself:

1) Does my current Operating System provide me with the services I need? If so, regardless of the OS you are running, why upgrade? The cost is substantially higher than most software you will buy and beyond that fancy new splash screen or special effects, what do you really gain?

2) Is my current OS still supported? Vista will be supported for many years to come; Windows XP, on the other hand, is often described as having reached end of life. However, be sure you fully understand Microsoft's product support before upgrading on this premise alone. What most people do not realize is that Windows XP left mainstream support and entered what Microsoft calls "Extended" support on April 14th of this year. It will remain a supported product until April 08, 2014. What does this mean to you? That not much really changes. Extended support means that Microsoft will continue releasing security fixes, but non-security fixes are only offered to companies willing to pay for the development of such fixes. In other words, if it works today it will work tomorrow, but over time some software may become incompatible with your Windows version.

3) Are there upgrades to software that I do use that are not supported by my current OS? If so, then it may be time to upgrade. While most software companies design for backward compatibility with the most recent OS releases, there may be features in a new OS that prevent this backward compatibility.

4) Will my hardware support the new OS, and is it compatible? This can be a huge factor in two ways. First, if your hardware is not supported or lacks the horsepower to properly run the new OS then you are faced with spending a couple hundred dollars on the software, only to have to go buy hardware upgrades, or perhaps even a new PC. Second, if your hardware just will not cope with the new OS then you will probably come out cheaper buying a new PC that comes pre-loaded with the newer OS. This is usually cheaper than buying the OS and then upgrading hardware. Just be sure to plan a means of transferring your existing documents and other data to the new PC.

If you do decide to upgrade then good luck to you and please post a comment on your decision and what factors helped you make your choice.


Sunday, December 13, 2009

Fundamentals of a security plan for small business.

ChoicePoint, Bank of America, LexisNexis, RBS WorldPay and other large corporations have reported data breaches of their information systems. These companies all had elaborate information security measures in place, and budgets for developing and maintaining these systems that would likely exceed the total revenue of some small businesses. So how can you, a small business owner with a limited budget, protect your IT investments, prevent loss of productivity or, worse yet, avoid the negative image of having been the victim of a security incident? Well, it's really not all that hard and, better yet, many times you can do a really good job on a tight budget.

Regardless of your business model, if you have even a single laptop that is used to support your business then you could be a victim of a cyber threat. Many times small business owners fail to realize just how vulnerable they are until they have a problem. This article will outline many of the more common threats and offer advice on how to avoid problems. However, I would advise any small business owner to seek out a qualified professional to assist you with the development of an information security program. An Information Security specialist will be able to discuss options with you and should be able to help you better understand various threats and how they could impact you.

That being said, let’s get started.

Malware (Malicious Software)

Malware is a fancy word for any code written with the intention of performing malicious actions. The term virus has become synonymous with pretty much any malicious code, but not all software threats are viruses. Viruses, along with the self-replicating variety known as a worm, are very common and can be painful to deal with once your computer is infected. Typically a virus injects itself into existing documents or program files and spreads when those files are passed to other computers. Worms, on the other hand, spread on their own; they do things like forwarding themselves via email to everyone in your address book, most times without your knowledge. How happy will your client be when they receive an email from you that contains a virus or worm that brings their network down? The good news is that standard Anti-Virus applications will deal with the problem. For some common sense advice on preventing viruses read my previous article found here.

Beyond the common virus, things get a bit more complicated. Trojan Horses get their name from Homer's Iliad. Just as the Greeks got past the Trojans' defenses hidden inside a large wooden horse, today's Trojan Horses disguise themselves as something desirable while masking something more sinister. A few years ago there was a Trojan Horse hidden in a video of the Saddam Hussein hanging. Unsuspecting viewers watched the video without knowing it contained a keylogger that later captured keystrokes used to log into email accounts, perform banking transactions and enter other sensitive information, all of which was then sent to the bad guys. Some Trojan Horses create backdoors into your computer; others turn your computer into a zombie that is then used to attack other computers. The best practice for preventing these attacks is to stop users from installing software on their computers. Establish a list of "approved" applications for each PC and use policies and user rights (ordinary user accounts for day-to-day work, not administrator accounts) to prevent the downloading and installation of additional software. Most Anti-Virus programs will also detect and remove known Trojan Horses.

Spyware is a generic term for keyloggers and other applications that gather information about your computer habits and report it to a third party. These applications can do anything from reporting your internet surfing habits to capturing personal and sensitive information. Spyware is many times the payload of a Trojan Horse; affected users usually find out they have a problem after it is too late. There is also the more benign code known as Adware. Adware is most often seen in the form of popups or new browser pages that appear without your request, advertising some service or product. They are annoying and affect productivity but usually do no direct harm. Notice I said usually; there are exceptions.

Social Engineering

Social engineering can take many forms. The most common, and the one you have probably heard about recently, is known as phishing. Typically phishing comes as an email but can sometimes be a website or popup while browsing the web. Phishing attacks will most often try to convince you to provide sensitive information to what you believe is a legitimate website or individual. You may be told that you must update your log in information or provide some other updates to your account. The email or website will even be kind enough to provide you with a link to make it easier for you. The problem is this link is not legitimate. Even though the site the link takes you to may look exactly like the website of your bank, credit card company or credit union, it is really a fake, and now a bad guy has your user id and password for your bank account. Always contact your bank to verify any email or website asking you to update your account information, using a phone number or address you already know rather than one taken from the message, to be sure it is legit. And if you EVER follow a link and enter your information during a momentary loss of sanity, CALL YOUR BANK IMMEDIATELY and let them know.

Other forms of social engineering come as phone calls, surveys, cold sales calls and so on. You have to realize that many times a social engineering attack takes the form of many small steps, and you may be the target of only a small piece of the complete attack. These steps could be used to gain insight into your business, identify your clients, or even obtain trade secrets or proprietary information. In some cases social engineering has even been used to convince you that you need the product a company is offering to combat the very problem the social engineering attack created.

The best countermeasure for social engineering attacks is to be educated and to educate your employees. Be sure to include guidelines in your security policies or procedures that limit the opportunity for these attacks to be carried out, such as restricting employees from participating in surveys, defining procedures for resetting passwords used to access data, or limiting what information can be sent via email.

Protect against "Crackers"

"Crackers" is the correct term for individuals that attempt to gain unauthorized access to your systems or data. Hackers have been incorrectly labeled as the bad guys for years, mainly thanks to Hollywood, but I digress. Attacks by individuals can come in many forms, really many more than can be addressed here, so I will focus on the more obvious attacks and methods for dealing with them.

Password attacks are at the top of the list. There are programs freely available on the internet that launch password attacks against a website, router or server. Dictionary attacks use a file containing thousands, or millions, of words and try each one as the password. Brute force attacks try every possible combination of characters, millions upon millions of them, to force their way into a system. The best protection against these attacks is a password policy that requires passwords be changed frequently, at least every 90 days, I prefer 60 or less. Also require users to use complex passwords. Complex passwords are alpha-numeric strings that include both upper and lowercase letters and special characters. It is not as difficult as it sounds either. You can use words that you use every day but substitute numbers or symbols for certain letters. Let me give you an example. Take the words "Happy hour"; you can turn this into a complex password by changing letters to symbols and numbers, giving a password that is relatively easy to remember: "#aPPy#0ur" or perhaps "H@ppYh0ur". One caveat: password cracking tools apply exactly these letter-for-symbol and capitalization substitutions automatically, so a mangled dictionary word is weaker than it looks, and length does far more than symbols to raise an attacker's cost. Depending on the number of characters allowed, a better choice is what is known as a passphrase. This is just a string of words, preferably unrelated. One example would be: chairscupcakespuppyradio. Whatever makes the password easy to remember yet hard to guess. There are much better methods for authentication, such as tokens, one time passwords and others, but to keep this discussion focused on small and micro businesses I want to keep the solutions simple and low cost.
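To show what a rule-based dictionary attack actually does to the substitution-style passwords above, here is an added Python example written for this page; it is not a tool from the original post. The wordlist, the substitution table and the target passwords are constructed for the example, the hash is plain unsalted SHA-256 standing in for whatever a real system stores, and the mangling is a tiny fraction of the rules shipped with tools such as John the Ripper or hashcat. It recovers both "#aPPy#0ur" and "H@ppYh0ur" from a seven-word list, fails to reach the four-word passphrase when limited to two-word combinations, and reports how many guesses a four-word search would require.

```python
import hashlib
import itertools
from functools import lru_cache

# Constructed toy wordlist; real attacks use lists with millions of entries.
WORDLIST = ["happy", "hour", "puppy", "radio", "chairs", "cupcakes", "summer"]

# Letter-for-symbol swaps of the "H@ppYh0ur" kind. Real rule files are far larger.
LEET = {"a": "@", "o": "0", "h": "#"}


def sha256_hex(password):
    """Unsalted SHA-256, standing in for whatever hash the target system stores."""
    return hashlib.sha256(password.encode()).hexdigest()


@lru_cache(maxsize=None)
def variants(word):
    """Every case/leet variant of one word, as a cracker's rule engine would produce."""
    per_char = []
    for ch in word:
        choices = {ch, ch.upper()}
        if ch in LEET:
            choices.add(LEET[ch])
        per_char.append(sorted(choices))
    return tuple("".join(c) for c in itertools.product(*per_char))


def candidates(wordlist, max_words):
    """Yield mangled single words, then mangled concatenations of up to max_words."""
    for n in range(1, max_words + 1):
        for words in itertools.product(wordlist, repeat=n):
            for parts in itertools.product(*(variants(w) for w in words)):
                yield "".join(parts)


def crack(target_hashes, wordlist, max_words=2):
    """Dictionary attack with mangling rules; returns {hash: plaintext} for each hit."""
    remaining = set(target_hashes)
    found = {}
    for guess in candidates(wordlist, max_words):
        h = sha256_hex(guess)
        if h in remaining:
            found[h] = guess
            remaining.discard(h)
            if not remaining:
                break
    return found


def keyspace(wordlist, n_words):
    """Guesses needed to exhaust every mangled concatenation of n_words list words."""
    per_word = sum(len(variants(w)) for w in wordlist)
    return per_word ** n_words


if __name__ == "__main__":
    targets = ["#aPPy#0ur", "H@ppYh0ur", "chairscupcakespuppyradio"]
    hashes = {sha256_hex(t): t for t in targets}
    hits = crack(hashes, WORDLIST, max_words=2)
    for h, plain in hashes.items():
        print(f"{plain:>26}: {'cracked as ' + hits[h] if h in hits else 'not found'}")
    print("guesses to exhaust two-word space :", keyspace(WORDLIST, 2))
    print("guesses to exhaust four-word space:", keyspace(WORDLIST, 4))
```

Both substitution passwords fall within the first ten thousand guesses, because every trick in them is a rule the cracker already applies. The passphrase is out of reach not because its words are secret (all four are in the list) but because even with this seven-word list the four-word space is over 4×10^11 guesses, and it grows as the fourth power of the dictionary size. Against a real password store the hash would also be salted and deliberately slow, which multiplies the attacker's cost per guess on top of that.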

Denial of Service attacks and exploits are also the result of an attack by an individual. These are attacks that focus on a particular weakness in a system. Their purpose can range from simply denying the owner the services of the affected system to compromising the system in order to use it to attack other systems. Preventing these attacks requires more elaborate countermeasures, I am afraid. It is up to you, the owner, to decide what your threshold for pain is and weigh that against the cost of the countermeasures needed to satisfy your level of tolerance. Firewalls, Intrusion Detection Systems, network monitoring, and log collection and analysis are some of the countermeasures designed to prevent or detect these types of attacks. One cheap and easy method for preventing many of these attacks does exist, however. Patch your systems!! Most modern operating systems provide mechanisms to notify you when updates are available to close a vulnerability that has been identified. Just don't forget about all the additional software installed on your systems. Often these applications, not the operating system, are the source of an open vulnerability.

Physical loss

Physical loss can take many forms. In some cases physical loss is the result of one of the attacks we have covered so far. So you downloaded a virus or were the target of a cracker or other malicious activity, and now you have data loss or the loss of a system that your business depends on to service your clients. What do you do? Well, here is where recovery comes into play. Backups, software repositories and business continuity plans all deal with how to correct a problem when it occurs (notice I did not say if, but when). These mechanisms can be created to fit your business model and your budget. I would recommend that you consult with a professional to help you identify the best course of action to support your business model, because there are so many factors to consider. There are also formulas that can help you identify how much you stand to lose if a specific system is compromised, and this knowledge can help identify a solution that minimizes your risk at a cost that makes sense. In other words, spending $10,000 to protect a $4,000 investment does not make much sense. Just be careful when calculating costs not to forget things like your reputation or any regulatory obligations you may have. These can be a bit tougher to assign a dollar value to.

One common and useful counter measure that all small businesses should deploy is data backups. These can take many forms ranging from traditional media such as magnetic tape or optical devices such as CDs and DVDs to internet based backup services or data replication to a secondary site. The most important factor to consider when looking at a backup strategy is to only backup what is needed in the event of a problem. Typically this would be data that has been created to support your business such as customer data, accounting information, payroll or employee information and don’t forget about proprietary information or intellectual property. I plan to devote a post to various backup and recovery methods in a future post so if this is an area that interests you, stay tuned. It should be completed in a week or so.

Lastly, do not forget about mobile users and devices. Laptops, PDAs and even cell phones nowadays carry a lot of data that could be disastrous if lost or stolen. These devices must be protected and given additional consideration when planning your security plan, because they are many times used in environments that are out of your control or that are not protected by the physical measures you have in place at the office. Password protection should be a minimal requirement to secure these devices; many laptops and other devices have biometrics built in that can be substituted for passwords and even provide a greater measure of authentication for a user. You may also want to consider additional requirements for users who are issued mobile devices, such as additional training on how to protect and secure them. Of course, the best means of protecting mobile devices is encryption of the storage media within them. Once encrypted, if a device is lost or stolen then at the very least your data, or perhaps your customers' data, is safe and unlikely to be compromised, provided the password or key that unlocks the encryption is not kept with the device. There are even free solutions available to provide encryption for many of these devices. You can't get much more cost effective than that.

Finally, even small business owners should create a documented Business Continuity Plan, or BCP, and a Disaster Recovery Plan, or DR plan. These do not need to be huge, complicated documents, especially for small businesses, but should at least provide a documented course of action should a problem occur. I often find that many people think BCP and DR plan are interchangeable terms. This is not the case, and really both are needed for any business. Let me try to explain.

Let's say you are in a car accident, nothing serious, just a normal fender bender. Still, your vehicle has been damaged and may not be legal to drive until it has been repaired. Now, if your damaged car represents your business, then a viable BCP would be to obtain a rental car that gives you a means of getting from place to place while your damaged car is repaired. On the other hand, the DR plan for this scenario would be to identify a repair shop, call a wrecker service to transport your car to the chosen repair shop, work with the insurance company to have your car repaired and then pick up your car once the repair has been completed.

You see, the BCP just defines how you will continue operating your business while you are performing the necessary tasks (the DR plan) to return your business to "normal" operations.

You should also know that, depending on the services your small business provides to your clients and their dependency on those services, your clients may REQUIRE you to have a documented BCP or DR plan. Perhaps they will require both.

In closing

Despite the length of this article, I have really only scratched the surface of many of these topics and there are others that I have not even mentioned. I have jotted down a few notes for some other areas that are just begging for a dedicated article, such as Physical Security, a deeper dive into backup and recovery and others, so those will be coming soon. In the meantime I hope the information here is helpful to you and at least provides you with a basic understanding of core information security concepts. Again, I would advise any small business owner to consult with a professional to assist them in developing a comprehensive security plan. One that protects your investments while doing so within your budget.



Sunday, December 6, 2009

How do secure websites work? Part 2 of 2

Ok, in Part 1 I identified the basic components involved in the SSL process. I will now walk you through how they all come together to protect your private information while on the web.

Any secure website owner should have an SSL certificate issued by a reputable Certificate Authority, and this certificate will have been installed on the web server you are now attempting to establish a secure session with. The certificate provides several functions. When you request a connection to a secure site (one whose address starts with https://) the server sends its digital certificate to your browser to identify itself. This involves the following:

  1. The certificate names the Certificate Authority that issued it. The first thing your browser does is check whether your computer trusts this CA and whether the CA's signature on the certificate is valid. If not, a warning is displayed. You may choose to ignore the error (most do because they do not understand it), you can choose to add the CA to your trusted CA list, or you can cancel the connection and not proceed with your transaction. (One example of how to add a CA to IE 7 can be found here.)
  2. The certificate contains the domain name it was issued for (for example). If that name does not match the site you just connected to, another error will be displayed. Again, most people ignore these because they do not understand what is causing the alarm. This is the root cause of most failures of SSL to protect your information: simple lack of understanding.
  3. Lastly, the certificate carries the server's Public Key. Remember the asymmetric encryption information in part 1? With asymmetric, or public-key, encryption two keys are generated. One, the private key, must be protected and kept secure from any form of distribution. This key remains on the server and is the most important component of providing security in SSL communications. The other, the public key, is distributed to anyone, and any data encrypted with it can ONLY be decrypted by the matching private key of the pair. This confuses many people, so I will explain in more detail how this protects you in a moment. So, if you were connecting to a secure website, you are now at a point where your browser is prepared to establish a secure transmission. At this point none of your data has been sent to the server. You have only prepared the two systems to communicate. What happens next is the part I think is so cool in how it actually works to protect you.

So, you now have the server's public key, you know the server is THE server you wish to communicate with, and you are ready to send data.
As I said, with public-key encryption any data encrypted with the public key (the key sent to your PC) may only be decrypted by the private key (the key that is protected and never leaves the server), but this process is not used to send your private information. Public-key encryption is slow, and it is designed for encrypting small values such as keys rather than a whole conversation's worth of traffic.

Instead, the client computer (your PC) generates a random secret and encrypts it with the public key received from the server. Because ONLY the private key can decrypt this message, once the server has decrypted it only the server and the client have a copy of this one-time, unique secret, and from it both sides derive the symmetric "session key". This is the key used to encrypt data sent back and forth between the server and the client. The session key is only used for the current connection, and once that link is broken the key is destroyed. Symmetric encryption with the session key is fast, uses few computer resources, and because the secret was exchanged using public-key encryption it is virtually impossible for anyone to "hijack" this session and read your data. (An attacker would need the private key to compromise this communication, which is why the private key must NEVER be compromised. Administrators of these secure web servers go to great pains to make sure this is the case. If a private key is suspected to be compromised then the owner must generate a new key pair, have the old certificate revoked and obtain a new SSL certificate from the CA.)

Congratulations, the session between you and the secure website is now established, and all data transmitted between your browser and the server is encrypted. This entire process is usually summarized as the "SSL handshake".

Once you have completed your connection to the secure site, the communication process is "torn down" and the session keys are destroyed by the server and the client. If you go back to this secure site again, the whole process happens all over again with new session keys created for that particular session. The SSL handshake happens much quicker than it sounds and should be completely invisible to you, the consumer. If it is not, then you see those error messages that were mentioned above. So read those error messages, and if you are in doubt contact the owner of the site to determine what is causing them. Sometimes the errors are innocuous and can be safely ignored, but you should understand the error and be comfortable ignoring it, not just ignoring it because you do not understand or because "I get these all the time, probably isn't important."

I hope this helps you understand the SSL process and makes you feel more comfortable with your online experience. It is complicated, but I have tried to simplify the process and make it somewhat easier to understand.

Good luck to you and feel free to post comments or follow up questions. I will try to respond in a timely manner.


Monday, November 30, 2009

How do secure websites work? (Part 1 of 2)

I have been asked this question more times than I can remember. In fact the first time I was asked I did not really understand the process myself and now, even though I do understand the process, it can still be a challenging question to answer. This is because encryption is not without its share of complexities. In some ways it is these complexities that help protect your personal information, credit card data, passwords etc.

I am going to attempt to walk you through the SSL, or Secure Sockets Layer, process over the course of the next two posts, and hopefully once you have read both parts of the series you will understand and feel better about using your sensitive information on the web. If nothing else, maybe you will understand all those "certificate error" messages you have ignored all these years.

So how does SSL protect your information? Well first we need to understand some basic fundamentals regarding encryption and the SSL process. You see like so many things with technology, you have to understand the basics before the big picture can be made clear.

First of all there are two types of encryption used in the SSL process. These two types of encryption perform very specific tasks and each has unique capabilities.

The first of these is known as symmetric encryption. With symmetric encryption the same key is used to encrypt and to decrypt data. It is fast, uses few computer resources and, when used correctly, is very secure.

The second type of encryption is called asymmetric encryption. You may have heard it referred to as public-key encryption. Asymmetric encryption has almost the opposite characteristics of symmetric. It is much slower in comparison, it uses a key pair rather than a single key, and it uses a lot more computer resources to perform the encryption and decryption processes. Now, while there is a lot more to these two forms of encryption, this covers what you need to know for this discussion.

Next there is the SSL certificate. This certificate contains information about the owner of the certificate, such as the owner's name, the domain name it covers, the certificate's permitted usage, its period of validity and the identity of the Certificate Authority that certifies this information. It also contains the owner's public key (the asymmetric half) and the CA's digital signature over all of the above, so that any tampering with the certificate can be detected.

Finally, there is the Certificate Authority, or CA for short. There are many of these providers available, but a couple of the more popular are Verisign and Entrust. The service these companies provide is very important to you, the consumer, and yet it does not cost you a dime. Here is how it works. An entity wants to provide services to you that need the protection of encryption while in transit over the hostile network known as the Internet. So they set up a web server and configure it to use SSL. In doing so, the web server generates a key pair and a CSR, or Certificate Signing Request, which contains the public key; the private key never leaves the server. The company setting up the secure site then contacts a CA and requests an SSL certificate for their web server, providing the CSR along with other information about the company. Then, for a fee, the CA will issue the SSL certificate. Before they do so, they perform validation checks to ensure that the company requesting the certificate is who they claim to be. The CA then signs the certificate with its own private key, which is the CA identification mentioned above. So when you conduct business with this company's web server, if no errors are generated by your web browser, you can be assured that you are sending your sensitive information to the right party.

So there are the basics, not too bad I hope. Next we will put it all together and explain how all of these components contribute to the SSL encryption of your information and, if used properly, grants you the security you need when submitting sensitive information on the web.
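To tie the components from Part 1 to the handshake walked through in Part 2, here is an added worked example in Python, written for this page rather than taken from it or from any browser or web server. It uses textbook RSA on fixed Mersenne primes and an HMAC-based stream cipher as stand-ins for the real algorithms (toy choices, not fit for real use; real keys are random primes of 1024 bits or more with proper padding), and the host names, the CA name and the messages are constructed. It runs the browser's certificate checks (trusted issuer, valid CA signature, matching name), the public-key exchange of a secret, the derivation of the symmetric session key on both sides, and the encrypted records, and shows a certificate from an untrusted CA and a certificate presented by the wrong host both being rejected.

```python
import hashlib
import hmac
import secrets

# Textbook RSA (no padding) on fixed Mersenne primes: a toy stand-in for real keys.
def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))            # (public key, private key)

CA_PUBLIC, CA_PRIVATE = rsa_keypair(2**107 - 1, 2**127 - 1)
SERVER_PUBLIC, SERVER_PRIVATE = rsa_keypair(2**61 - 1, 2**89 - 1)
TRUSTED_CAS = {"Example Root CA": CA_PUBLIC}       # the browser's trust store (constructed)

def cert_digest(subject, issuer, pubkey):
    """Hash of the certificate fields the CA's signature covers."""
    data = f"{subject}|{issuer}|{pubkey[0]}|{pubkey[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_certificate(subject, issuer, pubkey, issuer_private):
    """The CA signs the subject name and its public key with the CA private key."""
    n, d = issuer_private
    sig = pow(cert_digest(subject, issuer, pubkey) % n, d, n)
    return {"subject": subject, "issuer": issuer, "pubkey": pubkey, "signature": sig}

def verify_certificate(cert, hostname, trusted_cas):
    """The browser's checks from Part 2: trusted issuer, valid signature, matching name."""
    ca_pub = trusted_cas.get(cert["issuer"])
    if ca_pub is None:
        return "untrusted issuer"
    n, e = ca_pub
    expected = cert_digest(cert["subject"], cert["issuer"], cert["pubkey"]) % n
    if pow(cert["signature"], e, n) != expected:
        return "bad signature"
    if cert["subject"] != hostname:
        return "name mismatch"
    return "ok"

def client_key_exchange(server_pubkey):
    """Client picks a random secret and encrypts it to the server's public key."""
    n, e = server_pubkey
    pre_master = secrets.randbelow(n)              # real TLS: 48 random bytes, padded
    return pre_master, pow(pre_master, e, n)

def server_key_exchange(server_private, encrypted):
    """Only the holder of the private key can recover the secret."""
    n, d = server_private
    return pow(encrypted, d, n)

def session_key(pre_master):
    """Both sides derive the same symmetric key from the shared secret."""
    return hashlib.sha256(b"session" + pre_master.to_bytes(32, "big")).digest()

def keystream(key, seq, length):
    """HMAC-SHA256 in counter mode; the record sequence number keeps streams distinct."""
    blocks = (hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_record(key, seq, plaintext):
    """Symmetric encryption of one record, then a MAC over it (encrypt-then-MAC)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, seq, len(plaintext))))
    return ct + hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def decrypt_record(key, seq, record):
    """Check the MAC before touching the ciphertext; reject anything modified in transit."""
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()):
        raise ValueError("record tampered with")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, seq, len(ct))))

def handshake(hostname, cert, server_private, trusted_cas=TRUSTED_CAS):
    """Client-side certificate checks and key exchange; returns (client_key, server_key, status)."""
    status = verify_certificate(cert, hostname, trusted_cas)
    if status != "ok":
        return None, None, status
    pre_master, encrypted = client_key_exchange(cert["pubkey"])
    server_secret = server_key_exchange(server_private, encrypted)
    return session_key(pre_master), session_key(server_secret), status

if __name__ == "__main__":
    bank = issue_certificate("bank.example", "Example Root CA", SERVER_PUBLIC, CA_PRIVATE)
    client_key, server_key, status = handshake("bank.example", bank, SERVER_PRIVATE)
    print("handshake:", status, "| keys match:", client_key == server_key)
    record = encrypt_record(client_key, 1, b"account=12345&amount=100")
    print("server read:", decrypt_record(server_key, 1, record))
    evil_pub, evil_priv = rsa_keypair(2**89 - 1, 2**107 - 1)   # a CA the browser does not trust
    forged = issue_certificate("bank.example", "Evil CA", evil_pub, evil_priv)
    print("forged cert:", verify_certificate(forged, "bank.example", TRUSTED_CAS))
    print("wrong host :", verify_certificate(bank, "shop.example", TRUSTED_CAS))
```

The two rejections at the end are the "certificate error" cases from Part 2: a fake site that signed its own certificate with a CA your trust store does not contain, and a genuine certificate shown by a host it was never issued for. Note that the server's private key is used only once per connection, to recover the client's secret; everything after that is symmetric, which is why an attacker who records the traffic learns nothing without that private key.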


Tuesday, November 24, 2009

Anti-virus advice and common sense protection

A few years back, when people would ask me about virus protection for their computers, I would tell them “Don’t open attachments from senders you don’t know and don’t let your kids download tons of shareware and you should be fine. If spending $60 for an anti-virus application makes you feel better then go ahead but you are probably wasting your money."

My thoughts back then were that most viruses were caused by users carelessly opening unsolicited emails, which they were for the most part. Plus, most users would buy anti-virus and not only think they were impervious to attacks, but they rarely, if ever, downloaded updates or new signatures for their anti-virus software.

Times have definitely changed. The attacks have become more sophisticated and luckily so has the software designed to protect the average user. These days viruses are the least of our worries. With phishing scams, backdoor Trojans, worms and malicious code designed to attack via pop-ups the lowly virus hardly gets much press anymore. When it does it is usually a “generic” description for any one of the aforementioned nasties. Luckily, the software companies have done a pretty good job at keeping up with the bad guys and they have even been kind enough to build automatic updates into their software so we can now safely install it and forget it. Still, one should never just assume that the pc they just sat down at to read their email is safe and impenetrable. Today more than ever, a little common sense and following best practices goes a long way to prevent problems down the road. What follows are common sense steps you can take to prevent the loss of your computer or your valuable data.

  1. I used to advise not opening attachments from someone you don't know. These days you cannot rely on that rule alone, because that person you trust may be the victim of a worm that is sending itself out from your friend's PC without their knowledge. Turn off the attachment preview option in your email client, if it has one. Save the attachment to your hard drive and make sure it is scanned by your anti-virus prior to opening it. Some AV software now embeds itself into your email client and scans attachments as they come in. But be warned, this may not work if you are using a web based email service like Hotmail or Yahoo.
  2. If your home internet access is provided by anything other than dial-up, get yourself a security router. Good devices can be found today for well under $100, and while they are nowhere near as advanced as enterprise firewalls they will provide the average user with a wealth of protection. How these devices work is simple yet very effective. Stay tuned to the IT Guardian Angel; I plan to devote a post to these devices alone and how they protect you from the wilds of the internet.
  3. Backup your data. If you do get a virus or other malicious code on your PC, it is possible that the only way to fix the problem is to format your hard drive. That means any files you had are also gone. CDs are cheap, so are DVDs, and a backup once a month is a small price to pay for the comfort of knowing your data is safe. There are also online backup services that keep your data safe in the event of system loss. Carbonite and Mozy are two of the more popular services. (These are for-fee services and I am not affiliated with either of them; I simply offer them as a possible solution for backing up your data.)
  4. Keep your computer up to date. Many times by the time a virus or other attack is running loose on the internet there is already a patch or hotfix available that will prevent your computer from being vulnerable to the attack. An ounce of prevention……….
  5. Be wary of internet file sharing applications such as LimeWire. While there is nothing wrong with using these services, so long as you are not engaged in obtaining illegal copies of software or other digital property, many times the files made available through them contain malicious code. Sometimes accidentally, sometimes intentionally.
  6. Don't believe everything you read or see. It has become commonplace for pop-up ads and emails to warn you that you have a virus in an attempt to lure you to follow a link where you will promptly obtain a virus that you did not have before. Also, never forward emails warning of the latest virus threat; there is a good chance that you may be unknowingly contributing to the problem.
  7. Lastly, get a good anti-virus program. There are many good ones available today and, believe it or not, some of them are absolutely free for personal/home use. Additionally, the most reputable anti-virus providers will many times offer removal tools for known viruses. While they won't protect you, they can help prevent the need to format your system and lose all your data. Regarding free anti-virus programs, my favorites are AVG and Avast! Both companies offer advanced versions with additional features. If you like the product then by all means purchase the upgrade. It will help them keep the free versions available for the masses.
I hope this information proves useful to you. If you have additional thoughts or ideas please feel free to comment.