Wednesday, December 16, 2009

Windows 7, Should I upgrade?

I was asked this question a day or two ago by a co-worker and the discussion that followed made for what I felt was a worthwhile post.

Ultimately only you can or should make the decision on whether or not to upgrade. You should however do a little research to determine if the upgrade is beneficial to you. Also, be sure you understand the requirements of any upgrade prior to spending your hard earned money.

A few questions you may want to ask your self:

1) Does my current Operating System provide me with the services I need? If so, regardless of the OS you are running, why upgrade? The cost is substantially higher than most software you will buy and beyond that fancy new splash screen or special effects, what do you really gain?

2) Is my current OS still supported. Vista will be supported for many years to come, Windows XP on the other hand has reached end of life status by Microsoft. However, be sure you fully understand Microsoft's product support before upgrading on this premise alone. What most people do not realize is that Windows XP entered into what Microsoft call "Extended" support on April 14th of this year. It will remain a supported product until April 08, 2014. What does this mean to you? That not much really changes. Extended support means that Microsoft will continue releasing security fixes but any non-security related fixes are only offered to companies willing to pay for the development of such fixes. In other words if it works today it will work tomorrow but over time some software may become incompatible with your Windows version.

3) Are there upgrades to software that I do use that is not supported by my current OS? If so, then it may be time to upgrade. While most software companies design with backward compatibility for the most recent OS releases there may be added features in a new OS that prevents this backward compatibility.

4) Will my hardware support the new OS and is it compatible? This can be a huge factor in two ways. First, if your hardware is not supported or lacks the horsepower to properly run the new OS then you are faced with spending a couple hundred on the software, only to have to go buy hardware upgrades, or perhaps even a new PC. Second, if your hardware just will not do with the new OS then you will probably come out cheaper buying a new PC that comes pre-loaded with the newer OS. This is usually cheaper than buying the OS and then upgrading hardware. Just be sure to plan on a means of transferring your existing documents and other data to the new PC.

If you do decide to upgrade then good luck to you and please post a comment on your decision and what factors helped you make your choice.


Sunday, December 13, 2009

Fundamentals of a security plan for small business.

ChoicePoint, Bank of America, LexisNexis, RBS WorldPay and other large corporations have reported Data Breaches of their Information Systems. These companies all had elaborate information security measures in place and budgets for developing and maintaining these systems that would likely exceed the total revenue for some small businesses. So how can you, a small business owner with a limited budget protect your IT investments, prevent loss of productivity or worse yet, avoid the negative image of having been a victim of a security incident? Well, it’s really not all that hard and better yet, many times you can do a really good job on a tight budget.

Regardless of your business model, if you have even a single laptop that is used to support your business then you could be a victim of a cyber threat. Many times small business owners fail to realize just how vulnerable they are until they have a problem. This article will outline many of the more common threats and offer advice on how to avoid problems. However, I would advise any small business owner to seek out a qualified professional to assist you with the development of an information security program. An Information Security specialist will be able to discuss options with you and should be able to help you better understand various threats and how they could impact you.

That being said, let’s get started.

Malware (Malicious Software)

Malware is a fancy work for any code that was written with the intention of performing malicious actions. The term virus has become synonymous with pretty much any malicious code but not all software threats are viruses. Viruses, along with the self replicating virus know as a worm, are very common and can be painful to deal with once your computer is infected. Typically virus will inject themselves into existing documents or files as a means of infecting other computers. Worms on the other hand are self-replicating; they do things like forwarding themselves via email to everyone in your address book. Most times without your knowledge. How happy will your client be when they receive an email from you that contains a virus or worm that brings their network down? The good news is that standard Anti-Virus applications will deal with the problem. For some common sense advice on preventing viruses read my previous article found here.

Beyond the common virus, things get a bit more complicated. Trojan Horses get their names from Homer’s lliad. Just as the Greeks infiltrated the Trojan's defenses with the statue of a large horse, today’s Trojan Horses disguise themselves as something desirable yet mask something more sinister. A few years ago there was a Trojan Horse hidden in a video of the Saddam Hussein hanging. Unsuspecting viewers watched the video without knowing it contained a keylogger that later captured keystrokes used to log into email accounts, perform banking transactions and enter other sensitive information that was then sent to the bad guys. Some Trojan Horses create backdoor portals into your computer; other times they can turn your computer into a zombie that is then used to attack other computers. Best practices for preventing these attacks would be to prevent users from installing software on their computers. Establish a list of “approved” applications on each PC and use policies and user rights to prevent the downloading and installation of additional software. Also, most Anti-Virus programs will also detect and remove Trojan Horses.

Spyware is a generic term for keyloggers and other applications used to gather information about your computer habits and report this information to a third party. These applications can do anything from sending your internet surfing habits to capturing personal and sensitive information. Spyware is many times the payload in a Trojan Horse, affected users usually find out they have a problem after it is too late. There is also the more benign code known as Adware. Adware is most often seen in the form of popups or new browser pages that appear without your request, advertising some service or product. They are annoying and affect productivity but usually do direct harm. Notice I said usually, there are exceptions.

Social Engineering

Social engineering can take many forms. The most common, and the one you have probably heard about recently is known as phishing. Typically phishing is in the form of an email but can sometimes be a website or popup while browsing the web. Phishing attacks will most often try to convince you to provide sensitive information to what you believe is a legitimate website or individual. You may be told that you must update your log in information or provide some other updates to your account. The email or website will even be kind enough to provide you with a link to make it easier for you. The problem is this link is not legitimate. Even though the link you followed may look exactly like the website of your bank, credit card company or credit union, it is really a fake and now a bad guy has your user id and password for your bank account. Always contact your bank to verify any email or website asking you to update your account information to be sure it is legit. And If you EVER follow a link and enter you information during a momentary loss of sanity, CALL YOUR BANK IMMEDIATELY and let them know.

Other forms of social engineering can be in the form of phone calls, surveys, cold sales calls and so on. You have to realize that many times a social engineering attack takes on the form of many small steps and you may be the target of only a small piece of the complete attack. These could be used to gain insight to your business, identify your clients and even to obtain trade secrets or proprietary information. In some cases social engineering has even been used to convince you need the product a company is offering to combat the very problem created by the social engineered attack.

The best counter measure for Social attacks is to be educated and educate your employees. Be sure to include guidelines in your security policies or procedures that limit the opportunity for social attacks to be carried out. Such as restricting employees from participating in surveys, defining procedures for resetting passwords used to access data or limiting what information can be sent via email.

Protect against "Crackers"

“Crackers” is the correct term for individuals that attempt to gain unauthorized access to your systems or data. Hackers have been incorrectly labeled as the bad guys for years, mainly thanks to Hollywood, but I digress. Attacks by individuals can come in many forms. Really many more than can be addressed here so I will focus on the more obvious attacks and methods for dealing with them.

Password attacks are at the top of the list. There are programs available on the internet that can launch various password attacks against a website, router or server. There are dictionary attacks that use a file containing thousands of words to attempt to log into a system. There are brute force attacks that will try thousands or even millions of random characters to try and force their way into a system. The best protection against these attacks is a password policy that requires passwords be changed frequently, at least every 90 days, I prefer 60 or less. Also require users to use complex passwords. Complex passwords consist of alpha-numeric strings including a requirement for both upper and lowercase letters and special characters. It is not as difficult as it sounds either. You can use words that you use every day but substitute certain letters for numbers or characters. Let me give you an example. Take the words “Happy hour” you can turn this into a complex password by changing the letters to symbols and numbers to make a password that is relatively easy to remember. “#aPPy#0ur” or perhaps "H@ppYh0ur”. Depending on the number of characters allowed you could also use what is known as a passphrase. This is just a string of words, preferably unrelated. One example would be: chairscupcakespuppyradio. Whatever makes the password easy to remember yet complicated to guess. There are much better methods for authentication, such as tokens, one time passwords and others but to keep this discussion focused on small and micro businesses I want to keep the solutions simple and low cost.

Denial of Service attacks and exploits are also the results of an attack by an individual. These are attacks that focus on a particular weakness in a system. They can have purposes ranging from simply denying the owner of the services of the affected system to compromising the system with the intent of using your system for the purpose of attacking other systems. Preventing these attacks require more elaborate countermeasures I am afraid. It is up to you the owner to decide what your threshold for pain is and weigh that against the cost of the countermeasures needed to satisfy your level of tolerance. Firewalls, Intrusion Detection Systems, Network Monitoring, Log collection and analysis are all some of the countermeasures designed to prevent these types of attacks. One cheap and easy method for preventing many of these attacks does exist however. Patch your systems!! Most modern operating systems provide mechanisms to notify you if updates are available to protect your systems if vulnerability has been identified. Just don’t forget about all the additional software that is installed on your systems. Often times these applications are the source of an open vulnerability. Not the Operating system.

Physical loss

Physical loss can take many forms. In some cases physical loss can be the result of any of the attacks we have covered so far. So you downloaded a virus, was the target of a cracker or other malicious activity and now you have data loss or the loss of a system that your business depends on to service your clients. What do you do? Well here is where recovery comes into play. Backups, software repositories, business continuity plans all deal with how to correct a problem when it occurs. (Notice I did not say IF but when) These mechanisms can be created that fit your business model and your budget. I would recommend that you consult with a professional to help you identify the best course of action to support your business model because there are so many factors to consider. There are also formulas that can help you identify, how much you stand to lose is a specific system is compromised and this knowledge can help identify a solution that minimizes your risk at a cost that makes sense. In other words spending $10,000 to protect a $4000 investment does not make much sense. Just be careful when calculating costs to not forget things like your reputation or any regulatory obligations you may have. These can be a bit tougher to assign a dollar value to.

One common and useful counter measure that all small businesses should deploy is data backups. These can take many forms ranging from traditional media such as magnetic tape or optical devices such as CDs and DVDs to internet based backup services or data replication to a secondary site. The most important factor to consider when looking at a backup strategy is to only backup what is needed in the event of a problem. Typically this would be data that has been created to support your business such as customer data, accounting information, payroll or employee information and don’t forget about proprietary information or intellectual property. I plan to devote a post to various backup and recovery methods in a future post so if this is an area that interests you, stay tuned. It should be completed in a week or so.

Lastly, do not forget about mobile users and devices. Laptops, PDAs and even cell phones nowadays carry a lot of data that could be disastrous if lost or stolen. These devices must be protected and given with additional consideration when planning your security plan. This is because these items are many times used in environments that are out of your control or that are not protected by the physical measures you have in place at the office. Password protection should be a minimal requirement to secure these devices, many times biometrics are built into laptops and other devices that can be substituted for passwords and even provide a greater measure of authentication for a user. You may also want to consider additional requirements for users that are issued mobile devices such as additional training on how to protect and secure these devices. Of course the best means of protecting these mobile devices is to use encryption of the storage media within these systems. Once encrypted, if a device is lost or stolen then at the very least your data, or perhaps your customers data, is safe and unlikely to be compromised. There are even free solutions available to provide encryption of many of these devices. You can’t get much more cost effective than that.

Lastly even small business owners should create a documented Business Continuity Plan, or BCP and a Disaster Recovery Plan, or DR plan. These do not need to be huge complicated documents, especially for small businesses but should at least provide a documented course of action should a problem occur. I often find that many times people think a BCP and a DR plan are interchangeable terms. This is not the case and really both are needed for any business. Let me try to explain.

Let’s say you are in a car accident, nothing serious just a normal fender bender. Still, your vehicle has been damaged and may not be legal to drive until it has been repaired. Now if your now damaged car represents your business then a viable BCP plan would be, to obtain a rental car that would provide you with a means of getting from place to place while your damaged car is repaired. On the other hand, the DR plan for this scenario would be to identify a repair shop, call a wrecker service to transport your car to the chosen repair shop, work with the insurance company to have your car repaired and then pickup your car once the repair has been completed.

You see the BCP plan just defines how you will continue operating your business while you are performing the necessary tasks (DR plan) to return your business to "normal" operations.

You should also know that depending on the services your small business provides to your clients and their dependency on your services. Your clients may REQUIRE you to have a documented BCP or DR plan. Perhaps they will require both.

In closing

Despite the length of this article, I have really only scratched the surface of many of these topics and there are others that I have not even mentioned. I have jotted down a few notes for some other areas that are just begging for a dedicated article, such as Physical Security, a deeper dive into backup and recovery and others, so those will be coming soon. In the meantime I hope the information here is helpful to you and at least provides you with a basic understanding of core information security concepts. Again, I would advise any small business owner to consult with a professional to assist them in developing a comprehensive security plan. One that protects your investments while doing so within your budget.



Sunday, December 6, 2009

How do secure websites work? Part 2 of 2

Ok, in Part 1 I identified the basic components involved in the SSL process, I will now walk you through how they all come together to protect your private information while on the web.

Any secure website owner should have a SSL generated by a reputable Certificate Authority, and this SSL certificate will have been placed onto the web server you are now attempting to establish a secure session with. This SSL certificate provides several functions, when you request a connection to a secure site (one that starts with https:\\) the server sends a digital certificate to your browser to identify itself. This involves the following functions:

  1. The SSL contains the identity of the Certificate Authority that issued the certificate. The first thing your browser does is check to see if your computer trusts this CA. If it does not a warning is displayed. You may choose to ignore the error (most do because they do not understand the error), you can choose to add the CA to your trusted CA list, or you can cancel the connection and not proceed with your transaction. (One example of how to add a CA to IE 7 can be found here )
  2. The SSL certificate contains information regarding the domain name it is registered to. ( for example) If the domain name does not match the site you just connected to another error will be displayed. Again, most people ignore these because they do not understand what is causing the alarm. This is the root cause of a failure in the SSL process to protect your information. Simple lack of understanding.
  3. Lastly, the server sends a copy of its Public Key. Remember the Asynchronous Encryption information in part 1? With asynchronous or Public-Key encryption, two keys are generated. One, the Private key, must be protected and kept secure from any form of distribution. This key remains on the server and is the most important component of providing security in SSL communications. Two, the public key is distributed to anyone and any data encrypted with this key can ONLY be decrypted by the matching private key of this key pair. This confuses many people so I will explain in more detail how this protects you in a moment. So, if you were connecting to a secure website, you are now at a point where your browser is prepared to establish a secure transmission. At this point no data has been sent between the server and you. You have only prepared the two systems to communicate. What happens next is the part I think is so cool in how it actually works to protect you.

So, you now have a public key, you know the server is THE server you wish to communicate with and you are ready to send data.
As I said, with public key encryption, any data encrypted with the public key (the key sent to your PC), may only be decrypted by the private key(The key that is protected and never leaves the server), but this process is not used to send your private information. It is slow and, while difficult, could be compromised because the keys do not change and patterns could be used by a determined hacker to compromise the key pair.

Instead, the client computer (your PC) generates a random number or a “session key” (synchronous encryption) and then it encrypts this “session key” with the public key that was received from the server. Now because ONLY the private key can decrypt this message, once the server receives this session key and decrypts it with the private key, only the server and the client have a copy of this one time, unique encryption key. This will be the encryption key used to transmit data back and forth between the server and the client. This session key is only used for the current connection between the server and the client and once that link is broken, the key is destroyed. The session key is fast, uses a low amount of computer resources, and because it was exchanged in a secure manner using public key encryption it is virtually impossible for anyone to “hijack” this session and compromise your data. (A hacker would need the “Private key” to compromise this communication which is why the private key must NEVER be compromised. Administrators of these secure web servers go to great pains to make sure this is the case. If a private key is suspected to be compromised then the owner must go back to the CA and obtain a new SSL certificate.)

Congratulations, you session between you and the secured website is now secure and all data transmitted between your browser and the server is now encrypted. This entire process is usually summarized and called the “SSL handshake”.

Once you have completed your connection to the secure site. The communication process is “torn down” the session keys are destroyed by the server and the client. If you go back to this secure site again, the whole process happens all over again with new session keys created for that particular session. The SSL handshake happens much quicker than it sounds and should be completely invisible to you the consumer. If it is not then you see those error messages that were mentioned above. So read those error messages and if you are in doubt contact the owner of the site to determine what is causing the errors. Sometimes the errors or innocuous and can be safely ignored but you should understand the error and be comfortable in ignoring it. Not just ignoring the error because you do not understand or because “I get these all the time, probably isn’t important.”

I hope this helps you understand the SSL process and makes you feel more comfortable with your online experience. It is complicated but I I have tried to simplify the process and make it somewhat easier to understand.

Good luck to you and feel free to post comments or follow up questions. I will try to respond in a timely manner.