Web Watch - Security
It's not often that technology can claim to have something in common with our first family of football, the Beckhams, but now it can: both have a big security headache. In this Web Watch we touch on some facts about web security & why we are all at risk.

It is a fact that all Internet content you read, send and receive carries a risk. Content security risks such as inappropriate material, data loss, viruses and worms, alongside hack attacks do pose a threat to the majority of businesses. Yet most companies do not address the issue until it's too late and their day-to-day business has been disrupted - arguably the worst kind of locking the stable door after the horse has bolted.

Cause for concern
In October 2002, we read that "cyber-attacks" reached their highest-ever recorded level as pro-Islamic groups launched a wave of attacks in protest at western governments' support of the war against terrorism and the threatened war against Iraq. Surprisingly, the victims were small and medium-sized companies, particularly in the UK and USA, who are now considered legitimate economic targets.

As well as politically motivated hacking, the pressure on software suppliers to continually add new features to their products brings with it new security vulnerabilities and is another underlying cause of the dramatic increase in malicious hacking. But users too must bear their share of responsibility.

More than half of UK firms admit they are not doing enough to combat cyber crime, even though one third have been hacked, according to a survey from Learning Tree International. 53% of firms never discuss cyber crime at board level. Does this mean that senior management are not sufficiently interested in the whole area of digital security, or are they caught like rabbits in the headlights of a car by security vendors' messages of imminent and fatal meltdown?

How much is too much?
The fact is too much electronic security is expensive and ultimately silly. For example, if your employees can freely post or take intellectual property out of the building with them, having an IT system that uses fully encrypted, electronically signed, virtual private networked transport within a bomb-proof data centre with iris-print controlled access is about as much use as a chocolate tea-pot. On the other hand there are certain areas that all companies need to look at.

Viruses are a common worry for companies of any size. Anti-virus software can provide relatively easily supported solutions for server, client and email systems. Unfortunately, however, the speed at which new viruses are written means that the software needs to be updated regularly, and even then it may not be foolproof.


The enemy within
Interestingly, sources tell us "insider" security incidents occur far more frequently than "external" incidents. Uncontrolled Internet access, even when protected by anti-virus software, can lead to intentional or unintentional security breaches, loss or inadvertent distribution of confidential information, while compromising the functionality of your network.

According to Web and e-mail filtering company SurfControl's latest NOP survey, almost three quarters of employees across a range of sectors have never received training from their employer on how to use the Internet and e-mail so as to minimise network security problems. Steve Purdam, SurfControl's CEO, states: "How can staff be judged as guilty for propagating virus loaded e-mail attachments when they know no better? We firmly believe that IT security training needs to be initiated on two levels led jointly by the IT and HR departments."

So this may mean having one of today's sophisticated Internet "filtering" tools to help manage harmful and unnecessary Web and e-mail content, but ensuring it is used in line with a company's own individual "Acceptable Use Policy."

Acceptable Use Policy
What do you mean you don't know what an Acceptable Use Policy is? An Acceptable Use Policy clearly communicates to employees what constitutes appropriate and inappropriate e-mail use while highlighting what the repercussions would be in the event of a breach of policy.

If you haven't got one, compile one now (a free downloadable guide to creating your company's AUP is at www.surfcontrol.com/resources) and impose a measure of human as well as technological control over inevitable employee "cyber slacking." Cyber slacking is web browsing for personal rather than business purposes. Not only can it massively reduce a company user's productivity and clog up your network with bandwidth-intensive files and attachments, but it also increases vulnerability to hacking and breaches of confidentiality, and leaves you open to lawsuits, harassment charges and criminal prosecution from offensive e-mails.

A web filtering tool imposes your policy rules by scanning email attachments for content you deem objectionable, deleting spam and junk mail, controlling which types of web sites are visited and for how long, denying access to e-mail that carries viruses and isolating, delaying, allowing or denying access to attachments based on file size.

Firewall
General hack attacks aimed at Internet ports should also be viewed as a soft target requiring protection through suitable firewall technologies.

A firewall is a set of related programs located at the network gateway server that protects the resources of a private network from users of other networks. Like its namesake, which keeps fire from spreading from one area to the next, a firewall program filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged as dangerous by the pre-set filters, it is not allowed through. But again, a firewall is only effective when it is integrated and understood as part of a company's overall security architecture.
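To make the "pre-set filters" concrete, here is a small first-match packet filter written as an added illustration for this article; it is not code from any firewall product mentioned on the page. The rule set, the address ranges (RFC 5737 documentation ranges standing in for an internal network, a partner network and the Internet) and the sample packets are all constructed for the demo. Two points the paragraph only implies are made explicit: rules are consulted in order, so an anti-spoofing rule placed first overrides a later allow, and anything no rule matches falls through to a default of deny.

```python
"""Minimal ordered packet filter with default-deny (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str               # source IP address
    dst: str               # destination IP address
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR the source must fall in
    dst: str = "0.0.0.0/0"        # CIDR the destination must fall in
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        """True when every field of the rule that is set matches the packet."""
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def decide(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet nothing matches gets the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the policy to a batch of packets and return each decision."""
    return [(p, decide(rules, p)) for p in packets]


# Constructed inbound policy for an internal network 192.0.2.0/24 that hosts
# a public web server at 192.0.2.10 and is administered from 198.51.100.0/24.
RULES = [
    # Anti-spoofing: an "internal" source address arriving from outside is
    # dropped before any allow rule can see it.
    Rule("deny", src="192.0.2.0/24"),
    # Anyone may reach the public web server on HTTP and HTTPS.
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    # Remote administration (SSH) only from the partner network.
    Rule("allow", src="198.51.100.0/24", dst="192.0.2.0/24", proto="tcp", dport=22),
    # No catch-all: everything else falls through to the default deny.
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 80),     # public web: allow
    Packet("203.0.113.5", "192.0.2.10", "tcp", 22),     # ssh from Internet: deny
    Packet("198.51.100.7", "192.0.2.20", "tcp", 22),    # ssh from partner: allow
    Packet("192.0.2.50", "192.0.2.10", "tcp", 80),      # spoofed source: deny
    Packet("203.0.113.5", "192.0.2.10", "udp", 80),     # wrong protocol: deny
]

if __name__ == "__main__":
    for pkt, verdict in audit(RULES, SAMPLE_PACKETS):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto:<4} {verdict}")
```

The design choice worth noticing is that the policy never states "deny everything else" as a rule; the `default="deny"` in `decide` does that, so forgetting a rule fails closed rather than open. Rule order is the other lever: moving the anti-spoofing rule below the web-server allow would let the spoofed packet through, which is the kind of configuration mistake the article's "integrated and understood" caveat is about.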

Interestingly, some UK companies are now putting hackers on their payroll to find weaknesses in their systems and how they could be exploited. These so-called "white hackers" are now the good guys, poachers turned gamekeepers if you like. They can find and pinpoint security weaknesses, plugging the gaps before the more sinister "black hackers" make use of them. Recommendations are then made for revisions to security.
A word of caution here: can a white hacker be any good if he's never dabbled in the black? The key challenge for anyone thinking of employing a white hacker is therefore how to prevent them reverting to black and using the information and knowledge they have gained to become, in effect, a poacher turned gamekeeper turned poacher again. Confused?

What you cannot escape from is the sad fact that any IT solution can be made secure but will always be undermined by the lack of inbuilt security in the surrounding environment and in the people concerned with the data.

This brings me finally to the November 2002 publication of "The Art of Deception" by the legendary computer hacker turned security consultant Kevin Mitnick. If you were not having security nightmares before, read this book and you certainly will.

Beware the "social engineer"
In the Art of Deception, Mitnick invites readers into the mind of the computer hacker and reveals how to guard against the gravest security risk of all - human nature. Using realistic but fictional scenarios of successful cons, swindles and attacks on businesses, organisations and government institutions, Mitnick illustrates the extent to which even the most locked-down information systems are susceptible to "social engineers" - hacker con artists who deceive, influence or manipulate trusted employees into revealing information, or performing actions that create security holes they can slip through.

He writes: "as developers invent continually better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element. Cracking the human firewall is often easy, requires no investment beyond the cost of a telephone call, and involves minimum risk."
The book concludes with a look at what Mitnick describes as the only truly effective way to mitigate the threat of social engineering: properly used security technologies combined with security policies that set ground rules for employee behaviour, and appropriate education and training for employees.

It would seem that we have all been warned.
