Anyone who runs a business (from small SMEs to large corporates) these days, with computing facilities for their employees, faces a tough battle with network and computer security. The list of external malicious vectors is endless, including phishing attacks, spyware, viruses, DoS attacks and many others.
The Mariposa virus, shut down in March this year, was responsible for stealing credit card numbers and banking credentials from as many as 12 million PCs. This virus was spread through instant messaging links and propagated through USB flash drives and p2p file sharing networks. Reports indicated that more than half the Fortune 1000 companies and more than 40 major banks were infected. *
According to RSA, EMC's Security Division, even among Fortune 500 companies, 88% had systems that had been accessed by infected machines and 60 percent had experienced stolen email account information. Rob Jamison, Manager of Network intelligence, BT Managed Security Solutions Group, added that “some of the larger botnets are de facto controlled by Eastern European crime syndicates, but many others have botmasters in North America, Brazil, and Europe. Chinese hackers also have been extremely effective in infiltrating organizations via spear-phishing attacks and use botnet technology in their attempt to exfiltrate information. While credit card theft is on the decline as it has become more difficult to profit from a stolen credit card number outside of the country of issue, selling stolen banking information to the highest bidder in the secondary market is still the leading business model. The stolen banking information is most often used with ‘money mule’ operations to steal money from victims’ bank and credit card accounts. The botnet operators generally focus only on acquiring and selling the stolen information to separate criminal groups who operate the money mule scams.” **
While external malicious activity gets the bulk of our attention, what is often forgotten is the employees themselves. The task for a business owner is to safeguard the information generated by the employees of the business as well as any IP, trade secrets or other valuable information. Employees often don’t understand the cost or importance of this information and are therefore prone to using the provided computer facilities without due consideration for the security of the data within the organisation. There are a number of issues which an employee may be unaware of:
- internet bandwidth costs – this business expense has a high cost (especially in the South African internet context) and uncontrolled use of this provision can cost the business heavily
- malicious vectors – these can not only cause an inconvenience in terms of infection but can compromise data and business operations in a variety of ways
  - blackmail as a result of DoS attacks
  - destruction/corruption of business data on computer workstations due to virus activity
  - loss or disruption of public-facing or internal computing facilities
- support costs – any computer issue requires either support from an internal IT group or external contractor
  - loss of productivity as a result of computer issues
- business information exposed – inadvertent, or otherwise, exposure of critical information to outsiders
Beyond the usual security measures one may take (firewalls, antivirus, etc.), a certain onus lies on the computer user in terms of their activities and behaviour in their daily computer use. This would include safe internet surfing practices, being mindful and watchful of the content of email and websites, and constantly being on the lookout for malicious activity. Of course, employees are not security experts, so there is a responsibility on management to afford the user good training in this regard. Fast-moving changes on the Internet landscape mean that this is a continuous process. Social networking, IM, p2p and corporate apps integrating internet technologies are a constant barrier to keeping pace with security needs.
In addition, Acceptable Use Policies (AUP) are a must – these guide the employee in the use of the computer facilities. There should either be a number of AUPs covering a variety of different areas or these can be incorporated into a single document. Areas of coverage should include but are not limited to:
- Email etiquette and usage
- Web surfing practices
- Instant Messaging, social networking
- Local and network document storage
- External storage such as USB and hard disks
Larger corporates typically have the infrastructure and staff to implement effective monitoring of a security policy while smaller companies need to rely on AUPs and periodic inspections to make sure that the business information and operations remain safe. In either case, technologies are available to implement and assist with security strategies that minimise the attack surface that a company has:
- content filtering
- data loss prevention
- desktop monitoring software and key-loggers
- access control
Factors to take into account when designing a security policy include:
- regulatory compliance
- HR policy
- corporate culture
While most security incidents are due to ineffective security or employee knowledge, there is also the case for nefarious action – deliberate and willful actions on the part of the employee to subvert the operations of the business. These cases are often the most difficult to deal with as they are typically unexpected.
Many employees may find security practices and AUPs within a business restrictive, but the ultimate aim is to protect business data and value. 10% of companies that suffer a catastrophic data loss will be out of business within a year, with the resulting loss of jobs – employees can help safeguard their companies against problems like this by accepting and working with security policies.
Policies and procedures need to be comprehensive and enforced – these are ineffective otherwise. Corporate monitoring and effective security strategies protect the organisation against theft, fraud, harassment, compliance violations and maximise employee productivity. Employee training aids in the enforcement of security strategies, and improves computer use and productivity. Taken altogether, these provisions can make the difference in an era where security threats are the norm and keeping control of corporate data is a moving target.
* INSECURE Magazine issue 26
** ITWorld – http://www.itworld.com/security/106428/the-botnet-business