Business IT and Security
CFOs and controllers interested in learning more about IT security, and in how to arm their companies with the right tools, gathered at this roundtable. At this session, Scott Lucas, network administrator at Clayton & McKervey, presented general knowledge and gave advice that every business should put to use. Emphasizing user education, his recommendations included:
The Do's and Don'ts of Passwords
Secure your password; change your password once every 40 days, or on a scheduled basis; use strong passwords that are not obvious, such as a spouse's or child's name; don't reuse the same password with minor variations (spot1, spot2, etc.); recognize that the cost of recovering lost passwords can range between $25 - $50 per help-desk call.
Securing the Information Highway
Educate your employees not to download software at work; prohibit shopping online from the workplace; use the internet for business-related research only; disconnect a computer from the network when a problem occurs that could affect other network users.
Phishing
Phishing is the fraudulent use of e-mail to impersonate a legitimate source (for example, an e-mail that appears to come from your bank asking for vital information such as account numbers and Social Security Numbers). To avoid these scam attempts, don't open an e-mail or its attachment if you don't know the sender or aren't expecting the attached document; don't use your office e-mail address for personal accounts; turn off HTML and view e-mails as plain text; disable the preview feature of your e-mail software.
Spyware
Address the threats of spyware; don't use Internet Explorer (Mozilla's Firefox was suggested as an alternate web browser); arm yourself with the right tools, such as Spybot or Ad-Aware. Participants were given software to assist in the fight against spyware.
Vulnerability Assessments
To enable our group to better understand security risks as they relate to our own businesses, Matthias Horch, co-owner and IT security consultant of Secure 24, Inc., conducted vulnerability assessments for four companies. Spending two hours with each company, Secure 24 assessed each company's network structure and reported these findings:
Generally, all companies focused on functionality rather than security. Most companies exposed unprotected services from their internal network. Most companies did not manage the security aspect of their networks, and relied on the initial setup by an outside vendor. Some companies were using unencrypted wireless networks. It appears that all companies had open firewall rules to the Internet. None of the companies were using proxy technology to communicate with the Internet. One company did not use a firewall at all. It appeared that all of the companies relied solely on antivirus protection at the workstation/server level. Regarding internal scans, many systems were not patched properly. Externally, many companies' e-mail systems were "spoofable" (hackers could send e-mails as though they were sending them from your company) and were directly hackable. Some companies were "relayable" (hackers could use your e-mail system to relay e-mail). General areas pinpointed for improvement included security design, vulnerability to viruses and worms, and tightening accessibility. Per Matthias, these findings are not unusual.
While attendees asked questions during both presentations, several attendees noted the need for governmental controls on Internet use. Several attendees noted that while security is a major concern, deciding the level of security measures to implement is a cost/risk evaluation. A range of workable solutions was presented, many of them easily implemented, low-cost measures. Other more extensive and very worthwhile solutions will require retaining an IT consultant who can more tightly secure systems.
We would like to extend a special thank you to Secure 24 for generously providing the vulnerability assessments and presenting their findings. Contact Matthias Horch at matthias.horch@secure-24.com for additional information.