Willmar, MN | 320-235-6425

Elements of Security: Information Security – Permission Levels

Imagine what would happen if someone publicized the company compensation spreadsheet or the contents of the HR files.

In a word, it’s a nightmare.  You’re now likely to have to justify why so-and-so is compensated at a higher rate, or you may be liable for the accidental disclosure of sensitive personal information.

Who is allowed to access your paper files?  Are they wide open for all staff to peruse?  Electronic files should be protected from unauthorized access.  They should be secured and only those with a ‘need to know’ should have access.

In many situations, three different levels of access permissions can help prevent this situation:

  • Public – anyone in the company can and should have access.  Public information, Sales & Marketing material (final) and the like.
  • Limited Groups – usually by department and/or location.
  • Individual – users have access individually; individual work products in progress, research items, etc.

When developing these levels in whatever way makes the most sense for your organization, there are other things to consider as well: retention periods, and how to handle the ‘unique’ case or the ‘exception to the rule’.

In any case, it isn’t recommended to create a structure where different permission levels are nested, although that is certainly possible.  Consider what would happen if permission levels were modified at a subordinate folder level and suddenly the CEO couldn’t access his daily report on employee productivity.  This is only one example.

Other Key points:

It is NOT recommended to remove the Administrators group or the System account from the permissions.  In the former case, if someone were to lose access to the files, no one would be left with the access needed to restore it.  In the latter case, the system needs access to the files to be able to back them up.
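As an added example (not part of the original post), the PowerShell audit below walks a folder tree and reports the two problems just described: subfolders whose permissions were changed so they no longer inherit from their parent, and folders where the Administrators group or the System account no longer holds Full Control.  The root path is an assumption; the account names are the standard built-in Windows ones.

```powershell
# Added example, not from the original post. Adjust $Root for your own file server.
$Root = 'D:\Shares\Departments'   # assumed root of the permissioned folder tree

# Accounts the post says should always keep access (well-known Windows names).
$Required = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Audit the root itself plus every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName

    # 1. Nested override: inheritance was switched off on a subordinate folder, so its
    #    permissions no longer follow the parent (the CEO-loses-his-report scenario).
    if ($acl.AreAccessRulesProtected -and $dir.FullName -ne $Root) {
        [pscustomobject]@{ Folder = $dir.FullName; Issue = 'Inheritance disabled on subfolder' }
    }

    # 2. Administrators or SYSTEM no longer hold an Allow rule for Full Control,
    #    which is what recovery and backup depend on.
    foreach ($account in $Required) {
        $rule = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $FullControl) -eq $FullControl)
        }
        if (-not $rule) {
            [pscustomobject]@{ Folder = $dir.FullName; Issue = "$account lacks Full Control" }
        }
    }
}

if ($findings) { $findings | Sort-Object Folder | Format-Table -AutoSize }
else           { "No permission problems found under $Root" }
```

Run it as an account that can read every folder’s ACL (an administrator), otherwise folders you cannot read will simply be skipped.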

Elements of Security: Network Security – IDS/IPS

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are sub-types of firewalls.  These devices attempt to analyze all traffic to and from your network.  Most firewalls don’t do content analysis; that’s what makes IDS/IPS firewalls

Who should have this type of system?
Organizations that are legally obligated to protect their data from unauthorized disclosure should have this type of system, as should organizations that are especially security conscious.  If you’re one of the above organizations and are considering pursuing this avenue, which (or both) should you do?  I would personally lean towards intrusion prevention because that’s the ultimate goal.  What good would it do to detect an intruder without having the means to remove them?

There are many vendors out there, and a common question in the industry is, “What about unified threat management?”  Unified Threat Management combines a firewall, anti-virus, anti-spam, IDS/IPS, and a deep packet analyzer all in one.  It certainly simplifies the administrative tasks of securing the network.  In some cases, though, it could result in a vanilla solution that’s not tailored to fit your specific needs.

Take the following example: establishing a DMZ (demilitarized zone) in your network design better protects your internal network.  The devices placed in the DMZ are those you want people outside of your network to access, such as web servers and mail gateways, and the DMZ itself forms another layer of defense for your internal network.

[Figure: firewall with DMZ]

There are variants of network security appliances that are customizable to fit your specific needs.  Contact your network administrator to find out more information about the right device for you.

Elements of Security: Network Security – Firewalls

Wikipedia definition of a firewall is, “either software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set. A network’s firewall builds a bridge between the internal network or computer it protects, upon securing that the other network is secure and trusted, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted.”  So what does that mean?  Basically, a firewall filters all the information you’re trying to get and only gives you the good stuff.


How does a firewall work anyway?  The predominant protocol in networks today is TCP/IP.  Within TCP/IP there are over 65,000 ports possible.  Well-known or common protocols use ports that are assigned by IANA, but this is not always required.  For example, SMTP uses port 25.  HTTP uses port 80.  HTTPS uses port 443.  HTTP and HTTPS can be configured to use different ports if necessary.  Generally speaking, the higher-numbered ports are not assigned to specific functions.

Some firewalls are optimized to perform the actions required on traffic arriving on specific ports.  For example, many firewall manufacturers make a specific product for email filtering which would only monitor port 25 traffic.

Firewall functions range greatly.  In the most basic form, a firewall simply uses its rule set to grant or deny the traffic that passes through it.  There are many different devices to fit each network’s needs.  It’s best to consult an expert to determine which device(s) are right for your network.

Elements of Security: Computer Security – Screen Locks

Why are screen savers in this list?  You should be taking all kinds of steps to secure your computers, network and servers and prevent unauthorized access to all of the information that constitutes your vital business information.  When you walk away from your terminal and leave it logged on, you are doing essentially the same thing as making sure that you’ve got an alarm system on your home that’s monitored 24/7 and then walking away and leaving the front door wide open!  Consider the damage that someone could do if they could digitally impersonate you.  Imagine the difficult position you would find yourself in if someone stepped into your session and sent an email with some less than desirable comments included.

Lock your screen!  ANYTIME that you walk away, even if it’s for a short period.  When someone accesses your session, they effectively become you.

In almost all cases, the administrators of the network can set an ‘inactivity period’ whereby the screen saver kicks in, and that forces you to login again upon your return.

To lock your screen, all you have to do is hold the Windows key down and the letter ‘L’.

[Figure: Windows key + L]
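As an added example (not part of the original post), this PowerShell check reports whether the ‘inactivity period’ lock described above is actually in force for the current user: it reads the standard Windows screen-saver values, preferring the Group Policy key over the user’s own preference, because only the policy key stops the user from switching the lock off.  The 15-minute threshold is an assumption.

```powershell
# Added example, not from the original post. Run in the user's own session.
$MaxMinutes = 15   # assumed maximum acceptable inactivity period

# Group Policy writes here and overrides the user's own preference key below.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-ScreenLockSetting {
    param([string]$Name)
    # Return the first value found (policy first), with the key it came from;
    # returns nothing if neither key defines the value.
    foreach ($key in $PolicyKey, $UserKey) {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [pscustomobject]@{ Value = $v; Source = $key } }
    }
}

$active  = Get-ScreenLockSetting 'ScreenSaveActive'     # "1" = screen saver enabled
$timeout = Get-ScreenLockSetting 'ScreenSaveTimeOut'    # seconds of inactivity before it starts
$secure  = Get-ScreenLockSetting 'ScreenSaverIsSecure'  # "1" = password required on resume

$problems = @()
if ($active.Value -ne '1') { $problems += 'screen saver is not enabled' }
if ($secure.Value -ne '1') { $problems += 'no password required on resume' }
if (-not $timeout -or [int]$timeout.Value -gt $MaxMinutes * 60) {
    $problems += "timeout is not set or exceeds $MaxMinutes minutes"
}
if (-not $active -or $active.Source -ne $PolicyKey) {
    $problems += 'settings come from user preference, not policy, so the user can turn them off'
}

if ($problems) { "Screen lock NOT enforced: $($problems -join '; ')" }
else           { "Screen lock enforced by policy after $([int]$timeout.Value / 60) minutes of inactivity" }
```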

Elements of Security: Computer Security – Administrative Privilege

So what is administrative privilege?  It refers to those who have unrestricted access to the data and are able to set permissions to that data.

The obvious question that comes out of the administrative privilege discussion is, “Who’s watching the watchers?”  Configuration control processes reviewed and approved by a board, which includes non-technical members as well as representatives from every aspect of the business, are one means of ensuring that configuration changes and modifications to the production environment are communicated to the appropriate business representatives.  Auditing software with reports sent to the “watchers of the watchers” is a way to monitor those key people who have complete access.

Consider the hypothetical case of a typical small business where everybody has access to all information, even if it’s outside of the scope of their assigned duties.  Do you really want your marketing person to have full access to the company financials?  If your marketing person IS the finance person, then that makes sense.  However, financials are sensitive materials that should be viewed on a need-to-know basis.

[Figure: Terry Childs.  Source: blogs.sfweekly.com]

We should never have a case where only one person has “the keys to the kingdom.”  For an additional example, do a Google search for Terry Childs.  If you read more about the Childs case, his refusal to divulge the passwords was allegedly based partly on his belief that new management had insufficient knowledge to do anything constructive with administrator privilege/administrative access.

Administrative privilege is having the right people with the right level of access to the information that they need and nothing more.  It’s a balancing act.  The point is to have a balance between too many and not enough people having administrative access.

Elements of Security: Computer Security – Passwords

Why do my passwords have to be so long?  Why do I have to use a combination of upper case, lower case, numbers and special characters?  Answer: this makes your password exponentially harder to guess; 722 trillion times harder to guess.

So how do you develop a secure password anyway?  There are a few tools out there that you can use to generate a secure password without putting much effort into it.  Try Secure Password Generator from Symantec.  It’s a free online tool to help you generate random passwords.  http://www.pctools.com/guides/password/

Another method for developing secure passwords is to think of a phrase or a quote.  For example, I like using presidential quotes, “Now is the time for all good men to come to the aid of their country,” JFK.  It doesn’t take too much imagination to see how we can come up with this password, “Nt4AgM2c2AtC”.  Ta-dah!  Password created.  Now we have a complex 12 character password.

Rules for passwords:

  • ALWAYS change the default password, especially for your bank accounts, routers, etc.
  • NEVER give your password to anybody you don’t know, especially when you don’t see them in person.
  • NEVER use your same password for multiple accounts.

Consider the implications of someone guessing your password.  They have complete access to everything that you have the rights to.  Have you ever been impersonated?

How are you supposed to remember all this stuff?  There are various tools available that essentially password protect your password file.  Some of them will even remember the passwords for you and autofill things like online banking.  My personal favorite is the one that’s included in Kaspersky Pure, which offers anti-virus, anti-malware, etc., along with the password management tool.  I pay for the three user version which is about $130 for 3 years.

Here’s an article from PCMag.com that covers other password managers.  http://www.pcmag.com/article2/0,2817,2407168,00.asp

Keep personal and professional contact lists separate.  What would happen if somebody hacks into your Hotmail account (that is, figures out your password) and sends an email to your boss that says, “To whom it may concern, It is with regret that I am forced to submit my resignation…”?

Elements of Security: Computer Security – Devices

Computer security is a vital element to keeping your business data secure.  Computer security prevents unauthorized access.  But first we have to understand what qualifies as a computer.

According to Wikipedia.org, “A computer is a general purpose device that can be programmed to carry out a finite set of arithmetic or logical operations. Since a sequence of operations can be readily changed, the computer can solve more than one kind of problem.”  Translation: any device that accesses your business’ data.

Desktop, laptop, tablet, smartphone, and iPad are just a few examples of what qualifies as a computer.  All of these devices offer up access points to your data that can be compromised.

In the next few weeks, we will explore steps your business can take to avoid unauthorized access.  We’ll cover the importance of passwords, administrative privilege and console lock.


Elements of Security: Physical Security

Why is physical security important to you and your business?

There can be many tangible and/or intangible costs associated with a lack of physical security on your business property.  There are a number of ways your company can be affected, and this blog is not an exhaustive list, but it will be enough to start helping you determine the investment that you should put into the physical security of your business tools.

One scenario is where someone gets physical access to your internal network.  Answer these questions to understand why physical security is important to your business:

  • What’s the worst thing that could happen?
  • Would you let a stranger go browsing through your company files?
  • What kind of information is stored on your computer network?
  • Do you collect any personally identifiable information on your customers?
    If so and you lose control of that information, you may be obligated to notify them of the possible breach and to provide a fraud/credit monitoring service for a period of time.

Based on the amount of risk you are willing to accept, precautions should be taken to help minimize the effects of the loss of physical security.  By investing in protective measures such as good locks, man traps, and security systems, you can deter unauthorized access.


Elements of Security

Think of security as a chain.  The chain is only as strong as its weakest link.  There are multiple links in this computer security chain:

Over the course of the next few weeks, stay tuned to our blog for in-depth information on each of these topics.

What does downtime cost your business?

We’ve all heard the horror stories.  Fires, hurricanes, tornadoes, floods, servers crashing; it’s all disastrous and it’s difficult to imagine it could happen to your company.  But today, data loss isn’t a luxury.  Data loss and downtime can kill a business in a matter of days.

A disaster recovery plan is an essential piece to the survival of your business and the first piece of a disaster recovery plan is discovering just how much it costs your company to be down.  How long could your company afford to be down?

Step one is to calculate how much downtime costs for your business. This is the direct loss of revenue calculation.  There are a number of different methods that can be used to calculate these costs:

  • Method A:
    The simplest formula says to break down your annual revenue to a cost per hour.  Annual revenue / annual work hours = simple downtime cost.
  • Method B:
    For the retail and service industries, you may choose to calculate your downtime with a more complex formula.  Average hourly bill rate x average billable percentage / number of personnel = downtime cost.

The tricky part about these methods is the fact that they don’t account for the intangibles such as loss of reputation or buying cycles.  If you are a retail business and your systems go down on Black Friday, it’s going to be more painful than if they went down during a slow time.

Step two is to determine how long your company can afford to be down.  The universally desired goal here is almost always zero, but the goal changes depending upon your business requirements.  Calculating how long your business can afford to be down is business specific.  There is no special formula to determine how much loss you can tolerate.

The IT industry refers to these beginning steps as Recovery Point Objective (RPO) and Recovery Time Objective (RTO).  The challenge in meeting zero downtime requirements is that the solutions are cost prohibitive.

If you have questions or concerns about your disaster recovery plan, contact the experts at Bennett by commenting below, emailing Dean at dbouta@bennettoffice.com, or give us a call at 320-235-6425.
