SEMA News—August 2011
Don’t Get Punked
Safeguarding Your Computers From Hackers
By Joe Dysart
So far, the hacking that has grabbed most of the headlines consisted of computer breaches at giant corporations, such as VISA, Mastercard and Paypal, and was perpetrated by a shadowy group of hackers who call themselves “Anonymous.”
“Anonymous is heroic to many people who are sick of government lies and weary of government intrusion—unwarranted and warrantless—into the lives of U.S. citizens,” said Sharon D. Nelson, Esq., president of Sensei Enterprises, a computer security consulting firm. “They have become very much like—in The Terminator movies—the resistance fighting Skynet. Many are script kiddies or amateur hackers. But there is a core group of hackers who have extraordinary skills. They present one of the greatest security threats of recent years. And we have not, so far, done a lot to counter their intrusions.”
But while Anonymous’ exploits have been reserved for big game and even bigger headlines, web-security experts warn that virtually every business and every computer user is at serious risk of being hacked by someone these days—especially those businesses and users that are cruising the web with little or no protection.
“Rogue applications, clickjacking, survey scams—all unheard of just a couple of years ago—are now popping up on a daily basis on social networks such as Facebook,” said Graham Cluley, a senior technology consultant at Sophos, a computer security consulting firm. The firm recently released its “Security Threat Report: 2011.”
The security take-away? Businesses of all sizes need to make peace with the fact that hackers don’t seem ready to be neutralized any time soon. Those same companies also need to fess up that their current computer defenses are probably silly putty in the hands of the most experienced of hackers. The best way to begin hardening your digital perimeter is to realize that the people responsible for your web security are the overarching factor in keeping your firm safe—and not necessarily the security technology they administer and oversee.
“Fundamentally, good security really is just good systems administration,” said Ira Winkler, founder of Internet Security Advisors Group, another computer security consulting firm. “And if you can’t afford or can’t get a good system administrator, I recommend outsourcing.”
In fact, Winkler said that the smallest businesses will probably be better served by an outsourced third-party solution, given that the entire business of a top-notch network systems provider focuses on configuring, maintaining and securing computer systems 24/7. In other words: You may want to move your critical business systems to the cloud so that you can take advantage of the relatively sophisticated web security offered there, according to Winkler.
At minimum, Sensei’s Nelson recommends a quality firewall that’s properly configured and Internet security software that guards against viruses, malware and spyware. There should also be security policies in place regarding password length and complexity and the like, Nelson said. And you’ll also need to be sure your staff gets the message that your company’s security is serious business.
“A custom CMS is usually a bad idea,” Nelson said.
Many people also tend to get lazy about passwords. Surprisingly, one of the most commonly used is “P-A-S-S-W-O-R-D”—a seemingly trivial oversight that has spelled the undoing of countless otherwise-stellar computer security systems.
Nelson recommended complex alphanumeric passwords of more than 12 characters, which are tough to crack even by password-stealing software that is specifically designed for the purpose. And she reminds people to use different IDs and passwords at different gateways.
Nelson also said that businesses need policies in place to establish lockouts after a system user has entered a predetermined number of incorrect IDs or passwords. And the same lockout failsafe needs to kick in the moment an employee departs or is terminated from a business.
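The password rules and lockout policy Nelson describes can be reduced to a few lines of logic. The following is an added example written for this page, not code from the article or from Sensei Enterprises; the 12-character floor and the “password” blocklist entry come from the text, while the failure threshold (five attempts), the 15-minute window and the other blocklist entries are constructed values that a real policy would set for itself.

```python
import re
from datetime import datetime, timedelta

MIN_LENGTH = 13                          # "more than 12 characters" (from the article)
MAX_FAILURES = 5                         # constructed threshold; the article leaves the number to policy
LOCKOUT_WINDOW = timedelta(minutes=15)   # constructed value

# Constructed blocklist; "password" is the example the article names. A real
# deployment would check against a far larger list of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def check_password_policy(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


class AccountLockout:
    """Track failed sign-ins per user and lock the account after too many in a window.

    Departed employees are disabled outright (offboard), which is the
    "same lockout failsafe" the article says must kick in on termination.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=LOCKOUT_WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = {}    # user -> timestamps of recent failures
        self.locked = {}      # user -> datetime when the temporary lock expires
        self.disabled = set() # users whose access has been revoked

    def is_locked(self, user, now):
        if user in self.disabled:
            return True
        expiry = self.locked.get(user)
        if expiry is None:
            return False
        if now >= expiry:                 # lock has run out; reset the counter
            del self.locked[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Register a bad password. Returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        recent = [t for t in self.failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked[user] = now + self.window
            return True
        return False

    def record_success(self, user, now):
        """Register a correct password. Returns False if the account may not sign in."""
        if self.is_locked(user, now):
            return False
        self.failures.pop(user, None)
        return True

    def offboard(self, user):
        """Disable an account immediately when an employee departs."""
        self.disabled.add(user)
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(check_password_policy("password"))
    lk = AccountLockout(max_failures=3)
    t0 = datetime(2011, 8, 1, 9, 0)
    for i in range(3):
        print("locked:", lk.record_failure("alice", t0 + timedelta(minutes=i)))
```

Note that a correct password entered while the account is locked is still refused; the lock has to expire (or an administrator has to clear it) first, otherwise an attacker guessing in parallel would learn the moment a guess was right.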
For protection of especially critical data, Winkler advised multiple authentication, such as the use of two or three passwords to access a website maintenance account rather than just one. And he said that companies whose data privacy is especially critical should consider investing in data-leakage prevention software.
Employees also need to stay vigilant for hacker “social engineering” ploys—a fancy term for a hacker who forsakes the digital black arts and takes the easy route by tricking someone at a company into surrendering the crown jewels with a friendly phone call or a seemingly innocuous e-mail.
Regular meetings, newsletters or memos about security vigilance also offer an opportunity for firms to update staff about the latest smoke and mirrors in vogue among hackers. A popular one lately, for example, is to regularly spam people with marketing e-mails that seem to originate from a legitimate firm and include a handy “unsubscribe” link at the bottom. Unbeknownst to the recipient, clicking the link activates an invisible download of malware to their PC or other computer device—software that can be used to steal IDs, passwords, credit card numbers, client data and the like.
“Look at the link, and see where it’s coming from,” Winkler advised. If you don’t recognize the company or the link seems hinky, don’t click it.
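Winkler’s advice to look at where a link really points can be automated for the mail that reaches staff. The following is an added example for this page, not code from the article: it pulls every link out of an HTML e-mail body and flags those whose real host does not belong to the claimed sender, or whose visible text shows one address while the link goes somewhere else. The sample message, the sender domain and the two-label domain comparison are constructed simplifications (a production tool would use a public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the owning domain (constructed simplification)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_links(html, sender_domain):
    """Return findings for links that do not lead where the e-mail claims to come from."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append("unexpected scheme %r" % target.scheme)
        if host and registrable_domain(host) != registrable_domain(sender_domain):
            reasons.append("link host %s does not match sender domain %s" % (host, sender_domain))
        # Visible text that is itself a URL but points at a different host than the real href.
        if text.startswith("http"):
            shown = urlparse(text).hostname or ""
            if shown and registrable_domain(shown) != registrable_domain(host):
                reasons.append("displayed URL %s differs from actual host %s" % (shown, host))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a marketing mail with a genuine link, a foreign "unsubscribe"
# link of the kind the article describes, and a link whose text lies about its target.
SAMPLE_EMAIL = """<p>Thanks for shopping with us!</p>
<p><a href="https://www.example-store.com/offers">See this week's deals</a></p>
<p><a href="http://unsubscribe-now.example.net/u?id=42">Unsubscribe</a></p>
<p><a href="https://example.net/login">https://www.example-store.com/account</a></p>"""

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL, "example-store.com"):
        print(f["text"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the constructed message, the genuine offers link passes, the unsubscribe link is reported for living on a different domain, and the last link is reported twice: once for the foreign host and once because what the reader sees is not where the click goes.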
“If you give it to the cloud, it’s their problem,” Nelson said. “There’s a big debate about whether that’s a good or bad thing. If you’re going to do it, do it completely and use virtualized desktops. In a mixed-bag scenario, both parties
Companies with especially sensitive data will need another layer of security.
“You should have intrusion detection and prevention systems, including ‘honey-pots’—bogus data to attract a hacker there so they can be picked up,” Nelson said. “You can place resources in a DMZ [demilitarized zone], isolating them from the production network. You need the logging system to have a methodology to send alerts when pre-determined events happen or artificial intelligence products that do heuristic analysis and trigger alerts.”
There are, of course, other ways to further toughen your security. Nelson plans to release an entire book on the subject next year. But at a certain point, you’ll probably need to concede that your security will never be perfect—only, you hope, good enough.
“Anybody who sells you ‘perfect security’ is a fool or a liar,” Winkler said. “What security is about is risk management. The more you elevate security, the more you’re raising the bar and the more exponentially you’re decreasing your risk.”
Joe Dysart is an Internet speaker and business consultant based in Manhattan, New York.
www.joedysart.com