Friday, 24 December 2010

It's a Christmas Eve cracker - Xmas special day 24

It's Christmas Eve, so in this blog we thought we'd simply wish everyone a very Merry Christmas and a Happy New Year.

If you're taking time off between Christmas and New Year we hope you have a relaxing and enjoyable time. If you're working, we know how you feel! Either way, just make sure your systems and data are as secure as they can be. If you would like some pointers, why not take a look at yesterday's blog, Your Data Security Checklist for the Festive Period.

To finish, here are a few terrible cracker jokes to while away some time and try out on your colleagues, family and friends. We're betting they have probably heard many of them before. We can't claim the credit for them. They all came out of the crackers at our rather splendid Christmas bash.

Enjoy!

Who's the bane of Santa's life?
The elf and safety officer.

How does Good King Wenceslas like his pizzas?

Deep and crisp and even.

On which side do chickens have most feathers?

The outside.

What's the slogan for the Eskimo lottery?
You've got to be Inuit to win it!

What's Santa's favourite motorbike?

A Holly Davidson.

A man goes to see his doctor and says, "Doctor, I have a lettuce stuck in my bottom."

The doctor takes a look and replies, "That's just the tip of the iceberg."

What do frogs wear on their feet?

Open toad sandals.

Why are pirates so cool?

Because they Arrrrrrr.

What award do the best door knocker makers receive?

The no bell prize.

What do you call a man under a pile of leaves?

Russell.

What do you call a woman between two goalposts?

Annette.

Why is it so difficult to teach dogs to dance?

Because they have two left feet.

Which athlete is warmest in winter?

A long jumper.

What did the shy pebble say?

I wish I was a little boulder.

Thursday, 23 December 2010

Your Data Security Checklist for the Festive Period - Xmas special day 23

For many businesses the week between Christmas and New Year is a welcome break, with offices closed and bosses and staff alike taking time to recharge their batteries.

But have they done enough to ensure data security?

Here's a quick checklist for you to run through over the next couple of days if your business will be operating at reduced staffing levels or is closed over the festive period.

1. Will unused laptops, portable devices and USB devices be locked securely away?

2. Have all desktop PCs, printers and any other devices that are not required been turned off? Don't leave PCs logged in or even in locked mode.

3. Are all devices that hold data at least password protected and, ideally, encrypted?

4. Are desks clear, with any sensitive documents locked away?

5. Did you make sure all shredding has been done and/or 'secure' shredding bins have been collected? And have you checked the waste bins for any sensitive documents that may not have been disposed of securely? Really! We're serious.

6. Are all your security applications, particularly server-side, up-to-date and are they set for automatic update?

7. If you run on-site backups, is there enough storage space to last? Have the backups been properly scheduled to run automatically? Is there any safeguard in place if they fail?

8. Have you set your systems to 'notify' you of any problems? Or do you have someone who will be regularly checking the 'health' of your systems?

9. Do you have a list of members of IT staff who can be 'on call' in the case of an emergency?

10. Have you turned the lights off…?

Wednesday, 22 December 2010

Does increased spending on IT and data security mean better security? - Xmas special day 22

As with many things in life, it's not what you've got it's what you do with it that counts!

What do you mean?

When it comes to IT and data security, simply throwing money at it will NOT mean you have the best security. You could buy all the top security applications available and still fall victim to hacking or another type of data security breach.

It's all about well thought through implementation of security applications, robust policies and procedures and, importantly, training and awareness for staff.

It's also the case that the best solution for one business will not necessarily suit another.

You need to determine your needs, specify a budget and 'cut your cloth accordingly'.

How do I do that?

By keeping things simple and making sure you adopt a common sense approach. Identify the minimum requirements of good IT and data security for your business - not all will be technology-based – then build upon them as and when you need to. As a start you might consider the following:

• Implementation of trusted – and compatible – anti-virus, firewall and intrusion detection applications;

• Formulation of an IT policy document, including a strong but workable password policy;

• Encryption of data;

• IT & data security training and awareness;

• Lockable cabinets for laptops, portable devices and USB devices;

• Asset/security tagging of IT equipment;

• Keeping data off laptops, PCs, etc. by 'virtualising' access to data and even applications – whether through Terminal Services, a VPN or via the Cloud;

• Offsite/Cloud-based back-up and Disaster Recovery solutions;

• Secure document shredding and data destruction.

That sounds like enough. Is there more?

It depends upon your business, what it does and, as we said before, the sort of budget you have.

If you sell products or services online and process payment cards, for example, you need to have additional levels of security in place to ensure you comply with the Payment Card Industry Data Security Standard (PCI DSS).

Similarly, if your business is regulated - let's say you're a Hedge Fund regulated by the Financial Services Authority – you will have a greater burden of responsibility than non-regulated businesses.

That's not to say non-regulated businesses should take IT and data security any less seriously.

So you're saying I should get the basics right first, then reinforce if necessary?

Exactly!

And always make sure that whatever you invest in is what you really NEED.

Tuesday, 21 December 2010

10 Website Security Tips - Xmas special day 21

Your website is your window to the world. By the same token, it's the world's window to you and there are some people who are more than happy to smash their way in. It can be one of the most vulnerable 'components' of your overall IT infrastructure if you don't take steps to ensure it is secure.

Here are 10 tips for website security:

1. Don't cut corners

It's no good to simply put up a website and leave it to its own devices. You need to invest time and money in it, not just to keep it working well and looking good, but also to ensure it is as secure as it can possibly be.

2. Use strong passwords

We've talked a bit about passwords over the last couple of weeks in our blogs "2nd factor NOT X-Factor" and "Gawker hack. What can businesses learn?".

The more complex passwords are, the more secure they will usually be. And you really should use different passwords for each element of your website operation, e.g. the Control Panel, any payment processing platform and your FTP accounts.

3. Stay up-to-date

If you ensure you are running the latest versions of your website software, Operating System and IT security applications, your website will be far less vulnerable to attack.

4. Check your host

Spend time comparing the services of different hosts. Some offer far more secure hosting than others, with 24/7 active server monitoring. It's also worth checking if they support suPHP (see tip 5).

5. Check your script

PHP (Hypertext Preprocessor) is a scripting language that enables dynamic web pages. It is embedded into HTML source documents that are then 'translated' into web pages by a server with a PHP processor module. Under the standard set-up, PHP scripts run as the web server's own user rather than as the site owner, so on a shared server every site's scripts run with the same access.

suPHP runs each site's PHP scripts as a single defined user (or group) with that user's permissions, so scripts are confined to the access you have granted that account.

It's important to note that not all hosting providers offer or support suPHP, so that's something worth checking when deciding upon your host.

6. Consider a move to VPS

Virtual Private Server hosting means your website is hosted separately from other sites. You have far greater control and can usually customise security measures like firewalls to your own specification, something that is not generally permitted on shared hosting. It should mean your website is much more secure.

7. Restrict file permissions

It makes sense to restrict or even block access to certain files and operations. In some cases you need to change settings to carry out an installation – effectively set as open – so just make sure that when you've finished whatever it is you are doing you set them back again and close the system.
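As an added example (not code from the original post), a POSIX shell audit for the "set it back again" step in tip 7: it finds files and directories left world-writable under a web root after an installation and resets them to the usual 755/644 defaults. The WEBROOT path is an assumed placeholder.

```shell
#!/bin/sh
# Added example: audit a web root for files and directories left "open"
# (world-writable) after an installation, then tighten them back to the
# usual defaults of 755 for directories and 644 for files.
# WEBROOT is an assumed placeholder path, not one from the post.

WEBROOT="${WEBROOT:-/var/www/html}"

# List every world-writable file or directory under the given root.
# -perm -002 matches entries whose "other" write bit is set.
find_open_paths() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null
}

# Print how many world-writable paths exist under the given root.
count_open_paths() {
    find_open_paths "$1" | wc -l | tr -d ' '
}

# Reset permissions under the given root (directories 755, files 644)
# and print how many paths were changed.
tighten_paths() {
    changed=$(count_open_paths "$1")
    find "$1" -type d -perm -002 -exec chmod 755 {} + 2>/dev/null
    find "$1" -type f -perm -002 -exec chmod 644 {} + 2>/dev/null
    echo "$changed"
}

# Stand-alone use: "--audit" lists what is still open, "--fix" closes it.
case "${1:-}" in
    --audit) find_open_paths "$WEBROOT" ;;
    --fix)   echo "tightened $(tighten_paths "$WEBROOT") path(s) under $WEBROOT" ;;
esac
```

Run it with --audit after every installation or plug-in update; anything it lists is a permission you opened and did not close again.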

8. Only link to trusted sites

"Open redirects" allow a large number of attacks through browsers. Ensure your site only links to known and trusted sites, and keep an eye out for any broken or spurious links that appear. You really don't want bad links on your site.

9. Secure file transfer

When you upload, download and delete files, you need to make sure the method you are utilising is secure. Use tools like File Transfer Protocol Secure (FTPS), which employs Secure Sockets Layer (SSL), or SFTP, which runs over SSH, for all transfers.

10. Regular 'housekeeping'

Get into the habit of regularly checking your website. Ensure updates have been successfully installed, look for code that shouldn't be there, check all links work as they should and only install trusted updates and plug-ins.

Monday, 20 December 2010

Local authority IT Security in times of austerity - Xmas special day 20

Following last week's announcement of the latest round in its austerity drive by the UK Coalition Government, councils face the largest reduction in central funding for local government since the Second World War. This brings with it the prospect of job losses and cuts in frontline services.

There is no easy answer to the question of how best to make cuts and where they should be made but, to protect frontline services as far as possible, back-office functions will always suffer.

IT is frequently an area of back-office that is hit when such cuts are announced, despite it being essential for any council's day-to-day operations. And when cuts are made, whether in staff, funding, or both, IT security can suffer.

So what could councils do to reduce expenditure on IT whilst maintaining, or possibly even improving upon, their current infrastructure and service levels and, most importantly, ensuring security is not compromised?

Collaborate.

One answer might be to look at collaboration, or sharing of IT infrastructure, with a single regional support centre and IT professionals who serve more than one council. This could be self-managed or outsourced to a service provider. It would ensure the focus is not just upon IT provision, but also upon maintaining the security of systems & data. The possible downside to this solution could be the initial set-up/migration costs.

Move to The Cloud.

An alternative would be for councils to virtualise the greater part of their IT 'provision' by progressively migrating it to The Cloud.* This offers the advantage of specialist application support for users, meaning IT staff can concentrate on key functions; it would simplify IT as a service, by reducing layers of provision and making application/software licensing more straightforward; and it should, over time, reduce costs.

It would also offer councils the prospect of collaboration without the need to invest in and maintain shared infrastructure.

Most importantly, security would be maintained, if not enhanced.

• Data would be held and backed-up off-site in highly secure data vaults;

• Data would be encrypted at all times;

• There is no need for data to be loaded on to any PC, laptop or other device;

• Being Cloud-based could potentially make the transition to 2nd factor authentication a far more viable proposition.

It's too early to know what steps councils will take, but it's certain there are difficult times ahead.

* Cloud computing is a new way of delivering IT services over the Internet. It facilitates the sharing of resources, software and data, and its biggest selling point is the fact it does away with the need for businesses to invest heavily in IT infrastructure because everything can be hosted off-site. To read our blog about The Cloud click here.

Sunday, 19 December 2010

Gawker hack. What can businesses learn? - Xmas special day 19

We published a blog on 12th December 2010, titled "2nd factor NOT X-Factor". In it we discussed the importance of a robust password policy, how to formulate passwords and the use of additional authentication measures.

On 15th December, the BBC reported that a US celebrity gossip site called Gawker, which operates one of the world's most popular blog networks, had been subjected to a major hacking attack. The attack was instigated by an organisation that calls itself Gnosis. After the hacking, details of 1.3 million accounts, including 'a significant number' of passwords, were published online by the group.

As a result, millions of users are being asked to change their passwords, not just for the Gawker site, but also for sites like Twitter, Yahoo and LinkedIn. Even the online game site, World of Warcraft, is asking some users to reset passwords.

Why are all these sites taking such measures?

Gawker will obviously be requiring users to change their passwords because it is the site that has been hacked and compromised, but other sites face potential problems for two main reasons:

1. Many users 'interlink' the various sites so they can share a feature of interest from Gawker in Twitter, or tell friends about a spectacularly high score in World of Warcraft, for instance. This can mean some 'sharing' of passwords.

2. Significant numbers of users do not have different passwords for each and every site they are signed up to.

The attack also highlighted just how weak many users' passwords were. Apparently the favourites amongst Gawker users were 123456, password and 12345678. So users are being asked to make their passwords stronger.

It also revealed underlying flaws in Gawker's overall infrastructure security, something the site's boss has admitted was a serious issue, according to a report that appeared in The Register yesterday (18th December). Gawker is now planning to overhaul its security processes by introducing 2nd factor authentication.

What is the significance to my business?

If your employees use the same passwords for social networking and personal online activities, like shopping and banking, as they use in the work environment, compromises like this will be of concern. If one of your employees has a social networking account or, worse still, their home PC compromised, someone could gain unauthorised access to your systems as a result.

We mentioned in our "2nd factor NOT X-Factor" blog that users should ideally have one password per system. It's perhaps worth adding that this applies equally to personal 'accounts' too and that your employees should be advised not to use the same passwords for business as they do for personal computer activity.

Saturday, 18 December 2010

Data: From Acquisition to Disposal - Xmas special day 18

Your business has a legal obligation to fulfil under the Data Protection Act 1998 when it comes to handling data. It may also have to consider compliance with the policies and guidelines of a regulatory body. The bottom line is that you are responsible for the security of your data from acquisition to 'disposal'.

There are many things to think about when putting systems in place for handling data. We couldn't possibly cover everything in this blog, but we would suggest that there are five broad categories to consider:

  1. Information Management

A systematic approach to managing company information is a must. This is commonly referred to as an Information Security Management System (ISMS) and these can be accredited under an international standard, such as ISO 27001.

  2. IT Infrastructure Security

A Penetration Test will highlight weaknesses and vulnerabilities in your systems and identify the appropriate measures to deal with them and close the door to attack. You may already have firewalls, intrusion detection systems and other electronic monitoring solutions in place. Whilst these will obviously provide a degree of protection to your IT infrastructure, software patches and hardware updates can all inadvertently leave your system vulnerable and open to attack.

  3. Training & Awareness

All members of staff within your organisation should be aware of their responsibilities when dealing with your company data. The implementation of an online programme of training that can be monitored and measured is certainly something to consider.

  4. Business Continuity Planning

When disaster strikes, whether fire, flood or a malicious attack on your IT systems, your business needs to be up and running again with the minimum of financial and reputational damage. A resilient Business Continuity plan, taking account of data security and ensuring regular back-up amongst other things, will provide peace-of-mind to your staff, stakeholders, suppliers and customers.

  5. Data Destruction

There will come a point when either the data, or the systems upon which it is held, are no longer required, but you can't just throw them away. If the data gets into the wrong hands, and the Information Commissioner's Office comes knocking at your door, the fact it is old and no longer of value to your business will be no defence. It's worth identifying a trustworthy provider of data destruction and IT equipment disposal services who can issue you with appropriate certification and documentation. It will mean you can demonstrate you have taken every possible step to ensure the security of your old data.

Friday, 17 December 2010

Are your employees involved & engaged? - Xmas special day 17

Your IT Security is only as strong as its weakest point. And, as we've said before, the weakest point is usually the human element.

A number of our recent blogs have touched upon the subject of involving and engaging your employees in your IT Security policies and processes. In those blogs, we've broadly explained why it's a good thing, but we thought a more detailed blog concentrating upon how you can get them involved, and the sort of things to consider when you do, would be helpful.

1. Help them to understand.

If your employees do not understand the importance of IT Security they almost certainly won't be able to appreciate the necessity of policies and procedures. In fact, they may see them as an imposition, a hindrance, or even something you've put in place just to catch them out. Negativity is counter-productive and something you really need to get past. So, how do you help them to understand? Read on.

2. Keep it simple.

How many times have you heard this before about so many things? Well, don't ignore it because it's very, very important in this context. For your purposes and those of your business, IT policies may need to be detailed, in-depth and highly technical. But overload and overwhelm employees and you will struggle to get them to understand. Try things like:

• Simple, one page, crib sheets about policies that directly apply to them and their particular roles;

• Practical, scenario-based training – don't grind them down with hours of PowerPoint presentations and technical jargon;

• Regular updates explaining what to look out for and what they should do or not do if faced with certain situations.

3. Make on-going training and awareness an essential part of your IT Security processes.

We've touched upon this in the point above. You need to train your employees, raise their awareness of issues and keep them updated with important changes and developments. Testing their knowledge and understanding on a regular basis is really important, but don't think exams and written tests.

Keeping things light-hearted and, dare we say it, FUN, is a great way to engage your employees. Setting a challenge to find 10 potential security breaches could be one approach.

4. Encourage input from your employees.

Let's say you are considering implementing a new password policy that requires every employee to have different passwords for each system they access. You could simply write it up and go ahead with it. No consultation, just straight to release.

But, if you haven't spoken to your employees and have failed to explore the practicalities of your proposed policy in the light of their working practices, how do you know it's workable? What if employees simply cannot remember every password, but you tell them they mustn't write anything down? What would the impact be upon your time and the time of other IT staff if there is a constant need to 'unlock' users and reset passwords? There's also a good chance it will cause resentment amongst your employees.

We're not suggesting you consult employees on every single detail, but they are the people using your systems. Not only can they tell you if certain policies are likely to work, they can also tell you when things don't seem to be functioning as they should and when there appear to be problems. This could be feedback – possibly an early warning of a major issue – that you could miss out on if your employees don't feel they have a voice.

5. Ensure buy-in.

It's great to encourage involvement but you need employees to really buy in to your policies and procedures. The best way to do this is to get them to sign up. By this we mean you should require them to sign acknowledgements that:

• They have read and understood what they have been told – this should be required every time there is a significant change in policy;

• They are aware that you expect them to follow policies and procedures;

• They acknowledge their responsibilities as a part of the process; and

• They are aware of the consequences of any failure to adhere to policy.

We can see this might seem slightly at odds with our suggestion that the process could be light-hearted and fun, but buy-in and sign-up are absolutely necessary. It's also the case that they bestow the element of importance upon the process. It's the only aspect that needs to be formal.

The fact is your employees need to understand your policies in order to apply them and to be aware of the consequences if they don't. You need them to sign-up to this because, much as you wouldn't want it to happen, you may have to take disciplinary or even legal action against an employee in the future. If you have nothing to demonstrate they had received training and understood their responsibilities, you could end up with no claim or case.

Whilst we've written this blog about involving your employees in your IT Security policies and procedures, the points above could equally well apply to all other areas of your business. Involve them and engage them, then get their buy-in by requiring them to sign up. It makes good business sense.

Thursday, 16 December 2010

Disaster Recovery Planning in a nutshell - Xmas special day 16

On 7th December 2010, we posted a blog called Business Continuity Planning in a nutshell. At the end, we promised a similar blog about Disaster Recovery Planning would be coming soon. Well, soon has come! This is it.

As we mentioned in the previous blog, a Business Continuity Plan focuses on all aspects of your business and seeks to put in place procedures to follow in the event of disaster. It will often include a Disaster Recovery Plan, which focuses specifically upon IT.

The first stage of Disaster Recovery Planning naturally mirrors the first stage of Business Continuity Planning. It includes:

  • Identifying the threats and risks;
  • Ascertaining the current level of preparedness;
  • Documenting normal operating policies and procedures;
  • Identifying all IT assets – equipment, software, etc. – and their location;
  • Listing all key IT equipment and service providers – e.g. online backup and disaster recovery support – and their contact details;
  • Distinguishing between the critical & non-critical IT functions and determining 'acceptable levels' of disruption;
  • Documenting the minimum and optimum technical requirements to ensure your business can function after a disaster – e.g. number of servers, PCs, software/applications, access to data, peripherals, etc.;
  • Deciding upon the key personnel and/or minimum staffing requirement to ensure critical IT functions can be carried out;
  • Listing the contact details of the key IT staff members;
  • Understanding the potential impact of disaster.

Disaster Recovery Planning is not a one-off process, in exactly the same way as Business Continuity Planning is not. Having written up your plan documenting the IT department's response in the event of disaster, you will need to ensure it is regularly reviewed and updated to take account of such things as changes in IT infrastructure (e.g. new servers), amendments to policies and processes (e.g. a move to Cloud-based services) and personnel changes.

Most importantly, any provisions you put in place should be tested, tested and tested again. If your backups could not be restored or technology switched from your primary location to a secondary location at a critical time, all your planning could be for nought and the disaster exacerbated.

To steal a line from the Scouting movement: Be Prepared.

To read Business Continuity Planning in a nutshell click here.

Wednesday, 15 December 2010

The BIG Threat? - Xmas special day 15

What would you say poses the biggest threat to the security of your systems and data?

- Viruses and Trojans?

- Hacking?

- Theft or vandalism?

- Malicious 'insider activity'?

- Failure to follow policies / procedures?

If you really think about it, the biggest threat is posed by people, because none of the above can happen without human involvement.

People aren't responsible for everything though!

We're not suggesting every threat involves people - there's no controlling the elements and not every leaking pipe or electrical fault will be down to poor installation – but when something goes wrong, there's often someone behind it.

You can't do anything about the people who pose the external threats, like virus attacks, hacking, burglary and vandalism. But what you can do is take steps to prevent those threats, or to make them difficult to carry out.

By regularly testing your systems for vulnerabilities, patching them and implementing robust IT security applications, you can reduce the possibility of a virtual attack.

To protect your systems from the physical threat, you can ensure any data is encrypted; minimise the amount of data held on desktops and laptops; consider locking portable equipment in secure fire safes; and protect your building's perimeter with CCTV, amongst other things.

When it comes to employees, there is much more you can do.

Are you saying my employees are bad people?

Let's be clear before we go on – we're not for one minute suggesting your employees knowingly or maliciously pose a threat to your business. Whilst this can happen, more often than not the threat arises through a lax attitude towards, or even an ignorance of, IT security.

However good your written policies and procedures might be, if people fail to adhere to them they may just as well not have been formulated.

So what can I do?

We've said it before, and we'll say it again, "Get them involved! Engage them in the process."

People learn and understand more by 'doing'. Encourage your employees to help you devise the policies and procedures. Incentivise them to highlight possible issues and threats. It doesn't need to be a financial incentive – praise is often sufficient!

The more they play a part, the more they understand. The more they understand, the more likely they are to want to see IT security policies adhered to.