Ann Arbor Area Business Monthly
Small Business and the Internet
10 Habits of Secure Businesspeople II
By Mike Gould
Here is a continuation of last month's article, picking up from the cliff-hanger ending. Recap: the Internet has dangers, times are parlous, criminals are evil, The Cloud leaks, etc., etc., yadda yadda. Onwards with security habits 6 - 10.
6) Secure Delete
So you finally decide to update that 5-year old computer that keeps breaking things (and you know who you are - names withheld to protect the guilty). You successfully transfer all your data, erase your old hard drive (after verifying all the data made it into its new home on the digital prairie), and donate the remains to a recycle center. Done, right? Well, no. That old erased drive still contains your data, it's just not visible to casual inspection. Erasing files doesn't remove them, it just removes their entries from the drive's directory system. Anyone who buys/steals/recovers your old computer can run inexpensive software to recover your data - passwords, email addresses, customer lists, and all.
The solution is to over-write the data on the drive using secure delete software. This replaces all the ones and zeroes that make up your sensitive files with all ones or all zeroes, effectively making your info impossible to recover. I can't give specific software recommendations here due to the variety of systems out there, but STFW (Search The Fine Web): the wares are there.
Of course, if the data is extremely sensitive, you can remove the drive and physically destroy it: drill holes into it, cut it in half with a band saw, run over it with a truck, shoot it with your Glock, etc. ("Say hello to my little data destroyer..." - don't try this at home).
7) Avoid Social Engineering Attacks
Social Engineering is a term coined by hacker Kevin Mitnick and it refers to loss of security due to someone calling up your receptionist and, posing as a network admin, telling them that "We're working on your account and need your password to test the muffler bearing" or words to that effect. This also happens with spear phishing attacks. Spear phishing refers to security attacks via email where the sender seems to be that trusted guy Joe who works downstairs in the furnace room keeping the network running. The actual sender is Joe the Evil Hacker who has faked ("spoofed") the real Joe's email address so the email appears legit.
This sort of thing can only be combated by training everyone in your organization as to the realities and dangers of giving out passwords via the phone or email. In short, a real network admin will NEVER ask for passwords via email, and rarely by phone. If you get a message like this, report it immediately to your computer support person or admin.
8) Cookie Management
A very, very long story - see URL below for this. Short story: cookies are little pieces of code that web sites store on your computer to enable them to do a bunch of things, most commonly remember you the next time you visit the site. If you log into a site and are given the opportunity to login automatically the next time you come back, this bit of info is stored in a cookie. That way you don't need to sign in every time you visit the site, which can be very convenient. But remember that security is always a trade-off with convenience, so there is a price to be paid.
Cookies can be used to track your path as you browse the internet and that information (which sites you have visited) can be used to target you with ads. This opens you up to invasions of your privacy and the exposure of other things that you might not wish to share with others, especially marketers. The partial solution is to limit the sites you allow to give you cookies; this can be done within your browser's security settings. I have mine (Safari) set to block cookies from third parties and ask websites not to track me. Still grappling with this...
9) Use a VPN
A Virtual Private Network (VPN) is a way to communicate with another network using encrypted data (an over-simplification, but will do for this discussion). In other words, if you access your company's network from the road, say via the WWW using HTTP, the standard Web protocol, your communications are sent back and forth in the clear, i.e., non-encrypted. This means anyone who has tapped into your wireless communications via a man-in-the-middle attack (see last month's article) can grab your login information and get into your company's network to loot and pillage.
Hopefully, if your company has a server and a network to get to it, it also has a VPN mechanism so that your on-the-road logins are handled with end-to-end encryption, which means that any intercepted data is gibberish. If you need to access your server from the road, this is a must - anything else is playing with unsecured fire. Your network admin can fill you in on the details, and your mileage may vary. This is also a must if you log into your home computer while on the road: encrypted communication is your friend - don't leave home without it.
10) Get a Security Audit
But don't take my word for it: if security is important to your business, it is probably worth the expense of getting a proper computer security audit from an expert. A quick Google search should turn up a local company who can test your VPN, train your employees, and evaluate your backup and other procedures. If you deal with sensitive health information, government contracts, or other high-risk data, this is a no-brainer to keep you and your data safe.
Cookie info: http://www.cookiecentral.com/faq/
Mike Gould still feels reasonably secure, was a mouse wrangler for the U of M for 20 years, runs the MondoDyne Web Works/Macintosh Training/Digital Photography mega-mall, builds laser display devices, performs with the Illuminatus 3.0 Lightshow, and welcomes comments addressed to email@example.com.