

Assurity River Group
The employees of a small family business arrive at the office to find all the computer icons have been changed to pornographic images. Nothing else is damaged, but it is embarrassing and disconcerting all the same. A medium-sized business is hurt much worse when it is hit with the Nimda virus, causing a work stoppage and requiring the cost of outside help to remove the virus. What should you know, and what can you do, to keep your business from being attacked?
Because an investment in computer and network security doesn't immediately give a return on productivity or the bottom line, it tends to be ignored or put off. A question a small business asks is "why would anyone bother attacking us?" Attacks these days are not directed at any one person or company; they are automated and self-propagating. Once a machine is infected, the malicious code searches it for email addresses or IP (network) addresses and then uses that information to launch attacks against the next set of victims, so every infected machine becomes an attacker in turn. Programs that spread this way are called "worms", and the latest virus, Nimda, spreads exactly like this. What a business owner really needs to ask is: what is the cost of implementing security versus the cost of lost productivity, lost business, and repairing the damage? Once this question is asked, it quickly becomes apparent that the real question isn't whether to implement security, but rather how much security do I need.
Best practices: The first step in determining your security needs, and the start of any security policy, is a map of your network. This shows the assets that need protecting, usually your servers and workstations, but it should also show the doors in and out of your network. By knowing where viruses come in and the paths to your computers, the types and placement of security devices can be worked out and installed. One entrance point often overlooked by network administrators is modems on PCs. A modem can be used to bypass all of your security, because traffic over it never passes through the firewall; allowing modems and their use should be tightly controlled. The map is also useful as a running inventory of your computer infrastructure. There are a number of programs or document editors that allow you to draw out your network, and many help desks will ask for such a document to help isolate and troubleshoot a network problem.
After you've documented your network and assets, how do you protect them? There are basically three parts to securing your network from attack, AND YOU NEED ALL THREE!
Virus protection is the most widely thought-of first step. Antivirus programs scan the files coming into your system and compare them against a database of known viruses. The program should be set to start when the system first boots up. In addition to scanning incoming files, it should also periodically scan the files already on your system. This catches files that may have been loaded while the antivirus program was off for some reason, and checks the existing files against new virus definitions. The biggest mistake people make, once they have installed the program and determined they don't have any viruses, is that they forget to keep updating the virus definitions. It's not uncommon to find virus definition files two years out of date. The rate of new viruses is increasing, not decreasing, and by not updating the virus database you open yourself up to all the new and increasingly destructive viruses. Also, if you have an email server, you need specialized antivirus software for that as well, since most viruses are spread via email when a user opens an attachment with a virus implanted in it.
You must have a firewall. A firewall is like the locked front door with a peephole on your house: you can go out any time you want, but you get to check first whether you want to let the person on the other side in. A firewall denies outside access to the inside of your network while allowing your users to get out (and letting the replies to their requests back in). Attacks on a network generally take one of two forms: denial of service (the system is so busy handling the attack that it can't do production work) or an attempt to take over the system, whether to harvest confidential information or to deface your website. Blocking these is a separate function that antivirus software can't perform. The common misconception is that if you have antivirus software you don't need a firewall. The Code Red worm, the precursor to Nimda, wasn't caught by antivirus software at all, because it spread by attacking web servers directly over the network rather than arriving as a file to be scanned. Yet a firewall configured to deny incoming http (web) traffic would have prevented infection. Our company recorded thousands of http probes on our firewall during the Code Red and Nimda outbreaks. Firewalls range from free (software) to tens of thousands of dollars. They all have their place, but for a small business that doesn't host outside-accessible servers, expect to pay from $500 to $1000 for one with an inside and an outside interface and basic service. Options that increase the cost of a firewall are: more user licenses, extra interfaces (usually used for a DMZ, a separate network segment for the servers that must be reachable from outside), the ability to handle more IP addresses or ranges, VPNs (Virtual Private Networks) with encryption, web access filtering, finer-grained service filtering via ACLs (Access Control Lists), and better management and reporting capabilities.
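To make the door-and-peephole rule concrete, here is a small simulation of a default-deny inbound firewall. It is an added example written for this article, not code from any firewall product or from Assurity River Group: connections opened from inside are allowed and remembered, replies to them are let back in, and anything else arriving from outside is dropped and counted. The internal address range (192.168.1.x), the hosts, ports and the traffic itself are all constructed for the example.

```python
"""Default-deny inbound firewall policy, simulated in Python.

Added example; not from the original article or any firewall product.
Models the rule the article describes: inside hosts may open connections
outward and receive the replies, but connections that originate outside
are dropped unless a service has been deliberately opened to the world.
All addresses, ports and flows below are constructed for the example.
"""
from collections import Counter

INSIDE_PREFIX = "192.168.1."   # assumed internal address range


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


class StatefulFirewall:
    """Remembers connections opened from inside so that their replies
    can be let back in; everything else arriving from outside is dropped."""

    def __init__(self, allowed_inbound=()):
        # (proto, port) pairs opened on purpose, e.g. a public web server
        self.allowed_inbound = set(allowed_inbound)
        self.established = set()   # (proto, src, sport, dst, dport) opened from inside
        self.dropped = Counter()   # dropped inbound attempts, keyed by (proto, dport)

    def check(self, proto, src, sport, dst, dport):
        """Return "ALLOW" or "DROP" for one packet/flow."""
        if is_inside(src):
            # Outbound (or inside-to-inside): always allowed, and remembered
            self.established.add((proto, src, sport, dst, dport))
            return "ALLOW"
        # Inbound: is this the reply to something an inside host started?
        if (proto, dst, dport, src, sport) in self.established:
            return "ALLOW"
        # Inbound: has this service been deliberately exposed?
        if (proto, dport) in self.allowed_inbound:
            return "ALLOW"
        # Otherwise it is an unsolicited connection attempt: drop and count it
        self.dropped[(proto, dport)] += 1
        return "DROP"


# Constructed traffic: a user browsing out and the reply, a DNS lookup and
# its answer, and three unsolicited inbound probes of the kind a worm
# scanning for web servers generates.
FLOWS = [
    ("tcp", "192.168.1.10", 40000, "203.0.113.5", 80),    # user opens a web page
    ("tcp", "203.0.113.5", 80, "192.168.1.10", 40000),    # the web server's reply
    ("udp", "192.168.1.10", 5353, "203.0.113.53", 53),    # DNS query out
    ("udp", "203.0.113.53", 53, "192.168.1.10", 5353),    # DNS answer back
    ("tcp", "198.51.100.7", 1033, "192.168.1.10", 80),    # inbound probe at port 80
    ("tcp", "198.51.100.9", 2048, "192.168.1.11", 80),    # another port-80 probe
    ("tcp", "198.51.100.9", 2049, "192.168.1.11", 139),   # probe at a file-sharing port
]


def evaluate(flows, allowed_inbound=()):
    """Run the flows through a fresh firewall; return (decisions, firewall)."""
    fw = StatefulFirewall(allowed_inbound)
    decisions = [fw.check(*flow) for flow in flows]
    return decisions, fw


if __name__ == "__main__":
    decisions, fw = evaluate(FLOWS)
    for flow, verdict in zip(FLOWS, decisions):
        print(verdict, flow)
    print("dropped probes by port:", dict(fw.dropped))
    # A business that hosts its own public web server has to open port 80,
    # and then the same probes reach that server: only patching protects it.
    open_web, _ = evaluate(FLOWS, allowed_inbound={("tcp", 80)})
    print("with port 80 opened:", open_web)
```

The second run in the block is the caveat that matters for a business that does host a public web server: once port 80 is deliberately opened (normally to a DMZ), the firewall passes the same probes through to that server, and keeping the server patched is what prevents infection.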
Update your server and PC software. This is probably the hardest thing to do. Every version of every operating system, and most user software, is vulnerable to some form of attack, and software companies constantly release patches to close off these vulnerabilities. Make a list of all the operating systems, browsers, and server software you have, and record the version and patches installed on each system. Subscribe to one of the major antivirus companies' newsletters or the SANS newsletter; they carry information on the latest problems and the patches that resolve them. New equipment is purchased all the time and usually comes with different versions of the same software that is on your other systems, and newer software with newer capabilities frequently opens up new vulnerabilities. Microsoft was still beta testing XP when reports of vulnerabilities started coming in. If possible, standardize on the operating system and programs that run on your network. Tracking and updating a standardized setup is much easier than analyzing different systems one by one to figure out what needs to be fixed.
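The inventory the last two sections ask you to keep (operating system and version, patches installed, and age of the virus definitions on each machine) is only useful if something compares it against the standard build. The following is an added example of that comparison, written for this article and not taken from any vendor tool: every host, product name, version string, patch identifier and the seven-day definition-age policy are made up for the example, and a real baseline would list the vendor's actual patch identifiers.

```python
"""Patch and virus-definition audit against a standard build.

Added example; not from the original article.  It is the check behind the
article's advice: keep a list of every system with its OS, patches and
definition date, standardize on one build per role, and compare each host
against that baseline.  Every host, product name, version and patch ID
below is made up for the example.
"""
from datetime import date

# Assumed standard build per role and the patches each must carry.
BASELINE = {
    "workstation": {"os": "ExampleOS 5.1", "patches": {"P-001", "P-002", "P-003"}},
    "mailserver":  {"os": "ExampleOS 5.0", "patches": {"P-001", "P-004"}},
}
MAX_DEFINITION_AGE_DAYS = 7          # assumed policy for antivirus definition age
AUDIT_DATE = date(2001, 9, 21)       # the day this constructed audit is run

# Constructed inventory, the running list the article tells you to keep.
INVENTORY = [
    {"host": "ws01",  "role": "workstation", "os": "ExampleOS 5.1",
     "patches": {"P-001", "P-002", "P-003"}, "av_defs": date(2001, 9, 20)},
    {"host": "ws02",  "role": "workstation", "os": "ExampleOS 5.1",
     "patches": {"P-001"},                   "av_defs": date(2001, 9, 20)},
    {"host": "ws03",  "role": "workstation", "os": "ExampleOS 4.0",
     "patches": {"P-001", "P-002", "P-003"}, "av_defs": date(1999, 11, 2)},
    {"host": "mail1", "role": "mailserver",  "os": "ExampleOS 5.0",
     "patches": {"P-001", "P-004"},          "av_defs": date(2001, 9, 18)},
]


def audit(inventory, baseline, today, max_age_days=MAX_DEFINITION_AGE_DAYS):
    """Compare each host to the baseline for its role.

    Returns a list of (host, finding) pairs; an empty list means every host
    matches its standard build, carries every required patch, and has
    fresh virus definitions."""
    findings = []
    for h in inventory:
        std = baseline.get(h["role"])
        if std is None:
            # A machine nobody wrote a standard for is itself a finding
            findings.append((h["host"], "no baseline defined for role %s" % h["role"]))
            continue
        if h["os"] != std["os"]:
            findings.append((h["host"], "non-standard build %s (baseline is %s)"
                             % (h["os"], std["os"])))
        missing = std["patches"] - h["patches"]
        if missing:
            findings.append((h["host"], "missing patches " + ", ".join(sorted(missing))))
        age_days = (today - h["av_defs"]).days
        if age_days > max_age_days:
            findings.append((h["host"], "virus definitions %d days old" % age_days))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, BASELINE, today=AUDIT_DATE):
        print("%-6s %s" % (host, finding))
```

Run as shown, the audit reports ws02 as missing two required patches and ws03 both as a non-standard build and as having definitions nearly two years old, while ws01 and mail1 pass. A host whose role has no entry in the baseline is reported as well, because an undocumented machine is exactly the one that gets forgotten at patch time.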
If this all seems a bit daunting, it is. This can be especially tough for small to medium-sized businesses. You have all the same software, hardware and issues a large business has, but not enough demand to justify a full-time systems administrator. For a part-time systems administrator who wasn't trained for the role in the first place, trying to recall six months down the line just what you did and how you did it can be frustrating and time-consuming.
Consider a part-time consultant. By doing these tasks for many customers, he or she stays current on information and skill sets. After the initial setup, you should have regular maintenance visits to keep your security up to date. Use the consultant's expertise to troubleshoot problems such as no access to a resource or slow response. Keep in mind that no one person can be an expert on all of this: large companies will have a dedicated email administrator, web server administrator, regular systems administrator, and security administrator. But a consultant should be able to tell you in which portion of the computer infrastructure the problem resides and be able to research it. If it isn't a known problem, then the consultant should know the right information to gather and the right help desk to call.
You probably don't skimp on the locks to your house, so why would you skimp on the locks to the business that pays for your house?