The biggest threat to your company’s network security isn’t some mysterious hacker
crafting digital attacks from halfway around the world. Nope. It’s Dan in sales or
Michelle in accounts receivable. Employees are by far the most common, if inadvertent,
conduits malware takes to breach security defenses and wreak havoc on your network.
Chris Winn, strategic security adviser at Microsoft, walked us through a short history
of how employee behavior affects business networks. It began when workers started
clicking on e-mail attachments. “E-mail is the primary vector into a company network,”
said Winn. “Initially, hackers did this to slow down a network or to bring down the
network altogether.”
Over time, the hacker’s motivation moved from merely disruptive to a moneymaking
venture. The technology changed too, with the proliferation of USB thumb drives – a
device that provided quick and simple way to steal data from a PC.
“Hackers would embed the drives with keylogger software and other
viruses, and pass them out for free at trade conferences and events,” said Winn. People
took them to work and plugged the drives into their PCs not knowing they were infecting
their computers. “The keyloggers would steal people’s usernames and passwords,” said
Winn.
According to December 2007 Microsoft Security Intelligence Report, the number of
trojan downloaders
and droppers (i.e., forms of malware) increased by 300
percent in the second half of 2007. Winn also said the report found that malicious
software is the tool-of-choice criminals use for targeting computers.
With the increase in mobile workers, the thumb drive has become popular data-theft
device in public places such as coffee shops. “You go into the shop and turn on your
laptop to check your e-mail,” said Winn. “Then you go stand in line to get your coffee.
While you’re distracted, someone pops a thumb drive into your laptop and you’re none the
wiser.”
Being from Microsoft, Winn naturally pointed out a feature within Vista that addresses
this particular issue. “Vista added controls that let you prohibit the unauthorized use
of USB drives,” he said. “A short process lets you register an unlimited number of
individual drives for use on a given PC. However, the computer will not recognize an
unregistered thumb drive.”
Merry Phishmas
Phishing schemes
are another prevalent scam that hackers use to gain personal data and financial
information. What you and your employees may not know, said Winn, is that phishing is
cyclical.
“You’ll see a dramatic increase in phishing e-mail around the holidays,” said Winn.
“These e-mails look like they’re from your bank, PayPal or EBay for example. They
typically ask you to click on a link in the e-mail, which then takes you to a Web page
where you’re supposed to “update” your username, password and other personal
information.”
Training your employees about the nature of phishing, what to look for and, above all,
not to click on links within e-mail, helps keep your company’s critical data – and your
employees’ personal data – out of the hands of criminals.
Winn recommends the phishing filters found in Web browsers or as part of third-party security software
applications. Filters work by accessing a black list of known phishing sites. As you
browse from one site to another, the filter will tell you whether any given site is safe
or not. For example, the address bar in the Internet Explorer 7 browser will flash red if
the site is on the blacklist.
Winn said that Microsoft has been working with partners for the past two years on the
Extended Validation Certificate, which he said, is registered with VeriSign and provides a level of authenticity. “On a site
with the certificate, the browser bar turns green ‑ the highest level of assurance,
which is helpful especially when you’re making transactions online,” Winn said.
The program has been active for just one year, and Winn said it would take time for it
to catch on with e-commerce sites.
Winn offered other recommendations to improve your network security.
- Educate yourself about the types of threats out there, and then
educate your employees about how their actions can enhance or jeopardize network
security. - Look at security as a whole: look closely at how you protect your
existing infrastructure including servers, desktops, notebooks and handheld mobile
devices. - Be sure to have full malware protection that includes antvirus,
antispyware and antiphishing software (typically available as a full suite form a
variety of security vendors. - If you have remote employees make sure their notebooks, desktops
and mobile devices meet your security requirements. Do you let them use their home
computers to access the network over a VPN? That could infect your
entire network. - Microsoft’s Network Access Protection or NAP (or Cisco’s
similar NAC
technology): This layer of security scans any device attempting to access your network.
If the device does not meet security standards (the antivirus software is out of date,
for example), it’s not allowed access and can be quarantined until it meets the
standard.
Article courtesy of Small Business Computing
