How to deal with Internet security threats
How to use the Internet while staying secure has always been a concern for businesses. Over the last couple of years there have been many changes in the Internet threat scenario.
Most notably there has been a significant increase in the “access anywhere/anytime culture’ with a growth in social networking, a move to convergence solutions such as VoIP, a major increase in smartphone use, a growth in cloud computing, plus the consumerization of systems (i.e. the use of personal devices for company data).
The basics that companies need to protect themselves in today’s internet environment include:
Risk assessment/risk management
A risk assessment should be carried out BEFORE implementing additional aspects of internet use, to identify the risks and determine what, if anything, needs to be done to minimise them. It is important to regularly review all security policies. Recent history has shown that it is less expensive, easier and more efficient to deploy security at the beginning of any project than to try to “backfill” it. Oh yes, and it’s more secure!
Staff training
Educated staff are the first and main line of defence. Staff need to be brought on board, where security is concerned. The impetus needs to come from the top and be maintained.
Staying up to date
A basic and key way of staying secure is to make sure you rapidly deploy software updates, such as operating system and browser updates. Make sure too that patches, particularly security patches, are installed as soon as available.
Anti-virus/anti-spyware
As a first line of defense, users should be educated to not open unknown attachments, which are a common source of viruses and spyware, and to be very cautious about clicking on any links.
Anti-virus systems should be behavior-based and updated automatically in the background. Many anti-virus solutions also incorporate anti-spyware elements, to help cope with problems such as the theft of user names and passwords. Suppliers include Kaspersky Lab, VIPRE Business, Norton, McAfee and Symantec. Anti-spyware suppliers include Barracuda Networks and WebRoot. Free anti-spyware solutions, such as Spybot, are also available.
Firewalls
Firewalls are now almost universally deployed. All messages entering or leaving the network pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
A huge range of firewalls is available today from companies such as Check Point, Nortel, Nokia and WatchGuard. Firewalls are also available as part of a unified threat management appliance (UTM) or an extensible threat management (XTM) appliance, where a firewall is combined with other security functions, including (in many cases) web application firewalling (WAF), sometimes also known as deep packet inspection (DPI).
Authentication
The best way to prevent unauthorized access is through authentication.
Single factor authentication involves the use of passwords only, ranging from weak to complex. It has a number of insecurities and is highly vulnerable to the same password being used for multiple applications (including social networking), increasing the risk that your business applications security could be breached.
Strong two factor authentication comprises something you know (a password) and something you have (e.g. a hardware token, which can produce a time limited one time password, a soft token (for example a PIN sent to a mobile phone) or a swipe card). Companies including VASCO, RSA and CRYPTOCard provide strong two factor authentication solutions. While there are still risks with this approach, it provides significantly improved security at a comparatively low cost.
Biometric authentication, involving personal elements such as fingerprint or iris recognition, is more appropriate for high security applications, such as financial or defense.
Remote user security
Encrypted virtual private networks (VPNs), either IPsec or SSL, are the typical solution for secure branch to head office communications, for communications between companies and third parties such as suppliers, and for secure communications between remote/mobile workers and head office/branches. This should be done, using a minimum of two-factor authentication.
Branch offices can install low-cost remote UTMs which incorporate VPNs and these can be centrally administered, typically by the head office. Companies such as WatchGuard, Check Point and NETASQ provide remote, centrally manageable IPsec and SSL VPN solutions.
Another method of securing remote and mobile users is endpoint security (EPS). Coupled with central management, it can ensure that firewall, anti-virus and security patches are used. A range of solutions is available from companies such as Check Point, GFI Software, Kaspersky Lab and Citrix.
With the growth of remote working, managing the remote worker network securely has become increasingly difficult and costly. To complicate matters, many employees are using their own PCs, laptops and smartphones to link to the company.
This carries a significant risk of these devices being infected by spyware, etc. and introduced to the network. Additionally, data on them could be unprotected. Coupled with this, there is the high cost of providing, supporting, patching and managing company supplied devices.
One solution is for the employer to give the employee an allowance to buy their own PC or laptop and to supply them with a secure, hardware encrypted flash drive with embedded security software.
This creates a secure tunnel, stronger than an SSL VPN, between the remote worker’s PC and the applications on the home network. File transfer between the PC hosting the flash drive, and the corporate network, is strictly controlled. The use of applications and programmes too is subject to the applied security policy.
These types of solutions essentially provide a secure, virtual environment, irrespective of the security status of the users PC/Laptop. They include solutions from Check Point (Abra) and IronKey, as well as the different approach of virtual desktop infrastructure (VDI) from Citrix and VMware.
Smartphone growth presents another remote access security risk. Staff are increasingly using them to retrieve email and use other applications on the move.
But they remain largely unprotected and have the potential to put the whole network at risk through unauthorised access, particularly as they are so easily lost or stolen. Wi-Fi roaming out of the office, creates a number of security risks, including the risk of identity and security credentials being lost or stolen.
Because of the dangers, smartphones should be treated just like PCs, when it comes to securing them.
A lot can be done through carrying out a number of simple preventative actions. For example, use the PIN function to secure the phone, install data wiping facilities, employ time-out policies, and install GPS tracking so the phone can be located if stolen. Authentication to the network from smartphones is essential.
Specific smartphone security solutions are also available from suppliers such as Kaspersky Lab, Sipera, CRYPTOCard and Check Point.
Wireless security
The use of wireless has grown significantly in the last few years and is now endemic, with smartphones increasingly being used to connect to wireless.
Authentication is absolutely crucial in this environment and strong two factor authentication should be used for access to all confidential internal data, from wireless pcs, laptops and smartphones. Sensitive data should not be held on a smartphone or wireless laptops, unless encrypted.
IPSec or SSL encrypted VPNs should be used for all wireless communications between head office and remote locations, such as branch offices, mobile users or home workers.
When employees leave a company, and their access to wireless hasn’t been managed, then the risk of them causing problems through unauthorized access is significantly increased.
Wi-Fi roaming and Bluetooth are other risks, with many users leaving their devices Wi-Fi roaming and Bluetooth-enabled. This leaves them vulnerable to attacks resulting in access to the devices and the company network, particularly if authentication is not strong enough.
If your organization is using unencrypted wireless in the office, all the information held on your network can be at risk. If your existing solution supports WPA2 or even the discredited WEP encryption, switch it on (it will have arrived with the default off). It is a good idea to encrypt all relevant confidential files, data, internal e-mails and network attached storage (NAS).
Wireless security providers include companies such as Aruba Networks, Check Point, Ruckus, SonicWall, and WatchGuard.
Encryption (including laptop and smartphone encryption)
The easiest and most effective way of stopping sensitive and critical data being read by unauthorized personnel or outsiders is to encrypt it.
Loss or theft of data stored on laptops or smartphones is a particular problem.
However, this can be easily and inexpensively protected using comparatively low-cost encryption software for laptops from companies such as Pointsec, Utimaco and PGP, and specific mobile security software for smartphones.
The use of unified encryption management (UEM) means encryption can be easily managed across all data risk areas including desktops, laptops, PDAs, USB sticks, mobile phones and other removable media.
Author: Ian Kilpatrick, chairman of the Wick Hill Group.