A recent audit of 4,000 UK firms found the average office PC contains
20 pieces of spyware, including system monitors and trojan horses,
that could put confidential data at risk. And according to Webroot,
the company that performed the testing, consumers are even worse off,
with an average of 26 potentially malicious pieces of malware. Where
is all this spyware coming from?
It was always suspected, but a source has now reported that practically ALL porn
sites (98%) use some kind of spyware to track visitors.
To make things worse, 15% of the sites launch porn dialers that will cost
organizations even more by running up costs for long-distance phone
numbers. Browser hijacks, a real resource killer with their pop-up ads and
bandwidth consumption, are used in 95% of the cases. New
variants appear constantly, and can bring a PC to a standstill. Even if
the real numbers were only half of these claims, this would still be a
security problem.
There are products just being released that are designed to protect your
network against spyware. Give us a call if you would like more information.
Joe Tartaglia / High Caliber Solutions
If there are any topics you would like to see discussed in the future or
if you have any comments, please contact me at
JoeT@HighCaliber.com
Backing up laptops can present a daunting challenge. After all,
backup policies, operations and management of distributed systems
are difficult, even under the best of circumstances. Here are
some steps that can be followed to back up laptops more effectively:
Define scope and business strategy. Backing up everything
stored on every laptop your firm owns would accomplish the goal of
protecting critical mobile data, but at a heavy cost. A more practical
strategy is to find a solution that meets business, financial and
technical goals. How many users should really be covered? What
data actually needs protection? Is the data unique or do
copies of the data reside on protected servers? Where do the users
live? Are they truly remote or do they travel out of the home office?
What type of network access do these users have -- broadband or
dial-up? Answering these questions will determine the real need and
provide you with a blueprint for the appropriate solution.
Given the cost and administrative effort of backing up numerous
distributed systems, it's also worth considering Internet-based backup
services. A backup service may look pricey at first glance, but could
actually be a bargain on a total cost of ownership (TCO) basis.
Link data protection with laptop security. Backup is critical,
but you also want to protect your assets against theft and minimize damages
if a laptop gets stolen. Engrave laptops with company names and serial
numbers, password-protect laptops at the BIOS and system level and encrypt
file systems or critical directories. For the most critical-use laptops,
consider physical locks and cables from Kensington or Kryptonite as well
as alarms and tracing services from companies such as Caveo, Targus and TrackIT.
Train administrators and users. If you decide to administer a
solution on your own, make sure that administrators and help desk personnel
are well trained and can spot and remedy problems as they arise. This not
only involves product training, but also means understanding user requirements,
business processes and IT methodologies. Users should monitor backups,
report problems and help IT improve their backup processes through regular
feedback. On the security side, it's up to laptop owners to be attentive to
security and use common sense to protect their systems and the mission-critical
data they contain.
Develop a process for laptop replacement. Inevitably, even the
most meticulous data protection efforts can't prevent the occasional laptop
theft or damage. What happens when your best salesperson's laptop dies on a key sales
call at the end of the quarter? The key here is to assess the business need. Keep
a spare on site to overnight to remote users who need immediate replacement and
make sure you can rebuild the laptop and files so you can ship a bootable,
no-hassle system.
Laptops are important pieces of your overall IT infrastructure, so data
protection can be just as important for mobile devices as it is for
back-end systems. To adequately protect the potentially massive
amounts of data stored on these devices, firms must acknowledge the
importance -- and risks -- of mobile computing tools and start building
processes to protect their data.
Online low-lifes have developed phishing emails capable of automatically stealing
bank log-in details without requiring users to click on a link, according to
email filtering firm MessageLabs.
Back in November, MessageLabs monitored a small number of these dangerous new
emails, which are capable of sidestepping the need for user intervention in
phishing attacks. Users who simply open maliciously constructed emails can be exposed
to risk. These emails contain scripts that automatically redirect users to a
fraudulent website the next time they attempt to access their online
banking account, enabling their log-in details to be stolen. So far,
MessageLabs has only intercepted copies of emails targeting three Brazilian
banks, but if the technique catches on it could have potentially serious
consequences.
How can you defend yourself? Disabling Windows Scripting Host
protects you from this particular type of phishing attack.
Alex Shipp, senior anti-virus technologist at MessageLabs, said: "By
reducing the need for user intervention, the perpetrators are making it
easier to dupe users into handing over the contents of their bank accounts.
Most banks have advised their customers to be wary of any email asking for
personal banking details, but in this case all they have to do is open an
apparently innocent email and their bank details could be silently
sabotaged.
"We currently detect between 80 and 100 new phishing websites a day, showing
just how prolific the threat has become. It is a moving target, making it
harder to identify and defend against," he added.
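One defensive check for the scripted emails described above, as an added Python example that is not from MessageLabs or this newsletter: it parses a raw message and reports inline script blocks in HTML parts and attachments with Windows Script Host extensions, so a mail gateway could quarantine them before a user opens them. The two messages are constructed samples.

```python
import re
from email import message_from_string

# Windows Script Host and related extensions that run as scripts when opened.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def find_script_content(raw):
    """Return findings for one raw RFC 822 message; empty means nothing found."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTENSIONS):
            findings.append("script attachment: " + name)
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html" and SCRIPT_TAG.search(text):
            findings.append("inline <script> in HTML body")
    return findings

# Constructed sample: HTML body with a script block plus a .vbs attachment.
SUSPECT_MAIL = """\
From: alerts@example.invalid
Subject: Account notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Please review your statement.
<script language="VBScript">' (script body omitted in this sample)</script>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.vbs"
Content-Disposition: attachment; filename="statement.vbs"

' placeholder attachment body
--b1--
"""

# Constructed sample: plain-text message with no active content.
BENIGN_MAIL = "From: colleague@example.invalid\nSubject: Lunch\n\nNoon at the usual place?\n"
```

Run `find_script_content` over each message as it arrives; a non-empty list is the signal to quarantine or strip the part.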
Government regulations require healthcare companies and financial
service firms to save all email messages to and from their employees.
Email archiving is a standard feature in many commercial email server
systems, most notably Microsoft Exchange. This feature is available
"out of the box" with these systems. If your company uses Microsoft
Exchange Server and needs to archive email, it's a simple process
to enable the feature.
Email archiving poses some interesting technical and security
challenges. Of course, there's the obvious issue of determining
what to archive. Do you archive all email traffic? What about junk
email and nonbusiness-related interoffice email? Consider the
tremendous storage requirements for large companies even when
excluding these categories. And don't discount the security
implications of having a large, detailed email archive for an
entire organization in the first place.
Outsourced email archiving may be the answer for many small to
mid-sized organizations. But again, organizations must address the
security concerns of the archive itself both from within the organization
using the archive and the outsourced company providing it.
Another important issue is whether an organization even knows it's supposed
to be archiving email. Even small medical practices should be archiving email
messages, but few are aware of this requirement, and even fewer have their
own email servers.
In my opinion, it's also important for organizations that implement email
archiving to make employees aware that the practice exists. The content of
nonbusiness-related email often changes quickly once people know the
organization is archiving their email.
Archiving email is a tricky undertaking. There's obviously a need for it,
particularly to comply with legal requirements. But how companies can
implement it effectively and securely is a complex matter. Companies that
are required to implement email archiving often discover that email
archiving poses its own cost and security problems.
When creating a disaster recovery plan, the first thing you need to do is to
determine your recovery point objective (RPO) for critical applications and
data. By this I mean: how much data can you tolerate losing and not having
access to? If you can tolerate the loss of 10 minutes of data, then your RPO
is 10 minutes. If you cannot tolerate any loss of data, then your RPO is zero.
Next, you need to figure out your recovery time objective (RTO), which
means how quickly you need to have access to your data. Note that your RTO
and RPO do not have to be the same and that they may differ by application.
The only way to arrive at RPO and RTO is to ask yourself as an organization
how much financial risk you are willing to take: How expensive will it be
to recreate x minutes of lost data? What is the probability that this amount
of data could be lost? How long can your organization afford to be without
access to vital data? What would the financial impact be if your firm could
not access vital data for x minutes?
At some point, after weighing potential risk and costs to minimize that risk,
you will arrive at figures for RPO and RTO. The answers to these questions
will be different for different classes of data. Real-time financial
transactions are probably much more "valuable" than Word documents
containing in-house memos.
Once you know these two metrics, you can decide if real-time replication
of data will be required or if some less complex/costly data protection
solution will suffice. If RPO and/or RTO for certain critical data are low,
real-time mirroring of this data to an offsite data center will probably be
required.
A chart similar to the one below might help you inventory all of your
critical data and assign appropriate RPOs and RTOs for each. You
might want to sort the data by importance.
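An inventory of that shape, as an added Python example rather than the article's own chart: each data class carries its importance, RPO and RTO, the cheapest protection option that meets both objectives is chosen, and the single-incident exposure gives a figure to weigh against the option's cost. The data classes, cost figures and tier thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class DataClass:
    name: str
    importance: int            # 1 = most important; the inventory is sorted on this
    rpo_minutes: int           # minutes of data loss the business can tolerate (0 = none)
    rto_minutes: int           # minutes without access the business can tolerate
    cost_per_lost_minute: float   # cost to recreate one minute of lost data
    cost_per_down_minute: float   # cost of one minute without access to the data

# Assumed protection options, most to least costly, with the RPO/RTO each can meet.
# The minute figures are illustrative assumptions, not vendor guarantees.
TIERS = [
    ("real-time mirroring to an offsite data center", 0, 15),
    ("hourly snapshot replication", 60, 240),
    ("nightly tape backup", 1440, 2880),
]

def choose_tier(dc):
    """Pick the least costly option that meets both objectives for one data class."""
    for name, rpo_met, rto_met in reversed(TIERS):
        if rpo_met <= dc.rpo_minutes and rto_met <= dc.rto_minutes:
            return name
    return TIERS[0][0]   # nothing cheaper suffices; fall back to real-time mirroring

def single_incident_exposure(dc):
    """Money at risk in one incident when protection exactly meets RPO and RTO."""
    return dc.rpo_minutes * dc.cost_per_lost_minute + dc.rto_minutes * dc.cost_per_down_minute

def inventory(classes):
    """Rows of (name, RPO, RTO, chosen option, exposure), sorted by importance."""
    return [(d.name, d.rpo_minutes, d.rto_minutes, choose_tier(d), single_incident_exposure(d))
            for d in sorted(classes, key=lambda d: d.importance)]

# Constructed sample inventory; the costs are placeholders to be replaced with real figures.
SAMPLE = [
    DataClass("in-house memos (Word documents)", 3, 1440, 2880, 1.0, 0.5),
    DataClass("real-time financial transactions", 1, 0, 15, 500.0, 2000.0),
    DataClass("customer order database", 2, 60, 240, 50.0, 100.0),
]

if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print("%-36s RPO=%5d RTO=%5d  %-45s exposure=%.0f" % row)
```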