The DataGuard Data Protection Newsletter
October, 2005



Welcome!

If there are any topics you would like to see discussed in the future or if you have any comments, please contact me at JoeT@HighCaliber.com



Bullet Points

  • How Far Away Should Your DR Site Be?

    Numerous factors should be taken into account when deciding what the distance should be between your primary site and your disaster recovery (DR) site:

    • Threats and probabilities. The selection of an alternate location should be based on the type of threats your organization could be exposed to. For instance, if fire presents the highest risk, a remote site across a campus may be fine. Conversely, an increased risk of a widespread disaster, such as a hurricane, will dictate much greater distances between sites. Statistical data can provide guidance in establishing the probability of occurrence.
    • Risk tolerance. Potential risks can also include widespread power grid failure (2003 blackout), wide-area weather phenomena (Katrina), etc. An organization must assess risk based on existing threats and vulnerabilities measured against probabilities. Because risk can be mitigated but rarely completely avoided, a decision must be made as to what represents a risk that is tolerable to the business.
    • Potential losses vs. cost of resilience. This is probably the most important factor to consider. The cost of establishing and maintaining a remote site should never exceed the potential losses incurred if you didn't have that remote site.
    • Recovery Time Objective (RTO). The RTO will dictate whether a remote or alternate recovery site is required for a specific service. An RTO will also help determine whether failover to a replicated environment (hot site) is required or space to accommodate recovery is sufficient (cold site).
    • Remote site accessibility. Serious consideration must be given to the way applications and data at the remote site will be accessed by business units and end users. Lack of network bandwidth or accessibility may render the remote storage equipment useless.


  • What Can Be Learned From Katrina?

    http://www.continuitycentral.com/feature0245.htm


  • Did You Know?

    Some disturbing facts:

    • Worms and viruses hit a record level in January 2003, numbering close to 20,000 and causing more than $8 billion in damage worldwide.
    • In a recent crime survey, 85 percent of respondents had experienced computer viruses, 70 percent had some form of Web site vandalism, and 12 percent had some form of theft of transaction information.
    • Forty-one percent of Fortune 100 firms see spending money on business continuity management as a priority to ensure compliance with government regulations.


  • Keeping Kids Safe Online

    Children present unique security risks when they use a computer -- not only do you have to keep them safe, you have to protect the data on your computer. By taking some simple steps, you can dramatically reduce the threats.

    When a child is using your computer, normal safeguards and security practices may not be sufficient. Children present additional challenges because of their natural characteristics: innocence, curiosity, desire for independence, and fear of punishment. You need to consider these characteristics when determining how to protect your data and the child.

    It is easy to think that just because your child is typing up an essay or doing some basic research online, there is no danger. But what if, when saving a document, the child deletes a program file? Or what if they unintentionally visit a malicious web page that infects your computer with spyware? Mistakes happen, but the child may not realize what they've done or may not tell you what happened.

    Online predators present another significant threat to children. Because the nature of the internet is so anonymous, it is easy for people to misrepresent themselves and manipulate or trick others. Children are usually open and trusting, making them easy targets. The threat is even greater if a child has access to email or instant messaging and/or visits chat rooms.

    What can you do?

    1. Be involved - Consider activities you can work on together, whether it be playing a game, researching a topic you had been talking about (e.g., family vacation spots, a particular hobby, a historical figure), or putting together a family newsletter. This will allow you to supervise your child's online activities while teaching good computer habits.
    2. Keep your computer in an open area - If your computer is in a high-traffic area, you will be able to easily monitor computer activity.
    3. Set rules and warn about dangers - Make sure your child knows the boundaries of what they are allowed to do on the computer. These boundaries should be appropriate for the child's age, knowledge, and maturity, but they may include rules about how long they are allowed to be on the computer, what sites can be visited, what software can be used, and what tasks or activities they are allowed to do.
    4. Monitor computer activity - Be aware of what your child is doing on the computer, including which web sites they are visiting. If they are using email, instant messaging, or chat rooms, try to get a sense of who they are corresponding with.
    5. Keep lines of communication open - Let your child know that they can approach you with any questions or concerns about behaviors or problems they may have encountered.
    6. Consider partitioning your computer into separate accounts - Most operating systems (including Windows XP, Mac OS X, and Linux) give you the option of creating a different user account for each user. If you're worried that your child may accidentally access, modify, and/or delete your files, you can give them a separate account and decrease the amount of access and number of privileges they have.
    7. Consider implementing parental controls - You may be able to set some parental controls within your browser. For example, Internet Explorer allows you to restrict or allow certain web sites to be viewed on your computer, and you can protect these settings with a password.
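    As an added example (not part of this newsletter), the script below shows what step 6 amounts to on Unix-like systems such as Mac OS X and Linux, where every file carries owner/group/other permission bits: once your child has their own account, the only remaining question is which of your files that account can still read or change. The script builds a constructed sample home directory, lists every file or folder another local account could read or write, and then tightens them to owner-only. The function names (find_exposed, lock_down) and the sample files are the example's own assumptions. Windows XP uses access control lists rather than these bits, so this particular check does not apply there.

```python
import os
import stat
import tempfile

# Mode bits that grant access to accounts other than the owner. On a shared
# family machine where each person has their own account, any of these set on
# a parent's files means the child's account could read or change them.
OTHERS_CAN_READ = stat.S_IRGRP | stat.S_IROTH
OTHERS_CAN_WRITE = stat.S_IWGRP | stat.S_IWOTH


def exposure(mode):
    """Classify permission bits: 'writable' (other accounts may change it),
    'readable' (other accounts may only read it) or None (owner only)."""
    if mode & OTHERS_CAN_WRITE:
        return "writable"
    if mode & OTHERS_CAN_READ:
        return "readable"
    return None


def find_exposed(root):
    """Walk root and return sorted (relative path, exposure) pairs for every
    file or directory that another local account could read or write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own bits do not matter; its target is checked separately
            level = exposure(stat.S_IMODE(st.st_mode))
            if level is not None:
                findings.append((os.path.relpath(full, root), level))
    return sorted(findings)


def lock_down(root):
    """Strip group/other bits from everything find_exposed reports, keeping
    only the owner's own bits (0700 for directories, 0600 for plain files).
    Returns the number of entries changed."""
    changed = 0
    for rel, _ in find_exposed(root):
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & 0o700)  # keep owner bits only
        changed += 1
    return changed


def build_sample_home():
    """Constructed sample (hypothetical data): a parent's home directory with
    one private file, a Documents folder left readable by everyone, and one
    file inside it that anyone on the machine could overwrite."""
    home = tempfile.mkdtemp(prefix="parent_home_")

    def write(path, mode, text):
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)  # set explicitly so the umask does not matter

    docs = os.path.join(home, "Documents")
    os.mkdir(docs)
    os.chmod(docs, 0o755)
    write(os.path.join(docs, "notes.txt"), 0o644, "shopping list")
    write(os.path.join(docs, "taxes.txt"), 0o666, "2005 return draft")
    write(os.path.join(home, "private.txt"), 0o600, "account numbers")
    return home


if __name__ == "__main__":
    home = build_sample_home()
    for rel, level in find_exposed(home):
        print(f"{level:8} {rel}")
    print(f"fixed {lock_down(home)} entries; remaining: {find_exposed(home)}")
```

    Run it as the parent account; on the sample tree it reports the Documents folder and both files in it, fixes all three, and finds nothing on a second pass. Pointing find_exposed at your real home directory (without calling lock_down) is a harmless way to see what a second account on the machine could reach.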


  • Free File Unerase Tools

    For those times when you wish you hadn't hit the Del key.



Social Engineers - How They Steal Information

The term "social engineer" refers to someone who, instead of using technical and programming skills to break into computer systems, uses people skills. The easiest way to "get in" on a computer or network is to log on with a valid user account and password, and social engineers have mastered the art of tricking people into giving them that sensitive information.

A social engineer is just an updated version of a very old type of criminal: the con artist. Social engineers con users into giving them information just like old time con men talked people into giving them money or goods. They may turn on the charm and flatter you, or they may come on strong and intimidate you. A common social engineering ploy is to call up an employee in a company and pretend to be from the IT department, claiming your account has gotten "messed up" and IT needs to "verify" your password or else you won't be able to log on to the network. Another tactic is to storm up to an employee's desk, pretending to be the company's new "head of security," and accuse him or her of releasing a virus onto the network or hacking into the big boss's files, then demanding the user's credentials in order to "check out" the employee's protestations of innocence.

The scenarios are limited only by the social engineer's imagination and patience. Some will spend days, weeks or even months building a relationship of trust (even a romantic relationship) with an employee - especially one with a high level of access or administrative credentials - in order to find out what they want to know. And they might not always need to ask for your password directly. Because many computer users choose passwords that represent something they'll remember easily (spouse's middle name, child's birthday), the social engineer may be able to discern enough info to guess your password just from learning such personal details.

"Phishing" has been discussed in this newsletter before: those email messages you get that pretend to be from your bank, credit card company, eBay or PayPal, asking you to go to a Web site and type in your account information. Phishing is an email form of social engineering. It doesn't rely on personal interaction as traditional social engineering attacks do, but it uses the same basic tactics: impersonation and deception aimed at making you reveal something that can be misused.

Social engineering is a growing problem because it's so difficult to defend against. Network administrators can put up firewalls or use access controls to protect against technology-based attacks, but the human factor is the weakest link. Social engineers take advantage of basic human nature: people like to be helpful, to provide information to those who seem to need it for legitimate purposes. People are also quick to provide information to defend themselves against false accusations. People don't give out sensitive information to hackers intentionally; they do it because they think they're doing the right thing.

The best way to keep from being taken in by a social engineer is to be aware of their techniques, and always be suspicious when someone asks you for your password. Network administrators should not need to know your password, even if they need to get into your account. A person who has an administrative account can simply change the password (without knowing the old one) and access your account with the new password. You should also pick your passwords carefully and never use personal info as the basis for your password.


