The DataGuard Data Protection Newsletter
November/December, 2005



Welcome!

If there are any topics you would like to see discussed in the future or if you have any comments, please contact me at JoeT@HighCaliber.com



Bullet Points

  • How Hackers Install "Backdoors"

    Computer attackers often install backdoor programs to allow them to get on your network and/or individual computers. A backdoor is a secret passage into your computer system allowing the attacker repeated access without your knowledge. The obvious question is "how did the attacker get the backdoor software installed on my computer in the first place?"

    The answer in most cases is through a Trojan of some sort. A Trojan is a malicious program hidden within a seemingly useful piece of software. Trojans don't run automatically; they are usually designed to trick a user into running them.

    The backdoor program normally installs a server component on the compromised machine. That server component then opens a certain port or service allowing the attacker to connect to it using the client component of the backdoor software. Some backdoor programs will even alert the attacker when a compromised computer is available online.

    How can you protect your computer from backdoor software?

    • Never open any suspicious email attachments
    • Never install pirated or otherwise questionable software
    • Never open file attachments received via Instant Messaging (IM)
    • Steer clear of files downloaded from peer-to-peer (P2P) networking systems such as Kazaa
    • Make sure your antivirus software is up to date
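
    Because the backdoor's server component has to open a port, one defensive check is to compare a machine's listening sockets against an approved baseline. The following is an added example, not part of the original newsletter; the sample netstat-style output, the baseline and the function names are constructed for illustration.

```python
# Added example: compare listening sockets against an approved baseline.
# SAMPLE_NETSTAT is constructed output in the style of Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:54320          0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:500            *:*                                    680
  UDP    0.0.0.0:54321          *:*                                    2316
"""

# Assumed baseline: (protocol, port) pairs this machine is expected to expose.
APPROVED = {("TCP", 135), ("TCP", 445), ("UDP", 500)}


def listening_sockets(netstat_text):
    """Return a sorted list of (proto, port, pid) for sockets accepting traffic."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # skip headers and blank lines
        proto, local = fields[0], fields[1]
        # TCP rows carry a State column; UDP rows do not, so any bound UDP
        # socket is treated as listening.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])  # rsplit copes with [::]:135
        pid = int(fields[-1])
        found.add((proto, port, pid))  # set removes IPv4/IPv6 duplicates
    return sorted(found)


def unexpected_listeners(netstat_text, approved):
    """Listeners whose (proto, port) is not in the approved baseline."""
    return [s for s in listening_sockets(netstat_text)
            if (s[0], s[1]) not in approved]


if __name__ == "__main__":
    for proto, port, pid in unexpected_listeners(SAMPLE_NETSTAT, APPROVED):
        print(f"unexpected {proto} listener on port {port} (PID {pid})")
```

    The PID in each finding identifies the process that owns the socket, which is the starting point for deciding whether the listener is legitimate.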


  • Better Backups

    Here are some tips on how to make sure that the backup component of your data protection plan is as good as it can be:

    1. Remember that traditional backups are a last resort for data recovery. Data replication and snapshots should also be parts of your plan.
    2. Review backup logs daily. Log analysis can be time-consuming, but is essential to reliable backup.
    3. Protect your backup catalog. All backup applications maintain a database or catalog that's absolutely critical to the recovery of backed up data. Lose the catalog and you've lost your backups.
    4. Make sure that backups are completing within the expected time frame. In addition to affecting production environments and angering users, jobs that approach or exceed the backup window may be warning signs of impending capacity limits or performance bottlenecks.
    5. Centralize and automate backup as much as possible. A key to successful data protection is consistency. All data of equivalent value and importance to the organization should be managed in a similar fashion.
    6. Create and maintain an open issues report for all backup problems.
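
    Tips 2 and 4 can be partly automated by having a script read the nightly job records and flag failures and jobs that approach or exceed the backup window. The following is an added example, not part of the original newsletter; the record format, window times, warning threshold and names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed job records (job, start, end, status); a real backup product's
# log format will differ and needs its own parser.
SAMPLE_LOG = """\
fileserver,2005-11-14 22:00,2005-11-15 01:10,OK
mailstore,2005-11-14 22:00,2005-11-15 05:20,OK
database,2005-11-14 22:30,2005-11-15 06:45,OK
catalog,2005-11-14 23:00,2005-11-14 23:20,FAILED
"""

# Assumed backup window: 22:00 to 06:00 (8 hours); warn at 90% of the window.
WINDOW_START = datetime(2005, 11, 14, 22, 0)
WINDOW = timedelta(hours=8)
WARN_FRACTION = 0.9
FMT = "%Y-%m-%d %H:%M"


def review(log_text, window_start, window, warn_fraction):
    """Return {job: finding} for every job that needs attention."""
    findings = {}
    for line in log_text.splitlines():
        job, _start, end, status = [f.strip() for f in line.split(",")]
        finished = datetime.strptime(end, FMT)
        # Measure against the window, not the job's own start time: a job
        # that starts late can be short and still overrun the window.
        used = (finished - window_start) / window
        if status != "OK":
            findings[job] = "failed"
        elif used > 1.0:
            findings[job] = "exceeded window"
        elif used >= warn_fraction:
            findings[job] = "approaching window limit"
    return findings


if __name__ == "__main__":
    for job, finding in review(SAMPLE_LOG, WINDOW_START, WINDOW,
                               WARN_FRACTION).items():
        print(f"{job}: {finding}")
```

    Each finding is a candidate entry for the open issues report in tip 6.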


  • What You Need To Know About Pharming

    Many security experts are concerned about this more technically sophisticated attack:

    http://www.csoonline.com/read/100105/pharm.html


  • Email Administration Mistakes To Avoid

    • Not Having a Contingency Plan
      Make sure your email systems (servers and workstations) are included in your organization's business continuity plans. Also, don't forget to have a backup email administrator who knows the system (configuration, passwords).
    • Not Testing Backups
      Test your email and other backups often to make sure the data will be there when you need it.
    • Poor Communication With Human Resources
      If you don't know who just joined the company, who is going to be out for a while and who quit or got fired, bad things can and will happen eventually.
    • Allowing IT to Monitor and Filter Email Content
      Human resources should do this, not technology personnel.
    • Spending Too Much Time Worrying About Spam
      Your time would be better spent implementing a spam filtering system so you can focus on other, more important issues.
    • Taking the Security of Email Servers For Granted
      Email servers are often the point of entry into your network. Make your email server(s) your most highly secured systems.
    • Falling Behind on Maintenance Tasks
      Implement critical updates ASAP. Regularly monitor email storage space.
    • Overlooking Data Retention Requirements
      Mandates for retaining email messages as business records should come from upper management and legal counsel. However, you still should help evaluate, recommend and implement document management or other retention systems.


  • Protecting PDAs (Revisited)

    This topic was initially covered back in May 2005. Since more and more people/organizations are investing in these devices, some additional discussion might be in order.

    According to Prakash Panjwani, senior vice president of business development for Certicom, which develops security software for PDAs, companies are now seeking the same level of security with PDAs that they once sought for laptops. "In the past," says Panjwani, "these were consumer devices that snuck into the enterprise. You got it as a gift, and then you started downloading corporate information, and your IT managers didn't even know about it. Now that has changed because [companies] realize that the ultimate responsibility is the IT managers'."

    Although the cost of the hardware isn't huge, the value of the information can be. The idea of a stranger having access to your personal data may be distressing, but the possibility that somebody could access presumably secure corporate information is enough to give any IT professional nightmares.

    The corporate use of PDAs poses two security problems, says Panjwani: controlling data access through remote connections and unauthorized access to the data. The first can be handled in the same way that it has been for remote laptop users: by using a VPN client that will interoperate with the existing VPN on the back end. The second is trickier. "If an employee leaves the PDA at a meeting," he asks, "and somebody just glances over and looks at the information, how do you actually protect that information?"

    As a result, there are now many software products that can protect valuable data in PDAs that are lost or stolen. They offer varying degrees of protection.

    The simpler, less effective products are all available at the consumer level and are implemented on a device-by-device basis. For example, a basic way to protect data is to use a "digital wallet." Originally a term for encryption software that protected e-commerce information, it is now used by a number of inexpensive applets that create encrypted databases where you can store sensitive information, such as passwords or credit card numbers. These include Developer One's CodeWallet, Ilium Software's eWallet, and PassKey from Application Development StudioA.

    A more useful way to keep data both safe and separate is to keep it on a storage card. A number of programs, such as Paragon Software's Cryptographer for the Pocket PC, encrypt information that is stored on CompactFlash and PCMCIA cards.

    Some applications offer basic data encryption for specific files and/or folders, so that users can protect crucial information without having to encrypt the entire contents. These include Applian PocketLock for the Pocket PC and seNTry 2020 by SoftWinter.



Setting Recovery Time Objectives (RTOs)

The term "recovery time objective (RTO)" always comes up when you are discussing business continuity and disaster recovery. RTO is the maximum amount of time a business can allow to bring a failed system back online before operations are adversely affected. Thus, business people should establish RTOs, not IT people.

People involved in the business end of an organization need to perform a business impact analysis to determine RTO. This analysis should address the following items:

What the business unit does: Create a list of the various things for which a business unit is responsible, including revenue generating activities and what happens when a specific business process stops.

Potential losses: Determine the tangible and intangible losses an outage can cause. Losses can include lost revenue, salaries paid to idle workers, added expenses, fines, etc. Intangible losses include damaged reputation, negative public opinion, depreciated stock value, etc.

Timing: Take into account the worst possible time at which an interruption might occur (e.g., quarter-end, year-end, etc.).

Dependencies: Identify things that are required to perform a specific business function.

Contingency Plan: Formulate a contingency plan that could temporarily buy some time and increase RTO.

Once potential losses have been identified, the business can make a decision regarding what it considers acceptable losses. Because losses are incurred over time, this decision also dictates the maximum outage the business can tolerate for each specific function. The RTO for the business functions must therefore not exceed that maximum tolerable outage.

Recovery time determinations must also always consider notification, response and procurement delays, as these elements can eat into the RTO before the actual recovery effort even begins.


