In my first three Industry Insights in this series, I wrote about nine affordable technology foundations for a more secure digital world. To summarise briefly, they are:
1) Use a good router
2) Implement a reverse firewall
3) Keep Windows Update up to date
4) Use a not-so-common anti-virus solution
5) Use Windows Limited User privileges
6) Implement OpenDNS
7) Use Google for searches (in association with StopBadware.org)
8) Scan e-mail for viruses before they reach the inbox
9) Use Firefox as a browser
In this last part, I will conclude with a final group of three strategies for a safer way to do business:
10) Have a human being check logs regularly
Nowadays most software and many operating system functions leave a trail of what has been and is being done. Because most software depends on other software or system functions, security breaches tend to show up in these logs as early warning signs. In the corporate world, intrusion detection systems are quite common, but the average SME has no early warning signs.
Log checking can be automated, with critical or warning messages e-mailed on a regular schedule for review. Most IT companies offering service contracts include manual inspection of logs as part of proactive maintenance routines.
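A sketch of the automated review described above, as an added example that is not from the original article: it filters a log for warning and critical entries, collapses repeats, and builds the e-mail a person would read. The log layout, host names and addresses are constructed assumptions.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample in an assumed "timestamp host LEVEL source: message" layout.
SAMPLE_LOG = """\
2024-03-04T02:11:09 fileserver INFO backup: nightly job finished
2024-03-04T02:14:51 fileserver WARNING disk: volume D: 91% full
2024-03-04T03:02:17 gateway WARNING auth: failed login for admin from 203.0.113.7
2024-03-04T03:02:19 gateway WARNING auth: failed login for admin from 203.0.113.7
2024-03-04T03:02:24 gateway CRITICAL auth: account admin locked out
this line is truncated and does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<level>[A-Z]+) (?P<source>[^:]+): (?P<msg>.*)$")
REPORT_LEVELS = ("CRITICAL", "WARNING")  # most severe first

def summarise(log_text):
    """Count reportable events (timestamps ignored) and collect unparsable lines."""
    events, unparsed = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # surfaced in the digest, never dropped silently
        elif m["level"] in REPORT_LEVELS:
            events[(m["level"], m["host"], m["source"], m["msg"])] += 1
    return events, unparsed

def build_digest(log_text, sender, recipient):
    """Build the review e-mail: critical entries first, repeats shown as a count."""
    events, unparsed = summarise(log_text)
    rows = sorted(events.items(),
                  key=lambda kv: (REPORT_LEVELS.index(kv[0][0]), -kv[1]))
    body = [f"{lvl:<8} x{n:<3} {host} {src}: {text}"
            for (lvl, host, src, text), n in rows]
    if unparsed:
        body.append(f"{len(unparsed)} line(s) could not be parsed; inspect manually")
    critical = sum(n for key, n in events.items() if key[0] == "CRITICAL")
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = (f"Log digest: {critical} critical, "
                      f"{sum(events.values()) - critical} warning")
    msg.set_content("\n".join(body) or "No warnings or critical events.")
    return msg

if __name__ == "__main__":
    print(build_digest(SAMPLE_LOG, "logs@example.com", "admin@example.com"))
```

Run from a scheduler, the returned message can be handed to `smtplib.SMTP.send_message`; the digest is only useful if someone actually reads it, which is the point of item 10.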
11) Protect WiFi with WPA2 or the NASA approach
Steve Gibson, an industry expert in security from grc.com, explains in his SecurityNow podcasts that security cannot be predicted. It can be assessed only with hindsight. To help clarify the history and previously trusted security techniques, let me briefly summarise them:
a) Wireless Equivalency Privacy (WEP) was the first answer to wireless [in]security, but it did not last long before simple tools (search for 'wep hacking' on Google) were made available for even a non-technical person to be able to break into a WEP-protected network. There goes that option!
b) MAC address filtering. Theoretically, every network card has a unique 12-character hexadecimal address, called a MAC (Media Access Control) address. By listing only specific MAC addresses to be allowed on a wireless access point/router, no unauthorised network card or computer would be able to join the network. Unfortunately, it is quite easy to 'sniff' out an existing MAC address in use, and later pose as that MAC address. Many cards and drivers permit anyone to easily change a MAC address. There goes that idea!
c) WiFi Protected Access (WPA). The Internet shows misinformation about its insecurity, but it is important to recognise that its only weakness is a weakness that is present in anything and everything that depends on a password. It is called a brute force attack. At the end of the day, if a password is eight characters long, then there is a finite (and relatively small) number of possible passwords. It is a trivial process for a computer to be set up to literally attempt every possible combination until successful. However, if the access point (and cards, etc) supports WPA, it is wise to use WPA, but the important factor is to use a long password such as 32 or 63/64 characters long. I highly recommend using the largest number of characters possible. To obtain a truly random password, visit https://www.grc.com/passwords.htm and each time you visit, a new password will be generated. To give an idea of the number of possible combinations found in a 64-character WPA password, it would take an average computer several hundred years of processing to attempt every possible combination. Nothing is 100% secure, but that is secure enough for me.
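To put numbers on the password-length argument above, here is an added example (not from the original article) that generates a maximum-length random passphrase locally, derives the WPA pre-shared key the way WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), and compares search spaces. The guess rate, the SSID and the 94-symbol alphabet are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# WPA passphrases are 8 to 63 printable ASCII characters; space is left out here.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ASSUMED_GUESSES_PER_SECOND = 1_000_000  # assumption, not a measured figure
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def generate_passphrase(length=63):
    """Random passphrase from the operating system's CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def derive_psk(passphrase, ssid):
    """256-bit pre-shared key; every password guess has to repeat this work."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def keyspace_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random passphrase of this length."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length, guesses_per_second=ASSUMED_GUESSES_PER_SECOND,
                     alphabet_size=len(ALPHABET)):
    """Time to try every passphrase of exactly this length at the given rate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    for label, length, size in [("8 lowercase letters", 8, 26),
                                ("8 random printable", 8, 94),
                                ("32 random printable", 32, 94),
                                ("63 random printable", 63, 94)]:
        print(f"{label:<20} {keyspace_bits(length, size):6.1f} bits  "
              f"{years_to_exhaust(length, alphabet_size=size):.3g} years")
    phrase = generate_passphrase()
    # "OfficeWiFi" is a made-up SSID; the SSID acts as the salt.
    print(phrase, derive_psk(phrase, "OfficeWiFi").hex())
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network.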
The NASA approach bypassed all wireless security, compatibility and support issues. A much simpler approach was to leave all access points wide open with no WEP, MAC address filtering or WPA protection. Instead, every connected computer would be 'sandboxed' into its area, permitting only a special VPN connection to a specific server, which then allowed access to the rest of the network and the Internet. While the approach is majestic in its simplicity, it requires a little more than standard consumer-grade access points/routers. The benefit is in 100% compatibility with all wireless cards.
12) Encrypt sensitive data
In all of my 12 points, I have missed martial arts' simple truth: the best defence is not to be there. The same goes for data. However, if it must travel with you, there are a number of technologies that allow data to be encrypted securely. This ensures information is useless to a would-be thief. One of the key components of public key cryptography is the private key. If it is stored on an external USB device, that's the most secure you can get. Another alternative (free software) worth mentioning is from www.truecrypt.org. While this topic could be an article on its own, I will conclude here.
David Redekop is co-founder of Nerds On Site