TUTORIAL - SECURITY RISKS
The benefits of protecting your network
Before investing in IT security, it is important to understand the
reasons why your business information is a valuable asset and one
that requires protection.
Educating your staff about the sensitivity of e-mail communication
and the nondisclosure of passwords, and blocking loopholes in your
IT infrastructure, offer you that protection.
Your existing customers will feel safe in the knowledge that the
company they are dealing with has taken appropriate measures to
ensure their personal details cannot be accessed by external parties.
Your company's reputation is important when it comes to winning
new business.
You have a legal responsibility to your customers and employees
in terms of data protection and regulated web browsing respectively.
To summarize, you can expect the following benefits:
Utilize e-mail without the fear of virus infection or interception.
Increase sales through online ordering, by making your website secure.
Share information via secure intranets (for your employees), extranets (for your business partners) and a public website (for your customers).
Reduce administration costs by offering the facility to pay online in a secure way.
Identify the threats facing your network
It is important to remember that all companies are at risk; some
tend to be more vulnerable than others because they have no dedicated
IT resource. Whether the action is malicious or accidental, your
network will suffer if it is unprotected.
Threats can enter your network at numerous points. These include
the Internet gateway, Virtual Private Network links, e-mail, remote
access servers, wireless local area networks and any method your
employees use to telework or connect to the network while on the road.
It's worth noting at this point that the majority of security breaches
are accidents and come from within your organization - this does
not make the outcome any less damaging or costly.
The risks your company should be aware of:
Viruses
Past virus outbreaks such as SoBig and MyDoom brought the threat
of viruses to the forefront. According to a recent DTI survey, 72%
of UK businesses had received infected e-mails or files during 2003.
Roughly two-thirds of companies that had any type of security incident
cited a virus infection as their worst incident of the year.
The threat still remains from infected floppy disks, but the most
common method of virus infection is now via e-mail. A single virus
outbreak can reach PCs across the world in a matter of seconds.
If virus-scanning software is not in place and a virus accesses
the network, a user can receive an e-mail attachment, open it and
unwittingly run an application containing the virus. Once the virus
has entered the system, it can destroy computer files and shut entire
systems down.
Blended threats are on the rise and are a combination of viruses,
worms and Trojans [Trojans are commonly created to give hackers
an access hole, but do not replicate like viruses or worms]. The
Blaster worm that hit networks in 2003 bypassed anti-virus software
by attacking weaker areas of network security, targeting for
example e-mail, websites and instant messaging. The consequences
of such attacks include disabling anti-virus updates, creating openings
for hackers to gain access, downloading confidential information
and so on.
Spam
Spam is unsolicited commercial e-mail and is not only an annoyance
for computer users, but the sheer volume of spam e-mails is becoming
yet another security issue for companies.
The increased volume of spam consumes server capacity and valuable
network bandwidth. This in turn creates problems when trying to
access websites, or sending and receiving e-mails. Spam e-mails
also have an effect on employee productivity. Time is wasted trawling
through e-mails, deleting those which are spam, or even being encouraged
to redirect to a website to view the products being offered. It
is important to be aware that a high percentage of spam e-mails
have sexually explicit content, creating potential liability
issues for a company.
Hackers: unauthorized network access
The hacker's aim is to gain access to a company's network at the
highest level. Where there is a hole in network security, a hacker
can enter the network and access confidential company information
- this may be company data or network passwords. Once they have
gained access to the network they can view, change, corrupt or even
delete and copy information.
Network users tend to reuse passwords across multiple applications,
making it easier for hackers, once they have this information, to
access all resources on the network, therefore compromising a company's
confidentiality.
The growth of wireless networks is yet another means by which unauthorized
laptop users can access a company's network. Once on the network,
the hacker has access to all network configurations for further
exploitation.
Unauthorized e-mail and Internet use
Company employees can misuse network resources by sending and receiving
personal e-mails, surfing non-work-related websites and using instant
messaging applications. This not only uses valuable bandwidth, but
also opens the company up to costly legal liability issues.
Improper use of corporate e-mail and exposure to inappropriate website
content can cause potential legal problems. Offensive content received
from external sources or circulated internally presents companies
with an employee liability risk. Companies that fail to address
problems concerning offensive content in the workplace leave employees
working in a hostile environment, and open themselves up to legal
action being taken against them.
Such legal cases are not only costly to defend against, but they
could seriously damage a company's reputation. Breaches of confidentiality
via e-mail present a risk, whether the breach is accidental or malicious.
A disgruntled employee with access to confidential information may
distribute details outside the company. E-mail is one of the easiest
methods of transferring such information.
Denial of Service [DoS]
DoS attacks exploit weaknesses in the architecture of the system
under attack. The aim of these attacks is to prevent legitimate
users getting access. The nature of the attack can take various
forms - causing a website to crash or flooding an internet link
with false data using all available bandwidth. This can effectively
disconnect a company from the rest of the world, which is bad news
for e-commerce sites relying on this service for their revenue.
Common targets are web servers, mail servers and DNS servers, as
they are often not protected by a security product such as a firewall.
Data protection and privacy
It is important that companies intending to do business online are
aware of their responsibilities under the Data Protection Act. This
legislation states that any personal data that is taken must be
stored securely in such a way that only authorized users can gain
access to it for the purposes that are covered by the permission.
DTI research shows that many online businesses still store personal
data on insecure web servers without encryption. Apart from ignoring
the Data Protection Act, these companies threaten consumer confidence
through security breach incidents.
Unprotected information stored on a computer system is open to access
from unauthorized users. This is especially true of e-mail attachments
traveling through a public unsecured network. E-mail is not a secure
method of communication and can be intercepted and/or misdirected.
Online fraud
Online shopping is on the increase, but many people still feel that
there is a risk associated with submitting their credit card details
over the Internet. This lack of confidence is a major obstacle to
more widespread use of the online shopping facility.
In actual fact, the risk of online fraud is relatively minimal.
Any business proposing to take payment by credit card over the Internet
must be authorized by the credit card company to do so.
Security measures: the best approach
Before embarking on an IT security plan, it is important for your
company to complete a security audit. The purpose of this is to
evaluate existing security measures and analyze for weaknesses and
vulnerabilities, and is the most critical phase of the process.
It may seem as if you're undertaking a huge task, without really
understanding the reasons why. In summary, the audit will:
Identify the threats facing your company and determine the risks - this will assist when allocating a budget for IT security.
Reduce the costs currently associated with your IT security by identifying
and resolving vulnerabilities and weaknesses.
Provide your company with the assurance that IT security is adequately
covered.
Gain and maintain certification to an industry standard.
Once a security audit has been completed, you will have the necessary
information to implement an appropriate security policy.