Cyber Bytes is S.H Smith & Company's Cyber, Security & Privacy blog – written by the experts you trust.
One of the biggest causes of data loss is storing data in only one place. A single point of failure within a data storage infrastructure is a disaster waiting to happen. This applies to your home or work environment. One of the first tasks in creating a backup strategy is to identify what data needs to be backed up. Usually the data you want to back up is the data that can’t be replaced. Purchased products like MS Office or Adobe can be reloaded from the original media. Material that you create with these products cannot be replaced. Focus on the material that can’t be replaced. Far too many times I have seen people lose irreplaceable personal and financial data by not backing it up. The most reliable way to protect your data is through the process of copying your data and storing it offsite. This can be accomplished in many ways.
The most common form of data protection is copying it to some sort of removable media. This can be tapes, DVDs, or hard drives. All of the Microsoft operating systems come with a native backup program that you can use to create a scheduled backup. If you want something more robust there are several products from third party vendors that will also allow you to schedule backups. A typical backup consists of a weekly full backup, and then daily differential or incremental backups. It is also important to rotate the backup media. Never overwrite last night’s backup with tonight’s backup. You should use at least 5 sets of different media, and remove a monthly or quarterly set from the rotation for long term storage. Once the backups are created, they must be stored in a different location than the primary location of the data that is being backed up. On several occasions I have seen people who have studiously made backups only to set the backup next to the device that is being backed up. Store the backups in a safe deposit box, fireproof safe, or enlist a courier to transport the media to a secure offsite storage facility.
An increasingly popular alternative to physical backups is cloud backup. This is an online backup service that uses an internet connection and is usually charged per megabyte of data backed up. The advantage of this type of backup is that no additional hardware or software needs to be purchased to implement it. Because it is internet based, it can be accessed from any machine, anywhere that has an active internet connection. That is also a potential detriment. Without an internet connection, you can’t access your backups. Also, the backups are stored on someone else’s server someplace else. If that server is hacked, your data can be compromised. I read a story recently where an online storage provider was leasing storage space on servers owned by a different company. When they failed to pay their bills, the server owners shut off access to the data on their servers, leaving thousands of customers unable to restore backups.
Snapshot backups can be enabled on Microsoft servers to back up shared folders. This type of scheduled backup is useful as an enhancement to traditional backup methods, and is used to restore prior versions of a backed-up file. Because the snapshots are stored on the same server as the data, it is not suitable as the primary backup.
Data replication can be used to create a “hot site”. The hot site usually has backup servers that contain current data that can be used to replace crashed servers with a minimum of downtime. Because the hot site servers only reflect data on a production server they are not suitable as a primary backup solution. Data mistakenly deleted from a production server will also be deleted from the hot site server.
Whatever backup solution you choose, make sure that you can do an effective restore. I have seen people running scheduled backups regularly, but never looking at the backup logs or testing a restore. When time came to restore from backups they found their backups had not been running successfully for months. A practice restore will also give you some idea as to how long it will take to restore your data. You may find that your restores are unacceptably slow and it may take days to restore all of your data.
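A practice restore can be scripted so that it runs after every backup job. The following is an added example, not code from the original post: it assumes backups are gzip tar archives and that a manifest of file hashes is recorded at backup time; the function names and the sample data are constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path, skip=()) -> None:
    """Write a gzip tar of source; `skip` simulates a job that silently drops files."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file() and p.name not in skip:
                tar.add(p, arcname=p.relative_to(source).as_posix())

def restore_test(archive: Path, recorded: dict) -> dict:
    """Restore into a scratch directory and compare with the backup-time manifest."""
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            # Where supported, refuse members that would escape the scratch directory.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = manifest(Path(scratch))
    missing = sorted(set(recorded) - set(restored))
    corrupt = sorted(n for n in recorded if n in restored and restored[n] != recorded[n])
    return {"ok": not (missing or corrupt), "missing": missing, "corrupt": corrupt,
            "seconds": time.monotonic() - started}

def demo() -> tuple:
    """Constructed sample data: one healthy backup and one that lost a file."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("rent,1200\n")
        (src / "letter.txt").write_text("irreplaceable draft\n")
        recorded = manifest(src)
        good, bad = Path(work, "good.tgz"), Path(work, "bad.tgz")
        make_backup(src, good)
        make_backup(src, bad, skip={"ledger.csv"})
        return restore_test(good, recorded), restore_test(bad, recorded)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The `seconds` value is the restore time for the sample only; measured against a full-size archive it gives the restore duration the paragraph above asks you to find out in advance.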
A solid backup strategy is necessary to protect your data. Whatever procedures you put into place to back up your data, make sure you do it safely and securely. If, despite all of your plans, data is irretrievably lost your best protection is a cyber-security policy. Do your best to protect your company’s information from loss, and do your best to protect them when the loss inevitably occurs.
Remote access is defined as pertaining to communication with a data processing facility from a remote location or facility through a data link. Typically the data processing facility is a corporate network, and the data link can be any communications line through which you can access an external network. The external network will, in most cases, be the internet.
It is important to understand that some sort of connectivity to the internet must exist before you can connect to your corporate network. That connectivity can be supplied by cable modem, DSL line, dial-up modem, or 3G or 4G wireless network device. Where you connect from usually doesn’t matter.
VPN stands for virtual private network. The end goal of a VPN connection is to connect your local machine to your corporate network as though you were sitting at your desk. Networked drives and printers appear as though they are on the same network as your workstation. If you are accessing your e-mail through a VPN, the mail client (Outlook) has to be installed on your local PC. Because data has to be transferred from your corporate network through a slower communications line to your local machine, processing is typically slower than you would experience sitting at your desk.
Terminal Services / Citrix
Terminal Services is a product bundled with the Microsoft operating system. Citrix is a third party product that enhances terminal services functionality. With terminal services and Citrix, the applications run on the server not the local workstation. In essence the local workstation functions as a dumb terminal. You can access your e-mail without installing Outlook on the local machine. This makes for a more secure configuration, and requires a less powerful local device because the work is being done on the Citrix server. Because less data is moving between the corporate network and the local PC, response time is much faster, and less bandwidth is used.
Remote PC Software
With remote PC software, you remotely control a PC that is connected to your corporate network. With this method you get some of the speed advantages of terminal services. The down side is you must commit two devices to the process for each user.
Smart phones / tablets
There are several remote PC software applications available for Apple and Android based tablets and smart phones. There is also a Citrix client for these devices. The main downside to the smart phones is the size of the screen. The screen is simply too small to make it a viable solution for remote access other than to check e-mail. The larger screen of a tablet makes it a much more usable device. In addition, a Bluetooth keyboard and mouse can be paired with the tablet as well as an external monitor. This can turn the tablet into a legitimate workstation replacement.
It is important to decide whether or not employees can use their personal devices to access corporate networks. When making this decision you must weigh cost savings and ease of use against potential security breaches. Allowing employees to use their personal devices will reduce the cost of buying and administering those devices. The downside is you will have less control over the devices. You can at any time shut off access from personal devices, but how can you ensure that there is no company information on them?
Connections between corporate servers and remote devices must be secured with certificates. You can generate your own or purchase one from any number of internet sites. You should also incorporate a token into your authentication scheme. This would require remote users to use their ID, password, and a code that is generated from a token that is assigned to them. The token is never stored with the remote device. In this fashion, if an ID and password are compromised, authentication cannot take place without the associated token.
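The ID, password and token-code check described above can be sketched as follows. This is an added example, not code from the original post: it assumes the token generates time-based one-time codes as specified in RFC 6238 (the post does not name a token type), and `enroll`, `authenticate`, `ACCOUNTS` and the account data are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for; an assumed token setting

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238: the counter is the number of STEP-second intervals since the epoch."""
    return hotp(secret, now // STEP)

def enroll(password: str, secret: bytes) -> dict:
    """Server-side record: salted password hash plus the secret shared with the token."""
    salt = b"constructed-salt"  # constructed; a real salt is random per account
    return {"salt": salt, "secret": secret, "last_counter": -1,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

# Constructed account; the secret is the published RFC 6238 test key, never a real one.
ACCOUNTS = {"jsmith": enroll("correct horse", b"12345678901234567890")}

def authenticate(user: str, password: str, code: str, now: int, drift: int = 1) -> bool:
    """Require a correct password AND an unused code from the user's token."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
    if not hmac.compare_digest(digest, acct["pw_hash"]):
        return False
    current = now // STEP
    # Allow `drift` intervals either side for clock skew between token and server.
    for counter in range(max(0, current - drift), current + drift + 1):
        expected = hotp(acct["secret"], counter).encode()
        if counter > acct["last_counter"] and hmac.compare_digest(expected, code.encode()):
            acct["last_counter"] = counter  # each code is accepted once only
            return True
    return False
```

A stolen ID and password fail at the code check, and a code captured in transit fails on reuse because the server remembers the last counter it accepted.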
Remote access is necessary in today’s business world. Whatever procedures you put into place to allow remote access, make sure you do it safely and securely. If a remote access connection is compromised your best protection is a cyber-security policy. Do your best to protect your company’s information from loss, and do your best to protect them when the loss inevitably occurs.
Encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted. Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements.
I don’t recommend any particular product to accomplish the encryption. There are many out there and a quick internet search will yield a list of several good products.
One of the first determinations you must make is whether or not employees can access company data and email on their private devices. We have decided not to allow private devices to access our network. The simple reason being we don’t own the devices and can’t control them as we would like. One of the first things we do when an employee leaves the company is to disable their smart phone and remotely wipe it. You won’t be able to do that with a privately owned device.
Data can be stored and transported using several different methods:
Laptops/PCs – Most companies these days issue laptops so that employees can connect remotely to access their data and business systems. Employees with laptops will invariably copy files to the laptop for ease of use. There have been many reports of laptops lost or stolen with confidential information stored on them. One of the simplest ways to avoid this problem is to restrict the employee’s ability to save data to their laptop. This can be done by applying security policies to the laptop. Passwords on Windows based machines are notoriously easy to break. If confidential information must be stored on them then the laptop should be encrypted. Once the C: drive is encrypted, it can be secured using a second password or a token with the encryption key on it. In either case, once encryption has been completed, the drive cannot be accessed without the key. If the key is lost it is very difficult, if not impossible to recover the data on the encrypted disk.
Smartphones/Tablets – Smartphones and tablets are everywhere. Some are more difficult to secure than others. The two leading types these days are Apple based, and Android based. There are advantages and disadvantages to both. The Apple device is not easy to save data to. Typically whatever is saved to an iPad or iPhone must come through iTunes. The Android based device is very simple to save data to. You simply plug it into a laptop or desktop and copy files directly to it. The Android based tablet and phone have native encryption, the Apple devices do not.
Backups – Backups stored offsite should also be encrypted. Most major backup software suites have a native encryption function.
Network Storage – Data stored on servers belonging to the business can also be encrypted, but this is not currently a requirement. Microsoft Windows based operating systems have native encryption built into them.
Email – Emails containing personal information should be encrypted when they are being sent to an external email address. There are hardware and software products, and vendors, that can implement this for you. Usually the email containing the personal information is replaced with an email containing a link to the email. The recipient is required to access a website and create a logon ID and password to access the email.
Removable Drives/ Flash Drives – It is possible to disable laptop and desktop USB ports and CD drives so that information cannot be transferred to a removable hard drive, or flash drive, or burned to a CD. If you are unable to disable that functionality, the desktop encryption product you select should also be able to encrypt removable hard drives and flash drives.
Transmitting Data – Confidential information should not be transmitted unencrypted through the internet. Most files will be transmitted through email, so encrypting the email will take care of the problem. If you are using a logon ID and password, SSN, or financial account number on the internet, make sure you are using a secure connection. You can determine that by looking for HTTPS: in the address line of your web browser. Faxed documents do not require any sort of encryption.
Wireless Access Points – If you are allowing wireless access to your internal network, make sure to set an access key on all of your wireless access points. Remote users who access your systems from home should also configure their home wireless connections with a key.
A number of these procedures require your employees to make decisions about confidential information and to actively do something to encrypt the information. It is inevitable that someone will make a mistake. If that happens and confidential information is compromised your best protection is a cyber-security policy. Do your best to protect your company’s information from loss, and do your best to protect them when the loss inevitably occurs.
Any discussion of external threats to our data will include terms describing different types of malicious software that can infest your network. Most of these destructive programs have targeted Microsoft Windows based machines. However, reports have been coming in of late that Apple and Android based tablets, smartphones, and Apple PCs are being affected as well. I have also heard that video conferencing, GPS systems, and gaming consoles are also being targeted.
To protect yourself from these types of threats, you need to take a layered approach from multiple vendors. The solutions can be in hardware devices or software installed on a server. Usually the first line of defense is a firewall. The firewall will filter traffic before it enters your network. If malware makes it past your firewall, the next defense may specifically filter incoming email before it gets to your mail server. There may also be a device that specifically targets internet browsing. The last line of defense is a good malware scanning software package that protects your workstations and servers. Most vendors will offer devices or software that perform all of these functions. The problem is a vendor will use the same technology for all of their products. If a type of malware is not detected at one level, chances are it will not be detected by subsequent levels. Using different vendors at each level increases the chances that the majority of malware will be stopped before it does any damage.
Hopefully, I’ve been able to clarify some of the terms that come up during a discussion about cyber-security. The protections I have mentioned have been used successfully to mitigate some of these risks. If these measures do fail, your best protection is a cyber-security policy. Do your best to protect your company’s information from loss, and do your best to protect them when the loss inevitably occurs.