This is a guest blog post from Dave Chakrabarti, who joins us from Chicago to head projects for ILS Network and ILS Foundation.
Everyone knows the risks and dangers of IT security problems these days; it seems like the more we rely on IT, the more often our corporate IT systems break. Incidents of malware and viruses crippling corporate productivity have been around for years, and they are on the rise. With the Occupy Kolkata protests planned in a couple of days, even non-IT folks are hearing about the hacker collective Anonymous and their successful attacks against banks, government sites, and defence contractors; no network seems safe. Similarly, the New York Times reported last week on the Stuxnet virus that the US government built to target an Iranian nuclear facility, and then lost control of, leading to a worldwide outbreak. More mundane problems, like losing data when a hard drive crashes or having a website hacked by an angry ex-employee, are everywhere you look in corporate India.
Since we're handling an increasing amount of security consulting these days, I've become very aware of how many devastating security breaches Indian companies face that could easily have been prevented. Of course, hindsight is 20/20, but there are a lot of things our corporate competition in the US takes for granted that Indian companies still haven't made part of our IT culture. Don't have a ton of cash in your IT security budget? Not a likely target for an elite group of international hacker activists? Read on for four ways your IT team can prevent some serious downtime.
1. Stop using email for secure or confidential information.
Almost no one we know is encrypting their email. Unencrypted email is extremely insecure: it can be read by third parties in transit, at any point between sender and recipient. Stop using email for passwords, credit card numbers, PAN card filings for employees, salary slips, privileged corporate information, or anything else you need to keep private. There's no point paying our team for an expensive audit of your web application's security if you're going to toss around the admin passwords by email, where anyone can intercept them.
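Telling people to stop is one thing; catching the slips is another. Below is an added example (not from the original post, and not ILS Network's own tooling) of the kind of check an outgoing-mail gateway can run to flag the items listed above before a message leaves the company. The PAN layout (five letters, four digits, one letter) is the real Indian Permanent Account Number format; the credential and card patterns, the Luhn filter, and the sample message are my own constructions and would need tuning for production use.

```python
import re
from typing import List, Tuple

# Patterns for the kinds of data the post says should never go by plain email.
# PAN_RE follows the real Indian PAN layout; the other two are deliberately
# simple and will produce false positives on a busy mail server.
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CREDENTIAL_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: weeds out invoice or phone numbers that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) pairs for each sensitive item found in a message body."""
    findings = []
    for m in CREDENTIAL_RE.finditer(body):
        findings.append(("credential", m.group()))
    for m in PAN_RE.finditer(body):
        findings.append(("pan", m.group()))
    for m in CARD_RE.finditer(body):
        if luhn_ok(m.group()):  # only keep digit runs that pass the card checksum
            findings.append(("card", m.group().strip()))
    return findings


# Constructed sample message: nothing below is a real credential, PAN or card.
SAMPLE_MAIL = """Hi team,
Admin login for the staging box is password: Summ3r2012!
Salary slips attached; PAN for the new joiner is ABCDE1234F.
Card on file: 4111 1111 1111 1111 (expires 12/14).
Invoice 1234567890123 is unrelated and should not be flagged.
"""

if __name__ == "__main__":
    for kind, text in find_sensitive(SAMPLE_MAIL):
        print(f"{kind:10s} {text}")
```

Run on the sample, this flags the password line, the PAN and the card number, and leaves the 13-digit invoice number alone because it fails the Luhn check. A real gateway would quarantine or bounce the message and log the finding rather than just print it.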
2. Use strong passwords, and change them often.
You'd be amazed at how many corporate security audits turn up "password" or "12345" as the password for a system the company *needs* to be secure. These passwords can be cracked in seconds by even the most inexperienced hackers using free, readily downloadable tools. Use long passwords composed of upper and lower case letters, numbers, and symbols for the best security. Having trouble remembering your random password? Here's a tip: substitute symbols that *look* like letters, and then combine this with words that aren't in the English dictionary. For example, instead of using "mangotree" as a password, you might try "m@Ng0Tr33". For even better security, I might start (or combine this) with "aam gaach" (Bengali for "mango tree"), since English-based dictionary attacks won't include those words. I just have to remember which letters I've capitalized and what symbols I've substituted. Still difficult? Write your password on a piece of paper and store it somewhere secure, like your wallet, without any reference to what that password is for, mixed in with several random words.
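Here is an added example (my own, not the post's or ILS Network's code) of a password policy check that enforces the rules above at the point where a password is set: a minimum length, mixed character classes, and no entries from a common-password list or the English dictionary. It goes one step further than the text: it undoes the "symbols that look like letters" substitutions before the dictionary lookup, because the free cracking tools mentioned above apply exactly those substitutions as rules. That is why the post's advice to add non-English words matters: "m@Ng0Tr33" on its own is still "mangotree" to a cracker, while a candidate built on "aam gaach" is not. The length threshold of 12 and the tiny wordlists are assumptions for the demo.

```python
import re
from typing import List

# Constructed wordlists for the demo. A real deployment would load a full
# dictionary plus a breached-password list instead of these few entries.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "admin"}
ENGLISH_WORDS = {"mango", "tree", "summer", "welcome", "company", "secret"}

# Symbols and digits that look like letters. Cracking tools apply these as
# rules, so the checker undoes them before looking the word up.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed threshold; the post only says "long"


def normalize(candidate: str) -> str:
    """Lower-case the candidate and undo the look-alike substitutions."""
    return candidate.lower().translate(LEET_MAP)


def character_classes(candidate: str) -> int:
    """Count how many of the lower, upper, digit and symbol classes are present."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, candidate))


def check_password(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < 3:
        problems.append("uses fewer than three character classes")
    base = normalize(candidate)
    if candidate.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if base in ENGLISH_WORDS:
        problems.append("is a dictionary word, with or without substitutions")
    elif any(base[:i] in ENGLISH_WORDS and base[i:] in ENGLISH_WORDS
             for i in range(1, len(base))):
        problems.append("is two dictionary words joined together")
    return problems


if __name__ == "__main__":
    for pw in ("12345", "password", "mangotree", "m@Ng0Tr33", "@@mG@@ch-m@Ng0Tr33"):
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

The last candidate, the Bengali phrase with substitutions joined to the English one, is the only one that passes: it is long, uses all four classes, and does not reduce to anything in the wordlists once the substitutions are undone.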
3. Make it harder for viruses to get in.
If you're using Windows (and everyone is), viruses and spyware probably keep your IT team busy. The easiest ways to avoid them are to install all Windows updates as soon as they're released (company-wide automated update policies can help with this), to keep a good antivirus program updated and run regular scans (ClamAV is a good, free option), and, most importantly, to train your users in safe computer use. That means not opening email attachments that seem suspicious, not installing that screensaver on their workstation, and not clicking a Facebook link promising a video of a girl in a swimsuit. Most users *want* to be safer online, both at work and at home. A well-formulated policy for sensible internet use can work wonders in this regard.
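Training helps, but the mail server can back the users up. The following is an added example (my own, not the post's or ILS Network's code) of a simple attachment filter: it blocks file types Windows will run on a double-click (the screensaver from the paragraph above is a plain executable with a .scr name), and it looks at the first bytes of the file rather than trusting the name, so "report.pdf" that is really a program gets caught too. The extension list, the magic-number table and the sample bytes are assumptions for the demo.

```python
from typing import Tuple

# Extensions Windows will execute on double-click. A .scr "screensaver" is just
# an executable with a different name.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs",
                         "vbe", "js", "jse", "wsf", "hta", "msi", "cpl"}

# Leading bytes that identify a file regardless of what it is called.
MAGIC_NUMBERS = {b"MZ": "executable", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def sniff(data: bytes) -> str:
    """Identify the file type from its first bytes, not from its name."""
    for magic, kind in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def attachment_verdict(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (blocked, reason). Name-based and content-based rules both apply."""
    name = filename.lower().strip()
    # rsplit keeps only the final extension, so "invoice.pdf.exe" is still "exe"
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return True, f"blocked extension .{ext}"
    kind = sniff(data)
    if kind == "executable":
        return True, "content is a Windows executable whatever the name says"
    if ext == "pdf" and kind != "pdf":
        return True, "named .pdf but content is not a PDF"
    return False, "allowed"


if __name__ == "__main__":
    # Constructed samples: a few header bytes stand in for whole files.
    samples = [
        ("holiday.scr", b"MZ\x90\x00"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("report.pdf", b"MZ\x90\x00\x03"),
        ("report.pdf", b"%PDF-1.4\n"),
        ("notes.txt", b"hello"),
    ]
    for filename, data in samples:
        blocked, reason = attachment_verdict(filename, data)
        print(f"{filename:18s} {'BLOCK' if blocked else 'allow':6s} {reason}")
```

Archives are the obvious gap: a .zip passes this check even if it carries an .exe inside, so a real filter has to unpack archives and apply the same rules to their contents.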
4. Recover faster.
When I was strength training for mixed martial arts, I was always told that recovery is much more important than the exercise itself; IT security is no different. A critical part of your security plan is risk mitigation by minimizing downtime. If a machine is infected, do you have an audited list of the assets that were compromised? Can you restore and re-secure them from up-to-date backups (you are regularly testing your backups, aren't you?)? If a website is defaced, how much e-commerce business could you retain (and how much damage to your brand could you prevent) if you could be back online in minutes instead of days? Emphasize agile, flexible responses and train on disaster-mitigation scenarios so your recovery times are as fast as possible. Then revisit this in a month and make them even faster.
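"Testing your backups" means more than checking that the backup job finished. As an added example (my own, not the post's or ILS Network's code), the script below records a SHA-256 manifest of the live files when the backup is taken, then checks a restored copy against that manifest and reports what is missing or altered. The drill function builds a small constructed file tree in a temporary directory, "restores" it with a plain copy, deliberately damages the copy, and runs the verification, which is the shape of the exercise to repeat every month. The file names and contents are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest; empty lists mean the restore is good."""
    missing, changed = [], []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != digest:
            changed.append(rel)
    return {"missing": missing, "changed": changed}


def restore_drill(damage: bool = True) -> Dict[str, List[str]]:
    """Constructed end-to-end drill: back up, restore, optionally damage the copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "config").mkdir(parents=True)
        (live / "config" / "app.ini").write_text("db=orders\n")
        (live / "orders.csv").write_text("id,total\n1,250\n")
        (live / "notes.txt").write_text("call the vendor\n")

        manifest = build_manifest(live)        # taken when the backup is made
        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)        # stands in for the real restore job

        if damage:
            (restored / "orders.csv").write_text("id,total\n")  # truncated on restore
            (restored / "notes.txt").unlink()                    # never made it back
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("damaged restore:", restore_drill())
    print("clean restore:  ", restore_drill(damage=False))
```

Keep the manifest somewhere other than the backup medium itself; if both live on the same failed disk, the check has nothing to compare against.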