Security and the Internet

This guide will introduce you to the topics of computer security on the Internet and provide practical tips to defend yourself.

Introduction

As companies look to the Internet as a mission-critical component of their business, security has become possibly the single greatest concern they face. When security breaches and large-scale viral attacks make national headlines, consumers typically feel helpless. This guide will introduce you to the topics of computer security on the Internet and provide practical tips to defend yourself.

Physical Security

Perhaps the most overlooked topic when discussing security is that of security in the real world. People panic when they think of "hackers" breaking into their computer and stealing their identity, yet it is far easier to walk down a back lane on trash day and get all the personal information one would ever need. Similarly, there are numerous cases of companies selling off old computers without properly deleting sensitive information prior to resale.

All businesses in Canada are now subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), and one of the Act’s ten principles is that of safeguards. It is your responsibility to protect the physical safety of personal information that your organization collects, and to dispose of it responsibly.

Data Isolation and Backup

Anyone who is familiar with Windows knows that you inevitably need to reinstall the operating system. Hardware can fail; systems become sluggish and bloated with unnecessary and partially uninstalled programs; and despite your best efforts, viruses and spyware can infect your system beyond repair. The downtime of mission-critical systems during an operating system reinstall can be very costly to an organization.

Get into the practice of separating your documents and data from the applications being used. An ideal system would have one main directory (with any number of subdirectories) containing all of the company’s documents, data, etc., that could be transferred from one computer to another if necessary. Some applications, especially older ones, like to save files to the same directory as the application, so pay attention. Storing all of your business documents in one place will significantly reduce the time and risk associated with reinstalls and data recovery.

Now that all of your important files are in one place, backing up your data should be much simpler. With the low cost of CD and DVD burners, you should be backing up your data to removable media like read/writable discs on a regular basis. There are excellent backup and recovery software packages available, but sticking to a schedule of manually backing up data should suffice for most. As an extra precaution, if your burning software allows for it, data can be verified after writing to disc for additional peace of mind.

Critical Systems and the Internet

What is the easiest way to limit attacks against a critical business system? The answer is simple -- do not connect it to an external network. This may not be practical in a small business where one computer is used to do the accounting, word processing, file storage, and web browsing. On the other hand, if your home-office computer is the same one the kids cruise the web with and play games on when you have gone to bed for the night, eventually you can count on having a serious security issue. With computers being relatively inexpensive, perhaps it is cheaper in the end to have separate machines for separate purposes.

Passwords

Is your bankcard’s PIN your birthday? Is your password the same word as your username, a simple word in an English dictionary, or even worse, blank? Do you use the same password for everything? If you answered yes to any of these questions, realize you have put yourself in jeopardy. Strong passwords, consisting of at least 6-8 random alphanumeric characters used in only one location, should be used at all times. No one carries around a single key on their key chain that starts their car, opens their house, and gets into their safety deposit boxes.

Keeping Your System Up To Date

New security vulnerabilities appear constantly within operating systems and software. Minimize these potentially devastating threats by keeping your system as up to date as possible. There is always the risk that a system may lose stability after upgrades, but this risk is usually smaller than the potential of a severe security hole in a particular application. Operating system vendors usually provide free mailing lists that notify subscribers of available security upgrades so that you can try to stay ahead of the game.

Firewalls

A firewall is hardware or software (or both) that inspects, allows, and/or blocks traffic along a particular network, usually between yourself and the Internet. The hardware that typically connects two networks together is called a router, and part of its function can be to serve as a firewall between networks. Software firewalls running on personal computers are becoming increasingly common, with many becoming simple enough for ordinary users to deploy.

Firewalls are often your best defense against intrusion from the Internet. As a result, their configuration and maintenance is best left to the professionals. The standard approach is to lock everything down initially, then gradually open "holes" in the firewall for Internet services you either use or provide to the outside.

Malicious Software

When most people think of malicious software, the term virus is often used. This is not entirely accurate as computer viruses have distinct behaviors. Malware is the general term that refers to any type of malicious software, including:

• Viruses – While there is still some debate on the exact definition of a computer virus, most agree that it refers specifically to a program that has the primary purpose to replicate using existing files, and usually to deliver a malicious payload.
• Worms – Instead of infecting existing files, a worm copies itself to spread over a network and use up system resources in the process. For example, an e-mail worm will spread from an infected computer by sending itself to all email address in the address book of the infected machine.
• Trojans – Like the Trojan Horse from Greek mythology, trojans attack by masquerading as legitimate programs hoping to obtain sensitive information from an unsuspecting user.
• Adware – This potential type of malware forces users to view ads to use certain software and is sometimes very difficult to remove from your system.
• Spyware – Spyware collects marketing information behind the scenes while you use your computer. Malicious spyware attempts to obtain sensitive information without your knowledge.

Protection from Malware

Viruses can corrupt operating systems, physically affect hard drives, and spread like wildfire destroying files. Internet worms have been responsible for shutting down major corporations. Trojans can give hackers backdoor access to your system. Worse yet, most attacks are now combinations of all three. Your single best defense against such threats is to prevent being infected by them in the first place.

Through painful experience, most people now see the benefit of having antivirus software. Antivirus software runs continually behind the scenes, scanning your system. It monitors programs running in system memory, files saving to the hard drive, and incoming email. When malware is detected, the antivirus will identify, isolate, and try to remove the offending software. If you want to think of firewalls as a locked door to your house, then antivirus software is the house’s alarm system.

Antivirus software has become commonplace, but this is only half the battle. The software needs to be continually updated as new threats emerge daily. Most programs give you the ability to automate updating the virus definitions, so there should be no excuse for not updating your software. For computers not connected to the Internet, virus definitions should be manually updated as frequently as your online systems.

Adware and spyware is slowly being considered by antivirus software as a threat, but protection is still limited. Fortunately, most spyware and adware can be removed by scanning with removal tools specifically for this threat. Until antivirus and spyware removal tools are merged into one, you will need to run both types of software protection.

SSL Encryption

The security of your computer is extremely important, but so is the security of communications with the outside world. Imagine the secrets someone can learn if they could eavesdrop on all of your telephone calls. Secure Sockets Layer, known as SSL, has become the most common technology used for encrypting data sent over a network.

Most people encounter SSL encryption when visiting "secure" websites to enter sensitive information. Such a website’s URL will begin with https:// instead of the usual http://, and your browser may inform you that any data sent to this website will be encrypted. While SSL can be used with other Internet services, secure websites are its most common employers.

Another important aspect of SSL is that it can be used to authenticate the identity of both the sender and receiver. This somewhat amazing feature is a basic component of the public-key encryption algorithm used by SSL. Cryptography is an extremely advanced subject, but in layman’s terms, it provides for the ability to "sign" messages much in the same way that your signature can identify you. These digital signatures are often referred to as certificates; website certificates are called ServerIDs, and personal certificates are called DigitalIDs.

For those of you still not bored to tears with this technical stuff, you may have realized that something is still missing when it comes to establishing trust between two unknown parties. Seeing someone’s signature is meaningless unless someone you already trust can vouch for its validity. We encounter this situation in the real world when using public notaries to officially attest to a person’s identity.

The equivalent to a public notary on the Internet is a Certificate Authority (CA). A CA will put their signature on an SSL certificate so that when you encounter a certificate signed by a recognized CA you can trust that the CA is vouching for this person or website. There are relatively few well-known Certificate Authorities that are trusted by your browser, VeriSign being possibly the most widely known to the public.

So now let’s put the whole process together. When you visit a secure website, the website sends its certificate to your browser which includes the domain name for verification signed by a recognized CA. If the domain name in the certificate does not match the name in the URL, your browser will generate a warning before allowing you to continue. This warning is also generated if the certificate is not signed by a trusted CA, or if the certificate has expired (a certificate signed by a CA is typically valid for only a year or two, and must be renewed). If you ever encounter this warning, unless you know for certain what the situation is, you cannot trust that the website is who they say they are and should stop communications with it.

Trust is considered one-way with secure websites, as they almost never require that you have a DigitalID. Most user authentication is done by other means, such as having a user account with an associated password. Requiring users to authenticate with DigitalIDs is a powerful technique, but this would require users to get their DigitalIDs signed by a CA at a certain cost to the consumer. One of the few places DigitalIDs are currently in use is with secure e-mail, though adoption has been slow by the public. Until fundamental business, government, and logistical issues are sorted out, DigitalIDs will remain being used only rarely by the general public.

Summary

The importance of security to your business demands that you take an active role in the defense of your systems. Changing your behaviors and following secure procedures are the most important things you can do to keep threats to a minimum. Consider having an experienced security expert audit your system, just as you would a chartered accountant for your financial statements. We hope this guide has increased your awareness of Internet security issues and will help you develop and action plan to deal with them in your small business.

Resources

• About.Com, "Antivirus Software"
  antivirus.about.com
  
  
• CIO.com, "Internet Security"
  www.cio.com/research/security
  
  
• Microsoft, "Trustworthy Computing: Security"
  www.microsoft.com/security
  
  
• Office of the Privacy Commissioner of Canada
  www.privcom.gc.ca
  
  
• Soltrus Inc, "Free Guides"
  www.soltrus.com/english/corporate/library.html
  
  
• Symantec Security Response
  www.sarc.com
  
  
• Thawte
  www.thawte.com
  
  
• VeriSign
  www.verisign.com

DISCLAIMER
Information contained in this document is of a general nature only and is not intended to constitute advice for any specific fact situation. Users concerned about the reliability of the information should consult directly with the source, or seek legal counsel.

Links Policy
Some of the hypertext links lead to non-federal government sites which are not subject to the Official Languages Act and the material is available in one language only.