An SMB Security Blanket — Expert Tips from HP

By Lauren Simonds
Manny Novoa, a technologist in HP's personal systems group, was kind enough to answer our security questions relating specifically to small businesses. He breaks down the types of security risks and the ways you can fight back.

SMBs hear a lot about protecting their data from internal and external threats. Could you define internal and external — and give examples of the ways these threats place a company at risk?

Many people are surprised to find that internal threats — not external — pose the greatest risk to your network. In fact, statistics show a staggering 80 percent of IT crimes originate internally. However, companies tend to fear external threats just as seriously.

Internal security threats
These can be caused by people within the company: a contractor or service provider, malicious insider, disgruntled employees or employees who have been recently terminated.

"Social Engineering" is also a new type of internal attack similar to "phishing" in which a malicious insider — with access to company information — tricks other users into providing access to restricted information.

For example, you receive an internal call from someone who claims to be from the IT group. You can confirm that person's name and position in the company directory. He proceeds to convince you that you're being moved to a new e-mail server and he apologizes for the slow network today. He tells you that in order to expedite your move, he needs your network password.

Here's another common scenario — an e-mail comes from your boss telling you to give someone else access to sensitive documents. We are social creatures, and inherently trust people we "know" — studies have shown that 70 to 80 percent of people would immediately supply their credentials.

Additionally, security could be threatened simply by careless employees who inadvertently put systems at risk by opening a virus-infected e-mail or by following self-perceived directions that they believe will protect the network when, in fact, they are deleting crucial applications.

An internal attack can range from file and data snooping, deleting valuable information, sharing private data with others (possibly external users), changing policies and database entries, and so on. Of course the extent of the attack will depend upon both the intent and the skill of the person involved. Obviously someone who is knowledgeable about the company network and its IT management practices can pose more of a threat than someone unacquainted with the environment.

External security threats
These originate from outside sources, either targeted at your company or randomly spread to your network through users or the Internet. External threats can range from Web site defacement and attacks targeting your business, to nasty viruses and worms that tunnel their way into any network and destroy or alter data and applications or monopolize system resources (denial of services) by duplicating and spreading themselves.

Trend Micro, the world's third-largest anti-virus software maker, recently reported that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that is expected to increase this year.

How can SMBs protect themselves from internal threats?

If your business has an IT manager, it's important to initiate regular internal audits to gather a comprehensive analysis of your IT infrastructure — including its hardware, operating system and applications — for vulnerabilities. Outside vendors and consultants such as HP local service providers can help those small businesses that do not have an IT department or the resources to address this critical examination.

The most crucial component of internal technology security is a well-developed security program that educates everyone in your company on the process, technology and risks associated with vulnerabilities within your IT infrastructure.

No matter how much security technology you have in place, you can't be safe without support from your employees. Make certain they understand how serious you are about security — i.e., you shall not post your password next to your monitor, or you will be fired; don't open suspicious looking e-mail, don't provide your password to anyone, not your administrator, co-worker or even IT personnel.

Data protection is also paramount. Co-workers should not be able to access each other's files unless they are given explicit permission to do so. Smaller companies with only a single piece of more expensive equipment (such as a workstation, or a small pool of notebooks for the occasional traveler) for employees to share, should create separate user accounts for any systems that will be used by more than one person.

During the Microsoft Windows 2000 and Windows XP startup process, the software lets you set up multiple-user accounts. You can also place access controls on specific folders that restrict access to certain people. These two features together help ensure that only employees with the proper network permissions can access company data.

SMBs should also protect company information with a consistent data backup program. Performing daily data backup to an onsite, or preferably off-site, storage solution protects a company from losing significant portions of its critical financial data and intellectual property. These types of storage solutions range from very easy-to-use, low-cost tape backup products to more advanced storage arrays for archiving mass amounts of data.

And what about external threats?

To protect your small business from external security threats, institute a few basic precautions including firewalls, data protection, virus protection and patch management.

External and internal firewalls are both important to handle intrusion detection, which entails notifying the user of the nature and source of an attack in progress. It's advisable to apply a personal firewall on each system in addition to any appliance or company/centralized firewall.

This is especially important for mobile devices — such as laptops — that employees use for business travel and may use with broadband connections in hotels or cybercafes. Many of the personal firewall products notify the user when software on the device requests Internet access. This prevents certain viruses, games, etc. from inadvertently uploading data from your device.

HP offers customers three types of personal firewalls — standalone (software installed), appliance-based, and agent-based (software from a central policy server) — so small and medium businesses can choose which type best fits their IT infrastructure.

Data Protection
In the case of theft or loss of a notebook or handheld device, it's the data that becomes the clear concern, and not so much the loss of the physical device. For example, HP provides a DriveLock feature on notebooks that prevents the hard drive from working unless the user enters his password. That means a thief can't just access the data by plugging the hard drive into another machine.

HP provides different authentication options — ways for employees to identify themselves. These work well in situations where passwords won't work because a company must change them frequently.

HP desktop and notebook PCs use the HP ProtectTools Embedded Security feature — an embedded hardware chip built to the Trusted Computing Group standard. This chip provides enhanced data encryption and system authentication, keeping data safe and ensuring that only PCs you've authorized have access to your network.

Smart Cards, credit-card-like security devices, combine both a physical element that an employee keeps (a Smart Card) with a password only the employee knows. The HP ProtectTools Smart Card Security solution features a pre-boot, power-on technology that requires the employee to insert the Smart Card before the system starts up.

This prevents data thieves from giving themselves authorization to your computer systems, which can be done quickly through a computer program if a Smart Card is only used for network authentication, as most traditional Smart Cards do.

You could also use a software solution that requires employees to implement data encryption on any sensitive company data, presentations or e-mail as an added barrier to accessing data. Features built into Microsoft Windows 2000 and Windows XP can encrypt data, as well as many third party products.

Virus Protection
Many anti-virus vendors now offer security solution suites that include firewall safety, e-mail protection, live updates and intrusion protection. Virus scanners and personal firewalls not only keep "outsiders" off your networks, they enforce policies that can prevent viruses and worms from spreading throughout your systems.

Patch Management
Glitches or bugs discovered in software after it ships may leave a system or network vulnerable to attack, so it's critical to maintain timely patch management.

Even a virus utility or personal firewall is only as good as the last update for "known" attacks. Proactive policies must be put in place that either "force" users to update patches periodically or that automate the update process. IT vendors offer a variety of technology patch management solutions to facilitate the process.

More security questions continued on page 2

This article was originally published on August 26, 2004