Saturday, January 6, 2007

Fourteen Key Questions about Computer Safety for Your Home and Business

Courtesy of Etienne A. Gibbs, MSW
Internet Safety Advocate and Educator
www.SayNotoHackersandSpyware.com/

Safety technology is only a part of an overall safety plan. If you use your computer in your small business or home-based business, or simply use it to surf the Internet, or email your friends and family, then developing a comprehensive safety plan should be a very important part of your overall safety strategy to protect your personal and financial files and those of your family. The best move is one of Prevention! Prevention! Prevention!

With that in mind, allow me to share with you 14 questions you need to be asking, or, at least, be thinking about, if you're serious about preventing or stopping safety attacks, risks, and threats:

1. Do I have a solid safety policy? If you don't, begin immediately to get sample safety plans, policies, and best practices for your business and/or home. You may want to search Google using the keywords, “computer safety plans”, for a list of online resources.

2. Where would I go for key information and news on keeping my information private? Search the Internet for “managed computer safety services”. Ask the sources you select if they provide a free computer test to assess your computer's level of vulnerability. Also ask them if they provide the latest tips on how to keep your privacy and protect your personal information and that of your business. Or simply - ask me.

3. Does my disaster recovery plan include redundant backup and data recovery systems? Understand what a good data backup system is and how best to recover from a disaster. Search Google or Wikipedia using the keywords, “good data back up system”.

4. Do I know how to create safe passwords? Learn how to write virtually un-crackable passwords. Search Google using the keywords, “writing safe passwords”, for a full list of legitimate and bona fide sources of this educational information.

5. What or who is a hacker? A person who uses and/or creates software technology to break into the computers of individuals, businesses, government, and organizations for personal gain is known as a hacker. After he, she, or they hack into a computer, they can control it secretly by remote, making it a "zombie computer".

6. What is "drive-by hacking"? Because wireless Internet access points have become popular for homes and businesses, computers at these locations have become a major target for hackers. In this new phenomenon, called "drive-by hacking", hackers simply take their laptop computers in their cars and drive through business parks or residential neighborhoods remotely scanning for open wireless networks. (And they don’t even have to enter your home or business to steal your valuable information.)

7. How do hackers break into home and business computers? If they don't have the break-in software, they can buy it off the black market, or create it themselves. With this technology, they use their malicious software to look for holes in the computers of their targeted victims. This is what hackers in Malaysia are doing with the new Microsoft Windows Vista.

8. To what extent might my home or business computers be vulnerable to hackers, their tools, viruses, etc.? You’ll never know unless you take the time to test your computers to see which holes are open and through which backdoors (any of up to 65,000 ports) malware is entering your computer. If your son or daughter is downloading free music, games, or screensavers, more than likely they are also downloading hidden spyware. (That’s why it’s called spyware.) Again, this is what they are doing with the new Microsoft Windows Vista.

9. I have all the safety measures, anti-virus, anti-spyware, and firewall I need. Can my computer still be hit by hackers and other PC-disabling attacks, risks, and threats? Again, depending on the safety measures you have on your computer and the sophistication of the hacker's software program, your computer(s) might or might not be compromised. Remember: Cybercriminals are superintelligent criminals! They somehow always seem to stay one step ahead of authorities and anti-cybercriminal software.

10. What do I do if my employees or family members are my biggest safety risk? Sad, but true, the Federal Trade Commission has reported that employees have stolen something more valuable than money from their employers. Learn about social engineering and insider hacking. Or simply - ask me.

11. How do I train my employees or family members to be safe? Get all leading research on what to teach about safety. Or simply - ask me.

12. Would I know if someone tries to hack into my computer? Depending on the safety measures you have on your computer and the sophistication of the hacker's software program(s), you might or might not be aware. Using keylogging programs, these cybercriminals can secretly see and record every keystroke you enter on your computer, thereby gaining access to all your private and personal information without your knowledge.

13. In case someone does hack into my computer(s) and steals my (or my family’s) identity, what chances of recovery do I have? It all depends upon the severity of the damage done and the time that has elapsed before discovery. Search for a company that offers comprehensive identity recovery services (including all types of identity theft, not just your credit); one that will continue to work on your behalf until your identity has been restored to its pre-theft status; and one that includes $25,000 identity theft expense reimbursement insurance. Be sure that the company also includes in its services full identity monitoring (the proactive monitoring of all forms of identity theft, including credit fraud); and have fully trained professionals to handle it all for you from beginning to end so you won’t have to. Or simply - ask me.

14. Where can I find comprehensive services that will give me full protection of my identity, my financial records, and my computers, and for my family, all at the same time? I do not know of any one company offering a fully comprehensive set of managed care services except one. If you do not already have access to such a service, one that offers unlimited service by subscription; a set-up service to ensure that the software programs are set up properly on your computers; a full-service legal plan for you and your family for any legal issue, with free services including simple wills, unlimited phone and face-to-face consultations, legal document reviews, and discounted and fixed legal fees for extensive legal matters and representation; ongoing service with the first month free, including automatic software updates, free software upgrades, identity theft insurance, and safety advisory alerts; and fast, easy, and unlimited telephone access to technical support, ask me how to obtain yours.

Obviously if you have to ask these questions, you need to take immediate steps to plug the holes and cover the gaps. So, here are some steps you can take immediately to implement, or improve, your present safety measures:
  • Learn all you can about hackers and the tools they use to invade your privacy and cause problems. Subscribe to a comprehensive source of Internet safety research, news and information for small and mid-sized businesses and organizations, or other professionals.

  • Take advantage of the research already done. Get access to information about the leading topics in the safety field, including hackers and hacker tools, viruses, data backup, writing good passwords, government and legal issues, protecting from insider hacking - and more.

  • Need help creating a safety plan for your organization or business? Take advantage of professional safety consulting and training, by telephone or through on-site visits. Get vulnerability assessments, employee training, safety implementation, and much more.

Because hackers, cyberpredators, and other cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal safety and privacy. Your money, your computer, your family, and your business are all at risk.

Remember: When you say No! to hackers and spyware, everyone wins! When you don't, we all lose!

© MMVIII, Etienne A. Gibbs, MSW
Your Internet Safety Advocate and Educator

Friday, January 5, 2007

Join Me in My Campaign for Computer Safety for Your Home and Business

Courtesy of Etienne A. Gibbs, MSW
Internet Safety Advocate and Educator
www.SayNotoHackersandSpyware.com/

I'm sick and tired of hackers, viruses, and spyware shutting down computers and websites on the Internet. Since my computer was hit by a hacker, virus, or spyware that shut it down just before Thanksgiving last year, it hasn't been compromised since. It's been attacked countless times, but I'm glad to say that it hasn't been compromised. Not ever! That's because I subscribe to a comprehensive managed security service.

Although the Internet basically provides a positive and productive experience, cyber-attacks against our personal privacy and security are reaching epidemic proportions. These attacks are occurring in our own homes and businesses. Our own computers are being used as zombies to attack other people, businesses, and even our nation itself. As an average Internet user, you may not be aware of these threats nor have any idea about the dramatically increasing risks you face when connected to the Internet.

Even Xianz, a family-friendly and safe Christian site, has been hit by scammers and hackers. You might have been attacked yourself or might have seen or responded to the Scammer Alerts I initiated in order to warn, educate, and protect fellow-members.

Now I'm on a campaign for internet safety awareness and protection. My mission is to bring critical awareness to individuals, families, and small business owners, and to provide access to the necessary tools and ongoing expertise to secure your computer and help you stay protected.

I invite you to join the many thousands of others who have tested their computers, discovered these threats are real, and taken the necessary steps to protect themselves.

Take a free test to see what hackers, viruses, and spyware are hiding in your computer. Just click on the following link to go to:

www.SayNotoHackersandSpyware.com/

Once there, click on the red Test button.

Now that you have become aware of these issues, I encourage you to share this vital information with your families, friends and communities. Together, we can reach many millions of people and inform them about the threats to their privacy and security, and help them get the protection they desperately need.

Remember: When you say No to hackers, viruses, and spyware, everyone wins! When you don't, we all lose!

© MMVIII, Etienne A. Gibbs, MSW
Your Internet Safety Advocate and Educator

Thursday, January 4, 2007

Why "Free" Software You Downloaded Isn't Free

Courtesy of Etienne A. Gibbs, MSW
Internet Safety Advocate and Educator
www.SayNotoHackersandSpyware.com/

The following is presented in response to a comment made by one of my friends on my blog.

Here's what she had to say:

    What about those that can't afford to get internet security and download free programs to protect themselves the best way they know how? Is there a safe website you can go to, to get internet security? We all know the threats are out there, but what programs or internet security can one use to better protect themselves against such threats? Sometimes downloading free software is not safe either.

My reply:

Thanks for your comments, but it isn't business people alone who need protection. And the cybercriminals know this! That's one of the reasons they give away nicely packaged "free" software disguised as toolbars, screensavers, and thousands of other "freebies". It may be free to you, but it's loaded with their spyware.

Just like going online takes a subscription to your local ISP (Internet Service Provider) for either dial-up, cable, or DSL service, so, too, will it be in the near future for the average Internet user to protect himself from these cybercriminals. Before long, the average user will be investing in security subscriptions. (I do now and have not had to worry about a thing.)

Like anything else, if you value your computer and being safe online, then you will need to invest in a quality security service. There's no way around it, thanks to the cunning hackers and cybercriminals!

Be careful though, cybercriminals, many out of Russia and the Far East, will sell low-cost or give away their free "security protection" software. Again, this is a smoke screen to allow them to get inside your computer.

"Sometimes downloading free software is not safe."

Just like you have to buy gas to make your car run, or insurance to keep it running legally, so, too, you will have to do when it comes to protecting your ID, your personal information, and most importantly, your family. This is the only way to stop hackers and cybercriminals.

Unwanted advertising software or "adware" has evolved from an annoyance into a serious threat to the future of the Internet.

Why? Every day, thousands of Internet users are duped into downloading adware programs they neither want nor need. Once installed, the programs bog down the computers' normal functions, deluging users with pop-up advertisements, creating privacy and security risks, and generally diminishing the quality of the online experience.

Some users simply give up on the Internet altogether after their computers are rendered useless by the installation of dozens of unwanted programs.

To read about adware's Dirty Little Secret, go to: www.cdt.org/privacy/20060320adware.pdf

Remember: When you say No to hackers and spyware, everyone wins! When you don't, we all lose!

© MMVIII, Etienne A. Gibbs, MSW
Your Internet Safety Advocate and Educator

Wednesday, January 3, 2007

Are Predators Lurking on Your Child's Social Networking Sites?

Etienne A. Gibbs, MSW, Internet Safety Advocate and Educator
www.SayNotoHackersandSpyware.com/

MySpace, Facebook, BlackPlanet, and other social networking sites are thriving communities where anyone can spend countless hours meeting new people, making friends, chatting, and exchanging pictures. Young people especially flock to these sites to build their own 15 minutes of fame. But, sadly, these sites also have become hangouts for child predators, child pornographers, and other cybercriminals.

To stay one step ahead of authorities, these cybercriminals use tricks to conceal their identities online. One of the most common is lying about their ages, claiming to be younger than they are. And to hide their IP addresses and locations, predators and other cybercriminals often piggyback on Wi-Fi connections or use proxy servers. They use decentralized peer-to-peer networks to prevent material from being tracked to a specific server. They also use encryption to allow them to keep online chats private from those policing the Web. When law enforcement, ISPs, and others take down the websites of these pedophiles, predators, and cybercriminals, it's not long before they're back up, hosted by a different service.

Skillful with their cell phones, instant messaging accounts, and with access to personal computers at home and school, young people are easy targets for sexual predators. Too many of them are ready and willing to share personal information online without a thought to how it might be misused by others. The National Center for Missing and Exploited Children reports that one in five kids online has been solicited or enticed. Reports of child pornography on the center's CyberTipline have increased six of the last seven years.

Business and technology professionals may think of online child safety as a family issue, but it's a workplace issue, too. Social networks aren't just a teen phenomenon. A recent survey by Web filtering company, Websense, found that 8% of respondents visit social networking sites while at work. Companies can use Web filters to limit access to the sites, though Websense says its customers don't seem overly concerned. Whiling away company time on social networks is a productivity issue; luring children for sex is a criminal one.

There's little evidence that sexual predators are trolling from workplace personal computers, but it's been known to happen. In 2003, a Cincinnati-area police chief admitted to soliciting sex from someone he thought was a 15-year-old, using his work computer. And a deputy press secretary at the Department of Homeland Security, arrested in March for attempting to seduce a child, had his workplace computer seized as part of the investigation and had given the number of his government-issued cell phone to a police officer posing as a 14-year-old girl.

Child porn stored on company computers and servers has been a bigger problem. Filtering and blocking can help keep the images off networks, though it's not failsafe. Keyword and URL-based filters have spotty coverage. Other software scans images for limbs and skin tones and blocks pictures it identifies as porn, but skin often takes up too little of the photographs, and innocuous material can be inadvertently blocked.

The Internet Crimes Against Children program last year investigated 2,329 cases of enticement and of predators traveling to meet minors, and 252,000 cases of child pornography. Yet those numbers provide just a glimpse of the activity, since many local police forces are too small to investigate child porn. "It's absolutely overwhelming," says Brad Russ, director of The Internet Crimes Against Children's training and technical assistance program, which trains 1,000 officers each year. "The scope and the scale of the problem far exceed our capacity." Intensifying the epidemic is that more than half the world has no laws dealing with child pornography.

Vigilante groups are fighting back. In January, NBC's Dateline featured a report about one such group, Perverted-Justice.org, which set up a sting that resulted in 51 men being busted in three nights. The group hasn't seen one acquittal from those it's helped bring to justice, and nearly all of its work is done with law enforcement. Yet some in law enforcement are wary of such efforts. "We certainly take any information that anyone has regarding an offender," says Randy Newcomb, an investigator with the New York State Police in Canandaigua, N.Y. However, vigilantes expose themselves to liability for entrapment or possession of child porn and might not properly maintain digital evidence, Newcomb says.

Putting filtering and monitoring software on kids' computers provides some protection. SearchHelp's Sentry line, for example, blocks Web sites based on keywords and creates a log of visited sites. It also lets parents and other guardians monitor a child's activity from other computers. Parents can be notified of violations via email or cell phone. Sentry also monitors IM conversations, using expertise culled from law enforcement to flag phrases commonly used by predators.

Any information technology professional knows the limitations of such tools. The filters don't work perfectly, and even if kids post and browse safely, social networking sites present a new set of problems. Profiles on the sites often link to other online information sources, providing the type of data a fixated predator might use to locate a child, such as a school name, says Michelle Collins, a unit director at The National Center for Missing and Exploited Children.

Investigator Newcomb spoke to an auditorium of elementary schoolers in western New York. When he asked kids in the audience how many of them had more than 200 friends on their online buddy list, a bunch of hands shot up.

Out of those, he asked how many have only friends on that list they can put a face to, and half of the hands remained raised.

Finally, he asked if any of the kids had ever gone and met someone they'd got to know online, and a few hands were raised. "That's just totally frightening to me," Newcomb says. "The superintendent looked like his eyes were going to pop out of his head."

It may take a village to raise a child, but in a world of online social networking, decentralized networks and servers, and increasingly tech-savvy child predators, it's going to take a united effort among government, industry, and families to keep them safe. To protect your child, you need an Internet security team of experts making sure that you, your family, and your business computer are always safe and secure.

The best protection you can have in today's rapidly changing world of cyber-attacks is to have expert support for all your Internet security needs that will provide technical support without any hassles and without charging you extra fees. It will become even more critical than it is today as time goes on. You need to find your own personal team of experts to rely on. If you ever have a security problem, you will want to have a trusted expert you can call for professional help, without any hassles and extra costs!

Remember: When you say No to hackers and spyware, everyone wins! When you don't, we all lose.

© MMVIII, Etienne A. Gibbs, MSW
Your Internet Safety Advocate and Educator

Tuesday, January 2, 2007

A Five-Step Plan to Help You Stay Ahead of Security Attacks, Risks, and Threats

Etienne A. Gibbs, MSW, Internet Safety Advocate and Educator
www.SayNotoHackersandSpyware.com/

The University of Georgia's network security system fights off 80,000 to 90,000 potential attacks daily. At the Bank of New York, sensors catch millions of security "events" in a month, and "we don't even treat the scripts that run out there or worms flowing across the Internet at any point in time as an incident because they are not entering the network," notes Eric Guerrino, the bank's head of information security.

With all the threats floating around in the cyberjungle, how do you sniff out a serious Information Technology security breach? The best defense requires a mix of technology muscle and human interpretive skills. Detection systems are essential tools, but it's up to professionals to make some informed distinctions.

I have put together five steps that you can take into consideration when evaluating your home or business computer systems. These steps will be presented in five parts. Now, let's begin:

Step No. 1: Let the Bells and Whistles Alert You about the Initial Attack

The Bank of New York's incident-response team sizes up threats based on some critical calculations: the probability of imminent attack, the probability that an attack will succeed once attempted and the potential damage of the attack if it proves successful; the location of the potential targets, the host operating systems and their associated vulnerability to the attack; and the sensitivity of the data residing on affected devices.

What gives an organization the best chance to safeguard itself? The critical elements include multiple levels of traditional and emerging security monitoring tools; an analysis system capable of crunching copious amounts of event data; and the ability to process observations from employees and customers.

Firewalls and intrusion-detection systems are the old reliables of detection technology. Standing at the intersection of internal networks and the public Internet, firewalls are the established first barrier to external attacks. Intrusion-detection systems, which joined the security force in the late 1990s, monitor networks for suspicious activity. Intrusion-prevention systems go a step further, monitoring traffic and then initiating an automated response, such as dropping a particular packet of data.

Old-school intrusion-detection systems identify threats based on the signatures of known attacks. But some new threats are too nimble for that: So-called "zero-day" attacks occur at the same time vulnerability is discovered, leaving no time for the creation and distribution of signatures.

To address this, security teams have supplemented signature-based systems with behavior-based detection technologies, which establish a baseline of normal network traffic. The systems then search for anomalous patterns, for example, traffic coming from a network at a time when no one should be using it, helpful in flagging previously unknown types of attacks.
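As an added example (not from the article or the organizations it quotes), the Python sketch below builds an hourly traffic baseline from a constructed week of flow summaries and flags an observation that breaks the pattern, the off-hours traffic the paragraph describes. The subnet, counts and thresholds are constructed assumptions.

```python
"""Behavior-based (anomaly) detection over hourly connection counts.

Added example: a per-hour-of-day baseline is learned from a constructed
"normal" week, then a new day's observations are compared against it.
All flow records, the subnet and the thresholds are invented.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline week: (timestamp, source subnet, connections seen).
# The office subnet is busy 08:00-18:00 and nearly idle overnight.
BASELINE_FLOWS = []
for day in range(1, 8):                      # 2007-01-01 .. 2007-01-07
    for hour in range(24):
        busy = 8 <= hour < 18
        count = 400 + 20 * (hour % 5) if busy else 3 + (day % 3)
        BASELINE_FLOWS.append((f"2007-01-0{day}T{hour:02d}:00:00", "10.1.20.0/24", count))

# Constructed day under observation: the quiet subnet suddenly talks at 03:00.
OBSERVED_FLOWS = [
    ("2007-01-08T03:00:00", "10.1.20.0/24", 95),   # anomalous: idle hour
    ("2007-01-08T10:00:00", "10.1.20.0/24", 410),  # ordinary business traffic
    ("2007-01-08T23:00:00", "10.1.20.0/24", 4),    # ordinary night noise
]


def build_baseline(flows):
    """Return {(subnet, hour): (mean, stdev)} from historical flow summaries."""
    samples = defaultdict(list)
    for ts, subnet, count in flows:
        hour = datetime.fromisoformat(ts).hour
        samples[(subnet, hour)].append(count)
    return {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}


def detect_anomalies(baseline, flows, sigmas=3.0, min_delta=20):
    """Flag observations more than `sigmas` standard deviations above the
    hourly baseline AND at least `min_delta` connections above it, so that
    hours with an almost constant history (stdev near zero) do not alarm
    on a handful of extra connections. Subnet/hour pairs with no history
    are flagged too, since nothing is known about them.
    Returns a list of (timestamp, subnet, observed, expected_mean).
    """
    anomalies = []
    for ts, subnet, count in flows:
        hour = datetime.fromisoformat(ts).hour
        if (subnet, hour) not in baseline:
            anomalies.append((ts, subnet, count, None))
            continue
        mu, sigma = baseline[(subnet, hour)]
        if count > mu + sigmas * sigma and count - mu >= min_delta:
            anomalies.append((ts, subnet, count, mu))
    return anomalies


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for ts, subnet, seen, expected in detect_anomalies(base, OBSERVED_FLOWS):
        print(f"{ts} {subnet}: {seen} connections, hourly baseline {expected}")
```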

In responding to zero-day exploits, their biggest concern, Bank of New York deploys hundreds of intrusion-detection and intrusion-prevention sensors that record events on a daily basis. Its intrusion-detection/prevention systems shield the bank from the vast majority of exploits, and only a fraction of the events warrant a security-breach investigation.

The University of Georgia also uses an intrusion-detection/prevention combination. The university operates a Security Operations Center that monitors its intrusion systems around the clock and also minds firewalls, virtual private networks and other security products.

Step No. 2: Follow the Threat to Its Source

When an alert shows up on a security manager's console, it's as if someone set off an alarm, says Morrow, the Chief Security and Privacy Officer for Electronic Data Systems Corp. The security group's first question is obvious: Where is the problem? But finding the answer requires ingenuity. There's no single surefire method for finding a security breach and nailing down its scope.

The task is still more art than science. Event logs generated by firewalls and early warning intrusion-detection/prevention systems give security analysts one route of inquiry. And the demand for tools that help correlate the mass of security data held by the various systems is growing. Security experts advise looking at security information and event management software, which helps security managers detect incidents, for clues that may help identify the source of the attack as well.

Security information and event management software rolls up alerts from firewalls and intrusion-detection/prevention systems, along with event data from antivirus products, databases, Web servers and elsewhere. It offers two tracks to get to the source. One is its visualization portion, which looks like a large, continuously scrolling spreadsheet and provides some amount of detail on a network attack, detected virus or other event, including the Internet Protocol address of the affected equipment and the device name.

The initial information gives a basic sketch of the problem and where it may exist. Every device connected to a network is identified by an Internet Protocol address that can guide security personnel to the general areas requiring investigation. However, there are limitations to this line of inquiry; one is a lack of context. What does the IP address mean? Where is it and who is using it?

The other limitation is that an attack may spoof the IP address. Security analysts thus have to dig deeper into the second source, the event logs, which contain more finely grained detail. They'll be looking for Media Access Control addresses, which identify network nodes, to see if a given IP address is correct and valid, Lawson explains. The logs also will provide details on how an attack progressed through a network. By examining the firewalls and routers and operating systems, analysts can piece together how many Media Access Control addresses, Internet Protocol addresses and routers were targeted in a given incident, Lawson says.
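To show the IP-to-MAC validation described above in code, here is an added Python example (not the article's own material) that correlates constructed firewall alert, DHCP lease and ARP log lines; the devices, addresses, signature name and log field names are invented for illustration.

```python
"""Correlate firewall alerts with DHCP and ARP logs to validate a source IP.

Added example: an alert names a source IP, the DHCP lease says which MAC
should hold that IP, and ARP observations show which MACs actually claimed
it. Disagreement points at a spoofed or duplicated address. Every log line
below is constructed; the 'ts device KIND k=v ...' layout is an assumption.
"""
import re
from collections import defaultdict

LOG_LINES = """\
2007-01-08T02:50:01 dhcp01 LEASE ip=10.1.20.57 mac=00:1a:4b:11:22:33 host=ws-finance-12
2007-01-08T02:50:09 dhcp01 LEASE ip=10.1.20.58 mac=00:1a:4b:44:55:66 host=ws-finance-13
2007-01-08T03:12:40 sw-core ARP ip=10.1.20.57 mac=00:1a:4b:11:22:33
2007-01-08T03:12:41 sw-core ARP ip=10.1.20.57 mac=00:0c:29:aa:bb:cc
2007-01-08T03:12:44 fw01 ALERT src=10.1.20.57 dst=10.1.5.9 dport=445 sig=smb-probe
2007-01-08T03:13:02 sw-core ARP ip=10.1.20.58 mac=00:1a:4b:44:55:66
2007-01-08T03:13:05 fw01 ALERT src=10.1.20.58 dst=10.1.5.9 dport=445 sig=smb-probe
2007-01-08T03:14:10 fw01 ALERT src=10.1.20.99 dst=10.1.5.9 dport=445 sig=smb-probe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<kind>[A-Z]+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(lines):
    """Turn each 'ts device KIND k=v k=v' line into a dict; skip malformed lines."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "dev": m["dev"], "kind": m["kind"]}
        ev.update(dict(KV_RE.findall(m["fields"])))
        events.append(ev)
    return events


def correlate(events):
    """Return {alert_source_ip: finding} judging whether each alert's source
    IP was actually held by the MAC the DHCP server leased it to."""
    leases = {e["ip"]: e for e in events if e["kind"] == "LEASE"}
    arp_macs = defaultdict(set)
    for e in events:
        if e["kind"] == "ARP":
            arp_macs[e["ip"]].add(e["mac"])

    findings = {}
    for e in events:
        if e["kind"] != "ALERT":
            continue
        ip = e["src"]
        lease = leases.get(ip)
        seen = arp_macs.get(ip, set())
        if lease is None:
            verdict = "unknown-host"        # no lease: rogue or static device
        elif seen == {lease["mac"]}:
            verdict = "consistent"          # ARP agrees with the lease
        elif lease["mac"] in seen:
            verdict = "ip-mac-conflict"     # a second MAC also claimed the IP
        else:
            verdict = "ip-mac-mismatch"     # lease holder never seen on the wire
        findings[ip] = {
            "verdict": verdict,
            "host": lease["host"] if lease else None,
            "expected_mac": lease["mac"] if lease else None,
            "observed_macs": sorted(seen),
            "signature": e.get("sig"),
        }
    return findings


def incident_scope(findings):
    """Count distinct IPs and MACs an incident touched, the 'how many
    addresses were targeted' question analysts answer from the logs."""
    macs = set()
    for f in findings.values():
        macs.update(f["observed_macs"])
    return {"ips": len(findings), "macs": len(macs)}


if __name__ == "__main__":
    results = correlate(parse(LOG_LINES))
    for ip, f in sorted(results.items()):
        print(ip, f["verdict"], f["host"], f["observed_macs"])
    print(incident_scope(results))
```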

Security personnel need information beyond the alert itself. A good security information and event management system will archive logs from different security devices, routers and operating systems. A security information and event management system's data gives the security team direction; after that, they must still physically find the affected system.

A configuration management database, which holds information about the components of an organization's information-technology infrastructure, can help. By identifying components and their status, the database helps security managers zero in on the source of trouble, though that doesn't mean all devices are easy to find; a laptop plugged into the corporate network by a temporary worker or other visitor will be elusive.

For all the automated sleuthing, a certain percentage of devices will be discovered only by simple hands-on crawling through offices, plugging and unplugging things. When it comes to detecting an attack, human intelligence must support automated systems in determining the scope and severity of an attack. Security managers say they seek out the affected asset's owner.

Determining the appropriate response means taking the attack's venom into account. Besides wanting to know how many systems are affected and the location of the attack, security personnel also seek to determine the insidiousness of the attack. They will want to know if it is a random exploit or a botnet propagating through the network and reporting information back to somebody or some organization through an IRC (Internet Relay Chat) channel. Something like that is much more impactful.

While corporate security groups chase down incursions when they happen, they've tried to become more proactive, looking for and fixing weak spots before attacks occur with the help of vulnerability management tools. Like intrusion-detection sensors and firewalls, these tools may feed into security information and event management systems and configuration engines.

Many organizations scan for vulnerabilities on a regular basis, allowing security personnel to determine which systems are vulnerable to attack and patch accordingly.

Step No. 3: Implement An Incident Response Plan at Home and at Work

When a security incident occurs, it's the information technology security group's job to respond. Among the group's first assignments: Determine whether an alert represents a serious incident or a false alarm. Security managers may call upon internal experts or external help from antivirus vendors and various intelligence services, which provide reports on computer security threats.

UPS subscribes to a number of such services and maintains a strategic relationship with an antivirus vendor. The relationships help UPS stay on top of the threat environment, which puts the company in a position to react ahead of time.

But the knowledge flows in both directions. When UPS discovered a variant of the Zotob worm, the company notified its antivirus vendor. Zotob achieved notoriety in August 2005 when it hit CNN and The New York Times, among others.

An alert that reaches full-blown incident status triggers an organization's response plan, assuming it has one. Security experts say large enterprises typically do maintain some type of formal response plan, though incident response varies widely. Some response plans, governed by extensive steps and checklists, become so choreographed that they are almost restrictive. The other extreme is no choreography, which results in a "mad dance." The best fit? Follow a middle path. The University of Georgia follows established incident-handling protocols, based on documentation from the National Institute of Standards and Technology (NIST) and the SANS Institute.

NIST's Computer Security Resource Center publishes a range of security policy guidelines, some of which touch on incident response. The SANS Institute, in conjunction with the Center for Internet Security, offers the Security Consensus Operational Readiness Evaluation, which seeks to provide a minimum standard for information security procedures and checklists. ISO 17799, which provides guidelines for security management, also covers incident management.

At some organizations, a computer incident response team (CIRT) puts the response plan into action. The corporate security chief generally heads the CIRT, but some companies prefer to tap an experienced outsider to manage response activity, so that one person doesn't wear two hats in a crisis.

The CIRT team consists of I.T. security specialists, either internal or external, and people with other areas of expertise. Miracle says CIRT usually includes desktop gurus, server managers, and help-desk representatives. The CIRT members' responsibilities are determined in advance. "In real time, you can't have people arguing ... that you can't shut that server down," Miracle explains. He adds that some companies hire consultants to help establish roles and get different groups across the organization to buy into the plan.

While the CIRT team may have broad influence, its physical reach may be limited. To address this issue, the University of Georgia's security group has deputized security liaisons in each of the institution's 14 colleges. Each college has a different security parameter, but through the use of institutional policies, standards and processes, the university has been able to set a security baseline. A security liaison also represents the university's administrative users.

For malware cleanup, an organization may choose to reload a fresh software image rather than delete the offending code. More companies choose such "brute-force methods" because they find it less arduous than potentially spending hours cleaning infected files from a system.

Brute force or not, cleanup comes to a halt when an incident calls for a forensics examination. During an ongoing network attack, the organization must decide whether to let the incursion continue to aid its investigation or cut it off to minimize damage. Technology and business leaders must weigh whether the investigative process outweighs the risk to the network.

Sometimes it's strictly a business decision, but criminal cases may involve external authorities such as the FBI, or state authorities.

Because organizations may lack the specialized staff to investigate computer crime, forensics is frequently outsourced. Banks, for example, handle most response tasks internally, but may call in a forensics specialist if an incident looks like something that might lead to litigation. An event such as theft of service could spark a forensics investigation, but could also be treated as an employee matter if the theft occurs internally. Some banks have a retainer-like contract with a forensics services firm that gathers evidence and maintains the chain of custody.

While investigation and remediation activities continue, incident responders, ideally, keep lines of communication open with key constituencies. The CIRT team, for instance, notifies line-of-business managers of a problem so they can inform their customers.

Step No. 4: Dealing Effectively with Corporate Management

Picking up the phone to call the C-level suite ranks as the most delicate part of a security team's communications plan. Discernment is crucial in deciding when and how to inform the powers that be. Top executives need to be in the security loop, but the sky will fall on the security officer who issues one too many false alarms.

The false alarm rate reported to business people has to be low for warnings to be taken seriously. If a security shop warns erroneously more than twice a year, people tend to ignore the next one. The experience and intuition of the security manager play a major role, along with knowing what is of interest to senior executives and what is not.

The University of Georgia's triage team always assesses the scope and severity of an incident before contacting higher-ups. M&T Bank ranks incident severity on a 1-to-4 scale, with Level 1 deemed the most critical. A Level 1 incident must involve at least one of the following: unauthorized disclosure, modification, destruction or deletion of sensitive information or data; disruption of business continuity and critical business processes or communication; an impact on the long-term public perception of the organization; or identity theft of an individual or group.

In response to a Level 1 incident, the manager of the resources involved is instructed to cease use of the resources until the bank's incident response coordinator makes contact and provides further instruction.

At New York Presbyterian Hospital, the priority of an incident rises as a particular segment of a network becomes sluggish, and then escalates up to the point where there is a complete disruption of service which has to be reported. At the health-care facility, any incident that could potentially affect patient care must be communicated upward as well. Incidents all get reported, but not at the level of individual viruses and not every day.

At Pitney Bowes, context counts. An attack involving one application may sound small, but if that application is a key enterprise system that impacts many people, it may become a need-to-know incident. Incidents judged not to rate the C-level executives' immediate attention are periodically summarized and presented to them in a group.

Some security professionals provide an incident summary to a board-level committee of senior executives every six months. The summary includes the number of incidents by category, including unauthorized access, disclosure, usage, or destruction; loss or theft of information or equipment containing information; service disruptions; and copyright or trademark infringements. Incidents are further classified by impact and severity.
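The severity scale and the periodic board-level summary described above, as an added example that is not from the article or from any of the organizations it mentions: the four Level 1 triggers follow the criteria quoted for M&T Bank, while the footprint thresholds for Levels 2 through 4, the category names and the incident records are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed example. The four Level 1 triggers follow the criteria quoted in the text;
# the thresholds for Levels 2-4 are an assumption for illustration, not any bank's rules.
LEVEL1_TRIGGERS = {
    "sensitive_data_compromised",  # unauthorized disclosure, modification, destruction or deletion
    "critical_process_disrupted",  # business continuity / critical process or communication disrupted
    "reputation_impact",           # long-term public perception affected
    "identity_theft",              # identity theft of an individual or group
}

@dataclass
class Incident:
    ident: str
    category: str                  # e.g. "unauthorized_access", "service_disruption", "loss_or_theft"
    flags: set = field(default_factory=set)
    hosts_affected: int = 1

def severity(inc):
    """1 = most critical .. 4 = least. Level 1 needs at least one trigger; lower levels
    are scaled by footprint (assumed thresholds)."""
    if inc.flags & LEVEL1_TRIGGERS:
        return 1
    if inc.hosts_affected >= 50:
        return 2
    if inc.hosts_affected >= 5:
        return 3
    return 4

def escalate_now(inc):
    """Level 1: the resource owner stops using the resource and waits for the coordinator."""
    return severity(inc) == 1

def summarize(incidents):
    """Periodic summary for a board-level committee: counts by category and by severity,
    plus the identifiers that were escalated immediately rather than batched."""
    return {
        "by_category": dict(Counter(i.category for i in incidents)),
        "by_severity": dict(sorted(Counter(severity(i) for i in incidents).items())),
        "escalated": [i.ident for i in incidents if escalate_now(i)],
    }

# Constructed sample incidents (identifiers and numbers are made up).
SAMPLE = [
    Incident("INC-001", "unauthorized_access", {"sensitive_data_compromised"}),
    Incident("INC-002", "service_disruption", hosts_affected=120),
    Incident("INC-003", "loss_or_theft", {"identity_theft"}),
    Incident("INC-004", "unauthorized_usage", hosts_affected=2),
    Incident("INC-005", "ip_infringement", hosts_affected=7),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.ident, "level", severity(inc), "escalate" if escalate_now(inc) else "batch")
    print(summarize(SAMPLE))
```

Keeping the Level 1 triggers as an explicit set, separate from the footprint heuristics, is what makes the false-alarm problem manageable: only incidents that match a written criterion reach executives immediately, and everything else lands in the periodic summary.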

To ensure reasonably smooth communication in a crisis, security groups need to open a channel of communication with management. Having an established foundation for dialogue is crucial to the security officer's effectiveness even in the normal course of business, and more so in an emergency, security experts say. Security experts tout a close relationship with the top brass as critical for maintaining a healthy security budget and a corporate culture that values security. There is tremendous turnover among chief information security officers with some former security officers insisting they won't take that assignment again. But some security officers have established solid executive-level ties.

But there are several reasons why C-level executives may ignore the chief information security officer, including lack of trust in the individual and a perception that security managers are "inhibitors or disablers."

Regulatory compliance issues have pulled at least some senior executives into the information-technology security camp. Sarbanes-Oxley, which demands documented risk-management processes, has forged a much closer relationship between the chief financial officer and the security team today than before. The close relationship tends to exist where chief financial officers have familiarized themselves with their security group's processes and systems and have invested considerably in technology to address information-technology security risks.

Security managers, for their part, have been working to build closer links not just to executive management, but to all levels of an organization. Good communications and partnerships within the business are the biggest boons to a successful security strategy. Having liaisons working with a company's technology and software development team helps in maintaining contacts in key business units and subsidiaries. For example, a security group's outreach could be as simple as bouncing ideas for new security policies or technologies off business-unit representatives. The group may also provide assistance in implementing a security system.

Collaboration between the application and security groups means that security controls are embedded in software from the beginning, as opposed to being retrofitted after development. The corporate legal department and public affairs shop are two other groups beyond the C-level that might be notified about incidents.

The corporate groups, in turn, will likely have advice for the security team. The University of Georgia maintains a security advisory council with representatives from the human-resources, legal, internal audit, and public affairs departments. The university's Chief Information Officer also serves on the council, which offers guidance on security policies and standards, and acts in an advisory capacity during an incident.

Tone is important in building cooperation between security and other business units. Information technology security professionals must be good at getting people's attention in a positive way. Further, they must develop positive ways to share information on security issues and explain to the application development team or the information-technology infrastructure team, for example, how those issues may affect them.

Security has this negative connotation that surrounds it and corporate security groups at some companies have a "Big Brother" image. Some groups build consensus rather than dictate security directives because they want the business to see the security team not as a roadblock, but as a security-minded business partner.

The university environment, in particular, demands communication and consensus-building, because higher education is very slow to change. It's extremely difficult to turn that ship around if they don't want to be turned around. Some security professionals find it easier and more productive to foster and build relationships with students, faculty, and staff before trying to do so with department heads.

Step No. 5: Learning From Your Company Security Experience

The follow-up to a security incident typically involves a round of vulnerability assessment. Security groups check to make sure that the remediation efforts truly eradicated the problem and patched the afflicted systems. Different types of attacks call for different recovery procedures. An unauthorized access incident could involve the attacker gaining root access to a system. If that's the case, the recommended course of action is to change all of the passwords on the system, according to the National Institute of Standards and Technology's Computer Security Incident Handling Guide.

But organizations don't always follow all the steps toward comprehensively recovering and securing a system. Changing all users' passwords in a big organization is a very tedious job and a time-consuming and very intensive manual process. An intruder who gains root access may have obtained administrator-level access to the system.
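The NIST recommendation above, changing every password on a system after a root compromise, is tedious mainly because someone has to decide, account by account, what to do. As an added example that is not from the article or from NIST, here is a small planner that reads an /etc/passwd-style listing and assigns each account an action; the sample listing, the UID boundary for human accounts and the list of no-login shells are assumptions for illustration, and `chage` and `passwd -S` are the standard Linux shadow-utils commands.

```python
# Constructed example: a planner that reads an /etc/passwd-style listing and decides,
# per account, what credential action a post-root-compromise recovery should take.
# The sample listing, UID boundary and shell list are assumptions for illustration.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skips blank, comment and malformed lines."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users.append({"name": name, "uid": int(uid), "shell": shell})
    return users

def rotation_plan(passwd_text, min_human_uid=1000):
    """Map each account to an action:
       force_change   - root and every interactive human account: expire the password now
       review         - system account with a usable shell: unusual, inspect before touching
       verify_locked  - no-login system account: confirm it has no usable password"""
    plan = {}
    for u in parse_passwd(passwd_text):
        interactive = u["shell"] not in NOLOGIN_SHELLS
        if u["uid"] == 0 or (u["uid"] >= min_human_uid and interactive):
            plan[u["name"]] = "force_change"
        elif interactive:
            plan[u["name"]] = "review"
        else:
            plan[u["name"]] = "verify_locked"
    return plan

def commands(plan):
    """Render the plan as the shell commands an administrator would run."""
    out = []
    for user, action in sorted(plan.items()):
        if action == "force_change":
            out.append(f"chage -d 0 {user}")   # password expires now; must be changed at next login
        elif action == "verify_locked":
            out.append(f"passwd -S {user}")    # print status; expect a locked or unusable password
    return out

# Constructed sample listing (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for cmd in commands(rotation_plan(SAMPLE_PASSWD)):
        print(cmd)
```

Passwords are only one credential class on a compromised host: SSH authorized keys, stored API tokens and service-account secrets need the same review, and since an intruder with root can alter any file, the fresh-image approach the article describes is often the more trustworthy path, with the password rotation applied to the directory or authentication service rather than the rebuilt host alone.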

Security teams usually conduct a post-incident scan with vulnerability assessment tools to ensure that necessary actions, such as applying required patches, have been taken. But security managers say they are continuously scanning anyway to uncover vulnerabilities or violations of security policy.

Vulnerability scans are used to scan desktops, servers, and networking gear for compliance to corporations' security policies. Then the resulting information is used to improve security measures. Some corporations check for gaps in several key areas including system security configuration settings, security patches, antivirus status, personal firewall status, and industry-known vulnerabilities.

Others have customized their security measures to help assess compliance to their acceptable-use policy. The result is an executive-level snapshot in time of whether end users are following policy. They may also bring in an outside analyst every few years to perform a vulnerability assessment.

The University of Georgia runs vulnerability scans and has vulnerability management applications installed on sensitive and critical servers. The vulnerability management applications check configurations or settings on servers and generate a report card, which covers areas such as operating system level and patch, open vulnerable ports and user accounts.

Some corporations do vulnerability assessment and scans on a regular basis. Scans at UPS are performed by a managed security services provider and may be scheduled on an on-demand basis as a follow-up to an event.
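The compliance checks described in the preceding paragraphs (patch level, open ports, antivirus and firewall status, user accounts) and the per-server "report card" they produce, as an added example that is not from the article or from any scanner the University of Georgia or UPS uses: the baseline values, the host inventory records and the PASS/WARN/FAIL grading rule are constructed assumptions for illustration.

```python
# Constructed example: evaluate host inventory records against a security baseline and
# produce a per-host "report card". The baseline values, host records and grading rule
# are assumptions for illustration, not any organization's real policy.
BASELINE = {
    "min_patch_level": 12,            # assumed: required patch bundle number
    "allowed_ports": {22, 443},       # assumed: ports permitted to listen
    "require_antivirus": True,
    "require_firewall": True,
    "max_idle_days": 90,              # accounts unused longer than this are flagged
}

def report_card(host, baseline=BASELINE):
    """Return {'host', 'grade', 'findings'} for one host record."""
    findings = []
    if host["patch_level"] < baseline["min_patch_level"]:
        findings.append(f"patch level {host['patch_level']} below required {baseline['min_patch_level']}")
    unexpected = set(host["open_ports"]) - baseline["allowed_ports"]
    if unexpected:
        findings.append("unexpected listening ports: " + ", ".join(str(p) for p in sorted(unexpected)))
    if baseline["require_antivirus"] and not host["antivirus_running"]:
        findings.append("antivirus not running")
    if baseline["require_firewall"] and not host["firewall_enabled"]:
        findings.append("host firewall disabled")
    # Any UID 0 account besides root is a classic sign of a tampered or misconfigured host.
    extra_root = [a["name"] for a in host["accounts"] if a["uid"] == 0 and a["name"] != "root"]
    if extra_root:
        findings.append("additional UID 0 accounts: " + ", ".join(extra_root))
    idle = [a["name"] for a in host["accounts"] if a["idle_days"] > baseline["max_idle_days"]]
    if idle:
        findings.append("idle accounts: " + ", ".join(idle))
    grade = "PASS" if not findings else ("WARN" if len(findings) == 1 else "FAIL")
    return {"host": host["name"], "grade": grade, "findings": findings}

def fleet_summary(hosts, baseline=BASELINE):
    """The executive-level snapshot: how many hosts fall into each grade, plus the cards."""
    cards = [report_card(h, baseline) for h in hosts]
    grades = {g: sum(1 for c in cards if c["grade"] == g) for g in ("PASS", "WARN", "FAIL")}
    return {"grades": grades, "cards": cards}

# Constructed host records (names, patch levels and accounts are made up).
HOSTS = [
    {"name": "app01", "patch_level": 14, "open_ports": [22, 443], "antivirus_running": True,
     "firewall_enabled": True, "accounts": [{"name": "root", "uid": 0, "idle_days": 3},
                                            {"name": "deploy", "uid": 1001, "idle_days": 1}]},
    {"name": "web02", "patch_level": 9, "open_ports": [22, 80, 443, 3306], "antivirus_running": False,
     "firewall_enabled": True, "accounts": [{"name": "root", "uid": 0, "idle_days": 2},
                                            {"name": "svc_admin", "uid": 0, "idle_days": 200}]},
    {"name": "lab03", "patch_level": 12, "open_ports": [22], "antivirus_running": True,
     "firewall_enabled": False, "accounts": [{"name": "root", "uid": 0, "idle_days": 10}]},
]

if __name__ == "__main__":
    result = fleet_summary(HOSTS)
    print(result["grades"])
    for card in result["cards"]:
        print(card["host"], card["grade"], card["findings"])
```

Running the same check before and after remediation is the point of the post-incident scan the article describes: a host that was FAIL because of a missing patch should come back PASS, and a finding that persists (an unexpected listener, a second UID 0 account) tells the team the cleanup was not complete.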

A vulnerability assessment is largely a technical exercise. Enterprises also convene post-incident meetings with representatives from different areas of an organization, which focus on process as much as technology.

One university security group holds an "aftermath party" with the university's security advisory council, including the chief information officer and representatives from the legal, public affairs and HR departments, among others.

The meeting dissects the security team's response to the incident, assessing the effectiveness of processes and procedures. The follow-up meeting also serves as a springboard to spread the word about a given incident, with an eye toward avoiding it in the future.

Security experts point to education as the most important safeguard against future incidents. Some companies ensure their employees undergo security awareness training when they first join the company and annually thereafter. Managers are held accountable to make sure all who report to them have gone through the training.

Sometimes security training crops up in other guises. Security messaging and data protection messaging may be integrated into all leadership training, and a company may schedule a security awareness week each year.

Training aims to prevent incidents, but an educated user can also contribute to early detection. Because trained users know what not to do and whom to call when they see something out of the ordinary, many serious incidents are prevented.

Education initiatives must be flexible, enabling security groups to take lessons learned from security incidents and fold them back into the training regimen. They also must study changes in attack types and methods and update the curriculum.

Some banks conduct quarterly threat assessments to close existing vulnerabilities and anticipate new exploits. They may review their security posture annually with a third party. Their new understanding of the threat environment is incorporated into training programs for technical people and awareness programs for the rest.

Keeping information-technology departments up to speed on security is another dimension of the security group's education initiative. Application developers, for example, need to incorporate the organization's latest security principles as they generate code.

Ongoing training efforts help keep security on the front burner, say security executives, who warn that the absence of major incidents tends to lead to complacency. Companies that are not successfully attacked get lax and you have to reinvigorate them. Understanding the hazards and risks and threats of doing business in a networked environment will help employees and companies become much more secure.

Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, your family, and your business are all at risk.

These cybercriminals leave you with three choices:

1. Do nothing and hope their attacks, risks, and threats don’t occur on your computer.

2. Do research and get training to protect yourself, your family, and your business.

3. Get professional help to lockdown your system from all their attacks, risks, and threats.

Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!

© MMVIII, Etienne A. Gibbs, MSW
Your Internet Safety Advocate and Educator