Computer PC Security

Introduction to Computer PC Security - in an increasingly computerised, networked, interdependent, global and virtual world, achieving 100% protection of critical business information is becoming increasingly difficult. Most small firms are now reliant on exploiting low-cost, personal computer technology for a host of business functions. These functions include ecommerce, accounting processes, payroll management, managing employee records, debt collection and sales order management. This article summarises the basic security requirements of most small businesses, the types of people and groups intent on security attacks, the methods of security threats currently employed and the current PC security product technologies firms can implement to mitigate the risks.

Who are the Bad Guys? - PC security attackers are always one step ahead of the PC security industry, which, in response to a new form of threat, has to play catch up to develop new market solutions. Amazingly, some small businesses fail to implement the most basic PC computer security products such as a firewall or antivirus software. Illegal digital security threats come from a range of different bad guys, each of whom has slightly different motivations for their actions:-

  • Hackers - hackers are traditionally known as people who push the boundaries of security in the interests of their curiosity, as well as malicious intent to achieve personal gain. Some hackers take pride in their ability to defeat systems and consider security as a challenge to their skills. Some ethical hackers use their skills to expose weaknesses in systems and post the results online to ensure businesses are embarrassed into taking remedial action.

  • Lone Criminals - lone criminals or organised criminal gangs are more serious people who are using computer technology for financial gain. Most are attempting to steal credit card information and other personal data from both companies and individuals. Well resourced and prepared to take more risks of detection, these gangs represent the largest threat to businesses. Organised crime syndicates are well funded and can purchase the skills required to launder money and buy expertise.

  • Company Insiders - represent a very serious threat to business as most physical and logical security processes are already breached. A company insider is a trusted employee or contractor who already has authenticated access controls to sensitive business data. Their motivations may be either financial greed or alternatively destructive anarchy, perhaps due to a feeling of resentment or anger at the way they have been treated by their employer in the past.

  • Industrial Espionage - sometimes industrial espionage occurs between arch rival competitors, each intent on winning market share from the other at any cost.

Computer Security Requirements for Most Businesses - most businesses have common security needs which dictate their level of spending on computer PC security. The main areas are as follows:-

  • Privacy - firms must keep the personal information of their customers, employees and suppliers private. Many national laws exist to protect individuals' right to privacy. Most businesses are aware of these laws but are sometimes unsure exactly how to implement them in practice. Despite this, firms' company policies should normally focus on the right to privacy. To achieve this, access to computer systems must be limited to qualified key staff, and the data must be securely stored and backed up.

  • Auditing - most firms require secure application systems which authenticate double entry bookkeeping principles. Following a security breach, the ability to forensically identify the financial impact on a business is imperative.

  • Commercial Anonymity - firms aim to keep all financial transactions and business transactions anonymous and private from snooping eyes. Not all aspects of business transactions are available for public scrutiny. Any sensitive communications between businesses or individuals need to be held over a secure communications protocol.

  • Business Authentication - business requires systems that securely authenticate its stakeholders. There are many areas of business in which authentication needs to occur before an activity can take place. For instance, allowing employees to access work laptops, taking an order online, ordering trade supplies via an intranet, speaking to customers or suppliers on the telephone regarding sensitive personal data, or credit checking a prospective trade customer. Secure means of identifying people have to exist to ensure trustworthiness and avoid fraud and human error.

  • System and Data Integrity - firms require systems to publicly demonstrate that their business data is secure and always accurate. This in turn inspires business confidence in the minds of customers, suppliers and investors. For instance, investors need to be sure their money is accurately accounted for. Likewise customers require reassurance their direct debit details are set up correctly, and suppliers need confidence in a firm's ability to pay an outstanding invoice.

Computer PC Security Threats to Businesses - the list of PC security threats is almost endless and constantly changing. At present the main types of security threats are as follows:-

  • Identity Theft - identity theft is the fastest growing crime in the UK. It affects employees, small business owners, major companies and business networks. It is the criminal act of stealing personal information with the intent to use it to create similar cloned identities without the victims' knowledge, for financial gain. For owners of small businesses, this can be damaging both to them personally and to their business enterprise. Credit cards, debit cards and loans may be taken out in the names of directors or employees of the company. In addition, the problem of keeping sensitive customer information secure is becoming an increasingly difficult challenge for business owners. If customer data is stolen or customers perceive that a company's IT systems are insecure, the company may lose valuable custom as prospective customers fear their personal data is vulnerable to attack. Thieves steal sensitive personal information using a variety of methods including trawling public records for names and addresses, raiding bins, mail forwarding, hacking, phishing emails and credit card skimming.

  • Distributed Denial of Service Attack (DDOS) - a denial of service attack occurs when hundreds or thousands of remote computers become infected with Trojan horses, which can allow the attacker to control those machines to create an attack on one target website. The network of machines forms what's known as a 'botnet' and collectively visits the target website over and over again. The owners of the infected computers may not even know they are part of this type of PC security breach. The target website becomes overwhelmed, too slow to use and eventually fails completely. A denial of service attack is a particularly acute problem for online-only businesses that rely on high traffic volumes and revenues, and on keeping their website online all the time. Cyber criminals use the threat of an imminent DDOS attack to extort money from websites, some of which choose to pay up rather than suffer a bigger loss of online income from a downed site.

  • Brute Force Attacks - unfortunately any system is only as secure as its weakest password. Users will tend to choose easy to remember passwords, including their relations' names and dates of birth. Most PC computer access is controlled via passwords or pass phrases. Attackers rely on user laziness in setting the passwords by using automated dictionary software tools to try every iteration of words and numbers using a brute force method. Thousands of password possibilities are attempted in minutes. If the attacker knows the name of the user or any other personal details about them, the likelihood is that the attacker can use a brute force attack to narrow down the possibilities, based on the limited partial information they already possess. Many social networking sites have found users provide far too many personal details about themselves which hackers can use to piece together a jigsaw of their personal identity including potentially their passwords. People are all too willing to share their passwords, particularly when they need technical help from others within their organisation.

  • Privacy Invasion - some of the endless torrent of spam e-mail also contains more sinister content, including 'phishing' emails from so called banks or other well known financial institutions. These look-a-like bank e-mails are intended to trick innocent users into visiting cloned versions of their retail bank's website in order to capture their usernames and passwords.

  • Network Security - most PC computer users have experienced some kind of computer virus, Trojan or spyware in their lifetime. Viruses are typically downloaded by the user who unknowingly clicks on an e-mail containing the virus. Alternatively they visit an untrusted site that downloads a malicious script to the user's computer, which kick-starts executable code. Viruses and worms can destroy hard disks and entire networks, and can become self replicating, using the power of e-mail to spread themselves. There are now tens of thousands of computer viruses in existence. Most are designed to attach themselves to individual application program files within the computer. When the user runs the application, the virus installs itself within the memory. Other types of computer viruses reside within the area of the computer and are initiated when the computer is booted up. The last category is macro viruses which use scripting languages to infect users' data files. As the explosion of information exchange across the Internet continues, so does the spread of these types of data orientated viruses.

PC Security Technologies and Product Solutions - as the proportion of business users connected to global electronic networks increases, so has the frequency and severity of reported security breaches across those networks. Despite huge advances in encryption based technologies, most security breaches occur because of human behaviour, and not due to failure to upgrade to the latest PC security solution. In addition, one of the biggest problems is that the nature of security threats is constantly changing. To reduce the business risks, owners of small businesses have to keep up with management best practice when implementing new IT systems. Firms will typically need to employ a combination of sensible computer practices and products with regard to security, rather than relying on a one product solution. These may include:-

  • Web Browser Privacy - in an effort to speed up a web user's future online experience, most modern browsers such as Internet Explorer, Firefox and Opera have the ability to store cached versions of files from websites visited by the user. Unfortunately, this also means that malicious scripts can be stored on the user's computer allowing attackers the ability to remotely control the PC, set malicious scripts to log keystrokes, or control the computer as part of a botnet attack. A simple but effective housekeeping procedure for non-IT literate computer users is to clear all Internet traces from their computer before they log off and shut down their Windows operating system. This can be achieved by purchasing commercial Internet Privacy software. In addition, temporary files can be deleted by navigating within the browser and manually selecting stored files e.g. 'Tools', 'Internet Options' and then 'Delete Browsing History'. Most browsers can also be set to accept 'trusted sites' as well as different 'Security Levels' to prevent cookies and scripts running within the browser during users' online activities.

  • Firewalls - commercial firewall software such as Norton or McAfee is the first line of defence to prevent infections by malware, spyware and Trojan horses. Firewalls monitor inbound and outbound Web traffic on a personal computer, searching for and blocking behaviour consistent with known electronic infections. This 'packet filter' monitoring may be based on a set of user defined rules for individual applications and for the computer generally. Some Windows operating systems already have firewalls built into their design. However, attackers find new ways to penetrate firewall technology and hence patches and updates are rapidly produced in response to new forms of attack. A firewall becomes less effective over time if the user fails to install the product updates produced by the software supplier.

  • Anti-Virus and Anti-Spyware Software - anti-virus and anti-spyware software searches through a personal computer's files for known malicious software.

  • Passwords and Authentication - good business practice is to use longer pass phrases to prevent brute force password software attacks. Also never re-use the same pass phrase, and store multiple pass phrases in an encrypted file at a secure location. It is possible to use biometric passwords to reduce the risk of dictionary brute force attacks. In addition, for any public facing online login areas, use Captcha principles to reduce brute force password attacks from software bots. Captcha stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. It involves placing a slightly distorted image of some text and/or numbers which the human user must copy, as part of the authentication login process.

  • Digital Signatures and Certificates - with so much money moved electronically, it is imperative that buyers and sellers trust electronic communications gateways. To enhance this trust and confidence unique digital signatures can identify the signer of electronic data, during the process of secure encrypted transactions. Digital signatures ensure that the data itself has not been amended during the submission process. This technology is particularly useful in the area of e-commerce, where the shopper is located remotely and the money is sometimes transferred across bureaux payment services. Similarly, a digital certificate can be used to verify the identity of the holder or sender of data.

  • Disk Encryption Software - there are many commercial disk encryption software packages (such as GNU Privacy Guard), to protect the hard disks of personal computers as well as stand-alone storage devices such as Flash drives, USB sticks and backup devices. Encryption is the transformation of plaintext data into a form (commonly known as cipher text in cryptography) in which it cannot be made sense of without the use of some key. With enough computing power to decrypt an encrypted disk, it is theoretically possible to break any form of encryption. However, in practice, encryption only needs to be strong enough to protect the data for the amount of time that the data might be useful to a thief with malicious intent.
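
The pass phrase advice under 'Passwords and Authentication', and the earlier point under 'Brute Force Attacks' that names and dates of birth narrow an attacker's search, can be enforced when a password is set. The following is an added example, not part of the original article; the word list, the user details, the 16 character minimum and all function names are assumptions made for illustration.

```python
import math
import re

# Constructed sample data: a tiny stand-in for a real common-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "football"}
# Undo common character substitutions so "P@ssw0rd" is treated as "password".
LEET = str.maketrans("01345$@7", "oieassat")
# Character classes and their sizes, used for the search-space estimate.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]

def personal_tokens(details):
    """Split names and dates the user has made public into lowercase tokens."""
    tokens = set()
    for value in details:
        for part in re.split(r"[^A-Za-z0-9]+", value.lower()):
            if len(part) >= 3:          # ignore fragments such as "03" or "12"
                tokens.add(part)
    return tokens

def search_space_bits(candidate):
    """Upper bound on brute force work in bits: length * log2(charset size).
    Only meaningful if the characters were chosen at random."""
    charset = sum(size for pattern, size in CLASSES if re.search(pattern, candidate))
    return len(candidate) * math.log2(charset) if charset else 0.0

def check_passphrase(candidate, details, min_length=16):
    """Return the reasons to reject a pass phrase; an empty list means accept."""
    problems = []
    lowered = candidate.lower()
    normalised = lowered.translate(LEET)
    if len(candidate) < min_length:     # assumed minimum, not from the article
        problems.append("too short")
    for token in sorted(personal_tokens(details)):
        if token in lowered or token in normalised:
            problems.append(f"contains personal detail '{token}'")
    if re.sub(r"[^a-z]", "", normalised) in COMMON_WORDS:
        problems.append("dictionary word with decoration")
    return problems

if __name__ == "__main__":
    # Constructed user profile: name, date of birth and a relation's name.
    profile = ["Emma Clarke", "1984-03-12", "Rover"]
    for attempt in ["Emm@1984", "P@ssw0rd!", "copper kettle sings at dawn"]:
        bits = search_space_bits(attempt)
        print(f"{attempt!r}: {bits:.0f} bits, {check_passphrase(attempt, profile) or 'accepted'}")
```

The bit count is an upper bound: a password built from a name and a birth year falls far sooner than its length suggests, which is why the personal detail check runs separately from the length check.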