Welcome
What is Malware?
June 26th, 2009
This is a complex subject, but Malware is software you didn’t want, that you didn’t choose to install, and that won’t be easy to remove.
Why does Malware exist? Because there is money to be made. Identity theft, corporate espionage, Spam campaigns, denial of service attacks and many other methods of extortion are all now possible due to Malware. And Malware is becoming more sophisticated, with better techniques of hiding itself from detection.
Most software now routinely ‘calls back’ to its manufacturer to check for things like updates and upgrades. Whilst this is good for keeping legitimate software up to date, Malware also uses very similar methods for keeping itself installed and operational on your computer.
How does Malware get installed on your computer? By exploiting security weaknesses in the legitimate software on your PC, or by exploiting the greatest security weakness of all - you. Even people who are aware of the problems of Malware can be caught off-guard and tricked into clicking on something they shouldn’t have. And that is sometimes all it takes. I recently had to remove Malware from a computer that was completely up-to-date, with the latest Anti-Virus and Anti-Spyware products installed and operational.
In a business environment it is important to maintain a high level of security with the ability to restrict the installation of software. With a great many vulnerabilities coming from the internet, a good content filtering appliance is vital, along with a properly configured firewall.
But by far the best investment you can make is to develop awareness and a security mentality amongst your staff. Some refer to this as the human firewall.
We Are All Typists Now: So Why No Formal Training?
May 15th, 2009
Are your most productive staff your best typists? In my travels I see a huge variety of keyboard abilities and it is apparent to me that the best typists are often the most productive staff.
Given that so much time at work is spent in front of a keyboard wouldn’t it make sense to measure the benefits of typing training for your business?
Try out your typing speed here
On-Line Privacy - Is There Any Such Thing?
May 15th, 2009
Here is a link to a short but excellent article that discusses whether we have any right to expect privacy on-line. This is recommended reading for anyone concerned about their on-line rights.
Wireless Security: Less Secure Than You Thought
November 10th, 2008
Wireless Networking was designed without a great deal of thought on how it could be secured. The first available security method was known as WEP, or Wired Equivalent Privacy. Unfortunately, due to errors in its design and implementation, it soon fell to attacks from determined hackers. As a result it is now considered worthless for any serious security use.
Soon after WEP was hacked, a better security system came along. WPA, or WiFi Protected Access, was a great improvement over the original and it quickly became the choice of anyone who was serious about the security of their Wireless Network.
Unfortunately there is now news that WPA has been partially cracked. This will inevitably now lead to further work by hackers to break this system, and ultimately it may become as worthless as WEP. At this point in time no-one knows how long this will take, but you should consider this issue when choosing a Wireless Network in future.
One final point to consider: if you do not know what type of security your company is using on your wireless network, you may be in breach of the Data Protection Act. The seventh principle states:
“The seventh principle (measures against misuse and loss of data)
17. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to —
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”
The key term here is “ensure a level of security appropriate”. If you must use a Wireless Network, then you should use WPA2 because this is the best currently available. Using anything less means that you are not protecting the data on your network. Given the latest news about WPA, you should also keep an eye out for its replacement!
Free SEO Masterclass
October 29th, 2008
The Isle of Man branch of the British Computer Society is running a Search Engine Optimisation Masterclass on 29/10/08 at Ballakermeen High School from 18:00 hrs onwards. Admission is free to all. For anyone interested in learning how to make their website more visible to the search engines it will be worth a visit.
Email Bloopers
October 20th, 2008
Have you ever sent an email and then immediately realised that you had made a mistake? Do you wish that you could get the email back before anyone reads it? I was recently asked if it was possible to recall an email that had been sent in error, and whilst it is feasible to send out a recall notice from Outlook, this is not a reliable method across all email platforms. So are there any options for those of us prone to the odd email gaffe?
One method we found was to set a small delay on all outgoing emails. This will give you time to recover from the occasional ‘oops’ email before it leaves the building.
Has anyone else got their own solutions to this perennial problem?
UPDATE: Here’s a big list of example email bloopers
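The outgoing delay described above can be implemented as a holding queue that sits between the mail client and the real transport: every message is parked for a grace period, the original sender may pull it back during that window, and anything still held when the window closes is released for delivery. The following is an added illustration written for this page, not the blog’s own tooling; the two-minute grace period, the message fields and the example addresses are all assumptions, and the clock is passed in explicitly so the behaviour can be checked without waiting.

```python
"""Outbound 'oops' delay queue: hold, allow recall, then release.

Added example for this article (not KDR Ebusiness's own code).
The grace period, message fields and addresses below are assumptions.
"""
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

GRACE_PERIOD = timedelta(minutes=2)  # assumed delay; tune to your users' reflexes


@dataclass
class QueuedMessage:
    msg_id: int
    sender: str
    recipients: List[str]
    subject: str
    body: str
    release_at: datetime  # earliest moment the transport may take it


class DelayedOutbox:
    """Holds submitted mail until its grace period has passed."""

    def __init__(self, grace: timedelta = GRACE_PERIOD):
        self.grace = grace
        self._held: Dict[int, QueuedMessage] = {}
        self._ids = itertools.count(1)

    def submit(self, sender: str, recipients: List[str], subject: str,
               body: str, now: datetime) -> int:
        """Park a message; returns the id the sender needs for a recall."""
        msg = QueuedMessage(next(self._ids), sender, list(recipients),
                            subject, body, now + self.grace)
        self._held[msg.msg_id] = msg
        return msg.msg_id

    def recall(self, msg_id: int, sender: str, now: datetime) -> bool:
        """Withdraw a held message. Only its own sender may do so, and only
        while it is still inside the grace window; once the release time has
        passed the message is treated as in flight and cannot be recalled."""
        msg = self._held.get(msg_id)
        if msg is None or msg.sender != sender:
            return False
        if now >= msg.release_at:
            return False
        del self._held[msg_id]
        return True

    def release_due(self, now: datetime) -> List[QueuedMessage]:
        """Return (and drop from the hold) every message whose window has
        closed; a real deployment would hand these to the SMTP transport."""
        due = [m for m in self._held.values() if m.release_at <= now]
        for m in due:
            del self._held[m.msg_id]
        return sorted(due, key=lambda m: m.msg_id)

    def pending(self) -> int:
        return len(self._held)


if __name__ == "__main__":
    # Constructed walk-through: one message kept, one recalled in time.
    box = DelayedOutbox()
    t0 = datetime(2008, 10, 20, 9, 0, 0)
    kept = box.submit("alice@example.com", ["bob@example.com"],
                      "Q3 figures", "Attached.", t0)
    oops = box.submit("alice@example.com", ["all@example.com"],
                      "Re: lunch", "Sent to the wrong list!", t0 + timedelta(seconds=30))
    print("recalled:", box.recall(oops, "alice@example.com", t0 + timedelta(seconds=90)))
    for m in box.release_due(t0 + timedelta(minutes=2)):
        print("releasing", m.msg_id, m.subject, "->", m.recipients)
    print("still held:", box.pending())
```

The sender check in `recall` is deliberate: a shared queue should not let one user withdraw another user’s mail. Note also that the delay only helps before the message leaves the building, which is exactly the limitation the post describes; once released it is as unrecallable as ever.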
Business Continuity and BS25999
October 1st, 2008
Planning for disasters that may never happen is seldom at the forefront of business owners’ minds. You will have seen many vendors quoting statistics about business failures following disaster scenarios. However, these almost always leave out the most important statistic, and that is “What percentage of businesses ever suffer a disaster?” Without knowing that you cannot calculate the level of risk you take if you choose not to plan for disaster recovery. The key to dealing with this is to adopt a rational and objective approach to your business continuity planning. Thankfully there now exists a British Standard for Business Continuity Planning known as BS25999.
The latest development in business contingency planning is the recent publication of British Standard 25999. The British Standards Institute is pushing hard to promote this standard and it is worth taking a look at it.
Part one of the standard is a concentration of business continuity best practice. Using the “BS25999 Part 1: Code of Practice” as a guideline makes it easier for businesses to plan, manage and maintain their business continuity so that disruptions or disasters have a reduced impact on customers, staff, business partners, and shareholders.
Why should your company be interested? There are a number of reasons:
- Having a business contingency plan that is regularly tested and exercised means that you know that you can recover from business disruptions.
- Your customers, partners and suppliers can have greater confidence in your company, which may help to protect your business’s competitive position.
- You are protecting the reputation of your company or brand.
- You are reducing the financial, physical and operational risks to your company.
“BS25999 Part 2: Specification” deals with the Management Systems in place that ensure that your business continuity plans remain up to date and current. This part of the standard can also be audited against, and your company can seek BS25999 certification against this standard. Based on what we know from the uptake of earlier standards (such as ISO 9001), early adopters certified to BS25999 will gain early competitive advantage and can demonstrate to their stakeholders that they can survive business disruptions. You will no longer have to say to your customers ‘trust us’.
Rob Mercer is a recognised Lead Auditor for British Standard 25999. In addition he has many years experience of practical application of disaster recovery planning and testing. If you would like to learn more about how your company can benefit from adopting or certifying against this standard then please get in touch.
Slow PC? Your Browser Might Have a Hijacker
April 28th, 2008
If your PC has become very slow you may have unwittingly allowed a Browser Hijack to take control of your internet connection. Browser Hijacking is a common type of on-line attack in which hackers attempt to take control of your internet browser to change how and what it displays when you’re using the internet.
The following are indicators of a Browser Hijack:
- The home page changes on your PC.
- Links are added to websites that you would usually avoid.
- You cannot navigate to some websites, particularly Microsoft Update or security software sites.
- Ad popups appear on your screen with annoying regularity.
- Links or popups to gaming, pornography or other unsavoury sites appear.
Preventing Hijacks
Hijacks are relatively easy to defend against, and providing you take reasonable precautions your PC should remain free from problems. We would advise the following approach.
- Keep your PC up to date with the latest operating system patches.
- Use a good anti-virus product, such as AVG.
- Load Anti-Spyware software, like Lavasoft’s Ad-Aware or Microsoft’s freely available Defender.
- Don’t download or allow unknown ActiveX components to be loaded onto your PC.
- Look out for Social Engineering tactics.
- Don’t download or install any software that is not approved.
Any website that asks you to install a program should be treated with appropriate levels of suspicion. If in doubt, use Google to pull up some background about the website or product. Also be aware that many popular programs such as screensavers, smileys, registry checkers and PC tuneup applications have been used as methods for Browser Hijacks.
If you suspect your PC is infected you should seek professional advice. Unless you are very familiar with the workings of your PC’s operating system and with the methods used by Spyware and Malware programmers, it is unlikely that you will be able to solve the problem yourself.
Disaster Recovery Planning and Testing: 7 Steps to a better DR Plan
March 10th, 2008
Our experience as IT Consultants has shown that Disaster Recovery (DR) plans are often inadequate to effect full recovery of critical business systems. The frequency of testing is also low, and these two factors combine to create an unnecessarily high risk for business. This fact, coupled with the increased requirements for reporting on DR in the forthcoming Isle of Man Financial Services Act 2008, has placed disaster recovery back on the agenda for many Isle of Man company directors and business leaders. A recent Institute of Directors survey of SMEs also places DR and Security high on the priority list for action.
In the event of a disaster situation, you need to be certain that you can recover your critical business data and continue to run your business. So in order to help companies improve their Business Continuity planning, I would like to share with you a simple seven step framework for designing, implementing and maintaining your own Disaster Recovery plan.
1. DR Policy
The policy details why you have a plan, who is responsible for it and how it is to be resourced. Legal and Statutory obligations usually feature at key points within your policy statement. It is also important to remember that your policy should encompass people, process and technology.
2. Risk Analysis
Identify failure risks and categorise these by impact - where possible these should be expressed in financial terms. Look out for cascade effects and dependencies between systems - where the failure of one single step has a knock on effect on many others. Performing Risk Analysis (also known as Business Impact Analysis or BIA), allows you to concentrate your resources where they can create the greatest impact.
3. Controls and Preventative Measures
Many simple and cost effective methods can be employed to reduce the risk of failure. Look for single points of failure and balance the cost of implementation against the risk of failure.
4. Recovery Strategy
This is your high level document that should specify Disaster Scenarios and how you will respond to them. Typical scenarios might include: Pandemic Flu, Building Lockout, Server Failure, Power failure. The strategy document sets the targets for the DR team to meet. You must skip the detail at this stage and concentrate on objectives. In Disaster recovery parlance, the most useful here are Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). You should also consider here how you will communicate with your staff, customers, press and other stakeholders and how you will decide to invoke your DR plan. You should also consider creating a core DR team made up from representatives of each area of the business.
5. Detailed Recovery Planning
For each of the scenarios specified in the Recovery Strategy, a detailed recovery plan is drawn up. The outputs from this step are comprehensive plans for how you will achieve the strategic objectives. All areas of the business need to contribute and show that they have plans in place and that your staff are aware of how these will work in practice. Typical things to consider are data backup, telephone and telecommunications arrangements, office space, insurance. You will need to be able to demonstrate compliance with the legal and statutory requirements of your particular industry sector. All of these arrangements must be documented and lastly and most importantly, be made available off-site. You do not want your recovery plans to be locked in a building you no longer have access to!
6. Test the Plan
Once you have created your DR plan, you must test it. In some industry sectors this is a requirement that must be met annually. If you can arrange for independent testing then do so, as it can be difficult for those closely associated with the creation of the plan to remain objective when testing it. If your business is large enough you can form two DR teams, one to create and one to test. Tests can be desk-based, partial recovery or full recovery.
7. Maintaining the Plan
Change happens! As a result, disaster recovery plans must change too. Because you keep a copy of your disaster recovery plan in multiple locations, you need to make sure each copy remains current. Too often we find that planning for DR is something we do after a new business project is implemented. Embedding DR planning into your project management process will mean that new projects will trigger the requirement to maintain the plan.
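Steps 2 and 4 above are where the numbers live: impact expressed in financial terms, cascade effects between dependent systems, and RPO/RTO targets that the detailed plans must then meet. The following is an added worked model for those two steps, written for this page rather than taken from KDR Ebusiness or the standard. It assumes a small constructed estate of five systems with made-up hourly loss figures, dependency links, objectives and last-test results; it ranks single failures by their knock-on cost and flags any system whose actual backup interval or measured recovery time misses its objective.

```python
"""Dependency-aware impact ranking and RPO/RTO gap check for DR risk analysis.

Added example for this article, not KDR Ebusiness's method or BS25999 text.
All system names, costs and targets below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class System:
    name: str
    hourly_loss: float                       # direct cost per hour of outage (assumed GBP)
    depends_on: List[str] = field(default_factory=list)
    rpo_hours: float = 24.0                  # objective: max acceptable data loss
    rto_hours: float = 24.0                  # objective: max acceptable time to restore
    backup_interval_hours: float = 24.0      # reality: how often backups actually run
    measured_recovery_hours: float = 24.0    # reality: recovery time seen in the last test


def dependents_of(systems: Dict[str, System], failed: str) -> Set[str]:
    """Everything that directly or indirectly depends on `failed`.
    The visited set keeps a dependency cycle from looping forever."""
    affected: Set[str] = set()
    frontier = [failed]
    while frontier:
        current = frontier.pop()
        for s in systems.values():
            if current in s.depends_on and s.name not in affected and s.name != failed:
                affected.add(s.name)
                frontier.append(s.name)
    return affected


def cascade_impact(systems: Dict[str, System], failed: str, outage_hours: float) -> float:
    """Cost of `failed` being down for outage_hours, counting every
    dependent system that is taken down with it (the cascade effect)."""
    names = {failed} | dependents_of(systems, failed)
    return sum(systems[n].hourly_loss for n in names) * outage_hours


def rank_risks(systems: Dict[str, System], outage_hours: float) -> List[Tuple[str, float]]:
    """Single-point failures ordered by total (cascaded) financial impact."""
    scored = [(n, cascade_impact(systems, n, outage_hours)) for n in systems]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def objective_gaps(systems: Dict[str, System]) -> List[Tuple[str, str, float, float]]:
    """Systems whose backup or tested recovery arrangements miss their objectives.
    Each entry is (system, 'RPO' or 'RTO', actual, objective)."""
    gaps = []
    for s in systems.values():
        if s.backup_interval_hours > s.rpo_hours:
            gaps.append((s.name, "RPO", s.backup_interval_hours, s.rpo_hours))
        if s.measured_recovery_hours > s.rto_hours:
            gaps.append((s.name, "RTO", s.measured_recovery_hours, s.rto_hours))
    return gaps


# Constructed sample estate (hypothetical figures, not from the article).
SAMPLE: Dict[str, System] = {s.name: s for s in [
    System("active-directory", 200, [], rpo_hours=24, rto_hours=4,
           backup_interval_hours=24, measured_recovery_hours=3),
    System("file-server", 500, ["active-directory"], rpo_hours=4, rto_hours=8,
           backup_interval_hours=24, measured_recovery_hours=6),
    System("email", 800, ["active-directory"], rpo_hours=1, rto_hours=4,
           backup_interval_hours=1, measured_recovery_hours=10),
    System("accounts", 1500, ["file-server", "active-directory"], rpo_hours=24, rto_hours=24,
           backup_interval_hours=24, measured_recovery_hours=12),
    System("website", 300, [], rpo_hours=24, rto_hours=24,
           backup_interval_hours=24, measured_recovery_hours=2),
]}


if __name__ == "__main__":
    print("Impact of an 8 hour outage, including knock-on effects:")
    for name, cost in rank_risks(SAMPLE, 8):
        print(f"  {name:18s} {cost:10.0f}")
    print("Objectives not met by current arrangements:")
    for name, kind, actual, target in objective_gaps(SAMPLE):
        print(f"  {name}: {kind} actual {actual}h vs objective {target}h")
```

Two things the model makes visible that a flat list of systems does not: the cheapest system to run (the directory service) is the most expensive to lose, because everything else hangs off it, and the email system has a one-hour backup schedule that satisfies its RPO while its last test blew through the RTO, so the gap is in recovery procedure rather than backup frequency. Both are exactly the points step 3 (single points of failure) and step 6 (testing) are meant to surface.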
If you require any assistance with your own disaster recovery planning and testing, KDR Ebusiness can help. Our experience can help you to meet your statutory requirements and reduce the business risks you face. If you already have an in-house team, we can provide an independent, external audit and test of your existing plan.
Security: How to improve your IT with an audit
September 16th, 2007
Because security should run through your IT like the lettering on a stick of Blackpool rock, a security audit may reveal plenty of areas for improvement in your IT infrastructure. There are several frameworks you can choose to perform your IT audit. One of the most popular is the ISO 27002 standard (previously known as ISO 17799). This is a code of practice that covers the following areas:
- Structure
- Risk Assessment and Treatment
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development, Maintenance
- Information Security Incident management
- Business Continuity
- Compliance
By assessing each of these areas in turn and by measuring your own arrangements against the code of practice, deficiencies in your IT infrastructure are revealed. Fixing those deficiencies will result in a more efficient, stable IT platform for your business.
If you would like to arrange an audit of your own IT infrastructure, please get in touch.