12

Security and Disaster Recovery

Dealing with IT security and disaster recovery is analogous to going to the dentist’s office. We do not typically want to deal with the whole experience, but we know it is a necessary part of good personal healthcare and hygiene. This chapter is not meant to be a technical discussion about information security and disaster recovery protection, but rather a description of a series of practical best practices you can implement to secure the privacy and integrity of the data your firm retains. We cover IT security and disaster recovery together because many of the pieces you need to implement overlap both initiatives because they protect against intentional and accidental data loss or destruction. It is important to understand the components required to implement a comprehensive data protection model, such as hardware devices, software applications, policies and procedures, and personnel training. The latter two are arguably the pieces that have the greatest impact on whether you achieve success or failure in this endeavor.

In order to develop an effective IT security model in your firm, you have to assess the risk of exposure to each of the vulnerabilities listed in figure 12-1. This is much easier said than done. The key is to implement best practice, mainstream protections that will push you above the negligence stage. This will put your firm in a position that will demonstrate to your clients and other interested parties that you are taking prudent steps to protect their confidential information. Perhaps more importantly, your firm will also be in compliance with the vast array of privacy regulations that cover your practice. In our efforts to make this initiative as painless as possible, we have outlined a multistep approach (illustrated in figure 12-2) to developing and implementing an effective security model for your firm.

Figure 12-1: IT Security Vulnerabilities

Data Security Strategies

Data Encryption

If you read the specifications for virtually any data privacy legislation or regulation, you will find a requirement that personal data be encrypted at all times. Regardless of the regulatory environment, it is simply a good business practice to follow. A simple definition of encryption is the process of converting standard plain text data files, that is, e-mail messages, PDF files, and Excel spreadsheets, into encoded files that cannot be deciphered without a decoding key, typically a password. Versions of an unencrypted and encrypted Excel file are shown in figure 12-3.

Figure 12-2: Data Security Strategies

Ideally, your sensitive data should be encrypted at all times, but especially when it is stored on stationary or portable devices and when it is in transmission. More specifically, your data should be encrypted at the following points:

• On network server drives

• On desktop/laptop drives

• On USB and other portable drives

• On tablets and smartphones

• In E-mail file attachments

Abundant solutions are available for encrypting all your storage devices with a single software solution. The new generation of Windows Server and Windows desktop operating systems offer an encryption feature called BitLocker that will work across all your storage devices. We strongly recommend that you seek the guidance of a professional with experience in this area to help you implement your encryption model. Refer to appendix C, “Resource Center,” for links to additional encryption solutions.

Figure 12-3: Unencrypted Excel File (top) and Encrypted Excel File (bottom)

Some very basic steps can be taken for encrypting e-mail. You can encrypt any MS Office 2007/2010/2013 file within those applications by applying a password. The same opportunity exists with Adobe Acrobat and PDF files. As long as the body of the e-mail message does not contain confidential data, this is a practical method for encryption. Just be sure that you do not communicate the password in an unprotected e-mail (see the section “Password Policy” that follows). If you want to use a more complete e-mail encryption model that protects both the message and the attached files, you can utilize a program such as PGP Desktop E-mail from Symantec (www.symantec.com/PGP).

Password Policy

Perhaps the best known and most talked about security policy is that of passwords. Most systems require a password as a form of authentication to access a system or application. The SANS Institute, a nationally recognized computer security training and certification organization, provides a best practice password policy. Their recommendations include the following:

• Change passwords on a quarterly basis

• Contain at least three of the following characters: lowercase letters, uppercase letters, numbers, punctuation, and special symbols

• Minimum of 15 characters

• No words found in the dictionary

• Never written down or shared with another individual

• Use different passwords for various systems, accounts, and applications

In order to create the strongest password, it should be completely random. In recent years, there have been discussions of using pass phrases instead of passwords. The advantages are that they can be longer and easier to remember. A pass phrase is something like: “This is the first day of the rest of your life.” It usually contains words separated by spaces, but it can also contain symbols or misspelled words, such as “Thi$ 1s the fir$t dae of the re$t of ur lief.” A pass phrase can be even better with totally random words with special characters such as “@pple B@ll Or@nge Bike Lime Run.” The idea is to create passwords that meet system requirements but are easy to remember. You can even create a systematic means to use the same pass phrase for all websites or applications by adding something related to each particular website or application to the end of your pass phrase (or password for that matter.) If you use pass phrases, you should pick something easy to remember but not a common phrase or saying. You may find you are limited by the password parameters of the source application.

All these guidelines sound great in theory but are very difficult in practice to implement. If you create a 15-character password that uses a unique and random combination of characters, how are you going to remember it without writing it down, especially if it is different for each application? That is where password memorization programs come to the rescue. One such application is RoboForm (www.roboform.com). RoboForm will store login information for all your websites and applications in a single encrypted file. All you need to do is remember one complex master password to open the encrypted password file. The key to using any of these programs is to make sure your master password that encrypts the data file is very strong. These programs facilitate creating highly complex passwords that you can change often because you do not have to remember them. The newest version of RoboForm also integrates with your biometrics (fingerprint reader) if you have one installed, whereby your master password can be entered via your fingerprint match. These programs typically sell for around $30 per user, which is a relatively small price to pay for peace of mind.

Cloud Computing

We covered cloud computing extensively in chapter 3, “Infrastructure.” The point we want to emphasize here is that cloud applications typically provide the most sophisticated physical and technical security protections that money can buy. They are managed by highly skilled IT security professionals. In addition, cloud applications provide the ability to have your data available anytime, anywhere, thus, eliminating the need to keep data floating around on your portable devices. Just connect to the cloud when you need to access it. This also means that your data resides in a single location; therefore you only need to worry about securing data in that location.

The following is a list of the typical security and disaster recovery safeguards that are provided by data center service providers that host all the various forms of cloud computing infrastructure services outlined in chapter 3.

• Electrical power system that is fully redundant containing uninterrupted power systems (UPS) with back-up generators that include 24 hours of on-site fuel.

• Dedicated and redundant HVAC systems.

• Waterless fire suppression system.

• Multilevel physical security protection.

  — Cement or brick building with no windows.

  — No signage describing that a data center is on-site.

  — Closed-circuit TV system that monitors all access points and data center with recording system.

  — Cameras directed by motion sensors to follow and track movement within the data center.

  — Biometric, key card, and code access required to enter datacenter at all times.

  — Alarm system with fail-safe mechanisms to prevent false discharge or tampering of the system.

  — Database of individuals authorized to access the facility.

  — Database of individuals accessing the facility.

  — All racks of servers and equipment are locked with entry via key card and access code.

• Network operations center that is used to view and monitor the entire data center, including physical security, environmental systems, and all data center equipment 24 hours a day, 7 days a week, 365 days a year.

• Multiple and redundant access to telecommunications providers.

• Networks are secured with firewalls, intrusion detection system, and intrusion prevention systems.

• Redundant and real time data center that provides automatic fail-over in case the main data center goes down.

• Trained staff of technical specialists.

When evaluating a data center, you should ask for independent validation of the security controls. The data center should be able to provide various “audit” tests or reports. These include penetration tests, security audits, and the AICPA’s Service Organization Controls (SOC) reports (formerly known as SAS No. 70 reports). The new SOC reports (SOC 1, SOC 2, and SOC 3) not only report on controls at a service organization (data center) that are likely to be relevant to an audit of a user entity’s financial statement (what SAS No. 70 was designed to do) but also report on the effectiveness of these controls related to operations and compliance. So when evaluating a data center, look for a SOC 2 report, which specifically addresses one or more of the 5 key system attributes: security, availability, processing integrity, confidentiality, and privacy.

Secure Data Transmission

We addressed the issue of encrypting files when they are stored and transmitted via e-mail, but what about data that we enter on a website, for example, accounting transactions, payroll data, personal information, and so forth? For this, you need to verify that you are connecting through a secure transmission, which means your data is encrypted as it travels across the Internet to and from its destination. The most popular method is called secure socket layer or SSL. This process encrypts all data that is exchanged between your browser and the Web server you are communicating with. You can confirm SSL is active if the URL of the Web server you are communicating with begins with https://, the “s” represents secure. You should never enter any personal information through your browser, including credit card information, unless you see the https:// prefix.

Antivirus Software

Antivirus software will help protect your computer from malware (an abbreviation for malicious software), which is the greatest threat to most information systems. Malware are programs that are designed to gain unauthorized access to your computer and applications or to destroy your data one way or another. The most common forms of malware include the following:

• Viruses. Malicious programs that find their way into your computer via e-mail messages, attached to files, or through website access. A virus can wreak havoc on your computer and will often spread to other devices attached to your network or are forwarded on to others.

• Worms. A unique type of virus that essentially replicates itself continuously to the point that it slows down the performance of your computer in every aspect.

• Trojan horses. This is a malicious program that appears disguised as a legitimate program, for example, a calculator utility. It is a form of virus that will corrupt your data files.

• Spyware. As the name implies, this is a program that finds its way onto your computer and will then capture information such as login keystrokes, credit card data, websites visited, and so forth. The spyware can then transmit this information to a remote computer.

The good news is that in the face of all these threats, there are some very reliable antivirus programs that can provide complete protection from all the threats listed previously. Some of the more well-known providers are Norton, McAfee, and Kaspersky. In order to prevent malware infection, all computers should have antivirus software installed.

There are basically three components of anti-virus software:

1. The software application, which is installed on the computer.

2. The virus definitions, which is a database downloaded from the antivirus software developer, installed on the computer, and updated on a frequent basis as new threats are identified.

3. The service, which is a program that stays active on the computer whenever it is running. This is your front line of protection.

It is important that the service is never removed, disabled, or stopped. During installation of some applications, it will be recommended that you disable the antivirus software. This should never be done because it could provide a moment when malware can attack the unprotected system. The virus definitions database should also be kept up-to-date. Most antivirus software vendors provide at least weekly virus definition updates. We recommend that you perform regular audits of workstations to confirm that all workstations have antivirus software installed, the definitions are current, and the service is running. You must inform your staff that this software is never to be halted or disabled.

Firewalls

There are many technical terms for firewalls, but simply speaking, they are hardware devices that reside between your internal network and the Internet. Their job is to make sure only permitted traffic from the Internet passes through to your internal network. Firewalls utilize complex rules, which means you tell the firewall what to allow and what to deny in terms of the type of data traffic. Traffic includes things like Web browsing, e-mail, chatting, remote desktop access, and file transfer, to name a few. The firewall basically looks at the traffic to determine if it meets an allowable rule and, if so, passes it along to the network. A good IT audit exercise is to ask your IT service provider to print a list of all the rules and explain what each ones does. It will be immediately apparent that firewall management requires a unique base of knowledge. For that reason, you typically need to seek the services of a system engineer who specializes in this area.

As with all the services we have discussed in this book, there are software as a service (SaaS) solutions for firewall management. This is typically a core service that is available from a managed service provider, as we discussed in chapter 3. There are also personal firewalls, which are typically integrated into the antimalware applications we discussed previously. These are quasi-managed services because the rules are updated by the vendor as part of the virus threat databases. The bottom line on firewalls is that they are a key component of your IT security and require special technical expertise, so be sure to consult with outside IT professionals.

Mobile Computing Security

This is becoming an increasingly complex issue to deal with as the deployment of smart-phones and tablets grows exponentially. These devices often have full access to the company database. The first step is to determine if the specific devices have built-in encryption or if it is available as an app. You can, and should, install antivirus software on these devices. In addition, you can secure your smartphones or tablets with a lock code to prevent unauthorized access. These are similar to a PIN, but there are various options to make them even more secure. Most of these portable devices can be easily connected to a USB port on any computer. This allows the user to copy any information from your system to his or her device. We recommend that you create a policy that states only authorized company devices can be connected to company computers. In cases when security is of utmost importance, we recommend that you disable all USB ports on computers to prevent unauthorized file transfers.

Remote wipe is another safeguard for your portable devices. This is an application that allows you to issue a command that will remotely wipe all the information from a lost or stolen device. The key weakness of this feature is that the lost device needs to be connected to the data network before it will actually get wiped. Device tracking is yet another tool that will track the location of your device. Many smartphones have this built in, but you can also buy a service called LoJack that will provide device tracking for laptops.

Data Backup

This has been a standard operating procedure since computer technology was first introduced. The good news is that today there is an abundance of alternative data back-up solutions that are very reliable and relatively inexpensive. Three main things need to be backed up: data files, software application files, and configuration settings files. The data files are obviously the most critical; they need to be backed up to a redundant storage device, at a minimum, on a daily basis. With all the cloud-based storage services available, it is very practical to set up a back-up process that is done continuously via the Internet with encrypted transmission. These services can typically be programmed to work in the background to minimize the strain on your system during normal operations.

Our recommendation is that you rely on a cloud-based storage service for all your system storage devices, including server, PC, smartphone, and tablet drives. The benefit is that you will have peace of mind knowing that all your data is located in a secure data center with world class protections in place. As one simple example, we use the Carbonite SaaS service to back up all our computers. They offer a pricing model of $599 for 500 GB of cumulative data storage for up to 15 devices. It does background backups, so no file is typically more than a couple of hours old before it is backed up. One of the key benefits of the online storage model is that if we lose a computer, we can go out and buy a new one, login to Carbonite, and download the files from the lost computer. Refer to appendix C for links to a number of online back-up storage services. They are not all the same, so do your due diligence. Because we are 100 percent cloud-based at our firm, all our applications data is stored at the SaaS vendors’ data centers, so we have 100 percent protection with virtually no effort.

Whatever back-up system you use, it is imperative that you do a fire drill test on a periodic basis, at least every 90 days. Simply try to restore a file or group of files from the backup storage and observe the process to make sure it works effectively and according to your expectations. The most important thing to verify is that all the files are getting backed up. You do not want to discover a deficiency after you have experienced a loss of data.

Disaster Recovery Protection

We could write a lengthy discussion about disaster recovery protection. Theoretically, every organization should have a disaster recovery plan (DRP). In reality, only a small percentage of organizations have a DRP that is documented and tested on a regular basis. In a perfect world, every organization would make this a priority. For most of us, however, we have too many other priorities to juggle, so you have to make sure you have covered the basics. We have outlined a simplistic approach you can take to ensure you have a solid disaster recovery plan:

1. Utilize a data center hosting service for all your server infrastructure and data storage. Be sure that the service provider backs up the data to a redundant data center on a real time basis.

2. Utilize SaaS cloud applications as much as practical to get disaster recovery protection as a by-product of the service.

3. Implement online storage for all your personal computers and mobile devices.

4. Develop an action plan for replacing all lost, stolen, or damaged equipment. This should include an inventory of the make, model, and serial number of all devices; a data file storage catalog so you know what files are stored where; and procedures for doing a system restore.