Chapter 10. Information Security

 

‘When humans are too happy, even the gods are jealous.’

-- Old jungle saying

What is information security?

Organizations can suffer various disasters if critical information and data are compromised by any means. An organization relies on several types of data. Some of it is confidential and must not be viewed or altered by unauthorized persons: the salary details of your employees, for example, cannot be made available for everyone to view. Or your company’s payment or ecommerce website can be breached and defaced by hackers, causing reputation damage. Hence it is necessary to have a protective envelope around the various kinds of data an organization uses. This is information security. To prevent compromises to the confidentiality, integrity or availability of its information, an organization should classify all its data appropriately and ensure proper safeguards for each class; the safeguard must match the class, since the same control cannot sensibly be applied to a public notice and to a production password. Some examples of classifying company data are:

  • Confidential: For example, only the employee concerned and certain staff, such as HR and finance, should know an employee’s salary; it should not be visible to others.

  • Secure or restricted: Only authorized staff should handle passwords of mission-critical systems, production servers, etc.

  • Internal or private: For example, general company policies can be made visible to all employees via your company intranet.

  • Important: A software development team can classify its software code as important and can restrict access only to certain team members.

  • General or public: For example, certain information like fire safety, health tips, first aid, etc, can be classified as general and displayed for everyone.

What are the various ways in which information security can be compromised?

As mentioned earlier, disasters can happen to organizations if information security is compromised in any one of a number of different ways, eg:

  • An organization connected to the Internet can be broken into by unauthorized persons if there is no proper firewall, intrusion detection or anti-virus system. A firewall restricts which connections may pass between the internal network and the Internet, so internal systems are not directly reachable from outside. An intrusion detection system watches network traffic for suspicious activity. For example, an intrusion detection system can detect a flood of connections aimed at a website that indicates a ‘denial of service’ attack, or a rogue program inside the network taking part in one.

  • A laptop containing confidential and sensitive information can be stolen.

  • Confidential documents can be scanned or photocopied by unauthorized staff.

  • Unauthorized personnel can intercept e-mail.

  • Unauthorized persons may get access to data centres.

  • Tapes, CD-Roms, diskettes, pen drives, etc, containing confidential data can fall into the wrong hands.

  • External consultants, contractors, vendors, etc, working within an organization can view or access confidential data they are not supposed to see.

  • Carelessness and human error, for example in letting unauthorized persons learn passwords or allowing strangers into the premises.

  • Critical passwords getting lost, stolen or changed by unauthorized persons.

  • Somebody can hack a company website and alter or steal sensitive information. For example, if an organization sells products over the Internet, somebody can hack into the website and collect customer information like credit card numbers, e-mail IDs, etc.

  • Employees who resign or get fired may destroy important data before they leave, or pass on sensitive information to outsiders.

Example

One of the companies that the author was working for in the Middle East had supplied several computers to a large defence organization. Security and movement of materials were extremely tight. The author’s company was maintaining the hardware. However, whenever there was a hardware fault, like a hard disk failure, there would be two qualified defence personnel meticulously supervising the disk replacement by the IT vendor. Even after replacing the failed hard disk with a new one, they would not allow the vendor to take the failed hard disk back, irrespective of the nature of the fault, for security reasons.

What safeguards are available to protect information?

Safeguards can be of several different types depending on the nature of an organization. Some of the common precautions you can take are as follows:

  • All confidential data can be housed in a secure file server with access only by the authorized department’s personnel. The administrative password can be kept in a secure safe and all usage logged in a register.

  • All important data can be stored in secure file servers that can be accessed only by authorized employees.

  • People can be prevented from printing, photocopying or emailing certain types of documents. For example, many types of document can be converted into an Adobe PDF file with printing disabled, making it read-only. Bear in mind that such PDF permissions are honoured only by well-behaved viewer software and are easily stripped; they deter casual copying but will not stop a determined insider.

  • Ensuring that all hard copies of confidential documents are shredded after use so that they do not fall into the hands of unauthorized persons.

  • Ensuring that nobody stores important data on laptops, CD-Roms, diskettes, etc, that can easily get misplaced or stolen.

  • Electronic systems can be implemented to log and monitor activities on all computers or only by certain users.

  • Preventing and monitoring Internet access of every employee. Ensure they do not access chat sites, non-business sites, etc.

  • Prevent Internet and external e-mail access to certain highly sensitive job profiles if possible. This is to prevent unscrupulous employees from sending details like credit card information, account information, etc, of customers to online criminals.

  • Prevent users from bringing video phones, digital cameras, fancy communication gadgets, etc, into the organization.

  • Information security is a very wide topic and encompasses several areas. It is recommended this be the responsibility of a separate department in your organization.

... and other industry best practices or manufacturer’s recommendations.[4]

What is hacking?

Hacking, in the sense used here, means gaining unauthorized access to a computer, its files and programs. The people who do this are called hackers. Hacking may happen just for fun, for commercial gain or for espionage. An outsider can hack into an organization’s network and gain access to critical or sensitive information. Sometimes hackers destroy or copy important data. For example, if a hacker gets access to credit card numbers, PINs and other details, they can dupe hundreds of customers by purchasing goods online without the card owner’s permission. Criminals can also withdraw small sums of money from hundreds of bank accounts, keeping each theft small enough to go unnoticed for years.

How can organizations prevent hacking?

Some of the common methods to prevent hacking are as follows:

  • Install a state of the art firewall (hardware or software) between the company network and the Internet, configured to allow only the traffic the business needs. A firewall prevents a hacker on the Internet from reaching systems inside an organization’s network directly. Firewalls are available from companies like Checkpoint, Cisco and others.

  • Install all manufacturer-recommended patches, hot fixes and service packs on all computers. These patches fix various vulnerabilities that can be exploited to hack into a machine.

  • Log all connections into and out of your network, and keep the logs where an intruder cannot alter them. With such logs it is possible to identify the IP address, time and other details of the computer that accessed your credit card system, and usually the country it is located in. Bear in mind that an attacker can route the connection through other compromised machines, so the address in the log is not necessarily the attacker’s own.

  • Change critical passwords periodically and whenever there is any chance they have been exposed, for example when an administrator leaves. Ensure that the passwords are not easy to guess: do not use a blank password, ‘password’, ‘secret’, etc, which attackers try first. Use long passwords combining uppercase and lowercase letters, digits and symbols, and never reuse a password across systems.

  • Always have the latest anti-virus update on all critical systems.

  • As an added precaution, purchase and install personal firewalls on computers (or use the Windows Firewall in Windows XP and later versions). A firewall is particularly important on laptop computers, which may be used outside the network. This software can detect and alert a user if some other computer is trying to connect to his or her computer, and it helps prevent people from hacking into your computer while you are on the Internet. A personal firewall makes a computer much harder to reach from the network, but it is not a guarantee on its own. As with anti-virus programs, it is important that you keep your personal firewall software up-to-date.

  • Install spyware and adware removers. Spyware, adware, etc, are small programs that install themselves without your permission while you are browsing the web. Anti-virus programs have not always detected such programs, which is why dedicated removers exist. Depending on how it is written, adware or spyware can send out sensitive information without the user’s knowledge. Visit www.bulletproofsoft.com and www.download.com to download or evaluate various types of adware and spyware removal tools.

  • Do not open suspicious e-mail attachments. An attachment can contain a Trojan horse or another program designed to wreak havoc on your computer. A Trojan is a program that appears harmless but, when run on your computer, gives a hacker easy access to your system. Users cannot see that a Trojan is running on their computer. Some Trojans provide a backdoor that allows hackers to take control of the computer remotely.

  • Don’t download stuff recklessly from the Internet. Websites designed by troublemakers provide software which is intentionally designed to hack and damage your computer.
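As an added example (not code from this chapter), here is the kind of check an intrusion detection system performs for the ‘denial of service’ case mentioned earlier, and the kind of review the ‘log all accesses’ advice above makes possible: it parses a connection log, extracts the source IP address of each connection and flags any source that opens more than a threshold number of connections within a short sliding window. The log format, the addresses, the threshold and the window length are all assumptions constructed for the example.

```python
"""Rate-based detection of a connection flood from a constructed log.

Added example, not code from the original chapter. It assumes a simple
syslog-like format (constructed here) in which each line records one
inbound TCP connection: "<timestamp> CONNECT src=<ip> dst=<ip>:<port>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines. 203.0.113.7 opens 6 connections inside
# 3 seconds; 198.51.100.20 behaves normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00 CONNECT src=198.51.100.20 dst=10.0.0.5:443
2024-05-01T10:00:01 CONNECT src=203.0.113.7 dst=10.0.0.5:80
2024-05-01T10:00:01 CONNECT src=203.0.113.7 dst=10.0.0.5:80
2024-05-01T10:00:02 CONNECT src=203.0.113.7 dst=10.0.0.5:80
2024-05-01T10:00:02 CONNECT src=203.0.113.7 dst=10.0.0.5:80
2024-05-01T10:00:03 CONNECT src=203.0.113.7 dst=10.0.0.5:80
2024-05-01T10:00:03 CONNECT src=203.0.113.7 dst=10.0.0.5:80
2024-05-01T10:00:09 CONNECT src=198.51.100.20 dst=10.0.0.5:443
2024-05-01T10:00:30 CONNECT src=203.0.113.7 dst=10.0.0.5:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) CONNECT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))


def detect_floods(log_text, threshold=5, window_seconds=5):
    """Return {src_ip: timestamp at which the threshold was first crossed}.

    A sliding window is kept per source address: once more than `threshold`
    connections from one source fall inside `window_seconds`, that source is
    flagged. Repeated alerts for the same source are suppressed.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    alerts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue              # skip malformed lines rather than crash the detector
        ts, src, _dst, _port = rec
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have fallen out of the window (q always holds ts itself).
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_floods(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} possible connection flood from {ip}")
```

With the sample above only 203.0.113.7 is flagged, at 10:00:03, when its sixth connection in three seconds arrives; the later single connection at 10:00:30 falls outside the window and raises nothing. In practice the threshold is tuned per service, since a busy web server legitimately sees many connections from one proxy address.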

What is port scanning?

A computer’s networking software (TCP/IP) lets many services share one address by giving each a numbered port. A port number is a 16-bit value, so there are 65,536 possible ports (0 to 65,535) for TCP and the same again for UDP. Well-known services sit on conventional ports: 80 is used for web traffic (HTTP), 443 for HTTPS, 25 for e-mail delivery (SMTP), 21 for file transfer (FTP), 22 for SSH, and so on. Not all ports are in use on a given computer: a port is ‘open’ only when some program is listening on it. A port scan is a series of connection attempts sent by an attacker to learn which network services a computer is running and therefore where to probe for weaknesses; it is usually the first step of an intrusion. Essentially, a port scan sends a packet to each port in turn and classifies the port by the reply: a completed connection means the port is open, a reset (RST) means it is closed, and silence usually means a firewall is dropping the traffic (‘filtered’). Scanning itself cannot be prevented, because any host reachable from the Internet can be probed; what you can control is what the scanner finds. Every service that is not needed should be switched off so that its port is closed, and a firewall should drop traffic to the rest. For example, if the computer is not used for file transfer, it should not have the FTP service enabled. Checking this by hand on a few machines is practical (netstat on Windows and Linux, or ss on Linux, lists the listening ports), but across an estate of systems specialized tools, such as those available from www.lantools.com, can scan computers, report the open ports and advise how to close them. It is also worth scanning your own public addresses from outside periodically, since that shows exactly what an attacker sees.
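As an added example (not code from this chapter), the following Python script performs a TCP connect() scan of the kind described above and classifies each port as open, closed or filtered from the response it gets. To stay runnable offline and lawful it scans only 127.0.0.1, against a throw-away listener that it starts itself; the host, the port list and the timeout are assumptions of the example. Scanning hosts you do not own or have written permission to test is illegal in most jurisdictions.

```python
"""TCP connect() port scan against a local listener.

Added example, not code from the original chapter. It scans only the loopback
address, against a listener the script itself starts, so it touches nothing
that is not yours.
"""
import socket
import threading


def start_listener():
    """Start a TCP listener on an OS-chosen port of 127.0.0.1; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: stop the thread
                return
            conn.close()                # accept and immediately hang up

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def probe_port(host, port, timeout=0.5):
    """Classify one TCP port by what happens on a full connect().

    "open"     - the three-way handshake completed (a service is listening)
    "closed"   - the host answered with RST (nothing listening there)
    "filtered" - no answer within the timeout (typically a firewall dropping packets)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:              # must precede OSError: it is a subclass
        return "filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def scan(host, ports, timeout=0.5):
    """Probe each port in turn and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def open_ports(result):
    """Ports from a scan result that accepted a connection, sorted."""
    return sorted(p for p, state in result.items() if state == "open")


if __name__ == "__main__":
    srv, listening = start_listener()
    # The listener's own port plus its two neighbours, which are almost certainly closed.
    targets = [listening - 1, listening, listening + 1]
    result = scan("127.0.0.1", targets)
    for p, state in sorted(result.items()):
        print(f"127.0.0.1:{p}\t{state}")
    print("open:", open_ports(result))
    srv.close()
```

A connect() scan is the noisiest kind, since every open port sees a full connection and the service may log it; that is exactly why the logging advice above matters. Tools such as nmap also send half-open (SYN) probes and UDP probes, but the classification into open, closed and filtered is the same idea.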



[4] The Information Security Management Standard ISO/IEC 27001 (first published as ISO/IEC 27001:2005 and revised since) provides best practice guidance on designing and implementing an information security management system. For more information on this topic, see www.itgovernance.co.uk/iso27001.aspx
