Recent statistics highlight the severity of the risks to internet users in the workplace: a survey conducted by the makeITsecure campaign revealed that 50 percent of work users have been affected by a virus, 11 percent have received emails looking for banking details (i.e. phishing attacks) and 29 percent have received some kind of spam.
Backing up the numbers from the makeITsecure survey, December figures from hosting firm IE Internet make for sobering reading; four out of 10 emails intercepted by the firm contained a virus of some description, while spam accounted for 38.9 percent of emails delivered in December.
A number of threats - such as worms, Trojans and back-door Trojans - are classified under the term virus. The threats vary in sophistication and method of attack. A worm, for example, is a program that circulates over a network exploiting vulnerabilities in operating systems or software packages, reproducing itself as it goes.
A Trojan Horse is a malicious, security-breaking program that is disguised as a benign email attachment, such as a game. This type of virus normally requires a user to perform some action before it can be activated, so a basic defence against this is a strict organisation policy that email attachments should not be opened until they have been checked by an antivirus scanner and only then if they originate from a known, reliable source.
Backdoor Trojans, on the other hand, are somewhat sneakier. They work by exploiting "secret" network access routes and attempt to give malicious users access to the victim's computer. The malicious user could then turn the computer into a zombie, which he would be able to control without the user's knowledge to send out spam or launch denial-of-service attacks.
While the prevalence of such security threats shouldn't deter people from using the internet and email, users should take all the necessary precautions to protect themselves while they do so. There are a number of basic defences that all security experts agree should be mandatory in the workplace. They are:
While many IT managers would find it difficult to believe that some companies do not use antivirus software, statistics from the makeITsecure survey revealed that only 75 percent of work users have this vital program in place. On top of this, the survey also showed that fewer than half of work users password-protect files on their computers.
"Antivirus software is an absolute must," says Conor Flynn, technical manager with security consulting firm Rits. "Companies can't afford to be complacent about protecting themselves against these threats. They should be looking for regular updates as often as every hour or so."
While checking for updates every hour may seem excessive, Flynn warns that virus writers are constantly seeking ways to exploit vulnerabilities and software firms like Microsoft are continuously patching flaws.
Perhaps more of a nuisance than a security threat, spam - unsolicited junk email - has emerged as an annoying downside to email. In order to deal with the frustrating influx of unsolicited mail, Flynn advises smaller companies in particular to consider outsourcing their spam-filtering to companies like MessageLabs, TopSec or Eircom - to name a few - all of which offer services that filter out unsolicited mail before it even reaches a company's server.
"Services like this remove the headache of spam, meaning companies don't have to monitor their spam filters and staff don't need to waste time deleting junk mail from their inboxes," explains Flynn.
Increasingly, security experts are advising companies to educate their staff on eSecurity issues like spam and viruses. Campaigns like makeITsecure work to raise awareness of the issues, but companies would benefit greatly from making sure all staff know the dos and don'ts of internet usage, such as not opening email attachments from unknown sources, advises Flynn.
As virus writers and fraudsters become more sophisticated, educating staff has never been more important. Threats like phishing, spyware and pharming take advantage of users' tendencies to open attachments, click on links and download files from the web. In the second article in this two-part series, we will examine these types of threats and look at ways to combat them.
While internet usage continues to thrive, the methods of virus writers and fraudsters have become ever more sophisticated and difficult to combat. "Phishing" and "pharming", unheard of only a couple of years ago, are evidence of the sinister new turn that security threats have taken. Though threats like these are not as well known as viruses and worms, the damage they can do should not be underestimated.
Judging by a recent survey conducted by the makeITsecure campaign, awareness of phishing and spyware among Irish PC users is low, with only 13 percent saying they had a good understanding of phishing, and 24 percent saying they knew what spyware was. Compounding that lack of awareness, only 29 percent of companies said they restricted the type of websites their employees can visit, and just 28 percent said they have anti-spyware software installed on their systems.
There seems to be no end to the launch of new phishing attacks. In fact, a report released by Websense and the Anti-Phishing Working Group (APWG) at the beginning of January revealed that reports of such attacks have reached an all-time high - up to almost 17,000 in November 2005 from just under 16,000 in October.
Phishing is a technique aimed at gaining personal information from the intended victim for the purposes of identity theft, using fraudulent email messages that appear to come from a legitimate source. These authentic-looking messages are designed to fool recipients into divulging personal data such as bank account numbers, passwords and credit card details. Pharming, a more recent threat, is a spin-off from phishing that uses malicious code to misdirect users to fraudulent websites, where an attempt will be made to glean personal data from the unsuspecting visitor.
The best line of defence in dealing with phishing attacks, and indeed all other eSecurity threats, is having a clear internet usage policy for staff, according to James Finglas, sales director at MJ Flood Technology, a provider of IT solutions for SMEs. "Education is the key in dealing with these kinds of threats," he explains. "Absence of a defined internet usage policy can lead to employees abusing the internet and visiting illicit sites that could leave a company vulnerable to attacks."
Ken O'Driscoll, technical manager with hosting firm IE Internet, agrees, saying that education is "the best way to go for smaller firms who may not have the resources to invest in the more sophisticated protection software."
Both O'Driscoll and Finglas explain that a good policy will outline to staff the dangers of opening email attachments from unknown senders, visiting illicit sites, downloading illegal software or music and clicking on links contained in emails, no matter how official they look.
Finglas notes that banks have been quick to point out that they will never request information from customers via email. "Once people are aware of the threats and understand the damage they can potentially do, they tend to be more careful how they use the email and internet," adds O'Driscoll.
Another relatively new threat is spyware - software that transmits information back to a third party without notifying the user. It too is on the increase, according to a report by Webroot Software last May, which revealed that 87 percent of corporate PCs have illicitly installed spyware on their hard drives, including cookies, adware and system monitors.
Indeed, the threat of spyware is perhaps not fully understood by smaller firms, according to O'Driscoll. "Companies are often unaware of the manipulation and tracking that spyware programs can carry out," he says. "Spyware can sit on a PC and record a user's keystrokes, or it can be contacted remotely by cyber-criminals who can use it to hunt around the PC for sensitive information."
Make no mistake, spyware can affect any company, as highlighted by an incident involving an SME in the manufacturing industry last year. The company, a client of MJ Flood Technology, discovered that spyware had infiltrated its systems, causing them to slow to a crawl. The end result, according to Finglas, was downtime of eight days, the loss of the firm's email client - which was completely crippled by the spyware program - and a direct financial cost of EUR27,000 to rectify the problem.
"In many cases, SMEs do not have a dedicated IT resource and are reliant on their financial controller or office manager to ensure network security," explains Finglas. "In addition, some companies believe that if they have antivirus software and a firewall that they are protected from all threats. This is simply not the case."
One technical solution that is helpful for companies who want to protect themselves against spyware is anti-spyware software such as Adaware, which is free to download and install. Programs like Adaware not only scan a PC for spyware-related programs, but also offer protection against these privacy threats.
With cyber-criminals increasingly targeting companies' weakest link - their staff - it has become more important than ever to ensure that employees are kept up-to-date on how they can help keep their company from becoming a victim.