Are you using enough protection?

Karl Cushing looks at how you can stop hackers penetrating your systems

Karl Cushing looks at how you can stop hackers penetrating your systems

IT security is not something you can look at once and walk away from: it must be constantly scrutinised and updated to make sure that breaches do not occur down the line, whether by accident or as a result of more malicious activities.

Complacency is dangerous. The risks inherent in ignoring or paying lip-service to IT security are all too apparent. "There's a wide range of risks to companies - from regulatory investigations and criminal procedures to civil liabilities, where damages could be unlimited," warns David Naylor, a partner in the technology transactions group of law firm Morrison & Foerster.

A breach of customer confidentiality could give rise to a contractual liability and a company might find itself contravening the Data Protection Act - then there are the costs to the business arising from the damage to its reputation and potential loss of custom.

A key problem, Naylor says, is that companies do not see this area as "sexy", and too many see complying with legislation such as the Data Protection Act as an overhead. This is clearly not good enough.

If Naylor's words strike a chord what should you do next? Here is a list of 10 basic tips aimed at helping companies to secure their computer systems, none of which need cost the earth. Most simply involve the adoption of a different mindset.

Education, eduction, education
Opinion is divided on the relative merits of the various ways of ensuring security, but one thing is clear - more education is needed. Some members of the IT lobbying group Eurim even suggest that schools should teach pupils about the importance of IT security and using safe computing practice.

Graham Cluley, senior technology consultant at security firm Sophos, has long been urging companies to adopt safe computing techniques, like using rich text format files instead of Word files; not opening attachments with a double file extension name; and not running or opening unsolicited executables, documents, screensavers or spreadsheets.

Support any programmes that raise awareness with an active security policy document that is signed by all staff
Bolstering your security measures with an up-to-date security policy is vital, says Neil Barrett, technical director of security consultancy Information Risk Management. "It's your 'starter for 10'. Without a policy your people are just wandering around like lemons and your company will be like a lamb to the slaughter."

User buy-in can be achieved through regular training sessions and creating a separate document outlining the technology employees are permitted to use. It can be backed up in employees' contracts to set out what they can and cannot do. More importantly it can reduce the company's liability in the event of a security breach.

"You may well reduce your liability," says Naylor. "However, it's not a 100% solution." Adequate insurance, technology like firewalls and good service level agreements with third parties are also needed.

He reminds companies that deal with customer data that they must make sure they have legal grounds for holding and processing it, while making sure that it is securely held and kept up-to-date.

Plan carefully and look at all the options, including the less obvious ones
This point is stressed in the latest edition of the Basic Computer Security Measures by the information and security specialist group of the British Computer Society. It reminds IT directors and managers that a stitch in time saves nine and berates companies for allowing the security issue to drift as they rely on trust or luck.

The report claims that most known computer security issues have simple, obvious solutions and points out, "Some of the worst security breaches are caused by deception over the phone and the examination of litter baskets."

Implement a contingency plan or incident response policy to deal with security breaches
This will help to prevent damage caused by over-reacting to a security breach or hoax. A good idea is to have a designated computer security specialist and get users to report incidents immediately in order to limit damage. Staff should forward any warnings to that specialist. A sound response policy should also include liaison with the company's legal and public relations teams.

Patch your systems promptly
This will not just keep security up to a certain level but send out a clear message to hackers, who will then go elsewhere in search of an easier target.

Look for warning signs on the Web
Barrett advises IT directors to check the Web at least once a month for "anything out there that indicates that someone is upset with your company for some reason". It would also be advisable to look for postings from employees who may inadvertently give away technical details.

Think like a hacker
Hackers begin by scanning the systems and doing a "banner grab" to see how the system is set up, says Barrett. So, suppressing the banner ads is obviously a good idea. It sends out a clear message and it is "dead easy" to do.

Barrett also recommends sending an e-mail from your work PC to your private e-mail account and then looking at the extended headers. These indicate the route the message has taken, including all the places and times that it has been handed off - these should be suppressed on the mail gateway. "IT chiefs will be totally gob-smacked by the amount of material provided by these headers," he says.

Last - but not least - he advises IT directors to go over the company Web site with a fine-toothed comb. Look at the source code: does it give away any secrets, such as how the systems are configured or does it include the author's name? This would give hackers something to get their teeth into. Companies should also consider trying to hack their own Web sites or employ a third party for penetration testing.

Make sure hackers know you know what they are doing
For example, when suppressing the banner grabs, insert a message, "Your attempt to access this information has been noted, we have logged your IP address and if you go any further you could be prosecuted under the Computer Misuse Act." In other words, the equivalent to a sign saying that shoplifters will be prosecuted.

Use camouflage
Barrett says some firewalls can easily be identified by their ports, like the almost universally applied Firewall-1 with its 256 and 257 ports which are easily visible externally. He recommends shielding this information or, to really confuse the hacker, installing a different firewall and adopting a "cyberguard" to ape the characteristics of a Firewall-1.

Make your security technology so intuitive that it is invisible to the end-user
Easy wins can be made by simple measures like limiting some employees' Web browsers to certain sites and restricting access to sensitive information, while offering unrestricted Web access on designated terminals on a separate, isolated network.

Read more on IT risk management