Information Security is very important today. Check out our recent article which was published in the California Investigator Magazine.
} What is Information Security? {
“Information security, also termed cyber security, is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.” – National Institute of Standards and Technology
In the context of business the term information includes company policies, procedures, emails, invoices, payroll, employee data, client data, passwords and company website. For investigative agencies subject identifiers and investigation data should also be considered sensitive or confidential information that would need to be safeguarded.
Information systems include computers, networks, accounting programs, case management software, online data storage, etc. Security of information also extends to smartphones and any other electronic devices which are used to connect to the Internet.
} Why is Information Security Important? {
Internet crimes are on the rise, including identity theft, credit card fraud, scams, computer crimes, spam, malicious links, viruses and other malicious code or programs, sexual predators and non-delivery/non-payment fraud, to name a few. The FBI reported 303,809 complaints of internet crime in 2010. The 2011 Norton Cyber-crime Report estimated that the annual total cost of cybercrime is approximately $388 billion. That number included $114 billion in direct theft and time spent resolving attacks and another $274 billion for productive time lost by victims. Many have the misconception that if they are not doing anything important online then they wouldn’t be a target. It doesn’t matter who you are or whether you stand out in some way. Hackers have software programs designed to scan about 10,000 computers an hour to identify those with a weakness to penetrate and launch attacks against them.
Having the best antivirus protection in the world still won’t protect you if you do not use strong passwords. Brute force attacks have become much easier with the advent of sophisticated algorithms specifically targeted at cracking passwords. According to Woopra, one of the world’s leading web analytics companies, the average time to hack a password with only 5 characters, all in lower case, using an ordinary computer is about 12 seconds. The average time it takes to hack a password with 8 characters, all in lower case, is about 2 ½ days. But if you make your password stronger (longer, including capital and lower case letters, numbers and special characters), you can significantly reduce your risk of having your account hacked by a brute force attack. For instance, if you use a password which is 8 characters long and uses all character types, it would take over two centuries to hack. If you raise that to 9 characters of all types, it would be 20 millennia before that password would likely be hacked. This all assumes the use of only an “average” computer to conduct those brute force attempts. Just imagine if more powerful computers were used to carry out those attacks. Cyber criminals can afford powerful equipment to handle the efforts they need to hack numerous accounts quickly.
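As an added illustration that is not part of the original article, the following Python computes the exhaustive-search time behind the figures above for any candidate password. The rate of one million guesses per second is an assumption back-solved from the article’s own 5- and 8-character examples, and the sample passwords are constructed.

```python
import string

# Assumed guess rate for an "ordinary computer", back-solved from the article's
# figures (26^5 guesses in about 12 s, 26^8 in about 2.5 days): roughly one
# million guesses per second. An assumption for illustration, not a measurement.
ORDINARY_PC_GUESSES_PER_SEC = 1_000_000

# Character classes an exhaustive search must cover, with their sizes.
# Symbols = 32 printable ASCII punctuation characters plus space (33), so all
# four classes together give the usual 95-character printable alphabet.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover for this password."""
    return sum(n for chars, n in CHAR_CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same classes."""
    return charset_size(password) ** len(password)

def seconds_to_exhaust(password: str,
                       rate: float = ORDINARY_PC_GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(password) / rate

def human_time(seconds: float) -> str:
    """Render seconds in the largest sensible unit (Julian year = 365.25 days)."""
    for unit, span in (("millennia", 31_557_600 * 1000), ("years", 31_557_600),
                       ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    # Constructed sample passwords matching the article's four cases:
    # 5 lowercase, 8 lowercase, 8 of all types, 9 of all types.
    for pw in ("abcde", "abcdefgh", "Tr0ub4d!", "Tr0ub4d!x"):
        print(f"{pw!r:12} charset={charset_size(pw):2} "
              f"keyspace={keyspace(pw):.3e} "
              f"exhaustive search: {human_time(seconds_to_exhaust(pw))}")
```

Raising the rate to what dedicated cracking hardware achieves shrinks every figure proportionally, which is the point the paragraph makes about criminals with powerful equipment.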
Less serious cyber criminals or individuals with malicious intent can still hack your accounts by brute force without sophisticated computers simply by learning something about you. People tend to use passwords they can easily remember. A great deal of personal information, preferences, favorite books, songs, activities and names can be found on a person’s social networking page these days. How many of you use your dog’s name as your computer password or your date of birth as your cell phone’s voicemail password?
} Who is attacking? {
- Experimenters and vandals (also called “script kiddies”): going after notoriety and in it for the challenge (bragging rights)
- Hacktivists: believe they are vigilantes fighting for a cause
- For-profit cybercriminals: they often commission custom software and Trojans to use against small businesses, which have little protection and a lot to lose
- Information warriors (spies): going after the defense organizations of nations
Reasons for launching attacks vary and can be money, access to additional resources, competitive advantage, grievance or vengeance, curiosity, mischief, attention or notoriety. There are people out there who are professional cyber criminals, script kiddies who hack for the thrill of the challenge, and everyone in between. Additionally, as one can imagine, in difficult economic times people may become desperate as finances get more strained. Just like every industry hit by layoffs and cutbacks, there are a lot of highly skilled information technology specialists out of work who have time on their hands and families to feed.
} What are the common targets? {
The bad guys want access to your and your client’s information, access to your money, your personal identifiers, to connect you to a botnet, to connect or use your information for political reasons, to use your resources for hidden file storage, and to identify anything they can use from you to make money. Your personal information is valuable and there are some people out there who want it to sell for a hefty profit. According to the OSF DataLoss in 2010, the average number of identities exposed per data breach was as follows:
• 262,767 from hacking
• 68,418 from insiders
• 67,528 from theft or loss
• 30,572 from insecure policies
• 6,353 from fraud
Hacking has a much higher number due to the fact that hackers use sophisticated scanning software to find unprotected computers. Specific targets are end point operations, your word processor, office software, PDF readers, social networking, emails and mobile applications.
There was a 400% increase in computer infections leading to more data breaches in 2010 than in the last four years combined. And small businesses are prime targets for malicious attacks. It is estimated that there are 26.8 million small businesses in the US and most small businesses (89.9%) have fewer than 20 employees. Small businesses usually don’t feel they are at risk and are largely unaware of the need for protection. Therefore, they tend to not focus on security and remain unprotected. Like any business, small businesses maintain confidential information, employee and client data, trade secrets, financial information and those are all prime targets for attacks. Investigative companies have even more at stake than some other businesses as they typically deal with sensitive and confidential information regularly. So, combine lack of thorough security measures with high stakes information at risk and you have a target ripe for an attack.
Clients and customers of businesses expect that their private information is being appropriately protected. Customers trust that companies are taking the appropriate measures to keep their data and information secure so that it will not fall into the wrong hands. If a business accepts credit cards, it is expected to be PCI DSS compliant. If a company deals with medical records, it is expected to be HIPAA compliant.
Some information in a business needs protection for integrity. Other information needs protection for availability. It is also important to note that some of the information used by private investigators requires special protection for confidentiality (see “Confidentiality – What it really means to private investigators”), and investigators are expected to keep that information both confidential and secure through due diligence.
} Due Diligence {
It is the company’s responsibility to conduct due diligence in protecting its information. Therefore, it must first implement “due care”: the care and forethought that a reasonable individual would exercise under the circumstances. This includes planning for and taking care of information security, staying up to date on the topic, and being thorough in protecting yourself and your business.
Due care is the standard for determining legal duty. You must be able to demonstrate that you took due care in information security in court to defend against negligence in a lawsuit should you be the victim of a security breach.
Due diligence is the effort made by a reasonable individual to avoid harm to another party, and when failure to make that effort may be considered negligence. What this means for information security is keeping updated on all industry recognized best practices and making changes accordingly. Information security is an ongoing journey not a final destination.
} Common Security Attacks {
Type: Theft of data, services and resources: stealing computer files, accessing accounts, interception of emails or internet transactions, stealing laptops or computers
tip: secure and encrypt critical data
tip: only have a cleaning crew come while you are present
Type: Denial of service: attacking computer or website (locks up equipment or crashes your system)
tip: don’t let your domain expire. People scan domains for expiration dates; when they find ones owned by companies which are about to expire, they monitor and wait for that to happen so they can obtain them and either hold them for ransom or use them to promote their own services. Your domain name is a company asset.
tip: review a website analytic program to keep track of who is viewing your website
tip: have your domain and hosting registered in the company owner’s name, not the IT person’s or an employee’s, so they can’t take it with them if their employment is terminated
Type: Malicious codes and viruses: finds and sends your files over the Internet, can find and delete critical data, lock up your computer or system, hide in program documents or create hidden files, can install on your system and record your keystrokes
tip: use strong antivirus and malware programs on all computers and smartphones
Type: Insider threats: non-business use of computers may expose system to threats, disgruntled employees, vendors or subcontractors, unauthorized use or misuse of resources, illegal transfer or storage of information, compromised data (loss or alteration)
Type: Other threats: spoofing, snooping, social engineering, abuse of system privileges, ransomware, insider threats, phishing, spear phishing, spam, compromised websites
} The Consequences {
The immediate consequences of successful attacks include lost time and money, work and workflow stops and slowdowns, network crashes or lock outs, interrupted email communication, electronic commerce shut downs, embarrassment or diminished credibility, repair costs, legal expenses, misinformation, loss of business, out of business, loss of public confidence in business.
Further consequences include:
Direct legal liability – trade secrets, lawsuits covering improper disclosure of data, breach of contract, etc.
Non-legal liability – business interruption, data loss/corruption, damaged public image and reputation, increase in insurance premiums or cancellation, loss of employee productivity
Indirect legal liability – copyright infringement, illegal storage on your network system (child pornography or other illegal materials), aiding & abetting (where a network is used to attack another network)
Regulatory consequences – GLBA, HIPAA, SOX, FACTA [Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Sarbanes-Oxley Act, Fair and Accurate Credit Transactions Act]
} Security Tips {
Don’t wait for an issue to arise to deal with the topic of information security! Once a network security breach has occurred, it is the worst time to implement a security plan. At that point the damage has already been done and has already become much more expensive than if security was addressed before any issue had occurred.
The following is a list of some best practice steps which a small business (whether a private investigator or a client) can take to increase information security. Should you have any specific questions regarding your information system or how to implement security, contact a trained IT professional.
1. Identify your risks
2. Determine the cost of: lawsuits, rebuilding data, loss of work/time
3. Assess how much risk you and your business can live with
After you have identified the risks, consider implementing the following steps:
Install a firewall (multiple where needed), use a strong antivirus program and malware detection software, set web content filtering, run trusted anti-spyware, anti-spam, and anti-phishing programs on your computer.
Do not download files, click links or open attachments from unknown sources. To date you cannot get a computer virus simply by reading an email alone; but those days are coming.
Ensure important data and records are backed up regularly and stored off site. The goal is to be able to restore your system and data to what existed before a malicious attack, virus, code problem, theft, destruction, data integrity issue or equipment failure. TEST YOUR BACKUPS and know how to restore your data!
When using off-site data storage, be sure the information is stored encrypted and that at least the minimum standard of encryption is used: FIPS 140-2 compliance
Automate data and system backups
Have a security policy in place which implements “best practices”: enforce safe internet, email, desktop and personal practices, and teach all users safe computing and Internet skills.
Use strong passwords and change them often
Don’t use the same passwords on all accounts (if one gets hacked the bad guys know to try other likely accounts you may have with the same password)
Be cautious where you store your passwords (a flash drive locked in a file cabinet is a good idea; storing them with an online password memory program seems like a great target for hackers)
Don’t allow online sites to save your passwords or credit card information. What happens if that company’s site gets hacked?
Use screen locking on your computer, log off at the end of the day and power down your system at the end of the day
Confirm identities of people or organizations requesting your information
Use locks (buildings, file cabinets, computers), alarms, anonymity, guards
Accompany all vendors or repair persons who enter your business or home
Control employee termination/departures
Give only enough information to answer questions
Conduct a background check on yourself to make sure there isn’t anything on your record that wasn’t put there by you (e.g. criminal records, judgments, liens), and run your free credit report yearly.
Be cognizant of proper handling of data in remote environments
Beware of public wireless networks – places which offer free wireless connections can be hot spots for hackers because it is so easy to track someone’s cookies and recreate what someone is looking at on their computer screen. This includes logging in to investigator databases, running DMV information, conducting online banking etc.
Home/Office wireless Internet networks:
• Change the default identifiers (SSIDs) and don’t broadcast them
• WPA2 (WiFi Protected Access 2) is the minimum encryption to use for wireless according to NIST
• Change the name of the wireless router box (too easy for someone to use a search engine to find out how to hack the router box by name)
• Change default encryption keys often
• Change the wireless access point administrator password
• Keep the “automatically connect to a wireless network” feature turned off on your smartphone so that just walking around you can’t have your logins and passwords scanned right off of your phone
Keep operating system updated and make sure all patches for applications are current.
Control access to important company data
When systems are replaced, be sure to destroy all information on the old system’s hard drives and remove SIM cards and memory components; deleting or erasing is not enough
Change your email settings to display “plain text” to avoid any hidden code which could be malicious
Read all details of any smartphone application carefully before you download it to understand what access it will have to your information
} Helpful Resources {
National Cyber Security Alliance for small businesses and home users www.staysafeonline.org
National Initiative for Cybersecurity Education www.nist.gov/nice
Federal Trade Commission www.ftc.gov/bcp/edu/microsites/idtheft
Information Assurance Support Environment, Defense Information Systems Agency http://iase.disa.mil
What to do if you become a victim of identity theft: (1) file a police report; (2) report scams and frauds to the FBI Internet Crime Complaint Center www.ic3.gov; (3) notify the top three credit bureaus to put your name on fraud watch so extra measures must be taken for accounts to be opened in your name and suspect transactions are flagged for closer attention; and (4) change all of your passwords and request new credit cards.
*Article published in CI Magazine October 2012 issue