Case Study: Priority Data Group
Priority Data Group is a software organisation that specialises in network
management and information security services and solutions. They offer a
combination of in-house developed software with best-of-breed products from
the world's foremost software publishers to provide an integrated security
solution. They have found that a new area of expertise that is in great
demand by companies is penetration testing. This is used to find out how
secure a company's systems are from internal and external security breaches.
Alec Florence, Managing Director of Priority Data, reveals some
of the common ways company systems are breached, and offers preventative
solutions.
"Have a strict password policy in place", says Alec. This policy
should follow normal 'need to know' guidelines and restrict users' access
to those areas of the system that they need for work. Users should be trained
to know not to give passwords over the phone to anyone claiming to be checking
out the system. "And ban the use of Post-it notes. People tend to write
their passwords on them and leave them in obvious places, such as underneath
the keyboard."
Alec advocates that networks should only be connected to the Internet through
a firewall. "You should enforce strict control over the use of local
modems", he explains. "Hackers routinely scan a range of phone
numbers centred on a business's main phone number in the search for an answering
modem which can give them full remote access to networked services."
Also ensure that the web servers are secure. "If web servers are misconfigured
it may permit unrestricted access to directory browsing and make user information
accessible on the web."
"Use Penetration Testing to harden your systems". Newly installed
systems will still be configured with default settings that can make them
vulnerable to misuse. "Only someone with good knowledge of the operating
system will know how to 'harden' a system to avoid people getting into it".
Alec also notes that the Internet is not the only source of leakage of
information. "Keep track of your backed-up information. Last week's
copy of your data may not be of significance to your business process, but
it would be of major importance to a competitor." You should also check
that the backup actually works by attempting to restore the tape and ensuring
that the process is OK. Many companies have been caught out by having useless
backups. "You should have a strict physical security procedure. It
is essential to avoid people walking into your office and getting at the
information." It is also worth remembering that not only information,
but also PCs and their data have gone missing from offices. "Never
allow outsiders to wander on to your premises on their own."
Even the simple task of sending an email can be a source of information
leak. "Avoid sending group emails. These display the names of the other
recipients' email addresses and can be a good way of giving your competitors
your contact information." Companies should consider the use of email
content management software to control who sends or receives email, and
who can send attachments. It is also all too easy to attach files, customer
lists, etc. to an email message that can be sent anywhere in the world within
seconds. Email can also be a source of viruses. Alec warned, "Don't
run any downloaded files without scanning them for viruses."