A Guide to Internet Security For Businesses- Business.com

Jan 14, 2015

Business.com

Recent revelations by National Security Agency (NSA) renegade contractor Edward Snowden have resulted in many businesses paying more attention to how secure their computer systems are. But even the most “cyber-savvy” businesses can have their computer networks hacked and compromised. Use this whitepaper to understand your threats, protective options, and trends in internet security for businesses.
Page 1: A Guide to Internet Security For Businesses- Business.com


Business.com Guide to Internet Security for Businesses


Legal Notice:

© 2014 Business.com Media, Inc. All Rights Reserved.

By reading this e-book, you agree to the following terms and conditions.

Under no circumstances should this e-book be sold, copied, or reproduced in any way except when you have received written permission.

As with any business, your results may vary and will be based on your background, dedication, desire, and motivation. Any testimonials and examples used are exceptional results, which do not apply to the average purchaser and are not intended to represent or guarantee that anyone will achieve the same or similar results. You may also experience unknown or unforeseeable risks which can reduce results. The authors are not responsible for your actions.

The material contained in this report is strictly confidential.


Contents

Internet Security: A Large and Growing Problem 4

Threats to Internet Security for Businesses 7

Protecting Your Business From Internet Security Problems 12

Considerations When Hiring Internet Security Firms 15

Trends in Internet Security for Businesses 18

Business.com Checklist for Internet Security for Businesses 20

Glossary of Internet Security Terms 21


Internet Security: A Large and Growing Problem

Recent revelations by National Security Agency (NSA) renegade contractor Edward Snowden have resulted in many businesses paying more attention to how secure their computer systems are. It’s one thing to protect yourself from hackers and thieves; it’s quite another to protect your data from being intercepted and stored by government agencies.

News that the PRISM program operated by the NSA has access to Internet traffic, including data and messages sent through Google, Yahoo, Microsoft and other providers of free Internet applications and storage, has given many businesses reason to double-check the security of their systems.



Even the most “cyber-savvy” businesses can have their computer networks hacked and compromised. Companies in the business of Internet security itself have been subject to embarrassing attacks. In 2011, according to The New York Times, the website of ManTech International was hacked. ManTech is a $2.6 billion computer security company that held a major FBI security contract.

In a 2012 article on ZDNet, Ellyne Phneah reports that losses due to Internet breaches are becoming significant. She quotes Jimmy Sng, partner of IT Risk Consulting at PwC, who points out that losses result not only from direct theft, but also from costs associated with crisis management, customer compensation, lawsuits, and more.

It’s almost impossible to put a dollar figure on the true extent of business losses from cyber crime, but some estimate the annual cost to be as high as $1 trillion. A ProPublica story from 2012 by Peter Maass and Megha Rajagopalan quoted Gen. Keith Alexander, director of the National Security Administration, who warned that cyber attacks are causing “the greatest transfer of wealth in history.”



He urged Congress to enact cyber security legislation, but the controversial Cyber Intelligence Sharing and Protection Act, or CISPA, now before the U.S. Senate, has drawn criticism from privacy advocates who contend the law contains too few limits on the government’s ability to keep an eye on private Internet use.

Nicole Blake Johnson writes in the Federal Times about the increased significance of data breaches, citing a report by the nonprofit Cloud Security Alliance, Notorious Nine: Cloud Computing Threats in 2013: “In 2010, data breaches ranked fifth on the list of top threats. This year, data breaches rose to the top of the list.”

Today, some aspect of almost any business is conducted using the Internet, even if it’s simply sending email. The very nature of what makes the Internet essential to business -- the ability to store, share, and analyze data quickly among a multitude of users located almost anywhere -- also makes it vulnerable to acts not only of mischief, but criminal intent from identity thieves, corporate spies, disgruntled employees, and individual and group hackers. Even if you think your computer is turned off or you aren’t using it, any networked device is in constant communication with other devices and networks, and is susceptible to being compromised.


Threats to Internet Security for Businesses

There are many different paths into a restricted computer or network. Here is a list of the most common security breaches, and the methods used to access, copy, change, or destroy private data.

Hacking: The literal meaning of “hack” is to deconstruct, debug or tweak a software program or file. While there are legitimate reasons to hack, the popular use of the term implies, at a minimum, unauthorized access to a computer system. Hacking can encompass attempts to guess an access code or password for a site where one does not have authorized access. When hackers gain unauthorized access to a network with malicious intent to do damage or defraud, they often get other names, like crackers (criminal hackers) or attackers (as in “cyber attacks”).

Phishing: Also called “brand spoofing” or “carding,” this is a play on the word “fishing,” in which “bait” -- i.e., a seemingly legitimate invitation or request -- is thrown out in hopes of hooking unsuspecting users into divulging personal information. The bait is usually in the form of an email, leading to a “pharm” or imposter website designed to get you to reveal a username, password, and/or account number. A variation is “social” phishing, which is when someone calls on the telephone pretending to be a customer service representative for a company you do business with, who at some point requests private access info, such as your password. Phishing happens on social networks, too, such as Facebook and Twitter.

Pharming: Pharming is a form of hacking that involves the creation of counterfeit websites that masquerade as real sites. The rogue sites encourage visitors to enter usernames and passwords that are then used to gain unauthorized access to bank accounts or other private accounts.

Keylogging: Also called “keyboard capture programs,” these programs record keystrokes entered into a computer and often transmit a file containing those key captures surreptitiously over the Internet. Keylogging is legitimately used by companies to track employee performance, measure productivity, and create training materials. But keyloggers can be used maliciously by hackers to gain access to sensitive information such as passwords, credit card numbers, and bank account numbers, social security numbers, dates of birth, etc.



Trojan Horses, Viruses and Worms: During the Trojan War, the Greek army hid soldiers inside a wooden horse, which was towed inside of Troy’s fortification to open the gates to allow the surrounding army in to destroy the city. Similarly, a Trojan horse is any software presented as useful that, once installed in the system, proceeds to take it over or destroy it. Unlike viruses and worms, Trojan horses are not self-replicating. Viruses, like the pathogens that harm humans, are harmful code spread through multiple connected computers via the transmission from infected email attachments, websites, flash drives, or other file-transfer mechanisms.

Worms resemble viruses in that they are self-replicating, but they do not require user interaction to spread, and they don’t damage a system directly. What they do is siphon off resources so as to slow down a system considerably, sometimes to the point of shutting it off completely.

Backdoors: A backdoor is a separate way of accessing a system, often installed by programmers to protect against not being paid for a job. The same backdoor left by a programmer can be exploited by a hacker to allow remote control of hardware or software, usually without the permission or knowledge of the network’s owner. While there are legitimate reasons for installing backdoors (e.g., testing), they can be exploited to surreptitiously collect data and install spyware or malware.


Bots and Botnets: An Internet robot is an automated program that works without a human operator. Also called “webcrawlers” or “spiders,” bots can secretly install spyware and malware, and are frequently used to carry out remote attacks on a network. When bots are linked together, they form a “botnet” network of bots, installed on multiple computers running identical malware and collaborating on attacks.

Advanced Persistent Threats (APTs): A group of hackers (or the computers they have taken over) collectively targeting a specific network weakness. This is increasingly popular among criminal hackers. The growing use of APTs requires new and creative security responses.

Denial of Service (DoS) Attack: The “denial of service” attack is an attempt to shut down an online service by flooding it with redundant requests, such as continuously reloading a home page from thousands of different computers at the same time. The result is that the site’s services are denied to authorized users, who can’t get in. Site response times will often slow down with DoS attacks, which is one way of detecting them. In some cases, DoS attacks can cause a site to crash.
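The detection signals named above (a flood of redundant requests from many sources and the resulting slowdown for everyone else) can be measured directly in a web server’s access log. The following is an added example, not code from the whitepaper or from Business.com: it builds a constructed log (three legitimate clients plus one source reloading the home page ten times a second, using documentation IP addresses), counts each source’s peak requests inside a sliding window, and tracks median response time per time bucket for the remaining clients. The log layout, thresholds and window length are assumptions to be tuned for a real site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# Constructed sample traffic (not real logs). Each line mimics a simple
# access-log layout: "<client_ip> <ISO-8601 timestamp> <path> <status> <latency_ms>".
T0 = datetime(2015, 1, 14, 9, 0, 0)


def build_sample_log():
    """Three legitimate clients plus one source that floods the home page."""
    lines = []
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
        # One request every 3 s for a minute; the server answers in 40 ms until
        # the flood starts at t=30 s, after which every response takes 400 ms.
        for sec in range(0, 60, 3):
            ts = T0 + timedelta(seconds=sec)
            latency = 40 if sec < 30 else 400
            lines.append(f"{ip} {ts.isoformat()} /index.html 200 {latency}")
    # The flooding source reloads the home page ten times a second from t=30 s.
    for tenth in range(300):
        ts = T0 + timedelta(seconds=30, milliseconds=100 * tenth)
        lines.append(f"203.0.113.7 {ts.isoformat()} /index.html 200 400")
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Split one log line into (ip, timestamp, path, status, latency_ms)."""
    ip, ts, path, status, latency = line.split()
    return ip, datetime.fromisoformat(ts), path, int(status), int(latency)


def peak_requests_per_window(lines, window_seconds=10):
    """Highest number of requests each source made inside any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    window = timedelta(seconds=window_seconds)
    events = sorted(map(parse_line, lines), key=lambda e: e[1])
    for ip, ts, _path, _status, _latency in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flooding_sources(lines, window_seconds=10, threshold=50):
    """Sources whose peak request rate exceeds what a human-driven browser produces."""
    peaks = peak_requests_per_window(lines, window_seconds)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


def median_latency_per_bucket(lines, bucket_seconds=10, exclude=()):
    """Median response time per time bucket, optionally ignoring flagged sources.

    A jump in latency for the remaining (legitimate) clients is the slowdown the
    text describes: the service degrades for everyone, not just the attacker.
    """
    buckets = defaultdict(list)
    for ip, ts, _path, _status, latency in map(parse_line, lines):
        if ip in exclude:
            continue
        index = int((ts - T0).total_seconds()) // bucket_seconds
        buckets[index].append(latency)
    return {i: median(v) for i, v in sorted(buckets.items())}


if __name__ == "__main__":
    attackers = flooding_sources(SAMPLE_LOG)
    print("flagged sources:", attackers)
    print("median latency of other clients per 10 s bucket:",
          median_latency_per_bucket(SAMPLE_LOG, exclude=set(attackers)))
```

In the constructed log the flooding source peaks at 101 requests in a 10-second window while each legitimate client peaks at 4, and the median response time seen by the legitimate clients rises from 40 ms to 400 ms once the flood begins. A distributed attack spreads the load over thousands of sources, so per-source rate alone will miss it; the latency trend is the signal that still holds, which is why the example tracks both.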

Cookies: Cookies are files containing small amounts of data and instructions typically used to customize a website to the user’s personal preferences. Cookies identify the user as someone who has visited the site before. They are often capable of retrieving a browser’s history and preferences, tracking the browser’s movements through the site, and tracking the browser’s online activities after leaving the site. Thus, cookies can be a threat to privacy as well as a tool to make using the Internet faster and more personalized.


Adware: Pop-up windows or advertising banners that appear within a website’s interface. While generally not malicious, adware can be pernicious and annoying, and can, in fact, be used to transmit malicious code (malware) to connected devices.

Drive-By Attacks: A “drive-by attack” is the installation of rogue software without a user’s knowledge or consent. Drive-bys are usually accomplished when an unsuspecting user clicks on a pop-up ad on a website. Sometimes the drive-by is initiated by clicking the “close” box on the ad, so that attempting to close the pop-up launches the attack.

Hijacking: These software programs alter browser settings or change a default home page to some other site. If your browser is hijacked, it will take you to sites you didn’t ask to see. An innocent example is a hotel’s Internet access page, which appears when you attempt to access a site before consenting to the hotel’s terms. Another form of hijacking is when a website -- or even just a homepage -- is taken over by hackers and redirected to another site or replaced with a bogus homepage. Sometimes hackers hijack a site to make the fact that they cracked the system undeniable -- forcing companies to admit that they were hacked.

Rogue Antispyware: Programs that pose as legitimate virus protection or antispyware applications. The rogue program alerts you to a nonexistent problem on your computer and triggers a pop-up ad offering to sell you an unneeded product that supposedly fixes it. Neither the pop-ups nor the rogue software itself are easily removed.


Protecting Your Business From Internet Security Problems

Some Internet security steps are relatively simple and can be performed by the average, non-technical person. However, as the size and complexity of a business grows, even these “routine” tasks must be effectively managed to protect your data from compromise.

• Virus and spyware protection. Software programs installed on a computer to protect against malware, which is unwittingly downloaded, usually through email or a website, but sometimes through organized. There are basically two kinds of malware:

  - self-replicating computer viruses designed to spread infection throughout a computer network to either disrupt efficiency or outright disable functionality



  - spyware that does not self-replicate, but rather is surreptitiously installed on a computer to monitor Web behavior, usually to collect data for advertising purposes

• Firewalls. A firewall prevents unauthorized access to a private network. A firewall can involve hardware, software or both. Data received by a private network from other public networks (such as the Internet, other corporate intranets, an online email service, etc.) is screened according to certain security criteria. If the criteria aren’t met, the data is blocked from the private network. Firewalls have two main uses: 1) they prevent network users from accessing inappropriate websites, such as sites containing pornography, illegal content, or inappropriate content; 2) they prevent network users from receiving solicitations from senders or sites that are known offenders of network rules. While firewalls are effective against unsophisticated hacking that depends in large part on duping legitimate network users into revealing access information, knowledgeable hackers can breach most firewalls.
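The screening the firewall item describes comes down to an ordered rule set evaluated against each connection, plus a block list for the browsing restriction it mentions. The block below is an added example rather than code from the whitepaper or from Business.com: the rules, networks and domain names are constructed for a hypothetical small office, and the point it makes beyond the text is how “first match wins” ordering and a trailing default-deny rule decide the outcome for anything the criteria do not explicitly cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port
    proto: str = "any"       # "tcp", "udp" or "any"
    note: str = ""           # why the rule exists (shown in the decision)


# Constructed rule set for a hypothetical small office. Rules are evaluated
# top to bottom and the first match wins; the final rule drops everything
# that nothing above it explicitly allowed (default deny).
RULES = [
    Rule("deny", "203.0.113.0/24", None, "any", "known offender network"),
    Rule("allow", "0.0.0.0/0", 443, "tcp", "public HTTPS web server"),
    Rule("allow", "0.0.0.0/0", 25, "tcp", "inbound mail"),
    Rule("allow", "10.0.0.0/8", 22, "tcp", "SSH from the internal network only"),
    Rule("deny", "0.0.0.0/0", None, "any", "default deny"),
]


def matches(rule, src_ip, dst_port, proto):
    """Does this rule's source network, port and protocol cover the connection?"""
    in_network = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    port_ok = rule.dst_port is None or rule.dst_port == dst_port
    proto_ok = rule.proto == "any" or rule.proto == proto
    return in_network and port_ok and proto_ok


def screen(src_ip, dst_port, proto, rules=RULES):
    """Return (action, note) from the first rule that matches the connection."""
    for rule in rules:
        if matches(rule, src_ip, dst_port, proto):
            return rule.action, rule.note
    return "deny", "no rule matched"   # only reached if the default-deny rule is removed


# The second use in the text: stop network users browsing to prohibited sites.
BLOCKED_DOMAINS = {"gambling.example", "malware-host.example"}  # constructed names


def host_is_blocked(hostname, blocked=BLOCKED_DOMAINS):
    """True if the host itself or any parent domain is on the block list."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    for conn in [("198.51.100.5", 443, "tcp"), ("203.0.113.9", 443, "tcp"),
                 ("198.51.100.5", 22, "tcp"), ("10.1.2.3", 22, "tcp")]:
        print(conn, "->", screen(*conn))
    print("ads.gambling.example blocked:", host_is_blocked("ads.gambling.example"))
```

Note that the same HTTPS connection is allowed from an arbitrary address but denied from the offender network only because the deny rule sits above the allow rule; swapping their order silently reverses the decision, which is the usual way firewall policies go wrong.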



• Passwords and Email Security. Just about everything is password-protected, from your computer to the websites you visit. There are certain standards for ensuring passwords are not easily compromised (e.g., they must include certain combinations of upper and lower alphanumeric characters that are not easily guessed). Most corporations typically require users to change passwords regularly as an extra security precaution. Good security software or services can help automate the process of password selection, changing, and verification. Another aspect of password security is education, making sure users do not divulge their passwords or other confidential information in emails, over the phone, on social networks, or in other seemingly innocent exchanges. Certain emails regularly circulate that contain malware attachments; even opening the email without opening the attachment can contaminate not only the user’s computer and the immediate network, but the computer and network of every contact ever made through that user’s email program. Periodic alerts warn users to immediately delete such suspected email malware.

• Mobile Security. The growing popularity and prevalence of mobile applications raise a host of security issues. Faster network connections, more remote and mobile users using a variety of laptop, iPhone, iPad, and Android platforms all require new, more complex solutions to protect network integrity.
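The password standards mentioned under Passwords and Email Security are usually enforced by a policy check at the point a password is chosen. The following is an added example, not code from the whitepaper or from Business.com, of such a check: it enforces a minimum length and a mix of character classes, and goes beyond the text by also rejecting passwords from a short constructed list of commonly used ones, passwords containing the username, and repeated or sequential runs such as “aaa” or “1234”, which attackers’ guessing tools try first. The list of common passwords and the thresholds are assumptions.

```python
import re

# Constructed short list of passwords that appear in every breach corpus; a
# real deployment would check against a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "welcome1", "admin", "iloveyou"}


def has_sequential_run(pw, length=4):
    """True if `length` consecutive characters step up or down by one (abcd, 4321)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + length - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_problems(pw, username="", min_length=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(p, pw)) for p in classes) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats one character three or more times in a row")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 'abcd' or '1234'")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Alice1234!!!", "Tr0ub4dor&3xample!"):
        verdict = password_problems(candidate, username="alice") or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Returning every violation at once, rather than stopping at the first, lets the user fix the password in one attempt; a check like this belongs alongside, not instead of, rate limiting on login and hashed storage of the password itself.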


Considerations When Hiring Internet Security Firms

An Internet security firm can perform all of the following functions on behalf of your employees: notifying them of automatic downloads, performing security system updates, managing password authorizations, and training employees to be aware of phishing tactics.

However, these aren’t specialized skill sets and could just as easily be provided by your regular IT staff. What Internet security firms specialize in is the proactive testing of a company’s network to determine vulnerabilities by which hackers could gain unauthorized access to exploit and damage your operations. In addition to scanning and correcting the identified vulnerabilities on either an ad hoc or subscription basis, Internet security firms offer a range of packaged solutions and services, such as:

• Email hosting, with filters to detect and quarantine viruses, spam, spyware, malware, and other prohibited content.

• Encryption, the ability to scramble information being transmitted in a way that can only be read by the intended receiver -- or someone who possesses a key to decode the transmission. Good encryption practices require additional effort to properly integrate encryption with other layers of network security.


• Firewall filtering to define and limit network user access to prohibited sites while ensuring safe Web browsing and social media use.

• Data protection that monitors employee communications with external and internal networks and quarantines suspicious or unauthorized activity.

• Email archiving to automatically back up and store employee email communications. For some organizations, email archiving is required by law. For others, the ability to search throughout an organization’s emails can lead to insights into what drives an organization and what erodes it.

• Cloud services with hosted networks where your company data is stored on huge and multiply redundant servers at remote locations accessed with a Web dashboard or interface. Cloud services offer scalability, higher security, and easier maintenance and provisioning. The growing popularity of cloud services, while touted as more secure than on-site hosted networks, nonetheless introduces new access points with potential vulnerability. It has shifted the emphasis of computer security efforts from local networks to Web-server and Web-application protection.

• Alert services via email, text message, Twitter, chat, or RSS feed. These alerts notify users that a security monitor has been triggered and specify appropriate response actions.


• Elasticity, which is the ability of the network to integrate with cell networks, wireless access points, remote locations and cloud services. Effective security solutions must address rapidly evolving changes in network size and scope. An Internet security provider can usually accommodate multiple interfaces while ensuring accurate configurations throughout the infrastructure.

• Employee compliance monitoring for best practices in protecting network integrity.

• Actionable intelligence and insights about malware and other questionable activity on the network.



Trends in Internet Security for Businesses

• BYOD (Bring Your Own Device). Corporate IT departments once strictly controlled employee hardware (remember when the only corporate cell phone was a Blackberry?). However, particularly for mobile devices, employees more frequently are allowed, and expect, to use their own consumer devices within the corporate network. Consequently, network security must encompass and coordinate a range of security levels that address multiple kinds of devices using multiple operating systems and platforms.

• New IPv6 Internet protocol institutes fundamental changes that require additional security steps. The current standard -- IPv4 -- uses 32-bit addresses for every device connected to the Internet. The new IPv6 standard uses 128-bit addressing. The shift is necessary due to the exploding number of devices connected to the Internet. While 128-bit addressing should enable greater security, it’s not compatible with IPv4, meaning security experts will have to juggle both protocols.

• Emerging Web standards such as HTML5 also involve new strategies to protect against potential security breaches. One particular feature of HTML5 is geo-location, which can be exploited to place users and equipment at specific times and places, which has a myriad of security, privacy, and legal implications that are just beginning to be addressed.


• Mac Attack. Yes, Macs are not affected by most malware, since it is written primarily for Windows, which remains the dominant corporate operating system platform. And while Mac software has a well-deserved reputation for smart security, there is no such thing as invulnerability. Unfortunately, this lures many Mac users into thinking they don’t need to worry about viruses, despite the threat that was posed by the 2012 Mac-focused Flashback virus. While Macs may represent only a small portion of corporate users, the fact that these users aren’t accustomed to worrying about malware presents a growing possible entry point for a malware outbreak.

• Similarly, while Windows 8 has not been widely adopted by many corporate IT departments, users who connect to corporate networks with Windows 8 computers may represent a security risk due to new firmware that is attracting hacker interest.

• Internet Devices are multiplying. Beyond smartphones, tablet computers, and e-readers, there is an advancing army of Internet-connected devices coming that will challenge the capabilities of any Internet security system. The list includes wearable computers, such as Internet-connected eyeglasses, health monitors and smart watches. Then there are machines that don’t need humans, like self-driving cars, smart thermostats, and remote-control flying objects. And then there are devices implanted into people, such as pacemakers and medication regulators. It’s a serious security problem if someone can gain unauthorized access to a device inside your body!


Business.com Checklist for Internet Security for Businesses

Columns: My Needs | Vendor 1 | Vendor 2

Network Security Scanning
• Initial scan
• Subscription
• Ad hoc

Scan Scheduling
• Running continually in background
• Memory scan on program startup
• On-access each time file or folder is opened
• On-demand
• Entire disk/selected files or folders
• Scheduled

Network Security Services
• Detection and removal of malware (cleaning)
• Virus/spyware protection
• Email hosting
• Spam protection
• Email archiving
• Firewall filtering
• Backup data protection and recovery
• Real-time monitoring
• 24/7 monitoring

Columns: My Needs | Vendor 1 | Vendor 2

Update intervals
• Daily
• Incremental, as required
• User-configurable

Devices Supported
• Private servers
• Workstations
• Desktop/Laptop
• Tablet computers
• Smartphones
• Other devices

Support
• Toll-free 24/7 telephone
• 24/7 online chat
• Security alerts
• Video tutorials
• Training
• Compliance audits

Pricing
• Per user charges
• Per device charges
• Per installation charges
• Monthly cost
• Quarterly cost
• Annual cost
• Incremental, as required


Glossary of Internet Security Terms

ActiveX Controls: Links to a Web-embedded object, such as a table or mouse click button; can help users navigate to the information they want, but they also can be pirated to download spyware. ActiveX controls can be restricted to “trusted,” preapproved websites only.

Bot: An Internet robot; an automated program that works without a human operator.

Botnet: Network of bots installed on multiple computers capable of being activated or used by one central controller.

Cookies: Small files implanted by websites on computers to enable such services as customization, personalization, and location-based recommendations. Cookies are often used by websites to track visitor actions online without direct consent.

Cracker: A hacker engaged in criminal behavior. While all hacking could be considered criminal because it involves gaining unauthorized access to networks, crackers engage in hacking with criminal intent. That is, they are hacking for the purpose of stealing, destroying, or altering data.

Spoof: A fake Web or email address very similar to a legitimate site such as a bank or credit card company. Victims who respond to the fake address are prompted to divulge personal information, frequently under the guise of ensuring security.

Zero-Day Exploit: Software and security vendors regularly announce vulnerabilities and release patches to fix the problem. Such “zero-day” announcements are prime opportunities for hackers to exploit the announced flaws before users have the opportunity to install the fix.