Contents

Take Your Information Security Beyond Antivirus Software

This content was adapted from Internet.coms Small Business Computing and InternetNews Web sites. Contributors: Larry Barrett, Ronald V. Pacchiano, and Paul Rubens.

2 4

What SMBs Dont Know About Security Can Hurt Them

13 Unlucky Security Trends SMBs Need to Watch

7 9

Endpoint Security: How to Protect Data on a Laptop

10 Steps for Protecting Your Mobile Workers

Take Your Information Security Beyond Antivirus Software

What SMBs Dont Know About Security Can Hurt Them

By Larry Barrett
mall and midsized businesses might be the lifeblood of the U.S. economy, but according to an Internet security survey from Panda Security, their generally lackadaisical efforts to protect consumer data is also making them a prime target for cyber thieves. More disturbing, particularly for customers swiping their credit cards or purchasing products and services online, the survey reveals that the vast majority of SMBs claim they dont know how to effectively prevent identity theft, lack the resources to install the technology that could thwart the majority of cyber attacks and, worse, seem to believe that its really not their problem. Panda Securitys survey of 300 executives and financial professionals at SMBs (defined as companies with between one and 500 employees) spread across 38 different industries, found that 63 percent of companies acknowledge being worried about cybercrime but say they lack the knowledge to protect their businesses. This apparent institutional ignorance is especially acute when it comes to banker Trojans, a particularly virulent form of malware that tricks people into divulging usernames and passwords for their online banking accounts. Fifty-two percent of the survey respondents said they had little or no familiarity with banking Trojans, even though

the mainstream media has provided extensive coverage of high-profile identity theft scams such as the infamous T.J. Maxx hacker attack that resulted in the theft of more than 40 million credit and debit card numbers, the largest identity theft case ever prosecuted by the U.S. Justice Department. SMBs are even more clueless when it comes to how they think these thefts will be resolved once theyve occurred. The survey found that a staggering 63 percent of companies either strongly or somewhat believed that their banks would return all of the funds stolen in these attacks, a sign that most SMBs arent particularly motivated, or capable, of implementing at least a modicum of security technology and processes to prevent themselves from being swindled. But in Pandas survey, only about 37 percent of victims said they recovered their stolen funds, while 28 percent reported most of their stolen funds were reimbursed. While online banking security is a general concern among most SMBs, most of them have little knowledge about the specific threats targeting organizations of their size, Panda Securitys Sean-Paul Correll, said in the report. Its precisely this false sense of deserved recovery that has prompted three states to recently pass legislation

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Take Your Information Security Beyond Antivirus Software

allowing banks to recover costs and damages from retailers that endure data breaches after failing to comply with Payment Card Industry standards. U.S. law puts the burden on business owners for keeping funds secure, rather than the banks, Correll said. The majority of SMBs surveyed werent aware of this fact, which means they are operating with a false sense of security. attack, the report concluded. While 64 percent of those surveyed said they have protective and procedural methods in place to detect or prevent online banking fraud, 15 percent admitted they had not updated security software on all of their online transaction systems and were unsure of their security software altogether. Finally, 58 percent said they dont even have insurance to protect their business from banking fraud or identity theft.

Lacking IT Resources
Theyre also operating with less resources and general technology acumen than large companies. SMBs typically have fewer in-house resources and budgets for IT security, placing them at greater risk of

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Take Your Information Security Beyond Antivirus Software

13 Unlucky Security Trends SMBs Need to Watch

By Larry Barrett

fter 2009 became a year of unprecedented proliferation of spyware, malware, and cyber attacks of all types, Kevin Haley, Symantec Security Response group product manager, posted an ironic blog entry titled Dont Read This Blog to draw attention to how Internet users have been conditioned to click any compelling link without regard to the possible and often probable security consequences of their actions. We love to click, he wrote. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show in a revision of Maslows Hierarchy of Human Needs any day now behind love, but certainly ahead of safety, he added. Whether its a come-on for what appears to be a friendly game of online Monopoly or the incessant and sinister pleadings of a bogus antivirus application, malware scams have become more sophisticated and damaging with each passing day. A report released by the Anti-Phishing Working Group (APWG) found that fake anti-malware and security software programs soared up more than 585 percent in the first half of 2009 alone. Yes, its a cheap trick and not even close to original, Haley wrote of his creative blog title. [But] since social

engineering plays such a prominent role in future trends, it seemed appropriate.

The Dirty Bakers Dozen

Whether youre using your mobile phone to check e-mail and surf the Web or an enterprise IT administrator charged with safeguarding your companys data, Symantec says the following 13 security issues will be most relevant in the near future: 1. Antivirus is Not Enough With the rise of polymorphic threats and the explosion of unique malware variants, the industry is quickly realizing that traditional approaches to antivirus (including both file signatures and heuristic/ behavioral capabilities) are not enough to protect against todays threats. We have reached an inflection point, where new malicious programs are actually being created at a higher rate than good programs. Approaches to security that looks for ways to include all software files, such as reputation-based security, will increase in importance going forward. 2. Social Engineering as the Primary Attack Vector More and more, attackers are going directly after the end user and attempting to trick them into downloading malware or divulging sensitive information under the auspice that they are doing something perfectly innocent.

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Take Your Information Security Beyond Antivirus Software

as Windows 7 hits the pavement and gains traction, attackers will undoubtedly find ways to exploit its users. 6. Fast Flux Botnets Will Increase Fast flux is a technique used by some botnets, such as the Storm botnet, to hide phishing and malicious Web sites behind an ever-changing network of compromised hosts acting as proxies. Using a combination of peer-to-peer networking, distributed command-and-control, Webbased load balancing, and proxy redirection, it makes it difficult to trace the botnets original geo-location. As industry countermeasures continue to reduce the effectiveness of traditional botnets, expect to see more using this technique to carry out attacks. 7. URL-Shortening Services Become the Phishers Best Friend Because users often have no idea where a shortened URL particularly from Twitter is actually sending them, phishers are able to disguise links that the average security conscious user might think twice about clicking on. In an attempt to evade antispam filters through obfuscation, expect spammers to use shortened URLs to carry out their evil deeds. 8. Mac and Mobile Malware Will Increase As Mac and smartphones continue to increase in popularity, more attackers will devote time to creating malware to exploit these devices. 9. Spammers Breaking More Rules As more people seek to take advantage of the loose restrictions of the Federal Trade Commissions Can-Spam Act, there will be more organizations selling unauthorized e-mail address lists and more less-than-legitimate marketers spamming those lists. 10. As Spammers Adapt, Volume Will Continue to Fluctuate Since 2007, spam has increased on average by 15 percent a year. Spam volumes will continue to fluctuate

Social engineerings popularity is at least in part spurred on by the fact that what operating system and Web browser rests on a users computer is largely irrelevant, as it is the actual user being targeted, not necessarily vulnerabilities on the machine. 3. Rogue Security Software Vendors Escalate Their Efforts Expect to see the propagators of rogue security software scams take their efforts to the next level, even by hijacking users computers, rendering them useless and holding them for ransom. A less drastic next step, however, would be software that is not explicitly malicious, but dubious at best. For example, Symantec has already observed some rogue antivirus vendors selling rebranded copies of free thirdparty antivirus software as their own offerings. In these cases, users are technically getting the antivirus software that they pay for, but the reality is that this same software can actually be downloaded for free elsewhere. 4. Social Networking Third-Party Apps Will Fraud Targets With the popularity of social networking sites poised for more unprecedented growth, expect to see fraud being targeted toward social site users to grow. As this occurs, and as these sites more readily provide third-party developer access to their APIs, attackers will likely turn to vulnerabilities in third-party applications for users social networking account information, just as we have seen attackers take advantage of browser plug-ins more as Web browsers themselves become more secure. 5. Windows 7 Will Come in the Crosshairs of Attackers If youre not using Windows 7 yet, you probably will soon. And as long as humans are programming computer code, flaws will be introduced, no matter how thorough prerelease testing is. And the more complex the code is, the more likely that undiscovered vulnerabilities exist. Microsofts new operating system is no exception, and

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Take Your Information Security Beyond Antivirus Software

as spammers continue to adapt to the sophistication of security software and the intervention of responsible ISPs and government agencies across the globe. 11. Specialized Malware on the Rise Highly specialized malware was uncovered in 2009 that was aimed at exploiting certain ATMs, indicating a degree of insider knowledge about their operation and how they could be exploited. Expect this trend to continue, including the possibility of malware targeting electronic voting systems, both those used in political elections and public telephone voting, such as that connected with reality television shows and competitions. 12. CAPTCHA Technology Will Improve This will prompt more businesses in emerging economies to offer real people employment to manually generate accounts on legitimate Web sites especially those supporting user-generated content for spamming purposes. Symantec estimates that the individuals will be paid less than 10 percent of the cost to the spammers, with the account farmers charging $30 to $40 per 1,000 accounts. 13. Instant Messaging Spam Will Surge As hackers exploit new ways to bypass CAPTCHA technologies, instant messaging attacks will grow in popularity. IM threats will largely be comprised of unsolicited spam messages containing malicious links, especially attacks aimed at compromising legitimate IM accounts. By the end of 2010, Symantec predicts that one in 300 IM messages will contain a URL. Also, in 2010, Symantec predicts that one in 12 hyperlinks overall will be linked to a domain known to be used for hosting malware.

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Take Your Information Security Beyond Antivirus Software

Endpoint Security: How to Protect Data on a Laptop

By Ronald V. Pacchiano
osing a laptop, whether accidentally or by theft, is a traumatic event. But the pain of buying a new computer pales in the face of losing the data from an unprotected laptop. A few simple steps toward data protection can avoid an invasion of your privacy and the real likelihood of identity theft. Do you think it wont happen to you? According to a report published by the Ponemon Institute, more than 12,000 laptops are lost at United States airports every week. Approximately 40 percent of these laptops are left at security checkpoints, while another 23 percent are left at the boarding gate. In most cases, the recovery rates of lost laptops are very low almost 70 percent of lost laptops are never reclaimed. The survey goes on to say that 53 percent of the business travelers surveyed carry sensitive information on their laptops and of those, 65 percent of those travelers have not taken steps to protect their laptop. Heres the good news: each and every one of us has the means to minimize the loss associated with losing a laptop. The tools are readily available, and in many cases theyre free. Lets take a look at some of the steps you can take right now to avoid a catastrophic data loss.

Most laptops let you set a boot password in the BIOS that will prevent the PC from booting if someone enters the wrong password numerous times. This is not an incredibly robust security deterrent, but it should stop the average person.

Set a Windows User Account and Administrator Password

The Windows operating system makes use of two main accounts: the administrator account and your user account. Each one of these accounts needs to have a unique password associated with it. This will prevent anyone from accessing your personal data or attempting to get around it via the administrator account. These security settings are harder to bypass than the BIOS password and are managed via the operating system. You can also assign an account lockout to your user account. After an unauthorized person fails to enter the correct password a certain number of times, the account is disabled automatically. Once the account is locked out, it stays that way until an administrator unlocks it. Important: Your BIOS password and your Windows password should NOT be the same. If they are, then whats the point of entering them twice? Each one needs to be unique and should follow established password guidelines.

Set a BIOS Password

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Take Your Information Security Beyond Antivirus Software

Biometric Scanners
An alternative to passwords is biometric security, which includes things like retinal scanners, facial recognition technology, and fingerprint readers. Many laptops are equipped with fingerprint readers and if yours is so equipped, do yourself a favor and use it. While each of these security measures adds a layer of complexity to your system, theyre really only a deterrent for someone with average to moderate technical skills. In fact with the right skill set, tools, and utilities, these measures can be circumvented pretty easily. That doesnt mean you shouldnt use them. It just means you should understand that these dont make you invulnerable.

program. There are many available, but one of the most popular is TrueCrypt, which supports Microsoft Windows, both 32- and 64-bit versions, Mac OS X, and the Linux operating systems. TrueCrypt supports a total of 11 different algorithms, and can encrypt the boot partition, an entire drive or a USB flash drive. It even has the capability to create and run a hidden encrypted operating system. The user interface is a bit sparse and not overly intuitive, but if you study it a bit youll figure it out. The TrueCrypt site is also packed with extensive documentation that does a tremendous job explaining just about everything youll ever need to know about encryption and the encryption process; a Beginners Tutorial, defining each of the algorithms available; the benefits of hidden volumes; erasing signs of the encryption process, and so much more. Best of all, its free. The benefits of encryption cant be denied, but it does come at a price. The process of encrypting and decrypting data can be very hardware intensive, particularly on older systems. Should you discover that your PC is running too slowly when using entire drive encryption, try encrypting only a portion of your drive. This should speed things up a bit. The disadvantage to this approach is that sensitive data can accidentally be stored outside the encrypted area. However, using a partially encrypted drive is better than no encryption at all. The other important thing to remember is that once you encrypt your data you cannot access it without the password. If you lose or forget that password, then you might as well consider that data lost. So be responsible with your password. Remember, you have all the tools you need to secure your laptop, so use them. No one thinks it will happen to them, but as the statistics show, its not just possible its probable. Should that day come, your loss will never lead to anything more than the cost of the laptop itself.

Hardware Encryption
The most effective way to protect your data is to encrypt it. On an encrypted drive, the data remains encrypted even if the drive is moved to a different system entirely. Depending on the level of encryption you implement, it would be almost impossible for someone to recover your data without the key used to decipher it. Without question, encryption offers users the best protect against data theft and I would highly recommend you encrypt your entire hard drive. So how do you do it? Lets take a look at two of the more popular programs available. BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsofts Windows Vista and Windows 7 desktop operating systems. You can use Bitlocker to encrypt individual partitions, entire drives, and even USB flash drives. It uses the AES encryption algorithm and takes advantage of the Trusted Platform Module (TPM) found in many of todays laptops. This maximizes security by eliminating the possibility that someone might circumvent the Windows boot process. If you run a version of Windows that doesnt include BitLocker, you need to use a third-party encryption

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Take Your Information Security Beyond Antivirus Software

10 Steps for Protecting Your Mobile Workers

By Paul Rubens
he security of your business data and the integrity of your network are put at risk whenever you travel with a business laptop. Thats because the laptop is no longer protected by the physical security that your office provides, or the security systems designed to protect the software running on it. And any malware that gets on to your laptop has the potential to infect other devices on your network next time your laptop connects to it. But mobile security need not be expensive: here are 10 ways you can minimize these risks to your laptop at little or even no cost: 1. Encrypt the Hard Drive If your laptop is lost or stolen, anyone who gets their hands on it could steal your data, read confidential e-mails, communicate with your contacts, and possibly even connect to your network and cause even more havoc. The best way to prevent this is to encrypt the laptops hard disk so that a password has to be entered before the computer will boot. This will also make your data inaccessible even if the hard drive is removed and connected to another computer. For laptops running newer versions of Windows you can use Microsofts BitLocker utility, included with the operating system, to encrypt the system drive. For other Windows, Linux, and OS X systems the open source TrueCrypt application will do the same job for free.

2. Use a VPN Connecting to the Internet from a business center, Internet caf or airport hotspot presents a serious security risk as these are environments where it is relatively easy to intercept your data. A VPN encrypts all data before it leaves your laptop, and keeps it encrypted until it reaches a trusted environment such as your home or office network. You can try the try the free OpenVPN. Other easy-to-use options include paid-for services like HotSpotVPN, which uses OpenVPN, or remote access services like GoToMyPC or LogMeIn, both of which use data encryption to connect your laptop back to a trusted office or home network. 3. Update and Patch Your Software Most operating systems allow you to download and patch your system automatically, so its wise to ensure that this option is enabled to prevent it being vulnerable to known exploits. You can check for updates to common Windows applications using Secunias online software inspector. 4. Run a Firewall and Anti-Virus Software There is some debate about how necessary anti-virus software is on Macintosh and Linux laptops, but it is wise to err on the side of caution. At the very least you should continued ensure a firewall is running. ClamWin is a free anti-virus application for Windows. Alternatively, use a portable security device such as the

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Take Your Information Security Beyond Antivirus Software

Yoggi Pico USB security appliance, which includes firewall, anti-spam and anti-virus scanners, and intrusion detection on a device the size of a USB memory stick. 5. Bolt Down Your Browser If you use a Windows laptop, switching from Internet Explorer to Firefox means you are less of a target to hackers. You can enhance you security further by installing several add-ons, such as NoScript, which can protect you against cross-site scripting and clickjacking attacks. 6. Chain Up Your Laptop Most laptops have a security cable socket (known as a Kensington slot) that allows you to physically attach your laptop to a desk or table. While this may not be necessary most of the time, using a security cable is a sensible precaution at conferences or other busy environments where you may be distracted and unable to keep watch over your laptop all of the time. 7. Encrypt Your E-Mails If you cant use a VPN then you should avoid using standard e-mail applications to connect to POP3 and SMTP servers that dont use encryption. If you do, then your user names and passwords could easily be intercepted, making all your e-mail from that moment on insecure. (This is not the case if your email servers accept SSL or TLS connection, however.) If your data is confidential it still makes sense to encrypt the contents using software such as the open source GNU Privacy Guard (GPG) and the FireGPG Firefox extension. 8. Keep Your Backup Data Secure Keeping backup copies of important data and passwords separate from your laptop is always a sensible precaution in case your laptop is lost or stolen while traveling. To keep them secure ensure they are stored in encrypted form, ideally on a USB drive. You can store files on an encrypted partition on a standard USB stick using the free TrueCrypt, as long as you can remember a long and secure password to protect it. For even more security you can secure files and passwords on a special USB stick like the IronKey The IronKey includes a feature that causes the device to self-destruct if the wrong password is entered 10 times in a row, effectively preventing brute-force attacks that involve trying millions of different password possibilities until the correct one is found, and therefore making shorter, more memorable passwords more secure. 9. Practice Safe Computing A laptop connected to the Internet outside the corporate network is not usually protected from malware to the same extent that it is when inside the corporate firewall protected by network security appliances. For that reason it is especially important to avoid opening attachments or clicking on links in emails from unknown senders, or visiting untrusted Web sites. Doing any of these things risks infecting the laptop with malware. Laptop users also often carry their computers around in bags which are very obviously laptop cases, advertising to thieves that they have a valuable piece of equipment. It makes much more sense to carry your laptop in a plain bag or briefcase that is a much less tempting target to criminals. 10. Password Protect If you are not using your laptop, its best to shut it down completely. That way anyone who gets their hands on the machine will be unable to get past the security provided by BitLocker or TrueCrypt. However, protecting the machine from coming out of screen saver mode without a password provides some (weak) security against an opportunist who may get access to your laptop for a short period while your attention is diverted.

10

Back to Contents

Take Your Information Security Beyond Antivirus Software an Internet.com Small Business eBook. 2010, Internet.com, a division of QuinStreet, Inc.