Free Information Security Training

There is a great free tool out there for companies to use to train their employees on information security basics and safe computing practices. It is geared towards the small and medium businesses that lack their own organic IT departments or those that do not have any specialty with information security.

There is a low resolution version on Google Video at http://video.iSecurityPolicy.com and there is a high resolution version at http://video.cogentlogik.com (you may need to hit F5 or refresh if the video does not play immediately with the high resolution site).

Information security training is a key part to combating data breaches and ID theft. For Oregon businesses, information security training will be mandatory according to the Oregon Identity Theft Protection Act (www.oregonidentitytheftprotectionact.com).

At the Google Video site, you can even download the video to a Sony PSP or Apple iPod device so you can watch the video at your leisure. It is 20 minutes in length, but is well worth the time since it is very educational and targeted for the average business user.

Oregon ID Theft

In one week, the State of Oregon will have one of the most comprehensive laws in the nation to combat identity theft. From an information security standpoint, this law is very much on target since it holds companies responsible for creating, implementing, and maintaining information security policies and standards to keep customer data from being stolen. It is a well-intentioned approach to force companies to strengthen their security posture and make protecting their data a conscious effort.

For companies that fail to comply with the Oregon Identity Theft Protection Act (OITPA), the State of Oregon added civil penalties to give the law teeth. At $1,000 per incident, a violation of the OITPA could be a very expensive fine for an Oregon business.

Business owners need not be alarmed, since the requirements are very straight-forward and common sense. A review of the law can be found at www.oregonidentitytheftprotectionact.com. The requirement to create and implement information security procedures can sound daunting, but it is actually very easy. An Oregon-based company, Cogent Logik, created a website that is the industry's first and only website to allow companies to create a customized and on-demand information security policy manual (ISPM). You can read more about it and even purchase it online at www.iSecurityPolicy.com. At $435, it is a fraction of the cost as compared to hiring an outside consultant or trying to do it on your own, which is ill advised at best.

Cyber Threats to Your Business

The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts in a variety of ways, including gateways, routers, dial-up connections, and Internet service providers. The Internet is easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network without regard to national or geographic boundaries or time of day.

However, along with the convenience and easy access to information come new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused and that the computer systems will be corrupted. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet. Intruders do not need to enter an office or home, and may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can create new electronic files, run their own programs, and hide evidence of their unauthorized activity.

Learn more about protecting your company at www.isecurityconsultants.com.

It’s All a Lie – Practice Does Not Make Perfect!

If you’ve been lead to believe that “practice makes perfect,” you have been told a lie and are living in denial of the real world. Only perfect practice makes perfect! Otherwise, the bad habits and imperfections you practice are what you get in your finished product. As a West Point graduate and former military officer, I am a firm believer in the military’s saying of “train as you fight and fight as you train” since it just makes common sense and is proven to be effective in the long run.

Why is this important? As an IT professional, I constantly encounter business networks that were put together in an ad-hoc fashion, without any plan for growth, efficiency, or security. When there is no long-term plan, it is painfully evident in the inefficiencies and employee dissatisfaction. Unfortunately for the business owner, this short term focus ends up costing them more in terms of employee productivity and overall efficiency than it would have to implement a proper solution in the first place. Whose fault is that? Is it the business owner or is it the technician who installed the network?

Every company has its own unique dynamics, but most smaller businesses are either run by delegators or micromanagers. In terms of the delegators, these business owners take the advice of their staff and outsourced professionals. Since they rely upon the professional advice of their advisors, the root cause for a poorly developed network is generally the fault of the IT professional tasked with implementing a solution to meet the business needs. In terms of the micromanagers, the decision for any IT work rests squarely on the shoulders of the owner. In these cases, the professional guidance from their IT consultant may be dismissed for a less capable plan, based on the owner’s perceived idea at what IT solution best fits his or her company’s business needs. Unless the solution follows industry-recognized “best practices,” the solution will be anything but perfect. This is where it is important to hire properly certified and experienced IT professionals, who take the time to listen to your business needs and develop scalable, secure solutions. With the ability to finance even small IT projects, you cannot afford to not properly plan and equip your network.

If I told you that by spending $1.00 a day you could save $4.50 in other costs (net savings of $3.50) would that sound like a good financial decision? Of course it would! Would you believe me if I told you that the $1.00 a day is the cost of buying, maintaining, and replacing a computer every 4 years? What if I told you that the $4.50 in costs is the lost opportunity cost you face from wasted employee productivity and the downtime associated from maintaining outdated computers? By buying the appropriate computers for the job and replacing them when they are due will virtually eliminate the lost employee productivity associated with inefficient wait time, as well as downtime from age-related computer problems.

Implementing a secure and scalable network, having information security policies, following a computer lifecycle plan, and adopting industry-recognized “best practices” is an example of “perfect practice makes perfect!” After all, this is your business and if you want to ensure steady growth, you need to have your operations run as efficiently as possible. Doing what is right is proven to save you money in the long run, but it takes discipline and a plan.

Visit www.teamlogicit.com/beaverton to learn more about how professional IT services can help your business grow in 2008!

Security As A Service

The problem for most small and medium businesses (SMBs) is that they generally do not have full-time IT staff, or not enough, in order to effectively manage all the security measures necessary to fully protect their network and their data. SMBs with 25 or fewer employees often do not have a dedicated IT person at all. Even in larger businesses, IT staff wear multiple hats, which often means critical security tasks are reactionary in nature and are often judged as less important than other IT business needs.

Fortunately, a new development in security solutions is able to leverage technology to address this dilemma: security delivered as a service. The concept behind security as a service is simple. Rather than acquiring your own security expertise, you contract with security vendors to have a turnkey service to meet your demands. Outsourcing cyber-security eliminates all the labor and infrastructure, while still giving you the state of the industry solutions.

Some of the most common Security As a Service (SAaS) offerings are vulnerability assessment, firewall monitoring, content filtering, and intrusion prevention monitoring. These can generally be done remotely and allow businesses to have the protection of a full time Network Operations Center (NOC) monitoring their security status, but at a fraction of the cost.

With new Oregon legislation, such as the Oregon Identity Theft Protection Act (www.oregonidentitytheftprotectionact.com), Oregon businesses must become familiar with the security they  currently employ and ensure that mixture of technology and procedures protects against identity theft and data breaches.

If your company has never had an external vulnerability assessment, it may be well worth the cost to have one conducted. An example of this is at www.hackerview.com, where you can order a vulnerability assessment for you company for $350. This will provide you with the knowledge of how your company looks from the eyes of a hacker. There is an example policy on the site that is well worth taking a look at.

Managed Firewall Service

The management challenges for a small to medium-sized business (SMB) are no different than larger enterprises. SMBs must also contend with disparate tools to manage, monitor and report on the health of their network. Whether a business has as few as one location, managed firewall solutions offer tremendous value in providing uniform management of your firewall(s) and VPN gateway(s) coupled with the value of real-time and historical reporting.

There are many benefits of managed firewalls. One benefit is that you do not have to purchase a business class firewall / router / VPN appliance. As part of the service agreement, you are provided with business-class hardware with a same day / next day replacement agreement. You are able to pay a small monthly fee that includes the hardware, monitoring services, reporting services, antivirus & antispyware protection, content filtering, firmware upgrades, and intrusion prevention. That is an outstanding set of services that keeps you focused on your business. You do not having to worry about the configuration of your firewall and what websites your employees are squandering their time at.

Secure your network from Internet threats and employee abuse with TeamLogic IT's PerimeterGuard, our Managed Firewall Service (MFS). We support and manage all aspects of your Internet access and security, as well as providing secure connectivity to your branch offices and remote users. The TeamLogic IT PerimeterGuard service is designed to assist businesses that want to make the most of high speed Internet access while ensuring that the associated risks, liabilities, management and support issues are professionally addressed.

Our advanced firewall platform provides all of the tools and support that you need to manage your company’s Internet use and connectivity. We provide all equipment and software needed for advanced services such as web site blocking, usage monitoring, auto fail-over, encrypted VPN tunnels and unlimited expert technical support. TeamLogic IT’s PerimeterGuard is compatible with all types of high speed circuits from all major Internet Service Providers. There is nothing to purchase and no long term contract.

PerimeterGuard Overview

- Business-class firewall hardware and software
- Professional installation and configuration
- 24x7 monitoring and reporting - ability to monitor and block web use
- Gateway antivirus and antispyware protection
- Gateway Intrusion Prevention System (IPS)
- Managed content filtering – website blocking by both category and domain
- Auto fail-over to backup circuit  (dual WAN capable)
- Secure encrypted tunnels to remote offices or home offices
- Firmware updates, management and support included in the service contract
- Same or next-day replacement contract

iSecurityPolicy.com - Industry 1st!

Cogent Logik (www.cogentlogik.com), one of our partner companies, is pleased to announce the launch of www.iSecurityPolicy.com as the industry's first on-demand, customized Information Security Policy Manual (ISPM).

The ISPM is specifically tailored for the needs of the SMB. These policies cover all the aspects of Information Security needed to protect a company, its clients, its employees, and its partners. It is also a way to hold employees accountable for their actions. Small and medium businesses (SMBs) have always been at a disadvantage when it comes to securing their networks from threats.

While the United States is home to over 20 million SMBs, Information Security has largely been the focus for larger enterprises with the budgets to support this specialty. Unfortunately, the risks from hackers, viruses and spyware are just as applicable to smaller businesses as they are to Fortune 500 companies. Generally, the lack of expertise and staffing are the contributing factors, but the overwhelming issue is a false sense of security. Unfortunately, ignorance is not bliss! What your employees do not know has the proven ability to hurt your company. In terms of liability for a company, security does not exist until it is documented. This lack of due care and due diligence is a significant liability to a business of any size.

It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections, and identity theft. If you have 2 or more employees, Information Security policies, procedures, standards, and guidelines are just as important as the professional liability insurance you carry on your business.

The policies were written by a Certified Information Systems Security Professional (CISSP) and are in accordance with International Standards Organization (ISO) 17799 guidelines. Using technology, Cogent Logik LLC is able to offer a professional set of Information Security policies that are customized to your company at a fraction of the cost in comparison to hiring a consultant or performing the task on your own. The ISPM, contains 31 policies that cover all aspects of Information Security from Acceptable Use, to Data Retention, to Personal Communications Devices, to Wireless Security. The ISPM also contains an employee acknowledgement form, an equipment issue receipt form, and appointment orders for a Chief Information Security Officer (CISO).

To learn more about how Cogent Logik, LLC can help protect your business, please visit http://www.iSecurityConsultants.com. The site also contains HackverView (www.hackerview.com), which is a vulnerability assessment service. 

The Oregon Identity Theft Protection Act

Oregon Senate Bill 583, the Oregon Consumer Identity Theft Protection Act (OITPA), is now law. The OITPA is a step in the right direction and appears to be one of the most comprehensive information security regulations for businesses of all sizes. While it does not provide specifics about what steps must be taken, it covers the main Information Security categories to prompt Oregon businesses into evaluating their security posture and making improvements. There are significant enough teeth to this legislation ($1,000 per incident with a $500,000 max) to compel Oregon business to become compliant.

An excellent resource is www.oregonidentitytheftprotectionact.com to learn more about this law and resources to help Oregon businesses.  Certain categories went into effect on October 1, 2007 and the remainder goes into effect January 1, 2008.A summary of the OITPA as it relates to Oregon businesses:

Protecting Personally Identifiable Information (PII)
Effective October 1, 2007, the OITPA prohibits the disclosure of more than the last four digits of a social security number. The OITPA does not apply to the use of social security numbers for internal verification or administrative purposes. In addition, the OITPA does not apply to records that are required by law to be made publicly available.

Notification of Security Breaches
This provision of the OITPA, effective October 1, 2007, applies to any business, organization, or individual that maintains or possesses an Oregon resident's personal information that is used in the course of business. Personal information includes social security numbers, driver's license numbers, passport numbers, financial account numbers, and credit card numbers. Under the OITPA, if a business's computer files containing personal information have been subject to a security breach, the business must notify the affected individuals. The notification must be done in the most expeditious time possible, consistent with the needs and investigation of law enforcement.

The notice can be written, electronic (if that is the primary method of communication between the business and the individual), or telephonic if the individual is contacted directly. If the cost of providing notification would exceed $250,000 or if the number of individuals to be notified exceeds 350,000, a business can provide notice by both posting the notice on its website and notifying major Oregon television and newspaper media.

For the OITPA, a breach notice must contain the following information: (1) a general description of the incident, (2) the approximate date of the security breach, (3) the type of personal information at issue, (4) contact information of the business, (5) contact information for national consumer reporting agencies, and (6) advice to the individual on how to report suspected identity theft to law enforcement.

If a security breach affects more than 1,000 individuals, the business must notify, without unreasonable delay, all consumer reporting agencies regarding the timing, distribution, and content of the notification given by the business to the individuals. The business must include the police report number, if available.

If a business determines, after appropriate investigation or consultation with law enforcement, that the affected individuals are not likely to be harmed by the security breach, the business need not notify the individuals. Such a determination must be documented in writing, and the documentation must be maintained for five years.

Safeguarding Personally Identifiable Information (PII)
Effective January 1, 2008, businesses or organizations that maintain or possess an individual's personal information must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the personal information. The OITPA includes guidelines for compliance. For example, a business may implement an information security program that includes administrative, technical, and physical safeguards as follows:

Administrative Safeguards
- Designate an employee to coordinate the security program
- Identify reasonably foreseeable internal and external risks
- Assess the sufficiency of safeguards in place to control the identified risks
- Train and manage employees in the security program practices and procedures
- Select service providers capable of maintaining appropriate safeguards
- Adjust the security program in light of business changes or new circumstances.

Technical Safeguards
- Assess risks in network and software design
- Assess risks in information processing, transmission, and storage
- Detect, prevent, and respond to attacks or system failures
- Regularly test and monitor the effectiveness of key controls, systems, and procedures.

Physical Safeguards
- Assess risks of information storage and disposal
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to or use of personal information during or after the collection, transportation, and destruction or disposal of the information
- Dispose of personal information after it is no longer needed for business purposes or as required by law by burning, pulverizing, shredding, or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

There is no single, established set of practices that businesses must follow to comply with the OITPA. Instead, the legislature has recognized that adequate safeguards will vary from business to business depending on the size and technical nature of the business. An excellent resource for small and medium businesses for documentation is www.iSecurityPolicy.com.

Several examples of methods used to safeguard confidential information include:

- Paper media containing confidential information should be stored in locked cabinets, and access to the locked cabinets should be limited to a few employees. Any employee with a key who leaves the company should return the key. In addition, businesses should adopt and maintain document-retention schedules so that confidential information is regularly destroyed when no longer needed.
- Businesses should restrict access to electronic confidential information to a small number of designated people, and the information should be password-protected.
- Businesses that contract with an IT company should ensure that the IT company spells out its sufficient safeguards in the contract with the business. Similarly, it would be a good idea to obtain information in writing from hardware and software suppliers regarding the safeguards used to protect confidential information.
- Many security breaches occur when laptops are stolen. A business might consider prohibiting employees from storing confidential information on business laptops and instead require that such information be stored on the server.
- Businesses should establish a written procedure for identifying and responding to security breaches.

Any business that is subject to and complies with the Gramm Leach Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) is considered to be in compliance with the OITPA.

An owner of a small business (defined as a manufacturing business having 200 or fewer employees and all other forms of business having 50 or fewer employees) must adopt measures appropriate to its size and activities and the sensitivity of the information collected.

The Oregon Department of Consumer and Business Services is responsible for enforcement of the Act.

Software Patches & Moldy Houses

Similar to getting a flu shot, where most people will not have an adverse reaction, there will still be a percentage of the population that has a negative, possibly fatal, reaction to the inoculations. The reason people subject themselves to this situation is that the risk is assessed as being worth the potential consequences of catching the flu. Similarly, computers will always have anomalous behavior to being updated, but it is worth the risk as compared to being compromised by a hacker. These random effects can be negligible or it they can be a cascading effect that disrupts the entire network – there is no way to know beforehand, so that is the risk. Just as with any piece of machinery, or living being for that point, there is a need for ongoing maintenance to keep it healthy. Even with that mindset, there are still no guarantees problems will not arise. It is all about mitigating risk.

Here is the best analogy I can make for the importance of patching a computer and keeping it updated. In this example, you just purchased a brand-new house. The house is two stories, but also comes with a basement. When you moved into the house, you put some boxes and other storage in the basement and never ventured back downstairs, since you only spend your time in the main living areas. Since then you’ve gone about your business and everything appeared to be fine. Since you do not periodically check out the basement, you missed the pipe that started leaking and has now begun to flood the basement!

While the water in the basement itself is bad, the real threat is the mold that is going to take root. You might not even know the walls are filling up with mold until you either get sick from it or just happen to stumble across the problem. At this point, regardless that your house might be only a year old and looks great from the outside, it is basically in the condition of being condemned. Most likely, it has to be torn down, since it would not be cost effective to sanitize the house properly. The same concept of preventative maintenance applies to computers.

When most people buy computers, they have them set up to meet their current needs and completely neglect the ongoing “care and feeding” to keep the computers working smoothly. Software vendors like Microsoft routinely publish patches for their products, which are basically small programs that fix weaknesses in the original program. The computer’s operating system is basically the basement of the computer that is neglected by the average user. As patches do not get applied from Microsoft and other vendors, this opens up a very vulnerable weakness that can be exploited by hackers. You might think everything is running fine, but you are wide open for compromise by hackers taking advantage of well documented weaknesses and exploits that attack unpatched machines.

Contrary to what most users think, antivirus and antispyware have nothing to do with patching – that is a separate topic entirely. Once the compromise takes place, hackers will install their hacker software on your system and it will become under the control of the hacker. Modern hacker tools also have the ability to mask their activities from antivirus and antispyware programs. Most hacker tools include rootkits that include keystroke loggers and the ability for the hacker to gain access to the computer at any time. The hacker owns the computer and nothing you do from that point forward is secure. The only secure course of action is to erase the hard drive and reload the operating system, just like leveling the mold-infested house and rebuilding it from the ground up.

While this analogy might sound extreme, it is actually the best analogy I’ve heard in over a decade of working in the IT profession. The age, speed, cost, or brand of the computer do not have any factory – it is in how the system is maintained.

Managed Services & You

When it comes to managed services, most clients have very valid questions in regards to what managed services are and what they are getting for their money.

As a Managed Service Provider (MSP), our mission is to keep client networks, consisting of servers, desktops, routers, printers, and other peripherals, operational. Even on small networks, this involves making sure the software and hardware of at least a dozen manufacturers is configured properly and remains configured so that the network is as transparent as the plumbing in the building. This sometimes sounds easier than it actually is, but the bottom line is MSPs focus on preventative maintenance to minimize overall risks to a network.

With Information Technology (IT), nothing is absolute or error free. Since no two users are exactly alike, every computer is used slightly different and has slightly different software associated with the machine from cookies to updates to versions of software. Given those differences, each computer will in some small way react differently to commands or how they experience errors. Because of this situation, it is imperative to take a proactive stance on maintenance with the goal of solving potential problems when they are small, rather than waiting for the problem to lead to a catastrophic loss of service or data loss.

Preventative Maintenance
There are two approaches to maintaining computers:

1. Focus on reactive maintenance and do nothing until there is a major problem. This mindset leads the network down the path of waiting for a catastrophic failure of some kind and then reacting to it. These situations usually lead to significant downtime and potential data loss. This is an amateurish mindset to have and has no place in a professional organization, since it completely disregards any form of risk management.
2. Focus on routine, preventative maintenance with the goal of avoiding major problems. You know there are going to be some problems, but by keeping on top of the smaller issues, it decreases the likelihood of a catastrophic failure will lead to large disruptions. Based on the level of risk the company is worth accepting, it determines the level of preventative maintenance taken. The main question is how crucial is downtime in your organization?

The bottom line is it is far less costly to deal with preventative maintenance than it is to follow the reactive route. You have to take into account the potential loss of revenue from downtime of systems. That expense justifies following a computer lifecycle plan where your server is no more than 3-4 years old.

Mitigating Risk
The risks are very real. Since you are dealing with highly confidential client data, you cannot afford to have your systems unprotected and become compromised. You have a responsibility to your clients to protect their Personally Identifiable Information (PII). It is a liability issue and our goal there is to minimize your overall liabilities in IT by focusing on due care and due diligence:

Due Care: We implement a network that suits your business needs. We set policies requiring complex passwords and configured the server for users to have least privileges.
Due Diligence: We are keeping your machines updated, we are keeping viruses and spyware off the machines, we are backing up your data, we are looking for potential problems on all the machines that could affect their security or cause downtime.

If your goal is to save a little money on a monthly basis, you will neglect the aspect of due diligence. That may comes back to be far more costly in the future if there is a compromise of client data and nothing can be shown that any effort was made to proactively keep machines on the network secure. Again, it comes down to risk management. It is impossible to eliminate all risk, but it is possible to mitigate risk to an acceptable level. The definition of acceptable is different for each organization.