E-Crime and security of 'always-on' Broadband
by Colin Bryant, TelecomsAdvice
This article has been prompted by a perceived increase in the risk of small businesses’ computers being attacked from the Internet through ‘always-on’ ‘Broadband’ Internet connections such as ADSL and Cable Modems.
Broadband can bring practical business benefits but, without wanting to ‘scaremonger’, owners and managers should be aware of the risks and basic precautions that are needed for all types of Internet connections and particularly for those which are always-on.
Electronic (e)-crime, e-security, information and communication technology (ICT) security, cyber crime – whatever you call it - ranges from the old fashioned physical theft of computer equipment, through internal fraud, to the external hacking/cracking of network connections and the dissemination of viruses and similar disruptive or malicious programs.
The Council of Europe’s Convention on Cyber Crime identifies and attempts to provide a common approach to legislation on:
- Illegal access;
- Illegal interception;
- Data interference;
- System interference;
- Misuse of devices;
- Computer related forgery;
- Computer related fraud;
- Online child pornography and
- Copyright and similar rights offences.
These are complex, wide-ranging issues and mostly beyond the scope of this paper - we will only scratch the surface and link to more specialist sources in our ICT Directory.
IT security is in itself a complex subject involving management, office administration and personnel policies as well as technical systems. Those policies and systems should really be developed, configured and maintained by experts, but experts’ fees are often seen as too high for many small businesses. If you do have to do-it-yourself you should make sure that:
- computer operating systems, browser and access programmes have the latest updates and ‘patches’ installed (automatically if possible using ‘auto-update’);
- PCs have anti-virus software which automatically scans email as it arrives and checks disks inserted into external drives – and that the anti-virus software is automatically updated;
- a software ‘firewall’ is installed on each computer, or a heavier duty hardware/software product installed between your office Local Area Network (LAN) and the Internet;
- essential data is backed-up as regularly as is necessary to avoid expensive, irrecoverable loss; that the back-up procedure is tested to show that it actually works and data can be restored, and that copies of the back-up are stored securely with a second copy off-site, and
- staff training covers these basic security issues and the use of specific programmes, products and their applications.
Small businesses don’t have full-time IT staff and can’t afford expensive consultants - so what are the basics they need to do to protect themselves from the most prevalent risks?
You should be able to get most of the basic security advice you need about Internet connectivity and networking, e-mail and website ownership from your service providers – the level of support and understanding of business issues is one of the things you need to consider when choosing a service provider in the first place. If you are required to deal electronically with larger corporate customers, or you want the benefits of electronic trading with suppliers or online banking, then those larger ‘partners’ may be able to help you – after all it’s in their interest that you don’t become an unwitting chink in their IT security armour – but you will need to understand the issues yourself.
There is a balance to be achieved between risk, cost and benefit, and that balance depends on the individual characteristics of your business and the sector in which you operate – if you are involved in substantial online financial transactions then you may be a more attractive target for expert professional criminals.
We will give you an overview here, focussing on always-on broadband Internet connectivity - and the lower-cost essential precautions for a small business - to help you to understand the issues and the jargon and point you to further sources of more specialist information, products and services on the TelecomsAdvice website, government, not-for-profit and commercial vendors' sites. But to put the risk of Internet crime through ‘Broadband’ into perspective it is worth reviewing other threats.
As indicated in the introduction, most reported IT crime involves the physical theft of computer equipment; this is outside the scope of this paper but see the crime prevention links below or you can get advice from the Crime Prevention Officer at your local Police Station and your insurance company.
General Internal IT Security
Make sure you back up essential data as regularly as is necessary to avoid expensive, irrecoverable loss; that the back-up procedure is tested to show that it actually works and data can be restored, and that copies of the back-up are stored securely with a second copy off-site.
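One way to test that a back-up can actually be restored, as an added example that is not part of the original article: record a checksum for every file when the back-up is made, restore to a spare folder, and compare. The function names and the sample files are assumptions made for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def verify_restore(backup_manifest, restored_root):
    """Compare a manifest recorded at back-up time with a test restore."""
    restored = manifest(restored_root)
    return {
        "missing": sorted(set(backup_manifest) - set(restored)),
        "changed": sorted(name for name in backup_manifest.keys() & restored.keys()
                          if backup_manifest[name] != restored[name]),
        "extra": sorted(set(restored) - set(backup_manifest)),
    }


def restore_ok(report):
    """A restore passes only if nothing is missing or altered."""
    return not report["missing"] and not report["changed"]


if __name__ == "__main__":
    # Constructed sample data: a "live" folder and a deliberately damaged restore.
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as restored:
        (Path(live) / "accounts.csv").write_text("invoice,amount\n1001,250.00\n")
        (Path(live) / "customers.txt").write_text("Acme Ltd\n")
        recorded = manifest(live)  # taken when the back-up is made
        (Path(restored) / "accounts.csv").write_text("invoice,amount\n1001,25\n")
        report = verify_restore(recorded, restored)
        print(report, "OK" if restore_ok(report) else "FAILED")
```

Store the recorded manifest alongside the back-up, because comparing a restore against the live folder would flag every file edited since the back-up was taken.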
Think about access policy generally, and for individual members of staff. As a general rule exclude everyone and only give access to individuals on a ‘need-to-know’ basis. Try to ensure that the people who do have access keep passwords secure and don’t leave their PCs ‘unlocked’ when they are away from them.
Passwords should be at least six and preferably eight characters, avoid dictionary words and try to include both upper and lowercase letters, numbers and other keyboard characters. Avoid words which can be guessed by someone who knows personal details such as children’s or pets’ names, car models or registrations. If you want a memorable password then add some numbers, make it up by replacing some letters with similar looking numbers - 0 for o, 8 for B, 5 for s, etc., or take the first letter from each word in a line from a song or poem.
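The password rules above expressed as a checker, as an added example that is not part of the original article. The function names, the problem codes, the tiny word list and the sample passwords are all constructed for this illustration; a real check would load a full dictionary file.

```python
# Constructed stand-in for a real dictionary word list.
SAMPLE_DICTIONARY = {"password", "welcome", "broadband", "dragon", "sunshine"}


def check_password(password, personal_details=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules from the article that the password breaks."""
    problems = []
    if len(password) < 6:
        problems.append("too_short")               # minimum six characters
    elif len(password) < 8:
        problems.append("shorter_than_preferred")  # eight is preferred
    if password.lower() in dictionary:
        problems.append("dictionary_word")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no_other_character")
    # Names of children or pets, car models, registrations and so on.
    lowered = password.lower()
    if any(d and d.lower() in lowered for d in personal_details):
        problems.append("personal_detail")
    return problems


def first_letters(line):
    """Memorable base: the first letter of each word in a song or poem line."""
    return "".join(word[0] for word in line.split())


if __name__ == "__main__":
    base = first_letters("Twinkle twinkle little star how I wonder what you are")
    for candidate in ("password", "Rover1!", base + "-42"):
        print(candidate, check_password(candidate, personal_details=["Rover"]))
```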
A general written policy should be applied to new hardware or software installations covering access rights and default settings.
Be aware of the numerous frauds that proliferate on the web or by e-mail. Just a few examples are non-existent banks, advance fee frauds, fraudulent business financing and too-good-to-be-true high yield investment.
The falsification of accounting records can be done with or without an electronic accounting system. Don’t be fooled into a false sense of security by the fact that your accounting programme won’t allow transactions to be altered or deleted without leaving an audit trail - goods or services issued for cash may not be entered in the records at all. Get advice from your accounts package vendor or accountant about accounting records security.
Internal Data Theft and Sabotage
Employees – particularly those who are leaving – may have various reasons for stealing confidential business information or wanting to cause damage to the business. You should be prepared to change an individual’s access rights as soon as the situation warrants.
Common Internet services your business may use include ‘access’ (dial-up or broadband), a website server and an email server. These may be provided by the same or different Internet Service Providers (ISPs). Keeping server operating systems and application software up-to-date with patches to plug security flaws is a time-critical occupation and is best left to the professionals.
Your website will usually be hosted on an ISP’s computer and has nothing to do with your Internet connectivity - although these different services may be provided by the same company. The hosting ISP may take partial responsibility for the website’s security if that is part of their agreed service, but some responsibility will reside with you, the designer and anyone who has access to update files. A common form of e-crime is to surreptitiously ‘hijack’ a website which has a legitimate form mailing facility for customer enquiries, and use it to send unsolicited commercial e-mail (spam), or to be part of a denial of service attack on a third party whose system could be flooded with email from hundreds of web/mail servers like yours. This sort of crime soaks up bandwidth which will slow down your site, you may have to pay for the extra bandwidth used, it may bring you into disrepute as a ‘spammer’ and get your site suspended by your ISP, and your domain (including legitimate email) may be blocked by other ISPs.
You also need to ensure that data left by site visitors is secure in accordance with the Data Protection Act.
If you are trading by taking credit card details over the Internet then you will get specialist advice from the bank which provides your credit card merchant services as to minimum technical and operational security standards required.
Individuals and small businesses usually use an ISP’s email server rather than have an email server on their own LAN, so again, this is nothing to do with ‘Broadband’ or connectivity as such. The email server could be hijacked in a similar way to a website if email account details and passwords are not secure.
You may connect your computer and/or office network to the telephone network through a modem to allow dial-in remote access, send and receive faxes or provide PBX or voicemail functionality, and this could allow unauthorised connections. Make sure that any remote access services you need to run are limited as far as possible by their configuration and that passwords are changed from the defaults and are as secure as possible.
Connecting your computer and/or office network to the Internet allows it to be accessed from outside. You need to control that access and guard against unwanted and potentially damaging data traffic. This general rule applies whether it is a dial-up connection or an always-on broadband connection. However, with a dial-up connection you usually get a different Internet Protocol (IP) address each time you connect; with an always-on connection you will have the same Internet address for extended periods and may have it permanently allocated. This gives hackers/crackers who run automated IP scanning programs more opportunity to find insecure computers and more time to run password breaking software.
Depending upon the nature of your connection and the complexity of the Internet functions you use, your ISP may provide an elementary layer of security but there must always be open ‘ports’ to allow legitimate traffic.
A ‘firewall’ filters data traffic between computers or networks. It can close or regulate ports in either direction, allow certain programs or users access or not, or stop certain types of data traffic. It can be a simple software application on a desktop PC, part of the function of a network server or router, or a purpose made hardware/software appliance. The firewall design needs to have been tested by an independent body but the detail of the configuration is key to its effectiveness. A computer or network can, unwittingly, be made insecure by a user ‘allowing’ a new program or function to pass the firewall. Users with authority to change the firewall configuration must be trained to do it safely.
A Final Thought
As we said at the beginning, IT security is a complex subject and systems should really be configured and maintained by experts but, hopefully, taking some basic precautions is much better than doing nothing.
Reviewed January 2011
last updated : 21/01/2011