Rarely has IT security been as fashionable as it is right now. Yet many organisations still skip very simple steps that would improve their security. Paranoid Mind has performed a cursory examination of various companies in Medicon Valley and at Ideon in Lund. Security was, in many cases, bad or even atrocious, which is especially alarming given how much value the databases of the various biotech companies hold. This is information worth hundreds of millions that a predator can copy relatively easily and sell to competitors, who in turn can patent the work of others or exploit ten years of research at the victim company's expense. Industrial espionage and cybercrime are, by some estimates, worth more than the global drug trade. It is no longer about curious, spotty nerds who want to see what they can do; it is about clean jobs done by professional hackers. Police forces (in the U.S. and other countries), major credit card companies, banks, health care agencies and other companies and agencies have all demonstrated inadequate knowledge of, and protection against, leakage of sensitive information. It is no wonder that many companies have already given up on trying to protect themselves against hackers and other online predators.
Security costs money, yes. But the cost of not having security is far greater. The question is therefore no longer IF your company has had a computer intrusion, but WHEN it happened, WHAT happened, HOW it happened and, ultimately, how it can be prevented in the future.
Because we at Paranoid Mind are paranoid about IT security, we have decided to share a little of the information and knowledge that we hope you will find valuable.
All of the advice below is what I recommend as a minimum. Security is a trade-off between ease of use and benefit to the business: the more important a system is for production, storage or the company as a whole, the more securely the server should be configured. But a company is never more secure than its weakest link.
- Have an IT security policy. The easiest way is to follow an already developed standard such as the ISO/IEC 27000 series.
- Update the IT security policy annually. IT systems evolve and change continuously, and so do the threats and the solutions.
- Perform security audits of the network and systems. Often, networks and systems are set up by external consultants from different companies, or looked after by a single person who is expected to know everything about user support, servers and security. Such people rarely have the time or the knowledge to cover all of those needs, and security then tends to suffer.
Wireless network (Wi-Fi)
- Make sure the wireless network is encrypted, with WPA2 (AES/CCMP) or newer. Newer is, in this case, usually better: WEP and the original WPA with TKIP are broken and should not be used at all.
- Use a passphrase that is as random as possible (see below).
- The passphrase must contain letters, numbers and special characters (see below).
- Use a minimum of 15 characters, but preferably as many as the standard allows: a WPA2 passphrase may be up to 63 characters long. For example: “C!1*5)++1@\4ol&”.
- Absolutely no dictionary words!
- The longer the passphrase, the better. WPA2-Personal derives the actual encryption key from the passphrase and the network name, and anyone who records the four-way handshake when a client connects can try candidate passphrases offline at leisure. Only length and randomness make that search infeasible.
- Keep the passphrase in a safe place. The sticker on the Wi-Fi router is NOT a safe place.
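The passphrase rules above in working code, as an added example that is not part of the original article: a small Python script that generates a random passphrase with the operating system's CSPRNG, checks it against the limits WPA2-PSK imposes (8 to 63 printable ASCII characters), estimates its entropy, and derives the 256-bit PSK the way WPA2-Personal does (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations). The function names and the SSID used in the demo are this example's own.

```python
"""
Added example (not from the original Paranoid Mind article): generate a random
WPA2 passphrase, check it against the limits of the WPA2-PSK standard, estimate
its entropy, and derive the PSK the way WPA2-Personal does.

Facts relied on:
  - A WPA2 passphrase is 8..63 printable ASCII characters (0x20-0x7E).
  - WPA2-Personal derives the 256-bit PSK as
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32).
    Anyone who captures the four-way handshake can run this derivation offline
    for candidate passphrases, which is why length and randomness matter.
Helper names below are this example's own.
"""
import hashlib
import math
import secrets
import string

# Alphabet for generated passphrases: every printable ASCII character WPA2 allows
# except the space (a trailing space is too easy to lose when the passphrase is
# written down).  That is 94 symbols: 0x21..0x7E.
ALPHABET = "".join(c for c in string.printable if 0x21 <= ord(c) <= 0x7E)

WPA2_MIN_LEN = 8
WPA2_MAX_LEN = 63


def valid_wpa2_passphrase(passphrase: str) -> bool:
    """True if the passphrase is acceptable to WPA2-PSK: 8..63 printable ASCII."""
    if not (WPA2_MIN_LEN <= len(passphrase) <= WPA2_MAX_LEN):
        return False
    return all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def has_required_classes(passphrase: str) -> bool:
    """The article's rule: letters, digits and special characters must all appear."""
    has_alpha = any(c.isalpha() for c in passphrase)
    has_digit = any(c.isdigit() for c in passphrase)
    has_special = any(c in string.punctuation for c in passphrase)
    return has_alpha and has_digit and has_special


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length: int = WPA2_MAX_LEN) -> str:
    """Generate a uniformly random passphrase with the OS CSPRNG (secrets).

    Redraws until all three character classes are present, so the result also
    satisfies the article's composition rule; with 94 symbols and length >= 15
    a second draw is almost never needed.
    """
    if not (WPA2_MIN_LEN <= length <= WPA2_MAX_LEN):
        raise ValueError(f"WPA2 passphrases must be {WPA2_MIN_LEN}..{WPA2_MAX_LEN} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_required_classes(candidate):
            return candidate


def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit PSK exactly as WPA2-Personal does; returned as 64 hex digits."""
    if not valid_wpa2_passphrase(passphrase):
        raise ValueError("passphrase is outside the WPA2 limits")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return psk.hex()


if __name__ == "__main__":
    # The article's own 15-character example, and a hypothetical SSID for the demo.
    example = "C!1*5)++1@\\4ol&"
    print(len(example), valid_wpa2_passphrase(example),
          f"{entropy_bits(len(example)):.0f} bits")
    strong = generate_passphrase()
    print(strong, f"{entropy_bits(len(strong)):.0f} bits")
    print(wpa2_psk(strong, "LabNet-Hypothetical"))
```

Run as a script it scores the article's 15-character example at roughly 98 bits and a freshly generated 63-character passphrase at over 400 bits. The wpa2_psk() function is the same computation an attacker performs against a captured handshake, once per guess, which is exactly why the passphrase must be long and must not be a word or a short pattern.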
Network / Server
- Have a dedicated firewall between the company network and the Internet.
- Put servers that must be reachable from the Internet in a DMZ.
- If you must allow connections from the Internet to a server (such as a mail or web server), open only the specific port that service needs, and only to that particular server.
- Do not allow traffic from such an Internet-facing server into your internal network. If an internal service has to be reachable from outside, publish it through a so-called reverse proxy in the DMZ, and let the firewall allow only the proxy to reach that one internal service on its one port.
- Do not store critical or important files on a server that is connected to the Internet.
- Make daily backups of the data that is important to the company.
- Make sure the backups actually work by restoring them and re-reading the files.
- Log everything, and ship the logs directly to a dedicated, time-synchronised log server. An intruder who gains control of a machine can edit or delete its local logs; the copy on the log server survives, and synchronised clocks are what make events from different machines possible to correlate afterwards.
- Make sure all servers, software and clients ALWAYS have the latest updates.
- Make sure all servers, software and clients are ALWAYS configured correctly with respect to security.
- All clients must have their own firewall.
- All clients must have their own antivirus.
- Educate users in security and in the company's policy. Surprisingly often, user passwords can be guessed easily. Sometimes users are even kind enough to write the password on a post-it note and stick it under the keyboard or in a drawer.
- Educate users to NEVER give out their password. Never means not by e-mail, not over the phone, and not to a support person who is standing right there. If a password is needed, the user types it in themselves. Never, ever, ever give it out to anyone… EVER!
- Educate users in general security on the internet.
- Laptops should be able to connect to other networks, but they should certainly not share anything. Travelling employees frequently connect to all sorts of unsecured networks, and then it is enough for someone to sit nearby and listen to the traffic (so-called sniffing) to pick up useful information such as usernames, passwords and confidential business information. On such networks, traffic should go through an encrypted VPN back to the office, or at the very least only to encrypted services.
- If a service is business critical, have spare parts or redundancy in place.
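The backup advice above (daily backups, and proving they work by re-reading them) as an added example, not code from the original article: a Python script that archives a directory, records a SHA-256 manifest of every file at backup time, then restores the archive into a scratch directory and re-hashes every file against that manifest. A truncated archive and a file that no longer hashes the same are both reported as a failed backup. The function names and the sample files are this example's own.

```python
"""
Added example, not from the original Paranoid Mind article: back up a directory and
prove the backup is restorable by re-reading it.  A backup that has never been
restored is not a backup.  make_backup() writes a tar.gz archive and a SHA-256
manifest of every file at backup time; verify_backup() restores the archive into a
scratch directory and re-hashes every file against that manifest.  run_demo() wires
the two together on a small constructed sample tree, with a truncated archive and a
tampered manifest as the failure cases.  All names are this example's own.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List, NamedTuple


class Backup(NamedTuple):
    archive: Path             # path of the .tar.gz that was written
    top: str                  # top-level directory name inside the archive
    manifest: Dict[str, str]  # relative path -> SHA-256 at backup time


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, dest_dir: Path) -> Backup:
    """Archive src into dest_dir; the manifest is taken from the live files first."""
    manifest = build_manifest(src)
    archive = dest_dir / f"{src.name}-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    return Backup(archive, src.name, manifest)


def verify_backup(backup: Backup) -> List[str]:
    """Restore into a scratch directory and re-read every file.

    Returns a list of problems; an empty list means the backup verified.
    """
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch_name:
        scratch = Path(scratch_name)
        try:
            with tarfile.open(backup.archive, "r:gz") as tar:
                # The "data" extraction filter (Python 3.12, backported to older
                # patch releases) refuses absolute paths and ".." traversal
                # inside the archive; fall back to plain extraction without it.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except Exception as exc:  # any read failure means the backup is unusable
            return [f"archive unreadable: {type(exc).__name__}: {exc}"]
        restored = scratch / backup.top
        found = build_manifest(restored) if restored.is_dir() else {}
        for rel, digest in backup.manifest.items():
            if rel not in found:
                problems.append(f"missing after restore: {rel}")
            elif found[rel] != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        for rel in found:
            if rel not in backup.manifest:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


# Constructed sample data standing in for "the data that is important to the company".
SAMPLE_FILES = {
    "lab/results-2013.csv": b"sample,assay,value\nA1,ELISA,0.42\n",
    "lab/notes/protocol.txt": b"constructed protocol text\n",
    "finance/ledger.txt": b"constructed ledger\n",
}


def run_demo(corrupt_archive: bool = False, tamper_manifest: bool = False) -> List[str]:
    """Back up the sample tree and verify it; optionally simulate a failure mode."""
    with tempfile.TemporaryDirectory() as work_name:
        work = Path(work_name)
        src = work / "companydata"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        backup = make_backup(src, work)
        if corrupt_archive:
            # A truncated archive is the classic "the tape ran out" failure.
            data = backup.archive.read_bytes()
            backup.archive.write_bytes(data[: len(data) // 2])
        if tamper_manifest:
            # Stands in for a file that was altered or corrupted after backup time.
            backup.manifest["lab/results-2013.csv"] = "0" * 64
        return verify_backup(backup)


if __name__ == "__main__":
    print("clean backup:", run_demo() or "OK")
    print("truncated archive:", run_demo(corrupt_archive=True))
    print("tampered manifest:", run_demo(tamper_manifest=True))
```

The manifest is written from the live files before the archive is made, so a restore test compares what the company had against what the archive gives back, not the archive against itself. In production the manifest would be stored with the backup and the restore test run on a different machine from the one that wrote the archive.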
If you follow this advice you reduce the risk of a computer intrusion, but ultimately security is in your own hands. IT security is a continuous learning process that never ends. Working with IT security is more than a profession; it is a lifestyle.
Should you need help with your IT security, you are always welcome to contact us.