Data Security

Firewalls

Your firewall is the border fence between the world and your network; securing your borders is a trade-off between usability and security. Securing this perimeter should be the first and last thought of your Information Security (InfoSec) team. Organized crime learned a decade ago that stealing or ransoming data involved much less risk than gun-point robbery or other physical strong-arm tactics. They have recruited disenfranchised geniuses from lawless countries to hijack unprotected computers, turning them into "bot armies" that launch anonymous attacks 24 hours a day, 7 days a week. Additionally, radical religious and political ideologues use these same tactics to fund their campaigns as well as to disrupt international business flow. Our recommendations include:

Viruses and Malware

Viruses, worms, trojans, and spyware all represent unauthorized use of your computer systems. Once in place they can be used to steal, destroy or encrypt-and-ransom your most important and sensitive data. The downtime and consulting time required to deal with an infection will always cost more in the long run than protecting your resources to begin with. Along with the proper use of Anti-virus (AV) software and a good maintenance plan, you should strongly consider employee security training, since employees have become the weakest link in the chain. Phishing and Vishing attacks have become incredibly sophisticated; gone are the days of the Spanish Prisoner (or Nigerian 419 scam) email full of misspellings and grammatical errors. Modern Phishing tools perform data-mining operations on all publicly available information about a company, including org-charts, along with vendor and employee names and email addresses. This information is used to craft credible Phishing emails designed to instill either comfort or fear and intimidation.

SPAM

Once synonymous with meat from a can, SPAM now has a much darker and more sinister meaning: Unsolicited Email. SPAM does not have to be a problem; there are a few solutions out there that will eradicate most of your unwanted email ads while not throwing out valid messages. Due to the complexity and bandwidth required to accept and scan email on premises, Atlantis now recommends the use of Software-as-a-Service (SaaS) internet-based anti-spam measures to eliminate unwanted SPAM email without the "false-positives" of the other solutions we've tried in the past.

Secure Authentication and Transports

Multifactor authentication should be used by all publicly available services to authenticate users using the "something you have, something you know" idea. Typically the "something you have" portion will be your mobile device, either running an authentication token app, or using its texting capabilities to receive a texted authentication code from the authentication service. Ask any Hollywood Pop Tart whose naked selfies have become public record if they use Multifactor Authentication now.

As previously mentioned, the best security encryption and hashing algorithms of today will be deprecated and considered "known-vulnerabilities" within 10 years. The protocols in use on, and allowed by, your network must be monitored and adjusted regularly as exploits are announced.

A Virtual Private Network (VPN) allows secure computer-to-network or network-to-network communications using an insecure network (usually the Internet) as a transport. VPNs allow authorized users to access your business network while on the road, and allow telecommuting employees to work from their homes, freeing up office space.

Unsecured communications over E-mail can lead to a loss of proprietary information. Account numbers, credit card numbers, social security numbers, PASSWORDS(!), and any information of a proprietary nature should NEVER be sent over "clear-text" email. Using a tool such as GPG (GNU Privacy Guard) allows you not only to encrypt, but also to digitally sign sensitive documents and emails. With the GnuPG-Plugin by GData, you can have email signing and encryption at your fingertips.

Low-Tech Hacks

A common misconception about computer security is that the risk is only from high-tech exploits, carried out by faceless "black-hat" hackers in the night. Realistically, many a company has been sabotaged by a disgruntled employee or ex-employee with more access than he or she should have. It takes relatively little effort for a complete stranger to compromise your systems by using an unsecured or poorly secured workstation after-hours, or even in the middle of the day; many activities go unnoticed in a busy office. Kevin Mitnick, one of the most notorious hackers ever, relied on what he called "social engineering" to gain access to corporate networks: basically the same low-tech confidence tricks that have been used for centuries. Just as it is easier for a gas-station attendant at a rest area to get your credit card number than to hack it from an e-commerce site, it is easier for someone to gain access with a password that has been written down and stuck to the monitor than by cracking your firewall. Employee education is the best policy and can save you thousands of dollars.

Formal Security Policies

Finally, defining your security policies, from Employee Use of Electronic Communications/Devices to Acceptable Encryption Technologies, will help to secure your network and protect you from lawsuits if your network is ever exploited. These documents can go a long way toward defining not only how security is implemented, but also who is expected to participate in which aspects of network security.
