A friend of mine setting up an online printing operation e-mailed me a few weeks ago to ask for advice on setting up formal computer security policies to keep his business safe from intrusion. We went back and forth on the obvious ones—keep antivirus subscriptions current; enable a properly configured firewall; block access to the darker parts on the Internet. The more we e-mailed, it became clear to both of us that it’s a real predicament for startups that do business on the Internet to ever be safe from hacker attacks. The nature of Web-based threats, drive-by malware downloads, and clever social engineering attacks make it nearly impossible to be fully secure. Having acknowledged that, we narrowed down some must-do items that could help to minimize exposure to risk.
• Invest in anti-malware protection and make sure signature databases are current. When evaluating security software, ask about approaches to "whitelisting" (application control), "behavior blocking," and the use of "herd-intelligence." • Stay on top of high-priority patches for Web server and desktop software programs. Be vigilant about software that gets installed on employee computers and stay away from programs without auto-update mechanisms. Pay special attention to patching known vulnerabilities in applications that are constant hacker targets. Some examples include Adobe PDF, Adobe Flash Player, Apple QuickTime, RealPlayer, and WinZip. • Diversify browser usage and make it a policy for employees to use certain browsers for certain sensitive transactions. Microsoft’s Internet Explorer, a popular target for hackers, should be avoided for high-value transactions. • Adopt strong password policies. A strong password should be between 8 and 20 characters and must combine random upper- and lower-case letters, numbers and symbols. The longer and more complex your password is, the harder it is to crack using dictionary-based hacking tools. • Shut off all unnecessary network services and block employees from using targeted social networks like Facebook and MySpace. Hackers prey on the trusted nature of these networks to trick users into installing malware on endpoints. If certain employees don’t need Internet access, don’t provide it. • Be rigid about controlling orphaned accounts. Have a workable system in place to deal with employees leaving the company and make sure that e-mail accounts and access to sensitive parts of the network are promptly shut off. Ryan Naraine Security Evangelist Kaspersky Lab, Americas Woburn, Mass.