Is Your Computer Data Secure?

May 2nd, 2012

One of my mantras is Security, Security, Security!

Recent events have reinforced the need to return to this very important subject related to IT and computer systems. There is no-one I know who does not have some form of security on his or her property. It does not matter whether they live in a 6-figure sum house or in rented accommodation. Measures may range from a single lock to very sophisticated alarm and surveillance systems, but the point is they all have some form of security.

The same should be true of our computer systems. It does not matter if your system is connected with National Security or stands alone in your house; if it contains data that is sensitive to you, you should take steps to protect it.

In this article I will go through some of the steps that you can put into action to make sure that life for the would-be thief is made difficult.

Physical Steps

When it comes to the world of IT security, it is easy to overlook the obvious. When I was at school one of the ‘catch you out’ questions went like this:

“If red houses are made out of red bricks and yellow houses are made out of yellow bricks, what are green houses made of?”

The logical answer is of course green bricks but the correct answer is glass. The question is posed in such a way as to lead you down a certain way of thinking. When it comes to IT, for some reason we think of complex ways to set up security when some simple practical measures may be all that’s needed.

Lock It Away

If you have a notebook, make sure that you lock it away when not in use or away from your desk overnight. Although this may be inconvenient for desktops, it is still an option. I know of at least one large bank that puts all its desktop PCs into a strong room at night. It may be tedious, but it is very effective.

Bolt It Down

If your computer is a server then shutting it down and putting it away may not be an option. In that case, consider bolting it down. You can buy security cages that bolt to the floor and would take far too long for the opportunist thief to cut through and steal.

Many proper servers come with a lockable front panel, which prevents the computer from being opened and/or the drives removed. Why not make use of this simple deterrent?

Monitor Sensitive Systems

If you are a business, then for relatively little money it is easy to set up surveillance. All that you need is a security camera (costs start lower than 200 pounds) connected to a basic computer. These systems not only record events but can also send images to offsite computers or even send alerts to your mobile phone. You can log into the camera from remote sites using the Internet; this is particularly useful if the alarm system goes off and you want to check your premises immediately.

Other Options

Password Protect

You would be amazed at how many systems and sensitive documents have no password security. There are at least 4 important things about using passwords.

  • Use strong passwords

A strong password has the following characteristics:

    • Mixture of upper/lower case letters
    • Includes numbers
    • Includes characters like @&%
    • At least 8 characters in length

If your passwords do not contain the above, then your system may have the security equivalent of a rusty bolt with some of the screws loose!

  • Do not use one password for everything

  • Change passwords regularly

Some servers can be set to force regular password changes every month or on whatever time scale you choose. The system can also enforce that a password cannot be re-used within so many cycles.

  • Never use sensitive passwords on an unknown system

This is a no question policy of sound advice. Break it at your peril. You have been warned. To do so is like leaving a full set of labelled keys in a public place. There are a number of software products readily available on the market that keep a logging history of all keys pressed on a keyboard. Some even detect mouse click selections. If you have to use a password (maybe in a life or death situation) on an unknown system, change your password as soon as you can from a known secure system.

  • Write down your passwords!

Yes, I know many of you will have read that twice and wonder if I have lost the plot. The advice from any bank or agency is never to write down your password anywhere. Actually I agree. You should never write down your password in a form anyone can recognise. But with so many passwords we need to remember, is it any wonder that people use the same password over and over again? What I do is write down my password in an encrypted way that I can understand but no-one else would have any idea what the numbers mean. Most, if not all, credit cards work with a 4-digit PIN number. What you can do is write them down in the wrong order and add 1 or 2 more numbers in the same place each time, or always add the same number to the original numbers. Also, I never write down my passwords or PIN numbers alongside the source, e.g. I do not write down the name of the bank with the number next to it. I devised a system for naming the bank account and the password. If someone found my list they would never know the significance of the information and more likely than not discard it.

Good Practices

Firewall

One problem uniquely associated with IT theft is that the thief does not have to break into your property to gain access to your system or sensitive data. Thanks to the Internet the thief can be on the other side of the world, sitting drinking coffee while he is stealing from you.

All businesses should have a good firewall, full stop! Good routers come with built-in firewalls of varying quality. From behind these fire-walled routers, a would-be thief gets no reply when he/she tries to ‘ping’ your IP address to find out if there is a computer at the other end. Don’t worry about the technical terms; firewalls simply make your computer invisible to the outside world.

Prohibit/prevent use of file transfer and chat programmes

If you are a business your router or third-party software can prohibit access to file transfer programmes commonly used to download music or chat programmes. These programmes can act as gateways through your firewall security.

Security Software

If you are a home or business user you should consider using one of the many third-party software products commonly known as Internet Security Packages. I suggest one that marks websites that are safe to search.

Protecting Mobile Devices

Many businesses have personnel who use mobile devices that contain up-to-date data, usually emails, diary and reminder events. Most of these devices synchronise with the main server in the office. These devices are easily prone to theft. What many users may not know is that they can be remotely wiped of any sensitive data no matter where the device is in the world.

Backups

In protecting your property it is common to insure against fire, theft and accidental damage. No talk about security would be complete without mentioning backups, the equivalent of accidental damage. Here, I would just like to mention one method of backup that I am being asked about more and more these days – off site backup.

A lot of third-party groups are now offering offsite backups. Options are available for the home and business user. There are certainly some good points in favour of this option, but there are limitations that I would like to draw your attention to:

Should not be considered as the total answer

It is uncommon that one solution fits all needs. For example, what happens if your broadband connection goes down?

Costs money

Naturally, as a service that is being offered there is a cost involved. Vendors of these services charge on the basis of how much data is stored offsite. The costs range widely. As a believer in ‘you get what you pay for’ you need to investigate each offer carefully.

Data Transfer rates and amounts

You have to take into account how much data you need to back up. Remember that offsite backup times will depend on how fast your broadband connection is (if you do not have broadband this option is a non-starter). Most systems work on the basis that the first backup moves all the files – which can take days – and only incremental backups are done thereafter.

If your service provider contract limits the amount of data you can transfer you need to make sure you do not run into the problem of excess charges.

Generally, you can’t beat doing a full backup and storing the tapes offsite yourself. I view this as a good option for small but very important files as a tool in the weapons’ arsenal.

If you would like help or advice on any of the issues raised in this article please visit my website at http://www.b-d-p.co.uk

IT Backup – How Safe Is Your Business?

May 2nd, 2012

‘999 Which Emergency Service Do You Require?’

A few weeks ago I was attending an early morning call at one of my customers. As I pulled onto the car park my eyes were drawn to blue flashing lights on the nearby industrial estate. Not being nosey you understand, I thought I would just have a look to see what was going on.

No Smoke Without Fire?

Although it was still fairly dark and difficult to see there was a high degree of activity by the fire crew and a fairly large group of onlookers were standing around. However, I could not see any smoke and guessed that whatever had brought the fire engines out had been dealt with earlier and they were winding down.

As I entered the main office door of the client I had come to see, I noticed lying on the mat a leaflet which I duly picked up to hand to the MD.

Fire Affects Local Business

The leaflet turned out to be from West Midlands Fire Service. The main part of the leaflet read as follows:

“The West Midlands Fire Service has recently attended a serious fire in this area.

How Safe Is Your Business?

Due to the nature of the incident a Fire Safety Officer may visit you to ensure your compliance with the Regulatory Reform (Fire Safety) Order 2005.

You may need to produce the following items to show compliance with the Fire Safety Order:

  • A copy of the emergency action plan for the premises;
  • Evidence of staff training and fire drills;
  • The most recent Service Certificate for the fire alarm system”

The Link

This leaflet, delivered in the wake of the fire, got me thinking along the lines of how safe your business is in the aftermath of fire (or any other catastrophe) in terms of your IT systems.

This is not the first time I have covered this subject, but this time I’m looking from a different perspective.

A Copy Of The Emergency Plan For The Premises

It occurs to me that most businesses have a plan of action when it comes to fire. In fact they may even carry out a fire drill on a regular basis just to make sure they are well rehearsed. Many buildings have one day a week when the alarm is simply tested for a short burst.

Emergency Plan In Action

Recently I was on site visiting one of my customers when the fire bell went off. There was the obligatory ‘everyone looks at everyone else’ and asks is this for real. I could see the grey cells at work ‘is this the day they test the alarms? no… NO maybe for real then?’

Evidence Of Staff Training and Fire Drills

After a short while someone called for everyone to vacate the building. We all duly assembled outside at the designated fire area. I noticed that at least one member of staff was wearing a yellow jacket with the words on the back ‘Fire Marshall’! In his hands he had the signing-in book, and began calling out everyone’s name. (Now I see the value of why companies have a sign-in book). The sight of one of the lads emerging from the building chewing on burned toast raised good humoured jeers and comments as to the culprit!

The point is, this company had an emergency action plan in the event of fire which worked. Can that be said of our computer systems?

The Most Recent Service Certificate For The Fire Alarm System

Having a plan of action is one thing, evidence of training is another, but having a recent up-to-date certificate showing that the system is current and valid is something entirely different again. Imagine the scenario where you have a procedure in place for fire, you rehearse for the real thing by testing the bell and occasionally filing outside. But what happens on the ‘day of reckoning’ if you grab the extinguisher and find the pressure is too low to be effective? Up-to-date certificates eliminate that issue.

I have heard, on a number of occasions, of companies that carry out backups religiously. They change the backup tapes daily and check the log to see that the backup has completed successfully. However, come the ‘day of judgement’ – the tapes have an error and simply will not give back the data. No certificate!

If your business is like most businesses I know, backup is probably something you understand the importance of and practise on a daily basis. However, experience would lead me to believe that there is no formal plan in place of what to do in the event of serious data loss.

Backup IT Business Plan

Here are some of the things we think should be in your plan of action:

  1. If the main server is lost, stolen or damaged by fire, how long would it take to replace it?
    1. Do you know the specification of the server you would need?
    2. Do you have the driver disks?
    3. Do you know what programmes and versions are installed?
    4. Do you have the licence keys?
    5. What happens if the model of server lost is no longer available?
  2. Does your server have a warranty replacement policy?
  3. If a workstation went down could a user ‘jump’ on a spare machine, see their files and folders and go straight to work?
  4. Where is the latest backup kept?
  5. Do you have a ‘certificate’ that shows everything has been tested and is up to date?

The law requires that you have certain procedures in place to deal with the possible event of fire. The law also states that, [1]“You must safeguard your own or anyone else’s data, by appropriate precautions against loss, corruption or unauthorized disclosure”

Data Statistics

Statistics show that, in the event of a company not being able to recover from data loss, [2]60% of companies that lose their data will shut down within 6 months of the disaster. Further statistics show the following information:

  • [3]99% of all businesses do not do a daily backup
  • 60% of backups are incomplete
  • 50% of restores fail
  • Only 25% of backup tapes are stored off-site
  • End user compliance with backups is only 8%
  • 43% of companies that experience a severe data loss disaster, and that have no recovery plan in place, never re-open

Without scaremongering, you are more likely to experience an issue requiring data recovery than you are to deal with a real fire.

For further information about Back Ups please visit my website at http://www.b-d-p.co.uk

Notes:

[1] Data Protection Act 1998

[2] http://www.bostoncomputing.net/consultation/databackup/statistics/

[3] http://www.sequredata.com/data-loss-facts.html

How to Spot an Email Containing a Virus/Spyware Threat

December 13th, 2011
Last month I was going through my emails when I spotted one addressed to me from myself!
I looked at it for a few moments, racking my brains to recall why I had sent myself an email from my Yahoo account. What’s more, I noticed that several other people had been copied in on the email. My suspicions were definitely aroused when I noticed a single link in the email contents.
Within about five minutes of seeing the emails I had two calls from people that had received the email, asking me why I had sent it to them.
 
Email Spoofing
Wikipedia defines email spoofing as follows:
‘Email spoofing is email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP doesn’t provide any authentication, it is easy to impersonate and forge emails.
 
Although there are legitimate uses, these techniques are also commonly used in spam and phishing emails to hide the origin of the email message.’
In short, my Yahoo account had been ‘hijacked’ and people listed in my contacts were being targeted by villains to cause mischief and mayhem. Fortunately I use the Yahoo account mainly for test purposes and don’t really store contacts on the account – if I did, the fallout could have been a lot worse.
Here are some top tips on how to spot an email containing a virus/spyware threat:
1. If you do not recognise the sender (no good for spoofed emails) don’t open the email – delete it.
2. Be especially careful opening emails that could be legitimate, e.g. you are waiting for a parcel and get an email from Parcel Force or some other well known carrier.
3. An email that suggests that your password has expired and you need to click a link to reset it! Why would an organisation that processes thousands if not millions of accounts stop to ask ‘little old you’ to change your email password? Responsible departments like Government offices, banks, building societies etc would never contact you to ask you to log in and change or confirm account details.
4. If the email contains no ‘Subject’ treat with extreme caution.
5. If there is only a link in the message treat with extreme caution.
6. If you receive a combination of an email with no ‘subject’ simply containing a link from a ‘known sender’ treat with extreme caution.
Good anti-virus products that contain plug-ins for email scanning are not foolproof, but they are another layer of protection you should opt for.
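
Tips 4 to 6 can be checked mechanically. The following is an added example, not part of the original article: it parses raw messages with Python's standard email module and reports which of those warning signs each one shows. The sample messages, the addresses and the extra Return-Path comparison are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample: no subject, link-only body, "From" one of our own contacts.
SUSPICIOUS = """\
From: Steve <steve@example.com>
To: friend@example.org
Return-Path: <bounce@mailer.example.net>
Subject:

http://constructed.example/offer
"""

# Constructed sample: an ordinary message that happens to contain a link.
ORDINARY = """\
From: Alice <alice@example.org>
To: steve@example.com
Return-Path: <alice@example.org>
Subject: Minutes from Tuesday

Hi Steve, the minutes are at https://intranet.example.org/minutes for review.
"""


def _address(msg, header):
    """Lower-cased e-mail address from a header, or '' if the header is absent."""
    return parseaddr(str(msg[header] or ""))[1].lower()


def warning_signs(raw_message, known_senders):
    """Return the set of warning signs that a raw e-mail message triggers."""
    msg = message_from_string(raw_message, policy=policy.default)
    signs = set()

    # Tip 4: no Subject (header missing, or present but empty).
    if not str(msg["Subject"] or "").strip():
        signs.add("no_subject")

    # Tip 5: the plain-text body is nothing but one or more links.
    # HTML-only messages have no plain part and are not judged here.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    if URL_RE.search(body) and not URL_RE.sub("", body).strip():
        signs.add("link_only")

    # Tip 6: both signs together, apparently from someone you know. The From
    # header proves nothing by itself, because core SMTP does not check it.
    sender = _address(msg, "From")
    if {"no_subject", "link_only"} <= signs and sender in known_senders:
        signs.add("known_sender_combo")

    # Added check, not one of the article's tips: the bounce address is on a
    # different domain from the visible sender. A weak hint only, since
    # mailing lists and bulk mail services do this legitimately.
    bounce_domain = _address(msg, "Return-Path").rpartition("@")[2]
    if bounce_domain and bounce_domain != sender.rpartition("@")[2]:
        signs.add("return_path_mismatch")
    return signs


if __name__ == "__main__":
    contacts = {"steve@example.com", "alice@example.org"}
    print(sorted(warning_signs(SUSPICIOUS, contacts)))
    print(sorted(warning_signs(ORDINARY, contacts)))
```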
 
Hacking of Web Mail Accounts
Regular readers of our newsletter may recall an article I did earlier this year about the problems users have experienced with online email accounts.
The fact that my Yahoo account has been ‘hacked’ brings up another serious point of consideration. How safe are accounts held in the ‘CLOUD’?
Without wanting to scaremonger, I did a quick web search for ‘hacking of Yahoo account’ on Google and found a surprising amount of disturbing information. Although I have not tried any of the suggestions, it appears that hacking an account is simple.
I went onto the Yahoo website to see what could be done about my hacked account and found the following information:
‘If spam is being sent from your account, or data is inexplicably missing, it is likely that your account has been compromised. We urge you to complete the following steps immediately to protect your account:
1. Change your password immediately. This will prevent a third party from continuing to access your account. If your password no longer works, please visit our password reset wizard.
2. Verify that your account’s alternate email address has not been changed. If it has, correct it to match your records. This ensures that a third-party will be unable to access your new password.
3. Check your inbox and your Yahoo! Contacts list to ensure that data has not been deleted. If data is missing, there is a limited time frame in which it can be recovered. Please contact us immediately to request a restoration attempt.
Please visit our security centre to learn more about protecting your online security and your Yahoo! Mail account.’
 
For more help or information about Computing please visit my website at http://www.bryansdataprogramming.com/
Regards, 
Steve Bryan

Problems Sending Emails from Tablets and 3G Phones

November 30th, 2011

As IT consultants we get a steady stream of customers asking how to configure their Tablet to send emails from their POP accounts.

If the Tablet is being set up to use at home or a fixed location that has a Wi-Fi connection the solution is generally very easy. The SMTP settings need to be set to the details of the ISP. Because of problems with spam most ISPs do not allow the open relay of emails over their servers, so authentication is required.

The problem however occurs if the Tablet is being used on the move and the connection to the Internet is via 3G.

Most 3G service providers do not provide the facility for sending of emails from POP accounts. After spending hours trawling through the internet, it appears that this is a common problem. There are several different popular suggestions for solutions to the problem. However a solution that may work for one tablet may not work for another – very frustrating to say the least.

We have come across a number of third party products that provide a facility allowing the routing of emails from devices like Tablets and Smart phones. These products do all require that you sign up for them. Nearly all the ones I have found make a charge for the service and prices vary depending on your ‘expected use of the service’. Trying to follow the many options available requires a considerable amount of effort to get the best deal for your circumstances.

Finally after all my online digging I struck gold! I’ve found there is one supplier of SMTP routing that stood out from the crowd, and would be ideal for the small time user. The service is FREE if you send less than 200 emails per month and allows you to have a generous 20 MB of data.

Most Tablets allow more than one set of outgoing SMTP settings to be configured. If the first fails it defaults to the next and so on. When we tested our preferred product we noticed it needed to be the first set of SMTP settings. This is not really a problem because when you can access the Internet via Wi-Fi settings the others can be disabled.

I hope this is of help to anyone who wishes to use their tablet for sending emails whilst on the go! One of the reasons the tablet was first created!

No Backup Today = Tears Tomorrow

November 30th, 2011

What would you do if you lost part or all of your data?

Nothing strikes more terror into a computer user than when they realise, for whatever reason, that there is a problem with the system and the data is in danger of being lost.

This can be disastrous for both business and home users.

The truth hits home with the equivalent force of being hit by a bullet at point blank range. You can literally see the colour drain away from the face of anyone facing this issue. Even if the data is relatively small, the prospect of rebuilding it is daunting. For some, the consequences are more severe. The Sunday Times reports the following sobering statistics:

80% of all companies suffering a computer system breakdown go out of business within 18 months, and a further 5% cease trading within 5 years.

Only recently a customer called for help after discovering that the hard disk drive had failed in the server machine running the network. This computer contained the full trading history of his business, going back many years. He did not have a single backup he could go to. He was not even able to access the programme disks.

Protection against life’s uncertainties
Insurance is available to protect us against life’s uncertainties. The greater the potential financial loss, the more likely we are to take out insurance. Here are a few examples of situations where insurance is compulsory or highly advisable:

  • Life assurance
  • Buildings and contents
  • Motor
  • Employer’s liability
  • Travel
  • Sickness and accident
  • Loan repayments

Of course individual priorities will vary according to personal needs.

  • Death is an absolute certainty. Failure to take out life assurance would be very short sighted indeed.
  • If you own property you will not get a mortgage with a recognised lender unless you take out buildings insurance. You will also be taking a big risk if you do not cover the contents.
  • If you own a motor vehicle, you are legally required to take out insurance if you intend driving it on the roads.

Protection against computer failure
If you use computers to store valuable data you should regard it as inevitable that one day, today or tomorrow, sooner or later, your system will encounter some sort of problem that puts it at high risk. Failure to protect your data by the use of backups is like failing to take out life assurance. If (or when) the day of reckoning comes, you may wish that the ground would open and swallow you up.

It should be pointed out that the value of data should not be underestimated. Personal data on a home computer is just as valuable to a home user as data held by a business.

Imagine that you have spent weeks putting together a homework project, or years collecting data about your family history. What would your reaction be if you discover a problem that causes you to lose all of your work?

Failure to back up your data is to live under a false notion: ‘it will never happen to me.’

Types of backup:

  • Tape streamers
  • RAID controllers and Backup servers
  • Compression software
  • USB and High capacity drives
  • Off site backups

Tips about backing up

Keep backup media in a safe place
There is no point going to the trouble of backing up if you leave the backup medium in the computer. If there is a fire, or your computer is stolen, what do you do then?

Use high standard quality backup media
Failure to do so is like making a copy on a scrap or screwed up piece of paper. Don’t be surprised if you can’t read it when it matters.

Backup everything you cannot afford to lose
Gamblers have a rule that you should only bet what you can afford to lose. Use the same rule for your data. If it is important to you, back it up.

Test the backup
We know of companies that night after night have backed up religiously but come the day of reckoning they discovered that the backup does not work. A backup cannot be guaranteed until it has been tested.

Never test a backup by restoring over live data
If there is a problem with a backup you will almost certainly corrupt live data if you restore it. Test backups by restoring to a different location, or better still, to a different computer.
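
A trial restore along the lines of the two tips above, as an added example rather than anything from the original article: it restores a tar archive into a scratch directory, never over the live data, and compares every file against checksums recorded at backup time. The function names and sample files are constructed; the resulting report is one way to produce the ‘certificate’ asked for in the backup plan earlier on this page.

```python
import hashlib
import shutil
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(live_dir, archive):
    """Archive live_dir and return a manifest {relative path: sha256}."""
    live_dir = Path(live_dir)
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in live_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(live_dir).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    return manifest


def verify_backup(archive, manifest):
    """Trial-restore into a scratch directory (never the live one) and compare."""
    report = {"unreadable": False, "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory(prefix="restore-test-") as scratch:
        root = Path(scratch).resolve()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar:
                    target = (root / member.name).resolve()
                    # Only regular files, and only inside the scratch directory.
                    if not member.isfile() or root not in target.parents:
                        continue
                    target.parent.mkdir(parents=True, exist_ok=True)
                    with tar.extractfile(member) as src, open(target, "wb") as dst:
                        shutil.copyfileobj(src, dst)
        except (tarfile.TarError, EOFError, OSError, zlib.error):
            report["unreadable"] = True  # the "tape has an error" case
        for rel, expected in manifest.items():
            restored = root / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_of(restored) != expected:
                report["corrupt"].append(rel)
    report["ok"] = not (report["unreadable"] or report["missing"] or report["corrupt"])
    return report


def demo():
    """Constructed data: back up two files, then damage the archive and retest."""
    with tempfile.TemporaryDirectory() as work:
        live = Path(work, "live")
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2012-05-02,100\n")
        (live / "notes.txt").write_text("constructed sample data\n")
        archive = Path(work, "backup.tar.gz")
        manifest = make_backup(live, archive)
        good = verify_backup(archive, manifest)
        # Simulate a bad tape: keep only the first half of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_backup(archive, manifest)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("intact archive:", "damaged archive:"), demo()):
        print(label, result)
```

Keep the manifest somewhere other than the backup medium itself, so that a damaged archive cannot take its own checksums with it.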

Have a backup Strategy
If you use tapes, do not use the same tape each time. If you do, you are destroying the previous backup. Have a number of sets of tapes, clearly labelled, that can be used in rotation. Keep a written record of the backups you are doing.

One copy is not a backup
Many people use USB drives as a backup. USB drives can fail, be lost or put into the wash in your pocket easily. One copy is not a backup!

Disaster Recovery
If you ignore the need for backups there is a ‘last resort’ option available. You can employ the services of a disaster recovery company. There are no guarantees that they will be able to recover your data, but one thing is certain – you are looking at a large bill that could have been avoided!

I’m off to do my backups now.