The A to Z of security

Cracking the code - a guide to IT security

Horror stories about viruses, denial of service attacks and IT system shutdowns are common place in today’s media. But, how do you separate the myth from the reality?

BT Businesses ‘Cracking the code - a guide to IT security’ gives you the basics on IT security from A through to Z. It deciphers the technical jargon into plain English so you can get up to speed on what’s hot and what’s not in IT security.

‘Cracking the code’ includes basic advice for small-to-medium-sized enterprises (SMEs) on how you can protect your business from the most common IT security threats, as well as what to do in the event of an attack.

A is for authentication

How do you verify an individual’s identity before giving them access to your network? The majority of businesses use ‘one-factor’ security - users access a network with a personalised password known only to them. Companies holding highly sensitive data often combine a number of access methods. This might be passwords and pin numbers, and in the future will include biometrics such as retinal scans, finger or voice prints.

B is for backup

It’s all very well storing data on computers but if anything happens to them your business could face serious problems. After all, the cost of downtime can amount to thousands per hour. It’s therefore imperative to establish a regular regime of data backups, which can then be stored offsite. If the worst does happen, at least you can be confident that your valuable company data is secure. And don’t forget to virus scan the backups, just to be extra safe.

C is for crack

These are little programs that can be downloaded for free over the internet, enabling users to break into password-protected files. To safeguard against these attacks, you need to implement strong password encryption (see E is for encryption).

D is for disaster recovery

A disaster recovery plan provides an outline of what to do in an emergency, such as in the event of a terrorist attack or natural disaster, so that a business can be back up and running in just a short space of time. Areas covered should include key business processes and contacts, precautions and preventative measures, as well as remedies to potential disastrous scenarios.

D is also for don’t download pirated software!

Much of the pirated software that is available over applications like the Kazaa or Warez websites has been reprogrammed to contain malicious code, like Trojans which will open back doors into your systems. Regardless how tempting the offer is, or how expensive the software might be through a legitimate source, remember, if it is too good to be true, it invariably is.

E is for encryption

Essentially, encryption means converting data into code so that it cannot be read by unauthorised parties. It’s particularly useful when dealing with highly sensitive information such as confidential business plans, financial information or credit card data. Typically, encryption is based on complex computer programs, which take the data, bit by bit, and scramble it so that it cannot be read without the corresponding decryption program.

F is for firewall

A firewall is essentially an electronic barrier that sits on a network server and protects the PCs hidden behind. It serves as a defence against external threats by screening all incoming information against a number of set rules to ensure it comes from a secure source. Firewalls cost anything from about £30 for a boxed product and from £250 for an installed solution. They can also be paid for on a monthly basis with the supplier providing regular upgrades. Firewalls can be purchased online or from IT specialist outlets and systems integrators.

G is for global threat

The internet is turning the world into a huge global community through improved communications. The downside of this is that viruses can be spread faster than ever before. Companies of all sizes need to ensure they are adequately protected. Recent research by McAfee found that seven out of ten SMEs have received a virus, costing them an average of £843 and 7.2 hours in lost computing time.

H is for hackers

A commonly used term for people who gain illegal access to data held on IT systems either on the premises or via telephone connections. Often only applied to outsiders, the biggest threat can actually come from within an organisation. There are a whole raft of procedures that can be put in place to curb this type of threat, ranging from increased password protection and firewalls to network management controls.

I is for intrusion detection

Intrusion detection systems act in the same way as having a burglar alarm on your house. They pick up signs of unusual network activity and alert you that action may need to be taken if an unauthorised user is trying to access your network. This type of software can be bought online or from systems integrators and IT resellers.

J is for Javascript

This is a programming language which virus writers and hackers may use as the basis for their programs.

K is for KISS

Keep It Simple Stupid - you don’t need to go over the top. Look at what’s important to your business and take the necessary precautions to protect your core assets. Security doesn’t have to cost a fortune. In fact, too much can be more of a hindrance than a help as it can place restrictions on your day-to-day activities.

L is for loose talk

Loose talk about your passwords and security is very dangerous and you should always avoid talking freely with people about them. The easiest way to deter thieves is by safe guarding your information. Make sure you keep passwords secure and protect online access information.

M is for misuse

Email and internet abuse, such as sending offensive material, spamming or wasting company time surfing the Net is commonplace. Used in the right way, email and the internet can be of great benefit to business but in the wrong hands it can do enormous damage. Implementing email and internet policies detailing what’s considered appropriate usage makes it clear to employees what’s acceptable behaviour and what’s not. These policies must be regularly updated and promoted heavily around the organisation for them to succeed.

M is also for mobile computing

Employees like to take laptops home where they connect to the web or allow members of the family to connect to the web. Nearly all viruses are Trojans introduced to the work environment in this way. Ensure that you have policies in place to restrict the personal use of mobile computing devices and more importantly the capability to restrict the ability of users to bring malicious code (virus, Trojans and other applications) into the office.

N is for network management

Many security threats originate from inside an organisation. When you have a number of computers linked via a network, it’s important to bear in mind who should have access to what. Staff must be able to use the directories that they need to do their jobs, but access to confidential business information should be restricted to those who need to see and use it.

O is for operating system

This is the first place you should look when assessing the security of your systems as the operating system is where the most damage can be done. In some cases, older software is not as secure as the latest versions so check with the vendor for any software patches or the possibility of upgrading.

P is for password

Think about the passwords you use in your daily life? Is it your wife/husband’s name? Your pet’s name? Your mother’s maiden name? Chances are, you’ll answer yes to at least one of these questions. With just a little guesswork, someone who knows you just fairly well could probably work it out. So, how can you make passwords more secure? Change your passwords on a regular basis, use a combination of numbers and letters, and base it on something that cannot be linked to your everyday life.

P is also for physical security

Don’t forget to label equipment with security codes so that if it is stolen, it can easily be identified if recovered by the police.

Q is for qualification

It’s important that your staff are clear on your company’s security policy. You need to put pen to paper and make sure that everyone recognises the rules and guidelines within your organisation so that there are no misunderstandings.

R is for restore

Have you tested your backups? Can you restore files successfully? The worst time to find out that you can’t access your backup files is when you’ve lost your data and are trying to get it back.

S is for shoulder surfing

The practice of standing behind someone as they log on and making a note of the passwords they use. There’s only one way to protect yourself from this and that’s to watch your back!

T is for Trojan horse

Like the Trojan horse in the Greek tragedies, this is a program that may look harmless on the outside but in fact can do real damage if you let it into your system. Most anti-virus vendors offer solutions that can protect against this sort of virus.

U is for useful websites

The Web is packed with advice on IT security. It’s a great source of information, particularly when there’s a virus outbreak. A number of anti-virus vendors offer software patches as soon as they become available. They can also help you verify the seriousness of a threat and identify hoaxes.

U is for update too

It is no good having the latest cutting edge software if you don’t keep it up to date with the manufacturers’ normally freely available patches.

V is for viruses

Viruses aren’t necessarily destructive, but they are the most likely kind of attack. The definition of a virus is that it’s a program that reproduces itself. However, many do carry destructive payloads too. Viruses can enter a PC or network from disks or via the internet and email systems. There are a number of vendors offering anti-virus solutions that should be used to check every file/disk that comes into your business. In essence, even the most basic security should include an anti-virus solution.

W is for worms

Worms are a self-replicating computer program, that uses a network to send copies of itself to other systems and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses infect or corrupt files on a targeted computer.

X is for activeX

The Microsoft equivalent language to Javascript. See J is for Javascript.

Y is for why you should bother with security

Just think about what you would lose in the event of an IT security problem. How much is your IT kit worth? How would you replace lost data in the event of an attack? Can you afford for unauthorised parties to access confidential business information? What would be the effect on your business of your PCs going down? Enough said.

Z is for zero downtime

The nirvana of any security strategy - ensuring your systems are up and running 24x7. This really comes down to two things - planning and protection - and involves a combination of the measures highlighted in this guide.

In conclusion, understanding the A-Z of IT security is fundamental to keeping your organisation safe from both internal and external attack. This guide is to illustrate some of the issues and is not intended to be exhaustive. We recommend that you take appropriate advice to meet your security requirements. The absolute imperative is to develop an overall security policy that includes all requisite security solutions. This should cover every aspect of security, from virus protection to disaster recovery plans, and from authentication devices to internal audits. After all, it’s no good spending thousands on a firewall if you leave the front door wide open at night…