COMPUTER SECURITY - GONE PHISHING
American College of Trust and Estate Counsel
Big Ten Regional Meeting
Chicago, Illinois

December 6, 2008

Kenneth P. Barczak
Schober & Radtke S.C.
W. National Avenue
New Berlin, WI
(262)

TABLE OF CONTENTS

A. Computer Security Threats
   1. Malware issues
      a. Hoaxes
      b. Botnets
      c. Types of botnet attacks
         1) Spam distribution
         2) Installation of keylogging software
         3) DoS (Denial of Service) Attacks/DDoS (Distributed Denial of Service) Attacks
   2. Theft, physical destruction, or loss, of data, computers and related hardware
   3. Hacking/crimeware
   4. Remote access computing
      a. WiFi hot spots/wired networks
      b. Home WiFi networks
   5. Social engineering/phishing/identity theft
      a. Social Engineering
      b. Phishing/Identity theft
   6. Web 2.0 applications - social networking

B. Implementation of Best Practices
   1. Determine the gateway
   2. Protect the gateway
      a. Install
      b. Maintain a password policy
      c. Review metadata policies
      d. Consider Web 2.0 technologies
      e. Secure remote access connections
         1) Remote access/remote devices
         2) Types of remote access connectivity
            a) Wireless
            b) Wired
            c) Aircard
         3) Methods of remote access of data/applications
            a) Web based VPN
            b) Client based VPN
            c) Microsoft Terminal Services
            d) MPLS VPN
            e) Home VPN access
            f) UTM appliance connectivity
         4) Endpoint security
            a) Network access control
            b) Remote Wipe
            c) Minimum endpoint security
         5) Endpoint extension
            a) Cloud computing
            b) Virtualization

   3. Establish a backup/restore procedure
      a. Types of backup
         1) Full - normal
         2) Incremental or differential
         3) Immediate
         4) Disk vs. Tape
         5) Mirroring vs. RAID
      b. Types of hard drives to be utilized for backup procedures
         1) Direct attached
         2) Network attached
         3) Portable storage
         4) Online storage
      c. Restoring - the Key to the process - the need to reconstruct the data
      d. Imaging
      e. UPS (Uninterruptible power supply)
   4. Implement a computer use policy
      a. Review social engineering components
      b. Provide adequate training
      c. Exercise common sense

C. Information Technology Personnel Responses to Computer Security Issues - Based on Firm Size

D. Ethics
   1. E-mail ethics
   2. Metadata ethics
   3. Online Backup Systems ethics
   4. General sources
      a. American Bar Association Legal Technology Resource Center
      b. Legal

E. ACTEC Website
   Presentation outline
   Computer Security: Fact or Fiction
   Computer Security link
   Technology in the Practice minutes

F. Conclusion

G. Informational Sources
   TechnoLawyer Free Newsletters via e-mail
   The Lawyer's PC
   Annual Law Firm Software Directory
   ABA Techshows
   International Legal Technology Association

ADDENDUM - Links

A. Computer Security Threats

Computer security threat considerations have escalated over the last decade from concerns related to floppy disk exchange/transfer management, to exercising caution in opening attachments, to the point where they now encompass the following areas:

- malware issues
- theft, physical destruction, or loss, of data, computers and related hardware
- hacking/crimeware
- remote access computing
- social engineering/phishing/identity theft
- Web 2.0 applications - social networking

1. Malware issues

Although one of the most commonly used security threat terms is "virus," the word is used to mean different things at different times. The more appropriate terminology that gives a comprehensive overview of these concerns is malicious software (malware). Malicious software includes viruses, Trojan horses, worms, rootkits and bots. It generally has two components: a payload (i.e., a virus) and a propagation mechanism (the replication code that spreads the virus). Usually attacks are blended, exploiting technological vulnerabilities and social engineering, and challenging both e-mail and Web security. The total number of variations of malware is anticipated to reach one million by

a. Hoaxes

Hoax messages, which, unlike malware, are not capable of infecting the computer, still exist. They are, however, far less prevalent in scope, since a hacker's resources can be better spent on exploits culminating in monetary gain.

b. Botnets

Of particular threat concern is the proliferation of (ro)bot malware, consisting of software which, once successfully installed in a computer, allows an unauthorized person remote access to the computer via the internet, resulting in issuance of remote commands. A botnet (robot network) consists of a large number (in the thousands) of compromised computers. Whereas, in prior years, virus infiltrations were primarily designed to shut down the computer, botnet installation will not disable the computer, and will remain transparent to the user, since the infected computer must remain functioning and connected to the internet for the botnet to work.

c. Types of botnet attacks include:

1) Spam distribution

A large percentage of spam comes from networked botnet computers. A botnet can use an infected computer to harvest addresses from the user's contact lists, and thereafter send massive amounts of spam, or phishing, e-mails. Spam remains a major presence on the internet today.

2) Installation of keylogging software

Keylogging (or keystroke monitoring) is a method of capturing information and recording user keystrokes through software programs downloaded from the internet or also through physical access to the computer. This type of malware can capture user IDs and passwords sent to password-protected web sites, such as online banking. The individual user names, passwords, and bank card PINs of the computer's owner are sent to a hacker's website.

3) DoS (Denial of Service) Attacks/DDoS (Distributed Denial of Service) Attacks

The botnet instructs infected computers to contact a specific corporate server or website repeatedly, causing service to authorized users to be delayed or prevented, and, because of the sudden increase in traffic, the site may shut down. Hackers look for computers, including desktop computers in homes and low-profile small offices, that are permanently connected to the internet and not protected by firewalls.

The threats are real - evidence the following:

Example: In 2008, the Storm Worm Virus spread through spam e-mails which directed the recipient to click on a link to view an article about the FBI vs. Facebook. Clicking on the suggested link downloaded malware onto the internet connected device, causing it to become infected with the virus and part of the Storm Worm botnet. The Storm Worm virus has also been spread in e-mails advertising a holiday e-card link.

Example: In 2008, CNN was targeted by a DoS attack in an attempt to interrupt its news Web site.

Example: In 2008, a DDoS attack hit government websites in the former Soviet republic of Georgia.

Example: In 2007, the Storm Worm Virus, again, spread in the form of a spam e-mail with subject lines like: "Are you ready for football season?"; "Free NFL Game Tracker"; "Football Season Is Here!"; and "Do you have your NFL Game List?" The e-mail contained a link to a web page with actual game results, with the lure being a Game Tracker button in the upper right of the web page meant to draw users into downloading the free 'Game-Tracker' tool; however, all URLs in the page linked to a malicious file pointing to a "NFL Tracker" Storm Worm trojan download.

2. Theft, physical destruction, or loss, of data, computers and related hardware

Numerous incidents of theft, or loss, of laptops, BlackBerrys, PDAs, USB sticks (i.e., thumb drives), and portable hard drives have been reported.

Example: In 2008, London - a computer containing banking security details of more than 1 million people was sold on eBay for $64. The computer contained account numbers, passwords, cell phone numbers and signatures. The computer was sold without wiping the internal hard drive.

Example: In 2008, a survey commissioned by Dell indicated that, at airports included in the survey, over 600,000 laptops are lost each year. The majority of them had not been reclaimed.

3. Hacking/crimeware

Hackers were once comprised of a group of young computer-savvy individuals whose primary motive was to gain notoriety through sophisticated computer
exploits. As evidenced by the proliferation of botnet attacks, the most apparent trend is the change in the underlying motivation behind the attacks. The attacks are now classified as crimeware incidents - attacks bent on obtaining personal and financial information on individuals and businesses, driven by a profit motive.

Example: At the ACTEC 2006 Annual Meeting in Scottsdale, AZ, at a Computer Workshop, Paul Cook, a representative from Microsoft, spoke on the topic "Computer Security: From Y2K to Windows Vista - Are We More Secure?" In the presentation, the following examples of information available for sale on the internet black market were provided: customized Trojan program, which could be used to steal online account information - $1,000 - $5,000; credit card with PIN - $500; driver's license - $150; birth certificate - $150; social security card - $150; PayPal account log-on and password - $7.

4. Remote access computing

Mobile devices are exposed to a variety of threats. Remote access to the office through laptop computers or BlackBerry and other PDA devices has magnified the perimeter over which malware can be introduced to the internal office network.

a. WiFi hot spots/wired networks

WiFi hot spots in airports, cafes and kiosks, as well as hotel wired and wireless networks, are often unencrypted, insecure connections with improper configuration of firewalls, or the total lack of end-user device security. The increased use of wireless connections to the internet has also increased the risk of MitM (man in the middle) attacks. These occur in a public setting when a hacker in proximity to a laptop user creates a soft WiFi network access point connection to intercept the user's requested connection to a targeted website. The hacker then connects to a real access point through another wireless card, thereby offering a steady flow of traffic through the transparent hacking computer to the real targeted website. In actuality, the user, by connecting to the soft access point, is communicating with the hacker's laptop computer. The hacker intercepts all requests, and the hacker can then obtain identity information from the communications relayed between the user and the targeted website.

b. Home WiFi networks

Home WiFi networks possess security risks since most WiFi routers use default security settings that come pre-installed by the vendor and many end
users do not reconfigure these settings. An attacker can gain access to the administrative console of the router through the default password provided by the vendor, and can download malware to steal personal information for identity theft.

5. Social engineering/phishing/identity theft

a. Social Engineering

Social engineering (in contrast to physical computer security) encompasses the art and science of psychological tricks to get the desired results from human beings and to make them commit to unauthorized operations. The goals of social engineering are the same as traditional hacking, with emphasis on implementing social skills and exploiting human tendencies. Also, cultural analysts generally divide today's employees into three generations: Baby Boomers, Generation X and Generation Y, each with distinct behavioral patterns that affect risk levels in different ways.

Example: Social engineering the USB way. Conference attendees are increasingly becoming unwitting distributors of malware. USB sticks (i.e., thumb drives) distributed at conferences may contain malware that could infect victims' computers and connect them to botnets. Attendees generally readily use such free devices due to their utility, and eventually insert them into firm computer USB slots, thus infecting the computer. The issue is usually not with the vendor who distributes the USB drives, but rather with the source of the wholesale distributor from whom the conference vendor obtains the drives.

Example: In 2003, a London survey examined the origin of user passwords. The most common password was "password" (12 per cent) and the most popular category was the user's own name (16 per cent) or date of birth (8 per cent). Two thirds of workers had given their password to a colleague and three quarters knew their co-workers' passwords. In addition to using their password to gain access to their company information, two thirds of workers used the same password for everything, including their personal banking, website access, etc.

b. Phishing/Identity theft

Phishing/Identity theft attacks are the most prevalent form of the use of social engineering to steal personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails to lead users to counterfeit websites designed to trick recipients into divulging
financial data such as credit card numbers, account usernames, passwords and social security numbers, thereby having the user surrender private information that will be used for identity theft. Sites impersonated in phishing attacks have included Citigroup, Bank of America, eBay and PayPal.

Example: In 2008, thirty-eight individuals in the US and Romania were charged with identity theft, alleging they used complicated internet phishing schemes to steal thousands of credit and debit card numbers.

Example: In 2008, messages were distributed that appeared to be official subpoenas from the United States District Court in San Diego. A link embedded in the message purported to offer a copy of the entire subpoena. A recipient who tried to view the document downloaded and installed software that secretly recorded keystrokes and sent the data to a remote computer over the internet, allowing a criminal element to capture passwords and other personal or corporate information. Another piece of the software allowed the computer to be controlled remotely.

6. Web 2.0 applications - social networking

The current phase of internet (Web) usage is commonly referred to as Web 2.0. Features of this phase include social networks, online media access (music, video, etc.) through peer to peer (P2P) file sharing, and RSS (Rich Site Summary) feeds such as blog entries and news headlines. The risks associated with Web 2.0 applications include vulnerability as targets for phishing scams, malicious code attacks and information exposure, not to mention associated loss of productivity.

The following list of Web 2.0 technologies are presently in the mainstream:

- Peer to Peer (P2P) File Sharing - Examples: Torrents, Kazaa
- Social Networking - Examples: MySpace, YouTube, Facebook, blogs
- Instant Messaging (IM) - Examples: Yahoo/IRC (Internet Relay Chat), and phone texting
- Removable Media - Examples: USB sticks, camera/phones, iPod/PDA, laptop, WiFi

Note: , a well known social networking site, is generally considered an acceptable application.
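
The subpoena lure described under 5.b above worked because the link's visible text and its real destination differed, and the destination was an executable. The following Python program is an added example, not part of the original outline: it parses the anchors of an HTML e-mail and reports the three tell-tales present in that example, namely a link whose displayed host differs from its actual host, a link that downloads an executable, and a link whose host is a bare IP address. The sample message is constructed for this illustration; its domain uses the reserved .example suffix and its IP address comes from a documentation range.

```python
"""Flag suspicious links in an HTML e-mail body (added example, defender's view).

Checks:
  1. visible anchor text looks like a host or URL, but the href goes elsewhere;
  2. the href downloads an executable file;
  3. the href host is a bare IP address instead of a domain name.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of download suffixes worth flagging in mail.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com", ".zip")
# Visible text that names a host, with optional scheme, "www." and path.
HOST_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-case host of a URL; schemeless text is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html):
    """Return [(href, reason), ...] for every anchor that trips a check."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        path = urlparse(href).path.lower()
        if IPV4.match(host):
            findings.append((href, "link host is a bare IP address"))
        if path.endswith(EXECUTABLE_SUFFIXES):
            findings.append((href, "link downloads an executable file"))
        shown = HOST_LIKE.match(text)
        if shown:
            shown_host = shown.group(1).lower()
            # A subdomain of the displayed host (www.x vs x) is not a mismatch.
            if shown_host != host and not host.endswith("." + shown_host):
                findings.append((href, "visible text names %s but link goes to %s" % (shown_host, host)))
    return findings


# Constructed sample modelled on the "court subpoena" lure described above.
SAMPLE_EMAIL = """
<p>You are commanded to appear. View the full subpoena at
<a href="http://198.51.100.23/subpoena_view.exe">www.district-court.example/subpoena</a>.</p>
<p>Court directory: <a href="https://www.district-court.example/">https://www.district-court.example/</a></p>
"""

if __name__ == "__main__":
    for link, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", link, "-", reason)
```

The second anchor in the sample is clean (text and destination agree) and produces no finding; the first produces all three. A mail gateway or client plug-in would raise exactly this kind of warning before the user follows the link.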

B. Implementation of Best Practices

Currently, managing computer security involves the following considerations:

1. Determine the gateway

First, prepare an inventory of the various hardware devices utilized in the firm. Establish logs of when these items were acquired, purchased or leased, and their specifications. Include all remote access devices such as laptops, BlackBerrys, and iPhones, and all peripherals such as USB sticks, portable hard drives, Bluetooth and CD devices. Next, determine where the attorneys in the firm practice - remote offices, home, hotel rooms, airports - and the percentage of time working in each of these venues. This evaluation will determine the gateway that provides access to all of the firm's data and applications. Available software and hardware technologies and products must then be examined to protect the gateway.

These issues are managed in the larger firms through IT departments numbering in the range of 10 full-time personnel to over 80 personnel, depending upon the size of the firm, with implementation of services being, for the most part, transparent to the attorneys in the firm. In a small firm setting, there is rarely an opportunity to have IT personnel on staff; therefore outsourcing of this management is prevalent, along with coordination with an on-site staff person, or attorney, knowledgeable in the technology area.

In any such examination, the primary question to be asked is: why would any component of the gateway be given less credibility than any other in the examination process? For example, why would examination of the use of USB sticks be given less credence than the use of the file server at the main office, or why would examination of working at a remote site, such as a hotel room, be given less credence than working on a network connected computer at the main office? The fact is that there are widely different approaches taken when it comes to gauging the importance to be given to any of these various scenarios, and yet they are all part of the same gateway, and the only component that is required by malware for it to become operative is an entry point to the gateway. Therefore, when examination of the gateway is undertaken, give as much credence to one area as the other, obtain information regarding the available protections provided by vendors, and make any final decision based upon the usual budgetary parameters. IT personnel will always be able to find software and/or hardware applications to meet any security specifications - it is the implementation of these security based applications that will become a trade off of risk vs. productivity,
requiring a balanced approach of convenience vs. security. The following section examines available alternatives to providing appropriate computer security for the firm.

2. Protect the gateway

a. Install:

- antivirus software
- anti-spyware and adware software
- anti-spam software
- a firewall
- the latest updates

Establish an anti-virus policy which would include not allowing the downloading of executables and documents directly from the internet, the running of unsolicited executables/documents/spreadsheets within the firm, and the playing of computer games or using screensavers which did not come with the operating system. Download updates on Microsoft's monthly Patch Tuesday. Be aware of conflicts in executables arising between different software applications when implementing new applications on the system. Wait until "service pack 2" before upgrading an application to avoid being an unwitting beta tester of the product.

Implement acquisition of a unified threat management (UTM) hardware appliance as another layer of security. This appliance is the next-generation network firewall. UTM appliances provide network level and content level protection through a combination of network-based zero day antivirus, antispyware, spam filtering, web and e-mail filtering, firewall, IPsec/SSL VPN, intrusion prevention, and traffic shaping capabilities. For small offices without in-house IT personnel, applying patches and updates to a single appliance is manageable. Utilize a purpose-built solution (ex. - Postini for spam protection - to allow for filtering prior to the spam reaching the UTM device) to supplement UTM appliance capabilities and to better utilize bandwidth for implementation of other applications on the UTM device itself.

Recommendations:

- Install the latest updates
- Review protection of desktop, network, and peripheral devices
- Install an anti-malware suite for desktops for inside-of-the-network protection
- Use a UTM (unified threat management) hardware device for the server for outside-of-the-network protection. These devices are affordable for any size firm

b. Maintain a password policy

Choose strong passwords - always combine letters, numbers, and punctuation. A strong password is a very powerful tool in the security arsenal. Consider the utility of using a passphrase vs. a password - usually a personal preference policy. Store passwords securely - encrypt and password-protect the file in which the passwords are saved. Consider downloading Counterpane Labs' free Password Safe utility, which utilizes Twofish encryption to encrypt the user name and password database. Use passwords securely. Use a different password for each system. Use different passwords to protect all critical accounts. Review the need for a second form of authentication, i.e., two factor authentication (also called strong authentication) - something you have (the device) and something you know (the device password).

Example: Two factor authentication could require: (1) utilization of a one time password generated by a hardware key fob or token - either time based or event based, combined with (2) a personal secret PIN or password to provide authentication. The user is generally locked out after a number of unsuccessful login attempts.

Recommendations:

- Create strong passwords. Use multiple words, mixed-case alphanumerics, and at least 12 characters to secure your passwords
- Consider two factor authentication for remote access connections

c. Review metadata policies

Over the last several years, articles have been published emphasizing the need to review documentation to be transferred to opposing counsel (or even clients), by way of e-mail or otherwise, so that such documentation is clean from internal revisions, comments, and similar in-house product prior to being transferred out of the office.
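
The open standards behind the one-time-password tokens described under 2.b above are HOTP (event-based, RFC 4226) and TOTP (time-based, RFC 6238). The following Python program is an added illustration, not part of the original outline and not any vendor's product: it generates both kinds of code from a shared secret and verifies a code together with a PIN, rejecting a replayed code and locking the account after repeated failures. The PIN, lockout threshold and clock values are constructed for the example; the secret is the RFC 4226 reference key, so the first code printed matches the RFC's published test vector.

```python
"""Two-factor authentication with a one-time password (added example).

HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated to
6 digits.  TOTP (RFC 6238): HOTP with the counter taken from the clock.
The verifier combines "something you know" (a PIN) with "something you
have" (the token's current code) and locks after too many failures.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 event-based code for the given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 time-based code: the counter is the number of steps since the epoch."""
    return hotp(secret, int(now // step), digits)


class TwoFactorVerifier:
    """PIN + TOTP check with replay protection and lockout (constructed policy)."""

    STEP = 30                                   # seconds per time step

    def __init__(self, pin, secret, max_failures=5, drift_steps=1):
        self.pin = pin
        self.secret = secret
        self.max_failures = max_failures
        self.drift_steps = drift_steps          # tolerate token/server clock drift
        self.failures = 0
        self.last_step_used = -1                # newest time step already accepted

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def verify(self, pin, code, now):
        """True only if PIN and code are both right; every failure counts toward lockout."""
        if self.locked:
            return False
        step = int(now // self.STEP)
        pin_ok = hmac.compare_digest(pin, self.pin)     # constant-time comparison
        matched_step = None
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = step + delta
            if candidate <= self.last_step_used:
                continue                                # a code for this step was used already
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                matched_step = candidate
                break
        if pin_ok and matched_step is not None:
            self.last_step_used = matched_step
            self.failures = 0
            return True
        self.failures += 1
        return False


SECRET = b"12345678901234567890"     # RFC 4226 reference secret; real tokens carry a random seed

if __name__ == "__main__":
    print("HOTP(counter=0):", hotp(SECRET, 0))           # 755224 per RFC 4226
    verifier = TwoFactorVerifier(pin="4321", secret=SECRET, max_failures=3)
    now = 59.0                                            # constructed clock reading
    code = totp(SECRET, now)
    print("first use of code:", verifier.verify("4321", code, now))   # True
    print("replay of same code:", verifier.verify("4321", code, now))  # False
```

The drift window and replay check are the two details that separate a working verifier from a toy: without the window, a token a few seconds off never logs in; without the replay check, a code captured by the keylogging software described in section A.1.c.2) could be reused within its 30-second lifetime.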
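
The review of outgoing documents described above is what metadata-scrubbing products automate. As an added example, not the outline's own material and not any of the products it alludes to, the following Python program opens a .docx (which is a ZIP archive), reads the author, last editor, revision count and timestamps from docProps/core.xml, reports whether reviewer comments (word/comments.xml) exist, decides whether a "prompt dialog" should fire, and writes a copy with the core properties blanked. The sample document is constructed in memory and is only a stand-in for a real file; the property names, namespace URIs and part paths are the standard OOXML ones.

```python
"""Inspect and strip identifying metadata from a .docx before it leaves the firm
(added example).  Author, last editor, revision count and timestamps live in
docProps/core.xml; reviewer comments live in word/comments.xml."""
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML namespaces used by docProps/core.xml
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)      # keep the usual prefixes when re-serialising

# Properties that reveal who drafted and revised the document, and when.
SENSITIVE = ("dc:creator", "cp:lastModifiedBy", "cp:revision", "dcterms:created", "dcterms:modified")
CORE = "docProps/core.xml"
COMMENTS = "word/comments.xml"


def inspect_metadata(docx_bytes):
    """Return {property: value} for the sensitive properties present, plus 'comments': bool."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if CORE in names:
            root = ET.fromstring(zf.read(CORE))
            for tag in SENSITIVE:
                el = root.find(tag, NS)
                if el is not None and el.text:
                    report[tag] = el.text
        report["comments"] = COMMENTS in names
    return report


def should_warn(report):
    """The 'prompt dialog' decision: is anything identifying still in the file?"""
    return report.get("comments", False) or any(k in report for k in SENSITIVE)


def scrub_core_properties(docx_bytes):
    """Write a copy with the sensitive core properties blanked.

    Comments are reported, not deleted: removing word/comments.xml also means
    fixing the package relationships, which is better left to the word processor."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE:
                root = ET.fromstring(data)
                for tag in SENSITIVE:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


def build_sample_docx():
    """Constructed, minimal stand-in for a firm document (not a complete, openable .docx)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
        '<dc:creator>associate.draft</dc:creator>'
        '<cp:lastModifiedBy>senior.partner</cp:lastModifiedBy>'
        '<cp:revision>47</cp:revision>'
        '<dcterms:modified>2008-12-01T10:15:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE, core)
        zf.writestr("word/document.xml", '<w:document xmlns:w="%s"/>' % w_ns)
        zf.writestr(COMMENTS, '<w:comments xmlns:w="%s"/>' % w_ns)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    before = inspect_metadata(doc)
    print("before:", before, "-> warn:", should_warn(before))
    after = inspect_metadata(scrub_core_properties(doc))
    print("after: ", after, "-> warn:", should_warn(after))
```

On the sample, the scrubbed copy still trips the warning because the comments part remains; that is the intended behaviour of a prompt dialog, which should keep asking until the document is actually clean.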
The nomenclature describing the existence of the above documentation has come to be known under the term metadata - data about data. Metadata portrays how, when, and by whom a specific set of data was gathered, and how the data is formatted. Metadata in itself is not malicious - ex. - consider Knowledge Management usage of metadata technology. Metadata software can be programmed with a prompt dialog to warn the user that the user is about to e-mail a document containing metadata. Affirmation of the existence of metadata concerns, along with a review of existing software solutions, should suffice to allow for requisite controls based on the desires of the user. ACTEC fellow John Rodgers, a member of the Technology in the Practice Committee, is in the process of preparing materials as part of a panel presentation on electronic data and related e-discovery issues at the upcoming 2009 ACTEC annual meeting.

Recommendation:

- Use metadata software that contains a prompt dialog

d. Consider Web 2.0 technologies

Realize the far-reaching nature of social engineering and social networking. Recognize the potential of productivity downtime with social networking sites. Facebook is noted to have over 100 million active users. Micro social networks based on specific areas of interest are also being established.

Recommendations:

- Maintain Web filtering policies
- Block instant messaging

e. Secure remote access connections

1) Remote access / Remote devices

Remote access generally is thought of as the ability to access firm data and/or applications from other offices, hotels, airports, cafes, as well as from home. It could also be considered to be internal
office wireless connections to the network, although this is not a common usage of the term. Remote devices primarily include laptops, BlackBerrys and PDAs, and would also include smartphones, WiFi connections, USB sticks, portable hard drives, FireWire, Bluetooth and CD devices.

2) Types of remote access connectivity:

a) Wireless
b) Wired

Public hotspot WiFi connections generally lack necessary encryption since they need to be open to all users. Unless virtual private network (VPN) or secure Web browser (HTTPS) connections are utilized, another wireless user in close proximity can monitor all localized wireless internet traffic, including passwords and messages. When searching for a wireless network, do not connect to an unsecured computer-to-computer network, also known as an ad hoc network, since this type of connection is not governed by a router and could connect directly to a computer operated by someone in the nearby vicinity. While there are published procedures to establish secure connections at any hot spot, best practice would be to avoid using remote access to the firm from any hot spot connection.

Home user WiFi connections are generally less of a concern than public hot spots, and there also are published procedures available to establish secure home WiFi connections. However, as previously noted, since many home WiFi routers use default security settings that come pre-installed by the vendor, be certain to reconfigure the settings to establish another layer of security. Without this reconfiguration, administrative access is available wirelessly on most of these devices.

Wired ethernet (hard wire plug-in) connections at a remote location (ex. - hotel) could be considered more secure than WiFi wireless connections, since the connection is directly from the laptop computer, with its own software firewall and antivirus applications, to the switch at the remote
location internet site. However, there is no consensus regarding this view, as some experts argue the reverse is true - that WiFi connections offer a more secure setting than wired connections. Wired connections at a home location could also arguably be considered more secure than home WiFi wireless connections, since the wired connection is generally made from the home computer, equipped with a software firewall, to a modem, or also to a router with firewall protection, and then to the cable connection.

c) Aircard

Usage of a wireless broadband aircard (cellular) connection for remote access is also recommended by IT administrators familiar with remote access security concerns. Aircard signals are like cellular voice signals, and communicate over different frequencies than the prevailing wireless WiFi connections, and the aircard could be used any time, anywhere.

3) Methods of remote access of data/applications

For remote location users, once the internet connection has been made through the type of available connections as noted above, a method of accessing the data and/or applications at the firm needs to be established. The most common method of access is accomplished through the implementation of an encrypted point-to-point Virtual Private Network (VPN) connection. Several prevalent VPN based connections are available.

a) Web based VPN

Web based VPN connections operate through the SSL/TLS protocol - an application layer protocol. With web based connections, data and applications remain at the firm, the remote user works with screen shots forwarded to the web page, and only applications compatible with the web based connection are available to the user. Examples of Web based VPN connections are Citrix for a larger firm and GoToMyPC for smaller firms.

b) Client based VPN

Client based VPN connections operate through the SSL (TLS) or IPsec protocol - a tunneling layer protocol. A direct connection is established through the firewall, and full, or predefined, access to data on the firm server is made directly available to applications on the remote device, along with the attendant security risks of opening the server to the remote connection. In the client based VPN context, the availability of split tunneling, which would allow a device on the remote end of a VPN tunnel to simultaneously exchange network traffic with both the shared (public) network and the internal (private) network, would create a shared environment and potentially compromise access to the firm server. Therefore, split tunneling should be disabled to provide greater security over the connection. An example of a Client based VPN connection is the Cisco ASA remote VPN server.

c) Microsoft Terminal Services

Not previously considered to be a true VPN connection, Remote Desktop Protocol (RDP/RDC) is the protocol utilized for this data access alternative. This choice is considered by many IT administrators to be a less costly alternative to Citrix, and in the right circumstances is seen as an appropriate alternative. Similar to a web based VPN connection, the user obtains screen shots from the firm server. Recognizing previously documented inherent security problems with this method, Microsoft has established a Terminal Services Gateway client in the Windows 2008 server, providing a VPN level of protection to the connection.

d) MPLS VPN

Multiprotocol Label Switching provides a virtual private network (VPN) capability for large firm implementation, providing the capability to consolidate multiple local access circuits that have been dedicated to distinct types of throughput, such as data, internet, voice, and video, to a single port connection without compromising security or performance.

e) Home VPN access

In addition to the method of VPN connection to be established, home remote VPN access has an additional concern due to the fact that home computers are generally utilized by other family members and could have malware placed on the computer through that usage, which malware could thereafter be allowed into the firm network through a VPN connection. For home remote access, consider utilizing a separate computer solely for VPN connection to the firm.

f) UTM appliance connectivity

Unified threat management appliances acquired to protect the gateway, as noted above, are also capable of establishing a secure VPN connection to the firm.

4) Endpoint security

VPN connections provide secure encryption from point-to-point; however, the true gateway endpoint must still be determined, since VPN security is only as strong as the methods used to authenticate the users (and the devices) at the remote end of the VPN connection. This would require the need to review endpoint security issues. Endpoint security is a strategy in which security software, through a process of network access control, is distributed to end-user devices, but centrally managed.

a) Network access control

Through network access control (or network admission control), a client program is installed on, or downloaded to, every endpoint, i.e., every user device that connects to the firm network. Endpoints can include PCs, laptops and handheld devices. A server, or gateway, hosts the centralized security program. Network access control allows only compliant and trusted endpoint devices onto the network by establishing a pre-connect security assessment - before connection to the firm is allowed. This assessment could include the placement of keys in the registry to validate the remote device in order to ensure compliance with firm computer security policies. The assessment can
also include examination of the configuration of the remote device, including the presence and status of behavior blocking, personal firewall, antivirus, and patch software. The procedure could include an automatic remediation process which would send updates and patches to the remote device so that compliant connectivity could then occur. Granular methods of control are available.

b) Remote Wipe

In the event that a remote device has been lost or stolen, remote wipe capabilities are available for BlackBerrys, iPhones, laptops and USB sticks.

c) Minimum endpoint security

At a minimum, the remote device should maintain updated antivirus and, if available, firewall applications to secure the true endpoint and ensure secure access to the internet, and thereby the firm, by way of wired, wireless, or aircard connectivity.

5) Endpoint extension

The endpoint is soon likely to move again, as vendors continue to introduce concepts such as Cloud computing and Software as a service (SaaS), coupled with Virtualization of servers and desktops.

a) Cloud computing

Cloud computing is a computing paradigm in which tasks are assigned to a combination of connections, software, and services accessed over a network. This network of servers and connections is collectively known as "the cloud." Using a thin client or other access point, like an iPhone, BlackBerry or laptop, users can reach into the cloud for resources as they need them. For this reason, cloud computing has also been described as "on-demand computing."

b) Virtualization

Virtualization for servers and desktops is meant to replace the current patchwork of desktop, handheld and server
19 operating systems - not to mention the variety of management, integration, disaster recovery and backup software that keeps most current data centers running - with a Virtual Data Center Operating System (VDC OS). The system will function as an internal-cloud computing model, allowing users to access data from anywhere, with anything, resulting in virtualization of applications, data, hardware, software and storage. Recommendations: S Maintain updated antivirus and, if available, firewall applications on the remote device S Use a UTM (unified threat management) hardware appliance S Review bandwidth requirements and usage when considering UTM acquisitions S Use secure encrypted point-to-point SSL or IPsec connections S Do not allow split tunneling on the VPN connection S Leave data and applications on the server S Use two-factor authentication for remote access S Do not access the firm remotely from airports and cafes S Use an aircard vs. WiFi S Reconfigure home WiFi router default settings to establish another layer of security S Use a separate computer for home access to the firm S Implement remote wipe on wireless devices S Find the true endpoint - consider placing an endpoint security agent on it 3. Establish a backup/restore procedure Backup/restore considerations constitute a major component of computer security. Security threats, as well as disaster losses, could render a firm unable to function if adequate storage capacity and redundancy did not exist. Backup concerns include protecting systems, firm and client data. Continuous data protection is available in most backup applications, generally capturing data changes within moments of the change. Backup includes the backup of laptops and USB drives. The key to a well implemented backup strategy is to utilize multiple layers of backups. The essence of successful backup is successful restoration. a. Types of backup 1) Full - normal Have backup software scheduled to do a full backup (not an 16

20 incremental backup) nightly. These backups also provide the ability to recover a file that was accidentally overwritten or deleted. Full backup is the fastest to restore. 2) Incremental or differential Distinctly different methods of intermediate backup of less than all of the data. 3) Immediate Additional contemporaneous backing up of an extensive file as it is being worked on (i.e., copy to a USB stick). 4) Disk vs. Tape There is increasing frequency of use of disk backup for archiving as well as first line backup - restoring data or files from disk has come to be considered as easier and more reliable then tape. 5) Mirroring vs. RAID Mirroring (RAID-1) - a server has its data duplicated on two different drives using either a hardware RAID controller or software. If either drive fails, the other continues to function as a single drive until the failed drive is replaced. The drives are generally hot swappable. RAID-5 - simultaneous use of two or more hard drives. The array distributes data across several drives, redundantly, however the operating system considers the array as one single disk. Parity is used to maintain data. If one drive fails, once the bad drive is replaced with a new one, the RAID "floods" all the data back onto the new drive from the data on the other adjacent drives. b. Types of hard drives to be utilized for backup procedures: 1) Direct attached Direct attached drives are attached to the PC via a USB 2.0, FireWire, or esata connection. The storage drive is used to back up the internal disk inside the computer connected to the drive. 17
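The pre-connect assessment described under 4) a) Network access control above, worked through as an added example (not a vendor product or code from this outline): the policy values, the registry validation key and the endpoint reports are all constructed, and the checks are the ones the outline lists (registry key, behavior blocking, personal firewall, antivirus, patch status) followed by the automatic remediation step.

```python
"""Constructed NAC pre-connect posture assessment (added example)."""

# Constructed firm policy held on the central server.
POLICY = {
    "registry_key": "FIRM-NAC-KEY-PLACEHOLDER",   # placeholder validation key
    "max_patch_age_days": 30,
    "required_running": ("behavior_blocking", "personal_firewall", "antivirus"),
}

# Findings the server can fix itself by pushing updates and patches.
AUTO_FIXABLE = {"patches out of date", "antivirus signatures out of date"}


def assess(report):
    """Return (decision, findings); decision is 'allow', 'remediate' or 'deny'.

    A device whose registry key is missing or wrong is not trusted at all and
    is denied before any other check.  Findings that remediation can fix lead
    to 'remediate'; anything else (e.g. firewall switched off) is denied."""
    if report.get("registry_key") != POLICY["registry_key"]:
        return "deny", ["untrusted device: registry key missing or invalid"]
    findings = []
    for control in POLICY["required_running"]:
        if not report.get(control, False):
            findings.append(f"{control} not running")
    if report.get("patch_age_days", 10**9) > POLICY["max_patch_age_days"]:
        findings.append("patches out of date")
    if not report.get("av_signatures_current", False):
        findings.append("antivirus signatures out of date")
    if not findings:
        return "allow", []
    if all(f in AUTO_FIXABLE for f in findings):
        return "remediate", findings
    return "deny", findings


def remediate(report):
    """Simulate the automatic remediation push; the caller re-runs assess()."""
    fixed = dict(report)
    fixed["patch_age_days"] = 0
    fixed["av_signatures_current"] = True
    return fixed


# Constructed endpoint report from a compliant laptop.
COMPLIANT = {
    "registry_key": "FIRM-NAC-KEY-PLACEHOLDER",
    "behavior_blocking": True, "personal_firewall": True, "antivirus": True,
    "patch_age_days": 12, "av_signatures_current": True,
}
```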
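The backup types under a. 1) and 2) above, as an added example that is not part of the outline: it uses the standard definitions (incremental copies what changed since the previous backup of any kind; differential copies what changed since the last full backup) on a constructed three-day file history, and shows why a full backup restores from one set while the two intermediate methods need different chains.

```python
"""Full, incremental and differential backup simulation (added example)."""


def snapshot(kind, state, baseline):
    """Copy every file in `state` that is new or changed versus `baseline`.
    A full backup uses an empty baseline, so it copies everything.
    (Deletions are not tracked, as with simple copy-based backup.)"""
    files = {name: data for name, data in state.items()
             if baseline.get(name) != data}
    return {"kind": kind, "files": files}


def restore(chain):
    """Apply backup sets oldest first; later copies overwrite earlier ones."""
    result = {}
    for backup in chain:
        result.update(backup["files"])
    return result


def restore_chains(daily_states):
    """daily_states[0] gets the nightly full backup; each later day gets an
    incremental (baseline: state at the previous backup) and a differential
    (baseline: state at the last full backup).  Returns the chain each
    strategy needs to restore the final day."""
    full = snapshot("full", daily_states[0], {})
    incrementals, differentials = [], []
    for previous, today in zip(daily_states, daily_states[1:]):
        incrementals.append(snapshot("incremental", today, previous))
        differentials.append(snapshot("differential", today, daily_states[0]))
    return {
        "full_only": [snapshot("full", daily_states[-1], {})],   # one set
        "incremental": [full] + incrementals,                    # full + all
        "differential": [full, differentials[-1]],               # full + newest
    }


# Constructed matter-file history: day 0, day 1 (edit + new file), day 2 (edit).
HISTORY = [
    {"will.doc": "v1", "deed.pdf": "v1"},
    {"will.doc": "v2", "deed.pdf": "v1", "trust.doc": "v1"},
    {"will.doc": "v2", "deed.pdf": "v1", "trust.doc": "v2"},
]
```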
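The mirroring and RAID-5 parity described under a. 5) above, worked through as an added example (not code from the outline or any RAID product): byte blocks are constructed, one stripe holds one block per drive, and parity is kept on the last drive for clarity, whereas real RAID-5 rotates it across the drives. It shows how a single failed drive is rebuilt from the survivors, which is the "flooding" the outline refers to.

```python
"""RAID-1 mirroring and RAID-5 XOR parity on constructed blocks (added example)."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks; the XOR of all data blocks is the parity."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def mirror_write(block):
    """RAID-1: the same block is written to both drives."""
    return [block, block]


def mirror_read(drives):
    """RAID-1: whichever drive survives still holds the whole block."""
    return next(block for block in drives if block is not None)


def raid5_write(data_blocks):
    """RAID-5 stripe: n data blocks plus one parity block on n+1 drives."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def raid5_rebuild(stripe, failed):
    """Reconstruct the block that was on drive `failed` (data or parity):
    any single block equals the XOR of all the other blocks in the stripe."""
    survivors = [blk for i, blk in enumerate(stripe) if i != failed]
    return xor_blocks(survivors)


def raid5_read(stripe, failed=None):
    """Return the data blocks, regenerating the missing one if a drive is down.
    Only one failure per stripe is recoverable with single parity."""
    if failed is not None:
        stripe = list(stripe)
        stripe[failed] = raid5_rebuild(stripe, failed)   # the replacement drive
    return stripe[:-1]
```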
