March 6, 2012
Quick and Dirty IT Security
For those of you who don’t have the luxury of a dedicated IT-security team, here’s a quick tip from our IT staff: don’t be intimidated into inactivity.
As with any security effort, there are layers to IT security. There are a number of simple, free steps you can take that will drastically reduce your chances of being compromised. Yes, it’s easy to spend thousands on state-of-the-art technologies that require dedicated, specialized staff to manage, but that isn’t necessary (or feasible) for most merchants. Think of IT security like securing your home: just because you don’t have electrified gates and trained attack dogs doesn’t mean you don’t lock your doors when you leave the house. We do what we can.
Perhaps the best simple resource available in the industry right now comes from Australia’s Department of Defence. Last summer, they published 35 Strategies to Mitigate Targeted Cyber Intrusions. Before you get intimidated by the techno-jargon and the fact that there are 35 things to do, consider this: implementing just their top four strategies (three of which are free and require next-to-no technical know-how) would have prevented 85% of the breaches they researched in 2010.
Let’s break down just those top four:
Patch Applications: Patch is tech-speak for update. Patching is usually very easy. Applications that need patching will often pop up an alert in your system tray (those little icons next to the clock on the bottom right corner of your screen). All you have to do is click on them and select the option to update. We’d recommend you pay particular attention to Adobe (PDF viewer, Acrobat, Flash Player, etc.), Java, and the Microsoft Office Suite, as those are commonly compromised and therefore the most often updated.
If you haven’t seen the automatic update message pop up recently, you can often check for updates manually. Microsoft and Adobe products have a “check for updates” choice in the Help menu, and Java’s updater is in your Control Panel.
Patch Operating Systems: The first recommendation is to work with the latest operating system version (Windows 7, OS X Lion, etc.). The security measures built into these versions are (obviously) the most up-to-date. They also have added controls and features not available on previous versions. If, for whatever reason, you are not running the most recent version, you should be sure you’re running the most up-to-date build available for your version.
PCI requires all “Critical Updates” to be installed within 30 days of release. (As these patches are typically addressing new threats or newly realized vulnerabilities, patching sooner is usually safer.)
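A quick way to check where you stand against that 30-day window on a Windows machine, as an added example (not part of the original post): this script asks the built-in Windows Update agent which updates are still missing, reads Microsoft's severity rating and publication date for each, and flags any Critical update that has been out for more than 30 days. It only reads; it installs nothing. The 30-day threshold is the figure from the text; run it in an elevated PowerShell on Windows 7 or later.

```powershell
# Added example: list missing Windows updates and flag Critical ones outside the
# 30-day PCI window. Written for PowerShell 2.0 (Windows 7) so it avoids newer syntax.
$pciWindowDays = 30

# The Windows Update agent exposes a COM API; this is the same engine the
# Control Panel "Check for updates" button uses.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# IsInstalled=0 -> not yet installed; Type='Software' skips driver updates.
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

$report = foreach ($u in $result.Updates) {
    # LastDeploymentChangeTime is the date this revision of the update was published.
    $ageDays  = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
    $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
    New-Object PSObject -Property @{
        Title         = $u.Title
        Severity      = $severity
        AgeDays       = $ageDays
        PastPciWindow = ($severity -eq 'Critical' -and $ageDays -gt $pciWindowDays)
    }
}

$report |
    Sort-Object AgeDays -Descending |
    Select-Object Title, Severity, AgeDays, PastPciWindow |
    Format-Table -AutoSize

$overdue = @($report | Where-Object { $_.PastPciWindow })
if ($overdue.Count -gt 0) {
    Write-Warning ("{0} Critical update(s) have been available for more than {1} days and are still missing." -f $overdue.Count, $pciWindowDays)
} else {
    Write-Host "No Critical updates outside the $pciWindowDays-day window."
}
```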
Minimize the Number of Users with Admin Privileges: This should be common sense. The fewer people who have access to a system, the less likely the system is to be compromised. (Not only is there less chance of a rogue employee, but also fewer passwords to be stolen or hacked.) How many people really need administrator privileges on the computer to do their jobs? If you take time to think about it, you might find the number is much smaller than what you have in place now. Also, for added security, those with admin credentials should not use them all the time. If those employees are going to be checking e-mail or browsing the Internet, they should use a secondary set of credentials that give them only limited access.
And please, if you are at all concerned with security (and you wouldn’t be reading this if you weren’t), change your default passwords for all of your routers, access points, applications, and operating systems. (Username: admin, Password: admin is NOT a secure option!)
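To answer "how many people really have admin on this computer?" rather than guess, here is an added example (not from the original post) that lists the members of the local Administrators group, warns when a whole group has been nested inside it, and reports whether the built-in Administrator account is still enabled. It uses the WinNT ADSI provider so it runs on Windows 7 with PowerShell 2.0; run it in an elevated PowerShell.

```powershell
# Added example: audit who holds local admin rights on this machine.
$computer = $env:COMPUTERNAME
$group    = [ADSI]"WinNT://$computer/Administrators,group"

# Enumerate group members; each is a COM object, so properties are read via reflection.
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
    New-Object PSObject -Property @{
        Member = ($path -replace '^WinNT://', '')   # e.g. PC01/alice or CORP/Domain Admins
        Type   = $class                             # 'User' or 'Group'
    }
})

"Local Administrators on ${computer}: $($members.Count) member(s)"
$members | Select-Object Member, Type | Format-Table -AutoSize

# A group nested in Administrators silently grants admin to everyone in that group.
$nested = @($members | Where-Object { $_.Type -eq 'Group' })
if ($nested.Count -gt 0) {
    $names = ($nested | ForEach-Object { $_.Member }) -join ', '
    Write-Warning "Nested groups grant admin rights to all of their members: $names"
}

# The built-in Administrator account keeps a SID ending in -500 even if it is renamed,
# so look it up by SID rather than by name.
$users = ([ADSI]"WinNT://$computer").psbase.Children | Where-Object { $_.SchemaClassName -eq 'User' }
foreach ($u in $users) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)
    if ($sid.Value -like '*-500') {
        $state = if ($u.psbase.InvokeGet('AccountDisabled')) { 'disabled' } else { 'ENABLED' }
        "Built-in Administrator account is named '$($u.Name)' and is $state."
    }
}
```

Everyone this prints holds full control of the machine; each of those people should be doing day-to-day e-mail and browsing from a separate, limited account as the text recommends.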
Application Whitelisting: OK, what on earth is application whitelisting? Don’t feel bad if you don’t know – this one is a little higher up the techie totem pole. Whitelisting is the opposite of blacklisting; in blacklisting you block (blacklist) certain programs and do not allow them to run on your system. Whitelisting blocks all programs and scripts except for those you specifically allow by adding them to your whitelist.
This is one area where you will want to seek help from an IT professional (they have to know not only what programs you want to run, but also which services/processes/scripts need to be authorized in the background in order for those programs to run successfully).
If you’re running Windows 7, this process can be managed using the included AppLocker program. If not, a simple Google search for “Whitelisting Software” turns up dozens of options. If you don’t have dedicated IT staff, we recommend finding one of the solutions that automatically updates (so that you don’t have to have it reconfigured every time Windows updates).
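For the Windows 7 AppLocker route, here is an added example (not from the original post or from Microsoft’s documentation) of how an IT professional would typically start: build a whitelist from what is already installed, apply it in audit mode so nothing is blocked yet, and then read the log to see which programs the policy would have stopped. That log is what tells you which background services and scripts still need rules before you switch to enforcement. It assumes Windows 7 Enterprise or Ultimate (the editions that include AppLocker), an elevated PowerShell, and that trusted software lives under C:\Windows and C:\Program Files; the test file path is a constructed placeholder.

```powershell
# Added example: build a baseline AppLocker whitelist and run it in audit mode.
Import-Module AppLocker

# AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory programs, scripts and installers in the trusted locations.
#    (DLL rules are possible too, but they are heavy and are left out of this baseline.)
$files = foreach ($dir in 'C:\Windows', 'C:\Program Files') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Turn the inventory into rules: publisher rules for signed files (they survive
#    vendor updates), hash rules for unsigned ones; -Optimize merges duplicates.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation

# 3. Switch every rule collection to AuditOnly: nothing is blocked, but every
#    would-be block is written to the event log.
[xml]$xml = $policy.ToXml()
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'
$xml.Save($policyPath)

# 4. Dry-run a file against the policy before deploying (placeholder path).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\Downloads\unknown.exe' -User Everyone

# 5. Apply to this machine, merging with any rules already in place.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. After some days of normal use: event 8003 = "would have been blocked".
#    Anything legitimate listed here needs a rule before enforcement is turned on.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

Once the audit log stays quiet for your normal workload, the same XML with EnforcementMode set to Enabled turns the whitelist on for real.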
The four steps we’ve touched on above represent 10% of the information from one source. They are by no means an exhaustive list of IT precautions, but they do combine to make a very good base for your IT security program. If you already have these basics in place, we recommend you look at the rest of the 35 strategies from the Australians, as well as the 20 Critical Security Controls for Effective Cyber Defense published by the industry think-tank SANS Institute. The more layers of security you add, the better off you’ll be. Also, following the weekly updates from http://securitytracker.com/ is a good way to keep abreast of the newest threats in the industry.
Hopefully we haven’t overwhelmed you, but rather helped you to see that there’s a lot you can do (even with limited resources) to make your system more secure. Until next time, don’t forget to lock your doors!