NetDefence

Security • Compliance • Productivity

Archive for February, 2009

Zero Day Exploit for Microsoft Excel

Wednesday, February 25th, 2009

We often talk about malware here on the NetDefence blog and the importance of having effective anti-virus software on each computer you use. However, sometimes even having your anti-virus software up to date will not protect you.

A Zero Day Exploit is any vulnerability in software that is unpatched at that point in time. Zero Day Exploits are constantly being found by anti-virus companies and patches are released, but the time in between is when your computer is at high risk.

Today (25th February 2009) a Zero Day Exploit has been found for Microsoft Excel and appears to be affecting all versions on all operating systems. This exploit allows someone to run code on your computer which can install a trojan called Trojan.Mdropper.AC. It is highly recommended that you be very cautious when opening Excel files over the next 24 hours and ensure you run an update on your anti-virus software.

When a Zero Day Exploit like this occurs, your only defence may be using your own smarts to determine whether an email is legitimate or not. Ask yourself, do I know this sender? Am I expecting this email and attachment? If you can’t answer at least one of these questions, it is best to delete the email and keep your computer virus free!

Top IT Security Threats in 2009 – how does your business stack up?

Tuesday, February 24th, 2009

Even though IT managers and departments have been primarily concerned about security, ultimately it is the responsibility of business owners and chief information or executive officers (CIO, CEO) to protect an organisation from threats.

In the years since the Internet first came on the scene, the security scenario has undergone rapid changes and developments as threat and counter-threats have been developed and deployed.
As IT security threats continue, the form and nature of these threats may not be what most people expect – or even suspect.

Here are some of the top security threats you will hear more about during 2009:

Lost Laptops and Careless Employees

The increasing portability of laptops and storage devices is of concern. This increases the chances of these portable computing and storage devices being stolen, not only for their resale value but, more importantly, for the information contained within. This problem is compounded by the apparent lack of security awareness by many employees, which extends to employees and their internet-based social networks.

Weak Policies
IT security experts have also expressed increasing concern over identity thefts.
While most companies limit physical access to employee records, many companies still have vulnerabilities in terms of systems and procedures in handling these.

Many companies do not purge data when the company’s computers are reassigned or disposed of; others do not even install passwords on employee computers; still more do not encrypt personal information when it is transmitted over the Internet or company networks.

Overconfidence
Some business owners feel their company’s security is more than adequate to meet existing and potential threats. Anti-virus, anti-spyware, anti-spam software and improved techniques have all contributed to the complacency of businesses.

However, security is a 24/7 job: check, double check and triple check, with random reviews and tests. It is a never-ending activity and while automation may have relieved the pressures a bit, there is no room for error or overconfidence – especially as many threats are coming from unexpected sources.

What can you do to minimise exposure to your business?
Analyse your security policies and procedures – if you don’t have any in place, start on them now.
Work with your technology providers. They should have some good ideas about what you can do to improve your protection.

Consider some of the smarter technologies now available such as managed online solutions that protect your business from outside your network. Rather than buying hardware and software which you have to maintain and replace every few years, you can ‘turn on’ security services which operate from the Internet, are updated constantly and cost less than a hamburger per person per month.

The $42bn phishing target

Thursday, February 19th, 2009

Much has been made of the Government’s $42bn stimulus package over the last few weeks. People earning under $100,000 are eligible for rebates of up to $900 each. The only catch? You must have completed your 2007/2008 tax return.

Enterprising cyber criminals will no doubt see this as an opportunity to fleece people of their personal details through a phishing scheme. The Australian Tax Office Commissioner Michael D’Ascenzo has already stated “We are worried that unscrupulous people will use the interest surrounding the payments as an opportunity to try the usual scams”.

In the US, where similar plans are taking place, a scam has already surfaced. Whilst this scam seems to be inactive currently, it looks like it was designed to encourage the recipient to download a trojan disguised as an application form. This simple trick could enable the trojan to be installed on your computer in the form of a key logger, spam server or other internet threat.

The ATO (or any other organisation for that matter) will never ask you to provide personal details via email. If you receive an email you are suspicious of, do not open it. Scams can be reported at http://www.scamwatch.gov.au. If you’re not sure about an email, it is better to speak with the company affected (such as the ATO) to check if it’s legitimate than to risk compromising your computer’s security.

Social Networking on the Internet… not in my business!

Wednesday, February 18th, 2009

Where have you seen that expression lately?

This is a term to describe an Internet service that focuses on building online communities of people who share common interests and activities, or who are interested in exploring similar ideas and thoughts with other people.

Today there are hundreds of social networking websites on the Internet, but the ones you will probably have seen or heard are Facebook, MySpace, YouTube and Bebo.

Some large organisations use these sites to deliver internal training and communications whilst others view this communication as a tool to develop business relationships.

Currently there are different views offered online about whether real business can be developed through social networking sites, if the relationships are superficial, and if it can possibly replace face to face relationship development.

Today most businesses see social networking as a threat to office productivity; employees can spend a lot of time communicating with friends about a myriad of social issues during office time instead of working.

The Age newspaper reported that Facebook alone could be costing Australian business over $5 billion in lost productivity per year. Note this article was published in August 2007!

Outside the workplace the availability of computers with Internet access has made it much easier to communicate with friends and relatives more often.

According to a study by Nielsen Online (Sydney, March 2008), the amount of time Australians are spending online has, for the first time ever, surpassed the amount of time spent watching television.

So this has created a problem for employers: they are not only responsible for employee activity on the Internet, they now also need to protect themselves from staff using their computers for the wrong purposes.

Once again technology has provided the problem and the answer. There are solutions employers can use to control Internet use within their business and they typically come in two forms: in-house and managed online solutions (over the Internet).

The in-house solution requires you to purchase hardware, software and ongoing management from the IT team, which large businesses can normally justify.

But it is different for small businesses that do not have a single IT person on staff. This is where the ‘online managed solution’ works for them.

They typically pay a small fee per user per month i.e. $5 which allows them to manage Internet for their company any way they choose. This means they can control where staff can go, block inappropriate or time wasting sites and view overall activity every month with sophisticated reports. Some services also provide additional threat protection against malware and viruses.

When a business decides to implement either of these solutions they should develop a company policy and make all staff fully aware of it.

One thing is for sure… Internet use in business is here to stay.