
Thursday, December 8, 2011

McAfee Says Security Industry Must Better Protect Users

The company's second-quarter threat report warns of increasing attacks on mobile devices



“Are we really protecting users and companies?” That’s the question McAfee recently put to the security industry in its second-quarter threat report, and it is a fair and relevant one given the flood of malware, hacking incidents, and spam that has hit everyone from major corporations to small developer shops to individuals.
The growth of mobile devices, in particular Android smartphones, has also meant the growth of malware, notes ReadWriteWeb’s Dan Rowinski. The “persistent threat” to mobile devices, and the industry’s apparent inability to keep pace with (let alone outpace) that growth, could spell trouble for vendors like Adobe, whose products have overtaken Microsoft’s as the favourite target for exploits.
And although companies are free to keep repeating the mantra “use common sense,” it is safe to say that common sense alone is no match for highly motivated attackers.
Read more at ReadWriteWeb.

What to Do When You Lose Your Computer

Laptop theft occurs more often than people would like to think. Here is what you should do if you lose your computer—and all the data on it.



A laptop is stolen every 12 seconds, meaning one more will be taken by the time you finish reading this sentence. Here's what to do if that stolen laptop is yours. And if you're thinking you can rest easy and skip this article because you and your employees mostly keep your laptops at home, think again: according to a December 2010 Ponemon Institute study, the largest share of missing laptops (43 percent) goes missing off-site, in employees' homes.
1. Change Your Passwords
First things first: Do not stop, do not pass go (or cry or order too many stiff drinks). Go directly to your network passwords. The account you use to log in to your office network needs its password changed first. If you have an IT department, let them know so they can watch for repeated authentication failures against your account and revoke anything else bound to the lost machine, such as a VPN certificate or a cached domain credential.
You'll also want to change the passwords for all personal accounts you may have accessed from the laptop: email, credit cards, bank accounts, web sites, airlines, anything web-based for which you have a username and password. Browser-saved passwords and session cookies on the laptop can grant access to these accounts without the thief ever learning the password, so change the password and, where the service offers it, sign out of all active sessions as well.
In the future, keep two problems apart that this kind of advice often lumps together. The first is remembering many strong passwords: a password manager such as KeePass, a free open-source app, stores them in an encrypted vault so you only have to memorize one master passphrase. The second is the data sitting on the disk, which no password change can protect once the disk is in someone else's hands; only full-disk or volume encryption does that. TrueCrypt, also free and open source, runs on Windows, Mac and Linux and has a tutorial for the less computer-savvy (its developers ended the project in 2014; VeraCrypt is the maintained fork). Windows XP Professional includes the Encrypting File System for protecting individual folders, and BitLocker full-disk encryption ships with the Ultimate and Enterprise editions of Vista and Windows 7, not with Vista Business.
A December 2010 Ponemon Institute survey found that two-thirds of companies don't take advantage of even basic security practices for their laptops. "While organizations may be aware of the lost laptop problem, it became clear as we conducted our research that most organizations, including workers, IT and CFOs, do not fully understand the adverse effect it can have on their bottom line. If they did, they'd be much more diligent in protecting their laptop fleets," said Larry Ponemon, the Ponemon Institute's chairman and founder.
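What "keeping an eye out for repeated authorization failures" looks like on the IT side, as an added example that is not part of the original article: a short Python script that parses sshd-style "Failed password" log lines and flags any account that accumulates a burst of failures inside a sliding window. The log lines, the account name alice, the threshold of four failures and the five-minute window are all constructed for this example.

```python
"""Flag repeated authentication failures for an account after a laptop loss.

Added example, not from the original article. It parses constructed
syslog-style lines modelled on OpenSSH's "Failed password" messages and
reports any user that exceeds a failure threshold inside a sliding time
window. The line format, the threshold and the window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; "alice" is the user whose laptop was lost.
SAMPLE_LOG = """\
Dec  8 09:00:01 vpn sshd[2001]: Failed password for alice from 203.0.113.7 port 50222 ssh2
Dec  8 09:00:09 vpn sshd[2002]: Failed password for alice from 203.0.113.7 port 50223 ssh2
Dec  8 09:00:15 vpn sshd[2003]: Accepted password for bob from 198.51.100.4 port 41000 ssh2
Dec  8 09:00:21 vpn sshd[2004]: Failed password for alice from 203.0.113.7 port 50224 ssh2
Dec  8 09:00:30 vpn sshd[2005]: Failed password for alice from 203.0.113.7 port 50225 ssh2
Dec  8 09:01:02 vpn sshd[2006]: Failed password for invalid user admin from 203.0.113.9 port 50300 ssh2
Dec  8 09:45:00 vpn sshd[2007]: Failed password for alice from 203.0.113.7 port 50226 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(text, year=2011):
    """Yield (timestamp, user, source_ip) for each failed-login line.

    Syslog omits the year, so the caller supplies it (assumed 2011 here).
    Successful logins and unrelated lines are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the day-of-month padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforce(text, threshold=4, window=timedelta(minutes=5)):
    """Return {user: [source ips]} for every user with >= threshold failures
    inside any window-sized span. Uses a per-user deque as a sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, user, ip in parse_failures(text):
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and user not in flagged:
            flagged[user] = sorted({src for _, src in q})
    return flagged


if __name__ == "__main__":
    for user, ips in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {user} has a burst of failed logins from {', '.join(ips)}")
```

The same loop works over a live `tail -f` of the auth log; the point of the window is that four failures spread over a day are a forgetful user, while four in thirty seconds from one address, against an account whose laptop just vanished, are worth a phone call.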


2. Check the Lost-and-Found
Don't automatically assume your laptop is gone for good; at least make inquiries at the Starbucks or airport or wherever it is you left it unattended. Only a third of laptops turned in to airport lost-and-found departments are reclaimed. How much would you kick yourself if one of those sitting around is yours? If the laptop was indeed stolen, file a police report. You'll need it for your insurance. (You do have insurance, don't you?) Keep an eye on Craigslist, eBay, and local pawn shops. There's a reason there are entire websites (including dumbcriminals.com) devoted to, erm, dumb criminals. This is also where knowing your laptop's serial number comes in handy. Rich Castagna, editorial director of TechTarget's Storage Media Group, says, "The most important thing to do when you lose your computer is what you did before you lost it." If you don't know yours and happen to be reading this article purely out of curiosity, go find your serial number now and store it somewhere that is not your laptop.


3. Make Clients Aware
Notify clients if they're affected. If the laptop held credentials for their systems, or any of their personal information, you need to let them know so they, too, can change passwords and watch for misuse.


4. Utilize Computer Tracking  
If you don't already have laptop tracking software, consider contacting MyLaptopGPS, which offers free help even for non-customers. For paying customers, the company claims a 99.6 percent recovery rate and a 300 percent guarantee, according to chief technology officer Dan Yost. Prices start at $9.95 per month for one computer; $49.95 covers five laptops. There are several other laptop tracking services you can try.
If you're not convinced of the value of laptop tracking, look no further than a 2009 Ponemon Institute study, which found that the average cost of a lost laptop is $49,246, 80 percent of which is the value of the data. A 2003 Computer Security Institute/FBI Computer Crime and Security Survey put the value much higher, at $250,000. And yours may well be worth more than that. Consider the case of hip hop artist Ryan Leslie, who in October took to YouTube and Twitter to offer $1 million for the return of his MacBook, which contained irreplaceable intellectual property. (He didn't get it back.)
"Any business with people on the go -- sales force, field agents, service teams -- depends on laptop computing. Laptops mobilize productivity. Losing a laptop crushes productivity. Mobile employees lose their ability to work effectively, IT personnel spend time replacing and reconfiguring equipment, and customers wait for you to get back up to speed. But these are still just lightweight costs," says Yost.
You may also want to install Prey, a free app that sends timed reports to your email with a bunch of information about your laptop's whereabouts. This includes the general status of the computer, a list of running programs and active connections, fully detailed network and wifi information, a screenshot of the running desktop and, if your laptop has an integrated webcam, a picture of the thief. One caveat applies to every tracking tool: it only reports if the laptop is powered on and reaches the network before the thief reinstalls the operating system or pulls the drive, so treat tracking as a recovery aid, not as protection for the data. Encryption and backups do that job.


5. Invest in an Online Backup Service
Online (or cloud) backup services not only offer the easiest way to automatically back up your laptop's data, they also provide the added safety of storing those backups offsite, so the data is available at any time from anywhere. All you have to do is install the software, which then keeps track of when you create or modify files and saves a copy of each update. There are hundreds of services to choose from, but Castagna recommends EMC's MozyPro, Carbonite Pro and Seagate's i365 EVault to help smaller companies with limited IT resources protect their data appropriately. Whatever service you choose, he advises making sure you read and understand your options for restoring your data: some companies charge for transmitting data, and if you need to restore it all at once, the process can be both time-consuming (depending on your connection speed) and expensive. Ask if the service provides alternatives, like FedExing you a disk, and ask who holds the encryption key for your stored data, since a backup of a stolen laptop that anyone at the provider can read is a second copy of the same exposure.




How Often Should You Back Up Files?

Rudimentary data protection can be a business life-saver.
It’s a call no business owner wants to get: a fire broke out overnight in the industrial park where your office is based, reducing it to smoldering rubble. Sure, you’re thankful no one was inside, and insurance should cover the physical damage, but what about your company’s critical computer files?
According to ADR Data Recovery, U.S. businesses lose more than $12 billion per year because of data loss due to hardware or system failure (which accounts for roughly 78 percent of all data loss), software corruption, natural disasters, or human error.
“Data loss, and the downtime suffered from it, can cause considerable damage to your business,” says analyst Bob O’Donnell, program vice president for clients and displays at IDC, a market research firm. “And if you do any kind of commerce and your current orders are lost, it can prove to be a serious blow to your business revenue.”
The only reliable protection against losing critical information on your PC is to proactively back up important files on a regular basis, and to test that those backups can actually be restored.

DIY or Automatic?

Backing up your files can be handled automatically, thanks to the many scheduled onsite or offsite backup programs available today, or manually, where it’s up to you to select which files to back up and where to put them: burned onto a recordable CD or DVD, copied to a USB memory stick, or, preferably, uploaded to a secured offsite location so that a fire, theft, or natural disaster at the office does not take the backup with it. Backed-up discs may also be stored in a safe deposit box.

What Gets Backed Up

Each business has its own particular needs and interests, but across the board, all businesses share the common need to back up customer data, contact information, and passwords. Individuals may want to add to that list work files such as documents, spreadsheets, presentations, and Web site code, as well as calendar appointments and e-mails.
A sales office will want to make external copies of its detailed CRM files. An architect will save blueprint sketches and 3-D renders.
Deciding what to back up is as easy as asking yourself what is irreplaceable. In some cases, the data could be recoverable, but it may cost your business money, time, or embarrassment to retrieve everything from external sources. Let’s face it: asking one of your most important clients to re-send contact information or contracts could be damaging to your relationship.
“Data loss can ruin your reputation with clients or customers,” says O’Donnell. “Because you never know when data loss can strike, back-ups should be automated and stored off-site, so you can concentrate on growing your business.”

What’s the Frequency?

Some software packages, many of which are available as a “try before you buy” download at www.download.com, automatically back up your information at a set time every day or week.
But if you’re handling the backup manually onto a CD-RW disc or USB thumb drive, it’s recommended you back up important information at least once a week. This includes files such as key work documents, business contacts, and appointments.
If you’re working on an important document, such as a sales report, a presentation or a spreadsheet, it’s not a bad idea to keep a USB memory stick in the PC’s USB port and copy the file to it as soon as the work is completed. This is an especially good idea for mobile professionals working on laptops: all it takes is leaving your PC on a plane, in a hotel or in the back of a cab and your critical data could be gone forever. Just don’t leave the stick in the laptop or in the laptop bag when you travel, or it will be lost or stolen along with the machine.

One Million Reasons to Backup


At a recent event I was talking with the director of a 10 person non-profit, and she mentioned an important database she was trying to convert to a newer format. "Where is it kept?" I asked. "On my computer" she said. "Where else?" And then I got that look — the look that says "what do you mean — where else?" Ah. How much would it cost to replace that data? Perhaps a million dollars, which is her approximate annual fundraising income. So one more time, for you folks who have not done so — Back up your work. Please.
Google engineers published a study of failures in consumer-grade hard disks and found that over 56% of the drives that failed had raised no warning through the drives' built-in SMART self-monitoring. What does this mean for you? When your hard disk's time is up, you probably won't know it until it happens, which is why you should back up constantly.
Jennifer Walzer, President of BackupMyInfo.com, a New York-based service provider for small business backup, told me that a common problem is "People will set up a backup — tape, CD, extra hard drive, online - and they think it is great, only to find out that it hasn't been running right. They are not testing to make sure it works. We do hand holding and monitor to ensure backups run every day."
Recently, she had a customer who runs a party and event-planning business lose 10 years worth of Quickbooks data when the owner's computer crashed. They were able to restore to another computer in the office in seconds.
"We keep multiple versions of your data and we don't delete what you delete on your side until you specifically ask us to," said Walzer. Small business can backup their offices for $55 to several hundred dollars a month. However, this is a higher level of service than a simple desktop backup, with 24 hour support.
For those looking for more simple solutions, SugarSync, Carbonite, and Mozy are very popular choices. Drew Garcia, VP of Product Management of Sharpcast, makers of SugarSync, told me "We have lawyers, contractors, real estate developers, graphic designers, and they have important data backed up, plus they use other features such as road warriors relying on the mobile app via Blackberry, iPhone, or Windows Mobile to get their documents on the go."
Sugar Sync has real time sync — you make a change to a document and it is immediately uploaded to the cloud. Some graphic designers use sharing functionality to show work to clients via a browser. This sharing can be "View only," or permissions can be set to allow collaborators to download a document, change and re-upload it. This sharing can be done among employees or with those outside the company.
Garcia is hearing road warriors adopt Netbooks, and they use Sugarsync to sync important files from their main computers, edit them, and sync back.
The three solutions mentioned above allow backup of a certain amount of data at a fixed price. For those working with Windows and Office 2007, http://www.officelive.com gives you up to 5GB of free storage for Word, Powerpoint, Excel files. With an add-in, you can save directly from these programs to your online storage area and you can access the files anywhere there's a net connection and a browser.
Don't end up like the presenter I saw at a conference last week whose laptop had been taken from the coatroom at the reception the night before. She was lucky she had emailed her slides to the conference organizer. Please backup. Go do it now. Share your tips for backup via the comments.
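The two points the backup experts above keep returning to, that backups must be tested and that older versions must survive a deletion on the source side, are easy to get wrong with a plain copy. The following Python script is an added example, not code from the original article or from any of the services it names. It snapshots a folder into a dated directory, writes a SHA-256 manifest, and then verifies the snapshot by re-hashing every copied file; the sample workspace, file names and snapshot labels are constructed under a temporary directory so it runs anywhere.

```python
"""Versioned backup with a restore check.

Added example, not from the original article. snapshot() copies a source
tree into dest_root/<label> and records a SHA-256 manifest; verify()
re-reads every file in a snapshot and reports anything missing or changed,
which is the "test that the backup actually works" step people skip.
Older snapshots are never touched, so a deletion on the source side does
not delete the file from the backup. All paths below are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src, dest_root, label=None):
    """Copy src into dest_root/<label> and write manifest.json; return the snapshot dir."""
    label = label or datetime.now().strftime("%Y%m%d-%H%M%S")
    snap = os.path.join(dest_root, label)
    manifest = {}
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            target = os.path.join(snap, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)
            manifest[rel] = _sha256(full)  # hash of the source, not the copy
    with open(os.path.join(snap, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return snap


def verify(snap):
    """Re-hash every file listed in the manifest; return the paths that are missing or differ."""
    with open(os.path.join(snap, "manifest.json")) as f:
        manifest = json.load(f)
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(snap, rel)
        if not os.path.exists(path) or _sha256(path) != digest:
            bad.append(rel)
    return bad


def demo():
    """Build a constructed workspace, back it up twice, corrupt one copy, and verify both."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "docs")
    os.makedirs(src)
    with open(os.path.join(src, "clients.csv"), "w") as f:
        f.write("name,email\nAcme,ops@example.com\n")
    backups = os.path.join(work, "backups")
    first = snapshot(src, backups, "v1")
    # Deleting on the source side must not remove the file from the older snapshot.
    os.remove(os.path.join(src, "clients.csv"))
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly plan\n")
    second = snapshot(src, backups, "v2")
    # Simulate silent media corruption in v2 and make sure verify() catches it.
    with open(os.path.join(second, "notes.txt"), "w") as f:
        f.write("garbage\n")
    result = {
        "v1_ok": verify(first) == [],
        "v1_has_clients": os.path.exists(os.path.join(first, "clients.csv")),
        "v2_bad": verify(second),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Run verify() on a schedule, not only after the backup job reports success: the job that "has been running fine for a year" is exactly the one Walzer describes, and a manifest mismatch is the cheapest possible way to find out before the day you need the restore.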

Does File-Sharing Threaten Your Sensitive Data?

Whether your employees are using peer-to-peer technology to download the latest game or video or to share work-related documents, their actions may place your data and your organization at risk.




When debit cards first came out, says Internet encryption pioneer Taher Elgamal, people simply scrawled their PINs on the back of their cards.
He sees many businesses taking the same sort of naïve approach to security these days when it comes to file-sharing and peer-to-peer networks. Too often, businesses haven't thought through the risks involved in file-sharing. And like those early debit card users, employees often are thinking simply of convenience and ease of usage.
Yorgen Edholm, president and CEO of Accellion, a company that provides secure file transfer solutions, agrees that businesses have been slow to react, despite continued news reports about data breaches. "One of the things that surprises me is it's still such an under-discussed topic,'' says Edholm. "Two years from now, it's going to be, 'How did we do that?'"
How P2P threatens your data
In February, the Federal Trade Commission notified nearly 100 organizations and businesses that had released sensitive information about customers, students, or employees through file-sharing or P2P networks. The government agency also announced it was conducting investigations of other businesses which had exposed data through file-sharing. In conjunction with the announcement, the FTC published new educational materials for businesses.
The risk to your data from P2P technology is a two-pronged threat. Employees are placing critical data at risk by using P2P technology to transfer and to share work-related materials. However, as people become accustomed to moving much of their lives online, they often blur the distinction between work and home activities. Employees downloading the latest movies and music from file-sharing sites also create risk for their employers.
Among the dangers:
  • Inadvertently sharing files. Users may accidentally save a confidential file to a folder that is shared on a P2P network, or malware could change the designation of a folder or drive where sensitive information is stored.
  • Opening your network to attacks. Malware in P2P programs can lead to attacks on other computers on your network, not just the computer sharing files.
  • Losing track of data. Once files are placed on a P2P network, they may be shared among other computers even after deletion on the original computer. So, retrieving and securing data you've unintentionally exposed is virtually impossible.
  • Remote storage of illegal material. Malicious programs could open one of your computers to storage of stolen documents or even child pornography, cautions Randy Abrams, director of technical education for anti-malware vendor ESET.
The threat is so significant Abrams thinks P2P programs should be avoided. "Peer-to-peer file-sharing programs have virtually no place in a business environment,'' he says. "The security of the programs varies widely. However, in many cases, the default settings are not the most secure. The risks of P2P file-sharing are too great to be ignored."
While every organization is vulnerable, Sanjay Mehta, senior vice president for security solution company Breach Security, advises that your company may be particularly susceptible to P2P threats. "In many ways, small to mid-sized businesses are great targets,'' he says. Mehta notes that smaller businesses often aren't equipped with the IT assets or the staffing to evaluate P2P risks or combat data breaches that occur through file-sharing.
How you can protect your data
Like most technology-related security issues, the first steps you should take involve people rather than machines or software, say the experts. Smart business practices will go a long way toward avoiding file-sharing data losses. Make sure your organization follows this checklist:
  • Establish and enforce a file-sharing policy. Awareness is critical. Your policy should spell out in non-tech speak whether you'll allow the use of P2P networks. If you allow file-sharing, you should  explain the circumstances under which it is permitted and whom you authorize to do so. Once you've created a policy, revisit it frequently since technology evolves quickly. Educate your users.
  • Offer file-sharing solutions. "Ninety percent of employees just want to get their work done,'' says Elgamal, chief information security officer for Axway, which secures and manages business transactions. "Generally speaking, people like the path of least resistance. We need to tell people how the company is enabling them to do business. You can't sit down and say 'no, no, no.' Then what?"  Your employees will find ways to share documents and files when they need to get the job done, so anticipate their needs and find secure solutions.
  • Classify documents. Establish a system for classifying information based on how it can be shared or the sensitivity of the data, advises Mehta. Then, arrange information in locations based on whether it can or can't be shared. Consider a separate server or network for secure information.
  • Classify users. Evaluate access and who should or shouldn't be sharing information. Consider whether you'll allow home computers on your network, an option Abrams advises against. "The cost/risk ratio of allowing personal computers on a corporate network, even for small companies, cannot be justified,'' he says.
  • Purchase help. Look for a vendor solution that helps you safely secure file transfers, log transfer activity, archive files that have been transferred and filter what goes into and out of your network. Accellion charges a couple of thousand dollars a year for a subscription covering 25 to 50 users, Edholm says.
Most important, says Mehta, is taking action now.  If you visited the problem of file-sharing a year ago, it's time to look again. "The threat factor moves a heck of a lot faster than every so often," Mehta says.
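The "inadvertently sharing files" risk above and the "classify documents" advice both come down to one check: before a folder is exposed by a P2P client or a sync tool, find out whether anything in it looks like customer or payment data. The following Python script is an added example, not from the original article or any vendor it mentions. It walks a folder and flags files containing Luhn-valid card numbers or US-SSN-shaped strings; the sample files, the share layout and the two detectors are constructed for the example, and a real deployment would add the patterns that matter to its own business.

```python
"""Scan a to-be-shared folder for files that should never be in it.

Added example, not from the original article. Two constructed detectors:
a 13-16 digit card-number pattern validated with the Luhn checksum (so
random digit runs such as invoice references do not fire) and a
US-SSN-shaped pattern. The sample share is built under a temp dir.
"""
import os
import re
import shutil
import tempfile

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of digits, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return the set of sensitive data types found in a string."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("card")
    if SSN_RE.search(text):
        found.add("ssn")
    return found


def scan_share(root):
    """Map relative path -> sorted data types for every file under root that contains any."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    types = classify_text(f.read())
            except OSError:
                continue  # unreadable file; a real scanner would report it
            if types:
                hits[os.path.relpath(path, root)] = sorted(types)
    return hits


def demo():
    """Construct a small share with one music file, one order file, one HR note and one invoice."""
    share = tempfile.mkdtemp()
    os.makedirs(os.path.join(share, "music"))
    with open(os.path.join(share, "music", "playlist.txt"), "w") as f:
        f.write("track 1\ntrack 2\n")
    with open(os.path.join(share, "orders.csv"), "w") as f:
        f.write("Acme,4111 1111 1111 1111,paid\n")  # well-known test card number, passes Luhn
    with open(os.path.join(share, "hr.txt"), "w") as f:
        f.write("ssn 078-05-1120 (constructed sample)\n")
    with open(os.path.join(share, "invoice.txt"), "w") as f:
        f.write("ref 1234 5678 9012 3456\n")  # 16 digits but fails Luhn, so not a card
    result = scan_share(share)
    shutil.rmtree(share)
    return result


if __name__ == "__main__":
    for path, types in demo().items():
        print(f"{path}: {', '.join(types)}")
```

Pointing scan_share at a P2P client's configured share directory, or at the folder a sync tool publishes, gives a concrete answer to "is anything confidential in there?" before the folder goes live, which is the moment the FTC letters above show is too late.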

Are Your Passwords Too Weak?

Hacked passwords can compromise company data security. Strategies for creating the best passwords



"Breaking: Bill O Reilly is gay." That message was sent from the Fox News Twitter feed in January. A hacker had broken into Twitter's systems, thanks to a weak password chosen by a Twitter employee. By using a so-called dictionary attack -- a program that guesses passwords by systematically trying every word in the dictionary -- the hacker had figured out a Twitter employee's password: happiness. After gaining access to Twitter's systems, the hacker leaked the passwords used by Fox News and several celebrity Twitter users, including Britney Spears and Barack Obama. Some of those Twitter feeds were subsequently filled with obscenities and links to pornography.
Then, in July, another hacker broke into a Twitter employee's personal e-mail account and was able to find a password the employee used for several Web services, including Google Apps, which Twitter employees use to share private company documents. The hacker then forwarded the sensitive information to a popular technology blog, which published many of the documents, including notes from company meetings.
As Twitter learned the hard way, data security measures are useless if a hacker manages to get an employee's password. And yet most people are pretty lazy when it comes to passwords. Security experts recommend using a different password for each application, but a survey by Sophos, a security firm, found that 81 percent of respondents used the same password for multiple sites. About a third of them used the same one for everything.
Many people use very simple passwords: two of the most commonly used are password and password1. Others choose easy-to-remember words or dates. These weak passwords are no match for a dictionary attack, say security experts, and cracking tools do not stop at the dictionary: they also try the obvious mutations, such as appending a digit or swapping letters for look-alike symbols, at millions of guesses per second once they hold a copy of the password database. Passwords composed of random strings of uppercase and lowercase letters, numbers, and punctuation can usually withstand such an attack, but those are tough to remember.
Fortunately, there are some ways to create strong, memorable passwords. Two words connected by a number will thwart a plain dictionary attack, though modern tools try such combinations too, so a full sentence, such as Jane Smith's Salesforce login is password, or a line from a song or a nursery rhyme, is the better choice: length adds far more to cracking time than any substitution trick. For online applications that cap password lengths, try a mnemonic, or memory aid, such as an abbreviation. For instance, take the first letter of each word in the phrase Jane Smith's Salesforce login is password. Then, to make it stronger, add an 's and substitute the number 1 for the letter l and an equal sign for is. You get JS'sS1=p, an acceptable eight-character password where nothing longer is allowed. Other tricks for strengthening abbreviation passwords are to swap an @ sign for an a and the number 3 for an e, bearing in mind that these swaps are the first rules a cracking tool applies, so they help only on top of a phrase that is not in any wordlist. You can vary this formula for each application you use.
Vaclav Vincalek, president of Pacific Coast Information Systems, an IT and security consultancy in Vancouver, British Columbia, uses a different mnemonic. He picks a pattern on his keyboard, like the triangle formed by the c, 6, and n keys, and enters the keys of the pyramid twice: once in lowercase, once in uppercase. Be aware that common keyboard walks are themselves in cracking wordlists, so an unusual pattern matters more than the trick itself.
If you still have trouble remembering passwords, there are some technological fixes. Bruce Schneier, a security expert who is chief security technology officer at BT, a telecom company in the United Kingdom, created Password Safe, a free program that stores passwords. Now, he needs to remember only one password -- the one for Password Safe. Other password vaults include RoboForm and Mitto.
Some programs -- Passlogix, Imprivata, and myOneLogin -- let companies manage employee passwords for applications inside and outside the firewall for as little as $3 per user per month. Such programs tout their ability to give workers a single sign-on, one login for access to their corporate network, e-mail, and applications.
There's also software that keeps tabs on whether employees use strong passwords. Password auditing programs such as L0phtCrack, which costs $295 and up, apply various hacking techniques to check user password strength. More sophisticated -- and more costly, at $13,000 and up for a software license -- security tools such as Cloakware, Cyber-Ark, and e-DMZ Security can bar an employee from using the same password for, say, logging in to e-mail as for checking the company financials.
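The dictionary attack described at the top of this piece and the password audit tools described just above are the same technique seen from the two sides of the fence. The following Python script is an added example, not from the original article or from any of the products it names: it hashes every wordlist entry plus the simple mutations a rule-based cracker tries (capitalisation, appended digits, l-to-1 and a-to-@ style swaps) and compares them against stored hashes, recovering the weak passwords from the article and failing, as intended, against the mnemonic one. The wordlist, the three accounts and their hashes are constructed for the example; SHA-256 stands in for whatever unsalted fast hash a real breached database used, and real audits use wordlists of millions of entries.

```python
"""Dictionary attack with mangling rules, used as a password audit.

Added example, not from the original article. candidates() models the
rules a cracker applies to each wordlist entry; audit() hashes every
candidate and looks it up in the stored-hash table. SHA-256 without a
salt is used deliberately to model a fast, unsalted store; a store using
bcrypt, scrypt or Argon2 with per-user salts makes this loop thousands of
times slower per guess and defeats the hash-table lookup entirely.
"""
import hashlib

# Constructed mini wordlist; real ones hold millions of entries.
WORDLIST = ["password", "happiness", "letmein", "welcome", "dragon"]
LEET = str.maketrans({"l": "1", "a": "@", "e": "3", "o": "0"})


def candidates(word):
    """Generate the mutations a rule-based cracker would try for one word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "123", "!", "2011"):
            yield base + suffix


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def audit(users, wordlist=WORDLIST):
    """users: {name: hex hash}. Return {name: recovered password} for every weak account."""
    targets = {h: name for name, h in users.items()}  # hash -> account, for O(1) lookup
    cracked = {}
    for word in wordlist:
        for cand in candidates(word):
            h = sha256_hex(cand)
            if h in targets:
                cracked[targets[h]] = cand
    return cracked


# Constructed accounts: two weak choices from the article, one mnemonic passphrase.
USERS = {
    "twitter_admin": sha256_hex("happiness"),
    "helpdesk": sha256_hex("Password1"),
    "jane": sha256_hex("JS'sS1=p"),
}


if __name__ == "__main__":
    for name, pw in audit(USERS).items():
        print(f"WEAK: {name} uses {pw!r}")
```

Note what the output does not contain: jane's password is short, yet it survives because no rule turns a dictionary word into it. That is the whole argument for mnemonics and passphrases, and also the limit of the argument: an eight-character password survives a wordlist, not an exhaustive search, which is why length still matters wherever a site allows it.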
If that sounds too complex, Schneier recommends a low-tech solution: Write your passwords on a sheet of paper and store it in a safe place. Hackers are less likely to break into a locked desk drawer.