This is pretty long, but well worth the read.
Here are some helpful computer security tips as we head into 2016.
- If you use other computers to login to your work computer. Don’t, unless you know where that computer has been. Always assume that all other networks and computers are compromised. What I mean by this is that you should assume there is a keylogger on all other computers and that as soon as you enter your username and password, this information is immediately sent to bad guys.
If you absolutely need to login from computers you can’t trust, then contact us and we can set you up with something called two factor authentication where not only do you need a username and password, but also a code generated by a third product. This is actually good to have no matter what.
- Always be mindful of the type of network you are on. If you are on a public wifi, pay attention as to whether it is secure or not. If it isn’t secure, be aware of the risk you are taking. On an unsecure wifi, any information you send can be captured by anyone else on that network. I’m not sure just how much of an impact on security this has, since all sites requiring a username and password should be secure anyway.
One thing to keep in mind about this is that the way most networks are setup, incoming packets (data, transmission, however you want to refer to it) from the Internet are dropped unless requested. Most networks keep track of all outbound packets and only let packets back in that are requested. This, by itself, provides a decent amount of protection. The firewall on your device doesn’t have to work as hard, basically. Now, when you are inside a network, you are vulnerable to all other computers inside that network. That’s why it’s important for us to keep unknown systems out of the company network. When you are travelling, your system is vulnerable to attacks. There is no other system protecting it from other systems on the “local” network. Many people refuse to use wifi and instead rely on wireless broadband connections (from AT&T, Verizon, etc).
What does all that mean? If you’re in Las Vegas during one of the hacker conventions, I wouldn’t recommend turning your company on at all. Just be aware of your surroundings and understand the risks. If you are travelling, do NOT turn off the internal Windows firewall, it may not be great, but it is still better than nothing.
- Number 2 brings me to the next point. Make sure that any site you have to enter personal information, which includes username, password, credit card, etc., starts with https. If it doesn’t, assume you are broadcasting this information to the world.
- Take the time to pay attention to links in emails. Hover over the link and make sure you are going to where you think you are.
An example of this:
If you are supposed to be going to Chase, make sure you see chase.com/ in the link. Note that chase.com.gotcha.com/resetpassword is NOT Chase. Make absolutely sure that there is nothing else between chase.com and the first forward slash. If there is, even if it is chase.com.us/something it is NOT Chase. Check for misspellings. Chasse.com is not chase.com. Chase.us, chase.net, etc is not right.
Taking a few seconds to make sure you are going to a legitimate site can save you, at the minimum, hours of time, possibly thousands of dollars. There is no protection other than practicing safe internet usage from cryptolocker and its variants.
- Never send credit card information via email. Email is not secure. You might as well yell out this information in a crowded room.
- Email is not necessarily reliable. It was never designed to be. It’s never going to be. Email is designed to work on unreliable networks and sometimes it may take hours for an email to be delivered due to a temporary glitch between the two email servers. When it can’t be delivered, it will keep trying for, usually, up to 14 days. Most of the time, you will not be notified of this and will not be notified of successful or unsuccessful delivery. Sure, there are options to be notified if the email has been read or delivered, but most people have those turned off. Also, there was the option to notify you if you sent an email to someone that didn’t exist, but this has been turned off. The reason? Spammers used this against us. They would send hundreds of thousands of emails to servers and those email addresses that they did not get a “bounce” or undeliverable message on, they knew were legitimate addresses.
- Don’t send files through email. Again, the capability might be there, but it wasn’t designed to handle today’s file sizes. Send the file as a link using a third party system.
So along with this, what can businesses do to help protect their networks?
- My number one recommendation is to engage the services of a managed services provider. One of their many jobs is to protect your systems. If you aren’t, contact us about getting started.
- Only allow company owned computers to access the company network. Your IT provider has no control over other computers. You have no idea where they have been and what might be on them.
- Pretty much all businesses today have some kind of remote users. These users need protection while outside the safe confines of the company network. There are several things that should be done to help protect them and the company network.
- Invest in the DirectAccess solution from Microsoft. This provides an “always on” connection back to the company network and provides a secure connection so that whether your remote users are on public wifi or secure wifi, anything being sent back and forth between them and the company network is secure.
- Invest in a VPN solution. There are two reasons for this.
- It allows phones and tablets to have a secure connection back to the company network for access to company files.
- It can provide an additional layer of protection. I have my own VPN setup so that all traffic is routed through the VPN. While traveling, when I connect my VPN, all of my traffic is encrypted and going back through my firewall at my office. I don’t have to worry about anyone else “snooping” and capturing my data packets on an open wifi network. It’s all secure. Now, granted, the user experience is not that great when trying to use services such as Netflix because at this point, I’m depending on my internet connection at the office to receive and then upload the video from Netflix to me. If I run into problems, I can simply turn off the VPN while using Netflix.
- Use RemoteApps when possible. This is more of a usability suggestion. Applications such as QuickBooks and other database based applications transmit too much data to run across the internet, so with these applications, we use a feature called RemoteApp. This feature is similar to a full remote desktop except we are only doing the remote desktop for one particular application. The application looks like it is running locally, when in fact, only the data containing what should be viewed along with keyboard and mouse movement is transmitted.
- Help is on the way. Hopefully in the first quarter, we’ll be introducing a service that provides a cloud based firewall so that laptops in the field are always protected by the same firewall that protects the systems within the office. The service already provides a cloud based firewall for systems within the office, but the pieces of the puzzle to provide remote protection is still in development. I think this is going to be a gamechanger and can’t wait to see it released.
If you have any questions about any of this, or are interested in implementing any of the solutions mentioned above, please feel free to reach out to discuss.