Locking Down the Network to Block Malware
Dudley King is network security-conscious. He has to be. As principal of Pallas Technology, his customized software development business depends on it.
Two years ago, two of Pallas’ major clients, American Express and NetJets Inc., asked Atlanta, Ga.-based Pallas to undergo a vulnerability assessment. The result: Pallas now has an office full of dedicated hardware, dedicated routers and networks linked to each client, and dedicated intrusion prevention systems.
“We have to do what we can to work in this arena,” says King. “Most of the changes we made were not expensive, but involved formalizing our procedures and segregating our work.”
With malware proliferation at an all-time high, and overseas hackers making more money than ever from stealing financial information and trade secrets, businesses big and small are at elevated risk. Small- to medium-sized businesses need to do more to safeguard not only their own systems, but also those of their clients. And companies know it: a December 2006 survey of 2,434 North American small- and medium-sized businesses by Forrester Research found that improving IT security was the top concern for 2007.
But how can smaller businesses -- many without the resources to deploy entire IT departments -- best protect themselves?
Create an office-wide security policy -- and then enforce it
If your business doesn’t have a uniform computer-user policy, it’s time to develop one, notes Joe Stewart, senior security researcher with SecureWorks, an Atlanta-based information security firm. “You’ve got to define a security policy, and then enforce it,” he says.
A lot of businesses have installed anti-spyware software, but don’t have any other guidelines or policies, and so employees do whatever they want, Stewart says. But allowing e-mail with attachments, or e-mail coming in from AOL, Gmail, or MSN accounts, can be an open invitation to viruses, worms, Trojans, and the lot. Stewart recommends office-wide “no e-mail attachment” policies and a standard e-mail gateway system. Solutions include a basic Linux mail gateway system, or outsourcing e-mail scanning to companies such as MessageLabs or Postini. E-mail protection services have become more affordable, often running less than $100/month for an outfit with fewer than 100 users.
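What enforcing a “no e-mail attachment” policy at a mail gateway can look like, as an added example that is not from the article or from any product it names: a Python filter that removes every attachment from an inbound message and delivers the plain-text body with a notice. The function names, notice wording and sample message are constructed for illustration, and the filter assumes each message carries a text/plain body.

```python
# Added example (not from the article): enforce a "no e-mail attachment"
# policy on one inbound message at a mail gateway.
from email import message_from_bytes, policy
from email.message import EmailMessage

NOTICE = "[gateway] Removed by office e-mail policy: {}"  # hypothetical wording

def is_attachment(part):
    """True for a filename, an attachment disposition, or non-text content."""
    return (part.get_content_disposition() == "attachment"
            or part.get_filename() is not None
            or part.get_content_maintype() != "text")

def strip_attachments(raw: bytes):
    """Return (clean_message, removed_names); clean_message is plain text only."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed, texts = [], []
    for part in msg.walk():
        if part.is_multipart():  # containers hold no content themselves
            continue
        if is_attachment(part):
            removed.append(part.get_filename() or part.get_content_type())
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_content())
        # inline text/html is dropped: only the plain-text body is delivered
    clean = EmailMessage()
    for name in ("From", "To", "Subject"):
        if msg[name] is not None:
            clean[name] = str(msg[name])
    notes = [NOTICE.format(n) for n in removed]
    clean.set_content("\n".join(texts + notes))
    return clean, removed

def build_sample() -> bytes:
    """Constructed sample: a short note carrying one executable attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "staff@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"constructed sample bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()

if __name__ == "__main__":
    clean, removed = strip_attachments(build_sample())
    print(removed)
    print(clean.get_content())
```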
Beware of Instant Messaging and Skype
Does your business absolutely need instant-messaging (IM) capability? If not, block it, says Stewart, noting that it’s just one more way malware can infiltrate your network. If you do rely on IM, consider systems like Jabber (an open streaming XML alternative to consumer IM services) and set it for internal use only. Stewart also notes that popular voice over Internet protocol (VoIP) products, like Skype, are not immune. “Skype is an IM platform, not just VoIP,” he says. “The malware people know this.”
Set PCs to “limited user” where possible
Setting up new Windows XP workstations with “limited user” privileges instead of “administrator” privileges (the default setting) for everyday tasks will also help limit hackers’ ability to install malware. It will also help prevent employees from downloading “freeware” that could expose the office to still more computer diseases. Where it doesn’t interfere with existing applications, reset the other computers in the office the same way.
Consider the Firefox browser
If your business can get by without Microsoft's Internet Explorer as its Web browser, make the switch to Mozilla's Firefox, says Stewart. Because Firefox isn’t as widely used, it’s safer: Google searches run from Internet Explorer are increasingly resulting in “drive-by downloads,” malware that’s triggered when a user clicks on a seemingly legitimate Web link.
Not all businesses can stop using Internet Explorer -- certain business-to-business applications, for example, require its use. But companies can limit its use in favor of Firefox for many tasks. However, Stewart warns, as Firefox increases in popularity, its risk of becoming a malware target will increase, too.
While these tips won’t completely safeguard your network, they should eliminate many of the risks. But so long as hacking remains lucrative, Stewart notes, “there is no perfect solution.”