Information Security: Overview, Statistics, and Tips

• March 03, 2013
• by Kelly Cory

Editor's note: This article was written by an industry professional and guest contributor. The views and opinions in this article are of the author and do not reflect the views of PInow. If you are a blogging investigator and you have a story to share, send an email to [email protected]. The author is independent of any specific company, program or software that would benefit from the promotion of this information. This article is meant solely as an informational piece to help educate others on how to protect themselves and their companies. Any recommendations and tips should not be construed as legal or professional advice. Should you have any specific questions or concerns regarding your information security, contact a trained IT professional.

What is Information Security?

Information security, also termed cyber security, is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.

National Institute of Standards and Technology

In business, the term information would include any company policies, procedures, emails, invoices, payroll, employee data, client data, passwords and company website. For investigative agencies, for example, subject identifiers and investigation data would also be considered sensitive or confidential information that would need to be safeguarded.

Information systems include computers, networks, accounting programs, case management software, online data storage, etc.

Note: Security of information not only is relevant for computers but extends also to smartphones and any other electronic devices which are used to connect to the Internet.

Why is Information Security Important?

Internet crimes are on the rise. Internet crimes include identity theft, credit card fraud, scams, computer crimes, spam, malicious links/viruses/codes/programs, sexual predators and non-delivery payment/merchandise to name a few. The FBI reported 303,809 complaints of internet crime in 2010. The 2011 Norton Cybercrime Report estimated that the annual total cost of cybercrime is approximately $388 billion.  That number included $114 billion in direct theft and time spent resolving attacks in addition to another $274 billion for productive time lost by victims due to cybercrimes committed against them.

People often have the misconception that if they are not doing anything important online, then they wouldn’t be a target. It doesn’t matter who you are or if you stand out in some way. Hackers have software programs designed to scan about 10,000 computers an hour to identify those with a weakness to penetrate and launch attacks against them.

Having the best antivirus protection in the world still won’t protect you if you do not use strong passwords. Brute force attacks have become much easier with the advent of sophisticated algorithms specifically targeted at cracking passwords. According to Woopra, one of the world’s leading web analytics companies, the average time to hack a password with only 5 characters all in lower case using just an average computer is about 12 seconds. The average time it takes to hack a password with 8 characters all in lower case is about 2 ½ days. But if you make your password stronger (longer, include capital and lower case letters and special characters), you can significantly reduce your risk of having your account hacked by a brute force attack. For instance, if you use a password which is 8 characters long and using all character types, it would take over two centuries to hack. If you raise that to 9 with characters of all types, it would be 20 millenniums before that password was likely hacked. This is all considering the use of only an average computer used to conduct those brute force attempts. Just imagine if stronger computers were used to implement those attacks. Cyber criminals have lots of money and can afford powerful equipment to handle the efforts they need to hack numerous accounts quickly.

Less serious cyber criminals or individuals with malicious intent can still hack your accounts by brute force without sophisticated computers simply by learning something about you. People tend to use passwords that they remember. A great deal of personal information, preferences, favorite books, songs, activities and names can be found on a person’s social networking page these days. How many of you use your dog’s name as your computer password or your date of birth as your cell phone’s voicemail password?

Who is attacking?

• Experimenters and vandals-also called “script kitties” going after the notoriety and in it for the challenge (bragging rights)
• Hactivists-believe they are vigilantes fighting for a cause
• Cybercriminals-for profit (have lots of money and commission custom software and trojans to use towards small businesses who don’t have as much protection with a lot to lose)
• Information warriors-spies; going after Departments of Defense organizations of nations

Reasons for launching attacks vary and can be for money, access to additional resources, competitive advantages, grievance or vengeance, curiosity, mischief, attention or notoriety.  There are people out there who are professional cyber criminals, script kitties who hack for the thrill of the challenge and everyone in between.  Additionally, as one can imagine, in difficult economical times people may become desperate as finances get more strained.  Just like every industry which was hit by layoffs and cut backs, there are a lot of highly skilled information technology specialists out of work who have time on their hands and families to feed.  

Who and what are common targets?

Hacking has a much higher number due to the fact that hackers use sophisticated scanning software to find unprotected computers.

Specific targets are end point operations, your word processor, office software, PDF readers, social networking, emails and mobile applications. The bad guys want access to you and your client information, access to your money, your personal identifiers, to connect you to a botnet, to connect or use your information for political reasons, to use your resources for hidden file storage, and to identify anything they can use from you to make money. Your personal information is valuable and there are some people out there who want it to sell for a hefty profit.

According to the OSF DataLoss in 2010, the average number of identities exposed per data breach was as follows:

• 262,767 from hacking
• 68,418 from insiders
• 67,528 from theft or loss
• 30,572 from insecure policies
• 6,353 from fraud

Hacking has a much higher number due to the fact that hackers use sophisticated scanning software to find unprotected computers.

Small businesses are prime targets for malicious attackes. . . However, everyone is at risk! There was a 400% increase in computer infections leading to more data breaches in 2010 than in the last four years combined.

It is important to note that small businesses are prime targets for malicious attacks. It is estimated that there are 26.8 million small businesses in the US and most small businesses (89.9%) have fewer than 20 employees. Small businesses usually don’t feel like they are at risk and are largely unaware of the need for protection. Therefore, they tend to not focus on security and remain unprotected. Like any business, small businesses maintain confidential information, employee and client data, trade secrets, financial information and those are all prime targets for attacks. Some companies have even more at stake than some other businesses as they typically deal with sensitive and confidential information regularly. So, combine lack of thorough security measures with high stakes information at risk and you have a ripe target for an attack against your business.

However, everyone is at risk! There was a 400% increase in computer infections leading to more data breaches in 2010 than in the last four years combined.

Common Security Attacks

Theft of data, services and resources: stealing computer files, accessing accounts, interception of emails or internet transactions, stealing laptops or computers.

• Tip: Secure and encrypt critical data.
• Tip: Only have a cleaning crew come while you are present.

Denial of service: attacking computer or website (locks up equipment or crashes your system)

• Tip: Don’t let your domain expire. People scan domains for expiration dates and when they find ones owned by companies which are about to expire, they monitor and wait for that to happen so they can obtain them and either hold them for ransom or use them to promote their services [your domain name is a company asset].
• Tip: Review a website analytic program to keep track of who is viewing your website. 
• Tip: Have your domain and hosting set up in the company owner’s name not the IT person’s or an employee’s-so they can’t take it with them if their employment is terminated.

Malicious codes and viruses: finds and sends your files over the Internet, can find and delete critical data, lock up your computer or system, hide in program documents or create hidden files, can install on your system and record your keystrokes

• Tip: Use strong antivirus and malware programs on all computers and smartphones.

Insider threats: non-business use of computers may expose system to threats, disgruntled employees, vendors or subcontractors, unauthorized use or misuse of resources, illegal transfer or storage of information, compromised data (loss or alteration)

Other threats: spoofing, snooping, social engineering, abuse of system privileges, ransomware, insider threats, phishing, spear phishing, spam, compromised websites

Results of an attack: Costs time and money, stops/slows work and workflow, network crashes or lock outs, prevents email communication, shuts down electronic commerce, embarrassment or diminished credibility, repair costs, legal expenses, misinformation, loss of business, out of business, loss of public confidence in business

Consequences

Consider if a virus or other malicious program compromises one of your computers and steals a copy of your business’ sensitive information (employee health information, employee personally identifiable information, customer financial information or even personal identifiers or logins for restricted private databases). Such a loss could easily result in identify theft for employees and customers. It’s not unusual for business owners or managers to be unaware of the financial risk to the business in such situations. It is important to understand that there are real costs associated with not providing adequate protection for sensitive business information.

• Direct legal liability: Exposing of trade secrets, lawsuits covering improper disclosure of data, breach of contract, etc.
• Non-legal liability: Business interruption, data loss/corruption, damaged public image and reputation, increase in insurance premiums or cancellation, loss of employee productivity.
• Indirect legal liability: Copyright infringement, illegal storage on your network system (child pornography or other illegal materials), aiding and abetting (where a network is used to attack another network).
• Regulatory Consequences: Consequences for violating regulations set by the GLBA (Gramm-Leach-Bliley Act), HIPAA (U.S. Department of Health and Human Services), SOX (Sarbanes-Oxley Act), and FACTA (Fair and Accurate Credit Transactions Act).

Expectations from clients and customers

Clients and customers of businesses expect that their private information is being appropriately protected. Customers have confidence that companies should be taking the appropriate measures to keep their data and information secure; and that it will not fall into the wrong hands. If a business accepts credit cards, they are expected to be PCI DSS compliant. If a company deals with medical records, it is expected that they are HIPAA complaint.  

Some information in a business needs protection for integrity. Other information needs protections for availability. It is also important to note that some of the information used by companies requires special protection for confidentiality, and those companies are expected to keep that information secure and confidential.

Due Care (planning) and Due Diligence (taking action)

Due care means it is time to leave behind amateur efforts.

Justin Tsui, Team Logic IT

It is the company’s responsibility to conduct due diligence in protecting their information. Therefore, they must first implement due care, the care and forethought that a reasonable individual would exercise under the circumstances.  This includes planning for and taking care of information security and staying up to date on the topic as well as being thorough on protecting yourself and your business. Due care is the standard for determining legal duty. You must be able to demonstrate that you took due care in information security in court to defend against negligence in a lawsuit should you be the victim of a security breach.

Due diligence is the effort made by a reasonable individual to avoid harm to another party, and when failure to make that effort may be considered negligence. What this means for information security is keeping updated on all industry recognized best practices and making changes accordingly.  Information security is an ongoing journey not a final destination.

Information Security Tips

Don’t wait for an issue to arise to deal with the topic of information security!  Once a network security breach has occurred, it is the worst time to implement a security plan.  At that point the damage has already been done and has already become much more expensive than if security was addressed before any issue had occurred.

The following is a list of some best practice steps which a small business can take to increase their information security. This list is provided solely for information purposes only and should not be construed as legal or professional advice. Should you have any specific questions regarding your information system or how to implement security, please contact a trained IT professional.

1. Identify your risks
2. Determine the cost of: lawsuits, rebuilding data, loss of work/time
3. Assess how much risk you and your business can live with (note: You cannot eliminate 100% of all risks)
4. Protect: computers, networks, software, operations, business processes

Protecting computers and software

• Install a firewall (multiple where needed), use a strong antivirus program and malware detection software, set web content filtering, run trusted anti-spyware, anti-spam, and anti-phishing programs on your computer.
• Do not download files, click links or open attachments from unknown sources. To date you cannot get a computer virus simply by reading an email alone, but those days are coming.
• Ensure important data and records are backed up regularly and stored off-site through automated data and system backups. The goal is to be able to restore your system and data to what existed before a malicious attack, virus, code problem, theft, destruction, data integrity issue or equipment failure. When using off-site data storage be sure the information is stored encrypted and the minimum standard encryption is used: fit 140 FIPS-2 compliance. TEST YOUR BACKUPS and know how to restore your data!
• Have a security policy in place which implements best practices: enforce safe internet, email, desktop and personal practices, teach all users safe computing and Internet skills.
• Read all details of any smartphone application carefully before you download it to understand what access it will have to your information.
• Keep operating system updated and make sure all patches for applications are current.
• Keep the “automatically connect to a wireless network” feature turned off on your smartphone so that when you are just walking around you can’t have your logins and passwords scanned right off of your phone.
• Use strong passwords and change them often. Don’t use the same passwords on all accounts. If one gets hacked the bad guys know to try other likely accounts you may have with the same password. Also be cautious about where you store your passwords. A flash drive locked in a file cabinet is a good idea - stored with an online password memory program seems like a great target for hackers.
• Don’t allow online sites to save your passwords or credit card information. What happens if that company’s site gets hacked?
• Use screen locking on your computer, log off at the end of the day and power down your system at the end of the day.

Protecting operations and business practices

• Conduct a background check on yourself. Make sure there isn’t anything on your record that wasn’t put there by you (ex: criminal records, judgments, liens etc.) and run your free credit report yearly.  
• Confirm identities of people or organizations requesting your information.
• Control access to important company data.
• Use locks (buildings, file cabinets, computers), alarms, anonymity, guards.
• Accompany all vendors or repair persons who enter your business or home.
• Control employee termination/departures.
• Be cognizant of proper handling of data in remote environments.
• Change your email settings to display “plain text” to avoid any hidden codes which could be malicious
• Beware of public wireless networks. Places which offer free wireless connections can be hot spots for hackers because it is so easy to track someone’s cookies and recreate what someone is looking at on their computer screen. It’s not a good idea to access sensitive information on public wireless connections. This includes logging into databases, running DMV information, conducting online banking etc.

Protecting home/office wireless Internet networks:

• Change the default identifiers (SSIDs) and don’t broadcast them
• WPA2 (WiFi Protected Access 2) is the minimum encryption to use for wireless according to NIST
• Change the name of the wireless router box (too easy for someone to use a search engine to find out how to hack the router box by name)
• Change default encryption keys often
• Change the wireless access point administrator password

Additional Assistance and Sources:

Be sure to get professional help when you need it. Check reviews, get references (and call them) and find out how long the company has been in business.

Where to report scams/frauds: FBI Internet Crime Complaint Center www.ic3.gov
National Initiative for Cybersecurity Education: www.nist.gov/nice
National Cyber Security Alliance for small businesses and home users: www.staysafeonline.org
Federal Trade Commission: www.ftc.gov/bcp/edu/microsites/idtheft
Information Assurance Support Environment, Defense Information Systems Agency http://iase.disa.mil

What to do if you become a victim of identity theft: File a police report. Notify the top three credit bureaus to put your name on fraud watch so extra measures must be taken for accounts to be opened in your name and suspect transactions are flagged for closer attention. Change all of your passwords and request new credit cards.

About the Author

Kelly Cory is a licensed professional investigator who specializes in customized litigation support and complex investigations. Cory has been sought out for her expertise in background and cyber investigations, interviewed on the topic of database research and educates on the importance of information security. Learn more about Cory’s company, Keystone Investigative Services, Inc. at www.keystoneis.com.

Become a guest contributor

This article was written by an industry guest contributor. If you are interested in submitting a guest post or have an article suggestion, send an email to [email protected].