
Computer Security 101

               

Sensitive information
 

Your computer can be a goldmine of personal information for an identity thief. If you leave your computer unattended, anyone can walk up, sit down and see what you've been doing. For example, Internet Explorer has a history feature that lets you see what web pages you have been browsing (View...Explorer...History). People are also unaware that it takes only a few seconds for a hidden file to be planted in one of your directories, where it can cause all kinds of mischief.
 
The U.S. Secret Service has estimated that consumers nationwide lose $745 million to identity theft each year. As recently as April 2006, a notebook containing information on 3,600 Boeing employees was stolen. This was not the first such theft: in November 2005, a laptop was stolen containing the personal data of 161,000 Boeing employees and retirees.
 
So what can you do if you become a victim of identity theft? Boeing provided a free service to allow people to check their credit history. Signs to check for include unexplained charges or withdrawals from your financial accounts, unexplained credit card accounts, and previous addresses listed on your credit report where you have never lived. If bills or other mail stop arriving in your mailbox, check whether the thief has submitted a change of address without your knowledge. If a credit application is denied for no apparent reason, or debt collectors begin calling about merchandise or services you didn't buy, contact the police immediately.

According to the Identity Theft Resource Center, the average victim spends 607 hours and an average of $1,000 just to clear their credit records.

As with any crime, you cannot control when the event will happen. As a website owner, you might find that hackers purposely break into your system, leave hacker graphics, and generally try to destroy the workings of your application. This disrupts your customer base and costs you a lot of time restoring your program to its original state. To keep such an attack from completely destroying your website, back up your database and all important graphics, data, and written procedures needed to keep your website up and running. If you are hacked, file an FBI report right away. Most of these criminals leave behind clues such as web URLs, graphics and hidden information that a savvy programmer can discover and use to help the FBI stop these types of crimes.

Besides backing up your data, you can minimize your risk by remaining diligent and by minimizing outside access to your personal information.
  

Risk management
 
Risk safeguards must be taken into account during all phases of the system's life cycle. Risk is defined as the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability of your systems or data. Risk management includes risk avoidance (simply avoid the problem: if your building is in a flood zone, move somewhere else), risk mitigation (controls that are used to reduce the chance of the risk occurring), and risk transference (if a loss is to occur, another entity might be used to accept the risk; for example, an additional backup of data is used if the main data area has been damaged by fire, etc.).
 
Risk analysis formulas that help quantify risk require research to determine the values of the following data:

  • Asset Value (AV): value of the asset in dollars
  • Exposure Factor (EF): percentage of loss a threat would cause for an asset
  • Single Loss Expectancy (SLE): loss from a single occurrence of a threat (SLE = EF x AV)
  • Annualized Rate of Occurrence (ARO): estimated frequency of a threat in one year
  • Annualized Loss Expectancy (ALE): total expected loss per year (ALE = ARO x SLE)
 

The quantitative analysis of information risk is measured by low, medium or high risk. What is the likelihood that a particular threat will occur? What countermeasures will be taken to reduce identified threats? What is the likelihood of risk after you have implemented safety measures?
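The formulas above can be carried through a small risk register that ranks threats by ALE and compares ALE before and after a countermeasure. This is an added example, not part of the original page; the dollar figures are constructed, and the `safeguard_value` comparison (ALE before, minus ALE after, minus the yearly cost of the control) goes one step beyond the formulas the page lists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost (0.0 to 1.0)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        return self.exposure_factor * self.asset_value   # SLE = EF x AV

    @property
    def ale(self) -> float:
        return self.aro * self.sle                       # ALE = ARO x SLE


def rank_by_ale(risks):
    """Highest expected yearly loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Yearly loss avoided by a countermeasure, minus what it costs to run.
    This comparison is an assumption added here; the page only defines ALE."""
    return before.ale - after.ale - annual_cost


# Constructed figures for illustration only.
db_no_backup = Risk("website database, no backup", 40_000, 0.5, 0.5)
db_with_backup = Risk("website database, off-site backup", 40_000, 0.125, 0.5)
laptop = Risk("stolen laptop", 2_000, 1.0, 0.25)

if __name__ == "__main__":
    for r in rank_by_ale([laptop, db_no_backup]):
        print(f"{r.name}: SLE=${r.sle:,.0f} ALE=${r.ale:,.0f}")
    print("backup worth per year:",
          safeguard_value(db_no_backup, db_with_backup, annual_cost=1_200))
```

A positive result means the countermeasure avoids more expected loss per year than it costs.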
  

Accountability
 
You can take steps to protect your data. By regularly making backup copies of your files and storing them in a separate location, you can typically get some, if not all, of your information back in the event your computer crashes.
 
There are also ways to document the crime when someone has stolen your email address. A lot of people are finding unknown email in their inboxes. What can you do if you open your mailbox and find emails being returned to you with your email address as the sender (though you did not send them), and the body of the email is selling drugs or contains strange messages that have no meaning? What happens is that most of these messages have bounced, and your email address is put on a blacklist or deletion list, meaning you may not be able to send to people in the future unless you backtrack and contact the person behind the IP address of the computer that really sent out the email messages.
 
What this person is doing is posing as you and sending out spam. Spam is illegal in the U.S. and carries a very high fine of around $11,000 in some cases. ALWAYS copy the header and report the crime not only to the FBI but also to the originating organization that sent out the email. In most cases you will not be able to track the spammers down because they put in several false headers, but by documenting and keeping these emails for the proper authorities, you can reduce your risk of being charged with spam. Headers usually contain IP addresses, and you can prove what your computer's IP address is by going into NetMeeting (Start...run...conf) and looking at the last item under the Help menu. At the bottom of the Help menu will be your IP address.
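One way to document the IP addresses in a bounced message's headers and show that your own address is not among them, as an added example that is not part of the original page. The message, host names and addresses below are constructed, and `received_ips` and `report` are hypothetical helper names.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: headers of a bounced message that names you as sender.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Tue, 02 May 2006 10:15:03 -0400
Received: from unknown (HELO pc) (203.0.113.45)
\tby mx.example.net with SMTP; Tue, 02 May 2006 10:14:58 -0400
From: you@example.org
To: stranger@example.com
Subject: constructed sample

body
"""

# An IPv4 address written in [brackets] or (parentheses), as mail servers log it.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def received_ips(raw):
    """IP addresses from the Received headers, newest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        for candidate in IP_RE.findall(value):
            try:
                hops.append(ipaddress.ip_address(candidate))
            except ValueError:      # e.g. 999.1.1.1 is not a real address
                continue
    return hops


def report(raw, my_ip):
    """Summary to keep with the saved message when you report it."""
    hops = received_ips(raw)
    # Each server adds its Received line on top, so the last one is the
    # earliest claimed hop. Lines below the one your own provider added
    # can be forged by the sender, so treat them as claims, not proof.
    return {
        "hops": [str(h) for h in hops],
        "earliest_claimed_hop": str(hops[-1]) if hops else None,
        "my_ip_present": ipaddress.ip_address(my_ip) in hops,
    }
```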
 
Make sure you include your IP address when forwarding your information to the FBI so they know that you are not the spammer.

Another way thieves get your personal information is by phishing. I get countless emails telling me that they are from my bank or eBay, but when you let your mouse hover over the email link you see that the link goes elsewhere. Phishing is defined as the act of sending an email to a recipient while falsely claiming to be an established, legitimate business. The intent of the phisher is to scam the recipient into surrendering their private information, and ultimately to steal their identity. Never use the link in an email to log in with your personal information; it is much safer to type into your browser the link that was given to you when you signed up for your service. We cannot prevent a lot of crime, but we can plan on overcoming the results by being actively aware and by documenting the results of our actions and the actions of others.