Microsoft Professional Accountants' Network newsletter
Part II: Securing your Data and Systems

By Thomas G. Stephens, Jr., CPA, CITP


Last month, we discussed high-level strategies for securing data and systems, such as defining organizational policies on information and data security, ensuring that all team members are using strong passwords, and securing email.

In Part II of this series, we address practical strategies, particularly for data on mobile computers. These include whole-disk encryption, secure web browsing, and anti-virus and malware protection. All are relatively easy to implement, and provide additional layers of security.

Taking these practical steps will reduce the chances that you will ever find yourself in the embarrassing position of having to deal with compromised data.


Whole Disk Encryption

What would happen if your laptop computer was lost or stolen? Could the data on it – including confidential company/client data – become compromised? Is your desktop computer really secure in your office? Even if you have established a strong password for logging in to your PC, is the confidential data on the hard disk at risk? In the absence of whole-disk encryption, the risk that confidential and sensitive data on your hard drive could become compromised is elevated significantly. Consider some recent examples of security breaches chronicled at www.privacyrights.org:

* Workers Compensation Fund, Salt Lake City, Utah: Stolen laptop containing Social Security numbers and other sensitive information on 2,800 individuals and 1,400 companies.

* Health Net, Mountain View, California: Stolen laptop containing Social Security numbers and other data on approximately 5,000 employees along with sensitive information on a large number of healthcare providers.

* Georgetown University, Washington, DC: Stolen hard disk containing Social Security numbers on 38,000 Georgetown students, alumni, faculty, and staff.


In fact, according to the Privacy Rights Clearinghouse, the total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005 now exceeds 218 million.

With whole-disk encryption, the likelihood that a lost or stolen laptop or hard drive could result in compromised data is reduced considerably. It would have ensured that data in each of the cases identified above would remain safe and secure. Whole-disk encryption works by encrypting everything on a hard drive – data, applications, and even the operating system. An encryption key is generally required to access the hard disk and make the data usable. The encryption key can be a logical key such as a password, or it can be a physical key such as a USB key.
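To make the mechanism in the paragraph above concrete, here is an added example that is not code from this article, nor from BitLocker, TrueCrypt or PGP. It simulates a small "volume" as a byte string, derives the volume key either from a passphrase (a logical key) or from a random key read from a simulated USB token (a physical key), and shows that the stored bytes reveal nothing without the key and that a wrong key or a tampered volume is refused rather than decrypted to garbage. The cipher construction (HMAC-SHA256 as a PRF in counter mode with an encrypt-then-MAC tag) is an assumption chosen so the example runs on the Python standard library alone; real products use AES and a far more involved key-protector design, so this illustrates the idea, not any product's algorithm.

```python
"""Illustrative whole-disk-encryption model (added example, not a product's code).

Constructed assumptions: the "disk" is a byte string, the USB token is a bytes
object, and the cipher is HMAC-SHA256 used as a PRF in counter mode plus an
encrypt-then-MAC tag.  Real products use AES; this construction is only here
because it needs nothing beyond the standard library.
"""
import hashlib
import hmac
import os

KEY_LEN = 32          # size of the volume master key in bytes
NONCE_LEN = 16        # per-volume random nonce
TAG_LEN = 32          # HMAC-SHA256 output size
PBKDF2_ITERATIONS = 100_000


def key_from_password(password: str, salt: bytes) -> bytes:
    """Logical key: stretch a passphrase with PBKDF2 so guessing is slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, KEY_LEN)


def key_from_usb_token(token_bytes: bytes) -> bytes:
    """Physical key: a random key that lives on removable media (simulated)."""
    if len(token_bytes) != KEY_LEN:
        raise ValueError("token must hold a %d-byte key" % KEY_LEN)
    return token_bytes


def _subkeys(master_key: bytes):
    # Separate keys for confidentiality and integrity, derived from the master key.
    enc_key = hmac.new(master_key, b"volume-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"volume-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: PRF(nonce || counter) for as many blocks as the data needs.
    out = bytearray()
    for counter in range((length + TAG_LEN - 1) // TAG_LEN):
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_volume(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; everything on the 'disk' is covered."""
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(master_key)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_volume(master_key: bytes, blob: bytes) -> bytes:
    """Unlock the volume; refuse (raise) on a wrong key or a modified volume."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("volume too short to be valid")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(master_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison: a wrong key yields a wrong tag, so nothing leaks.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered volume: refusing to unlock")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def unlock_with_password(password: str, salt: bytes, blob: bytes):
    """Convenience: derive the key from a passphrase and unlock, or None on failure."""
    try:
        return decrypt_volume(key_from_password(password, salt), blob)
    except ValueError:
        return None


if __name__ == "__main__":
    disk = b"CLIENT FILE: SSN 000-00-0000 (constructed sample data)"
    salt = os.urandom(16)
    master = key_from_password("correct horse battery staple", salt)
    on_disk = encrypt_volume(master, disk)
    print("plaintext visible on disk?", b"SSN" in on_disk)          # False
    print("right password:", unlock_with_password("correct horse battery staple", salt, on_disk))
    print("wrong password:", unlock_with_password("password1", salt, on_disk))  # None
```

The point to take from the example is the last two lines: the same stored bytes either unlock completely or not at all, and the check happens before any data is handed back. A physical key works the same way; swap `key_from_usb_token(os.urandom(32))` for the passphrase-derived key and keep that 32-byte value on the token rather than on the machine.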

Fortunately, from a cost-benefit standpoint, whole-disk encryption provides a very high payback, as tools for encrypting hard drives are available at little or no cost. For instance, BitLocker Drive Encryption is a standard feature of the Ultimate and Enterprise editions of Windows Vista and of Windows Server 2008. Another potential solution available at no charge is offered by TrueCrypt (www.truecrypt.org). PGP Whole Disk Encryption is another highly-rated, quality tool for whole-disk encryption. Pricing for PGP begins at $119 per user. More information can be found at www.pgp.com.


Secure Web Browsing

Much of the sensitive data we access and work with is transmitted over the Internet. This leads to the logical concern of how to minimize the risk of compromised data on a network that we do not own or control. While browsing, appropriate measures must be taken to prevent you and your data from becoming yet another statistic.

The security settings in your web browser are the first line of defense against web-based attacks. Assuming you are using Microsoft’s Internet Explorer Version 7 (IE7), notable security features and enhancements include: the Security Status bar, an opt-in for ActiveX controls, Address Bar protection, and the Phishing Filter. Each of these, along with other IE7 security features, is discussed in detail at http://www.microsoft.com/windows/products/winfamily/ie/features.mspx. Additionally, an excellent discussion of security settings for web browsers is available at http://www.us-cert.gov/cas/tips/ST05-001.html. For users of previous versions of Internet Explorer, we recommend upgrading to IE7 for, among other reasons, the enhanced security it provides.

An additional means of protecting data while browsing is to browse anonymously. When browsing anonymously, the user’s Internet Protocol (IP) address and other personally identifiable information are hidden from the websites being visited. This helps to ensure that sessions cannot be monitored by a potential hacker, and that identities and data are protected.

Anonymous web browsing is particularly recommended when browsing from a computer or network connection over which you have no control of security settings, such as at a library, kiosk or coffee shop. Anonymous browsing can be accomplished through the use of proxy servers, virtual private networks, or with services such as Virtual-Browser and BeHidden. In addition, IronKey (www.ironkey.com) provides USB-based encrypted access to a secure server, which supports anonymous browsing.


Anti-Virus and Malware Protection

Thirty years into the personal computer revolution, viruses and other forms of malware are an unfortunate fact of life for computer users. For years, we have been told to install appropriate anti-virus software and keep the virus signatures updated to protect against viruses, Trojan horses, and other forms of malware. Anti-virus software such as Microsoft’s Windows Live OneCare, Symantec’s Norton Internet Security Suite, and McAfee’s Total Protection are all solid choices in the ongoing battle against viruses, spyware, and other forms of malware.

Yet anti-virus software is not the only prescription to fight this plague on data security and productivity. Educating users on best practices for virus and malware protection is every bit as important as installing and maintaining security software. Among the precautions that every computer user should take are:

* Never open an email or instant message attachment from someone you do not know and trust.

* Never open an email or instant message attachment you were not expecting to receive.

* Never install or run software attachments that are sent through email or instant messages. This specifically includes .exe files.

* Never download software from sources you do not know and trust.

* Never click on links to websites contained in email messages you receive from unknown or untrusted sources.

* Never reply to or forward email chain letters.

Following these simple guidelines dramatically reduces the risk of infecting a computer with a virus or other form of dangerous code.


As mentioned last month, there are no absolute guarantees with respect to system and information security. Securing data and systems involves assessing risks and taking prudent, measured steps to mitigate those risks.

Next month, in the concluding segment of this series, we will take a look at information security in the future, and what types of tools and strategies might evolve into best practices moving forward.


Mr. Stephens is a shareholder in K2 Enterprises, where he develops and presents technology-related continuing professional education programs to accounting and finance professionals across the United States. You may reach him at tommy@k2e.com.

The views and opinions expressed in this column are those of the author and do not necessarily reflect the opinions of Microsoft.