How can I keep my data safe *and* accessible?

Published Jun 12, 2013 by

Your business has data vital to its operation.  Think about it for a moment: if all of a sudden you lost, or were unable to access, your most vital data, how would it affect your business?  Would it grind day-to-day operations to a halt, or would it be a minor inconvenience?  The answer to that question will help identify your data storage and backup needs.  Either way, it costs you time and can seriously affect your bottom line.

Resiliency and Redundancy

Resiliency and redundancy are two measurements that can be used to evaluate the effectiveness of a variety of technological systems.  In the case of data storage, resiliency describes the ability to avoid data loss through reliable hardware, software, and security measures.  Redundancy describes data duplication in the case where hardware, software, or security has failed.  Both are important to take into account when selecting storage solutions.

Ease of use

More important than either of these measurements, arguably, is “ease of use”.  You have to be able to use your “resilient” and “redundant” data.  If every time you want to access or backup a file, you have to enter a code to a vault and plug in an external hard drive, you will probably avoid that procedure any chance you get.  The best storage and backup solution you can have is one you do not have to think about to use.

Network Storage

There are many cost-effective network storage devices available for the small-to-medium business that provide data resiliency, which we may cover specifically in another post.  On these devices, data is typically split across several hard drives (RAID) in such a way that the loss of any single hard drive means no data loss.  Bear in mind that this protects against a failed drive only; it is not a backup, because a file that is deleted or corrupted is faithfully replicated across all of the drives.  Network storage devices provide ease of use for in-office data storage.  However, anyone who works out of the office will quickly find that their data is not as easily accessible as they might like.

Cloud Storage

There are numerous services available to store your data “in the cloud” (as with the network storage devices, I will leave evaluation of these services to another post).  Access to your files through these services has been made relatively easy these days, to the point that the files almost feel like they are on your local machine.  Cloud storage solutions are excellent, until you do not have access to the Internet.  Just like network storage, if you do not have access to the network where the data is stored (in this case, the Internet) then you do not have access to the data.  Security is also certainly a concern on an external service, but stick with a company with a strong security track record, use a strong password that you use nowhere else, turn on two-step verification if the service offers it, and you will be pretty well set.

Combined Storage and Backup Solution

A great way to ensure the resiliency, redundancy, and ease of use of your data is to combine a network and cloud storage solution.  Data stored on an office network device can be automatically backed up to a cloud storage service for remote access as well as disaster recovery situations.  Remote users can also use the cloud storage to back up their devices.

Security

Whatever data storage solution you choose, do not forget about security: strong passwords, physical access restrictions (lock your network closet please), and encryption.  With data duplication comes an increased number of potential access points to that data: every copy, including the one in the cloud and the one on a remote user's laptop, is a place it can be stolen from.  If you are storing any kind of personal or proprietary information, encrypt it.  TrueCrypt is an excellent (and free!) tool for file or whole-drive encryption.  (TrueCrypt's developers ended the project in 2014; VeraCrypt continues it and can open TrueCrypt volumes.)  Data encryption adds a little more complexity to the mix, but can be as easy to work with as entering one more password at the beginning of each day.  Keep that password or key somewhere other than on the encrypted drive itself, or the backup will be as unreadable to you as to anyone else.


Get started by thinking again about the importance of data to your business.  What is your storage solution today?  How can it be improved?  Talk to a Little Reed expert for advice.

How do I recognize a fraudulent website?

Published May 13, 2013 by

The Internet is an extremely useful tool, one that provides a multitude of services and entertainment right in front of you.  It is also riddled with bad things, places that are trying to steal your information or trick you into giving away personal data.  The risk of encountering such things is minimized if you can learn to recognize signs that indicate a site should be avoided instead.

Attention to Detail

First and foremost, make sure the domain name in the address bar is what you expect.  If you clicked on a link that you expected to take you to google.com, but instead it takes you to stealyourpassword.com, that’s probably not where you want to be.  If you click on a link from what you thought was a legitimate email from your bank, the difference in the URL may not be that obvious.  For example, the website of Credit Union West is cuwest.org, but a fraudulent link might take you to cuwestonline.org.  Look at the part of the address just before the first single slash: that is the domain that actually serves the page, so an address like cuwest.org.example.com or cuwest.org@example.com is really example.com, not cuwest.org.  If you are unsure of what the correct domain for a company website should be, try using your favorite search engine and put in the company name.  The top result is usually the official website, but paid advertisements can appear above it, so check the domain shown in the result rather than clicking the first thing on the page.  If you still find yourself at a website wondering if all is well, this is where browser security features come in to play.  By looking at the address bar, there are a few ways to tell if a website is legitimate.
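As an added example (not part of the original post), here is a small Python check that does what the paragraph above asks you to do by eye: parse the address and compare the domain that actually serves the page against the one you expected.  It reduces a host to its last two labels, so it treats cuwest.org.example.com and cuwest.org@example.com as example.com; that shortcut is wrong for two-level suffixes such as co.uk, which a real tool would handle with the public suffix list.  All links in it are constructed for illustration.

```python
from urllib.parse import urlsplit

# Added example, not code from the original post. Compares the domain that
# actually serves a page with the one the reader expected, which is the check
# the post tells you to make by reading the address bar.
# Limitation (assumption for this example): the registrable domain is taken
# to be the last two labels of the host, which is wrong for suffixes such as
# co.uk; a production check would consult the public suffix list.


def registered_domain(url: str) -> str:
    """Return the lowercase registrable domain of the host in `url`, or ''."""
    if "://" not in url:
        url = "http://" + url          # bare "cuwest.org/login" has no scheme
    host = urlsplit(url).hostname      # drops scheme, user:pass@, port and path
    if not host:
        return ""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> tuple:
    """Return (ok, reason) saying whether `url` lands on `expected_domain`."""
    expected = expected_domain.lower()
    actual = registered_domain(url)
    if not actual:
        return False, "no host name in the address"
    if actual == expected:
        return True, f"address is served by {actual}"
    return False, f"address is served by {actual}, not {expected}"


if __name__ == "__main__":
    # Constructed sample links modelled on the post's cuwest.org example.
    for link in [
        "https://www.cuwest.org/login",
        "https://cuwestonline.org/login",           # look-alike domain
        "https://cuwest.org.example.com/login",     # real domain is example.com
        "https://cuwest.org@example.com/login",     # user-info trick
    ]:
        ok, why = check_link(link, "cuwest.org")
        print("OK  " if ok else "BAD ", link, "->", why)
```

The user-info form (`cuwest.org@example.com`) is the case to remember: everything before the `@` is sent to example.com as a login name and has nothing to do with where the page comes from.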

Browser Features

[Image: the address bar in, from top to bottom, Internet Explorer, Mozilla Firefox, and Google Chrome.]  This website is legitimate.  The domain name is what we expect (google.com), the website is using https, and it has been validated by the browser, as indicated by the padlock icon, present on all three browsers (circled in red).

The presence of a globe in the address bar means the website has not been authenticated in any way.  This does not necessarily mean it is a fake; it just means there is nothing outside of your own judgement to tell whether the site is the one you want to visit.  It also means anything you transmit to the website is sent unencrypted and could be read by an eavesdropper.  The presence of https:// in the address bar and a grey or green padlock indicate that the connection is encrypted and that a certificate authority the browser trusts has vouched that the site really belongs to the domain shown.  A green padlock (an Extended Validation certificate) means the certificate authority also verified the legal identity of the organization behind the domain, so it is the strongest signal the address bar gives you.  Note what the padlock does and does not prove, though: it confirms you are talking to the domain in the address bar, not that the domain is honest.  A phishing site can obtain a perfectly valid certificate for cuwestonline.org, so the padlock only helps once you have checked that the domain itself is the right one.

Stay Safe

These tips should make you more adept at spotting web forgeries, but as always it is better to play it safe when it comes to your personal information.  If at any point you still feel uncomfortable putting your information on the Internet, it is best to follow your gut: take care of your business in person, or over the phone using a number from official company material.

What makes a password great?

Published Apr 30, 2013 by

Monkey, ninja, baseball, football: Words related to hurling inexplicably fast objects towards unwitting onlookers?  Not this time.  These are just four of the top 25 most stolen passwords in 2012, as reported by splashdata.com.  Stolen is the key word here.

Two methods for stealing login credentials are:

  1. Guessing the password based on general or personal information (birthdays, spouse’s name, child’s name, workplace surroundings)
  2. Cracking a web site or server and gathering huge lists of login credentials (often stored in plain text, or only weakly hashed)

Method 1 is what I will call “local threats” where the intruder probably knows you, and at least has direct access to your workspace or public-knowledge-information.  Method 2 is a “remote threat”, where an attacker is not necessarily targeting you, per se, but rather a large segment of users in which you have been included.

To protect yourself from these methods, create a password that incorporates each of the following suggestions:

Make it a “Strong Password”

The generally accepted definition for “strong password” is one of at least eight characters in length with uppercase, lowercase, number, and special (.!@# etc.) characters.  This, however, is a bare minimum recommendation.  A good password uses as many characters as you are willing to remember, and although a “strong password” is a great defense, it is not the whole defense.

Make sure it has nothing to do with you or your workspace surroundings

Password on a Post-It (Original photo by Pavel Krok)

Remove that Post-It from the bottom of your keyboard right now! Go ahead, I won’t look.

This is an important step to follow in order to avoid password theft using method 1.  Assume everyone knows everything there is to know about you.  Now, choose a password with that in mind.  “St@nford98” might be considered a “strong password”, but when you hang your 1998 Stanford degree above your computer monitor, that may be one of the first things someone tries when they sit down at your desk.  Also, you may have the strongest, most random 26 character password in the world, but if you have it written down anywhere, someone will find it.
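An added example (not from the original post) that turns the rules so far into a checker: the “strong password” minimum from the section above, the “remote threat” list of commonly stolen passwords, and the “local threat” rule that nothing about you or your desk should appear in the password, including in disguised forms like “St@nford98”.  The word list is a constructed sample built from the words the post names; a real check would load a full breach list.  The personal terms passed in (“Stanford”, “1998”) are the post's own example.

```python
import string

# Added example, not the post's own tooling. Applies the post's three rules:
# the "strong password" minimum (8+ characters, upper, lower, digit, special),
# the "remote threat" list of commonly stolen passwords, and the "local threat"
# rule that nothing about you or your surroundings should appear in it.

# Constructed sample list: the words the post names. A real check would load
# a full breach list rather than this handful.
COMMON_PASSWORDS = {"monkey", "ninja", "baseball", "football", "password1", "password"}

# Substitutions people use to "disguise" a word; undone before matching so
# that "St@nford98" is still recognised as containing "stanford".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def _leet_normalize(password: str) -> str:
    return password.lower().translate(_LEET)


def password_problems(password: str, personal_terms=()) -> list:
    """Return a list of reasons the password fails the post's rules (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "uppercase letter": str.isupper,
        "lowercase letter": str.islower,
        "digit": str.isdigit,
        "special character": lambda c: c in string.punctuation,
    }
    for name, test in classes.items():
        if not any(test(c) for c in password):
            problems.append(f"no {name}")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the commonly stolen list")

    normalized = _leet_normalize(password)
    for term in personal_terms:
        t = term.lower()
        forms = {t}
        if t.isdigit() and len(t) == 4:     # a year such as 1998 also shows up as 98
            forms.add(t[-2:])
        if any(len(f) >= 2 and (f in lowered or f in normalized) for f in forms):
            problems.append(f"contains personal term {term!r}")
    return problems


if __name__ == "__main__":
    desk = ["Stanford", "1998"]            # what a visitor to the post's desk can see
    for candidate in ["monkey", "password1", "St@nford98", "H@mburgerInThe7th"]:
        print(f"{candidate!r}: {password_problems(candidate, desk) or 'ok'}")
```

The leet-speak step is what makes the “local threat” check bite: the four-character-class rule is satisfied by “St@nford98”, and only the surroundings check rejects it.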

Make it easy enough to remember

Picking a word or phrase with an easily recallable number association is a great way to come up with a password, but make sure the word is an obscure reference that nobody would think to guess.  Pick an insignificant detail from a memorable event.  For example, I recently took my daughter to her first baseball game and we had lunch together there in the 7th inning: “H@mburgerInThe7th”.  It does not mean anything to anybody but me, and I can remember it fairly easily so I do not have to write it down.

Make it unique to the web site you are creating it for

This is a very important aspect to password security.  In the case that a web site has failed to properly secure your log in information, it is important that one compromised password does not compromise every account you own.  One method I have come up with provides two fail-safes to protect your password:  Copy and paste a portion of the domain name of the website you are accessing as the start of your already-strong password: my password for google.com becomes “gooH@mburgerInThe7th”, my password for twitter.com becomes “twiH@mburgerInThe7th”.

With unique passwords, a compromised Twitter password does not also result in a compromised Google password.  Also, physically copying and pasting that portion of the domain every time makes you look at the domain name.  That means if you are the target of a phishing attack at twtter.com (notice there is no “i”) and you cut and paste “twt” for the start of your password, not only will they not get your real Twitter password, but you will probably not attempt to log in when you realize you are not actually at “twitter.com”.  Be aware of the limit of this trick, though: if two of your passwords leak from two different sites, anyone who lines them up can see the shared part and the rule for the prefix, so treat it as a stopgap.  A password manager that generates a different random password for every site removes the shared part entirely, and it will also refuse to fill your Twitter password into twtter.com.
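The scheme above, as an added Python example (not the author's own code): it pulls the prefix from the site's domain the same way the post does, and it goes one step beyond the text to show why the shared part is a weak point: given two of the resulting passwords, a longest-common-suffix comparison recovers the base.  A randomly generated per-site password, shown alongside for contrast, has no such shared part.  The base password and the URLs are the post's own examples; the random alternative is an assumption about what a password manager would produce.

```python
import secrets
import string
from urllib.parse import urlsplit

# Added example, not code from the original post.


def registered_domain(url: str) -> str:
    """Last two labels of the host, e.g. 'https://www.twitter.com/x' -> 'twitter.com'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])


def site_password(base: str, url: str, prefix_len: int = 3) -> str:
    """The post's scheme: first letters of the site's domain name, then the strong base."""
    name = registered_domain(url).split(".")[0]
    return name[:prefix_len] + base


def common_suffix(a: str, b: str) -> str:
    """What an attacker holding two leaked passwords can line up: the shared tail."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:] if n else ""


def random_site_password(length: int = 20) -> str:
    """Contrast: a per-site password with no shared part (assumed manager behaviour)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    base = "H@mburgerInThe7th"
    google = site_password(base, "https://google.com")
    twitter = site_password(base, "https://www.twitter.com/login")
    phish = site_password(base, "https://twtter.com/login")   # the post's look-alike
    print(google, twitter, phish)   # gooH@mburgerInThe7th twiH@mburgerInThe7th twtH@mburgerInThe7th
    print("phishing site gets a different password:", phish != twitter)
    print("two leaks reveal the base:", common_suffix(google, twitter))
    print("random alternative:", random_site_password())
```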

Change your passwords

Finally, with all these suggestions in mind, it is time to stop using “password1”.  Coming up with a good password for new log-ins is great, but it does nothing to protect what is already out there, so go back and change the passwords on the accounts you already have, starting with email and banking.

How should I secure my wireless network?

Published Apr 25, 2013 by

If you have a wireless network, you may have asked yourself, “Is a wireless network secure enough for data sensitive work, like banking?”  This is an excellent question to ask, and the answer is conditionally: “yes, if you’ve adequately secured your connection.”  What, then, is adequately secured?

Unsecured Connections

Without enabling any of the security features on your wireless access point, all traffic between your devices and the network is sent in the clear.  Anyone within range of your wireless network can listen to, or “sniff”, the signal you’re using and record the data.  Everything that you transmit is out in the open, and while some services such as banks protect what you send with HTTPS, it is still undesirable to have this information accessible to anyone within receiving range.   Additionally, there is nothing stopping an outsider from connecting to your network and reaching your connected technology resources such as printers and network file shares.  Given the right set of tools and time, anything you transfer could be available to those with malicious intent.  As a business, it may not only be your information that is vulnerable.  Customer payment methods, contact information, and proprietary company data are just a few of the pieces of information that you want protected.

What is encryption?

Encryption is the process of taking some type of information such as text or computer data and converting it into a different, unreadable form.  The data is known as “plaintext” until it changes form, after which it is known as “ciphertext.”  This ciphertext is not readable on its own, but requires conversion back to its original form.  Conversion of the information is done with the use of a “key”, which is a special type of data that specifies how the information is to be transformed.  As long as this key is known only to the people you want to have access to the information, the information can be considered secure.  Encrypting information makes it unreadable in transit and helps to ensure only the intended recipient has access to it.

What are my wireless encryption options?

One of the early methods of encryption for wireless networks was known as Wired Equivalent Privacy, or WEP.  The problem with WEP was that it didn’t live up to the name.  Weaknesses in the way it used the RC4 cipher, with short initialization vectors that repeat, mean that anyone with Google and a little techie know-how can recover the key from captured traffic and connect to your network.  Initially this process could take a long time, but through certain techniques it has been reduced to minutes, making WEP ineffective at protecting wireless transmissions for the last decade.  If your access point offers nothing better than WEP, replace it.

Due to the weakness inherent in WEP, the Wi-Fi Alliance, the trade association responsible for certifying Wi-Fi products, came up with a new standard known as Wi-Fi Protected Access, or WPA.  WPA was intended as an intermediate measure to secure wireless networks until the more secure WPA2 (IEEE 802.11i) was finalized in 2004.  While much more secure than WEP, WPA and WPA2 in “personal” mode are still vulnerable to “brute-force” attacks: the key is derived from the passphrase and the network name, so an attacker who records one device joining the network can take that recording away and guess passphrases against it offline, at leisure, and the only thing that slows the guessing down is the length and randomness of the passphrase.  WPA/WPA2 do not have the weakness that existed with WEP, and as of today are still considered secure as long as certain best practices are followed when implementing networks to mitigate the exposure to brute-force attacks.  Prefer WPA2 with AES (CCMP) over the original WPA, whose TKIP cipher was itself a stopgap with known weaknesses.

With WPA/WPA2, there are two options for implementation.  The first is known as “personal” mode, where all devices on the network share the exact same key.  This would be like having a regular door lock to your office, with a single key and lots of copies for all your employees.  The problem here is that if one key is stolen, you have to re-key the lock and give out new keys.  This is okay as long as you only have a handful of the same key to replace, but if you have more devices it can become a hassle to change your entire network this way.  The second method of implementation is known as “enterprise” mode, and requires an additional piece of equipment, an authentication (RADIUS) server, that stores the credentials; the access point hands each connecting device to that server over 802.1X.  Every device or user on the network authenticates with its own credentials and gets its own session key instead of sharing a single key.  This would be like having a keypad lock on your office, and each employee having their own combination.  If one combination is compromised or an employee leaves the company, it is a much easier task to simply invalidate the combination and give the user a new one.

Recommendation

Our recommendation is to implement WPA2 with AES (CCMP) encryption, and if you do not have a large quantity of wireless devices, to use it in “personal” mode.  This represents a high level of security with lower cost than enterprise mode.  Keep in mind that in personal mode everyone who knows the passphrase is, in effect, on the same wire: a device that has the key and sees another device join can decrypt that device's traffic.  If you find yourself having to reconfigure your network regularly due to theft of devices or employee turnover, however, then enterprise mode may be appropriate for you in order to simplify management of the network.  In addition, using a strong, random value of 13 characters or more for the key will ensure that brute-force attacks are unlikely to succeed, and reading your data would take thousands of man-years.  Finally, turn off Wi-Fi Protected Setup (WPS) if the access point has it; its PIN method can be guessed in hours and bypasses the passphrase entirely.
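An added example (not from the original post) of why “personal” mode is open to offline guessing and why the 13-character advice holds.  In WPA/WPA2 personal mode the 256-bit key is derived from the passphrase and the network name with PBKDF2-HMAC-SHA1 at 4096 rounds (the derivation specified in IEEE 802.11i, which is what the `wpa_passphrase` utility computes); an attacker who has recorded a device joining the network can run that derivation against guesses offline, one PBKDF2 per guess, with no further contact with your network.  The code computes the key, runs the guess loop over a constructed wordlist, and estimates how long exhausting every passphrase of a given length would take.  The rate of 100,000 guesses per second is an assumption for the arithmetic, not a measurement; the pair “password”/“IEEE” is the published 802.11i test vector.  Enterprise mode does not have this exposure because its keys come out of the 802.1X exchange rather than from a shared passphrase.

```python
import hashlib
from typing import Iterable, Optional

# Added example, not code from the original post.

PBKDF2_ROUNDS = 4096    # fixed by IEEE 802.11i for WPA/WPA2-Personal
PSK_BYTES = 32          # 256-bit pre-shared key


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PSK exactly as an access point or client does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_BYTES)


def guess_passphrase(target_psk: bytes, ssid: str,
                     candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: one PBKDF2 per candidate, no contact with the network."""
    for candidate in candidates:
        if wpa2_psk(candidate, ssid) == target_psk:
            return candidate
    return None


def years_to_exhaust(length: int, alphabet_size: int = 95,
                     guesses_per_second: float = 1e5) -> float:
    """Years needed to try every passphrase of `length` printable ASCII characters.
    guesses_per_second is an ASSUMED rate for illustration, not a measurement."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    psk = wpa2_psk("password", "IEEE")     # 802.11i test vector
    print("PSK:", psk.hex())
    # Constructed wordlist drawn from the earlier post's list of stolen passwords.
    wordlist = ["monkey", "ninja", "baseball", "football", "password1", "password"]
    print("recovered passphrase:", guess_passphrase(psk, "IEEE", wordlist))
    for n in (8, 13):
        print(f"{n} random characters: {years_to_exhaust(n):.3g} years to exhaust")
```

Two things to take from running it: the SSID is part of the derivation, so a guess table built for one network name is useless against another (which is one reason not to leave the default name on the access point), and the cost of guessing grows by a factor of 95 for every character you add, which is where the 13-character recommendation comes from.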

Remember that regardless of the encryption methods in place, given enough time and resources, your data can eventually be compromised.  The intent of encryption, however, is to make the time and resources required unreasonably large.  This is what was meant by “adequate” security.  Does your attacker really have thousands of man-years to spend trying to crack open your encrypted data?