TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Security Patches

The Real Risks Of Running Outdated Software

Michael Menor is Vice President of Support Services for Tech Experts.

Are you still holding onto your trusty old server that’s aging towards uselessness?

Or perhaps you are still running important applications on older servers with old operating systems because they’re “good enough” or “doing the job just fine.”

In many ways, your old server is like a trusty old car. You know where the kinks are and it gets you where you need to go.

But lurking below the surface of that trusty old car, and your old server, can be hidden risks that can result in very big problems, even dangers. Usually, when least expected.

Security risks are the number one danger of older technology. The older your operating system or application, the longer the bad guys have to find and exploit vulnerabilities.

This is especially true when the manufacturer is no longer actively maintaining support. Dangers can lurk across the entire aging application platform.

Your older versions of SQL Server are at risk. Perhaps you are still using an old FTP server that’s innocently sitting in the corner. Or you have some older network equipment and appliances.

The bottom line is anything that listens on the network is a potential threat to the server, and therefore your business.

If that software or firmware isn’t up to date, you’re doubly at risk of a major security incident.

Here are the top 5 risks you’re taking with running outdated software:

Crashes and system downtimec505825_m
Aging systems are more vulnerable to failure, crashes and corruption causing significant downtime.

Targeted technology upgrades can reduce total annual outage risk and reduce downtime.

Increased costs
Outdated software is more expensive to maintain than newer versions. Failing software increases costs by overloading IT personnel. The process of applying patches is also costly and time consuming.

Updated software portfolios not only decrease maintenance costs but also free up IT budgets for more strategic and innovative programs.

Decreased productivity
Aging software applications that crash or require maintenance result in reduced employee productivity.

Modernizing software increases productivity by improving the efficiency and quality of work.

Security holes
Mission critical software is more vulnerable to security breaches as it ages. A security breach can compromise sensitive customer and employee information, and proprietary company data.

Legal and regulatory compliance risks
Updated software ensures compliance to governance, regulation and policy as regulatory bodies continue to mandate new global requirements.

This is especially important for healthcare professionals that need to comply with new HIPAA regulations.

With older technology, any of the above risks can strike you at any time. The consequences can be loss of productivity, or worse, loss of critical data that negatively impacts your business.

Perhaps “good enough” isn’t really good enough after all.

(Image Source: iCLIPART)

Number One Security Risk For Small Business: Poor Patching

Symantec, one of the leading antivirus software companies, released their 2009 security review, and according to the report, the largest single threat to small business’ computer security is the failure to apply new security patches as they’re released by the manufacturers.

A “security patch” is simply a software fix to a security problem in a software application.

Once a security vulnerability is discovered, software companies rush to develop a security patch to prevent hackers from using the security breach to access PCs or servers, obtain confidential information, or erase files.

When the fix is released, cyber criminals often look at that as the best time to write a virus or trojan to exploit computer users who haven’t kept their systems up to date. That’s why regular server maintenance is so important.

With the national economy teetering on recession, more and more hackers are trying to take advantage of unsuspecting computer users. Economies of scale often come into play with cyber attacks – a well written trojan or virus can spread like wildfire in just a few hours.

Even if hackers are only successful in compromising a few hundred machines, that’s more than enough to obtain information that’s useful to steal someone’s identity or hold their electronic data hostage.

The real problem – most of the time, you can’t tell you’ve been hacked until it’s too late.

Since the majority of small business owners use their computers for everything from banking to client management, anything a hacker obtains will be useful.

PDF’s Can Be Dangerous
Adobe’s PDF application is the most hacked and exploited software program in use by small businesses. PDF-based security exploits rose to account for 49 percent of online attacks. Coming in second was Internet Explorer, accounting for 18 percent of webbased attacks.

Here’s an interesting fact: The Internet Explorer vulnerability that makes up the majority of the 18% is the Microsoft Internet Explorer ADODB> Stream Object File Installation Weakness that first came to the world’s attention in August 2003. Microsoft released a patch the following July.

Nearly six years later, this Internet Explorer exploit is still being used by hackers, which means an incredible amount of businesses simply aren’t patching their systems on a regular basis.

Regular Maintenance Is A Must
It seems strange to think of your computer this way, but it helps to think of your PC as an automobile. You know that to keep it in top running condition, you have to change the oil, rotate the tires, and flush the radiator once in a while.

Your computers and servers aren’t any different: To maintain optimal running condition, you have to perform regular, scheduled maintenance.

Downtime is expensive. When you consider the cost of lost employee productivity, the expense of the IT services to repair your network, and the amount of time it would take to recover your data by hand, the investment in regular maintenance seems a wise choice.

We perform regular, scheduled maintenance for the majority of our service contract clients – but if you’re not on one of our service plans, we should definitely talk about a comprehensive maintenance and update schedule for your business. If you’re not patching regularly, it’s only a matter of time before your system is compromised.

Network Security: Keep Your Network Environment Secure

As more and more people rely on the Internet to get things done in their daily life, network security is more important than ever. Typically, small businesses and home network users haven’t had to worry much about security.

Poor network security exposes you to viruses, spyware, and most dangerous, cyber criminals a.k.a. hackers.

These guidelines and best practices can help eliminate, or at least mitigate, the majority of network breaches and security vulnerabilities.

Security Policy
An active security policy is always the most important item for protection of your network, whether it is in your home or in a business environment.

This is simply a statement, or guideline of the rules and how security is setup in the organization.

This role will govern the level of security users are allowed access to on the network. The roles and responsibilities of each person on the network, as they are part of the system, should be clearly defined.

Passwords
Although the most obvious, it is definitely one of the most important,and often, most neglected ttems.

Be sure to enforce strong passwords across your network – a weak password could lead to a user account being compromised.

Email
Certain email attachments can become a major problem if the wrong one is opened, and a lot of the time it is by accident.

Some of the most common file types to block would be: .bas, .bat, .vbs, and .exe.

Patches/Updates
Be sure your operating system is up to date with most recent patches, security updates, and service packs. This will close many of the vulnerabilities that can be exploited by hackers.

Inventory
Keep a good inventory of your network devices by developing and maintaining a list of all hardware and software components that are implemented on the network.

Try to understand which software applications should be installed, and which provide a weak security configuration so you can monitor those applications.

Adopt The Least Privilege Concept
The least privilege concept influences the network and/or systems administrator to create custom policies for having permissions and access to network resources.

Try to allow only what access is absolutely necessary to users, not giving them more rights to the system than they should have.

Remote Access
Certain ports can be blocked to keep unwanted users from remotely accessing your network and any of its resources.

If you’re one of the many small business owners who also works from home on occasion, there should be a security policy in place for VPN (virtual private network) access and your IT support company should assist with getting connected properly.

Keeping these simple guidelines in mind when thinking security on your network, and you’ll prevent several possible problems from happening, as well as maintaining a safe and effective performing work environment for work and for pleasure, in home or in business.

Legit Or Bogus? How To Spot A Rogue Anti-Virus Program

Have you seen an advertisement or pop-up offering a free PC scan, or telling  you that your computer is infected and at risk? If so, you’ve seen first hand a harmful trojan disguised as an anti-virus program.

These types of rogue anti-virus scams are on the rise. They appear legitimate, and the number one way unsuspecting users get infected is from clicking a malicious link in the pop-up message. Most of these pop-ups have what sound like legitimate virus names, and some even ask you to pay for the  program.

They will almost always have a notice indicating you need to “click here” to install the program to disinfect your PC. Once you click on that link, you’re infected.

To take it a step further, if you actually do enter your credit card information, the hackers have your personal data and can use it at will.

I have anti-virus. Won’t that protect me?

Though the best anti-virus programs will protect you from many threats they can not protect you against all malware, especially the newer infections.

There are millions of different types of infections and hundreds created every day. Even top of the line security companies take days and even weeks to catch the infections.

What can a rogue anti-virus program do?

An infection can do almost anything to a computer, from stealing information  to destroying your valuable data. Some malware will log your password information and use it to try to infect other computers on your network.

Some infections will let your computer be used as a “bot,” which lets attackers use it to share illegal files, attack other systems on the Internet, or spread infections to your friends and family.

How do I protect myself?

Here are some basic tips to keep yourself from being a victim of a rogue anti-virus program.

1. Keep your computer updated with the latest security patches for your operating system and web browser.

2. Never click on a pop-ups that you come across on a website. Even if the  advertisement looks legitimate, chances are it isn’t.

3. Check to make sure your Internet firewall and antivirus are updated every time you use your computer.

4. Turn off any Active-X and scripting from foreign websites. Many of the infections come from these types of scripts. Almost always, your system will ask you if you want to run the script. Always pick “no.”

5. Keep a good backup. Some infections can be so severe that you will need to restore files for your PC to be disinfected and repaired properly.

6. Scan your computer on a regular basis. Most antivirus programs will do this automatically. AVG is a very good program that will scan every day, and can be set to run at night so it doesn’t slow down your work.

Think Security Is a Problem Only for Big Companies? Think Again!

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Information technology (“IT”) security is sometimes thought of as a problem only for the largest companies, whose data protection lapses expose customer information and result in front-page coverage.

Small and mid-sized businesses,of course, are just as susceptible to malware and network intruder attacks. In some cases, small companies confront a greater challenge. While large businesses and government agencies employ chief information security officers and IT security staffs, smaller firms usually don’t. This places the small business owner in a DIY situation.

Small businesses face many security vulnerabilities, but the SANS Institute, a think tank that focuses on IT training and certification, cites two pressing problems: unpatched software running on PCs and vulnerable web-based applications. Email attacks, dubbed “spear phishing,” specifically target unpatchedvulnerabilities in frequently used products, such as Adobe Acrobat, QuickTime and Microsoft Office.

The second factor, at-risk web applications, account for a sizable chunk of known security gaps. Assaults focused on web applications represent more than 60 percent of the total attack attempts observed on the internet, according to SANs.

Getting a Grip
Making sure current security patches are installed on applications and shoring up web application defense are just two chores small company owners face. They need to consider internal lapses – such as employees divulging intellectual property via e-mail – as well as external threats. In addition, many firms must meet regulatory compliance directives. A retailer handling credit card data must comply with the Payment Card Industry Data Security Standard.

With all of the security issues and products to address them, small businesses may have trouble knowing where to begin.

A vulnerability assessment, also referred to as a risk analysis, comes in handy here. Such an assessment aims to define the scope of an organization’s security issues, thereby identifying likely areas for investment in protection.

The key steps in a vulnerability assessment include taking stock of a company’s IT assets – servers, applications, networks, client-side devices among other gear. With this census in hand, a business can move on to prioritize assets according to their value to the business. The next phase is to zero in on vulnerabilities, starting with the more important assets.

Getting Started
Small businesses seeking to start down the vulnerability assessment track can turn to a few self-help resources. For example, the National Institutes of Standards and Technology (NIST) offers its eScan Security Tool, which was designed for small businesses: https://www.mepcenters.nist.gov/escan/.

The tool prompts users through a series of questions that touch upon such topics as computer virus protection, back-up policies, and the physical security of computer systems. At the end of the questioning, the tool generates a report with suggestions for improving IT security.

NIST also offers a guide to small business information security, which includes a section on identifying and prioritizing information. You can download a copy at http://csrc.nist.gov/publications/drafts/ir-7621/.

Small business owners can also opt to hire an IT consultant to help conduct theassessment. The task of automated vulnerability scanning, for instance, may call for an expert who can interpret the results and distinguish between “false positives” and legitimate concerns.

An company must take care in hiring an outsider. The consultant will learn all about your weaknesses and must be of the highest integrity. Client lists and referrals should provide the evidence. Security certifications, whether vendor-specific (e.g., Cisco Certified Security Professional) or independent (e.g., Certified Information Systems Security Professional), also help guide selection.

Take Caution Before Opening your Next e-greeting Card

According to a new article in PC Magazine, cyber criminals are now starting to exploit e-greeting card sites in an attempt to steal confidential information.

In 2007, nearly 1/3 of infected e-mail messages contained a phishing scam, while 7 percent of such e-mail messages masqueraded as an electronic greeting card and directed the target to a malicious site.

Here’s how it works: Hackers place a malicious hyperlink in the e-mail greeting, which first sends the user’s web browser to an exploit server that checks to see if the user’s machine has the most up-to-date security patches.

If it’s unpatched, the server silently force-downloads a rootkit and a keylogger onto the user’s computer before redirecting the web browser to an authentic Yahoo greetings card.

On the user-facing end, the victim clicks the link to view the card. However, the card does not let them know who sent it. The victim closes the card and goes about his business without realizing arootkit was delivered to his PC before he even picked up the card.

How do you avoid this from happening to you? First, never open emails from unknown sources. Second, make sure your PC/Servers always have the most up-to-date security patches. And finally, always maintain an active, up-to-date anti-virus software.

Almost All Windows Computers Missing Patches

Survey By Security Company Reveals 95% Of Computers Need Updating

Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a study by an Internet and network vulnerability tracking company revealed.

According to Secunia ASP, more than 95% of the PCs that have downloaded and installed its Personal Software Inspector (PSI) utility sport one or more application for which security fixes are available.

Secunia tracked the first PSI scan after its installation to get an idea of patch status before users start to update their machines, which can also be done through the utility.

Out of about 20,00 machines; 95.46% of them have an unpatched application on their hard drive. “There is a newer version available form the vendor that corrects one or more vulnerabilities,” said Jakob Balle, Secunia’s development manager. “But the users have yet to install the secure version.”

Some of the other statics cited by Balle were just as damning: 41.94% of the machines scanned by PSI have 11 or more vulnerable applications; and more than two-thirds, or 67.63%, of the PCs have 6 or more unpatched programs.

“Close to all computers are running with several insecure application installed,” Balle pointed out.

And the picture is probably even darker than the one he painted. “These results should be considered ‘best case’ scenarios; The real numbers are likely to be worse,” he said, citing the self-selected group that the data represents.

“The users of the Secunia PSI are most likely more vigilant and security minded/conscious than your ‘average’ user.”

Secunia released the free patch detection utility a year ago, but shifted it to Release Candidate 1 (RC1) stage earlier this month. The Copenhagen based company claims nearly 191,000 users have downloaded and run the program.

PSI runs on Windows 2000, XP, Vista, and Server 2003, and can be downloaded from the Secunia site, at https://psi.secunia.com/.