Posts Tagged ‘Information Security’
cPanel CSRF Security
Thursday, March 11, 2010 17:02 No Comments
Late last year it was announced by a couple of security researchers that cPanel was vulnerable to cross-site request forgery attacks (CSRF). If you manage your business’ website, you know that cPanel is an administration interface that allows you to perform many tasks related to running a website. This includes accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks. Cross-site request forgery attacks allow attackers to exploit web-based services after the user has already logged into the web-based service. In a cPanel attack, once you are logged in, you must be lured by the attacker to visit a malicious website that the attacker runs or has compromised. Once you go to the malicious website, the attacker can execute unauthorized commands since you are already logged into cPanel, and no password would be necessary.
Updating Software Applications
Wednesday, March 3, 2010 20:52 No Comments
When you look at the desktops, laptops and other devices in your business, do you realize the number and variety of software applications running on these devices? Applications include Adobe Reader, Adobe Flash, Microsoft Office, off-the-shelf accounting software, and other similar types of applications. Beyond these normal applications found on most computers, custom applications may also be used in your business such as credit card processing, accounting or other business-oriented software applications. Most business owners and managers do not realize the number and variety of applications running on the computers they use. Studies have shown that businesses spend most of their security efforts updating and securing the computer’s operating systems and not the software applications.
One Key Ingredient To Good Security
Monday, February 15, 2010 11:00 No Comments
I have written numerous articles covering the different elements and aspects of security, but one issue I have never touched on is the importance of having quality information to make good security decisions for your business. Quality or complete information is key to any business decision including security issues, but most businesses fail to track security incidents or issues at their company. I have worked with a lot of small and medium-sized businesses over the years, and I have not run into one yet who does.
Choosing a Secure Web Browser
Wednesday, February 3, 2010 19:00 No Comments
If you have not already heard, in mid-January Internet Explorer was under attack by the same attack method that was used by the Chinese to break into Google’s network. Since then, a number of security researchers, security companies, and even some governments have recommended that computer users switch to other web browsers such as Firefox, Chrome, Opera and Safari. Currently, it appears the attack code is mainly geared towards IE (Internet Explorer) 6 and possibly IE 7, so businesses that are still using IE 6 should change to another web browser or at least upgrade to IE 8.
Endpoint Security
Monday, January 18, 2010 21:33 No Comments
I was planning on writing about endpoint security near the end of last month, but with the holidays and numerous other business and personal activities occurring at the end of the year I had to take a little sabbatical from writing posts for our website. It is good to be back into the swing of things again, and I hope everyone has a great and successful year with their business. As always I will be here to help you with any security issues that you may have for your business so feel free to leave comments or contact me using my contact form on my About page.
Security Issues With Smartphones
Tuesday, December 8, 2009 2:51 No Comments
The use of smartphones has led to a whole new set of security issues. Since there is no standard definition of a smartphone, for the purpose of this article and for future reference, I will refer to them as a mobile phone which provides advanced capabilities similar to those found on a personal computer. These capabilities can include internet access, e-mail, downloadable applications and even e-book reading capabilities. As time goes by, as with all technology, the capabilities of smartphones will increase and change just as they do for computers.
Computer Security
Monday, December 7, 2009 10:51 No Comments
It seems like almost every book or article I read defines computer security a little differently. Often the terms computer security, information security, network security, information system security and information assurance are used interchangeably even though each of these terms covers a slightly different portion of security. I feel that computer security is the overall general term used to indicate the protection of a company or organization’s data, network and computer systems. The other terms (information security, network security, information system security, etc.) fall under the main heading of computer security.
Rootkits
Monday, November 9, 2009 11:00 No Comments
A rootkit is a collection of software programs that contain a variety of tools and allow an attacker root or administrative level access to a computer or network. Attackers install rootkits usually after having obtained basic user level access to a system, then gaining higher access to the account by using a cracked password or through some other vulnerability on the system which allows them to install software on the system. Once a rootkit is installed, it allows the attacker to bypass security measures and hide the intrusion. Rootkits do this by replacing normal operating system components or altering existing system tools or software so as to escape detection.
BackDoor
Monday, October 19, 2009 23:04 No Comments
In the computer security field, a backdoor is basically a computer program that gives an attacker easy access to a computer system and bypasses security measures that are currently in place. Computer programmers sometimes install backdoors in the programs they write, but they use the backdoor to access the program for the purpose of troubleshooting the software. For this definition, we will limit our discussion to backdoor programs that attackers use. Backdoors, whether used as a troubleshooting tool or as a means of gaining undetected access to a computer system, are a security risk.
Security Issues With Network Devices
Thursday, September 24, 2009 22:01 No Comments
In securing your computer network, you have probably thought about servers, desktops and laptops, but what about the other devices that you have on the network such as webcams, printers, network switches, routers, voice over IP phones, or NAS (network attached storage that can store 1 terabyte or more of information)? All these devices recently were studied and tested by researchers at Stanford University, and out of the 21 devices they tested, not one was secure. Because the devices were manufactured by sixteen different manufacturers, the security issue is not limited to one manufacturer.

