<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:cc="http://web.resource.org/cc/" xmlns="http://purl.org/rss/1.0/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
	<channel rdf:about="IncTechnology RSS">
		<title>IncTechnology.com &gt; Systems Security</title>
		<link>http://www.inctechnology.com</link>
		<description />
		<dc:language>en-us</dc:language>
		<dc:creator />
		<dc:date>2009-11-03 22:50:03</dc:date>
		<admin:generatorAgent rdf:resource="Mansueto Ventures" />
		<items>
			<rdf:Seq>
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200907/device.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200906/scareware.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200904/virtualization.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/software/articles/200902/server.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200902/accounts.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200812/tech_talk_zhu.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200811/encryption.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200811/storage.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200810/deduplication.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200809/passwords.html?partner=rss-alert" />
			</rdf:Seq>
		</items>
	<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/inctechnology/systems-security" type="application/rss+xml" /><feedburner:browserFriendly>This is an XML content feed. It is intended to be viewed in a newsreader or syndicated to another site.</feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /></channel>
	<item rdf:about="http://technology.inc.com/security/articles/200907/device.html?partner=rss-alert">
		<title>Device Detection Protects Your Site from Fraud</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/uQQxdqsIHqQ/device.html</link>
		<description>&lt;p class="MsoNormal"&gt;&lt;a href="http://www.2checkout.com/"&gt;2Checkout.com&lt;/a&gt; is a hosted solution that lets small businesses accept credit card and PayPal payments online. With 20,000 to 30,000 companies using its service for hundreds of thousands of customers, fraud is a constant concern.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;2Checkout.com used to avoid fraud through address verification (making sure credit card billing address matches the one provided by the user), bank identification number (BIN) matching, and verifying computer IP addresses, according to Sebbe Jones, manager of fraud and disputes. But as the operation grew, and technological changes affected its automatic fraud controls, 2Checkout found it was having to flag more and more of its transactions for review by a human employee before completion. &amp;#8220;Our review rate went from around 25 percent to around 45 percent,&amp;#8221; Jones says. &amp;#8220;We got very behind in verifying orders -- as much as three or four days behind. We knew vendors wouldn&amp;#8217;t stay with 2Checkout.com for very long if we didn&amp;#8217;t do something about it.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Device "fingerprinting" solution&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;For 2Checkout.com, part of the solution is a technology variously called &amp;#8220;device detection,&amp;#8221; &amp;#8220;device identification,&amp;#8221; or &amp;#8220;device fingerprinting&amp;#8221; that allows an e-business or other site to collect and analyze data about the device connecting to the website, wholly separate from that provided by the human using it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;We can monitor whether the computer&amp;#8217;s time stamp matches the location where the user claims to be, whether the fonts in use on the computer match the local language in that location, and whether the computer is pretending to use a different operating system than what is actually installed -- a Linux computer running a Windows simulation, for instance,&amp;#8221; says Reed Taussig, CEO of &lt;a href="http://www.threatmetrix.com/"&gt;ThreatMetrix&lt;/a&gt;, a subscription device detection provider. Of course, there could be a perfectly innocent explanation for any of these -- they simply serve as red flags that indicate a transaction may require human review.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Device detection alone is probably not enough to protect your business, but it can be a powerful addition to your fraud-prevention arsenal, along with address verification, behavior-based analysis, and other more traditional tools. &amp;#8220;Unlike some systems, with fraud management you&amp;#8217;re fighting an intelligent being on the other end who will intentionally avoid normal behavior. As a result, rational systems have a hard time identifying fraud on their own, without human interaction,&amp;#8221; explains David Britton, senior vice president of product development at &lt;a href="http://www.41stparameter.com/"&gt;41st Parameter&lt;/a&gt;, the fraud detection service 2Checkout.com uses. &amp;#8220;The best approach is to have a number of tools at your disposal, including device identification. That allows you to have the fewest manual reviews.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;These tools are especially important these days, because checking a device&amp;#8217;s IP address no longer provides the fraud protection it once did, he adds. &amp;#8220;Most people think it&amp;#8217;s a silver bullet, but an IP address can easily be spoofed.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Tips for successful device detection&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;If you decide to add device detection to your e-business anti-fraud arsenal, here are some tips for getting the most out of this technology:&lt;/p&gt;

&lt;ol type="1"&gt;
&lt;li class="MsoNormal"&gt;&lt;u&gt;Know the rules -- and how they should apply to your customers.&lt;/u&gt; You should understand exactly what attributes are likely to flag a device and which rules are appropriate, or inappropriate, for your customer base. &amp;#8220;Once I was talking to the CTO of a gaming company, and I mentioned that our software could flag a computer that was cloaked,&amp;#8221; Taussig recalls. &amp;#8220;He said, &amp;#8216;We don&amp;#8217;t care about that. Gamers all cloak their computers.&amp;#8217;&amp;#8221;&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Use device detection at all three stages of interaction with customers.&lt;/u&gt; &amp;#8220;One advantage is that you can use device identification when a customer first creates an account, when he or she logs in to that account, and when processing a purchase,&amp;#8221; Taussig says. This, he notes, gives you the best chance of identifying fraudsters before they can do any harm.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Plan for change.&lt;/u&gt; The one thing you can be sure of when it comes to fraud detection is that nothing will stay the same for long. You should be constantly reviewing and adjusting the rules used to flag possibly fraud, while surveying the horizon for new fraud innovations, and new technologies for fighting them. &amp;#8220;Companies that do this well are watching the technology news, and reading about security breaches at other organizations,&amp;#8221; says Shane Sims, director at PricewaterhouseCoopers. &amp;#8220;They&amp;#8217;re using that information to constantly adjust their fraud controls.&amp;#8221;&lt;/li&gt;
&lt;/ol&gt;
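&lt;p class="MsoNormal"&gt;As an added example (not code from the article, 2Checkout.com, ThreatMetrix or 41st Parameter), the Python below models the three consistency checks Taussig describes (device clock versus claimed location, installed fonts versus the local language, and the operating system the browser claims versus the one observed on the wire) as rules that add to a risk score, and routes a transaction to manual review only when the score crosses a threshold. The country tables, the attribute names, the weights and the sample orders are constructed for the example; a real deployment would tune all of them against its own customer base, as tip 1 above advises.&lt;/p&gt;

```python
import hashlib
from dataclasses import dataclass, field

# Constructed lookup tables for the example (hypothetical, not from the article):
# plausible UTC offsets (hours) per billing country, and the writing scripts a
# device normally used in that country would have fonts for.
COUNTRY_UTC_OFFSETS = {
    "US": {-10, -9, -8, -7, -6, -5, -4},
    "GB": {0, 1},
    "JP": {9},
    "RU": {2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
}
COUNTRY_SCRIPTS = {
    "US": {"latin"}, "GB": {"latin"}, "JP": {"latin", "cjk"}, "RU": {"latin", "cyrillic"},
}

@dataclass
class Device:
    """Attributes collected from the client itself, independent of what the buyer typed."""
    user_agent: str          # operating system the client *claims* (User-Agent header)
    observed_os: str         # operating system inferred passively (e.g. TCP/IP stack quirks)
    utc_offset_hours: int    # from the client's clock (JavaScript Date)
    font_scripts: set        # scripts covered by the fonts the client reports
    screen: str
    accept_language: str

@dataclass
class Order:
    billing_country: str
    device: Device

@dataclass
class Assessment:
    device_id: str
    score: int = 0
    flags: list = field(default_factory=list)

def device_id(d: Device) -> str:
    """Stable identifier from attributes that rarely change between visits, so the
    same device can be recognised at signup, login and checkout (tip 2 above)."""
    stable = "|".join([d.user_agent, d.observed_os, d.screen, d.accept_language,
                       ",".join(sorted(d.font_scripts))])
    return hashlib.sha256(stable.encode()).hexdigest()[:16]

def os_from_user_agent(ua: str) -> str:
    ua = ua.lower()
    for token, name in (("windows", "windows"), ("mac os", "macos"),
                        ("linux", "linux"), ("android", "android")):
        if token in ua:
            return name
    return "unknown"

REVIEW_THRESHOLD = 50   # hypothetical; tune per customer base

def assess(order: Order) -> Assessment:
    d = order.device
    a = Assessment(device_id=device_id(d))
    country = order.billing_country

    # Rule 1: the device clock should sit in a time zone plausible for the billing country.
    if d.utc_offset_hours not in COUNTRY_UTC_OFFSETS.get(country, set()):
        a.flags.append("timezone_mismatch")
        a.score += 30

    # Rule 2: fonts should match the local language. Missing scripts for the claimed
    # country weigh more than extra scripts, which are common on multilingual machines.
    expected = COUNTRY_SCRIPTS.get(country, set())
    if expected - d.font_scripts:
        a.flags.append("font_missing_local_script")
        a.score += 20
    if d.font_scripts - expected:
        a.flags.append("font_unexpected_script")
        a.score += 10

    # Rule 3: claimed OS versus observed OS (the "Linux pretending to be Windows" case).
    claimed = os_from_user_agent(d.user_agent)
    if claimed != "unknown" and claimed != d.observed_os:
        a.flags.append("os_spoof")
        a.score += 40

    return a

def needs_manual_review(a: Assessment) -> bool:
    """Flags are red flags, not verdicts: only hand the order to a human above the threshold."""
    return a.score >= REVIEW_THRESHOLD

def example_orders() -> list:
    """Constructed sample traffic (not real data)."""
    honest = Device("Mozilla/5.0 (Windows NT 6.1)", "windows", -5, {"latin"}, "1280x800", "en-US")
    spoofed = Device("Mozilla/5.0 (Windows NT 6.1)", "linux", 3, {"latin", "cyrillic"}, "1024x768", "ru-RU")
    return [Order("US", honest), Order("US", spoofed)]
```

The weights deliberately keep any single rule below the review threshold except the OS mismatch, so one innocent oddity (a traveller with an unusual time zone) does not by itself create the manual-review backlog the article describes.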
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://ads.pheedo.com/click.phdo?s=e8480d0139de0ef714bf21c036c2fdd7&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://ads.pheedo.com/img.phdo?s=e8480d0139de0ef714bf21c036c2fdd7&amp;p=1"/&gt;&lt;/a&gt;
&lt;!-- foo --&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/_S87Vpa7g9qnYVnLDNj0rAIlRAw/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/_S87Vpa7g9qnYVnLDNj0rAIlRAw/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/_S87Vpa7g9qnYVnLDNj0rAIlRAw/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/_S87Vpa7g9qnYVnLDNj0rAIlRAw/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/systems-security/~4/uQQxdqsIHqQ" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Minda Zetlin</dc:creator>
		<dc:date>2009-06-25T16:40:27-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200907/device.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200906/scareware.html?partner=rss-alert">
		<title>Be Very Afraid of Scareware</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/f-7XAB7Obc4/scareware.html</link>
		<description>&lt;p class="MsoNormal"&gt;&lt;i&gt;CRITICAL ERROR MESSAGE! REGISTRY DAMAGED AND CORRUPTED!&lt;/i&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Confronted with a message like this, most computer users feel compelled to take urgent action. Fortunately, instructions for what to do are right in front of them: click on a box to scan the computer. Once the scan is complete, and dozens of infections have been identified, they must go to a security website and pay $49.99 to download software that will remove the infections and safeguard their systems.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;A lot of people feel that is $49.99 well spent,&amp;#8221; notes Paul Ducklin, head of technology, Asia Pacific, for the security firm &lt;a href="http://www.sophos.com/"&gt;Sophos&lt;/a&gt;. &amp;#8220;They don&amp;#8217;t realize they&amp;#8217;ve been fleeced.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;At best, the downloaded software will have done nothing. At worst, it could conceivably be malware that could steal financial and password information, or cause the computer to distribute spam. The user has been the victim of &amp;#8220;scareware&amp;#8221; -- bogus security software that pretends to find infections and then pretends to remove it after the user has paid for a license.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Scareware is a rapidly growing problem. &amp;#8220;Approximately five to 50 new samples of scareware are turning up every day,&amp;#8221; Ducklin says. There&amp;#8217;s a good reason for scareware&amp;#8217;s rapid growth: It&amp;#8217;s the easiest way for criminals to make money on the Internet, with millions of frightened computer users paying to download the stuff every month. For obvious reasons, it&amp;#8217;s hard to get precise information about exactly how much money scareware scares out of users. But by most estimates, scareware is a billion-dollar industry.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Sophisticated deception&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;One reason scareware is so lucrative is that much of it uses very sophisticated techniques to fool users. Many scareware warnings reference security threats in the news (such as the Conficker worm), or display the four-color shield logo of the Microsoft Windows Security Center. &amp;#8220;The design is almost identical to Windows, so it all looks very inviting and non-threatening,&amp;#8221; says Dennis Fisher, editor of &lt;a href="http://www.threatpost.com/"&gt;threatpost&lt;/a&gt;, Kaspersky Lab&amp;#8217;s security news site.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;If users click to accept the scan, a realistic-looking animation will run, showing filenames flying by, much as they would during a real antivirus scan operation. Once the scan is complete the software will report on the viruses it found. &amp;#8220;Scareware often promises to find viruses other products miss,&amp;#8221; Ducklin explains. &amp;#8220;So, to really scare you, it&amp;#8217;ll report on all sorts of exotic viruses that infect mobile phones, or unusual applications you probably don&amp;#8217;t have installed. If you research them on bona fide websites, you&amp;#8217;ll find they are listed as legitimate threats.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The result of all this sophistication is that most people are deceived. And if you think your company&amp;#8217;s users are different, consider this: In a recent experiment at North Carolina State University, 63 percent of participants were fooled into clicking on scareware -- even though they&amp;#8217;d been warned that some messages they saw would be fakes.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Protecting users&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Given these figures, it&amp;#8217;s smart to assume your company&amp;#8217;s users are as likely to be sucked in by scareware as everyone else. Here are three steps that can help keep your computers scareware-free:&lt;/p&gt;

&lt;ol type="1"&gt;
&lt;li class="MsoNormal"&gt;&lt;u&gt;Make sure security is up-to-date, and consider blocking all pop-ups.&lt;/u&gt; Generally, there&amp;#8217;s no reason to accept any kind of pop-up advertising, Fisher says. &amp;#8220;Even if there&amp;#8217;s no malware link in the pop-up, it could be sending users to sites you don&amp;#8217;t want,&amp;#8221; he says. A pop-up blocker can always be overridden if necessary.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Consider website filtering.&lt;/u&gt; &amp;#8220;It can help to get some Web filtering software or appliance,&amp;#8221; Ducklin says. &amp;#8220;It will pre-filter websites your users are visiting, and analyzing the content coming in from them. That way, if a user does fall for the trick, and tries to visit a bad site, you can head it off.&amp;#8221;&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Make sure users know what not to do.&lt;/u&gt; Education is your best tool in fighting scareware. Begin by making sure users know what brand of security software your company is using, and that no other security software should run on company-owned equipment. Next, make sure they know that if a pop-up or balloon appears, they should not click &lt;i&gt;anywhere&lt;/i&gt; on it.&lt;/li&gt;
&lt;/ol&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;Don&amp;#8217;t touch it!&amp;#8221; warns David Bateman, who leads the Internet Safety Group at &lt;a href="http://www.klgates.com/"&gt;K&amp;L Gates&lt;/a&gt;, a law firm representing Microsoft in its joint lawsuits with Washington state against eight scareware purveyors. &amp;#8220;Even if you think you&amp;#8217;re clicking the X button to close the window, sometimes those are fake and will begin a download. But nothing can download without the user taking some action.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Instead, users should either use control-alt-delete to close the window from the Windows Task Manager, or call for IT assistance. What if the balloon is a legitimate Windows Security Center warning? &amp;#8220;If you need to run security software, open the Control Panel, go to the Windows Security Center, and run it from there,&amp;#8221; Bateman advises. &amp;#8220;That way, you&amp;#8217;re safe.&amp;#8221;&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Minda Zetlin</dc:creator>
		<dc:date>2009-05-26T15:00:08-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200906/scareware.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200904/virtualization.html?partner=rss-alert">
		<title>The Downside to Virtualization: Security Risks</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/JgMmVfb7RoM/virtualization.html</link>
		<description>&lt;p class="MsoNormal"&gt;It&amp;#8217;s hard not to love virtualization. The ability to create dozens of virtual servers (or &amp;#8220;appliances&amp;#8221;) as files within a single physical server can cut power consumption, save space, make IT admins&amp;#8217; jobs easier, and allow them create separate environments for testing new applications at will. No wonder this is one of the fastest growing technologies in businesses large and small.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But everything has its drawbacks, and virtualization is no exception.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;There&amp;#8217;s no free lunch,&amp;#8221; says Woflgang Kandek, CTO of &lt;a href="http://www.qualys.com/"&gt;Qualys&lt;/a&gt;, which offers on-demand compliance and vulnerability management. &amp;#8220;Security is one of the things you have to worry about more when you use virtual servers.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Virtualization security risks&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Why does virtualization mean paying more attention to security? Here are the reasons, and tips for addressing them:&lt;/p&gt;

&lt;ol type="1"&gt;
&lt;li class="MsoNormal"&gt;&lt;u&gt;You&amp;#8217;re adding an operating system.&lt;/u&gt; This aspect of virtualization is easy to forget, because most virtual servers act like real servers, running a Microsoft Windows or other platform. But in fact, the virtualization application itself (VMware, Microsoft Hyper-V, Xen, etc.) becomes the operating system on the server where it resides, with the operating systems of the virtual servers running as applications hosted on that system. Like any other operating system, virtualization software needs to be patched and updated regularly, to ward off security threats, in addition to the patch management you still need to maintain whatever operating system the virtual server or servers are running. &amp;#8220;So now you have two operating systems to monitor and patch, instead of one,&amp;#8221; Kandek says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Traditional intrusion detection won&amp;#8217;t work on virtual servers.&lt;/u&gt; Intrusion detection (and intrusion prevention) generally functions by monitoring network traffic and raising a red flag if there&amp;#8217;s a traffic spike or type of traffic not explained by legitimate operations. But because there&amp;#8217;s no way to monitor traffic between virtual servers on one physical host, you can&amp;#8217;t count on them to alert you to a security breach in a virtual server.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Malware can spread among virtual servers.&lt;/u&gt; With traditional intrusion detection blind to activity between virtual servers, it&amp;#8217;s easy for a virus or other malignant software to spread from one virtual server to another. And beyond -- because virtualization is often used in conjunction with clustering that moves data and applications among two or more servers, to provide load-balancing and &amp;#8220;failover&amp;#8221; in case one server in the cluster encounters a problem. &amp;#8220;This is not something any network monitoring system can analyze,&amp;#8221; says Amir Ben-Efraim, CEO of &lt;a href="http://www.altornetworks.com/"&gt;Altor Networks&lt;/a&gt;, which provides virtual firewalls that protect virtual servers. A virtual firewall can add a layer of protection at the virtual level, to fill the gap left by traditional security methods.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Confidential data can be compromised.&lt;/u&gt; Because there&amp;#8217;s no way to monitor traffic flow between virtual servers sharing the same physical server, there&amp;#8217;s no way to tell whether confidential or legally protected data (such as medical records or credit card numbers) have been compromised. &amp;#8220;I would suggest keeping such data segregated on a separate physical sever,&amp;#8221; Kandek says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Today&amp;#8217;s malware is virtual-aware.&lt;/u&gt; Viruses often meet their fate in virtual servers where IT staff test applications and then destroy the server once the malware is detected. People who write viruses are aware of this, and have begun creating special &amp;#8220;virtual-aware&amp;#8221; viruses that can tell when they&amp;#8217;re in a virtual environment. Though they&amp;#8217;ve mostly used this knowledge to hide so far, they could easily be adjusted to attack virtual servers&amp;#8217; vulnerabilities instead. According to research by the antivirus company &lt;a href="http://www.eset.com/"&gt;ESET&lt;/a&gt;, more than 200,000 virtual-aware malwares were at large in November 2008. What this means is that if you&amp;#8217;re running virtual servers, virus protection is especially critical.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Your outsourcer may not know any of the above.&lt;/u&gt; If you&amp;#8217;re outsourcing some or all of your IT security, or using hosted servers, make sure your provider is fully aware of the special security issues surrounding virtualization and has appropriate protections in place. &amp;#8220;Those extra protections should be part of the outsource agreement,&amp;#8221; Kandek says.&lt;/li&gt;
&lt;/ol&gt;
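&lt;p class="MsoNormal"&gt;As an added example (not code from the article, Qualys or Altor Networks), the following Python runs a small audit over a constructed virtual-machine inventory that applies two of the points above: Kandek&amp;#8217;s advice to keep regulated data off shared hosts (it flags any host where a virtual server holding sensitive data shares the hypervisor with guests from another trust zone) and the reminder that the hypervisor is a second platform to patch (it flags hosts whose hypervisor build is behind a baseline). The host names, build numbers, zone labels and baseline values are hypothetical.&lt;/p&gt;

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    host: str          # physical server (hypervisor) the guest runs on
    zone: str          # trust zone, e.g. "pci", "corp", "dmz", "test"
    sensitive: bool    # holds regulated data (card numbers, medical records)

@dataclass(frozen=True)
class Host:
    name: str
    hypervisor: str    # product, e.g. "esx", "hyperv", "xen"
    build: int         # installed hypervisor build / patch level

# Constructed baseline: minimum acceptable build per hypervisor product (hypothetical numbers).
PATCH_BASELINE = {"esx": 2400, "hyperv": 1800, "xen": 3300}

def coresidency_findings(vms):
    """One finding per host where a sensitive guest shares the hypervisor with guests
    of another trust zone. Traffic between such guests never reaches a physical tap,
    so a wire IDS cannot see lateral movement; separate hardware (or a virtual
    firewall on the host) is the control the article recommends."""
    by_host = defaultdict(list)
    for vm in vms:
        by_host[vm.host].append(vm)
    findings = []
    for host, guests in sorted(by_host.items()):
        zones = {g.zone for g in guests}
        sensitive = sorted(g.name for g in guests if g.sensitive)
        if sensitive and len(zones) > 1:
            findings.append({"host": host, "sensitive_vms": sensitive, "zones": sorted(zones)})
    return findings

def patch_findings(hosts):
    """Hosts whose hypervisor build is below baseline, or whose product has no baseline at all
    (an unknown product is a finding too: nobody is tracking its patches)."""
    findings = []
    for h in hosts:
        baseline = PATCH_BASELINE.get(h.hypervisor)
        if baseline is None:
            findings.append({"host": h.name, "reason": f"no patch baseline for hypervisor '{h.hypervisor}'"})
        elif baseline > h.build:
            findings.append({"host": h.name, "reason": f"{h.hypervisor} build {h.build} is below baseline {baseline}"})
    return findings

def audit(vms, hosts):
    """Run both checks; empty lists mean the inventory passes."""
    return {"coresidency": coresidency_findings(vms), "patching": patch_findings(hosts)}

def sample_inventory():
    """Constructed inventory for the example (hypothetical names and builds)."""
    hosts = [Host("esx01", "esx", 2500), Host("esx02", "esx", 2100), Host("xen01", "xen", 3300)]
    vms = [
        VM("cardvault", "esx01", "pci", True),    # regulated data ...
        VM("webfront", "esx01", "dmz", False),    # ... sharing a host with an internet-facing guest
        VM("payroll", "esx02", "corp", True),
        VM("hr-db", "esx02", "corp", True),       # same zone on the same host: acceptable
        VM("sandbox", "xen01", "test", False),
    ]
    return vms, hosts

if __name__ == "__main__":
    sample_vms, sample_hosts = sample_inventory()
    for kind, items in audit(sample_vms, sample_hosts).items():
        for finding in items:
            print(kind, finding)
```

In practice the inventory would come from the hypervisor&amp;#8217;s management API rather than a hand-written list, and the zone tags would be whatever classification scheme the business already uses for its data.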

&lt;p class="MsoNormal"&gt;Virtualization offers many advantages over working with physical servers. Staying aware of its special security issues can keep those benefits from putting your data at risk.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br clear="both" style="clear: both;"/&gt;
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://www.pheedo.com/click.phdo?s=dd304a159fd6c0b11ee5e5272c18d647&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://www.pheedo.com/img.phdo?s=dd304a159fd6c0b11ee5e5272c18d647&amp;p=1"/&gt;&lt;/a&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/8nqTyTMPmIzQSPduS25jvtID1vE/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/8nqTyTMPmIzQSPduS25jvtID1vE/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/8nqTyTMPmIzQSPduS25jvtID1vE/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/8nqTyTMPmIzQSPduS25jvtID1vE/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/systems-security/~4/JgMmVfb7RoM" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Minda Zetlin</dc:creator>
		<dc:date>2009-03-22T16:23:24-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200904/virtualization.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/software/articles/200902/server.html?partner=rss-alert">
		<title>What’s New in Server Software?</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/cN2HxJjD5tA/server.html</link>
		<description>&lt;p class="MsoNormal"&gt;Considering new servers or new server software? Two new offerings from Microsoft might be worth a look. &lt;a href="http://www.microsoft.com/sbs/en/us/default.aspx"&gt;Windows Small Business Server 2008&lt;/a&gt; is intended for companies with up to 75 computer users. It&amp;#8217;s especially useful for small companies that have little or no in-house IT expertise, especially if they&amp;#8217;re installing their first server, as a step up from simply using networked personal computers.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;One of the biggest benefits of Small Business Server 2008 is that it integrates many of the functions a small business needs: Microsoft Exchange, SharePoint, and support for mobile devices that let users sync calendars and contacts. It&amp;#8217;ll even help you buy a domain name for your business, and correctly route your website and email from your domain.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;It&amp;#8217;s integrated,&amp;#8221; says Rick Gines, server solutions architect with &lt;a href="http://www.landesk.com/"&gt;LANDesk&lt;/a&gt;, which provides IT management and security software. &amp;#8220;If you&amp;#8217;re Joe&amp;#8217;s Bakery and you&amp;#8217;re opening a small shop, you&amp;#8217;ve got everything you need in one box, and you don&amp;#8217;t need to be a technical expert.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In fact, &amp;#8220;The server kind of becomes an IT person for you,&amp;#8221; says Steven VanRoekel, senior director, Windows Server Solution Group at Microsoft. For instance, since security and data protection are top priorities for many small businesses (especially ones that are adding a server because they&amp;#8217;ve experienced data loss), Small Business Server 2008 deploys automatic patches and updates to all Windows users on the network, and automatically backs up of the server to a USB drive or other device several times a day.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;One caveat for small companies looking to upgrade to Windows Small Business Server 2008 is that some of its integrated features it comes with, including Exchange 2007, require 64 bit processors, Gines notes. &amp;#8220;Upgrading might require new hardware for some companies.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Designed by admins&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;For businesses with between 75 and 300 computer users, Microsoft recommends &lt;a href="http://www.microsoft.com/ebs/en/us/default.aspx"&gt;Windows Essential Business Server 2008&lt;/a&gt;. Though it offers many of the same features as Small Business Server 2008, &amp;#8220;The difference is that we do assume you have an in-house IT person,&amp;#8221; VanRoekel says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In fact, he worked with a group of them to help design the product. &amp;#8220;The mid-size market has unique needs,&amp;#8221; he explains. &amp;#8220;IT professionals in this size company tend to be very constrained for resources. They wind up supporting everything in the organization that has a plug, including clearing paper jams in printers and supporting home computers for employees working at home.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;So when VanRoekel set out to create Essential Business Server 2008, he began by assembling a 25-member advisory board, made up of administrators from mid-size businesses. &amp;#8220;I invited them to design their dream product, and they helped write job descriptions for the development team,&amp;#8221; he says. &amp;#8220;The mandate from them was to save them time,&amp;#8221; he says, and he reports that customers say Essential Business Server cuts their server administration time by 50 percent.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;The open source option&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;There is an alternative to Windows on servers: Linux. The open source operating system has so far failed to significantly penetrate the desktop market, but its share of server revenues keeps growing, reaching 13.4 percent worldwide in the second quarter of 2008, according to a recent &lt;ahref="http://www.idc.com/getdoc.jsp?containerId=prUS21399008" /&gt;IDC report. (Since Linux is widely available for free, revenue share may not reflect all the servers running Linux.)&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Linux is probably a poor choice for a company (such as the imaginary Joe&amp;#8217;s Bakery) that wants to manage its IT infrastructure with little attention or in-house expertise, because it lacks the ease and one-stop shopping qualities of Windows Business Server. On the other hand, running a server on Linux (which doesn&amp;#8217;t preclude using Windows on desktops) can offer some serious advantages. For one thing, there&amp;#8217;s licensing cost: Linux, being open source, has none, though most companies still do pay for support.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But no licensing fees mean it doesn&amp;#8217;t cost your company to grow, as it would with Microsoft, which requires a license for every user or computer. &amp;#8220;We find that customers want to scale smoothly, without additional license purchases,&amp;#8221; says Douglas O'Flaherty, senior product marketing manager for Red Hat, a Linux provider whose &lt;a href="http://www.redhat.com/rhel/"&gt;Red Hat Enterprise Linux&lt;/a&gt; is used by businesses large and small.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;And no license fees can also make it easier to keep things up and running, Gines says. &amp;#8220;Redundancy can be a big question,&amp;#8221; he says. &amp;#8220;If I have a nine-to-five business, where it doesn&amp;#8217;t matter if the server goes down at night or on the weekend, it might not be a problem. But when things need to stay up and running, with Linux, I can load the operating system on multiple servers.&amp;#8221; That gives you the flexibility to switch to a backup server in case your main server encounters a problem.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Ultimately, the choice to go with Linux over Windows probably depends on how comfortable your IT staff is with Linux, and also on which applications matter most to your company, according to Urvish Vashi, general manager of dedicated hosting at &lt;a href="http://www.theplanet.com/"&gt;The Planet&lt;/a&gt;, a server and Web hosting company that serves the small business market.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Whereas Microsoft provides one piece of software to meet each business need, Linux users can typically choose from a variety of open source options, he says. &amp;#8220;They have both the burden and the flexibility of finding out which applications are right for them,&amp;#8221; he says. In general, he adds, companies that focus most on e-mail and calendaring applications, such as Exchange, are more likely to prefer Windows, while companies that consider their websites and Web applications most important might be likelier to opt for Linux.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;And then there&amp;#8217;s a third option: no server at all. &amp;#8220;A lot of companies are using Web-hosted solutions for things like e-mail and collaboration that were traditionally hosted on servers,&amp;#8221; he says. &amp;#8220;Then they don&amp;#8217;t have to worry about the platform. That&amp;#8217;s probably the fastest-growing trend.&amp;#8221;&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Minda Zetlin</dc:creator>
		<dc:date>2009-01-27T10:17:36-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/software/articles/200902/server.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200902/accounts.html?partner=rss-alert">
		<title>Downsizing Dilemma: Dealing with Orphaned Accounts</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/bxaBf3z0r9A/accounts.html</link>
		<description>&lt;p class="MsoNormal"&gt;Insider impropriety already presents a considerable headache for IT managers. But as companies downsize and lay off employees in large numbers, the likelihood of insider security threats escalates.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Businesses are left particularly vulnerable when employees leave but their user accounts aren&amp;#8217;t disabled. These so-called &amp;#8220;orphaned accounts&amp;#8221; can lead to the loss of your customer list to a competitor, the malicious disabling of your critical databases and the loss of other proprietary information. It&amp;#8217;s the sort of damage a small to mid-sized business can find difficult to overcome.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;The smaller organizations can be more vulnerable,&amp;#8217;&amp;#8217; says Ellen Libenson, vice president of marketing for Symark International, which produces systems access management solutions. &amp;#8220;The smaller your business, the harder it is to recover.&amp;#8217;&amp;#8217;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;The danger of ignorance&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Yet orphaned accounts are frequently overlooked.&amp;#160; A May 2008 survey of more than 800 IT professionals found that 42 percent of those surveyed didn&amp;#8217;t know how many orphaned accounts existed within their business. The survey, commissioned by &lt;a href="http://www.symark.com/"&gt;Symark&lt;/a&gt;, also found that 30 percent had no procedure to locate the orphaned accounts, and more than 48 percent had no way to determine whether an orphaned account had been used to access information.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Lean economic times make it more likely that IT personnel will forget to disable accounts, says Libenson. &amp;#160;IT departments are often short-staffed, and a harried worker might sit down to close an account, only to respond to a pager instead. &amp;#8220;In the back of their mind, they think, &amp;#8216;Well, they weren&amp;#8217;t really bad people, it will be okay,&amp;#8217;&amp;#8217;&amp;#8217; says Libenson.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;However, the economic climate can affect your employees&amp;#8217; behavior, cautions Michael Miora, founder of &lt;a href="http://www.contingenz.com/"&gt;ContingenZ&lt;/a&gt;, which offers companies training and management for disaster recovery and security threats. &amp;#8220;In tough economic times, people who are basically honest can sometimes yield to temptation,&amp;#8217;&amp;#8217; Miora says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;The importance of precautions&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;To protect your business, it&amp;#8217;s critical to remove that temptation, whether it&amp;#8217;s financial or revenge-oriented in nature. There are several steps you can take to sidestep the risks involved with layoffs and orphaned accounts:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;u&gt;Establish a process.&lt;/u&gt; Make sure you have a formal procedure in place for dismissing employees -- and stick with it. In small companies, the sense of tight-knit community can override practical considerations when it comes to the emotion-filled act of laying off an employee, say the experts. Put together a checklist involving IT access. Make sure the employee signs a document attesting that he or she is not taking anything with them, says Miora.&lt;/li&gt;

&lt;li&gt;&lt;u&gt;Terminate access immediately&lt;/u&gt;. Business owners are sometimes tempted themselves, says Miora. You might want to get a couple of days&amp;#8217; more work out of an employee, or you might want to soften the blow of the layoff by having the employee work another week or two. &amp;#8220;A couple of days of extra work could end up costing you months and years of hard-earned customer lists,&amp;#8221; says Miora. &amp;#8220;Grab that computer. You can&amp;#8217;t let them keep it another day, another minute. Remove that person&amp;#8217;s access to everything. The instant you tell them they&amp;#8217;re gone, they have to be gone.&amp;#8221; Escort the employee out the door, says Miora. It might feel awkward and rude, but not allowing them to log on one last time is critical. &amp;#8220;It goes against the grain a little bit, but as I say, security is contrary to politeness.&amp;#8221;&lt;/li&gt;

&lt;li&gt;&lt;u&gt;Monitor log events&lt;/u&gt;. &amp;#8220;Knowing there&amp;#8217;s an accountability process in place actually deters a lot of people,&amp;#8221; says Libenson. Current employees might be tempted to log in through an orphaned account to cause mischief. There are security products on the market that enable you to log keystrokes, prevent the erasure of logs and send alerts to management when someone attempts to access an unauthorized area.&lt;/li&gt;

&lt;li&gt;&lt;u&gt;Inventory access&lt;/u&gt;. Maintain a list of every employee and what systems they are permitted to access, advises Libenson. Doing a regular inventory of this list can help ensure that employees only have access to data they truly need. You&amp;#8217;ll also know just what access you need to disable when an employee leaves.&lt;/li&gt;

&lt;li&gt;&lt;u&gt;Practice good password management&lt;/u&gt;. Libenson hears stories about passwords scrawled on whiteboards in IT departments. &amp;#8220;A small company is even more vulnerable because you have fewer IT people, so hence they tend to share a lot,&amp;#8221; she says. &amp;#8220;If administrators are sharing one password, that&amp;#8217;s a big no-no. You have no accountability.&amp;#8221; Products that dynamically change passwords have come down in cost, Libenson says. And vendors such as Symark are eager to recruit new business in this down economy.&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="MsoNormal"&gt;Keep in mind what&amp;#8217;s at risk if you don&amp;#8217;t take the time to disable an orphaned account, say the experts. &amp;#8220;The sad thing is it&amp;#8217;s so easy to set up roadblocks.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;&amp;#160;&amp;#160;&amp;#160;&amp;#160;&amp;#160;&amp;#160;&amp;#160;&amp;#160;&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br clear="both" style="clear: both;"/&gt;
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://www.pheedo.com/click.phdo?s=17dfe6f1446ed4bde236ec50d151866d&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://www.pheedo.com/img.phdo?s=17dfe6f1446ed4bde236ec50d151866d&amp;p=1"/&gt;&lt;/a&gt;
&lt;img src="http://www.pheedo.com/feeds/tracker.php?i=17dfe6f1446ed4bde236ec50d151866d" style="display: none;" border="0" height="1" width="1" alt=""/&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/dgLCuf_KDadLEpgzk7w5y56Jb-M/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/dgLCuf_KDadLEpgzk7w5y56Jb-M/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/dgLCuf_KDadLEpgzk7w5y56Jb-M/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/dgLCuf_KDadLEpgzk7w5y56Jb-M/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/systems-security/~4/bxaBf3z0r9A" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Kim Boatman</dc:creator>
		<dc:date>2009-01-27T09:36:25-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200902/accounts.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200812/tech_talk_zhu.html?partner=rss-alert">
		<title>Tech Talk: Networking Vendor Automates Backup</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/GO6vVGzH2RQ/tech_talk_zhu.html</link>
		<description>&lt;p class="MsoNormal"&gt;Vyatta is a three-year-old networking vendor based in Belmont, Calif. The company sells commercial open-source-based router and firewall solutions. The company's senior IT manager, Ray Zhu, tells IncTechnology.com that a new open-source backup and recovery system that supports Linux has helped the company automate regular backups, generate reports and conduct data recovery painlessly.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Elizabeth Wasserman:&lt;/b&gt; What type of data do you need to back up?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Ray Zhu:&lt;/b&gt; We have Web servers, software repositories, customer download sites (because we have hundreds of thousands of downloads of our software), databases, etc. We conduct weekly full backups and daily incremental backups.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Wasserman:&lt;/b&gt; Why did you look for a new backup solution?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Zhu:&lt;/b&gt; We did not have a commercial solution before. We were a startup and, in the beginning, someone developed a script for backing up that supported Linux. As we grew, we realized we needed to have something more scalable. Before, every time we had to add a new server, we had to have a developer write a new script. We needed to have something more manageable.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Wasserman:&lt;/b&gt; How did you decide which product to choose?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Zhu:&lt;/b&gt; We started by looking to see what our requirements were. We support all different flavors of Linux&amp;#160;-- RedHat and Debian and Ubuntu. Then we looked at our time frame for recovery. We were looking at a few hours, if not up to the minute. Based on a few more of those criteria&amp;#160;-- we needed to have a graphical user interface and wanted somewhat of a dashboard&amp;#160;-- we started looking at commercial packages from Acronis, Netbackup, EMC Networker, and a few others. We tested a few. We put them in the lab and ran experiments. Most of the packages don't have support for Debian so that was a deal breaker. Our servers run on Debian. Our networking software runs on Debian. The software that we sell to customers is backed up on Debian. Most companies when they say they support Linux what they mean is Red Hat.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Wasserman:&lt;/b&gt; What did you go with and what have the results been?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Zhu:&lt;/b&gt; We went with Zmanda because it met the criteria. It supports all the flavors of Linux. It's got a beautiful GUI interface. And it's able to recover in a few hours. The results have been beautiful. We have nothing to complain about. What I need to do is once in a while look at the dashboard. If it is red, then something is missing. If it's green, then it's working. Now when we add a new machine, I can just go the Web-based GUI and type the server host name, which directory we need to back up on and which schedule. The interface is designed in an intuitive way based on what we want to back up and to where and when we want to back up. We have done quite a few tests and we've recovered all the machines each time.&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Elizabeth Wasserman</dc:creator>
		<dc:date>2008-11-26T16:05:32-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200812/tech_talk_zhu.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200811/encryption.html?partner=rss-alert">
		<title>What to Look for in a Data Encryption Solution</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/Ur_rhR3Det4/encryption.html</link>
		<description>&lt;p class="MsoNormal"&gt;Already 44 states have enacted laws stating that if businesses lose customer or employee data they are responsible for it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;So far the most aggressive state in this regard, California, levies fines of $250,000 for every third party that gets an unauthorized look at a customer&amp;#8217;s medical records. That is, if 10 people see such a record, the fine is $2.5 million.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;All this would seem to be a powerful incentive for any kind of business to invest in encryption software, which is deemed the most effective method of protecting such data. Yet according to Richard Gorman, president and CEO of the Santa Clara, Calif.-based &lt;a href="http://www.vormetric.com/"&gt;Vormetric&lt;/a&gt;, one of the biggest players in the encryption market, the compliance rate is still fairly low. &amp;#8220;It&amp;#8217;s a small percentage, less than 10 percent,&amp;#8221; Gorman says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Awareness may be lacking&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Why? Though encryption solutions can range in price from $30,000 to more than $100,000, Gorman says the main reason for the low adoption rate is lack of awareness. &amp;#8220;Most companies just don&amp;#8217;t realize how easy it is to do it,&amp;#8221; he says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;According to Eric Ouelette, vice president of research and security for &lt;a href="http://www.gartner.com/"&gt;Gartner&lt;/a&gt;, of Stamford, Conn., there are two main types of encryption solutions for businesses -- e-mail and database encryption.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Ouelette says of the two, e-mail may be the most important. &amp;#8220;E-mail [encryption] is definitely something a lot of small and medium businesses need to have,&amp;#8221; he says. Such encryption isn&amp;#8217;t a standard option or feature for common applications like Microsoft&amp;#8217;s Outlook or Entourage. The most cost-effective e-mail encryption solutions are services from companies like &lt;a href="http://www.ironport.com/"&gt;IronPort&lt;/a&gt; and &lt;a href="http://www.zixcorp.com/"&gt;ZixCorp&lt;/a&gt; range from $10 to $20 per user per year. Moreover, Ouelette says only a small number of employees -- those that are sending sensitive information to customers -- need it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Despite the relatively low prices, Ouelette echoes Gorman&amp;#8217;s claim that most small businesses aren&amp;#8217;t using e-mail encryption or database encryption. &amp;#8220;No one&amp;#8217;s ever really shed light on it until now,&amp;#8221; Ouelette says. &amp;#8220;But now you have regulatory compliance issues. There are some very specific rules.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Complying with regulations&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Regulatory compliance was the major reason Automated Collection Control (ACC), a 20-person Montville, N.J., data delivery and data management firm that deals with the collections industry, opted for a Vormetric hardware/software solution in &amp;#8220;the five figures,&amp;#8221; according to Barry Kornspan, vice president of technology. The firm had always had an encryption solution in place for data &amp;#8220;in transit&amp;#8221; (i.e. sent over the Internet using SSL protocols), but just addressed its &amp;#8220;at rest&amp;#8221; data on databases and in flat files late last year because of new laws&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;The nature of the data we receive from folks is information on bad accounts -- names, addresses, credit card numbers -- and we need to encrypt that data,&amp;#8221; Kornspan says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;He found Vormetric&amp;#8217;s answer to the problem satisfactory since it performs seamlessly. &amp;#8220;There were no programming changes which was good since we weren&amp;#8217;t looking for an intrusive solution,&amp;#8221; Kornspan says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Though ACC is a good illustration of a company drawn to encryption for legal reasons, Gorman is quick to point out that there are lots of other catalysts to adoption, especially in a down economy. After all, a disgruntled former employee can wreak a lot of damage. &amp;#8220;A salesperson can walk off with key customer data,&amp;#8221; Gorman says. Of course, with an encryption solution in place, those contacts will read as lines and lines of gibberish.&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Todd Wasserman</dc:creator>
		<dc:date>2008-10-28T15:19:21-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200811/encryption.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200811/storage.html?partner=rss-alert">
		<title>To Save or Not to Save: E-mail Storage</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/l_CTpWxJtNg/storage.html</link>
		<description>&lt;p class="MsoNormal"&gt;There&amp;#8217;s a term for the e-mail overflowing from your company&amp;#8217;s PCs, laptops, and PDAs -- a digital landfill.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The &lt;a href="http://www.aiim.org/"&gt;Association for Information and Image Management&lt;/a&gt; coined the phrase to bring attention to the massive amount of data companies get and store in email without considering how smart, safe or practical it is to keep it there.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;According to the AIIM, a trade association with 60,000 members, 90 percent of business is conducted through e-mail and a substantial portion of the information contained in it could be classified as business records, documents that are essential to a company&amp;#8217;s livelihood for legal, regulatory, continuity, or other reasons.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Despite that, a majority of companies -- especially small businesses -- have no formal e-mail storage policies, according to Bob Larrivee, AIIM&amp;#8217;s education services director. But ignoring the situation and allowing employees to stockpile old e-mails on their desktops is dangerous, Larrivee says. Without policies, companies put themselves at risk if a natural disaster were to wipe out their business, he says. Also, as of 2006, any type of electronic records, including e-mail, can be used as evidence in federal lawsuits. Going PC by PC to retrieve e-mail in the event of a lawsuit is time consuming and expensive -- and if you can&amp;#8217;t produce relevant e-mail because it was accidentally deleted, the other side could use it to raise the question of whether you maliciously deleted things you didn&amp;#8217;t want them to find, Larrivee says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;The best advice to small businesses is taking action sooner is better than not doing anything at all,&amp;#8221; Larrivee says. &amp;#8220;Start doing something.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Creating an e-mail retention policy&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Before you can tackle those overflowing inboxes, decide what the definition of a business record is for your company. No two businesses or industries are alike, but experts say if an e-mail meets any of the following criteria it&amp;#8217;s a business record and should be saved:&lt;/p&gt;

&lt;ul type="disc"&gt;
&lt;li class="MsoNormal"&gt;It&amp;#8217;s needed for legal purposes.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;Regulators require it.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;It addresses a business-related transaction, event, activity, discussion or issue.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;It explains vital company policies or operations.&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;Ask yourself: would we have retained this document the old-fashioned way, in a file cabinet,&amp;#8221; says Nancy Flynn, executive director of the &lt;a href="http://www.epolicyinstitute.com/"&gt;ePolicy Institute&lt;/a&gt;, a Columbus, Ohio, electronic communications consultant and author of numerous email books. If so, keep it, Flynn says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;How long companies should retain e-mail business records depends on the company, the industry, and what the record is. Securities and other regulated industries have specific rules for how long companies need to keep records. Otherwise, the norm is to keep them for seven years, according to Flynn. Whatever your policy, stick to it. If it calls for destroying e-mail every 90 days, make sure you consistently purge every 90 days, Flynn says. If you delete on a hit-or-miss basis, and you&amp;#8217;re ever involved in a lawsuit, you could find yourself facing charges of destroying evidence, she says. &amp;#8220;When that happens, brace yourself for a huge fine or a negative jury award.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Destroying electronic business records once they&amp;#8217;ve reached the end of their useful life isn&amp;#8217;t as simple as hitting the delete key. It&amp;#8217;s important that old records be deleted in a way that shows the information did exist at one time, should the company be sued or just to be able to confirm that a former employee worked there in the event of a reference check, according to Larrivee. If a small business uses electronic records management (ERM) software the application will take care of properly purging old information, Larrivee says. Vendors that make such ERM software for small businesses include &lt;a href="http://www.microsoft.com/Sharepoint/default.mspx"&gt;Microsoft SharePoint&lt;/a&gt;, &lt;a href="http://www.laserfiche.com/"&gt;LaserFiche&lt;/a&gt;, &lt;a href="http://www.docubase.info/"&gt;Docubase Systems&lt;/a&gt;, &lt;a href="http://www.docstar.com/"&gt;docSTAR&lt;/a&gt;, &lt;a href="http://www.etfile.com/"&gt;etFile&lt;/a&gt; or &lt;a href="http://www.hylandtechnologies.com/"&gt;Hyland Technologies&lt;/a&gt;.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;If you adopt e-mail records policies, teaching employees about them is critical, experts say. Include instructions in your employee handbook, and walk new hires through procedures during orientation. Getting existing employees to change how they handle email could be the hardest task of all, Larrivee says. He recommends a steady diet of communications to alert staff to changes and &amp;#8220;if you&amp;#8217;re using a technology solution, train them on how to use it,&amp;#8221; he says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;SIDEBAR: E-mail Business Records Resources&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Want to learn more about managing e-mail records? Here are some online resources:&lt;/p&gt;

&lt;ul type="disc"&gt;
&lt;li class="MsoNormal"&gt;&lt;a href="http://www.aiim.org/"&gt;&lt;b&gt;Association for Information and Image Management&lt;/b&gt;&lt;/a&gt; -- The 65-year-old non-profit was originally founded as the National Microfilm Association and now supports the business records and content management industry. Among other resources, AIIM runs an online social network called &lt;a href="http://www.informationzen.org/"&gt;InformationZen.org&lt;/a&gt;, which hosts an &lt;a href="http://www.informationzen.org/group/bestpracticesforimplementingsolutions"&gt;electronic records management&lt;/a&gt; discussion board.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;a href="http://www.vitalrecordsprotection.org/index.html"&gt;&lt;strong&gt;Vital Records Protection&lt;/strong&gt;&lt;/a&gt; &lt;strong&gt;--&lt;/strong&gt; This website from a group of disaster recovery technology vendors provides generic information on storing and protecting vital records, a subset of a company&amp;#8217;s business records that includes many of its most important documents.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;a href="http://www.onlineorganizing.com/"&gt;&lt;strong&gt;OnlineOrganizing.com&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&amp;#160;--&lt;/strong&gt; Explains how long a company should save different types of common business records.&lt;/li&gt;
&lt;/ul&gt;</description>
		<dc:subject />
		<dc:creator>Michelle V. Rafter</dc:creator>
		<dc:date>2008-10-28T15:10:21-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200811/storage.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200810/deduplication.html?partner=rss-alert">
		<title>Data De-duplication for Disaster Recovery</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/jrthNZzBmaU/deduplication.html</link>
		<description>&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;For today&amp;#8217;s time-strapped, resource-limited small businesses, the prospect of having to write backup data to magnetic tape each night and deliver it off-site for secure storage is daunting, to say the least. But while factors ranging from hackers to hurricanes make strict backup policies a business necessity, a relatively new technology is helping to ease the burden.&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;Although best known for slashing storage costs, data de-duplication technology is making a name for itself as a key component of any disaster recovery strategy. Traditional backup systems store countless copies of the same information again and again -- bytes and blocks of data that greatly accumulate throughout the course of a business day.&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;Data de-duplication, on the other hand, works by only storing the changes that have been made to that data. Instead, redundant data is replaced with pointers indicating unique copies. By carefully eliminating redundant data, data de-duplication essentially reduces the volume of backup data -- and bandwidth -- required for transmitting large amounts of information to a recovery system. The result is a technology that not only allows for increased storage capacity with fewer hard drives and longer data retention periods but faster recovery times in the event of a disaster.&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;&lt;strong&gt;Greater simplicity -- and space&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;That&amp;#8217;s a huge relief to many small businesses. &amp;#8220;For smaller companies that don&amp;#8217;t have a lot of IT resources to handle data recovery, they want to make the backup process as simple as possible," says Lauren Whitehouse, an analyst with &lt;a href="http://www.enterprisestrategygroup.com/"&gt;Enterprise Strategy Group&lt;/a&gt;, of Milford, Mass. "Reducing their dependence on things like tape media and tape devices helps bring more simplicity to the IT environment.&amp;#8221;&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;But that&amp;#8217;s not all. &amp;#8220;Data de-duplication squishes the data down so much that you recapture disk space that you didn&amp;#8217;t have before. So instead of backing up once a day, you can back up four times a day,&amp;#8221; says Whitehouse. In practical terms, if a network outage occurs at 4 p.m. on a busy Wednesday afternoon, an IT manager need only retrieve data stored between the hours of 1 p.m. and 4 p.m., for example, rather than the past 24 hours, as is often the case when a company is working with limited storage capacity and/or tape media.&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;No wonder then that data de-duplication is fast catching on. According to a survey by &lt;a href="http://www.the451group.com/"&gt;The 451 Group&lt;/a&gt;, while only 23 percent of IT organizations are using data de-duplication in their backup and data protection infrastructure, 28 percent of non-adopters said they plan to use it within six months, and another 23 percent said they would adopt it within a year.&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;&lt;strong&gt;Caveat emptor&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;However, there is some controversy surrounding data de-duplication&amp;#8217;s powers of recovery. &amp;#8220;The downside of storing more data on a given disk drive is it might actually take you longer to do backup and recovery,&amp;#8221; warns Greg Schulz, founder of &lt;a href="http://www.storageio.com/"&gt;StorageIO Group&lt;/a&gt;, a Stillwater, Minn-based consulting firm. &amp;#8220;That&amp;#8217;s because de-duplication looks at the data as its being ingested into a storage system and has to do some heavy thinking. That&amp;#8217;s a time constraint so if you need to restore, recover, and repopulate that data very quickly, performance can be a concern.&amp;#8221;&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;span lang="EN-CA"&gt;Of course, lightening fast data recovery for one company may seem painstakingly slow to another. It&amp;#8217;s all the more reason, says Schulz, for companies to carefully consider their unique disaster recovery needs when turning to data de-duplication for protection.&lt;/span&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br style="clear: both;"/&gt;
&lt;img alt="" style="border: 0; height:1px; width:1px;" border="0" src="http://www.pheedo.com/img.phdo?i=cf734a235bc7da7d713a43b85b526449" height="1" width="1"/&gt;
&lt;img src="http://www.pheedo.com/feeds/tracker.php?i=cf734a235bc7da7d713a43b85b526449" style="display: none;" border="0" height="1" width="1" alt=""/&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/z1UO7nn21wAUhXP8N8W5FCWT2YU/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/z1UO7nn21wAUhXP8N8W5FCWT2YU/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/z1UO7nn21wAUhXP8N8W5FCWT2YU/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/z1UO7nn21wAUhXP8N8W5FCWT2YU/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/systems-security/~4/jrthNZzBmaU" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Cindy Waxer</dc:creator>
		<dc:date>2008-09-28T10:12:11-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200810/deduplication.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200809/passwords.html?partner=rss-alert">
		<title>Psst! What’s the Password?</title>
		<link>http://feedproxy.google.com/~r/inctechnology/systems-security/~3/N_MKe8Wxgfc/passwords.html</link>
		<description>&lt;p class="MsoNormal"&gt;If your IT manager took off tomorrow, or worse, got hit by a bus, would you know where to look for the administrative-level password he uses to run your company&amp;#8217;s computer network?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;It&amp;#8217;s not a trick question. In fact, it&amp;#8217;s a question IT security consultants routinely pose to new clients to find out what they&amp;#8217;re doing -- or not doing -- to safeguard their computer networks.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The importance of adequately managing high-level IT passwords hit home in July, after a disgruntled network administrator went to jail rather than divulge the password he&amp;#8217;d created to lock up a multi-million dollar computer system the city of San Francisco&amp;#8217;s technology department used to store payroll files, inmate bookings and other sensitive files.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The incident exposed the reality that even large organizations don&amp;#8217;t always do what they should when it comes to high-level administrative passwords, which IT managers also call super-user or &amp;#8220;God account&amp;#8221; passwords.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But business owners need to do a better job of managing network passwords because Sarbanes-Oxley, HIPAA, and other state and federal regulations as well as credit-card processors have set standards for digital information security that demand it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Keep passwords under lock and key&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;One of the best ways to guard against sabotage or accidental disaster is to avoid using top-level administrative passwords as much as possible, says Irving Popovetsky, principal consultant with &lt;a href="http://www.prostructure.com/"&gt;ProStructure Consulting&lt;/a&gt;, a Portland, Ore., security firm. Choose one high-level person, preferably the IT director, company officer or someone else who&amp;#8217;s personally liable for happens in IT, and entrust them with the password. &amp;#8220;But it should never be used except in emergencies,&amp;#8221; Popovetsky says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Instead, lock it away -- in a bank vault if you have to -- and have that person use a separate account for daily tasks such as reading e-mail, visiting websites, or using software programs. Popovetsky suggests that any IT staff person who has access to a password for even a portion of a company&amp;#8217;s computer network also be required to use a separate, second account for routine daily tasks. Why? For one, it makes it easier to audit activities in accounts used for network administration and maintenance to see who&amp;#8217;s making changes to what. Even more importantly, it eliminates the risk of a hacker breaking into one of those high-level administrative accounts and using it to steal company information or launch a Trojan horse or other vicious software program, Popovetsky says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Companies should also practice what IT security professionals call role-based management or the principle of least privilege, where employees have the minimum access to the company&amp;#8217;s computer network they need to do their job, says Javed Ikbal, principal at &lt;a href="http://www.zsquad.com/"&gt;zSquad&lt;/a&gt;, an IT security consultant in Boston.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Non-knowledge workers such as secretaries or call-center employees don&amp;#8217;t need full access to their own workstations, so there&amp;#8217;s no reason to give them administrator passwords for the machines. On the other hand, programmers and other knowledge workers need some additional administrative rights in order to do their jobs and their passwords should be tailored accordingly.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Other password precautions&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Other steps companies can take include the following:&lt;/p&gt;

&lt;ul type="disc"&gt;
&lt;li class="MsoNormal"&gt;&lt;b&gt;Change the name of system administrator accounts&lt;/b&gt;. Hackers look for default names for administrator accounts, such as &amp;#8220;Administrator&amp;#8221; on Microsoft systems and &amp;#8220;root&amp;#8221; on Unix systems. Foil them by changing these names to something hard to guess. Popovetsky&amp;#8217;s clients have changed the names of their administrator accounts to &amp;#8220;Barney Rubble&amp;#8221; or &amp;#8220;Fred Flintstone.&amp;#8221; &amp;#8220;That right away reduces the risk a little,&amp;#8221; he says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;Use strong passwords&lt;/b&gt;. Make passwords for top-level accounts hard to crack by using at least eight characters and including mixed capitalization and at least one character that&amp;#8217;s not a letter or number.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;Be consistent&lt;/b&gt;. Companies often use strong security measures around key computer networks but not on other, less critical ones. That&amp;#8217;s short-sighted because hackers can use the less critical systems as a way into the more secure ones. It&amp;#8217;s like putting a lock on your front door but forgetting to close the window right next to it, Popovetsky says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;Use software&lt;/b&gt;. Companies that run Microsoft-based networks can use a free program called &lt;a href="http://technet.microsoft.com/en-us/security/cc184924.aspx"&gt;Microsoft Baseline Security Analyzer&lt;/a&gt; to scan servers and workstations to see if they&amp;#8217;re running under optimum security settings, and if they&amp;#8217;re not, get recommendations for what could be changed.&lt;/li&gt;
&lt;/ul&gt;
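&lt;p class="MsoNormal"&gt;The password rule in the list above, as an added Python example rather than anything from the article: a checker that reports which of the three stated criteria a candidate password fails, plus one extra check this example adds on its own, that the administrative password is not the daily account&amp;#8217;s password or a variation of it. The sample passwords are invented.&lt;/p&gt;

```python
# Minimum length from the article; it is a floor, not a target.
MIN_LENGTH = 8


def policy_failures(password):
    """Return the rules that `password` fails (an empty list means it passes).
    Rules: at least MIN_LENGTH characters, both upper- and lower-case letters, and
    at least one character that is neither a letter nor a digit."""
    failures = []
    if MIN_LENGTH > len(password):
        failures.append(f"fewer than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        failures.append("no mixed capitalization")
    if not any(not c.isalnum() for c in password):
        failures.append("no character that is not a letter or digit")
    return failures


def passes_policy(password):
    return not policy_failures(password)


def separate_from_daily(admin_password, daily_password):
    """Extra check added by this example: the administrative password must not equal
    the daily account's password or contain it (case-insensitively), so a compromise
    of the everyday account does not hand over the privileged one."""
    a, d = admin_password.lower(), daily_password.lower()
    return a != d and d not in a and a not in d


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for pw in ["password", "Correct-Horse", "Abc!1", "ABCDEFG!1"]:
        print(repr(pw), policy_failures(pw) or "ok")
    print(separate_from_daily("Correct-Horse", "correct-horse"))
```

&lt;p class="MsoNormal"&gt;Treat the checker as a gate against obviously weak choices rather than a measure of strength: for an account that unlocks the whole network, length does far more for resistance to guessing than the character-class rules do.&lt;/p&gt;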

&lt;p class="MsoNormal"&gt;According to Ikbal, companies can also use privileged identity management technology to secure, automate and audit passwords for applications, databases, and servers. Companies that make PIM technology include Cyber-Ark, &lt;a href="http://www.e-dmzsecurity.com/"&gt;e-DMZ&lt;/a&gt;, &lt;a href="http://www.quest.com/"&gt;Quest&lt;/a&gt;, and &lt;a href="http://www.symark.com/"&gt;Symark&lt;/a&gt;.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But don&amp;#8217;t rely entirely on software for protection. IT security is a process, and a business owner who uses software but doesn&amp;#8217;t change their security procedures usually finds out the hard way that one doesn&amp;#8217;t work without the other, Popovetsky says. &amp;#8220;The problem with security is it&amp;#8217;s hard, it&amp;#8217;s really hard. The deeper you get into it, the more complex it is.&amp;#8221;&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Michelle V. Rafter</dc:creator>
		<dc:date>2008-09-03T14:48:46-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200809/passwords.html?partner=rss-alert</feedburner:origLink></item>
</rdf:RDF>
