Risky Business
How long could your company survive without its most critical server?
When Nick Ferguson, IT manager at Tustin, Calif.-based Peregrine Pharmaceuticals, posed that question to department heads, he was surprised by the answer: The server that handles Peregrine's finance application could sit idle for five days before negatively affecting the business. "Five days is a huge amount of time to be down, but that gives us five days to get hardware replaced and up," he says.
Viruses, denial-of-service attacks, spyware, phishing schemes—even major corporations with their armies of IT pros and state-of-the-art tools have a hard time keeping up with the growing list of cyber-threats. Small businesses need to identify their unique vulnerabilities and arm themselves with the appropriate tools. "It all comes down to having a strong risk analysis in place," says Ferguson.
Most organizations conduct some form of economic evaluation of their security expenditures, according to the 2004 Computer Security Institute (CSI)/FBI Computer Crime and Security Survey. And the numbers add up. Security breaches cost each of the U.S. businesses surveyed $141 million in one year, according to the 2004 report. That's down from nearly $202 million, as reported in the 2003 survey, due to increased IT security measures by businesses.
"Companies need to budget technology into their finances," says Aaron Tuomala, data communications manager at Bowermaster & Associates, a commercial and personal insurance agency in Downey, Calif. "It can be a big initial investment, but you soon see the return."
Recognizing Weaknesses
The Sarbanes-Oxley Act prodded Peregrine to analyze the numbers behind its IT security measures. Like the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act sets a minimum security bar that companies must meet to protect financial data.
"It's cumbersome," says Ferguson, whose IT department has been buried under paperwork as it tries to document all its processes.
But the exercise has helped him tighten company security. Is Peregrine immune to attack? No. But he knows which servers need the greatest protection and, thanks to clearly documented IT policies, he can spot irregularities and act immediately.
Through the risk-assessment process, Ferguson learned that removing terminated employees from the network took days, although they were always immediately classified as inactive users. Now all processes are time- and date-stamped and require management sign-off.
Identifying IT risks and documenting processes, he adds, "have helped other departments in the company realize that IT plays a critical role."
Staying Focused
For most businesses, Web-filtering tools combined with intrusion detection and prevention systems make sense. But White House Custom Colour uses a different system.
Computers at the St. Paul, Minn.-based photography lab aren't assigned to each employee. Instead, a bank of machines is available when employees need them, often for just minutes at a time.
Since employees don't have much opportunity to surf the Web, IT Director Chris Hanline doesn't worry about Internet-based worms. But with files constantly being e-mailed to and from clients, he does worry about infected attachments. "I'm most scared of some sort of e-mail virus," says Hanline. "I try to keep everything patched and up to date."
Knowing that e-mail viruses are his biggest vulnerability, Hanline has invested in a server to scan files at the gateway. A Cisco firewall and constant reminders to employees about safe e-mail practices help him sleep better at night.
It's up to technology chiefs like Hanline to present business leaders with a coherent picture of specific threats facing companies and a list of strategic IT security tools to alleviate those threats.
"Don't cut corners on that stuff," advises Hanline. "Some things are definitely worth the money."
Every company faces unique cyber-threats, but here are some of the most common risks, along with strategies to keep them at bay.
Viruses and Worms
The good news, according to the 2004 CSI/FBI Computer Crime and Security Survey, is that 99 percent of the companies surveyed use antivirus software and 98 percent use firewalls. The bad news: Viruses still account for companies' biggest financial losses.
"Some companies don't worry about cyber-threats until an attack happens, and then they pay for it," says Aaron Tuomala. "Sometimes all it takes is one disaster to open a company's eyes."
Desktop antivirus software alone isn't enough to keep businesses safe. Companies need antivirus protection at every end point—computers, mail servers, the gateway and firewalls—as well as regular virus scans and definition updates.
In addition to a firewall and five layers of antivirus and spam filters, Bowermaster, which has had no security incidents during Tuomala's five-year tenure, uses Web-filtering software to keep employees from sites where they may download worms.
"I think I have a pretty good handle on security," says Tuomala. "My main approach is preventative maintenance."
Many companies are learning that signature-based protection isn't enough to guard against today's viruses, which strike hours or even minutes after new vulnerabilities are uncovered.
Along with antivirus software, which checks traffic for known signatures, and intrusion detection and prevention systems, companies need systems that look for anomalies that violate the standard HTTP protocol, and they must be prepared to take immediate action to guard against potential threats.
Peregrine Pharmaceuticals has one intrusion detection system monitoring Internet activity and a second that monitors its Web servers. IT Manager Nick Ferguson plans to install a third to watch clients on the network.
Spyware
Asked how to eliminate cyber-threats, Ferguson chuckles: "Disconnect yourself from the Internet."
Although he's not likely to do that anytime soon, the recent spate of spyware makes it tempting.
"Spyware is a huge deal," Ferguson says. "We're slammed with it."
As long as port 80 stays open and employees access the Web, spyware finds its way in. Ferguson has had to reload some computers. "It's taking ownership of some machines," he complains.
Ferguson uses a combination of three spyware-removal products to cleanse his machines, and he's switching to a new browser in hopes it will provide some relief.
The problem is that most firewalls don't address traffic inside the network, so once spyware is unwittingly downloaded onto machines, it works from the inside out, explains Tuomala.
While most virus-removal tools are automated, spyware is more difficult to tackle. Setting strict Web-browsing policies helps keep spyware off machines, says Tuomala. But, he adds, "It's a real headache."
Hackers
To keep unwanted visitors out of a network, it is important to authenticate and control access to the gateway, encrypt data and guard devices with personal firewalls.
User names and passwords provide one level of gateway access control. Bowermaster also screens for preapproved Media Access Control (MAC) addresses before letting machines access its network.
Firewalls with stateful packet inspection, which blocks unusual packets from entering the network, provide extra security. Deep packet inspection on the gateway, which looks at the data portion of packets rather than just the headers, goes a step further by protecting against viruses that propagate within applications (i.e., e-mail and instant-messaging programs).
Encrypting data is especially important for wireless networks. Wi-Fi Protected Access (WPA) and 802.11i, which was released last year, both offer dynamic security: They assign each user a different key that is encrypted and constantly changing.
The original wireless security standard, Wired Equivalent Privacy (WEP), is not as secure because it offers only static security: Keys are the same for all users, and they never change, giving hackers time to decode the key and gain access to the network.
For now, says Tuomala, WEP is strong enough for the wireless networks in Bowermaster's four locations since it sits on top of the company's regular gateway access control. But, he adds, "It's definitely something I want to beef up in the future."
Human Error
When Ferguson sent e-mails to Peregrine's employees asking them to click on a link where they could supply passwords and other sensitive information, several employees gladly complied.
Ferguson shared the results with employees and warned them about phishing scams—e-mails disguised as notices from legitimate companies that direct victims to fraudulent sites to collect their account or credit card information. When he repeated the experiment, the results were better, but some employees again fell into the trap. Next time, he plans to hire a consultant to see how much information can be culled from employees. "We're only as strong as the weakest point on our network," says Ferguson.
Sometimes companies' biggest threats are right under their noses: users who download content from questionable Web sites, log onto company networks from unprotected home computers or turn off desktop firewalls. As many security breaches originate from inside networks as from outside, according to the Computer Crime and Security Survey.
Companies need to educate users about cyber-security so they can spot symptoms of possible trouble with their systems—running slowly or lethargically, experiencing frequent crashes, running out of space unexpectedly—and notify IT.
Remote users can leave a big hole in a network, but administrators can seal it off by requiring them to access the network via a virtual private network (VPN).
Bowermaster plans to redesign its Web presence this year, giving clients the ability to access their account information online. The Web interface software already has user-level security built in, requiring user names and passwords, but in order to tighten security, Tuomala plans to add a Secure Sockets Layer VPN and encryption.
"It's definitely a concern," he says. "Your network is the core of your operations. Not to put thought into keeping it secure makes it a big crapshoot."


