The Low-Tech Attack Is Often The Best

By Larry Seltzer  |  Posted 2003-06-06 Print this article Print

Protecting your small business' information is more than just fancy computer security. Stop info-thieves from walking up and stealing your data.

Discuss this column in our forum. Bit-heads such as myself tend to get hung up around the cool techie aspects of security, like data encryption and authentication systems. But many of the most important information theft attacks are based, at least in part, on the breakdown of the more human elements of security.

Could I just walk into your business, go up to one of your computers and access your data? Ive seen, even worked at businesses where this was the case. Especially early in the morning, late in the evening, or at lunch hour, offices can be vulnerable to someone with enough nerve.

The end result can be a compromise of company information, which can be a compromise of client information or employee information, or even investor information. Im sure I can think of even worse possibilities, but you get the idea.

Maybe I dont even have to sneak in. Most information compromise comes by way of "social engineering," in which the attacker takes advantage of the natural tendency in decent people to want to help others. If I were to call up your office and claim Im with your network consulting firm and I needed the person who picked up to help me run a test, would they help? This sort of thing happens all the time: "Could you log in and log out of the network please? OK, that looks fine. Could you do it again? ... Still not there... Maybe if I tried your account from here. Could I have your username and password?"

Well-meaning duped employees can be damaging enough, but think of the damage an employee could cause if they deliberately went out to rip you off. In terms of your company information, malicious employees could abuse company or customer credit cards, sell private customer information, perhaps even embezzle funds if they have access to the appropriate accounts. To some degree you have to trust your employees, so you cant prevent it, but if youre good at keeping confidential information available only to the employees who need access to it, then people will know they are more accountable for the use of that information.

You will have to rely, to an extent, on computer security to keep information private. Dont completely rely on it though. For example, if an intruder has physical access to your computers they can, with some time, gain access to the data on the computers. No physical security fundamentally means no data security. And some password systems are worse than others. For example, password-protected QuickBooks and Quicken files are easily cracked.

A related issue under the general heading of information protection is backup; if you keep your information on your computers with no effective backup, you are rolling the dice with your companys assets. Taking it a step further, to have a true sense of security with your companys data you need a secure remote backup facility. There was a time when this meant you needed to have tapes couriered to vault in a mountain, but the Internet has brought us cheap backup services (see a PC Magazine review of some of these services) that, for a trivial amount of money, give you the confidence to know that if your building burned down or there was some other sort of disaster (think World Trade Center) you could recreate your computer infrastructure and get your business functioning again not too long after the hardware was set up.

Distasteful as it may be, you have to think like a thief and tell your people that access to the computers and network is a matter of serious confidentiality. They shouldnt take it casually. Its an information economy; protect your assets or someone will steal them without a second thought. Spend some time thinking about what could go wrong and plan for the possibility. Some education and a little money will accomplish a lot. But the more technological you get in this, the more youll need a consultant you can trust.

Discuss this column in our forum.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel