
Business Technology

Monday, April 07, 2008

Public Wi-Fi: Be Very Paranoid

March 12, 2008 from BusinessWeek – “You have an hour before your flight, so you log in to the Wi-Fi network at the airport. You look up some stock prices, check your e-mail, pay a couple of bills online, and surf a few Web sites. Has it occurred to you that curious or hostile eyes could be peering into your computer and your network? It pays to be paranoid.”

180 View – An ounce of prevention is worth a pound of cure…

Monday, February 04, 2008

Concerned about wireless security

WEP (Wired Equivalent Privacy) is often the security method chosen for wireless networks. Did you know that someone could break into a WEP-protected wireless network in less than an hour? There are tools such as Cain & Abel, which according to their website
  • “is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.”

These tools can be useful, but in the wrong hands they can pose a threat, especially if there is something on your network that would be considered valuable. In any event, do yourself a favour and use WPA (Wi-Fi Protected Access) instead of WEP.
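One practical way to act on that advice is to audit the networks in range, or the ones your staff connect to, and flag any that are open or still on WEP. The script below is an added example, not something from 180 Systems or the Cain & Abel project; it assumes the input is the colon-separated output of `nmcli -t -f SSID,SECURITY dev wifi list` (the sample scan is constructed, not a real one), and it generalizes to WPA mixed-mode and 802.1X networks as well.

```python
"""Flag Wi-Fi networks that are open or still secured with WEP.

Added example (not from the 180 Systems post). Input format assumed to be
the colon-separated output of `nmcli -t -f SSID,SECURITY dev wifi list`;
SAMPLE_SCAN is constructed for illustration, not a real scan.
"""
from dataclasses import dataclass

# Constructed sample: one "SSID:SECURITY" line per network, as nmcli -t prints it.
SAMPLE_SCAN = """\
OfficeMain:WPA2
OldWarehouse:WEP
Guest-Cafe:
HomeRouter:WPA1 WPA2
BackOffice:WPA2 802.1X
"""


@dataclass
class Network:
    ssid: str
    security: str  # raw nmcli SECURITY field; "" means no encryption

    @property
    def risk(self) -> str:
        flags = self.security.upper().split()
        has_wpa = any(f.startswith("WPA") for f in flags)
        if not flags:
            return "OPEN"      # anyone nearby can read the traffic
        if "WEP" in flags and not has_wpa:
            return "WEP"       # crackable in well under an hour
        if has_wpa:
            return "OK"        # WPA/WPA2/WPA3 (optionally with 802.1X)
        return "UNKNOWN"


def parse_scan(text: str) -> list[Network]:
    """Parse nmcli -t style lines. nmcli escapes literal colons in SSIDs as '\\:'."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The SECURITY field is last, so split on the final colon.
        ssid, _, sec = line.rpartition(":")
        nets.append(Network(ssid.replace("\\:", ":"), sec.strip()))
    return nets


def networks_needing_action(text: str) -> dict[str, str]:
    """Return {ssid: risk} for every network that should move to WPA2/WPA3."""
    return {n.ssid: n.risk for n in parse_scan(text) if n.risk in ("OPEN", "WEP")}


if __name__ == "__main__":
    for ssid, risk in networks_needing_action(SAMPLE_SCAN).items():
        print(f"{risk:5} {ssid}")
```

Run it against a real scan by piping `nmcli -t -f SSID,SECURITY dev wifi list` into `parse_scan`; anything reported as WEP or OPEN is a candidate for reconfiguration, and an OPEN SSID that matches your own network's name deserves a second look for the reasons discussed in the evil-twin article further down the page.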

Saturday, January 12, 2008

Watching the Watchers: Why Surveillance Is a Two-Way Street

January 2008 from Popular Mechanics “The recent boom in video monitoring—by both the state and businesses—means we're all being watched. It's like something out of George Orwell's 1984. Except that, unlike Orwell's protagonist Winston Smith, we can watch back—and plenty of people are doing just that. Which makes a difference.

The widespread installation of recording devices is not all bad: ATM cameras helped prove that Duke students accused of rape couldn't have committed the crime. And we all sympathize with the goals of preventing terrorism and crime, though it is not proven that security cameras accomplish this.

Nonetheless, the trend toward constant surveillance is troubling. And even if the public became concerned enough to pass laws limiting the practice, it's not clear how well those laws would work. Government officials and private companies too often ignore privacy laws…

The widespread availability of digital cameras and video-capable cellphones means that ubiquitous surveillance on the part of the little guys is moving, if anything, even faster than ubiquitous surveillance on the part of the big boys. And distribution tools like YouTube make it easier to get the footage to a large audience.”

180 View – 9/11 changed everything. It seems that most people are ok with less privacy in favour of more security. Technology is also changing everything when it comes to privacy vs security. Some claim that satellites in space can already read a license plate. London’s so-called Ring of Steel is an extensive web of cameras and roadblocks designed to detect, track and deter terrorists. New York is in the process of doing something similar. According to an article entitled “Surveillance: A New Look at Big Brother” published by CIO Today on December 26, 2007, “There are about 30 million surveillance cameras in the U.S. -- inside ATM machines, at traffic lights, in department store dressing rooms.” How long will it be before the cameras can find someone based on a retina scan?

Monday, December 17, 2007

10 Tips To Secure Your Laptop

November 24 from InformationWeek – “As more people use laptops for their primary work PCs, the chances for being compromised because of wireless miscreants loom large. Here are 10 how-to tips to protect yourself and make the best use of a wireless network, whether you are at home, at work, or in between.

1) Make sure you are connecting to the right network. Although this sounds sort of obvious, I've noticed in my travels that there are lots of unscrupulous people who purposely name their wireless connection "Linksys," or some other common vendor's name, in hopes of getting someone who is less than careful to connect to them. The security industry calls these sorts of conditions "evil twins"…

When you are out on the road, look carefully at the screen that shows the available network connections, and particularly at the different icons next to the connections. The icon that looks like a light beacon indicates an access point, while the one showing two computers with connecting lines indicates a peer-to-peer connection. These peer-to-peer connections are the ones to avoid…”

180 View – We thought there were a few good tips in the article that you may not know about.

Thursday, November 22, 2007

Data Leak in Britain Affects 25 Million

November 21, 2007 from The New York Times – “The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era…

In sheer numbers, the breach was smaller than several in the United States over the last few years. Last year, a computer and detachable hard drive with the names, birth dates and Social Security numbers of 26.5 million veterans and military personnel was stolen from the home of an analyst, but recovered apparently without any harm. In 2003, a former software engineer at America Online pleaded guilty to stealing and selling 92 million user names and e-mail addresses, setting off an avalanche of up to seven billion unsolicited e-mail messages.

But the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16.”

180 View – “The disks were protected by a password, the government said, but were not encrypted.” How many wake-up calls are necessary before sensitive data is routinely encrypted?

Wednesday, October 24, 2007

Cafe Latte attack steals data from Wi-Fi PCs

October 17, 2007 from NetworkWorld – “If you use a secure wireless network, hackers may be able to steal data from your computer in the time it takes to have a cup of coffee. At the Toorcon hacking conference in San Diego this coming weekend, security researcher Vivek Ramachandran, will demonstrate a technique he's developed to attack laptops that use the WEP (Wired Equivalent Privacy) encryption system to log on to secure wireless networks.

Developed in the late 1990s, WEP was the default method of securing Wi-Fi networks. Though the WPA (Wi-Fi Protected Access) system replaced it, about 41 percent of businesses continue to use WEP. That percentage is even higher among home users, security experts say.

That's unfortunate because WEP has been riddled with security problems. In fact, WEP was blamed for the recent TJX Companies Inc. data breach in which thieves were able to access 45 million credit- and debit-card numbers."

180 View – Why take chances? Upgrade to WPA.

Tuesday, July 31, 2007

Data protection a "contradiction in terms"

June 27, 2007 from ITBusiness - “"What's interesting in financial services is that it is the combination of data that becomes valuable information when it comes together to create an identity," Axelrod said. "If you are just going to file away social security numbers with no way to tie them to identity, they're actually pretty innocuous; but even if you just have a way to associate that information to a phone number or other data, someone can put things together..."

Axelrod said for the record that "data protection is a contradiction in terms," and that the process will never be perfected, based on the nature of IT systems and the need for businesses to easily retain access to important information…

Regulations like the Sarbanes-Oxley Act have proven less effective than legislators might have initially hoped they would be at improving overall data security because businesses have focused on meeting the terms of the guidelines versus boosting their overarching protection schemes, Fusco and other panelists agreed.

However, some industry-driven security requirements, such as the PCI (payment card industry) standard forwarded by credit card issuers, have had the desired effect, experts said.

Well-written guidelines can help make the difficult task of convincing senior executives to increase their IT security budgets easier, alleviating one of the most significant challenges of the entire data protection process, according to Steve Peltzman, chief information officer at the Museum of Modern Art in New York…”

180 View – Take a look at Payment Card Industry (PCI) Data Security Standard https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf to see the “well-written guidelines”. We see a lot of overlap between the various regulations and authorities on security, and sympathize with organizations struggling to protect their data as well as comply with regulations.

Monday, June 25, 2007

Google Is Watching You

June 22, 2007 from BusinessWeek – “The Internet's most popular services enable people to do everything from research ailments to virtually tour Times Square—for free. But when you type in a Web search, your words are stored by Google and other search providers, along with information tying those words to your personal computer. If you surf the Web, the pages you visit and what you do on them are tracked with "cookies," tiny text files that download to your computer so they can report back to their ad network owners..."

180 View – Although Google’s business model does not include extortion, there are security concerns which need to be addressed. But the potential threat of getting exposed may be a good incentive for some people to clean up their act.

Sunday, January 07, 2007

How Secure Is Your Wi-Fi Connection?

January 4, 2006 from New York Times – “Long-time readers know that I’m not exactly one of the privacy paranoid. I’ve accepted that we all live in thousands of databases. The state of New York knows where and when I drive, thanks to my E-ZPass (electronic toll-booth badge). Stop & Shop knows what I eat, thanks to my grocery discount card. Blockbuster knows what kinds of movies I watch. Verizon knows whom I call, MasterCard knows what I buy–it’s just hopeless.

Frankly, I consider the details of my life so boring to other people that I really couldn’t care less. I’ve got nothing to hide, so why not accept it? That attitude spilled over to a “From the Desk of David Pogue” e-column I wrote in 2004, in which I attempted to throw water on scare-tactic computer-magazine articles that said, in effect: “Ooooh! If you use your Wi-Fi laptop at public Internet hot spots, the bad guys will see everything you’re doing and rifle through your files!” I’m back again today to throw that water right back into my own face.

On this topic, my eyes have been opened. It came about like this: I recently filmed six episodes of a new TV series (”It’s All Geek to Me,” which airs in February on The Science Channel, Discovery HD and Discovery Europe). In one of them, I wanted to get to the bottom of this Wi-Fi snooping business. I wanted to see exactly what is, and is not, possible for the bad guys to intercept when you’re sitting there in Starbucks or the hotel lobby. I put a note up on my blog, seeking a guest who could appear on the show and show me the hacky ropes. I found John Baer, a technical consultant who seemed just right for the part.

We met (John, the camera crew and I) in a Manhattan Wi-Fi coffee shop. Turns out there was absolutely nothing to it. John sat a few feet away with his PowerBook; I fired up my Fujitsu laptop and began doing some e-mail and Web surfing. That’s all it took. He turned his laptop around to reveal all of this:

  • Every copy of every e-mail message I sent *and* received.
  • A list of the Web sites I visited.
  • Even, incredibly, the graphics that had appeared on the Web sites I had visited.

None of this took any particular effort, hacker skill or fancy software. Anyone could do it. You could do it. All John needed was a “packet sniffing” program; such software is free and widely available. (He used a Mac program called Eavesdrop.) It sniffs the airwaves and displays whatever data it finds being transmitted in the public hot spot. Now, the fact that it’s so easy to intercept your Internet signals in a public hot spot doesn’t mean that somebody is *doing* it. In fact, of course, most of the time, nobody is. Nonetheless, John’s little demonstration made clear that somebody *could* intercept your transmissions extremely easily.

So are you supposed to crawl into a hole, turn off your Wi-Fi, and go back to dial-up? Not exactly. You can take steps to protect yourself:

  • If you see the little padlock in the corner of your Web-browser window (or if the Web address begins with “https://” instead of “http://”), you’re connected to a secure Web site. Your transmissions are encrypted in both directions, so you have little to fear from casual packet sniffers. Banking and brokerage sites, for example, are protected in this way.
  • You can sign up for encrypted e-mail services or programs, too, if avoiding e-mail eavesdropping is that important to you.
  • You can connect to your company over a VPN (virtual private networking) connection, which encrypts *all* data to and from your laptop. This is something a network geek would have to set up for you.
  • Otherwise, you can just conduct your online transactions with the awareness that a stranger could be “overhearing” them. Wait to visit Web sites, or to send e-mail messages, of a delicate nature until you’re on a wired connection or a private wireless one.

Truth be known, since my eyes were opened, my Wi-Fi habits haven’t actually changed much. I still open the laptop in the hotel lobby, exchange e-mail with readers, editors and friends, and check a few news sites or blogs. None of it would really mean anything to an evil eavesdropper nearby. But at least I’m aware that I *could* be observed. And isn’t it always better to know than not to?

180 View – We have replicated the article in its entirety. We think that many people share the concern expressed in the article and this article is short, well-written and informative. The author, David Pogue, “writes a technology column that has appeared each Thursday in The Times since 2000. Each week, he also writes the Times e-mail column "From the Desk of David Pogue," creates a short, funny Web video for NYTimes.com, and posts entries to his Times blog. In his other life, David is an Emmy-winning correspondent for CBS News, a frequent contributor to NPR's "Morning Edition," creator of the Missing Manual series of computer books, and father of three.”
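The column's advice boils down to one check: of the traffic you send over a public hot spot, which of it is in the clear (plain HTTP, POP3, IMAP, SMTP) and which is wrapped in TLS or a VPN tunnel? The script below is an added example, not from the column or from 180 Systems; it classifies a connection log by destination port and interface. The log format is constructed for the example ("time iface src:port -> dst:port proto"), and the assumption that a VPN appears as interface `tun0` is ours.

```python
"""Audit a connection log for sessions a hot-spot packet sniffer could read.

Added example, not from the column above. Log line format is constructed:
"<time> <iface> <src>:<sport> -> <dst>:<dport> <proto>".
"""
import re
from collections import Counter

# Well-known ports whose protocols carry plaintext versus TLS-protected ones.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http",
                   110: "pop3", 143: "imap"}
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 465: "smtps", 587: "submission",
                   993: "imaps", 995: "pop3s"}
# Assumption: VPN traffic leaves via a tunnel interface, so it is encrypted
# end-to-end regardless of the application protocol inside.
VPN_IFACES = {"tun0"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\w+)$")

# Constructed sample log: a web visit, a bank site, mail over POP3, mail via VPN, IMAPS.
SAMPLE_LOG = """\
2007-01-04T10:12:03 wlan0 10.0.0.5:51234 -> 203.0.113.10:80 tcp
2007-01-04T10:12:09 wlan0 10.0.0.5:51240 -> 203.0.113.20:443 tcp
2007-01-04T10:13:11 wlan0 10.0.0.5:51251 -> 198.51.100.7:110 tcp
2007-01-04T10:14:02 tun0 10.8.0.2:40021 -> 192.0.2.15:143 tcp
2007-01-04T10:15:40 wlan0 10.0.0.5:51290 -> 198.51.100.7:993 tcp
"""


def classify(line: str):
    """Return (kind, dst, port) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = int(m["dport"])
    if m["iface"] in VPN_IFACES:
        return ("tunnelled", m["dst"], port)
    if port in CLEARTEXT_PORTS:
        return ("exposed", m["dst"], port)
    if port in ENCRYPTED_PORTS:
        return ("protected", m["dst"], port)
    return ("unknown", m["dst"], port)


def audit(log: str) -> dict:
    """Summarise a log: which sessions were readable, plus counts per category."""
    exposed, counts = [], Counter()
    for line in log.splitlines():
        result = classify(line)
        if result is None:
            continue
        kind, dst, port = result
        counts[kind] += 1
        if kind == "exposed":
            exposed.append(f"{dst}:{port} ({CLEARTEXT_PORTS[port]})")
    return {"exposed": exposed, "counts": counts}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for session in report["exposed"]:
        print("readable by anyone on the hot spot:", session)
    print(dict(report["counts"]))
```

Port-based classification is a heuristic: a service can run TLS on an unusual port or plaintext on 443, so treat "unknown" entries as worth a look rather than safe. The useful lesson is in the counts: the two "exposed" sessions are exactly the web page and the POP3 mailbox check from the column, while the IMAP session through the tunnel is not exposed even though IMAP itself is plaintext.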

IT Security Survey

January 5, 2007 from Canadian Technology News – “More than 1,600 North American IT managers (including over 1,000 Americans and 550 Canadians) were asked to rate the importance of security against seven different security threats, including security policy user compliance, internal user malfeasance, generic external threats (like viruses), random attacks (like password crackers), targeted external attacks, and protection of the physical server room or data centre.

The results, which were calibrated from the respondents' ranking of certain kinds of threats as “very” or “extremely” important, showed that Americans' and Canadians' attitudes toward IT security seem virtually identical, never straying farther than a few percentage points' difference.

The No. 1 concern was generic external threats, with more than 70 per cent of both Canadian and American IT managers calling it “very” or “extremely” important. This didn't surprise Brian Bourne, president of security consulting firm CMS Consulting and a member of the steering committee of the Toronto Area Security Klatch, an IT security user group. “Everyone gets spam and viruses, and it's a very visible problem. Its impact on security is easy to understand. But what most people don't understand is that when you do security really well, nothing happens. It's hard to understand the value of nothing happening,” he said.

Bourne has found that companies tend to get worked up over spam and viruses because it has an easily identifiable impact on productivity. Said Bourne: “When it comes to a leakage of information, which could also obviously have an effect on productivity, they really don't seem to worry that much.”

They're not blind to the data-leakage problem -- the second-most feared security threat is random attacks, which 60 per cent of Canadian IT managers and 56 per cent of American IT managers rated as “very” or “extremely” important in the battle against IT breaches (the fear of targeted attacks came in second-to-last, with half of the American respondents, and just over half of the Canadians, saying it was “very” or “extremely” important). Bourne said that this concern isn't even close to the fever pitch it should be hitting, in spite of the threat's easy understandability: “password cracking is happening on a mass basis.” He estimated that issues like server vulnerability are resulting in even small businesses getting five to 20 attacks daily, while larger companies get many more.

180 View – We think that the survey asked the wrong people. The CEO and CFO will be a lot more concerned.

Wednesday, December 13, 2006

2006 CSI/FBI Computer Crime and Security Survey

The Computer Crime and Security Survey is conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. The survey is now in its 11th year and is, we believe, the longest running continuous survey in the information security field. This year’s survey results are based on the responses of 616 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. The 2006 survey addresses the major issues considered in earlier CSI/FBI surveys, thus allowing us to analyze important computer security trends. The long-term trends considered include:

  • Unauthorized use of computer systems;
  • The number of incidents from outside, as well as inside, an organization;
  • Types of attacks or misuse detected, and;
  • Actions taken in response to computer intrusions.

This year’s survey also addresses several emerging security issues that were first probed only with the 2004 CSI/FBI survey. All of the following issues relate to the economic decisions organizations make regarding computer security and the way they manage the risk associated with security breaches:

  • Techniques organizations use to evaluate the performance of their computer security investments;
  • Security training needs of organizations;
  • Organizational spending on security investments;
  • The impact of outsourcing on computer security activities;
  • The use of security audits and external insurance;
  • The role of the Sarbanes–Oxley Act of 2002 on security activities, and;
  • The portion of the information technology (IT) budget organizations devote to computer security.

This year’s questionnaire also included some questions being introduced for the first time. In particular, an open-ended question about the current concerns of respondents has provided insight into the relative perceived urgency of concerns about issues such as data protection and instant messaging. Some of the key findings from the participants in this year’s survey are summarized below:

  • Virus attacks continue to be the source of the greatest financial losses. Unauthorized access continues to be the second-greatest source of financial loss. Financial losses related to laptops (or mobile hardware) and theft of proprietary information (i.e., intellectual property) are third and fourth. These four categories account for more than 74 percent of financial losses.
  • Unauthorized use of computer systems slightly decreased this year, according to respondents.
  • The total dollar amount of financial losses resulting from security breaches had a substantial decrease this year, according to respondents. Although a large part of this drop was due to a decrease in the number of respondents able and willing to provide estimates of losses, the average amount of financial losses per respondent also decreased substantially this year.
  • Despite talk of increasing outsourcing, the survey results related to outsourcing are similar to those reported in the last two years and indicate very little outsourcing of information security activities. In fact, 61 percent of the respondents indicated that their organizations do not outsource any computer security functions. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is rather low.
  • Use of cyber insurance remains low, but may be on the rise.
  • The percentage of organizations reporting computer intrusions to law enforcement has reversed its multi-year decline, standing at 25 percent as compared with 20 percent in the previous two years. However, negative publicity from reporting intrusions to law enforcement is still a major concern for most organizations.
  • Most organizations conduct some form of economic evaluation of their security expenditures, with 42 percent using Return on Investment (ROI), 21 percent using Internal Rate of Return (IRR), and 19 percent using Net Present Value (NPV). These percentages are all up from last year’s reported numbers. Moreover, in open-ended comments, respondents frequently identified economic and management issues such as capital budgeting and risk management as among the most critical security issues they face.
  • Over 80 percent of the organizations conduct security audits.
  • The impact of the Sarbanes–Oxley Act on information security continues to be substantial. In fact, in open-ended comments, respondents noted that regulatory compliance related to information security is among the most critical security issues they face.
  • Once again, the vast majority of the organizations view security awareness training as important. In fact, there is a substantial increase in the respondents’ perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area.

Friday, October 06, 2006

Security: Don't Spring a Data Leak

July 12, 2006 from Baseline – “The most notorious snafu: The U.S. Department of Veterans Affairs disclosed in May that it lost data on 26.5 million veterans and their spouses plus 2.2 million active military members when a worker's computer was stolen out of his home. Other organizations that have reported thefts of computers with sensitive data include Aetna, American International Group, Ernst & Young, Equifax, Union Pacific and the YMCA.

Even the Federal Trade Commission, responsible for enforcing privacy laws, disclosed in June that a laptop with unencrypted private data on 110 people was stolen from a car used by its attorneys.

From February 2005 to mid-June 2006, such security breaches have exposed information on more than 88 million individuals, according to the Privacy Rights Clearinghouse, a San Diego privacy advocacy group.

"Everyone spends a lot of time focusing on external threats," says Gartner analyst Avivah Litan, "but most of the threats are either from insiders or employees who take data home. It has nothing to do with criminals hacking into your databases."

Litan says many organizations are unprepared for accidental or deliberate data breaches: She estimates that businesses today encrypt less than 10% of all sensitive customer data. A survey this year by research firm Ponemon Institute, sponsored by encryption vendor PGP, found that 4.2% of companies use encryption across their entire enterprise (as opposed to only in select departments).

Litan predicts that companies will be fast-tracking security projects to prevent information assets from leaking out, including deploying software that stops any sensitive data from being e-mailed or copied to any outside party or device.

"Pretty soon, there's not going to be any employee privacy—everything is going to be monitored," she says.

Regions Financial, for one, has taken steps to seal the cracks. The 25,000-employee company, which operates 1,300 bank branches in 16 states, encrypts the entire hard drives of its thousands of laptops. (Zimmerman wouldn't name the encryption software Regions is using or say exactly how many laptops it maintains.)

Is scrambling every bit of data on every laptop overkill? Not to Zimmerman. "I can guarantee you that there would be confidential information on almost every laptop in the organization," he says.

But the danger of data leaks obviously extends beyond portable computers. Regions also uses software from Vericept to monitor all outgoing e-mail to make sure it doesn't include confidential information. The software uses statistical analysis on text in messages and attachments to find content that violates the company's policies. Most often, transgressions are accidental, Zimmerman notes: "People don't realize they've hit 'reply to all.'"

Some I.T. executives say portable storage devices—namely, thumb-size USB drives—scare them more than the possibility of a laptop vanishing. "If you were stealing something, why would you carry a laptop out the door when you could throw data on a 60-gigabyte USB drive?" asks Jim Brockett, chief information officer at Washington Trust Bank in Spokane, Wash.

Washington Trust this year plans to deploy software from security vendor NextSentry that will prevent any of its 900 employees' computers from using USB storage devices, and will provide other monitoring functions like flagging e-mail for certain keywords and phrases (say, "account number").

"We're not informing users about [the project]," Brockett says, "but we've let them know we have the right to monitor them."

Another lesson from the rash of data losses in the headlines is that "user education" is only effective to a point. It's certainly true that employees should be regularly updated on good data-handling hygiene. But no amount of education will eliminate careless mistakes or stop a disgruntled employee from violating a policy. Security technologies like encryption and digital rights management software, which controls access to specific pieces of content, can act like seat-belt laws—to help computer users from hurting themselves.

"We can do training, we can do policies, but unless we monitor every laptop every single day, there's no way we can control what people put on their laptops," says Jacob Mays, assistant vice president of information technologies at Stillwater National Bank and Trust in Stillwater, Okla.

To make sure no data can be read on a lost or stolen computer, the bank fully encrypts all of its 80 laptops with PGP software, a measure it initiated last year. Employees must enter a password before Windows even boots up.

Like seat belts, security mechanisms have to be easy to use. "You can talk until you're blue in the face about the need for it, but unless it's practical, people aren't going to use it," says Jason Elizaitis, director of information technology at Fairfield Greenwich Group, a New York-based asset management firm.

Fairfield Greenwich Group, which manages $10 billion in assets for high-net-worth individuals and institutional investors, uses Liquid Machines' Document Control digital rights management software at six offices worldwide. The software lets employees encrypt and assign privileges to documents (such as flagging them for "internal use only" or "do not print"), using a drop-down menu that is installed in the menu bar of Microsoft Office applications.

Why hasn't every company on the planet put in similar safeguards?

Cost may be one issue. A sophisticated digital rights management system, for example, can run to $500 per employee, while content-filtering packages start at around $25,000. Encryption products have entry prices of $125 to $300 per employee; vendors in this market include PGP, Pointsec Mobile Technologies, Utimaco Safeware and WinMagic.

Microsoft promises to bring encryption to the masses in the forthcoming Windows Vista operating system, which includes a feature called BitLocker that can automatically encrypt a PC's entire disk.

Meanwhile, some I.T. managers still have a perception that deploying and managing encryption products is extremely complicated, says Andrew Krcik, vice president of marketing at PGP. "There's still a hangover from people having looked at encryption seriously five years ago and said, 'It's way too complex,'" he says.

Stillwater National Bank's Mays found setting up and managing laptop encryption straightforward, requiring employees to leave their laptops overnight to perform the initial full-disk encryption. He was at first concerned that the PGP encryption software would slow down the machines, but found that on any laptop less than three years old, "there's not a noticeable performance hit."

To Zimmerman of Regions Financial, the justification for encryption and content-monitoring measures boils down to this: What's the company's reputation worth? As Zimmerman puts it: "Whether we lost one record or 1 million records, our credibility with customers would be shot."

5 Steps to Prevent Data Loss

1. Guard against human error. Use security technologies, such as data encryption, as a safety net for honest mistakes.

2. When in doubt, encrypt. All laptop hard drives should be encrypted.

3. Monitor outgoing messages. Use software to block e-mail messages or file transfers with confidential data.

4. Ensure security is easy to use. Otherwise, employees will find ways to get around it.

5. Audit security practices regularly. Experts say such reviews should happen at least monthly.

180 View – We replicated most of this interesting article. Good policy, training and the right tools can go a long way to mitigate the risks.
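Step 3 in the article's list (monitor outgoing messages) is the one most people have never seen in practice. The script below is an added example, not the Vericept or NextSentry products the article mentions and not 180 Systems code; it shows the core of such a filter: keyword matching for phrases like "account number", a pattern check for Social Security numbers, and a card-number check that uses the Luhn checksum so that arbitrary 16-digit strings do not trigger it. The message samples are constructed.

```python
"""Flag outgoing messages that appear to carry account, SSN or card data.

Added example (not the commercial products named in the article). Patterns
are deliberately simple; SAMPLE_MESSAGES are constructed for illustration.
"""
import re

KEYWORDS = ("account number", "routing number", "social security")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_message(subject: str, body: str) -> list:
    """Return a list of findings; an empty list means the message may go out."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    findings = [f"keyword:{kw}" for kw in KEYWORDS if kw in lowered]
    findings += ["ssn-pattern" for _ in SSN_RE.findall(text)]
    # Never log the full card number; keep first six and last four only.
    findings += [f"card:{c[:6]}******{c[-4:]}" for c in find_card_numbers(text)]
    return findings


# Constructed sample outbox.
SAMPLE_MESSAGES = [
    {"to": "vendor@example.net", "subject": "Invoice",
     "body": "Please charge card 4111 1111 1111 1111 for the balance."},
    {"to": "all-staff@example.com", "subject": "Re: picnic",
     "body": "See everyone Friday at noon."},
    {"to": "friend@example.org", "subject": "fwd: account number",
     "body": "My SSN is 123-45-6789, please keep it safe."},
]


def messages_to_block(messages: list) -> dict:
    """Map subject -> findings for every message the filter would hold back."""
    blocked = {}
    for msg in messages:
        findings = scan_message(msg["subject"], msg["body"])
        if findings:
            blocked[msg["subject"]] = findings
    return blocked


if __name__ == "__main__":
    for subject, findings in messages_to_block(SAMPLE_MESSAGES).items():
        print(f"HOLD {subject!r}: {', '.join(findings)}")
```

A real deployment would add attachment parsing and a review queue rather than silently dropping mail, and would tune the keyword list to the business; but even this much catches the "reply to all" accident the Regions Financial example describes, and the Luhn check keeps order numbers and phone numbers from drowning the reviewer in false positives.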

Safe Driving? Is Your Lap Strapped In?

September 1, 2006 from webCPA – “If you think this article doesn't pertain to you, your firm, or your clients, either because your business is too small, too big, or because it's the perfect size for guarding against IT security threats, think again.

Security woes even hit computer security software company McAfee, which in February had to warn some 9,000 current and former employees that their names and Social Security numbers were on an unencrypted CD that was lost after being left on a plane by an employee of auditor Deloitte & Touche.

That same month, Ernst & Young confessed to some of its clients that their Social Security numbers and other personal data were lost on a laptop stolen from a locked car belonging to one of the firm's employees.

And closer to home, in May the American Institute of CPAs had to tell its approximately 330,000 members that a hard drive containing their Social Security numbers and other data – sent out for repair in direct violation of the AICPA's internal control procedures – was lost in transit by FedEx.

That faux pas was particularly galling since this year's rendition of the AICPA's Top Ten Technology list ranked information security as the No. 1 technology issue.

"From the standpoint that every AICPA member was affected, if that doesn't serve as a wake-up call for CPAs, I don't know what will," says Susan Bradley, a recognized IT security expert who is a CPA and partner at Fresno, Calif.-based Tamiyasu, Smith, Horn and Braun Accountancy Corp., where she is the network administrator.”

The article gives some suggestions to improve security:

“"Most firms think they have a good firewall, so they think they're not at risk," he says. "But many are using consumer-grade firewalls that are not updated or not strong enough to protect their networks."

Higher levels of protection are available from companies like Sunnyvale, Calif.-based SonicWall and WatchGuard Technologies of Seattle, Johnston and others say.

SonicWall's "unified threat management" technology features solid-state firewalls and VPN appliances that incorporate anti-virus, anti-spyware, and network-intrusion prevention features for both wired and wireless networks. It also provides constant monitoring of firewall performance, Johnston says. Similar features are available through WatchGuard's firewalls.

IT managers also need to ensure proper installation of firewalls, and that all crucial network ports are properly protected.

"Many times firms pay extra fees for a firewall installer, and [do] not realize that firewalls weren't installed correctly," Johnston says. "Installers will leave ports open, making a network vulnerable to attack – for example, file transfer port 21, Internet browser port 80, or mail port 25. They all need firewalls."

The growing popularity of wireless networks, along with the growth of Microsoft's Mobile 5 wireless devices, is coinciding with more options for securing wireless operations. For one thing, users should make sure they're using the security pack that is available with Mobile 5 devices, experts say.

Accounting firm Abalos & Associates in Phoenix uses the Sentinel S3 USB key from Mesa, Ariz.-based Sweet Spot to control access to laptops and other mobile computing devices, says Cheryl Folkerth, a CPA and technology manager at Abalos.

The S3 key, which a user must insert into a computing device to access the firm's wireless network, incorporates two-factor authentication that involves 128-bit encryption along with a user-defined PIN. It also integrates a secure virtual private network, or VPN, tunnel to encrypt critical data being transferred between client and host computers.

"No one has been able to get onto the wireless network without the USB key," Folkerth says.

SonicWall also provides a SonicPoints system of securing multiple access points throughout a wireless network, which Johnston says he has used successfully. A SonicPoints system can be configured, managed, and updated through a centrally managed SonicWall security application.

Another tool for protecting laptops is Palo Alto, Calif.-based PGP Corp.'s PGP Desktop, which encrypts an entire hard drive. "If the laptop is stolen, it has no data value," Johnston says.

But technology applications alone aren't sufficient to protect wireless networks, experts say. At Tamiyasu, Smith, IT security chief Bradley enforces a multi-part policy that dictates how employees can access the firm's network. Employees working remotely must not use a public kiosk or any other computing device other than their own anti-virus-software-loaded machine.

Her accounting firm also has remote employees access the Remote Web Workplace, a feature built within Microsoft's Small Business Server 2003, which ensures that sensitive data can't be downloaded to computers outside the office. "They can view but not download the data," she says.

While e-mail has done wonders for improving the service that accounting firms can offer their clients, it also presents huge risks for stolen data when e-mailed client communications are not encrypted.

"Not encrypting e-mail is a glaring error among businesses," Johnston says. If a hacker knows a CPA firm's URL and corresponding IP address, he can figure out how to receive a copy of all e-mail traffic a firm sends its clients, he adds. "A firm's e-mail might reach the right client address," Johnston says, "but the firm won't know if it also reached another destination."

Technology such as AMPLock encryption from Madison, Wis.-based SmartSoftKey can ensure that only intended recipients can receive and unlock e-mail messages and files, Johnston says. AMPLock integrates with Microsoft Outlook.”

180 View – This article includes the following point – “The realm of security technology is still like the Wild West to most people, with hucksterism and snake oil vying side by side with really well thought-out security software and hardware-based tools.” Huge investments are being made or will be made to improve security by organizations across the country. Hopefully, you’re not being sucked in by the hype, but investing in practical solutions that are justified based on the risks.


  © 2004 One Hundred & Eighty Degrees Systems Limited. All Rights Reserved