Preparing for a data breach incident
1. Make a disaster recovery plan that details very specific steps for what to do, and what each employee’s exact responsibilities are, if a data breach occurs. From an IT perspective, define how you will determine what type of incident it is (malware infection, unauthorized access to private data, or other malicious activity) and write concise response steps for each type. Have multiple data restoration options available and test them regularly for reliability. Build contact lists of vendors and key response personnel, and create a business continuity plan for the event that your IT systems are rendered unusable. Your IT group should also document baseline configurations (approved settings and file hashes for servers, firewalls and workstations) so that a suspect system can be compared against a known-good state.

2. Test and exercise the plan on a regular basis to train your key personnel and to keep your disaster recovery plan updated with your ever-changing office environment. Incident preparedness training ensures that company personnel are ready to handle a data breach before one occurs. Training should include employee awareness of the overall security plan and the related response measures, so that employees help rather than hinder the recovery process.

3. Commit the proper amount of resources to prevent an attack. And this means committing monetary resources on an annual basis to proactively address security issues. It is much less costly to be proactive than to be reactive. The “It won’t happen to me” security approach is a recipe for disaster.

4. Consider data breach insurance which will help offset much of the cost of a data breach incident. These plans are not new and should become a staple item when reviewing annual insurance coverages.

Infoencrypt
Infoencrypt is a free, web-based service for securing your messages. Enter the text of your message and a password that will be used for both encryption and decryption; the service encrypts the message so that it can be sent over ordinary email, and anyone who intercepts the ciphertext without the password will not be able to read the original. As with any shared-password scheme, the password must reach the recipient over a different channel than the message itself, and a weak password is the weakest link.

SafeGmail
SafeGmail is a free extension for Google Chrome that allows you to send encrypted emails to anyone. The messages are encrypted and decrypted within the browser and remain encrypted in both the sender’s and receiver’s email inboxes. The messages also automatically expire after a random amount of time.

RMail
RMail lets you send email with end-to-end encryption and compliance features from your current email address (10 free messages per month). Each message automatically returns a Registered Receipt™ record proving encrypted delivery, along with open tracking.

Sendinc
Sendinc is a web-based service that makes it safe and simple to transmit sensitive information via email. You and your recipients can use Sendinc for free. No software is required.

Sendinc secures your message by ensuring that your data remains encrypted from the time it leaves your computer through the time your recipients retrieve it. At no point in the process is your message data transmitted or stored in an unencrypted format. Sendinc further ensures the safety of your messages by verifying your recipients are in fact your intended recipients.

Messages are encrypted with a powerful randomly-generated encryption key that is emailed to your recipients in the form of a link. Sendinc does not save a copy of your recipients’ encryption keys and your message cannot be decrypted without the key – not even by Sendinc. This means only your recipients can decode the message data. Note that the link is the key: anyone who can read the recipient’s inbox can read the message, so this design protects against the service operator and against interception of the stored data, not against a compromised mailbox.

Hushmail
Hushmail is a secure web-based email service, free for basic use, that looks and feels just like any other webmail site but adds strong encryption to your emails to protect your secrets from prying eyes. It uses standards-compliant encryption and provides mobile access (Android, iPhone, BlackBerry, etc.). Paid plans are also available that provide additional storage, unlimited email aliases, dedicated technical support, and desktop access.

Lockbin
Lockbin is a free web application for sending private email messages and files. Lockbin ends message persistence, meaning your message is not retained on email servers or in their backup files, and it also protects against network sniffers that can read ordinary email traffic in transit. Use Lockbin to protect the content of your message from both hazards.

No registration is required to use Lockbin. Your message and file attachments are protected by strong AES-256 bit encryption and your secret password. You invent the password and deliver it to the recipient using a different secure method, not email.

iSafeguard
iSafeguard is a software package that provides easy-to-use and highly secure encryption and digital signature solutions for everyone from big companies to individual users. The software allows you to sign and encrypt files, folders, and emails and verify digital signatures and countersignatures. It provides a secure text editor and allows you to wipe files, folders, and free disk space. It also integrates with the Windows shell.

The freeware edition of the software is for non-business, individual users. Although it lacks some of the features of the enterprise and professional editions, it provides the same encryption and digital signature capabilities, and its security is as strong as theirs.

Crypto Anywhere
Crypto Anywhere is a program that is small enough to fit on a USB flash drive, providing free secure email on the go. Don’t have a computer yourself but want to protect your web based e-mail at your local internet cafe? Crypto Anywhere is for you. If you run Crypto Anywhere from a USB flash drive, you can encrypt your email without even installing software on your workstation. With Crypto Anywhere you can send and receive secure email to and from anyone with an email account – the recipients do not have to have Crypto Anywhere themselves.

Crypto Anywhere is free for personal and corporate use.

The information in this blog post was compiled from multiple sources, but especially http://www.howtogeek.com/

There are many pieces of your business computer system and you may not be aware of where security weaknesses may be hiding. IT often becomes an afterthought or something that a business owner does not want to think about, much less worry about. But, like a business vehicle, your IT system needs regular attention if you expect it to work when you need it.

The major items covered in an IT assessment:
Data backups – Are they automated? / Do they happen consistently and reliably? / Is there a layered approach with multiple options for restoration, and are restores actually tested?
Disaster recovery – Is there a plan to quickly restore computers, servers, and even your entire network in the event of a catastrophe?
Front-line Internet protection – Does your network’s firewall have the latest security patches? / Are there unnecessary open ports or port-forwarding rules exposing internal systems to the Internet? / Is the firewall a business-class device? / Are you relying on the firewall functions of your Internet modem?
Anti-malware protection – Lax, expired, or entirely absent security software is one of the easiest openings for an attacker to exploit.
Remote access to your internal network – Does your office provide a separate wireless guest network, or do you give visitors direct access to your corporate LAN? / Is your employees’ remote access secure? / Do you opt for convenience over security?
Privacy policies – Are your employees educated on best practices for protecting your customer data? / Is there an Internet and computer usage policy? / Are field computing devices using encryption?
Data breaches and IT security threats are becoming more prevalent. The longer you wait to address your IT weaknesses, the more likely they are to become a problem.

Some basic strategies for safe and private web browsing

  1. Spam email filtering

Spam email introduces web links or attachments in emails that entice your users to click potentially introducing viruses/malware on business computers/networks. These spam emails can also redirect your employees to websites where they offer up information (either personal or business) that should remain private or confidential.

  2. Internet content filtering

An effective web content filtering solution is essential, because granting your employees unfettered access to the Internet opens your company to a multitude of problems:

  • Security: Grave risk to the company’s security from malicious or compromised sites.
  • Legal trouble: Liability for inappropriate content.
  • Productivity: Loss of employee productivity due to Internet abuse.

  3. Use private browsing options for your browser

Mozilla Firefox: https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history

Google Chrome: https://support.google.com/chrome/answer/95464?hl=en

Internet Explorer: http://browsers.about.com/od/internetexplorertutorials/ss/How-To-Activate-Inprivate-Browsing-Mode-In-Internet-Explorer-11_3.htm

  4. Use an alternate web browser

WhiteHat Aviator – a hardened browser that closes off the common paths through which malicious sites infect your computer, blocks ads, and disables media autoplay. Before relying on any such browser, confirm that it is still receiving security updates; a hardened browser that is no longer patched is worse than a mainstream one that is.

  5. VPN (virtual private network) web browsing
  • A VPN encrypts your traffic between your device and the VPN endpoint, so an eavesdropper on the local network (a public Wi-Fi hotspot, for example) cannot read it. Traffic leaves the VPN provider in whatever form you sent it, so a VPN complements HTTPS rather than replacing it.
  • Websites see the VPN endpoint’s IP address instead of yours, making you appear to come from a different machine, location, or country.

Q: What are some IT standard practices and procedures that we should implement when dealing with our field or remote employees?

A: Depending on the technology needs of your remote employees you should implement the following as standard security practices:
(a) Have a plan for field technology to return to the main corporate office on a regular basis for security and software updates, or manage updates centrally so that machines that rarely come back are not left unpatched;
(b) Field computers should have a host-based firewall enabled for browsing the Internet off-site; the built-in Windows firewall is acceptable only if it is actually turned on and its policy is centrally managed, otherwise use a managed third-party product;
(c) Limit or forbid use of public wireless networks (use personal mobile hotspots instead);
(d) Eliminate or restrict actual data on the local computers (use remote application servers for running apps and storing data, and treat the local computer as a “dumb terminal”);
(e) Make it policy that employees use a VPN (virtual private network) when accessing company servers and data remotely; and
(f) If data absolutely must reside locally on the remote computers, use the full-disk encryption built into the notebook’s operating system or third-party encryption software.

Q: Smartphones have become an increasingly large part of our field employee’s toolkit. What should I do to protect ourselves with regard to these computing devices?

A:
(a) Make certain smartphones used for company business are owned by the company and used for company business ONLY (without a signed BYOD agreement and mobile device management enrollment, you cannot enforce IT policy on an employee’s personal phone);
(b) Again, use the cellular data plan rather than public Wi-Fi for accessing data and browsing the Internet;
(c) Password-protect and auto-lock the devices;
(d) Enable remote find and remote wipe so that a device can be located or erased if it is lost or stolen; and
(e) Limit the use of document sharing/sync apps (SugarSync, Box) and, of course, iCloud.
