If you still think natural disasters are the leading causes of data loss – and that the chances of it happening to you are pretty slim, take a look at the results from a study by Strategic Research Corporation of the leading causes of business continuity and disaster recovery incidents:

• Hardware Failures (servers, switches, disk drives, etc) – 44%.
• Human Error (mistakes in configurations, wrong commands issued, etc) 32%
• Software Errors (operating systems, driver incompatibility, etc)14%
• Viruses and Security Breach (unprotected systems are always at risk) 7%
• Natural Disasters 3%

Establishing a disaster recovery plan can be done in the following four steps:

1) Take a potential risk inventory. Make a list of every potential cause of data loss and the solutions to each. Your list should include losses that won’t affect the business very much, and those that would shut the business down temporarily or permanently. Information Technology experts can assist you with creating the potential risk inventory – as they will have the knowledge and experience to identify possibilities that you are not likely to think of but need to plan for all the same. These IT experts will also be able discuss preventative solutions to guard against each type of potential data loss.

2) Rate each of your potential data loss situations. How likely is it for each of the items on your risk inventory to occur? Rating them in order of importance and likeliness to occur will help you determine where to focus your disaster recovery plan efforts.

3) Develop your disaster recovery plan. Go through each of your potential risks and their solutions, and determine how long it would take you to recover from the loss of data for each risk. Could your business be offline for 24 hours? A week? Depending on the nature of your business, being offline for even just 24 hours could result in your losing customers to your competition. Look at ways to reduce the length of time it would take you to recover from each type of data loss risk.

4) Put your disaster recovery plan to the test. Once you’ve created your plan of action for recovering lost data, you should test your solutions. A disaster recovery plan is just a plan until it can be tested and proven.

Content by Managed Services Provider University

Free Windows utility, Identity Finder scans your hard drive looking for sensitive information, like credit card numbers and passwords. The utility will bring the information to your attention so that you can do something about it – perhaps moving it to a more appropriate location.  The “Pro” version of the application will allow you to encrypt and store this information safely. 

Knowing what information you have stored out there is the first step to securing it. Securing the information is especially important for laptop users who could be susceptible to loss or theft.

Hope this helps.

-Justin

Many wireless routers available at local big-box stores are unsecured right out of the box. The reasoning for this is that the less complicated the manufacturer can make the configuration of their product, the less potential frustration for the end user – but this is a double edged sword as ease of use and security tend to be mutually exclusive.

Some simple things you can do to secure a wireless router are as follows:

1.) Change the default configuration.

This should be the first thing you do with a new router. Every manufacturer ships their devices with a default username and password as well as a default SSID (which is the "name" of your wireless network). Change the password and wireless SSID (or name) in the router’s configuration. Many routers will include a CD that will help you to configure these parameters. If you have questions, consult the manufacturer for specific instructions.

Also, its never a good idea to name your wireless network based on your address, business name or last name. This just gives any potential attacker even more information. Its always best to use a non-identifiable name.

2.) Enable encryption -

All wireless routers will support some kind of encryption. The three most popular are WEP, WPA and WPA2. Of these three, WPA2 is the most secure. WEP and WPA have some inherent technical weaknesses that can allow, even a novice hacker to circumvent relatively easily (which, in this case is very relative). Encryption can be enabled either by accessing your router’s configuration interface via a Web Browser from your computer or by using the manufacturer’s supplied CDs. Enabling encryption will prevent the casual would-be thief from accessing your wireless network but as the old adage goes, where there is a will, there’s a way – which is a resonating undertone to all things computer security related. For businesses or individuals dealing in highly-sensitive information, basic encryption is not enough. Businesses should always consult an IT professional before setting up wireless access to their computer networks and/or information systems.

Doing these two things will go a long way to secure a person’s home network.

With all of the Advertisement Sharing Services that websites are using nowadays, it makes it harder for major websites to control content being displayed on their sites. What I’m getting at is that these exploits can sometimes come from big name, legitimate sites and not some shady back-alley website as you might expect – this is affectionately referred to as malvertizing. See: MSN Norway serving Flash exploits through malvertising and MySpace, Excite, and Blick Serve Up Malicious Banner Ads and Rogue ads pushing malware — how it works.

This specific vulnerability affects Mac, PC, Unix and Solaris Operating Systems. There is no known software patch for this issue – Adobe has announced that they are working on it. However, there is a workaround.

Mitigation techniques are discussed here on Adobe’s official Security Bulletin: http://www.adobe.com/support/security/advisories/apsa10-01.html

Clients of Teklogic that are on a Netcare plan have this workaround in place and are already protected. If you do not have a Netcare plan or are not a client of Teklogic’s please Contact Us and we will get you fixed up.

Thanks!

: — Justin Carter
: — Teklogic, Inc.
: www.Teklogic.net

Identity theft emerged, of course, and began ruining lives. Now, the analyst notes, "There are more obligations than ever to report an ‘asbestos spill’ and more consequences if you don’t."

So today, we know better than to put our customers, employees, and others at risk because of sloppy practices with personally identifiable information (PII) and other sensitive data.

Or do we? 

A sizable number of U.S. small businesses still do not have privacy policies, or have ones too vague to be of any value. Meanwhile, companies of all sizes continue to scrimp on data security, or allow poorly trained employees easy access to sensitive information. Data breaches such as these compiled by the nonprofit Privacy Rights Clearinghouse  are now legendary.

‘Do unto others how you’d want them to do unto you’

If you run a small business, you likely handle some PII, even if it is simply the e-mail addresses you collect for newsletter distribution.

You owe it to your customers and employees to protect them from ID theft, scams, spam, fraud, and other toxic by-products of the Internet. And you owe it to your company and business partners to follow best practices, and the law, when it comes to collecting and storing sensitive business information. 

"It doesn’t have to be that complicated. If you think about the data that businesses collect about you, and you do unto others how you would want them to do unto you, you will have [privacy] top of mind," says Carolyn Hodge, vice president of communications for online privacy specialist TRUSTe.

Here are six tips to help you be smart and responsible when it comes to privacy.

1.  Take inventory of the personal information you collect and store. Privacy analysts recommend  compiling a written inventory of the PII you collect. PII generally includes names and contact information, physical addresses, e-mail addresses, credit card numbers, Social Security numbers, and the like. For example, does your Web site use cookies to capture info about who visits your site?

Know that any contracts and agreements you have with other businesses, and any trade secrets of other businesses that you may possess, also constitute sensitive information. Failure to protect such information could violate insider trading laws, among other statutes.

For more help, see this guide and tutorial from the Federal Trade Commission.

2.  Analyze how safely you use and store this data. Believe it or not, many small businesses are known to store private information on their customer-facing Web sites, which could easily be hacked. Many others allow employees unfettered access to such data. Still others are nonchalant about sending spreadsheets containing PII unencrypted over the Internet via e-mail.

Store private information on password-protected internal sites, and limit employee access to only those with a legitimate need to know, experts recommend. If you must send PII or other sensitive information via the Internet, encrypt it through password-protected ZIP files, encrypted e-mail, or S/MIME, PGP, and similar applications. Don’t make it easy for hackers by scrimping on data security.

3.  Make sure you’re complying with industry or federal laws. Strong privacy policies and practices may be mandatory if your business is governed by certain government or industry regulations. Here is a look at some of the statutes governing the privacy of information:

• The Health Insurance Portability and Accountability Act of 1996  regulates businesses in the U.S. health-care industry.
• The Graham-Leach-Bliley Act, passed in 1999, governs the U.S. financial services industry.
• CPNI (Customer Proprietary Network Information)  governs customer information gathered by companies in the telecommunications industry.
• With its Security Standards Council, the Payment Card Industry  self-regulates retailers and other businesses that collect credit card numbers and related personal financial information.
• The European Union Directive on Data Protection  regulates U.S. companies serving European consumers and businesses.
• The Children’s Online Privacy Protection Act of 1998  oversees the collection of personal information from children under 13.  

If necessary, companies such as WeComply, a Mt. Kisco, N.Y., concern, develop training programs for businesses on how to comply with federal laws regulating privacy.

4.  Post a privacy policy that is clear and comprehensive. A handful of states have their own privacy laws that are stronger than the federal laws, including California. Its Online Privacy Protection Act of 2003  requires all online businesses that collect personal information from California residents to post a privacy policy on their Web site(s) and to comply with their policies.

Yes, you need a policy, even if it is not required by law. Today’s more discerning Internet consumer demands it, experts agree. "Simply having a privacy policy link on your site builds trust and confidence," writes Jeff Finkelstein of Boulder, Colo., in his Customer Paradigm  newsletter. Conversely, consumers may be suspicious of businesses that don’t clearly display their policy.

What should you include in your policy? Essentially, what PII you collect, use, and share in your business. Here are some key elements to disclose:

• Whether you buy or sell e-mail lists or mailing lists
• Any sharing of PII in co-marketing agreements with partners
• Use of cookies
• Information for customers to contact your business to be removed from a list
• If you sell online, how you comply with the Payment Card Industry’s Security Standards

Your policy need not be lengthy — large conglomerates may have privacy policies of 10 pages or longer, but a small business doesn’t need that. Conversely, some small businesses offer vague statements amounting to a single paragraph or two, says TRUSTe’s Hodge.  Shoot for a page or less of clearly written text, and make the link visible on your site. (For more tips on how to write a privacy policy, download this PDF from TRUSTe.)

5.  Have your policy reviewed by an attorney or by a privacy seal program. It’s wise to get an outside opinion on your privacy policy, either from an attorney or privacy expert. Another option is using an online privacy service such as TRUSTe  or BBBOnline.

The advantage of using a service such as TRUSTe or BBBOnline is that if you meet their privacy policy requirements, you are awarded a seal to display on your site — which may boost the confidence and trust of your customers.

"The Web privacy seal is one of [TRUSTe's] most popular products," says Hodge. A privacy seal may be most beneficial to small e-tailers with little or no name recognition outside their hometown or region.

TRUSTe has partnered with buySAFE  to bond purchase transactions and to supply privacy policies to small online retailers with monthly sales of $1 million or less. The buySAFE program runs $240 a year.

6.  If you have employees, make sure their personal information is protected too. It’s easy to overlook employee data, as most privacy policies deal strictly with the interests of customers and clients.  But with today’s increasing use of laptops, mobile devices, and social-networking applications as marketing tools, employee privacy is also in danger.

The nonprofit Privacy Rights Clearinghouse offers this guide to preventing ID theft  through responsible information-handling practices in the workplace.

One disturbing trend: An increasing number of ID theft cases have been traced back to dishonest employees obtaining sensitive information about fellow employees and customers and providing it to identity thieves.  Take note of two best practices in the Privacy Rights Clearinghouse guide: (1) Do background checks on anyone you hire and (2) restrict data access to employees with a legitimate need to know.

(from Monte Enbysk: http://smallbusiness.officelive.com/ResourceCenter/expertadvice/startingabusiness/Get_serious_about_privacy)

Sadly, the technique was first demonstrated in 2001 at @tlantacon, a hacker convention. Microsoft was aware of the vulnerability but there were so many mitigating factors and patching it would have broken backwards compatibility with specific applications, they decided to leave it unpatched. This recently released patch essentially further mitigates the vulnerability without truly "fixing" it. As this article is not meant as a technical dissertation on the vulnerability, if you want more technical information about this vulnerability and the recent patch, I suggest this article.

At Teklogic, we developed scripts to deploy this patch to our client base the day it was released. If you have an unpatched home PC, or know someone that does, you should get on over to Windows Update and ensure your system is up-to-date with the latest patches and Service Packs.

This is just more fodder for all of the Mozilla Firefox zealots. Although the now, very mature, browsing software has not been without its own issues lately – just proving that the only absolutely "secure" system is one that is unplugged and not in use.

When you are ready to donate or dispose of your computer, it is prudent to remove its information by way of  securely wiping your hard disk. I have seen some reports lately of discarded data coming back to haunt people. This is surely one way to fall victim to identity theft or be in violation of privacy laws when customer data is at stake.

Securely wiping your machine is a relatively simple operation. My favorite utility to accomplish this is Darik’s Boot and Nuke. This utility allows you to make a bootable CD or Floppy disk that can be used to boot your computer and subsequently wipe all information from the disk using security standards that range from very secure to KGB-proof. You should expect this wiping process to take some time, especially if this is the old IBM XT 5160 sitting in your closet.

Do yourself a favor and make sure to wipe (or have wiped) your hard drive clean before donating or discarding your old PCs or hard drives.

Nowadays I certainly don’t spend nearly as much time on Spyware-related issues -but when I do, it seems like we have made a trade-off of sorts. What I mean is -sure we see less Spyware, but when we do see it, they seem to be much more sophisticated.  I can honestly say I enjoy the challenge of removing some of the trickier ones because this can truly test the skills of any experienced technician.

Case in point, I thought I’d share a recent experience:

I received a call from a remote office of one of my customers complaining that when they started their computer, all they would get is a blank blue-screen. They would get no icons, no start menu, nothing.  Luckily I was able to remote into this system using the Teklogic management software and I was then able to start Task Manager and attempted to launch ‘Explorer.exe’ which is the "Shell" in Windows that gives you your desktop and Start menu (among other things). I found that Explorer.exe would not start complaining that "Windows Could not find the file". I then proceeded to open a Command Prompt and drill down to where the actual Executable lives (‘C:windowsExplorer.exe") and I noted that it was there and it had the appropriate permissions to launch… I checked that the environment path was correct and that the Shell key (HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonShell) did indeed contain the appropriate text for launching Explorer upon startup. At this point I went ahead and extracted another copy of the Explorer.exe executable from the original installation media, finding that this did not solve the problem either. I was quite perplexed.

After some digging around, I found some references to a "feature" of the NT family of Windows Operating systems that was meant for developers to use when debugging applications. This feature is called "Image File Execution options" and lives at ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options’. If you want to know more about this feature read here. One of the things you can do with this is to essentially tell Windows that every time XYZ process is attempting to launch, to launch ABC process instead. This is a perfect example of how a very useful feature can be turned against us (as the computer users) by ill-intentioned Spyware. The Spyware had used this feature of Windows to configure the machine so that every time the process, Explorer.exe was launched, it instead launched something else altogether. This, I thought, was a very clever way to utilize a relatively unknown feature and turn it against the user. Once I removed the entry for Explorer.exe, we were then able to get to the Windows Shell and proceed removing the Spyware entirely.  A fun one indeed!!