Security risks increase when your business moves outside of the safety net of your main workplace. Mobile executives carry sensitive data around with them, and often times open it up to vulnerabilities just for the sake of convenience.

It all seems perfectly innocent. Connecting to wireless Internet in your hotel room, or syncing up to free wi-fi in a restaurant just to get a little work done. Convenient? Yes. Necessary? Sometimes. Is working remotely a down trending habit? Absolutely not. And so, we must learn (and educate our workforce) about how to work remotely more safely.

Protecting your mobile workforce is essential to protecting your business. And it can be accomplished (or at least done more successfully) by following a few simple tips to help keep your business safe from hackers, no matter where you go:

Stay Off the Free, Open Wireless

More and more public places are providing free, or shared wireless Internet. These open networks are dangerous. They’re risky for personal communications, but they are absolutely not suitable for conducting business without protection.

When jumping on public shared wireless connections, it’s essential to do so using a secure VPN connection with the latest encryption methods. This will funnel all your online activities (email, surfing, chat, etc) through this secure connection so prying eyes can’t see what you’re doing. Several companies offer this service but we’ve heard good things about Anonymizer.

As an alternative, Verizon, Sprint, AT&T, and others have mobile broadband services available for a reasonable monthly subscription. Spring for the mobile Internet access card. It’s a small expense for what you get in exchange – the ability to conduct business more securely outside the office.

Bonus Tip – turn off your wireless connection at all times when not in use so you are 100 percent sure about when you are connected to the Internet. If you’ve previously connected to default network names (like Linksys) then anytime that network name reappears at another location, you will be automatically connected to the network opening you up for risks.

Let Hardware Do the Hard Part

We’re joined at the hip to our laptops, mobile devices, iPads, and other mobile gadgets. These crafty handheld devices help us work more effectively, and their processing capabilities and compatibilities increase every day. There’s no turning back from the convenience they provide, and believe me, we wouldn’t want to because the benefits in most cases far outweigh the risk.

Next time you’re packing for a trip, or just to work remotely for the day, think twice about your hardware requirements.

• Use a “travel only” laptop. A stripped down version of your of your regular workhorse but with limited history and minimal applications installed. Of course, passwords and all the “conveniences” of your regular machine won’t be readily available, but do you really need it all when you’re on the road? For some trips, perhaps, but always weigh the risks against the convenience.
• Use Web access rather than physical software for email when possible. Obviously, this is more convenient if you subscribe to the “travel only” laptop model. Either way, take pause to consider all the confidential information that may be stored on your physical machine’s email software if it fell into the wrong hands.
• Clear browser history every time you close Safari, FireFox, Chrome, etc. If anything, this will make it more difficult for cyber thieves to retrace your steps.
• Don’t store documents, presentations, spreadsheets, PDFs, etc, locally. Always connect to your designated location on an approved network and put your information there. The goal is to make your physical hardware as useless as possible. This way, if your laptop goes missing, none of the important information goes with it.
• Don’t store or “remember” passwords, type them in every time unless you want to give unlimited free passes to cyber criminals.
• Don’t leave home without “lojack-like” software, such as Computrace, that can wipe the contents of your mobile device. This provides an extra layer of protection in case your phone or laptop falls into the wrong hands.
• Anti-virus software can be installed on most laptops. There are several reputable virtual security companies that provide reliable service, but in a pinch you can download a free version that is better than nothing, as they say.

Pull the Fire Alarm

Two-factor authentication (aka 2FA or “the fire alarm”) provides an additional layer of protection and awareness for user systems. It’s incredibly simple, affordable, and effective, so there’s no excuse to not have this service for your users 100 percent of the time, but it can easily be enabled for users on the road.

It works like this: When (stolen or legitimate) credentials are successfully entered into a login prompt, the “fire alarm” software places a phone call to the authorized user to 1) alert the authorized user that a designated system is being accessed and to 2) retrieve a secret pin and complete the authentication. With this service enabled, attempted security breaches can be identified quickly, snuffing our suspicious activity before a full-blown crisis ensues.

Watch Your Back, Jack

Your coffee cup is empty, so you grab your wallet and ask the nice person next to you to “watch” your laptop while you go refuel. For an experienced cyber criminal, it takes just second to grab some data off of your computer, phone, or tablet. And lesser skilled (however not necessarily less malicious) hackers could just grab your goods and run. Thieves are everywhere and they park themselves in places where people work for this very purpose.

The coffee shop isn’t the only crime scene. Airports, car rental shuttle, hotels, and the back seat of your car are equally susceptible to theft. Check your bags at every turn. Make sure you’ve got the correct luggage and account for all your personal and professional belongings. Report any stolen items to the police and your IT staff at once.

Be Responsible. Your Business Depends on It.

Anytime you’re doing business on the road without security in place, you’re open for business, but for the wrong customers. You wouldn’t take your customers’ money and let it hang out of your pockets for anyone to grab would you? By leaving data access points open to hackers, you’re essentially doing just that.

Be conscious of how easy it is for hackers to take your company’s valuable information. Take the time to ensure that your company, and your customers’ data, is always protected and accountable, no matter where you are in the world.

A version of this article appeared in eCommerce Times on June 22, 2010.

Attacks against popular web applications such as these constitute more than 60% of all attacks on the internet, and some of the exploits don’t even require a user to open the downloaded document or file. Victims’ computers may be compromised by simply visiting an infected website masked with the perception of being a trustworthy, big, software brand.

Client-side vulnerabilities are so powerful because they give hackers a mask behind which to carry out exploits. Users feel confident downloading files from trusted sources or using tools and applications such as Microsoft SQL, FTP, and SSH that are perceived to be safe because of popularity and industry-wide user-acceptance.

Did you know that:

• websites are most often compromised by SQL injection, Cross-site Scripting (XSS), and PHP File Include attacks.
• web servers are primarily exploited and compromised  by brute force password guessing attacks and web application attacks.

It’s scary, but true; there are a number of automated tools designed to make it easier for even novice hackers and script kiddies to carry out such attacks. Once deployed, these attack methods give cyber criminals the ability to quickly discover and infect thousands of  websites or computers at once in such a way that will propagate infections across other computers and servers around the globe.

Most importantly however, client-side vulnerabilities provide an open doorway through which many hackers can achieve their ultimate goal – stealing sensitive data for financial gain.

Security experts believe social networks like Twitter and Facebook are targeted because of the sheer number of users. Defacement is the most common motivation for ego-driven hackers, and these high traffic, high involvement communities are a great way to disrupt many victims at once.

A study by Webroot sheds light on a few other reasons why social networks make a ripe targets for hackers.

• 36% of social networkers admit they don’t hide personal information
• 33% admit to using the same password for all of their online accounts
• 28% accept “friend requests” from strangers

With such a high percent of social networking users being unaware of the dangers, “hackers lure users into taking actions they shouldn’t by making it appear as if a friend within their social netowrk has sent them a message – only the message is from a hacker who has hijacked the friend’s account,” warns Mike Kronenberg CTO of Webroot’s Consumer Business division.

The technique described by Mr. Kronenberg is known as phishing, and it’s one of the most preventable ways hackers obtain access to confidential information. SQL injections, Cross-site Scripting (XSS), and Cross-site Forgery Requests (CSFR) are more covert, technical methods that hackers use to get the infomation they need.

“As a web service or SaaS provider, you can help protect your users from these attacks by hosting your applications in a secure environment. Users need to be savvy, and when they can’t stay up to speed on all the risks, community users should be weary and overly cautious at all times,” suggests Chris Drake, CEO of FireHost.

In reality, the latest sum TJX has to pay is small potatoes compared to the capital outlay the retailer has made since 2007 to mitigate the security breach that exposed 45 million credit and debit card numbers. When the leak was discovered, TJX set aside $107MM to deal with the fallout and the expenditures to date are in that range. In two of the largest settlements, they’ve paid $24MM to MasterCard and $41MM to Visa banks. In addition, TJX has been ordered to undergo costly external audits every other year for 20 years by the FTC.

Is it 100% possible for companies to avoid costly and negative public facing situations such as this?

Maybe not, but there is quite a lot you can learn from past system compromises to help prevent making the same mistakes. In fact, PCWorld Canada has compiled a “top ten” list of vulnerabilities companies maintaining a serious presence online should know about.

1. Operating System Flaws
2. SQL Injections
3. Drive-by Downloads
4. Compromised Password(s)
5. Social Engineering
6. Malicious Email
7. Physical Access
8. Compromised Network
9. Wireless Hacking
10. Weak Access Points

These vulnerabilities require more than software patches and basic anti-virus software to keep your network and data safe from hackers, and most companies don’t have all the resources available necessary to provide complete protection.

“Instead of relying on costly, in-house expertise, many firms are looking outward to goal-focused security consultants to help identify openings hackers could easily exploit,” said Chris Drake, FireHost CEO. “We recommend that every client undergo a security audit just to ensure everything within your power is being done to help prevent confidential internal and consumer data from leaking into the wrong hands.”

An article on FoxNews.com revealed the most recent committee member to be Jeff Moss, aka Dark Tangent. Mr. Moss is widely recognized as founder of the DefCon and Black Hat hackers’ conferences. He has worked in information security for accounting giant Ernst & Young and presently works as an independent cybersecurity consultant for a variety of corporations.

Mr. Moss looks forward to bringing  “a skeptical outsider’s view” to the HSAC, but admits he was surprised by President Obama’s invitation to join the council stating, “I always figured that because of my associations in the past that I would be kind of out of the running for anything like this.”

The US’ strategy of inviting hackers to join governmental agencies is not unique. Britain is taking a precautionary stance on cyber warfare as well by hiring former computer hackers to join a newly formed security unit aimed at protecting cyberspace from foreign spies, thieves, and terrorists.

The cyber security prevention unit will be based at Britain’s Government Communications HQ (GCHQ) in Cheltenham, western England. Britain’s Security Minister, Lord Admiral Alan West said British government systems have probably come under cyber attack, but that he did not know of any specific cases where sensitive data had been lost.

Private organizations, individuals, and corporations should take a proactive stance on cyber crime and identity theft as well.

Chris Drake, FireHost’s Chief Executive Officer recommends every individual and professional organization maintaining a presence online to align themselves with experts in web site security. Speaking from experience he states, “You can prevent negative press, unnecessary expense, downtime and a ton of headache by identifying and resolving website security risks before problems strike.”

Read more about how FireHost can help identify vulnerabilities in your web site by visiting our Website Security Consulting services page.

$ whois mitnicksecurity.com

MITNICKSECURITY.COM.HACKED.BY.NERD.FROM.WEB-HACK.COM
MITNICKSECURITY.COM

In a phone conversation today, Mitnick disclosed to FireHost’s Chief Security Officer that he was using secure hosting practices on his site, but the hackers got to his website through his hosting company’s DNS provider. They compromised the control panel for his domain names and redirected his site to a defaced version.

FireHost’s CSO responded to the event, “DNS security has been a hot button since last summer’s poisoning attack discovered by Dan Kaminsky. Mitnick’s attack was much more straight forward, and this is an example of why we don’t rely on third party providers to secure our customers. By maintaining the infrastructure in-house, we can help ensure the integrity and security of our customers’ web sites.”

We reached out to Lance James, CTO of Secure Science and author of Phishing Exposed for a comment on how he recommends protecting website from a similar attack. Lance says part of the answer is partnering with a secure web host that can provide protection from DNS vulnerabilities.

“Control Panel software has a history of successful attacks, and it is not surprising that a high-profile site such as mitnicksecurity.com is susceptible to vulnerabilities. His site is a natural target, and unfortunately, it can be extremely embarrassing when an expert in security chooses a hosting provider with such vulnerabilities,” Lance James.

According to a survey by Robert Half Technology, seven out of ten CIOs interviewed reported their companies would be investing in new information technology initiatives over the next year. 43% of the respondents overall reported information security as a top priority, and in the financial services and transportation sectors, information security was cited most often as the top priority.

“Although times are lean, many companies are finding that they can’t afford to postpone IT investments that lead to increased security, efficiencies or revenues,” stated Dave Willmer, Executive Director of Robert Half Technology. “Organizations also are trying to make sure they are prepared for growth when conditions improve, and enhancing their IT infrastructure is part of that process.”

Over the past year, there has been a significant rise in the number of malicious attacks on company websites. Symantec identified a 165% in malicious code signatures and cited that the explosive growth can be attributed to the professionalism of malicious code development, supporting the demand for goods and services that facilitate online fraud.

Vulnerable targets are numerous, however increased threat awareness and security investments can help stem the tide. The two biggest threats to website security are open source vulnerabilities and injection attacks, which often allow the disruption and infiltration of web servers. The results can be devastating for companies and their customers, ranging from the theft of confidential information to the insertion of malware.

Properly securing your company’s website and online databases can reduce the risk of a hacking attempt. FireHost uses enterprise, web application firewalls, traffic monitoring, threat detection, automated attack mitigation, and constant monitoring by human personnel to help prevent the serious application-level attacks that negatively impact hundreds of companies and millions of customers every year.

Click here to learn more about our advanced secure web hosting techniques.

USA Today reports:

FireHost is in business to address website security needs of the “smaller guys” Mr. Neray mentions above. It’s imperative your company respond to the threat of cybercriminals swiftly and effectively because SQL attacks strike governments and credit card companies every day. FireHost can help your company avoid the negative spotlight.

SQL attacks are preventable when your website, email, databases, and other applications are hosted with a security-focused web hosting provider. We’ve taken industry-leading measures to make enterprise-level security attainable for every business because we know that the last thing you need to do with your time is mitigate a high-profile website attack on customer information.

Most hosting providers don’t invest the resources required to maintain a prevention-focused, secure hosting environment. If your company does business online however, you owe it to your customers and employees to make sure their most important information is protected.

Here’s just a sample of what puts FireHost secure web hosting in a class of its own:

Network Layer Security
FireHost runs dual Sonicwall internet security devices, providing firewall redundancy for every client. This layer safegaurds websites, emails, and databases from unauthorized intrusions, like SQL attacks.

Application Protection
We also run a web application firewall to close the holes within your website’s applications, the entry-point for SQL attacks.

Vulnerability Monitoring
FireHost partners with McAfee to provide you with web-based website vulnerability auditing and remediation mangement, completing scans every fifteen minutes.

Register here to have a FireHost Security Agent perform a vulnerability report for your website. We will contact you shortly with the eye-opening results.