Introduction

Protecting Data

What is it?

You owe it to yourself and your customers to make sure that at least the basics of security are in place. This applies whether you just have a single PC or a networked installation. We will deal with logical security (user names, passwords, privileges), backups, physical security (locks on doors) etc in order to get a basic set in place that will satisfy your insurers. The objective here is that you never lose data when it was avoidable.

Logical Security - User names, Passwords, Logging in/out and Privileges

The choice of meaningful user names is crucial to a business. Picking general user names is often tempting which is why hackers quite frequently try the regular "accounts", "master", "backup" etc when trying to gain access to a system. Also if you are looking back through logs having user names that relate to people does help you work out who might have done what when you are trying to work out what happened or went wrong. All this means give user names to people rather than functions and make sure the people use their own users rather anyone else's. If you want to vary the user name to still be meaningful but be that bit harder to guess then add a prefix or suffix to the user name. For instance Carole Smith might become Carole_Smith_823.

We all know how easy it is to have simple passwords because we remember them better. The truth is though that again hackers target simple or well known passwords. It is essential that users give themselves passwords that are only known to them and not their date of birth or the name of their favourite football team etc. Follow the simple rules below to improve considerably your security position:

• Passwords should be at least 8 characters long, include at least one uppercase character and should contain at least two digits. These are much harder for a hacker to crack.
• The system should enforce this minimum password length where possible.
• Do not use well known phrases or names - e.g. Arsenal, Chelsea
• The system should, if capable (and XP, Vista, NT, Linux etc are all able), require passwords be changed periodically. Yes its a nuisance but it does increase levels of security. Old passwords should NOT be reused.
• Passwords must NOT be shared around the office
• The form used to login should not show that last logged in user - ie. the user name field should be blanked.

It is important that users login and logout from their PCs each time they leave them. This can be a bind but it is important no one comes along and uses their session to do some dirty work with your data. Screen savers can be set up to enforce password entry - this means setting a short screen saver lead-in time. With out good login/out discipline then you will no hope of tracking back through any audit records you may have set up to see precisely who did what transactions. This is a security weakness.

In respect of privileges it is paramount that you do not share the administrator or root password outside of the system admin function/team. With that password you can do anything to the PC. It is not an uncommon "hack" to see the administrator password used by an intruder (after guessing it) and a new user with administrator privileges setup so the hacker can return later and do his/her damage. So make sure the administrator password is not guessable and do not share it. The main points about privileges are as follows:

• Do not give out privileges to user accounts unless they are needed. e.g. Do not create other administrator or power type users unless it is essential.
• Turn on and monitor any facility you have to view security audits records associated with privilege use.
• Turn on and monitor any facility you have to track security policy changes.
• Turn on and monitor any facility you have to track login activity so you can see who came and went and when they did so.
• Make sure the rules above are followed for the administrator password in respect of password length, changing etc
• Add a password to the PC's BIOS so that no one can change your settings on an unauthorised basis.

Physical Security - The Basics

Physical security is making sure the actual PC or network is physically protected. This means the environment the equipment is in, how its is secured etc. We will start with a list of "do" this and follow on with a "do not" list

• Make sure your premises are secure. Door locks and window locks are essential.
• Have your premises alarmed.
• If you have a server room then add a key lock and a key press code device to that room's door to gain entry.
• Avoid putting equipment in the view of the public passing by - its a temptation to thieves.
• Make sure you have properly cabled your equipment so that mains power won't be interrupted or data cables damaged by say someone tripping over a cable.
• Lock and remove the keys to PC cabinets
• Add an alarm to each PC case so that if it gets moved the alarm will trigger.
• Configure the alarm in the PC's BIOS to trigger if the case is opened.
• Place the case in a safe place so it does not get kicked or damaged.

Backups

To avoid everything ending in tears when a disc fails it is wise to make sure you have copies of your software and data on a backup medium. There are several options here which become many more options when you have networked system and remote sites where servers reside. We cannot hope to cover all of these here so we do the basics.

Irrespective of the type of system you are using you need to make sure you backup copies of your software. Your licence to use software will set out what you can do but usually you can copy an original for backup purposes. This copy ensures you have something to use if the original is lost or damaged. Please be sure to comply with your licence agreement when doing this though!

For a single PC you should make a copy of your important data and place it on a tape device each day. If you have no such device then use a CD/DVD -RW each day. Reuse the media after say 3 days (blank the CD-RW each time of course) so you get a cycle of three generations of data always saved away. Make sure you secure this copy away from your normal site. A fire that destroys your PC will destroy the copies also - which makes all your disciplined security activity a waste of time!

If you have a network system with a server you might make a copy onto the server and then copy it to tape/CD/DVD from there. This might make the recovery of data faster if and when its needed. For systems that utilise the server's disc system such that the PC has no data then you may well find you have a database management system that has backup utilities. Follow the database suppliers recommendations on how to backup. Whatever you do though make sure you have off-site copies of your data.

Wherever you choose to use tape or disc it is imperative that you make sure the backup succeeded. Checking that the media and files thereon are readable after you have written them is crucial. From experience - picking up the backup tape thinking it will save you only to find it is corrupt is a heart dropping experience! So if were say using Microsoft backup utilities (in Accessories/System Tools) then make sure you verify the medium before you take it off site. There is a check box in the backup wizard to help you do this.

Resilience Options

Redundant Array of Inexpensive Discs - RAID

Increasingly resilience options to cover for disc failures are becoming available for PCs. The use of RAID (Redundant Array of Inexpensive Discs) makes it possible for a PC to withstand a disc failure as, for example, an allocated RAID disc takes over from the failed disc unnoticed by the user. In a mirrored configuration (RAID has many configurations to meet different needs) the mirrored disc is an exact copy of the main disc you were using. Using the mirroring option the PC notes the failure, normally sounds an alarm to advise of the failure event but carries on using the mirror copy as if nothing untoward had happened. The equipment must have the capability to support RAID of course but if it can then this adds a useful opportunity to protect data availability. RAID has traditionally been a server based technology and may well remain so largely. Having said that it is of course possible to have this functionality in a standalone PC and for smaller businesses this may be an option. The net effect of RAID is that systems continue to operate after a fault which means unanticipated down time is avoided. The only time you can access the data on the mirrored drive(s) (or whatever other RAID configuration you have chosen) is when a failure occurs. Its also true that if you write rubbish to your disc then the same rubbish also gets written to the mirrored disc(s). RAID is not a reason to stop taking security copies and moving them off-site by the way!

Data Replication

For networked systems that have servers and a database it can be an option to have data transactions replicated to another server. This may even be on a different site - say at a second branch office of your business. This allows two systems to have up to date or very nearly up to date data. The term "nearly up to date" means of course that when the data is put on your main server it then either sends it to your replication server or logs it and waits for a read of it from you replication server. (Those two approaches compete with each other at this time and vary from database product to product. The first approach is used where the servers are synchronised the second approach is used where the servers are in asynchronous mode) Should it fail to do this transfer to the second server because it has, for example, malfunctioned you may be that transaction or so out of date. This approach through the use of replication is a regular means of achieving higher levels of data availability for many large organisations and is now available to smaller organisations.

If you need help in improving any aspect of your security then do please click the contact link and let us help you with your needs.