Cyber Security Awareness

Check out some old World War II propaganda posters and you’ll see the phrase “Loose lips sink ships” popping up now and then. Various armed forces have used some equivalent, like the British “Keep mum” posters, Germany’s “Schäm Dich, Schwätzer!” which translates to “Shame on you, blabbermouth!” The essential message is the same: Be careful who you talk to and what you say when dealing with details best kept private.

When there’s a leak, it’s easy to start wondering who’s mad at you. Maybe you passed someone over for a promotion and they’re getting revenge by leaking sensitive information to a competitor. Maybe somebody you lost in a downsizing is having trouble getting work so they’re not afraid to burn their bridges. Or maybe… someone had a little too much to drink and started bragging about your company’s government contract or cutting-edge tech design in order to impress people at the bar.

In the movies, we see corporate espionage experts cracking code and even sneaking into government and corporate buildings in elaborate plans to get some juicy data on a thumb drive. In real life, it may well be that leaks are, more often than not, just embarrassing accidents.

Insurance may be able to help you recover when certain data is leaked, but it’s best if it doesn’t come to that. Cyber security won’t do you much good when your employees fail to appreciate the importance of keeping mum. Here are a few tips to ensuring that your people know how to keep a secret:

• Repetition of the message. Repetition is the difference between confidently sharing a piece of trivia as a “commonly known fact” or qualifying it with “I think I read somewhere that…” A briefing on company security and discretion will help, making sure that confidentiality is a consistent part of your business culture will help more.
• Hire people you can trust. If they have experience with sensitive data, then they already know the drill.
• Establish a Need To Know protocol. If someone isn’t on a sensitive project, they don’t need to know about it.
• Non-disclosure agreements. People who risk breaching their contract if they spill the beans have a little extra incentive to keep a secret.

Most employees don’t want to jeopardize their employer, and most secrets are leaked by accident. Just make sure to impart to your people the importance of keeping sensitive information under wraps.

Copyrights can’t protect everything. Namely, they don’t protect ideas. Copyrights can protect a finished work, a concrete, patented piece of software or an invention. The idea, on the other hand, is pretty much up for grabs. In other words, there’s really nothing to stop, say, a competitor in the mobile games industry from taking a prototype of your next release and paying their staff to clone it. As long as they’re not actively copying and pasting code and graphics from your game into theirs, there’s not much you can do about it.

Copyrights protect literary works, computer programs, dramatic and musical works, recordings, film and video, magazine articles, basically anything that exists in concrete, finished form. Copyrights do not protect names, slogans, phrases, titles, or industrial processes. Patents and trademarks can cover some of the items mentioned, but the gist of it is that copyrights are only there to keep people from taking credit for your finished work. Copyrights won’t stop anyone from stealing your ideas and developing them on their own.

Candy Crush is a famous example of a piece of software that many believe was taken piece-for-piece from an existing app. Candy Swipe predates Candy Crush, plays almost identically, but was produced for less money and released with less marketing. By 2014, Candy Crush had over 60 million likes on Facebook, while Candy Swipe had just over 50,000.

So what can we do when our ideas aren’t protected? Sometimes, the answer is “not much.” In the case of Candy Swipe, it wasn’t really their fault. Their product designs weren’t leaked, the game had already been publicly released, and a larger company seems to have borrowed their design without a second thought. Luckily, there are measures that sometimes work to keep others from taking our ideas:

• Cater to a niche market. A massive corporation has no interest in stealing a piece of software with a market of only a few hundred users.
• Offer what our competitors won’t. Better support, for instance.
• Stay secure. With strong security measures and insurance in place, you at least don’t need to worry about any idea-swipers beating you to launch. This includes letting your staff know not to leak anything before you’re ready to go public. On that note…
• Always budget for marketing. It’s not just about making sales, it’s about staking your claim to an idea in the public consciousness.

Dealing with the occasional plagiarist is part of doing business. You can’t stop anyone from cloning your app, but there are ways to stay a step ahead of companies with no ideas of their own.

When people talk about viruses and malware and worms, they might say something like “Won’t that mess up my computer?” In truth, viruses cannot damage the hardware directly. All a virus is is a piece of code that self-replicates to attack the data on your computer.

There is something of a gray area there, of course. There are instances where viruses can stop your hardware from working properly, but they can only do this by messing  with your data. In other words, anyone who tosses a computer in the trash because viruses brought it to a halt is probably throwing money away.

If your hardware stops working after a nasty infection, you’re probably looking at malware that has attacked your driver software. By deleting or corrupting the software that, say, allows your keyboard to communicate with your motherboard, it may seem as if the virus has just broken your computer, but all you really need to do is eliminate the virus and then download the driver software again.

A virus could, in theory, damage the hardware by causing overheating, but this is hardly a concern with modern computers. Back when you only had about half a GB of storage space, a virus could stop your fans from working, for instance, and if you keep running your computer in that condition, then yes, overheating and eventual hardware damage may take place. This is hardly a concern for computer users in the 2010’s, though. Computers are considerably more durable today.

Any damage that a virus can do to your computer can be reversed with a fresh install. You might lose some data in the process, which is why regular backups and cloud based computing are always a good idea. Generally speaking, hardware damage is not a real concern when it comes to viruses. Viruses seek to mangle your data, not your hard drive.

The general understanding of viruses is that you can pretty much avoid them if you just never download anything that ends in dot exe, unless it comes from a source that you know for certain is legit. What some might not know is that simply browsing an unsafe website can infect your computer with a virus.

You’re probably thinking of those scuzzy websites that offer illegal torrents, adult content and so on. In fact, one of the worst places to go without any security software in place used to be MySpace. Youtube and Facebook have both been afflicted with cross-site scripted viruses and worms, as well  (in other words, there may be more than one reason to restrict your employees from checking their social media accounts at work if you enforce that policy).

The way it works is fairly simple: Cross-site scripting means that if Youtube or MySpace grants a website permission to cross-post content from their own site, then they may also grant them permission to post any content from that site. The website may take advantage of this to spread viruses and worms without even needing to host them on Youtube, simply using an ad placement or a comment thread as a channel through which to spread viruses from their own site.

Why do people do this? In some cases, cross-site scripting may allow them to gain higher access levels to the content on the targeted site, such as user information. On the other hand, some people who write viruses are just vandals and they like the idea of messing up your private data.

Most major websites are fairly vigilant when it comes to seeking out and dealing with cross-site scripts. Making sure that the right software is installed should generally help to keep your hardware from being infected, but if something seems off, don’t write your concerns off simply because you haven’t downloaded anything recently.

The computer virus seems to have spawned into existence in the 1990’s when users started hopping online with AOL. In truth, the history of the computer virus dates back about forty years. The modern virus, which spreads over the internet and across networks, really took off in the 80’s and 90’s, but developers and programmers have been experimenting with viruses in closed environments since the early 1970’s.

The very first virus was the Creeper. The Creeper wasn’t as harmful as today’s viruses, it just displayed a message reading “I’m the creeper, catch me if you can!” The virus was detected on the ARPANET, a sort of proto-Internet. Creeper was written as an experiment by Bob Thomas of BBN Technologies back in 1971. Thomas just wanted to see what would happen with a self-replicating program, infecting the TENEX operating system.

This brings us to the first software security program, the Reaper, designed specifically to kill the Creeper.

Another major forerunner of the modern virus was 1982’s Elk Cloner, the first virus to be released outside of a closed environment. The virus was written in 1981 by Richard Skrenta, attaching to the Apple DOS 3.3 OS via floppy disk. Skrenta wrote this virus while still in high school. It displayed a short poem that began with “Elk Cloner: The program with a personality.”

Neither of these proto-viruses were truly harmful, but they helped to show programmers, white hat and black hat alike, how vulnerable computer systems could be. No doubt, Skrenta and Thomas inspired coders of both viruses and antiviral software.

The modern virus really took off in the 1990’s with America Online and the worldwide web. Here, self-replicating viruses had global access for the first time, and best of all, the average computer user was no longer as computer-savvy as they had been in the 1970’s and 1980’s. It was the perfect breeding ground for viruses.

Today, there are a few hundred specific strains of viruses and malware, with millions of variations. Viruses have come a long way since the Creeper, and so have the counter-measures.

By definition, there’s nothing really wrong with viruses. They’re just self-replicating, that’s all. If the cash in your wallet was self-replicating, you probably wouldn’t complain. Virus researcher Fred Cohen has even put out a $1,000 bounty for the first developer who can come up with a truly helpful virus. So far, he hasn’t paid out, but theoretically, a good computer virus is possible.

“Helpful” worms, however, may prove that even a “good” virus is a bad idea.

Helpful worms like Welchia, Den_Zuko, Cheeze, Mellenium and CodeGreen were designed in the name of helping the user. Welchia’s design was actually kind of clever, finding and eliminating the Blaster worm by seeking out the same vulnerabilities as the Blaster worm, and then, usually, applying a security patch to keep any other worms from working their way in. The Welchia worm was programmed to automatically remove itself at a set date.

Here’s the problem though: The main thing that worms do is slow down your network by feeding a constant stream of data through it. Whatever else they might do, that’s the main thing people hate about worms. A helpful worm slows down the network just as much as a harmful worm will. Additionally, helpful worms are known to reboot the computer without the user’s consent, which can be a major problem if you’re right in the middle of a project that you haven’t saved recently.

Helpful viruses are an interesting idea in theory, but they still self-replicate without the user’s consent, they still eat up RAM and other resources, they still slow the network down. As technology advances we may see a day when helpful viruses are able to actually improve a computer’s performance without any adverse effects. For the time being, however, there is that old saying about where the road paved with good intentions leads to…

Pop quiz time. What’s more secure; financial records locked in a filing cabinet or financial records stored in the cloud?

If you don’t understand how cloud security works, you probably said the filing cabinet. It’s time for a little mythbusting about how secure your paperless office could be.

Last week, Cindy Bates posted on the Microsoft SMB Blog about the benefits of a completely paperless office. Like Delta Airlines, who recently switched to the paperless cockpit, it’s possible for any office or organization to ditch the dead trees and move entirely into the digital space.

One of the first questions decision makers ask when considering the paperless office is “how secure is this?” It’s a fair question, so let’s consider Delta’s paperless cockpit example and overall data security.

The problem with paper is that, well, it’s paper. Paper gets lost, it burns, it can be misfiled and disappear. It’s only as secure as its physical location. If that location is a locked filing cabinet (or a vault under Fort Knox), if someone really wanted to get to it, they could.

A file in the cloud cannot burn, be stolen, accidentally left behind in a restroom, or any other number of things that could affect a hard copy of important information. For a recent example, take a look at the Internet Archive, whose scanning facility in San Francisco recently caught fire. Although no data was stored in their San Francisco office, if it had been, cloud redundancies would have prevented any loss.

But what about a data center, such as what powers Windows Azure or Office 365? Let’s start with physical security: data centers are monitored 24 hours a day, 365 days a year. A team of ninjas could, in theory, break in, but they’d still have to know which of the thousand machines contained your exact data—so unless you’ve upset the cast of Ocean’s 11, it’s significantly less likely than an office fire that could destroy physical data.

In addition, with Office 365, data transmitted across networks is encrypted—so if some agency (or other villain) happens to tap the wires, they still won’t be able to read your files.

While a move to a paperless office does not entirely guarantee data security—there are still those ninjas to think about—it is significantly more secure than leaving your information in paper form, where it could be destroyed or stolen with greater ease.

It’s just one more reason to go paperless.