
Safeguard your data, outsmart the criminals

By Eudora Kelley
25 May 2016   |   12:32 am

Millions of Nigerian consumers and businesses are exposed to fraudsters and data hackers. Victims of a data breach are likely to be hit by identity fraud. When you think about it, the most valuable thing on your computer or network is the data you create. After all, that data is the reason for having the computer and network in the first place—and the bits and bytes that make up that data are your first priority when putting protective strategies in place. Operating systems and applications can always be reinstalled, but user-created data is unique and, if lost, may be irreplaceable.

Some data is also confidential; not only do you not want to lose it, you don’t want others to even access it without authorisation. Exposure of your debit cards, credit cards, and bank account information can subject you to identity theft. Company documents may contain trade secrets, personal information about employees or clients, or the organisation’s financial records.

Let’s look at some ways to protect your all-important user data from loss and/or unauthorised access. While identity theft can happen to anyone, there are some things you can do to protect yourself.

Back up early and often

The single most important step in protecting your data from loss is to back it up regularly. How often should you back up? That depends—how much data can you afford to lose if your system crashes completely? A week’s work? A day’s work? An hour’s work?

You can use the backup utility built into Windows (ntbackup.exe) to perform basic backups. Wizard Mode simplifies the process of creating and restoring backups, or you can configure the backup settings manually. You can also schedule backup jobs to run automatically.

There are also numerous third-party backup programmes that can offer more sophisticated options. Whatever programme you use, it’s important to store a copy of your backup offsite in case of fire, floods, or other natural disasters that can destroy your backup tapes or discs along with the original data.

Use file-level and share-level security
To keep others out of your data, the first step is to set permissions on the data files and folders. If you have data in network shares, you can set share permissions to control what user accounts can and cannot access the files across the network. With Windows 2000/XP, this is done by clicking the permissions button on the sharing tab of the file’s or folder’s properties sheet.

However, these share-level permissions won’t apply to someone who is using the local computer on which the data is stored. If you share the computer with someone else, you’ll have to use file-level permissions (also called NTFS permissions, because they’re available only for files/folders stored on NTFS-formatted partitions). File-level permissions are set using the Security tab on the properties sheet and are much more granular than share-level permissions.

In both cases, you can set permissions for either user accounts or groups, and you can allow or deny various levels of access from read-only to full control.

Password-protect documents
Many productivity applications, such as Microsoft Office applications and Adobe Acrobat, will allow you to set passwords on individual documents. To open the document, you must enter the password. To password-protect a document in Microsoft Word 2010, go to Tools | Options and click the security tab. You can require a password to open the file and/or to make changes to it. You can also set the type of encryption to be used.

Unfortunately, Microsoft’s password protection is relatively easy to crack. There are programmes on the market designed to recover Office passwords, such as Elcomsoft’s Advanced Office Password Recovery (AOPR). This type of password protection, like a standard (non-deadbolt) lock on a door, will deter casual would-be intruders but can be fairly easily circumvented by a determined intruder with the right tools. You can also use zipping software such as WinZip or PKZip to compress and encrypt documents.

Use EFS encryption
Windows 2000, XP Pro, and Server 2003 support the Encrypting File System (EFS). You can use this built-in certificate-based encryption method to protect individual files and folders stored on NTFS-formatted partitions. Encrypting a file or folder is as easy as selecting a check box; just click the Advanced button on the General tab of its properties sheet. Note that you can’t use EFS encryption and NTFS compression at the same time.

EFS uses a combination of asymmetric and symmetric encryption, for both security and performance.
To encrypt files with EFS, a user must have an EFS certificate, which can be issued by a Windows certification authority or self-signed if there is no CA on the network. EFS files can be opened by the user whose account encrypted them or by a designated recovery agent. With Windows XP/2003, but not Windows 2000, you can also designate other user accounts that are authorized to access your EFS-encrypted files.

Note that EFS is for protecting data on the disk. If you send an EFS file across the network and someone uses a sniffer to capture the data packets, they’ll be able to read the data in the files.

Use disk encryption
There are many third-party products available that will allow you to encrypt an entire disk. Whole disk encryption locks down the entire contents of a disk drive/partition and is transparent to the user. Data is automatically encrypted when it’s written to the hard disk and automatically decrypted before being loaded into memory. Some of these programs can create invisible containers inside a partition that act like a hidden disk within a disk. Other users see only the data in the “outer” disk.

Disk encryption products can be used to encrypt removable USB drives, flash drives, etc. Some allow creation of a master password along with secondary passwords with lower rights you can give to other users. Examples include PGP Whole Disk Encryption and DriveCrypt, among many others.

Make use of a public key infrastructure
A public key infrastructure (PKI) is a system for managing public/private key pairs and digital certificates. Because keys and certificates are issued by a trusted third party (a certification authority, either an internal one installed on a certificate server on your network or a public one, such as Verisign), certificate-based security is stronger.

You can protect data you want to share with someone else by encrypting it with the public key of its intended recipient, which is available to anyone. The only person who will be able to decrypt it is the holder of the private key that corresponds to that public key.

Hide data with steganography
You can use a steganography programme to hide data inside other data. For example, you could hide a text message within a .JPG graphics file or an MP3 music file, or even inside another text file (although the latter is difficult because text files don’t contain much redundant data that can be replaced with the hidden message). Steganography does not encrypt the message, so it’s often used in conjunction with encryption software. The data is encrypted first and then hidden inside another file with the steganography software.

Some steganographic techniques require the exchange of a secret key and others use public/private key cryptography. A popular example of steganography software is StegoMagic, a freeware download that will encrypt messages and hide them in .TXT, .WAV, or .BMP files.

Protect data in transit with IP security
Your data can be captured while it’s traveling over the network by a hacker with sniffer software (also called network monitoring or protocol analysis software). To protect your data when it’s in transit, you can use Internet Protocol Security (IPSec)—but both the sending and receiving systems have to support it. Windows 2000 and later Microsoft operating systems have built-in support for IPSec. Applications don’t have to be aware of IPSec because it operates at a lower level of the networking model.

Encapsulating Security Payload (ESP) is the protocol IPSec uses to encrypt data for confidentiality. It can operate in tunnel mode, for gateway-to-gateway protection, or in transport mode, for end-to-end protection. To use IPSec in Windows, you have to create an IPSec policy and choose the authentication method and IP filters it will use. IPSec settings are configured through the properties sheet for the TCP/IP protocol, on the Options tab of Advanced TCP/IP Settings.

Secure wireless transmissions
Data that you send over a wireless network is even more subject to interception than that sent over an Ethernet network. Hackers don’t need physical access to the network or its devices; anyone with a wireless-enabled portable computer and a high gain antenna can capture data and/or get into the network and access data stored there if the wireless access point isn’t configured securely.

You should send or store data only on wireless networks that use encryption, preferably Wi-Fi Protected Access (WPA), which is stronger than Wired Equivalent Privacy (WEP).

Use rights management to retain control
If you need to send data to others but are worried about protecting it once it leaves your own system, you can use Windows Rights Management Services (RMS) to control what the recipients are able to do with it. For instance, you can set rights so that the recipient can read the Word document you sent but can’t change, copy, or save it. You can prevent recipients from forwarding e-mail messages you send them and you can even set documents or messages to expire on a certain date/time so that the recipient can no longer access them after that time.
To use RMS, you need a Windows Server 2003 server configured as an RMS server. Users need client software or an Internet Explorer add-in to access the RMS-protected documents. Users who are assigned rights also need to download a certificate from the RMS server.

Back it up or else

The surest way to guarantee that your company information is at your fingertips is to back up on a regular basis with an automated backup system. According to Davis, there are external/offsite backups and internal/onsite systems, and each type has its pros and cons.
Also known as cloud backups, offsite backups eliminate the need for a server to hold data. “Such systems store your data out on the cloud, which is the Internet, and the information is securely replicated and backed up constantly,” says Davis, who advises that while offsite cloud backups have their advantages, it’s important to keep in mind their limitations. If your system fails and you have a lot of data, you must wait for the cloud provider to overnight you a disc with your information. It can also be costly to have someone put the data back on your system.

When you’re switching over to a cloud backup system, it’s also important to realize that sending the information up to the cloud can take weeks when there is a lot of information to replicate, so you’ll need another form of backup in the meantime.

Onsite backups through a network-attached storage feature copy your information onto a hard drive. In some instances tape drives are also used—the combination of which provides ready access to a backup at all times.

Take advantage of virtual servers
Within the last couple of years, virtualization has become much more affordable to the small-business owner. This technology involves essentially running two computers simultaneously, which ensures no downtime if you have a hardware failure on one of the systems, because you have an exact replica of your server.

Maintain firewalls
Intrusion prevention provided by firewalls blocks your data from the outside world, preventing intruders from accessing your information. According to Davis, when it comes to firewalls it’s best to have an appliance that protects your data, rather than software.

“Hardware firewalls sit between the Internet and your data, capturing intruders before they even enter your network,” he says. “When you use a software firewall, the harmful data is allowed to enter your system and uses up Internet space while the software attempts to block it and push it back out.”

Employ content filters
Content filtering protects you and your employees from entering websites that are potentially harmful to your computer system. Filtering also enables you to promote a more productive work environment by limiting what websites your employees are able to view.

Use anti-virus and spam filters
Anti-virus software continually scans your computer, ensuring that no viruses compromise your computer or e-mail. When a virus is detected, the software quarantines the harmful data and deletes it. The best e-mail virus software scans incoming and outbound mail, which ensures that you don’t inadvertently pass on any viruses to your e-mail recipients.

While everyone gets spam e-mail, programs exist that substantially reduce the amount of spam you receive, which protects the integrity of your computer and ensures that your system stays clean and runs fast.

Rely on UPS power support
Essentially a giant backup battery, a UPS (uninterruptible power supply) protects your computer from harmful power outages, spikes and drops. Such an appliance is particularly important in this day and age, as electricity has become “dirtier,” which means that it fluctuates in strength, says Davis, who notes that electrical variations can be particularly harmful to computers.

“A UPS is essentially a giant surge protector with a battery behind it that cleans the power,” he says. “In the case of a sudden power outage, the UPS acts as a buffer. If the power remains off, the device allows the computer to power down safely rather than turn off abruptly, which avoids corruption of the computer’s operating system and loss of critical company data.”

Data protection
Norada follows a mission-critical data backup and management process. All data is written to multiple disks instantly and backed up to our archiving system at least once each day. To address the possibility of a catastrophic event, backup archives are also copied to a second geographic location. Files that you upload are stored securely on Amazon’s S3 service. S3 uses decentralized storage techniques to improve upload/download response time. All files stored on S3 are also backed up to our internal systems regularly, ensuring we are able to safeguard your data.

At any time you can quickly export a copy of all the information you’ve saved. The export is provided in a standard format that can be imported into most spreadsheet or database applications. All data backups are encrypted and are not readable without access to the secured authorisation keys.

All web content that is shown inside your account, such as email messages and content received from online forms, is automatically cleaned of any malware code. This is similar to virus scanning for web content.

Authentication
The system encodes the Solve password using one-way encryption (64 byte hash function) which cannot be decoded.
Sequential failed login attempts are tar-pitted and reported to systems engineers.

The session key your browser uses to communicate with the service cannot be read by JavaScript. This prevents a hacker from reading the key stored temporarily in your browser memory and accessing your account from another location. Two-factor authentication is available by logging in through Google Apps SSO and not setting a Solve-specific password.
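
The three controls described in this section (one-way password hashing with a 64-byte output, tar-pitting of sequential failed logins with a report to engineers, and a session key that JavaScript cannot read), sketched as an added example that is not Norada's code. PBKDF2-HMAC-SHA512, the iteration count, the delay schedule, the alert threshold and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from http.cookies import SimpleCookie

ITERATIONS = 210_000                 # assumed work factor, not a value from the article
BASE_DELAY, MAX_DELAY = 1.0, 60.0    # assumed tar-pit bounds, in seconds
ALERT_AFTER = 5                      # assumed failure count that triggers a report

def hash_password(password, salt=None):
    """Return (salt, digest). PBKDF2-HMAC-SHA512 is one-way and yields 64 bytes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Re-derive the digest and compare in constant time; nothing is decoded."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

class TarPit:
    """Counts sequential failures per account and returns the delay to impose."""
    def __init__(self):
        self.failures = {}
        self.alerts = []             # stands in for the report to systems engineers

    def record(self, account, success):
        if success:                  # a good login resets the sequence
            self.failures.pop(account, None)
            return 0.0
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count == ALERT_AFTER:
            self.alerts.append(f"{account}: {count} sequential failed logins")
        # The delay doubles with each failure and is capped at MAX_DELAY.
        return min(BASE_DELAY * 2 ** min(count - 1, 10), MAX_DELAY)

def session_cookie(token):
    """Build a Set-Cookie value; HttpOnly keeps it out of document.cookie."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True       # only sent over TLS
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

def login(pit, account, password, salt, stored):
    """Return (ok, delay_seconds, cookie); the caller waits delay_seconds before replying."""
    ok = verify_password(password, salt, stored)
    delay = pit.record(account, ok)
    return ok, delay, session_cookie(os.urandom(32).hex()) if ok else None

if __name__ == "__main__":
    salt, stored = hash_password("constructed-sample-password")
    pit = TarPit()
    for attempt in ["guess1", "guess2", "constructed-sample-password"]:
        print(login(pit, "alice", attempt, salt, stored))
```
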

Data transmission
All data transmitted between your computer (or mobile device) and the application servers are encrypted using 256 bit Secure Socket Layer (SSL) technology. This prevents anyone from reading the information as it is transmitted over the networks. This is the same method online banks use to keep your information secure.

Internal process
Norada adheres to a comprehensive privacy policy and a very limited number of Norada employees are able to access your information. These employees are specifically trained and experienced with regard to the practices and importance of maintaining your privacy and are only authorised to access your account information on an as needed basis to complete tasks related to the maintenance and operation of our service, or at your request.

Service isolation
The Solve service is physically separate from ancillary services such as website, forums, etc. to decrease the probability that any issue in these areas would affect our core service.

Network and computer room environment
Our primary production servers are owned by Norada and operated by authorised Norada staff. This equipment is located in our Global Internet Data Center (GIDC) in Atlanta, Georgia. This location is connected directly to the Internet backbone through nine global Internet providers and is SAS-70 type II certified. The GIDC provides the physical environment necessary to keep our service up and running 24×7. The facility is purpose designed with raised floors, rack mounted equipment, dual air control systems, fully redundant on premise power, and backup generators. A complete set of physical security features, including detection suppression systems, protect the equipment and connections.

Our equipment hosted at the facility is subject to around-the-clock systems management with personnel trained in the areas of networking, Internet, and systems management.
High reliability is provided through a number of redundant subsystems, such as multiple fiber trunks coming into the IDC from multiple sources. Penetration tests are performed against our services periodically by a specialised computer security auditing firm.

Server configuration
Our environment is configured with numerous Web, Email, Database, Storage and Security servers. Our application servers use state of the art load-balancing software to enable multiple servers to act as a single, easily managed system. Through software agents on every server, our load-balance solution monitors the system’s health and availability and then directs requests to the server best able to maximise service levels. The modular architecture of the platform also allows for horizontal scaling of the system in the event of overall increases in platform requirements or specific spikes in concurrent user numbers or messaging volume.
