At this point, physical security systems mainly consist of video or security camera systems along with access control systems.  Just as I wrote in a recent article on copier security issues, most of these systems have vulnerabilities and are subject to network attacks either from outside a business or from those within a business, such as employees and third-party contractors. Lately, there have been attack methods published on both networked video or security camera systems and access control systems.

Security Camera System

At the last DEFCON conference, a security research firm showed that a brand-name security camera system was vulnerable to attack.  In the demonstration, the firm simply captured some video footage of an object and replayed it so that when the object was removed, it still appeared to be in the same location.  It reminds me of some older action movies and TV shows which portrayed this kind of event as fiction.  Now this type of capability is reality for those with the necessary technical skills.

You can download and read more about this type of attack from the DEFCON site or listen to audio of the presentation along with other resources on this DEFCON resource page.  Make sure you scroll down to the “Advancing Video Application Attacks with Video Interception, Recording and Replay”, which is a little over half way down on the page.  The audio and PDF versions of this information are available on this page.

Access Control System

At another security conference, a security researcher showed how a networked access control system could be attacked.  The researcher showed how he was able to gain access to the system as well as how to search the internet to find access control systems which are vulnerable to attack.

You can view and download the security researcher’s presentation of the access control system attack .  It will help you gain a better understanding of the vulnerabilities you might face if you are currently using a networked access control system or are considering one in the future for your business.  The video is quite lengthy but does provide some good information if you are considering using a networked access control system.

While no computer or networked device is a hundred percent secure, make sure that you understand and know what security features the system has prior to purchasing and installing them on your network.  The capabilities and features of these types of networked physical security systems are constantly changing and improving so my best advice is to be aware of the issue and shop around before installing one on your network.  Also, you should do a web search for security vulnerabilities related to specific devices or systems.  Then, evaluate the security of your business network overall because poor network security or changing things on your network such as adding a networked physical security system can affect your overall security.  Lastly, make sure you change the default passwords on networked devices before deploying them on your network.  This is a simple but often forgotten security step.

Leave a comment if you can provide further insight regarding networked physical security systems or have installed such systems on your own business network.

Post from: Business Security Information © 2010

Physical Security Systems on the Network

Related posts:

1. Security Issues With Network Devices
2. Security Camera Systems
3. Should Your Business Use Security Cameras?

Businesses just like yours spend time, money and energy every day trying to protect their assets from a variety of security issues.  How do you know if you are expending that time, money and energy covering the right security issues?

This month I came across a survey of security directors from a variety of companies that covered the major security issues they face and the cost of security incidents when they did occur.  I will highlight some of that information in this article so you can see the type and cost of a variety of security issues.  You can use this information to evaluate if you are addressing the right security issues in your own business.  Here is the list of security issues based on the highest annual dollar losses to the lowest dollar losses:

• Business Interruption and Disaster Recovery – 32% of those surveyed reported experiencing this issue in the past year with an average loss of $100,000.
• Data Breaches – 32% of those surveyed stated they had experienced one with an average annual loss of $50,000.
• External Theft and Vandalism – 65% of those surveyed stated they had problems with this security issue with an average annual loss of $20,000.
• Fraud or White Collar Crime – 37% of the surveyed respondents stated they had experienced this security issue with an average annual loss of $11,000.
• Theft of Laptops – 58% reported experiencing this security issue with annual losses of $10,000.
• Employee Theft – 68% of security directors had experienced employee theft with an annual loss of $10,000.

This survey primarily covered security directors who are responsible for physical security and fraud.   This is probably why data for computer security-related issues are lacking in these findings.  This is probably also why the percentage of data breaches is lower than I have seen in other information sources.

Limitations of the Survey

With experience in several areas of security, I know that when you discuss security issues with someone who is responsible for and experienced in only one area of security, you will always get more information related to their area of responsibility.  This is what I feel has occurred in this survey.  Those responsible for this survey are very experienced and thorough, but again it surveys mostly those security directors with physical security responsibilities.  If you gather similar information from those responsible for computer security, the information would cover more computer security issues with only some physical security.  Be aware of this survey’s limitations but also realize that this information is still useful in deciding where to direct your security efforts.

While disaster planning and recovery issues should be high on a business’ list, it is usually one of the last security issues address by most businesses.  Most businesses also address external threats (criminals) without addressing employee threats.  Review the  survey information and use it as one source of information when planning what security issues you are and should be addressing in the protection of your business.

Post from: Business Security Information © 2010

Addressing the Most Important Business Security Issues

Related posts:

1. Security Issues Related to Insider Threats
2. Cybercrime Small Business Survey
3. Security and the Economic Downturn

When you get rid of the copier because the lease is up or it is old and you want a newer model, all your information is left on the copier’s hard drive. Are most old copiers junked and disposed of, or are they resold? If you said they are resold, you are correct. Most old copiers are resold to others either in the United States or, more likely, to others overseas. All the old documents on the copier’s hard drive are still there until the hard drive fills up and starts overwriting older information and is available to the new owner of your old copier.

Copier Security Issue

Other Security Concerns

Beyond the issue of having a copy of all your personal, private, and business information on the copier’s hard drive, you should be aware of some other security issues related to copiers. Most copiers these days are networked either through the local area network or a wireless network. Basically, today’s copiers are computers and if not configured correctly, they can be exposed to the same security issues of any other computer on the network. An insider such as an employee, contractor, or other person at your business can simply plug a laptop into the copier and retrieve the information off the copier’s hard drive. Someone with a little technical ability can also access the information remotely. Remember to configure copiers as securely as you do any computer that is on your network.

Copier Security Solutions

1. Contact the manufacturer of your current copier or the one you are looking to lease or purchase to see what privacy and security features they have for their copiers. Some manufacturers such as Xerox and Sharp have software available that will overwrite copied documents on the copier after the document has been printed or copied.
2. Remove and erase the hard drive’s contents before disposing of the unit. Another option is to remove the hard drive and replace it with a new one before you get rid of the unit.
3. When you get a new copier or if you have never done it on your existing copier, change the default password and, if possible, the default log-in. There are sites dedicated to finding and publishing default log-in names and passwords for routers, copiers, printers and other network devices. In my opinion, changing default passwords and log-ins is critical. Recently I added a new network printer to my network, and it had a default of admin for both the log-in and password. I could have easily set up the printer to work on the network without ever changing the default password, but the printer’s configurations would have been easily available to anyone who looked at the website of the printer manufacturer. The default log-in and passwords are clearly stated in their help information.

Any device on your network needs to be securely configured and protected just as any computer on your network needs to be. Please let me know if you have come across any security issues with your printers. Your thoughts and opinions are always welcome.

Post from: Business Security Information © 2010

Are Office Copiers Keeping Your Company Secrets?

Related posts:

1. Trying to Comply With the Red Flags Rule?
2. Updating Software Applications
3. Encrypted USB Flash Drive Flaw

Garage Door – I Am In!

Securing Your Garage Door

As you can see from the video, it does not really take any time or high tech tools to get into some garage doors. Even though the garage door is usually the largest exterior opening to a home or business, it is an opening that is often not protected as well as others. Unfortunately, most criminals know this.

An often-recommended security tip is to remove the pull cord, but as you can see from the video that really would not stop the criminal from opening the garage door using this break-in method. Of course, I would still remove the pull cord because it can be used against you by criminals using other very similar methods.

After removing the pull cord, secure the lever that the pull cord was attached to. One method used by some is to simply zip tie the pull cord lever to the bar so that someone cannot hook and pull the lever without first removing the zip ties which is hard to do from the outside. Remember, in most security situations, you do not have to have perfect security. You just have to be a harder target than your neighbor. Most of the time, the criminal is looking for the highest return with the lowest risk so if it is easier for them to break into someone else’s business or home, they will choose that location and not yours.

Locking the garage door is another very effective recommendation, but I have found most people do not do this. Most people want to use their automatic garage door openers without having to get out of their vehicle and unlock the garage door. While locks are recommended for homes, they should definitely be used by business garage doors. A lot of businesses do not have any exterior locks on their garage doors. Lever sliding locks, padlocks, or both can be used on the interior of these types of garage doors. I would recommend the use of some type of locking mechanism on garage doors used in business but is also a good idea for garage doors in your home.

If you have any other thoughts or recommendations for securing garage doors at your home or business, please leave a comment and share your thoughts with the other readers of this site.

Post from: Business Security Information © 2010

Is Your Garage Door Secure?

Related posts:

1. Security Door Plates
2. Jamb Pins: Better Exterior Door Security
3. Door Security Solution

An example may bring some clarity to the point I am trying to make.  Recently, I was working with a small business that had less than 10 employees.  Their first thought was to simply protect the critical information they had on their computers by using a local backup as well as a remote (off-site) backup for any critical business information.  Upon looking further into disaster planning issues for the business, it was noted that they also needed to address issues related to internet access since the business required uninterrupted internet access.  Another issue that came to light is the cross-training of employees so that if there is a loss of a key employee for any reason, the business can still function.  I feel that this issue is important for any business but especially for the small business where an employee may fill more than one critical role in the small business.  Lastly, the business realized they also needed to look at key delivery systems or shipping channels so that a loss of one would not affect the function and profitability of the business.  As you can see from this example, there are a lot of things to think about when preparing even small businesses for a disaster.

7 Key Elements of Disaster Planning

How do you get to the point of being able to prepare and recover from a disaster that may affect your business?   Here are some essential steps to take to reach that point.

1. Determine the threats or risks to your business – Some of these will be general in nature such as a natural disaster while others may be more specific to your particular industry.  Threats include tornadoes, fire, flood, virus infections, power outages, or simply the loss of a computer hard drive with critical information.  More complex threats may include a cyber attack by criminals trying to gain access to business accounts or an activist group trying to stop you from selling a certain product.  The list can be endless,  but businesses should look at events that have the highest probability of occurring as well as the types of threats that would have the greatest impact on the business.
2. Determine the essential elements and needs of your business -  These include information, hardware, software, suppliers, transportation systems, employees and other elements which are critical to the survival of your business.  Determining what elements of the business are most critical is necessary to properly prepare your business.  This should include the items or supplies that will be important to have on hand to manage and recover from a disaster.  When a disaster strikes, it is usually very hard to get essential supplies because of limited availability and competition from others who also need supplies.
3. Locate all critical business resources -  This is especially important for information or data.  Many businesses don’t know where all the critical information that they use is stored.  When planning for a disaster, you should ask these questions:  Which server or computer is used to store this information?  Is there a current backup?  Where is the backup kept?  Would it be accessible during a disaster?  All these questions and more must be answered before an event actually occurs.  As stated above, do not forget other critical business resources, especially your employees and other related resources that you need to operate your business.
4. Look at current measures being used to protect your company –  How will these measures reduce the impact of a disaster if one were to occur?  It is always more effective to prevent a disaster from occurring than to respond and recover from one.
5. Determine costs – What are the costs to the company if a disaster does occur?  Per hour?  Per day, etc.?  Also, what will be the estimated costs to adequately prepare for a disaster.  You don’t want to spend more than you should.  Cost benefit analysis is critical in any business decision.
6. Develop the plan -  If the hard work is done in steps 1 – 5, developing a plan should not be as difficult.
7. Train employees and test and maintain the disaster plan – Once the plan is developed, you have to train employees so they know what to do.  Then, the plan must be tested to see if something has been missed and to find any glitches in the plan.  This also help employees put into action what you have just trained them in.  Also, a schedule should be set up to review and update the plan.  If the plan is not updated and tested on a regular basis, all efforts up to this point will have been wasted.

By thinking through, planning and implementing a disaster plan, you and your business can be prepared to handle almost any disaster that you may face.  Remember the survival of your company is at stake.

Post from: Business Security Information © 2010

Disaster Planning For Your Business

Related posts:

1. Addressing the Most Important Business Security Issues
2. Cybercrime Small Business Survey
3. Is Security Only Needed for Big Business?

Since Facebook privacy issues have been a hot topic in security, I thought it would be a good idea to take a look at some of the add-ons or plug-ins you can get for the Firefox web browser that will help  protect your privacy when on-line.  While a lot of businesses and users still use Internet Explorer, many people and businesses are switching to Firefox which has a ton of plug-ins available.  When I wrote this article, there were 221 add-ons or plug-ins available for Firefox that touched on some element of privacy.  If you search for security-related add-ons, the list gets even bigger.  While I cannot address all of them in this article, I want to highlight a few that can help protect your privacy.

Privacy Plug-Ins

1. NoScript – This is a very popular add-on that I actually use on Firefox for one of my Windows computers.  This add-on blocks the use of scripts such as Java, Flash, JavaScript and other similar types of scripts but is not full proof.  As I noted in a recent article on TabNapping, a new form of phishing attack, there is malicious code available that can bypass the NoScript plug-in.  No-script is useful in protecting against cross-site scripting and clickjacking attacks.  The user can temporarily or permanently allow certain scripts on a website, but the user must understand what should be allowed, or otherwise they will end up allowing everything just so they can use a particular website.  While this plug-in is helpful, it can also be a nuisance until you have basically trained it to do what you want.
2. Better Privacy – This helps protect against what is called Flash cookies which are a newer form of cookie that stores information about you and your online activities.  Flash cookies do not expire and can’t be deleted by the browser even if you delete recent history.  The Better Privacy plug-in allows you to manage and remove this new type of cookies.  Another similar type of plug-in is Privacy+ which manages Flash cookies.  Better Privacy is rated high and such a plug-in is necessary since so many websites I have seen recently are using the newer Flash Plug-ins.
3. Torbutton -  This plug-in allows you to configure Firefox to use Tor. You must have Tor installed on your computer to use this plug-in.  Tor allows you to use a community-run network that allows the user to have some anonymity when using the internet. Another similar plug-in is FoxTor.

Other plug-ins that I did not put on the short list, but I noted during my review are Safecache and Finjan Secure Browsing.  Take a look at these add-ons and plug-ins and let me know what you think.  If you already use one or more of these and want to share your insight, send me an email using my contact form or leave a comment.

Post from: Business Security Information © 2010

Firefox and Privacy Plug-Ins

Related posts:

1. Web Browser Security
2. cPanel CSRF Security
3. Choosing a Secure Web Browser

New internet attack methods or new variations of old ones seem to be developing on a regular basis.  This makes it hard to keep up with all the ways your business’ computer system can be attacked as well as adequately protecting your most vital business asset–information.

Recently, a new form of phishing attack has been developed that is called “TabNapping”.  While it has a cool sounding name, there is reason to be concerned.  Many businesses that use a number of websites throughout the business day keep them open in different tabs.  In my experience, very few people use multiple browser windows and instead use multiple tabs.  If that describes you in your business, you should understand the basics of this new form of phishing attack .  If you don’t use tabs and open websites in new browser windows instead of tabs, then this form of attack should not affect you.

TabNapping basically allows the attacker to change the contents and label of an open but not active tab.  For example, an attacker can take an open browser tab that is not currently being used and make it look like the amazon.com log-in screen, your webmail log-in screen, a bank or credit card log-in screen, or any other type of website that requires you to log-in.  The purpose of the attacker changing the inactive browser tab to resemble such a site is to collect your log-in information such as user name and password.  An attacker can then use this information to log in to your account and use or steal funds or gather other personal or business information.

TabNapping Method

Information from current researchers shows that a user must first visit a malicious or compromised website in order for the attack to be carried out. The attacker will then look for browser tabs that have not been active and use JavaScript to change the label and contents of the tab.  The user or victim then scans their open tabs and sees the label for a familiar site such as Facebook and clicks on the tab.  Since the attacker has changed the label and content to show that the account has timed out, the user needs to re-authenticate.  The user then enters their log-in information which is sent to the attacker.  From there, the attacker redirects the user to the actual page which the user was never logged out of in the first place.

The particulars of this form of phishing attack will probably evolve and change over time, but this is currently the basic elements of this type of attack.  Right now the attack method does not allow the attacker to change the URL in the browser; only the browser tab’s label and content.  In the future that may change, but, at this point, if you look at the URL for each tab it should show the URL for the site you are actually on.  For most users this may not mean a lot since it may be hard to tell the difference between a URL for the log-in of an online bank site and the website page you are on while you are actually logged into the online bank website.  Also, in order to be attacked, you must visit a website that has been compromised.   In the future this form of attack may only require allowing JavaScript, which is almost essential if you are going to use the web these days.

Reducing the Risks of TabNapping

TabNapping affects all major browsers for Windows and Mac, but I also recently tested the Firefox browser using Linux, and this form of attack was successful; therefore, it is a browser issue and not an operating system issue.

Since the attacker must first infect your computer with malicious code, use web filtering or other methods that warn users of malicious sites.  If your computer does not visit one of these sites and does not become infected, then at this point all is good.

Do not trust an inactive tab that is asking you to log-in if you have not actually opened the site yourself.  In this case, retype the URL for the site or click on your bookmark for the site to actually take you to the website.  If you were never logged out of the site, the tab will usually open in the site without logging back in.

Another way to reduce the risk of the attack is to look at the URL when you click on the tab.  The URL should not match the fake log-in screen or tab.  Most users do not do this.  They trust what the tab label says which is what this type of attack is banking on.  If you look at the URL and it does not match up or you’re not sure, go back and type in the correct URL or use your bookmarks to go back to the site instead of using the current log-in screen in the browser tab.  Be aware, though, that determining if the URL is correct for the site is not always an easy task for most users.

Script blocking add-ons for the Firefox browser such as NoScript may help prevent this type of attack although recently other research has shown that the NoScript add-on can be circumvented.  Also, the use of password managers may help because if you saved the log-in information while at the real website, the password manager will not enter the user name and password for you when the URL does not match.

While there are no bulletproof answers at this point, you can reduce the risk of this type of phishing attack.  As always, the only way to eliminate risk is to not be in business at all, and what fun is that!

Post from: Business Security Information © 2010

TabNapping: A New Type of Phishing Attack

Related posts:

1. Changes in Spear Phishing Attacks
2. New Twist in Phishing Scam
3. Phishing Update

If you are like most businesses, you have more on your plate than you have time to deal with.  Keeping up with all the security issues that face your business can be a daunting task.  One resource that can help you is the new Mozilla Plug-in Checker.  This tool lets you determine which of the computer plug-ins you are currently using are outdated.  While this may not have concerned you before, there is good reason to pay attention to your plug-ins.

Keeping your browser plug-ins up to date is important because browser-based attacks have increased over the past few years.  Attacks against browser-based plug-ins, such as Adobe Reader used to view PDF files, have increased dramatically this year.  Some researchers and vendors estimate that just the attacks using PDF exploits account for almost 30 percent of malware attacks.  Like so much of the software we use, we must keep them updated to prevent or reduce security threats to our computer systems.  Many operating systems and other software can be configured to automatically check for updates, but this type of feature for browser plug-ins is not currently available.

Plugin Checker

Mozilla’s plug-in checker is a web-based tool that allows you to see which plug-ins are outdated and should be updated and which ones are up to date.  If the status of a plug-in cannot be determined, there is a research tag.  When I tested the plug-in checker using one of my Linux computers, I received the research tag for a number of plug-ins that Mozilla had no information on.  The checker is not one hundred percent effective, but, overall, it is a neat tool that saves you time determining the status of the plug-ins you are using.

Last year, Mozilla had a limited version of this, and I remember trying it a couple of times and thought it was a useful tool but had not done any further research into it at that time.  As of the date of this writing, the plug-in checker works with Safari 4, Google Chrome 4, Opera 10.5 and Microsoft Internet Explorer IE7 and IE8.  Of course, it also works with the Firefox browser.    The plug-in checker currently compares plug-in versions you are using against the newest editions to determine if they are out of date.

This tool is integrated into Firefox 3.6 with the Firefox version having a few additional features such as warning users if they try to load or install an out dated plug-in.  Mozilla also stated they will be adding a plug-in update service like they do for Firefox extensions some time in the near future.

Mozilla Plug-In Checker is a useful tool to make sure you have patched and updated the plug-ins you use so often with your browsers.  It is especially important if you are not using Firefox 3.6 as your browser.  If you have any opinions regarding the Plug-in Checker,  please leave a comment.

Post from: Business Security Information © 2010

Web Browser Security

Related posts:

1. Choosing a Secure Web Browser
2. Firefox and Privacy Plug-Ins
3. Obfuscated What?

When I walked into the business, everyone, including the shop manager, was back in the shop area and did not see me standing at the counter for a number of minutes.  It would have been easy for me to reach over and take a set of keys.  The keys were tagged so it would not have been really hard in this small of a shop to figure out which vehicle the keys went to. The vehicles with keys with unlocking remotes attached to them would have been especially easy to find.

Since customers don’t always pick up their vehicle at the end of the business day, the business may not notice that the vehicle or keys are gone until the customer returns to pick up their vehicle another day.  This allows the criminal in many cases to come back after hours and either steal the vehicle or remove anything valuable from the vehicle.  In a case of a dealership, a missing vehicle on the sales lot may not be noticed for some time depending on how often the dealership does a count of lot vehicles.  Even if you are not a service garage or dealership, this issue may apply to you depending on the number of company vehicles you have and where you store those company vehicle keys when the vehicles are not in use.  It is obviously extremely important that you protect the keys for the vehicles you sell, service or own.

Key Security

There are a couple of things I would recommend this business change to improve security.  I have listed them in succession ranging from very minimal security improvements up to more secure solutions.

1. Move the key storage board away from any entrance or exit.  This makes it harder for someone to grab one or more sets of keys.
2. Move the key board to a location that is not easily accessible to the customers or the general public.  This could be behind the counter where it would force someone to step behind the counter to get a key or in the office located next to the service counter.  Basically, any area customers do not frequent and would obviously stand out would work.
3. Move the key board out of view of anyone coming into the business.  In this case, it could have been stored under the counter or in the owner’s office in a drawer or other area.
4. Store keys in a locked key storage cabinet, similar to the one in the picture.  There are a different kinds of key cabinets that can be locked with a key, a code, or electronically.  Select one that is appropriate for your business.

These are just some of the steps you can take to improve the security of your customers’ keys and vehicles as well as vehicles you own.  Remember, small security improvements like this can really make a big difference in security for your business as a whole.  It is easier to take steps before a crime happens than have to deal with the theft or damage of a vehicle in your possession.

If you have used other solutions to improve a similar security situations, please leave a comment so  other readers can learn from your experience.

Post from: Business Security Information © 2010

Key Storage

Related posts:

1. Security Benefits of Key Cabinets
2. Robbery Security Measure
3. Bulletproof Enclosures

A couple of weeks ago, I wrote an article called “Bulletproof Enclosures” where I discussed movable bandit barriers or bulletproof enclosures.  Just today I read about a different but very similar type of robbery security measure called a security screen.  The concept is very similar to the movable bulletproof enclosure, but different in that it is a bullet-resistant metal wall.

The wall is made of carbon steel that is encased with an anti-ricochet, composite, bullet-resistant material.  Also, this type of robbery barrier is actually installed in the counter where customers cannot see it and when activated, rises to the top of the counter opening, providing a barrier between the employee(s) and the robber(s).  When the metal screen is activated, a sign appears on the side of the screen facing the robber(s) stating that the alarm has been activated, and the police will arrive shortly.

SAFETELL states that the metal wall can be completely closed within a half of a second after it has been activated.  The mini-mart where the metal screen was installed is in the United States, but the company’s (SAFETELL) offices are in the United Kingdom (UK).  The owner of the store where the wall was installed had considered the movable bulletproof enclosures like I discussed in my previous article but decided on the the bullet-resistant metal screen because it would keep his employees safe as well as provide an open and friendly atmosphere for his customers.

When activated, pneumatics are used to lift the bullet resistant screen into place.  The bullet resistant screen can be activated by one of several buttons located in the employee area.  Also, this particular store has some dollar bills tied into radio devices that activate the bullet-resistant screen when the money is removed.  This particular store also installed bulletproof glass in the exterior windows of the cashier area of the store.  This addresses the first issue I noted in the Bulletproof Enclosure article.  Refer to this previous article for other security details you must consider no matter if you want to install a bullet-resistant screen or a movable bulletproof enclosure.

There are limitations to any security measure so make sure you research anything you plan to implement.  The bullet-resistant security screen is just a different version of the bulletproof enclosures I have discussed in the previous article.  In making security decisions, I would always look at the cost versus the function.  In this case, both barriers appear to provide the same type of protection.  One is installed above the counter and comes down during the high risk hours where the SAFETELL product stays hidden until it is needed no matter the time of day or night.  Understand your security risks and needs prior to implementing either type of bandit barrier.

Post from: Business Security Information © 2010

Robbery Security Measure

Related posts:

1. Bulletproof Enclosures
2. Key Storage
3. Greeters Help Improve Security?