Getting Physical Part 2

In the second part of this post I am going to point out a top ten list of ideas and concepts that should be used to ensure the safety and security of your environment. Remember that we aren’t just concerned with strangers or outsiders perpetrating crimes against our organization; we must also be vigilant about keeping our own employees from turning against us. (get part 1 here)

Top Ten Interior Physical Security Measures

  1. Funneling People – Entryways should funnel people. When you walk into a building you should be directed to a single point of authorization. This means no open doors, offices or hallways. Any access into or out of the building at this point should be locked.
  2. Receptionists – Use a receptionist or security guard. The physical presence of someone greeting you upon entry establishes control.
  3. Limit Network Access – Remove all network jacks, computers, and networking equipment from the entry area. If the security guard or receptionist uses a computer, it should be behind the desk with no physical access to it from visitors. Network jacks should not be present at all; it will only take one time that you forget to disable one. The easiest method is to eliminate them.
  4. Clear the Area – The lobby areas should be free and the furniture should be minimal and simple. Lobbies are for people waiting brief periods to be seen.
  5. Logs – Use a sign in book. The receptionist or guard should check a picture ID before assigning a visitor pass over to a person. No one should ever be granted access without an escort.
  6. Visitor Badges – Badges should expire and be clearly displayed. It should be easy for an employee to quickly identify a visitor; the easiest way to do this is with a brightly colored visitor badge. Although I personally dislike wearing badges around my neck, that is exactly where a visitor should wear one: if a visitor badge has a clip, most males will attach it to a belt loop. Just eliminate that option altogether and place visitor badges on a string or lanyard to be worn around the neck.
  7. Employee Badges – Employees should have badges as well, with their picture on them. Too often employee badges, if present, only have a name. Having only visitor badges and no employee badges is also a mistake: it relies on the idea that everyone without a badge is an employee, so a visitor could throw their badge away and then be accepted as an employee.
  8. CCTV – Again, a visible CCTV system should be used. As we move on to the heart of operations, we should restrict movement within the environment just as we would use VLANs and ACLs within our LAN.
  9. Segment Access – Areas with sensitive data should be locked at all times, and only those employees that need access should be granted keys. These areas should have sign-in logs as well.
  10. Server Access – Server rooms should be kept in the center of a building with no windows. Exterior walls of the server room should carry all the way from the floor to the true ceiling and never stop short at drop ceilings. Entry and exit should be scrutinized and logged and should have some type of CCTV monitoring.

Although this is by no means an exhaustive physical security plan, it is one that we as IT professionals should work on and develop. Physical security is becoming more and more IP enabled. That means that we are going to become more and more involved in the physical security planning and architecting of our environment. I intentionally avoided a fair amount of physically securing computers and network equipment as I am going to post an entire blog entry just on that premise in the near


Getting Physical Part 1

Physical security is probably one of the most misunderstood aspects of a corporate environment. Physical security is changing just as fast as our logical security but our attitudes about it aren’t.

I am going to make this a two-part series: the top five things that you can do outside of your building to make it more secure and safe, and a top ten for the inside. These methods are relatively inexpensive but are not exhaustive.

Let’s start with the outside of the building/office and work our way in to look at appropriate measures that can be taken to better enhance our security posture. The outside of a building should first and foremost fit in with the community where you work. If you take your security measures too high on the outside, people are going to begin to get curious as to what is on the inside.

Five Exterior Physical Security Measures

  1. Appearances – Your building/office should be visible and limit any area where a person could hide.
  2. Lighting – Keep the surrounding area well lit at night. Entrances should always be well lit, for the safety of your employees and to deter people from approaching your building after working hours.
  3. Entry and Exit – Limit the number of entry and exit points to your building/office. By narrowing the number of ways that you can get in and out you are also limiting the number of ways that an unauthorized person can enter or exit. This includes scrutinizing first-story windows.
  4. Cameras – If you have it in the budget, invest in a Closed Circuit Television System (CCTV). When placing cameras make them easily visible and ensure that there are no dead spots within the coverage. The mere presence of a camera is a deterrent in and of itself. Never use fake cameras. Criminals know about these and they are easy to spot; you are only advertising your lack of a security budget.
  5. Prying Eyes – Obscure the view of outsiders looking in. Use either blinds that are shut after business hours or tint the windows. Often blinds are left open and thieves can then window shop your business.

With these five items you can greatly improve your security and increase the safety of your employees. The next post is going to dive into the interior and look at the top ten items you can put in place for a better security posture and safer work environment.


How Anonymous Are You?

You may think that you are anonymous as you browse websites, but pieces of information about you are always left behind. You can reduce the amount of information revealed about you by visiting legitimate sites, checking privacy policies, and minimizing the amount of personal information you provide.

What information is collected?

When you visit a website, a certain amount of information is automatically sent to the site. This information may include the following:

  • IP address – Each computer on the internet is assigned a specific, unique IP (internet protocol) address. Your computer may have a static IP address or a dynamic IP address. If you have a static IP address, it never changes. However, some ISPs own a block of addresses and assign an open one each time you connect to the internet—this is a dynamic IP address.
  • domain name – The internet is divided into domains, and every user’s account is associated with one of those domains. You can identify the domain by looking at the end of the URL; for example, .edu indicates an educational institution, .gov indicates a US government agency, .org refers to an organization, and .com is for commercial use. Many countries also have specific domain names.
  • software details – It may be possible for an organization to determine which browser, including the version, that you used to access its site. The organization may also be able to determine what operating system your computer is running.
  • page visits – Information about which pages you visited, how long you stayed on a given page, and whether you came to the site from a search engine is often available to the organization operating the website.

If a website uses cookies, the organization may be able to collect even more information, such as your browsing patterns, which include other sites you’ve visited. If the site you’re visiting is malicious, files on your computer, as well as passwords stored in the temporary memory, may be at risk.
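To make the list above concrete, here is an added example (my own code, not part of the original tip) that parses one constructed HTTP request the way a web server sees it and pulls out exactly the items listed: the client IP (which comes from the TCP connection, not a header), the browser and operating system from the User-Agent, the page visited, where the visitor came from (a search engine result page, including the search terms, when the Referer carries a `q` parameter), and any cookies sent back. The request, the IP address and the platform heuristics are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request, shaped like what a web server receives for one
# page view. None of these values come from real traffic.
SAMPLE_REQUEST = (
    b"GET /pricing.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) "
    b"Gecko/20100101 Firefox/115.0\r\n"
    b"Referer: https://www.example-search.test/search?q=widget+pricing\r\n"
    b"Cookie: session=abc123; seen_pages=home_about\r\n"
    b"\r\n"
)
# The client address is known from the TCP connection itself, not from a header.
SAMPLE_CLIENT_IP = "203.0.113.7"  # constructed (documentation address range)

# Crude platform hints; order matters because an Android user agent also says "Linux".
PLATFORM_HINTS = [("Windows NT", "Windows"), ("Android", "Android"),
                  ("iPhone", "iOS"), ("Macintosh", "macOS"), ("Linux", "Linux")]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, path, _version = request_line.decode("ascii").split(" ", 2)
    headers = {}
    for line in header_block.decode("latin-1").split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def guess_platform(user_agent: str) -> str:
    for needle, label in PLATFORM_HINTS:
        if needle in user_agent:
            return label
    return "unknown"


def what_the_server_learns(raw: bytes, client_ip: str) -> dict:
    """Collect the automatically disclosed details for one request."""
    _method, path, headers = parse_request(raw)
    user_agent = headers.get("user-agent", "")
    ref_parts = urlsplit(headers.get("referer", ""))
    # A 'q' query parameter in the Referer is the usual sign of a search engine
    # result page, and it carries the terms the visitor searched for.
    search_terms = parse_qs(ref_parts.query).get("q", [""])[0]
    return {
        "client_ip": client_ip,
        "path": path,
        "platform": guess_platform(user_agent),
        # Crude: the last product token of the User-Agent, e.g. "Firefox/115.0".
        "browser_token": user_agent.split()[-1] if user_agent else "",
        "referer_host": ref_parts.netloc,
        "search_terms": search_terms,
        "cookies": parse_cookies(headers.get("cookie", "")),
    }


if __name__ == "__main__":
    for key, value in what_the_server_learns(SAMPLE_REQUEST, SAMPLE_CLIENT_IP).items():
        print(f"{key:14} {value}")
```

Everything in that dictionary is handed over by the browser on every request without any action on your part; the only items you control are the cookies you allow to be stored and the Referer, which privacy-oriented browsers can be told not to send.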

How is this information used?

Generally, organizations use the information that is gathered automatically for legitimate purposes, such as generating statistics about their sites. By analyzing the statistics, the organizations can better understand the popularity of the site and which areas of content are being accessed the most. They may be able to use this information to modify the site to better support the behavior of the people visiting it.

Another way to apply information gathered about users is marketing. If the site uses cookies to determine other sites or pages you have visited, it may use this information to advertise certain products. The products may be on the same site or may be offered by partner sites.

However, some sites may collect your information for malicious purposes. If attackers are able to access files, passwords, or personal information on your computer, they may be able to use this data to their advantage. The attackers may be able to steal your identity, using and abusing your personal information for financial gain. A common practice is for attackers to use this type of information once or twice, then sell or trade it to other people. The attackers profit from the sale or trade, and increasing the number of transactions makes it more difficult to trace any activity back to them. The attackers may also alter the security settings on your computer so that they can access and use your computer for other malicious activity.

Are you exposing any other personal information?

While using cookies may be one method for gathering information, the easiest way for attackers to get access to personal information is to ask for it. By representing a malicious site as a legitimate one, attackers may be able to convince you to give them your address, credit card information, social security number, or other personal data.

How can you limit the amount of information collected about you?

  • Be careful supplying personal information – Unless you trust a site, don’t give your address, password, or credit card information. Look for indications that the site uses SSL to encrypt your information. Although some sites require you to supply your social security number (e.g., sites associated with financial transactions such as loans or credit cards), be especially wary of providing this information online.
  • Limit cookies – If an attacker can access your computer, he or she may be able to find personal data stored in cookies. You may not realize the extent of the information stored on your computer until it is too late. However, you can limit the use of cookies.
  • Browse safely – Be careful which websites you visit; if a site seems suspicious, leave it. Also make sure to take precautions by increasing your security settings, keeping your virus definitions up to date, and scanning your computer for spyware.

Understanding Hidden Threats: Corrupted Software Files

What types of files can attackers corrupt?

An attacker may be able to insert malicious code into any file, including common file types that you would normally consider safe. These files may include documents created with word processing software, spreadsheets, or image files. After corrupting the file, an attacker may distribute it through email or post it to a website. Depending on the type of malicious code, you may infect your computer by just opening the file.

When corrupting files, attackers often take advantage of vulnerabilities that they discover in the software that is used to create or open the file. These vulnerabilities may allow attackers to insert and execute malicious scripts or code, and they are not always detected. Sometimes the vulnerability involves a combination of certain files (such as a particular piece of software running on a particular operating system) or only affects certain versions of a software program.

What problems can malicious files cause?

There are various types of malicious code, including viruses, worms, and Trojan horses. However, the range of consequences varies even within these categories. The malicious code may be designed to perform one or more functions, including

  • interfering with your computer’s ability to process information by consuming memory or bandwidth (causing your computer to become significantly slower or even “freeze”)
  • installing, altering, or deleting files on your computer
  • giving the attacker access to your computer
  • using your computer to attack other computers 

How can you protect yourself? 

  • Use and maintain anti-virus software – Anti-virus software can often recognize and protect your computer against most known viruses, so you may be able to detect and remove the virus before it can do any damage. Because attackers are continually writing new viruses, it is important to keep your definitions up to date.
  • Use caution with email attachments – Do not open email attachments that you were not expecting, especially if they are from people you do not know. If you decide to open an email attachment, scan it for viruses first. Not only is it possible for attackers to “spoof” the source of an email message, but your legitimate contacts may unknowingly send you an infected file. If your email program automatically downloads and opens attachments, check your settings to see if you can disable this feature.
  • Be wary of downloadable files on websites – Avoid downloading files from sites that you do not trust. If you are getting the files from a supposedly secure site, look for a website certificate. If you do download a file from a website, consider saving it to your computer and manually scanning it for viruses before opening it.
  • Keep software up to date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
  • Take advantage of security settings – Check the security settings of your email client and your web browser. Apply the highest level of security available that still gives you the functionality you need.

Good Security Habits

How can you minimize the access other people have to your information?

You may be able to easily identify people who could, legitimately or not, gain physical access to your computer—family members, roommates, co-workers, members of a cleaning crew, and maybe others. Identifying the people who could gain remote access to your computer becomes much more difficult. As long as you have a computer and connect it to a network, you are vulnerable to someone or something else accessing or corrupting your information; however, you can develop habits that make it more difficult.

  • Lock your computer when you are away from it. Even if you only step away from your computer for a few minutes, it’s enough time for someone else to destroy or corrupt your information. Locking your computer prevents another person from being able to simply sit down at your computer and access all of your information.
  • Disconnect your computer from the Internet when you aren’t using it. The development of technologies such as DSL and cable modems has made it possible for users to be online all the time, but this convenience comes with risks. The likelihood that attackers or viruses scanning the network for available computers will target your computer becomes much higher if your computer is always connected. Depending on what method you use to connect to the Internet, disconnecting may mean disabling a wireless connection, turning off your computer or modem, or disconnecting cables. When you are connected, make sure that you have a firewall enabled.
  • Evaluate your security settings. Most software, including browsers and email programs, offers a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of the software, or if you hear of something that might affect your settings, reevaluate your settings to make sure they are still appropriate.

What other steps can you take?

Sometimes the threats to your information aren’t from other people but from natural or technological causes. Although there is no way to control or prevent these problems, you can prepare for them and try to minimize the damage.

  • Protect your computer against power surges and brief outages. Aside from providing outlets to plug in your computer and all of its peripherals, some power strips protect your computer against power surges. Many power strips now advertise compensation if they do not effectively protect your computer. Power strips alone will not protect you from power outages, but there are products that do offer an uninterruptible power supply when there are power surges or outages. During a lightning storm or construction work that increases the odds of power surges, consider shutting your computer down and unplugging it from all power sources.
  • Back up all of your data. Whether or not you take steps to protect yourself, there will always be a possibility that something will happen to destroy your data. You have probably already experienced this at least once: losing one or more files due to an accident, a virus or worm, a natural event, or a problem with your equipment. Regularly backing up your data on a CD or network reduces the stress and other negative consequences that result from losing important information. Determining how often to back up your data is a personal decision. If you are constantly adding or changing data, you may find weekly backups to be the best alternative; if your content rarely changes, you may decide that your backups do not need to be as frequent. You don’t need to back up software that you own on CD-ROM or DVD-ROM; you can reinstall the software from the original media if necessary.

Safeguarding Your Data

Why isn’t “more” better?

Maybe there is an extra software program included with a program you bought. Or perhaps you found a free download online. You may be tempted to install the programs just because you can, or because you think you might use them later. However, even if the source and the software are legitimate, there may be hidden risks. And if other people use your computer, there are additional risks.

These risks become especially important if you use your computer to manage your personal finances (banking, taxes, online bill payment, etc.), store sensitive personal data, or perform work-related activities away from the office. However, there are steps you can take to protect yourself.

How can you protect both your personal and work-related data?

  • Use and maintain anti-virus software and a firewall – Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall. Make sure to keep your virus definitions up to date.
  • Regularly scan your computer for spyware – Spyware or adware hidden in software programs may affect the performance of your computer and give attackers access to your data. Use a legitimate anti-spyware program to scan your computer and remove any of these files. Many anti-virus products have incorporated spyware detection.
  • Keep software up to date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should turn it on.
  • Evaluate your software’s settings – The default settings of most software enable all available functionality. However, attackers may be able to take advantage of this functionality to access your computer. It is especially important to check the settings for software that connects to the internet (browsers, email clients, etc.). Apply the highest level of security available that still gives you the functionality you need.
  • Avoid unused software programs – Do not clutter your computer with unnecessary software programs. If you have programs on your computer that you do not use, consider uninstalling them. In addition to consuming system resources, these programs may contain vulnerabilities that, if not patched, may allow an attacker to access your computer.
  • Consider creating separate user accounts – If there are other people using your computer, you may be worried that someone else may accidentally access, modify, and/or delete your files. Most operating systems (including Windows XP and Vista, Mac OS X, and Linux) give you the option of creating a different user account for each user, and you can set the amount of access and privileges for each account. You may also choose to have separate accounts for your work and personal purposes. While this approach will not completely isolate each area, it does offer some additional protection. However, it will not protect your computer against vulnerabilities that give an attacker administrative privileges. Ideally, you will have separate computers for work and personal use; this will offer a different type of protection.
  • Establish guidelines for computer use – If there are multiple people using your computer, especially children, make sure they understand how to use the computer and internet safely. Setting boundaries and guidelines will help to protect your data.
  • Use passwords and encrypt sensitive files – Passwords and other security features add layers of protection if used appropriately. By encrypting files, you ensure that unauthorized people can’t view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
  • Follow corporate policies for handling and storing work-related information – If you use your computer for work-related purposes, make sure to follow any corporate policies for handling and storing the information. These policies were likely established to protect proprietary information and customer data, as well as to protect you and the company from liability. Even if it is not explicitly stated in your corporate policy, you should avoid allowing other people, including family members, to use a computer that contains corporate data.
  • Dispose of sensitive information properly – Simply deleting a file does not completely erase it. To ensure that an attacker cannot access these files, make sure that you adequately erase sensitive files.
  • Follow good security habits – Review other security tips for ways to protect yourself and your data.

When Online, Free Isn’t Always Free

There are a lot of free services online these days. You can store pictures “in the cloud,” develop documents, send email, and connect to people. And it doesn’t cost you a single penny.

But free isn’t always free. Many “free” services sell information about you — your likes, hobbies, salary, family members, friends, location, profession, purchase and viewing history, and other demographics — to advertisers to make money.

Be aware of what information you’re providing online. Read websites’ privacy policies and terms of use. Don’t post information that could be exploited by a bad guy or that you don’t want made public. Don’t store unencrypted sensitive information in the cloud. You don’t know with whom you’re sharing the cloud!

Benefits of BCC

What is BCC?

BCC, which stands for blind carbon copy, allows you to hide recipients in email messages. Addresses in the To: field and the CC: (carbon copy) field appear in messages, but users cannot see addresses of anyone you included in the BCC: field.

Why would you want to use BCC?

There are a few main reasons for using BCC:

  • Privacy – Sometimes it’s beneficial, even necessary, for you to let recipients know who else is receiving your email message. However, there may be instances when you want to send the same message to multiple recipients without letting them know who else is receiving the message. If you are sending email on behalf of a business or organization, it may be especially important to keep lists of clients, members, or associates confidential. You may also want to avoid listing an internal email address on a message being sent to external recipients.

    Another point to remember is that if any of the recipients use the “reply to all” feature to reply to your messages, all of the recipients listed in the To: and CC: fields will receive the reply. If there is potential for a response that is not appropriate for all recipients, consider using BCC.

  • Tracking – Maybe you want to access or archive the email message you are sending at another email account. Or maybe you want to make someone, such as a supervisor or team member, aware of the email without actually involving them in the exchange. BCC allows you to accomplish these goals without advertising that you are doing it.
  • Respect for your recipients – People often forward email messages without removing the addresses of previous recipients. As a result, messages that are repeatedly sent to many recipients may contain long lists of email addresses. Spammers and email-borne viruses may collect and target those addresses.

    To reduce the risk, encourage people who forward messages to you to use BCC so that your email address is less likely to appear in other people’s inboxes and be susceptible to being harvested. To avoid becoming part of the problem, in addition to using BCC if you forward messages, take time to remove all existing email addresses within the message. The additional benefit is that the people you’re sending the message to will appreciate not having to scroll through large sections of irrelevant information to get to the actual message.

How do you BCC a message?

Most email clients have the option to BCC listed a few lines below the To: field. However, sometimes it is a separate option that is not listed by default. If you cannot locate it, check the help menu or the software’s documentation.

If you want to BCC all recipients and your email client will not send a message without something in the To: field, consider using your own email address in that field. In addition to hiding the identity of other recipients, this option will enable you to confirm that the message was sent successfully.
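Here is an added example (my own code, not part of the original tip) that shows what BCC actually does at the mail-transport level: the mail server is told to deliver to every address in To:, CC: and BCC:, but the copy of the message that goes out has the BCC: header removed, so recipients and their “reply to all” never see those addresses. The last function applies the advice above by putting the sender’s own address in To: when everyone is in BCC:. All addresses are constructed and nothing is transmitted; Python’s standard `email` package does the header handling, and `smtplib`’s `send_message()` performs the same BCC removal when it actually sends.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses


def build_message(sender, subject, body, to=(), cc=(), bcc=()):
    """Compose a message the way a mail client would, Bcc header included."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if to:
        msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content(body)
    return msg


def _addresses(msg, *fields):
    """Bare addresses from the given header fields, in order, without duplicates."""
    values = []
    for field in fields:
        values.extend(msg.get_all(field, []))
    return list(dict.fromkeys(addr for _name, addr in getaddresses(values) if addr))


def envelope_recipients(msg):
    """Everyone the mail server must deliver to: To, Cc and Bcc alike."""
    return _addresses(msg, "To", "Cc", "Bcc")


def message_as_sent(msg):
    """The copy recipients receive: the same headers minus Bcc."""
    sent = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    del sent["Bcc"]
    return sent


def reply_all_recipients(sent):
    """Who a recipient's 'reply to all' would address: From, To and Cc only."""
    return _addresses(sent, "From", "To", "Cc")


def prepare_for_sending(msg):
    """If every recipient is in Bcc, put the sender's own address in To so that
    clients that insist on a To: field will send it; return (envelope, wire copy)."""
    if not msg.get_all("To") and not msg.get_all("Cc"):
        msg["To"] = str(msg["From"])
    return envelope_recipients(msg), message_as_sent(msg)


if __name__ == "__main__":
    # Constructed addresses; nothing here is sent anywhere.
    draft = build_message("newsletter@example.test", "Member update",
                          "Hello all,\n...", bcc=["a@example.test", "b@example.test"])
    rcpts, wire_copy = prepare_for_sending(draft)
    print("Server delivers to:", rcpts)
    print("Recipients see To:", wire_copy["To"], "| Bcc:", wire_copy["Bcc"])
    print("Reply-all would reach:", reply_all_recipients(wire_copy))
```

Note that the envelope (who the server delivers to) and the headers (what the recipients read) are two separate things; BCC works precisely because the address list lives only in the envelope.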

Effectively Erasing Files


When you delete a file, depending on your operating system and your settings, it may be transferred to your trash or recycle bin. This “holding area” essentially protects you from yourself—if you accidentally delete a file, you can easily restore it. However, you may have experienced the panic that results from emptying the trash bin prematurely or having a file seem to disappear on its own. The good news is that even though it may be difficult to locate, the file is probably still somewhere on your machine. The bad news is that even though you think you’ve deleted a file, an attacker or other unauthorized person may be able to retrieve it.

What are the risks?

Think of the information you have saved on your computer. Is there banking or credit card account information? Tax returns? Passwords? Medical or other personal data? Personal photos? Sensitive corporate information? How much would someone be able to find out about you or your company by looking through your computer files?

Depending on what kind of information an attacker can find, he or she may be able to use it maliciously. You may become a victim of identity theft. Another possibility is that the information could be used in a social engineering attack. Attackers may use information they find about you or an organization you’re affiliated with to appear to be legitimate and gain access to sensitive data.

Can you erase files by reformatting?

Reformatting your hard drive, CD, or DVD may superficially delete the files, but the information is still buried somewhere. Unless those areas of the disk are effectively overwritten with new content, it is still possible that knowledgeable attackers may be able to access the information.


Some people use extreme measures to make sure their information is destroyed, but these measures can be dangerous and may not be completely successful. Your best option is to investigate software programs and hardware devices that claim to erase your hard drive, CD, or DVD. Even so, these programs and devices have varying levels of effectiveness. When choosing a software program to perform this task, look for the following characteristics:

  • “Secure Erase” is performed – Secure Erase is a standard in modern hard drives. If you select a program that runs the Secure Erase command, it will erase data by overwriting all areas of the hard drive, even areas that are not being used.
  • data is written multiple times – It is important to make sure that not only is the information erased, but new data is written over it. By adding multiple layers of data, the program makes it difficult for an attacker to “peel away” the new layer. Three to seven passes is fairly standard and should be sufficient.
  • random data is used – Using random data instead of easily identifiable patterns makes it harder for attackers to determine the pattern and discover the original information underneath.
  • zeros are used in the final layer – Regardless of how many times the program overwrites the data, look for programs that use all zeros in the last layer. This adds an additional level of security.

While many of these programs assume that you want to erase an entire disk, there are programs that give you the option to erase and overwrite individual files.
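The four characteristics above map directly onto a small routine, so here is an added example (my own code, not a tool the tip recommends) that erases a single file the way those programs do: several passes of random data, a final pass of zeros, a flush to disk after each pass, then a rename to a meaningless name before unlinking. It demonstrates the idea on a temporary file it creates itself. The caveat a practitioner needs: on SSDs, copy-on-write or journaling file systems, and anything with snapshots or backups, an in-place overwrite is not guaranteed to reach the old blocks, which is why whole-disk tools (the drive’s own Secure Erase) or full-disk encryption with key destruction are the reliable options for a drive you are disposing of.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write in chunks so large files do not need to fit in memory


def _overwrite(fh, size, fill):
    """Write fill(n) bytes over the whole file length, then force it to disk."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(fill(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def overwrite_in_place(path, random_passes=3):
    """Random-data passes followed by a final all-zeros pass; returns the pass count.
    Caveat: SSD wear levelling and copy-on-write file systems may leave the
    original blocks untouched, so this is only a best effort on such media."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(random_passes):
            _overwrite(fh, size, os.urandom)
        _overwrite(fh, size, lambda n: b"\x00" * n)
    return random_passes + 1


def secure_delete(path, random_passes=3):
    """Overwrite, then rename to a meaningless name so the original file name is
    less likely to survive in the directory, then unlink."""
    passes = overwrite_in_place(path, random_passes)
    anon = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.replace(path, anon)
    os.unlink(anon)
    return passes


def demo_secure_delete():
    """Create a constructed sensitive file, overwrite it, verify, then delete it."""
    payload = b"account 1234-5678 secret\n" * 5000  # constructed sample content
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    passes = overwrite_in_place(path, random_passes=3)
    with open(path, "rb") as fh:
        data = fh.read()
    result = {
        "passes": passes,
        "size_kept": len(data) == len(payload),
        "zeros_after_overwrite": data == b"\x00" * len(data),
    }
    secure_delete(path)  # overwrites again and removes the file
    result["exists_after_delete"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo_secure_delete())
```

The zero pass at the end is what the tip describes as the “final layer”: after it, a casual read of the file shows nothing but zeros, and the random passes before it are what keep the earlier contents from being guessed from a single predictable pattern.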

An effective way to ruin a CD or DVD is to wrap it in a paper towel and shatter it. However, there are also hardware devices that erase CDs or DVDs by destroying their surface. Some of these devices actually shred the media itself, while others puncture the writable surface with a pattern of holes. Many paper shredders will also shred CDs and DVDs. If you decide to use one of these devices, compare the various features and prices to determine which option best suits your needs.

Reducing Spam

What is spam?

Spam is the electronic version of “junk mail.” The term spam refers to unsolicited, often unwanted, email messages. Spam does not necessarily contain viruses—valid messages from legitimate sources could fall into this category.

How can you reduce the amount of spam?

There are some steps you can take to significantly reduce the amount of spam you receive:

  • Don’t give your email address out arbitrarily – Email addresses have become so common that a space for them is often included on any form that asks for your address—even comment cards at restaurants. It seems harmless, so many people write them in the space provided without realizing what could happen to that information. For example, companies often enter the addresses into a database so that they can keep track of their customers and the customers’ preferences. Sometimes these lists are sold to or shared with other companies, and suddenly you are receiving email that you didn’t request.
  • Check privacy policies – Before submitting your email address online, look for a privacy policy. Most reputable sites will have a link to their privacy policy from any form where you’re asked to submit personal data. You should read this policy before submitting your email address or any other personal information so that you know what the owners of the site plan to do with the information.
  • Be aware of options selected by default – When you sign up for some online accounts or services, there may be a section that provides you with the option to receive email about other products and services. Sometimes there are options selected by default, so if you do not deselect them, you could begin to receive email from those lists as well.
  • Use filters – Many email programs offer filtering capabilities that allow you to block certain addresses or to only allow email from addresses on your contact list. Some ISPs offer spam “tagging” or filtering services, but legitimate messages misclassified as spam might be dropped before reaching your inbox. However, many ISPs that offer filtering services also provide options for tagging suspected spam messages so the end user can more easily identify them. This can be useful in conjunction with filtering capabilities provided by many email programs.
  • Report messages as spam – Most email clients offer an option to report a message as spam or junk. If yours has that option, take advantage of it. Reporting messages as spam or junk helps to train the mail filter so that the messages aren’t delivered to your inbox. However, check your junk or spam folders occasionally to look for legitimate messages that were incorrectly classified as spam.
  • Don’t follow links in spam messages – Some spam relies on generators that try variations of email addresses at certain domains. If you click a link within an email message or reply to a certain address, you are just confirming that your email address is valid. Unwanted messages that offer an “unsubscribe” option are particularly tempting, but this is often just a method for collecting valid addresses that are then sent other spam.
  • Disable the automatic downloading of graphics in HTML mail – Many spammers send HTML mail with a linked graphic file that is then used to track who opens the mail message—when your mail client downloads the graphic from their web server, they know you’ve opened the message. Disabling HTML mail entirely and viewing messages in plain text also prevents this problem.
  • Consider opening an additional email account – Many domains offer free email accounts. If you frequently submit your email address (for online shopping, signing up for services, or including it on something like a comment card), you may want to have a secondary email account to protect your primary email account from any spam that could be generated. You could also use this secondary account when posting to public mailing lists, social networking sites, blogs, and web forums. If the account starts to fill up with spam, you can get rid of it and open a different one.
  • Use privacy settings on social networking sites – Social networking sites typically allow you to choose who has access to see your email address. Consider hiding your email account or changing the settings so that only a small group of people that you trust are able to see your address. Also, when you use applications on these sites, you may be granting permission for them to access your personal information. Be cautious about which applications you choose to use.
  • Don’t spam other people – Be a responsible and considerate user. Some people consider email forwards a type of spam, so be selective with the messages you redistribute. Don’t forward every message to everyone in your address book, and if someone asks that you not forward messages to them, respect their request.
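The “linked graphic” trick in the HTML-mail item above is easy to see in code, so here is an added example (my own code, not from the original tip) that does what a mail client’s “don’t download remote images” setting does: it walks a constructed HTML mail body, reports every image that would be fetched from a remote web server (flagging the 1×1 ones that exist only to signal that the message was opened), and rewrites the HTML so those images are never requested while embedded `cid:` images and the rest of the markup are left intact. The sample message, the host names and the per-recipient token are all constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML mail body: one embedded (cid:) image that cannot phone
# home, one ordinary remote banner, and a 1x1 remote image carrying a token.
SAMPLE_HTML = """<html><body>
<p>Big sale &amp; free shipping!</p>
<img src="cid:logo" alt="logo">
<img src="https://cdn.example.test/banner.png" width="200" height="50">
<img src="https://track.example.test/open?uid=12345" width="1" height="1" alt="">
</body></html>"""


def _is_tiny(attrs: dict) -> bool:
    """A 0 or 1 pixel image has no purpose except to trigger a fetch."""
    dims = [attrs.get(k, "").strip().lower().rstrip("px") for k in ("width", "height")]
    return all(d in ("0", "1") for d in dims)


class RemoteImageBlocker(HTMLParser):
    """Rebuild the HTML, keeping everything except remote <img src> attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit &amp; etc. as written
        self.out = []
        self.found = []

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs)

    def _tag(self, tag, attrs):
        adict = {k.lower(): (v or "") for k, v in attrs}
        src = adict.get("src", "").strip()
        if tag == "img" and urlsplit(src).scheme in ("http", "https"):
            self.found.append({"src": src, "tracking_pixel": _is_tiny(adict)})
            # Keep the other attributes; drop src so the client never requests it.
            kept = [f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
                    for k, v in attrs if k.lower() != "src"]
            self.out.append(f'<img data-blocked="{html.escape(src, quote=True)}"{"".join(kept)}>')
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def _run(html_text):
    parser = RemoteImageBlocker()
    parser.feed(html_text)
    parser.close()
    return parser


def find_remote_images(html_text):
    """List every image that would be fetched from a remote server on display."""
    return _run(html_text).found


def block_remote_images(html_text):
    """Return the HTML with remote image sources disabled."""
    return "".join(_run(html_text).out)


if __name__ == "__main__":
    for img in find_remote_images(SAMPLE_HTML):
        print(("TRACKING PIXEL " if img["tracking_pixel"] else "remote image   ") + img["src"])
    print(block_remote_images(SAMPLE_HTML))
```

The token in the tracking image’s URL is the whole point: the sender embeds a different one per recipient, so the single request your mail client makes for that image tells them which address opened the message, when, and from what IP. Viewing mail as plain text, or blocking remote images as above, removes that signal entirely.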