Blog | Jason Palmer, CPA, CITP

Securing your Email – Assigning and Using a Digital Certificate for Secure Email in Outlook

August 27, 2012 By Jason Palmer Leave a Comment

In order to use a Digital Certificate for Secure Email, you need to install the Certificate in to your specific version of Outlook and assign it to the correct profile. This is usually the default profile if you are the only one that uses your copy of Microsoft Outlook.

In most cases, when you retrieve the Digital Certificate for Secure Email, the Internet Explorer Web Browser will automatically store it in the Windows Digital Certificate Store for you. Most editions of Microsoft Outlook can automatically access the Microsoft Windows Digital Certificate Store. If for some reason the Digital Certificate for Secure Email does not properly appear visible in a version of Outlook, use the tutorials below to verify the settings.

If you used FireFox to request and retrieve your Digital Certificate for Secure Email, you may need to Export/Backup then Import/Restore the Digital Certificate for Secure Email in to Internet Explorer so that it is visible to Microsoft Windows Digital Certificate Store.

Please visit the following links for excellent tutorials on the process.

Outlook 2003
https://www.globalsign.com/support/personal-certificate/per_outlook03.html

Outlook 2007
https://www.globalsign.com/support/personal-certificate/per_outlook07.html

Outlook 2010
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1348

Outlook Express – Versions 5 and 6
http://www.comodo.com/support/products/email_certs/oe_5_6.php

Microsoft Outlook 98 – 2000
https://www.globalsign.com/support/personal-certificate/per_outlook9800.php

Windows Mobile PDA
https://www.globalsign.com/support/personal-certificate/per_wm_pda.php

In general, to Digitally Sign or Encrypt an email message, when composing the message look under the OPTIONS tab, – More Options, Security Settings, or Permissions – depending on your version of Outlook. There you will be presented with the option to Digitally Sign and/or Encrypt your message.

REMEMBER: Before you can encrypt a message to a Recipient, you must have that Recipients PUBLIC key. To exchange your key with a potential recipient, send him or her any email message that is Digitally Signed. This message will include your PUBLIC key and for future Authentication, allow the Recipient to store your key in his or her contact list. Then, the Recipient should reply back to you with his or her Public key. Once you have your intended Recipients Public Key, you can encrypt your email communications on a selective basis and vice-versa.
To learn more about Public Key and Private Key encryption read my article, “Securing your Email – Understanding Public Key and Private Key Encryption.”

Securing your Email – Understanding Public Key and Private Key Encryption

August 24, 2012 By Jason Palmer 2 Comments

With Public Key Encryption, also known as asymmetric key encryption, two different keys, a Private Key and Public key are used simultaneously to both Digitally Sign and Authenticate an email message and/or encrypt it.

The Private Key and Public Key are a mathematically related unique pair of really long random that are 100% mated to each other. The Private and Public Keys are created by using the information from your “Personal or Business Digital Certificate for Secure Email” and a “Key Generation Utility.” The Certificate authenticates your email address and optionally your identity. (See my article, “Securing your Email – Digital Certificate for Secure Email” for information on obtaining one.) Note: The Key Generation Utility is usually included as part of the Email Client Software or Web Mail Browser Plug-In. It may not be necessary to explicitly create the key pair as it may automatic.

So, how does Public and Private Key Encryption work? For starters, recall that the Private Key and Public key are a related pair – they work together. Important Safety Tip: As the names imply, the Private Key must remain private and its’ “pass phrase” (the password to use the key) must remain “private” and ONLY known to you personally. The Public Key is widely distributed to everyone you want to communicate with so that the recipients can either Authenticate a message from you as genuine, decrypt an encrypted message you send them, or they can encrypt a message that only you can decode with your Private Key. The Public Key can also be placed on a “Trusted Public Key Server” (think phone directory for everyone’s Public Key) so that others can look up your Public Key to encrypt messages to be sent that only you can decrypt with your Private Key.

NOTE: For purposes of this discussion we need to assume that regardless of if you are using a Class 1 (Email Address Validated) or Class 2 (Email Address and Identity Validated) Digital Certificate for Secure Email, that YOU are the one and only person associated with your email account and that the Pass Phrase to your Private Key is known ONLY to you. With a basic Class 1 Digital Certificate for Secure Email, ANYONE who has access to your email account and who may have requested a Digital Certificate for Secure Email without your knowledge could masquerade as you for purposes of sending Digitally Signed and Encrypted Email.

If I want to Digitally Sign an email message so that a recipient will have a high degree of assurance that I was the actual sender of the message, similar to when I have a paper document Notarized, I use my Private Key along with my Public key to tell my Email Client to “Digitally Sign” the message. I then attach my Public Key with the message as I send it to the recipient. The Recipients’ Email Client uses the attaché Public Key to process my Digital Signature and verify that the Digital Signature is Authentic and Genuine. (Recall when I have a paper document Notarized, a licensed independent third party Authenticates my signature by reviewing other Identity documents. This is similar to what a Certificate Authority would do when issuing a Class 2 Digital Certificate for Secure Email.)

You may be wondering, “How is this any different than if I just sent a regular message since I included the Public Key, the part required for the recipient to authenticate the message?” The answer is that when I Digitally Signed the message with my Private Key, I had to enter in my super-secret, ultra-secure “pass phrase” known only to me. The Private Key and Public Key are a mated pair that must be used together to be of any value. Since only my Public Key can be used to authenticate a message that I personally, Digitally Sign, the message has to be authentic and sent by me. Assuming that the Recipient uses either the Public Key that I sent along with the message or retrieves my Public Key from a Trusted Public Key Server, the message can be authenticated as legitimately Digitally Signed by me.

Technical Note: The Email Clients are performing a massive amount of mathematical calculations in the background creating hash totals and checksums which are shorter strings of numbers that represent the original extremely long numbers to expose tampering. It is possible that the body text which is not encrypted in a Digitally Signed Message could be altered in transit. The message would still correctly show the Digital Signature as “Authentic” however the “math” would also show that the message had been altered from its’ original content.

To Encrypt a message requires one extra step: Before I can send a recipient an encrypted message, I need to know their Public Key. My Email Client software will use the Recipients’ Public Key to encrypt the message. Then, the Recipients’ Email Client will use the Recipients’ Private Key to decrypt the message.

Taking it one step further, if I use my Private Key and the Recipients Public Key at the same time, I can both Digitally Sign the message and Encrypt it so that the Recipient can Authenticate that I actually sent the message with my Public Key and Decrypt the message with the Recipients Private Key so only the Recipient can read it.

The best way to get started in using Digital Signatures and encrypting email, when appropriate, is to obtain a Digital Certificate for Secure Email and then send a Digitally Signed message to people you want to be able to communicate with securely. (See my article, “Securing your Email – Digital Certificate for Secure Email” for information on obtaining one.) Since your Public Key is automatically included in your Digitally Signed Message, the Recipients’ Email Client will automatically store it so that it can be used to either decrypt messages sent by you or encrypt messages that are sent to you from the Recipient.

Note: If you are not using Microsoft Outlook or Lotus Notes, you will need an “Add-on” application for your email client or web browser. Options will be discussed in a future article.

Securing your Email – Digital Certificate for Secure Email

August 23, 2012 By Jason Palmer Leave a Comment

A Digital Certificate for Secure Email enables you to digitally sign your email and authenticate that the message was actually sent from your email account. Optionally, you can also encrypt the email message to secure it against unauthorized viewing. (Encryption of email will be discussed in a future article.)

A Digital Certificate for Secure Email is issued by one of the well-known Certificate Authorities, the same group of companies that issue SSL (Secure Socket Layer) Certificates that encrypt web browser communications. (The “lock” in your browser when connected over HTTPS:// )

A Class 1 Certificate requires only that you enter your First Name, Last Name, Email Address and a pass-phrase which secures the Certificate itself from unauthorized use or for revocation if the Certificate is compromised or lost. The only Authentication performed is that the email address submitted is valid and that you have access to that email account to retrieve the Certificate. It is important to note that the Certificate is ONLY validating the existence of the email address. Anyone who has access to the specific email account can request a Certificate and can most likely use it to authenticate a message sent from that specific email account. This is critical to understand if you share your email account with others.

For many non-business users, a Class 1 Certificate is adequate and available at no cost from a Comodo, a Certificate Authority Provider. (There are a few other free providers but none as quick or as easy to use as Comodo.) Most people have an email account that they do not share and that is properly secured with a strong password. (Well at least they have an email account they do not share. Not everyone follows good password creation guidelines.) The point being that if you send an email message to jason@palmer.net confidence is high that I am the only one sending and receiving mail from that account. In fact, the entire point of using a Digital Certificate for Secure Email is that you as the recipient could immediately tell if the message was sent from the real jason@palmer.net email account (most likely me if a Class 1 Certificate and definitely me if a Class 2 Certificate) or if it was spoofed. (There are other ways of determining a Spoofed email, specifically by reviewing the Full Headers of the Message and spotting inconsistencies in the email addresses and Servers.)

For added assurance, you may want to consider a Class 2 Certificate whereby you need to provide the Certificate Authority with proof of identity, such as a Government issued ID (Driver’s License, Passport, Passport Card, Birth Certificate, or similar). A Class 2 Certificate validates both the email address and that you are its’ owner and a real person. Email signed with a Class 2 Certificate is similar sending over a notarized document. An independent third party has verified your identity so when you use the Certificate a certain level assurance can be assumed by the recipient that you are the actual, legitimate sender of the message.

Class 2 Digital Certificates for Secure Email come in two flavors: “Personal”, that specifically identify you as an individual and “Business”, that specifically identify you and that you are a legitimate employee of a specific company.

You may be wondering, “Wow, this sounds great! Why isn’t everyone using a Digital Certificate for Secure Email on every message?” The answer would be because it is a little cumbersome to setup and use. First both you and everyone you want to send and receive mail from need to obtain his or her own Digital Certificate for Secure Email. Next, you need to configure your email client to work with the Digital Certificate for Secure Email. This is relatively straightforward in Microsoft Outlook, Mozilla Thunderbird, or Lotus Notes. Not quite as easy for Web Mail Users of Gmail, AOL, Hotmail, Yahoo, and similar services as it requires a plug-in or extension installed in the web browser. (A plug-in or extension is a specialized helper application that enables additional features and capabilities in your web browser.)

If the recipients’ email client is properly configured to understand a Digitally Signed email message, when you send a Digitally Signed Message, the recipient will see a notation on the email that the message was Digitally Signed. However, if the recipients email client is not setup properly, the recipient will see an additional text attachment to your message that is meaningless and contains the Digital Signature Information. This can become very annoying to your recipients as every message would you send them would have an attachment.

Securing your email all starts with either a Class 1 or Class 2 Digital Certificate for Secure Email. At least visit Comodo below and start with a FREE Class 1 Digital Certificate for Secure Email, and then tell all of your friends to do the same. A Class 1 Digital Certificate for Secure Email takes only minutes to request and install, they are valid for one year, and are available free of charge

Stay tuned and read my future articles on how to implement Secure Email Communication for transmission of sensitive and confidential information over the wild Internet through Email.

Important Technical Note: Make sure that you use the same computer and web browser to request and access the retrieval of Digital Certificate for Secure Email. You will also need to make sure that Java is enabled and that your web browser accepts Cookies to complete the process successfully. The Certificate is actually being created and added to your web browser’s certificate store, and then you have to export it for your specific email client. Microsoft Internet Explorer and Microsoft Outlook do not require this step as they both can access the same Certificate Store in Windows. Firefox and the Thunderbird Email client or Lotus Notes might require some additional steps to configure properly. Instructions are provided by both the Certificate Authority and your Email Client Vendor.

Digital Certificate for Secure Email Authority Vendors:

Free Class 1

Comodo – FREE AND RECOMMENDED CHOICE
http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Symantec TrustCenter – FREE (Not as fast or easy as Comodo.)
https://www.trustcenter.de/RetailStore/cid/CustomerData!input.action

StartSSL – Free but cumbersome to apply for and install
https://www.startssl.com/?app=1

CACert – Free and very cumbersome to apply for and install
https://www.cacert.org/

Paid Class 1 and 2 Personal and Business
NOTE: There is no reason to pay for a Class 1 Certificate. Use the Free options above.

Comodo – Business Class 2 Certificates – Value Priced Leader
http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html

*Prices and Features vary widely with Vendors listed below – Read Carefully before purchasing.

GlobalSign – Personal and Business Class 1 and 2
https://www.globalsign.com/personalsign/comparison.html

IdenTrust – Personal and Business Class 2
http://www.identrust.com/certificates/trustid.html

Symantec TrustCenter – Personal Class 2
http://www.trustcenter.de/en/products/tc_personal_id.htm

Symantec TrustCenter – Business Class 2
http://www.trustcenter.de/en/products/tc_business_id.htm

Symantec/Verisign – Personal Class 1
http://www.symantec.com/verisign/digital-id

Internet Email is NOT Secure even with SSL/TLS Engaged

August 22, 2012 By Jason Palmer Leave a Comment

The first rule of using email is to NEVER put anything in an email message that you would not want published on the cover of the New York Times or for the entire world to know.

Many Web Mail providers make a big deal of giving you the option of using HTTPS (Secure HTTP Web Access) instead of HTTP (Standard Web Access) to your email account. When you type HTTPS://mail.some-provider.com, if properly supported, you definitely engage an SSL (Secure Socket Layer) Certificate that fully encrypts every keystroke you type and every thing that you view. It is a secure connection between your computer and the web email provider.

The problem and major misunderstanding is that only thing “secure” is the connection between your computer and your email provider. Once you type an email message and press the SEND button, your message goes out in to the wild Internet in “clear text” just like the text on this web page. A message sent in clear text can be read at any point during its’ journey from your email provider to the recipients email provider. From a practical standpoint, even though your email message may pass through a number of Mail Servers on its’ way to the recipient, the likelihood that it will be intercepted is remote. Most email messages “travel time” from sender to recipient is a matter of seconds.

You may be thinking, “But I am sending from my Gmail account to another user on Gmail. Why is that message not secure?” Again, even though both the sender (you) and the recipient may have a secure HTTPS:// connection to Gmail, the message will be transported in “clear text” as it moves either between the various Gmail Servers and Mail Accounts.

The exposure to prying eyes is significantly reduced when sending to and from the SAME domain name such as user1@gmail.com to user2@gmail.com as the message never leaves the Internet Providers Network. However, remember the message is still in “clear text” and can be easily read by a System Administrator or anyone else who may have access to the message during its’ journey. Realize extremely large Internet Providers have many email servers in many locations and most have secure connections between their locations but some use the Public Internet instead.

There is an exception to the above: If you are using a Corporate Email Server such as Microsoft Exchange or Lotus Notes and are sending intra-company mail, that is mail that is to and from other users in your organization with the SAME domain name, i.e. user1@palmer.net and user2@palmer.net, then all mail will be 100% secure. This is because there is either a secure HTTPS:// (SSL) or TLS (Transport Layer Security) protocol engaged between your email client, Microsoft Outlook, and the Microsoft Exchange Mail Server and all email is stored in encrypted format in the Microsoft Exchange Mail Database. The same holds true for Lotus Notes. (Caveat: Although usually configured to be “secure” by default, in some cases, Microsoft Outlook or Outlook Web Access may have been configured to use a standard non-encrypted connection instead of a secure one. Check with your Corporate IT person to confirm.)

Keep in mind that both the Government and Criminals may have “sniffers” setup at various points on the Internet. This allows the snooper to view every single data packet, like the ones containing your email message, and read it.

With the trillions and trillions of data packets and email messages moving across the global Internet daily, the risk that your specific email message containing sensitive or confidential information will be intercepted is remote but the potential is very real.

Using a secure connection to your email provider is not enough. If you or your Company are the specific target of a Government Agency or Hacker, the only solution is to properly encrypt your message. Otherwise, the contents of that document or the photo attached might just make the cover of the New York Times.

[A future article will discuss options for encrypting email messages.]

Securing your Desktop – Antispam Software

August 21, 2012 By Jason Palmer Leave a Comment

Amazing, as it seems, some Internet email providers do not offer an Antispam service for filtering out Unsolicited Commercial Email (UCE) – the proper name for what is affectionately called “SPAM” or Junk email.

Some email client software such as Microsoft Outlook and Mozilla Thunderbird include their own Antispam filters but you may want something more robust. Many of the Antivirus software vendors in their “Internet Security Suite” products include an Antispam component. For the most part, the Antispam component, like the rest of the Suite is “set it and forget it.” However, since no automated process is perfect at detecting UCE, most usually have the ability to create whitelists (always accept) and blacklists (always deny) specific senders. Many dedicated desktop Antispam solutions exist as well and some are listed below.

Antispam filters use a combination of the following techniques to differentiate between legitimate email and UCE. Some use a form of Heuristic pattern matching. The filter looks for a combination of known phrases used in UCE messages such as the ever popular “In deepest confidence” and “the sum of X million dollars” and “need your assistance.” These may not be the actual phrases tested but they demonstrate the concept of the type of language used in the classic scam email of someone contacting you to assist with the movement of money in/out of the country if you will just show good faith with money of your own. In all cases, the phrases are scored with either with positive (more likely spam) or negative (more likely legitimate) and the net number determines if the message is allowed through or moves to your junk folder.

Another technique is the straight automatic blocking of messages that originate from specific IP (Internet) addresses and senders that are known to be bulk Spammers. The Antispam program will check with a well-known service such as Spamhaus.org or the DNS Black List, which maintain a continuously updated list of known originators of Spam and act accordingly.

Many will apply Bayesian content filtering which is a content filtering technique that looks at the words in the body of the message, the email message headers (detailed information about the sender and the path the message took to be delivered to your IN box), the amount of HTML code (colors and graphics), word pairs, phrases, and the general location and context of the words and phrases and assigns a score that determines if the message is or is not UCE/Spam. What makes Bayesian content filtering reasonably successful is that the initial analysis of UCE/Spam is from a pool of email that you personally classify as UCE/Spam. In this way, the program knows what you deem as UCE/Spam so it can analyze the messages received and score them appropriately as UCE/Spam. At the same time, the Bayesian content filters also look at known good non-spam email to create similar scores as a basis of comparison.

Technical NOTE: Bayesian filters work best against a pool of homogeneous mail for a single person or single company. Since the scoring is based on a large population and the algorithm is looking for patterns and trends, Bayesian filters break down when Good email can be confused with Bad email. Let us assume that a husband who is an Accountant and wife who is a Doctor share the same family email account address. The wife may receive a large number of email messages from Big Pharma that discuss well know drugs such as Celebrex or Viagra. The Bayesian filter can get easily confused because the husband might classify all Pharma email as UCE/Spam when in fact it is legitimate to the wife who is the Doctor. But how is the filter to tell the difference between an offer to purchase Celebrex (illegally) over the Internet and a legitimate email from Pfizer the makers of Celebrex? The answer is the Bayesian filters usually goof.

The last method I will discuss is called Challenge-Response, which maintains a list of permitted senders. Every time you receive an email, if the sender is not already whitelisted (permitted), the Antispam Component will send an automatic auto-reply to the sender and ask them to visit a web site to enter in a “challenge” like two plus two equals (fill in the blank) or some other simple test that verifies that the email was sent by a human. If there is no response, as would be the case from a list server (vendor mailing list program), then the message is placed in the quarantine or junk folder for later review by you. The use of Challenge-Response, although extremely reliable, can be problematic as every Challenge email sent out, if sent to a sender that was a fake address, will just bounce back and create even more mail traffic.

You can find extensive in-depth details about the above techniques and the more advanced ones by searching out “Antispam Filtering Techniques” in your favorite search engine.

If your Internet Service Provider, email host, or email client do not filter for UCE/Spam or you want a more robust solution at the individual level, consider the “Internet Security Suites” or Dedicated packages from the well known providers below.

Popular Internet Security Suites

NOTE: These are the Consumer Product Listings – Equivalents Exist for Business

Vipre Internet Security
http://www.vipreantivirus.com/VIPRE-Internet-Security/

Kaspersky Internet Security
http://usa.kaspersky.com/products-services/home-computer-security/internet-security

Trend Micro Titanium Internet Security
http://www.trendmicro.com/us/home/products/titanium/internet-security/index.html

McAfee Internet Security
http://home.mcafee.com/store/internet-security

Norton Internet Security
http://us.norton.com/internet-security/

Dedicated Antispam Solutions

MailFrontier Desktop
http://www.mailfrontier.com/products_matador.html

Cloudmark DesktopOne
http://www.cloudmark.com/en/products/cloudmark-desktopone/index

SpamFighter
http://www.spamfighter.com/Product_Info.asp

Mailshell
http://www.mailshell.com/mail/client/oem2.html/step/client

Sonicwall Anti-Spam Desktop
http://sonicwall.com/us/products/Anti-Spam_Desktop.html

Securing your Desktop – Firewall Software

August 20, 2012 By Jason Palmer Leave a Comment

We have all heard the expression, “Fences make good neighbors.” I will build on that by saying that adding a Gate helps too as you may occasionally want to leave or invite a visitor in. A Firewall is just like a Fence around your home and you control who is allowed to pass through the Gate – both in and out. Although not impossible to break through the Fence it is much easier to pass through the Gate.

In the same manner, a Firewall is an added layer of digital protection around your Data (the information stored on your computer) that helps control who and what are allowed access. Think of a Firewall as an overly attentive Nanny or Parent. As a kid, you may have been allowed to play in the yard but not the street. Or, you could walk to school but not to the Mall and you were not allowed out after dark. These examples introduce the concepts of Firewall rules – what you are allowing your computer to do.

Put in a business context, you might restrict the ability for a computer (or your entire company) to only access Facebook during lunch hour or for one or two hours before or after business hours. At one client, there is a computer on the shop floor to make Labels. We set the Firewall to prevent all Internet access, as the job function does not require any Internet access.

Firewalls also keep unwanted intrusions out. Unless you are running a Network Server, there is almost no reason to allow any access to your computer from the Internet. If you are in a Small Office or Home Office network environment, you may share a folder on your computer (Public Folder) or share a Printer attached directly to your computer. In this case, Windows (and Macs) will open up the specific ports (doorways and gates) to allow the computers to share their resources. You can have different Firewall settings for Internal (Local) vs. External (Internet) networks at the same time.

We know for a fact that no computer operating system is perfect and they all have security flaws. A Firewall puts up an added layer of protection around the operating system so that the intruder cannot reach the operating system to exploit the Security Flaw.

Firewalls come in many flavors, such as Personal, Network, and Application, depending on what you are trying to protect. The important thing to understand is that the premise is the same: Set a specific rule to allow or disallow a specific activity or type of connection to or from a computer or your entire network.

The key differences between the Free Firewalls including with your computer operating system and the Paid Firewalls available as part of “Internet Security Suites” is the degree to which they automate the Rule creation function and what they monitor. For example, the Free Firewall included in Windows is predominantly a network port based Firewall. It will allow you to restrict or allow access to your computer or a network resource based on the specific network connection say (wired or wireless) and the protocol being used (Web Browsing, Port 80, or File Transfer, Port 21). If you look at a more comprehensive product like the ones included in Suites from Vipre, Kaspersky, Trend Micro, McAfee, or Norton they include Application Firewalls. These will monitor the specific activities of your Web Browser to make sure it is only going to “Safe” places. Or, if you have Quickbooks, the Application Firewall will alert you every time, (and allow you to set a rule), Quickbooks goes out to the Internet to get updates.

The more advanced Firewall products monitor every single attempt that your computer makes to access the Internet (or any outbound connection to a network resource – even to a network printer) and every attempt by something to access your computer (knock on your front door) and either block that access or allow you to “open the door and let them in.”

In general, the default settings of most Firewall products are sufficient if you mostly use your computer for Web Browsing, Email, and Document Creation activities. If you have specialized Line of Business applications (Accounting or Database), secure connections to remote or Corporate offices, or extensive File Transfer applications, you may need to adjust the Firewall Rules to allow these applications to operate properly.

The baseline for all of the Paid Companies is an Antivirus product. The addition of the phrase “Internet Security” usually adds a Firewall and the ability to monitor application activity and web-browsing to make sure that you are protected from accidentally visiting known malware and virus sites. Sometimes they add the phrase “Total Security” which may include the ability to monitor Chat and Instant Messenger sessions for transmission of viruses and other malware. In short, as each vendors solution increases in price, they add more and more security and monitoring features for different types of computer activities: email, chat, web-browsing, file transfer, etc.

Popular Internet Security Suites

NOTE: These are the Consumer Product Listings – Equivalents Exist for Business

Vipre Internet Security
http://www.vipreantivirus.com/VIPRE-Internet-Security/

Kaspersky Internet Security
http://usa.kaspersky.com/products-services/home-computer-security/internet-security

Trend Micro Titanium Internet Security
http://www.trendmicro.com/us/home/products/titanium/internet-security/index.html

McAfee Internet Security
http://home.mcafee.com/store/internet-security

Norton Internet Security
http://us.norton.com/internet-security/

Securing your Desktop – Antivirus Software

August 19, 2012 By Jason Palmer Leave a Comment

With so many different Antivirus Software products available, it is easy to get overwhelmed with choices. Sometimes, the hardware vendor pre-installs a specific Antivirus Software product. The problem is that these are usually trial versions that are only valid for a short time period. If you forget to purchase a subscription, you are completely unprotected.

Any Antivirus Software is better than none at all. Understand that you are under no obligation to use the Antivirus package pre-installed on your system. The system manufacturer made the selection of Antivirus vendor based on a financial incentive or revenue share not because it was the best or most cost effective solution for you.

There are three basic considerations in selecting an Antivirus Software package: Price, Feature Set, and Frequency of Updates.

Free versions of Antivirus software offer basic file level and memory protection. If the Antivirus program detects a virus on your hard disk drive or malicious program attempting to execute, it will clean and remove the virus.

Paid versions of Antivirus software usually add additional features such as Safe Web Browsing. They will check the web site name (URL) against a list of known bad sites and help prevent a possible infection by blocking access to the site.

Perhaps the most critical aspect of a Free vs. Paid Antivirus software program is how frequently the definition database that contains the signature patters of known viruses and malicious programs is updated. Free Antivirus programs usually update once per day and Paid versions update multiple times per day. Some of the more advanced Paid Antivirus software products support an emergency update mode that is triggered when a widespread outbreak has occurred. This is especially beneficial for “zero day” viruses, those that appear with no notice and spread quickly via email or that exploit a Security flaw in the computer operating system.

It almost goes without saying that when it comes to support for the Free Antivirus products there really isn’t any. Support may be available through a Forum where you can ask questions of others, read documentation, and Frequently Asked Questions. For some Paid products, support is not much better. Even though you may have Paid for an Antivirus Software product, there may be a separate charge for Support if you want to ask a technical question via email or call and speak with someone. It is important to read the description of the package you are purchasing and understand exactly what is included with your purchase.

At the bare minimum, take advantage of one of the Free Antivirus programs and if you budget allows, consider a Paid Antivirus program to get more frequent updates and support for removing the virus should one get through.

Purchasing Note: Many of the Paid versions of Antivirus Software have upsell options that include more than just Antivirus software. They may include cookie monitors, added Firewall Software, Anti-Spam software, and other more advanced monitoring and alerting tools. Windows includes a basic firewall and most email providers include Anti-Spam filtering. Only purchase the tools you actually need.

Popular Free Antivirus Software Programs:

Microsoft Security Essentials – Windows
windows.microsoft.com/mse

AVG Free – Windows
free.avg.com

Avast Free – Windows or Mac
www.avast.com

iAntivirus.com – Mac

ClamAV – Windows
www.clamav.com

ClamXav – Mac
www.clamxav.com

Popular Paid Antivirus Software Programs

Vipre Antivirus – Windows
http://www.vipreantivirus.com

Kaspersky Antivirus – Windows
http://www.kasperskey.com

Trend Micro Antivirus – Windows
http://www.trendmicro.com

McAfee Antivirus – Windows
http://www.mcafee.com

Norton Antivirus – Windows
http://us.norton.com/antivirus

Lock your Computer Desktop Screen

August 18, 2012 By Jason Palmer 1 Comment

How often do you walk in to an office and see a computer screen with a Document, Spreadsheet, or Email message open but no one sitting at the desk in front of it? Too often would be the correct answer.

When you leave your desk without locking the computer desktop screen, anyone can see whatever is visible on your computer desktop screen at that moment.

What if a co-worker decides this would be a golden opportunity to sit down at your desk for a few minutes and “browse around?” Are you sure that nothing is “open” that might be of a sensitive nature? What if you had your personal Facebook page open or if you were logged in to your Personal Email Account? What if it were your Resume, an employee annual review, financial statement information, or something confidential? Do you really want anyone who might sit down at your desk to have immediate and unrestricted access to every document that is open and any web site you are logged in to? I think not.

You are probably thinking that none of this applies if you are in a one to three room office with less than ten people. You would be wrong. Quiz Time: Assuming you are in Commercial Office space, how many of you either do not log out of your computer nor lock your desktop screen when you leave at the end of the day? Almost no one? I thought so. Now, how many of you have a Professional Cleaning Service come in every evening. Who here is comfortable with a complete stranger possibly sitting down at your computer and “looking around?” Anyone? No? Again, I thought so.

If you are in a larger office with dozens of co-workers, delivery people, cleaning people, and visitors, it is critical that you secure your desktop by locking it every time you leave your desk. Even if you think you will only be gone a minute, you just never know. You might be called to a meeting or stop in the hallway for an extended chat. All the while, your computer is exposed to anyone who might pass by and “take a look” at what you are doing.

Just like in the physical world, Locks keep honest people honest. It takes only seconds to Lock your Desktop. In Windows, just press the Windows Key and the “L” key simultaneously. When you return, press “CTRL-ALT-DELETE”, like you normally would to get the User Name and Password Prompt. Enter your Password, and you are back at your desktop EXACTLY where you left off.

Mac users, you can press CTRL-SHIFT-EJECT or you can click on the LOCK in the top menu bar and select “Lock Screen.” NOTE: Many Mac users still do not have a password set so locking the screen on a Mac is of limited value unless you set a Password that is required to be entered AFTER the screen saver engages.

Locking your Desktop Screen helps maintain your privacy and protects you and your company from prying eyes.

Share Dessert, Not your Password

August 17, 2012 By Jason Palmer Leave a Comment

In many offices, people think nothing of giving their computer login User Name and Password to a co-worker. In general, this is a bad idea. Once a co-worker has the Password associated with your Login, the co-worker can masquerade as you. There is no technical way to differentiate actions taken by you vs. your co-worker should something inappropriate transpire.

For example, perhaps your co-worker is targeting your job and acts maliciously by sending out a sensitive document to a competitor using your email account. It would be extremely difficult to prove that you did not send it. Whoever did send it had your User Name and Password and gained access as you. Management will ask who else could have sent it but you? As an IT Auditor, I can assure you that most companies do not have the forensic skill to perform a proper investigation to save your job. The facts will appear to be self-evident and Management will take the path of least resistance and fire you.

It is extremely common for an Assistant to an Executive to have the Executive’s User Name and Password. This too is still a bad idea. The mitigating factor is that in most cases, the Assistant’s have the explicit trust of the Executive especially if they have been together for many years. I fully understand that the entire purpose of an Executive Assistant is to “assist” and act on matters that the Executive may not be able to attend to directly. However there are alternatives that do not compromise the Executive’s personal privacy, allow the Assistant access to selected functions, and still maintain an audit trail of access.

The problem with providing an Assistant your User Name and Login Password to your computer, corporate network or any other account is that this is an “All or Nothing” proposition. There is no ability for you as the Executive to keep anything “private” from your Assistant. This means that every single email, document you receive or draft, message from a family member to your work email (and possibly your personal email) – you entire life – potentially – is completely exposed to your Assistant.

On a practical level, this may not seem like an issue to you. You might say, “My Assistant only uses my Computer when I ask him or her to check something for me.” And I would say, “Are you absolutely sure that is the ONLY time he or she has ever sat down at your computer and looked around?” Giving your Assistant your Password exposes you as the Executive to the same kind of risk as any other Staff member. Information that was to be private and remain within the Company or that was for your “Eyes Only” is now potentially shared with your Assistant and whomever he or she sees fit to share it with.

Here is a better solution: Depending on your specific environment, if on a Corporate Network, your Assistant can use his or her own login to access your Computer and Files provided that you give (or more likely your IT Person gives) the appropriate permissions to the directories that contain your personal files that are either stored on the local computer hard drive or on the Corporate Network. In this manner, there is an “Audit Trail” of who accessed what file and when.

The best solution is to take advantage of the fact that you have Corporate Network environment and create “Shared Folders” that only you and your Assistant can access. This allows your Assistant access to files you deem unclassified in the Shared Folder while still allowing you to store sensitive information privately that only you can access in your own personal folders.

Both of the above options work regardless of if you have a Corporate Network and a File Server where files are stored centrally or if you have a Single stand-alone PC. Even on a Stand-Alone PC (or Mac) you can have individual user accounts, each with their own 100% private storage area that can only be accessed while that specific user is logged in under their user name and a common storage area that all users can access regardless of which specific user is logged in.

The most popular excuse (reason) for the sharing of the Executive User Name and Password is for the co-worker or Executive Assistant to check and respond to email. Most Corporate Email Servers, specifically Microsoft Exchange, support the ability for you to give Proxy Permissions to a co-worker or Assistant. This enables someone other than yourself to read, reply, create, and send mail as you depending on what permissions you allow. The subtle difference is that there is an Audit Trail that shows that the correspondence, even if appearing to have been sent by you to the outside party, was actually sent by your Proxy – the co-worker or Assistant acting on your behalf. The other key advantage is that if a message is marked as “private”, a function of some Corporate Mail Servers, the co-worker or Assistant cannot see it. Only you can only open the message with your specific User Name and Password.

User Names and Password are personal and should remain specific to you. As you can see, there are a number of ways to share files and enable access to email with co-workers and Executive Assistant’s that do not compromise your personal privacy.

There is one exception to sharing your Password with someone and that is usually the IT Administrator. Having your specific User Name and Password makes it easier to diagnose problems with your account and enables the IT Administrator to see exactly what you are seeing and the problem you are experiencing. Understand that your IT Administrator has a “Super User” (Administrator) account that would allow him or her to see, in most cases, absolutely every file, email, and piece of data on the Corporate Network regardless of if he or she had your specific User Name and Password or not. (The few cases where this is not true are when a separate encryption program is used to securely encrypt specific files and directories or a specific password is set on a file. In those situations, only the person who set the encryption or the password on the file or directory knows the password to decrypt (access) it. Neither the IT Administrator, nor anyone else for that matter, can access or read the file.)

In general, do not share your user name and Password with co-workers or your Assistant if you can possibly avoid it.

Share Dessert instead. Much tastier and the only risk is a few extra calories.

The Security Value Context – Data vs. Information

August 16, 2012 By Jason Palmer Leave a Comment

All Information is comprised of Data but not all Data leads to useful Information.

Data should be protected where possible but it is Information that needs to be actively secured.

The Security Value Context is the degree to which Data or Information needs to be protected and secured based entirely on the context of how it is organized and how it will be used.

Let me explain: If I have a Tax Preparation Business with thousands of individual client returns, considered Data, no one specific return is particularly interesting (unless perhaps the return belongs to a Public figure, then it becomes Information.) In fact, if I published one random Tax Return, (say Mitt En), on a Billboard in Times Square (without the Social Security Number), chances are no one would give it a second glance. Even if someone knew Mitt En, there is little practical value to the Data presented on the Tax Return. Big deal, the world now knows how much “Mitt” took home last year. The point being made here is that this Tax Return is just random Data. Unless someone is specifically interested in Mitt, and most people are not interested in Mitt, there is extremely limited security value risk to Mitt in the public exposure of his Tax Return. In short, the scope of the Context is singularly “Mitt” himself. No one else really cares.

(For the moment, I am excluding the possibility of Identity Theft from this discussion.)

On the other hand, if this is the Tax Return of Mitt Romney instead of our average individual Mitt En, what a moment ago was random unimportant Data now becomes specifically useful Information. The Tax Return will most likely list all of the Charitable Donations that Mitt Romney has made. This Information will imply the causes that he supports which in turn may suggest the types of Policies he will try to legislate based on his beliefs and values. This has a very high security value risk and therefore needs to be actively secured. The scope of the Context is huge. The majority of the voting population of the United States cares.

If I take the thousands of individual client returns and start to analyze and segregate them based on factors like income, mortgage interest paid, charitable donations, type of employment, dependents, or any other element, I have taken the raw disorganized Data and turned it in to incredibly valuable Information.

Used in a good way, the Internal Revenue Service aggregates the Data from Filed Tax Returns in just this manner to present anonymous profile statistics about the American Tax Payer. This provides valuable information that Congress can use to manage Tax Policy. Since the Data is presented in anonymous, aggregate format, there is a very low security value risk to any one individual return.

Used in a bad way, an unscrupulous person could use the identifiable Data that created this incredibly useful Information against specific groups of individuals for nefarious purposes. For example, groups of individuals that have high mortgage interest deductions might become the target of predatory refinancing lenders. Since each person can be identified, there is a very high security value risk.

It is impossible to know exactly how raw “Data” will be organized or its’ eventual value in producing Information which is why it is important to take appropriate action to protect it. For example, we manage user access with Password protected Software Applications and we encrypt the files to keep the Data as secure as practicable away from unauthorized access.

Conversely, we know exactly how “Data” can instantly become valuable “Information” which is why we go to such great lengths to actively secure it in its final form. We know that a Tax Return contains a Social Security Number, Birth Date, and the full legal name and address of an individual. In the wrong hands, like that of an Identity thief, the information on a Tax Return contains everything necessary to steal the Taxpayers identity and create financial chaos.

Actively securing access to valuable Information, like a Tax Return, requires more than a Password. It requires a policy that explicitly defines how the Information will be stored or transmitted and who will have access to it.

The simplest analogy to the difference in managing “Data” security vs. “Information” security is to think of “Data” as a Credit Card and “Information” as Cash.

With a Credit Card, if a fraudulent transaction is discovered, it can be reversed, the Card cancelled and your perfect credit score remains intact. Data stored on your computer works pretty much the same way: If a file becomes corrupted or damaged, that one data element can usually be isolated or fixed with minimal risk to the remainder of the data. It is one random element among many.

With Cash, if you lose it or it is stolen, it is completely gone with zero recourse. With valuable Information, like a Tax Return in the wrong hands, you can never get it back. The person’s identity may be stolen along with the creation of a financial mess that may take months to clean up.

Determining the Security Value Context of Data vs. Information requires an understanding of how each will be stored, accessed, and presented.

One person’s Data is another person’s Information.

« Previous Page