PROTECTION AGAINST CYBER ATTACKS
Cyber attacks target computer or telecommunication
networks of critical infrastructures such as power systems, traffic
control systems, or financial systems. Cyber attacks target information
technologies (IT) in three different ways.
First is a direct attack against an information system "through
the wires" alone (hacking).
Second, the attack can be a physical assault against a critical
IT element.
Third, the attack can be from the inside as a result of compromising
a trusted party with access to the system.
1. Be prepared to do without services you normally depend on that
could be disrupted - electricity, telephone, natural gas,
gasoline pumps, cash registers, ATM machines, and internet
transactions.
2. Be prepared to respond to official instructions if a cyber attack triggers
other hazards, for example, general evacuation, evacuation to
shelter, or shelter-in-place, because of hazardous materials releases,
nuclear power plant incident, dam or flood control system failures.
TIPS TO KEEP YOUR COMPUTER NETWORK SECURE
1. De-militarized zone (DMZ)
One computer network security device is a "firewall." Firewalls
allow the outside world to access only those parts and files of
your computer that you give them permission to. For instance, a
firewall allows people to access a web site via the internet, but
they will not have access to make changes to it.
The web site sits on a server, which is surrounded by a firewall.
This area is called the de-militarized zone, or "DMZ"
for short. A second type of firewall can be added as a second layer
of security. This is oftentimes a router, and is used to guard
information that is meant to be kept private. A properly designed
and installed DMZ is critical to corporate security.
2. Keep back-ups
It is very important to make sure that you back up all information.
Everyone has been through the headache of losing information or
a document that was not saved to the computer. It is irritating,
but imagine if you lost every file on your computer, or your entire
web site from your server. It would be impossible to get everything
back exactly as it was, not to mention the time lost trying to collect
everything. For businesses this would be very devastating. This
is why it is important to regularly make back-up copies of your
entire computer/server including any web sites that may be quite
to hackers. When you have an updated back-up of your entire system,
you can have it back up and restored in its original state should
someone try to break into your server and delete information. Properly
done, back-ups not only restore the original web site content but
also the fixes and patches that have been applied.
3. Day-to-day maintenance
Make sure that you keep your software up to date. When software
manufacturers offer updates, do not hesitate to install them. These
"patches" are often fixes to problems or weaknesses that they have
found with their product. Keep in mind that one of the most important
updates that you need to stay on top of is with your anti-virus software.
Yes, these subscriptions often come with a small fee, but spending
a little each year to help your computer stay on top of the latest
viruses is well worth the money.
4. Get an intrusion detection system
These systems give you a "heads up" when something, such as
a hacker, is trying to access your computer. They allow you to look
at the threats to your system by monitoring traffic into your system
and looking for irregularities in network performance.
5. Make sure coding is up to standards
If web site programming is not done properly, your system could become
more vulnerable to hackers. Normally, programming has been set up
to allow users to interact with your server, but hackers have access
to special commands that give them more access than what is normally
allowed. They then have free rein over your server, changing and/or
damaging anything they wish. Good programming stops this type of
attack by using a technique called "error detection and handling."
Another problem can occur when interaction has a large effect on the
performance of your system as a whole. And this can happen quite
innocently. Improper coding could allow the interaction of a single
browser to use up all the power of your CPU (the central processing unit
that processes requests to your system), causing things to move quite
slowly.
Proper coding would prevent problems such as these by ensuring that what
is being passed on to the server is a legal operation.
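
An added example (not from the original article) of the kind of check this section describes: a hypothetical request handler that accepts only operations on an allow-list, caps input length so a single request cannot demand unbounded work, and handles errors by logging the reason while returning a generic reply. The operation names, limits and function names are assumptions made for illustration.

```python
import re

# Assumed allow-list: the only operations this hypothetical server accepts,
# each with the exact parameters it takes and the characters they may contain.
ALLOWED_OPS = {
    "view_page": {"page": re.compile(r"[a-z0-9-]{1,40}")},
    "search": {"q": re.compile(r"[\w .,'-]{1,64}")},
}
MAX_VALUE_LEN = 256  # cap input size before any further processing


class RejectedRequest(Exception):
    """Input that is not a legal operation; the message is for the log only."""


def validate(op, params):
    """Return the checked parameters or raise RejectedRequest."""
    if op not in ALLOWED_OPS:
        raise RejectedRequest("unknown operation")
    spec = ALLOWED_OPS[op]
    if set(params) != set(spec):
        raise RejectedRequest("unexpected or missing parameter")
    clean = {}
    for name, pattern in spec.items():
        value = params[name]
        if not isinstance(value, str) or len(value) > MAX_VALUE_LEN:
            raise RejectedRequest(f"bad type or length: {name}")
        if not pattern.fullmatch(value):
            raise RejectedRequest(f"illegal characters: {name}")
        clean[name] = value
    return clean


def handle(op, params, log):
    """Error handling: generic reply to the client, detail kept in the log."""
    try:
        clean = validate(op, params)
    except RejectedRequest as exc:
        log.append(f"rejected op={op!r}: {exc}")
        return 400, "Bad request"
    return 200, f"ok {op} {sorted(clean.items())}"


if __name__ == "__main__":
    log = []  # constructed sample requests below, not real traffic
    print(handle("view_page", {"page": "contact-us"}, log))
    print(handle("view_page", {"page": "../admin"}, log))
    print(handle("search", {"q": "x" * 100000}, log))
    print(log)
```
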
6. Implement company-wide security policies
Make it a company policy that only computer administrators are allowed
to install new technology. Employees should not be allowed to hook
up their own equipment to the network on their own. This especially
should be enforced with wireless equipment. The reasoning behind
this is that hooking up wireless technology requires a wireless
access point, which essentially punches a hole behind the firewall
and other security measures that have been set up. Hackers need only
to have a laptop computer, and be in the area of a vulnerable network
(due to unsecured wireless equipment), to access it as a company
employee.
This kind of security breach isn't a problem if the access point
is configured to be safe, which usually means putting in place extra
encryption. If an employee hooks up wireless equipment on his own,
it's likely such security measures won't be taken. There will always
be an interest in setting up the latest technology, not to mention
the commercial pressure to do so, but it's important that these
technologies are hooked up by the people who know how to do it properly.
7. Social Engineering
Hackers or terrorists don't necessarily have to be computer wizards
or technical geniuses in order to cause untold damage to a company
or network. More often than not, they just have to be charming and
easy to talk to. Many hackers, terrorists and other criminals can
often get exactly what they want just by asking for it. A few phone
calls to unsuspecting employees can net information that can result
in serious breaches of security. People who are especially good
at this deceptive practice are called social engineers.
Deceivers may call in to a company claiming to be someone they aren't,
and nonchalantly provide a scrap of evidence that proves
that they are who they say they are. Thereafter they may ask for
a piece of information that is confidential, but regularly exchanged
between employees. A few examples of such a piece of information
may be an employee number, a merchant account number, an employee
schedule or whereabouts, administrator identities, passwords, or
even information about customers. Larger corporations are more at
risk than smaller ones, for in small companies, most people know
who is trusted and who isn't. But in a large corporation, Sally
in Accounting may have no idea what Carl in Management
even looks like or sounds like on the phone. A look at the company
directory might indicate that he is indeed an employee, and Sally
may go ahead and give Carl the piece of information
he wants. These bits of information can then be used to gain trust
at even more critical levels, with more unsuspecting employees who
are just trying to be helpful. The adept social engineer is able
to smoothly talk his way through situations, gaining trust, and
consequently gaining access to vital company information that will
ultimately be used against that company.
Companies should implement a strict set of company policies that
outline a set of rules that dictate how and when information is to
be given out, and to whom. If employees don't have an absolute set of
rules to follow concerning sensitive company information, they will
eventually run into a social engineer who is able to talk them into
giving away information while making them believe that they have
been a Good Samaritan. For more information and details about the
methods employed by social engineers, please see Kevin D. Mitnick's
book entitled The Art of Deception: Controlling the Human Element
of Security. In this book he outlines several blueprint plans that
can be used to tighten a company's security policy with regard
to the dangers of social engineering.
Sources: FEMA and the CBC (Canadian Broadcast Network news story),
and The Art of Deception: Controlling the Human Element of Security
by Kevin D. Mitnick