While many people pooh-pooh the site, have a look at the Get Safe Online site – it does do the job that people are asking for.
John and Peter raised some interesting points. Some customers just do not believe that security is a threat they have to pay attention to, or that it requires real management to fix. This is something we can start to work towards. We do have materials on bCentral.co.uk around security, which is key for business, and obviously the www.microsoft.com/security newsletters to our partners.
I was also asked “how long should I wait before I apply a patch”. This is always a difficult question in the real world, but you basically have to weigh up two things: what is the impact if I don’t apply the patch, and what is the worst case if I do. On the “if I do not” front, the system could be compromised, data lost or the server turned into a bot. If it is really nasty, it could also gather information from the employees, potentially impacting both the business and its staff personally.
On the flip side, applying a patch could potentially BSOD the system – not something we hear about often. With major changes such as SP1 for Windows Server or SP2 for XP, we built in a removal script that could be used with the Command Console (\i386\winnt32.exe /cmdcons to install from a Windows CD) to remove the product. More likely is that nothing bad will happen. Should something “bad” happen, it is more likely to be that an application has hit a problem with the patch. In this case, look at how to protect the system and then remove the patch. At each conference I speak at I ask about auto patching – for audiences of 150-200 people I normally get between 1 and 4 who say they have had a problem with a patch. More raise their hand to say they have been hit with viruses etc.
John also pointed out some absolutely top adverts / video from Microsoft, which I have linked to in the downloads section, on Security and Livemeeting. John’s Blog can be found at http://blog.roundtripsolutions.com
If you want to share thoughts on security, either reply to the blog, or post in the forum (http://uksbsguy.com/forums/thread/203.aspx) for a thread on this.
You can also find out what we are saying at http://www.bcentral.co.uk/security
On the Safety Online campaign, have a look at the following bits of information that you can share with your customer who is not quite interested in Security.
What are the risks around security - http://www.getsafeonline.org/nqcontent.cfm?a_id=1143
How to evaluate an IT Partner - http://www.getsafeonline.org/nqcontent.cfm?a_id=1107 – includes a link that takes you to the MS Find a SBSC partner page
A bit on how hackers work – skip over the “packets” bits - http://www.getsafeonline.org/nqcontent.cfm?a_id=1170
Terms defined - http://www.getsafeonline.org/nqcontent.cfm?a_id=1168
A great section that outlines how people can get fooled into sharing information with the “bad” people.
http://www.getsafeonline.org/nqcontent.cfm?a_id=1169
Criminals use the internet’s reach and efficiency against us. They can:
· Send out millions of emails in a day.
· Download DIY virus kits from the internet.
· Hijack tens of thousands of computers to spread viruses and spam.
· Use viruses to find vulnerable computers or private information.
· Anonymously subcontract techy stuff to bad hackers.
· Buy and sell vast quantities of personal information.
· Use software to guess most passwords in seconds.
· Host fraudulent websites on other people’s computers.
· Impersonate real users using stolen identities.
· Operate clandestinely almost anywhere in the world.
And it costs them next to nothing. On the other hand the rewards are substantial:
· If someone signs up for a gambling site after clicking on a spammer's advert, the spammer receives up to half of the money they spend gambling as a 'reward' for bringing in the customer.
· Or a share of their spending on online porn or product sales.
· With a stolen identity, they can empty your bank account or max out your credit cards.
· E-commerce sites can suffer extortion or risk having their site jammed.
· Criminals can impersonate legitimate buyers and sellers online.
Top online safety myths – covering the view that “someone will fix it for me or pay me back or take responsibility”. One of the things to bring out is how much time & effort it takes to sort things out. People should ask their partners if they are willing to spend the 60 hours and several days to solve problems. I like the ones below:
http://www.getsafeonline.org/nqcontent.cfm?a_id=1167
I’ve got a backup
A backup on its own won’t protect you against anything. It’s a bit like having a spare car in the garage at home in case you crash the one you’re in.
I’ve got insurance
Insurance companies usually exclude virus attacks from their cover. Specialist cover is available for businesses but usually comes with a requirement for extra security.
If I lose money, the bank or credit card company will sort it out
If you can prove you were not responsible for a debt that was run up fraudulently using your stolen information, you will be reimbursed.
However, there is no compensation for the time and stress required to sort it out. It isn’t pleasant when someone drives a bulldozer through your credit history.
A typical case might take a week or more to put right but there are extreme examples of identity theft that have taken people months to straighten out.
It’s too time-consuming to do anything about security
It can take 60 hours, on average, to sort out a case of identity theft and a couple of days to clean up a computer that has been infected with viruses and spyware. An ounce of prevention really is worth a pound of cure.
My internet service provider protects me from online threats
Some internet service providers (ISPs) provide some elements of security such as scanning emails for viruses or providing you with a firewall, but you need to understand exactly what they do and, more importantly, what they don’t do.
Some ISPs do nothing to protect you. Not only that, an ISP can do nothing to protect you from conmen or hoax emails. Assuming that your ISP is doing it all could be an expensive mistake.
Ttfn
David
Posted Thu, Mar 30 2006 12:57 PM by David Overton