In the 21st century, a business without a network is like a city with no roads. Small businesses, in particular, arguably have an even greater need for network connections and information systems. They rely on information systems for several things, including their communications and their customer database, and they rely on network connectivity for those communications. With the advancement of Voice over Internet Protocol (VoIP), many businesses use the internet to save on phone costs. It is also common for a business to have an in-house communications system; some Air Force installations, for example, use an Instant Messaging (IM) service for member-to-member contact, and it is often easier to reach someone through IM or social networking. These conveniences, however, present their own IT security challenges, and communication is not all that needs protection. In fact, from a broader view, communication is only a small piece. When a business sells its products online, it has a distinct advantage over mom-and-pop stores, because it must collect certain data to complete each transaction: shipping, credit card, billing, and personally identifiable information (PII). (Bradley, 2010)
This system is located on a network accessible to employees in order to conduct business. Companies are not only morally obligated to protect customers’ information; it’s the law. The May 2002 Financial Information Safeguards Rule requires businesses to develop a written information security plan that describes, among other things, the specific ways their employees should protect consumer information. The plan must be appropriate to the business’s size and complexity, the nature and scope of its activities, and the sensitivity of the information its employees encounter, and must be regularly monitored. (Federal Trade Commission, 2002) The company must consider all areas of its operation, including three that are particularly important to information security: employee management and training; information systems; and managing system failures. (Federal Trade Commission, 2002) These rules are in place to provide customer protection from theft or misuse.
The top ten most common database attacks are excessive privilege, privilege abuse, unauthorized privilege elevation, platform vulnerabilities, SQL injection, weak audit, denial of service, database protocol vulnerabilities, weak authentication, and exposure of backup data. (Schulman, 2012) The majority of these attacks can be mitigated by firewalls, password protection, and appropriate permissions. A firewall is a system designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet (i.e., the local network to which you are connected) must pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. In protecting private information, a firewall is considered a first line of defense; it cannot be the only line of defense.
Firewalls are generally designed to protect network traffic and connections, and therefore do not attempt to authenticate individual users when determining who can access a particular computer or network. Firewalls can also be set up to prevent employees from accessing certain content or downloading programs onto the system. (Indiana University, 2012) However, firewalls only prevent and block so much. Since the firewall is the first line of defense against cyber attacks on a network, there has to be something in place in the event the firewall fails: the password. Today, a sound password strategy is essential for business owners who keep any kind of business information online. Since a customer database is usually accessed over a network, password protection is vital to customers’ PII. Not only does this practice speak to the credibility of the company, it also prevents hackers from gaining access to network systems. A password is, though, a relatively weak form of protection. Passwords are the most common form of authentication used to control access to information, ranging from the personal identification numbers we use for ATMs, credit cards, telephone calling cards, and voice mail systems to the more complex alphanumeric passwords that protect access to files, computers, and network servers.
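The two firewall points made above (each message is checked against ordered rules and blocked unless it meets the criteria, and the firewall never knows which person is behind a connection) can be seen in a small first-match packet-filter model. This is an added example, not code from the essay or from any cited source; the addresses, ports, rule set and log records are constructed, and `Rule`, `evaluate` and `filter_log` are names chosen here.

```python
"""First-match packet filter with a default-deny rule, modelled in Python.

Added example; it is not code from the essay or any cited source. The
addresses, ports and log records are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # destination port, or None for any port
    note: str = ""           # human-readable reason, useful in logs


# Constructed policy for a small office network: the office LAN may reach
# the customer database on TCP 5432, anyone may reach the public web
# server on 443, and a final catch-all denies everything else.
RULES: List[Rule] = [
    Rule("allow", "192.0.2.0/24", 5432, "office LAN -> customer DB"),
    Rule("allow", "0.0.0.0/0", 443, "public HTTPS"),
    Rule("deny", "0.0.0.0/0", None, "default deny"),
]


def evaluate(src_ip: str, dst_port: int, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Walk the rules in order and return (action, note) of the first match."""
    addr = ip_address(src_ip)
    for rule in rules:
        if addr in ip_network(rule.src) and rule.dst_port in (None, dst_port):
            return rule.action, rule.note
    # Only reached if the policy has no catch-all; deny is the safe default.
    return "deny", "implicit deny"


def filter_log(records: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, int, str]]:
    """Apply the policy to constructed 'src_ip dst_port user' records."""
    decisions = []
    for record in records:
        src_ip, port, user = record.split()
        action, _ = evaluate(src_ip, int(port), rules)
        decisions.append((user, src_ip, int(port), action))
    return decisions


# Constructed connection attempts. The 'user' column is information the
# firewall never sees: it decides on addresses and ports only.
SAMPLE_RECORDS = [
    "192.0.2.15 5432 alice",     # employee on the LAN reaching the DB
    "192.0.2.15 5432 visitor",   # unknown person on the same LAN: same verdict
    "198.51.100.7 5432 alice",   # the same employee from outside: blocked
    "198.51.100.7 443 anyone",   # public web traffic: allowed
    "198.51.100.7 22 anyone",    # SSH from the internet: caught by default deny
]

if __name__ == "__main__":
    for user, ip, port, action in filter_log(SAMPLE_RECORDS):
        print(f"{action:5} {ip:>13}:{port:<5} ({user})")
```

The second and third records make the essay's point concrete: the same LAN address gets the same verdict whoever is typing, so the filter is a network control, not a user control, and something else (the password and permissions discussed next) has to decide which person may touch the data.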
Passwords are widely used because they are simple, inexpensive, and convenient mechanisms to use and implement. At the same time, passwords are recognized as being an extremely poor form of protection. In 1995, the Computer Emergency Response Team (CERT) estimated that about 80 percent of the security incidents reported to them were related to poorly chosen passwords. Password problems are very difficult to manage because a single local computer network may have hundreds or thousands of password-protected accounts, and only one needs to be compromised to give an attacker access to the local system or network. With today’s interconnectivity, the problems are potentially devastating on an even larger scale; a skillful intruder may break into one system and never harm it, using it instead as a platform for attacks on a population of millions of targets. (Kessler, 1996) Many individuals like to build their passwords from familiar things. What is often forgotten is that easy passwords are exactly how systems get broken into.
A common concern is that a password will be forgotten if it is too complex. A memorable phrase or an easy keyboard pattern may be better options. Nevertheless, passwords based on a spouse’s or child’s name, an address, or a social security number should be avoided. To strengthen “the weak link,” passwords should be at least eight characters long, and preferably ten; the more characters the better, because the time an unauthorized individual needs to gain access grows with length. Finally, use password complexity: the password should contain at least one character from each of the four groups (lowercase, uppercase, special characters, and numbers). Following these guidelines will dramatically strengthen any business network. (Natarajan, 2008) To simplify things, businesses often create one network for their staff, who then access it with either a common or an individual password. However, what prevents an employee from accessing a particular corporate file or folder?
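The password guidelines above (eight characters minimum, ten preferred, all four character groups, no personal details) can be turned into a policy check, and the claim that longer passwords take longer to break can be shown by counting the candidates a brute-force guesser must cover. This is an added example, not code from the essay or from the Natarajan or Kessler articles; the personal terms and sample passwords are constructed, the class sizes assume printable ASCII (32 punctuation characters), and `check_password` and `search_space` are names chosen here.

```python
"""Password policy checker and brute-force search-space estimate.

Added example; not code from the essay or its sources. It encodes the
guidelines given above (minimum eight characters, ten preferred, all four
character groups, no personal details) and shows why length matters.
The personal terms and passwords used with it are constructed.
"""
import re
from typing import Dict, Iterable, List

# The four groups named in the essay, with a regex to detect each one.
CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "numbers": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
# Printable ASCII sizes; 32 is the count of ASCII punctuation characters (assumption).
CLASS_SIZES = {"lowercase": 26, "uppercase": 26, "numbers": 10, "special": 32}


def character_classes(password: str) -> List[str]:
    """Names of the groups that actually appear in the password."""
    return [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]


def search_space(password: str) -> int:
    """Candidates a guesser must try to cover every password of this length and mix.

    Each extra character multiplies the count by the alphabet size, which is
    why the essay prefers ten characters over eight."""
    alphabet = sum(CLASS_SIZES[name] for name in character_classes(password))
    return alphabet ** len(password)


def check_password(password: str, personal_terms: Iterable[str] = (),
                   min_length: int = 8, preferred_length: int = 10) -> Dict[str, object]:
    """Return the policy findings for one password: hard failures, advice, and search space."""
    problems: List[str] = []
    advice: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    elif len(password) < preferred_length:
        advice.append(f"consider {preferred_length}+ characters")
    present = character_classes(password)
    missing = [name for name in CLASS_SIZES if name not in present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    for term in personal_terms:
        # Names, addresses and ID numbers are easy to guess; refuse them as substrings.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal detail {term!r}")
    return {"ok": not problems, "problems": problems, "advice": advice,
            "search_space": search_space(password)}


if __name__ == "__main__":
    # Constructed personal details an attacker could learn about the account owner.
    known = ["Fluffy", "Smith", "1984"]
    for candidate in ["fluffy1", "Ab1!xyz9", "Rm7!qZ2@pLw"]:
        print(candidate, check_password(candidate, known))
```

Running it shows "fluffy1" failing on length, on two missing groups and on the pet name, an eight-character password passing with advice to lengthen it, and the search space growing from 26^8 for all-lowercase to 94^11 for a mixed eleven-character password.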
On a network of computers, each account used to log on has specific attributes that determine what that user can and cannot access. Those attributes are commonly known as network permissions. Network permissions most commonly affect which files and folders a user can access on a network; they are a way of giving individuals access to certain files or folders within it. Permissions should be set up consistent with the individual’s level of access or need-to-know. This will prevent them from gaining information they are otherwise not allowed to see. Small business is, arguably, the backbone of the world economy. With our ever-growing information systems, it has never been more important to protect information, especially that of a customer base. Firewalls, passwords, and network permissions are just a few basic examples in a plethora of never-ending possibilities and variables. However, these concepts, regardless of their complexity, are some of the most important facets of security in regard to information technology.
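The need-to-know permissions described above can be modelled as group-based folder access with deny-by-default, plus a review function that answers the "excessive privilege" item from the database attack list earlier in the essay. This is an added example, not code from the essay or from any real file server; the accounts, groups and share paths are constructed, and `is_allowed`, `who_can` and `access_matrix` are names chosen here.

```python
"""Need-to-know folder permissions checked through group membership.

Added example; not code from the essay or a real file server. Accounts,
groups and folder paths are constructed.
"""
from typing import Dict, FrozenSet, List, Set

# Constructed account directory: each login carries the groups it belongs to.
ACCOUNTS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"staff", "sales"}),
    "bob": frozenset({"staff", "accounting"}),
    "carol": frozenset({"staff"}),
}

# Constructed share layout: each folder names the groups allowed to read or write it.
FOLDERS: Dict[str, Dict[str, Set[str]]] = {
    "/shared/handbook": {"read": {"staff"}, "write": {"hr"}},
    "/shared/customers": {"read": {"sales"}, "write": {"sales"}},
    "/shared/payroll": {"read": {"accounting"}, "write": {"accounting"}},
}


def is_allowed(user: str, path: str, op: str) -> bool:
    """True only when one of the user's groups is granted `op` on `path`.

    Unknown users, folders or operations fall through to an empty set and
    are therefore denied by default."""
    groups = ACCOUNTS.get(user, frozenset())
    acl = FOLDERS.get(path, {})
    return bool(groups & acl.get(op, set()))


def who_can(path: str, op: str) -> List[str]:
    """Accounts holding `op` on `path`; a review for excessive privilege starts here."""
    return sorted(user for user in ACCOUNTS if is_allowed(user, path, op))


def access_matrix() -> Dict[str, Dict[str, str]]:
    """Per-user view of every folder as 'rw', 'r', 'w' or '-', for periodic review."""
    matrix: Dict[str, Dict[str, str]] = {}
    for user in ACCOUNTS:
        row: Dict[str, str] = {}
        for path in FOLDERS:
            flags = ("r" if is_allowed(user, path, "read") else "") + \
                    ("w" if is_allowed(user, path, "write") else "")
            row[path] = flags or "-"
        matrix[user] = row
    return matrix


if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user, row)
    print("can write handbook:", who_can("/shared/handbook", "write"))
```

Because every staff account shares the "staff" group but only sales can open the customer folder, a shared network does not have to mean shared data: each account is checked against the folder's own list, and a folder that nobody can write (the handbook here, since no account is in "hr") shows up immediately in the review output.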
References
Bradley, H. (2010, April 21). Customer Databases as Marketing Tools. Retrieved November 20, 2012, from Small Business Computing: http://www.smallbusinesscomputing.com/emarketing/article.php/3877761/Customer-Databases-as-Marketing-Tools.htm
Federal Trade Commission. (2002, October 17). FTC Offers Guidance on How to Protect Customer Information. Retrieved November 20, 2012, from Federal Trade Commission: http://www.ftc.gov/opa/2002/10/safeguard.shtm
Indiana University. (2012, August 21). Knowledge Base. Retrieved November 20, 2012, from University Information Technology Services: http://kb.iu.edu/data/aoru.html
Kessler, G. C. (1996, January). Passwords – Strengths and Weaknesses. Retrieved November 20, 2012, from garykessler.net: http://www.garykessler.net/library/password.html
Natarajan, R. (2008, June 8). The Ultimate Guide For Creating Strong Passwords. Retrieved November 20, 2012, from The Geek Stuff: http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/
Schulman, A. (2012). Top 10 Database Attacks. Retrieved November 20, 2012, from The Chartered Institute for IT: http://www.bcs.org/content/ConWebDoc/8852