
Privacy Protection and Fraud Prevention

Information Security – Protection Begins at Home
By Alan Brill, Senior Managing Director
Kroll, The Risk Consulting Company
©2001 Kroll, Inc. – Used by Permission

With more and more of us taking highly confidential work home to process on either a laptop or a home computer, it has become vital to consider whether you are adequately protecting that information. We have seen cases where confidential data was compromised and the weak link was work being done at home. Here are some ways to handle confidential work papers and computer files that will frustrate the hackers, crackers and cyber-spies...

Use protective programs that will make your computer more secure.
Using a combination of readily available programs, often sold as a bundle or package, you can minimize your risk of becoming a victim of online crime. Here are some of the most important:
  • Antivirus
    An antivirus program is a necessity. The most popular commercial programs are Norton Antivirus and McAfee VirusScan. There are some other good free programs such as Avast, AVG and Microsoft's Security Essentials.
  • Firewall
    If your home computers are not behind a wireless router, an application firewall is a must. A firewall filters the traffic between your computer and the Internet. ZoneAlarm is one of the most popular free firewall programs. Windows Vista and Windows 7 both come with firewalls turned on by default.
  • Anti-Spyware
    An anti-spyware program can scan your computer for known spyware applications and remove them. Some of the most popular are Ad-aware and Spybot Search & Destroy. Most commercial products offer both antivirus and anti-spyware built into one security application.

Get a good shredder for the home office.
By good we mean one that produces confetti, not long strips of paper. The problem with strip shredders is that the documents can be reconstructed, and the basket fills up very quickly. With a crosscut shredder, the capacity of the basket is greater, and the ability to reconstruct is greatly reduced. Shredders that will do a great job are now priced at $50 and under.
By the way, since many municipalities now require recycling of paper, it is easier for someone to grab your waste paper without having to sort it from your other garbage. Not only should you be shredding confidential drafts and other work-related material, but in light of identity theft, consider shredding things like credit card solicitations and similar materials.

If you have a fast computer connection, you must install a firewall.
Fast connections are either cable modems or DSL lines. They are very fast, they are on all the time, and in most cases, they have what is called a fixed IP address that can make you very vulnerable to having someone access everything on your computer remotely, without you ever knowing about it. Most of us use Microsoft's Windows operating system. The settings on most of our computers permit what is called file sharing. No problem if your computer is not connected to the Internet, but when it is connected with a fixed IP address, it is possible for a person to hook up to your machine through that cable or DSL modem, and to read and copy everything on your PC.
An outsider can also load programs onto your machine (for example, a program designed to attack other computers in a distributed denial of service attack). To prevent this, you can use a firewall. Home firewalls are not hard to install or to use. In fact, you can probably do the entire process – downloading the software, installing the software and configuring it – in less than one hour. Sometimes, your cable or DSL provider will do this for you, but you have to be sure it gets done, even if you have to do it yourself.
Popular home firewalls include ZoneAlarm (free from ZoneLabs at www.zonelabs.com); BlackIce Defender (purchase online at www.networkice.com for about $50); and Norton Personal Firewall (purchase online from www.symantec.com for about the same price). If you have two or more PCs at home and use Internet Connection Sharing, consider using a device known as a cable/DSL router between the cable/DSL modem and your PCs to provide significantly greater security.
Even if you only have one PC, you should still consider the addition of a cable/DSL router for its protection if you are working on highly confidential documents. The cost is under $150. (Linksys at www.linksys.com provides one of the most popular lines.)

Email can be leaky.
Confidential files sent by standard email can be intercepted. The most likely points of interception are nearest to the source or destination points. Also remember that copies are easy to make. You may want to consider ways to send confidential material that are more secure than standard email.
For example, simple file compression programs like WinZip give you the option of creating a password-protected file in the form called a self-extracting archive. You tell the software the files you want to send, and it converts them into an executable file (a program) that you send as an attachment to a regular email. When the recipient gets the attachment, they run it and are asked to put in a password. You give them the password independent of the email (e.g. face-to-face, by phone, fax or some other means). They enter the password, and the files are decrypted, expanded to full size, and placed wherever the recipient wants to store them.
The advantage of this is that the recipient does not need specialized software. More secure solutions usually require the sender and recipient to share software and digital encryption keys. One solution using this approach, free to individual users (not to organizations), is a program called Pretty Good Privacy (PGP), which can protect your sensitive information.

Know the weakness in the security systems of popular software packages.
If you use software like Word, WordPerfect, Excel, etc. you probably know that you can password-protect a file. Earlier versions of some of those programs did not actually encrypt the files as part of password protection, but newer versions really do encrypt the data. But you should know that there are various software packages that can break that encryption, sometimes in seconds.
Even where the latest versions of these packages are used, we routinely break passwords in a matter of hours or days by using a parallel processing system. With up to 100 PCs working on the problem (many in their spare time at night, or when the user is not running a program) we can test millions of code combinations every second, and it's only a matter of time until we get the right code.
The problem is that these packages use very simple encryption algorithms with limited key lengths. (We still are faced with checking just over one trillion keys, but this is no longer a big problem.) The moral of the story is this: don't trust that the encryption in your word processor or spreadsheet is going to give you world-class protection.
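The arithmetic behind this point, as an added example that is not part of the original article: it computes how long an exhaustive key search takes at a fixed rate and how long a key must be to push that time out of reach. The pool rate of 5,000,000 keys per second is an assumption standing in for "millions of code combinations every second", and 40 bits is used because 2^40 is the keyspace that is just over one trillion.

```python
"""Exhaustive key search time versus key length (added illustration)."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(bits):
    """Number of distinct keys for a key of the given length in bits."""
    return 2 ** bits


def search_seconds(bits, keys_per_second, expected=False):
    """Seconds to try every key (worst case) or half of them (expected)."""
    total = keyspace(bits)
    if expected:
        total //= 2  # on average the right key turns up halfway through
    return total / keys_per_second


def min_bits_to_resist(years, keys_per_second):
    """Smallest key length whose expected search time is at least `years`."""
    keys_needed = 2 * years * SECONDS_PER_YEAR * keys_per_second
    return math.ceil(math.log2(keys_needed))


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    RATE = 5_000_000  # assumed keys/second for the whole pool of PCs
    for bits in (40, 56, 128):
        worst = humanize(search_seconds(bits, RATE))
        typical = humanize(search_seconds(bits, RATE, expected=True))
        print(f"{bits:>3}-bit key: {keyspace(bits):,} keys, "
              f"worst case {worst}, expected {typical}")
    print("bits needed to hold out 1000 years at this rate:",
          min_bits_to_resist(1000, RATE))
```

Each added bit of key length doubles the search time, which is why a format with a short key falls in days while a modern 128-bit key is out of reach of this approach.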

Don't download content you aren't certain is safe.
Aside from viruses, you could find yourself with software that does things you don't know about, like reporting to an outsider what you are doing, or transferring files, or something else you wouldn't approve of.

Please use passwords that are hard to guess.
Don't use names of family members, birthdays or the names of your pets. In fact, you should avoid any word that is in the dictionary (since hackers use dictionary files to break into systems). The best passwords don't have to be hard to remember, just hard to guess.
For example, if you want to use the name of Yosemite National Park as your password, it is a lot harder for a hacker to come up with y0sem1te (substituting numbers for the letters o and i) than Yosemite. A substantial percentage of penetrations of online and corporate databases can be traced to bad passwords.

Did you know you can change your PC Branch Password?
Although PC Branch has extensive security features that have never been broken, you can go one better yourself. By going to User Options and choosing to change your password, you can select your own password in any alpha and numeric combination up to 16 characters. You can even update it on a regular basis.

The virus threat is still real.
If you are not using an anti-virus package on your home computer – one that is updated regularly with new virus definitions, and which can scan email attachments for viruses – you are asking for trouble. You already know this, but it bears repeating.

Consider backups.
If something goes very wrong with your computer – through a virus destroying your files, a hacker running a malicious program, or a hardware failure – could you recover your files and programs? It is not difficult to use backup software to create a recovery copy on something as simple as a CD burner. But remember this: if you make backup copies, you have to protect them. Stealing or copying a backup disk or tape is as good as grabbing the computer. Safeguard them, and when you no longer need them, destroy them (physically break the CDs).

Keep your browser up to date.
To help ensure that you are maintaining the highest level of security, keep your browser up to date with the most current version and download security patches as they are released.

There's still data on that old computer.
When the time comes to get a new computer and retire the old one, remember that the hard drive on the old machine can contain a lot of very confidential data. Even reformatting the disk does not necessarily remove that information. The best way to get rid of it is with a shredder program (some of which are available at no cost). Also be cautious when sending a machine out for maintenance. Unless you encrypt files on your hard drive, the technicians could read anything on your disk while they have your machine.

Basic physical security.
Finally, don't overlook basic physical security, like a small UL-rated safe for valuables, valuable documents and computer back-up files. And for under $35, a good cable lock will help prevent the theft of your computer should your home be broken into.

© 2010. Digital Federal Credit Union