As Mastercard and Visa customers worldwide discovered last week, even the most secure computer networks can be compromised.
However, the hackers and phishers who managed to illegally obtain credit card details from those organisations and their customers had a large, lucrative target in sight. By comparison, smaller computer systems tend to be probed at random without the hacker knowing what they are attacking.
Though these less organised attacks can be thwarted by fairly simple security measures (more on this later), small businesses still have plenty of cause for concern.
Why? Because the incidence of some electronic crimes jumped by more than 300 per cent between July and December last year.
In March, security software and services firm Symantec released its bi-annual report into internet attacks, vulnerabilities and security risks. The report, which covered the period from July 1 to December 31, found malicious code designed to expose confidential information represented 54 per cent of the top 50 malicious code samples received, a leap of 44 per cent for the first six months of last year.
Alarmingly for online retailers and those that offer customer access to internal computer systems, Symantec also found the number of phishing attacks - a method cyber criminals use to fool people into divulging confidential online information - is increasing exponentially. By the end of December 2004, Symantec's antifraud software filters were blocking an average of 33 million phishing attempts a week, up from an average of nine million per week in July 2004. That's an increase of 366 per cent.
Yet despite growing sophistication and professionalism in electronic crime, independent research consistently shows small businesses are inclined to sit back and hope for the best.
John McNulty, CEO of international security software and services firm Secure Computing, says most phishing scams prey on easy targets, and a layered security approach and user education are equally important.
"Just as password policies can be undermined by a simple Post-it note, users must be aware of the risks of being careless with identity credentials. [They] need to be educated by their organisations and financial institutions about the risks that are out there," he says.
Along with user education, businesses should take a simple three-step approach to system security: install and update security software, configure a firewall to guard systems against unwanted internet traffic, and keep operating systems regularly patched.
It's not a new message, but it remains an important one: although many businesses do run security software and a firewall, too many ignore the easiest and probably cheapest security option of all - patching the operating system.
Brett Roberts, manager platform strategy and security for Microsoft New Zealand, says he is constantly amazed by the number of people who overlook this option.
"I run a firewall, security software and regularly patch the operating system and have never had a major security breach personally or professionally," he says.
Patching, the process of downloading software updates to "plug" security vulnerabilities and other operating system problems, is straightforward, usually free and painless - providing it is done regularly.
And there are good reasons for patching.
Reflecting the dominance of Microsoft's Windows operating systems, Symantec's report shows that more than 7360 new Microsoft Windows viruses and worms were documented for the last six months of last year - an increase of 64 per cent over the first half of 2004.
By December 31 the total historical number of Windows variants documented was close to 17,500.
Roberts says that though patching Windows couldn't be simpler (see box), software providers such as Microsoft also sell tools that help businesses keep an eye on the security of their operating systems.
By mid-July, these will include Systems Management Server 2003 Inventory Tool for Microsoft Updates, a product designed to help large organisations scan and manage operating system patching across a large computer network, and Microsoft Baseline Security Analyser 2 for small businesses.
But Microsoft Windows isn't the only operating system that needs patching.
Despite a widespread belief that the Apple Mac operating system doesn't have security vulnerabilities, Apple knows better.
It encourages users to regularly download free security updates from its website and provides Mac operating system and network management tools.
How to patch your operating system
Microsoft Windows: Updates are available online for versions from Windows 98 and up. Go to the Windows Update page. Click "Scan for Updates." When you are presented with the list, you can remove some updates if you know you don't need them. However, if in doubt, it's wise to install all updates.
Apple Mac OS: Go to Apple Support. Scroll down the page and click on the link that provides updates for your version of the Mac OS, or use your computer's automatic software update function.
Beating cyber crims