#3115390 - 10/14/10 05:00 PM Computer Security Help Please  
Joined: Apr 2001
Posts: 1,479
Cajun Offline
Member
Lafayette, LA
I am researching the internet but I wanted to pose my questions here as well.

I work for a very small company (4 of us). All of our computers are networked. I need to secure the network.

1. Is there a better way to secure individual computers and the hard drives so if they are stolen, the information could not be accessed? Right now we only use the windows log-on password that activates when the screen saver activates.

2. I want to protect our network from being hacked by outside persons through the internet. Is ZoneAlarm good enough for this?

3. I have a network attached storage that I use to back up our working data every night. How can I secure those hard drives if the network attached storage is stolen? Would it be better to pay for on-line storage to back up our files?

4. Do you have any suggestions for email security? We send medical records and such by email.

It's not like we have data that people actually want to steal. It's more that we don't want our data out there for all to see if the computers are stolen.

Thanks.


Intel i7-13700K
Gigabyte Z690 Aorus Ultra
Radeo RX 570 (8GB)

#3115512 - 10/14/10 07:05 PM Re: Computer Security Help Please [Re: Cajun]  
Joined: Nov 2005
Posts: 6,636
speedbump Offline
Hotshot
Edgewood TX
You can use TrueCrypt to encrypt individual folders or entire hard drives. I don't use it for the whole drive, but I used it for folders and such and it's very reliable. Gmail encrypts your mail.

http://gmailblog.blogspot.com/2008/07/making-security-easier.html

Most routers have a hardware firewall built in, making a software firewall unnecessary. I got tired of messing with ZoneAlarm and Comodo a while ago since they both used to be so buggy and crash prone. Maybe they are better now.

#3115514 - 10/14/10 07:06 PM Re: Computer Security Help Please [Re: Cajun]  
Joined: Jan 2001
Posts: 25,138
RSColonel_131st Offline
Lifer
Vienna, 2nd rock left.
1) There is numerous software out there that encrypts hard drives. The easiest way though, IMHO, is to look in the BIOS of the computer to see if you can set a HD password. Basically the SATA controller will then always query at boot for that password, and if it isn't entered it will not open the HD. The Windows password itself does not protect data, since you can simply plug the "stolen" drive in as a secondary drive in a different system and it could be read then. A HD password does still work even if the drive is put into a different computer and opened with a different OS.

2) How are you accessing the internet? Basically any cheap hardware router will do, preferably a NetGear or Linksys. These will by default setup block all incoming requests from the outside. Then add a decent software virus scanner (Avast or Trendmicro are my current picks) on the systems themselves to defend against trojans and other data-grabbers.

3) There is software that will backup directories and files into an encrypted file with PW protection. Also, all the NAS I've ever seen can be setup with an administrator password and a password needed to access the shared drives. That would do. What are you currently using to copy the data to NAS?

4) For email, there are payware solutions from PGP (Pretty Good Privacy) that will encrypt and decrypt mails, but it's not very convenient if the receiver does not have PGP set up. A simpler way would be to mail out password protected ZIP or RAR files containing the data, and to share the password with the receiver over phone or personal conversation. You can use 7Zip Freeware to create password protected archives.

#3115528 - 10/14/10 07:16 PM Re: Computer Security Help Please [Re: Cajun]  
Joined: Apr 2001
Posts: 1,479
Cajun Offline
Member
Lafayette, LA
My network attached storage is a Netgear SC101. It uses proprietary software (driver) to access the drives. I didn't think of this 'til you mentioned it, but in order to access the 2 hard drives on the Netgear device you have to load your computer with the Netgear program. When you run the program, the software asks if you want to attach the drive to your computer so you can access it. The program asks for a password to do this.

So I would think if someone takes the Netgear storage device and tries to hook it up to their computer, he or she would need the software and password to attach the drive in order to access the files.

As far as my other concerns, you and speedbump gave some good suggestions, thanks.

Our company deals with insurance companies and medical records and I am trying to ensure the records that we have stay private.


Intel i7-13700K
Gigabyte Z690 Aorus Ultra
Radeo RX 570 (8GB)

#3115656 - 10/14/10 09:59 PM Re: Computer Security Help Please [Re: Cajun]  
Joined: Jan 2001
Posts: 25,138
RSColonel_131st Offline
Lifer
Vienna, 2nd rock left.
For the NAS, you ought to take the time and "learn" to set it up manually. I never trust the configuration that some wizard program makes for me. The NAS should have a web interface (so if you type its IP address into your web browser, you will hit the admin interface). From there you normally can create folders and manage rights on these folders. Make sure that the default admin PW is not still active, and check the rights on the data folder.

Normally in Windows you then just map it as a network drive with the user/pw you set. Then you can be absolutely sure that the rights management is working correctly.

#3116920 - 10/16/10 06:46 PM Re: Computer Security Help Please [Re: Cajun]  
Joined: Jun 2010
Posts: 175
baldheadeddork Offline
Member
Originally Posted By: Cajun
I am researching the internet but I wanted to pose my questions here as well.

I work for a very small company (4 of us). All of our computers are networked. I need to secure the network.

1. Is there a better way to secure individual computers and the hard drives so if they are stolen, the information could not be accessed? Right now we only use the windows log-on password that activates when the screen saver activates.

2. I want to protect our network from being hacked by outside persons through the internet. Is ZoneAlarm good enough for this?

3. I have a network attached storage that I use to back up our working data every night. How can I secure those hard drives if the network attached storage is stolen? Would it be better to pay for on-line storage to back up our files?

4. Do you have any suggestions for email security? We send medical records and such by email.

It's not like we have data that people actually want to steal. It's more that we don't want our data out there for all to see if the computers are stolen.

Thanks.



If you're handling medical records, HIPAA compliance needs to be part of your considerations and that's going to include a lot of security requirements. Talk to people in your line of work, or a trade organization if you have one, and know your exposure to HIPAA. If something bad happens with records in your possession, you don't want it to be because you were out of compliance.

A security evaluation isn't one-dimensional. It isn't just about stopping someone from hacking into your network or breaking in and stealing your computers. What you do to protect against that is going to have an effect on recovering from something like a drive failure and how easy it is for your staff to do its work. Everything is a trade off and you have to find the best balance for your needs.

That's why I'm inclined to not recommend encrypting everything. As protection against physical theft, encryption is only as strong as your user password policy. Encryption is great for protecting data being sent across a public network or files that are stored on a server that multiple users can access. But it comes with some big drawbacks. Backing up encrypted files takes a lot longer than regular files, and the encryption process increases the chance of a file being corrupted as it's being backed up. It also creates an exposure to internal sabotage. If a user changes the password for an encrypted file and quits, you're probably going to lose that data. There are ways to reset the password in Windows, or if you have an administrator account set up you can get to any file on the system. You can't do that with encryption programs.

With four users I'm guessing that you're on a workgroup and not a domain. I'd recommend setting up the administrator account on all of the workstations if you haven't done that already, and enforcing a strong password policy. No words that are in the dictionary, require at least one capital letter and number or character, and do not allow anyone to keep their password written down. Explain that it doesn't have to be random, something like "S@ints123" will work fine. If you are on a domain you can enforce it through the user account and security settings, but make sure the passwords for the local machine meet the same requirements. (On XP, you'll want to turn off simple file sharing, too: http://support.microsoft.com/default.aspx?scid=kb;EN-US;307874)

About your NAS, the ones I've worked with offer password protection for the admin and users to access files. If you want to use encryption at this level, make sure you test the backups regularly. Off-site backups are a great idea, but if you have a lot of files online services can get expensive in a hurry. A lot of our clients have two NAS drives that they swap out every day and the drive not in use that day is kept out of the building.

On network security, I think you're looking at it through the wrong end of the telescope. Zone Alarm is fine for stopping external threats. But the much bigger threat is malware and viruses that users unknowingly install on their machines, and these programs then send information out in a way that's likely to go unnoticed by any firewall program. You have to address this threat from a number of angles. Workstations have to have good antivirus/antimalware programs and they need to be kept up to date, and users have to be educated about the potential damage they can cause by installing software on their computer.

About email, most POP3 and Exchange providers encrypt all messages. If yours doesn't, go to someone who does. We use AppRiver for our clients and have been very happy with their service.

HTH

#3117657 - 10/18/10 01:22 AM Re: Computer Security Help Please [Re: Cajun]  
Joined: Aug 2005
Posts: 545
TangoShadow Offline
Member
Hi,

Quote:
Do you have any suggestions for email security? We send medical records and such by email.

Your security solutions need to be serious.

1) Use full HD encryption. TrueCrypt is very good for this, and free. It can be installed on your existing systems.

2) Next, get a disk wiping program and wipe all the free space of all your hard disks. This will make TC overwrite these areas with encrypted data as well as wiping unencrypted deleted data that didn't get encrypted when you encrypted the disk.

3) Get a hardware firewall. Home use routers for internet connections that use N.A.T. (network address translation) ARE NOT FIREWALLS AND ARE NOT SECURE!!!!! If you want help just ask back here and I'll recommend a few. Expect to pay up to around $600.

4) Get NOD32 anti-virus. Currently the best on the market, but as with all anti-virus software, it can be very paranoid and asks a lot of questions or flags things that are otherwise safe. Common sense is required.

5) Any 3rd party encrypted e-mail provider can not be considered secure as you do not have sole possession of the cryptographic keys. To send/receive encrypted e-mail requires that both parties have S/MIME or PGP compatible keys. This is the single biggest PITA to ensure. It is absolutely no good just encrypting stuff on an e-mail server - the e-mail must be encrypted whilst being sent to the recipients. The whole point is to prevent eavesdropping in transit.

e.g. even if GMail encrypts all your mail, but you write to me, the e-mail will NOT be encrypted, as I do not have a key with which you can encrypt the message to me.

I appreciate this sounds very complex, but once it is set up it is transparent.

If you have any questions, post back here.

--TangoShadow

Last edited by TangoShadow; 10/18/10 01:38 AM.
#3117797 - 10/18/10 09:37 AM Re: Computer Security Help Please [Re: Cajun]  

anon
Unregistered


Is there something wrong with using the EFS with NTFS?

#3117917 - 10/18/10 03:19 PM Re: Computer Security Help Please [Re: Cajun]  
Joined: Aug 2005
Posts: 545
TangoShadow Offline
Member
Yes - it isn't secure.

MS have made an effort to try and secure the system, but the way it operates is fundamentally flawed. First, the swap file is not subject to encryption, so data can leak there. Second, any temporary files created may reside outside of encrypted folders. Third, it is possible for developers to set the flag of a file it creates to not encrypted, so a temporary file created by a word processor could store sensitive information in plain text on the drive.

In short, EFS allows the possibility for data to be leaked in plain text all over the drive, which is counter to the whole point of using file encryption.

The only secure method is to use full disk encryption, which ensures EVERYTHING that touches the disk is in encrypted form regardless of what the OS or application does.

--TangoShadow.

Last edited by TangoShadow; 10/18/10 03:27 PM.
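
A defender-side check for the leak described in the post above, as an added example that is not part of the original thread: it lists files that do not carry the EFS Encrypted attribute, so plaintext temporary copies can be spotted. The folder list and the function name `Get-EfsPlaintextFile` are assumptions made for illustration; it expects Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): find files that EFS has NOT encrypted.
# Assumption: the folders below are where sensitive data or temp copies may land.
$Roots = @($env:TEMP, (Join-Path $env:USERPROFILE 'Documents'))

# Hypothetical helper: returns one record per file without the Encrypted attribute.
function Get-EfsPlaintextFile {
    param([Parameter(Mandatory = $true)][string]$Root)

    $encrypted = [System.IO.FileAttributes]::Encrypted
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $encrypted) -ne $encrypted } |
        ForEach-Object {
            [pscustomobject]@{
                Root          = $Root
                Path          = $_.FullName
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
            }
        }
}

# Collect findings; warnings go to the warning stream and are not captured.
$findings = foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root -PathType Container) {
        Get-EfsPlaintextFile -Root $root
    } else {
        Write-Warning "Skipping missing folder: $root"
    }
}

# Summary per folder, then the most recently written plaintext files.
$findings | Group-Object Root | Select-Object Name, Count | Format-Table -AutoSize
$findings | Sort-Object LastWriteTime -Descending |
    Select-Object -First 25 Path, SizeBytes, LastWriteTime | Format-Table -AutoSize
```
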
#3117922 - 10/18/10 03:29 PM Re: Computer Security Help Please [Re: Cajun]  

anon
Unregistered


Thanks Tango :)

#3118305 - 10/19/10 01:00 AM Re: Computer Security Help Please [Re: Cajun]  
Joined: Aug 2005
Posts: 545
TangoShadow Offline
Member
You're welcome! :)

O/T: It says you have made 4321 posts! :D

--TangoShadow.


Copyright 1997-2016, SimHQ Inc. All Rights Reserved.
