Computer Security: The unwitting enemy within: Your own staff

Many accounting firms funnel time, energy and money into products to maintain network security. However, despite the continued efforts to secure their networks, the biggest threat to these organizations frequently comes in the form of the uninformed computer users on the inside. A security program is only as strong as its weakest link - that is where the human element comes into play.

Computers and Internet access are valuable in the accounting industry, and although security software should be used in any office, attention should be focused on the potential threats that accompany the use of the technology. Even small accounting firms or individual accountants working out of their homes need to protect their computers and the sensitive information residing on them. Too many organizations have already learned the hard way that security technology alone cannot completely secure a company network.

Being uninformed about security issues can expose computers and information to unnecessary risks that could have a direct impact on revenue, productivity and the costs of doing business. Although security tools such as anti-virus software, personal firewalls and intrusion detection tools greatly reduce the security risks, any accounting professional should be aware of common security mistakes, and take measures to avoid them.

Social engineering tactics

Most internal threats to security can be traced back to social engineering tactics. Social engineering is the act of creating a computer security threat that invites users to activate it. It plays upon people's natural inclination to trust others and desire to help out. Attackers will succeed if they can get insiders to fall for their tricks.

But social engineering tactics will not work if employees are informed and aware. Social engineering methods can take a number of different forms. Every method is intended to entice unsuspecting users into helping the attacker out - whether it is by opening attachments that will unleash a virus, or providing the attacker with sensitive information that will help their efforts.

Common methods

Social engineering attempts can include a virus inside a file that appears to be an official document. It may be a "joke" e-mail with an attachment that claims to be a game, when in fact it is a malicious computer worm. These types of attempts can pop up anytime during a normal workday, in a seemingly unthreatening manner.

The insiders of any firm or accounting group need to be aware of the following threats so they will not be easy prey for such attacks:

* E-mail threats. E-mail can cause several types of security breaches. Viruses and inappropriate e-mails (which may open up a company to legal liability) are two examples.

One of the biggest threats from computer worms and viruses comes through e-mail. "Mass mailers" - viruses that propagate and send themselves out to large numbers of other computers via e-mail - can spread very rapidly. The "Anna Kournikova" and "I Love You" viruses are successful examples of social engineering attacks, as the enticing subject lines piqued the recipients' curiosity and resulted in many people opening up the infected e-mail. The key to combating this threat is educating computer users.

If a person opens unsolicited e-mail attachments or does not scan attached documents for viruses before opening them, a computer or network becomes vulnerable to virus attacks. Computer users should be educated about viruses, the danger of opening unexpected or suspicious-looking attachments, and also the potential damage that can occur if a virus is launched.

At the same time, inadvertently allowing inappropriate e-mail, sexual in nature or otherwise offensive, to be sent within an organization is also a threat, and companies can be vulnerable to financial consequences or perhaps even legal action.

Anti-virus software should be installed on each computer, including laptops, to help deal with e-mail threats. Virus definitions, or digital files that help identify and deal with viruses, should be updated frequently to ensure protection against the latest threats.

* Peer-to-peer file sharing. Peer-to-peer networking has existed since the birth of computing networks. Recently, however, peer-to-peer networks have gained momentum with searchable peer-to-peer network file databases, increased network connectivity and content popularity. The use of file sharing applications is a practice that attackers often take advantage of.

Many peer-to-peer (P2P) programs, which allow people to swap electronic files over the Internet, today contain "spyware." Spyware allows the author of the program, and other network users, to see what a computer user is doing and where he may be visiting on the Internet, and even use the computer's resources without a user's knowledge.

Other dangers include the risk of downloading a file that appears to be harmless, but contains a virus or worm. Some worms can disguise themselves by making their file extension appear as though they are a common music file.
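The disguise described above usually works by stacking a harmless-looking extension in front of the real one (for example "track.mp3.exe") or padding the name so the real extension scrolls out of view. The following check is an added example, not code from the article or from Symantec; the extension lists, signature bytes and sample file names are assumptions constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Extensions Windows will run on double-click (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# "Decoy" extensions an attacker places in front of the real one to look harmless.
DECOY_EXTS = {"mp3", "wav", "jpg", "gif", "doc", "pdf", "txt"}

# Leading bytes of common audio formats (ID3 tag, MP3 frame sync, RIFF/WAV).
AUDIO_MAGIC = (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2", b"\xff\xfa", b"RIFF")
PE_MAGIC = b"MZ"  # Windows executables begin with an "MZ" header


def classify_download(filename: str, head: bytes) -> Tuple[str, List[str]]:
    """Return ('block' | 'allow', reasons) for a file the user is about to open."""
    reasons = []
    parts = [p.strip() for p in filename.lower().split(".")]
    last_ext = parts[-1] if len(parts) > 1 else ""
    inner_exts = set(parts[1:-1])

    # 1. Double extension: a media/document extension before an executable one.
    if last_ext in EXECUTABLE_EXTS and inner_exts & DECOY_EXTS:
        reasons.append(f"decoy extension before executable .{last_ext}")
    # 2. Long runs of spaces used to push the true extension out of view.
    if re.search(r" {5,}\.", filename):
        reasons.append("padding spaces hide the true extension")
    # 3. Name claims a harmless type but the bytes are a Windows executable.
    if last_ext in DECOY_EXTS and head.startswith(PE_MAGIC):
        reasons.append("file claims to be media/document but starts with PE header")
    # 4. Name claims audio but no known audio signature is present.
    if last_ext in {"mp3", "wav"} and not head.startswith(AUDIO_MAGIC):
        reasons.append("audio extension but unrecognised audio signature")

    return ("block" if reasons else "allow"), reasons


# Constructed samples (not real files): name plus the first bytes of its contents.
SAMPLES = {
    "summer_hits.mp3": b"ID3\x03\x00\x00\x00",
    "summer_hits.mp3.exe": b"MZ\x90\x00\x03\x00",
    "summer_hits.mp3                 .scr": b"MZ\x90\x00",
    "ballad.mp3": b"MZ\x90\x00\x03\x00",
}

if __name__ == "__main__":
    for name, first_bytes in SAMPLES.items():
        verdict, why = classify_download(name, first_bytes)
        print(f"{verdict:5} {name!r} {'; '.join(why)}")
```

A mail gateway or download scanner that applies both the name check and the content check catches the worm whether the user's file manager shows extensions or not.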

* Instant messaging and Internet relay chat. Accountants who use IRC and instant messaging services such as Yahoo Messenger, AOL Messenger and others should know about ploys that might be used to lure them into downloading and executing malicious software that would allow an intruder to use the systems as attack platforms for launching distributed denial-of-service attacks.

Virtually all free instant message systems lack encryption capabilities, and most have features to bypass traditional corporate firewalls, making it difficult for administrators to control their use inside an organization. Many of these systems have insecure password management, and are vulnerable to account spoofing and potentially to denial-of-service attacks as well.

Instant messaging systems also allow users to exchange files with each other - again, in an unencrypted form. Such file transfers can cause the spread of traditional viruses, worms and Trojan horses, as well as blended threats.

The best protection against any threat spread through IM file transfers is to deploy up-to-date anti-virus software on all client desktops - preferably with protection for IM applications.

* Surfing. The Internet is an amazing and useful tool for communication and research in any industry, including accounting. However, when surfing the Web, people might download more than they anticipated.

Accountants who use the Internet for work often spend time surfing the Internet for personal use as well. Non-work-related surfing increases the chances that people will visit a site using ActiveX or Java. These languages can be used to create "malicious code" that can communicate directly with the user's machine, giving hackers access to data and, potentially, the network.

If users download free software or screen savers from unknown sources, their systems may be infected with a virus or Trojan horse, which may inflict damage ranging from file deletion to stealing passwords. However, experts say that larger and more popular sites that use these computer languages are fairly safe, because the sites employ security measures.

* The password challenge. Some computers and networks are protected by passwords as a security precaution. Passwords are a major vulnerability in many offices. It's not unusual for people to try to save time by sharing passwords or choosing a simple password. Weak passwords make it easy for unauthorized users to gain access.

A potentially weaker spot in your network security may not be the user passwords, but the users. A carefree attitude toward passwords is what social engineers are banking on. Weak passwords make it easier to break into those networks and use your network for other illegal activity.

* Request for information. Attackers will not always try their tricks over the computer. Sometimes they also try to make contact with insiders over the phone or in person. An attacker might call an insider and imitate someone in a position of authority or relevance with an urgent need for information, and try to get that information out of the user.

Help desk employees and office secretaries are often subjected to social engineering tactics, and should be especially aware of this. Employees should be made aware that if anyone asks them for their passwords, or any other sensitive information, they should proceed with the greatest amount of caution.

In an accounting firm, the most effective, yet often neglected, method for addressing the insider threat is to establish a policy of regular and consistent user training, with a focus on the organization's security objectives. For individual computer users, the best protection is common sense and security software that will block common attacks.

Laura García-Manrique is director of product management for consumer security products at Symantec Corp. (www.symantec.com), where she is responsible for competitive assessment, product positioning and pricing.
