Saturday, 6 June 2015

6 best practices for email security



Former Secretary of State Hillary Clinton's use of a private email server to conduct State Department business has left IT pros dumbfounded. They thought the days of executives acting autonomously were over and that governance within organizations was sound enough to prevent these actions.

"When you're doing official business for an organization, you should use an official account," says John Pescatore, director of emerging security trends at the SANS Institute. Otherwise, organizations cannot follow regulatory and compliance mandates, protect intellectual property or maintain proper records.

But Pescatore acknowledges that progress still has to be made in the email best practices arena to ease the burden on users and IT. For instance, mandating that someone use two devices -- the issue Clinton cited as reason to circumvent State Department policy -- is antiquated thanks to software that supports secure access to multiple accounts on a single device. "IT no longer can say ‘this can't be done'," Pescatore says. "There has to be a compromise and then a recommendation from IT."

At the same time, hacks like the one at Sony Corp. have organizations on edge about email security. Craig Gormé, information security manager at academic health center University of Florida Health, says organizations must adapt their policies and practices to the changing threat landscape. "We used to be concerned about malware and anti-virus coming through email, but tools have solved that. Now the biggest threat is phishing," he says, adding that best practices must reflect this evolution.

Here are some ways to update your email best practices.
  1. Re-evaluate the role of email in your organization.
"Companies understand that security is important, yet they still do email in an insecure way," says Seth Robinson, senior director of technology analysis at CompTIA.

He recommends studying how your organization uses email and ensuring that it matches your risk tolerance. "What do you need to accomplish with email?" Robinson says to consider and then protect the entire system, including application, server and connection, accordingly. He adds that many organizations built their email infrastructure long ago and have not reviewed their vulnerabilities since.

Mandates like HIPAA have forced Gormé's organization to revisit email guidelines, especially when it comes to those that include personal health information (PHI). "Users can only send emails with PHI internally. They cannot send it to outside email addresses and we prohibit the use of third-party email systems," he says.

If they need to send communications with PHI, then they must find another more secure method such as encrypted messages or secure file transfer. Another option, Gormé says, is to deploy automated policy-based encryption, which scans all email for medical record numbers, Social Security numbers or other personally identifiable information. If it is found, the data is held for inspection or re-routed to an encrypted pathway.
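A minimal sketch of the policy-based scan described above, added here as an illustration and not taken from the article or from any organization it quotes. The internal domain, the "MRN" number format and the choice between holding and encrypting are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: hypothetical mail domain of the organization.
INTERNAL_DOMAIN = "health.example"

PATTERNS = {
    # SSN written AAA-GG-SSSS; the lookaheads reject ranges that are never
    # issued (area 000/666/9xx, group 00, serial 0000) to cut false positives.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Assumption: medical record numbers appear as "MRN" plus 6-10 digits.
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}


def extract_text(msg):
    """Return the subject plus every text/* part (body and text attachments)."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def find_identifiers(text):
    """Count matches per identifier type; the values themselves are not kept."""
    counts = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def external_recipients(msg):
    """List recipients outside the internal domain.

    An address that cannot be parsed has no matching domain, so it is
    treated as external (fail closed).
    """
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(headers)
            if addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN]


def route(raw_message, external_action="hold"):
    """Decide what the gateway does with one message.

    external_action is the configured response when identifiers are headed
    outside: "hold" for inspection or "encrypt" to re-route the message.
    """
    msg = message_from_string(raw_message)
    findings = find_identifiers(extract_text(msg))
    outside = external_recipients(msg)
    action = external_action if findings and outside else "deliver"
    return {"action": action, "findings": findings, "external": outside}


# Constructed sample messages (not real data).
BODY = "Patient MRN: 00482913, SSN 123-45-6789. Ref 000-12-3456 is not an SSN.\n"
SAMPLE_EXTERNAL = ("From: nurse@health.example\n"
                   "To: billing@partner.example, chart@health.example\n"
                   "Subject: Follow-up\n\n" + BODY)
SAMPLE_INTERNAL = ("From: nurse@health.example\n"
                   "To: chart@health.example\n"
                   "Subject: Follow-up\n\n" + BODY)

if __name__ == "__main__":
    print(route(SAMPLE_EXTERNAL))
    print(route(SAMPLE_INTERNAL))
```

The result carries only counts per identifier type, so the gateway's own log does not become a second copy of the sensitive values.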

Duke Prestridge, CIO of Community One Bank in North Carolina, says his institution has had to be very clear with users: "Corporate email is just that -- corporate email. It's not to be used for personal use."
He credits regulatory oversight for his ability to keep a tight rein on email and to keep users from litigious situations. "FINRA standards dictate that we have to manage all email and save it for seven years," he says. The organization itself, though, has to determine how to deal with the influx of embedded video and attachments. "We need more policies around how to handle them," he says.
  2. Revisit governance.
As he grapples with federal and financial industry mandates, Prestridge says he is glad that his bank's executives have his back. "Email policies have to have teeth in them," he says, and the only way to do that is with proper governance, enforcement and solid backing from business leaders.

Like many of his peers, Prestridge believes Clinton's situation could have stemmed from the CIO not having adequate support to uphold email policies. "When we first established our corporate standards based on regulatory guidelines we got pushback, but not since then," he says. Executives fully endorse his position as CIO and as a risk manager. "As things change risk-wise with public breaches like those at Target and Home Depot, the position of CIO must be elevated and given the authority needed to protect the organization," Prestridge says.

Peter Firstbrook, vice president at research firm Gartner, says a finely tuned governance body could help broker a tricky situation like when an executive uses rogue resources. A cross-functional body (with representatives from departments such as legal, IT and human resources) could explain the compliance risk of using non-compliant resources to the executive while encouraging IT to help find a secure workaround.

Pescatore says governance bodies also can help ensure that if an organization switches to cloud-based email, incident response processes are tested regularly. If a server is on-premises and something bad happens, IT can turn it off quickly. Organizations must understand and test the equivalent process in the cloud, he says.
  3. Make acceptable use policies usable.
Governance bodies also can ensure that acceptable use policies are updated to address mobility, the cloud, social networking and other essential topics.
"We have found that organizations don't have thorough acceptable use policies and that they don't train users well enough on them or remind them enough about them," says Michael Osterman, president of Osterman Research.

Gormé believes acceptable use policies should be refreshed annually and should become more user friendly. "Customers need to clearly understand what and what not to do and more importantly why," he says.
For instance, many acceptable use policies are presented blandly on a Web site or on paper. In the future, he would like to see them shared in ways that users communicate, such as text.

Also, he feels users should be made to take a quiz to show their understanding of the policy. That, he feels, would help IT fill the gaps in user knowledge.
To Prestridge, it's important for users to understand the delta from previous acceptable use policies. "We need to explain the business reason and risk of why they can't do certain things with email anymore," he says.

For instance, users might not fully understand that when they forward an email, they might be forwarding an entire thread that includes sensitive or confidential information. By pointing it out as an example in an acceptable use policy, users might comprehend the risk and avoid doing it.
  4. Consider educated users your best weapon against phishers.
Hand in hand with acceptable use policies should be education about phishing, according to Osterman. "People are still very gullible and don't think hard enough about the content they receive," he says.

While technology such as data loss prevention (DLP) can help detect phishing attempts, users need to be the first line of defense, according to Osterman. "The integration of email and social file sharing is opening up possibilities for bad things to happen," he says.

Educating users also helps you plug more security holes with less budget. "Organizations sometimes feel training is too expensive, but avoiding one average-size phishing incident every five years puts you ahead of the game cost-wise," SANS' Pescatore says.
  5. Personal email and corporate email can coexist… on the same device.
Like Clinton and the State Department, Prestridge and his bank faced the multiple device issue. Users did not want to carry two smartphones or tablets but Prestridge didn't want personal and private email accounts to co-mingle insecurely either.

Rather than saying no and risking data leakage, Prestridge deployed Good Technology's container service on users' personal devices. He did away with corporate Blackberrys and the Blackberry Enterprise Server and reallocated that money to subsidizing users for a portion of their iPhone and Android devices as well as supplying the Good application.

To access corporate data, users must download the Good app onto their mobile device. Good ensures that personal email accounts are apart from corporate accounts and that users are not able to copy or forward corporate data. Good keeps a record of user activity so if data is leaked or stolen, IT can backtrack to find it.

Also if the device is lost or stolen, it can quickly be located and/or scrubbed.
"Users still have full functionality of their devices without compromising data security," Prestridge says.
While Prestridge has addressed email security and compliance for now, he knows email best practices will change again in the near future as technology evolves.

Take unified communications. He wants to see what regulators will require for voicemail integrated with email systems. Would financial institutions have to save them similarly as traditional email? If so, best practices would be needed for that realm as well.

Gormé is expecting two-factor authentication, such as having a code sent to your phone, to be a best practice for email systems soon, especially in the healthcare arena. "I see us getting away from passwords and more into tokens and the like," he says.

There are many instances, Firstbrook says, where a best practice could be not to use email at all. For example, if a board wants to discuss the latest financials or executives and the CFO have to work with a rival company on a purchase, then email is just not a secure option. Instead, users should go out of band to a private portal or a confidential platform that erases data as soon as the session ends and does not allow for copying or forwarding.

Thursday, 4 June 2015

Don't panic! How to fix 5 common PC emergencies


Your PC may not be as essential to you as your smartphone, but chances are it’s still pretty damn important. So it’s completely understandable if your first reaction is to freeze and freak out when you run into a PC emergency, such as a broken screen, accidentally-deleted important file, or a virus. But panicking is counter-productive, because time is often of the essence.
Don’t worry. While you can’t call 9-1-1, here’s what you can do to fix five common PC emergencies.

Broken laptop screen

A few months ago, I was working on my MacBook Air next to my French bulldog, Blanka. For some unexplained dog reason, Blanka suddenly decided he needed to be in my lap, so he jumped on me—and landed on my laptop’s screen. A laptop screen is no match for a 27-pound Frenchie, so, needless to say, my screen was toast.
First things first: Check to make sure that only your laptop’s screen, and not something more important (such as the graphics card) has been damaged. If your screen is visually damaged or cracked, just continue to use your computer normally to see if any other issues arise.
If there’s no visible damage, but the screen is acting weird, you can try plugging an external monitor into your laptop. You will need an output port (HDMI, mini-HDMI, DisplayPort, mini-DisplayPort, DVI, or VGA) and an external monitor or TV to do this, as well as the correct cable. Some laptops also have an external display mode that you will need to activate, usually via Function keys. If your laptop’s output looks fine on the external display, you likely have a simple screen issue and not something more serious.
Fix it: The good news about a broken screen is that you don’t need to fix it right away. If your screen has a hairline crack along the edge, you can continue to use your laptop as usual, though it’s probably a good idea to avoid moving it, closing it, or traveling with it, because any pressure on the screen can cause the crack to get bigger. If you have an external monitor on hand, you can simply use your laptop as a desktop for the time being.
Connect your laptop to an external monitor to ensure it’s truly the screen that’s broken and not something deeper.

If you do want to fix your screen, you have two options: You can do it yourself, or you can have it repaired by a third-party repair shop (or, if you purchased an extended, accidental damage-covering warranty, by the manufacturer). A DIY repair on a basic laptop screen is simpler than you think, but if you have a specialized laptop such as an Ultrabook, a two-in-one, or a MacBook, it’s better to see an expert. Ultra-thin screens, such as those found on Ultrabooks and MacBook Airs, can be especially tricky to replace, and sometimes aren’t even worth replacing at all.

Deleted an important file

There are two types of “important” files: The ones that are important to you, such as the pictures from your teen’s high-school graduation, and the ones that are important to your computer, such as system files. Hopefully you don’t make a habit of snooping around your PC’s root folders and indiscriminately deleting files, but critical files can sometimes be deleted or corrupted by system crashes, malware, or overzealous antivirus programs.
First things first: If you accidentally hit delete on an important photo or document, don’t panic. First, see if you can find it—open up Windows Explorer and type the file name into the search box in the upper right corner. It’s possible you didn’t delete the file at all, but just moved it to a different folder with some inadvertent mouse action.
If you can’t find it in a search, open up your Recycle Bin, which is located on your desktop, and look for the file. If there are a lot of files in the Recycle Bin, right-click inside the window, hover over Sort by and click Date Deleted. The most recently deleted files will appear at the top of the window.
If that doesn’t work, try using a deleted-file recovery tool like the superb Recuva to reclaim your lost data. (Recuva’s on PCWorld’s list of the 22 free programs new PCs need for a reason.)
If your file is not in the Recycle Bin and can’t be found by Recuva, you may be able to restore it easily from a backup. Windows 7 automatically creates “previous versions” of your files, but in Windows 8 you will have to manually turn on a feature called File History in order for this to happen. In Windows 7, open Windows Explorer and find the folder that contained the file. Right-click on the folder and click Restore previous. You’ll see a list of folder backups by date modified. Click on a backup that was created before you remember deleting the file, and click Restore…
In Windows 8, you can recover deleted files by opening the File History menu and clicking Restore personal files.
Fix it: If you can’t find your deleted file or easily restore it from Windows’ File History, you’re still not completely out of luck. If you regularly back up your computer, you can try looking for the file on your backup drive—and if your backup “drive” is a cloud service, such as Dropbox, Copy, or OneDrive, you may be able to recover your file from the cloud service’s website.
If you don’t regularly back up your computer, shame on you. But now is the time to try a professional fix: You can either use recovery software, which will deep-scan your drives for the deleted file, or you can go to an expensive, but very effective, data recovery service such as DriveSavers.
If the deleted file is not a personal file, but a critical system file, you will probably need to repair your PC with a System Restore, or possibly even completely reinstall Windows.

Spilled something on your stuff

It happens to everyone – you’re drinking at your desk, when all of a sudden whoops! There’s Diet Coke all over your keyboard.
First things first: Liquid damages electronics because things in the liquid, such as salts and minerals, conduct electricity (technically, spilling pure water on your computer would be perfectly safe). If your computer or component is turned on when you spill something on it, that random, free-flowing electricity conduction can cause the circuits to short. So the first thing you need to do, before you do anything else, is turn off your computer as fast as possible—unplug it and remove the battery (if applicable) pronto. The faster you can get it into a powerless state, the better.
Fix it: Once your computer is turned off, remove all cables, components, media cards, and swappable drives and turn it upside-down. If it’s a laptop, you’ll want to try to avoid getting liquid near the screen; if it’s a desktop, you’ll probably want to turn it on its side rather than completely upside-down. Turn the computer toward the spill (i.e. if you spilled something on the left side of your keyboard, lay it on its left side). You can mop up any liquid on the outside of the PC with a lint-free cloth.
Disassemble your PC as much as possible if you’ve spilled liquid inside it—after disconnecting it from power, of course.
After most of the liquid has drained, you should try to disassemble the PC as much as you are able. If you can completely take it apart, great. If you can’t, don’t hurt yourself, but you should probably try to at least pry the keys off of a keyboard to get all the liquid out. If you spilled anything other than water, it’s a good idea to clean your PC with some circuit cleaner, as many drinks are sticky and corrosive and will wreak havoc on your PC’s insides.
Once your PC is powerless, disassembled, and cleaned…leave it there and wait. Wait for as long as you possibly can, and then wait for another two days (ideally, at least a week). Then, pray to the PC gods that you were just quick enough, and try turning it on.

No Internet access

There’s nothing quite like sitting down at your computer to watch cute puppy videos, only to discover that your Internet is down. Aside from cursing your ISP, here’s what you can do if you find yourself in an Internet desert.
First things first: There are three or four possible sources of your Internet woes, depending on what type of connection (wired or wireless) you have. Source #1 is your ISP. There could be a local, regional, or national outage. Source #2 is your modem, which could be malfunctioning. Source #3 is your wireless router, which could also be malfunctioning. And Source #4 is your computer.
Fix it: To check if your ISP is having an outage, go to DownDetector (on your phone, since you don’t have Internet access) and click on your provider. DownDetector is a crowd-sourced website that lets users report issues with their Internet service. Their Live Outage Map will show you a heat map of where most of the reports are coming from. If your area is covered in red, you could be experiencing an outage. There’s not much you can do here, except call your ISP and ask them to refund you for the outage time.
If there’s no outage—or you can’t access DownDetector in some way—you should go ahead and check your modem and router. First, unplug the router, then, unplug the modem. Wait at least 30 seconds, and plug the modem back in. Wait another 30 seconds and plug the router back in. Restart (or boot up) your PC. You should now have Internet! If you don’t, check to see whether the issue is your router by plugging your PC directly into the modem using an ethernet cable. If you have Internet after this step, your router is the problem.
If you do not have Internet after this step, your modem could be the problem, or your ethernet cable itself. Try a different ethernet cable if you have one handy.
If everything thus far works fine, the problem could be with your PC. The easiest way to test this is to try to connect to the Internet with another device—a PC, phone, or tablet. If you can, then your PC is the problem. Check to make sure your network adapter is turned on by going to Control Panel > Device Manager > Network adapters.
Right-click your network adapter and click Enable if it’s disabled. Otherwise, click Properties and check the device status (it should say “This device is working properly”). If the device is not working properly, you may need to update its driver. Click the Driver tab and click Update Driver….
If you’re using Wi-Fi, check to make sure your Wi-Fi is turned on—some laptops have a switch or a Function key that toggles the Wi-Fi on and off.

You got a virus

Maybe you let your antivirus subscription lapse, maybe you clicked on a sketchy pop-up, maybe you downloaded something you shouldn’t have—no judgment. But no matter how you ended up with it, you now have a virus and it’s quickly eating up your PC.
First things first: Determine whether you might have a virus. Viruses and malware can present themselves in many ways. You may be seeing unexplained pop-up ads, your PC may be running extremely slowly, or maybe your PC is crashing constantly. Unless you have an antivirus program that alerts you to a virus’ presence, it’s not easy to tell whether you have one or whether you just have a faulty motherboard (or some other hardware issue), but it’s better to be safe than sorry.
Before you do anything else, disconnect from the Internet. Viruses love the Internet, and the last thing you need is for it to get some sort of killer update from its host that bricks your PC or turns it into a zombie.
Fix it: Restart your PC in Safe Mode. To boot into Safe Mode, restart your computer and press the F8 key repeatedly—don’t just hold it down continuously—until you see the Advanced Boot Options menu. Use the arrow keys to choose Safe Mode with Networking and press Enter.
Once you’re in Safe Mode, use an antivirus program and an antimalware program to run some scans. You’ll want to install a new antivirus program even if you already have one on your PC, because the old antivirus program clearly missed something. You can do this by loading the program on a flash drive and installing it from there so you don’t need to reconnect your PC to the Internet. In addition to an antivirus scan, you should also run an antimalware (on-demand) scan with MalwareBytes just to be sure.

Hopefully, the antivirus/antimalware programs will be able to root out the virus and fix it. But if they don’t work—or if they disappear or crash when you try to run them (because some viruses are damn smart, and know when programs are designed to destroy them)—you may need to reinstall Windows, and restore your files and settings from that backup you made earlier.
There’s one kind of virus you might not be able to fix this way, and that’s ransomware. Find out how to remove ransomware, and remember: If you suspect you might have ransomware, the first thing you need to do is disconnect and disable any automatic cloud syncing services you have set up. Because the last thing you want is for ransomware to lock down your cloud folder and sync itself onto all of your other devices.

5 Steps to Help Defend Your Network


The threat to your business from malware and cybercriminals is significant and growing. Fortunately, so are the defensive capabilities of your Cisco network.
To protect your data, your customers, and your reputation, take full advantage of your Cisco network investment by following these five steps:

1. Enable Cisco IOS Flexible NetFlow to understand your baseline for normal traffic and proactively identify suspicious behavior.
2. Deploy Cisco TrustSec network segmentation technology to contain attacks and shrink the attack surface with contextual, role-based, topology- and access-independent control.
3. Encrypt links and use Cisco Catalyst integrated security features to protect your data in motion.
4. Deploy Cisco Intelligent WAN to secure branch offices with direct Internet access.
5. Deploy Cisco APIC Enterprise Module to accelerate security configuration and threat mitigation.