SECURITY - PRONOUNCED "SECURE-I-T"

Rough Notes, Mar 2005 by Chivvis, John

Tips, techniques, and thoughts for keeping computing systems and resources safe and secure

For many insurance agencies, when computers stop computing, servers stop serving, and networks stop networking, there is no IT support staff on call to handle the problem. "It's in these agencies of 20 employees or fewer - and there are a lot - where you find an employee has assumed or been delegated the job of 'computer person' due to a perceived knowledge of computers," says Jerry Fetty, president of the Sterling Heights, Michigan-based Computer Networking Services (www.compserv.net).

It's these same employees to whom Fetty speaks at seminars, sessions and conferences such as the Michigan Association of Insurance Agents' Great Lakes Automation Day. Fetty knows that it is no easy task to keep an agency's computer resources safe and secure from problems stemming from spyware, intrusion, spam and viruses. As he "preaches" to the masses, Fetty says that by implementing some simple policies, establishing some basic procedures, and following some simple tips and techniques, some of the IT problems agencies face could be reduced or eliminated, thus reducing IT expenses and increasing productivity for the IT staff.

Passwords - secret, strong and shifting

"Passwords are the keys to the network; if someone else knows them, then a firewall, for example, is useless," says Fetty. "Most agencies running Applied or AMS systems still have the administrator passwords set as the default. This means there are literally tens of thousands of people who know the password to an agency's system."

Fetty says that while at first it may seem difficult to do, an agency must define a password policy for employees. Passwords should be at least seven characters with a mix of upper and lower case letters, numbers and even special characters such as #$%*. According to Fetty, simple passwords like dictionary words, home addresses, and numbers are usually the first to be tried by hackers.

The password policy should also set an "expiration date" after which employees must change their password. "This is where a principal must not give in," says Fetty. "Too often, employees will freak out the first time they have to change their password. Even though it may throw employees for a loop at first, training and persistence is important, because eventually it becomes a non-event."
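The policy described above, written as a check an agency's "computer person" could run when passwords are set or audited. This is an added example, not code from the article or from Computer Networking Services; the 90-day maximum age, the small word lists, the treatment of special characters as optional, and all function names are assumptions.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 7                 # "at least seven characters" (from the article)
MAX_AGE = timedelta(days=90)   # assumption: the article names no expiry interval

# Constructed sample lists; a real audit would load a full wordlist and the
# documented default credentials for the agency's own management system.
DICTIONARY = {"password", "insurance", "welcome", "michigan", "letmein"}
VENDOR_DEFAULTS = {"admin", "administrator", "changeme"}

# Required character classes. Special characters are accepted but not
# required here (assumption: the article says "even special characters").
REQUIRED_CLASSES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
}

def password_problems(password, personal_terms=()):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    # Strip digits and symbols from both ends and fold case, so that
    # "Welcome1" is still recognised as the dictionary word "welcome".
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    if password.lower() in VENDOR_DEFAULTS or core in VENDOR_DEFAULTS:
        problems.append("vendor default password")
    if core in DICTIONARY:
        problems.append("dictionary word")
    if password.isdigit():
        problems.append("numbers only")
    # Home address, street name and similar details known about the user.
    for term in personal_terms:
        if term and term.lower() in password.lower():
            problems.append(f"contains personal detail: {term}")
    return problems

def is_expired(last_changed, today, max_age=MAX_AGE):
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > max_age
```
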

Spyware - show no mercy

Fetty is a strong proponent of agencies implementing an Internet usage policy, if anything, just to keep spyware off computers. "A good number of the agencies that call us about computers that are slow or not running turn out to have a spyware issue," says Fetty. "However, if an agency uses the Internet for business purposes only, how much spyware do you think they'll get from a vendor or carrier Web site?"

While not technically a virus, spyware is any program that is unknowingly or unwittingly installed on a computer and uses the machine's bandwidth, memory and file space to record and send information across the Internet regarding the employee's computer usage patterns. With computers being used for more than just office work - even something as innocuous as listening to music on a computer or online - the opportunity is great for spyware to propagate on a machine or on a network. To illustrate the point, Fetty describes an experiment he conducted using a simple music-sharing program called Kazaa.

"All we did was install Kazaa on a computer," says Fetty. "We didn't download any music or use it in any way, but just left it for 12 hours. When we came back, there were already a couple hundred spyware programs that had installed themselves on the computer."

To seek and destroy spyware, Fetty recommends installing anti-spyware software and running it on a regular basis (usually once a week or as needed). While there are commercial grade spyware blockers on the market, Fetty notes that for most agencies, simply downloading, installing and running Lavasoft's free Ad-Aware application will identify most of the programs. As an overlap, Fetty also recommends Spybot Search & Destroy to catch what Ad-Aware may miss and vice versa.

Viruses - not just for office desktops anymore

"When a principal tells me that the agency doesn't have a virus scanning solution in place, I can't figure how they managed to get to this point without problems," says Fetty. And considering the increase in technology investments beyond an employee's desktop, such as mail servers, databases, laptops, and file servers, it's even more puzzling why an agency would put that investment at risk by not having an antivirus solution.

First and foremost, Fetty says, an agency needs an antivirus solution that will protect the agency's entire network including servers and all workstations. "The same holds true for remote users," says Fetty. "Those that dial in from home also need to have antivirus protection on their remote workstations or laptops."

Second, Fetty says that antivirus software must be checked regularly to see if updates are being received and applied. For agencies with limited IT support, checking five computers for current virus definitions may not be difficult but as the agency grows to 10 or 20 users, the task becomes greater. According to Fetty, that's where advanced features in commercial packages such as McAfee's Active Virus Defense or Symantec/Norton Antivirus make it easier.

 


Content provided in partnership with ProQuest