Seated behind his desk in his office overlooking Sorrento Mesa, Jim Matteo ponders a paradox: Can a computer network ever be completely secure?
He offers the analogy of a bank. A bank can have a vault, it can have armed guards, it can have special glass. Each step can take the institution closer to 100 percent security. However, security can never be a 100 percent proposition.
“It’s not a perfect world,” says Matteo, CEO of Bird Rock Systems.
Some say network security can only be achieved if a computer is severed from a network. However, by then, there is no network, hence no network security.
“The Internet is not a friendly place,” said Thomas Powell, a San Diego businessman and UC San Diego instructor, noting that a presence in cyberspace immediately makes someone neighbors with the Eastern European hacker community.
Indeed, there are hackers of unknown origin constantly trying to break into connected computers. They are opportunists who, in Powell’s words, jiggle the doorknobs as they walk down the street to find an unlocked door. There are also people on the lookout for something specific: trade secrets or credit card numbers or Social Security numbers.
Tips From the Experts
The San Diego Business Journal recently contacted several people who work on computer networks for a living, and asked them for tips on computer security, particularly for small to medium-sized businesses.
Take Inventory: Stephen Cobb, whose job title is “security evangelist” for antivirus maker ESET North America, says a firm ought to know what is on the network and who is on the network.
To get details on the first aspect, companies ought to compile an inventory of hardware and software. “It’s a good exercise to map your network,” he said, adding that it may turn up surprises, such as the revelation that employee Joe has unauthorized software running.
Knowing who is aboard is helpful too, Cobb said, noting that growing firms should take the step of handing out unique usernames and passwords. “As a company gets to be 10, 20, 30 employees, it gets more and more important,” he said.
Understand What You Are Trying to Protect: Different data call for different levels of security, noted Patrick Luce, director of consultative services at Vector Resources Inc. Both Luce and Vector are based in Torrance; Vector has a San Diego office.
Consult With a Specialist
For example, companies have a legal obligation to protect medical information under HIPAA, the federal Health Insurance Portability and Accountability Act. People dealing with this — or with credit card transactions, Social Security numbers or certain data related to public companies — would do well to consult with a security specialist, said Luce.
Especially sensitive data may call for “two-factor authentication,” requiring a person to submit two forms of proof that they have permission to look at the data. This might be a password coupled with biometric information such as the user’s fingerprint.
Matteo displays a different security device used in two-factor authentication: A plastic token about the size of a house key. The device, from EMC Corp. subsidiary RSA, contains a liquid crystal display which shows a code number. The number changes every 60 seconds according to a mathematical pattern. To gain access to sensitive information, a computer user might key in their personal password as well as the number from the SecurID device.
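The two-factor check Matteo describes, as an added example that is not from the article or from RSA: the SecurID token's own code-generation algorithm is not described here, so the open TOTP construction (RFC 6238, HMAC-SHA1) with a 60-second window stands in for it, and the user record, salt, shared secret and password are constructed.

```python
import hashlib
import hmac
import struct

# Constructed example user record (not from the article): the server keeps a
# salted password hash and the token's shared secret, never the password itself.
SALT = b"constructed-salt"
SECRET = b"12345678901234567890"          # RFC 4226/6238 test-vector secret
USER_DB = {
    "joe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse%", SALT, 100_000),
        "token_secret": SECRET,
    }
}


def time_code(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """TOTP (RFC 6238, HMAC-SHA1) with a 60-second window: the code depends only on
    the shared secret and the current window number, so it rolls over every `step` s."""
    window = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def verify_login(user: str, password: str, code: str, unix_time: int, skew: int = 1) -> bool:
    """Two-factor check: something the user knows (password) AND something the user
    has (the token's current code). `skew` windows on either side are accepted so a
    slightly drifted token clock does not lock the user out."""
    record = USER_DB.get(user)
    if record is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000), record["pw_hash"]
    )
    code_ok = any(
        hmac.compare_digest(time_code(record["token_secret"], max(0, unix_time + d * 60)), code)
        for d in range(-skew, skew + 1)
    )
    # Evaluate both factors before deciding so a failure in one does not reveal which.
    return pw_ok and code_ok
```

Accepting one window of clock skew is the usual trade-off between usability and replay exposure; a production verifier would also record the last window accepted so a code cannot be reused within its validity period.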
Employ Basic Security Techniques: Businesses need appropriate electronics, such as a firewall or a universal threat management device, to make it harder for hackers to get in, said Luce.
“Next generation firewalls that are application aware are a great tool for businesses of all sizes,” Matteo said. These might uncover software whose presence the computer owner was previously unaware of.
And the computer infrastructure must be kept up to date. That includes applying software patches at regular intervals. “Doing it monthly is better than not doing it at all,” said Luce.
Luce also recommends protecting devices with difficult-to-guess passwords. Ideally these should include letters, numerals and at least one special character. “It is far more important than people think,” he said. Characters such as a percent sign or hash mark make a password “exponentially more difficult,” he added.
Have an Acceptable Use Policy: Free downloads of normally expensive software, free porn sites and emails from mysterious sources may double as delivery vehicles for malicious software. Employees ought to know what’s off-limits and what is imprudent to touch, several of the computer industry leaders said.
“Spending a little bit of time coaching employees on what’s acceptable and what’s unacceptable can be invaluable,” said Matteo.
Privately held Bird Rock Systems has eight employees and reported $6.2 million in sales in 2011, up from $4.44 million in 2010. It works with midsize and large enterprise users, including defense contractors. With 111 percent growth between 2008 and 2010, Bird Rock ranked 29th on the San Diego Business Journal’s 2011 list of fastest growing private companies. The 2012 list appears on July 16.
Powell, the UCSD instructor, operates Web agency PINT Inc., Port80 Software Inc. and ZingChart. Collectively the businesses employ about 50 people. They do not disclose revenue.
“Security is not a feature,” Powell said. “It’s an attitude. It’s a posture.”
What’s more, Powell said, network security requires active participation: “You can’t just set it and forget it.”