Ajay Gupta began working in information technology 10 years ago and has co-authored two books about cyber-security. In January, he was named director of security services for Prince George's Community College. Before he became the college's first computer security officer, he was president of Gsecurity Inc., a cyber-security and data privacy firm he founded in 2002.
Gupta lives in Potomac and is a faculty member of the digital security program at Golden Gate University in San Francisco. He teaches courses there on security policy and computer network monitoring via the Internet.
Gupta talked about how small businesses can protect their computer networks from hackers and discussed his books, "Hack I.T. -- Security Through Penetration Testing," and "Defend I.T.: Security by Example," this week with Krissah Williams, who writes about business in Prince George's County.
Q How do you keep a network with as many users as Prince George's Community College's safe?
A There are a lot of things that we're trying to do. I'm developing a security policy for the college. One of the tasks I need to do is document computer usage policies. It includes how people use the computer and what kind of security is in place on the computer network. It is kind of a large-scale task. It's written almost like you would write laws for a government. It's written over a long period of time.
Viruses have become one of the main security-related problems, and we fight them as best we can. If you read The Washington Post or any newspaper, you quickly surmise that there are viruses running around the Internet all the time. Viruses are a problem, and we do what we can at the community college to deal with them. We can't say we're perfect, but we do a pretty good job given our budget and [with] so many different people using the system. We use the same recommendations anybody in the industry uses -- anti-viruses and keeping up with our patches, [to protect against new technology that has the ability to penetrate computer networks.] We have recommendations not to download and execute attachments.
"Hack I.T." published by Addison-Wesley in 2002, has sold about 10,000 copies and teaches people how to penetrate computer networks. How do you teach your students to use the information you're giving them responsibly?
"Hack I.T." does discuss a method for doing penetration techniques. I think that to defend against something you have to know how that operates. I'll use an example in the medical industry. We create vaccines against certain diseases, and we have to know how to defend against those diseases and sometimes use that disease itself in very minute quantities.
We deal with ethics in a way that's similar to a way that faculty of any industry deals with ethics. We teach from the perspective of how, at the end of the day, are you going to be able to better secure your network. Most tools can be used for nefarious and good purposes. What we teach them is this is the tool's capability. This is how you use it and make efforts to better secure yourself.
How do small business owners defend their networks against cyber-attacks?
Stop using HTML-based e-mail. A lot of viruses are now written directly into HTML-based e-mail. I would just use text-based e-mail. I would keep up with [virus] patches as best as possible. . . . There can be a lot of patches that you have to do, and that sometimes can swarm your [information technology] personnel, but if you're a small business, keep up with patches as best as possible. It does help.
After that I recommend companies installing desktop firewalls, even use the free version because that does help. Like any other software, you'll have to spend some time getting used to it, but it's free. It offers some additional level of security. There are several [free] tools on the Internet that will do a scan of computer vulnerabilities. You can get them online at my Web site, www.gsecurity.com/defendit. That tool will help make sure that the top 20 [cyber-security] vulnerabilities aren't on your system. That's a basic, good approach for small business to try to keep themselves secure.
Security threats do change, but if you have a good anti-virus tool and a good desktop firewall, it adjusts [to changes in technology] over time itself. Tomorrow there could be a new thing that makes computers insecure.