Skip to main content

Digital Currency

Tax Season e-Security Update — A Mixed Bag Of Goodies

Column: The eSecurity Advisor

From the Jan./Mar. 2008 Issue

Happy New Year! I hope 2008 has started off in a good way for you. For me,
it is that annual time of the year where my thoughts turn more to accounting
than technology as those of us in public accounting all spend the next three
and a half months working like mad to help our clients file their annual paperwork.
But even as those of us in public practice start working on our clients’
accounting records, we still need to be mindful of the technology threats that
face us every day, even during tax season. The hacker never sleeps (he/she uses
automated tools for much of their work) and so we, as accountants, cannot be
asleep at the switch either. While those of us in public practice tend to put
our technology upgrades on hold during this time of year, we need to remember
that the hacker or identity thief is still out there breaking into systems and
stealing information. We need to remain vigilant this time of year even though
we are busy working for our clients. As we go forward into this busy time, we
still need to ensure that we are working at peak efficiency to protect our clients’
data.

FEDERAL DESKTOP CORE CONFIGURATION
The Federal Desktop Core Configuration (FDCC) was developed under the direction
of the Office of Management and Budget (OMB) in collaboration with DHS, DISA,
NSA, USAF, and Microsoft by the National Institute of Standards and Technology
(NIST). This set of standards provides resources for federal agencies, which
allows them to test, implement, and deploy Windows XP and Windows Vista securely.
While this protocol was designed for use within the government, the OMB, through
the NIST, has also made this core configuration available to the public. This
provides businesses, nonprofits, and individuals with a process for securely
configuring their computers.

The FDCC contains checklists, sample virtual machines that can be downloaded
for testing, and other tools. These tools can be used to first test the FDCC
configuration in a non-production environment. These same tools can then be
used to roll out the FDCC to all production equipment.

These standards are important for accountants because we can use them to secure
our computers. All these agencies, which are very much at the forefront of securing
our country’s infrastructure as well as protecting our secrets, have worked
with Microsoft to develop this protocol. Irrespective of public opinion about
how competent our government is or is not, these guidelines provide exceptional
help in securing our computers on our network. By following this standard without
deviation, it provides you with a useable defense in the event the firm network
is compromised and client data is stolen. The FDCC can be obtained from the
NIST at http://csrc.nist.gov/fdcc.

PEER-TO-PEER
NETWORKS

In recent months, we have heard more and more discussion about which type of
network to implement in a firm. The decision is between a domain-based network
and a non-domain-based network, also referred to as peer-to-peer. With all the
security threats on the Internet today, the peer-to-peer network has reached
the time when it needs to be removed from use as a valid network system for
a business and especially an accounting organization. This is not because of
the fact that it does not work well for public accounting firms and other small
businesses; it does. The issue is how peer-to-peer networks handle authentication.
Each machine on the network by default trusts the other machines on the network
to which they are connected. To make a peer-to-peer network, the user needs
to simply create a set of networked computers with the same workgroup name and
then share files on one or more computers. Once the files are shared, any one
computer on the network that can be compromised by a hacker now makes the information
on all the other computers available to the hacker, as well.

In a domain-based network, many features prevent these sorts of problems from
occurring. Domain networks are better because they are:

  • Much more secure by using a more robust authentication protocol.
  • Microsoft’s recommended method for setting up a network.
  • Much easier to manage users, computers and the related security.
  • Much easier to secure files and folders on computers or network-shared locations
    to prevent inappropriate access.
  • Much better at providing security through user authentication to a central
    gatekeeper who grants or denies access based on assigned rights for that user.
  • Much better at controlling access by authenticated users to features and
    services that are available on domain-based servers.

Many other valid reasons support the use of a domain-based network versus
a peer-to-peer. In fact, there is absolutely no legitimate reason to not use
a domain in setting up a network. Should a peer-to-peer network still exist
in the firm and be used to store client data, you should talk with your network
consultants today about putting together a replacement plan for just after the
end of busy season. They can work on obtaining the components now while you
are focused elsewhere so when the time comes after busy season, the project
can start.

MICROSOFT BASELINE SECURITY ANALYZER
This is a great tool for discovering areas that may need improvement in terms
of security. This software tool is free from Microsoft. After it is installed,
you should run it on your system. The resulting report will provide a listing
of the vulnerabilities found as compared to a database of known vulnerabilities.
This may include things that you may not be aware of such as Microsoft hot fixes,
patches, and service packs that may not yet be installed on your system. The
report may also contain instructions on registry changes or system permission
changes to make the computer more secure. Download and run it today on all the
workstations and servers in your firm. Search on Microsoft.com for Baseline
Security Analyzer to obtain the link to download this tool.

SOME OTHER RESOURCES
Here are some additional resources that are important for accountants to know
about and, in some cases, important to visit on a fairly regular basis. Some
of these items are tools anyone can install and use. Others contain information
helpful in ensuring the ability of firm members to stay current with trends
and changes in technology security.

CERT Coordination Center & SANS Internet Storm Center
These two organizations are responsible for two very important tasks on the
Internet. CERT takes care of collecting and releasing information about security
vulnerabilities in software and how to counter them. SANS collects information
about the state of the Internet and what types of malicious activity are going
on at the current time. CERT can be found at www.cert.org.
SANS Storm Center can be found at http://isc.incident.org/infocon.php,
and the SANS Institute can be found at www.sans.org.

WindowsSecurity.com
This is a great website to find information, articles and tutorials on security-related
issues for Windows computers: www.windowssecurity.com.

Microsoft Windows Defender
This is a great tool for finding and removing spyware. Microsoft is certainly
going to be adept at removing spyware from Windows because they know what
should be in the system and what shouldn’t. In Windows Vista, this comes
pre-installed. In prior versions, it is available for download on Microsoft’s
website at www.microsoft.com/athome/security/spyware/software/default.mspx.

National Institute of Standards and Technology
Earlier in this column, the FDCC was introduced as an available tool from
the NIST. Other tools are available from the NIST related to computers and
may be helpful to you. They have guides and helpful information on Cryptographic
Standards, Security Testing, Security Research/Emerging Technologies, and
much more. Check them out at www.nist.gov. Note: There are a large number
of other standards promulgated by the NIST so don’t get lost reading
about all the other interesting stuff on this site. To go directly to the
computer-related information, go to http://csrc.nist.gov.

IN CLOSING
Security in a public accounting firm is not just about locking the doors and
setting the building alarm when walking out at night. It is also about securing
your network and, most importantly, your data. Your data represents the collective
work of your employees as well as the livelihood of your clients. It is very
important information that is valuable to your firm, and it needs to be well
protected. The Internet; various magazines with security information such as
The CPA Technology Advisor or Information Security (http://searchsecurity.techtarget.com);
the AICPA IT Section; and many other sources provide helpful information for
keeping a tax and accounting firm ahead of the bad guys, which is the real objective.
The firm only needs to stay far enough ahead so the hackers and hucksters go
bother someone else who is less secure and less knowledgeable.

I want to again wish you a happy and prosperous 2008 and, most importantly,
a trouble-free tax season. I look forward to visiting with you again in April
as we continue to explore various security issues at the intersection of technology
and public accounting. Enjoy!