Tax Season e-Security Update — A Mixed Bag Of Goodies

Article Tools

• January-March 2008 Issue
• Post a Comment
• Print This Article
• Email This Article to a Friend
• Save This Article
• Order a Reprint

From the Jan./Mar. 2008 Issue

Happy New Year! I hope 2008 has started off in a good way for you. For me, it is that annual time of the year where my thoughts turn more to accounting than technology as those of us in public accounting all spend the next three and a half months working like mad to help our clients file their annual paperwork. But even as those of us in public practice start working on our clients’ accounting records, we still need to be mindful of the technology threats that face us every day, even during tax season. The hacker never sleeps (he/she uses automated tools for much of their work) and so we, as accountants, cannot be asleep at the switch either. While those of us in public practice tend to put our technology upgrades on hold during this time of year, we need to remember that the hacker or identity thief is still out there breaking into systems and stealing information. We need to remain vigilant this time of year even though we are busy working for our clients. As we go forward into this busy time, we still need to ensure that we are working at peak efficiency to protect our clients’ data.

FEDERAL DESKTOP CORE CONFIGURATION
The Federal Desktop Core Configuration (FDCC) was developed under the direction of the Office of Management and Budget (OMB) in collaboration with DHS, DISA, NSA, USAF, and Microsoft by the National Institute of Standards and Technology (NIST). This set of standards provides resources for federal agencies, which allows them to test, implement, and deploy Windows XP and Windows Vista securely. While this protocol was designed for use within the government, the OMB, through the NIST, has also made this core configuration available to the public. This provides businesses, nonprofits, and individuals with a process for securely configuring their computers.

The FDCC contains checklists, sample virtual machines that can be downloaded for testing, and other tools. These tools can be used to first test the FDCC configuration in a non-production environment. These same tools can then be used to roll out the FDCC to all production equipment.

These standards are important for accountants because we can use them to secure our computers. All these agencies, which are very much at the forefront of securing our country’s infrastructure as well as protecting our secrets, have worked with Microsoft to develop this protocol. Irrespective of public opinion about how competent our government is or is not, these guidelines provide exceptional help in securing our computers on our network. By following this standard without deviation, it provides you with a useable defense in the event the firm network is compromised and client data is stolen. The FDCC can be obtained from the NIST at http://csrc.nist.gov/fdcc.

PEER-TO-PEER NETWORKS
In recent months, we have heard more and more discussion about which type of network to implement in a firm. The decision is between a domain-based network and a non-domain-based network, also referred to as peer-to-peer. With all the security threats on the Internet today, the peer-to-peer network has reached the time when it needs to be removed from use as a valid network system for a business and especially an accounting organization. This is not because of the fact that it does not work well for public accounting firms and other small businesses; it does. The issue is how peer-to-peer networks handle authentication. Each machine on the network by default trusts the other machines on the network to which they are connected. To make a peer-to-peer network, the user needs to simply create a set of networked computers with the same workgroup name and then share files on one or more computers. Once the files are shared, any one computer on the network that can be compromised by a hacker now makes the information on all the other computers available to the hacker, as well.

In a domain-based network, many features prevent these sorts of problems from occurring. Domain networks are better because they are:

• Much more secure by using a more robust authentication protocol.
• Microsoft’s recommended method for setting up a network.
• Much easier to manage users, computers and the related security.
• Much easier to secure files and folders on computers or network-shared locations to prevent inappropriate access.
• Much better at providing security through user authentication to a central gatekeeper who grants or denies access based on assigned rights for that user.
• Much better at controlling access by authenticated users to features and services that are available on domain-based servers.

Many other valid reasons support the use of a domain-based network versus a peer-to-peer. In fact, there is absolutely no legitimate reason to not use a domain in setting up a network. Should a peer-to-peer network still exist in the firm and be used to store client data, you should talk with your network consultants today about putting together a replacement plan for just after the end of busy season. They can work on obtaining the components now while you are focused elsewhere so when the time comes after busy season, the project can start.