McFarland-CPA Security
The U.S. Congress’s reversal of the Obama Administration’s FCC rule preventing your ISP from selling your internet usage data has dropped electronic security back onto the stage. Mention the adjective Russian now and hacking easily comes to mind. In this age of aggressive hacking, several clients have contacted us about our security measures. We’ll cross-post this text in our FAQs but wanted to get this the widest dissemination, so it’s starting on this blog. As all blog articles end up in our monthly newsletter, it will go out that way too.
As an office-free firm, our security is procedural and network centric. We keep our desktops locked when not in use (actually we disconnect). We store no information on premises and have no physical files. If we encounter paper documents, we scan them and return them immediately or shred them. Unlike in the case of traditional firms, we do not present a target for physical server theft with thieves then selling your information on the dark net.
We Use HTTPS and Cloud Security
Unlike the DNC (and some say the RNC was equally deficient), we have state of the art security. To start with, all of our applications force the use of the HTTPS protocol in line with Electronic Frontier Foundation best practices. Forced HTTPS use causes a uniform resource locator (URL) request sent by unsecured to be re-established in an encrypted session between your browser and our servers.
GoDaddy hosts our web-facing servers. They, in turn, have encrypted tunnels to our accounting data servers that are virtualized deep inside the Amazon cloud. We adopted this architecture to build in an additional layer of security for client’s sensitive financial information.
Unlike a local, storefront operation, or even more sophisticated global scope firms, we do not store any customer information on local computers. We use Chrome OS devices since they are the most secure off-the-shelf computers and tablets. Then, we only use them as thin clients, granting us access to our web applications through our virtual private network (VPN) and encrypted browser sessions, and to Amazon’s cloud-hosted servers. We also have a few Ubuntu Linux machines online for specific processes that are not convenient on Chrome OS.
Connecting From Unsecured Locations
Some of our clients access our platform from places that are even more unsecured than just the general hacking climate (which is bad enough). Even their internet service providers (ISP) are highly suspect. In those cases, say, if you are expat living and working in Russia or China, we recommend you take additional measures. First, all of your internet traffic should be in a VPN that you run either from your device or your home router. We discuss Wi-Fi below. You should use a Chrome OS device (not to be confused with the browser of the same name) such as a Chromebook or a Chromebox. Neither Windows nor MAC OS can be trusted these days regardless of the measures you take to secure them (unless you use a thin client and reboot after every session).
Wi-Fi Security
There are a lot of myths out there about Wi-Fi security. But first, let’s just get this out there: Wi-Fi doesn’t stand for anything, especially not “wireless fidelity.” It was just a catchy name for the IEEE 802.11 standard. The most important issue is to ensure you are using at least WPS2-PSK to secure your network. Your password should look like h&5U2v$(q7F4*. If it doesn’t, change it. Do not use the WPS option. Don’t turn off SSID broadcasting, DHCP, or bother locking down IP ranges or limiting access to specific MAC addresses. Those only keep out people who wouldn’t know how to penetrate your network anyway. Anyone who qualifies as a hacker will have the tools to defeat those measures faster than you can set them up and maintain them.
An added measure of security is to use a VPN originating at your device over the Wi-Fi. With this configuration, you will be secure even using open Wi-Fi systems such as at libraries, coffee shops, or airports. VPNs do slow down your internet experience a bit. However, you won’t notice unless you are trying to stream video or use internet video telephony like Google Hangouts (our preferred product) or Skype. In those cases, just turn off the device VPN but make sure to turn it back on when accessing your U.S. bank account from Moscow.
TOR and Other Onion Proxy Systems
Should I use a multi-hop proxy system like TOR for more security? That’s a question we’ve heard more than once. Keep in mind that the purpose of systems like TOR is to hide who you are from those with whom you are interacting or third parties trying to monitor your activities. In the case of banking or accessing our systems, do you really want to hide from us who you are? What you want to do is to ensure that no one in between you and us can read your traffic. That’s an encryption issue, not an identity issue. So, keep systems like TOR for when you are doing something that demands you hide your identity, not protecting content. Of course, you can do both, and if you are a sophisticated user and want to explore that possibility, there are many tutorials available for configuring these measures.
What Level Of Encryption
We use 128-bit encryption which is the same level used by the U.S. financial system. It is a good balance between speed (encrypting and decrypting incurs overhead costs on processors at each end) and security. If the industry increases to 256 bit or higher levels, we’ll be an early to middle term implementer. We won’t blaze the way, we’ll let others bear those costs, but we won’t hesitate either since security is one of our primary values.
Discussion and Advice
We’ll set up a thread on our forum for discussing these issues if you, dear reader, want to follow up on some point we made here. For CPAs and other small businesses interested in advice, if you are considering any of these technologies, please feel free to contact us or our implementing partner, CPA Network Solutions (they have a link at the bottom of the page). If you contact them directly, we ask that you mention us as the referral source.