- Physically secure computing assets when appropriate.
|
Think about it: it's easy for a thief to just pick up a laptop or desktop computer and walk away with it. How much information would you lose if this were to happen to you? What would be at risk? Purchase locks, tracking devices, etc. for systems which store your important data. In the case of a file server or other mission-critical device, control access by placing the device in a locked room with limited access. Don't just think about people when thinking about security - think also about water, fire, electrical, or other elemental damage. Whenever possible, keep computers away from unnecessary pipes, electrical devices, fire hazards, etc. |
- Don't leave a logged-in system unattended.
|
Whether you connect to an internal network or the Internet, leaving a logged-in system unattended is simply asking for trouble. Someone who just walks up to the system can immediately access everything your user ID normally provides to you. Either logoff before walking away from your system or setup a password-protected screen-saver that takes effect after just a couple of minutes. |
- Never use your server as a workstation.
|
Although many of today's servers come with friendly user interfaces and have the capability to run the same applications as the workstations attached to them, using your server as a workstation is simply asking for trouble. Besides the reduction in system stability, storage space, and available memory you'll introduce by installing applications on a server, using your server as a workstation also allows users and programs to access confidential files and settings on the server directly, bypassing many of the security features that are built into the server software. |
- Require passwords to access sensitive data.
|
Configure your server(s) and/or key application(s) to require passwords to access sensitive data. Many of today's password schemes can limit users from having access to certain data or to be prevented from executing certain functions. Ensure that the administrator account (which is used to assign passwords to other users) is accessible only by one or two employees who will be responsible for its use. Remember, someone can't change data (even accidentally) if they can't access it. |
- Use strong passwords and frequently change them.
|
A strong password is NOT your name, the name of your pet, or the name of your significant other. Use at least six characters with a mixture of letters and numbers and don't use easy-to-remember or obvious words. Change your passwords on a regular basis and always change your password if you suspect it has been discovered by others. |
- Don't write down or tell others your passwords.
|
What good is a secret password if you leave it on a note taped to your computer monitor? Keep your passwords secret and don't tell anyone else. A common scam among hackers is to contact you and tell you that they are performing network upgrades, account maintenance, etc. and they need your password to ensure everything is working. If other people legitimately need access to your computer, have them get a password of their own from the appropriate administrator. |
- Perform regular backups of your important data and frequently test them.
|
In the event that your data is destroyed or rendered inaccessible by a virus, etc., your only recourse is going to be to restore a known good copy from a backup. But just having a backup disc or tape does not ensure that you have a good copy of your data. Tapes break, discs get scratched, and people make mistakes all of the time. Periodically restore files at random from your backup media and try them out just to be sure that you have backed up everything you need and that the media is actually good. |
- Lock up backups and keep the most recent copy offsite.
|
A backup is as vulnerable as the real thing when it comes to security. It's easy for a thief to just walk off with a tape or disc. Always make sure to take the most recent backup of your data offsite, just in case something (fire, flood, terrorism, etc.) should happen to the building in which the original copy of the data is stored. |
- Apply the latest patches and fixes for your operating system and applications software.
|
Most software vendors regularly offer patches and bug fixes for their software, and in most cases, these updates are free of charge if you simply know to ask for them or to check the vendor's web site. Don't fall victim to a hacker attack or virus simply because you didn't apply a fix for a known problem. |
- Purchase quality antivirus software, apply it to ALL systems, and keep it updated regularly.
|
Don't forget to install your antivirus software on systems which may not be permanently connected to your network, such as PDAs, notebook computers, etc. Keep your antivirus software updated with the latest virus signatures on a regular basis - new viruses and worms are discovered almost every day. Most quality antivirus software provides automated methods of distributing updates across the Internet or the local network. |
- Regularly check your system for spyware.
|
Spyware is software which runs in the background, watching what you do and periodically sending information about your web-surfing habits to someone over the Internet. Some of these programs only collect information for statistical purposes, but many of them collect as much information about you as they can - some even attempt to steal passwords, capture keystrokes, send screen-shots, etc. What's even more upsetting is that these programs aren't viruses - in many cases, you agree to have them installed when you install other software (such as file-sharing apps, browser add-ins, system tray utilities, etc.) It's also common to find these programs after visiting some web sites or opening certain e-mails. Removing these programs from your system will not only make your system more secure, but will also speed up your computer. |
- Periodically erase your web browser's cache.
|
Everything you view on the Internet is also temporarily stored in a special folder on your computer called a browser cache. This is helpful to your browser because it allows pages to be displayed faster, but what would be revealed if someone else saw the same information? Erase this folder from time to time to keep curious people at bay. |
- Be careful with WHAT you e-mail.
|
You should never send critical or confidential information via an unencrypted e-mail message. If you must e-mail such information, invest in a software package which will let you encrypt the contents so that they can only be opened by the intended recipient. Otherwise, anyone with a network monitoring program can intercept and read your message without your knowledge. |
- Be careful with WHO you e-mail.
|
Make sure you have the e-mail addresses of recipients spelled correctly. Make sure you're not responding to everyone on the original distribution list when you only intended to respond to one person. Simply including the wrong person on an important e-mail may inadvertently put critical information in the inbox of someone who shouldn't have it. |
- Don't open e-mail attachments you weren't expecting.
|
Most viruses these days spread as attachments to e-mail messages. Many cleverly-named attachments are actually destructive programs just waiting to be opened to infect your computer. |
- Don't trust software patches you didn't request from the publisher.
|
Many e-mail viruses/worms falsely claim to be needed patches from software manufacturers. Legitimate software publishers NEVER e-mail patches as attachments to end-users; instead, they post the files on their web sites or require you to request patch discs via mail. Also be wary of files which you find on various "patch" Internet sites - you should always download files from the original software publisher's web site whenever possible to avoid the possibility of tampering. |
- Setup your e-mail software to block access to executable attachment files.
|
Executable attachments are actually programs or scripts which cause code to be executed when they are opened. For this reason, you should setup your e-mail software to block access to such attachments. Have trusted friends and colleagues send you attachments in .ZIP form or .PDF files (neither of which is executable) instead. |
- Turn off and uninstall any unnecessary communications protocols and/or server applications.
|
Most operating systems ship with many common networking protocols and/or server applications enabled by default. These are common avenues of attack for both worms and hackers. If you don't use them, turn these programs off and uninstall them to reduce the number of attack avenues on your computer. |
- Install a firewall program or device and configure it appropriately.
|
Firewalls (software or hardware) are mechanisms that restrict the type of networking traffic that is allowed to enter into your computer. By blocking the types of traffic which your computer should not see, you effectively reduce the number of entryways into your system, and thus reduce the possibility of becoming a victim of a hacker or worm. |
- Keep workstations behind a proxy server or network address translation (NAT) device when possible.
|
It's more difficult for hackers and worms to attack your computer if they can't see it. Proxy servers are special computers that sit between your workstation and the Internet. Your workstation tells the proxy server what it wants from the Internet and the proxy server gets that information for your computer. As far as all the other computers on the Internet know, your computer is not connected, only the proxy server. You should not keep important information on a proxy server, since it actually is attached to the Internet and is therefore more vulnerable to access by hackers and worms. |
- Implement security on wireless networks.
|
By default, most wireless networking hardware is shipped and installed with security turned off. This means that anyone within range of your access point and with the appropriate wireless equipment can share your signal and your network without your knowledge. Hackers in the parking lot or the house next door can take their time to investigate your network without ever entering your building. Turn on passwords, change your SSID, and implement wireless security. |
- Don't add equipment to your office network without informing the network administrator.
|
We've all heard the old adage "a chain is only as strong as its weakest link." The same holds true for network security - you only need one pathway into a network to defeat an entire security plan. Adding equipment without informing your network administrator may allow unintended access to your network, bypassing all of the integrated security that has already been implemented. |
- Isolate computer systems which are known to be infected or compromised.
|
Once you know that security has been compromised on a computer, immediately remove that system from all networks (including the Internet) by physically disconnecting any networking cables and/or cards. Keep the machine isolated until the damage has been inspected and corrected and the original entryway to the machine has been closed. Change all appropriate passwords and restore all data from a known good backup. |
- Implement a computer-usage policy within your business.
|
Simply by putting into writing what is considered acceptable and expected computer usage, you can inform your employees about the dangers (technical and legal) of inappropriate computer usage and influence them to think before they use office computers to do something which may have legal or financial repercussions on either themselves or your business. |
- Be aware that critical information may be stored outside your direct control.
|
This is commonly the case with web sites and web-based e-mail accounts. If your web site collects critical customer data (credit card information, financial transactions, etc.) or your e-mail contains such information, then you could be liable for this data even if it is stored on someone else's computers (such as your web host's). Discuss security with your ISP or web host and ask how they protect your data from both the world at large and their own employees. |
- Invest in an intrusion detection system.
|
While these systems can be quite costly, intrusion detection software/hardware can help you block intrusions in real-time and record what happened in an un-editable log (which can be admissible evidence in case you have to take legal action against the offender). These systems can also help you control what users inside your firewall can view on the Internet and usually have the ability to block certain types of web sites and activities. |
- Stay up-to-date on the latest security threats and solutions.
|
Many software vendors and organizations offer regular reports of newly-discovered security threats, workarounds, and solutions. Make sure that your systems are protected against the latest threats as soon as they become known. A good place to start is our CANs home page. |
- Regularly review, test, and maintain your security.
|
Hackers and virus creators are always hard at work to find new ways around your security. You have to be hard at work to stop them. Remember, simply applying one level of security does not make your system impenetrable - it takes many levels of security working together to make a good security defense. Use automated testing tools to test your security, regularly review known security threats to make sure you haven't overlooked anything, and maintain your security at all times to keep your systems safe. |