Home
 
   
 
  ServicesReport IncidentsBest PracticesResources
 
Site sarch:
Search
Report your Incident Report your Incident
Contact us Contact us
Latest news:
 
  Internet fraud tips
   
  Password security
   
  How to improve browser performance by Microsoft
   
 
 

Best Practices/Tips

Organisations' and people's dependency, use and application of information is not only all pervasive but so are the risks to this information. Information could be lost due to a system failure, corrupted by user processing errors, modified as part of some computer fraud, or disclosed to unauthorized users. Understanding what the risks are and assessing how these risks affect and impact business are vital to being able to manage them effectively.

Subjects

  1. Some general good security habbits
  2. A few words on Passwords
  3. When browsing
  4. Making Internet Explorer more secure
  5. About Autofill
  6. Completely wiping data from your PC
  7. Accidents and Risks
  8. Bots, Botnets and Rootkits

When surfing the Internet, it is wise to take some basic steps to safeguard sensitive information.

  • Do not give your full name to people you do not know or trust
  • Do not give credit card details to untrusted people or organisations
  • Do not give out social security numbers, phone numbers, addresses or other sensitive information out in chat rooms or emails
  • Never think that you have nothing important on your machine so you do not need protection. If you have any financial or personal information on your computer then the attackers could use it for their own gain. They could also gain control of your computer and use it against attacking other people (DoS attacks)

Some general good security habbits

  • Lock your computer when you are not at your desk. This will prevent someone from accessing all your information.
  • When you are not browsing the internet, dicsonnect it from the network. This way you minimise the possibilities of attackers scanning your network or causing any type of harm to it.
  • Make sure you do regular back ups to all your important information in case of a disk failure or power failure.
  • Do not think that having a firewall and an antivirus software will keep you 100% secure from intrusions. Although they form an important role into protecting your information, they do not guarantee to protect you from an attack. Combining these technologies with good security habits is the best way to reduce your risk.
  • Make sure you keep your firewall and antivirus software up to date.

A few words on Passwords
Why they matter
Passwords are a way of proving who we are in order to use a particular service. We use them for email access, banking, access to systems etc. If someone borrows our access to the system they can impersonate us.
Think of passwords as locks in your house doors. For each lock in your house there is
a different key, that way someone who gets one of your keys will not be able to open all the doors in your house. You should not share your keys with strangers and you should not hide them under the mat or in a flowerpot outside your house. Each key has its unique making, different grooves that separate them from others. It is the same thing with passwords for computers.


Managing passwords
Managing to remember a few passwords is not a great deal, but as we use more computers and we have access to more programmes or websites, they can get out of hand.
It is better to use different passwords for different services you use. Each password should be unique and you should not write them in post-it notes near your desk or share them with others. Use as complex keys as possible using different combinations of word letters, characters and numbers.
The most important thing is that the combination of your key is not too easy and not too complicated so you are able to remember it without having to write it down.
Passwords sent over the Internet can be sniffed and stolen, that is why it is wise to use different passwords for Internet access and different for your Local Area Network.

Computer attackers use brute-force techniques to discover your passwords. It is the same with a thief trying different key combinations to open your house door. If the attacker has some information about you, then he/she could use to reveal your password and narrow down the options, so it is wise not to use any reference to your personal life like birtdays, pet names or any other combination.
Another technique that attackers use is sniffing. This way, no matter how strong
a password you may have (long string of characters, capital letters, numbers all random), the attacker will be able to see it and use it. What you need to do against sniffing is that you use a different password with every account access that you have. You can test the strenght of your password here.
A study at Cambridge University in 1999 examines the memorability and security of passwords. A paper describing it can be found here.

When browsing
While browsing, sometimes we get those popup windows that pose as a security warning that you might be having. They can be very disturbing, and vendors of those products try to trick people into visiting their website. By clicking on that popup window,
it takes you to their website from where you can download their product. This is very misleading because it tricks people to think that they might be having a security problem and that maybe they should download this programme to be on the safe side.
What you should not do is react quickly to those messages and click on the to see what they are for.
Internet Explorer and Mozilla browsers have popup window blockers that you can configure youself. For instance, on trusted websites or the websites that you usually open and you want them to allow pop ups then you can set your browser to accept them
from that particular website. You can do the opposite for sites you do not trust.

Making Internet Explorer more secure
The default settings of IE can be changed to enhance security. They are set to allow users to view web pages with everything they have to offer, this sometimes though
is not a secure practice and can cause security risks.
In its security zones you can manualy change the Custom level to the settings you want. In each setting you can either choose the Enabling, Prompting or Disabling function.
For ActiveX controls you can chose to run only the signed ones. You can find out more
on IE security settings from here.

About Autofill
It is a new trend that for the ease of use, browsers now use the Autofill feature that enable you to enter addresses, credit card numbers and other data with only a couple of keystrokes as it stores that information the first time so when you visit a website you only need to put the first couple of letters or digits and it shows the whole string of characters that you want to use.
It might sound helpful but it can lead to a few problems. For example someone who has access to your computer can view your details, make purchases in your name and discover where you live. You do not need to do much to avoid this, just follow a couple of best practices:
Use different passwords for logging in and for accessing files or websites, or even better, disable the Autofill feature and delete all the information that already has been stored in your computer.
For Mac's Safari browser you go to Preferences, click on AutoFill, and deselect User Names And Passwords and Other Forms. Then click on the Edit button next to each of these options, and, in the sheet that appears, click on Remove All and then on Done. In Firefox, choose Firefox: Preferences, click on Security, and deselect Remember Passwords For Sites. Then go to /Users/your user name/ Library/Application Support/Firefox/ Profiles/your profile and delete the formhistory.dat file.

Completely wiping data from your PC
If you are planning to sell or give away your PC, even if you give it away to be recycled,
it is important that you make sure you wipe out all the data in your hard drive as there
might be some personal data like financial information that could be used for identity theft.
Simply deleting personal files or email boxes is not enough as they can leave traces of your account information. Even emptying the recycle bin does not totally remove data from the hard disk. What happens is that when we are deleting a file, windows only removes the file name from its directory files and not the data itself. There are some tools that can be used to view the hard drive and undelete the information you thought you have got rid off.
Another more efficient way of permanently deleting data is by formating your disk.
You need to delete the disk partition and format the disk.
More information on how to delete a partition here.

Accidents and Risks
Lost laptops
It has been a growing concern to many IT security experts of the increasing numbers of portable laptops. This, at the same time increases the possibilities of these portable computers of being stolen or lost with the information they contain being also lost. They are an easy target to thiefs as they are easily identifiable. Not all employees are aware of the security risks that they impose to their organisation, and that can only change through training and even sanctions when cases like these happen.
Most criminals use laptops to sell their hardware or get the value of the machine but companies cannot risk having their critical data fall to the wrong hands.
It is imporant that data in a laptop is protected. Just using a password is not enough as hackers can use dictionary attacks to uncover them. However, encrypting your hard disk with all its date within, leaves nothing for the thief to uncover. Another thing that users can do, is carry their laptops in casual bags rather than laptop cases. Backing up their data every so often is also important. There is also tracing technology that can be put on laptops that can help users get it back. Ztrace is one of them.
Some good practices on laptop use:
Treat your laptop like cash. Always look out for it.
Keep it locked. Secure it with a cable that attaches to a desk or chair.
Keep it off the floor. It is easier for people to steal it when its on the floor, without you noticing. Its better to keep it between your feet.
Do not leave it in the car. Not even for a minute. Someone might even break your car to get access to your laptop.

Bots, Botnets and Rootkits
Bots are little programmes installed in a system without any user intervention.
Botnets are networks of computers on which a bot has been installed. They are managed remotely from a Command and Control (C&C) server. Those programmes are used
to hijack computers for online criminal activities such as identity theft, scams, spam email. They usually involve computers from different countries, making tracking more difficult. Computer users are the weakest link in this situation as well. Educating everyday users in detecting malicious activity in their computers is essential.
Botnets represent an increasing problem theatening everyday users, governments, industries and companies.
A rootkit is a piece of software that can be installed in a system without you knowing. It is not always malicious, as it can be pafrt of a larger software package that is not supposed to cause any harm. On the other hand, it is used by attackers to open access for them, monitor your actions, modify programs and even perform actions on your computer unoticed.

return to top

Internet Storm Center Infocon Status

 

 


 
FORTH Logo  
 
Home