Friday, October 26, 2007

Good Security Practices for Computer Users

Ultimately, computer security is the user's responsibility. You, the user, must be alert to possible breaches in security and adhere to the security regulations that have been established within your agency. The security practices listed here are not all-inclusive; they are designed to remind you of, and raise your awareness about, securing your information resources:

Protect your equipment:

  • Keep it in a secure environment

  • Keep food, drink, and cigarettes AWAY from it

  • Know where the fire suppression equipment is located and know how to use it

Protect your area:

  • Keep unauthorized people AWAY from your equipment and data

  • Challenge strangers in your area

Protect your password:

  • Never write it down or give it to anyone

  • Don't use names, numbers or dates which are personally identified with you

  • Change it often, but change it immediately if you think it has been compromised

Protect your files:

  • Don't allow unauthorized access to your files and data. Never leave your equipment unattended with your password activated; sign off before leaving your computer workstation.

  • Activate your screen saver with a password logon required.

Protect against viruses:

  • Don't use unauthorized software

  • Back up your files before implementing ANY new software

  • Lock up storage media containing sensitive data: If the data or information is sensitive or critical to your operation, lock it up!

Back up your data:

  • Keep duplicates of your sensitive data in a safe place, out of your immediate area.

  • Back it up as often as necessary.

Report security violations:

  • Tell your manager if you see any unauthorized changes to your data

  • Immediately report any loss of data or programs, whether automated or hard copy

Network Printer:

Today's network printers contain built-in FTP, web, and Telnet services as part of their OS. Network printers with these services enabled can be readily exploited and are often overlooked by system administrators as a security threat. They can be, and often are, exploited as FTP bounce servers or Telnet jump-off platforms, or through their web management services.

  • Change the default password to a complex password.

  • Explicitly block the printer ports at the boundary router/firewall and disable these services if not needed.

Simple Network Management Protocol (SNMP):

SNMP is widely used by network administrators to monitor and administer all types of computers (e.g., routers, switches, printers). SNMP uses an unencrypted "community string" as its only authentication mechanism. Attackers can use this weakness in SNMP to possibly gather information from, reconfigure or shut down a computer remotely. If an attacker can collect SNMP traffic on a network, they can learn a great deal about the structure of the network as well as the systems and devices attached to it.

Disable the SNMP server on any computer where it is not necessary. However, if SNMP is a requirement, then consider the following.

  • Allow read-only access and not read-write access via SNMP.

  • Do not use standard community strings (e.g., public, private).

  • If possible, only allow a small set of computers access to the SNMP server on the computer.
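The three SNMP recommendations above can be checked mechanically. The following is an added example, not part of the original post: it audits community directives in a net-snmp style snmpd.conf. The sample configuration is constructed, and the max_hosts threshold for "a small set of computers" is an assumption.

```python
import ipaddress

RW = "read-write access"
DEFAULT = "standard community string"
OPEN = "no source restriction"
BROAD = "source range too broad"

# Constructed sample in net-snmp snmpd.conf syntax, not taken from a real host.
SAMPLE_CONF = """\
# constructed example
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity n0c-Mon1tor-7f3a 192.0.2.10
rocommunity n0c-Mon1tor-7f3a default
"""

def audit_snmpd_conf(text, max_hosts=16):
    """Return (line number, finding) pairs for risky community directives.

    max_hosts is an assumed cut-off for what counts as a small set of sources.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("rocommunity", "rwcommunity"):
            continue
        directive, community = fields[0], fields[1]
        # With no SOURCE field the directive applies to any client ("default").
        source = fields[2] if len(fields) > 2 else "default"
        if directive == "rwcommunity":
            findings.append((lineno, RW))
        if community.lower() in ("public", "private"):
            findings.append((lineno, DEFAULT))
        if source == "default":
            findings.append((lineno, OPEN))
            continue
        try:
            net = ipaddress.ip_network(source, strict=False)
        except ValueError:
            continue  # hostname source: counts as a single host
        if net.num_addresses > max_hosts:
            findings.append((lineno, BROAD))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```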

Network Security Testing:

  • Test regularly the security of all of the following computers on the network: clients, servers, switches, routers, firewalls and intrusion detection systems.

  • Do this after any major configuration changes on the network.

Block Certain E-Mail Attachment Types:

There are numerous kinds of executable file attachments that many organizations do not need to routinely distribute via e-mail. If possible, block these at the perimeter as a countermeasure against the malicious code threat. The specific file types that can be blocked are:

.bas .hta .msp .url
.bat .inf .mst .vb
.chm .ins .pif .vbe
.cmd .isp .pl .vbs
.com .js .reg .ws
.cpl .jse .scr .wsc
.crt .lnk .sct .wsf
.exe .msi .shs .wsh

It may be prudent to add file types to this list, or remove them from it, depending upon operational realities. For example, it may be practical to block files from applications in the Microsoft Office family, all of which can contain an executable component. Most notable are Microsoft Access files, which, unlike other members of the Office family, have no intrinsic protection against malicious macros.
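A perimeter filter for the list above has to look at every MIME part and normalize the file name before comparing. The following is an added example, not part of the original post: it checks the final extension of each attachment against the list, case-insensitively and ignoring trailing dots and spaces. The sample message is constructed.

```python
import os
from email import message_from_string

# The 32 extensions from the list above.
BLOCKED = frozenset("""
.bas .hta .msp .url .bat .inf .mst .vb .chm .ins .pif .vbe .cmd .isp .pl .vbs
.com .js .reg .ws .cpl .jse .scr .wsc .crt .lnk .sct .wsf .exe .msi .shs .wsh
""".split())

def blocked_extension(filename):
    """Return the blocked final extension of filename, or None."""
    # Windows ignores trailing dots and spaces, so "a.scr." still opens as .scr.
    name = filename.strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]
    return ext if ext in BLOCKED else None

def blocked_attachments(raw_message):
    """Return (filename, extension) for each MIME part that should be blocked."""
    hits = []
    # walk() descends into nested multiparts; get_filename() falls back to the
    # Content-Type "name" parameter when there is no Content-Disposition.
    for part in message_from_string(raw_message).walk():
        filename = part.get_filename()
        ext = blocked_extension(filename) if filename else None
        if ext:
            hits.append((filename, ext))
    return hits

# Constructed sample message (not captured mail).
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.PDF.EXE"

x
--b1
Content-Type: application/octet-stream; name="photo.jpg.scr."

x
--b1--
"""
```

Calling blocked_attachments(SAMPLE) reports the second and third parts and lets report.pdf through.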


Guidelines to Protect Information

In the modern world of computer and information technology, personal computers and on-line and Internet access have placed the power of the computer into the hands of the users. These users are developing and using many different types of computer applications, and performing other data processing functions which previously were done only by computer operations personnel. These advances have greatly improved our efficiency and effectiveness but have also presented a serious challenge in achieving adequate data security. This section will make you aware of some of the undesirable things that can happen to data and will provide some practical solutions for reducing your exposure to these threats.

Some common-sense protective measures can reduce the risk of loss, damage, or disclosure of information. Following are the most important areas of information systems controls that assure that the system is properly used, resistant to disruptions, and reliable.

Make certain no one can impersonate you. If a password is used to verify your identity, this is the key to system security. Do not disclose your password to anyone, or allow anyone to observe your password as you enter it during the sign-on process. If you choose your own password, avoid selecting a password with any personal associations, or one that is very simple or short. The aim is to select a password that would be difficult to guess or derive. "1REDDOG" would be a better password than "DUKE."

If your system allows you to change your own password, do so regularly. Find out what your agency requires, and change passwords at least that frequently. Periodic password changes keep undetected intruders from continuously using the password of a legitimate user.

After you are logged on, the computer will attribute all activity to your user id. Therefore, never leave your terminal without logging off, even for a few minutes. Always log off or otherwise inactivate your terminal so no one can perform any activity under your user id while you are away from the area.

Safeguard sensitive information from disclosure to others. People often forget to lock up sensitive reports and computer media containing sensitive data when they leave their work areas. Information carelessly left on top of desks and in unlocked storage can be casually observed, or deliberately stolen. Every employee who works with sensitive information should have lockable space available for storage when information is not in use. If you aren't sure what information should be locked up or what locked storage is available, ask your manager.

While working, be aware of the visibility of data on your personal computer or terminal display screen. You may need to reposition equipment or furniture to eliminate over-the-shoulder viewing. Be especially careful near windows and in public areas. Label all sensitive diskettes and other computer media to alert other employees of the need to be especially careful. When no longer needed, sensitive information should be deleted or discarded in such a way that unauthorized individuals cannot recover the data. Printed reports should be finely shredded, while data on magnetic media should be overwritten. Files that are merely deleted are not really erased and can still be recovered.

Install physical security devices or software on personal computers.

The value and popularity of personal computers make theft a big problem, especially in low-security office areas. Relatively inexpensive hardware devices greatly reduce the risk of equipment loss. Such devices involve lock-down cables or enclosures that attach equipment to furniture. Another approach is to place equipment in lockable cabinets.

When data is stored on a hard disk, take some steps to keep unauthorized individuals from accessing that data. A power lock device only allows key-holders to turn on power to the personal computer. Where there is a need to segregate information between multiple authorized users of a personal computer, additional security in the form of software is probably needed. Specific files could be encrypted to make them unintelligible to unauthorized staff, or access control software can divide storage space among authorized users, restricting each user to their own files.

Avoid costly disruptions caused by data or hardware loss. Disruptions and delays are expensive. No one enjoys working frantically to re-enter work, do the same job twice, or fix problems while new work piles up. Most disruptions can be prevented, and the impact of disruptions can be minimized by advance planning.

Proper environmental conditions and power supplies minimize equipment outages and information loss. Many electrical circuits in office areas do not constitute an adequate power source, so dedicated circuits for computer systems should be considered. Make certain that your surroundings meet the essential requirements for correct equipment operation. Cover equipment when not in use to protect it from dust, water leaks, and other hazards.

For protection from accidental or deliberate destruction of data, regular data backups are essential. Complete system backups should be taken at intervals determined by how quickly information changes or by the volume of transactions. Backups should be stored in another location, to guard against the possibility of original and backup copies being destroyed by the same fire or other disaster.

Maintain the authorized hardware/software configuration. Some organizations have been affected by computer "viruses" acquired through seemingly useful or innocent software obtained from public access bulletin boards or other sources; others have been liable for software illegally copied by employees. The installation of unauthorized hardware can cause damage, invalidate warranties, or have other negative consequences. Install only hardware or software that has been acquired through normal acquisition procedures and comply with all software licensing agreement requirements.
