AO Industries, Inc.
Security Tutorial
Article Summary

Title: Security Tutorial
Description: Things clients can do to increase their own security.
Key Words: server, security, standards, encryption, passwords, PKI, physical, power-down, keys
Category: Security Articles
Last Updated: 2003-12-01 15:02:50


Below is a brief summary of things that Clients can do to maximize security from their end. While this list is not exhaustive, implementing these suggestions will make it extremely difficult for unauthorized individuals or groups to gain access to information you would like to keep secure. Really and truly, security is (mostly) a matter of common sense. Very little in this list will come as a surprise to anyone. The trick is consistent implementation and development of good security habits.

Passwords and Certificates/PKI
All confidential information should be password protected (and probably encrypted). Computers that house such information should require users to enter a password at startup (BIOS password) and logon, or any time they access the information you wish to keep secure. It is also a good idea to use screensavers that lock and require the use of a password to unlock, as this helps prevent unauthorized access of information while the user is away without forcing the user to completely log out of the computer.
Strong Passwords
Don't use weak passwords. Examples of weak passwords:

Jamie (someone's name)
JFSebas1 (someone's user ID)
AOIndustries (company name)
monsters (dictionary word)
B2pxQ (too short)

Strong passwords should be gibberish, no less than eight (8) characters long, and contain letters (lower and uppercase) and numbers. Examples of strong passwords:


While strong passwords may seem somewhat difficult to remember and type, they will go a very long way in keeping your information away from prying eyes. Clients for whom security is a priority should also make it a policy to change their passwords at least once a month. Never reuse your password (e.g. don't use the same password for logging on to your computer and accessing your account information). And don't use rotating password lists.
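The rules above (at least eight characters, mixed-case letters plus digits, nothing built on a name, user ID, company name or dictionary word) can be enforced mechanically. The checker below is an added example, not code from AO Industries; the personal terms are the tutorial's own weak examples, the dictionary and the final passing candidate are constructed for the demo, and a real deployment would load the user's profile fields and a full wordlist instead.

```python
import re

MIN_LENGTH = 8

# Constructed sample data. The personal terms are the tutorial's weak-password
# examples (a name, a user ID, the company name); the dictionary is a tiny stand-in
# for a real wordlist (assumption, not from the page).
PERSONAL_TERMS = ("jamie", "jfsebas", "aoindustries")
DICTIONARY = frozenset({"monster", "monsters", "password", "welcome", "secret"})


def password_problems(password, personal_terms=PERSONAL_TERMS, dictionary=DICTIONARY):
    """Return the list of rules the password breaks; an empty list means it is acceptable."""
    problems = []
    lowered = password.lower()

    # Rule 1: no less than eight characters.
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Rule 2: must mix lowercase letters, uppercase letters and digits.
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Rule 3: not built on a name, user ID or company name, even with digits
    # appended. This is what catches "JFSebas1", which satisfies rules 1 and 2.
    for term in personal_terms:
        if term in lowered:
            problems.append("contains personal/company term %r" % term)
    # Rule 4: not a dictionary word. Digits and symbols are stripped first so that
    # "monsters1" is rejected just like "monsters".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in dictionary:
        problems.append("dictionary word %r" % letters_only)
    return problems


def is_strong(password, **kwargs):
    return not password_problems(password, **kwargs)


if __name__ == "__main__":
    # The tutorial's five weak examples plus one constructed candidate that follows the rules.
    for candidate in ("Jamie", "JFSebas1", "AOIndustries", "monsters", "B2pxQ", "x7Qr2mLp"):
        print("%-14s %s" % (candidate, password_problems(candidate) or "OK"))
```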
Don't disseminate passwords
While this seems like it should be a no-brainer, you would be amazed at how quickly most people will give out their passwords. To give you an idea:

In an interview with one of the more infamous crackers, an interviewer asked the cracker how he managed to bypass the security of so many corporations. Everyone, including the interviewer, was expecting to be hit with some great code-cracking secret. They were quite surprised when the cracker responded, simply "People." After a dramatic pause, the cracker gleefully continued to explain how all he had to do was call the front desk of some company. Once the operator/secretary answered the phone, he would ask to be transferred to maintenance. As soon as someone in maintenance answered the phone, the cracker would then ask to be transferred to accounting (or some other appropriate department). As soon as someone in the accounting department picked up the phone, the cracker was set. All he had to do was pretend to be a person in maintenance and tell the accountant that he needed to fix some files which required the use of the accountant's password. According to the cracker's recollection, he said he would be given the password about 80% of the time.

LESSON: People in maintenance don't need passwords. In fact, nobody but YOU needs your password. Since only YOU need your password, don't give it to anyone else - regardless of who they say they are. To the best of our knowledge, no one has ever been reprimanded for NOT giving out their password.

The only exception to this rule concerns the possible use of encryption. If you encrypt corporate data with a private key, your maintenance folks may want the key just in case you get hit by a bus or something.
Be aware of who is physically present when you enter your password
If you don't want the person standing behind you to know your password, ask them to back off or look away. Simple? Yes. Often implemented? No.
Don't keep passwords and encryption keys on the same computer as the data they protect
For people looking to compromise your data, finding a file full of passwords and encryption keys is like winning the lottery - except it's your money they're getting. The best place to keep password lists is on paper, in a safe - or at least in something with a lock on it. Keeping such information on Personal Information Managers is generally not a good idea because they are small and easy to misplace/steal. The same holds true for laptops.
Keep user, file, and directory permissions set in such a way that only authorized users have access to confidential information
Though this procedure is fairly self-explanatory, it is a little more technical than the others: it requires both an operating system that supports per-user file and directory permissions and personnel who know how to set them.
Remove unneeded accounts
It is not uncommon for an unneeded account to sit around for months (or possibly even years) before being removed from a computer. Such accounts are just another way for unauthorized individuals to seek access to your information. For this reason it is important to delete these accounts as soon as it is clear they will no longer be needed.
Use Secure Shell and Secure FTP to our server whenever possible
When connecting to any machine (or in this case, our machine) it is always a very good idea to use an encrypted protocol such as Secure Shell, Secure FTP, or HTTPS. Utilizing secure connection protocols prevents you from having to send passwords in a way that is easily observed, and helps prevent the possible compromise of information you wish to keep private.
Basic physical security
Physical security does not necessarily mean hiring thick-necked thugs to threaten people with bodily harm for standing in the wrong place at the wrong time, though depending on your budget we suppose it could. For most people, physical security is simply a matter of remembering to lock doors and file cabinets at the end of the day.
Laptops, like PIMs, are small. This makes them convenient for both the individuals who own them and the individuals who would like to own them by means of theft. If you're lucky, the thief will only pawn your new tech for beer money. If you're not, well... you can probably use your imagination. For this reason maintaining close physical proximity to your portable computer gear is very important. Be especially mindful in airports, as that's where most thefts occur. It's 10:00 p.m., do you know where your laptop is?
Power down
Locking doors and file cabinets isn't the only thing you should do at the end of the day. Shutting down your computer is also a good idea. Not only does this help lower your power bill, it makes it harder for people to access your computer while you're gone. Remember that part earlier about setting your BIOS and logon passwords? This holds especially true for computers that maintain a constant, static connection to the internet. It's hard to crack a computer when it doesn't have any electricity running through it.
Keep virus scanners updated and running at all times
You can never go wrong with virus scanners. Keep them up and active every second your computer is on. You never know when they're going to catch something. Also, make sure the "auto update" options are switched on. This will make the upkeep of your virus scanning software more convenient and, at the same time, provide better protection.
Don't open anonymous email attachments
It's never a good idea to open a file you get via email, period - regardless of whom it's from. If you MUST open attachments, don't do it on a machine that holds important information, and at least have some idea who sent the file. Remember the Melissa virus?
Maintain the newest versions of your software
Companies are constantly coming out with patches and newer versions of software. Usually this is because there was a problem with the older version and they've fixed it, though sometimes it's just because they want more money. In the former case, it's usually a good idea to purchase or download the update/patch (assuming it is cost effective). This is especially true for patches to programs which deal with the Internet and security. Keeping such files current helps users stay ahead of the vulnerability curve.
Copyright © 2000-2024 AO Industries, Inc.