Security Tutorial
Description: Things clients can do to increase their own security.
Key words: server, security, standards, encryption, passwords, PKI, physical, power-down, keys
Type: Articles
Category: Security Articles
Last updated: 2003-12-01 15:02:50
Below is a brief summary of things that Clients can do to maximize
security from their end. While this list is not exhaustive, implementing
these suggestions will make it extremely difficult for unauthorized individuals
or groups to gain access to information you would like to keep secure.
Really and truly, security is (mostly) a matter of common sense. Very little
in this list will come as a surprise to anyone. The trick is consistent
implementation and development of good security habits.
Passwords and Certificates/PKI
All confidential information should be password protected (and probably
encrypted). Computers that house such information should require users
to enter a password at startup (BIOS password) and logon, or any time they
access the information you wish to keep secure. It is also a good idea
to use screensavers that lock and require a password to unlock, as this
helps prevent unauthorized access to information while the user is away
without forcing the user to log out of the computer completely.
Strong Passwords
Don't use weak passwords. Examples of weak passwords:
Jamie (someone's name)
JFSebas1 (someone's user ID)
AOIndustries (company name)
monsters (dictionary word)
B2pxQ (too short)
Strong passwords should be gibberish, no less than eight (8) characters
long, and contain letters (lower and uppercase) and numbers. Examples of
strong passwords:
Hp46nQu2
5i921gGe4zJ8y1
While strong passwords may seem somewhat difficult to remember and type,
they will go a very long way in keeping your information away from prying
eyes. Clients for whom security is a priority should also make it a policy
to change their passwords at least once a month. Never reuse your password
(e.g. don't use the same password for logging on to your computer and
accessing your account information). And don't use rotating password lists.
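As an added example (not code from the original tutorial), the checker below applies exactly the rules stated above: at least eight characters, both lowercase and uppercase letters, digits, and nothing built from a name, user ID, company name or dictionary word. The context words and the tiny dictionary are constructed stand-ins; a real deployment would take the name and login from the account record and use a full wordlist.

```python
"""Password check applying the tutorial's rules. Example code added here,
not part of the original article; word lists are constructed samples."""
import re

MIN_LENGTH = 8

# Constructed context words: facts about the user that anyone could learn
# (name, login, employer). In practice, pull these from the account record.
CONTEXT_WORDS = ("Jamie", "JFSebas", "AO Industries")

# Constructed stand-in for a real dictionary wordlist.
DICTIONARY = ("monster", "password", "welcome", "secret", "dragon", "summer")


def _normalise(word):
    """Lowercase and drop non-alphanumerics so that 'AO Industries'
    is found inside 'AOIndustries'."""
    return re.sub(r"[^a-z0-9]", "", word.lower())


def password_problems(password, known_words=CONTEXT_WORDS + DICTIONARY,
                      min_length=MIN_LENGTH):
    """Return the list of reasons a password fails the rules above.
    An empty list means the password passes every check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short (fewer than {min_length} characters)")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    candidate = _normalise(password)
    for word in known_words:
        norm = _normalise(word)
        # Ignore very short words: a two-letter company abbreviation
        # would otherwise reject almost everything.
        if len(norm) >= 4 and norm in candidate:
            problems.append(f"contains known word '{word}'")
    return problems


def is_strong(password, **kwargs):
    """True when password_problems() finds nothing to complain about."""
    return not password_problems(password, **kwargs)


if __name__ == "__main__":
    # The tutorial's own weak and strong examples.
    for pw in ("Jamie", "JFSebas1", "AOIndustries", "monsters", "B2pxQ",
               "Hp46nQu2", "5i921gGe4zJ8y1"):
        verdict = password_problems(pw)
        print(f"{pw:16} {'OK' if not verdict else '; '.join(verdict)}")
```

Run as a script it reports every weak example from the list above with its reason and passes both strong examples. The substring check is what catches "JFSebas1": appending a digit to a known word does not rescue it. Adding a list of previously breached passwords to `known_words` extends the check without changing the logic.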
Don't disseminate passwords
While this seems like it should be a no-brainer, you would be amazed
at how quickly most people will give out their passwords. To give you an
idea:
In an interview with one of the more infamous crackers, an interviewer
asked the cracker how he managed to bypass the security of so many corporations.
Everyone, including the interviewer, was expecting to be hit with some
great code-cracking secret. They were quite surprised when the cracker
responded simply, "People." After a dramatic pause, the cracker gleefully
continued to explain how all he had to do was call the front desk of some
company. Once the operator/secretary answered the phone, he would ask to
be transferred to maintenance. As soon as someone in maintenance answered
the phone, the cracker would then ask to be transferred to accounting (or
some other appropriate department). As soon as someone in the accounting
department picked up the phone, the cracker was set. All he had to do was
pretend to be a person in maintenance and tell the accountant that he needed
to fix some files which required the use of the accountant's password.
By the cracker's own recollection, he was given the password about 80%
of the time.
LESSON: People in maintenance don't need passwords. In fact, nobody
but YOU needs your password. Since only YOU need your password, don't give
it to anyone else - regardless of who they say they are. To the best of
our knowledge, no one has ever been reprimanded for NOT giving out their
password.
The only exception to this rule concerns the possible use of encryption.
If you encrypt corporate data with a private key, your maintenance folks
may want the key just in case you get hit by a bus or something.
Be aware of who is physically present when you enter your password
If you don't want the person standing behind you to know your password,
ask them to back off or look away. Simple? Yes. Often implemented? No.
Don't keep passwords and encryption keys on the same computer as the data they protect
For people looking to compromise your data, finding a file full of passwords
and encryption keys is like winning the lottery - except it's your money they're
getting. The best place to keep password lists is on paper, in a safe - or at
least in something with a lock on it. Keeping such information on Personal
Information Managers is generally not a good idea because they are small and
easy to misplace/steal. The same holds true for laptops.
Keep user, file, and directory permissions set so that only authorized users have access to confidential information
Though this procedure is fairly self-explanatory, it is a little more technical
and requires both an operating system and personnel with the ability to
manipulate file and directory properties.
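One way to make the permission check above routine is an audit script. The example below is added here and is not the tutorial's own procedure; it walks a directory, reports every file or directory that users other than the owner can read or write (or that an unexpected uid owns), and can strip those bits. The sample tree it builds is constructed, and the "allowed owners" default is an assumption (the current user).

```python
"""Audit a confidential directory tree for loose Unix permissions.
Example code added here, not part of the original article."""
import os
import stat
import tempfile


def mode_reasons(mode):
    """Describe the permission bits that let non-owners at the entry."""
    reasons = []
    if mode & stat.S_IROTH:
        reasons.append("world-readable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons


def audit_tree(root, allowed_owners=None):
    """Return sorted (relative path, reasons) pairs for every entry under
    root that non-owners can read or write, or that an unexpected uid owns.
    Assumption: the current user is the only allowed owner by default."""
    if allowed_owners is None:
        allowed_owners = {os.getuid()}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is audited where it lives
            reasons = mode_reasons(st.st_mode)
            if st.st_uid not in allowed_owners:
                reasons.append(f"owned by uid {st.st_uid}")
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)


def tighten(root, dry_run=True):
    """Remove group-write and all world bits under root.
    Returns the paths that would change (dry run) or did change."""
    changed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            old = stat.S_IMODE(st.st_mode)
            new = old & ~(stat.S_IRWXO | stat.S_IWGRP)
            if new != old:
                if not dry_run:
                    os.chmod(full, new)
                changed.append(os.path.relpath(full, root))
    return sorted(changed)


def build_sample_tree():
    """Create a constructed tree: one file left world-readable, one locked down."""
    root = tempfile.mkdtemp(prefix="confidential-")
    loose = os.path.join(root, "payroll.csv")
    tight = os.path.join(root, "notes.txt")
    for path in (loose, tight):
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
    os.chmod(loose, 0o644)
    os.chmod(tight, 0o600)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, reasons in audit_tree(root):
        print(f"{path}: {', '.join(reasons)}")
    print("would change:", tighten(root, dry_run=True))
    tighten(root, dry_run=False)
    print("after tightening:", audit_tree(root))
```

Group-readable is deliberately not flagged, since a group is often how "authorized users" is expressed; group-writable and anything world-accessible are. Run `tighten` in dry-run mode first and review the list, because removing world-read from a directory that a service account legitimately needs will break that service.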
Remove unneeded accounts
It is not uncommon for an unneeded account to sit around for months (or possibly
even years) before being removed from a computer. Such accounts are just another
way for unauthorized individuals to seek access to your information. For this
reason it is important to delete these accounts as soon as it is clear they will
no longer be needed.
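Finding the accounts the paragraph above describes is easier with a periodic report than by memory. The example below is added here (not part of the tutorial) and works on constructed `/etc/passwd`-style records plus a constructed last-login table; on a real system the dates would come from `lastlog`, `wtmp` or the directory service. It flags interactive accounts that have never logged in or have been idle past a cutoff, and skips system accounts (uid below 1000 or a non-login shell), which need a separate review.

```python
"""Report login accounts that look unneeded: never used, or idle too long.
Example code added here, not part of the original article; all data is constructed."""
from datetime import date

# Constructed /etc/passwd-style records (not real accounts).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
contractor:x:1002:1002:Temporary contractor:/home/contractor:/bin/bash
oldintern:x:1003:1003:Summer intern 2002:/home/oldintern:/bin/bash
backup:x:1004:1004:Nightly backup job:/var/backups:/usr/sbin/nologin
"""

# Constructed last-login dates (ISO format); None means never logged in.
LAST_LOGIN = {
    "root": "2003-11-30",
    "jsmith": "2003-11-28",
    "contractor": "2003-06-15",
    "oldintern": None,
}

# "Today" for the constructed data: the tutorial's own last-updated date.
AS_OF = date(2003, 12, 1)

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Yield (user, uid, shell) for each record; reject malformed lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        yield fields[0], int(fields[2]), fields[6]


def stale_accounts(passwd_text, last_login, today, max_idle_days=90, min_uid=1000):
    """Return (user, reason) pairs for interactive accounts that have never
    logged in or have not logged in within max_idle_days of today."""
    stale = []
    for user, uid, shell in parse_passwd(passwd_text):
        if uid < min_uid or shell in NOLOGIN_SHELLS:
            continue  # system and service accounts: review separately
        last = last_login.get(user)
        if last is None:
            stale.append((user, "never logged in"))
            continue
        idle = (today - date.fromisoformat(last)).days
        if idle > max_idle_days:
            stale.append((user, f"idle {idle} days"))
    return stale


if __name__ == "__main__":
    for user, reason in stale_accounts(PASSWD, LAST_LOGIN, AS_OF):
        print(f"{user:12} {reason}")
```

The report is a starting point for the owner's decision, not an automatic deletion: an account idle for a quarter may belong to someone on leave, so the usual sequence is to disable first, wait, then remove.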
Use Secure Shell and Secure FTP to our server whenever possible
When connecting to any machine (or in this case, our machine) it is always a
very good idea to use an encrypted protocol such as Secure Shell, Secure FTP,
or HTTPS. Utilizing secure connection protocols prevents you from having to send
passwords in a way that is easily observed, and helps prevent the possible
compromise of information you wish to keep private.
Basic physical security
Physical security does not necessarily mean hiring thick-necked thugs
to threaten people with bodily harm for standing in the wrong place at
the wrong time, though depending on your budget we suppose it could. For
most people, physical security is simply a matter of remembering to lock
doors and file cabinets at the end of the day.
Laptops
Laptops, like PIMs, are small. This makes them convenient for both the
individuals who own them and the individuals who would like to own them
by means of theft. If you're lucky, the thief will only pawn your new tech
for beer money. If you're not, well... you can probably use your imagination.
For this reason maintaining close physical proximity to your portable computer
gear is very important. Be especially mindful in airports, as that's where
most thefts occur. It's 10:00 p.m., do you know where your laptop is?
Power down
Locking doors and file cabinets isn't the only thing you should do at
the end of the day. Shutting down your computer is also a good idea. Not
only does this help lower your power bill, it makes it harder for people
to access your computer while you're gone. Remember that part earlier about
setting your BIOS and logon passwords? This holds especially true for computers
that maintain a constant, static connection to the internet. It's hard
to crack a computer when it doesn't have any electricity running through
it.
Keep virus scanners updated and running at all times
You can never go wrong with virus scanners. Keep them up and active
every second your computer is on. You never know when they're going to
catch something. Also, make sure the "auto update" options are switched
on. This will make the upkeep of your virus scanning software more convenient
and, at the same time, provide better protection.
Don't open anonymous email attachments
It's never a good idea to open a file you get via email, period - regardless of
whom it's from. If you MUST open attachments, don't do it on a machine that
holds important information, and at least have some idea who sent the file.
Remember the Melissa virus?
Maintain the newest versions of your software
Companies are constantly coming out with patches and newer versions of software.
Usually this is because there was a problem with the older version and they've
fixed it, though sometimes it's just because they want more money. In the former
case, it's usually a good idea to purchase or download the update/patch
(assuming it is cost effective). This is especially true for patches to programs
which deal with the Internet and security. Keeping such files current helps
users stay ahead of the vulnerability curve.
Unauthorized reproduction of the articles and photographs on this site is prohibited. Copyright belongs to AO Industries.