Copyright © Center for Systems Security and Information Assurance Lesson Two Practicing Safe Personal Computing

Upload: nelson-tyler

Post on 25-Dec-2015


Page 1: Copyright © Center for Systems Security and Information Assurance Lesson Two Practicing Safe Personal Computing

Copyright © Center for Systems Security and Information Assurance

Lesson Two

Practicing Safe Personal Computing

Page 2

Lesson Objectives

• Review best practices in safe and secure personal computing.

• Focus on individual responsibilities in personal computing:
  • Password protections
  • Physical protections
  • E-mail protection
  • Viruses and malicious code protection
  • Personal identification protection

Page 3

Lesson Objectives Continued

• Identify the five components of practicing personal information security.

• List the best practices related to:
  • Password usage and management
  • Instituting effective physical security related to personal computing
  • Personal protection against malicious code and viruses

• Identify guidelines to protect against:
  • Threats launched via e-mail
  • The theft of credit and personal identification

Page 4

Terms

• Password generator
• Patch or service pack

Page 5

Essentials of Password Protection

• Select a good, secure password.
• Change passwords frequently.
• Do not use a blank or null password.
• Do not use the word "password".
• Do not use common words that can be found in a dictionary.
• Do not use passwords that are directly related to you like names, address, or anything that someone could guess.
• Do not choose passwords that can be found in DNS records.

Page 6

Essentials of Password Protection

• Choose passwords that are a minimum of eight characters in length.

• Use a combination of letters, numbers and special characters ($, *, !, etc.).

• Use the first (or second, or last, ...) letter of each word in a phrase.

• Make sure that no one is peering over your shoulder when you type in your password.

Page 7

Essentials of Password Protection

• When more than one user is sharing a machine, ensure each has a different username and password.

• Change the "administrator" account name.

• Disable the guest account.

• To defeat automated scanning tools, set the Windows registry value "RestrictAnonymous" to 2:
  HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=2

http://www.winguides.com/registry/display.php/97/

Page 8

Essentials of E-mail Protection

• Personal e-mail usage has provided an easy conduit for malicious code delivery.

• The ILOVEYOU worm and a host of more recent attacks have highlighted the vulnerability of modern e-mail systems.

• Microsoft e-mail clients in particular have been widely targeted by malicious code writers because of the popularity and rich programming model of MS Outlook.

Page 9

Essentials of Email Protection

• Email based attacks come in two forms:
  • Code that relies on the cooperation of the victim to open an email attachment
  • Code that exploits known vulnerabilities within the email client

• Attacks have taken advantage of security weaknesses that allow attachments or scripts embedded in the message to execute simply by previewing the message.

Page 10

Essentials of Email Protection

• If you have difficulty selecting a good password, a good method is to use the first letter of each word in a phrase you can easily remember.

Example: “Give Me Liberty Or Give Me Death” would be GMLOGMD

• Another method is to intentionally use misspelled words, or words with a number or punctuation mark suffixed.

Example: pastword, m!ss!ss!pp!, icu812, and 4cast1ng. Don't use any of these examples!
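The password rules on pages 5 and 6, the phrase method on this page, and the Exercise 2.2 generator can be put into working form. This is an added example, not code from the deck; the wordlist is a small constructed stand-in for a real cracking list, and the set of special characters is an assumption.

```python
import re
import secrets
import string

# Constructed stand-in for a cracking wordlist: common dictionary words plus the
# deck's own sample passwords, which it tells you not to use (published examples
# end up in wordlists). A real check would load a full list.
WORDLIST = {"password", "liberty", "summer", "welcome",
            "pastword", "m!ss!ss!pp!", "icu812", "4cast1ng"}
LETTERS, DIGITS, SPECIALS = string.ascii_letters, string.digits, "$*!#%&@"


def char_classes(candidate):
    """Number of character classes (letters, digits, specials) present."""
    return sum(any(c in group for c in candidate) for group in (LETTERS, DIGITS, SPECIALS))


def password_problems(candidate, personal_info=()):
    """Return the deck's rules that `candidate` violates; an empty list means it passes."""
    if not candidate:
        return ["blank or null password"]
    problems = []
    lowered = candidate.lower()
    if lowered == "password":
        problems.append("the word 'password'")
    if lowered in WORDLIST:
        problems.append("found in a wordlist")
    for item in personal_info:          # names, address, phone number, ...
        if item and item.lower() in lowered:
            problems.append(f"related to you ({item})")
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if char_classes(candidate) < 2:
        problems.append("does not mix letters, numbers and special characters")
    return problems


def phrase_to_password(phrase, position=0):
    """Take the first (0), second (1) or last (-1) letter of each word of a phrase."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return "".join(w[position] for w in words if len(w) > position)


def generate_passwords(count=12, length=12):
    """Exercise 2.2 style generator: CSPRNG passwords that use all three classes."""
    alphabet = LETTERS + DIGITS + SPECIALS
    out = []
    while len(out) < count:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if char_classes(pw) == 3 and not password_problems(pw):
            out.append(pw)
    return out


if __name__ == "__main__":
    print(phrase_to_password("Give Me Liberty Or Give Me Death"))   # GMLOGMD
    for sample in ["", "password", "icu812", "GMLOGMD", "Tr0ub4dor&3"]:
        print(repr(sample), password_problems(sample) or "ok")
    print(generate_passwords(3))
```

Running the checker over the deck's own example GMLOGMD shows it fails the eight-character and character-mix rules from page 6, so the phrase should be longer or padded with digits and punctuation.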

Page 11

Essentials of E-mail Protection

Page 12

NSA Recommended Countermeasures

The implementation of the following countermeasures can greatly minimize e-mail based attacks.

1. Install all email client updates (read the white paper for more details)

2. Keeping Up-to-Date with Patches

3. Displaying File Extensions

Page 13

NSA Recommended Countermeasures

1. Install Anti-Virus Products and Perimeter Attachment Blocking

2. Use of Internet Explorer Security Zones

3. Changing File Associations or Disabling WSH

4. MS Office Macro Protection

5. Securing the System Registry & Directories

6. Education
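As an added example (not from the deck or the NSA paper) of what "Perimeter Attachment Blocking" and "Displaying File Extensions" guard against: a filter that blocks attachment types Windows runs directly or hands to the Windows Script Host, including a script hidden behind a document extension. The extension lists and the sample attachment names are constructed assumptions.

```python
# Assumed blocklist of attachment types that Windows runs directly or hands to the
# Windows Script Host (WSH); this is the author's choice, not the NSA paper's list.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd",
                         "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta"}
# Harmless-looking types that a script might be disguised as.
DOCUMENT_EXTENSIONS = {"txt", "doc", "xls", "ppt", "jpg", "gif", "pdf"}

# Constructed sample attachment names for a single message.
SAMPLE_ATTACHMENTS = ["quarterly-report.doc", "invoice.txt.vbs",
                      "setup.exe", "README", "photo.jpg"]


def attachment_verdict(filename):
    """Classify one attachment name as ('allow', reason) or ('block', reason)."""
    # Windows ignores trailing spaces and dots in a file name, so strip them first.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return "allow", f".{final_ext} is not an executable type"
    # With "hide extensions for known file types" on, Explorer shows invoice.txt.vbs
    # as invoice.txt; that is why displaying extensions is listed as a countermeasure.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        return "block", f".{final_ext} script disguised as .{parts[-2]}"
    return "block", f".{final_ext} attachment is executable"


def filter_attachments(filenames):
    """Return (name, reason) for every attachment the perimeter should strip."""
    blocked = []
    for name in filenames:
        verdict, reason = attachment_verdict(name)
        if verdict == "block":
            blocked.append((name, reason))
    return blocked


if __name__ == "__main__":
    for name, reason in filter_attachments(SAMPLE_ATTACHMENTS):
        print(f"blocked {name}: {reason}")
```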

Page 14

What is Physical Security

• Measures adopted to prevent unauthorized access, damage, loss or interference to organizational information, information systems, services or equipment.

• Measures are determined by a physical risk assessment.

• Risk assessment evaluates both physical and electronic access to information.

Page 15

What is Physical Security

Measures and practices agencies should consider when controlling access to the workplace. Access control should:

• Cover all possible means of access including doors and other entrances, ground floor windows, etc.
• Be reviewed at regular intervals.
• Be reviewed when the use of a building or the level of risk changes.

Page 16

What is Physical Security

Include controls on entry into the workplace, where warranted, including:

• Questioning unrecognized persons
• The use of identity passes by personnel and/or visitors
• Maintaining a record of personnel who have after-hours access
• Maintaining logs of all after-hours access (including late departures and early arrivals)
• Requiring written permission for after-hours access to the workplace

Page 17

What is Physical Security

Managing visitor access by:

• Requiring all visitors to have a designated 'host' official, except for designated public areas
• Identifying or confirming a visitor by a staff member prior to being allowed entry
• Issuing all visitors a visitor identity/entry pass

Page 18

Essentials of Physical Security

• Keep floppy disks and other media in a secure place.
• Seek advice on disposing of equipment.
• Report any loss.
• Ensure sensitive or personal data is deleted from internal disks prior to disposal or transfer of desktop equipment.
• Protect your system from unauthorized use, loss or damage.

Page 19

Essentials of Physical Security

• Switch computers off overnight.
• Take measures to guard information systems from ground floor access via windows and doors.
• Keep portable equipment secure.
• Position monitors and printers so that others cannot see sensitive or personal data.
• Require written authorization and strict inventory control before taking equipment off-site.

Page 20

Viruses and Malicious Code Protection

Malicious software covers all software which has been deliberately designed to harm computer systems. Such software is spread from one system to another through:

• Downloading of files from the network or Internet
• Email (normally attachments)
• Infected floppy disks or other storage devices
• Embedding into computer games
• Sharing resources on the network

Page 21

Viruses and Malicious Code Protection

Be aware that anti-virus software cannot automatically detect newly developed viruses. Take the following precautions to guard against attack:

Staff must become familiar with the operation of the anti-virus software and must not change the scanning properties.

Staff must not open email attachments from unsolicited or untrusted sources.

Staff should monitor 'IT announcements' email for new virus alerts and take appropriate action.

Page 22

Viruses and Malicious Code Protection

Take the following precautions to guard against attack:

• Staff must only acquire software and data files from reputable sources.
• Staff must not load unauthorized software (particularly games) onto their computer.
• Staff must not use unsolicited floppy disks or CD-ROMs received from untrusted sources.

Page 23

Personal Identification Protection

• With an increase in online banking, Internet purchasing, automatic bill payment and payroll deposit, more and more people are susceptible to electronic fraud.

• If you understand how they can occur, you can better protect yourself.

Page 24

Personal Identification Protection

Account fraud and identity theft occur when someone uses your personal information, including your bank account number or Social Security number, to either withdraw money from your account or run up debt in your name, or both.

Page 25

Personal Identification Protection

• Do not have checks pre-printed with driver’s license, Social Security or telephone numbers.

• Never give out financial information such as checking account, credit card or Social Security number on the phone or online unless you initiate the call and know the person or organization you’re dealing with.

• Never give this information to a stranger, even one claiming to be from your bank or credit card company.

Page 26

Personal Identification Protection

• Always report lost or stolen checks or credit cards immediately.

• Always review new checks to make sure none have been stolen in transit.

• Always notify your bank of suspicious phone inquiries such as those asking for account information to "verify a statement".

Page 27

Personal Identification Protection

• Always guard your Personal Identification Numbers (PINs) for your ATM and credit cards, and don’t write on or keep your PINs with your cards.

• Be creative in selecting Personal Identification Numbers and passwords that enable you to access other accounts.

Remember: If someone has stolen your identity, he or she probably has some or all of this information.

Page 28

Personal Identification Protection

• Don’t put outgoing mail in an unsecured mailbox.
• If bank and credit card bills fail to reach you, call the company to find out why.
• Periodically contact the major credit reporting companies to review your file and make certain the information is correct.

Page 29

Personal Responsibilities

• Comply with the regulations, and report security breaches.

• An information security incident is an event which may compromise the confidentiality, existence, accuracy or availability of stored information in the organization.

Page 30

Reporting of Incidents

• If you become aware of any security incident that affects you or your colleagues, report it.

• In the first instance, contact your supervisor and the individual identified in the organization’s incident reporting policy.

• The incident should be logged and passed to the Information Security Officer for evaluation and possible further action.

Page 31

What is a Security Incident?

• An Information Security Incident is any event that resulted in, or could result in:
  • Disclosure of confidential information to an unauthorized person.
  • The integrity of the system or data being compromised.
  • Embarrassment to the organization.
  • Financial loss.
  • Disruption to information processing systems.

Page 32

Examples of Incidents

• Computer Virus Infection: All virus infections detected, whether automatically removed or not, should be reported.

• Computer Files Missing: Unexplained deletion of personal or organizational files, whether deleted intentionally or unintentionally, must be reported.

• Unexplained Changes to System Data / Configuration: Any unexplained change to system configurations or data should be reported.

Page 33

More Examples of Incidents

• Password Compromised: If you witness password theft or compromise you should report it, even if you were the person at fault.

• Account Access Disabled: You should always report account access that has changed. Many systems disable accounts when the wrong password is entered three times.

• Hacking Attempt: If your account was disabled because someone else was attempting to access it, then a security incident has occurred.

Page 34

More Examples of Incidents

• Theft / Loss of IT Equipment: If you discover missing equipment or experience the loss or theft of equipment, you must follow the organization's guidelines for reporting such incidents.

• Unauthorized Physical Access: You should challenge and report any persons in areas without proper credentials.

Page 35

Exercise 2.1

• Installing and Managing Microsoft Windows Update.

Page 36

Exercise 2.2

• Install and use the password generator to generate a dozen passwords for the users in your department.

Page 37

Exercise 2.3

• Changing File Associations and Disabling WSH

Page 38

Exercise 2.4

• Turn on Macro Protection for the following applications:
  • Word
  • Excel
  • PowerPoint
  • Access