November 14th, 2001, 03:44 PM
I think this will be helpful to some of you, check it out.
by Anton Chuvakin, Ph.D. and Ken Dunham, A-Z Computer Consulting
last updated November 5, 2001
As the complexity of information systems increases, security decreases. For example, Microsoft Word macro viruses and e-mail script viruses play upon the "ease of use" features embedded within Microsoft products. Such software is very complex, prone to containing multiple bugs and security vulnerabilities. Unfortunately, current trends indicate that software will become increasingly complex and less secure (even though measures are being taken to make them more secure). As the number of users on home and business networks naturally increases, the importance of user education rises accordingly. Security checklists offer a framework of secure behavior that can and should be implemented by all users, regardless of their level of expertise, the sophistication of application being used of the context in which it is being used.
This article will offer readers a simple basic security checklist that will enable users and managers to increase the security level in their organization without any additional financial investment. It is axiomatic in computer security that the weakest link in the security chain is user error. Since the measures listed below are aimed at promoting secure user behavior, they are extremely effective in lowering the risk of a security breach. Readers should keep in mind that regardless of how well written a security checklist is, such a document will be effective on one condition: that the people who are targeted by the checklist actually read, understand and follow the suggestions given.
Why Use a Security Checklist?
So, what can be done to motivate people to follow an information security checklist? User education is the key. In organizations, management can institute enterprise-wide security awareness-training programs, making the checklist mandatory reading. Making the users accountable for risky practices is an important element of any security program. Therefore, employees should not only read the security checklist, they should be asked to sign off on it prior to using the organization's systems.
If you are a manager reading this checklist, ensuring that employees Follow the guidelines will save money for your company in a variety of ways:
Lowers the risk of virus/malware infection, saving money in productivity and virus/malware mitigation time.
Establishing and enforcing a sound e-mail usage policy may save your company the expense and hassle of litigation. It may also save the organization from damaging negative publicity that can result from a security incident.
Protecting client machines with personal firewalls can prevent confidential information from being seen by outsiders.
Critical business operations will not be interrupted as often, if at all (dependent upon many factors), when employees practice safe computing within a security oriented organization.
The security checklist should be available for all system users. As such, copies should be made available either on network shares or in hard copy at each workstation. By the same token, home users should always keep a security checklist by the workstation. Parents should take the time to go through the list carefully and patiently with children to ensure that all users understand the importance of implementing secure computing practices.
Malware - Viruses, Worms and Trojans
Malware can cause loss of productivity, corruption of files, network slowdown or Denial of Service, e-mail delays and loss, confidential file disclosure, extensive and expensive mitigation procedures (such as malware backed up in corporate archives). Furthermore, inadvertently passing malware on to other users or organizations, can be a cause of tremendous embarrassment and loss of credibility. To lower the risk of contracting a virus, worm or Trojan, users should follow these steps: a. Purchase a leading anti-virus software package, one that will scan incoming mail messages and files on-access automatically.
b. Update anti-virus software definitions weekly, if not more often (ideally, the AV software should update the virus definitions automatically.) Updates are available at the vendor's Web site and are very simple to perform.
c. Use the anti-virus software to run full disk scans (i.e. scan the entire computer) monthly, if not more often. Full disk scans should also be scheduled to run automatically.
d. Learn how to identify virus hoaxes from real threats. Over-reaction to hoaxes can cause unnecessary panic and overload network bandwidth. To determine whether or not a virus warning is legitimate, visit one of the following sites: F-Secure, McAfee's Virus Information Library, Trend, or Vmyths.
e. Install a firewall, such as ZoneAlarm, which is free to home users, to protect against Trojans and other unauthorized access to a machine.
f. Scan all floppies, CDs, or other external media that have been used on external systems or that you receive from others (including friends and family.)
E-mail can serve as a medium for e-mail viruses and other malware attacks. Unsolicited e-mails can lower productivity. Furthermore, unencrypted e-mail may lead to information leaks that can disclose proprietary information or lead to litigation and negative publicity. To lower the risks inherent in e-mail:
a. Do not open attachments unless absolutely necessary, especially if they are sent by someone unknown to the recipient.
b. Do not open EXE, BAT, VBS, and SCR type attachments ever, since they are common vectors for virus/malware infections. Consider installing updated packages or the Microsoft Office 2000 E-mail Security Update, to block such attachments.
c. Always scan attachments manually with antivirus software before opening them, if they must be opened.
d. Open up scanned attachments, such as a DOC files, from within the program rather than simply double-clicking on an attachment. If a document is in question, such as a DOC file, it can be opened up in a program like WordPad to view the text contents without the risk of a macro virus infection.
e. If you are using Outlook or Outlook Express e-mail software configure e-mail messages as "Restricted Zone" (go to Tools/Options /Security, then choose Zone in the window below.)
f. Consider using a plain text (non-HTML) e-mail reader such as Eudora or The Bat!
g. If possible, set your e-mail client to send messages in plain text (for Outlook go to Tools/Options/Mail Format, and then choose Plain text from the windows below). HTML mail is a potential risk and allows for snooping and malicious code infection
Web-Based E-Mail Services
Web-based e-mail services, such as Yahoo! and Hotmail, present an additional risks to users. These risks may include increased spam, privacy violations, and unauthorized information disclosure. Further, in the workplace they may lead to the loss of productivity due to personal e-mail. Finally, because they present a more open forum of e-mail exchange, they add to the risk of virus or malware infiltration. To lower these risks:
a. Do not use Web-based e-mail systems for the communication of any sensitive information.
b. However boring it might be, you should review the licensing agreement with the service before you click "I Agree". Some free e-mail services actually own the content of your messages sent through their web service.
c. Follow the same attachment policy as with company and personal e-mails.
Web browsing might subject the user to privacy violations, theft of data and passwords, virus deployment. To lower these risks:
a. It is strongly suggested to disable dangerous web features, such as ActiveX. ActiveX applets (or "controls" as they are called) are downloadable programs that are run by your system. Unlike the normal EXE files, ActiveX can be run transparently in your Internet Explorer to perform any action such as erasing files or stealing your passwords. For more information on ActiveX dangers see http://www.digicrime.com/activex/.
Network connection is the basis of the Internet. It is virtually impossible to derive the full benefits of computing without connecting to a network. Unfortunately, connection to a network also means that the network, and all the threats that exist upon it, are also connected to your computer. This can create vulnerability to hacker attacks, unauthorized access, information theft, malicious program attacks, and legal liability. To lower the risk of network connections:
a. Turn off Windows file sharing: on Windows 98 go to Start/Settings/ Control Panel, find File and Printer Sharing and click the remove button below). If sharing must be enabled, make sure it is password protected, only sharing necessary directories.
b. Install a personal firewall such as ZoneAlarm, to protect your computer from intrusion attempts and Trojans.
c. Avoid the use of insecure network applications such as ICQ, AIM or IRC for discussing private information. The content of such communication can be seen by third parties, used for attacking your system and deploying viruses.
d. Consider using more secure operating systems such as Windows NT, 2000, or the new Windows XP due out this fall
Other Dangerous Software
Other dangerous software can increase the risk of successful malware and other malicious attacks. To lower the risk:
a. Remove Windows Scripting Host (WSH), as described on Symantec, Datafellows, and Sophos web sites.) WSH was used by such viruses as ILOVEYOU to spread via email. While removing WSH will not stop all e-mail viruses, it can prevent some of their damaging actions.
b. Remove dial-up server. If you machine has a modem connected to a phone line and Windows dial-up server is installed, anybody can connect to your system. Remove the server if you are not using it. Windows dial-up server is not a full-strength enterprise remote access solution, thus securing to a reasonable level is hard. To remove the software go to Control Panel and then go to Add/Remove Software, then find a DialUp server and click "Remove"
General Security for Home Users
General security tips for home users are provided below:
a. Stay informed of relevant information security development by visiting Internet security news sites, such as SecurityFocus.
b. Perform system manufacturer security patch updates on a regular basis.
c. Use a lower risk format to exchange documents, such as RTF or text files, which are not vulnerable to the transmission of viruses and other malware.
d. Backup your files regularly on ZIP disk or CD-ROM. This measure ensures that vital information will not be lost in the case of viruses and general hardware failures.
e. Create an emergency boot disk for your computer and keep it in a safe place (to do that go to Start/Settings/Control Panel/Add/Remove Programs, then click on Startup Disk and insert a new diskette into a drive.)
f. Ensure that effective passwords are used. Use a long, easily remembered password: one method is to use passwords made up of the first letters of a phrase that is meaningful to you. Passwords should consist of 6 - 9 characters and should include upper and lower case letters as well as numbers and other symbols. Passwords should also be changed on a regular basis.
g. If you are using Windows NT/2000 do not use administrator account for routine activities.
Information security is not possible without the user cooperation. You can have the best technology in the world protecting end-users in every way and still suffer a security breach! Whatever argument you used to convince yourself to follow this checklist, recognize the value in actively supporting IT/IS security and end-user practices BEFORE a security breach occurs