Tuesday, November 30, 2010

Risks of File-Sharing Technology

What is file sharing?

File sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy.

What risks does file-sharing technology introduce?

  • Installation of malicious code - When you use P2P applications, it is difficult, if not impossible, to verify that the source of the files is trustworthy. These applications are often used by attackers to transmit malicious code. Attackers may incorporate spyware, viruses, Trojan horses, or worms into the files. When you download the files, your computer becomes infected.
  • Exposure of sensitive or personal information - By using P2P applications, you may be giving other users access to personal information. Whether it's because certain directories are accessible or because you provide personal information to what you believe to be a trusted person or organization, unauthorized people may be able to access your financial or medical data, personal documents, sensitive corporate information, or other personal information. Once information has been exposed to unauthorized people, it's difficult to know how many people have accessed it. The availability of this information may increase your risk of identity theft.
  • Susceptibility to attack - Some P2P applications may ask you to open certain ports on your firewall to transmit the files. However, opening some of these ports may give attackers access to your computer or enable them to attack your computer by taking advantage of any vulnerabilities that may exist in the P2P application. There are some P2P applications that can modify and penetrate firewalls themselves, without your knowledge.
  • Denial of service - Downloading files causes a significant amount of traffic over the network. This activity may reduce the availability of certain programs on your computer or may limit your access to the internet.
  • Prosecution - Files shared through P2P applications may include pirated software, copyrighted material, or pornography. If you download these, even unknowingly, you may be faced with fines or other legal action. If your computer is on a company network and exposes customer information, both you and your company may be liable.

How can you minimize these risks?

The best way to eliminate these risks is to avoid using P2P applications. However, if you choose to use this technology, you can follow some good security practices to minimize your risk:
  • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current.
  • Install or enable a firewall - Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer. Some operating systems actually include a firewall, but you need to make sure it is enabled.

Understanding Voice over Internet Protocol (VoIP)

What is voice over internet protocol (VoIP)?

Voice over internet protocol (VoIP), also known as IP telephony, allows you to use your internet connection to make telephone calls. Instead of relying on an analog line like traditional telephones, VoIP uses digital technology and requires a high-speed broadband connection such as DSL or cable. There are a variety of providers who offer VoIP, and they offer different services. The most common application of VoIP for personal or home use is internet-based phone services that rely on a telephone switch. With this application, you will still have a phone number, will still dial phone numbers, and will usually have an adapter that allows you to use a regular telephone. The person you are calling will not likely notice a difference from a traditional phone call. Some service providers also offer the ability to use your VoIP adapter any place you have a high-speed internet connection, allowing you to take it with you when you travel.

What are the security implications of VoIP?

Because VoIP relies on your internet connection, it may be vulnerable to many of the same problems that face your computer and even some that are specific to VoIP technology. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, taking control of your phone, making fraudulent calls from your account, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash. Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, may affect your VoIP service.
There are also problems inherent in routing your telephone over your broadband connection. Unlike traditional telephone lines, which operate despite an electrical outage, your VoIP service may be unavailable if you lose power.

How can you protect yourself?

  • Keep software up to date - If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities.
  • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current.
  • Take advantage of security options - Some service providers may offer encryption as one of their services. If you are concerned about privacy and confidentiality, you may want to consider this and other available options.
  • Install or enable a firewall - Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer. Some operating systems actually include a firewall, but you need to make sure it is enabled.
  • Evaluate your security settings - Both your computer and your VoIP equipment/software offer a variety of features that you can tailor to meet your needs and requirements. However, enabling certain features may leave you more vulnerable to being attacked, so disable any unnecessary features. Examine your settings, particularly the security settings, and select options that meet your needs without putting you at increased risk.

Understanding Patches

What are patches?

Similar to the way fabric patches are used to repair holes in clothing, software patches repair holes in software programs. Patches are updates that fix a particular problem or vulnerability within a program. Sometimes, instead of just releasing a patch, vendors will release an upgraded version of their software, although they may refer to the upgrade as a patch.

How do you find out what patches you need to install?

When patches are available, vendors usually put them on their websites for users to download. It is important to install a patch as soon as possible to protect your computer from attackers who would take advantage of the vulnerability. Attackers may target vulnerabilities for months or even years after patches are available. Some software will automatically check for updates, and many vendors offer users the option to receive automatic notification of updates through a mailing list. If these automatic options are available, we recommend that you take advantage of them. If they are not available, check your vendors' websites periodically for updates.
Make sure that you only download software or patches from websites that you trust. Do not trust a link in an email message—attackers have used email messages to direct users to malicious websites where users install viruses disguised as patches. Also, beware of email messages that claim that they have attached the patch to the message—these attachments are often viruses.

Avoiding Copyright Infringement

How does copyright infringement apply to the internet?

Copyright infringement occurs when you use or distribute information without permission from the person or organization that owns the legal rights to the information. Including an image or cartoon on your website or in a document, illegally downloading music, and pirating software are all common copyright violations. While these activities may seem harmless, they could have serious legal and security implications.

How do you know if you have permission to use something?

If you find something on a website that you would like to use (e.g., a document, a chart, an application), search for information about permissions to use, download, redistribute, or reproduce. Most websites have a "terms of use" page that explains how you are allowed to use information from the site. You can often find a link to this page in the site's contact information or privacy policy, or at the bottom of the page that contains the information you are interested in using.
There may be restrictions based on the purpose, method, and audience. You may also have to adhere to specific conditions about how much information you are allowed to use or how the information is presented and attributed. If you can't locate the terms of use, or if it seems unclear, contact the individual or organization that holds the copyright to ask permission.

What consequences could you face?

  • Prosecution - When you illegally download, reproduce, or distribute information, you risk legal action. Penalties may range from warnings and mandatory removal of all references to costly fines. Depending on the severity of the crime, jail time may also be a possibility. To offset their own court costs and the money they feel they lose because of pirated software, vendors may increase the prices of their products.
  • Infection - Attackers could take advantage of sites or networks that offer unauthorized downloads (music, movies, software, etc.) by including code into the files that would infect your computer once it was installed. Because you wouldn't know the source or identity of the infection (or maybe that it was even there), you might not be able to easily identify or remove it. Pirated software with hidden Trojan horses is often advertised as discounted software in spam email messages.

Understanding Bluetooth Technology

What is Bluetooth?

Bluetooth is a technology that allows devices to communicate with each other without cables or wires. It is an electronics "standard," which means that manufacturers that want to include this feature have to incorporate specific requirements into their electronic devices. These specifications ensure that the devices can recognize and interact with other devices that use the Bluetooth technology.
Many popular manufacturers are making devices that use Bluetooth technology. These devices include mobile phones, computers, and personal digital assistants (PDAs). The Bluetooth technology relies on short-range radio frequency, and any device that incorporates the technology can communicate as long as it is within the required distance. The technology is often used to allow two different types of devices to communicate with each other. For example, you may be able to operate your computer with a wireless keyboard, use a wireless headset to talk on your mobile phone, or add an appointment to your friend's PDA calendar from your own PDA.

What are some security concerns?

Depending upon how it is configured, Bluetooth technology can be fairly secure. You can take advantage of its use of key authentication and encryption. Unfortunately, many Bluetooth devices rely on short numeric PINs instead of more secure passwords or pass phrases.
If someone can "discover" your Bluetooth device, he or she may be able to send you unsolicited messages or abuse your Bluetooth service, which could cause you to be charged extra fees. Worse, an attacker may be able to find a way to access or corrupt your data. One example of this type of activity is "bluesnarfing," which refers to attackers using a Bluetooth connection to steal information off of your Bluetooth device. Also, viruses or other malicious code can take advantage of Bluetooth technology to infect other devices. If you are infected, your data may be corrupted, compromised, stolen, or lost. You should also be aware of attempts to convince you to send information to someone you do not trust over a Bluetooth connection.

How can you protect yourself?

  • Disable Bluetooth when you are not using it - Unless you are actively transferring information from one device to another, disable the technology to prevent unauthorized people from accessing it.
  • Use Bluetooth in "hidden" mode - When you do have Bluetooth enabled, make sure it is "hidden," not "discoverable." The hidden mode prevents other Bluetooth devices from recognizing your device. This does not prevent you from using your Bluetooth devices together. You can "pair" devices so that they can find each other even if they are in hidden mode. Although the devices (for example, a mobile phone and a headset) will need to be in discoverable mode to initially locate each other, once they are "paired" they will always recognize each other without needing to rediscover the connection.
  • Be careful where you use Bluetooth - Be aware of your environment when pairing devices or operating in discoverable mode. For example, if you are in a public wireless "hotspot," there is a greater risk that someone else may be able to intercept the connection than if you are in your home or your car.
  • Evaluate your security settings - Most devices offer a variety of features that you can tailor to meet your needs and requirements. However, enabling certain features may leave you more vulnerable to being attacked, so disable any unnecessary features or Bluetooth connections. Examine your settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. Make sure that all of your Bluetooth connections are configured to require a secure connection.
  • Take advantage of security options - Learn what security options your Bluetooth device offers, and take advantage of features like authentication and encryption.

Understanding Internationalized Domain Names

What are internationalized domain names?

To decrease the amount of confusion surrounding different languages, there is a standard for domain names within web browsers. Domain names are included in the URL (or web address) of a web site. This standard is based on the Roman alphabet (which is used by the English language), and computers convert the various letters into numerical equivalents. This code is known as ASCII (American Standard Code for Information Interchange). However, other languages include characters that do not translate into this code, which is why internationalized domain names were introduced.
To compensate for languages that incorporate special characters (such as Spanish, French or German) or rely completely on character representation (such as Asian or Arabic languages), a new system had to be developed. In this new system, the base URL (which is usually the address for the home page) is dissected and converted into a format that is compatible with ASCII. The resulting URL (which contains the string "xn--" as well as a combination of letters and numbers) will appear in your browser's status bar. In newer versions of many browsers, it will also appear in the address bar.

What are some security concerns?

Attackers may be able to take advantage of internationalized domain names to initiate phishing attacks. Because there are certain characters that may appear to be the same but have different ASCII codes (for example, the Cyrillic "a" and the Latin "a"), an attacker may be able to "spoof" a web page URL. Instead of going to a legitimate site, you may be directed to a malicious site, which could look identical to the real one. If you submit personal or financial information while on the malicious site, the attacker could collect that information and then use and/or sell it.

How can you protect yourself?

  • Type a URL instead of following a link - Typing a URL into a browser rather than clicking a link within a web page or email message will minimize your risk. By doing this, you are more likely to visit the legitimate site rather than a malicious site that substitutes similar-looking characters.
  • Keep your browser up to date - Older versions of browsers made it easier for attackers to spoof URLs, but most newer browsers incorporate certain protections. Instead of displaying the URL that you "think" you are visiting, most browsers now display the converted URL with the "xn--" string.
  • Check your browser's status bar - If you move your mouse over a link on a web page, the status bar of your browser will usually display the URL that the link references. If you see a URL that has an unexpected domain name (such as one with the "xn--" string mentioned above), you have likely encountered an internationalized domain name. If you were not expecting an internationalized domain name or know that the legitimate site should not need one, you may want to reconsider visiting the site. Browsers such as Mozilla and Firefox include an option in their security settings about whether to allow the status bar text to be modified. To prevent attackers from taking advantage of JavaScript to make it appear that you are on a legitimate site, you may want to make sure this option is not enabled.
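The "xn--" conversion and the look-alike problem described above can be reproduced directly. This is an added example, not part of the original tip; the function names, the small Cyrillic-to-Latin table and the sample host names are constructed for illustration, and the code skips the normalization step that full IDNA processing performs.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render like
# Latin ones. A production checker would use the full Unicode confusables data.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0441": "c", "\u0445": "x"}


def to_unicode(label):
    """Decode an 'xn--' label to the characters a user would see."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ascii(label):
    """Encode a label to the ASCII-compatible 'xn--' form used on the wire."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts(label):
    """Return the scripts (LATIN, CYRILLIC, ...) used by the label's letters."""
    found = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue  # digits and hyphens belong to no particular script
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(text):
    """Replace known look-alike letters with the Latin letter they resemble."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in text)


def inspect_host(host, expected=None):
    """Report both forms of a host name and why it may deserve a second look.

    'expected' is the name the user believes they are visiting (optional).
    """
    shown, wire, undecodable = [], [], False
    for label in host.lower().rstrip(".").split("."):
        try:
            uni = to_unicode(label)
            asc = to_ascii(uni)
        except UnicodeError:
            # Malformed 'xn--' label: keep it as-is and flag it.
            uni, asc, undecodable = label, label, True
        shown.append(uni)
        wire.append(asc)

    findings = []
    if undecodable:
        findings.append("undecodable xn-- label")
    if any(not label.isascii() for label in shown):
        findings.append("internationalized")
    if any(len(scripts(label)) > 1 for label in shown):
        findings.append("mixed scripts")
    display = ".".join(shown)
    if expected and display != expected and skeleton(display) == expected:
        findings.append("lookalike of " + expected)
    return {"unicode": display, "ascii": ".".join(wire), "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a legitimate German IDN in both forms, and a name
    # that swaps the Latin "a" for the Cyrillic "a" (U+0430).
    for name in ("b\u00fccher.de", "xn--bcher-kva.de", "ex\u0430mple.com"):
        print(inspect_host(name, expected="example.com"))
```

A legitimate internationalized name is reported only as "internationalized"; the mixed-script and look-alike findings are the ones that match the spoofing scenario in the text.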

Understanding Web Site Certificates

What are web site certificates?

If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. There are two elements that indicate that a site uses encryption (see Protecting Your Privacy for more information):
  • a closed padlock, which, depending on your browser, may be located in the status bar at the bottom of your browser window or at the top of the browser window between the address and search fields
  • a URL that begins with "https:" rather than "http:"
By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything.
If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics:
  1. the web site address matches the address on the certificate
  2. the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority
If the browser senses a problem, it may present you with a dialog box that claims that there is an error with the site certificate. This may happen if the name the certificate is registered to does not match the site name, if you have chosen not to trust the company who issued the certificate, or if the certificate has expired. You will usually be presented with the option to examine the certificate, after which you can accept the certificate forever, accept it only for that particular visit, or choose not to accept it. The confusion is sometimes easy to resolve (perhaps the certificate was issued to a particular department within the organization rather than the name on file). If you are unsure whether the certificate is valid or question the security of the site, do not submit personal information. Even if the information is encrypted, make sure to read the organization's privacy policy first so that you know what is being done with that information.

Can you trust a certificate?

The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate's unique fingerprint by calling the organization directly, there is no way to be absolutely sure.
When you trust a certificate, you are essentially trusting the certificate authority to verify the organization's identity for you. However, it is important to realize that certificate authorities vary in how strict they are about validating all of the information in the requests and about making sure that their data is secure. By default, your browser contains a list of more than 100 trusted certificate authorities. That means that, by extension, you are trusting all of those certificate authorities to properly verify and validate the information. Before submitting any personal information, you may want to look at the certificate.

How do you check a certificate?

There are two ways to verify a web site's certificate in Internet Explorer or Firefox. One option is to click on the padlock icon. However, your browser settings may not be configured to display the status bar that contains the icon. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following:
  • who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
  • who the certificate is issued to - The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
  • expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.
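The checks described above (name match, validity dates, unusually long lifetime, who issued the certificate) can be expressed against the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. This is an added example, not part of the original tip; the sample certificate, the helper names and the two-year threshold constant are constructed, and verifying the issuer's signature chain is left to the TLS library.

```python
import ssl

TWO_YEARS = 2 * 366 * 24 * 3600  # upper bound for a "one or two year" lifetime

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.shop.example.com")),
    "notBefore": "Jun  1 00:00:00 2010 GMT",
    "notAfter": "Jun  1 00:00:00 2011 GMT",
}
# Constructed "current time" for the demonstration, in seconds since the epoch.
NOW_2010 = ssl.cert_time_to_seconds("Nov 30 00:00:00 2010 GMT")


def field(cert, section, key):
    """Collect the values of one attribute from 'subject' or 'issuer'."""
    return [v for rdn in cert.get(section, ()) for k, v in rdn if k == key]


def issuer_org(cert):
    """Name of the organization that issued the certificate, if present."""
    orgs = field(cert, "issuer", "organizationName")
    return orgs[0] if orgs else None


def names_on_cert(cert):
    """DNS names the certificate covers; fall back to commonName if no SANs."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or field(cert, "subject", "commonName")


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def check_certificate(cert, host, now):
    """Return the list of problems a browser dialog would warn about."""
    problems = []
    if not any(name_matches(name, host) for name in names_on_cert(cert)):
        problems.append("name mismatch")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    if not_after - not_before > TWO_YEARS:
        problems.append("validity longer than two years")
    return problems


if __name__ == "__main__":
    for host in ("www.example.com", "cart.shop.example.com", "www.example.org"):
        print(host, issuer_org(SAMPLE_CERT),
              check_certificate(SAMPLE_CERT, host, NOW_2010))
```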

Browsing Safely: Understanding Active Content and Cookies

What is active content?

To increase functionality or add design embellishments, web sites often rely on scripts that execute programs within the web browser. This active content can be used to create "splash pages" or options like drop-down menus. Unfortunately, these scripts are often a way for attackers to download or execute malicious code on a user's computer.
  • JavaScript - JavaScript is just one of many web scripts (other examples are VBScript, ECMAScript, and JScript) and is probably the most recognized. Used on almost every web site now, JavaScript and other scripts are popular because users expect the functionality and "look" that it provides, and it's easy to incorporate (many common software programs for building web sites have the capability to add JavaScript features with little effort or knowledge required of the user). However, because of these reasons, attackers can manipulate it to their own purposes. A popular type of attack that relies on JavaScript involves redirecting users from a legitimate web site to a malicious one that may download viruses or collect personal information.
  • Java and ActiveX controls - Different from JavaScript, Java and ActiveX controls are actual programs that reside on your computer or can be downloaded over the network into your browser. If executed by attackers, untrustworthy ActiveX controls may be able to do anything on your computer that you can do (such as running spyware and collecting personal information, connecting to other computers, and potentially doing other damage). Java applets usually run in a more restricted environment, but if that environment isn't secure, then malicious Java applets may create opportunities for attack as well.
JavaScript and other forms of active content are not always dangerous, but they are common tools for attackers. You can prevent active content from running in most browsers, but realize that the added security may limit functionality and break features of some sites you visit. Before clicking on a link to a web site that you are not familiar with or do not trust, take the precaution of disabling active content.
These same risks may also apply to the email program you use. Many email clients use the same programs as web browsers to display HTML, so vulnerabilities that affect active content like JavaScript and ActiveX often apply to email. Viewing messages as plain text may resolve this problem.

What are cookies?

When you browse the Internet, information about your computer may be collected and stored. This information might be general information about your computer (such as IP address, the domain you used to connect (e.g., .edu, .com, .net), and the type of browser you used). It might also be more specific information about your browsing habits (such as the last time you visited a particular web site or your personal preferences for viewing that site).
Cookies can be saved for varying lengths of time:
  • Session cookies - Session cookies store information only as long as you're using the browser; once you close the browser, the information is erased. The primary purpose of session cookies is to help with navigation, such as by indicating whether or not you've already visited a particular page and retaining information about your preferences once you've visited a page.
  • Persistent cookies - Persistent cookies are stored on your computer so that your personal preferences can be retained. In most browsers, you can adjust the length of time that persistent cookies are stored. It is because of these cookies that your email address appears by default when you open your Yahoo! or Hotmail email account, or your personalized home page appears when you visit your favorite online merchant. If an attacker gains access to your computer, he or she may be able to gather personal information about you through these files.
To increase your level of security, consider adjusting your privacy and security settings to block or limit cookies in your web browser. To make sure that other sites are not collecting personal information about you without your knowledge, choose to only allow cookies for the web site you are visiting; block or limit third-party cookies. If you are using a public computer, you should make sure that cookies are disabled to prevent other people from accessing or using your personal information.

Shopping Safely Online

Why do online shoppers have to take special precautions?

The Internet offers a convenience that is not available from any other shopping outlet. From the comfort of your home, you can search for items from countless vendors, compare prices with a few simple mouse clicks, and make purchases without waiting in line. However, the Internet is also convenient for attackers, giving them multiple ways to access the personal and financial information of unsuspecting shoppers. Attackers who are able to obtain this information may use it for their own financial gain, either by making purchases themselves or by selling the information to someone else.

How do attackers target online shoppers?

There are three common ways that attackers can take advantage of online shoppers:
  • Targeting vulnerable computers - If you do not take steps to protect your computer from viruses or other malicious code, an attacker may be able to gain access to your computer and all of the information on it. It is also important for vendors to protect their computers to prevent attackers from accessing customer databases.
  • Creating fraudulent sites and email messages - Unlike traditional shopping, where you know that a store is actually the store it claims to be, attackers can create malicious web sites that mimic legitimate ones or create email messages that appear to have been sent from a legitimate source. Charities may also be misrepresented in this way, especially after natural disasters or during holiday seasons. Attackers create these malicious sites and email messages to try to convince you to supply personal and financial information.
  • Intercepting insecure transactions - If a vendor does not use encryption, an attacker may be able to intercept your information as it is being transmitted.

How can you protect yourself?

  • Use and maintain anti-virus software, a firewall, and anti-spyware software - Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall. Make sure to keep your virus definitions up to date. Spyware or adware hidden in software programs may also give attackers access to your data, so use a legitimate anti-spyware program to scan your computer and remove any of these files.
  • Keep software, particularly your web browser, up to date - Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
  • Evaluate your software's settings - The default settings of most software enable all available functionality. However, attackers may be able to take advantage of this functionality to access your computer. It is especially important to check the settings for software that connects to the Internet (browsers, email clients, etc.). Apply the highest level of security available that still gives you the functionality you need.
  • Do business with reputable vendors - Before providing any personal or financial information, make sure that you are interacting with a reputable, established vendor. Some attackers may try to trick you by creating malicious web sites that appear to be legitimate, so you should verify the legitimacy before supplying any information. Locate and note phone numbers and physical addresses of vendors in case there is a problem with your transaction or your bill.
  • Take advantage of security features - Passwords and other security features add layers of protection if used appropriately.
  • Be wary of emails requesting information - Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information. Legitimate businesses will not solicit this type of information through email.
  • Check privacy policies - Before providing personal or financial information, check the web site's privacy policy. Make sure you understand how your information will be stored and used.
  • Make sure your information is being encrypted - Many sites use SSL, or secure sockets layer, to encrypt information. Indications that your information will be encrypted include a URL that begins with "https:" instead of "http:" and a padlock icon. If the padlock is closed, the information is encrypted. The location of the icon varies by browser; for example, it may be to the right of the address bar or at the bottom of the window. Some attackers try to trick users by adding a fake padlock icon, so make sure that the icon is in the appropriate location for your browser.
  • Use a credit card - There are laws to limit your liability for fraudulent credit card charges, and you may not have the same level of protection for your debit card. Additionally, because a debit card draws money directly from your bank account, unauthorized charges could leave you with insufficient funds to pay other bills. You can further minimize damage by using a single credit card with a low credit line for all of your online purchases.
  • Check your statements - Keep a record of your purchases and copies of confirmation pages, and compare them to your bank statements. If there is a discrepancy, report it immediately.

Evaluating Your Web Browser's Security Settings

Why are security settings for web browsers important?

Your web browser is your primary connection to the rest of the internet, and multiple applications may rely on your browser, or elements within your browser, to function. This makes the security settings within your browser even more important. Many web applications try to enhance your browsing experience by enabling different types of functionality, but this functionality might be unnecessary and may leave you susceptible to being attacked. The safest policy is to disable the majority of those features unless you decide they are necessary. If you determine that a site is trustworthy, you can choose to enable the functionality temporarily and then disable it once you are finished visiting the site.

Where can you find the settings?

Each web browser is different, so you may have to look around. For example, in Internet Explorer, you can find them by clicking Tools on your menu bar, selecting Internet Options..., choosing the Security tab, and clicking the Custom Level... button. However, in Firefox, you click Tools on the menu bar and select Options.... Click the Content, Privacy, and Security tabs to explore the basic security options. Browsers have different security options and configurations, so familiarize yourself with the menu options, check the help feature, or refer to the vendor's web site.
While every application has settings that are selected by default, you may discover that your browser also has predefined security levels that you can select. For example, Internet Explorer offers custom settings that allow you to select a particular level of security; features are enabled or disabled based on your selection. Even with these guides, it is helpful to have an understanding of what the different terms mean so that you can evaluate the features to determine which settings are appropriate for you.

How do you know what your settings should be?

Ideally, you would set your security for the highest level possible. However, restricting certain features may limit some web pages from loading or functioning properly. The best approach is to adopt the highest level of security and only enable features when you require their functionality.

What do the different terms mean?

Different browsers use different terms, but here are some terms and options you may find:
  • Zones - Your browser may give you the option of putting web sites into different segments, or zones, and allow you to define different security restrictions for each zone. For example, Internet Explorer identifies the following zones:
    • Internet - This is the general zone for all public web sites. When you browse the internet, the settings for this zone are automatically applied to the sites you visit. To give you the best protection as you browse, you should set the security to the highest level; at the very least, you should maintain a medium level.
    • Local intranet - If you are in an office setting that has its own intranet, this zone contains those internal pages. Because the web content is maintained on an internal web server, it is usually safe to have less restrictive settings for these pages. However, some viruses have tapped into this zone, so be aware of what sites are listed and what privileges they are being given.
    • Trusted sites - If you believe that certain sites are designed with security in mind, and you feel that content from the site can be trusted not to contain malicious materials, you can add them to your trusted sites and apply settings accordingly. You may also require that only sites that implement Secure Sockets Layer (SSL) can be active in this zone. This permits you to verify that the site you are visiting is the site that it claims to be. This is an optional zone but may be useful if you personally maintain multiple web sites or if your organization has multiple sites. Even if you trust them, avoid applying low security levels to external sites—if they are attacked, you might also become a victim.
    • Restricted sites - If there are particular sites you think might not be safe, you can identify them and define heightened security settings. Because the security settings may not be enough to protect you, the best precaution is to avoid navigating to any sites that make you question whether or not they're safe.
  • JavaScript - Some web sites rely on web scripts such as JavaScript to achieve a certain appearance or functionality, but these scripts may be used in attacks.
  • Java and ActiveX controls - These programs are used to develop or execute active content that provides some functionality, but they may put you at risk.
  • Plug-ins - Sometimes browsers require the installation of additional software known as plug-ins to provide additional functionality. Like Java and ActiveX controls, plug-ins may be used in an attack, so before installing them, make sure that they are necessary and that the site you have to download them from is trustworthy.
You may also find options that allow you to take the following security measures:
  • Manage cookies - You can disable, restrict, or allow cookies as appropriate. Generally, it is best to disable cookies and then enable them if you visit a site you trust that requires them.
  • Block pop-up windows - Although turning this feature on could restrict the functionality of certain web sites, it will also minimize the number of pop-up ads you receive, some of which may be malicious.

Understanding Your Computer: Web Browsers

How do web browsers work?

A web browser is an application that finds and displays web pages. It coordinates communication between your computer and the web server where a particular website "lives."
When you open your browser and type in a web address (URL) for a website, the browser submits a request to the server, or servers, that provide the content for that page. The browser then processes the code from the server (written in a language such as HTML, JavaScript, or XML) and loads any other elements (such as Flash, Java, or ActiveX) that are necessary to generate content for the page. After the browser has gathered and processed all of the components, it displays the complete, formatted web page. Every time you perform an action on the page, such as clicking buttons and following links, the browser continues the process of requesting, processing, and presenting content.

How many browsers are there?

There are many different browsers. Most users are familiar with graphical browsers, which display both text and graphics and may also display multimedia elements such as sound or video clips. However, there are also text-based browsers. The following are some well-known browsers:
  • Internet Explorer
  • Firefox
  • AOL
  • Opera
  • Safari - a browser specifically designed for Macintosh computers
  • Lynx - a text-based browser desirable for vision-impaired users because of the availability of special devices that read the text

How do you choose a browser?

A browser is usually included with the installation of your operating system, but you are not restricted to that choice. Some of the factors to consider when deciding which browser best suits your needs include
  • compatibility - Does the browser work with your operating system?
  • security - Do you feel that your browser offers you the level of security you want?
  • ease of use - Are the menus and options easy to understand and use?
  • functionality - Does the browser interpret web content correctly? If you need to install other plug-ins or devices to translate certain types of content, do they work?
  • appeal - Do you find the interface and way the browser interprets web content visually appealing?

Can you have more than one browser installed at the same time?

If you decide to change your browser or add another one, you don't have to uninstall the browser that's currently on your computer—you can have more than one browser on your computer at once. However, you will be prompted to choose one as your default browser. Anytime you follow a link in an email message or document, or you double-click a shortcut to a web page on your desktop, the page will open using your default browser. You can manually open the page in another browser.
Most vendors give you the option to download their browsers directly from their websites. Make sure to verify the authenticity of the site before downloading any files. To further minimize risk, follow other good security practices, like using a firewall and keeping anti-virus software up to date.

Monday, October 4, 2010

Supplementing Passwords

Why aren't passwords sufficient?

Passwords are beneficial as a first layer of protection, but they are susceptible to being guessed or intercepted by attackers. You can increase the effectiveness of your passwords by using tactics such as avoiding passwords that are based on personal information or words found in the dictionary; using a combination of numbers, special characters, and lowercase and capital letters; and not sharing your passwords with anyone else. However, despite your best attempts, an attacker may be able to obtain your password. If there are no additional security measures in place, the attacker may be able to access your personal, financial, or medical information.

What additional levels of security are being used?

Many organizations are beginning to use other forms of verification in addition to passwords. The following practices are becoming more and more common:
  • two-factor authentication - With two-factor authentication, you use your password in conjunction with an additional piece of information. An attacker who has managed to obtain your password can't do anything without the second component. The theory is similar to requiring two forms of identification or two keys to open a safe deposit box. However, in this case, the second component is commonly a "one use" password that is voided as soon as you use it. Even if an attacker is able to intercept the exchange, he or she will still not be able to gain access because that specific combination will not be valid again.
  • personal web certificates - Unlike the certificates used to identify web sites, personal web certificates are used to identify individual users. A web site that uses personal web certificates relies on these certificates and the authentication process of the corresponding public/private keys to verify that you are who you claim to be. Because information identifying you is embedded within the certificate, an additional password is unnecessary. However, you should have a password to protect your private key so that attackers can't gain access to your key and represent themselves as you. This process is similar to two-factor authentication, but it differs because the password protecting your private key is used to decrypt the information on your computer and is never sent over the network.
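The "one use" password from the two-factor bullet above, as an added example that is not part of the original page. It assumes the counter-based HOTP scheme of RFC 4226, which the page does not name; `TwoFactorVerifier`, its look-ahead window and the PBKDF2 password check are illustrative choices.

```python
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-use code for a given counter value (HOTP, RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """First factor: the stored form of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class TwoFactorVerifier:
    """Accepts a login only with the password AND a code not used before."""

    def __init__(self, password_hash: bytes, salt: bytes, secret: bytes,
                 look_ahead: int = 3):
        self._password_hash = password_hash
        self._salt = salt
        self._secret = secret
        self._look_ahead = look_ahead  # tolerate a few codes generated but never sent
        self.counter = 0               # next counter value the server will accept

    def _match_counter(self, code: str):
        """Return the counter that produced `code`, or None if none in the window."""
        for candidate in range(self.counter, self.counter + self._look_ahead + 1):
            expected = hotp(self._secret, candidate)
            if hmac.compare_digest(expected.encode(), code.encode()):
                return candidate
        return None

    def login(self, password: str, code: str) -> bool:
        password_ok = hmac.compare_digest(
            hash_password(password, self._salt), self._password_hash)
        matched = self._match_counter(code)
        if not (password_ok and matched is not None):
            return False
        # Void the code just used and every earlier one: a replayed or
        # intercepted code falls outside the window and is rejected.
        self.counter = matched + 1
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed sample secret (RFC 4226 test key)
    salt = b"constructed-salt"
    server = TwoFactorVerifier(hash_password("correct horse", salt), salt, secret)
    code = hotp(secret, 0)
    print("first use :", server.login("correct horse", code))
    print("replay    :", server.login("correct horse", code))
```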

What if you lose your password or certificate?

You may find yourself in a situation where you've forgotten your password or you've reformatted your computer and lost your personal web certificate. Most organizations have specific procedures for giving you access to your information in these situations. In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on "secret questions."
When you open a new account (email, credit card, etc.), some organizations will prompt you to provide them with the answer to a question. They may ask you this question if you contact them about forgetting your password or you request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. While the theory behind the secret question has merit, the questions commonly used ask for personal information such as mother's maiden name, social security number, date of birth, or pet's name. Because so much personal information is now available online or through other public sources, attackers may be able to discover the answers to these questions without much effort.
Realize that the secret question is really just an additional password—when setting it up, you don't have to supply the actual information as your answer. In fact, when you are asked in advance to provide an answer to this type of question that will be used to confirm your identity, dishonesty may be the best policy. Choose your answer as you would choose any other good password, store it in a secure location, and don't share it with other people.
While the additional security practices do offer you more protection than a password alone, there is no guarantee that they are completely effective. Attackers may still be able to access your information, but increasing the level of security does make it more difficult. Be aware of these practices when choosing a bank, credit card company, or other organization that will have access to your personal information. Don't be afraid to ask what kind of security practices the organization uses.

Effectively Erasing Files

Where do deleted files go?

When you delete a file, depending on your operating system and your settings, it may be transferred to your trash or recycle bin. This "holding area" essentially protects you from yourself—if you accidentally delete a file, you can easily restore it. However, you may have experienced the panic that results from emptying the trash bin prematurely or having a file seem to disappear on its own. The good news is that even though it may be difficult to locate, the file is probably still somewhere on your machine. The bad news is that even though you think you've deleted a file, an attacker or other unauthorized person may be able to retrieve it.

What are the risks?

Think of the information you have saved on your computer. Is there banking or credit card account information? Tax returns? Passwords? Medical or other personal data? Personal photos? Sensitive corporate information? How much would someone be able to find out about you or your company by looking through your computer files?
Depending on what kind of information an attacker can find, he or she may be able to use it maliciously. You may become a victim of identity theft. Another possibility is that the information could be used in a social engineering attack. Attackers may use information they find about you or an organization you're affiliated with to appear to be legitimate and gain access to sensitive data.

Can you erase files by reformatting?

Reformatting your hard drive, CD, or DVD may superficially delete the files, but the information is still buried somewhere. Unless those areas of the disk are effectively overwritten with new content, it is still possible that knowledgeable attackers may be able to access the information.

How can you be sure that your information is completely erased?

Some people use extreme measures to make sure their information is destroyed, but these measures can be dangerous and may not be completely successful. Your best option is to investigate software programs and hardware devices that claim to erase your hard drive, CD, or DVD. Even so, these programs and devices have varying levels of effectiveness. When choosing a software program to perform this task, look for the following characteristics:
  • "Secure Erase" is performed - Secure Erase is a standard in modern hard drives. If you select a program that runs the Secure Erase command, it will erase data by overwriting all areas of the hard drive, even areas that are not being used.
  • data is written multiple times - It is important to make sure that not only is the information erased, but new data is written over it. By adding multiple layers of data, the program makes it difficult for an attacker to "peel away" the new layer. Three to seven passes is fairly standard and should be sufficient.
  • random data is used - Using random data instead of easily identifiable patterns makes it harder for attackers to determine the pattern and discover the original information underneath.
  • zeros are used in the final layer - Regardless of how many times the program overwrites the data, look for programs that use all zeros in the last layer. This adds an additional level of security.
While many of these programs assume that you want to erase an entire disk, there are programs that give you the option to erase and overwrite individual files.
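A single-file version of the characteristics listed above (several passes, random data, zeros in the final layer), as an added example that is not from the original page or from any particular erasing product. The function names and the default of three random passes are assumptions made for the illustration.

```python
import os
import secrets

CHUNK = 64 * 1024  # write in bounded chunks so large files do not fill memory


def _write_pass(fd: int, size: int, make_chunk) -> None:
    """Overwrite the first `size` bytes of the open file with make_chunk() data."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        data = make_chunk(min(CHUNK, remaining))
        written = 0
        while written < len(data):          # os.write may write less than asked
            written += os.write(fd, data[written:])
        remaining -= len(data)
    os.fsync(fd)                            # push this pass to the device before the next


def overwrite_file(path: str, random_passes: int = 3) -> int:
    """Overwrite a file in place and return the number of passes written.

    Passes 1..random_passes use random data; the final pass is all zeros.
    """
    if random_passes < 1:
        raise ValueError("at least one random pass is required")
    if os.path.islink(path):
        raise ValueError("refusing to follow a symbolic link")
    size = os.path.getsize(path)
    # Open without truncating: truncation would release the old blocks
    # instead of overwriting them.
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_BINARY", 0))
    try:
        for _ in range(random_passes):
            _write_pass(fd, size, secrets.token_bytes)
        _write_pass(fd, size, lambda n: b"\x00" * n)
    finally:
        os.close(fd)
    return random_passes + 1


def erase_file(path: str, random_passes: int = 3) -> int:
    """Overwrite the file, then remove its directory entry."""
    passes = overwrite_file(path, random_passes)
    os.remove(path)
    return passes


if __name__ == "__main__":
    import tempfile
    handle, sample = tempfile.mkstemp()     # constructed sample file
    os.write(handle, b"account=12345678;pin=0000" * 4000)
    os.close(handle)
    print("passes written:", erase_file(sample))
    print("still present :", os.path.exists(sample))
```

Overwriting in place only reaches the original data on media and file systems that rewrite the same blocks. On SSDs with wear levelling, on journaling or copy-on-write file systems, and wherever snapshots or backups exist, older copies can survive, which is why whole-drive Secure Erase remains the stronger option.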
An effective way to ruin a CD or DVD is to wrap it in a paper towel and shatter it. However, there are also hardware devices that erase CDs or DVDs by destroying their surface. Some of these devices actually shred the media itself, while others puncture the writable surface with a pattern of holes. Many paper shredders will also shred CDs and DVDs. If you decide to use one of these devices, compare the various features and prices to determine which option best suits your needs.

Understanding Encryption

What is encryption?

In very basic terms, encryption is a way to send a message in code. The only person who can decode the message is the person with the correct key; to anyone else, the message looks like a random series of letters, numbers, and characters.
Encryption is especially important if you are trying to send sensitive information that other people should not be able to access. Because email messages are sent over the internet and might be intercepted by an attacker, it is important to add an additional layer of security to sensitive information.

How is it different from digital signatures?

Like digital signatures, public-key encryption utilizes software such as PGP, converts information with mathematical algorithms, and relies on public and private keys, but there are differences:
  • The purpose of encryption is confidentiality—concealing the content of the message by translating it into a code. The purpose of digital signatures is integrity and authenticity—verifying the sender of a message and indicating that the content has not been changed. Although encryption and digital signatures can be used independently, you can also sign an encrypted message.
  • When you sign a message, you use your private key, and anybody who has your public key can verify that the signature is valid. When you encrypt a message, you use the public key for the person you're sending it to, and his or her private key is used to decrypt the message. Because people should keep their private keys confidential and should protect them with passwords, the intended recipient should be the only one who is able to view the information.

How does encryption work?

  1. Obtain the public key for the person you want to be able to read the information. If you get the key from a public key ring, contact the person directly to confirm that the series of letters and numbers associated with the key is the correct fingerprint.
  2. Encrypt the email message using their public key. Most email clients have a feature to easily perform this task.
  3. When the person receives the message, he or she will be able to decrypt it.
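The three steps above, together with the signing and encrypting key directions from the previous section, as an added example that is not part of the original page. It uses textbook RSA on fixed, constructed primes with no padding, only to make the key roles and the fingerprint check visible; it is not how PGP is implemented, and every function name here is hypothetical.

```python
import hashlib

E = 65537  # public exponent used for every key pair in this example


def make_keypair(p: int, q: int):
    """Return (public, private) from two primes. Constructed, illustration-only keys."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))       # private exponent (Python 3.8+)
    return (n, E), (n, d)


def fingerprint(public_key) -> str:
    """Short series of letters and numbers that identifies a public key."""
    n, e = public_key
    digest = hashlib.sha256(f"{n:x}:{e:x}".encode()).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def encrypt(message: bytes, recipient_public) -> int:
    """Confidentiality: uses the RECIPIENT's public key."""
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this small modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, recipient_private) -> bytes:
    """Only the holder of the recipient's private key recovers the message."""
    n, d = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(message: bytes, sender_private) -> int:
    """Integrity and authenticity: uses the SENDER's private key."""
    n, d = sender_private
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, signature: int, sender_public) -> bool:
    """Anybody holding the sender's public key can check the signature."""
    n, e = sender_public
    return pow(signature, e, n) == _digest_int(message, n)


def send_encrypted(message: bytes, recipient_public, confirmed_fingerprint: str) -> int:
    """Steps 1 and 2: confirm the fingerprint with the key's owner, then encrypt."""
    if fingerprint(recipient_public) != confirmed_fingerprint:
        raise ValueError("fingerprint mismatch: key was not confirmed by its owner")
    return encrypt(message, recipient_public)


if __name__ == "__main__":
    # Constructed key pairs built from known Mersenne primes (far too small for real use).
    bob_public, bob_private = make_keypair(2**107 - 1, 2**127 - 1)
    alice_public, alice_private = make_keypair(2**61 - 1, 2**89 - 1)

    message = b"wire $500 on Friday"
    spoken_fingerprint = fingerprint(bob_public)   # read out by Bob, e.g. by phone
    ciphertext = send_encrypted(message, bob_public, spoken_fingerprint)
    signature = sign(message, alice_private)

    print("Bob reads       :", decrypt(ciphertext, bob_private))
    print("signature valid :", verify(message, signature, alice_public))
```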

How to Protect Your Privacy?

How do you know if your privacy is being protected?

  • Privacy policy - Before submitting your name, email address, or other personal information on a website, look for the site's privacy policy. This policy should state how the information will be used and whether or not the information will be distributed to other organizations. Companies sometimes share information with partner vendors who offer related products or may offer options to subscribe to particular mailing lists. Look for indications that you are being added to mailing lists by default—failing to deselect those options may lead to unwanted spam. If you cannot find a privacy policy on a website, consider contacting the company to inquire about the policy before you submit personal information, or find an alternate site. Privacy policies sometimes change, so you may want to review them periodically.
  • Evidence that your information is being encrypted - To prevent attackers from hijacking your information, any personal information submitted online should be encrypted so that it can only be read by the appropriate recipient. Many sites use SSL, or secure sockets layer, to encrypt information. Indications that your information will be encrypted include a URL that begins with "https:" instead of "http:" and a lock icon in the bottom right corner of the window. Some sites also indicate whether the data is encrypted when it is stored. If data is encrypted in transit but stored insecurely, an attacker who is able to break into the vendor's system could access your personal information.

What additional steps can you take to protect your privacy?

  • Do business with credible companies - Before supplying any information online, consider the answers to the following questions: Do you trust the business? Is it an established organization with a credible reputation? Does the information on the site suggest that there is a concern for the privacy of user information? Is there legitimate contact information provided?
  • Do not use your primary email address in online submissions - Submitting your email address could result in spam. If you do not want your primary email account flooded with unwanted messages, consider opening an additional email account for use online. Make sure to log in to the account on a regular basis in case the vendor sends information about changes to policies.
  • Avoid submitting credit card information online - Some companies offer a phone number you can use to provide your credit card information. Although this does not guarantee that the information will not be compromised, it eliminates the possibility that attackers will be able to hijack it during the submission process.
  • Devote one credit card to online purchases - To minimize the potential damage of an attacker gaining access to your credit card information, consider opening a credit card account for use only online. Keep a minimum credit line on the account to limit the amount of charges an attacker can accumulate.
  • Avoid using debit cards for online purchases - Credit cards usually offer some protection against identity theft and may limit the monetary amount you will be responsible for paying. Debit cards, however, do not offer that protection. Because the charges are immediately deducted from your account, an attacker who obtains your account information may empty your bank account before you even realize it.
  • Take advantage of options to limit exposure of private information - Default options on certain websites may be chosen for convenience, not for security. For example, avoid allowing a website to remember your password. If your password is stored, your profile and any account information you have provided on that site is readily available if an attacker gains access to your computer. Also, evaluate your settings on websites used for social networking. The nature of those sites is to share information, but you can restrict access to certain information so that you limit who can see what.

How Does Your Information Spread Across the Internet?

What information is collected?

When you visit a website, a certain amount of information is automatically sent to the site. This information may include the following:
  • IP address - Each computer on the internet is assigned a specific, unique IP (internet protocol) address. Your computer may have a static IP address or a dynamic IP address. If you have a static IP address, it never changes. However, some ISPs own a block of addresses and assign an open one each time you connect to the internet—this is a dynamic IP address. 
  • domain name - The internet is divided into domains, and every user's account is associated with one of those domains. You can identify the domain by looking at the end of the URL; for example, .edu indicates an educational institution, .gov indicates a US government agency, .org refers to organizations, and .com is for commercial use. Many countries also have specific domain names.
  • software details - It may be possible for an organization to determine which browser, including the version, you used to access its site. The organization may also be able to determine what operating system your computer is running.
  • page visits - Information about which pages you visited, how long you stayed on a given page, and whether you came to the site from a search engine is often available to the organization operating the website.
If a website uses cookies, the organization may be able to collect even more information, such as your browsing patterns, which include other sites you've visited. If the site you're visiting is malicious, files on your computer, as well as passwords stored in the temporary memory, may be at risk.

How is this information used?

Generally, organizations use the information that is gathered automatically for legitimate purposes, such as generating statistics about their sites. By analyzing the statistics, the organizations can better understand the popularity of the site and which areas of content are being accessed the most. They may be able to use this information to modify the site to better support the behavior of the people visiting it.
Another way to apply information gathered about users is marketing. If the site uses cookies to determine other sites or pages you have visited, it may use this information to advertise certain products. The products may be on the same site or may be offered by partner sites.
However, some sites may collect your information for malicious purposes. If attackers are able to access files, passwords, or personal information on your computer, they may be able to use this data to their advantage. The attackers may be able to steal your identity, using and abusing your personal information for financial gain. A common practice is for attackers to use this type of information once or twice, then sell or trade it to other people. The attackers profit from the sale or trade, and increasing the number of transactions makes it more difficult to trace any activity back to them. The attackers may also alter the security settings on your computer so that they can access and use your computer for other malicious activity.

Are you exposing any other personal information?

While using cookies may be one method for gathering information, the easiest way for attackers to get access to personal information is to ask for it. By representing a malicious site as a legitimate one, attackers may be able to convince you to give them your address, credit card information, or other personal data. 

How can you limit the amount of information collected about you?

  • Be careful supplying personal information - Unless you trust a site, don't give your address, password, or credit card information. Look for indications that the site uses SSL to encrypt your information. Although some sites require you to supply your social security number (e.g., sites associated with financial transactions such as loans or credit cards), be especially wary of providing this information online.
  • Limit cookies - If an attacker can access your computer, he or she may be able to find personal data stored in cookies. You may not realize the extent of the information stored on your computer until it is too late. However, you can limit the use of cookies.
  • Browse safely - Be careful which websites you visit; if it seems suspicious, leave the site. Also make sure to take precautions by increasing your security settings, keeping your virus definitions up to date, and scanning your computer for spyware.

Monday, September 27, 2010

Defending Cell Phones and PDAs Against Attack

What unique risks do cell phones and PDAs present?

Most current cell phones have the ability to send and receive text messages. Some cell phones and PDAs also offer the ability to connect to the internet. Although these are features that you might find useful and convenient, attackers may try to take advantage of them. As a result, an attacker may be able to accomplish the following:
  • abuse your service - Most cell phone plans limit the number of text messages you can send and receive. If an attacker spams you with text messages, you may be charged additional fees. An attacker may also be able to infect your phone or PDA with malicious code that will allow them to use your service. Because the contract is in your name, you will be responsible for the charges.
  • lure you to a malicious web site - While PDAs and cell phones that give you access to email are targets for standard phishing attacks, attackers are now sending text messages to cell phones. These messages, supposedly from a legitimate company, may try to convince you to visit a malicious site by claiming that there is a problem with your account or stating that you have been subscribed to a service. Once you visit the site, you may be lured into providing personal information or downloading a malicious file.
  • use your cell phone or PDA in an attack - Attackers who can gain control of your service may use your cell phone or PDA to attack others. Not only does this hide the real attacker's identity, it allows the attacker to increase the number of targets.
  • gain access to account information - In some areas, cell phones are becoming capable of performing certain transactions (from paying for parking or groceries to conducting larger financial transactions). An attacker who can gain access to a phone that is used for these types of transactions may be able to discover your account information and use or sell it.

What can you do to protect yourself?

  • Follow general guidelines for protecting portable devices - Take precautions to secure your cell phone and PDA the same way you should secure your computer.
  • Be careful about posting your cell phone number and email address - Attackers often use software that browses web sites for email addresses. These addresses then become targets for attacks and spam. Cell phone numbers can be collected automatically, too. By limiting the number of people who have access to your information, you limit your risk of becoming a victim.
  • Do not follow links sent in email or text messages - Be suspicious of URLs sent in unsolicited email or text messages. While the links may appear to be legitimate, they may actually direct you to a malicious web site.
  • Be wary of downloadable software - There are many sites that offer games and other software you can download onto your cell phone or PDA. This software could include malicious code. Avoid downloading files from sites that you do not trust. If you are getting the files from a supposedly secure site, look for a web site certificate. If you do download a file from a web site, consider saving it to your computer and manually scanning it for viruses before opening it.
  • Evaluate your security settings - Make sure that you take advantage of the security features offered on your device. Attackers may take advantage of Bluetooth connections to access or download information on your device. Disable Bluetooth when you are not using it to avoid unauthorized access.

Cyber Security for Electronic Devices

Why does cybersecurity extend beyond computers?

Actually, the issue is not that cybersecurity extends beyond computers; it is that computers extend beyond traditional laptops and desktops. Many electronic devices are computers—from cell phones and PDAs to video games and car navigation systems. While computers provide increased features and functionality, they also introduce new risks. Attackers may be able to take advantage of these technological advancements to target devices previously considered "safe." For example, an attacker may be able to infect your cell phone with a virus, steal your phone or wireless service, or access the data on your PDA. Not only do these activities have implications for your personal information, but they could also have serious consequences if you store corporate information on the device.

What types of electronics are vulnerable?

Any piece of electronic equipment that uses some kind of computerized component is vulnerable to software imperfections and vulnerabilities. The risks increase if the device is connected to the internet or a network that an attacker may be able to access. Remember that a wireless connection also introduces these risks. The outside connection provides a way for an attacker to send information to or extract information from your device.

How can you protect yourself?

  • Remember physical security - Having physical access to a device makes it easier for an attacker to extract or corrupt information. Do not leave your device unattended in public or easily accessible areas.
  • Keep software up to date - If the vendor releases patches for the software operating your device, install them as soon as possible. These patches may be called firmware updates. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities.
  • Use good passwords - Choose devices that allow you to protect your information with passwords. Select passwords that will be difficult for thieves to guess, and use different passwords for different programs and devices. Do not choose options that allow your computer to remember your passwords.
  • Disable remote connectivity - Some PDAs and phones are equipped with wireless technologies, such as Bluetooth, that can be used to connect to other devices or computers. You should disable these features when they are not in use.
  • Encrypt files - Although most devices do not offer you an option to encrypt files, you may have encryption software on your PDA. If you are storing personal or corporate information, see if you have the option to encrypt the files. By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.

Securing Wireless Networks

How do wireless networks work?

As the name suggests, wireless networks, sometimes called WiFi, allow you to connect to the internet without relying on wires. If your home, office, airport, or even local coffee shop has a wireless connection, you can access the network from anywhere that is within that wireless area.
Wireless networks rely on radio waves rather than wires to connect computers to the internet. A transmitter, known as a wireless access point or gateway, is wired into an internet connection. This provides a "hotspot" that transmits the connectivity over radio waves. Hotspots have identifying information, including an item called an SSID (service set identifier), that allows computers to locate them. Computers that have a wireless card and have permission to access the wireless frequency can take advantage of the network connection. Some computers may automatically identify open wireless networks in a given area, while others may require that you locate and manually enter information such as the SSID.

What security threats are associated with wireless networks?

Because wireless networks do not require a wire between a computer and the internet connection, it is possible for attackers who are within range to hijack or intercept an unprotected connection. A practice known as wardriving involves individuals equipped with a computer, a wireless card, and a GPS device driving through areas in search of wireless networks and identifying the specific coordinates of a network location. This information is then usually posted online. Some individuals who participate in or take advantage of wardriving have malicious intent and could use this information to hijack your home wireless network or intercept the connection between your computer and a particular hotspot.

What can you do to minimize the risks to your wireless network?

  • Change default passwords - Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily found online, so they don't provide any protection. Changing default passwords makes it harder for attackers to take control of the device.
  • Restrict access - Only allow authorized users to access your network. Each piece of hardware connected to a network has a MAC (media access control) address. You can restrict or allow access to your network by filtering MAC addresses. Consult your user documentation to get specific information about enabling these features. There are also several technologies available that require wireless users to authenticate before accessing the network.
  • Encrypt the data on your network - WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) both encrypt information on wireless devices. However, WEP has a number of security issues that make it less effective than WPA, so you should specifically look for gear that supports encryption via WPA. Encrypting the data would prevent anyone who might be able to access your network from viewing your data.
  • Protect your SSID - To avoid outsiders easily accessing your network, avoid publicizing your SSID. Consult your user documentation to see if you can change the default SSID to make it more difficult to guess.
  • Install a firewall - While it is a good security practice to install a firewall on your network, you should also install a firewall directly on your wireless devices (a host-based firewall). Attackers who can directly tap into your wireless network may be able to circumvent your network firewall—a host-based firewall will add a layer of protection to the data on your computer.
  • Maintain anti-virus software - You can reduce the damage attackers may be able to inflict on your network and wireless computer by installing anti-virus software and keeping your virus definitions up to date. Many of these programs also have additional features that may protect against or detect spyware and Trojan horses.
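
Two items in the checklist above (encryption and the default SSID) can be checked from a scan of your own access point. The following is an added example, not part of the original tips: it assumes the scan was saved in the terse output format of `nmcli -t -f SSID,SECURITY device wifi list`, and the sample scan and the short list of factory-default SSIDs are constructed for illustration.

```python
# Assumption: a small, non-exhaustive set of common factory-default SSIDs.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g"}

# Constructed sample scan. Fields are separated by ':'; a literal ':' or '\'
# inside a field is backslash-escaped in nmcli's terse mode.
SAMPLE_SCAN = r"""HomeNet:WPA2
linksys:
OldRouter:WEP
Cafe\: Guest:WPA1 WPA2
NETGEAR:WPA2
"""

def split_terse(line):
    """Split one terse line on unescaped ':' and unescape each field."""
    fields, cur, escaped = [], [], False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def audit(scan_text):
    """Return [(ssid, [issues])] for networks that fail the checklist."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, security = (split_terse(line) + [""])[:2]
        modes = set(security.split())
        issues = []
        if not modes or modes == {"--"}:
            issues.append("open network: traffic is not encrypted")
        elif "WEP" in modes:
            issues.append("WEP in use: switch to WPA")
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("factory-default SSID: rename it")
        if issues:
            findings.append((ssid, issues))
    return findings

if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_SCAN):
        print(f"{ssid!r}: " + "; ".join(issues))
```

A default SSID on an otherwise encrypted network is still flagged, because it suggests the device may also be running with its default administrator password.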

Using Caution with USB Drives

What security risks are associated with USB drives?

Because USB drives, sometimes known as thumb drives, are small, readily available, inexpensive, and extremely portable, they are popular for storing and transporting files from one computer to another. However, these same characteristics make them appealing to attackers.
One option is for attackers to use your USB drive to infect other computers. An attacker might infect a computer with malicious code, or malware, that can detect when a USB drive is plugged into a computer. The malware then downloads malicious code onto the drive. When the USB drive is plugged into another computer, the malware infects that computer.
Some attackers have also targeted electronic devices directly, infecting items such as electronic picture frames and USB drives during production. When users buy the infected products and plug them into their computers, malware is installed on their computers.
Attackers may also use their USB drives to steal information directly from a computer. If an attacker can physically access a computer, he or she can download sensitive information directly onto a USB drive. Even computers that have been turned off may be vulnerable, because a computer's memory is still active for several minutes without power. If an attacker can plug a USB drive into the computer during that time, he or she can quickly reboot the system from the USB drive and copy the computer's memory, including passwords, encryption keys, and other sensitive data, onto the drive. Victims may not even realize that their computers were attacked.
The most obvious security risk for USB drives, though, is that they are easily lost or stolen. If the data was not backed up, the loss of a USB drive can mean hours of lost work and the potential that the information cannot be replicated. And if the information on the drive is not encrypted, anyone who has the USB drive can access all of the data on it.

How can you protect your data?

There are steps you can take to protect the data on your USB drive and on any computer that you might plug the drive into:
  • Take advantage of security features - Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost.
  • Keep personal and business USB drives separate - Do not use personal USB drives on computers owned by your organization, and do not plug USB drives containing corporate information into your personal computer.
  • Use and maintain security software, and keep all software up to date - Use a firewall, anti-virus software, and anti-spyware software to make your computer less vulnerable to attacks, and make sure to keep the virus definitions current. Also, keep the software on your computer up to date by applying any necessary patches.
  • Do not plug an unknown USB drive into your computer - If you find a USB drive, give it to the appropriate authorities (a location's security personnel, your organization's IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.

Securing Portable Devices II: Data Security

Why do you need another layer of protection?

Although there are ways to physically protect your laptop, PDA, or other portable device, there is no guarantee that it won't be stolen. After all, as the name suggests, portable devices are designed to be easily transported. The theft itself is, at the very least, frustrating, inconvenient, and unnerving, but the exposure of information on the device could have serious consequences. Also, remember that any devices that are connected to the internet, especially if it is a wireless connection, are also susceptible to network attacks.

What can you do?

  • Use passwords correctly - In the process of getting to the information on your portable device, you probably encounter multiple prompts for passwords. Take advantage of this security. Don't choose options that allow your computer to remember passwords, don't choose passwords that thieves could easily guess, use different passwords for different programs, and take advantage of additional authentication methods.
  • Consider storing important data separately - There are many forms of storage media, including CDs, DVDs, and removable flash drives (also known as USB drives or thumb drives). By saving your data on removable media and keeping it in a different location (e.g., in your suitcase instead of your laptop bag), you can protect your data even if your laptop is stolen. You should make sure to secure the location where you keep your data to prevent easy access. It may be helpful to carry storage media with other valuables that you keep with you at all times and that you naturally protect, such as a wallet or keys.
  • Encrypt files - By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
  • Install and maintain anti-virus software - Protect laptops and PDAs from viruses the same way you protect your desktop computer. Make sure to keep your virus definitions up to date. If your anti-virus software doesn't include anti-spyware software, consider installing separate software to protect against that threat.
  • Install and maintain a firewall - While always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you are traveling and using different networks. Firewalls can help prevent outsiders from gaining unwanted access.
  • Back up your data - Make sure to back up any data you have on your computer onto a CD-ROM, DVD-ROM, or network. Not only will this ensure that you will still have access to the information if your device is stolen, but it could help you identify exactly which information a thief may be able to access. You may be able to take measures to reduce the amount of damage that exposure could cause.