Computer security policy

Computer security is an ongoing process — 24 hours a day, 365 days a year. Developing and maintaining an effective computer policy involves dealing with the causes of security breaches and not the symptoms. This article deals with a few sound rules, but also misconceptions in computer security.

Overview

A sound security policy should include, but not be limited to, regularly checking for software updates and security patches, installing them where and when appropriate, and maintaining a firewall and anti-virus policy. It must be noted here that firewall and anti-virus products can lend a false sense of security. Your management of risks and your weakest links will minimise security breaches while maximising productivity and performance. The most effective methodology in computer security is to assert and maintain an intelligent policy to risk manage your workstation use and functionality without inflicting a denial-of-service on the people who rely on access to your computer or network.

What computer security is not

  • Installing a firewall or anti-virus software.
  • Something provided by a product.
  • Turning off services on your computer.
  • Denying access to services on your computer or network.

What computer security is

  • Measuring productivity against limiting the functionality of your computer or network.
  • Developing and maintaining a dynamic and ongoing security policy.
  • Knowing the weakest link of your system or network.
  • Assessing and maintaining a risk management policy for your hardware, software and the people who use it.
  • Researching new security issues and adapting your policies without degrading the performance of your computer or network.
  • Managing physical access to your personal computer or laptop.
  • Doing all of the above, without causing disruption and inconvenience to those who rely on your network.

Example of an internal security issue

During the Sasser worm outbreak in spring 2004, Sampo, Finland's third largest bank, closed 130 of its branches and offices on the grounds that their network might be vulnerable to the virus. Most security issues are internal, and in this case, the bank self-inflicted a denial-of-service on its customers and staff based on mass-hysteria. Do not react to security issues by self-damaging your company/home network functionality and productivity.

Origins of software vulnerabilities

The majority of software from the Internet is safe, since vendors would not risk their reputation by bundling their products with malware. You should, however, endeavour to question the purpose of software before installing it. Do you really need the program, and how often will you use it? Will the software degrade the performance of your computer?

Sometimes software can contain a device driver that is not certified by Microsoft, which can damage your system by overwriting existing drivers. Windows XP will notify you if you attempt to install incompatible drivers. Damage to operating systems owing to bad drivers can lead to data corruption and system-wide failure.

Most computer viruses are propagated by email. The view that commercially available software and software downloaded from newsgroups contains viruses is false (occasionally, it may contain adware, however). Email is an efficient way to spread viruses. You should not open email attachments ending with the following extensions: .exe, .pif, .zip, .com, .cab, .scr, .vbs or any other extension relating to executables. Some email viruses have a double extension, e.g. mpeg.exe or jpeg.zip, to trick you into thinking the attachment is a movie or picture.
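A mail-gateway style check for the extension list and the double-extension trick described above, as an added example that is not part of the original article. The blocked list is the article's; the decoy list, the function names and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article says not to open (taken from the page).
BLOCKED = {".exe", ".pif", ".zip", ".com", ".cab", ".scr", ".vbs"}
# Harmless-looking types used as the first half of a double extension.
# Assumption: this decoy list is illustrative, not from the article.
DECOYS = {"mpeg", "mpg", "jpeg", "jpg", "gif", "avi", "txt", "doc", "pdf"}

def classify(filename):
    """Return 'double-extension', 'blocked' or 'ok' for one attachment name."""
    # Windows drops trailing dots and spaces, so "a.exe. " is saved as a.exe.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or "." + parts[-1] not in BLOCKED:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOYS:
        return "double-extension"
    return "blocked"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every part that should be quarantined."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches inline and nested parts
        filename = part.get_filename()
        if filename is None:
            continue
        verdict = classify(filename)
        if verdict != "ok":
            findings.append((filename, verdict))
    return findings

def sample_message():
    """Constructed test message (not real mail) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "holiday pictures"
    msg.set_content("See attached.")
    for name in ("notes.txt", "Holiday.JPEG.zip", "movie.mpeg.exe", "setup.SCR"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(sample_message()):
        print(f"quarantine {name}: {verdict}")
```

The check looks only at the declared filename, so it complements content scanning at the gateway and does not replace it.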

Typical set of rules

Users of a company or home workstation or network should read and abide by the following:

  • I will not download computer games, viral vectors. However, there is wide disagreement among virus experts, since boot sector viruses do not tend to spread easily.
  • I will not open email attachments from unknown or untrustworthy sources. I understand that the authors of viruses use social engineering to encourage users to open attachments, thus installing backdoor components on your machine. You should always question the source and purpose of emails containing attachments. I will disable the preview pane in Outlook and/or Outlook Express and stop the auto-execution of attachments. I will not open emails matching this description. I will delete them immediately.
  • I will ask my postmaster to filter the SMTP gateway [port 25] for viruses.
  • I accept that firewalls and anti-virus software will not necessarily prevent viruses, adware and spyware from affecting my workstation. Once Malware is discovered, it is too late and the damage is already done. I understand that only risk management will keep my workstation free of malware.
  • I will not allow anyone to visit pornographic websites using my workstation or network. Such websites often force users to download adware, spyware and premium rate dialer(s), even if the download is cancelled. I understand the reputation of my employer could be put at risk if pornographic material were to be discovered on their machines and/or servers. See "Work porn risk for businesses", BBC News: http://news.bbc.co.uk/1/hi/technology/3701907.stm
  • I will not open links embedded in spam email, nor will I hit the reply button. You could be notifying the spammer that your email address is active. The spammer may sell your email address to third parties, resulting in even more spam. I will delete all emails matching this description.
  • I will not open links in spam emails that purport to unsubscribe you from their mailing list. By opening the link, you are telling the spammer that your address is in use. I will delete all emails matching this description.
  • I will not forward hoaxes, chain-letters, spam, special offers and fake business deals. I will delete all emails matching this description.
  • I will not give out confidential information to third parties under the following circumstances: 1. In response to any emails purporting to be sent by a bank or company requesting passwords, PIN numbers, telephone numbers, addresses and other confidential information. Banks already have this information and would never ask for it under any circumstances in an email. 2. When submitting information to websites, I will read the privacy policy of websites before submitting information, including my email address. 3. Accidentally sending an email to the wrong recipient(s).
  • I will create regular back-ups of data and system critical files.
  • I will set up passwords for access to the accounts stored on my computer and manage physical access to machines.
  • I will not restrict the functionality of my computer or access to the machine under circumstances including, but not limited to: potential viral infection, potential hacking, media hysteria, the factoids of false authorities, and any other misinformation designed to create fear, uncertainty and doubt (see FUD).

FAQ

Q. Why do spyware, adware and viruses keep affecting my PC? Surely, it is impossible for these programs to get past the firewall and anti-virus software.

A. Not so. You need to control your Internet surfing habits in order to prevent reoccurrences of this nature. You should also manage your email policy and not blindly open attachments.

Q. I still get viruses and spyware, even with anti-virus software installed.

A. If you do not keep your virus definitions up-to-date, then your anti-virus software will fail to do its job. If you do not enforce a security policy, viruses may compromise your machine, even if virus definitions are up-to-date. Only risk management will prevent security compromises. You must tackle the causes and not the symptoms.

Q. Why do I need to back up my files?

A. Good security practice is to back up your data, program files and system files in case of a system-wide failure.

External Links

  • The truth about computer security hysteria: http://www.vmyths.com
  • Site devoted to debunking media security charlatans: http://www.grcsucks.com