
Protection

There are a number of things you can do to protect your information. Using simple policies in tandem with applications, utilities and services can help you with this. This section provides some information for both home and business users.

Any products or services provided by any organisation mentioned in the e2chameleon Information Security Resource are outwith the control of e2chameleon. You acknowledge that any reliance upon any advice, opinion, recommendation, statement or other information displayed or distributed through the Web site is at your sole risk.

Before buying or using any products or services mentioned on this site you should confirm pricing, functionality and service in order for you to make an informed decision about its suitability for you or your organisation.

e2chameleon shall have no liability arising from your purchase or use of any products or services based upon the information provided on the e2chameleon Information Security Resource.

 

Keep up to Date

Make sure that your software is up to date. Vulnerabilities (mistakes or omissions made by the author that make the software vulnerable to exploitation) are often found in software and the publishers regularly release patches to protect against them. Many vendors publish alerts to let you know when vulnerabilities are found and patches are available. Microsoft runs a free security bulletin service which alerts customers to vulnerabilities found in its products. More information on this can be found at http://www.microsoft.com/technet/security/notify.asp. Microsoft's security web site can be found at http://www.microsoft.com/security. Visit the web sites of other vendors to get details of their notification services.

The Information Services section has got details of news and vulnerability information sources. The Testing section has information on vulnerability assessment tools and the Updates section has information on tools you can use to update your system/s.


Securely Configure your Software

In a way software is like a suit of clothes. If you buy a suit "off the peg" it may not fit properly and you need to have it altered so that it fits perfectly. If you install software and use all the default settings it may not be right for you, especially the security settings. You should be able to configure web browsers, email and other applications that interact with the Internet to maintain your required level of privacy and security. Read the help files and documentation (in print, on disk or on the vendor's web site) for your software. A little bit of reading can go a long way. Microsoft's security web site can be found at http://www.microsoft.com/security and provides information on how to securely configure applications like Internet Explorer and Outlook.

The Testing section has information on tools that can check your systems for configuration issues.

 

Install & Maintain Anti-virus Software

Viruses and Worms invade systems mostly through email. Install a product that provides on-demand or scheduled scans as well as on-access scans and can check disks, email and Internet downloads. The on-access function will ensure that a virus is caught before it can cause any damage and the on-demand or scheduled scan option allows you to routinely check your system for infection. This is especially useful as you can scan your system after you have updated the virus signature database. It has not been unknown for a new virus or worm to "sneak" past on-access software because the virus database cannot detect it. As with all software, keep up to date. Hundreds of new viruses are written each month and anti-virus software needs to be constantly updated. A number of vendors routinely update their detection databases on a weekly basis with special updates when dangerous threats appear. Vendors determine the risk of a new virus or piece of malicious code using their own rules. Some vendors may put a virus on medium alert while others may rate the same threat as high or low. Most products can be updated over the Internet and a number of them can be scheduled to update automatically.

Look at the Virus Protection section for information on some of the tools (some of which are free) that you can use to protect your system/s.

As part of the keeping up to date process you should subscribe to some of the virus alert services available. It is almost certain that the anti-virus solution you are using includes some form of notification of new viruses. The Information Services section has got some details of virus notification services.

Even when you have software installed and maintained there are some things you can do to increase your protection.

Tips

- Do not open any files attached to an email from an unknown, suspicious or untrustworthy source
- Do not open any files attached to an email unless you know what it is, even if it appears to come from a friend or someone you know. Some viruses can replicate themselves and spread through email. Better be safe than sorry and confirm that they really sent it
- Do not open any files attached to an email if the subject line is questionable or unexpected
- In order to stop the spread of Macro Viruses, if possible, don’t send Word document attachments outside the company in their native .DOC format. Instead use pure Rich Text Format for your Word documents, because that doesn't support the macro language. Simply Save as... and select Rich Text format (*.rtf). Similarly, save your Excel files as CSV (Comma Delimited) (*.csv). Tell the people that you deal with that you would rather they sent you RTF or CSV files rather than DOC or XLS files if possible
- All files have to be virus checked before use and applications must be approved for use before installation (by authorised personnel)
- Write protect floppy disks before inserting them into other users' computers. Not only will this stop viruses being able to infect your disk, it will also ensure that data on the disk cannot be accidentally modified
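
The RTF/CSV tip above only helps if a received file really is what its name says, because the extension alone does not prove the format. The following is an added example, not part of the original page: it compares each attachment's leading bytes with its extension and also notes RTF files that carry an embedded object; the sample message, file names and verdict labels are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls files
RTF_MAGIC = b"{\\rtf"                            # every RTF file starts with this
MACRO_FREE_EXT = {"rtf", "csv"}                  # formats the tip recommends

def classify(filename: str, data: bytes) -> str:
    """Compare what the file name claims with what the bytes actually are."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        # Word/Excel binary container: can carry macros whatever it is called.
        return "disguised" if ext in MACRO_FREE_EXT else "macro-capable"
    if ext == "rtf":
        if not data.startswith(RTF_MAGIC):
            return "not-rtf"
        if b"\\object" in data:  # RTF control word for an embedded object
            return "rtf-embedded-object"
    return "ok"

def check_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw email."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        results.append((name, classify(name, data)))
    return results

def build_sample() -> bytes:
    """Constructed test message; attachment contents are short stand-ins."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Files attached.")
    samples = {
        "notes.rtf": b"{\\rtf1\\ansi Hello}",
        "report.rtf": OLE2_MAGIC + b"\x00" * 16,   # DOC renamed to .rtf
        "budget.xls": OLE2_MAGIC + b"\x00" * 16,
        "data.csv": b"item,qty\nwidget,2\n",
    }
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in check_message(build_sample()):
        print(f"{name:12} {verdict}")
```
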

 

Install a Firewall

Most organisations implement firewalls to control data flowing into and out of their networks. This provides centralised protection for the tens, hundreds or thousands of servers or workstations under their control. Home users, who typically have one or two computers, also need to protect their data and personal firewalls can help with this. More and more home users are connecting to the Internet using "always on" connections such as Broadband or ADSL and this means that you have a constant visible presence on the Internet (by way of an assigned static IP address - go to Whatis.com for a definition of IP address). This is a bit like publishing your name in a phone book when you really want to be ex-directory. It is becoming more important for home users to have a personal firewall. Users connecting via dial-up connections are also prone to attack although they are not as vulnerable as those using "always on" connections.

Personal firewalls reside on each PC to be protected whereas corporate firewalls reside between the Internet and the network to protect all PCs in an organisation. The use of personal firewalls within organisations, in support of their gateway-based firewalls, is increasing as businesses realise that hacking attempts can come from both outside and inside their network. Go to the Firewalls page for information on personal firewall products, some free, that you can use to protect your Internet connection. A section on corporate firewalls is being considered.

 

Use Privacy and Content Security Services

Privacy is a double-edged sword. The personal privacy of individuals needs to be protected to allow them to go about their lawful business. Organisations need to be sure that their data can be protected against theft by rivals or destruction by hackers. Political activists organising change through peaceful protest need to be sure that authorities are not tapping their phone lines and intercepting their communications. Should this go so far as to allow paedophiles and other criminals to use technology to organise their crimes without detection? The Privacy Protection section gives some information on things you can do and tools you can use to maintain your personal privacy. This includes using strong passwords and securely deleting sensitive files you no longer wish to keep.

The Child Protection section gives details of things you can do to protect your child when online. It includes information on browser content rating, software to restrict children's access to inappropriate sites and further sources of information to assist parents in this area.

The Content Security area lists software that businesses may consider installing to reduce their legal liabilities with regard to staff access to email and the Internet.

 

Back Up Your Data

You should always back up your important files. You can get broken equipment repaired / replaced and software can be reinstalled or new copies bought. Your business or personal information is different. It cannot be replaced except by you doing all the work again, UNLESS you regularly back up your data and store the disk/s tape/s in a secure area.

 

Physically Protect Your Property & Data

As well as ensuring that the data you store and process on your computer is safe, you need to make sure that the equipment itself and the environment it is stored in do not become a target for theft. There are a number of pieces of equipment which can be used to physically protect your equipment and deter would-be thieves. The Physical Protection section has some information on this. The Privacy Protection page has a section on secure deletion of paper files. You don't just need to protect your information; depending on the data, you may need to positively destroy it when it is no longer required.

 

Define, Implement and Publicise Policies

Companies should write staff usage policies to define how company systems should be used. Technical policies that define the security aspects of infrastructure, support and management of systems are also needed. Companies have a responsibility to abide by the law, and policies, with their associated standards and procedures, can help do this. Once a policy has been written it needs to be publicised so that staff are aware of their responsibilities. The Law section has information on some of the laws governing the use of computers and communications equipment. Codes of practice such as BS7799, its international equivalent (ISO 17799) and the Information Security Forum Standard of Good Practice are also mentioned in this section. There are many resources to help you define policies. The ePolicy Institute has a lot of information on usage policies for Internet and email.