Computer Security: How to Keep Your Machines Safer Without Breaking the Bank (or Your Brain)

*Note: This was originally written for a newsletter at UNC-Chapel Hill. As such, there are many references to university-specific issues and solutions. Even if you ignore those bits, I feel many readers can glean something useful from this, which is why I'm posting it here.


----------------


It doesn’t matter where I am, what time of day it is, or who I’m talking to; once someone finds out I work in IT security, the first words out of his or her mouth are, “Hey, I’ve got a quick question for you…”


Most people would find this irritating. As my wife can attest to, I simply smile and say, “What’s on your mind?”


More often than not, the question is, “I’m using XYZ program to keep my data secure. Is it as good as advertised?”


The short answer is, “No, not really.” The less cryptic, but more depressing comeback is, “No computer is ever really secure,” and the long, informative explanation is…somewhat more complicated.


There are many factors that go into the long, complicated answer, and it almost always leads to more questions than answers. The type of data, device, and operating system are the major factors that come into play when determining how to keep information safe. If you’re trying to keep your cousin away from your mother’s famous lemon torte recipe stored on your laptop, your needs are vastly different from someone who is attempting to keep corporate secrets on the company server out of the hands of the competition.


Where and how you use said device is also important. Those who travel frequently and rely on free wifi hotspots with regularity are going to have a much tougher time keeping prying eyes from viewing their files than someone who sits at their desk using a desktop jacked into a hardline (that is to say, an Ethernet connection). Now, given how prevalent free wireless access is these days, one might not think much about using the service provided by a national coffee chain or a popular restaurant. However, that’s actually one of the most important things you should think about, even before your own security needs at home or at work.


You’re More Vulnerable Than You Think


Let’s say, hypothetically, you’ve got a layover at a fairly large airport somewhere, and decide to sit in a coffee shop to browse your email and work on some payroll stuff while you wait for your flight to board. You log into your office’s file server so you can update some information regarding changes in pay rates and some addresses so that your employees receive their paychecks on time. You save the changes, log out, and that’s that, right?


Not quite.


In your mind’s eye, see that younger guy in the corner, sipping his double shot, non-fat latte and tapping away at his laptop? He’s not working on his novel; he’s watching the flow of traffic on the café’s wifi, and unless you used an SSL or VPN client to access your company server, you basically just handed him a bunch of information that he will, in turn, sell to your competitor, the name of which was also in those files. He’ll make top dollar, and your opponent will be able to poach your top 3 employees by offering them more money than they make with you. All for the cost of an espresso.


And no, the scenario isn’t all that far-fetched.


A much bolder and less subtle crook will simply wait for you to head into the bathroom, then walk over, pick up your laptop, and leave. Since it was open and you were logged on when he took it, there’s nothing stopping him from backing up EVERYTHING from the hard drive and your office’s servers. Then he can reformat the machine and sell it on the black market for a little extra cash, even though the big money is in the information you left exposed.


General Rules for the General Populace


If you don’t want this to come to pass, you’ll need to be more vigilant, and in more ways than one. There are many things you can do to minimize your chances of a breach, and not all of them are tech-intensive. In fact, most of them can be filed under, “Am I taking the appropriate security measures for the type of data I store and have access to?”


Rule #1: Be aware.


Situational awareness is the most important tool in any security arsenal, yet, it is the most oft-overlooked. Whether you’re out and about, or sitting at your kitchen table, pay attention to your real-world and online surroundings.


If you’re using free wifi, before you even open up your laptop or switch on your iPad, ask yourself, “Am I about to access something I don’t want anyone else to see?” If the answer is “yes,” then don’t do it in public! You wouldn’t shout your bank information to the heavens at the top of your lungs in the middle of a crowded room, would you?


If you log into your checking account to check the balance on an unsecured network, that’s essentially what you’re doing. Heck, even if the network is secure, Joe Q. Public could look over your shoulder while you’re logging in and memorize your password and username. Best not to risk it.


There are a few ways you can keep your devices physically secure. One option is to chain your machine to your workspace, even if you’re not traveling with it. Ever been to an electronics store, and seen all those bicycle lock-looking things used to strap the display models down? That’s not exactly a bad idea if you keep sensitive files on your laptop or desktop. Another layer of protection is to have your computer set to lock out the user after 60 seconds of inactivity, and/or have your tech support rep install whole-disk encryption software on your machine. One or both of these will make it more difficult for someone to access your information should your computer get lost or stolen.


You can also purchase privacy screens for your monitors and laptops that prevent anything displayed from being seen from side or top angles. This way, you can work without worrying about someone sneaking glances over your shoulder and seeing what you’re doing.


As to web awareness, when you click a link in an email or an instant message, take a moment to look up at the address bar at the top of your browser window when the link opens. Does the web address seem off? Does it have extra characters and slash commands at the end of it? If it does, this may be a “dummy” site, and when it prompts you to log in, it could very well be storing that information for nefarious purposes rather than allowing you to look at your Gold Deals at Amazon.com. If it looks “phishy,” toss that runt back in the lake (by closing the window), then cast for a better one by opening a new window, and typing the web address you normally use for said site by hand. Guaranteed you’ll reel in a winner. Or, at least, a less suspicious one.
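The address-bar check described above can be written down as a few concrete tests. This is an added example, not part of the original newsletter; the function name and the sample links are constructed for illustration, with amazon.com standing in for the site you meant to visit.

```python
import ipaddress
from urllib.parse import urlsplit


def link_warnings(url, expected_domain):
    """Compare where a link really goes with the site you meant to visit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    warnings = []
    # Anything before an '@' is a login name, not the site; the real host follows it.
    if parts.username is not None:
        warnings.append("address hides the real host after an '@'")
    # Well-known sites are reached by name, not by a raw number.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass
    # 'xn--' labels are encoded international names and can imitate plain letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host contains an encoded (xn--) label; check for look-alikes")
    # The expected name must be the END of the host, not merely appear inside it.
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"goes to {host or 'no host'}, not {expected}")
    return warnings


# Constructed sample links (hypothetical hosts on reserved test names and addresses).
SAMPLES = [
    "https://www.amazon.com/gp/goldbox",
    "http://amazon.com.deals.example/login?id=83j2",
    "http://amazon.com@203.0.113.7/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", link_warnings(link, "amazon.com") or "looks like the real site")
```

An empty result only means the address matches the site you expected; typing the address by hand, as suggested above, is still the safer habit.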


Rule #2: Create strong passwords.


Now, we’ve been over this in other posts and articles, but it bears repeating: A good password is worth its weight in gold.


Most sites require a minimum of 8 characters in a password, and some go further by requiring at least one numeral and one special character. This is a great start, but remember, using things that are easy to remember leaves you vulnerable to anyone who can deduce your favorite things, like color, food, or pet. Birthdates and maiden names are out, too, because anyone can (and will) Google that info these days. Personally, this author formulates his passwords to be at least 15 characters and uses a mix of capital and lowercase letters, with the occasional numerical substitution, such as, “5^nT@nl0tInissM@rt!!” Looks pretty complicated, right? How about now: “Sun tan lotion is smart!!”
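The rules in this section can be checked mechanically, including the point that swapping letters for look-alike characters does not hide a pet's name or a birth year. This is an added example, not part of the original newsletter; the substitution table and the list of personal details are assumptions constructed for illustration.

```python
import re

# Assumed substitution table for this example: maps common look-alike
# characters back to the letters they stand in for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "^": "u"})
MIN_LENGTH = 15  # the length the article's author uses for his own passwords


def normalize(text):
    """Lower-case, undo look-alike substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def check_password(password, personal_facts):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both capital and lowercase letters")
    if not re.search(r"\d", password):
        problems.append("needs at least one numeral")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character")
    # Facts are normalized the same way, so "R3x" and "Rex" compare equal.
    flat = normalize(password)
    for fact in personal_facts:
        needle = normalize(fact)
        if len(needle) >= 3 and needle in flat:
            problems.append(f"contains personal detail: {fact}")
    return problems


# Constructed sample data: details someone could guess or look up online.
FACTS = ["Rex", "blue", "lasagna", "1985", "Whitfield"]

if __name__ == "__main__":
    for candidate in ["Fluffy2011!", "R3x!sMyD0g1985##", "5^nT@nl0tInissM@rt!!"]:
        print(candidate, "->", check_password(candidate, FACTS) or "ok")
```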


Rule #3: Update, update, update.


The reasons for running updates are many, and have been mentioned in a previous article (http://oasis.unc.edu/howwedoit/publications/newsletters/september-2010-newsletter/whats-with-all-these-updates-anyway), so I won’t bore you with all that here. This go around, I’ll just list the updates you should have for the most common operating systems I encounter.


Anything before Windows 7 is out of date and not secure. If you have Windows XP with anything other than Service Pack 3 (SP3) or Vista Service Pack 2 (SP2), your machine is at risk for picking up all kinds of nasties. Do your updates now, and routinely check for updates in the future.


Rule #4: Virus scanners are your best friends.


For those of you reading this that work at UNC-Chapel Hill, you should be using Symantec Endpoint Protection, per campus policy. If your computer routinely accesses or stores sensitive data (see this page for the definition of sensitive data according to UNC- http://help.unc.edu/6475), then please install the sensitive data version on your computer.


For everyone else, you can visit http://filehippo.com/software/antimalware/ and download AVG, Antivir, or Avast. All three are good, reliable (and free) antivirus applications. Pick ONE, and ONLY one. If you have 2 virus scanners running at the same time, they tend to conflict with each other and drastically reduce computer performance.


Rule #5: Backing up your data is not an option, but a requirement.


What would you do if your computer fell into a lake, was backed over by a truck, or dropped off a 5th floor balcony? Personally, I’d be angry about inadvertently littering the landscape with bits of plastic and metal, but most people would be horrified at the loss of important files. Photos, music, financial records, vital research, articles and theses, all gone in the blink of an eye. It can take forever to reconstruct and recollect what was on your hard drive, and even then, things will never be the same.


Unless, of course, you back up your hard drive on a regular basis. Then you’ve got nothing to worry about.


On campus, OASIS now offers CrashPlan for data backup and recovery for College of Arts and Science’s customers. This service has been paid for by the college and does not cost additional funds, unlike Xdrive and Iron Mountain. (Speaking from personal experience, I recommend avoiding anything to do with Iron Mountain, as it is poorly designed. You can do much better, even if you don’t opt to use the university’s choice of backup service.)


If you’re not keen on CrashPlan, you can go with Mozy, Carbonite, or Dropbox, which are all available online. Dropbox is my first choice for free, online backup for files, as you can get up to 8 gigabytes of space free by referring people to their site, and it’s user-friendly. Barring all that, you can do things the old-fashioned way, and copy your important files to a thumb drive or an external hard drive for safekeeping and easy retrieval should you have a hard drive failure or your computer be compromised. Just remember to do this on a fairly regular basis. If your computer goes belly up in 2011, and the last time you updated your medical records was 2009, you could wind up with a bit of a problem on your hands, which was what you were trying to avoid in the first place. Also, note that physical backup drives, while convenient, won’t help you if your home or office burns down with your computer inside it. Food for thought when you make your choice about data backup options.


Rule #6: Pop-ups are the enemy.


Ever been surfing the web and had a message pop up that looks something like this:


YOU MAY HAVE BEEN INFECTED! Click here to start a free virus scan!


If you encounter such a message, first and foremost:


DO NOT CLICK ON IT, OR ANYTHING THAT LOOKS EVEN REMOTELY SIMILAR TO THAT SAMPLE MESSAGE.


When something like this pops up, you have two choices that will help you avoid trouble. One, hold down the power button on your computer until it turns off, or two, hit ctrl-alt-del and end-task the web browser. Naturally, you may want to save anything you were working on before doing this, just to be safe, and that’s a good instinct to run with. After the computer has powered down, you can turn it back on. Once you have done so, run a full scan with Symantec (or AVG or whichever antivirus you have chosen) and SuperAntiSpyware. NEVER BUY ANYTHING that is offered by such pop-ups, as they are scams, and will further infect your machine! The programs you have installed on your computer (or were installed by your tech support representative) will do the job just fine.


Rule #7: Remember that crooks and ne’er-do-wells use social networking sites, too.


Think twice before you click on anything you see on Facebook, MySpace, or Twitter. Your friends and family may not be as safety-savvy as you. I’ve often called or emailed friends to notify them that their Facebook or MySpace pages have been compromised, and they had no idea their account had been spamming their contacts with security threats in the guise of funny forwards and false news articles.


I retired one of my passwords forever after stupidly clicking on such a link sent to me by someone on Facebook, only to realize it was a virus and that my account had just been compromised. When something like that happens, immediately change your password, and, if you can, disconnect that computer from the internet and use another machine (or even your smartphone) to change said password a second time, just to be safe. After that, go back to the original device and run scans to clean the virus and/or spyware out of the system.


Rule #8: Be discreet.


While no one should have what they say online used against them, people can (and will) do just that. Mentioning anything that could be used to make an educated guess about security questions or passwords online, such as on social networking sites, online photo albums and so forth can put you at risk. Keep personal information such as your mother’s maiden name, your favorite food, the hospital you were born in and the like to yourself. Yes, much of that information can be found with a bit of digging, but at the very least, don’t make things easy for those who would do you harm by posting them, and please, don’t use such information as your password for anything sensitive! It’s tempting, I know, because these things are easy to remember, but believe me, a small inconvenience of having to type in a complicated set of characters that have nothing to do with each other is better than the major inconvenience of a security breach or identity theft.


But Wait, There’s More!


These are just some of the preventative measures one can take to help improve security and reduce risks. There are many more options that can be engaged to provide the tightest safety net possible, but for most of us, what’s listed above is a very good start. If you’re really interested, the links provided below will get you started, and if you’re a UNC employee, you have the added advantage of the university-level precautions that are in place.


But, you must remain vigilant, and avoid becoming complacent. The bad guys aren’t a bunch of dummies looking for a quick buck anymore. They’re just as smart as we are, and while the members of your IT security team do what they can to keep them at bay, you have to do your part. Only together can we keep them from winning.
