What Are Computer Security Best Practices?

by

William G. Perry, Ph.D.
www.paladin-information-assurance.com

Best practices associated with information security focus on maintaining the confidentiality, integrity and availability of your mission-critical information. You need to know how to use your digital resources in a safe manner.

The security of information is everyone's job. Each person, as an individual or as an employee in an organization, must have his or her responsibility specified and must follow through on it in his or her day-to-day activities. People who work with information must understand the critical nature of providing for the confidentiality, integrity and availability of digital assets.

Safe work procedures need to be built around practices that promote security, and they should spell out which activities must be carried out and which must be avoided.

To reach a high level of awareness in an organization, security policies must be developed. Information security policies are based upon an understanding of vulnerabilities as well as risk. For example, an employee who works on the Internet most of the day exposes his or her system to external attacks.

Each person (as an individual, employee or owner) must understand his or her role, responsibility and what constitutes the appropriate use of information technology.  Securing information assets has now become a matter of national security.

Security best practices include the adoption of routine activities, and consistent follow-through, by each and every individual, employees included.

Everyone should be concerned about computer security. It determines whether your private information is safe from cyber thieves. Computers with weak defenses can endanger your financial health and your family's personal safety.

The number of computer criminals and attacks continues to rapidly expand and so does their level of sophistication. Cyberspace is becoming increasingly dangerous as the capability of the technology has grown. You must take steps now to protect yourself, your family, employer and business. You can do so by proactively following what is known as "security best practices".

What are security best practices? The phrase refers to the procedures, processes and habits that you routinely perform to "harden" your computer. Let's examine a few.

1. Use robust passwords - Your password should be at least 11 characters long and include at least one uppercase letter and one special character; of these, length matters most. Avoid common words, pop-culture references, birthdays of family and friends, the name of your pet, or other terms that could be easily discovered. A passphrase of several unrelated words, for example, is safer than a single word, and no password should be reused across accounts.
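As an added example, not code from the original article, the Python below applies the rules in item 1 to a candidate password, estimates how much entropy an 11-character password and a random multi-word passphrase actually carry, and generates a passphrase with a cryptographic random source. The common-word list and the word list are small constructed samples; a real deployment would check against a breached-password list and draw from a full diceware-style wordlist of several thousand words.

```python
import math
import re
import secrets

# Constructed sample lists for this example only; use real, large lists in practice.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "dragon", "monkey"}
SAMPLE_WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "falcon",
                   "granite", "harbor", "iris", "juniper", "kestrel", "lumen"]

SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# A 6- or 8-digit run (010190, 19900101) is almost always a birthday.
DATE_RE = re.compile(r"(?<!\d)(\d{6}|\d{8})(?!\d)")
MIN_LENGTH = 11


def check_password(pw: str) -> list:
    """Return the list of rules the password violates (empty means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if DATE_RE.search(pw):
        problems.append("contains a date-like digit run")
    return problems


def charset_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset size).
    Human-chosen passwords have far less; this is the best case."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a list."""
    return word_count * math.log2(wordlist_size)


def make_passphrase(word_count: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Generate a passphrase using the CSPRNG behind the secrets module."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for candidate in ["Fluffy01011990!", "Password!2024x", make_passphrase(4)]:
        print(candidate, check_password(candidate) or "ok")
    print("11 random printable characters:", round(charset_bits(11, 95), 1), "bits")
    print("4 words from a 7776-word list:", round(passphrase_bits(4, 7776), 1), "bits")
```

The entropy figures make the trade-off concrete: 11 truly random printable characters give about 72 bits, but a password a person can remember is rarely random, whereas four words from a 7776-word list give a guaranteed 52 bits and six words give 78, and the passphrase is far easier to type and remember.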

2. Always lock your machine - When you leave your computer unattended, lock the workstation; otherwise it is accessible to anyone who is nearby. Make sure that your workspace is clear of printouts, notes and removable media.

3. Avoid downloading apps, screen savers and software from unknown sources. Malicious hackers frequently embed malware inside desirable products and offer them free. Once downloaded, the software can hide in your computer system and wreak havoc; your computer may even become a "bot" that attacks others.

4. Avoid opening email attachments from unknown senders - Malicious software could be installed on your system. Be wary even of attachments from known senders when the message is unexpected, since sender addresses are easily forged.

5. Double-check requests for information that appear to come from a company with whom you do business. They could be a "phishing attack". Cyber criminals are skilled and can present a screen that appears to be from a trusted source; fake PayPal requests for information, for example, have been used to gain personal information under false pretenses. Type the company's address into your browser yourself rather than following the link in the message.
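The following is an added example, not code from the article, showing one mechanical check behind item 5: pull every link out of an HTML message and flag those whose target is not the company's domain, whose visible text claims one site while the link goes to another, or which point at a raw IP address. The sample message is constructed for the example, and the "registrable domain" helper is a deliberate simplification (it takes the last two labels and does not consult the public suffix list, so it would mis-handle names such as example.co.uk).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; not a real phishing email.
SAMPLE_HTML = """
<p>Dear customer, please confirm your account:</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">Help center</a>
<a href="http://203.0.113.7/update">Update now</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplified: no public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_of(url: str):
    """Hostname of a URL; a scheme is assumed when the text lacks one."""
    return urlparse(url if "://" in url else "http://" + url).hostname


def suspicious_links(html: str, expected_domain: str) -> list:
    """Return (href, reason) for each link a reader should not trust."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if host is None:
            continue
        reasons = []
        # Legitimate businesses almost never link to a bare IP address.
        if host.replace(".", "").isdigit():
            reasons.append("link target is a raw IP address")
        # The target must belong to the company that supposedly sent the mail.
        if registrable_domain(host) != expected_domain:
            reasons.append(f"target domain {registrable_domain(host)} is not {expected_domain}")
        # Visible text that looks like a URL must point where it claims to.
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"text shows {shown} but target is {host}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML, "paypal.com"):
        print(f"SUSPICIOUS {href}\n    {reason}")
```

Note that the first link passes a naive "does it contain paypal.com" test; the check has to look at the registrable domain of the hostname, which is where the lookalike is hidden.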

6. Avoid questionable websites that focus on gambling, porn or get-rich-quick schemes. Many of these sites will automatically probe your browser and its plug-ins for known vulnerabilities and, once one is found, exploit it to install malware without any further action on your part. Your system may be compromised simply by visiting the page.

7. Install an antivirus software package and use it. There are a number of excellent products on the market. Antivirus software looks for known virus signatures and blocks matching files, so keep its signature database updated; it cannot catch malware for which it has no signature.

8. Change your wireless router's default passwords from the factory settings, both the administrator login and the wireless network key. Many routers ship with default passwords that are publicly known. Anyone within range of your signal could otherwise join your network or intercept your traffic. Use the strongest encryption the router offers (WPA2 or later).

9. Avoid sharing storage media with other computers (e.g. your spouse's or children's). Malicious software could be copied onto your machine from a friend's or associate's USB drive, for example, without your knowledge.

10. Perform a "white hat hack" on your own system. Such a self-assessment can identify vulnerabilities that exist, for example services listening on ports that are reachable from the Internet. Gibson Research offers an excellent and free program for this purpose.
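As an added example, not part of the original article or of the Gibson Research service it mentions, the Python below performs the simplest form of the self-check in item 10: a TCP connect scan that lists which ports on a host accept connections. Run it only against machines you own. Scanning 127.0.0.1 shows what is listening locally; to learn what is exposed to the Internet you must scan from outside, which is what an external service does for you. The self-check function binds a throwaway listener to prove the scanner works.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Well-known ports that deserve a second look if they turn out to be open.
COMMON_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 135: "msrpc",
                   139: "netbios-ssn", 445: "microsoft-ds (SMB)", 3389: "rdp",
                   5900: "vnc"}


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect scan of a single port: True if something accepts the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 64) -> list:
    """Scan the given ports concurrently and return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def report(host: str, ports=range(1, 1025)) -> list:
    """Print a summary of open ports on the host and return them."""
    open_ports = scan_ports(host, ports)
    for p in open_ports:
        print(f"{p}/tcp open  {COMMON_SERVICES.get(p, 'unknown service')}")
    if not open_ports:
        print(f"no open TCP ports on {host} in the scanned range")
    return open_ports


def verify_scanner() -> bool:
    """Self-check: bind a throwaway listener on loopback, confirm the scanner
    reports it open, then close it and confirm the port now reads as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        seen_open = scan_ports("127.0.0.1", [port]) == [port]
    seen_closed = not port_is_open("127.0.0.1", port)
    return seen_open and seen_closed


if __name__ == "__main__":
    report("127.0.0.1")
```

Anything the scan lists that you did not knowingly enable is either a service to switch off or a port for the firewall in item 12 to block.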

11. Keep your software updated. Install recommended patches from the publisher promptly and consider automating the process. Malicious computer users keep up to date on published vulnerabilities and know exactly what to attack.

12. Install and use a firewall. There are both hardware and software firewalls. A firewall lets you block inbound connections to services you do not intend to expose and outbound connections to specific addresses.

13. Terminate your Internet connection when you finish working. The Internet is one of the biggest attack venues; disabling your connection removes the attack surface that hackers can use while you are away.

14. Encrypt your critical information. A number of free or inexpensive encryption programs are available, such as PGP (Pretty Good Privacy) and GnuPG, its free OpenPGP-compatible counterpart.

15. Consider using multi-factor authentication to access your computing resources. A password is one factor (something you know). Add a token that you possess, or a fingerprint reader (something you are). Another common method is a one-time code produced by a hardware token or authenticator app that must be entered alongside the password.

16. Be discreet when using social media. Cyber criminals prowl sites of this type for scraps of information that can be used in attacks against you. Companies should have social media procedures that follow official policies.

17.  Provide awareness training for your employees, if you are the manager or owner of a business.

Business owners, managers and other leaders must visibly demonstrate a concern for information security. Employees and others follow the information security tone set by their leaders. However, the leader must make a concerted effort to explain each person's responsibility for maintaining the confidentiality, integrity and availability of digital assets.

18. Do you have a back-up of your critical data? Maintaining back-ups of your mission-critical information is necessary because it is only a question of "when" you are going to lose data rather than "if". Keep at least one copy offline or off-site, and periodically test that you can actually restore from it.

19.  Are you, if you are an employer, in compliance with all relevant privacy laws and regulations?

You must be aware of information security laws (e.g. Florida Statute 501.171, HIPAA, Safe Harbor, etc.). You could suffer real financial losses, as well as lose customers, if you are out of compliance with any of the applicable laws, rules and protocols. Computer owners and operators need to be aware.

20. Are you following a multi-layered approach to information security (e.g. combination locks, photo IDs, etc.)?

Use more than one technique or level of authentication for your information systems (e.g. photo IDs, multi-factor log-ins, etc.). Computer hardware has advanced so far that "cracking" passwords is a much easier task than it used to be. Multiple factors should be used.

21.  Do you have a plan to destroy information (software, hardware, paper copies, etc.)?

All organizations and individuals need a plan for destroying confidential information, and the destruction must be carried out in a pre-determined manner. There needs to be a policy that is approved by management and consistent with the law. Note that simply deleting a file or reformatting a drive does not remove the data; storage media must be securely wiped or physically destroyed.

22. Have you conducted a threat analysis?

Threats may be people, Acts of God, software, hardware or any other circumstance that puts your information system at risk.  A threat could be an employee, vendor, the weather or an electrical surge.

23. Have you conducted a vulnerability analysis?

You need to pay as much attention to your vulnerabilities as malicious users and crackers do when studying how to intrude upon your information assets. Mitigate any vulnerabilities that you discover. Make studying the weaknesses and openings in your information system routine and official.

24. Develop and implement an official information security plan, and educate your employees and/or family members.

Having a plan that provides for the protection of your digital processing infrastructure is essential. Otherwise you and others working within the system are without a sense of direction or purpose when it comes to protecting the confidentiality, integrity and availability of information.