Ten Common Sense Steps

From William Paterson University - Information Technology's Wiki
Jump to navigation Jump to search

 

Updating your Operating System

Most desktop security incidents are centered around flaws in the operating system. As these flaws are discovered, vendors release patches to cover these security holes: by updating your operating system you ensure it has all the latest patches.

Updating your OS is perhaps the most critical and simplest of all the methods for securing your computer. Nearly all modern operating systems have some easy method to make sure you have the latest version of all of your operating system software.

For instructions on updating your computer, follow the appropriate link below:


Updating Windows



Microsoft Windows is both the most popular and most compromised operating system available. While an out of the box configuration of Windows is not a secure option, Microsoft regularly releases patches (or collections of patches called "Service Packs") that address these issues, usually before they become a problem. There are several ways to update Windows, the two most common of which are discussed in this article.

Windows Update - details

Automatic Updates with Win XP Service Pack 2 systems (New Way)

  1. Click on "Start" → "Control Panel" → "Security Center" icon
  2. Select "Automatic Updates"
  3. Select Automatic updates and select a time that your computer is normally on at.


Windows Update Website

Windows can be updated through the web via http://windowsupdate.microsoft.com (Internet Explorer only). You can either go their by entering the URL listed above into your web browser or clicking on the "Windows Update" shortcut from your Start Menu.

  • Update-windows-1-600px.png


Once you are at the site, click on Scan for updates to get started. You may be prompted to install Microsoft software before scanning starts; to continue, install the software.

Once your operating system has been scanned (this can take a few minutes), you will be presented with a list of available updates. If you've never patched Windows, the list may be quite long; start by installing the latest service pack for your operating system (it will be under Critical Updates). The service pack will download (depending on your connection speed, this may take a long time) then extract itself and start to install. When it's finished, you will be asked to reboot.

Once you've installed the latest service pack, install all other critical updates. You will probably be asked to reboot your system several more times during this process (depending on the particulars of the updates you need to install).

You may also wish to install additional updates from your specific Windows version section. However these patches are not for everyone: be sure to read the description carefully before installing them. Similarly, updated device drivers can be downloaded from Driver Updates- make sure you've read the description carefully downloading and installing those updates to your system.


Automatic Updates with BITS (Old Way)

To simplify the process of updating your operating system, Windows 2000 and XP also have automatic updating services that can check for updates on a regular basis and install them if any are found. You must have administrative control of your computer to enable the appropriate settings.

To enable the automatic updates service with BITS, you need to enable two services. Get started in Windows XP by going to Start → Control Panel → Administrative Tools → Services; for 2000, go to Start → Settings → Control Panel → Administrative Tools → Services. From the services control panel, double-click Automatic Updates and change its Startup Type to Automatic. Finally, hit OK. Do the same for Background Intelligent Transfer Service (BITS).

  • Update-windows-2-600px.png

When you are finished, simply close the services control panel and reboot. Once you log back into your computer (after reboot), and connect to the network, Windows will prompt you to configure Automatic Updates. Read the options and choose the one most appropriate for your situation (generically we recommend you allow it to automatically update and install patches).

If you aren't prompted with pop-up notification, you can manually access it through Start → Control Panel → System → Automatic Updates (XP) or Start → Settings → Control Panel → Automatic Updates (2000).


Updating Macs


Like all software products, bugs are found in Mac OS X after it is released. Although OS X is a very secure operating system, not patching the system means your computer is vulnerable to compromise from a less than well intentioned individual. To counter this, Apple has built automatic updating into the OS.

Mac Update - details

By default, OS X checks once a week to see if there are any patches for its software. If there are, you will automatically be prompted to install those updates. You may wish to increase the frequency of those checks, however, or check for update manually.

To access the Software Update control panel, go to Apple → System Preferences → Software Update. Increase the update frequency by clicking on the first drop-down menu and selecting daily. Manually check for software updates by clicking Check Now.

Once you are finished, simply click the red X in the upper left-hand corner to save any changes.


Updating Linux


Most desktop security incidents are centered around flaws in the operating system. As these flaws are discovered, vendors release patches to cover these security holes - by updating your operating system you ensure it has all the latest patches. While nearly all Unix/Linux OSes have some easy mechanism for doing this, so mechanism varies from distribution to distribution.

Linux Update - details

The most reliable method for ensuring you are running the latest version of networked clients is simply to subscribe to announce-lists for the programs and recompile or patch to the latest version when one is released. The number of lists you would be subscribed to can be significantly reduced by simply reducing the number of running services to a minimum (and installing/configuring a firewall). At a minimum, you should watch for updates to the kernel, inetd, or distribution specific services.

For Linux systems, your distribution may have a command-line or even graphic software update tool (for example, up2date for Red Hat, apt-get for Debian, swaret for Slackware, or autoupdate for other RPM-based distributions). If nothing else, the makers of your distribution will keep a mailing list for notifying users of updates to the distribution. Check at your distribution's website for more specifics.

For SunOS and Solaris systems, the patches are available at http://sunsolve.sun.com. We recommend you install the "Recommended and Security Bug Patches."

For any other Unix systems, contact your operating system vendor for information.



 

Use Your Computers Firewall

Firewalls are generally used to prevent unwanted network traffic from the outside world (such as someone trying to find a security vulnerability in your computer); additionally, they may be used to limit the scope of communications allowed outgoing from your computer. Running firewall software is a critical component of keeping your computer secure.


Windows - documentation on the Windows XP built in firewall.


Note: Requires to have at least service pack 2 installed. Refer to Windows Update info page for information to make sure your current system is up to date.

  1. Click on "Start" → "Control Panel" → "Security Center"
  2. Select "Windows Firewall"
  3. Select "On Recommend"

Running a firewall is part of safe computing's best practices and is highly recommended for any computer, but especially for computers running the Windows operating system.


Macintosh - introduction to Mac OS X's built in firewall.


A firewall is a device, generally a software program for desktop computers, that monitors and controls network traffic. The Mac OS X operating has an easy to use, secure firewall built right into the operating system.

To enable the firewall, simply go to Apple → System Preferences → Sharing → Firewall. To enable the firewall, simply click Start.

  • Firewall-mac-465px.png

To allow your computer to act as a server for a particular service, simply make a check next that service in the list. Please note: client access is not affected by the firewall. So, for example, to make an outgoing SSH connection, you do not need to enable SSH in the firewall. You'd only need to enable SSH if you are running an SSH server (allowing remote access from other computers).


Unix/Linux - information about firewall solutions.


Generally most Unix/Linux systems use firewalls built into the operating system kernel. Normally they are configured from startup scripts; often basic scripts are included by your distributions vendor. Check your documentation for more information or take a look around your rc directory.

Often it is easiest simply to modify the existing scripts to your preferences. You can also create your own startup script, which is called either from a rc.local script or through inetd.

Linux Distributions - details

The Linux kernel includes netfilter, which handles filters all traffic coming into and leaving the operating system kernel. There are a number of features of netfilter, but for firewall-type configuration, you'll use iptables. Netfilter/iptables is included in kernels 2.4 and later; version 2.2 of the kernel included a similar system called ipchains, version 2.0 and earlier used a ported version of the BSD ipfw system (below) relying on the ipfwadm interface.

Netfilter/iptables is backwards compatible with the syntax of both the ipchains and ipfwadm allowing scripts written using those commands to be used with minimal adjustments.

For more information on netfilter and the iptables firewall, see:

Netfilter Homepage - website (with docs) for netfilter and its usage.


Learning Curve

Unlike most Windows and Mac firewalls, which emphasize using a GUI front end as well as interactive popups to configure your firewall, most Unix firewalls are designed for those who already know precisely what their firewall should do. Correspondingly, configuring the firewalls usually follow a very terse command syntax.

For example, the following command tells the Linux iptables firewall to block pings from outside the University campus (the backslash simply tells the shell not to interpret the newline and is not necessary for a script): iptables -A INPUT -p icmp --icmp-type echo-request / -i eth0 -s !128.135.0.0/16 -j DROP Script to ease the learning curve

This script creates the long iptables -A INPUT -p icmp --icmp-type echo-request commands for you. So all you have to do is tell it what ports you would like open. Visit the link below for more information about the firewall script.

Shorewall firewall script - website (with docs)


OpenBSD

OpenBSD systems rely on pf, a packet filter built into the operating system kernel. Like netfilter, pf is a general purpose packet filter that can be configured for network address translation, packet redirection, and firewall rules.

OpenBSD PF FAQ - a general introduction to pf on OpenBSD systems.


Other BSD Based Unix

Other BSD based systems (such as FreeBSD and Mac OS X) use ipfw and dummynet to control network traffic and filtering. This system allows for many of the same systems as Linux's netfilter/iptables and is configured either through the command line or by startup scripts.

For more information on ipfw, try the man pages (by typing man ipfw) or visit the FreeBSD project's tutorial on the subject:

FreeBSD Handbook: Security and Firewalls - an introduction to ipfw from the FreeBSD administrators handbook.


Other Unix

Most other Unix systems do not come with firewalls already compiled into the kernel. You can easily install a full-featured firewall, however, and we recommend you do. Check with your distributions vendor for their recommended solutions; generically we recommend IP Filter (ipf).

IPF How-To - the how-to guide for ipf

Please note: A firewall is just one part of a layered approach to system security. It is totally meaningless if, for example, you don't update the software that is allowed network access.


Firewalls are a new topic for most users; unfortunately, running them successfully often demands a basic understanding of how information is moved from one computer to another.

 

Install and Update Antivirus Software

Viruses are the most well known of several categories of maliciously targeted programs (generically called malware); most malware programs install themselves through vulnerabilities in the operating system, software, or through plain old social engineering. Characteristically, once installed they will deliver some sort of a payload (from simply spreading itself again to installing a keylogger to track everything you type) and attempt to spread itself further. While the specific patterns of malware programs vary significantly, the need for a good antivirus program to watch for that is constant.

IT utilizes Symantec Endpoint Protection for Windows and Mac OS X.


Antivirus software is only as affective as its latest definitions, the list of viruses the software can detect. Because of the high number of viruses for Windows, most Windows antivirus software has this capability built into the program to automatically update its definitions on a set schedule (preferably once per day). For Mac and Unix/Linux operating systems, this process is usually done manually and once a week is sufficient.

 

Email Safely

Avoid Phishing Scams


A phishing scam is an email fraud in which the perpetrator legitimate-looking emails that appear to come from a well-known and trustworthy website in an attempt to gather personal and financial information from a recipient. There are two types of phishing scams. The first type of scam asks you to respond to an email with your account password or Social Security number in order to prevent immediate closure of your bank account, email account, or other service. If you receive a message that asks you to send in your WPUNJ password, it is a fraudulent email.

The second type of scam asks you to click on a link to a fake site and log in with your password to verify your account. Be advised that IT Services will never request your password, nor will we ask you to change or "validate" your password at a site other than www.wpunj.edu. If you receive a message that asks for your WPU password, it is a fraudulent email. Once you've responded to either of these types of scams, you've placed your personal information in the hands of scammers who can misuse it.

Here are a few simple guidelines to avoid falling into phishing scams. See the Identify Phishing Scams page for a step-by-step guide on how to identify phishing emails, and the Phishing Examples page for real-life phishing examples.

  • Be suspicious of any email with urgent requests for personal information
  • Do not click links in email messages, if you suspect the message might not be authentic or if you don't know the sender.
  • Never share password, personal or financial information over email.
  • Don't trust offers that seem too good to be true.

Email Attachments and Viruses


One of the most common means by which computer viruses and worms spread is through email attachments. When opened, these attachments can give hackers complete control of your machine, or intiate an attack on another machine, or start sending out copies of itself to email addresses it finds on your hard drive - or all of the above. Malevolent software of this type has crippled personal machines, email servers, and networks at the University and everywhere on the Internet multiple times - and will again.

Here're a few simple guidelines to ward off malicious attachments:

  • Don't open unexpected attachments.
  • Don't open attachments from strangers.
  • Don't open unusual attachments.
  • Don't open attachments from strange-looking messages.


 

Safeguard Your Personal Information

Practice Safe Social Networking


Blogs and social networking can be fun to use and they can be helpful in staying in touch with friends or forging professional relationships. But posting personal information on your webpage can lead to unwanted attention. The lack of physical interaction provides a false sense of anonymity and security. It is easy to forget that more than just your friends and family can gain access to your site and view your information. When you post personal information in a social network site (such as Facebook or MySpace), you significantly increase the odds of people outside of your intended audience viewing your profile. Posting inappropriate material can lead to problems ranging from earning strikes against you from a potential employer to much more serious encounters with predators and criminals.

Think twice before posting:

  • Personal information (things like your phone number, email address, home address, name and age).
  • Photos or descriptions of illegal activities (advertising a party where underage drinking will be present, photos of yourself or others using illegal drugs)
  • Material that might be considered pornographic (especially photos of children-even if you consider the photos perfectly harmless, nude photos of children under 18 could be considered child pornography)
  • Any postings you might consider to be a joke can be taken seriously by a potential employer. Remember, the web can make a strong first impression.
  • If others post inappropriate material of you on their site, such as Facebook, and tag you, remember to untag any unwanted material.


Secure your personal information

  • Always use the strongest privacy account settings.
  • Make your profile viewable to friends only, and not to everyone in your network.
  • Use Google to search your name. The results are what potential employers will see, as well as anyone else on the internet if they Google you. Make sure there is nothing online that you don't want others to see.

Specific Steps to Social Network Safely

  1. Limit your personal information and never post your whereabouts.
  2. Be aware of who can see your pictures and comments.v
  3. Be selective about who you accept as a friend on a social network.
  4. Use caution when you click links that you receive in messages from your friends on your social Web site. Don't trust that a message is really from who it says it's from.
  5. To avoid giving away email addresses of your friends, do not allow social networking services to scan your email address book.
  6. Avoid Online Quizzes
  7. Be careful about installing extras on your site and delete unused widgets.
  8. Choose your social network carefully and only use sites with clearly stated terms of use.


 

Protect Your Passwords

Keeping Your Password Secure

You use passwords to access many services through the University, your online credit card and bank accounts, eCommerce sites like Amazon, and popular social networking sites like Facebook and MySpace. It is important to choose good passwords and make sure no one gets access to your private information. Here are some tips on how to keep your passwords secure.

Maintaining Your First Line of Defense - details


Choose good passwords

Secure passwords have at least 8 digits and are not based on dictionary words. Pick a password using a combination of letters, numbers, and symbols.


Never share your password with anyone!

Don't give out your password to friends or family members, and never give out your password online to others. Email requests for your password and other private information are scams. University administrators and your banking representatives will never request this kind of information through email, fax, or phone.


Don't use the same password for all your accounts

Never use your CNet password for your social networking pages or low-security accounts. You should choose separate, unique passwords for each account or service.


Avoid using non-secure networks

Don't access sensitive information using your CNet password on public networks or public computers (e.g., computers in a hotel lobby, library or Internet cafe). Hackers can more easily access your username, password, and other private information by tracking your keystrokes using remote software.


Change your password after using a non-secure network

You should change your password after using a public or internet cafe network the next time you are at a secure machine.


Change your password after traveling abroad

If you frequently access wireless networks overseas, you should change your password the next time you are at a secure machine.


Change your password once a year

You want to choose a password you can remember, while also making sure to change it periodically. Find a method that works best for you.


Never store your password in a program

Many email programs offer to store your password. This is a bad idea. Many computer viruses and spyware programs can retrieve stored passwords from these accounts.


Never write down your password

Writing down passwords makes it easier for others to access your private accounts and information. Choose a password that you can remember.


Specific Methods for Selecting Good Passwords

  • Use letters from a phrase or song lyric.
  • Combine a few pronounceable "nonsense" words with punctuation.


Handling Large Numbers of Passwords

In the modern Internet environment, people often find that they need to juggle multiple passwords for their email accounts, web sites they visited, and different Internet-based services that they wish to use. While it is impractical to create a completely different password for every web site or account, using the same password in multiple locations is very dangerous: if the password is stolen from any one of the places where it is used, it can be used elsewhere as well.

Here are a few ideas on various ways to handle the increasing number of passwords that seem to be required these days while not making the passwords easy to guess.

  • Consider what the password is protecting when choosing a password. Some services may not require as secure a password if they do not contain any private information.
  • Consider your password as multiple parts: a central core of the password and a prefix and/or suffix which is specific to the service that is being protected.
  • The passwords protecting your most sensitive information should always be different than other passwords.


 

Remember to Log Out of Web Applications

Browser Security

This seems obvious, but many people forget: If you're using a web browser (e.g., Internet Explorer, Firefox, or Safari) on a publicly accessible computer (e.g., one in a Lab, the Library, or an Internet cafe), someone else is going to be using that same browser not long after you walk away. If you've left that browser running, and especially if you've left yourself logged in to your email account or any other account, then whoever sits down next will have full access to that account -- including any personal information and the ability to send email as you.

So before you walk away, you should always explicitly log out of any account you've logged into. Then (to be on the safe side) explicitly exit out of the web browser (using the "Quit" or "Exit" option, not just closing the window). If you're extra-paranoid, tell the browser to clear cached or temporary files and cookies before you exit out.

 

Be Careful When Using Wireless Networks

Using Wireless Networks: Safety Tips

Wireless networks are convenient, but they are also inherently insecure. Therefore, it is your responsibility as a user to exercise caution when connecting wirelessly. Firstly, before using any wireless network, be sure that your operating system patches and firewall software are up-to-date. Disabling file and printer sharing while you are using a wireless connection will also decrease the vulnerability of your machine. For maximum security, never join an untrusted wireless network.

What Is An Untrusted Network? - details


Before logging on to a wireless network, ask yourself these questions:

  • Do I personally know and trust the owner of this network?
  • Is this network restricted in some way so that anyone using it can be identified and/or removed if they do something illicit?

If the answer to either of those questions is "No," you are about to use an untrusted network. To use an untrusted network to bank, buy or send private information is the equivalent of standing in the middle of a public space and loudly reciting your account number, credit card number or other personal information into a cell phone: It's possible that nobody will steal your information, but why take that risk? What Can I Do To Ensure Security?

The safest way to use the internet is to connect via a secure wire and use secure websites. However, if you want to use a wireless network you can follow the steps outlined below to maximize your computer's security.

  1. Do not connect when using a wireless network other than the University's wireless service via University Clean Access authentication system.
  2. Never save passwords in your browser.
  3. Wireless networks are extremely vulnerable to "sniffing," which is to say it's possible for someone to attach themselves to a wireless network and record all traffic that's going by without even logging on to the network in question (this is also a concern with wired connections, but it's worse with wireless). Accordingly, whether you are using a trusted or untrusted wireless network, you should always check the URL of any website you visit that involves personal information (banking sites, email, etc).
  4. If the URL begins with http://, the connection is not encrypted and is easy to sniff.
  5. If the URL begins with https://, the connection is encrypted and, while it can be sniffed, it's much harder to sniff anything useful out of it.
  6. Look for the lock icon in the bottom status bar or the URL field of your browser if you are unsure if the connection is encrypted. By clicking or double-clicking on the lock icon, you should see a window detailing the type of encryption used by the site.

 

Data Security

What is sensitive information?

Stolen information can result in identity theft and compromise. Unprotected information can be stolen from anywhere. It can be taken when you least expect it. Sensitive information is not limited to social security or credit card numbers. It also includes:

  • Student information and grades
  • Human resource data
  • Financial data
  • Private research data
  • Other types of personal information


What can you do to keep information safe - details

Make sure you are following safe computing guidelines as listed throughout this site. Here are a few additional things you can do to keep sensitive information secure.
  1. Avoid Accidental Exposure
    • Do not keep unnecessary records: Always know what personal information is required to complete any transaction.
    • Never ask for or supply more than is necessary.
    • Close sensitive documents and applications and lock your workstation screen when you leave, no matter how briefly.
    • Do not write down password or other sensitive information and leave them on your desk.
    • Put away and secure all documents with sensitive information immediately.
    • Do not take the easy way out: Never bypass security protocols for an easier way or an old habit. Future consequences can far outweigh the few seconds you may save.
    • Avoid Improper handling: Everyone capable of accessing sensitive information should be made aware of its importance and be trained in handling it.v
    • Avoid Forgetfulness: Be aware of the location of any sensitive information at all times. See Identity Finder below for help with finding sensitive information on your computer.v
  2. Encrypt high risk files
    • When storing or sharing a high risk file, you should first encrypt the file so that you don't disclose private information in ways that may harm yourself or someone else.
    • Faculty and Staff: see below for tools to help you locate sensitive information on your computer
  3. Share a high risk file safely
    • Read our Keeping High Risk Files Safe tipsheet for proper procedures.
  4. Avoid theft and misuse of laptop and other portable devices (CD, flash drives, cell phone)
    • Password protect your laptop to discourage theft, and consider investing in one of the many physical laptop locks on the market.
    • Keep your laptop yours. Only loan your laptop to those you trust; whatever spyware, viruses or illegal content that end up on your laptop will be yours to deal with.
    • Wipe your hard drive before recycling or disposing of an old computer. Students, faculty, and staff may have a hard drive wiped by contacting the Help Desk. Someone will reply with a date, time, and location for you to drop off your hard-drive. You may not drop off the entire computer.

You might also consider using free disk-wiping software such as Darik's Boot and Nuke or Active@ Kill Disk. These are both available from download.com.


University efforts to secure information

IT Services and William Paterson University are taking significant steps to protect the security of your personal information, most notably your Social Security number, against the possibility of unauthorized access that could result in identity theft or other misuse of that information. The University is implementing several short-term and long-term plans for greater security of University members' SSNs, including the creation of a new "WPUID", a number that will be included on student and employee WPU Cards and that will serve as the primary University identifier. Additionally, IT Services and the University are taking steps to ensure that individual departments within the University adopt procedures that more tightly secure sensitive information.

 

Think Before You Share

Think before you share: Do not share copyrighted material.

Read the IT Services File Sharing Policy and find out how to disable file sharing on the most common peer-to-peer clients.


Disabling Peer-to-Peer File Sharing

Any sharing of copyrighted materials on the University network is a violation of the University's IT Appropriate Use Policy, and may lead to disciplinary proceedings and, in some cases, legal action. Inform yourself of the IT Services File Sharing Policy.


EDUCAUSE hosts this page of links to legal sources of online content.




Network Services