HIPS Series > Protecting Your Computer

How to take this course

Learning to protect the personal computers you use for work is a critical part of that training.  Computers can contain very sensitive data -- sometimes very large quantities of it.  It's bad enough when a paper file is compromised.  A compromised computer can risk hundreds or thousands of times as much information.  That's potentially a security disaster.

Fortunately, some relatively simple steps can dramatically reduce vulnerabilities.  Even if you don't consider yourself a "techie," most of these measures are well within your capabilities.

First, the bad news:  An army of crackers, hackers and other malefactors is eager to make your computing life miserable.  Risks include:

• an email inbox flooded with spam, spoofs, phishes and hoaxes;
   
• sensitive data extracted by spyware and other malicious snoop-ware;
   
• corrupted, erased or stolen computer data due to malicious software (malware) attacks;
   
• hijacking of your computer as a vector for "zombie" attacks against others.

Malicious humans are not the only source of risk.  Technical problems, accidents and environmental assaults can also compromise your computer and all the data on it.

Now the good news.  The security steps discussed in this course can substantially reduce the risks to your computer and your data, as well as the risks to others. 

It is usually much less costly to prevent a security problem than to recover from one -- in both time and money.  And, if something bad does happen despite your best efforts, some of these steps will substantially reduce the time and monetary costs of recovering. 

There are no guarantees.  On the world's physical highways, fastening seatbelts and practicing defensive driving doesn't assure safety.  On the information highway, it is the same.  Caution and good practices can only tilt the odds in your favor.

If your interactions with computers are confined to an office, you may be able to rely on security measures taken by your organization's information technology (IT) staff. 

Before taking any actions on your own with an office computer, ask your IT staff about what they recommend.  Otherwise you may do things that aren't needed, or that are actually counter-productive.

If you have a computer of your own, at home or elsewhere outside the office, you will probably have do-it-yourself responsibilities.  Even then, you may be able to rely on advice from your organization's IT staff about outside-the-office security practices.  Many organizations provide security support for outside-the-office computer use by workers.  Ask your IT staff about what's available.

Whether you're worried about a single computer or a network of thousands, security begins with asking what you want to protect and why.

Usually it is important to protect the computer equipment itself -- because it would be time-consuming, disruptive or expensive to replace it.  For that, it's crucial to secure the physical environment in which the computer is located.

Usually it is even more important to protect what's on the computer -- the data itself -- to assure your own access and that of other legitimate users, and to prevent "leaks" of sensitive information to persons who shouldn't have access.  

It can be very time-consuming, disruptive and expensive to replace lost or corrupted data.  It can be costly in terms of legal fees, fines and bad publicity to have a leak. 

A secure physical environment is also important for protecting data.  So are a range of "technical" protections, which we will describe in this course.

There are many "electronic" ways of attacking a computer connected to the Internet.  However, it's even simpler for an attacker if they can gain physical access to your equipment -- and then access your data, or simply carry the computer away.  Does your environment prevent that?

Offices can be relatively secure places, given locks, guards, alarms and the like.  But an office with many outsiders around can still be risky.  Office computers should be kept in secure, non-public locations whenever possible.  Computers that must be in public areas should be positioned so that they cannot easily be seen or accessed by non-staff. 

Outside the office, physical security for computers should be the same as for any other valuable possession.  If you keep sensitive personal information on your own computer it may be among your most valuable assets, at least as measured by the risks it presents.

We want you to worry about, and take basic steps to prevent, threats from malicious humans.  But you should also keep in mind the other, much more common threats: equipment damage and data losses due to technical malfunctions, accidents and environmental insults.

Careful behavior can prevent or reduce the likelihood of some of these, but you may still want to consider special property insurance for an expensive computer. 

The only true insurance for your data is making frequent backup copies.  Office systems usually have provisions for automatic backups in place, but you need to learn exactly how yours works so you'll know how protected you are.  Outside the office, backups usually only get made if you do them yourself.

We can't stress enough how important it is to have backup copies of hard-to-replace information.  (Here's a thought experiment to test your current level of protection:  What would it take to restore the data on your computer if its hard drive were to fail catastrophically while you are reading this sentence.)

Whatever backup option you choose, be sure to keep those copies in a secure place.  Ideally, it should be a secure place far from where your computer is kept -- so a single catastrophe doesn't destroy everything.  But wherever it is, backups containing sensitive information should be protected as carefully as you protect the computer they came from. 

While we're on the subject, the same goes for all the other copies of sensitive information -- such as printouts you've made, faxes you've sent or received, and so on.

If you've used a shared computer system, you know that almost all of them require login passwords.  You may not know that personal computers come out of the box with the option of having a login password.  Many add-ons like removable storage devices have the capability of adding password protections.  Many types of software can use access passwords as well.

You should at least enable a login password and a password-protected screensaver for your computer.  (Tokens and biometric authenticators can be even better.) 

When available, you should also use passwords for software and Web sites that access sensitive data.  These are a critical protection against intruders who manage to get physical access to your computer.  While they can be defeated by a determined, knowledgeable attacker, they will protect against lesser threats.

When you use passwords for login, access to software and for Web sites, take the time to pick good passwords.  Be sure to protect them appropriately too. 

It can be dangerous to keep passwords in a text file on your computer, however well hidden you think that is.  Consider using password manager software or password manager hardware.  Avoid writing down your passwords; but if you do, be sure to keep that critical piece of paper hidden in a safe place.

While we’re on the subject, it's generally a bad idea to use the "remember my password" option for web sites you visit.  If access to your computer is compromised, you'll potentially be compromising access to all these login-protected web pages.

For more tips, see the Picking and Protecting Passwords course.

11. Technical protections

If physical access to your computer were the only issue, we could end the course here.  A secure physical environment and access protections like login/screensaver passwords would generally be enough.

Unfortunately, almost everyone who has a computer now uses it at least in part to connect to the global Internet -- in order to send and receive electronic mail, exchange data files and software, access information on the World Wide Web, or connect to office networks from remote locations.

Why is that "unfortunate"?  Because a link to the Internet also can leave open many backdoor means of access.  Fortunately, there are a range of technical protections available to counter this kind of attack, which we will now discuss.

Of all the technical security tasks, one of the most critical is keeping your computer's operating system (OS) up to date.  That's true whether you use Windows or some other type of OS.

New versions and patches that cure old flaws are continually being issued for every operating system.  Failure to apply such OS patches promptly leaves your computer extremely vulnerable to attack.

Fortunately, all operating system vendors offer some kind of mechanism for updating via the Internet.  It is relatively easy -- and in most cases it can be fully automatic once configured.

In many workplaces, your IT staff will have put automatic updating measures in place.  (As always, you should check with them to see what protections are in place.)  For your personal system outside the office, automatic updating usually won't happen without at least some initial action from you. 

Software updating work does not end with the operating system.  It is also important to keep the rest of your software current.  For example, Microsoft Office products like Word have vulnerabilities that are independent of Windows.

Here's the rule: You should assume that every piece of software you use presents some risk if not kept current.  

Updating is particularly critical for antivirus, anti-spyware and firewall products, which must be kept current to be effective at all.  (More about those in the sections following.)

Alas, not all software vendors offer automatic updating, so keeping current may require periodic visits to Web sites for downloads.   The good news is that more and more vendors are moving to automatic methods. 

All personal computers should have antivirus software installed -- even if your office network or ISP also has a virus-checking capability.  Free or low-cost versions are available.

Antivirus software is essentially useless unless it is kept current with frequent virus "signature" updates.  (Signatures are the digital patterns that allow a particular virus to be recognized.)  We strongly recommend that you set your antivirus software to do this automatically.

Antivirus software must also be correctly configured to be effective.  It should be set to scan automatically all new files, such as those arriving in email or via portable storage like a CD.  You should also configure it to periodically scan all existing files, in case any malicious software arrivals were missed initially.

It's also a good idea for personal computers to make use of software that detects spyware and adware.  Antivirus software can detect some kinds of spyware and adware, but cannot usually be relied upon to identify all of it. 

If you do a lot of Web surfing, and particularly if you do a lot of downloading from freeware or peer-to-peer sites, you are at high risk for spyware. 

Anti-spyware programs for Windows PCs are available free on the Internet.  As with antivirus software, installation alone is not enough.  You have to run them periodically to check for new infestations.  You also must keep them current with new spyware signature files. 

Some utilities will do these things automatically.  For others, you'll have to remember to do it as part of your security housekeeping.

If you are using a computer on an workplace network, it is almost certainly protected by a firewall and other intrusion detection/prevention measures.

If you are using a computer elsewhere, particularly over an "always on" broadband connection outside the office, you will probably need to add firewall protection for yourself.

Hardware firewalls now come built in to many small routers, and can protect every attached computer.  Alternatively, software firewalls can be installed on any computer (but only protect that particular computer).

Windows XP has a built-in firewall that you should activate, but also consider an added software firewall for full protection.  For Apple systems and older versions of Windows, add-ons are your only option.  (As with antivirus, free or low-cost firewalls are available.)

Not long ago, connecting a computer to a local network or to the Internet required wires, as did connecting devices like printers to the computer itself.  Today computers can connect to networks and to other devices wirelessly. 

On workplace networks, you can usually rely on local IT staff to secure these wireless links.  Outside the office you need to take steps to secure your Wi-Fi (802.11) and Bluetooth wireless connections.

Computers accessing sensitive data may also need to use available capabilities for secure end-to-end communications via a "virtual private network" (VPN).  VPNs use encryption technology to create a secure private communications channel on public networks like the Internet.

Ask you organization's IT staff about what is appropriate given your computing practices.

In addition to communications security, you can also use encryption for protection of individual files and directories.  If the capability is not built in to your computer's operating system, or other software you already have, it can be added via a range of products.

Encryption can add a virtually impenetrable level of security for data, but at the price of a degree of inconvenience.  Some encryption systems are unlocked with a password for the protected files or directories (which you must then remember).  Other systems require use of a physical device, such as a USB key, in conjunction with a simple PIN number. 

Whether the extra inconvenience of encryption is "worth it" depends on the sensitivity of the data and the security of your computer otherwise.  Your organization probably has policies about when encryption is required.  Find out what those are.

Be conservative about "lending" your computer for others' use.  You can expose sensitive data to snooping, unless you've been very careful with your password protections.  (This is another reason you should refuse the "remember my password" offer from Web sites.)

Be careful about relying on others' computers yourself.  You can leave sensitive information behind when you access the Internet, email or other applications.  If a computer is infected with a key logger or other form of spyware, you can leave a lot of information behind. 

Ideally, you should only use a system you trust -- where you're reasonably sure that appropriate security steps have been taken.  Failing that, personal server devices (built into USB keys) are available for added security.

Sooner or later every device reaches the end of its productive life.  When you no longer need a computer, it is critical that you take steps to clean it of any sensitive information.

Paper can be shredded.  So can optical media like CDs and DVDs (though it may take a powerful shredder).  Hard drives inside computers must be systematically over-written or physically destroyed.  Floppies and magnetic tapes require the same.  Solid-state (flash) memories must also be over-written or physically destroyed. 

If you dont understand the secure disposal specifics for your computer and other hardware, find someone who does.  Don't ever just throw a device in the trash!  That's one of the most common ways that sensitive information is exposed.

Do you really need to do all the things we've discussed?  Maybe yes, maybe no.  You must assess your own vulnerabilities, given how and where you use your computer, and the sensitivity of what you keep on it.   If you're not sure, ask someone with the requisite expertise.

A secure physical environment is important for every computer user.  Adding a login/screen-saver password is also a task for everyone. 

If your computer is in an office, you can probably count on your local IT staff to attend to software updates and installation of protections like antivirus and firewalls. 

Outside the office, particularly for a computer attached to the Internet via an always-on broadband connection, you usually must attend to those technical protections yourself.

Don't be intimidated.  The rules for computer safety are not that difficult, and are well worth your attention.

(1) Maintain a secure physical space for your computer. It's always the first line of defense.

(2) Set login and screen-saver passwords (and use biometrics or access tokens if available).

(3) Keep up with patches for the operating system, as well as upgrades to whatever browser, email and other applications software you use. 

(4) Anti-virus, anti-spyware and (outside an office network) firewall protections need to be installed, correctly configured and kept up to date.

(5) If you use a wireless communications, enable its security features.  Consider whether you need secure end-to-end communications for some applications.

•  •  •  •  •

Help us make this course better -- take the online course evaluation. The quiz for this course is here.

•  •  •  •  •