General Security Best Practices

Transcription

1 General Security Best Practices 1. One of the strongest physical security measures for a computer or server is a locked door. 2. Whenever you step away from your workstation, get into the habit of locking it. Usually this can be done by using the keyboard Windows and letter L keys at the same time or pressing Ctrl + Alt + Delete and selecting the lock option. 3. When not in use, set your computer to lock automatically. Require a password to unlock. 4. Always make sure your antivirus program is up-to-date and running. This program needs to be on at all times. 5. Do not install programs onto your computers without permission from your IT administrator. Installation of unauthorized programs may result in loss of data, financial loss, and disruption to the network. 6. Be suspicious of untrusted removable media (e.g., USB drives, etc.). Viruses may attempt to copy themselves onto the media thereby affecting other devices to which you attach the drive. 7. Social Engineers may call to ask what your or someone else s password or user credentials are. They might impersonate someone high-up in the company or threaten some form of negative action against you. Never share your network credentials with anyone. 8. Encryption for computer devices can be an effective method for protecting sensitive data. Ask your IT administrator how best to utilize encryption methods. 9. Always wipe or destroy old storage media that is no longer needed or prior to being recycled. 10. Report anything suspicious to your supervisor.

2 Password Security Best Practices 1. Never tell your password to anyone. 2. Do not post your passwords on your displays, leave it under your keyboard, or store it anywhere around your computer. 3. Don t store a digital list of passwords in an unencrypted file labeled Passwords on your computer. 4. Passwords should not contain birth dates, employee names or initials, the organization s name, or any part of the user ID. 5. Passwords should be at least 8 characters long and complex (a combination of capital and lowercase letters, and at least one number or symbol). 6. Passphrases are like passwords, but longer and much more difficult to crack. Passphrases involve the use of a memorable phrase, rather than simple words. For example, ilikech0c0late!. Avoid common famous quotes or song lyrics. 7. Passwords cannot be reused and should be changed at least every 90 days. 8. Passwords should be changed immediately when first assigned by your IT Administrator or if it s ever shared with anyone. 9. s that come from trusted sources will NEVER ask for your password.

3 Security Best Practices 1. Do not click on links within s that you weren t expecting. These links may result in installation of malicious software. 2. Open only attachments you are expecting and that are from a trusted sender. 3. Do not respond to spam or otherwise suspicious . This merely confirms your address to cybercriminals, who will then target you for even more spam and viruses. 4. Use the Unsubscribe link at the bottom of legitimate to remove yourself from a mailing list. Do not click the Unsubscribe link of a suspicious . Then you are unintentionally confirming that your account is active to cybercriminals. 5. Immediately delete suspicious s, or mark them as spam/junk, in order to keep the risk of computer infection to a minimum. 6. Reduce the amount of junk you receive by being cautious and selective where you share, post, or submit your address. 7. Use a spam and malware filter for Never send personal, confidential, classified, or otherwise sensitive information via unencrypted .

4 Secure Web-Browsing Best Practices 1. Click with caution: The Internet is full of potentially harmful websites and programs. Avoid them by not clicking any link that you don t know where it will take you. Many websites can put you at risk by installing unwanted software without your permission. 2. Do not install toolbars or untrusted add-ons for your web browser. Often times these collect data, log passwords, and gather other sensitive identification. 3. Do not click on links or popups telling you your computer is infected, or that you owe the government money. You may owe the government money, but they re not informing you via unsolicited web pop-ups. 4. Malware may come as part of a free deal offer. Do not accept free deals over the Internet. 5. When visiting a website, type the address directly into the browser rather than following a link. 6. When available, use HTTPS rather than HTTP in URLs (i.e., web addresses). 7. If you receive notification of an invalid SSL certificate while browsing a web page whether via a red bar in the browser s address field or via a pop-up window leave the page without submitting any personal information. Your privacy cannot be assured. 8. Keep your operating system, web browser, and other Internet applications (e.g., Java, Flash, etc.) patched and up-to-date. 9. Read website privacy policies. 10. Avoid transacting private business over public WiFi. 11. Only provide personal or sensitive information on sites that have HTTPS at the beginning of the web address.

5 Social Media Security Best Practices 1. Consider strongly how much personal information you provide on social networking sites. The more information you post, the easier it may be for a cybercriminal to use that information to steal your identity, access your data, or commit other crimes (e.g., stalking). 2. Protect your reputation on social networks. What you post online stays online. 3. Be selective about who you accept to become your friend. Once you have accepted someone as your friend, they will have access to any information (including photographs) you have marked as viewable by your friends. 4. Read website privacy policies and understand how your personal data may be used without requiring your explicit permission. 5. Learn about and use the privacy and security settings on your social networking sites. You control who sees what you post as well as manage your online experience. 6. Refrain from posting about your out-of-town vacation on social media websites until after your return. Doing otherwise, essentially advertises that your home is unoccupied. 7. Social media website passwords should be at least 8 characters long and complex (a combination of capital and lowercase letters, and at least one number or symbol). 8. When available, use HTTPS rather than HTTP in URLs (i.e., web addresses) to access social media sites. 9. Click with caution: Social media sites are full of potentially harmful links. Avoid them by not clicking any link that you don t know where it will take you. Many links can put you at risk by installing unwanted software without your permission. 10. Be wary of URL shortening (e.g., This is a recipe for criminals to hide their malicious sites using obfuscation.

6 Mobile Device Security Best Practices 1. Set your portable devices (e.g., tablets, phones, etc.) to lock automatically when not in use. Require a password to unlock them using the strongest password supported. 2. Make sure all operating system and application updates and patches are installed. 3. Encryption is an effective method for protecting sensitive data. This feature will turn the data on your phone into garbled text until properly unlocked with a password. 4. Enable a remote wipe feature, if available. This allows you to clear you phone of sensitive data should it be lost or stolen. 5. Disable wireless access (e.g., Bluetooth, WiFi, etc.) when not actively in use to dissuade unauthorized wireless access to the device. 6. Disable the geotagging feature on your phone. Geotagging adds GPS coordinates to your photographs, which creates the potential for stalking. 7. Do not install apps from unofficial app stores. You should only download from trusted app stores, and then only the more popular apps. This minimizes the chance of inadvertently installing malware onto your devices. 8. Regularly backup your mobile devices using a trusted cloud-based backup application. 9. Be wary of conducting sensitive business over public WiFi. 10. Wipe or destroy storage media that is no longer needed or prior to being recycled. 11. Report lost or stolen mobile devices with company data to your supervisor immediately. 12. Jail-breaking or rooting a phone means significantly weakening the security of the device. Much of a phone s security is tied to code-signing and software sandboxing that is undermined by removing the digital-rights management. 13. Antivirus for phones and tablets remains a controversial topic. Based upon the current lack of known mobile device threats, AV is handled on a case-by-case risk-reward basis. 14. Log out of banking and shopping apps/sites when not in use. This will minimize the negative impact of a compromised device. 15. Avoid texting or ing personal information (especially pictures). Once it leaves your device, you lose any control of its distribution.