What is cyber security?
The first (and most obvious) way to protect yourself is to keep the bad guys out. You wouldn’t go out and leave your front door wide open so why do it to your computers? A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Nearly everyone who uses a computer is sitting behind a firewall, whether they know it or not. There are two main classes of firewall:
- A program, usually installed on each computer, designed to intercept, inspect and ultimately allow or prohibit the transmission of data beyond it.
- A purpose-built device, usually (but not exclusively) attached between a network and what lies beyond it (the internet, for example). These devices often offer more granular control, can handle a higher volume of traffic, are more powerful and free up resources on individual computers.
A network may have several firewalls installed at various places within it, each with its own set of rules. For example, there may be a publicly accessible area like a web server where anyone can visit; a user area where only logged on staff can visit; a management area for managers and a top‑secret product development area which is only accessible by the research team.
A firewall is controlled by rules which determine which network traffic is allowed to pass through it and which is not. Close monitoring of both these rules and the firewall logs is essential to ensure that only traffic that is allowed passes through.
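As an added illustration, not part of the original article, the following Python models how an ordered ruleset decides which traffic passes for the segmented network described above. The addresses, ports and rules are constructed; it assumes a default-deny policy with every dropped packet written to a log, since the log is what the text asks you to watch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the packet's source address must fall inside
    dst: str               # CIDR the destination address must fall inside
    dport: Optional[int]   # destination port; None matches any port
    proto: str = "any"     # "tcp", "udp" or "any"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and rule.proto in ("any", pkt.proto))

def evaluate(rules, pkt, log):
    """First matching rule wins; anything no rule allows is dropped (default deny).
    Every drop is appended to `log` so the rules can be checked against what they reject."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            if rule.action == "deny":
                log.append(f"DENY by rule {index}: {pkt}")
            return rule.action
    log.append(f"DENY by default policy: {pkt}")
    return "deny"

# Constructed segments (hypothetical addresses): 10.0.1.0/24 public web servers,
# 10.0.2.0/24 staff, 10.0.3.0/24 research; 203.0.113.0/24 stands in for the internet.
RULES = [
    Rule("allow", "0.0.0.0/0",   "10.0.1.0/24", 443, "tcp"),  # anyone may reach the web server over HTTPS
    Rule("allow", "10.0.2.0/24", "10.0.1.0/24", 22,  "tcp"),  # staff may administer it over SSH
    Rule("allow", "10.0.3.0/24", "10.0.3.0/24", None),        # research systems talk among themselves
    Rule("deny",  "0.0.0.0/0",   "10.0.3.0/24", None),        # nobody else reaches research
]

if __name__ == "__main__":
    dropped = []
    for pkt in [Packet("203.0.113.5", "10.0.1.10", 443, "tcp"),
                Packet("10.0.2.7", "10.0.3.10", 445, "tcp")]:
        print(pkt, "->", evaluate(RULES, pkt, dropped))
    print("\n".join(dropped))
```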
Anti-malware software is software that protects computers from malware such as ransomware, viruses, spyware and worms. It scans the system for any malicious software that has managed to reach the computer. An anti‑malware program is one of the tools that keeps the computer and personal information protected: it is designed to detect and eliminate malware from the computer and to warn the user.
You should monitor your anti‑malware software regularly to ensure it is functioning correctly and always up to date. You should also periodically perform manual scans of your system and, if anything suspicious is found, perform an online scan with a product like Trend Micro’s HouseCall.
Effective backup procedures
You have the tightest firewall rules in the world and your antivirus definitions are right up to date. Staff have been trained on dealing with email attachments and safe browsing procedures. So you are good to go, right? Then you have a catastrophic fire or flood, or you are burgled in the night, and everything is gone. You can replace the computers, but what about the data on them?
That is where having an effective backup and recovery plan comes into its own. It is said that, when talking about security, there are two types of people: those who back up regularly and those who have never lost data through a computer failure, malfunction, robbery, etc.
It is not enough merely to back up; you need to test the disaster recovery procedure to ensure that, if the worst should happen, you can get back up and running in the shortest possible time.
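An added example (not from the original article) of the restore test this paragraph calls for: back up a folder, restore it into a scratch area and compare file hashes, so that a silent gap in the restore is caught before the real disaster. The sample files are constructed stand-ins for business data.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

def sha256_tree(root):
    """Relative path -> SHA-256 of content, for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_trees(expected, actual):
    """List what a restore got wrong: files missing, unexpected or with different content."""
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    problems += [f"content differs: {p}" for p in expected if p in actual and expected[p] != actual[p]]
    return problems

def back_up(source_dir, archive_path):
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname="data")

def restore(archive_path, target_dir):
    # Use the safe 'data' extraction filter where this Python provides it (3.12+ and backports).
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(target_dir, **kwargs)

def drill(source_dir):
    """Restore test: back up, restore into a scratch area, compare against the live data.
    Returns an empty list when the restored copy is complete and byte-for-byte identical."""
    with tempfile.TemporaryDirectory() as scratch:
        archive = os.path.join(scratch, "backup.tar.gz")
        restored = os.path.join(scratch, "restored")
        back_up(source_dir, archive)
        restore(archive, restored)
        return diff_trees(sha256_tree(source_dir), sha256_tree(os.path.join(restored, "data")))

def run_sample_drill():
    """Build constructed sample files (stand-ins for real business data) and run the drill."""
    with tempfile.TemporaryDirectory() as live:
        (Path(live) / "accounts").mkdir()
        (Path(live) / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (Path(live) / "notes.txt").write_text("restore drill sample\n")
        return drill(live)

if __name__ == "__main__":
    print("restore drill problems:", run_sample_drill() or "none")
```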
Effective password procedures
There is little point in implementing all the procedures outlined above if you have little or no password security. If you use “password” or “1234” as your password, it is fairly obvious that it can be guessed easily. The following are general recommendations for creating a Strong Password.
A Strong Password should:
- Be at least 8 characters in length
- Contain both upper and lowercase alphabetic characters (e.g. A‑Z, a‑z)
- Have at least one numerical character (e.g. 0‑9)
- Have at least one special character (e.g. ~!@#$%^&*()_‑+=)
A Strong Password should not:
- Spell a word or series of words that can be found in a standard dictionary
- Spell a word with a number added to the beginning and the end
- Be based on any personal information such as user id, family name, pet, birthday, etc.
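An added example, not from the original article: a Python checker that applies the rules just listed and reports which ones a candidate breaks. The word list is a constructed placeholder for a real dictionary, and the `personal_info` argument is a hypothetical way of passing in the user's own details.

```python
import re

SPECIALS = set("~!@#$%^&*()_-+=")   # the special characters listed in the rules above
# Constructed stand-in for a dictionary; a real check loads a full word list.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "letmein"}

def check_password(pw, personal_info=()):
    """Return the rules the candidate violates (an empty list means it passes all of them).
    `personal_info` holds the user's own details (user id, family name, pet, birthday, ...)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numerical character")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    lowered = pw.lower()
    words = re.findall(r"[a-z]+", lowered)
    # letters and spaces only, and every word is in the dictionary
    if words and re.fullmatch(r"[a-z ]+", lowered) and all(w in DICTIONARY for w in words):
        problems.append("spells dictionary word(s)")
    # a single dictionary word with digits bolted onto the beginning and/or the end
    core = re.fullmatch(r"\d*([a-z]+)\d*", lowered)
    if core and lowered != core.group(1) and core.group(1) in DICTIONARY:
        problems.append("is a dictionary word with numbers added")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems

if __name__ == "__main__":
    for candidate in ["password", "1234", "7Password7", "My p@ssw0rd is $uper $tr0ng!"]:
        print(repr(candidate), "->", check_password(candidate) or "passes")
```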
Some recommendations for maintaining a Strong Password
Do not share your password with anyone for any reason
Passwords should not be shared with anyone. Use delegation of permission options. For example, Microsoft Exchange calendar will allow a user to delegate control of his or her calendar to another user without sharing any passwords. Passwords should not be shared even for the purpose of computer repair. An alternative to doing this is to create a new account with an appropriate level of access for the repair person.
Change all your passwords upon indication of compromise
If you suspect someone has compromised your account, change your passwords immediately. Try to change your passwords from a computer you do not typically use.
Consider using a passphrase instead of a password
A passphrase is a password made up of a sequence of words with numeric and/or symbolic characters inserted throughout. A passphrase could, for example, be a favourite quote or a lyric from a song. Passphrases have added benefits such as being longer and easier to remember. For example, the passphrase “My p@ssw0rd is $uper $tr0ng!” is 28 characters long and includes alphabetic, numeric and special characters. It is also relatively easy to remember.
Do not write your password down or store it in an insecure manner
As a general rule, you should avoid writing down your password. In cases where it is necessary to write down a password, that password should be stored in a secure location and properly destroyed when no longer needed. Using a password manager to store your passwords is not recommended unless the password manager uses strong encryption and requires authentication prior to use.
Avoid reusing a password
When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised, either knowingly or unknowingly, reusing a password could allow that user account to, once again, become compromised. Similarly, if a password was shared for some reason, reusing that password could allow someone unauthorised access to your account.
Avoid using the same password for multiple accounts
While using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect, allowing an attacker to gain unauthorised access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your online bank account or credit card accounts. These passwords should differ from the password you use for Facebook, instant messaging, web‑based email and other web‑based accounts.
Do not use automatic logon functionality
Using automatic logon functionality negates much of the value of using a password. If a malicious user is able to gain physical access to a system that has automatic logon configured, he or she will be able to take control of the system and access potentially sensitive information.