by Sunil Hazari
|Secure Online Behavior: Developing Good Security Habits
by Sunil Hazari
last updated May 28, 2001
The Internet has evolved to be a fundamental business innovation with a clearly demonstrated ability to positively affect organizations as well as individuals. Unfortunately, the Internet was not designed with security in mind - it is inherently insecure. Regardless of how many anti-virus programs, firewalls, and other security programs computer users may use, security continues to be a serious issue. And human error continues to be the weakest link in the security chain.
While human error can never be entirely eliminated, it can certainly be minimized. One of the best things that users can do to protect themselves and their information is to be aware of which behaviors may place them at risk, and to eliminate those behaviors. This article is the first in a series of three that will attempt to introduce readers to good security habits. This installment will offer a brief overview of some of the security threats that prey on bad user habits, and will introduce some fundamental secure habits that should be used for all computer applications. The ensuing articles will offer more in-depth examinations of the threats posed specifically by e-mail and Internet usage, and the habits that users can adopt to minimize the risks posed by these threats.
Today, e-mail makes up most of the traffic on the Internet. E-mail messages convey not only text, but also audio, video, and other executable programs; unfortunately, this means they are also capable of transporting viruses. There are many different ways in which e-mail can be sent or received. Two popular options for using e-mail are (i) client-based, and (ii) web-based e-mail.
Client-based systems, such as Outlook and Eudora, require the user to install software on the computer, and use the e-mail program to go online and connect to a mail server that handles delivery and receipt of users' messages. Advantages of using a client-based e-mail program include: the ability to store mail locally, save on connection charges, and keep attachments on the local computer for easier access. There are also many disadvantages to client-based e-mail. For example, large attachments can tie up system resources while downloading mail from the server. Furthermore, any attachments with downloaded viruses may corrupt the entire system and delete files without users' knowledge.
Web-based programs, such as Hotmail and Yahoo, offer a web interface to send and retrieve mail. In this case, no program needs to be downloaded to the users' machine. Other advantages of this option include the ability to easily access e-mail from anywhere, controls (such as large file limitation) offered by the server itself, and filtering rules (such as automatically deleting spam messages,) which are handled by the system.
However, despite the protections that web-based mail may offer, users are not completely protected against risks such as viruses. They must take steps to protect themselves. In addition to providing software security solutions, such as anti-virus programs, users should also develop secure e-mail habits, such as turning off (or limiting) the ability to accept attachments, setting up filtering rules to block unsolicited messages, scanning all messages for viruses, and if possible, selecting the increased security option when accessing messages from web e-mail clients. Users should also refrain from saving passwords to login automatically if using shared computers. The next article in this series will go into a more detailed examination of e-mail security threats and what behaviours users can adopt to protect themselves against those threats.
World Wide Web
The World Wide Web is currently used for many purposes, from the aforementioned e-mail, to e-commerce shopping, to viewing videos and listening to audio. Recently, through such services as Napster and Gnutella, file sharing has become increasingly popular. Users must keep in mind that the easy accessibility and universality of the World Wide Web comes at a cost. In general, the more accessible and user-friendly computer applications are, the less secure they are. The same is true of the Internet. Among the web-based security issues that this series will attempt to address are: the secure exchange of data, privacy, on-line credit card transactions
Other Miscellaneous Issues
In addition to developing good habits while online or using e-mail, users should be aware of basic security steps that they can take in order to protect themselves and their systems from intrusions, viruses and other threats, regardless of the application that they are using.
Updating Anti-Virus Software
Without exception, anti-virus programs should be considered the most important tool in a user's security arsenal. With viruses now having the capability of proliferating without a user's knowledge and of immediately destroying any data they come in contact with, and with the added threat of new, sophisticated viruses being written daily, users have to remain vigilant and defend their computer systems. There are many free anti-virus programs that can be downloaded from the Internet, but a wise user may want to invest few dollars in purchasing a respected commercial anti-virus program. This will ensure that the virus protection is not only comprehensive but can be kept current by using the 'update' feature. With this in mind, it is also crucial that users update their anti-virus programs on a regular basis. This means not just updating the known-virus file, but also updating the engine of the anti-virus program as well to defend against new viruses.
Users should make it a habit to scan files from unknown sources. This should include all e-mail attachments, as well as all floppy disks on which the user is importing information into his or her system. For more information on anti-virus software, please read Evaluating Anti-Virus Software for Home Use by Paul Schmehl.
Intelligent Use of Passwords
Our social and economic life revolves around information technology systems that require users to constantly authenticate (prove who we are) before granting us access to resources. As a result, we are tied to our phone number, fax number, ATM PIN number, credit card number, drivers license, and many other tokens of identification that enable us to perform day-to-day functions. With more web sites requiring user registration, one may be tempted to use a simple password to make life easier. After all, in this age of information overload, who can remember another different password when accessing the web!
It would seem that a single password would make sense - it would certainly make life easier. However, a security-conscious individual should think twice before putting all their eggs in the same basket. The first step in protecting data is to select not only ONE good password but MANY good passwords. Should a web site security be compromised, this will prevent accounts held by the same user on other systems from being compromised. User passwords should be complicated (but make sense to the user so they can be remembered) and changed regularly to prevent theft. For a more in-depth discussion of strong passwords, please read Password Crackers - Ensuring the Security of Your Passwords, by A. Cuff.
Mobile Computing Devices
Mobile computing devices such as laptops, personal digital assistants (PDAs), and Web-enabled wireless phones are becoming increasingly popular. They are capable of holding a broad range of data including engineering drawings, contact lists, personal e-mail, and other proprietary information. Due to their small size, light weight, and portability, these devices are attractive targets for thieves who may be interested not only in the device itself, but also the information contained in the device (which often is more valuable than the device).
In September, 2000, Qualcomm CEO Irwin Jacobs had his laptop stolen off the podium of a hotel conference room where he had just finished giving a talk to the Society of American Business Editors and Writers. The laptop contained vital corporate information. Because laptops and other mobile computing devices are at risk of being physically stolen or lost, users should make it a practice to store only information that is absolutely necessary for a particular time or function on those devices at any one time. Although this may not minimize the risk of losing the device, and all the information that is stored on it, it will at least reduce the damage caused by such a loss.
In order to minimize the possibility of losing mobile computing devices, users should use electronic as well as physical deterrent and countermeasures to protect the data and the device. Electronic countermeasures would include using passwords to start-up the device and keeping data in an encrypted format. It is advisable that users remain vigilant at all times. Another step that may act as a physical deterrent is a prominently displayed laptop security cable or a motion alarm, which can be used when the user needs to step away from the laptop (such as when talking to people after making a presentation).
Protect Always-On Connections with Firewalls
As mentioned above, access to e-mail and other Internet resources is very much a necessity for conducting business and accessing information. However, along with the convenience that network connectivity brings, this also raises serious security concerns. With always-on connections such as cable modems and DSL lines, Internet users need to be increasingly vigilant of security issues, as network traffic coming into the computer can modify, damage, or steal files and programs even when the user is away from the computer and the computer is idle. In conjunction with other security measures, tools such as firewalls can help to prevent such damage.
Firewalls are used to enhance security of computers connected to a network, such as a LAN or the Internet. A firewall separates a computer from the Internet, inspecting packets of data as they arrive at either side of the firewall - inbound to, or outbound from, your computer - to determine whether it should be allowed to pass or be blocked. Firewalls act as guards at the computer's entry points (which are called 'ports') where the computer exchanges data with other devices on the network. They ensure that packets that are requesting permission to enter the computer meet certain rules that are established by the user of the computer.
Firewalls operate in two ways, by either denying or accepting all messages based on a list of designated acceptable or unacceptable sources, or by allowing or denying all messages based on a list of designated acceptable or unacceptable destination ports. Although they sound complex, firewalls are relatively easy to install, setup and operate. For an overview of what firewalls are, how they work, the different types of firewall technology and their suitability for small office/ home office and personal computer users see Firewalls for Beginners.
Information security has received a lot of attention in the press. Non-technical users or security newbies can be overwhelmed about news about data security issues. Almost daily, newspapers report computer break-ins, system shutdowns, and data theft. What is a user to do then? In addition to learning about the various security threats and employing the appropriate software to combat those threats, users must educate themselves to act in ways that will minimize the risks. This article has offered a brief overview of such good security habits. The next article in this three-part series will examine the security risks associated with e-mail, and will give an overview of secure user behaviors that will allow users to minimize their exposure to these threats.
To read Secure Online Behavior, Part II: Secure E-Mail Behavior , click here.
Dr. Sunil Hazari is a faculty member in the R. H. Smith School of Business and Office of Information Technology at University of Maryland, College Park. His teaching and research interests are in the areas of E-commerce security, usability, and infrastructure design.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.