
INFORMATION SECURITY - CHECK LIST

Simple Check List & Action Plan
- for Small Office & Home Users

ESSENTIAL...
   Back Up
   Emergency Boot Disk
   Anti Virus Software
   Update OS & Browser Patches
   Email Attachments
STRONGLY RECOMMENDED...
   Install Personal Firewall
   Subscribe to Virus Alert Service
   Disconnect When Not In Use
   Send Safe Attachments
   Don't Run Programs of Unknown Origin
   Dispose of Media and Hardware Safely
FURTHER TIPS...
   Think Before Forwarding
   Junk Email
   Privacy Issues
   Authentication, Confidentiality, Integrity
   Use Common Sense
MANAGEMENT ISSUES...
   Acceptable Use Policy
   Incident Handling & Disaster Recovery
   Training
   Legislation
   Manage Your Risk
ADVANCED...
   Disable Hidden Filename Extensions
   Disable Scripting etc In Outlook
   Disable Windows Scripting Host

Useful Online Resources & Links (Separate Page)
These links lead to more in-depth information and discussion about the topics on this page. The Links page opens in a new window, so you can easily switch between the Check List on this page and the Links page.


ESSENTIAL...

Back Up

Make a 'Back Up Plan' to suit your circumstances - and do it!
Decide what programs and data you need to back up, and how often (full back up, incremental back up).
Think about what you would miss if your Hard Drive were to crash irrecoverably now - email, address book, diary, correspondence, accounts, projects?
If possible keep all your work on a separate Drive or in specified Folders to make it easier to identify what needs backing up.
Tip: move your email correspondence, address book etc to folders that are regularly backed up - many people forget to back up email.
Keep the back up media (tape, CD ROMs etc) in a separate location from the computer(s). Check every now and then that the back ups you have taken can be restored successfully.
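The plan above has three parts: decide what to copy, copy it (full or incremental), and prove it can be restored. The script below is an added example, not part of the original page, that does all three on a constructed "work" folder in a temporary directory: it takes a full backup with a SHA-256 manifest, takes an incremental backup of only the files changed since that manifest, and re-checks the backup copy against the manifest the way the last sentence recommends. Folder names and sample file contents are made up for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large mail stores do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def full_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and write a manifest {relative path: sha256}."""
    manifest = {}
    for p in src.rglob("*"):
        if p.is_file():
            rel = p.relative_to(src)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)  # copy2 keeps timestamps, useful when auditing later
            manifest[str(rel)] = sha256_of(p)
    (dest / "MANIFEST.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))
    )
    return manifest


def incremental_backup(src: Path, dest: Path, previous_manifest: dict) -> dict:
    """Copy only files that are new or changed since previous_manifest; return what was copied."""
    changed = {}
    for p in src.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(src))
            digest = sha256_of(p)
            if previous_manifest.get(rel) != digest:
                target = dest / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(p, target)
                changed[rel] = digest
    return changed


def verify_backup(dest: Path) -> list:
    """Re-hash every file in the manifest; return the names that are missing or corrupted."""
    problems = []
    for line in (dest / "MANIFEST.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        f = dest / rel
        if not f.is_file() or sha256_of(f) != digest:
            problems.append(rel)
    return problems


def demo() -> tuple:
    """Run the whole cycle on constructed data; returns values the test below checks."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work"      # stands in for the folders you chose to back up
        backup = Path(tmp) / "backup"  # stands in for the separate backup media
        (work / "mail").mkdir(parents=True)
        (work / "mail" / "inbox.mbx").write_text("constructed mailbox contents")
        (work / "accounts.csv").write_text("date,amount\n2001-01-01,10\n")

        manifest = full_backup(work, backup)
        ok_before = verify_backup(backup)            # expect no problems
        (backup / "accounts.csv").write_text("garbage")  # simulate damaged backup media
        bad_after = verify_backup(backup)            # the damaged file is reported
        (work / "accounts.csv").write_text("date,amount\n2001-01-01,10\n2001-01-02,5\n")
        changed = incremental_backup(work, backup, manifest)  # only the edited file is copied
        return (len(manifest), ok_before, bad_after, sorted(changed))


if __name__ == "__main__":
    print(demo())
```

The verification step is the one most people skip: a manifest written at backup time is the only way to tell, months later, whether the tape or CD still holds what you think it holds.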


Make Emergency Boot Disk   

Make a boot disk on a floppy to help recover your computer's operating system after a security breach or hard disk failure.
But you must create this disk before you have a problem!
(In Windows select Start > Settings > Control Panel > Add/Remove Programs, select the Start Up Disk tab, then Create Disk...).


Use Anti Virus Software

Install the program and read the Help files so you know how to use the application.
Update the software (signature or definition files etc) at least every few days.
Do not open, run or forward any new files or downloaded programs without first checking them with the Anti Virus software.


Update OS & Browser etc.

Check for security patch updates for your Operating System, Browser, Email Client and Plug In modules regularly, or subscribe to auto update or notification services.
Note: Well over 90% of security breaches are through known vulnerabilities, for which security patches are freely available.
Check that Security settings (e.g. High, Medium, Low) in your Browser are appropriate for your situation (safety vs. convenience and functionality).

Care with Email Attachments   

Do NOT open any email attachment if it is unexpected - even from a friend or colleague. Phone or email the sender to confirm they have sent you an attachment.
Do NOT open any files with a double extension (e.g. iloveyou.txt.vbs). The second extension may be concealed so that a file appears to be an innocuous text file (iloveyou.txt). See below for instructions to make a Windows system display full file extension(s).
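The double-extension trick works because Explorer hides the last registered extension by default, so iloveyou.txt.vbs is shown as iloveyou.txt. The following is an added example, not from the original page, that applies the rule above to a list of attachment names: it reports what the file would look like on screen with and without the "hide extensions" option, and flags executable types, double extensions, macro-capable documents, and types that stay hidden anyway because of NeverShowExt (see the Advanced section). The extension lists, and in particular the NeverShowExt list, are assumptions made for the example rather than taken from the page.

```python
# Extensions that run code when double-clicked on a Windows desktop of this era.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "shs", "shb", "lnk", "reg",
}
# Office document types that can carry macros; the page recommends RTF/CSV instead.
MACRO_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pps", "mdb"}
# Extensions whose file-type class carries NeverShowExt on a stock Windows install,
# so they stay hidden even after "Hide file extensions for known file types" is off.
# Assumed list for this example, not taken from the page.
NEVER_SHOW_EXTS = {"lnk", "pif", "shs", "shb", "url"}
# Ordinary registered types, so the display simulation has some "known" extensions.
HARMLESS_EXTS = {"txt", "rtf", "csv", "jpg", "gif", "htm", "html", "pdf"}
KNOWN_EXTS = EXECUTABLE_EXTS | MACRO_EXTS | NEVER_SHOW_EXTS | HARMLESS_EXTS


def displayed_name(name: str, hide_known_ext: bool = True) -> str:
    """Return the name Explorer would show for this file.

    With the default "Hide file extensions for known file types" setting the last
    registered extension disappears; NeverShowExt types disappear regardless.
    """
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name
    ext = ext.lower()
    hidden = ext in NEVER_SHOW_EXTS or (hide_known_ext and ext in KNOWN_EXTS)
    return stem if hidden else name


def assess_attachment(name: str) -> dict:
    """Classify an attachment name as 'block', 'caution' or 'ok', with the reasons."""
    exts = [e.lower() for e in name.split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append(f".{last} is an executable type")
        if len(exts) >= 2:
            reasons.append(f"double extension: looks like a .{exts[-2]} file")
    if last in NEVER_SHOW_EXTS:
        reasons.append("extension is hidden by NeverShowExt even when extensions are shown")
    if last in MACRO_EXTS:
        reasons.append(f".{last} can carry macros; ask for RTF/CSV instead")
    if last in EXECUTABLE_EXTS:
        verdict = "block"
    elif last in MACRO_EXTS:
        verdict = "caution"
    else:
        verdict = "ok"
    return {
        "name": name,
        "shown_by_default": displayed_name(name),
        "shown_with_extensions_on": displayed_name(name, hide_known_ext=False),
        "verdict": verdict,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample names, including the two the page itself mentions.
    for n in ["iloveyou.txt.vbs", "kournikova.jpg.vbs", "notes.txt.lnk", "budget.xls", "report.rtf"]:
        r = assess_attachment(n)
        print(f"{n:22} shown as {r['shown_by_default']!r:20} -> {r['verdict']}: {r['reasons']}")
```

Note the notes.txt.lnk case: turning extension display on is not enough for it, which is why the Advanced section goes on to the NeverShowExt registry value.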


STRONGLY RECOMMENDED...

Install a Personal Firewall

If you have an 'always on' connection (e.g. cable or DSL), this is a must have.
Even if you have an ordinary 'dial up' connection and you are online for lengthy periods, it is still advisable to install Personal Firewall software. See the security reference section for some suppliers - many have free versions.
A Personal Firewall is a software program installed on a computer connected to the Internet, to provide an extra layer of protection against external hacker attacks. Personal Firewalls can usually be run in their default configuration, but time spent reading the Help files, and setting up to suit your circumstances will improve your security.
More complex Firewalls for corporate networks comprise both hardware and software. They implement an Access Control Policy (as specified by management) and require expert setting up to be effective.


Subscribe to a Virus Alert Service

Only take notice of warnings from authoritative sources which provide a professional advisory service. It is generally best to ignore warnings from colleagues, friends or emails from unknown sources - at least take no action without first checking with a recognised authority. See Security Reference section.


Disconnect From Internet When Not In Use

An intruder cannot attack your computer remotely if it is powered off, or otherwise completely disconnected from the network.


Send Safe Attachments   

Send documents in Rich Text Format (RTF) where possible, instead of *.doc for example.
Send spreadsheets as Comma Separated Values (CSV) where possible, instead of *.xls for example.
This avoids macro-virus threats (so long as users have updated their security patches recently!).


Don't Run Programs of Unknown Origin

Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send clips or attachments of unknown origin to others, simply because they are amusing - they might contain a Trojan horse program.


Dispose of Media and Hardware Safely

Take care when you sell or give away old computers, tapes, disks etc. If these hold sensitive information they must be specially processed or re-formatted to remove all data.
Just deleting files does not remove the data, which may be easily recovered.


FURTHER TIPS...

Think Before Forwarding Emails

Do NOT pass on virus warnings - however credible or impeccable the source. Many are hoaxes, or well intentioned mis-information.
Do NOT forward anything that looks like a 'chain letter'.
This just causes network congestion and annoyance.


Avoid Junk Email

Do NOT reply to 'spam' or unsolicited email from companies/people you do not recognise - this only confirms your email address is live!
Report persistent offenders.
Do not give out your email address unnecessarily.
Use a disposable address in situations that are likely to generate 'spam' (e.g. Newsgroup postings, surveys, online forms).


Privacy Issues   

Do not give out any personal details unless you really have to, and only after checking the published 'Privacy Policy' to ensure it is acceptable to you.
Check for 'Spyware' you may have inadvertently downloaded onto your computer, and remove - see Ad-Aware in the Security References section.
Delete unwanted 'Cookies' on a regular basis if you are worried about these.
If you are concerned about data that may be held about you (e.g. how much and how accurate it is) then you may apply to the Data Controller of the organisation concerned and request a right of subject access to any information they may have on you.
When sending email to a large circulation list do use the Blind Copy facility. This ensures recipients can't see who else is on the list, so they cannot appropriate the list for targeting with 'spam email'.


Authentication, Confidentiality, Integrity

If you want to be sure that:

  • you are communicating with the right person or organisation (not an impostor)
  • your communications are not intercepted, viewed or corrupted by a third party.

- then use digital signatures and encryption.


Use Common Sense & Native Caution

Don't believe everything you see on web sites or in email!
Don't rely exclusively on technology for protection.
Don't act on anything without thinking about it first.
Don't abandon your native common sense!
Don't hand over money or anything of value (e.g. address, password, account details) to anyone without first satisfying yourself within reason that they are genuine.


MANAGEMENT ISSUES...

Acceptable Use Policy   

Who is allowed to view/download what type of content, and when?
Consider bandwidth abuse, pornography, racial content, games, non-work related activities during working hours etc.
Also consider legal issues such as (thoughtless / unintended) defamation of other people or organisations by employees.
The Acceptable Use Policy should be defined and explained to users - even if it's only in informal terms.


Incident Handling & Disaster Recovery

Who is in charge when things go seriously wrong?
What is the plan to recover all applications and data if everything is lost in a disaster such as fire, theft, software or hardware failure, or internal or external attack?
Who is responsible for preparation and planning?
How are incidents to be handled and reported to minimise disruption?


Training

All users of computer(s) in a company must be informed of the security issues, the potential threats and vulnerabilities, and precautions to be taken. Regular training to raise awareness and build a safety conscious workforce is most important for all companies - no matter how large or small.


Legislation   

Be aware of user rights and company obligations.
Note especially the UK Data Protection Act 1998, and The Consumer Protection (Distance Selling) Regulations 2000.


Manage Your Risks

Assess the value of the assets (information, software, hardware etc.) that you hold.
Assess how vulnerable these items are, and what threats they might be subject to. Where are the weakest links?
Decide what measures you need to put in place to protect your assets.
Balance the costs of security with the risks of loss or damage.


MORE ADVANCED...

Warning: Do not make changes to your system if you are unsure, or lack confidence in being able to return it to its previous condition if you hit problems.

Disable Hidden File Name Extensions   

Make sure you can see double extension file names before opening files.
Windows operating systems have an option to "Hide file extensions for known file types". The option is enabled by default, but you can disable it to have full file extensions displayed by Windows.

To configure Windows 9x and NT 4.0 to show full file names and extensions:

  1. Open the Windows Start menu
  2. Select Settings > Control Panel to open the Control Panel
  3. From the View menu, select Options
  4. Click on the View tab
  5. Ensure "Hide files of these types" and "Hide file extensions for known file types" are both unchecked
  6. Ensure "Show all files" is selected
  7. Click OK to complete the changes.

To configure Windows 2000:

  1. Open the Windows Start menu
  2. Select Settings > Control Panel to open the Control Panel
  3. From the Tools menu, select Folder options
  4. Click on the View tab
  5. Under "Hidden files and folders", ensure "Show hidden files and folders" is selected
  6. Ensure "Hide file extensions for known file types" is unchecked
  7. Ensure "Hide protected operating system files" is unchecked. Note, Windows 2000 will display a dialogue asking for confirmation. Be sure to read and understand the information contained in the dialogue and then click on Yes.
  8. Click OK to complete the changes.

After disabling this option, there are still some file extensions that, by default, will continue to remain hidden. There is a registry value which if set will cause Windows to hide certain file extensions regardless of user configuration choices elsewhere in the system. The NeverShowExt registry value is used to hide the extensions for basic Windows file types.

To remove all occurrences of the value NeverShowExt from the Windows registry:

  1. Open the Windows Start menu
  2. Select Run and enter regedit to open the registry editor
  3. From the Edit menu, select Find
  4. Uncheck the Keys and Data entries under Look at, and ensure the Values entry is checked
  5. Enter NeverShowExt in the Find What box and click Find Next
  6. When a value is found, right click on the value name and select Delete
  7. Press F3 to find the next occurrence of NeverShowExt.
  8. Repeat the previous two steps until all occurrences of NeverShowExt have been deleted from the registry
  9. The computer will need to be rebooted for changes to take effect
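Before deleting values by hand it helps to know which file types are affected. The script below is an added example, not part of the original page: it reads a regedit export (File > Export in regedit produces a .reg text file), lists the extensions whose file-type class carries NeverShowExt, and writes a second .reg file that deletes exactly those values (the "name"=- syntax in a .reg file removes a value when imported), which achieves the same result as the Find/Delete loop above in one repeatable step. The sample export embedded here is constructed for the example and covers only a few classes; Windows 2000 exports are UTF-16 text, so open a real file with encoding="utf-16" (Windows 9x exports begin with REGEDIT4 and are plain ANSI).

```python
import re

# Constructed sample of a regedit export (not taken from a real machine). Real exports
# are far longer but have exactly this shape: [key] lines followed by "name"=data lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"NeverShowExt"=""
"IsShortcut"=""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\.pif]
@="piffile"

[HKEY_CLASSES_ROOT\piffile]
@="Shortcut to MS-DOS Program"
"NeverShowExt"=""
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# A value line is either @=... (the key's default value) or "name"=...
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: raw_data}}; '@' is the default value."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1).strip('"')] = m.group(2)
    return reg


def hidden_extensions(reg: dict) -> dict:
    """Map each extension to its file-type class when that class carries NeverShowExt."""
    classes = {key.rsplit("\\", 1)[-1] for key, vals in reg.items() if "NeverShowExt" in vals}
    result = {}
    for key, vals in reg.items():
        leaf = key.rsplit("\\", 1)[-1]
        cls = vals.get("@", "").strip('"')   # the .ext key's default value names its class
        if leaf.startswith(".") and cls in classes:
            result[leaf] = cls
    return result


def make_removal_reg(reg: dict) -> str:
    """Build a .reg file that deletes every NeverShowExt value found ("name"=- deletes a value)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, vals in reg.items():
        if "NeverShowExt" in vals:
            lines += [f"[{key}]", '"NeverShowExt"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("Extensions hidden by NeverShowExt:", hidden_extensions(reg))
    print(make_removal_reg(reg))
```

Keep the original export: importing it again restores the values if an application turns out to depend on them. As with the manual procedure, a reboot is needed for Explorer to pick up the change.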


Disable Scripting & Other Unsafe Options In Outlook Express   

It is recommended that Outlook Express is configured for maximum security to avoid vulnerabilities due to embedded scripting etc. Otherwise malicious code may be activated without even opening an attachment.
The following will disable scripting and other unsafe E-mail options, but may have some impact on functionality of messaging:

  1. Open Outlook Express.
  2. From the Menu, choose Tools > Options and then click the Security tab.
  3. Choose Restricted Sites zone (More secure) and then click OK.
  4. Open Internet Explorer, from the Menu, choose Tools > Internet Options and click the Security tab.
  5. Select the Restricted Sites icon and then click the Custom Level... button to open the Security Settings window.
  6. Change the security setting options as follows:
    1. Check all the Disable options.
    2. Check High Safety for Software Channel Permissions.
    3. Check Prompt for user name and Password under User Authentication.
    4. To save these settings, click OK to close the Security Settings window, then Yes when asked if you are sure, OK to close the Security window, and OK again.

Disable Windows Scripting Host      

This feature automates some tasks under Windows, but also makes users vulnerable to Visual Basic Script (.vbs) viruses and worms (e.g. kournikova.jpg.vbs).
Windows, Internet Explorer and MS Office work quite adequately without Windows Scripting Host (WSH), but some other applications may need it.
To limit the risk of infection and prevent .vbs scripts from running, consider disabling WSH. Some view this as an extreme measure, and it could result in unpredictable behaviour or non-performance of some applications.
Think of this as an alternative to the options above to show all file extensions, and disabling of scripting in Outlook Express - but it gives the user far less discretion.

For Windows 98 - To Disable WSH
Click on Start > Settings, choose Control Panel, click on Add/Remove Programs, choose the Windows Setup tab, click on Accessories to obtain details, and uncheck Windows Scripting Host if it is checked. Click on OK to save any changes.

For Windows NT - To Disable WSH
Open My Computer, select View/Options, click on File Types tab, find VBScript Script file, select Remove, click OK.

For Windows 2000 - To Disable WSH
Open My Computer, select Tools/Folder options, click on File Types tab, find VBScript Script file, select Delete, click OK.


Finally - Don't Panic!

If you have any questions, or suggestions to improve the above recommendations, please contact me.

In the mean time:

Chaos reigns within
Reflect, repent and reboot
Order shall return!
