= Best Practices =

== Security ==

Keep your operating system up to date. Operating system manufacturers release regular updates to patch security holes in their operating systems. Cyber security is a dynamic and rapidly evolving field: new threats are discovered every day, and it is safe to say that no modern operating system is completely free from potential security exploits. Staying up to date is the front line of defense when securing your machine.

=== Anti-Virus Software ===

All users should be sure that they have some form of anti-virus software installed and updated regularly on their machine. ITS provides [[http://its.ucsc.edu/service_catalog/software/apps/sophos.php|Sophos]] anti-virus for Staff, and [[http://its.ucsc.edu/service_catalog/software/apps/mcafee.php|McAfee]] anti-virus for Students free of charge. If these anti-virus applications don't float your boat, there are also free anti-virus solutions available on the web. Of those available we have tested and can recommend [[http://free.avg.com/|AVG]] anti-virus.

=== Flash Drives ===

Flash drives are quickly becoming one of the primary vectors for virus propagation. The United States Military has banned flash drives among their enlisted men and women in foreign theaters because of the numerous high-level systems that had been compromised due to dirty flash drives.

 1. Windows machines will by default automatically execute the 'autorun.inf' file found on most flash drives. This is what brings up the screen that asks you what you'd like to do with the device that you've just connected. It's a good idea to disable autorun on your system whenever possible. Here are links to a site that describes how to disable autorun on [[http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/|Windows XP Pro]] and on [[http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/|Vista / Windows 7]]. Feel free to contact us for assistance in doing this.

 1. Be wary of which machines you plug your flash drive into. Does the machine have anti-virus? Is it used by lots of people? Is it running very slowly? Those are all things you may want to ask yourself before returning to your own machine with that flash drive.

 1. Run regular anti-virus scans on the flash drive. It doesn't take very long, and it can provide some peace of mind.

=== Browsing ===

Adhering to a few simple "smart browsing" techniques can greatly increase your individual level of security.

 1. Keep your browser up to date. Oftentimes security threats can be eliminated by the most recent updates.

 1. Set your browser's privacy and security options/preferences to appropriate levels for your location and skill level. If you are using an unsecured coffee shop network, you may want to tighten down your security a bit. If you're an expert user, consider yourself a smart browser, and are almost always working only from a wired or secure home or office network, then you can likely get away with loosening your security settings a bit to improve speed and functionality.

 1. Look at the browser's status bar when hovering over links to check that the actual destination matches that indicated by the link. For example, if a link indicates that it will take you to YouTube to watch a video, but when you hover over the link the browser's status bar shows the destination URL as http://mischief.about-to-get-a-virus.cn/trojan.zip, then you may want to reconsider clicking on that link.

 1. Do not store passwords in your browser's cache. If the unfortunate ever happens and your machine is compromised, you don't want an intruder to be able to open an instance of your browser, go to the bookmark of your bank site, and log in as you.

 1. If you're unsure about the validity of a particular website or file that you want to access, open another browser window and do a search on the website or file in question. If you are indeed looking into a potential threat, there are sure to be several posts among the top results that indicate the nature of the threat.

 1. Never enter sensitive personal information or passwords into forms or fields on a website unless you are at a secure (https, not just http) site for which you trust the security certificate. Large organizations and financial institutions use security certificates which they purchase from valid certificate authorities like Verisign. By default your browsers are set to trust security certificates that come from valid certificate authorities. Self-signed security certificates should trigger your browser to ask your permission to accept the certificate, and you have the opportunity to view the certificate first to be sure that the issuing authority matches the site you intended to visit. This will help to prevent man-in-the-middle attacks in which an intruder/observer can snoop your network traffic and, if it is unencrypted (i.e. http), can extract username and password combinations with relative ease.

=== Email ===

Email remains among the primary vectors for compromising/hacking a system. Learning to steer clear of junk messages and unknown attachments will significantly reduce the risk of your system being compromised.

 1. If you are using an email client (e.g. Thunderbird, Mac Mail, Outlook), make sure that your preferences are NOT set to automatically open attachments. Set up email filters for the most common strings that appear in junk emails; this will reduce the chance of you accidentally opening or being duped by a junk email message.

 1. Do not open attachments that you do not trust. If you are unsure about a certain attached file, you can opt to download it to your desktop without opening it and use your anti-virus application to scan that individual file for known viruses. While never a 100% foolproof method, this will greatly reduce the risk of contracting a virus through email attachments.

 1. NEVER send sensitive information like passwords, SSNs, account numbers, or other personal information in an unencrypted email. You have to assume these days that an unencrypted email message can and will be read by a number of people before or after reaching its desired destination. If you absolutely have to send sensitive information in an email, take the steps to encrypt your message and exchange public keys (preferably in person or via telephone) with the person you are communicating with. It is relatively easy to set up a secure email channel between two users these days. All of the tools necessary to generate keys and create certificates are freely available online. One such tool is [[http://enigmail.mozdev.org/home/index.php|Enigmail]] for Thunderbird. It is available for all platforms and their website will guide you through the process of setting up secure mail with a friend or colleague.

=== Passwords ===

A good system for creating and managing your passwords is crucial to protecting your digital identity these days.

 1. Try keeping 3-5 passwords of varying levels of strength that correspond to the importance of the different accounts that you maintain. If, for example, you often log into a blog or forum to leave a comment, you can have a relatively short password that is easy to remember and may not be that strong; this password can then be used for several similar low-risk accounts. If you have one or more email accounts that you maintain, you will want a somewhat stronger password, since through an email account it is possible for a hacker to solicit other organizations for personal information, or submit requests for another account's password to be reset. If you are entering your email password multiple times a day then you may want to keep it fairly short (8-12 characters), but also make it fairly complex so it is not easily broken. This same level of frequently used but fairly complex password can also be used, for example, to log onto your computer. Finally, if you have an account with a financial institution or company that is tied to your bank account, such as PayPal or iTunes, then you'll want that password to be very strong and of considerable length to reduce the chances of someone cracking it with a brute force algorithm.

 1. Avoid using dictionary based words or names in your strong passwords. Mix them up with letters, numbers, and if permitted some punctuation as well.

 1. Social engineering is still one of the most successful ways to obtain a password. Take care not to use birthdates, room numbers, license plate numbers, and other information that is unique to you and fairly easy to acquire; those would be among the first guesses by an individual attempting to gain access to your password.

 1. Change them periodically. No one wants to have to change their passwords and spend time struggling to remember a set of new passwords, but it's better to change them of your own accord than to have to change them after several years because someone finally cracked them. It would be ideal to change your most important passwords every 6 months, but given that most people will not do this, try to at least change them every 1-2 years.
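
The length, dictionary-word and personal-information advice in the list above can be combined into one check. This is an added example, not part of the original page: `audit_password`, the mini word list and the sample passwords are constructed, the 8-character minimum is taken from the 8-12 character range mentioned above, and the bit count is an upper bound that only holds for randomly chosen characters.

```python
import math
import string

# Constructed mini word list; a real check would load a full dictionary file.
WORDLIST = {"password", "dragon", "banana", "slug", "summer"}

# Undo common letter-for-symbol swaps (0->o, 1->l, 3->e, ...) before the word check.
LEET = str.maketrans("0134578@$", "oleastbas")

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def brute_force_bits(password):
    """log2 of the exhaustive search space: length * log2(alphabet size)."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit_password(password, personal_facts=(), wordlist=WORDLIST, min_length=8):
    """Return (sorted list of issues, brute-force strength in bits)."""
    issues = []
    if len(password) < min_length:
        issues.append("shorter than %d characters" % min_length)
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    for word in wordlist:
        if word in lowered or word in normalized:
            issues.append("contains dictionary word '%s'" % word)
    digits_only = "".join(c for c in password if c.isdigit())
    for fact in personal_facts:
        # Compare on letters and digits only, so "6ABC-123" matches "6abc123".
        token = "".join(c for c in fact.lower() if c.isalnum())
        if token and (token in lowered or (token.isdigit() and token in digits_only)):
            issues.append("contains personal detail '%s'" % fact)
    return sorted(issues), round(brute_force_bits(password), 1)


if __name__ == "__main__":
    # Constructed examples: a disguised dictionary word plus a birth year,
    # then a random 12-character password using all four character classes.
    print(audit_password("Dr4g0n1985", personal_facts=["1985"]))
    print(audit_password("kT7#vq9!Zm2w"))
```

The first sample scores about 59.5 bits on paper yet is flagged twice, which is why the dictionary and personal-detail checks matter more than the raw brute-force figure.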