IT Security

1. Protect your passwords.

2. Lock your computer before leaving it unattended

3. Keep your operating system, network and application software up to date.

4. Make sure you have anti-virus software installed.

5. Make sure your anti-virus software is running.

6. Update your anti-virus software regularly.

7. Use the administrator or root account only when you need to administer your computer.

8. Watch out for phishing.

9. Avoid dangerous data sharing and Web surfing practices.

10. Configure your applications for safety.

11. Destroy all data before discarding or giving away your computer (or other storage media).

Your password is your key to your system.  Anyone who knows your password can access, alter or destroy any piece of information that you can, either on your computer or on any network system to which you have been given access.  As such, it is important that you:

• Protect all accounts on your computer, both administrtor and user accounts, with strong, difficult-to-guess passwords.

• Encourage all users of your system to change their passwords regularly.

• Do not share your passwords with anyone.

• NEVER leave the password for the administrator account of any piece of software blank or set to its default value.

For information about what makes passwords vulnerable and how you can make your passwords strong and easy-to-remember, visit our password site by clicking here.

Before you walk away from your computer, lock the screen so that passersby cannot view any private information accessible via your computer or make use of applications running on your computer.  Both Windows and Macs have built-in screen locking functions.  The OIT knowledgebase contains entries showing how to lock the screen on both Windows PCs and Macs.

Many computer attacks succeed by exploiting security flaws in common software products such as operating systems, network software, Web servers and browsers, packaged applications, etc. It is important to keep in mind that no piece of software is perfect.  Both test organizations and malicious hackers, worldwide, continually attempt to find flaws in commonly used software products.  Once a flaw is found, testing organizations will quietly inform the appropriate vendor so the flaw can be corrected, while malicious hackers will write software to exploit the flaw and will begin to use the exploit to attack target systems across the Internet.

When the software vendor learns of the flaw, the vendor's support team often corrects it within a day or so, and will make an updated version of the software available to the general public on the vendor's website.  But until the corrected version of the software is downloaded to and is installed on your computer, your system is vulnerable to attack.  So, the timely updating of software products is a critical component in protecting your system.

Many vendors, such as Apple, Microsoft, Red Hat, etc., provide a facility that automatically checks the vendor's website for updates and, if new versions of your software are found, it asks if you would like to update your system and, if you answser yes, will download the new software version and will install it over the flawed version.  For software products that do not offer such a facility, you will need to manually check the vendor's website for any updates and to download and install them yourself.

As a rule of thumb, whenever a software product has the option of automatically distributing corrected software versions to your system, you should take advantage of that option to reduce the risk of having the uncorrected flaw exploited.  In cases where a product does not provide for automatic updates or where the automatic updating of a piece of software would be impractical, you should check your vendors' websites at least once a week for updates, and should manually apply all available updates as soon as possible.

Anti-virus software has the ability to detect viruses and other forms of malicious software by opening executable programs and documents and looking for specific command sequences used by known viruses. These command sequences are called "signatures."  Additionally, the better anti-virus programs use a technique called "heuristics" which improve its ability to detect unknown viruses by looking for command sequences that may not match a specific signature, but are somewhat suspicious.

For anti-virus software to detect malicious software, it must be actively running on the system. There are two ways you can use anti-virus software to protect the system. Most anti-virus products can be configured in a "real time" mode where it automatically starts up when your system is powered on or rebooted and scans every program executed and every document opened. Anti-virus products also offer a "batch" mode of operation where, upon execution (either manual or at a scheduled time), the program scans every program and document located on specified disk drives and directories. Always configure your anti-virus software to perform "real time" scanning. While you are at your workstation, regularly check to ensure that the "real time" anti-virus process is running. Additionally, to ensure that dormant programs and documents have not been infected, run a "batch" scan at least once a week.

Most anti-virus vendors have a subscription service that provides you with virus signature updates, and occasionally updates to the product itself. It is strongly recommended that you subscribe to the service and update your virus signatures at least once a week and when new virus alerts are announced. If your virus signatures are out of date, you will have an increased risk that your anti-virus software will miss any new viruses that have been developed since your last update.

In most cases, malicious software can only do what the currently logged in user can do. If you do your normal work with full administrative privileges to your system, any piece of malicious software that is triggered during your session can do anything to your system (e.g., update operating system software, install new products, add new user accounts).  When you are logged in with general user privileges, the capabilities of malicious software would be limited.

Phishing is an attempt by a malicious individual to obtain your personal information, such as your social security number, or your password by contacting you via e-mail or phone in a manner that appears to be legitimate.  For example, you may receive an e-mail message that looks exactly like the website of your bank, complete with the bank's logos asking you to confirm your personal information, a message could appear to come from the Princeton University Help Desk or the "Princeton Web Support Team" stating that your computer account will be closed if you do not provide your ID and password to verify your identity.  It is important to note that reputable organizations do not ask for such information via e-mail or over the phone.  So, if you receive such a message, delete it.  For more detailed information about phishing, please click here.

Whenever your workstation contacts data from another source, e.g., a USB key, a CD, a DVD, a diskette, the network, e-mail, web surfing, you increase the risk that your workstation will become infected.

As a rule, you should AVOID:

• copying programs and documents onto your system from removable media (e.g., USB keys, CDs, DVDs, Zip disks, diskettes) provided by unknown, untrusted sources,

• opening and/or saving e-mail attachments provided by unknown, untrusted sources,

• surfing websites managed by unknown, untrusted sources,

• downloading files from sites managed by unknown, untrusted sources.

The extent to which your computer will permit access to your computer files is something you can control. Be sure that you understand how the access control settings work for your specific operating system and that you proactively take measures to block the general public and "guests" from updating your files.

Configure your word processing and spreadsheet software to prompt you if macros are present. Only enable those macros if you know and trust the source.

While it is often not practical, configuring your browser to disable script execution significantly reduces risk especially when you surf unknown, untrusted sites.

One way that malicious individuals obtain private information, including passwords, social security numbers, bank account numbers, etc., is through computers that have been discarded or given away:  even information that was deleted!

The reason the information can be obtained is that major computer systems usually delete files only by marking their directory entries as "deleted".  The data is still on the disk.  Emptying the computer trash bin, still does not erase the data.  The file name just doesn't show up on your directory listing.

Removable media holding private information, such as CDs, diskettes, USB keys, etc. should be physically destroyed when they are no longer necessary.

For computer hard drives, there are a number third party tools that you can use to completely erase the contents of your hard drive.  For Windows and Linux systems, one alternative is a tool called "Darik's Boot 'n Nuke" that you can download from the Internet.  Click here to connect to the Darik's website.  For Mac OS X systems, there is a hard drive wiping program on your OS X installation DVD.  For assistance in using either method, please contact the OIT Help Desk at 258-HELP.