Our team has put together these Best Practices for home-users and businesses alike. Although this is not an exhaustive list, it will be helpful as you navigate the internet. This information is essential for kids, employees, employers, and just about everyone these days.
Personal Computer Basics
Usernames and Passwords
Change any default or easily guessed password and use a strong, unique password for each account. Do not share passwords, and do not write them down; a password manager is the better place to keep them.
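Two of the points above, generating a strong password and rejecting a default or common one, are easy to get wrong by hand. The Python below is an added example, not code from the original page: it builds a random passphrase with the `secrets` module (a cryptographically secure generator, unlike `random`), reports its entropy, and vets a candidate password against a blocklist of defaults after undoing the usual letter-for-symbol substitutions. The word list and the blocklist are constructed stand-ins; a real deployment would use a published diceware list and a large breached-password list.

```python
"""Generate and vet passwords (example added here; not from the original page)."""
import math
import secrets

# Constructed sample word list; a real list (e.g. a diceware list) has thousands of entries,
# and the entropy figure below scales with its size.
WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier",
            "harbor", "iris", "juniper", "kestrel", "lumen", "meadow", "nectar",
            "orbit", "pebble", "quartz", "ridge", "saffron", "timber"]

# Constructed list standing in for the thousands of default/common passwords
# that an attacker tries first.
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome", "qwerty",
                    "letmein", "changeme"}

def passphrase(n_words=5, wordlist=WORDLIST):
    """Pick n_words uniformly at random with a CSPRNG and join them with spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def passphrase_entropy_bits(n_words, wordlist=WORDLIST):
    """Each word is an independent uniform choice, so entropy is n_words * log2(list size)."""
    return n_words * math.log2(len(wordlist))

def _normalize(pw):
    """Strip trailing digits/punctuation and undo common substitutions (0->o, @->a, ...)
    so that 'Passw0rd1!' is compared against the blocklist as 'password'."""
    base = pw.lower().rstrip("0123456789!?.@#$")
    for sym, letter in (("0", "o"), ("@", "a"), ("1", "l"), ("$", "s"), ("3", "e")):
        base = base.replace(sym, letter)
    return base

def check_password(pw, min_len=12):
    """Return the reasons a password is unacceptable (an empty list means it passed)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS or _normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common/default password")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(set(pw)) <= 2:
        problems.append("almost no distinct characters")
    return problems

if __name__ == "__main__":
    p = passphrase()
    print(p, f"({passphrase_entropy_bits(5):.1f} bits from this tiny list)")
    for candidate in ("Passw0rd1!", "aaaaaaaaaaaa", p):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that the entropy figure is only honest for a passphrase the machine chose; a human "randomly" picking words from the same list gets far less.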
Software Patch Updates
Be certain that applications and operating systems are up-to-date with patches.
Anti-Virus Software
Anti-virus software should be installed, configured to update its signatures daily, and never disabled. Separately, back up important documents and files frequently; a current backup is what protects your data in the event of an operating system crash, hardware failure, or malware infection, so keep at least one copy disconnected from the computer it backs up.
Physical Security
Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. Lock, log off, or shut down computers when you leave your desk or otherwise leave a device unattended. Secure portable devices in the office and while traveling.
Unnecessary Application/Services
If a service is not necessary for the intended purpose or operation of the device, that application/service should not be running.
E-mail Management
In general, do not open unsolicited or unrecognized e-mail. Do not send confidential or sensitive information without proper authorization.
Beware of email or attachments from unknown people, or with a strange subject line. Never open an attachment you weren't expecting, and if you do not know the sender, delete the message without opening it. To open an attachment you were expecting, first save it to your computer and then scan it with your anti-virus software; check the program's help documentation for instructions. Remember that the apparent sender can be forged, so an unexpected attachment from a familiar name deserves the same caution.
Fraud and misrepresentation
Dishonest users sometimes forge mail messages so that they appear to come from someone else, in order to obtain personal information such as account passwords or even credit card numbers. Never divulge such data in a reply, even if the sender looks legitimate: the From address is trivially forged, so confirm any such request with the purported sender through a channel you already trust (a known phone number, not one supplied in the message). Report the suspicious mail to your own mail administrator or to the postmaster/abuse contact of the domain the message claims to originate from.
Avoiding spam
Spam has increasingly become a problem on the Internet. While every Internet user receives some spam, email addresses posted to websites or in newsgroups and chat rooms attract the most spam.
To reduce the amount of spam you receive:
- Filter your email: most email clients and web-based email providers can filter incoming mail for you. Many offer blacklisting (blocklisting), which rejects mail from the addresses or domains that you list. Even more restrictive is whitelisting (allowlisting), which rejects mail from anyone except the senders on your list. A blacklist is easy to evade, since spammers change sending addresses constantly, and either list should be matched against the actual sender address rather than the display name, which is trivial to fake.
- Don't reply to spam under any circumstance; a reply only confirms that your address is live.
- Be careful releasing your email address, and know how it will be used. Every time you communicate on the Internet or browse a website, there are opportunities for spammers to harvest your email address and other personal information. Otherwise reputable companies may sell or exchange your email address with other companies, and it may eventually find its way to a spammer. Consider the following guidelines:
  - Subscribe only to essential discussion lists, and ensure that they are moderated.
  - Think twice before offering your email address to a website; check the site's privacy policy first.
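The "Fraud and misrepresentation" and "Filter your email" points above both hinge on one detail: what the mail client shows as the sender is not the address the message came from. The Python below is an added example, not code from the original page. It implements a blacklist/whitelist check over three constructed messages, extracting the real address from the From header (so a display name of `helpdesk@corp.example` fools nobody) and, for whitelisted senders, requiring an SPF or DKIM pass in the Authentication-Results header that our own receiving server (assumed here to be `mx.corp.example`) added; a listed address that fails both is quarantined instead of accepted, since the From line itself proves nothing.

```python
"""Filter inbound mail by allowlist or blocklist using the real sender address
(example added here; not from the original page). All messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

SAMPLES = {
    # Legitimate colleague: SPF and DKIM both passed at our MX.
    "colleague": (
        "From: Alice Example <alice@corp.example>\n"
        "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example;"
        " dkim=pass header.d=corp.example\n"
        "Subject: Q3 report\n\nAttached.\n"
    ),
    # Display-name spoof: the name looks internal, the actual address is not.
    "display_name_spoof": (
        'From: "helpdesk@corp.example" <reset@mail-notice.example>\n'
        "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-notice.example;"
        " dkim=none\n"
        "Subject: Your password expires today\n\nClick here.\n"
    ),
    # Forged From: the address is internal, but SPF and DKIM failed at our MX.
    "forged_from": (
        "From: Alice Example <alice@corp.example>\n"
        "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example;"
        " dkim=fail header.d=corp.example\n"
        "Subject: Urgent wire transfer\n\nSend it now.\n"
    ),
}

def sender_address(raw):
    """The address inside the angle brackets, not the display name that clients show."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()

def auth_results(raw, our_mx="mx.corp.example"):
    """Parse spf=/dkim= verdicts from the Authentication-Results header that our own
    receiving server added (authserv-id is assumed to be mx.corp.example). Headers
    claiming another server are ignored: a sender can insert a fake one upstream,
    but only ours was added after the checks actually ran."""
    verdicts = {}
    for hdr in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.strip().lower() != our_mx:
            continue
        for clause in rest.split(";"):
            token = clause.strip().split(" ")[0]  # e.g. "spf=pass"
            if "=" in token:
                method, verdict = token.split("=", 1)
                verdicts[method.lower()] = verdict.lower()
    return verdicts

def classify(raw, mode, listed, our_mx="mx.corp.example"):
    """mode is 'blocklist' or 'allowlist'; listed holds addresses and/or bare domains.
    Returns 'accept', 'reject' or 'quarantine'."""
    addr = sender_address(raw)
    domain = addr.rpartition("@")[2]
    on_list = addr in listed or domain in listed
    if mode == "blocklist":
        return "reject" if on_list else "accept"
    if not on_list:
        return "reject"
    auth = auth_results(raw, our_mx)
    # A listed sender is only worth trusting if the message really came from that domain.
    if auth.get("spf") == "pass" or auth.get("dkim") == "pass":
        return "accept"
    return "quarantine"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} from={sender_address(raw):28} "
              f"blocklist={classify(raw, 'blocklist', {'spam.example'})} "
              f"allowlist={classify(raw, 'allowlist', {'corp.example'})}")
```

Run it and the display-name spoof sails through the blacklist (its real address is not listed) but is rejected by the whitelist, while the forged internal address is held rather than accepted because our MX saw both SPF and DKIM fail.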
Data Security
If maintaining confidential or sensitive data, be certain that it is encrypted both in transit (network traffic, e.g. over TLS or a VPN) and at rest (any local copy, e.g. with full-disk encryption). Do not store confidential or sensitive data on external drives or removable media.
Restrict remote access
It is recommended that you disable Remote Desktop (RDP) and Remote Assistance unless you require these features. If you do require them, enable remote connections only when needed and disable them when you're finished, and never expose RDP directly to the Internet; reach it over a VPN instead, since exposed RDP is a routine target for password guessing. Note that you only need to enable RDP on the computer you intend to connect to; disabling RDP on the computer you're connecting from will not prevent you from making a connection to another computer.
Remove data securely
Remove files or data you no longer need so that they cannot be accessed later. Merely deleting sensitive material is not sufficient: deletion only removes the directory entry, and the file's contents stay on the disk until that space happens to be reused, so they can be recovered with ordinary forensic tools. Use a secure-erase tool that overwrites the data, and be aware that on SSDs and on journaling or copy-on-write filesystems an in-place overwrite is not guaranteed to reach every copy; keeping the disk encrypted from the start, so that any remnants are unreadable without the key, is the more reliable control.
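To show what "overwrite, then delete" actually involves, here is an added Python example (not code from the original page). It refuses anything that is not a regular file (following a symlink here could destroy the wrong target), overwrites the contents with random bytes, forces the writes to the device with fsync, truncates the file so its original length is not left behind, renames it to a random name so the original filename does not linger in the directory, and only then unlinks it. The `demo()` helper creates a throwaway file with constructed content and wipes it. The caveat from the text applies unchanged: on an SSD or a copy-on-write filesystem this cannot promise that every copy of the old blocks is gone.

```python
"""Overwrite a file before unlinking it (example added here, not from the original page).
Caveat: on SSDs and on journaling or copy-on-write filesystems, old blocks may survive an
in-place overwrite; full-disk encryption or the drive's own secure-erase command is the
reliable control there."""
import os
import secrets
import stat
import tempfile

def overwrite_and_remove(path, passes=1, chunk_size=64 * 1024):
    """Overwrite a regular file with random bytes, fsync, truncate, rename, unlink.
    Returns the number of bytes overwritten per pass."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        # A symlink, device or directory here means we would wipe the wrong thing.
        raise ValueError(f"refusing to wipe non-regular file: {path}")
    size = st.st_size
    flags = os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW does not exist on Windows
    fd = os.open(path, flags)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                remaining -= os.write(fd, secrets.token_bytes(n))
            os.fsync(fd)      # push the overwrite to the device, not just the page cache
        os.ftruncate(fd, 0)   # do not leave the original length behind either
        os.fsync(fd)
    finally:
        os.close(fd)
    # Rename to a random name so the original filename is not left in the directory,
    # then unlink.
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return size

def demo():
    """Create a throwaway file with constructed 'sensitive' content, wipe it, and report
    (bytes overwritten, whether the file still exists)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "tax-return.txt")
    with open(path, "wb") as f:
        f.write(b"SSN 000-00-0000\n" * 100)  # constructed sample, 1600 bytes
    wiped = overwrite_and_remove(path, passes=2)
    still_there = os.path.exists(path)
    os.rmdir(tmpdir)
    return wiped, still_there

if __name__ == "__main__":
    print("overwritten bytes, file still present:", demo())
```

Compare this with `os.remove()` alone, which does everything except the overwrite and truncate; the data it leaves behind is exactly what the paragraph above warns about.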
How can I protect data on my mobile device?
Like desktop computers, mobile devices (e.g., smartphones, tablets, laptops, and notebook computers) are frequently used to access and store both personal and institutional information. However, because of their portability, mobile devices are more susceptible than desktop systems to loss and theft. The following are safeguards you can use to reduce the risk of someone accessing data when your mobile device is lost or stolen:
- Apply appropriate safeguards to the device to mitigate the risk of information exposure due to loss or theft: a screen lock with a PIN or passcode that engages after a short timeout, full-device encryption, and a way to locate and remotely wipe the device.
- Wipe (i.e., erase) all data stored on any device before transferring ownership (e.g., by sale or trade-in).
Web Browsing
Limit Web browsing to work-related sites
Be cautious when downloading software or files from the Internet. Do not visit "adult" content sites, and on a work device keep browsing to work-related sites.
Do not click random links
Do not click any link that you can't verify. To avoid malware spread via email or instant messaging (IM), think before you click: if you receive a message out of the blue with nothing more than a link and/or generic text, do not click it. If you doubt its validity, confirm with the sender through another channel before opening it; a compromised account will happily send links to everyone in its address book.
Do not download unfamiliar software off the Internet
Some programs will appear to have useful and legitimate functions. However, much of this software is (or bundles) spyware or adware, which can destabilize your operating system installation, waste resources, generate pop-up ads, and report your personal information back to the company that provides the software.
How can I tell if a computer virus alert is a hoax?
Two key factors make a successful virus hoax: (1) technical-sounding language and (2) credibility by association. If the warning uses the proper technical jargon, even the technologically savvy can be fooled. The difficulty is that a genuine alert has the same features, so you cannot tell from the message alone. Check the alert against your anti-virus vendor's website or a reputable hoax database before acting on it or forwarding it, and never follow a message's instructions to delete system files or disable protection.
How can I be sure that a website is genuine?
Some web links, especially ones that are part of phishing schemes, lead to fraudulent web pages; even when typing an Internet address into your browser by hand, you might end up at a phisher's site if the address you enter is non-secure or incomplete, or is automatically completed or redirected by your browser.
When you access non-secure websites (i.e., those whose addresses use an http:// prefix), nothing verifies that the page you reach belongs to the site you intended, so you can do little to detect a redirection to a fraudulent site. When accessing secure sites (https://), including most commercial, financial, and university services, you can protect yourself by making sure that the site you are visiting is actually the one you want: type the entire URL, including the initial https://, into your browser (or use a bookmark you created yourself), then check that the browser reports a valid certificate and that the hostname is exactly the one you expect, reading it carefully for look-alike characters, extra words, or a different domain tacked on after the familiar name.
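The checks in the previous paragraph can be written down. The Python below is an added example, not code from the original page; every hostname in it is constructed. Given a URL and the domain you meant to reach, it flags the classic tricks: a missing or non-https scheme, user information before an `@` (the browser connects to whatever follows the `@`), punycode (`xn--`) or non-ASCII labels that can render as look-alike characters, and a host that is neither the expected domain nor a subdomain of it, which catches `bank.example.evil.example` and `bank-example.com` alike.

```python
"""Flag URLs that may not lead to the site they appear to (example added here, not from
the original page). All domains below are constructed."""
from urllib.parse import urlsplit

def url_warnings(url, expected_domain):
    """Return the reasons `url` should not be trusted as `expected_domain`
    (an empty list means nothing suspicious was found)."""
    warnings = []
    parts = urlsplit(url.strip())
    if parts.scheme == "":
        warnings.append("no scheme given: the browser will guess, possibly plain http")
    elif parts.scheme.lower() != "https":
        warnings.append(f"scheme is {parts.scheme}, not https: the site's identity is not verified")
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # "https://bank.example@evil.example" really connects to evil.example
        warnings.append(f"text before '@' is ignored by the browser; the real host is {host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label: internationalized name, possible homograph")
    if not host.isascii():
        warnings.append("non-ASCII characters in host: possible look-alike (homograph) domain")
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        # catches bank.example.evil.example, bank-example.com, bankexample.com, ...
        warnings.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return warnings

if __name__ == "__main__":
    # Constructed links, the kind a phishing mail might carry.
    for link in ("https://www.bank.example/login",
                 "http://bank.example/login",
                 "bank.example/login",
                 "https://bank.example@evil.example/login",
                 "https://bank.example.evil.example/login",
                 "https://b\u0430nk.example/login"):   # Cyrillic 'а' in place of 'a'
        print(link, "->", url_warnings(link, "bank.example") or "ok")
```

The last case is the one a human is worst at: the Cyrillic letter renders identically to the Latin one in most fonts, which is why the check compares code points rather than trusting your eyes.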
Be proactive
Adjusting the security settings in your web browser is a good preventive measure. For a higher level of security, have your browser disallow:
- Accepting cookies
- Listing your name and other personal information in your browser profile
- Filling in form fields for you
This will help reduce the amount of personal information transmitted to sites at the expense of full functionality, since many legitimate websites require you to accept cookies.
Server Security
Practice the principle of least privilege. Do not log into a computer with administrator rights unless you must do so to perform specific tasks. Running your computer as an administrator (or, on older Windows versions, as a Power User) leaves it exposed to security risks and exploits: simply visiting a malicious Internet site from a high-privilege account lets whatever exploits your browser run with full control of the machine, enough to wipe your disk, delete all your files, or create a new user account with administrative access. Use a standard account for daily work, and when you do need to perform tasks as an administrator, elevate only for that task (a UAC prompt, sudo, or a separate administrator account) and drop back afterwards.
Home Networks
Wireless Local Area Networks (WLANs, Wi-Fi) allow you to access the Internet at broadband speeds without the need for a completely wired network, and allow many different workstations to use one central access point. However, wireless networks have security risks beyond those of a typical wired connection: since anyone within radio range can attempt to connect to your access point, you should take extra security precautions when setting up your home wireless network. The methods listed below vary in their effectiveness, but an attacker will usually take the path of least resistance. The more of these measures you take, the greater the chance that someone will move on and look for a less secure network.
- Stay up to date with patches and updates, router firmware included
- Choose a strong administrator password
- Disable remote administration, so the router's management interface answers only from the LAN side and never from the Internet
- Use encryption: WPA2 or WPA3 with a long passphrase; WEP and the original WPA are broken and offer little protection
- Change your default SSID, which often reveals the router model and therefore its known weaknesses
- Use MAC address filtering, with the caveat that it is a weak measure: MAC addresses are transmitted in the clear and are easily spoofed, so it stops only casual users
Social Networking Sites
Social sites such as Facebook allow users to meet new people, share pictures and information, and interact with others in online communities. The popularity of these sites continues to rise; however, unfortunately, so does the risk of information misuse.
The United States Computer Emergency Readiness Team (US-CERT) suggests the following:
- Use sound judgment when it comes to the information you choose to share with others online, for example:
  - Avoid providing personal information that can be used for identity theft, such as your Social Security number, your birthdate (instead, say you are in your early twenties), your full address (instead, give only the city name), or your mother's maiden name.
  - Avoid providing information that would allow a person to stalk you, such as your full address (instead, give only the city name), your class schedule (instead, state only your major), or your telephone number.
- Remember that the Internet is a public resource and anyone can see what you post. In addition, web pages are routinely archived, so don't assume a picture or information is completely deleted from the Internet once you've removed it from an active site. Always think twice about what you post, and what's posted about you.
- As a precaution against ill-intentioned strangers or people who misrepresent themselves, restrict who can view your information.
- Be skeptical of the information you read about others.
- Read and understand the privacy policy of the site, and be aware of how your information can be used.