How To...

How to use a Personal Firewall

A personal firewall is a technology that helps prevent intruders from accessing data on your PC via the Internet or another network, by keeping unauthorized data from entering or exiting your system. Hackers don't just target national security organizations for cyberattacks: They want your tax returns, network passwords, or bank account numbers. And you don't want your PC to participate in the latest denial-of-service attack on the Internet. Now that "always-on" broadband connections such as cable modems and digital subscriber lines are becoming more popular, home users are at risk. Fortunately, you can protect your data. Firewalls can block malicious attacks and protect your PC from outside threats.
Here's what you need to know:

New packages aimed at home users and small businesses are inexpensive and require little setup on your part.

When you're connected to the Internet, you're sending and receiving information in small units called packets. A packet contains the addresses of the sender and the recipient along with a piece of data, a request, a command, or almost anything having to do with your connection to the Internet. But just as with postal mail, not every package that arrives at your computer is one you want to open. A firewall examines each data packet sent to or from your computer to see if it meets a set of criteria. The firewall then selectively passes or blocks the packet.

Examining Data for Cracks

The criteria a firewall uses for passing packets along depend on the kind of firewall you use. The most common type you'll find for home and small business use is called an application gateway firewall. An application gateway, often called a proxy, acts like a customs officer for data: Anything you send or receive stops first at the firewall, which filters packets based on IP addresses and content, as well as the specific functions of an application. For instance, if you're running an FTP program, the proxy could permit file uploads while blocking other FTP functions, such as viewing or deleting files. You can also set the firewall to ignore all traffic for FTP services but allow all packets generated during Web browsing.

Other kinds of firewalls include packet filters, which examine every packet for an approved IP address; circuit-level firewalls, which allow communication only with approved computers and Internet service providers; and the newest type, stateful inspection firewalls, which note the configuration of approved packets and then pass or block traffic based on those characteristics. Packet-filter, circuit-level, and stateful inspection firewalls are mostly found in corporate network setups. They require major upkeep, so they aren't suitable for most smaller companies and home users.
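The pass-or-block decision of an application gateway, as described above, can be sketched in a few lines. This is an added example, not code from any firewall product; the addresses, the rule set, and the simplification that each packet carries one FTP command are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy following the text: FTP uploads pass, other FTP functions are blocked.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed range
ALLOWED_FTP = {"USER", "PASS", "TYPE", "PASV", "STOR", "QUIT"}
WEB_PORTS = {80, 443}
FTP_PORT = 21

@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes = b""

def ftp_verdict(payload):
    # Assumption: each payload carries exactly one FTP control command.
    words = payload.decode("ascii", errors="replace").split()
    command = words[0].upper() if words else "<empty>"
    if command in ALLOWED_FTP:
        return "pass", "FTP " + command + " is permitted"
    return "block", "FTP " + command + " is not permitted"

def decide(pkt):
    """Return (verdict, reason) for one packet leaving the PC."""
    # Address check: all a simple packet filter would look at.
    for addr in (pkt.src, pkt.dst):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETS):
            return "block", addr + " is in a blocked range"
    # Application-level checks: what the proxy adds on top.
    if pkt.dst_port in WEB_PORTS:
        return "pass", "Web browsing is allowed"
    if pkt.dst_port == FTP_PORT:
        return ftp_verdict(pkt.payload)
    return "block", "no rule allows port %d" % pkt.dst_port  # default deny

SAMPLES = [  # constructed traffic
    Packet("192.168.1.10", "198.51.100.7", 21, b"STOR taxes.zip\r\n"),
    Packet("192.168.1.10", "198.51.100.7", 21, b"DELE taxes.zip\r\n"),
    Packet("192.168.1.10", "198.51.100.7", 21, b"LIST\r\n"),
    Packet("192.168.1.10", "198.51.100.7", 443),
    Packet("192.168.1.10", "203.0.113.5", 80),
    Packet("192.168.1.10", "198.51.100.7", 23),
]

def run_samples():
    return [decide(p)[0] for p in SAMPLES]
```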

How to Write a Security Policy

One of the most important reasons for creating a computer security policy is to ensure that efforts spent on security yield cost-effective benefits. Although this may seem obvious, it is possible to be misled about where the effort is needed. As an example, there is a great deal of publicity about intruders on computer systems; yet most surveys of computer security show that, for most organizations, the actual loss from "insiders" is much greater.

Risk analysis involves determining what you need to protect, what you need to protect it from, and how to protect it. It is the process of examining all of your risks, then ranking those risks by level of severity. This process involves making cost-effective decisions on what you want to protect. As mentioned above, you should probably not spend more to protect something than it is actually worth.

One step in a risk analysis is to identify all the things that need to be protected. Some things are obvious, like valuable proprietary information, intellectual property, and all the various pieces of hardware; but, some are overlooked, such as the people who actually use the systems. The essential point is to list all things that could be affected by a security problem.

Categories include:

  1. Hardware: CPUs, boards, keyboards, terminals, workstations, personal computers, printers, disk drives, communication lines, terminal servers, routers.
  2. Software: source programs, object programs, utilities, diagnostic programs, operating systems, communication programs.
  3. Data: during execution, stored on-line, archived off-line, backups, audit logs, databases, in transit over communication media.
  4. People: users, administrators, hardware maintainers.
  5. Documentation: on programs, hardware, systems, local administrative procedures.
  6. Supplies: paper, forms, ribbons, magnetic media.

Once the assets requiring protection are identified, it is necessary to identify threats to those assets. The threats can then be examined to determine what potential for loss exists. It helps to consider from what threats you are trying to protect your assets. The following are classic threats that should be considered. Depending on your site, there will be more specific threats that should be identified and addressed. These include:

  1. Unauthorized access to resources and/or information
  2. Unintended and/or unauthorized disclosure of information
  3. Denial of service

The characteristics of a good security policy are:

  1. It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.
  2. It must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
  3. It must clearly define the areas of responsibility for the users, administrators, and management.

The components of a good security policy include:

  1. Computer Technology Purchasing Guidelines which specify required, or preferred, security features. These should supplement existing purchasing policies and guidelines.
  2. A Privacy Policy which defines reasonable expectations of privacy regarding such issues as monitoring of electronic mail, logging of keystrokes, and access to users' files.
  3. An Access Policy which defines access rights and privileges to protect assets from loss or disclosure by specifying acceptable use guidelines for users, operations staff, and management. It should provide guidelines for external connections, data communications, connecting devices to a network, and adding new software to systems. It should also specify any required notification messages (e.g., connect messages should provide warnings about authorized usage and line monitoring, and not simply say "Welcome").
  4. An Accountability Policy which defines the responsibilities of users, operations staff, and management. It should specify an audit capability, and provide incident handling guidelines (i.e., what to do and who to contact if a possible intrusion is detected).
  5. An Authentication Policy which establishes trust through an effective password policy, and by setting guidelines for remote location authentication and the use of authentication devices (e.g., one-time passwords and the devices that generate them).
  6. An Availability statement which sets users' expectations for the availability of resources. It should address redundancy and recovery issues, as well as specify operating hours and maintenance down-time periods. It should also include contact information for reporting system and network failures.
  7. An Information Technology System & Network Maintenance Policy which describes how both internal and external maintenance people are allowed to handle and access technology. One important topic to be addressed here is whether remote maintenance is allowed and how such access is controlled. Another area for consideration here is outsourcing and how it is managed.
  8. A Violations Reporting Policy that indicates which types of violations (e.g., privacy and security, internal and external) must be reported and to whom the reports are made. A non-threatening atmosphere and the possibility of anonymous reporting will result in a greater probability that a violation will be reported if it is detected.
  9. Supporting Information which provides users, staff, and management with contact information for each type of policy violation; guidelines on how to handle outside queries about a security incident, or information which may be considered confidential or proprietary; and cross-references to security procedures and related information, such as company policies and governmental laws and regulations.

There may be regulatory requirements that affect some aspects of your security policy (e.g., line monitoring). The creators of the security policy should consider seeking legal assistance in the creation of the policy. At a minimum, the policy should be reviewed by legal counsel.

Once your security policy has been established it should be clearly communicated to users, staff, and management. Having all personnel sign a statement indicating that they have read, understood, and agreed to abide by the policy is an important part of the process. Finally, your policy should be reviewed on a regular basis to see if it is successfully supporting your security needs.

How to Protect Yourself from Email Viruses

The easiest way to protect yourself from email viruses is to follow these three simple rules:

Keep your anti-virus software running all the time.
Keep your virus definition files updated weekly.
Do not open attachments unless you are certain of what they are and who they are from.

If you are using Microsoft email programs, such as Outlook or Outlook Express, there are two things you can do to minimize the spreading of viruses:

Disable the "Preview Pane." The Preview Pane is the part that displays the contents of the email when you click on it from the list.
Disable "Sending as HTML."

For Microsoft Outlook 2000:

Disable the Preview Pane:

Click on "View" in the menu bar.
Click on "Preview Pane" from the list.
This is a toggle: clicking will disable or enable the Preview Pane. These steps must be done for every folder.

Disable Send as HTML:

Click on "Tools" in the menu bar.
Click on "Options" from the list.
Click on the "Mail Format" tab.
In the "Message format" section is a drop-down list next to the caption "Send in this message format:". Select anything from the list except HTML.
Click on the "OK" button.

For Microsoft Outlook Express 5:

Disable the Preview Pane:

Click on "View" in the menu bar.
Click on "Layout..." from the list.
On the "Layout" tab, locate the "Preview Pane" section. In it is a check box next to the caption "Show preview pane." Remove the checkmark.
Click on the "Apply" button.
Click on the "OK" button.
This is a toggle: clicking will disable or enable the Preview Pane. These steps affect all folders.

Disable Send as HTML:

Click on "Tools" in the menu bar.
Click on "Options" from the list.
Click on the "Send" tab.
In the "Sending" section, remove the checkmark next to the caption "Reply to messages in the format in which they were sent."
In the "Mail Sending Format" section, click on the circle next to "Plain Text."
In the "News Sending Format" section, click on the circle next to "Plain Text."
