Monday, September 29, 2008

Ten Baseline Security Standards for Home PC Security

Policeman sacked after P2P data leak

The officer, who worked for the Metropolitan Police Department in Tokyo, accidentally revealed the details via peer-to-peer (P2P) file-sharing software on his PC. He had allegedly installed the Winny file-sharing software on to his machine and was unaware that sensitive data was being made available to other users via the P2P network. According to reports, the personal details of 12,000 people related to criminal investigations have been spread across the net from the officer's computer and around 6,600 police documents have been compromised, including interrogation reports, victim statements, and classified locations of automatic licence plate readers.

The story above illustrates the inherent risks of allowing unapproved software to install itself on PCs. Most P2P software installs itself via the Internet, often accompanying a downloaded media file. P2P software is used extensively among teenagers to share media files.

Business sensitive information can be exposed when employees are allowed to use home PCs to process business data. Discussions on ARC Training courses reveal that this practice is more common than many companies realise, the essential problem being that businesses are failing to communicate to their employees that this is expressly forbidden. And there are serious compliance and liability exposures when company holdings of personal private data are processed on home PCs.

At the very least, home PCs should be protected to the following 10 baseline standards:

1. ANTI VIRUS SOFTWARE Up-to-date anti-virus software should be installed. (Free at http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html)
2. AUTHENTIC WINDOWS The system should use a registered (legal) copy of Windows, which should be updated (patched) automatically – in some parts of the world, over 50% of households are using bootleg Windows, which can expose data to extreme risk.
3. FIREWALL The system should have a firewall stronger than the one provided by Windows. Zone Alarm is recommended. (Free at www.zonealarm.com)
4. SPYWARE PROTECTION The system should be protected against, and regularly scanned for, data-stealing spyware. (Free from www.SpySearchDestroy.com)
5. P2P There should be no P2P file-sharing software installed.
6. PASSWORDS The system should be protected by a strong (alphanumeric) password. A Windows password is good; a boot-sector password is better. Individual MS Office document passwords can be broken in minutes using web-based tools.
7. ENCRYPTION The system should include an encrypted area (free from www.truecrypt.org), or at the very least its folders should be password protected (free from www.folder-password-expert.com).
8. WI-FI If wi-fi is used, it should be secured to the WPA standard. (The earlier encryption standard, WEP, has many weaknesses.)
9. VPN AND ENCRYPTED EMAIL – Two further considerations for secure communications.
10. HARD DRIVES Even after deleting files or reformatting, hard drive data remains recoverable. Hard drives, upon disposal, should therefore be degaussed, disintegrated or wiped using special software. You should never simply delete data and send the drive to local recycling, as your bank details may end up with a scammer on the other side of the world! (Try the free Eraser tool to irretrievably delete data: http://www.heidi.ie/node/6)
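As an added example (not part of the original post or of ARC Training's material), the script below audits a Windows PC against baseline items 1 to 5, 7 and 8 using built-in PowerShell cmdlets. It assumes a current Windows 10/11 system with the NetSecurity, Defender and BitLocker modules present, an elevated prompt, and treats Defender and BitLocker as the anti-virus and encryption tools; the list of P2P product names is a constructed, illustrative set.

```powershell
# Added baseline audit (assumption: Windows 10/11, elevated PowerShell 5.1+).
$findings = @()

# 3. Firewall: every profile (Domain/Private/Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall disabled for profile '$($p.Name)'" }
}

# 1 & 4. Anti-virus / anti-spyware: real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
if ($mp.AntivirusSignatureAge -gt 7) {
    $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old"
}

# 2. Updates: the Windows Update service must not be disabled.
if ((Get-Service wuauserv).StartType -eq 'Disabled') {
    $findings += "Windows Update service is disabled"
}

# 5. P2P: flag known file-sharing clients among installed programs.
$p2pNames = @('Winny', 'uTorrent', 'BitTorrent', 'LimeWire', 'eMule')   # constructed list
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object DisplayName | Select-Object -ExpandProperty DisplayName
foreach ($name in $installed) {
    foreach ($p2p in $p2pNames) {
        if ($name -like "*$p2p*") { $findings += "P2P client installed: $name" }
    }
}

# 7. Encryption: the system drive should be BitLocker-protected.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
    $findings += "System drive is not BitLocker-encrypted"
}

# 8. Wi-Fi: the connected network should use WPA2/WPA3, never WEP or open.
$wlan = netsh wlan show interfaces 2>$null | Select-String 'Authentication'
foreach ($m in $wlan) {
    if ($m.Line -notmatch 'WPA') { $findings += "Wi-Fi authentication is not WPA: $($m.Line.Trim())" }
}

if ($findings.Count -eq 0) { "All checked baseline items pass." } else { $findings }
```

Items 6, 9 and 10 (password strength, VPN/encrypted email, drive disposal) are procedural and are not checked by the script.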