With the increasing real risk of abuse on the internet, cyber security is increasingly important and you are strongly recommended to consider and implement the following, and to create and nurture a culture within the business/organisation of awareness, good practice, conscious behaviour, and understanding of the real potential and actual risks. Just imagine what it might be like for a hacker to access your social media - look at takethislollipop.com. No, this is not for real and you have not been hacked; it is simply an online program to provide food for thought!
1. Ensure you have your firewall set up on all devices used, be it desktop, laptop, tablet or mobile. Disable all unnecessary service features that may be included in the firewall package.
2. Disallow all connection attempts to and from the inside unless you are sure that this is what you want and it is authorised. Allowing any inbound connections to your system provides a mechanism hackers may be able to exploit, either to establish connections to Trojan horses or by exploiting bugs in service software.
3. Do not rely upon Windows ISA Server built-in filtering alone to protect your connection.
4. Do not use simple packet filtering or packet-filtering services from the Internet Service Provider (ISP) as a replacement for application-layer firewalls. They are not as secure.
5. Make sure there is no way for a hacker to tell which firewall product is in use.
6. Never publish a list of user or employee names on the Web site. Publish job titles instead.
7. Set the TCP/IP stacks to accept connections only on ports for services that the machine specifically provides.
8. Install the latest version of the operating system software. Check your computer or device for updates, or better still set up auto-updates to ensure that this occurs.
9. Do not allow clear-text password authentication.
10. Record the IP addresses of the source computers (assuming they look valid), and try to determine the source of the attacks so that legal measures can be taken to stop the problem.
11. As part of security-conscious awareness, make sure users know to report all instances of denial of service, whether they seem important or not. If a specific denial of service cannot be correlated to known downtime or heavy usage, or if a large number of service denials occur in a short time, a siege may be in progress.
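Item 11 asks you to treat a large number of service denials in a short time as a warning sign. The following added example (not from the original page) applies that test to constructed firewall log lines in an assumed format, counting denied connection attempts per source address inside a sliding time window so that a burst from one address stands out from a lone stray denial:

```python
# Added example (not the page's code): spot a possible 'siege' by counting denied
# connection attempts per source address within a short sliding time window.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log in an assumed format "<UTC time> DENY src=<ip> dport=<port>",
# in chronological order. 203.0.113.9 hammers port 22; 198.51.100.4 is a single denial.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z DENY src=203.0.113.9 dport=22
2024-03-01T09:00:02Z DENY src=198.51.100.4 dport=443
2024-03-01T09:00:03Z DENY src=203.0.113.9 dport=22
2024-03-01T09:00:05Z DENY src=203.0.113.9 dport=22
2024-03-01T09:00:09Z DENY src=203.0.113.9 dport=22
2024-03-01T09:00:11Z DENY src=203.0.113.9 dport=22
2024-03-01T09:05:00Z DENY src=203.0.113.9 dport=22
"""

LINE = re.compile(r"^(\S+) DENY src=(\S+) dport=(\d+)$")

def parse(log_text):
    """Yield (timestamp, source_ip, port) for each well-formed DENY line."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), int(m.group(3))

def find_bursts(log_text, threshold=5, window_seconds=30):
    """Return {source_ip: peak_count} for every source that produced at least
    `threshold` denials inside any window of `window_seconds`. These are the
    addresses worth recording (item 10) and reporting (item 11)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = {}
    for ts, src, _port in parse(log_text):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that have aged out
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak
```

The constructed log is assumed to be in time order; a real feed would need sorting first.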
12. Great care must be taken when downloading information and files from the Internet, to safeguard against both malicious code and inappropriate material.
13. Avoid using one of the smaller Internet service providers. Hackers frequently target them as potential employers because they often have less security awareness and may use UNIX computers, rather than dedicated machines, as gateways and firewalls, making spoof attacks easy to perpetrate. Ask the service provider whether they perform background checks on technical service personnel, and reject those that say they do not.
14. Plan, and regularly test the plan, to ensure that damage done by possible external cyber crime attacks can be minimised and that restoration takes place as quickly as possible. Check with your online provider as to what measures they have in place in this event. Try to undergo an 'APR': Aware - intelligent insight to monitor evolving threats and anticipate risks; Prepare - setting and implementing the right technology and cultural strategy to manage evolving cyber threats; Respond - crisis management, diagnostics and solutions so you can minimise the material impact of cyber attacks in real time at any time. You can also visit 'Google Digital Attack Map' and 'Digital Attack Map' - simply use the named phrases as key words in a web browser search engine to find them.
15. In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed whilst being maintained at all times.
16. Procedures to deal with hoax virus warnings are to be implemented and maintained.
17. Antivirus software is to be deployed across all PCs, with regular virus definition updates and scanning across servers, PCs, laptops and tablets. For Macs please visit their website.
18. Personnel (be they paid or unpaid staff/volunteers) should understand the rights granted to them by your business/organisation in respect of privacy in personal e-mail transmitted across the business/organisation systems and networks.
19. Confidential and sensitive information should not be transmitted by e-mail unless it is secured through encryption or other secure means.
20. E-mail should be considered an insecure communications medium for the purposes of legal retention for record purposes. With the use of digital signatures and encryption, reliance upon e-mail may soon become possible; however, if in any doubt, treat e-mail as transient.
21. External e-mail messages should have appropriate signature footers and disclaimers appended (E-mail Signature File). A disclaimer is particularly important where, through a mis-key, the e-mail is sent to an inappropriate person. The disclaimer should confirm the confidential nature of the e-mail and request its deletion if the addressee is not, in fact, the intended recipient.
22. You should not open e-mails or attached files without ensuring that the content appears genuine. If you are not expecting to receive the message, or are not absolutely certain about its source, do not open it.
23. (a) If you have ANY e-mail or message that looks legitimate but you are not sure about, please DO NOT click and open it. Doing so will alert the hacker that your mailbox is live, and they can then monitor you. Many people have unwittingly received spam from genuine friends who did not know that someone had accessed their mailbox (and looked at the undeleted 'sent' e-mails, which will likely be almost full of the e-mail addresses of everyone they have contacted).
(b) Instead, point your cursor over the URL link and simultaneously hold down the command key. This will show you options, two of which are to open the link in a 'new tab' or a 'new window' in your browser. Point at one of these and release so that it does this. This way the hacker does not know you have done this. You will see the URL address at the top of your browser as it opens.
(c) It is almost a certainty that in most cases, when you look at the web address, it will not be the company it purports to come from, e.g. it will not be PayPal dot com or PayPal dot co.UK but an entirely different redirection website, which will have been set up to imitate something like the login web page of the legitimate site. NEVER, EVER proceed to log in - it is a fake and you will compromise your login details and your identity, with potentially serious implications. At this point you can clearly see it is not from whom it purports to be. Simply close the window.
(d) Secondly, where personal data is requested, and especially where payment is required, e.g. bank, eBay, PayPal, Amazon etc., the web address (no matter whether it is a big well-known business or a small one) will begin with HTTPS. If it does not end with the 's' - even if it is a genuine website and you know them - never ever make a payment or provide details. 's' = secure; the opposite is obviously unsecured, so it can be infiltrated and again cause you potential problems and loss of data.
(e) Lastly, as simple good housekeeping practice, if you have accessed a website that is not legitimate, or where you have given personal data, go to the 'settings' in your browser(s), locate the 'cookies' and delete all of them. This is a little frustrating, as you will be used to starting to type regularly visited sites and having the browser find them automatically, but you can rebuild this again. Where you have regular sites, e.g. Facebook, it is best to save them to your web browser(s) 'favorites' - no, not misspelt, bless the USA in differing from tomato and tomarto!!
(f) Have anti-virus software installed (and always set the software to auto-update). It is irritating when, in the middle of some task on screen, this suddenly comes to the forefront, but it is in your interest, as it will update the definitions, which more often than not are updates against the latest threats, and will isolate such things as e-mails considered to be virus-infected.
This sounds a lot to do, but once you do it, it takes barely a few moments and will help reduce cyber threats and risks, particularly the most common ones that people inadvertently fall into.
24. Users should be familiar with general e-mail good practice, e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organisational value should, on the other hand, be regularly purged or deleted from your system.
25. Use standard TEXT (ASCII) messages where possible; these are both smaller (in terms of file size) and less able to 'hide' executable code, unlike HTML-based e-mails, which can 'run' upon opening.
26. The sending of inappropriate messages should be prohibited, including those which are sexually harassing or offensive to others on the grounds of race, religion or gender.
27. The 'Cyber Streetwise' campaign aims to change the way people (you and I) view online safety, and to provide the public and businesses with the skills and knowledge they need to take control of their cyber security. The campaign includes a new easy-to-use website and online videos.
28. It is also worth visiting and engaging with the 'Get Safe Online' website - a unique resource providing practical advice on how to protect yourself, your computers and mobile devices, and your business against fraud, identity theft, viruses and many other problems encountered online. It contains guidance on many other related subjects too, including performing backups and how to avoid theft or loss of your computer, smartphone or tablet. Every conceivable topic is included on the site. There is also guidance on protecting your website, backing up your website, and working towards ways of protecting your products/services from pirates.
29. Registering with the DMCA, if you have not already done so, will help slightly in locking down copying of your site.
30. Added to this is the Publishers Licensing Society PLSClear scheme.
31. Even the major publishers have this issue and have set up their own sites to report it, so that they go through the motions of having the sites involved reported to sources such as Google and taken down.
32. Norton Identity Safe, available by typing these three words into your search engine, can help you get a Safe Web rating for every website you visit, plus one-click access to your favourite sites.
33. For further informative reference, please download the IT Governance publication entitled "Cyber Security: A Critical Business Risk", again available by typing the full title into your search engine to get the URL link to access the material.
34. The Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK, is a joint industry-government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and therefore reduce the impact on UK business. CiSP allows members from across sectors and organisations to exchange cyber threat information in real time, in a secure and dynamic environment, whilst operating within a framework that protects the confidentiality of shared information. For other sources to help consideration of the subject, please visit Microsoft Security TechCenter and CERT-EU.
Please also see the web accessibility statement for further guidance and information, including links from the Author's web site. FAQs (http://pub23.bravenet.com/faq/show.php?usernum=1893242183) are also available covering the issues, and are also available from the Author as required.