Common Computer Station Mistakes – 8 Rules Every Employee and Employer Should Be Aware Of
Shlomi Adar, Security and Information Security Specialist
Mistakes usually happen innocently, out of a lack of knowledge, and sometimes even maliciously. To protect your organization from daily web threats, you should know the most common mistakes employees make while using their computers. These mistakes expose them to cyber attacks and to other threats such as viruses, spyware, adware and computer worms, and they raise the chance of information security breaches in the organization that may lead to serious cyber attacks and to financial and reputational damage.
It is important to make an effort to secure your PC (desktop or laptop) against the various threats that come from the Internet. Here are 8 important rules you should know!
1. Custom Permissions According to Position and Necessity – with organized permission definitions, the organization can supervise what employees do on their computers. People install applications that come from many sources, and often it is not possible to tell whether they are safe; each such installation may become an opening for hacking and a substantial threat to the organization's information security. It is highly recommended to limit employees' installation permissions according to their position, to allow installation only of the specific applications that serve the position, and to grant installation permissions only to IT employees or to employees who have the skills, expertise, knowledge and awareness of information security.
2. Surfing the Internet – we recommend avoiding websites that are not required for work, such as free games sites (in many cases these sites contain spyware or tracking software, or it is "attached" to the games or to the plug-ins that enable playing), sports sites, and online chats, which increase the risk of files and content leaking out of the organization.
Surfing such websites exposes the organization to external threats. We recommend installing systems designed to monitor which websites employees are able to enter and to block access to sites that are considered problematic. These systems act as filters and, by tracking employees' surfing habits, are also able to flag the "rebellious" employee who is not following the guidelines.
3. Using a Laptop – it is very common for employees to use a laptop, take it home and then bring it back to work, and vice versa. By doing that, they are actually taking the laptop into the home environment, which is not as secure as the organizational environment. At home, other people or children may use the laptop, which increases the organization's level of risk and its exposure to threats that are neither supervised nor controlled. Therefore, it is important to separate work from home and not to allow children and other users to use the laptop. It is also recommended to install an encrypted remote access system (such as a VPN) for use from home, and to make sure the laptop itself carries all the information security means that match the organization's security level. There are designated systems for that purpose that deny access (local or remote) if the device does not meet the organizational security standards.
4. Loss or Theft of Laptops – laptops in particular, and mobile equipment in general such as tablets, smartphones etc., are more prone to loss or theft, since people take them along when travelling abroad, on the train or in the car, and they are inherently mobile, smaller and easier to carry. It is recommended to encrypt the entire laptop or mobile device and to install a system that can locate the device and erase its information remotely if necessary. This way, if there is a risk of information and content theft, the laptop becomes just like any other laptop, and the damage to the organization amounts to the value of the lost or stolen equipment, which is negligible compared with the value of the data it contained; such systems sometimes also make it possible to track the thief and recover what was lost or stolen.
5. E-Mail – the most common threat is online phishing, in which hackers masquerade as someone else in order to commit identity theft and obtain sensitive information. The bait is usually sent to the user as an innocent-looking forum message or a spam e-mail disguised as an important e-mail or as a notification about a prize, a special lottery or an attractive sale, and even as an e-mail pretending to come from the security service of a well-known service such as PayPal, banks, Gmail, Facebook, LinkedIn etc. Many hackers disguise and send such links, and a single click on one may implant a virus in the computer or lead the user to update personal information on a dummy imposter site, which is how users unknowingly hand extremely sensitive details, including passwords, to the hacker. Today it is very easy to send organizations aggressive e-mails, and although there are dedicated systems that can filter most viruses and phishing e-mails, it is best to refrain from opening e-mails sent from an unknown source, and certainly to avoid clicking suspicious and unidentified links. Links that appear to come from a recognized source deserve the most suspicion when they arrive from a known organization that the user has never contacted before; that, of course, is a significant "red flag".
6. Setting Passwords – setting a complex password is recommended: combine upper case letters and lower case letters with numbers and special characters, so that automatic password cracking software cannot crack the password easily. A simple combination increases the chance of cracking. These cracking tools run through every possible combination (known as the brute force method), and of course, the simpler the password is to guess, the shorter the time required to crack it. If the password is complex enough, it is less likely to be cracked by cracking software. You should also avoid using birth dates, children's names, ID numbers etc. as passwords, or any information that can be linked to the user or guessed using reasonable combinations (known as the dictionary attack method). Passwords must be changed relatively often, and passwords similar to the older ones should be avoided. Organizations should implement the password policy described here in their systems, enforced by the system itself, to prevent this severe cracking; today, most systems are well prepared for that.
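The policy above, enforced in code, as an added example that is not part of the original article: the checker requires upper and lower case letters, digits and special characters, rejects dictionary words and personal details (names, ID numbers, birth dates), and rejects a new password that is too similar to a previous one. The minimum length, the similarity threshold and the mini word list are assumptions chosen for the example, not values from the article.

```python
import re
import string
from difflib import SequenceMatcher

# Assumed policy values (the article states none): minimum length and how
# similar a new password may be to an old one before it is rejected.
MIN_LENGTH = 12
MAX_SIMILARITY = 0.7

# Constructed mini dictionary standing in for a real cracking wordlist.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin", "summer"}


def _contains_personal_info(password, personal):
    """True if a personal value (name, ID number, birth date) appears in the password.
    Dates and ID numbers are also compared with their punctuation stripped."""
    lowered = password.lower()
    for value in personal:
        value = value.lower()
        if len(value) >= 3 and value in lowered:
            return True
        digits = re.sub(r"\D", "", value)
        if len(digits) >= 4 and digits in lowered:
            return True
    return False


def check_password(password, personal=(), previous=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if _contains_personal_info(password, personal):
        problems.append("contains personal information")
    # Similarity to earlier passwords: a one-character change from the old one is rejected.
    for old in previous:
        if SequenceMatcher(None, password.lower(), old.lower()).ratio() > MAX_SIMILARITY:
            problems.append("too similar to a previous password")
            break
    return problems
```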
7. Physical Security – in order to prevent hands-on hacking, it is best to lay down a policy for people who visit the offices and are not part of the organization, such as external suppliers, technicians and IT staff. The policy should require that they be closely escorted while visiting the organization and be let in only after identifying themselves, with their arrival and departure documented together with the means used to identify them. External people can physically implant something in the computers or copy data and content using a USB flash drive (disk on key). Sometimes even a seemingly innocent and random visitor, like a "fundraiser" or a person who claims to be lost, turns out to be a hacker or to have been sent by malicious competitors. There have even been several cases of fictitious candidates for a position who were actually "industrial spies", or spies planted in the companies that provide external services such as office cleaning (after which the office is well cleaned of the sensitive information it holds).
8. IT Department – it is important to define, at the organizational level, that one of this department's standing responsibilities is information security, control and monitoring: applying the regular updates offered by the operating system, using anti-virus software, various cleaning tools and firewall components to block undesired communications and hacking, and preventing data leakage from the organization. The current standard is hiring IT staff at a ratio of 1:8 to the employees the organization employs. A well-functioning IT department can prevent information security breaches and minimize threats through work procedures, assimilating a clear policy and granting limited authorizations according to necessity and position. The IT department is also responsible for implementing system procedures that prevent human error. The organization has to make sure that its IT people hold the proper knowledge and skills and are trained in the field of information security. The organization also has to hire external advisors (specialists) to cover the needs the IT department is not expected to meet, such as handling emergency incidents and events or other unusual information security occurrences.
This article was prepared with the participation of Advocate Paz Itzhaki-Weinberger, Information Security Specialist.