
According to the Government survey conducted in 2013 [1], over 80% of Hong Kong households own a computer. Thanks to the extensive broadband network of the city, Internet connection has never been this accessible, whether at work or at home. With just a few clicks, we can make the most out of the multimedia device for business, education or entertainment purposes.

In recent years, it has become a common practice for computer vendors to offer university students and staff special discounts for purchasing personal computers. The computers sold usually contain the most updated operating system and software, including antivirus, while some of them use cloud platforms such as Office 365 and Adobe Cloud. With connections to both the Internet and school Intranet, students and staff are well-equipped to complete the tasks at hand with abundant resources.

While computers continue to occupy a central role in daily assignment and work, users must be aware of the potential IT security threats posed to their personal computers.

Unlike their counterparts in the commercial sector, users’ personal computers are generally not well-managed, as most of them lack centralized services, such as Active Directory from Microsoft, to monitor and maintain their well-being. For example, without regular system health checks, personal computers may be exposed to the latest vulnerabilities if the patch level is not up-to-date. Therefore, the protection of personal computers, though neglected at times, should be made the top priority for any computer user.

The following paragraphs will introduce eight essential protection areas for users to secure usage of their personal computers.

1 – Cookies and Plug-in

Software vulnerability is not limited to software installed on top of the operating system; the Internet browser is another security concern that users should be aware of.

Cookies [2] – A cookie is a small piece of data that helps the browser track user behaviour and the websites the user has visited. Even though a cookie itself does not contain malware or carry any virus, it still raises concerns about user privacy. Authentication cookies issued by websites may expose users to potential man-in-the-middle attacks. With the help of cookies, hackers can easily access the website using the victim’s personal information and fish for financial gain.

Protection of Personal Computer
Best Practices for General User

Figure 1 – The statistics of browser plug-in vulnerabilities [3]

Cookies Removal [4]:

Although cookies may not pose any threat to our software, they could expose user privacy, such as user login ID, password and other Internet surfing habits. Users may find the following instructions useful if they wish to remove cookies.

Plug-in [5] – A plug-in is a software component that adds a specific feature to an existing software application. The most common plug-ins are web browser plug-ins such as Adobe Flash player, Apple QuickTime player and Oracle Java.

The most crucial browser plug-ins are Microsoft Active-X, Adobe Flash and Oracle Java; users should update these plug-ins from Microsoft, Adobe and Oracle when prompted. Do not accept any update request for Active-X, Flash or Java from untrustworthy websites. Users should be careful when opening unsolicited attachments from email messages; the use of anti-spyware software is also appropriate for the protection and scanning of incoming documents, not only those from websites.

ATTENTION: As users may be using browsers of different versions, the steps explained below may be slightly different:

For Google Chrome version 14 or above:

1. Select Options from the wrench button in the upper-right corner of the Chrome window.
2. In the page of Options, click Under the Hood.
3. At Privacy section, click Content Settings.
4. At Cookies section, click All Cookies and Site Data.
5. Click Remove All button to delete all cookies.

Figure 2 – Google Chrome setting about Cookies

For Mozilla FireFox version 37.0.1 or above:

1. Select Tools, Options of FireFox pull down menu.
2. In the page of Options, click Privacy tab.
3. At Privacy section, click Show Cookies button, click Remove All.

Figure 3 – Mozilla FireFox cookies setting

For Apple Safari version 5 or above:

1. Select Gears menu in the upper-right corner of the Safari window.

2. Click Reset Safari.
3. Check the last item, Remove all website data, and uncheck the remaining items if you would like to remove cookies only.

Figure 4 – Safari cookies setting

For Microsoft Internet Explorer, the latest version is highly recommended:

1. Select the menu from top-right corner of the browser window, choose Internet Option (This is also available from Control Panel).
2. Select the General tab from the Option window.
3. Click Delete under Browsing History.
4. Select Cookies and Website Data, click Delete.

Figure 5 – Internet Explorer browsing history setting

Browser Plug-in Management [6]:

Unlike cookies, a plug-in works as part of the browser application. Plug-ins sometimes not only slow down Internet browsing but also introduce security holes, Java in particular. Users can disable any plug-in which is no longer used or one that poses a security concern.

For Google Chrome, click the option button in the top right corner and choose Extensions. Extensions (plug-ins) in the list can be disabled by unchecking the boxes, or removed altogether:

Figure 6 – Google Chrome extensions setting

For Mozilla FireFox, choose Tools, Add-ons to select which add-on (plug-in) to disable (deactivate):

Figure 7 – Mozilla FireFox Add-on setting

For Apple Safari, the setting page can be found in Preferences page. Safari does not install any Extensions (plug-in) by default.

To disable all extensions, simply check the OFF button as shown below:

Figure 8 – Safari extension switch

For Internet Explorer, select Programs tab from Internet Option window, choose Manage add-ons.


A list of installed plug-ins is shown in the Manage add-ons window; users can right-click a specific plug-in to choose either Enable or Disable:

Figure 9 – Internet Explorer add-on setting

2 – Software Patching

A patch is a small program that not only fixes security vulnerabilities but also improves software usability and performance. Patch update is a MUST for keeping the operating system and software at an up-to-date security level, regardless of the operating system and software employed.

How does patch secure our computer? [7]

New patches become available to handle new threats throughout the regular audit process. After comprehensive testing, deployment and review, the operating system and applications are deemed to be secure against malware attack. This audit cycle comes to a halt when a new version of the operating system or application is released.

Updates for both the operating system and applications should be configured to install automatically.

Users should neither ignore the update notification messages from the software vendor nor disable the update function. During a patch update process such as Windows Update, users can still use the computer as usual, but a reboot is required for the changes to take effect. Users should make sure that current files are saved before clicking the reboot button.

What kind of operating system and application needs patching? Windows from Microsoft, Mac OSX from Apple, UNIX, and Linux, including CentOS or RedHat, all require regular patching. Applications such as Adobe Reader, Flash, Shockwave and Microsoft Office 2007 or above, and signature-based antivirus software such as McAfee and Norton 360, all need to be updated regularly.

For Windows, users can check the default settings of Windows Update and make sure it will download the latest patches from official Microsoft sources and install them automatically.

Figure 10 – Patch Cycle

Figure 11 – The default setting of Windows Update is “Install updates automatically (recommended)”

3 – Computer Update

While hardware updates such as BIOS updates rarely happen, such a release aims at fixing a certain critical vulnerability or hardware fault. Users need to ensure that all data has been backed up and AC power is connected before performing an update of this kind. Most computers now only allow the user to update the BIOS when AC power is plugged in. Other hardware updates are mainly driver-driven, which means that a new driver for specific hardware is released to fix a hardware vulnerability. Users should pay attention to the source of a driver update: it should be downloaded only from the official website of the hardware vendor, such as Lenovo.

4 – Antivirus Signature Update

Antivirus update is essential because it enables the system to block any known attack. Therefore, users should follow the update instructions when prompted. Most of the well-known antivirus programs are now bundled with a firewall, which is another defensive setting that prevents remote attack; users MUST NOT DISABLE it.

Users can check and update the antivirus manually, but the software will perform the update automatically. Figure 12 is an example of the Norton Security setting for user reference.

5 – Password Management

A password functions as the key to open the door. Good password practice can help prevent unauthorized access to the computer system.

Below are best practices for users to strengthen password protection: 1) create a strong password, 2) do not share the password, 3) change the password regularly, 4) do not configure accounts without password protection. Users may also consider using password manager software to store their passwords securely and retrieve them when necessary.

Users can refer to a previous JUCC newsletter for more details about best practices of password management. [8]

6 – Spyware or Malware Awareness

Whenever connected to the Internet, a computer can become the target of all forms of remote attacks. Users should be wary of the suspicious website links (URLs) received via email system and instant messaging applications such as Skype, and never set the browser to accept cookies automatically. Most of the antivirus programs should be able to detect if a website link is safe to browse or if it contains malicious code.

Figure 12 (screenshot callouts): Signature is out-dated. Click “Live Update” for signature update. Updating is in progress.

7 – Regular System Backup

The main objective of system backup is to resume the operating system functions when it accidentally crashes, or when it does not boot normally after certain patches are applied. System backup is different from backing up files and folders in that system backup clones an image of the entire operating system and application environment for recovery purposes.

This task may take longer to complete, depending on the number of applications installed and the operating system patching level. Users are highly recommended to perform system backup when the computer is idle with minimum activity, to speed up the process. Under the Windows operating system, users can choose to create a system image under the backup and restore control panel item.

8 – Software Download and Installation

There are all kinds of software and freeware available on the Internet. However, users must be cautious and select carefully before installing them. Users should always verify the source of the downloaded files; downloading only from the official website is highly recommended. Also, users should make sure the operating system is compatible with the programs.

Essential Security Checklist

For the daily usage of a personal computer, users should perform essential security checks to ensure that the computer system is secure. The checklist focuses not only on system settings but also on users’ computing habits.

Healthy computing habits include turning off Bluetooth and WiFi when unnecessary, enabling the pop-up blocker in the browser and disabling widgets. Users should always make sure that the firewall and antivirus software are both up-to-date.

One crucial habit always ignored by users is the regular cleaning of the touch screen and keyboard, which can reduce the risk of password guessing from fingerprint traces. Users should also bear in mind the reliability of websites: never download and install any fonts or freeware from an untrusted site, as mentioned earlier in this article. Also, when a computer is left idle, it is better to lock the screen with a password.

In addition, the free space in the computer system is important not only from the functional point of view; it is also a security concern, as malicious software can take up a lot of available space in the system. There is no standard answer for the recommended percentage of free storage space, as different operating systems have different disk space requirements.

Another important checkpoint is the DNS server setting of the personal computer. DNS server information is provided by an Internet Service Provider (ISP) when the Internet connection is made. The illustrations below show the steps to check the DNS server setting on the Windows platform:

Type “Command” at the Windows Start Menu:

Figure 13 – Windows command prompt starting

Then key in the following command at the Command Prompt:

IPCONFIG /ALL

It shows the existing IP address and DNS server settings, which may change when another network is connected:

Figure 14 – DNS setting

An abnormal change of the DNS server setting can imply several security risks [9], such as users being diverted from the real banking site to a fake one (refer to Figure 15). Users should check and make sure the DNS server settings are correct when using different networks (school, home and café free WiFi).

Figure 15 – Illustration of DNS Hijacking (panels: “When DNS functions normally”, a request for www.abcbank.com reaches www.abcbank.com; “When DNS hijacking happens”, a request for www.abcbank.com ends up at www.abc-bank.com)
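The DNS check described above can also be scripted. The following Python code is an added example, not part of the original newsletter: it reads the text printed by IPCONFIG /ALL, collects the DNS servers of each adapter (including servers listed on continuation lines) and reports any server that is not on a list the user trusts. It assumes the English-language output layout; the sample output, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of English-language `ipconfig /all` output (documentation
# address ranges only). The second DNS server sits on a continuation line.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-EXAMPLE

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : campus.example
   IPv4 Address. . . . . . . . . . . : 192.0.2.25(Preferred)
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       2001:db8::66
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "Label . . . . : value" -> (label, value); the first colon is the separator.
PROP = re.compile(r"^(\S.*?)[ .]*: ?(.*)$")


def _to_ip(token):
    """Return a normalised address string, or None if token is not an IP."""
    try:
        return str(ipaddress.ip_address(token.split("%")[0]))  # drop IPv6 zone id
    except ValueError:
        return None


def parse_dns_servers(text):
    """Map each adapter name to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if indent == 0:        # section header, e.g. "Wireless LAN adapter Wi-Fi:"
            adapter = body.rstrip(":") if body.endswith(":") else None
            in_dns = False
        elif indent < 10:      # lightly indented property line
            m = PROP.match(body)
            in_dns = bool(m) and m.group(1) == "DNS Servers"
            if in_dns and adapter and _to_ip(m.group(2)):
                result.setdefault(adapter, []).append(_to_ip(m.group(2)))
        elif in_dns and adapter and _to_ip(body):  # continuation of the DNS list
            result.setdefault(adapter, []).append(_to_ip(body))
    return result


def unexpected_dns(text, trusted):
    """Return {adapter: [servers]} for servers absent from the trusted list."""
    allowed = {_to_ip(t) for t in trusted}
    flagged = {}
    for adapter, servers in parse_dns_servers(text).items():
        odd = [s for s in servers if s not in allowed]
        if odd:
            flagged[adapter] = odd
    return flagged


if __name__ == "__main__":
    # Hypothetical list of resolvers the user noted down for the campus network.
    print(unexpected_dns(SAMPLE, ["192.0.2.53", "192.0.2.54"]))
```

To use it on a real machine, save the output of IPCONFIG /ALL to a text file and pass its contents in place of SAMPLE, with one trusted list per network (school, home).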

To sum up, users should always be aware of insecure practices and software which can cause harm to the system via the Internet connection. The table shown below is the essential security checklist for personal computer users.

Item  To-do List                                                     Checklist
1     Disable widgets when not in use                                [ ]
2     Keep certain amount of disk space free                         [ ]
3     Check DNS server settings                                      [ ]
4     Turn off Bluetooth or WiFi when not in use                     [ ]
5     Turn on pop-up blocker from Internet browser                   [ ]
6     Do not install software or fonts from insecure web site        [ ]
7     Enable built-in Firewall                                       [ ]
8     Use reliable anti-virus software and update it when prompted   [ ]
9     Lock the computer with password protected when it is left idle [ ]
10    Clean keyboard and touch screen regularly                      [ ]

BEST PRACTICE

The computer protection methodologies mentioned here require the use of a privileged account, that is, an account in the “Administrators” group in Windows. If the daily usage of the computer system does not require any software installation and update, users are highly recommended to set up and use a non-privileged account (“Power User” in Windows) instead.

Security Incidents Affecting Personal Computers

How can system vulnerability affect our lives? Users can draw a lesson from the examples below:

Cybertheft Incident [10]

Former Secretary for Security Regina Ip Lau Suk-yee became one of the victims of an Internet scam earlier this year, as her email account was hacked and about HK$500,000 was transferred from her Swiss bank account. Although the bank stopped the transfer, Ip’s story reiterates the importance of constant vigilance against cyber security threats.

Unsecured devices open to attack! [11]

In March 2015, a group of self-described security “amateurs” discovered hundreds of devices connected to the Internet without any password protection. These devices, ranging from cameras to industrial control systems, are easy targets for exploitation as they can be easily turned on and off by a single click of the mouse.

Patch Adobe Flash now! [12]

Also in the same month, Adobe released a critical security patch for the Flash Player browser plug-in for users of Windows, Mac OSX and Linux systems. Although there have been no reports of the fixed flaws being targeted, it is believed that hackers are prone to attacking users who do not perform a timely update.

References

1. “HKSAR – Thematic Household Survey Report No. 50” January 2013. PDF. 20 April 2015
2. “Wikipedia – HTTP cookie” Web. 20 April 2015
3. “Symantec – Vulnerability Trends” Web. 20 April 2015
4. “PCWorld – How to Delete Cookies” 2 November 2011 Web. 20 April 2015
5. “Wikipedia – Plug-in (computing)” Web. 20 April 2015
6. “How-To Geek – How to View and Disable Installed Plug-ins in Any Browser” Web. 20 April 2015
7. “Wikipedia – PatchMgmt” Web. 20 April 2015
8. “Password Management – Best Practice for General User” Web. 6 May 2015
9. “Wikipedia – DNS spoofing”, “Wikipedia – DNS hijacking” Web. 6 May 2015
10. “News100 – Hong Kong lawmaker Regina Ip falls victim to HK$500,000 cybertheft” 5 May 2015. Web. 20 April 2015
11. “ComputerWorld – IoT’s dark side: Hundreds of unsecured devices open to attack” 6 June 2015. Web. 20 April 2015
12. “Patch Flash now: Google Project Zero, Intel and pals school Adobe on security 101” 12 Mar 2015. Web. 20 April 2015

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law.

A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:

[email protected]
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong