14 Golden Rules of Computer Security - Security Corner
Home > IT Blogs > Security Corner > 14 Golden Rules of Computer Security
>>VIEW ALL POSTS  

Security Corner

« Twitter Security: TwitBlock Blocks the Spammers
Have You Noticed? Phishing Attacks Are Down »
Aug 31 2009   2:05AM GMT

14 Golden Rules of Computer Security



Posted by: Ken Harthun
Security, Security management, Security tools, Opinion, Secure Computing, Security maxim

In celebration of (almost) being close to releasing my first eBook to the general public, I’m releasing the list of the 14 Golden Rules of Computer Security in hopes that any last minute errors will be spotted by my peers here at IT Knowledge Exchange. Here’s the list:

#1: The best security measures are completely useless if you invite attackers into your PCs or networks.
#2: A first, important step in securing your PC is to install  and configure a NAT router.
#3: Always change the default username and password of any configurable device you put on your home network.
#4: Use an un-guessable, or difficult-to-guess password always.
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the
folders or drives where the information is stored and use an un-guessable passphrase as  the encryption key.
#8: Physical security is  almost as important as data security. Make it as difficult as possible through any
physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
#11 Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA.
#14: If your email address will be visible to the public, obfuscate it.

In the book, each one of these rules is explained in detail with links to tools and other information.

I value your comments, so if I’ve left anything out, or you have issues with what I’ve posted here, let me know. I want this to be the best first edition it can be.

AddThis Social Bookmark Button     Comment     RSS Feed     Email a friend

Comment on this Post


You must be logged-in to post a comment. Log-in/Register

MichaelArgast  |   Aug 31 2009   3:34PM GMT

There are great things on this list, but also amazing is what is left off.

For example, you encourage people to go through all the effort of running Virtual Machines to protect themselves from malware, but you don’t actually encourage them to run Anti-Virus software. Which basically, unfortunately, means you’re violating rule #1 and much more likely to run into rule #12.

Likewise, you recommend a NAT router for home use, but no client firewall software. So, if you’ve got 3 machines at home and one gets infected, they likely all will be…

Your advice on password security is good (#4), but you should add “Don’t reuse passwords - for example on websites, etc”.

#13 - WPA with TKIP has been cracked already (WEP has been broken for years). Use WPA2 with AES, and turn off beaconing when possible. Use secure passwords for your wireless networks.

Lastly, was surprised to not see “When in doubt, a default closed policy is better than a default open one when it comes to security”. Lock down your firewall policy, don’t run as administrator, etc, etc.

A good list of security practices though, in general…

Michael, Security Analyst, Sophos


 

Ken Harthun  |   Sep 4 2009   12:51AM GMT

Michael, thank you for your insightful comments and critique.

I agree with you on all counts; however, in my defense, these rules are statements that have been boiled down from more lengthy discussions of the problem. I have also assumed certain out-of-the-box configurations of consumer PCs which normally include some flavor of Internet security suite that would have anti-virus and client firewall software.

That said, I intend to review my book and make it very clear what is assumed to be in place prior to the application of the Golden Rules.

Your help is greatly appreciated and you can be sure that your company’s products will be mentioned in the “Resources” section of the book.

Ken