Security Corner

Aug 31 2009   2:05AM GMT

14 Golden Rules of Computer Security

Ken Harthun

In celebration of being (almost) ready to release my first eBook to the general public, I’m posting the list of the 14 Golden Rules of Computer Security in hopes that any last-minute errors will be spotted by my peers here at IT Knowledge Exchange. Here’s the list:

#1: The best security measures are completely useless if you invite attackers into your PCs or networks.
#2: An important first step in securing your PC is to install and configure a NAT router.
#3: Always change the default username and password of any configurable device you put on your home network.
#4: Always use an un-guessable, or at least difficult-to-guess, password.
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the folders or drives where the information is stored and use an un-guessable passphrase as the encryption key.
#8: Physical security is almost as important as data security. Make it as difficult as possible through any physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
#11: Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection, signified by https:// in the address bar and a lock icon in the browser’s status bar.
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA.
#14: If your email address will be visible to the public, obfuscate it.
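Rule #11 says to look for https:// in the address bar, but the address bar only tells you how the page arrived; the form on that page can still post to a plain http URL, and an http page can be rewritten in transit so that its form posts anywhere. The following is an added example, not part of the original post or the book, that checks both conditions for every form on a page. The page URL, the HTML and the host name bank.example are constructed for illustration; the rule it implements (page and submission target must both be https) is the check a practitioner would actually run.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means "submit back to this page".
            self.actions.append(dict(attrs).get("action") or "")


def form_targets(page_url, page_html):
    """Resolve each form's action against the page URL, as the browser would."""
    parser = FormActionCollector()
    parser.feed(page_html)
    return [urljoin(page_url, action) for action in parser.actions]


def classify(page_url, target_url):
    """Verdict for one form: both the page and the submission must use https."""
    page_https = urlsplit(page_url).scheme.lower() == "https"
    target_https = urlsplit(target_url).scheme.lower() == "https"
    if not page_https:
        # Whatever the target, an http page can be altered in transit so that
        # its form posts wherever the attacker likes.
        return "insecure: page was loaded over http"
    if not target_https:
        # The address bar shows https, but the form posts in the clear.
        return "insecure: form submits over http"
    return "secure"


def audit(page_url, page_html):
    """Return (resolved target, verdict) for every form on the page."""
    return [(target, classify(page_url, target))
            for target in form_targets(page_url, page_html)]


# Constructed sample page for illustration; bank.example is not a real site.
PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><body>
  <form action="/do-login" method="post">
    <input name="user"><input name="pass" type="password">
  </form>
  <form action="http://bank.example/survey" method="post">
    <input name="comment">
  </form>
  <form method="post">
    <input name="otp">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for target, verdict in audit(PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:34s} {target}")
```

The second form in the sample is the case the lock icon hides: the login page itself is https, yet the survey form would send its contents unencrypted. The check does not validate the certificate or the host name, so a convincing look-alike domain served over https still passes; that is a separate verification.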

In the book, each one of these rules is explained in detail with links to tools and other information.
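Rule #14 says to obfuscate a publicly visible address without saying how, or what the obfuscation actually defeats. The following is an added example, not part of the original post or the book, showing one common technique (encoding each character as an HTML character reference) against two kinds of harvesting bot: one that regex-matches raw page source, and one that decodes entities first. The address alice@example.com and the scraper pattern are constructed for illustration.

```python
import html
import re

# The kind of pattern a harvesting bot runs over raw page source.
SCRAPER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def obfuscate_entities(address):
    """Encode every character as a decimal HTML character reference.

    A browser renders it as the plain address and a mailto: link still works;
    the raw source contains no literal '@' for a regex to find.
    """
    return "".join(f"&#{ord(ch)};" for ch in address)


def mailto_link(address, obfuscate=True):
    """Build the <a href="mailto:..."> markup, optionally obfuscated."""
    shown = obfuscate_entities(address) if obfuscate else address
    return f'<a href="mailto:{shown}">{shown}</a>'


def obfuscate_words(address):
    """Human-readable form such as 'alice [at] example [dot] com'.

    Survives entity-decoding bots, but is not a clickable link.
    """
    local, domain = address.rsplit("@", 1)
    return f"{local} [at] {domain.replace('.', ' [dot] ')}"


def browser_renders(fragment):
    """What a visitor sees: the browser decodes the character references."""
    return html.unescape(fragment)


def naive_scraper(page_html):
    """Bot that matches the raw source as-is."""
    return sorted(set(SCRAPER_RE.findall(page_html)))


def decoding_scraper(page_html):
    """Slightly smarter bot: decode entities, then match."""
    return sorted(set(SCRAPER_RE.findall(html.unescape(page_html))))


ADDRESS = "alice@example.com"  # constructed example address

if __name__ == "__main__":
    plain = mailto_link(ADDRESS, obfuscate=False)
    hidden = mailto_link(ADDRESS)
    print("obfuscated markup:", hidden)
    print("naive bot, plain markup:   ", naive_scraper(plain))
    print("naive bot, obfuscated:     ", naive_scraper(hidden))
    print("decoding bot, obfuscated:  ", decoding_scraper(hidden))
    print("decoding bot, words form:  ", decoding_scraper(obfuscate_words(ADDRESS)))
```

Entity encoding stops only the laziest bots; anything that runs the source through an HTML decoder recovers the address, as the decoding scraper shows. The "[at] ... [dot]" form holds up against that, at the cost of the link no longer being clickable, which is the trade-off to weigh when applying rule #14.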

I value your comments, so if I’ve left anything out, or you have issues with what I’ve posted here, let me know. I want this to be the best first edition it can be.

3 Comments on this Post

  • MichaelArgast
    There are great things on this list, but also amazing is what is left off. For example, you encourage people to go through all the effort of running Virtual Machines to protect themselves from malware, but you don't actually encourage them to run Anti-Virus software. Which basically, unfortunately, means you're violating rule #1 and much more likely to run into rule #12. Likewise, you recommend a NAT router for home use, but no client firewall software. So, if you've got 3 machines at home and one gets infected, they likely all will be... Your advice on password security is good (#4), but you should add "Don't reuse passwords - for example on websites, etc". #13 - WPA with TKIP has been cracked already (WEP has been broken for years). Use WPA2 with AES, and turn off beaconing when possible. Use secure passwords for your wireless networks. Lastly, was surprised to not see "When in doubt, a default closed policy is better than a default open one when it comes to security". Lock down your firewall policy, don't run as administrator, etc, etc. A good list of security practices though, in general... Michael, Security Analyst, Sophos
  • Arian Eigen Heald
    Michael, thank you for your insightful comments and critique. I agree with you on all counts; however, in my defense, these rules are statements that have been boiled down from more lengthy discussions of the problem. I have also assumed certain out-of-the-box configurations of consumer PCs which normally include some flavor of Internet security suite that would have anti-virus and client firewall software. That said, I intend to review my book and make it very clear what is assumed to be in place prior to the application of the Golden Rules. Your help is greatly appreciated and you can be sure that your company's products will be mentioned in the "Resources" section of the book. Ken
  • Michael Larsen
    It's been a few years since this message was posted (and I came to it from another discussion about cyber security) and it emphasizes a point from that later article I wanted to make. This list is a good rubric for looking to secure and not step into obvious areas of trouble. It would be interesting to see how this would be updated for the virtualized space becoming more prevalent and the mobile software that now pervades our world. It may be a bit premature, but it strikes me that we have forgotten many of these lessons when it comes to mobile devices.
