Internet Security Guidance

With the increasing real risk of abuse on the internet, cyber security is increasingly important and you are strongly commended to consider and implementing the following and creating/nurturing a culture within the business/organisation of awareness, good practice conscious behaviour, and understanding of the real potential and actual risks. Just imagine what it might be like for a Hacker to access your social media – look at takethislollipop.com. No, this is not for real and you have not been hacked, simply an online program to provide food for thought!

1. Ensure you have your firewall set up on all devices used be it desktop, laptop, tablet, or mobile. Disable all unnecessary service features that may be included in the firewall package.

2. Disallow all connection attempts to and from us inside unless you are sure that this is what you want and is authorised. Allowing any inbound connections to your system provides a mechanism hackers might be able to exploit to establish connections to Trojan horses or by exploiting bugs in service software.

3. Do not rely upon Windows ISA Server built-in filtering alone to protect your connection.

4. Do not use simple packet filtering or packet-filtering services from the Internet Service Provider (ISP) as a replacement for application-layer firewalls. They are not as secure.

5. Make sure there is no way for a hacker to tell which firewall product is in use.

6. Never publish a list of user or employee names on the Web site. Publish job titles instead.

7. Set the TCP/IP stacks to accept connection only on ports for services that machine specifically provides.

8. Install the latest version of the operating system software. Check your computer or device for update, better still set-up for auto updates to ensure that this occurs.

9. Do not allow clear text-password authentication.

10. Record the IP addresses of the source computers, (assuming they look valid), and try to determine the source of the attacks so legal measures can be taken to stop the problem.

11. As a part of security conscious awareness, make sure users know to report all instances of denial of service whether they seem important or not. If a specific denial of service cannot be correlated to known downtime or heavy usage, or if a large number of service denials occur in a short time, a siege may be in progress.

12. Great care must be taken when downloading information and files from the Internet to safeguard against both malicious code and also inappropriate material.

13. Avoid using one of the smaller Internet service providers. Hackers frequently target them as potential employers because they often have less security awareness and may use UNIX computers, rather than dedicated machines, as gateways and firewalls-making spoof attacks easy to perpetrate. Ask the service provider if they perform background checks on technical service personnel, and reject those that say they do not.

14. Plan and have regularly tested to ensure that damage done by possible external cyber crime attacks can be minimised and that restoration takes place as quickly as possible. Check with your online provider as to what measures they have in place in this event. Try and undergo an ‘APR’ – Aware – Intelligent insight to monitor evolving threats and anticipate risks. Prepare – Setting and implementing the right technology and cultural strategy to manage evolving cyber threats. Respond – Crisis management, diagnostics and solutions so you can minimise the material impact of cyber attacks in real time at any time. You can visit also ‘Google Digital Attack Map’ and ‘Digital Attack Map’ – simply use a web browser search engine and use the named description phrases as key words to find.

15. In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed whilst maintained at all times.

16. Have procedures to deal with hoax virus warnings are to be implemented and maintained.

17. Antivirus software is to be deployed across all PC’s with regular virus defining updates and scanning across servers, PC’s and laptop computers + tablets. For Mac’s please visit their website.

18. Personnel (be they paid or unpaid staff/volunteers), should understand the rights granted to them by your business/ organisation in respect of privacy in personal e-mail transmitted across the business/organisation systems and networks.

19. Confidential and sensitive information should not be transmitted by mail unless it is secured through encryption or other secure means.

20. E-mail should be considered as an insecure communications medium for the purposes of legal retention for record purposes. With the usage of digital signatures and encryption, reliance upon e-mail may soon be available; however, if in any doubt, treat e-mail as transient.

21. External e-mail messages should have appropriate signature footers and disclaimers appended (E-mail Signature File). A disclaimer is particularly important where, through a miss-key, the e-mail is sent to an inappropriate person. The disclaimer should confirm the confidential nature of the e-mail and request its deletion if the addressee is not, in fact, the intended recipient.

22. You should not open e-mails or attached files without ensuring that the content appears genuine. If you are not expecting to receive the message or are not absolutely certain about its source do not open it.

23. (a) If you have ANY e-mail or message that image wise look legitimate but you are not sure please DO NOT click and open it. It will tell and alert the Hacker you mail box is live and can then monitor you – how many people have had spam mail unwittingly from genuine friends who did not know have accessed their e-mail box (and looked at the undeleted ‘sent’ e-mails which will likely be almost full with the e-mail addresses of everyone you have contacted).

(b) Instead point your cursor over the URL link and simultaneously on down the command key button. This will show you options two of which are open in ‘new tab’ or ‘new window” in your browser. Point one of these and release so that it does this. This way the hacker does not know you are have done this. You will see the URL address on at the top of your browser as it is opening.

(c) It is almost a certainty that in most cases when you look at the web address it will not be the company purporting to be where it is coming from, e.g. It will be PayPal dot com or PayPal dot co.UK but an entire altered redirection website which will have been set up to image something like the login web page of the legitimate site. NEVER, EVER, pleeesssee proceed to login – it is a fake and you will compromise your security login and your identity with potentially serious implications. As this point you can clearly see it is not from whom it is purported to be. Simply closure the window.

d) Secondly, where personal data, especially where payment is required, e.g. bank, eBay, PayPal, Amazon etc, the web address (not matter whether it is a big well known business or a small one), will begin with HTTPS. If it does not end with the ‘s’ – no matter even if it is a genuine website and you know them, never every make a payment or provide details. ‘s’ = secure – the opposite is obviously = unsecured so can be infiltrated and again cause you potential problems and loss of data.

(e) Lastly, as simple good housekeeping practice, (1) if you have accessed a website that it not legitimate or where you have given personal data, go to your ‘settings’ in your browser(s) and locate the ‘cookies’ and delete all of these. A little frustrating as you will be used to starting to type regular sites visited and it will automatically find, but you can rebuild this again. Best where you have regular sites, e.g. Facebook, save to your web browser(s) ‘favorites’ – no not misspelt, bless the USA in differing from tomato and tomarto!!

d) Have anti-virus software installed (and always set the software to auto-update), irritating when in the middle of some task on screen that this will suddenly come to the forefront, but this is in your interest as it will update the definitions – which more often than not are updates against the latest threats and will isolate such things as considered virus-infected e-mails.

Sounds a lot to do, but when you do, it is barely takes a few moments and will help reduce eCyber threats and risks particularly the most common ones that people inadvertently fall into.

24. Users should be familiar with general e-mail good practice e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organisational value should on the other hand be regularly purged or deleted from your system.

25. Use standard TEXT (ASCII) messages where possible; these are both smaller, (in terms of file size), and are less able to ‘hide’ executable code e.g. HTML-based e-mails which can ‘run’ upon opening.

26. The sending of inappropriate messages should be prohibited including those, which are sexually harassing or offensive to others on the grounds of race, religion or gender.

27. The ‘Cyber Streetwise’ campaign aims to change the way people, (you and I), view online safety and provide the public + businesses with the skills and knowledge they need to take control of their cyber security. The campaign includes a new easy-to-use website and online videos.

28. It is also worth visiting and engaging with the ‘Get Safe Online’ website – a unique resource providing practical advice on how to protect yourself, your computers and mobiles device and your business against fraud, identity theft, viruses and many other problems encountered online. It contains guidance on many other related subjects too – including performing backups and how to avoid theft or loss of your computer, smartphone or tablet. Every conceivable topic is included on the site. There is also guidance on protecting your website, backing up your website, and working towards ways of protecting your products/services from pirates.

29. Registering, if not already done so with the DMCA will help slightly in locking down copying of your site.

30. Added to this is the Publishers Licensing Society PLSClear scheme.

31. Even the major Publishers have an issue and set up their own sites to report this so that they go through the motions of having the sites involved reported to sources such as Google and taken down.

32. Norton Identity Safe available by using your search engine and type in these three words can hep you get a Safe Web rating for every website you visit, plus get one-click access to your favourite sites.

33. For further informative reference, please download the IT Governance publication entitled “Cyber Security: A Critical Business Risk”, again available by typing in this total in your search engine to get the URL link to access the material.

34. The Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK, is a joint industry-government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and therefore reduce the impact on UK business. CiSP allows members from across sectors and organisations to exchange cyber threat information in real time, on a secure and dynamic environment, whilst operating within a framework that protects the confidentiality of shared information. For other sources to help consideration on the subject please visit Microsoft Security TechCenter and CERT-EU.