Computer Security Basics: A Partial Checklist
Posted by Digital Resistance on April 24, 2011
The following is a partial checklist of some of the most basic, essential computer security precautions to take, which I originally wrote for family and friends. I welcome comments and corrections.
Regardless of anything else, always make sure that all of your essential data is properly backed up: Keep at least two copies in two separate, secured locations. Three for anything truly irreplaceable that you can’t stand the thought of losing. External drives are generally the most practical media to use for backup. For a little more on backup, see my post Backup Should Always Come First.
1.) Use Strong Passwords
Protect all of your accounts with secure passwords.
It is also essential, for any hardware (such as a router) that comes with a default password, to change it to a secure one.
To be secure, a password should be at least eight characters in length and contain a mix of upper and lower case letters as well as numbers and special characters (& ! # _ – , etc.).
Never choose a dictionary word or something like an address, phone number or child’s name that is easily guessable or obtainable for a password.
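The two rules above as a check, added here as an example and not part of the original post; it shows that a password can satisfy the length-and-mix rule and still be a decorated dictionary word. The function name, the tiny word list and the sample personal items are constructed for illustration.

```python
import re

# Constructed stand-in for a real dictionary file; a real check would load a full word list.
SAMPLE_WORDS = {"password", "dragon", "sunshine", "welcome", "monkey"}


def password_problems(password, personal_items=(), words=SAMPLE_WORDS):
    """Return a list of ways the password breaks the checklist's rules."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "upper case letter": r"[A-Z]",
        "lower case letter": r"[a-z]",
        "number": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")

    # Strip the digits and symbols people append to satisfy the mix rule,
    # then see whether what is left is just a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in words:
        problems.append("dictionary word with decoration")

    # Addresses, phone numbers and names: compare with separators removed.
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    for item in personal_items:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 4 and token in squashed:
            problems.append(f"contains personal item: {item}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords and personal items.
    for candidate in ("Password1!", "Emma#555-0142x", "tR7#qLm2&vXw"):
        print(candidate, password_problems(candidate, ["Emma", "555-0142"]))
```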
2.) Keep Your OS and ALL of Your Programs Updated
It is essential to keep both your operating system (whether Windows, Mac, GNU/Linux or other) as well as all of the programs on your computer updated. Vulnerabilities are continually being discovered, exploited and patched. For more on this, see my post Keeping ALL of Your Programs Updated.
3.) NAT Router: 1st Line of Defense Against Intrusion
A NAT router is a hardware-based firewall that, assuming you have any kind of broadband connection* (cable, DSL, fiber-optic), should be your computer’s first line of defense against outside intrusion. If you have a DSL or cable modem, it may already have a built-in NAT router. If not, you can purchase one separately.
NOTE: Always be sure to change the default password on a router to a secure password. (see #1 above)
One way to check whether or not you are behind a NAT router is by running an online port scan. This can also be done to test the effectiveness of any software firewall you may be running.
To check whether or not you are behind a NAT router, you must first disable any software firewall you may have before running the scan. (This applies whether it is the firewall that came with your operating system, such as the Windows or Mac firewall, or a third-party program that may either be part of a security suite that includes anti-malware protection or a stand-alone firewall program. All of these are software firewalls that must be disabled in order to test for the presence of a NAT router.)
The most popular online port scan is probably Gibson Research Corporation’s Shields Up!!, the direct URL to which is https://www.grc.com/x/ne.dll?bh0bkyd2
You can also get there by going to the GRC home page (www.grc.com) and then, from the drop-down menu under the “Services” tab at the top of the page, selecting “Shields-Up!” (should be the first option listed).
A welcome page will then appear displaying your host name and IP address. Click “Proceed” and then on the next page select “All service ports”.
Two Notes Here: First, if you get a warning about switching between a secure and insecure connection, just ignore it and click “continue” or “okay”. (Don’t ask me why, after years of widespread use, this still happens.) Second, before clicking on “All Service Ports” or any of the other selections, be sure that the page has completely finished loading. Otherwise, you may go around in circles, continually being redirected to the welcome page. At least that’s what happened to me when I clicked on any of the selections before the page had finished loading.
Another online scanner that I am familiar with and use often is that offered by PC Flank at http://pcflank.com/scanner1.htm
I recommend running both and comparing the results. Both are freely available, without any charge or need to register.
If the scan shows that any of your ports are open, then you are not behind a NAT router, at least not one that is functioning as it should.
Even if the scan does not find any open ports, however, it does not necessarily mean that you are behind a NAT router. The ports may be closed by your ISP and/or operating system itself and none of the online scans that I am aware of check all (or anywhere close to all) of the 65535 ports your computer has.
If you are not sure whether or not you have a NAT router or need any help with properly setting up and securing a NAT or wireless router or anything else directly related to your Internet connection, one avenue of support (perhaps even the first one) that you may wish to try is the tech support offered by your ISP.
Whether or not it is actually necessary, or even desirable, to have all of your ports “stealthed”, as opposed to merely closed, is a matter of dispute. But you certainly should not have any ports open.
To test your software firewall, you must do the opposite of the procedure outlined above: make sure it (your firewall program) is running and that your NAT router is off and then run the port scan.
Remember to turn everything back on after testing.
*While routers are not generally associated with dial-up (Internet connections made through ordinary analog telephone lines, known as POTS for Plain Old Telephone Service), I recently came across a post somewhere at an online forum that claimed that there are certain routers to which dial-up modems can, in fact, be connected. I would welcome any info or comments on this.
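A local complement to the online scan, added here as an example and not part of the original post: since a clean scan can also mean the ISP is filtering or the scanner skipped most of the 65535 ports, listing which TCP services your own machine is listening on shows what would be reachable without the router. It assumes Linux, IPv4 and a little-endian CPU; the function names and the sample table are constructed for illustration.

```python
import socket
import struct

# Constructed sample in the Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0500A8C0:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0500A8C0:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1
"""

TCP_LISTEN = 0x0A


def parse_listeners(text):
    """Return (ip, port) pairs for sockets in the LISTEN state, sorted by port."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a host-order 32-bit value;
        # "<I" assumes a little-endian machine (x86, most ARM).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return sorted(listeners, key=lambda p: (p[1], p[0]))


def reachable_without_router(listeners):
    """Ports bound to a non-loopback address: what a scan could reach if no
    NAT router or software firewall stood in front of the machine."""
    return sorted({port for ip, port in listeners if not ip.startswith("127.")})


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:      # live data on Linux
            data = fh.read()
    except OSError:
        data = SAMPLE_PROC_NET_TCP             # fall back to the constructed sample
    found = parse_listeners(data)
    for ip, port in found:
        scope = "local only" if ip.startswith("127.") else "network-facing"
        print(f"{ip}:{port}  {scope}")
    print("exposed without NAT/firewall:", reachable_without_router(found))
```

Any port in the last line that you do not recognise is a service to identify and, if unneeded, turn off, whatever the online scan reported.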
4.) Precautions When Using Public WiFi
- Do not use public WiFi for anything sensitive without, at the very least, being absolutely certain that everything (the entire session and not just the login) is done over SSL encryption. (This means that the URL in the address bar of your browser must begin with httpS at all times.)*
Even with complete, end-to-end, SSL encryption, however, there still exists the risk of man-in-the-middle (MITM) attacks. These are where an attacker intercepts an SSL connection, using forged credentials that evade detection. This is not that easily pulled off, however, and while I don’t know just how low the risk is, I am fairly certain that at least in most cases, it is relatively low. Nonetheless, and especially considering how many people are unlikely even to notice whether or not an entire session even occurs over SSL in the first place, it is best to wait until you are home or somewhere else with a secure connection before doing anything that involves the transfer of sensitive data.
- Be sure that any computer you ever connect to any type of public WiFi has an effective firewall.
This is necessary regardless of how otherwise careful you may be; merely connecting to any public or untrusted wireless network makes your computer vulnerable to any number of threats that only a firewall can protect against.
(*I know that this option can be enabled in Gmail:
Settings > General > Browser connection > Always use https
as well as WordPress: When logged-into your account, on the left-hand side of the page:
Users > Personal Settings > Browser Connection > check Always use HTTPS when visiting administration pages
There is also a Firefox add-on from the Electronic Frontier Foundation that will automatically redirect a number of sites to the SSL version where available.)
5.) Public Computers: DANGER!
Any publicly accessible computer, whether at an Internet café, library, hotel or anywhere else, must be assumed to have key-loggers and other traps that can capture your passwords and personal data. NEVER bank, shop or do anything else that involves the transfer of sensitive data on a public computer.
If you absolutely must access your email on a public computer, then enter your password using a method to foil keyloggers (see here) and then change your password as soon as you get to a secure computer.
6.) Securely Disposing of a Drive
Do not dispose of, give away or sell a computer without first removing or wiping the hard drive.
Merely deleting the data on a drive or even formatting the drive is not sufficient; unless properly encrypted, the data remains easily recoverable. The only ways to render the data on a drive unrecoverable are proper overwriting, also known as “secure deletion”, or physical destruction of the drive.
Note that merely overwriting individual files and folders or even all of the free space on a drive may not actually catch everything; some sensitive data could still remain. In order to be certain that no recoverable data remains, it is necessary to wipe the entire drive.
This can be done either via software utilities such as DBAN (Darik’s Boot and Nuke, a free and open source program that is used and recommended by Peter Gutmann) or via the ATA Secure Erase function that is built into most hard drives manufactured since 2001.
Recent research finds that Flash and solid state drives (SSDs) pose a special challenge; see:
Flash drives dangerously hard to purge of sensitive data
NOTE: Do not attempt to destroy a drive without first taking appropriate safety precautions. Also note that drives, like all computer components, contain toxic materials and require proper recycling or disposal. Never place a computer or computer component into ordinary trash.
For physically destroying hard drives, Dr. Gutmann recommends a complete do-it-yourself kit called DiskStroyer that retails for around U.S. $30.00.
7.) Online Financial Transactions
Consider doing any banking, shopping or other sensitive transactions from a Linux live CD or a separate, dedicated computer to be kept and used exclusively for such purposes.
Either option should bypass most of the malware and other vulnerabilities that are commonly present on the average user’s computer.