Security and Privacy guidelines

Submitted by zac on 2005, March 31 - 1:58pm.

Security and privacy

This category includes guidelines on firewalls, VPNs, data backups, anti-virus, anti-spam, anti-spyware, physical security, and associated best practices.

Computer security is a complicated topic, as it involves a great many different things, including network design, technology usage, user education and training. This section of the guidelines covers the common technological precautions that organizations should take. These recommendations are appropriate for most organizations, but may not be adequate for organizations with special or heightened security concerns.

Staff training
The first line of defense in computer security is user education. Organizations need to make sure that their computer users are aware of safe computing practices. This means that users know what to do in case they receive a suspected virus email, know what a social hack is and how to respond, know how to pick strong passwords, and know how to use the security features of their computer. Users without basic training in computer security can easily compromise network security. The organizational cost of one avoidable virus outbreak can easily exceed the cost of providing basic security training to your staff.

(Link to safe computing curriculum)

Firewall
Any computer with Internet access needs to have some form of firewall set up on its Internet connection to shield it from unauthorized external access. A firewall is the first line of defense against malicious hackers and rogue software. A firewall, at its most basic, is a filter that only allows authorized traffic through to the network or computer. For network installations, we recommend a basic NAT firewall. This technology is included in almost all routers, and provides strong protection against external threats. From outside the local net, a NAT firewall appears as a single, non-responsive computer, shielding computers on the network from external probing and manipulation. Computers with direct connections to the Internet should use software firewalls, which are integrated into OS X and Windows XP SP2, and are available as standalone products, such as ZoneAlarm, for Windows 2000.

Organizations with special security concerns may want to look into a more robust firewall that can filter out outbound connections as well. These filters can be programmed to allow only specific connections and content into and out of a network. These firewalls are more expensive than “consumer” NAT firewalls, and often require a properly trained consultant to set up securely.
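The behaviour described above (the network looks like a single, non-responsive host from outside) comes from the NAT device only forwarding inbound traffic that is the reply half of a connection a LAN host opened. The toy model below is an added illustration, not part of the original guidelines or of any router product; the addresses and ports are constructed from the documentation ranges.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatFirewall:
    """Toy stateful NAT: a translation table keyed by the public port it hands out."""
    public_ip: str
    next_port: int = 40000
    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host sends out: record the flow and rewrite the source to the public address."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, known in self.table.items():
            if known == flow:  # flow already mapped: reuse its public port
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Traffic from the Internet is forwarded only as the reply half of a flow a LAN host
        opened; everything else is dropped silently, so a probe sees no host at all."""
        known = self.table.get(pkt.dst_port)
        if known is None:
            return None  # no LAN host asked for this: drop, send nothing back
        lan_ip, lan_port, remote_ip, remote_port = known
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # mapped port, but not the peer the LAN host is talking to
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo() -> dict:
    """Constructed scenario: one web request from the LAN, its reply, and two outside probes."""
    fw = NatFirewall("203.0.113.5")  # constructed public address
    request = Packet("192.168.1.10", 51000, "198.51.100.7", 80)
    on_wire = fw.outbound(request)  # leaves as 203.0.113.5:40000 -> 198.51.100.7:80
    reply = Packet("198.51.100.7", 80, fw.public_ip, on_wire.src_port)
    return {
        "on_wire": on_wire,
        "reply_delivered_to": fw.inbound(reply),  # forwarded to the LAN host
        "ssh_probe": fw.inbound(Packet("192.0.2.99", 4444, fw.public_ip, 22)),  # dropped
        "port_guess": fw.inbound(Packet("192.0.2.99", 80, fw.public_ip, on_wire.src_port)),  # dropped
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result if result else 'dropped (no response)'}")
```

Note that the model drops without replying; a real device that answered probes with resets or ICMP errors would reveal that a host exists, which is exactly what the guideline's "non-responsive" wording is about.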

Virtual private networks
Virtual private networks (VPNs) are a technology that can allow secure access to a network from the public Internet. A VPN creates a secure encrypted tunnel between two points, allowing remote computers to access the local network. We recommend using hardware-based VPNs, which are often available integrated with an Internet router. These are easier to use and maintain than software-based VPNs. We recommend VPNs using the PPTP protocol, which is easier to set up than other protocols, and has clients integrated within the HSC recommended OS.

VPNs can be set up between two fixed points on the Internet, for instance between two offices, or can be open ended, allowing any device with the right credentials to access the VPN, which is useful for home users accessing a work network.

Data backups
Perhaps the most important security precaution an organization can take is reliable data backups. All computers need access to some form of backup system so that important data can be securely and reliably backed-up. We recommend that organizations use a centralized, network-based backup solution.

Though manual backups can be effective for very small networks or home offices, we recommend using a dedicated backup application, such as Dantz Retrospect, wherever possible. Retrospect is effective, easy-to-use, cross-platform software that allows administrators to manage the backup system from a server or a peer computer. Properly configured, an automated system is more reliable, easier to manage and maintain, and easier to recover data from.

We recommend hard-drive based backup systems, as opposed to more traditional tape-based backup systems. The cost of tape drives and tape media has been relatively stable, while the cost of hard drives has plummeted and their capacity has greatly increased. For most networks, hard drives are a cheaper, quicker, and easier to use option for backup than tape.

One drawback of a hard drive system is that it is not suitable for archiving data. Increasingly, organizations are facing reporting requirements that involve archiving and retaining data. For these purposes we recommend the use of CD-R or DVD-R technology to make archival copies of important data. Again, this is a lower cost and easier to use option (at least for modest amounts of data) than tape.

One key aspect of a reliable network is centralizing data. In addition to centralized file shares, it is also possible to centralize users' home directories (where a user's Documents folder, Desktop folder, and other data are kept). Organizations with client-server networks should investigate this option. For organizations that don’t have a server or centralized user accounts, be sure that the backup system backs up users' home directories on their computers. Dantz Retrospect has this feature built-in.

One thing to be aware of when setting up a backup system is the security of the media. Your backup hard drive or tape will contain all your organization's vital information. Be sure that this media is properly protected, both on-site and off-site.

(Link to backup procedures recommendations and details.)

Anti-virus
All computers need to have up-to-date anti-virus software installed and running. Symantec has donated their anti-virus software to the NPO sector through TSS. Buy it, install it, keep it up-to-date. For organizations with a server-based network, we strongly recommend using SAV Corporate Edition, which provides centralized management and update services, as well as providing AV protection to file servers.

For organizations hosting their own email server, we strongly recommend using a server-based anti-virus program. Many viruses transmit themselves via email, and catching them at the server, before they enter users' mailboxes, is key to eliminating these viruses from your network.

Anti-spyware and Anti-malware
In addition to anti-virus software, organizations should install anti-spyware/malware applications. Malware is software that disrupts the regular functioning of computers, monitors or spies on users, often inserting ads into or on top of web pages. This kind of software is often bundled with free programs or is installed by unscrupulous websites. Unlike viruses and worms, malware is not capable of propagating itself from computer to computer.

There are a large number of anti-malware programs available, and with the release of Microsoft’s beta anti-spyware product, there is a lot of uncertainty around spyware tools. At this time, we recommend Lavasoft’s Adaware and Spybot – Search & Destroy, both of which are free desktop tools. For larger networks, a centrally managed “enterprise” product, such as PestPatrol Anti-Spyware Corporate or Spy Sweeper Enterprise, may be more appropriate.

Malware prevention requires more user intervention and training than many other aspects of computer security. Users need to be aware of the implications of installing software on their computers, as most spyware piggybacks on “legitimate” software.

(Link to reviews of anti-spyware products)

Anti-spam
Email spam is a resource drain on NPO staff, and organizations should put in place anti-spam filters. Spam, though a serious issue, is becoming increasingly easy to limit to a minor distraction. Many anti-spam tools are effective, filtering out most spam with very few “false positives”.

If possible, use email server based anti-spam tools. Look for an ISP that provides spam filtering. If your organization operates an email server of its own, set up a spam filter on the server. There are a number of good free and low-cost tools available. To effectively use server-side filtering, you may need to train email users how to set up a simple filter in their email client to separate out the email the server tags as spam.

For organizations unable to use server-side filtering, there are a number of client-side spam filtering products available. Many email reading applications include reasonably effective spam filters, including the latest version of MS Outlook, Eudora Pro in paid mode, Thunderbird, and Apple Mail. For other mail readers, there are add-on filter products, such as Mailshell, available from TSS.
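The client-side rule that the server-side recommendation above asks users to set up is simply "act on the tag the server already added". The script below is an added example, not from the original guidelines or any product; it assumes the server adds SpamAssassin-style X-Spam-Flag / X-Spam-Status headers or a [SPAM] subject prefix (an assumption, since the guidelines name no server tool), and the sample messages are constructed.

```python
import email
import re
from email import policy

SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)")

# Constructed sample messages. The X-Spam-* headers stand in for whatever tag the
# organization's server-side filter adds (assumed SpamAssassin-style here).
SAMPLE_MESSAGES = {
    "newsletter": (b"From: news@example.org\nSubject: Weekly update\n"
                   b"X-Spam-Status: No, score=1.3 required=5.0\n\nHello\n"),
    "phish": (b"From: x@example.net\nSubject: Verify your account\n"
              b"X-Spam-Flag: YES\nX-Spam-Status: Yes, score=12.4 required=5.0\n\nClick\n"),
    "borderline": (b"From: a@example.com\nSubject: special offer\n"
                   b"X-Spam-Status: No, score=4.6 required=5.0\n\nhi\n"),
    "subject_tag": b"From: b@example.com\nSubject: [SPAM] cheap meds\n\nhi\n",
    "untagged": b"From: c@example.com\nSubject: lunch?\n\nno spam headers at all\n",
}


def folder_for(raw: bytes, threshold: float = 5.0) -> str:
    """Return the mailbox folder for one message, based only on what the server tagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # 1. Explicit verdict header: the one-line rule any mail client can express.
    if str(msg.get("X-Spam-Flag", "")).strip().lower() == "yes":
        return "Junk"
    # 2. Score header: lets a user tighten (lower threshold) or relax the server's verdict.
    m = SCORE_RE.search(str(msg.get("X-Spam-Status", "")))
    if m and float(m.group(1)) >= threshold:
        return "Junk"
    # 3. Some servers rewrite the subject instead of adding headers.
    if str(msg.get("Subject", "")).lstrip().upper().startswith("[SPAM]"):
        return "Junk"
    # No tag, or a clean verdict: leave it in the inbox rather than guessing client-side.
    return "Inbox"


def sort_mailbox(messages: dict, threshold: float = 5.0) -> dict:
    """Map each message name to its folder, so thresholds can be compared side by side."""
    return {name: folder_for(raw, threshold) for name, raw in messages.items()}


if __name__ == "__main__":
    for name, folder in sort_mailbox(SAMPLE_MESSAGES).items():
        print(f"{name:12s} -> {folder}")
```

The filter only trusts these headers because every message reaches the client through the organization's server, which adds or rewrites them; mail arriving by another path would carry whatever the sender chose to put there.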

http://www.techsoup.org/howto/articlepage.cfm?ArticleId=542&cg=searchter...

Physical security
The most overlooked aspect of data security is physical security. All the security measures put in place on a network won’t help you if someone steals the server. Organizations should make sure that servers and other key network components such as backup tapes and drives are secured, preferably in a locked cabinet.

Laptop computers are extremely vulnerable to theft. They should be locked down at all times, usually with a cable lock. Also be wary of leaving laptops in cars, as thieves are very adept at stealing them.

Confidentiality and Privacy
Many organizations have significant confidentiality and privacy responsibilities. In any case, organizations should have well defined data handling, privacy, and retention policies.

Data handling policies should address what data is retained, how long the data will be retained, how it will be transmitted and stored, and how it will be deleted / destroyed at the end of the retention period.

Privacy policies should address what data on clients, staff, and others is kept, how that data is handled, and who has access to that data.

A key aspect of privacy and confidentiality is keeping only the minimum necessary data.

Email insecurity
Email, for the most part, is an insecure medium, open to easy and undetectable interception. Email should not be used for transferring confidential or sensitive information, if at all possible.

Screen savers
Though screen savers are no longer needed for technical reasons (the screen burn-in problem has mostly been solved by CRT manufacturers), there are good security reasons for implementing password protected screen savers, so that when staff leave a computer, it will automatically lock, preventing unauthorized access. All the recommended OSs include this feature.

Contributors

Michael Schrecker, CompuMentor (authored content)

Elizabeth Curley O'Malley, CompuMentor (posted content)

Zac Mutrux, CompuMentor (made edit suggested by Don Cameron)

Security and Privacy guidelines

Submitted by donc on 2005, May 7 - 3:07am.

Guys this is a great article, so I hope you excuse a minor correction in the hope of avoiding confusion by readers.

Under the heading "Anti-Malware" you discuss Spyware and reference Microsoft's Anti-Spyware app - Yet Spyware is not Malware. To quote Webopedia:

Malware - (mal´wãr) (n.) Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse

and

Spyware - (n.) Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes.

Malware targets a machine - Spyware targets an individual. This is a very significant difference. A virus or Trojan is Malware, Spyware is, well, Spyware.

May I suggest renaming this heading to "Anti-Spyware".

Please keep up the great work!

Best rgds, Don

Good feedback

Submitted by zac on 2005, May 11 - 1:50pm.

Hi Don,

Thanks so much for your comments, I agree with what you say. May I be so bold as to point out that anyone can edit this page? Thank you for your suggestion--and--if you see again something you would like to change, I invite you to change it!

Zac

Zac Mutrux
Consultant and Commonist
CompuMentor

Wiki Document Mode v Thread Mode

Submitted by donc on 2005, May 13 - 9:28pm.

Hi Zac and thanks for the comment - I'm aware this is a Wiki and articles can be edited, however this particular article is signed by the author (listed under contributors), meaning it was posted in 'Document Mode' and netiquette says I should not edit the original - Plus I might miss something inherent in the author's intent and would not want to change his/her words directly without discussion or permission.

What's great is to see this Thread attached to the Document so we can discuss pros and cons and add to the content.

Cheers, Don

re: Wiki Document Mode v Thread Mode

Submitted by zac on 2005, May 17 - 10:07am.

Your reluctance to edit the document is understandable! I can see why you wouldn't feel welcome to futz with someone else's words.

Here on ConsultantCommons we're promoting a new protocol. If a document *can* be edited, then everyone is encouraged to do so. It makes sense that this isn't clear, though. I have started adding an invitation to the top of content I post, so the intent is more transparent.

At this moment I'm also working on an improved About page. I don't know if that will make it clear but I'll be sure to include mention of it.

Of course, it's totally acceptable to make comments on the article in lieu of editing directly. There are many ways for us to collaborate here.

Zac

Zac Mutrux
Consultant and Commonist
CompuMentor

Is collaboration possible on authored content?

Submitted by donc on 2005, May 17 - 1:12pm.

Zac thanks again for your comments, and I hope it's OK to use this particular article for collaborative potential examination...

I agree about the suitability of encouraging edits to articles written in the third-person. Factual references can be supported (or corrected) without unduly changing the meaning of an article. This I hope was inherent in my comments about Spyware and Malware. These are changes/references that can easily be verified and do not of themselves change the article in a major way.

What I'm not sure about is the ability to edit first-person (opinionated) commentary within an article... I.e. I disagree with the author concerning backup media (I would never recommend volatile and non-permanent media like a hard-drive be used in preference to tape for archival purposes), however this is my opinion and I respect the right of others to hold a different opinion. Should I edit the article to reflect my opinion? - Would the original authors then wish to re-edit the article back to his/her opinion? - We could get into a very serious loop :-)

Maybe the ability to edit commentary should be limited to articles written in the third-person, with first-person (opinionated) commentary either locked for edit and/or clearly identified as an opinion. Would it be possible to break articles apart in this manner? (to lock opinionated commentary against edit?) - I think this has as much to do with people learning how to write for a WiKi as it does people learning how to edit authored content.

Rgds, Don

Re: Is collaboration possible on authored content?

Submitted by zac on 2005, May 18 - 8:36am.

Don, you raise excellent points. Similar concerns were raised when I took an article from a blog and posted it here as an editable document.
http://www.consultantcommons.org/node/191

We are creating together the norms and standards that will govern the use of content on this site. It has been suggested that if we bring in a first-person article expressing opinion, that it be posted as a "page" (editable only by poster) instead of a "book page" (editable by group).

In the case of this particular author (CompuMentor/Michael Schrecker), I believe we want the document to be freely edited, copied, redistributed, etc. We have our original copy, so if we want to use it in a context that preserves a single point of view we can. We have posted the content here for anyone to use as they see fit within the terms of the license, however.

Perhaps the next step is to rev the document. Post a copy to another page and change the point of view from which it was written. That way we're not putting words in Michael's mouth by changing the text.

When it comes to opinion, I suggest that this is food for thought. Certainly people less perceptive than you will not be able to discern the difference between their opinion and what they think is a fact. By opening up the content we certainly run the risk that it will be altered in a way that we do not agree with. Such is the nature of collaborative content creation, I suppose.

I suggest the way to proceed is to have a discussion about the difference of opinion. Perhaps we can have a discussion on riders-tech about pro/con for different backup media, and post the results here on a page. Then the content becomes stronger because it reflects more than one point of view.

Or maybe, as a result of the discussion, it will become clear that hard drives are not a suitable backup medium. Or you will change your mind and decide that hard drives are suitable in certain circumstances.

Thank you, Don, for your perceptive commentary. This is exactly the kind of conversation we need to have at this point in the development of the site!

Zac

Zac Mutrux
Consultant and Commonist
CompuMentor

Re: Is collaboration possible on authored content?

Submitted by donc on 2005, May 19 - 1:06pm.

Zac, thanks again for the feedback. This is certainly an exciting initiative and I hope it grows into a great resource-base for NPO's.

A quick scan of the above article shows the phrase "we recommend" appearing 8 times. Recommendations are a great example of opinions that should not be edited, yet are suitable for collaborative input providing the integrity of original authored recommendations is maintained (i.e. recommendations are added to by contributors rather than being deleted or overwritten).

The easiest way I have found for this to occur on Wikis is by the use of authoring techniques that separate fact from opinion... for example the para:

"A firewall, at its most basic, is a filter that only allows authorized traffic through to the network or computer. For network installations, we recommend a basic NAT firewall".

...Can be re-written for a Wiki as follows:

A firewall, at its most basic, is a filter that only allows authorized traffic through to the network or computer.

(recommendations)

- For network installations, we recommend a basic NAT firewall.

(next point etc.)

Using this method contributors can easily add to a bullet-point list of recommendations. It doesn't matter if some recommendations are conflicting, in fact this would be a good thing because it offers a variety of perspectives to the reader.

Just some thoughts...

(observation: it would be great if when hitting "reply" to a comment on this forum the subject field was auto generated to avoid typos or disjointed threads!)

Rgds, Don

Re: Is collaboration possible on authored content?

Submitted by zac on 2005, May 20 - 8:22am.

Don,

I like that format:

"Here is a fact: blah, blah, blah."

"Here is *my* opinion..."

"Now more facts"

I also quite agree re: the subject line in this commenting system. Since the functionality comes to us straight from CivicSpace Labs, I'm not sure it's something that we (TechCommons) can easily fix. Nonetheless I would like to see it fixed and have added it to our list of known issues.
http://www.consultantcommons.org/issues

I very much appreciate your taking the time to engage with me here on ConsultantCommons, Don.

Yours,

Zac

Zac Mutrux
Consultant and Commonist
CompuMentor