CyberCops are particularly vulnerable to exploitation when they are doing investigations on the Internet. To help them, and others who want to be safer when cruising the Internet, Fred Cohen and CyberCop.org (Kevin Manson) provide this list of the 51 ways to protect your information assets when cruising the Internet.
System configuration must be done properly in order to have a modicum of security. Here are some configuration issues you should address:
1. Use removable media on Internet-connected computers. With removable media, you can put in the Internet disk when you are using the Internet, and replace it with the ‘secure’ media when doing your investigative work. It means that the bad actors can’t get to your confidential information when you’re on the net, and your critical information can’t get messed up by a virus or Trojan horse coming in from the Internet.
2. Turn off “sharing” on NT and Windows boxes. Sharing of files lets Internet users access your disk from anywhere in the world. With sharing turned off, they have to break in to get at your system.
4. Use properly configured software to assist in detecting viruses and malicious code. If your virus scanner can handle it, have it check for macro viruses in real-time.
5. Keep a clean and current copy of system start-up and restore software handy. This way you can recreate a working system in a flash and avoid long downtime when you do things like upgrading Explorer versions over the Web and finding out that your system is locked up.
6. Backup, backup, backup. Yes – keep three copies of the backups just in case.
7. Keep your software up to date with security-related changes. For example, without the latest version of your browser or email program, you may find that when you go to read email – even before you open up any of the messages, your system has been taken over by a remote attacker.
8. Turn off unnecessary Internet service ports. In general, if you don’t know why your system uses a service, you should not have that service turned on. Every service is a potential vulnerability.
9. Use a scanning tool to test which ports are turned on. Never trust the menu-based configuration tool to tell you this sort of information because many of these tools have errors, some of which have opened systems up to remote exploitation even though the user ‘did the right thing’.
10. If it’s really important to document, print it out. Remember that paper trails are a lot easier to use and authenticate in court than electronic media.
Passwords have been a security issue for a long time, and most people still don’t know how to use them safely. You need to know how to create and use passwords that are properly crafted to the need:
11. If you have anything important on a remote site, use unique passwords for each online service and site. Otherwise, someone breaking into or watching one service could use your password in other services.
12. If you are going to use the same password for multiple sites, make sure they are not important sites. For example, whenever you get a password for a remote site that is not important, try for user ID guest, password guest. This may weaken their security, but if they allow it, their security is already very weak, and it is easy for you to remember and doesn’t give anything away about you or the kinds of passwords you use for important systems.
13. If you are accessing remote services on the Internet, remember the passwords can be easily sniffed. Try to avoid using passwords for Internet-based access.
14. NEVER use a password over the Internet that’s the same password you use on your local systems. That might allow someone from the Internet to break into your system.
15. Try to get and use one-time authentications of some sort. These are relatively inexpensive and very effective.
16. When possible, augment passwords with some other form of authentication. For example, use TCP wrappers or some other similar tool to limit the remote IP addresses that can access a critical system, or use a separate channel to enable remote login.
17. When you have to change your password, don’t do it over the Internet. It is easily sniffed. If at all possible, do it from the computer with the password on it.
18. Changing your password regularly is not prudent for all systems or situations. Consider the real benefit and harm associated with this activity before doing it haphazardly.
19. Some passwords are harder to guess than others. Use the harder to guess ones. Examples of easily guessed passwords include: (1) your name, user ID, or other available information associated with you; (2) any word or pair of words in any language; (3) QWERTY or similar keyboard patterns (but not all keyboard patterns are easy to guess); (4) passwords of less than 7 keystrokes; (5) passwords with only numbers, only letters, or the same character repeated.
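The five categories in item 19 can be turned into a simple screening check. This is an added example, not part of the original list; SMALL_DICTIONARY is a constructed stand-in for a real multi-language word list, and the user-information strings are supplied by the caller.

```python
"""Screen a candidate password against the easily-guessed categories of item 19."""
import re

# Constructed stand-in for a real dictionary (assumption: a real check would load a full word list).
SMALL_DICTIONARY = {"password", "secret", "letmein", "dragon", "monkey", "welcome", "hello", "world"}

# Keyboard rows (US layout) used to detect QWERTY-style patterns.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 7


def keyboard_run(pw, length=4):
    """True if pw contains `length` adjacent keys from one row, forwards or backwards."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in p:
                    return True
    return False


def weaknesses(pw, user_info=()):
    """Return the item-19 rules the password violates (empty list = none triggered).

    user_info: strings tied to the user (name, user ID, ...) that must not appear in the password.
    """
    found = []
    p = pw.lower()
    # (1) name, user ID, or other available information associated with the user
    if any(info and info.lower() in p for info in user_info):
        found.append("contains user information")
    # (2) any word or pair of words; digits are stripped so 'secret1' is still caught
    letters = re.sub(r"[^a-z]", "", p)
    if letters in SMALL_DICTIONARY or any(
        letters[:i] in SMALL_DICTIONARY and letters[i:] in SMALL_DICTIONARY
        for i in range(1, len(letters))
    ):
        found.append("dictionary word or word pair")
    # (3) QWERTY or similar keyboard patterns
    if keyboard_run(pw):
        found.append("keyboard pattern")
    # (4) fewer than 7 keystrokes
    if len(pw) < MIN_LENGTH:
        found.append("fewer than 7 characters")
    # (5) only numbers, only letters, or the same character repeated
    if pw.isdigit() or pw.isalpha() or len(set(pw)) == 1:
        found.append("single character class or repeated character")
    return found
```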
20. Don’t let other folks use your user ID and password and don’t tell anyone your user ID and password. This lets them fake being you and you are likely to be the one who gets into trouble if they do something wrong. No legitimate person responsible for security or systems maintenance needs to know your password, and there are almost no exceptions to this rule.
Don’t trust remotely obtained software. It can contain Trojan Horses that are potentially devastating in their effect. Examples of how this has been exploited in the past include but are by no means limited to: (1) causing your system to dial out to a 900 number for Internet service; (2) stealing your online information; (3) corrupting or destroying information on your system; (4) turning the computer into a jumping off point to attack other systems; and (5) placing a Trojan horse in your system to permit remote re-entry and exploitation at a later date.
21. Turn off “autoinstall” features on browsers. Autoinstall allows remote websites to automatically change what your system does by installing their software.
22. Become familiar with the “processes” that are authorized to run on your machine and how to check on them. Check them periodically and whenever you suspect or observe abnormal system behaviour.
23. Today more viruses spread through email attachments than by any other means. Be careful how you use email attachments and who you accept them from. When you don’t know and trust the person sending you an email attachment, either ask them to send it in plain text format and not as an attachment, or copy it off of your system onto a non-networked system and read it there.
24. Don’t use Word attachments without Word configured to disable all macros before execution. Otherwise, you can easily be attacked by an email.
25. Don’t trust Excel spreadsheets. They not only give wrong answers, but they can contain “CALL” macros to attack your system, and there is no mechanism available today to detect or prevent this.
26. Don’t trust any program – whether it comes in source or in executable format – without seriously considering the potential implications of its installation and use. Many programs innocently do things that weaken your security, and in lots of cases they allow remote exploits against your system.
27. Just because it isn’t called a program doesn’t mean it isn’t a program. Most information you get is just plain ‘data’, but some of it is not, and it is hard to tell the difference unless you are a real expert. But you can’t stop using computers just because you don’t trust them. Just understand that you can get hurt and prepare to suffer the consequences.
Keep up to date on the information security issues that might affect your system:
28. Subscribe to computer security lists such as NT Bugtraq, NTSecurity Digest, etc. Read about the newest attacks and update your system to mitigate them.
29. Keep your system up to date with the newest security patches for the software you use to cruise the Internet.
30. Realize that computer security requires a systematic, not a piecemeal, strategy to be effective.
31. Think like an attacker: how would you attack yourself? You might read some of the hacker FAQs or try an automated attack and defense game to get a sense for what people might try to do to you and how.
32. Don’t forget other communications channels that may be vulnerable, such as voicemail.
33. Ask others who are competent to review or audit your security practices.
34. Don’t forget that critical data may be far more resilient to degradation or corruption when placed on paper than on magnetic or optical media.
Use available security technology to your advantage:
35. Become familiar with methods of anonymizing your online sessions – such as Onion routing, ZKS, anonymizer, and “mixmaster” type anonymous remailers. Remember that the bad guys use them (and may run them) too, and don’t trust them alone for anything important.
36. Begin to routinely encrypt any important communications and encourage (and assist) others in doing so.
37. Whenever you encrypt, always view the encrypted file before sending it. Encryption systems sometimes don’t do what they say they do.
38. Generate a public/private key pair and let others know how they may obtain it.
39. Digitally sign email where authenticated identity or unmodified content is important.
40. Digitally sign important files and documents that you believe others may wish to rely on for their integrity and authenticity.
Use uncommon sense:
41. Don’t visit the bad-guys’ sites except through a properly concealed and authorized location. Remember that they can see you when you can see them.
42. Don’t go cruising through the seedy side of the Internet unless you are ready for the seedy side to go cruising through you.
43. Don’t respond to emails from lists you haven’t signed up to, especially if they tell you that you can ‘unsignup’ by sending them mail. This is how they confirm your email address as valid.
44. Never post to public bulletin boards or mailing lists unless you want to get unsolicited email from lots of sources. That’s one of the major ways they get email addresses.
45. Unless you are investigating a porn site, don’t visit it. You are likely to get a great deal of follow-up from a very broad range of sources.
46. The information you place in your Web browser (like your name, address, organization name, and so forth) is available to the websites you visit. Don’t place information there unless you want it to be given to every site you visit.
47. Every site you have ever visited may be revealed to any site you visit.
48. Your system keeps records on almost every place you visit. Many of these records can be remotely accessed, and local access reveals a lot of fine detail about what took place and when.
49. If the bad guys get into your system, they can get all of your cryptographic keys, your passwords, and anything else you have placed on your system.
50. If the bad guys get into your system, they can use your system to get into other systems it can connect to. This often includes other computers inside your firewall.
51. Think twice before you click.