CITS

Protecting Your Computer

September 11, 2015   |  By Chris Phillips

It is usually much less costly to prevent a security problem than to recover from one -- in both time and money.  The security steps discussed in this article can substantially reduce the risks to your computer and your data, as well as the risks to others.  And if something bad does happen despite your best efforts, some of these steps will substantially reduce the time and monetary costs of recovering.

Your Security Priorities

If you have an office at UMB, you may be able to rely on security measures taken by University technical staff. Before taking any actions on your own with a workplace computer, ask your local IT staff about what they recommend; otherwise you may do things that aren't needed, or that are actually counter-productive.  If you have a computer at home or elsewhere outside the office, you have substantial do-it-yourself responsibilities.

Physical Security and Access Control

It is important to protect the computer equipment itself, because it would be time-consuming, disruptive, or expensive to replace it. For that, it's crucial to secure the physical environment in which the computer is located.  And it is at least equally important to protect the data on the computer, and to prevent "leaks" of sensitive information to persons who shouldn't have access.  A secure physical environment is the foundation for protecting both. 

Physical Security--Other Threats

Computer theft is common and always something to protect against, but technical malfunctions like a hard drive crash or a memory chip failure, environmental damage from water or heat or gravity, or simply misplacing the computer in a taxi or a security line at the airport, are much more common causes of equipment and data loss. Careful behavior can prevent or reduce the likelihood of some of these, but you may still want to consider special property insurance for an expensive computing device.

The only true insurance for the integrity and availability of your data is making frequent backup copies.

Secure Copies, and Everything Else

It cannot be stressed enough how important it is to have backup copies of hard-to-replace information. Do you have any idea what would it take to restore the data on your computer if its hard drive were to fail catastrophically right now?

Whatever backup option you choose, be sure to keep those backup copies in a secure place--ideally, a secure place far from where your computer is kept, so a single catastrophe doesn't destroy everything. But wherever it is, backups containing sensitive information should be protected as carefully as you protect the computer they came from.

Access Passwords

When available, you should also use passwords for software, and websites that access any kind of sensitive data. These are a critical protection against intruders who manage to get physical access to your computer. It's true that passwords can sometimes be defeated by a determined, knowledgeable attacker, but they will protect against lesser threats.

Current Protective Software

If physical access to your computer were the only issue, a secure physical environment and a simple access protection like passwords would generally be enough. You should assume that every piece of software you use also presents some risk if not kept current. It is essential to keep your operating system software (e.g., Windows or Mac OS) updated.  And updating is particularly critical for antivirus, anti-spyware and firewall products. University IT staff generally take care of this for your workplace computer. Your personal computing devices should have all of these types of software as well, and they must be kept current to be effective.

Communications Security

Not that long ago connecting a computer to a local network or to the Internet required wires. Today even desktop computers can connect to networks and to other devices wirelessly; laptops, tablets, and smart phones do this by default.

On workplace networks, you can usually rely on local IT staff to secure these wireless links. Outside the office, you need to take steps to secure your Wi-Fi and Bluetooth wireless connections. To safely access University systems from off campus you will want to use a "virtual private network" or VPN.  Ask your local computer support staff for instructions on establishing one.

Protection with Encryption

When you visit a website where any kind of sensitive information is exchanged, such as a bank or e-commerce site, it should be configured to use encrypted communications. You'll know it’s secure when you see the “s” in the "https:" prefix of the site's address. Do not enter sensitive data into any web page that doesn't offer an https: connection. 

You can also encrypt files/directories stored on your home computing system with an encryption system that requires a password or physical device (such as a USB key) -- or both -- to unlock.  Whether the extra inconvenience of encryption is "worth it" depends on the sensitivity of the data and the security of your computer otherwise.

Lending and Borrowing computers

Be conservative about "lending" your computer for others' use. You can expose sensitive data to snooping if you have not been sufficiently careful with your password protections. (This is another reason you should refuse the "remember my password" offer from websites.) Also be extra careful not to leave sensitive information behind if you work on someone else’s--or a public--computer.  

Secure Disposal

Sooner or later every device reaches the end of its productive life. When you no longer need a computer, it is critical that you take steps to clean it of any sensitive information. Paper can be shredded. So can optical media like DVDs (though it may take a powerful shredder). Hard drives inside computers must be systematically over-written, "degaussed" by a very powerful electromagnet, or physically destroyed. Floppies and magnetic tapes require the same. Solid-state (flash) memories must also be over-written or physically destroyed. If you don't understand the secure disposal specifics for your computer and other hardware then find someone who does. Don't ever just throw a storage device in the trash! That's one of the most common ways that sensitive information is exposed.

Defense in Depth

Do you really need to do all the things discussed in this article? Maybe yes, maybe no. You must assess your own computing devices' vulnerabilities, given how and where you use them, and the sensitivity of what you keep on them.  For starters, you should be familiar with UMB IT policies in such areas as Computer Workstation Security, Password Management, etc.  If you're not sure where to start, ask your local IT support staff, and/or find additional resources through the CITS IT Help Desk.