
Internet Security - Guidance

With the increasing real risk of abuse on the internet, cyber security is more important than ever. You are strongly recommended to consider and implement the following, and to create and nurture a culture within the business/organisation of awareness, good practice, conscious behaviour, and understanding of the real potential and actual risks.

 

1. Ensure a firewall is enabled on every device in use, be it desktop, laptop, tablet or mobile. Disable any unnecessary services or features bundled with the firewall package.

 

2. Block all inbound connection attempts (and any unexpected outbound connections from inside) unless you are sure that they are wanted and authorised. Every inbound connection you allow is a path an attacker may use, either to reach a Trojan horse already on the machine or to exploit bugs in the service software listening on that port.

 

3. Do not rely on the built-in filtering of Microsoft ISA Server alone to protect your connection. (ISA Server and its successor, Forefront TMG, are no longer supported by Microsoft; the same caution applies to any single gateway product.)

 

4. Do not use simple packet filtering, or packet-filtering services offered by your Internet Service Provider (ISP), as a replacement for an application-layer firewall. A plain packet filter inspects only addresses and ports, not the content of the connection, so it is less secure.

 

5. Make it as hard as possible for an attacker to identify which firewall product is in use, for example by suppressing product banners and version information. This only slows reconnaissance; it is no substitute for keeping the firewall patched.

 

6. Never publish a list of user or employee names on the web site; publish job titles instead. A list of names gives an attacker ready-made targets for phishing and password guessing.

 

7. Configure each host's TCP/IP stack and host firewall to accept connections only on the ports of the services that machine is specifically meant to provide, and stop or remove any other listening services.

 

8. Keep the operating system (and installed applications) up to date: check your computer or device for updates regularly, or better still enable automatic updates so that this happens without manual intervention.

 

9. Do not allow clear-text password authentication (for example Telnet, unencrypted FTP, or POP3/IMAP/HTTP logins without TLS); anyone able to observe the network can read the password. Use encrypted alternatives such as SSH and TLS-protected services.

 

10. Record the source IP addresses of the attacking computers (source addresses can be forged, so check that they look valid and routable) and try to determine where the attacks originate so that legal measures can be taken to stop the problem. Keep the original log entries, with accurate timestamps, as they may be needed as evidence.

 

11. As part of security awareness, make sure users know to report every instance of denial of service, whether or not it seems important. If a denial of service cannot be correlated with known downtime or heavy usage, or if a large number of denials occur in a short time, an attack may be in progress.

 

12. Take great care when downloading information and files from the Internet, to safeguard against both malicious code and inappropriate material.

 

13. Be cautious about using one of the smaller Internet service providers. Attackers target them, including by seeking employment with them, because they often have less security awareness and may use general-purpose UNIX hosts, rather than dedicated hardened machines, as gateways and firewalls, which makes spoofing and similar attacks easier to perpetrate. Ask the service provider whether they perform background checks on technical service personnel, and reject those that say they do not.

 

14. Have a plan for responding to and recovering from external cyber attacks, and test it regularly, so that the damage done can be minimised and restoration takes place as quickly as possible. Check with your online provider what measures they have in place for such an event. Adopt an 'APR' approach: Aware - intelligent insight to monitor evolving threats and anticipate risks; Prepare - setting and implementing the right technology and cultural strategy to manage evolving cyber threats; Respond - crisis management, diagnostics and solutions so that the material impact of a cyber attack can be minimised in real time, at any time.

 

15. To reduce the incidence and likelihood of internal attacks, access control standards and data classification standards are to be maintained at all times and reviewed periodically, for example when staff change role or leave.

 

16. Procedures for dealing with hoax virus warnings are to be implemented and maintained.

 

17. Anti-virus software is to be deployed across all servers, PCs, laptops and tablets, with regular virus definition updates and scheduled scanning. Macs need protection too; for Mac products, see Apple's website and your anti-virus vendor.

 

18. Personnel (whether paid staff or unpaid volunteers) should understand the rights granted to them by the business/organisation in respect of privacy of personal e-mail transmitted across its systems and networks.

 

19. Confidential and sensitive information should not be transmitted by e-mail unless it is protected by encryption or another secure means; ordinary e-mail is not encrypted end to end and may be read in transit or on intermediate servers.

 

20. E-mail should be treated as an insecure medium for the purposes of legal retention and record-keeping. Digital signatures and encryption can make e-mail more reliable for such purposes, but if in any doubt treat e-mail as transient.

 

21. External e-mail messages should have appropriate signature footers and disclaimers appended (an e-mail signature file). A disclaimer is particularly important where, through a mis-key, the e-mail is sent to the wrong person. The disclaimer should state the confidential nature of the e-mail and request its deletion if the addressee is not, in fact, the intended recipient.

 

22. Do not open e-mails or attached files without first checking that the content appears genuine, bearing in mind that the sender's address is easily forged. If you are not expecting the message, or are not certain of its source, do not open it.

 

23. Users should be familiar with general e-mail good practice, e.g. the need to save, store and file e-mail with business content in the same way as letters and other traditional mail. E-mails of little or no organisational value should, on the other hand, be regularly purged from the system.

 

24. Use plain text messages where possible; they are smaller and cannot carry active content, whereas HTML e-mail can contain scripts, remote images and disguised links that are executed or fetched when the message is opened. Configure mail clients to display messages as plain text where practical and not to load remote content automatically.

 

25. The sending of inappropriate messages, including those which are sexually harassing or offensive to others on the grounds of race, religion or gender, should be prohibited.
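Items 1, 2 and 7 together describe a default-deny host firewall that accepts only the ports of the services the machine actually provides. The nftables ruleset below is an added example for a Linux host, not part of the original guidance; it assumes the host provides only SSH (restricted to an assumed management network, 192.0.2.0/24) and HTTPS, and leaves outbound traffic open, which item 2 may lead you to tighten further.

```nft
#!/usr/sbin/nft -f
# Added example (not from the guidance): default-deny host firewall.
# Assumptions: this host serves SSH (management network only) and HTTPS;
# 192.0.2.0/24 stands in for the management network.
flush ruleset

table inet filter {
    chain input {
        # Item 2/7: everything inbound is dropped unless explicitly allowed.
        type filter hook input priority 0; policy drop;

        iif "lo" accept                          # local traffic
        ct state established,related accept     # replies to our own connections
        ct state invalid drop

        # ICMP needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Item 7: only the ports of services this machine specifically provides.
        ip saddr 192.0.2.0/24 tcp dport 22 accept   # SSH from the management network
        tcp dport 443 accept                         # HTTPS from anywhere

        # Item 10: log (rate-limited) what is dropped so source addresses are recorded.
        limit rate 10/second log prefix "nft-drop-in: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;   # a host is not a router
    }
    chain output {
        type filter hook output priority 0; policy accept;  # tighten per item 2 if required
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; then run `ss -tlnp` and check that the only listening TCP sockets are the ones the ruleset admits. Anything else listening is either a service to remove or a port that was forgotten in the rules.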
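Items 10 and 11 ask for the source addresses of attacks to be recorded and for bursts of denials in a short time to be noticed. The Python script below is an added example, not code from the guidance; it assumes a syslog-style firewall drop line with SRC= and DPT= fields, and the SAMPLE_LOG lines are constructed for the example. It goes slightly beyond the text by discarding sources that cannot legitimately appear on the public internet (private, loopback, multicast and similar ranges) before counting, since such addresses on an external interface are almost certainly spoofed.

```python
"""Added example (not from the guidance page): record the source addresses of
dropped inbound connections and flag sources that generate a burst of denials
inside a short window, as items 10 and 11 describe. The log format and the
SAMPLE_LOG lines are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Syslog-style firewall drop line (format assumed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ kernel: "
    r"(?P<prefix>\S+) .*?SRC=(?P<src>[0-9a-fA-F.:]+) .*?DPT=(?P<dpt>\d+)"
)

# IPv4 ranges that should never be a source on the public internet
# (RFC 1918, loopback, link-local, multicast, class E, "this" network).
# The RFC 5737 documentation ranges are deliberately omitted so that the
# constructed sample, which uses them, is treated as routable; a real
# deployment should use a maintained bogon list instead.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def looks_valid(src: str) -> bool:
    """Item 10's 'assuming they look valid': reject unparsable or unroutable sources."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    if addr.version == 6:
        return addr.is_global
    return not any(addr in net for net in BOGON_NETS)


def parse(lines):
    """Yield (timestamp, src, dport) for well-formed lines; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], int(m["dpt"])


def record_sources(lines):
    """Item 10: per-source record (count, first/last seen, ports) of valid sources."""
    records = {}
    for ts, src, dport in parse(lines):
        if not looks_valid(src):
            continue
        rec = records.setdefault(src, {"count": 0, "first": ts, "last": ts, "ports": set()})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["ports"].add(dport)
    return records


def find_bursts(lines, window_seconds=60, threshold=20):
    """Item 11: sources with >= threshold denials inside any window_seconds span."""
    events = sorted(e for e in parse(lines) if looks_valid(e[1]))
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    alerted = {}
    for ts, src, _ in events:
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted[src] = {"start": q[0], "count": len(q)}
    return alerted


def _line(sec, src, dpt):  # helper to build constructed sample lines
    return (f"2024-05-01T10:00:{sec:02d}Z gw kernel: nft-drop-in: IN=eth0 "
            f"SRC={src} DST=203.0.113.5 PROTO=TCP SPT=51234 DPT={dpt}")


SAMPLE_LOG = (
    [_line(s, "198.51.100.23", 20 + s) for s in range(25)]   # port scan, 25 ports in 25 s
    + [_line(s, "203.0.113.9", 443) for s in (5, 30, 55)]    # unrelated scattered drops
    + [_line(10, "10.0.0.5", 22)]                            # private source: spoofed, ignored
    + ["2024-05-01T10:00:11Z gw kernel: unrelated message"]  # not a drop line
)

if __name__ == "__main__":
    for src, rec in record_sources(SAMPLE_LOG).items():
        print(f"{src}: {rec['count']} drops, ports {sorted(rec['ports'])}, "
              f"{rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S}")
    for src, a in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT possible attack from {src}: {a['count']} denials since {a['start']:%H:%M:%S}")
```

The window and threshold are deliberately parameters: tune them against a week of your own logs so that normal background noise does not alert, and keep the raw log lines (not only this summary) if the addresses are to be passed on for legal action.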

 

For further informative reference, please download the IT Governance publication entitled “Cyber Security : A Critical Business Risk”.

 


Copyright & Intellectual Property : © MICE @ GOCo™ : All Rights Reserved.

 

 
