
E-M:/ [Fwd: NetAction Notes No. 76: Cyber Security]

Enviro-Mich message from Phil Shepard <shepard@acd.net>

To follow up my last post, here are some basic guidelines on computer and
internet security for non-profits, taken from a recent NetAction newsletter:

Audrie Krause wrote:

> Published by NetAction            Issue No. 76               October 22, 2001
> Repost where appropriate. Copyright and subscription info at end of message.
> * * * * * * *
> In This Issue:
> Cyber Security
> About NetAction Notes
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Cyber Security
> Shortly after the September 11 attacks on the World Trade Center and
> the Pentagon, security experts began predicting a resurgence of
> malicious attacks on the Internet. More recently, an international
> security monitoring group (CERT, the Computer Emergency Response Team
> Coordination Center) <http://www.cert.org/> warned that Internet
> attacks are expected to double this year. While attacks by malicious
> or politically-motivated hackers have typically been directed at
> corporate and government web sites, any computer connected to the
> Internet is vulnerable. Computers connected through a broadband
> service are especially vulnerable since the connection is always on.
> If you haven't already taken steps to ensure that your computer is
> secure, do it now.
> NetAction prepared the following checklist of computer security
> basics for activists and nonprofit organizations:
> 1) Virus Protection
> New computer viruses are discovered all the time. Installing and
> regularly updating your anti-virus software is essential to
> maintaining the security of your computer files. In recent months,
> countless files have been distributed over the Internet by computers
> infected with the SirCam virus.  See
> <http://www.cert.org/advisories/CA-2001-22.html> for more information
> about this pesky virus. Some of these files were confidential, others
> were simply embarrassing to the originator. None of these documents
> would have wound up in strangers' in-boxes if the computers they were
> stored on had been protected by up-to-date anti-virus software.
> But the unintended release of confidential or embarrassing documents
> isn't the only risk you take if you don't keep your virus protection
> software up-to-date. Some viruses actually delete files from
> computers, others wreak so much havoc to your operating system that
> the only way to recover is to reformat the drive, wiping all its
> contents in the process.
> Most virus protection software developers regularly update their
> software programs to include protection against newly detected
> viruses. Some software programs can be set up to automatically check
> for updates on a user-determined schedule (for example, on the first
> day of every month). If your software includes a scheduler, set it up
> to automatically check for updates once a month. If not, note it on
> your calendar and update the software manually.
> See <http://www.cert.org/other_sources/viruses.html#VI> for a
> complete list of anti-virus software vendors. Some virus protection
> software vendors you may already be familiar with are Symantec
> <http://securityresponse.symantec.com/avcenter/> and McAfee
> <http://www.mcafee.com/anti-virus/>. Their web sites include alerts
> about newly discovered viruses and comprehensive information about
> virtually all known viruses. If your computer is infected, you may
> find information on these sites that will help you minimize any
> damage to or loss of data.
> Along with being vigilant about protecting your computer from
> viruses, be cautious about forwarding virus warnings that are sent to
> you via email. Many of these warnings are hoaxes. If someone sends
> you email warning of a virus, confirm its validity before forwarding
> it to anyone else. Sites that provide information on false virus
> warnings and other Internet hoaxes include:
> <http://www.nonprofit.net/hoax/default.html> and
> <http://hoaxbusters.ciac.org/HBUrbanMyths.shtml>.
> 2) Firewalls
> If your computer is part of a network, chances are your network
> administrator has set up a firewall to prevent "crackers" from
> breaking into any of the computers on your network. If you don't have
> a network administrator, or don't know for sure whether your network
> is protected by a firewall, ask.
> Networks without firewalls are extremely vulnerable! The obvious risk
> is that someone will hack in and obtain confidential information or
> deface your organization's web site. Perhaps less obvious is the risk
> that a malicious hacker will use your computer as part of a
> distributed denial of service (DoS) attack directed at another
> server. In a DoS attack, a server is bombarded with so much email that
> it will eventually crash if the attack isn't stopped. See
> <http://www.cert.org/archive/pdf/DoS_trends.pdf> for additional
> information on DoS attacks.
> Even if your computer is not connected to a network it's a good idea
> to set up a firewall, especially if you connect to the Internet via
> an always-on broadband service (such as DSL or cable modem).
> Individual computers with broadband connections can easily be usurped
> for DoS attacks without the owner's knowledge. Several software
> developers sell personal firewall software programs. Once installed,
> these programs can be set up to prevent access to your computer or to
> designate the level of access. (For example, if you occasionally work
> from home, you may want to set up the firewall on your home computer
> to allow you to retrieve work files from home when you're in the
> office.)
> See <http://www.interhack.net/pubs/fwfaq/> for a FAQ on firewalls.
> Firewall software is available from many of the same
> developers who produce anti-virus software, including Symantec and
> McAfee.
> 3) Backups
> Regular backups are a crucial component of computer security.
> Businesses that are serious about data security may spend tens of
> thousands of dollars on secure off-site storage of their backed up
> data. Since this isn't an option for most nonprofit organizations and
> individual activists, some creativity is necessary to develop an
> affordable backup strategy.
> Documents and other data should be backed up daily. Backed up data
> can be stored on removable media (such as floppy or zip disks, or
> CDs), on an external hard drive, on a tape drive, or on a secure web
> site. Redundancy is the best strategy, so plan on using more than one
> alternative.  (Note: CDs are probably your best choice in removable
> media; they hold 600-700 MB and cost less than $1 each, while zip
> disks hold 100 MB and cost about $10 each. Tape drives are generally
> more expensive than external drives, although both types of drives
> vary in price depending on capacity, type of connection and other
> factors.)
> If the computer in your office is backed up daily onto a tape drive,
> make a second backup of your data on a floppy or zip drive to store
> in another location away from the office. (For example, at your
> accountant's office, or your supervisor's home.) If your home
> computer came with a rewrite-able CD player, make two copies of your
> backup on CD. Leave one at home and store the other in your office,
> or with a trusted neighbor or friend. Or make one backup on an
> external hard drive, the second on a floppy or zip disk that can be
> stored in another location.
> In addition to backing up your data, it's also a good idea to make a
> full backup of your hard drive, and to update the full backup
> whenever you update your operating system or software applications.
> If you have a full backup and your hard drive crashes, it will be
> easier to recover. Otherwise, you will have to reinstall the
> operating system and applications one at a time if you want access to
> backed up documents or other data.
> When you back up your entire drive, size matters. If your computer
> has a 10 GB hard drive and your programs and data use up 5 of the 10
> GBs, a full backup will also require 5 GBs. While it's possible to
> make a full backup by using multiple floppy or zip disks or CDs, you
> will probably find it easier to use an external hard drive or a
> large-capacity tape drive.
> If you use a PC with a current version of the Windows operating
> system (ME or 2000), a backup software program is included with the
> operating system. Mac users will have to buy a separate backup
> software program for full backups of the hard drive; data files can
> simply be copied to removable media or an external drive.
> Although not strictly a security issue, good disk maintenance is also
> important. Several software vendors sell utility tools (such as
> Norton Utilities) that can alert you to and fix minor problems, and
> sometimes even retrieve lost data.
> 4) Mailing Lists
> Mailing lists have long been targeted by spammers, so mailing list
> security should always be a high priority.
> If you are responsible for maintaining a mailing list, configure it
> so that only the list owner has access to the addresses of individual
> subscribers. When you use your email browser to create a mailing
> list, you can prevent subscribers' addresses from being disclosed by
> always putting the addresses in the "Bcc" field. If your mailing list
> is provided by an application service provider (such as Topica), or
> you use a list software application (such as Majordomo) be sure it is
> configured so that subscriber addresses are not disclosed. Also, back
> up the subscriber list regularly.
> Mailing lists fall into one of two categories: discussion or
> announcement. You have significantly more control of announcement
> lists since they are intended for one-way communication from the list
> owner to the list subscribers. (For example, to distribute email
> newsletters or action alerts.) When you configure an announcement
> list, limit posting privileges to as few people as possible and
> change the password whenever there is a change in personnel who have
> posting privileges.
> If you operate a discussion list, you can increase security by
> assigning a moderator. When a subscriber sends a message to a
> moderated list it is routed to the moderator, who screens it before
> posting to make sure it is an appropriate message for the list. Of
> course, if your list has a lot of traffic this can be very
> time-consuming.
> In situations where your best option is an unmoderated list, you can
> still exercise some control over who has access by configuring it so
> that all subscriptions must be approved by the list owner.  This may
> make it easier to screen out spammers, as well as to remove a
> subscriber who becomes disruptive or persists in posting off-topic
> messages.
> 5) File and Email Security
> Nearly everyone has some data on their computer that is sensitive or
> confidential. There are several ways to secure this data from prying
> eyes. Some operating systems allow users to set passwords that limit
> access to the entire hard drive. If your computer is on a network,
> check with your network administrator to determine if a password can
> be set to prevent access to your files. If not, check the "Help"
> files or the user guide for your operating system.  And remember to
> change your password periodically.
> Individual files, and the content of email messages, can be secured
> with encryption software. NetAction's Guide to Using Encryption
> <http://www.netaction.org/encrypt/> includes information on software
> programs that can be used to encrypt individual files and/or folders,
> and software that can be used to encrypt email messages.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> About NetAction Notes
> NetAction Notes is a free electronic newsletter, published by
> NetAction. NetAction is a national, nonprofit organization dedicated
> to promoting use of the Internet for grassroots citizen action, and
> to educating the public and policy makers about technology policy
> issues.
> To subscribe to NetAction Notes, send a message to: <majordomo@netaction.org>
> The body of the message should state: <subscribe netaction>
> To unsubscribe at any time, send a message to: <majordomo@netaction.org>
> The body of the message should state: <unsubscribe netaction>
> NetAction is supported by individual contributions and grants. You
> can make a credit card donation from NetAction's secure server at:
> <https://secure.manymedia.com/netaction/form.html>.
> For more information about contributing to NetAction, contact Audrie
> Krause by phone at (415) 775-8674, by E-mail at
> <mailto:audrie@netaction.org>, visit the NetAction Web site at
> <http://www.netaction.org>, or write to:
> NetAction * 601 Van Ness Ave., No. 631 * San Francisco, CA 94102
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Copyright 1996-2001 by NetAction/The Tides Center.  All rights reserved.
> Material may be reposted or reproduced for non-commercial use provided
> NetAction is cited as the source.  NetAction is a project of The Tides
> Center, a 501(c)(3) non-profit organization.

Phil Shepard

ENVIRO-MICH:  Internet List and Forum for Michigan Environmental
and Conservation Issues and Michigan-based Citizen Action.   Archives at

Postings to:  enviro-mich@great-lakes.net      For info, send email to
majordomo@great-lakes.net  with a one-line message body of  "info enviro-mich"