The Human Factor - 20 Things Every User Should Know
Another Twenty Things Every Computer User Should Know
This paper and accompanying PowerPoint presentation are part of an ongoing expanded computer security awareness campaign. The objective of the campaign is to increase the general awareness of privacy and security issues for the average computer user. This presentation assumes the audience is already aware of choosing strong passwords, using a good anti-virus program, installing updates, and firewalls.
The Human Factor
People are the first line of defense on the security front. Most security breaches, small and large, are caused by some kind of human action. As individuals on the front lines of security, we need to be aware of the different ways the safety of our private and confidential information can be jeopardized.
One useful definition of privacy is the right to choose what personal information about ourselves we disclose and who we disclose it to. As individuals, we assume the responsibility for protecting our own private information. On the other hand, as trustworthy individuals, we have the responsibility to maintain the confidentiality of other people's private information.
Confidentiality, integrity and availability
Being on the security front lines means we need to protect the data (our own private information and any information that has been entrusted to us) from unauthorized access, either accidental or intentional. We also need to protect the data from unauthorized changes or deletions. Something that is often overlooked is that we also need to ensure that we are able to use our computers and access the data when we need to.
Not just viruses and hackers
Most people think of hackers and computer viruses when they talk about computer security. Computer viruses and hackers are real concerns; however, there are other, more common ways the security of our computers and data is threatened. These include, but are not limited to:
- We oftentimes give away our private information without realizing it.
- Someone else may misuse our confidential information.
- We can be manipulated by a con artist.
- We don't always properly secure and maintain our computer.
- We may have developed poor computer usage habits.
- Our computer gets spyware or computer viruses or we download a trojan horse program.
- Our computer, disk drive, USB drive, or CD may get stolen.
- We may leave private and confidential data on the computer when we sell or give away the computer or its disk drive.
- Someone could overhear our private cell phone conversations or tap into our unencrypted computer connection.
- A hacker may break into our home, mobile, or office computers.
Don't give it away!
It's nearly impossible to get a job, obtain a driver's license, or take out insurance without providing a lot of private information about yourself. But, we also tend to give away our private information when it is not necessary or appropriate to do so. It is common to get a telephone call from someone conducting a customer satisfaction survey and, to "verify" they have called the right person, they may ask you for your Social Security number, date of birth, and how much money you earn in a year. Some people are very willing to answer all of those questions without giving it a second thought, but all of that information is private information that could easily be misused and so should be carefully protected. Some web sites try to collect the same kind of private information by either asking you to become a member or by running an on-line survey. We also give away our private information by entering sweepstakes or sending in a product registration form. Before giving out your private information, find out who is asking for the information. What is their street address? How long have they been in business? Why do they want your private information? How will it be used? Who will they share your information with? And ask yourself, do I really want to give them this information?
Using interpersonal relationship skills, conversation and storytelling to manipulate and trick people into giving away useful private or confidential information is called "social engineering". Social engineering has been around for a very, very long time - the Internet just makes it a lot easier to do. It capitalizes on human nature: our desire to be helpful, our tendency to trust other people, and fear. It can be done in person, over the telephone, by Email, in on-line chat rooms, through instant messaging programs, and from web sites. Signs to watch for are:
- They are unwilling to give you their contact information or other references.
- They try to get you to hurry up (rushing).
- They mention a well known name (Dr. Jordon, Microsoft, the Denver Police).
- They try to intimidate you ("I'm going to get you fired" or "I'll sue you for all you're worth").
- Spelling errors and poor grammar.
- Asking odd questions or asking for private or confidential information.
Fishing for victims
Most of us have received Email messages telling us there is something wrong with our account or asking us to verify our personal information. These are called "phishing" (sic) scams - they are fishing for victims. These phishing scams are another form of social engineering. Learn to recognize them and delete them from your inbox, without replying.
New computers come with some safety warning labels. They warn us not to use the computer if the electrical cord is worn or frayed. We are warned not to operate the computer while sitting in the bathtub. Do not use if seal is broken! But, I have yet to see a computer that came with Email and Web browser safety warning labels. As a result, we have had to learn from our mistakes what not to do. Some examples of bad habits are:
- Opening Email file attachments.
- Replying to SPAM Email or clicking on links in SPAM Email.
- Clicking on pop-ups ads and banner ads.
- Downloading free stuff from the internet (music, search programs, screen savers, games, videos, fonts, icons, etc.).
- Trading computer programs and other computer files.
- Creating or accessing unprotected shared folders.
- Running P2P software (free music and video exchange).
- Using chat rooms and instant messaging.
- Inappropriately saving private/confidential data.
- Letting others use your computer or computer account.
- Using the same username, password, and Email address everywhere.
- Choosing weak passwords.
- Not using the built-in password protected screen saver.
- Not logging off of the computer when finished or away.
- Signing up for or joining questionable web sites.
Email file attachments
You should not open an Email attachment unless all of the following are true:
- You know the sender and have received legitimate Email from them in the past.
- The subject line makes sense to you.
- The text of the message makes sense to you.
- You were expecting the sender to send you a file attachment.
- You know what the file attachment contains, and why it was sent to you.
- You have a good quality, up to date anti-virus scanner installed and running on your computer.
Clicking on pop-up advertisements and banner advertisements is a common way of getting adware and spyware programs installed onto your computer. Close pop-up ads by clicking on the small gray "X" in the top right corner of the pop-up. Not all pop-up ads install spyware. Many personal firewalls can be configured to block most pop-up ads. You may also want to consider not visiting web sites that run pop-up ads.
All this free stuff!
Downloading free stuff from the Internet is another way your computer can get adware and spyware on it. You may even get a trojan horse program or SPAM robot installed on your computer. Stay away from free programs, screen savers, backgrounds, games, free music & videos, fonts, and icons, etc. You should never download or install anything onto a computer that does not belong to you.
Saving confidential data
Be careful about what private or confidential data you save on your computer hard drive (or USB drive). We frequently save confidential information on our local workstation rather than a secured server because it is easier and more convenient for us while we are working with it, but then we forget that it is there. Before saving confidential information on your computer, ask yourself what the consequences would be if your computer were stolen or the data were copied off of your computer by a trojan horse program. Is your computer the safest place for the data? Should it be encrypted? Take all of the necessary precautions to keep your computer from being stolen. Keep your laptop out of sight and locked up when not in use. Routinely back up important data and store it in a secure place away from the computer. Periodically review the files you have saved on your computer and use a secure erase utility to remove old files, particularly if they contain sensitive information.
Lost or stolen computer
There have been several high profile computer security incidents that did not involve hackers or viruses - they were caused by burglars stealing the computer. In one case, the burglars didn't steal the computer; they stole the hard drive out of the computer! In all of the cases, the computers had a lot of very confidential data saved on the hard drive. Theft is usually, but not always, a crime of opportunity. Never leave a laptop computer or PDA unattended - not even for a minute. When not in use, laptops and PDAs should be locked up, out of sight. Sensitive confidential data saved on a portable computer should be stored using data encryption.
Secure data erasure
There have been several other high profile computer security incidents caused when the computers were sold with sensitive data left on the hard drive. In one case, an old laptop computer containing classified government data had been thrown into a dumpster! Most people are not aware that a deleted file can usually be recovered. Likewise, most people are not aware that data can still be recovered from a disk drive that has been reformatted. Regardless of who used the computer, or what it was used for, the computer's hard drive should be thoroughly erased with a disk wipe utility before the computer is given away, traded, sold, or disposed of. Computer disks, tapes, and CDs should be shredded before they are thrown in the trash. (Note: there are environmental laws which also govern the proper disposal of electronic equipment such as batteries, cell phones, computer monitors, CPUs, and hard drives.)
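To show why a deleted or quick-formatted file is still recoverable while a wiped one is not, here is an added example (not from the paper) using a constructed toy disk model: a flat block array plus a directory table, which is all a recovery tool needs to ignore. The class and function names are this example's own assumptions.

```python
"""Toy block device: why 'delete' and 'format' leave data behind, and what a wipe does."""
import os

BLOCK = 16  # bytes per block in this constructed model


class ToyDisk:
    """Constructed model: data blocks plus a directory (name -> block indexes).
    Real filesystems are more complex, but the principle is the same:
    removing metadata does not touch the bytes in the data area."""

    def __init__(self, nblocks):
        self.blocks = bytearray(BLOCK * nblocks)
        self.free = list(range(nblocks))
        self.directory = {}

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)  # ceiling division
        idxs = [self.free.pop(0) for _ in range(needed)]
        for i, idx in enumerate(idxs):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.blocks[idx * BLOCK:(idx + 1) * BLOCK] = chunk
        self.directory[name] = idxs

    def delete(self, name):
        # Ordinary delete: unlink the entry and mark blocks free; bytes stay on disk.
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        # Quick format: rebuild an empty directory; the data area is not touched.
        self.directory = {}
        self.free = list(range(len(self.blocks) // BLOCK))

    def wipe(self):
        # Disk wipe utility: overwrite every block, then reset the metadata.
        self.blocks[:] = os.urandom(len(self.blocks))
        self.quick_format()

    def secure_erase(self, name):
        # Secure erase of one file: overwrite its blocks before unlinking it.
        for idx in self.directory[name]:
            self.blocks[idx * BLOCK:(idx + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)


def carve(disk, marker):
    """What a recovery tool does: scan the raw blocks for known content,
    ignoring the directory entirely. Returns True if the data is still there."""
    return marker in bytes(disk.blocks)
```

On real hardware the per-file overwrite is weaker than the model suggests: SSD wear leveling and filesystem journaling can keep copies the overwrite never reaches, which is why a whole-device wipe (or full-disk encryption from the outset) is the reliable option before disposal.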
Computers need to have security updates installed in a timely manner, they should have a good anti-virus program installed, and they should be protected by a firewall; however, computer viruses and hackers are not the only things that threaten our computers and our data. How we use the computer is as important as running an anti-virus program. Our own actions can potentially create greater risks to our private and confidential information than do hackers and viruses.