This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Many threats take advantages of vulnerabilities in software on PCs. Software manufacturers release updates for their software to eliminate these vulnerabilities. Accordingly, teleworkers should ensure that updates are applied regularly to the major software on their telework PCs. In addition to the OS, updating should include the following types of software:
Teleworkers should review manufacturer documentation for each software program their PC contains in these categories to determine each program's update capabilities. Most major software programs provide built-in mechanisms to update themselves automatically. Teleworkers should enable these features so that the programs check for updates at least weekly, preferably daily. For any programs that do not offer automatic updating, the teleworker should determine from the documentation other available options, such as running an update feature from the application's menus every week or visiting the manufacturer's Web site weekly for updates and downloading and installing any available updates.
For a PC with slow connectivity, such as dial-up access, teleworkers should be cautious when configuring automatic software update features. Because many updates are very large, downloading them could consume all the network bandwidth on a slow link for hours at a time. This could make it difficult for teleworkers to send and receive email, access Web sites, and use the network in other ways while the download is occurring. Teleworkers could instead configure the software to download the updates at a time when no one needs to use the PC. Updates should still be performed at least weekly, preferably daily.
Some software manufacturers offer updates at no charge, whereas others require an annual fee or other payment to receive updates, such as paying a subscription fee to get the latest antivirus signatures. Most software manufacturers that charge a fee allow users to pay it through the manufacturer's Web site and receive updates within minutes of making payment.
5.2 User Accounts and Sessions
A PC can be configured with user accounts and passwords to restrict who can use the PC. This section explains how teleworkers can configure their telework PCs to prevent unauthorized access to their applications and data.
Use Accounts with Limited Privileges
On most OSs, user accounts can have full privileges or limited privileges. Accounts with full privileges, also known as administrative accounts, should be used only when performing PC management tasks, such as installing updates and application software, managing user accounts, and modifying OS and application settings. If a PC is attacked while an administrative account is in use, the attack will be able to inflict more damage to the PC. Therefore, user accounts should be set up to have limited privileges; such accounts are known as daily use, limited, or standard user accounts. Teleworkers should not use administrative accounts for general tasks, such as reading email and surfing the Web, because such tasks are common ways of infecting PCs with malware.
The primary disadvantages of having separate administrative and standard user accounts are that standard users might not be able to run some applications, especially ones designed for older OSs, or to install applications and OS or application updates. This could cause a significant delay in downloading and installing updates, as well as making other tasks less convenient for users. Some OSs have a feature that allows a person logged in as a standard user to perform individual administrative tasks by selecting a particular option.
Each person who uses the telework PC should have a separate standard user account. On most OSs, this keeps each person's data and settings (e.g., files, stored emails, Web browser bookmarks and security settings) private from other people using the PC. It also helps limit how much damage certain attacks can cause, such as damaging only one user's files, not all users' files.
Protect Accounts with Passwords
Each PC user account should have a password to prevent unauthorized people from using the PC-not only people with physical access to the PC, but also attackers attempting to contact the PC from other computers. Users should select strong passwords that cannot be guessed by attackers. The following are recommended practices for password selection:14
Select a sufficiently long password. Longer passwords are more difficult to guess than shorter passwords of similar complexity (see below). The downside is that longer passwords are often more difficult for users to remember. Users should select passwords that are at least eight characters long. Passphrases, which are long passwords usually composed of multiple words, may be easier to remember than conventional passwords.
Create a complex password. A variety of characters should be part of the password. For example, a password made of all lower case letters is a relatively simple password, but another password of the same length made of upper and lower case letters, digits, and symbols (such as punctuation marks) is relatively complex. The more complex the password is, the more difficult it will be for others to guess. Users should select passwords containing digits and/or symbols in addition to letters.
Protect User Sessions from Unauthorized Physical Access
It is important that user sessions be protected against unauthorized physical access. For example, if a PC is sitting unattended in an area that other people can access, anyone could walk up to the PC and masquerade as the user, such as sending email from the user's account, accessing the organization's remote access resources, making purchases from Web sites, or accessing sensitive information stored on the PC. To prevent such events, most OSs allow the user to lock the current session through menu options or a combination of keystrokes. Also, many OSs offer screensavers that activate automatically after the PC has been idle for a certain number of minutes, and can also be activated manually by the user on demand. Some of these screensavers can be configured to lock the PC and require the user to enter his or her password to unlock it. If a PC will be left unattended in an accessible area at any time, users should use a password-protected screensaver or manually lock their user sessions. However, users should be aware that these security features provide only short-term protection; someone who has access to the PC for an extended period of time can bypass these features and gain access to the user's session and data.
5.3 Networking Configuration
Most PCs can be configured to limit network access, which reduces the number of ways in which attackers can try to gain access to the PC. This section makes recommendations for configuring networking features to better protect the PC.
Disable Unneeded Networking Features
By default, most PCs provide several networking features that can provide communications and data sharing between PCs. Most teleworkers need to use only a few of these features. Because many attacks are network based, PCs should use only the necessary networking features. For example, file and printer sharing services, which allow other computers to access a telework PC's files and printers, should be disabled unless the PC shares its files or printers with other computers, or if a particular application on the PC requires the service to be enabled.15 Other examples of services that might not be needed are IPv6 protocols,16 wireless networking protocols (e.g., Bluetooth, IEEE 802.11a/b/g/n) and infrared ports. (Consult the PC's hardware and OS documentation for guidance on which network features should be disabled; if still unsure, seek expert assistance.)
Limit the Use of Remote Access Utilities
Some OSs offer features that allow a teleworker to get remote technical support assistance from a coworker, friend, product manufacturer, or others when running into problems with a PC. Many applications are also available that permit remote access to the PC from other computers. Although these features are convenient, they also increase the risk that the PC will be accessed by attackers. Therefore, such utilities should be kept disabled at all times except specifically when needed. The utilities should also be configured to require the remote person to be authenticated, usually with a username and password, before gaining access to the PC. (See the recommendations in Section 5.2.2 for choosing strong passwords.) Provide the username and password to the remote person in person, by phone, or by other means that cannot be monitored by attackers; do not send passwords through email messages, instant messaging, or other methods that do not provide protection for communications.
Configure Wireless Networking
An improperly configured wireless network could transmit sensitive information without protecting it properly, allowing people nearby to eavesdrop. Section 4.2 explains how to secure a wireless home network. In addition, PCs should be configured so that they do not automatically attempt to join wireless networks they detect. For example, a PC could join a neighbor's wireless home network instead of the teleworker's network; if that neighbor's network is improperly secured, then the teleworker's communications and computer could be at higher risk. Therefore, teleworkers should configure their PCs so they do not join detected wireless networks automatically. Teleworkers should also configure their PCs so that they cannot use ad hoc networking, which is a relatively easy way to attack a PC.
5.4 Attack Prevention
PCs should use a combination of software and software features that will stop most attacks, particularly malware. The types of software described in this section are antivirus and antispyware software, personal firewalls, spam and Web content filtering, and popup blocking. Changing a few settings on common applications, such as email clients and Web browsers, can also stop some attacks.
Although security tools can stop many attacks, teleworkers also need to practice safe computing habits. One of the most common ways that PCs are attacked is by users opening and executing files from unknown and untrusted sources. Teleworkers may download these files from Web sites, file sharing services, peer-to-peer programs, or other means, or they may be sent to teleworkers through email, instant messaging, and other communications services. These files often contain malware, and teleworkers
Install and Configure Antivirus and Antispyware Software
The most effective tool for protecting PCs against malware is antivirus software, which is specifically designed to detect many forms of malware and prevent them from infecting PCs, as well as cleaning PCs that have already been infected. Because malware is the most common threat against PCs, NIST recommends that PCs use antivirus software at all times.17 The antivirus software should be kept up-to-date, as described in Section 5.1.
Many brands of antivirus software are available, most of which offer similar functionality. NIST recommends configuring antivirus software to use the following types of functions:
Automatically checking for and acquiring updates of signature or data definition files at least daily
Scanning critical OS components, such as startup files, system basic input/output system (BIOS), and boot records
Monitoring the behavior of common applications, such as email clients, Web browsers, file transfer and file sharing programs, and instant messaging software
Performing real-time scans of each file as it is downloaded, opened, or executed
Scanning all hard drives regularly to identify any file system infections, and optionally scanning removable media as well
Handling files that are infected by attempting to disinfect them, which refers to removing malware from within a file, and quarantining them, which means that files containing malware are stored in isolation for future disinfection or examination
Logging all significant events, such as the results of scans, the startup and shutdown of antivirus software, the installation of updates, and the discovery and handling of any instances of malware.
Most antivirus products can identify several types of malware, including viruses, worms, Trojan horses, and malicious mobile code.18 Antivirus products offer varying levels of support for detecting spyware.19 Separate antispyware utilities should be used to supplement any antivirus products that do not have robust spyware handling capabilities. Unlike antivirus software, which attempts to identify many types of malware, antispyware utilities specialize in malware and non-malware forms of spyware.
Office Productivity Suites
Teleworkers should consider adopting the following recommendations for each office productivity suite on their telework PCs:
Restrict macro use. Applications such as word processors and spreadsheets often contain macro languages that certain types of viruses use. Most common applications with macro capabilities offer security features that permit macros only from trusted locations or prompt the user to approve or reject each attempt to run a macro. The prompting feature can be effective at stopping macro-based malware threats.
Limit personal information. Many office productivity tools allow personal information, such as name, initials, mailing address, and phone number, to be stored with each document created. Although the most basic information (typically, name and initials) are often needed for collaboration features and edit tracking, information such as mailing addresses and phone numbers is not. Personal information becomes embedded within document files and may inadvertently be distributed with files to others. Teleworkers should not enter any more personal information than necessary into the user settings of office productivity tools. For some word processors, teleworkers can use sanitization utilities that remove personal information from documents, as well as comments, tracked changes, and other information that might be embedded in documents but should not be part of the final document.
Use secured folders for application files. Most office productivity applications allow users to define default locations for saving documents and holding temporary files, including auto-save and backup copies of documents. This can be very helpful at protecting application files from unauthorized access by others. Teleworkers should also store their custom dictionary entries in a user-specific file stored in one of their protected folders
Depending on the sensitivity of telework communications, telephone security may be a consideration. The various choices for telephones and telephone services span a wide spectrum of privacy capabilities. At the low end are older cordless phones, whose calls may be picked up by walkie-talkies, baby monitors, and radio scanners; at the high end are corded phones. The most commonly used options are summarized below.
Corded phones using traditional wired telephone networks. Physical connections are required to intercept communications involving traditional corded telephones that use wired telephone networks, so they are sufficiently secure for typical telework. Security for corded phones used with VoIP networks is described below.
Cordless phones using traditional wired telephone networks. Cordless phone communications can be intercepted by eavesdroppers within physical proximity of the phone, often a few hundred yards at most. Cordless phones used for telework should employ spread spectrum technology, which uses a rapidly changing set of frequencies to scramble transmissions, thus reducing the risk of eavesdropping. Security for cordless phones used with VoIP networks is described below.
Cellular phones. Most cell phones use digital technology, and their transmissions are scrambled to deter eavesdropping. Digital cell phones should be acceptable for typical telework. Older cellular phones use analog technology. Analog calls can be intercepted by individuals with scanning equipment, so teleworkers should avoid using analog cell phones for discussions involving sensitive or proprietary information.
Voice over IP. There are many services that offer local and long-distance phone service over the Internet. Known as VoIP, the services convert speech to Internet messages and transmit them to a facility that interfaces with the telephone network. The party on the other end can be using any type of phone service, not just VoIP. From a security standpoint, this type of connection may be susceptible to eavesdropping because it may be carried over the local network, the Internet service provider's network, and sometimes the Internet. Because of the potential for vulnerabilities in one or more of these networks, communications carried over VoIP should not be considered secure unless some form of encryption is used. Many VoIP services now provide strong encryption, so teleworkers interested in using VoIP for telework discussions involving sensitive or proprietary information should first check with the VoIP provider to see if communications are encrypted.
WPANs are small-scale wireless networks that require no infrastructure to operate. A WPAN is typically used by a few devices in a single room to communicate without the need to physically connect devices with cables. Examples include using a wireless keyboard or mouse with a computer, printing wirelessly, synchronizing a personal digital assistant (PDA) with a computer, and allowing a wireless headset or earpiece to be used with a cell phone. The two most commonly used types of technologies for WPANs are Bluetooth and infrared. Although these two technologies have similar capabilities, they also have a few important differences. Infrared requires an unobstructed line of sight between the two devices using it, whereas Bluetooth does not. Furthermore, devices using infrared generally have to be within a meter (a few feet) of each other, whereas Bluetooth devices can be up to 100 meters (300 feet) apart, depending on output power. As Sections 5 and 6 mention, teleworkers should disable Bluetooth and infrared when they are not in use. In addition, Bluetooth users should use a personal identification number (PIN) that is at least eight characters long, preferably one that includes letters and digits. This makes it more difficult for an attacker to guess the PIN and gain access to the Bluetooth devices. For Bluetooth devices that do not support the use of long PINs (some permit only four-digit PINs), teleworkers should choose hard-to-guess PINs. Teleworkers should also configure their Bluetooth devices to encrypt their communications, if the devices support it; the devices' documentation should provide the necessary information on configuring encryption capabilities.
Wireless Broadband Data Network Technologies
Cellular phone service providers offer wireless broadband data networks, a form of mobile networking for laptops and other types of computers. This technology allows a computer to have wireless access to the Internet from nearly any location. Because of the nature of cellular communications, it is much more difficult for an attacker to eavesdrop on wireless broadband networks than WLANs, but it is still possible. Therefore, teleworkers should assume that wireless broadband communications are not sufficiently secure for transmitting sensitive information. Teleworkers should consult with their organization to determine what protection the organization's remote access solution provides before using wireless broadband to send or receive sensitive information.
When a teleworker-owned computer is no longer going to be used, it should be prepared for retirement. The computer's built-in storage devices, such as hard drives, often contain information that teleworkers might not want others to see, including their organizations' files and their personal information, such as files from tax return software. Even if the teleworker deletes all of the files from the computer, curious people who get access to the computer might be able to recover the files using free or inexpensive software utilities specifically designed to recover deleted files. Accordingly, teleworkers should ensure that all data on their computers' built-in storage devices is wiped out before donating, selling, or discarding a computer. Methods of performing these actions are as follows:
Use a third-party disk scrubbing utility. Several commercial and open source software products are available that are specially designed to remove traces of data from computers. Follow the manufacturer directions for removing data from the hard drive.
Retain the hard drive. Following the instructions in the computer manufacturer's documentation, a teleworker can remove the hard drive from the computer. If other people want to use the computer in the future, they can purchase a new hard drive and install an operating system (OS) onto the computer. This is the best option if the computer is no longer functioning properly, preventing the use of disk scrubbing utilities.
Destroy the hard drive. Hard drives can be degaussed, which involves applying a magnetic field to the drive that makes it unusable. Hard drives can also be shredded or otherwise physically destroyed through specialized equipment and services.
Teleworkers also need to ensure that removable media, printed materials, and other forms of media that may contain sensitive information are also destroyed. Many organizations provide information destruction services for their teleworkers, such as scrubbing or destroying hard drives and shredding removable media and printed materials.