- Home
- About Us & Project Introduction
- What Are "Cyber Security" and "Cyber Attack"?
- Why Does Cyber Security Matter?
- International and Local Cooperation on Cyber Attacks
- Simple Steps Towards Enhanced Cyber Security
- Educating the Public
- Video Reviews & Useful Resources
- Bibliography
- Acknowledgements
Simple Steps Towards Enhanced Cyber Security (with a touch of theory)
Most guides you can find on the internet will instruct you to install extra software, take note of this and that etc. in securing your computer. We do the same - but we hope to include discussions regarding misconceptions of cyber security that we commonly have as ultimately (as of the this time of writing), it is human decisions and mindsets that determine the workings of computers.
Remember that computers, as powerful as they seem, are nevertheless operated and dictated to by human beings.
The Myth of '100% secure'
Now, some individuals might think that if they have the most vigorously-tested security software installed on their systems, they will be safe from all threats. When something goes wrong on what they think are 100% secure systems, they might still hold on to the belief that these computers just weren't 'prepared' enough, just as how a parent might feel about a child who did not manage a full score in a recent test.
There's 2 problems to this mode of thinking.
Firstly, it is almost impossible to ascertain "100% secure" for any one computer system because security bugs (problems) in software (that allow malware to cause disruptions to the normal functioning of a computer will) always appear and are often not immediately apparent to the programmer who is writing code since commercial software development teams are usually small, with little peer-review possible due to the treatment of program source code as trade secrets.
Hence, the largely closed nature of commercial software development discourages the discovery and fixing of bugs quickly, leaving security bugs here and there in software installed and used by users everyday.
Secondly, security is a balance of trade-offs and should be viewed in shades of Gray. For one, connecting to the internet opens up the possibility that internet worms could enter your computer. Does that mean that this is completely undesirable? Well, you need your connection to get your work done, don't you?
As you can see, a security risk posed could be the other side of the coin to a convenience or necessity. This shifts our perspectives regarding our actions on the computer. We should stop looking at actions in black and white like this: 'this action is secure' , 'this action isn't'.
Try 'is this convenience I take worth the risk?' - by judging for ourselves based on cases, we would be more in touch with the reality of implementing security as a means to protect computers.
Security does not solely depend on technical infrastructure
Even if there is a '100% secure' solution on the market right now, it does not necessarily result in a safe computing experience for buyers. In the new threats posed by social engineering, more often than not the uninformed user is the main source of concern.
Take for example the situation where a malware is delivered onto a system which is “fully protected” by security software. If the user decides to ignore the warnings given by his operating system and to run unverified programs and even granting them administration privileges so that they can do anything they want, he/she’s pretty much compromised his system, handing over the keys of control over to the attacker. As much as we tend to focus on the technical aspects of computer security, the “human interaction” element is just as important. In short, Security isn't completely physical and involves both infrastructure and policy.
A somewhat simpler example could be put this way: Imagine a bank owner who wants to secure his banks from robbery. So he employs security guards, say, 8 for each branch. They are the toughest guys in town, made up of ex-grunts and marines. Now, what would be the point of employing these guys if they sipped colas all day long, slept on night shift and had no fixed set of duties? Would they be of any use if the bank owner is cajoled into inviting a Al-Capone type and his entire gang into the bank for a little poker?
The physical infrastructure put in place are not sufficient. We need guiding principles that will put defences into work.
At last, here's the guide with a disclaimer:
This is by no means a guarantee for a completely secure computing environment.
1. Install security software such as Antivirus/Antimalware Software, Firewalls, or Intrusion Detection Systems as well as putting in place sound security policies, e.g. scanning the entire computer twice a week.
2. Choose software known for their security. Google Chrome and Firefox are good examples of web browsers which are more secure than the commonly used Internet Explorer.
3. Use encryption to prevent your private information from being read and analyzed. GnuPG for email, HTTPS Everywhere for web-browsing and TrueCrypt/Bitlocker for files. This will prevent attackers from making sense of data even if it is captured.
4. If a deal looks like it’s too good to be true, you are probably right. Many pirated games and applications are loaded with Trojan Horses which "piggy-back" on the software, comitting undesirable actions like stealing data or making your computer part of a 'zombie' network, known as a botnet.
5. Keep your software updated. Software vendors regularly release “patches” which fix vulnerabilities that malware exploit in operating systems.
6.Strong Passwords are a crucial guard against brute-force attacks that attempt to permutate all possible combinations of a password in order to gain access to a system or account. We advise you use one with >8 characters, comprising of numbers and characters. Keep this password unique to a single account. In the case that attackers discover one password, they cannot continue to access other online accounts of yours with this password.
7. Recognize social engineering such as email containing mysterious website links or pop-up advertisementsinformation. Senders often pose as companies, and will attempt to convince you in handing over information. Check the integrity of the sender before replying.
8.Remember to log out of online accounts after accessing them on computers, especially if they belong to others.
9. While not strictly part of "locking down" a system to security threats, backing up will prevent data lost and help you to recover your systems quickly. When our forefathers warned that we should "never put all our eggs in one basket", they were right!
Remember that computers, as powerful as they seem, are nevertheless operated and dictated to by human beings.
The Myth of '100% secure'
Now, some individuals might think that if they have the most vigorously-tested security software installed on their systems, they will be safe from all threats. When something goes wrong on what they think are 100% secure systems, they might still hold on to the belief that these computers just weren't 'prepared' enough, just as how a parent might feel about a child who did not manage a full score in a recent test.
There's 2 problems to this mode of thinking.
Firstly, it is almost impossible to ascertain "100% secure" for any one computer system because security bugs (problems) in software (that allow malware to cause disruptions to the normal functioning of a computer will) always appear and are often not immediately apparent to the programmer who is writing code since commercial software development teams are usually small, with little peer-review possible due to the treatment of program source code as trade secrets.
Hence, the largely closed nature of commercial software development discourages the discovery and fixing of bugs quickly, leaving security bugs here and there in software installed and used by users everyday.
Secondly, security is a balance of trade-offs and should be viewed in shades of Gray. For one, connecting to the internet opens up the possibility that internet worms could enter your computer. Does that mean that this is completely undesirable? Well, you need your connection to get your work done, don't you?
As you can see, a security risk posed could be the other side of the coin to a convenience or necessity. This shifts our perspectives regarding our actions on the computer. We should stop looking at actions in black and white like this: 'this action is secure' , 'this action isn't'.
Try 'is this convenience I take worth the risk?' - by judging for ourselves based on cases, we would be more in touch with the reality of implementing security as a means to protect computers.
Security does not solely depend on technical infrastructure
Even if there is a '100% secure' solution on the market right now, it does not necessarily result in a safe computing experience for buyers. In the new threats posed by social engineering, more often than not the uninformed user is the main source of concern.
Take for example the situation where a malware is delivered onto a system which is “fully protected” by security software. If the user decides to ignore the warnings given by his operating system and to run unverified programs and even granting them administration privileges so that they can do anything they want, he/she’s pretty much compromised his system, handing over the keys of control over to the attacker. As much as we tend to focus on the technical aspects of computer security, the “human interaction” element is just as important. In short, Security isn't completely physical and involves both infrastructure and policy.
A somewhat simpler example could be put this way: Imagine a bank owner who wants to secure his banks from robbery. So he employs security guards, say, 8 for each branch. They are the toughest guys in town, made up of ex-grunts and marines. Now, what would be the point of employing these guys if they sipped colas all day long, slept on night shift and had no fixed set of duties? Would they be of any use if the bank owner is cajoled into inviting a Al-Capone type and his entire gang into the bank for a little poker?
The physical infrastructure put in place are not sufficient. We need guiding principles that will put defences into work.
At last, here's the guide with a disclaimer:
This is by no means a guarantee for a completely secure computing environment.
1. Install security software such as Antivirus/Antimalware Software, Firewalls, or Intrusion Detection Systems as well as putting in place sound security policies, e.g. scanning the entire computer twice a week.
2. Choose software known for their security. Google Chrome and Firefox are good examples of web browsers which are more secure than the commonly used Internet Explorer.
3. Use encryption to prevent your private information from being read and analyzed. GnuPG for email, HTTPS Everywhere for web-browsing and TrueCrypt/Bitlocker for files. This will prevent attackers from making sense of data even if it is captured.
4. If a deal looks like it’s too good to be true, you are probably right. Many pirated games and applications are loaded with Trojan Horses which "piggy-back" on the software, comitting undesirable actions like stealing data or making your computer part of a 'zombie' network, known as a botnet.
5. Keep your software updated. Software vendors regularly release “patches” which fix vulnerabilities that malware exploit in operating systems.
6.Strong Passwords are a crucial guard against brute-force attacks that attempt to permutate all possible combinations of a password in order to gain access to a system or account. We advise you use one with >8 characters, comprising of numbers and characters. Keep this password unique to a single account. In the case that attackers discover one password, they cannot continue to access other online accounts of yours with this password.
7. Recognize social engineering such as email containing mysterious website links or pop-up advertisementsinformation. Senders often pose as companies, and will attempt to convince you in handing over information. Check the integrity of the sender before replying.
8.Remember to log out of online accounts after accessing them on computers, especially if they belong to others.
9. While not strictly part of "locking down" a system to security threats, backing up will prevent data lost and help you to recover your systems quickly. When our forefathers warned that we should "never put all our eggs in one basket", they were right!