Computers at Penn come in all shapes and sizes. Whether you're running a "classic" desktop tower, a laptop, Windows, Mac OS X, or Linux, there are a number of basic security concepts that you should adopt to protect your data, along with every other computing asset on Penn's network. These fundamentals apply regardless of your particular hardware or operating system.
Set Strong Passwords
The single biggest computing security problem today is weak selection and management of passwords. Most systems rely heavily on passwords for authenticating user access. Therefore, Penn recommends that you choose a strong password with the following characteristics:
- Is at least eight characters long
- Contains a mixture of uppercase letters (A-Z), lowercase letters (a-z), digits (0-9) and special characters (@#$%*, etc.)
- Does NOT contain whole dictionary words
- Avoids names, dates or phrases that people with personal knowledge of you might be able to guess
For additional guidance on setting a strong password visit PennKey Password Guidelines at https://pennkeysupport.upenn.edu/password-guidelines.
One commonly used technique for creating a strong password is to think of a phrase that has meaning only to you and take the first letter of each word, keeping the punctuation, to assemble the password. For example, Orange elephants invade Alaska; film at eleven would yield OeiA;fae.
Another technique is to use a passphrase: a long password that may be a full sentence with spaces and punctuation. For example, I walk my dog at 6:00 pm every day could become 1 Walk my Dog @6PM everyDay. Because the effort needed to guess a password grows exponentially with its length, passphrases are far stronger than short passwords, especially if you mix uppercase and lowercase letters, digits and special characters as recommended. Keep in mind that common substitutions such as 1 for I or @ for at are built into password-cracking tools; it is the length of the phrase, not the substitutions, that provides most of the strength.
Once you select a strong password or passphrase, don't share it with anyone and don't write it down.
An alternative is to use a password manager. Software such as LastPass generates strong, unique passwords for you, stores them in an encrypted vault that is unlocked with a single master password, and makes them available across multiple devices and websites. Because the master password protects everything else, make it the strongest passphrase you use and never reuse it anywhere else.
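The rules and the two derivation techniques above can be checked mechanically. The following is an added example written for this page, not Penn's own tooling: it scores a candidate against the four rules, builds the first-letter password from a phrase the way the text describes, and compares a naive keyspace estimate for the page's two sample passwords. The word list is a constructed stand-in for a real dictionary, and two choices are assumptions rather than stated policy: a mixture of three of the four character classes is accepted (the page's own example OeiA;fae has no digit), and the dictionary-word rule is relaxed once a candidate is passphrase length, since the page's own passphrase contains ordinary words.

```python
import math
import re

# Constructed stand-in for a dictionary; a real check would load the system
# word list (for example /usr/share/dict/words).
DICTIONARY = {"orange", "elephants", "invade", "alaska", "film", "eleven",
              "password", "welcome", "walk", "everyday", "summer", "penn"}

UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")
SPECIALS = set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")  # the 33 printable ASCII non-alphanumerics


def character_classes(pw):
    """Return the character classes present in pw as (name, pool size) pairs."""
    present = []
    for name, pool in (("upper", UPPER), ("lower", LOWER),
                       ("digit", DIGITS), ("special", SPECIALS)):
        if any(c in pool for c in pw):
            present.append((name, len(pool)))
    return present


def check_policy(pw, min_classes=3, passphrase_len=16):
    """Return the rules a candidate fails; an empty list means it passes.

    Assumptions: three of the four classes count as "a mixture", and the
    whole-dictionary-word rule applies only below passphrase length.
    """
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if len(character_classes(pw)) < min_classes:
        failures.append("needs a mixture of upper, lower, digits and specials")
    if len(pw) < passphrase_len:
        for word in re.findall(r"[A-Za-z]+", pw):
            if len(word) >= 4 and word.lower() in DICTIONARY:
                failures.append(f"contains dictionary word {word!r}")
    return failures


def phrase_to_password(phrase):
    """First letter of each word, keeping punctuation attached to that word."""
    pieces = []
    for token in phrase.split():
        pieces.append(token[0] + "".join(c for c in token[1:] if not c.isalnum()))
    return "".join(pieces)


def estimate_bits(pw):
    """Naive keyspace estimate: length * log2(size of the pool of classes used).

    This is an upper bound only: cracking tools exploit phrases, dictionary
    words and leet substitutions, so real-world strength is lower.
    """
    pool = sum(size for _, size in character_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate in ("OeiA;fae", "1 Walk my Dog @6PM everyDay", "Password1!", "abcdefgh"):
        verdict = check_policy(candidate) or "passes"
        print(f"{candidate!r:32} {estimate_bits(candidate):6.1f} bits  {verdict}")
```

Running it shows why the page prefers passphrases: the eight-character acronym scores roughly 51 bits under this crude model, while the 27-character passphrase scores over 170, even though both pass the policy.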
Stop, Think, Don't Click
If you receive an email attachment that you weren't expecting, or that comes from someone you don't know, chances are it carries some variety of "malware." Malware, short for malicious software, includes viruses, trojans, worms and backdoor programs. A malicious attachment is typically programmed to execute when you open it. It may carry an executable or script extension such as .exe, .pif, .scr or .vbs, or it may be a document (a .pdf or an Office file) with an embedded script or macro. Windows hides known extensions by default, so a file named invoice.pdf.exe is displayed as invoice.pdf.
In short, if you are not confident about an attachment, where it came from or who sent it, DON'T OPEN IT! If in doubt, scan it with anti-virus software to see if anything is lurking inside, or verify with the sender by phone or by a separate email (not by replying to the suspicious message, which may go straight back to the attacker).
Also, be cautious when clicking on hyperlinks in emails. A link can lead to a page that downloads malware or to a fake login page that collects your password. When in doubt, hover over the link to see the actual destination before clicking; if it doesn't match the link text or the sender, don't click it, and scan any file it delivers with anti-virus software before opening it.
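The attachment advice above can be turned into a triage check that looks at what a file actually is rather than what its name appears to be. This is an added example written for this page, not Penn's or any mail gateway's code. The extension lists are an assumed, representative subset (real gateways maintain far longer ones); the filenames below are constructed. Beyond the double-extension trick the text mentions, it also catches the Unicode right-to-left override (U+202E), which makes a name such as annual_report[U+202E]fdp.exe display as "annual_report exe.pdf".

```python
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of the name is displayed

# Assumed, representative lists; a production gateway would carry many more entries.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "vbe", "js", "jse",
                   "wsf", "hta", "msi", "ps1", "lnk"}
ACTIVE_DOC_EXTS = {"pdf", "doc", "docm", "dot", "dotm", "xls", "xlsm", "xlsb",
                   "ppt", "pptm", "rtf"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}


def triage_attachment(filename):
    """Classify a mail attachment name as ('block' | 'caution' | 'scan', reasons).

    'scan' means nothing suspicious in the name itself; the page still says to
    run it through anti-virus before opening.
    """
    reasons = []
    name = filename.strip().lower()

    rlo_present = RLO in name
    if rlo_present:
        reasons.append("right-to-left override character disguises the real extension")
        name = name.replace(RLO, "")

    # Split on dots and strip each piece: attackers pad with spaces so that
    # "resume.pdf<many spaces>.exe" shows only "resume.pdf" in a narrow column.
    parts = [p.strip() for p in name.split(".")]
    exts = [p for p in parts[1:] if p]
    real_ext = exts[-1] if exts else ""

    if len(exts) > 1:
        reasons.append(f"double extension .{'.'.join(exts)}; Windows hides the last one by default")
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f".{real_ext} runs as a program or script when opened")
    elif real_ext in ACTIVE_DOC_EXTS:
        reasons.append(f".{real_ext} document can carry macros or embedded scripts")
    elif real_ext in ARCHIVE_EXTS:
        reasons.append(f".{real_ext} archive hides its contents from a quick look; inspect before extracting")
    elif not real_ext:
        reasons.append("no extension; the type is unknown until opened")

    if rlo_present or real_ext in EXECUTABLE_EXTS:
        return "block", reasons
    if reasons:
        return "caution", reasons
    return "scan", reasons


if __name__ == "__main__":
    # Constructed sample attachment names.
    for fn in ("invoice.pdf.exe", "resume.pdf                      .exe",
               "annual_report\u202efdp.exe", "Budget Q3.xlsm", "archive.zip", "photo.jpg"):
        verdict, why = triage_attachment(fn)
        print(f"{verdict:8} {fn!r}  {'; '.join(why)}")
```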
Use Anti-Virus Software
Penn provides guidance on "Antivirus for desktops and laptops" for both Windows and Macintosh operating systems and offers an antivirus solution to Penn users at no cost. To obtain a copy, visit the Supported Products website at http://www.upenn.edu/computing/product/. Once installed, be sure to update the virus signature files regularly. The ISC Office of Information Security recommends you update your anti-virus signatures at least weekly (most products can do this automatically; confirm that automatic updates are turned on) and set the software to run a scheduled weekly scan.
Check the Source
Uploading and downloading files through peer-to-peer (P2P) networks such as KaZaa, LimeWire and BitTorrent is on the rise. When you purchase and download software from a well-known commercial website, there is a high level of confidence that you are dealing with reputable people, and the transaction is usually done over a secured connection. In many cases, though, you can't be entirely sure who or what is at the other end, or whether you can trust the files you're getting. Therefore, it's a good idea to run downloaded files through your anti-virus software before opening or installing them and, where the publisher provides a checksum or digital signature, to check the file against it.
If you're running peer-to-peer file-sharing software, review the sharing settings for the entire directory structure to make sure that nothing has been changed without your knowledge. And be on the lookout for the sudden appearance of files that you don't recognize and/or don't recall downloading. "Mystery" files may be a sign that someone has gained access to your system without your knowledge.
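Spotting "mystery" files by eye is unreliable in a large download or share folder; a hash inventory makes the comparison exact. The block below is an added example for this page, not a Penn tool: it records the SHA-256 of every regular file under a directory, saves that baseline as JSON, and later reports files that were added, removed or changed. The demo builds a constructed folder in a temporary directory, baselines it, then alters one file and plants a hidden executable so the comparison has something to find.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large downloads don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (slash-separated relative path) to its SHA-256."""
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files; we want real content
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = sha256_of(full)
    return inventory


def compare(before, after):
    """Diff two snapshots into added, removed and changed paths."""
    old, new = set(before), set(after)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if before[p] != after[p]),
    }


def save_baseline(inventory, path):
    with open(path, "w") as f:
        json.dump(inventory, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    """Helper for the demo: create a file at a slash-separated relative path."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed download folder, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "music/track01.mp3", b"constructed audio bytes")
        _write(root, "paper.pdf", b"constructed pdf bytes")
        baseline_file = os.path.join(root, "..", "baseline.json")
        save_baseline(snapshot(root), baseline_file)

        # Later: one file altered, one "mystery" hidden executable appears.
        _write(root, "music/track01.mp3", b"constructed audio bytes, now altered")
        _write(root, "music/.helper.exe", b"constructed executable bytes")

        result = compare(load_baseline(baseline_file), snapshot(root))
        os.remove(baseline_file)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline somewhere the shared folder can't reach (the demo writes it one level above the tree); an intruder who can edit the folder can otherwise edit the baseline to match.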
Attend to Your Computer
This is very important not only when using your personal computer in your office or dorm room, but also when you are using public lab computers. If you forget to log off a lab, office, dorm, or public computer after finishing your session, you give the next user an open door into your account, which they can use to access personal information including your email and financial data. They could also change your password and lock you out.
Whenever you get up and leave your computer logged in, especially if you are working in an open suite or cubicle, you provide an opportunity for someone to physically compromise your system. It takes less than a minute to install a backdoor program that will allow them to remotely access and control your computer or install Spyware that enables them to view everything on your screen.
All major operating systems provide the ability to lock and password-protect the screen and system so that an unauthorized person with physical access cannot tamper with your computer. Lock it whenever you step away, and set it to lock automatically after a few minutes of inactivity in case you forget.
There is a risk in leaving your computer unattended even for a few seconds. Thieves could be watching while you check out a book at the library or pick up your cup of coffee. Always back up your data to an external hard drive, a designated server or a secure cloud service such as Box, and enable full-disk encryption so that a stolen machine does not also hand over your data.
Protect Your Physical Data
Sometimes it's necessary to print out copies of important or sensitive data. Keep important printouts in a secure location away from prying eyes, and when you don't need them anymore, shred them. Crosscut personal shredders are inexpensive and useful for disposing of confidential printouts, junk mail, credit card offers, and other printed material that may contain Personally Identifiable Information (PII) that could be used to steal your identity. PII refers to pieces of information that could potentially identify an individual, including your name, birthdate, and credit card or ID number. It may also include Social Security numbers, biometric data (unique physical characteristics such as fingerprints, facial features, DNA, retina patterns, etc.), and bank account numbers.
Patch Your Operating System and Software
Malicious individuals are continually probing and testing for vulnerabilities in all the major computer operating systems. When a vulnerability is found, the company that markets and distributes the operating system rushes to develop a "patch" that fixes the problem and makes it available at no charge. The problem is, many users rarely check for available patches and system upgrades. An unpatched computer can be hijacked and used, alongside thousands of others, to launch a Distributed Denial of Service (DDoS) attack, in which the attacker floods a target with traffic until it is paralyzed.
Similarly, unpatched software applications are an invitation for hackers to access and remotely control your computer. DON'T LET THIS HAPPEN! All the major operating system vendors, including Microsoft and Apple, offer mechanisms that let you regularly check for updates and apply them relatively easily. When updates appear, apply them promptly and reboot if the update requires it. The same goes for the applications you install on top of the operating system, such as browsers and office suites, which have their own update mechanisms.
Disable Software You Don't Use
All major operating systems come packaged with application and server software, and these services are often turned on by default with little explanation of what they do and little flexibility in their configuration. In general, the more services you have running on your computer, the more potential targets you create for hackers. Such services include standard features like ftp and telnet (both of which send passwords across the network in cleartext), Samba file sharing, SQL database servers, and SMTP (an email server). If you need a service and fully understand its configuration, keep it running. Otherwise, don't turn it on; if it's running by default, turn it off.
When considering what services should be running on your system, here are a few easy rules of thumb:
- If you don't know what it is or what it does, don't turn it on. If you find out later that you need it, you can go back and turn it on.
- If it's on, and you don't need it, turn it off.
- If it's off, and you don't need it, don't turn it on.
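Applying the rules of thumb starts with knowing what is actually listening. The block below is an added example for this page, not a Penn tool: it parses the output of `ss -tlnp` (the Linux listening-socket listing; the text embedded here is a constructed sample, not captured from a real host) and flags the services the section names, distinguishing those exposed on all interfaces from those bound only to loopback. The port-to-service mapping assumes the standard port assignments.

```python
import re

# Services named in the section, keyed by the ports they normally listen on
# (assumption: standard port assignments).
RISKY_PORTS = {
    21: "ftp (cleartext credentials)",
    23: "telnet (cleartext credentials)",
    25: "SMTP mail server",
    587: "SMTP submission",
    139: "Samba/NetBIOS",
    445: "Samba/SMB",
    1433: "SQL Server",
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
}

# Constructed sample in the layout of `ss -tlnp`; not from a real machine.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*           users:(("sshd",pid=812,fd=3))
LISTEN  0       5        0.0.0.0:21            0.0.0.0:*           users:(("vsftpd",pid=1234,fd=4))
LISTEN  0       50       0.0.0.0:445           0.0.0.0:*           users:(("smbd",pid=1301,fd=36))
LISTEN  0       100      127.0.0.1:25          0.0.0.0:*           users:(("master",pid=1402,fd=13))
LISTEN  0       80       0.0.0.0:3306          0.0.0.0:*           users:(("mysqld",pid=1500,fd=21))
LISTEN  0       128      [::]:23               [::]:*              users:(("inetd",pid=700,fd=5))
"""

# Address and port are split on the last colon so IPv6 forms like [::]:23 parse too.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def parse_listeners(text):
    """Turn ss output into a list of {addr, port, process, exposed} dicts."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-LISTEN line
        addr = m.group("addr")
        listeners.append({
            "addr": addr,
            "port": int(m.group("port")),
            "process": m.group("proc") or "?",
            "exposed": addr in WILDCARD_ADDRS,
        })
    return listeners


def review(listeners):
    """Report every listener on a port the section warns about, with its exposure."""
    findings = []
    for l in listeners:
        service = RISKY_PORTS.get(l["port"])
        if service is None:
            continue
        findings.append({**l, "service": service})
    return findings


def to_disable(findings):
    """Rule of thumb: a risky service reachable from the network that you did not
    deliberately configure should be turned off. Returns ports, lowest first."""
    return sorted(f["port"] for f in findings if f["exposed"])


if __name__ == "__main__":
    found = review(parse_listeners(SAMPLE_SS))
    for f in found:
        scope = "ALL INTERFACES" if f["exposed"] else "loopback only"
        print(f"port {f['port']:5} {f['service']:32} [{f['process']}] {scope}")
    print("candidates to disable:", to_disable(found))
```

On a real Linux host, feed it the output of `ss -tlnp` run as root (so process names are visible); sshd on port 22 is deliberately not in the list, since it is not one of the services the section names.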
Avoid Social Engineers
Social Engineering refers to techniques used by malicious individuals who manipulate users into sharing confidential information. A social engineer is that guy who walks into a busy office, acting as if he belongs, and announces he’s been sent to fix the president's computer; he will impatiently demand to be shown where it is, then calmly state, "I need his user name and password.” Sometimes he'll call on the phone: “This is Joe from the Help Desk. There's a problem with your account, and I need your password to fix it."
Cyber criminals use social engineering tactics because it is easier to exploit people's natural inclination to trust than to find a technical way into your computer or data. One of the most common social engineering tactics is email phishing. A phishing message may carry one or more of the following characteristics:
- Contains a link that either downloads malicious code when clicked or leads to a well-crafted web page that looks legitimate and lures users into entering their username and password.
- Carries an attachment with embedded malicious software that executes when the user opens it.
- Pressures users to act urgently, either to avoid losing access to information or network connectivity or to help someone in need.
- Asks users to provide confidential information such as account credentials (e.g. your PennKey password) or Social Security numbers in a reply.
- Is addressed generically rather than to a specific individual, e.g. Dear User or Dear Staff.
Don't become a victim
To avoid becoming a victim of email phishing scams:
- Hover over a link in the message before clicking on it and look at the host name of the real destination (the part between https:// and the first slash). If it doesn't end in a domain you recognize, don't click. For example, a URL for an online function of PNC bank should end in pnc.com, e.g. https://www.onlinebanking.pnc.com/. The domain must be the last part of the host name: pnc.com.example.net or example.net/pnc.com belong to example.net, not to PNC.
- Don't open an attachment from entities or individuals you are not expecting to hear from. Call the sender, using a number you already have rather than one printed in the message, to make sure the message came from them.
- Don't respond to emails asking you to provide your username and password or Social Security number. Banks, government entities, and Penn will not ask you for such information in an email.
- Install and run anti-virus software and keep it up to date with the latest virus definitions by running weekly updates.
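The hover-over check in the first bullet is easy to get wrong by eye, because "pnc.com" can appear almost anywhere in a crafted URL. The block below is an added example for this page, not Penn's or any vendor's code: it extracts the host the browser would really connect to, tests whether that host is the expected domain or a subdomain of it, and catches the common tricks (a user:password@ prefix that puts the real bank name before an @, the real domain buried in the path or used as a subdomain of another site, and punycode hosts that mimic Latin letters). The expected domain (pnc.com, from the page) is passed in by the caller; all URLs below are constructed samples.

```python
from urllib.parse import urlsplit


def hostname_of(url):
    """The host the browser will actually connect to: no userinfo, port, path or query."""
    host = urlsplit(url.strip()).hostname or ""  # urlsplit drops user:pass@ and :port
    return host.lower().rstrip(".")


def belongs_to(url, domain):
    """True only if the host is the domain itself or a subdomain of it.

    'notpnc.com' must not match 'pnc.com', hence the leading dot in the suffix test.
    """
    host = hostname_of(url)
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def check_link(display_text, href, expected_domain):
    """Mimic hovering over a link: returns ('ok' | 'caution' | 'suspicious', reason)."""
    parts = urlsplit(href.strip())
    host = hostname_of(href)

    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    if parts.username is not None:
        # https://www.pnc.com@198.51.100.7/ connects to 198.51.100.7, not PNC
        return "suspicious", f"userinfo {parts.username!r} hides the real host {host!r}"
    if not belongs_to(href, expected_domain):
        return "suspicious", f"destination host {host!r} is not under {expected_domain}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"punycode host {host!r} may be a look-alike domain"
    if "://" in display_text and hostname_of(display_text) != host:
        return "suspicious", f"link text shows {hostname_of(display_text)!r} but goes to {host!r}"
    if parts.scheme == "http":
        return "caution", "not https; credentials would travel in cleartext"
    return "ok", f"host {host!r} is under {expected_domain}"


if __name__ == "__main__":
    # Constructed sample links in the style of a phishing triage.
    samples = [
        ("https://www.onlinebanking.pnc.com/", "https://www.onlinebanking.pnc.com/"),
        ("https://www.pnc.com/", "https://www.pnc.com.account-verify.example/"),
        ("https://www.pnc.com/", "https://www.pnc.com@198.51.100.7/"),
        ("Click here to verify", "https://example.net/pnc.com/login"),
        ("https://www.pnc.com/", "https://login.pnc.com/"),
        ("Sign in", "http://www.pnc.com/"),
    ]
    for text, href in samples:
        verdict, why = check_link(text, href, "pnc.com")
        print(f"{verdict:10} {href:48} {why}")
```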
Stop Scanning Without Permission
Malicious individuals are constantly scanning the network for vulnerable machines to attack or to use as launch points for further attacks. Scanning can also be used legitimately to alert a system owner to the vulnerabilities that are present and what can be done to remove or lessen them. Many network-scanning tools can be downloaded for free and are easy to run, but running scans on Penn's network, or against systems, without permission from Penn Information Systems and Computing isn't allowed and is considered a violation of the Acceptable Use Policy.
Penn Information Security can scan your PennNet-connected system for vulnerabilities, provided you contact us and make arrangements in advance. Contact us at security@isc.upenn.edu.