A best practice guide for information technology: 12 essential rules for securing your digital equipment.
(Translated from: Guide des Bonnes Pratiques de l’informatique. 12 règles essentielles pour sécuriser vos équipements numériques.)
(www.ssi.gouv.fr/uploads/2015/03/guide_cgpme_bonnes_pratiques.pdf). Version 1.1.1 – Janvier 2017 20170111-1014. Licence Ouverte/Open Licence (Etalab – V1). Agence Nationale de la Sécurité des Systèmes d’information. ANSSI – 51, boulevard de la Tour-Maubourg – 75700 PARIS 07 SP.
By Edward Eggleston
A best practice guide for information technology: 12 essential rules for securing your digital equipment.
[This collection offers essential rules with added explanations. Some are quite familiar, yet belong in any basic, thorough list. The original document is intended for companies with fewer than 250 employees. The suggestions are also more generally useful and important.]
1. Choose passwords carefully
2. Update your software regularly
3. Identify users and service providers in your system
4. Make regular backups
5. Secure the Wi-Fi access for your organization
6. Be as careful (prudent) with smart phones or tablets as you are with (other) computers
7. Protect your data when traveling
8. Use careful judgment with email
9. Download programs from official programmer/vendor sites
10. Be vigilant when using Internet payment systems
11. Separate personal and professional IT usage
12. Take care with personal and professional information, and with your digital identity
Introduction.
Why should you implement IT security?
Although information technology plays a central role in our personal and professional lives, security is too rarely considered in its use. New technologies, present everywhere, carry new risks weighing heavily on organizations. For example: the most sensitive data (client documents, contracts, ongoing projects…) can be stolen through IT attacks or taken with loss (or theft) of a smart phone, tablet, or laptop. IT security is also a priority for all well run industrial systems (electricity provision, water distribution…). An attack on industrial IT systems can cause loss of control, stoppage, or damage to installations.
These incidents often have severe repercussions in terms of security, economic loss, and degrading an organization’s image. Nevertheless, these dangers can be greatly reduced by a group of best practices. These can be inexpensive or free, and easy to implement. For this purpose, developing organization-wide awareness for the rules of good information technology “hygiene” is fundamental. It is especially effective for limiting a great number of risks.
Resulting from a partnership between ANSSI* and the CGPME**, the objective of this guide is to give information on IT security risks and preventative measures. The emphasis is on acquiring the habits of simple (yet effective) practices. Each rule or “best practice” is accompanied by an example from ANSSI based on actual events.
* (ANSSI) Agence nationale de la sécurité des systèmes d’information [National Cybersecurity Agency of France]
** (CGPME, now CPME) Confédération des Petites et Moyennes Entreprises [French Small and Medium-Sized Employers’ Organization]
1. Choose passwords carefully
In the context of his accounting work, Julien frequently consulted accounts on an Internet banking site. For simplicity, he chose a weak password: 123456. This password was easily discovered during a cyberattack using an automated tool: which cost the company 10,000 euros [about 11,000 USD].
A password is an authentication tool, used especially for access to digital equipment and data. To effectively protect your information, choose passwords that are difficult to discover with automated tools or by a third party.
If possible, choose passwords of 12 different characters (capital and lowercase letters, numbers, special characters); that are unrelated to you (your name, date of birth…); and not found in a dictionary. Two simple methods can help to construct your passwords:
a) The phonetic method: “I bought 5 CDs for 9 dollars today”: Ibgt5CDs49$T;
b) The first letter method: « Allons enfants de la patrie, le jour de gloire est arrivé » : aE2lP,lJ2Géa! ; [The French original is used for (b) – “de’’ sounds like “2“. Both examples show some adaptation.]
Define a unique password for each sensitive area/service. Passwords protecting sensitive information (bank, professional email…) must never be reused for other functions/services.
It is preferable not to use password storage tools. If such software is used, one must use a certified solution. [The French government CSPN, “Certification de premier niveau” is listed here. The CC group, “Common Criteria for Information Technology Security Evaluation”, is another source for recommended software.]
In the workplace [enterprise]:
a) Determine rules for choosing passwords and their length, and insist on compliance;
b) Always modify the default authentication elements (identifiers, passwords) given for equipment (printers, servers, CPUs…);
c) Remind employees to never keep passwords in (as part of) a computer file or on post-it notes;
d) Make employees aware they should never store (or pre-register) passwords in Web browsing software, especially during use or connection to a public or shared computer (Internet café, “roaming” uses…)
2. Update your software regularly
Carole, system administrator of a medium sized company, did not always update her software. Unintentionally, she opened an attachment containing malware. Following this mistake, attackers could exploit a vulnerability to install software for spying on company activities.
Vulnerabilities exist in operating systems (Android, IOS, MacOS, Linux, Windows,…) and other software. Once discovered, they are corrected by programmers and offered to users in security updates. Knowing many users do not install these updates, attackers exploit these vulnerabilities a long time after their discovery and correction.
It is appropriate then, within an organization, to establish certain rules:
a) Define and require a policy of regular updates: If an IT department is present within an organization, it is responsible for OS and other software updates; if this department is not present, users must assume these tasks, under authority of the CEO.
b) Configure your programs for automatic security updates each time they are available. If not, (at least) download available updates.
c) Only use official programmer/vendor Internet sites.
(to be continued)