A best practice guide for information technology: 12 essential rules for securing your digital equipment.

(Translated from: Guide des Bonnes Pratiques de l’informatique. 12 règles essentielles pour sécuriser vos équipements numériques.)

(www.ssi.gouv.fr/uploads/2015/03/guide_cgpme_bonnes_pratiques.pdf). Version 1.1.1 – Janvier 2017 20170111-1014. Licence Ouverte/Open Licence (Etalab – V1). Agence Nationale de la Sécurité des Systèmes d’information. ANSSI – 51, boulevard de la Tour-Maubourg – 75700 PARIS 07 SP.

By Edward Eggleston


(Part 4)

A best practice guide for information technology: 12 essential rules for securing your digital equipment.

[This collection offers essential rules with added explanations. Some are quite familiar, yet belong in any basic, thorough list. The original document is intended for companies with fewer than 250 employees. The suggestions are also more generally useful and important.]

The complete topic list.
1. Choose passwords carefully
2. Update your software regularly
3. Identify users and service providers in your system
4. Make regular backups
5. Secure the WiFi access for your organization
6. Be as careful (prudent) with smart phones or tablets as you are with (other) computers
7. Protect your data when traveling
8. Use careful judgment with email
9. Download programs from official programmer/vendor sites
10. Be vigilant when using Internet payment systems
11. Separate personal and professional IT usage
12. Take care with personal and professional information, and with your digital identity


 

7. Protect your data when traveling
In an airport, Charles was sympathetic toward another traveler claiming a mutual acquaintance. When this person asked if he could charge his smart phone in his laptop, Charles did not suspect anything. The stranger used this chance to remove very confidential business data from the laptop.

Laptops, smart phones, and tablets make business travel easier. They can simplify data transport and exchange. Traveling with mobile devices also poses significant risks for theft or loss concerning sensitive information. The consequences of such loss for an organization can be considerable. It is appropriate (and perhaps necessary) to consult an IT travel security guide from ANSSI. [A similar guide for US citizens is provided by the State Department’s Overseas Security Advisory Council (OSAC).]

Before professional travel:
a) Only bring necessary equipment on the trip (laptop, removable hardware, phones), and these devices should only contain required data.
b) Backup data first, in case of loss during travel.
c) If you plan to work en route, bring a screen protection filter for the computer.
d) Place a marker (such as a colored sticker) on your equipment to assure there are no mixups during travel.
e) Make sure passwords are not stored in your mobile systems.

During professional travel:
a) Keep all equipment and files with you during travel and your stay (do not leave them in an office or hotel room).
b) Turn off WiFi and Bluetooth functions on your equipment.
c) Remove the SIM card and battery from your phone if you must leave it, give it to someone, etc.
d) Tell your company if foreign authorities inspect or seize your equipment.
e) Do not use equipment offered to you if you cannot have it verified by a trusted security group.
f) Avoid connecting your equipment to other equipment without complete confidence in its security. For example, if you need to exchange documents during a commercial presentation, use a USB stick intended only for this purpose, and erase the data afterward with secure erasure software.
g) Refuse to let third parties connect their equipment to yours (smart phone, USB stick, mp3 player…).

After professional travel:
a) Erase call and navigation histories.
b) Change all passwords used during the trip.
c) If possible, have your equipment analyzed after the trip.
d) Never use USB sticks offered during your travels (receptions, meetings, excursions …): highly valued by attackers, they might contain malicious programs.

8. Use careful judgment with email
After receiving an email appearing to be from a coworker, Jean-Louis clicked on a link in the message. The link was a trap. Without his knowledge, his computer was used afterward to distribute email containing child pornography.

Email and attachments often play a central role in computer attacks (fraudulent email, attachments with viruses, etc.).

When you receive email, take the following precautions:
a) The identity of the sender is not at all guaranteed: verify the coherence between the sender and the message content. If there is any doubt, do not hesitate to contact the sender directly.
b) Never open attachments sent originally to unknown recipients, or if the title or format appears inconsistent with files typically sent/shared among your contacts.
c) If there are links in an email, pass the mouse over them before clicking. The complete site address will appear in the status bar of the browser in the lower left part of the window (if this feature is enabled). This can help to verify the safety of the link.
d) Never respond by email to a request for personal or confidential information (ex.: PIN number or bank card number). Email is sometimes sent under the guise of a tax office (or other similar group) to take such personal information. This type of attack is known as “phishing”.
e) Never open or resend chain letters, appeals for a cause (“appels à la solidarité”), false security alerts (“scareware”), etc.
f) Do not set your system to automatically open downloaded documents. Download and scan them with antivirus software before opening them to ensure they do not contain a known virus.