Telecommuters must do as much as possible to keep company information safe while it is on their system and while being transmitted back and forth from them to the company. Being lax with security can not only jeopardize sensitive information but also the respectability of the telecommuter.
In this report we will discuss some of the challenges that Alice, a telecommuter working for an oil company, will face, and issues she must consider when trying to keep her system secure and the data housed within safe.
There are many risks associated with being ‘online’, discussing all of them goes well beyond the scope of this report. In this report we will discuss the most common pitfalls and issues faced by all users today: common vulnerabilities, corrective measures, and access controls.
Alice works from home for an oil company. Alice deals with confidential information and must do more to keep this data safe on her home computer, as well as when she is transmitting this data to her employer. Covered in this report are some of the issues Alice and her employer face. Also covered in this report are ways Alice can better protect the information housed in the computer, and ways that data transmittal can be more secure.
There are many risks when using the computer and internet. Some attacks are aimed directly at specific systems; other attacks are indirect, affecting a system because of information garnered from another computer. Though it might seem an impossible task, protecting a system and data can be achieved by learning about the risks and recommended ways of fixing them. The information gathered in this report came from internet reference materials as well as authoritative sites on computer security, systems, and applications.
The hardware, software and downloads mentioned in this report are widely known and accepted as preventative measures and fixes for nefarious acts. No specific brands are mentioned other than Microsoft, because of the assumption that Alice is using Windows XP Professional.
There are more risks mentioned than corrective measures because many of the measures offer protection from more than one risk.
Social engineering and human error were intentionally left out of this report, as we assume that Alice is versed in maintaining confidentiality, and protects her passwords, as well as her office and computer. Other assumptions made in this report are common and hence justifiable.
Scope of Report
This report will review the methods by which Alice can improve the security of the data she retains on her home computer and how the company can help Alice have a more secure internet connection.
a.) using a direct connection to the Internet
b.) is not using an antivirus program, or hard/software firewall
c.) not sure if she stays current with operating system and application updates and patches
d.) using email and instant messaging.
e.) using Microsoft Windows XP
c.) Trojan horse
b.) instant messaging
Corrective Measures for Security
1.) Access Controls
a.) password protect computer and connections
b.) strong passwords
c.) file encryption
a.) operating systems
a.) download and install patches and service packs
a.) install and update
b.) renew subscription
Measures for Security
There are several security measures Alice and the company she works for can use to help protect the data on Alice’s computer and as it is being transmitted to the employer. Alice and her employer must also decide who will be in charge of which security measures. The company should take a proactive approach to security and not leave the protection of company data to telecommuters.
File encryption converts data stored on a hard disk into a format that can’t be read by others. EFS (Encrypting File Systems) is included in Windows XP Professional, but not Windows XP Home Edition (Microsoft support, 2004). File encryption can help protect data in case a virus, Trojan, worm or other malicious infiltrator gets into the system. When a file is encrypted an encryption key is created for the user. The file will remain encrypted, and an access error report is generated preventing file viewing, for anyone other than the original user. With the encryption key, a file can be viewed, edit and decrypted. There are more advanced encryption programs on the market, and after reviewing their capabilities Alice should purchase a better package. The EFS built into Windows XP is good, but there are more advanced programs on the market.
Passwords are not created equal. To be considered strong, a password must be at least eight characters with numbers and symbols. A sixteen alpha-numeric character password is even better.
Stronger authentication tools are available. Two-factor authentication combines personal identification numbers (PINS) or passwords with tokens, smart cards or biometric devices. Passwords protect the computer from unwanted entry, and unwanted intrusion into files and folders. A strong password will also help deter a hacker from entering the company intranet and Alice’s computer. Email and instant messaging files to another user opens the door to ‘eavesdropping’. Password protecting all files that are transmitting, then sending the password to the receiver in a separate email or message is helpful in keeping data from being seen by eyes other than the intended.
Updates and Patches
Updating the computer operating systems and applications is an important step in data protection. Updates generally offer security fixes, critical system updates, and computer hardware driver updates. Critical updates should always be downloaded, but a user can choose to whether or not to download driver updates. Applications can usually be updated from within the program or if the program does not have update checks available, a user can register the product to opt to receive update notifications, and then manually download updates following instructions.
Patches are similar to updates in that they are downloadable, but patches generally fix bugs and can improve performance and security. Microsoft refers to patches as ‘service packs’. Both Alice and the company she works for should install security patches whenever they become available.
Unpatched and unupdated systems leave their owners wide open to exploits, attacks.
A backdoor is a way of bypassing security to access a system. Backdoors are sometimes intentionally created or installed by software programmers, but can also be created or exploited by hackers. As these backdoors are discovered, software developers release patches to seal them up. If a system is not kept up to date, then these hidden doorways will remain open to intruders.
Antivirus software is the backbone of computer security and one of the easiest precautions to implement. There are many antivirus programs available and it is beyond the scope of this report to perform a comparison. No matter what antivirus program is chosen, it is only deemed a security solution if it regularly updated. Stay Safe Online (staysafeonline.com) suggests that users “look for antivirus software that:
recognizes current viruses, as well as older ones
effectively reverses the damage
Viruses are most commonly spread through infected emails, but also are passed on removable disks. A virus is defined as “a self-contained program or code that attaches itself to an existing application in a manner that causes it to be executed when the application is run,” (Answers.com). Antivirus programs recognize and remove known viruses, Trojan horses, and worms. If the virus can’t be removed from the system, the antivirus program usually offers a ‘vault’ which will confine the virus until the user manually removes the virus. Manual removal instructions can usually be found on the antivirus program’s website or by searching the Internet.
Windows XP offers a built in firewall protection and it is recommended that Alice uses this component until she is able to get a better one. Windows XP firewall blocks incoming communications but not outbound. A good firewall needs to protect both, as well as block, if not hide ports that are unused. Ports are comparative to little doors that stay open to allow information to pass in and out of the system. Firewalls can hide these ports by keeping them from responding to port scanning or probes. A normal port responds to a scan with a reply,( think of a knock on the door to see if you are home) a blocked port sends a “I’m not open” reply to the sender, but a hidden port offers no response at all, so the sender has no idea it is there. If a hacker doesn’t ‘see’ the systems’ ports, then he doesn’t know the system is there and available for attack.
Some firewalls can also offer SPI, (Stateful Packet Inspection) which, according to Tweak Hound, (tweakhound.com, 2005) “knows which information to filter out” and which to allow. Information is broken into packets which travel separately all over the Internet, then come back together when they reach the receiver. SPI examines each packet and ensures it is valid.
Virtual Private Networks are best described as tunnels that would connect Alice’s computer directly through the tunnel to the server at her workplace. VPN’s are commonly used in companies that need to communicate in private over a public network. Alice’s computer would be authenticated by the company network or server before a tunneled connection would be established. VPN’s do not provide an the internet connection, what they do is use the already established internet connection, i.e. dial-up, broadband, wireless, and encrypt the information being sent back and forth between sender and receiver. VPN’s will allow Alice to either access any network resource she would have access to if she were to work at the company itself, or it will allow access to secured servers where the information Alice needs to work with is housed. The files residing on the server can be protected to by passwords or encryption, adding yet another level of security to the transaction. It would be up to the company Alice works for to install and maintain the VPN. Alice would have the VPN client software installed on her computer system, and would download updates and patches as she is notified of them. The company would also establish the passwords and encryption methods on the servers Alice would be accessing.
Though no computer system is absolutely safe from exploits, viruses, attacks and intrusions, informed computer users can proactively protect their systems and their data. Maintaining updates and patches, installing and updating antivirus programs, connecting to and/or installing firewalls, and securing pathways to company intranets are some of the most common ways users can prevent and detect unwanted intrusions and attacks.
Understanding that all computer systems, no matter how well protected are vulnerable to intrusions could prevent some users from developing and maintaining good protection policies. While this could be understandable given the issues that can arise after installing updates and patches, and the problems that can result from installing new hardware and software, exploitations, hackers, and intrusions are not going away. Predictions are that viruses are only going to get smarter, and damage worse. It behooves not only the company employee but also the home user to become familiar with security tactics and develop their own security protocols.
Information technologies are changing constantly. Users must adapt to the changes and stay informed of new technologies and dangers. In the case of Alice and the oil company, the company network managers could establish more secure means of internet transactions, and thus limit its dependence on Alice to establish security measures.
Alice needs to protect her computer, and the data on her computer, and by following the items in this report, she would be on her way to learning how to do just that.
List of References
Microsoft Support, 2004 “How to encrypt a file in Windows XP.” Retrieved 2006-11-04 from
Stay Safe Online.org, “Top 8 Cyber Security Practices” Retrieved 2006-11-05
Answers.com, “Computer Virus” Retrieved 2006-11-04 from
Tweakhound.com 09/30/2005 “Securing Windows XP” Retrieved 2006-11-05
CERT Coordination Center, “Home Network Security” Retrieved 2006-11-05 from http://www.cert.org./tech_tips/home_networks.html
Wikipedia, “Microsoft Update” Retrieved 2006-11-05 from
John Leyden, April 18,2003. Office workers give away passwords for a cheap pen. Retrieved 2006-11-05 from http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
Granger, Sarah, December 18, 2001 “Social Engineering Fundamentals, Part 1: Hacker Tactics” Retrieved 2006-11-04 from http://www.securityfocus.com/infocus/1527
An unethical or illegal attack that takes advantage of some vulnerability.
Also knows as trapdoors. A secret way of gaining access to a program or online service. Trapdoors are built into the software by the original programmer as a way of gaining special access to particular functions.
Software used to infect a computer. After the virus code is written, it is buried within an existing program. Once that program is executed, the virus code is activated and attaches copies of itself to other programs in the system. Infected programs copy the virus to other programs.
A program that appears legitimate, but performs some illicit activity when it is run. It may be used to locate password information or make the system more vulnerable to future entry or simply destroy programs or data on the hard disk. A Trojan is similar to a virus, except that it does not replicate itself. It stays in the computer doing its damage or allowing somebody from a remote site to take control of the computer.
A destructive program that replicates itself throughout disk and memory, using up the computer’s resources and eventually taking the system down.
Secretly gaining unauthorized access to confidential communications.
The management of admission to system and network resources. The first part of access control is authenticating the user, which proves the identity of the user or client machine attempting to log on. The second part is granting the authenticated user access to specific resources based on company policies and the permission level assigned to the user or user group.
The reversible transformation of data from the original to a difficult-to-interpret format as a mechanism for protecting its confidentiality, integrity and sometimes its authenticity.
A fix to a program.
A software program that detects and blocks computer viruses.
The primary method for keeping a computer secure from intruders. A firewall allows or blocks traffic into and out of a private network or the user’s computer.
A private network that is configured within a public network (a carrier’s network or the Internet) in order to take advantage of the economies of scale and management facilities of large networks.