What Are Information Security Best Practices?
by William G. Perry, Ph.D.
Copyright Paladin Information Assurance 2018


Introduction

The best practices associated with information security focus on maintaining the confidentiality, integrity and availability of your mission-critical information. You should be aware of how to deploy your digital resources in a safe manner.

The security of information is everyone’s job. Each person (individuals and employees) must be aware of his or her responsibility for security in day-to-day activities. People who use computers, laptops and smartphones must understand the importance of protecting digital assets.

Safe work procedures and activities need to be built around policies that promote security and spell out which activities should be carried out and which should be avoided.

To obtain a high level of awareness in an organization, security policies must be developed. Information security policies are based upon an understanding of vulnerabilities as well as risk. For example, an employee who works on the Internet most of the day exposes his or her system to external attacks.

Each person (an individual, employee or owner) must understand his or her role and responsibility and know how to safely use information technology. Securing information assets has become necessary to the survival of a business and a matter of national security.

Security best practices include the adoption of routine activities and follow-through on the part of each and every individual, including employees. Everyone should be concerned about digital security. It determines whether your private information is safe from unauthorized disclosure. Computers and networks with weak defenses can endanger your employer's survival as well as your personal finances and your family's personal safety.

Cyberattacks continue to expand rapidly, and so does their level of sophistication. Cyberspace is becoming more and more dangerous as the capability of the technology grows. You must take steps now to protect yourself, your family, your employer and your business. You can do so by proactively following what are known as "security best practices".

What are security best practices? The phrase refers to the procedures, processes and habits that you routinely follow to "harden" your computer. Let's examine a few.

1. Use robust passwords. Your password should consist of at least 11 characters and include one uppercase letter and one special character. Avoid using common or pop-culture words, birthdays of family and friends, the name of your pet, or other terms that could be easily discovered. A passphrase, for example, is safer than a single word.
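As an added illustration that is not part of the original article, the following Python checker enforces the rule stated above (11 characters, one uppercase letter, one special character) and also rejects the easy-to-guess terms the author warns against. The blocklist and the sample inputs are constructed for the example; a real deployment would load a much larger list.

```python
import re
from datetime import datetime

# Constructed blocklist standing in for "easy terms": common words,
# pop-culture words and pet names. Callers can pass extra terms
# (e.g. family names) via extra_terms.
EASY_TERMS = {"password", "letmein", "qwerty", "starwars", "fluffy", "rover"}
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
MIN_LENGTH = 11  # the article's minimum length


def contains_date(pw: str) -> bool:
    """Flag runs of 6-8 digits that parse as a calendar date (a birthday)."""
    for run in re.findall(r"\d{6,8}", pw):
        for fmt in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%y%m%d"):
            try:
                datetime.strptime(run, fmt)
                return True
            except ValueError:
                continue
    return False


def check_password(pw: str, extra_terms=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    # Normalise case first so "Fluffy2015!" still trips on "fluffy".
    lowered = pw.lower()
    for term in EASY_TERMS | {t.lower() for t in extra_terms}:
        if term and term in lowered:
            problems.append(f"contains easy term '{term}'")
            break
    if contains_date(pw):
        problems.append("contains a date")
    return problems


def is_passphrase(pw: str, min_words: int = 4) -> bool:
    """True when the password is made of several separate words, which the article prefers."""
    return len([w for w in re.split(r"[\s\-_.]+", pw) if w]) >= min_words
```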

2. Always lock your keyboard when it's unattended. Lock your computer or log out when you leave your workstation. Otherwise your machine could be accessible to anyone who is nearby. Make sure that your workspace is clear.

3. Avoid downloading apps, screen savers and software from unknown sources. Malicious hackers frequently embed malware in desirable products that are offered for free. Once a person downloads the software, it can hide in the computer system and wreak havoc. The computer may even become a "bot" and attack others.

4. Avoid opening email attachments from unknown senders. Malicious software can be contained in email attachments. It can be installed on your system and possibly even spread to your contacts.

5. Double-check requests for information that you receive from a company with whom you do business. Such a request could be a "phishing attack". Cyber criminals are skilled social engineers and can present a professional-looking screen that appears to be from a trusted source. Crackers have, for example, sent fake requests for information that imitate PayPal in order to gain personal information under false pretenses.

6. Avoid questionable websites that focus on gambling, porn or get-rich-quick schemes. Many of these sites will automatically scan your computer for known vulnerabilities and, once one is found, exploit it. Your system will be compromised.

7. Install an antivirus software package and use it. There are a number of excellent products on the market. Antivirus software looks for virus signatures and blocks the matching files. Make sure that the product is highly rated and updated frequently.

8. Change your wireless router's default password from the factory setting. Certain routers ship with a default password that is well known to hackers. Anyone who is within range of your broadcast signal can intercept it and access your network.

9. Avoid sharing storage media used on other computers (e.g. your spouse's or children's). Malicious software could be automatically copied onto your machine from a friend's or associate's USB drive, for example, without your knowledge.

10. Perform a "white hat hack" on your system. Such a procedure can identify vulnerabilities that exist. Gibson Research has an excellent and free program that has a "white hat" component.

11. Keep your software updated. Install recommended patches from the publisher. Consider automating the process. Malicious computer users are up-to-date on vulnerabilities and know what to attack.

12. Install and use a firewall. There are both hardware and software firewalls. You can block specific incoming and outgoing addresses when using a firewall.

13. Terminate your Internet connection when you have finished a session.  The Internet is one of the biggest attack venues. Disable your connection to the Internet and reduce the attack surface that nefarious hackers can use.

14. Disable any services or apps on your computer that you aren't using. A functional app, such as Flash, should be disabled if it is not being used. Services that are enabled but aren't being used unnecessarily increase the number of possible vulnerabilities.

15. Encrypt your critical information. A number of free or inexpensive encryption programs are published, such as PGP (Pretty Good Privacy). Encryption disguises information and makes it unreadable to anyone without the key.

16. Consider using multi-factor authentication to access your computing resources. A password is one factor of authentication (something you know). Consider using a token (something you possess). Use a fingerprint reader (something you are). There are other methods; one, for instance, randomly generates a second password for each log-in.

17. Be discreet when using social media. Cyber criminals prowl sites of this type for scraps of information that can be used in exploits against you. Companies should have policies and procedures related to the use of social media.

18. Provide awareness training for your employees, if you are the manager or owner of a business.

Business owners, managers and other leaders must visibly demonstrate a concern for information security. Employees and others follow the information security tone set by their leaders. A leader must therefore make a concerted effort to explain each person's responsibility for maintaining the confidentiality of digital assets.

19. Back up your critical data. Maintaining backups of your mission-critical information is necessary because it's only a question of "when" you are going to lose data rather than "if".

20. Comply with all relevant privacy laws and regulations. You must be aware of information security laws (e.g. Florida Statute 501.171, HIPAA, Safe Harbor, etc.). You, as well as your customers, could suffer real financial losses if you are out of compliance with any of a number of laws, rules and/or protocols. Computer owners and operators need to be aware of them.

21. Follow a multi-layered approach to information security (e.g. combination locks, photo IDs, etc.).

Use more than one technique or level of authentication for access to your information systems (e.g. photo IDs, multi-factor log-ins, etc.). Computer networks should also be physically or logically segmented.

22. Have a plan to destroy information (software, hardware, paper copies, etc.) when it has outlived its usefulness. All organizations and individuals need to have a plan to destroy confidential information. Doing so in a pre-determined manner is essential. There needs to be a policy that is approved by management and consistent with the law.

23. Conduct a threat analysis. We live in an asymmetric threat environment which includes threats from people, acts of God, software, hardware or any other circumstance that puts your information system at risk. A threat could originate from an employee, a vendor, the weather or an electrical surge.

24. Conduct a vulnerability analysis. Malicious crackers and cybercriminals constantly search for openings in computers and networks. Consequently, you need to make a major effort to find openings in your system that could be exploited and eliminate them. Make searching for weaknesses in your system an official policy.

25. Develop and implement an official information security plan. Educate your employees and/or family members. You need to have an information security plan that focuses upon providing for the confidentiality, integrity and availability of your information. You and others need a sense of direction and procedures for maintaining the security of your information. Having such a plan makes you consistent and proves that you have practiced due diligence.

Summary

The time has arrived for individuals and employers to become proactive about information security. The above list suggests a number of security best practices. The list is comprehensive, yet the author is sure more could be added. The most important point is to take action to assure the safety and reliability of your digital assets. They are at risk.