Best Practices

While the field of information security can seem complex and intimidating to those unfamiliar with the space, there are several simple guidelines that users can follow to increase the security of their information while using computers and other devices. The list below, though not exhaustive, outlines some basic security best practices that the ISC Project has found effective for protecting user privacy.

  1. Apply software patches regularly

    Common software titles for which there are regular updates include Windows, Microsoft Office, antivirus and antimalware software, Firefox, Chrome, Adobe Reader, Flash Player, iTunes and QuickTime, Skype (and other IM clients), and Java. Note that pirated copies of software generally cannot obtain updates, thereby decreasing your information security.

  2. Use strong, licensed antivirus or Internet security suite software

    Examples of strong software include Symantec Endpoint Protection, Norton Antivirus, Norton Internet Security, Trend Micro Internet Security, Avira Internet Security, Kaspersky Internet Security, Computer Associates Antivirus, Immunet and ClamAV, F-Secure, and AVG Internet Security. Never install more than one antivirus or Internet security suite title, as they can interfere with each other’s effectiveness. However, you may install an antivirus product together with a separate antimalware tool.

  3. Avoid phishing and malware attacks

    Do not open attachments from within emails unless they have been scanned by your antivirus and antimalware software. Many antivirus products and Internet security suites already include an antimalware feature. However, if you are unsure whether your antivirus software includes antimalware, you may use separate antimalware software such as Spybot Search and Destroy. Never enter your password into a site accessed via an email link, as this could be a phishing site and your password could be recorded. Finally, never click on links sent to you from unknown Facebook, Twitter, or other social media sources. If you suspect that a URL is suspicious, you can use a service like VirusTotal to scan and verify it.

  4. Guard your computer from access by strangers

    Keep your computer password protected when unattended. Make sure a complex password is required to log in, and make sure a password is required to access the computer after 15 minutes of system inactivity.

  5. Back up your data at least once a week

    There are many different backup options available. Some commercial software can schedule backups to online services automatically. Alternatively, users can perform a scheduled or manual backup to removable media such as a large-capacity USB flash drive or an external hard drive. If there is a network in place, a backup can be done to a network file server.

  6. Use strong, complex passwords and passphrases

    Never use passwords or passphrases consisting of only a name. Use long passwords (at least 10 characters) and incorporate numbers and symbols. Do not use names of spouses, children, or pets. Also, do not use any sequential series of numbers or letters (like 12345 or ABCDE). Do not share your password with anyone, and do not write it down.

  7. Use password management tools

    Use a password management tool that helps you store all of your passwords securely. Password managers can generate strong passwords for you, and some of them will help you log in to websites automatically. In this case, you will only have to memorize one password. Many password management tools, such as KeePass and Password Safe, use strong encryption to secure their databases.
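    The password rules in items 6 and 7 above, turned into a checker and a generator as an added example (not code from the ISC Project): the checker flags the length, digit, symbol, sequential-run and name-based rules, and the generator uses the `secrets` module the way a password manager's generator does, retrying until the result passes the same checks. The list of forbidden names is a constructed stand-in for the spouse, child and pet names the page says to avoid.

```python
import secrets
import string

MIN_LENGTH = 10  # the page's "at least 10 characters"

# Constructed stand-in for the names the page says never to use
# (spouse, children, pets); a real deployment would load a longer list.
FORBIDDEN_NAMES = {"alice", "bob", "charlie", "rex", "fluffy"}


def has_sequential_run(pw: str, run_len: int = 4) -> bool:
    """True if pw contains run_len consecutive characters that step up
    or down by exactly one code point, e.g. '1234', 'abcd' or 'dcba'."""
    low = pw.lower()
    for i in range(len(low) - run_len + 1):
        window = low[i:i + run_len]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the rules from item 6 that pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 12345 or ABCDE")
    # Substring match so that 'Fluffy2019!' is still caught as name-based.
    if any(name in pw.lower() for name in FORBIDDEN_NAMES):
        problems.append("based on a name")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw a random password from a CSPRNG and retry until it passes check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("12345", "Fluffy2019!", generate_password()):
        print(candidate, "->", check_password(candidate) or "ok")
```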

  8. Secure your wireless access points

    Be sure your wireless access point is using WPA2 encryption. Avoid WEP, as it is very easy to crack. Change the default router username and password.

  9. Use encrypted instant messaging (IM) & VoIP communication

    Skype, Facebook chat, Google Talk, and Hangouts use encryption, but there are alternatives available to those who are interested in maximizing the security of their IM communication. It is recommended to use open source IM clients like Pidgin in tandem with the Off-the-Record (OTR) plugin, which can encrypt otherwise insecure IM communication.

  10. Use hard drive encryption and avoid leaving your computer in Sleep or Standby mode

    Encrypting your hard drive can give your data an extra layer of protection beyond that of a system password. You can use Microsoft BitLocker (bundled with Windows 7 Ultimate and 8 Professional versions) for hard drive encryption. Alternatively, TrueCrypt is an open source, free, and reliable option. If you must leave the computer unattended, always either shut it down or use the Hibernate mode. Using the Sleep or Standby mode could leave the computer vulnerable, because the encryption keys remain in memory while the machine sleeps and an attacker with physical access could still extract them and gain access to your data.

  11. Avoid pirated software

    Compared to licensed products, pirated software is more likely to have sophisticated malware built into it. In some environments, it is advisable to purchase computer software from outside the country, as local copies (even those legally purchased in some cases) may have malware built in.

  12. Never communicate sensitive information via phone

    In general, almost all phone conversations, both mobile and fixed line, are insecure. It is remarkably easy to eavesdrop on communications over the phone. Similarly, most SMS messages can easily be recorded and cached. Look for mobile applications that can encrypt SMS, such as TextSecure for Android.

  13. Secure your mobile phone

    Treat mobile phones like little computers. Apply the same security tips to your mobile as you do to your computers, including encryption, antivirus and antimalware software, and so on.

  14. Assume everything posted on online social networks is public

    Online social networks like Facebook, LinkedIn, and Twitter are intended to share information. Security policies of these sites can change without notice, and security breaches are relatively common. Avoid posting your personal information on these online services as much as possible and make sure to adjust your profile’s security settings.