Community Security Trust


COMPUTER SECURITY ADVICE FOR COMMUNAL ORGANISATIONS



1. Introduction - Understanding the risks

All organisations using computers need to consider the security of information they keep. Data held on computers may be at risk of theft, loss or corruption by accident or through deliberate intervention.

Our Community has to take extra care over and above the usual precautions because we are at risk of a breach of data security by those who want to harm the Community. Such groups may target our data to disrupt communal activities or to collect information on Jewish individuals, organisations, buildings and events, with a view to hostile actions.

Because of the additional risks we face, Jewish organisations should use the many available computer security tools to their maximum capabilities. Below we detail some common computer security problems and give basic guidance about some of the available solutions.



2. Physical Security

Protecting computer hardware from being stolen or lost or accessed

Computer equipment continues to be highly vulnerable to theft. Some simple precautions will help to protect your computers. These include restriction of access to areas where computers are kept, burglar alarms, closed circuit television monitoring and property marking.

Measures specifically applicable to computers include:

  • Attach computers to permanent or heavy fixtures so they cannot be removed. It is possible to bolt computers or computer cabinets to floors, walls or heavy furniture.
  • Use computer safes and cabinets that stop computers from being removed easily but still allow the required access for usage and maintenance.
  • High quality security cables can be used to attach hardware to permanent fixtures or heavy furniture.
  • Install a removable hard disk (costs may be as little as 30). The hard disk can be removed when you close your office and locked away in a secure cabinet.


2.1 Control Access To Data

Consider all points of access to computer data and observe simple precautions to prevent data being accessed illegitimately. For instance remove or lock floppy drives and CD drives on computers where they are not needed. When setting up a computer network, make sure that all network access points are in secure areas.



2.2 Computers taken off-site/Repairs

If computer equipment must go off-site for service or repair then you should remove sensitive data before the computers are take away. Hard drives may be physically removed, or alternatively, data can be securely deleted (see 2.2 (a)).

(a) Secure Deletion/Overwriting/Wiping

In most operating systems (eg Windows, Apple Macintosh, Unix) normal deletion of files does not actually delete the data from the hard disk. Deletion merely removes some of the labelling indicating where the data is on the hard drives (addressing). Easy-to-use software that allows the restoration of the original files is widely available. Fortunately, software that overwrites all the data, making it much more difficult to retrieve, is also widely available. Examples of this software are the Wipefile function in Norton Utilities and the Wash command in XtreeGold.

Using a defragmentation program (eg Disk Defragmenter in Windows) also overwrites some data but often leaves old files easy to retrieve.

(b) Laptops, other portables and removable media

Staff and others using laptop and handheld computers (eg Palms and Psions) which carry sensitive data should keep these machines with them at all times or lock them away securely. Theft of laptops and handhelds from vehicles has become extremely common, so do not leave them unattended in vehicles. You should take similar care over removable media (eg backup tapes, CDs, floppy disks) containing sensitive data: do not leave them unattended and lock them away securely whenever possible. If removable media that contained sensitive data are being re-used, then their contents should be securely deleted/overwritten (see 2.2 (a) above).

A useful feature of many laptops is a removable hard disk. When travelling but not using your laptop, it is better to carry the hard drive on your person, separate from your laptop. Store your hard drive (or the whole laptop) in a secure cabinet when not travelling.

(c) Disposing of Computers and disks

Before you discard, sell or pass on your old computers, overwrite all sensitive data (see 2.2 (a)). Similarly if you dispose of any media on which you keep data - such as floppy disks, CDs, zip disks - overwrite them first. Alternatively, destroy them physically.




3. Electronic Security

Protecting confidential and personal information against being lost, divulged or interfered with by electronic means; this includes procedures for backup, access control, passwords etc.



3.1 Data Loss and Backups

Data stored on an organisation's computers is often critical to the operation of the organisation, even though computers are not totally reliable. You should regularly "back up" your data so that if your computer loses it you can replace it fully. Data is usually backed up on removable media (eg tape cartridges/DATs, zip drives, writeable CDs) for which you may need an additional drive.

Check regularly that you are backing up all the data that you need and test that you can actually restore it.

Keep a recent backup copy of your system in a secure place off-site so that if on-site backups are destroyed in an emergency you can still restore your data.

Many organisations back up their systems overnight. If you do this then protect sensitive information on the backup from being removed by keeping the computer containing the backup drive in a locked cabinet.



3.2 Viruses

Severe data loss can be caused by computer virus programs (destructive programs designed to disrupt computers). These can be transferred via floppy disks, CDs etc but more commonly through emails or downloaded files from the Internet. To combat this all computers should have up-to-date anti-virus software installed and running. This software may initially cost as little as about 20. Well known anti-virus software companies include Dr Solomon, McAfee, Sophos and Norton/Symantec but there are many others. If you really cannot afford to pay for anti-virus software, there are free programs available over the Internet but these may be less reliable and not updated as often. New viruses are constantly appearing so update your anti-virus software as frequently as possible. Many companies allow you to do this for free over the Internet.

Some viruses come as files attached to emails - and sometimes even the sender is unaware that they have passed on the virus. Some of these (known as Trojans) contain programs that can allow an outsider to access and take control of your computer or network over the Internet. To be absolutely sure that they do not receive viruses, some organisations refuse to accept files attached to emails. The golden rule is if you do not know the sender do not open the attachment. If you do know the sender but have even the slightest doubt then contact them by phone or email to confirm that they sent it.



3.3 Passwords

To protect sensitive information, you should use passwords wherever possible. You can usually set up passwords (in the BIOS) so that the computer cannot be started without the password. Passwords are also usually used to log in to networks. Individual files created in many common programs can be password protected. It is also possible to password a screensaver to reduce access to your computer if you are away from it and have left it running.

You should keep passwords secret. If possible do not write them down. If you feel you have to write down a password then keep the written version under lock and key, away from computers that it is used with. Do not write down what the password is for in the same place as the password itself. Wherever possible change your password regularly.

Despite these precautions, in case of emergencies, more than one person should be able to access each password used.

Although passwords undoubtedly make illegitimate access to sensitive data more difficult, serious hackers have many tools at their disposal to break passwords. The following precautions make a password more difficult to crack. Avoid using passwords that people will be able to work out easily. Ideally passwords should be random sequences of capitals, lower case letters and numbers. However, random passwords are difficult to remember. To avoid this difficulty, take an ordinary word (eg carpenter), deliberately spell it wrongly (karpenter), change some letters to capitals at random (kArpenteR) and also insert some numbers randomly (kA7rpen4teR). You could also use Hebrew or Yiddish words but again do not use ones that are easy for others to break. Passwords should also be as long as possible.


3.4 Networks

(a) Wherever possible, store all data on a network fileserver, running an operating system with built in security (eg Windows 2000 or Windows NT). Use cryptic passwords for all user logins.

(b) 'Permissions'

Control access to the different parts of your network. Restrict permission to users to access only those programs, directories and files that they need in order to be able to do their work.

(c) Laptops and other portables

You should also consider whether and how portable computers may be connected to your system. If, for instance, you allow users to connect laptops or palmtops to your network, how will you guarantee that they do not download viruses to your network and that they do not copy sensitive files from your network to the portable?




3.5 Internet

(a) A major computer security weakness for many organisations is their access to the Internet. It is possible for someone with advanced computing knowledge to access the information stored on your computer and networked computers when you are connected to the Internet. If you have a broadband Internet connection (eg ADSL, cable modem) then your vulnerability to such an attack is increased, particularly if your link to the Internet is maintained constantly or for extended periods of time.

The most effective way to protect your network from hackers is to isolate it from the Internet. If at all possible, try to allocate a single 'stand-alone' computer, not connected to a network, for all 'external' contact such as Internet, email and fax use. This should hold no sensitive information such as membership details and mailing lists.

If you really are unable to have a separate PC for Internet use, consider encrypting sensitive data on your machine (see 3.5(e)), and set up as many levels of password protection as possible for all your data and programs.


(b) Firewalls

It is crucial to implement Internet firewalls on both networks and stand-alone computers. This will help prevent attacks against computers while connected to the Internet. Hardware and software firewalls are available.

Hardware firewalls cost from about 500 up to thousands of pounds. They are connected between your computer and the Internet in order to stop information from your computer being transferred unwittingly to and from the Internet.

Software firewalls do a similar job and, for extra security, they should be used alongside hardware firewalls. On a computer network, Microsoft Internet Security and Acceleration Server (formerly known as Proxy Server) is a commonly used firewall. However, the advanced settings need to be implemented for Internet Security and Acceleration Server to be effective. For stand-alone computers, Zone Alarm is an excellent and easy to use product. For charitable and personal use, it can be downloaded for free from www.zonealarm.com.


(c) Webservers

Most organisations have their websites hosted by an external body. If, however, you host your own website internally, i.e. on your own webserver, make sure that this is totally unconnected to your main network. Experienced hackers may be able to access your network via a webserver on your network in as little as 20-30 minutes.


(d) Email/Downloading files

Beyond the considerations outlined above for use of the Internet, email across the Internet and downloading files provide further dangers to your data and computer systems. Follow the advice about viruses in 3.2 above. Remember, if you have any concern about an attachment to an email or a downloaded file, then do not open it. You may want to enforce a policy banning the receipt of email attachments and downloading files without approval by a nominated responsible person.


(e) Encryption

Furthermore, emails can be intercepted and read or even changed so they should not be used for sending sensitive information. You may even want to introduce a policy forbidding sending attachments. You can use an encryption program to protect email and the contents of your hard disk as well. Be sure to obtain encryption programs from a reliable distributor. A high-grade encryption program called pgp (Pretty Good Privacy) is available for free for non-commercial use from www.pgp.com.




4. The Human Element

The guidelines above outline some of the technical solutions to some important computer security problems. However, perhaps the most significant weakness in this field is the human element. Using technical tools and devising policies about computer security are important aspects of a computer security strategy. However, it is equally important to educate your computer users about the risks your computer systems face and to train them how to use the computer security tools you decide to employ. Once your policies, tools and training have been implemented, it is vital to monitor the behaviour of your users to ensure that security is maintained at a high level.




5. Further help/advice

This document is intended to provide basic guidelines only. The Community Security Trust is able to provide free expert consultancy and advice to Jewish Community Organisations requiring further information on computer security.



CST Tel: 020 8457 9999





Produced with assistance from Brijnet
Summer 2001

Return to CST Home Page

Return to Brijnet Home Page

Written by CST

Web design by Rafi Salasnik

©(content) CST & (web) Brijnet
2001