Name: IT security recommendations for users
Source: INFOSEC

Summary

The most important suggestions for better securing your computer are presented below. If these are implemented, cyber attackers will have a much harder time putting you and your data at risk.

The main points are summarized below:

  1. Backup: Regularly create a backup which you keep in a safe place. All current operating systems already have corresponding backup tools integrated free of charge.
  2. Secure passwords: These are the key to our digital identity. To be best protected against modern attacks, they should be at least 12 characters long and, above all, unique (a separate password for each service). With the help of passphrases, this is easy for everyone to implement.
  3. Virus protection: Every computer must be protected against known threats by an up-to-date virus scanner.
  4. System updates: Manufacturers regularly fix critical vulnerabilities in their software products. To ensure that a computer is protected, updates must be installed as soon as possible.
  5. Hard disk encryption: To prevent unauthorized data access, it is recommended to encrypt the hard disks of all end devices.
  6. Screen lock: To ensure that a computer is appropriately protected while you are away from it, an automatic screen lock should be set up.
  7. Office Macros: This automation feature is very often misused for the initial malware infection. That is why it is recommended to disable it from the very beginning.
  8. Conscious choice of a standard browser: The browser is our gateway to the endless expanses of the Internet. It is therefore all the more important that we explicitly choose secure software that is maintained by the respective manufacturer. Firefox, Google Chrome and Microsoft Edge are recommended.
  9. Show & recognize file extensions: Windows "recognizes" the different files by their file extension. The extension should be displayed in Windows Explorer and correctly interpreted.
  10. Separate admin user: The user's own account should not have administrative privileges. Instead, it is recommended to create a separate admin account.
  11. Pro-tip: Secure PowerShell: Windows integrates this very powerful scripting language, which is used in many attacks. It can be secured with Constrained Language Mode.


General

Whether it's online banking, Facebook, Instagram or e-mail: digitization is very present not only in our professional lives, but also in our private lives. In addition to the many opportunities that make our everyday lives easier, this also brings risks. We constantly hear about cyber attacks that affect companies, government institutions and private individuals. Experience shows that anyone can become the target of an attack by hackers. Nobody is "too unimportant"!

In addition to classic social engineering techniques, in which users are tricked into disclosing sensitive information, attackers also use technical tricks to place malware on the computers of their "customers". Using this malware, it is then possible to take all stored files (e.g. the latest evaluations of a research project or photos of the last vacation) as a digital hostage and demand a ransom for their release. Alternatively, the "conquered" computer can be used to distribute illegal content, or the malware can manipulate the next online order and steal sensitive account or credit card data.

To prevent such scenarios, we provide you with security recommendations that help to better protect a computer from malware and technical attacks. Take the time to secure your computer in the office, but also your private computer, to avoid becoming a victim yourself.

1. Backup

Emergency preparedness and prevention is already the norm in many areas. For example, well-placed and regularly maintained fire extinguishers are part of the basic equipment of every public building. There are regular evacuation drills, fire alarms are tested for functionality, and every department must nominate a fire safety officer who has the appropriate training. And, of course, there is the fire department as a "backup" that does everything it can to prevent the worst from happening. A state of 100% safety is not possible, but it is possible to prepare for the worst case scenario in order to be able to keep a cool head and save the most important things in case of an emergency. This awareness of possible risks and dangers and their prevention must also find its way into everyday digital life.

The first and most important step is to create regular backups (= backup copies).

This involves copying the most important data to an external storage medium, such as a USB stick. The USB stick must then be stored in a safe place. It is important that the respective backup does not remain plugged into the computer, because if a cyber attack occurs, the backup copy will also be affected. Mechanical damage to the external storage medium can also be prevented by keeping it physically separate.

Today, no expensive software is required for the automatic creation of a backup - a USB stick or an external hard drive with sufficient free storage space is enough. On Apple devices, the integrated solution "Time Machine" can be used for the actual backup[1].

For Windows users, there is also an integrated backup solution, the so-called "file version history" (from Windows 10). This feature can be used to back up your files to an external hard drive or to a network drive (in the company).

Windows backup configuration:

1. Open the Windows Start menu and search for the term "File History" via the search window.

Fig. 1: Windows backup settings

2. Plug in your external backup media or connect the network drive on which the backup is to be created.

3. The next step is to activate the backup medium as such. To do this, select the previously plugged-in drive in the "Backup" window. From this point on, a backup is created automatically as soon as the backup medium is available (i.e. plugged in). Since the first run takes a long time, it is recommended to leave the computer switched on overnight, for example.

Fig. 2: Activate backup

4. In the default configuration, all files from your own user directory (e.g. the desktop or documents) are backed up. If you have stored important content in other folders, it is recommended to include them in the backup as well. Using the "More options" (see screenshot above), any other directories can be included in the backup.


Fig. 3: Backup options

It is important that you perform a backup operation regularly. You can always check the current status yourself using the File Version History application. Do not forget to unplug the backup media after successful completion of the operation and store it in a safe place![2]

Windows periodically reminds you to perform a backup.

2. Secure passwords

When leaving one's own house or apartment, it is natural to lock it so that strangers are prevented from accessing it. Online, we use passwords instead of keys. These passwords (like our key ring) must be protected against misuse.

Indirect password theft is a particular risk. If, for example, an online provider with whom we have a user account is hacked, this can lead to our password being published on the Internet. If we use this password for other services, criminals can access those as well. Therefore, on the one hand, secure passwords must be used by default, and on the other hand, a separate one must be used for each service. But: How are we supposed to remember all that?

The solution to this is the use of so-called "passphrases". This involves using easy-to-remember phrases to create a complex and correspondingly long (at least 12 characters long) password that is as easy to remember as possible. Here is an example:

The sentence should be simple:

I always have such a hard time remembering passwords.

So that not all services receive the same password, for example, the name of the respective provider can be built into the sentence:

I always have such a hard time remembering passwords, except for Amazon!

The first letters of each word make a secure password:

Iahsahtrp,efA!


Anyone can check for themselves via the website https://haveibeenpwned.com/ whether he or she has already been affected by indirect password theft. Modern password managers, such as 1Password (https://1password.com/tour/), have an automatic password quality check and a comparison with publicly known data leaks. This is a good reason to use a password manager.

3. Virus protection

Viruses are annoying in all respects!

Computers are exposed to digital threats via the Internet 24 hours a day, 365 days a year. More than 500 million different malware variants are now known and they are multiplying rapidly. A modern virus scanner is essential to protect your computer from unwelcome contemporaries such as Cryptolocker, Trojans, Coinminer or Keylogger.

Windows Defender has been integrated directly into the operating system since Windows 10. This has also been further developed into a recommendable security program. Regardless of which security solution you use, you can monitor the status via the integrated "Windows Security" application. Ideally, your computer is as well protected as the one shown here:


Fig. 4: Windows security at a glance

Virus scanners offer good basic protection, but of course they cannot stop every threat! Ultimately, you always decide whether to open an attachment or download a file. A natural distrust is also appropriate in the digital environment. No one will give you the latest iPhone for free, offline or online!

macOS also has an integrated security solution with "Gatekeeper"[3]. Although this is not a full-fledged virus scanner, it can still be used to fend off most threats that are harmful to macOS.

4. System updates

In order for end users to use a program, a software developer must first teach the computer the expected functionality. This is a process known as "programming". Current operating systems, such as Windows 10, build on 50 - 60 million lines of program code in the background. Logically, this is not completely error-free - this is almost impossible due to the quantity and complexity alone.

Some of the errors contained therein are security-relevant problems. An attacker could, for example, use them to take control of a third-party computer. Accordingly, it is important to install all updates provided by the respective software manufacturer promptly. This will fix any new security problems that become known. Under Windows 10, the current update status can be checked via the "Check for updates" application. In the best case, your computer is up to date, which means that all known security holes have been fixed. If you are missing updates, it is recommended that you install them as soon as possible.

Fig. 5: Windows system update

The "Advanced options" button should also be used to ensure that all updates provided by Microsoft are installed and corresponding notifications are displayed.

Fig. 6: Advanced options

5. Hard disk encryption

Imagine: You finally arrive at your destination airport by plane and are waiting for your luggage. In less than an hour you have an important meeting, but your company laptop is nowhere to be found. A super disaster for you, but also for the company! Because since the introduction of the General Data Protection Regulation (GDPR) at the latest, all personal data enjoys additional protection.

That's why all end devices should be protected against unauthorized data access with hard disk encryption. Once a PC, laptop or smartphone has been encrypted, the information stored on it can only be accessed again if the correct passwords are known.

Newer smartphones (iOS and Android) are encrypted from the outset. Apple-branded computers are also already encrypted by default with a technology called FileVault. Therefore, no additional security measures are required here.

To protect the built-in hard drive of Windows 10 computers (except for the Windows 10 Home version) from unauthorized access, the so-called "BitLocker technology" can be used, which is integrated in Windows 10.

To do this, enter the term "BitLocker" in the search field at the bottom left. This will take you to the "BitLocker Management". There you click on "Activate BitLocker". This encrypts your hard drive and any information is now stored on the device in an appropriately secured manner. Thieves can no longer access the files - provided you use a secure password for your computer.

The following screenshot shows the optimal configuration: BitLocker is active for the operating system drive:

Fig. 7: Windows search

Fig. 8: BitLocker Drive Encryption

6. Screen lock

You are working on a grant application for an EU project and calculating the expected wage costs for the project staff when your cell phone rings. In order not to disturb your colleagues in the office, you get up "just for a moment" and go to the meeting room to make a call. Since the colleague on the phone has more to say about the last conference than expected, the call lasts half an hour. You then return to your seat.

To prevent unauthorized persons from viewing or accessing the data you are working on, the screen must be locked every time (!) you leave your workplace (even in your home office). This applies even if you are alone in the office and lock the door, as there are people, such as cleaning staff, who could theoretically enter your office at any time.

If you search for "Screen saver" in the search box at the bottom left of the screen, you will get the option "Change screen saver". When you click on this option, the "Screen saver settings" window appears. Here, tick the checkbox "Login page on reactivation" and configure the "Wait time", i.e. the period of inactivity after which the computer is locked (recommendation: 5 - 10 minutes). To unlock the computer, it is then necessary to enter the password.

Fig. 9: Windows search

Fig. 10: Screen saver setting

7. Office macros

Microsoft Office has always offered very extensive automation functions. However, this functionality, known as "Office macro", is now very often misused for the initial infection with malware. Users are tricked into agreeing to the macro execution by clicking on "Activate content".

Fig. 11: Macros "Activate content"

If the user can actually be tricked into this "wrong click", malware is loaded in the background and the attacker gains control over the affected PC or, in the worst case, over the entire network in which the user is located. Therefore, it is crucial to only agree to macro execution for truly trustworthy documents.

If you generally do not need the extensive automation functions, it is recommended that you deactivate them from the outset and only activate them when they are actually needed. To do this, the following option must be activated in Microsoft Word and Excel via the Trust Center (in the "File" tab on "Options" → Trust Center → Settings for the Trust Center) in the Macro Settings area:

Fig. 12: Disable macros

Attention: even if you use macros, never select the "Enable all macros" option. Otherwise, even opening an Office file can be enough to infect the computer.

8. Deliberate choice of a default browser

When we "get on the Internet," we use a web browser. This displays publicly provided content and allows us to interact with it. It is important to make sure that we use a secure web browser. Otherwise, it is relatively easy for hackers to install malware on a computer, monitor us and steal sensitive data (such as credit card information).

The following browsers are recommended:

  • Microsoft Edge: A browser recently released by Microsoft. This has been integrated into the operating system since Windows 10.
  • Mozilla Firefox: A particularly customizable web browser with many options. It can be downloaded for free at the following URL: https://www.mozilla.org/en-GB/firefox/
  • Google Chrome: A browser provided by Google with a focus on speed: https://www.google.com/intl/en_uk/chrome/

All modern browsers offer the possibility to automatically block advertising on the Internet. For this purpose, the "uBlock" extension can be used, for example. This extension can be activated by opening the link below in the browsers listed above.

9. Show & detect file extensions

Every day we work with a large number of different documents. When a file is opened by double-clicking on it, modern operating systems use the file extension (everything after the last dot) to decide which program is suitable for displaying it.

Unfortunately, there are also some document types that can be classified as dangerous, such as .vbs (Visual Basic Script), .js (JavaScript) and .hta (HTML Application). Double-clicking on them can lead to the infection of your own computer. In order to detect them correctly and then delete them directly, it is important to show the file name extensions. As shown in the following screenshot, the "File name extensions" checkbox in the "View" tab of Windows Explorer must be activated.

Fig. 13: Enable file name extension

Since there are a large number of potentially dangerous file types, it is not possible to list them all. It is simpler and also safer to list the data types that can be classified as harmless. The following table lists the most frequently encountered file extensions that can be opened without hesitation:

File extension             Description
.doc                       Word file (Attention with macros)
.docx                      New Word file
.xls                       Excel file (Attention with macros)
.xlsx                      New Excel file
.ppt                       PowerPoint file
.pptx                      New PowerPoint file
.pdf                       Portable Document Format (PDF) file
.jpg, .jpeg, .png, .gif    Common image files
.zip                       Archive file
.txt                       Plain text file


If you receive an unknown file, it is recommended to check with your IT (before opening it).
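
The allowlist approach from this section, as an added example that is not part of the original page: it classifies file names by the extension after the last dot using the page's lists, and flags names whose real extension would sit behind a harmless-looking one while extensions are hidden. The function names, verdict labels and sample file names are constructed for illustration, and it assumes the real extension is a registered file type, since Explorer only hides those.

```python
"""Added example: classify file names with the page's extension lists."""

# Extensions the page's table lists as safe to open.
HARMLESS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
            ".jpg", ".jpeg", ".png", ".gif", ".zip", ".txt"}
# Old Office formats the table marks with a macro caveat.
MACRO_CAUTION = {".doc", ".xls"}
# Types the page names as dangerous to double-click.
DANGEROUS = {".vbs", ".js", ".hta"}


def _clean(name):
    # Windows drops trailing dots and spaces from file names, so
    # "notes.txt." and "notes.txt" are the same file.
    return name.rstrip(". ")


def real_extension(name):
    """Everything from the last dot on, lowercased; '' if there is no dot."""
    _, dot, last = _clean(name).rpartition(".")
    return "." + last.lower() if dot else ""


def shown_when_hidden(name):
    """Name as displayed while extensions are hidden.

    Assumption: the real extension is a registered file type, because
    Explorer only hides extensions of known types.
    """
    cleaned = _clean(name)
    ext = real_extension(name)
    return cleaned[:len(cleaned) - len(ext)] if ext else cleaned


def classify(name):
    """Return (verdict, disguised) following the page's advice."""
    ext = real_extension(name)
    if ext in DANGEROUS:
        verdict = "delete"            # page: detect and delete directly
    elif ext in MACRO_CAUTION:
        verdict = "open-macros-off"   # harmless only without macros
    elif ext in HARMLESS:
        verdict = "open"
    else:
        verdict = "ask-it"            # unknown type: check with IT first
    # Disguise: the hidden-extension view ends in a harmless extension
    # while the real extension is not on the harmless list.
    inner = real_extension(shown_when_hidden(name))
    disguised = ext not in HARMLESS and inner in HARMLESS
    return verdict, disguised


# Constructed sample names, not taken from the page.
SAMPLES = ["report.docx", "Invoice.PDF", "budget.xls", "holiday.jpg.hta",
           "scan.pdf.js ", "notes.txt.", "setup.exe", "README"]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, disguised = classify(sample)
        note = ""
        if disguised:
            note = "  <- shows as %r when hidden" % shown_when_hidden(sample)
        print("%-18r %-16s%s" % (sample, verdict, note))
```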

10. Separate admin users

Historically, many users at TU Wien work with administrative privileges. The reason for this is that this is the only way to execute updates, install new programs or change system-relevant configurations. However, this approach becomes problematic as soon as malware is executed on the computer. This is because it can now access all data and thus also delete other users' files or spread across the network. In the worst case, entire groups of computers could fail.

Therefore, it is recommended to never work with administrative privileges, but to use a separate admin user instead.

The first step is to check whether the current "user" has administrative privileges. This can be easily determined via a Windows search for the keyword "Your account information". The user shown below has administrative privileges and should therefore be secured:

Fig. 14: Retrieve account information

Since the exact process involves several steps, we refer here to the video "Creating a local user or administrator account in Windows 10" provided by Microsoft. This explains the necessary configuration changes in detail: https://support.microsoft.com/en-us/windows/create-a-local-user-or-administrator-account-in-windows-10-20de74e0-ac7f-3502-a866-32915af2a34d

If you have any questions, you can also contact your IT administrator. They can assist you with the configuration and answer any questions you may have.


[1] Configuration instructions can be found at: https://support.apple.com/en-gb/HT201250 (last accessed 01/19/2021).

[2] For more instructions on how to use the "File version history", as well as how to restore files, see:
https://support.microsoft.com/en-us/windows/file-history-in-windows-5de0e203-ebae-05ab-db85-d5aa0a199255 (last accessed 01/19/2021).

[3] See: https://support.apple.com/en-gb/HT202491 (last accessed 01/19/2021).



6 Comments

  1. Gregor Hartweger please add:

    1. Install a firewall on the laptop. Which one?
    2. Enable WPA2 encryption on your own WLAN router
    3. Do not allow unknown persons access to your own WLAN router.

    Although points 2 and 3 actually belong to the home office tips. How do you see that?

  2. Re 1) The firewall is integrated into Windows Defender and should be enabled by default. Nowadays all of this falls under endpoint security! Sophos, which is offered as campus software, can only be used on PCs; it is good there, but I am evaluating a few variants that can be used universally (all platforms and mobile devices).
    2, 3) Yes, that would be home office, but it fits with data security. Perhaps we should cross-link it, or did the VR mean it differently?

    The IT security recommendations are aimed precisely at the hardware in use, which either constitutes infrastructure or accesses it. The devices (which you describe in the mail) are therefore actually also meant, though described differently. The WLAN routers are a necessary piece of hardware in between, which could possibly also be counted among the devices.

  3. Regarding hard disk encryption: Of course the "BitLocker technology" is also available in Windows 10 Home, but there it has to be activated via the command line and cannot be activated via the GUI. After activation it is then also visible in the GUI.

    1. Yes, that's true, but we quite deliberately did not want to have to call a command line, because that could also be a source of errors for pure end users. We could perhaps add that to the recommendations for administrators?

      1. You're right about that, though. You have to know what you're doing there. That can go badly wrong.

        1. You mean "manage-bde -on C:", right?
          I would have inserted that under item 5, Hard disk encryption, in the "IT Security Recommendations for Administrators".
          Would you like to add it there?