The 50 Ways Series
50 Ways to Protect Your Information Assets When Cruising the Internet
CyberCops are particularly vulnerable to exploitation
when they are doing investigations on the Internet. To help them, and
others who want to be safer when cruising the Internet, Fred Cohen and
CyberCop.org (Kevin Manson) provide this list of the 50 ways to protect
your information assets when cruising the Internet.
System configuration must be done properly in order to
have a modicum of security. Here are some configuration issues you
- 1. Use removable media on Internet-connected computers. With
removable media, you can put in the Internet disk when you are using the
Internet, and replace it with the 'secure' media when doing your
investigative work. It means that the bad actors can't get to your
confidential information when you're on the net and your critical
information can't get messed up by a virus or Trojan horse coming in
from off the Internet.
- 2. Turn off "sharing" on NT and Windows boxes. Sharing of files
lets Internet users access your disk from anywhere in the world. With
sharing turned off, they have to break in to get at your system.
- 3. … help you make pretty pictures, but they also allow the bad actors of the
Internet to enter your system and do with it what they will.
- 4. Use properly configured software to assist in detecting viruses
and malicious code. If your virus scanner can handle it, have it check
for macro viruses in real-time.
- 5. Keep a clean and current copy of system start-up and restore
software handy. This way you can recreate a working system in a flash
and avoid long downtime when you do things like upgrading explorer versions
over the Web and finding out that your system is locked up.
- 6. Backup, backup, backup. Yes - keep three copies of the backups just
- 7. Keep your software up to date with security-related changes.
For example, without the latest version of your browser or email
program, you may find that when you go to read email - even before you
open up any of the messages, your system has been taken over by a remote
- 8. Turn off unnecessary Internet service ports. In general, if
you don't know why your system uses a service, you should not have that
service turned on. Every service is a potential vulnerability.
- 9. Use a scanning tool to test which ports are turned on. Never
trust the menu-based configuration tool to tell you this sort of
information because many of these tools have errors, some of which have
opened systems up to remote exploitation even though the user 'did the
- 10. If it's really important to document, print it out. Remember
that paper trails are a lot easier to use and authenticate in court than
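Items 8 and 9 say to trust the socket state of the machine, not a menu. The following is an added example (not part of the original article) that parses `ss -ltn`-style output and reports every listener that is not on an allowlist of services you actually intend to run, flagging the ones bound to all interfaces first. The sample output and the single allowed service (ssh) are constructed assumptions for the demo; on a live host you would feed the real command output to `parse_listeners()`, and a scan from a second machine remains the final check.

```python
"""Audit which ports are actually listening, compared with what you intend.
Added example (not from the original article). The `ss -ltn` output below
is constructed for the demo; on a live host you would run the command and
feed its output to parse_listeners()."""
import re

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       50      0.0.0.0:139         0.0.0.0:*
LISTEN  0       50      [::]:445            [::]:*
"""

# The only service this investigation workstation is meant to offer
# (assumption for the example). Anything else listening is a finding.
ALLOWED_PORTS = {22: "ssh"}

_LISTEN_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.MULTILINE)


def parse_listeners(ss_output: str) -> set:
    """Return {(local_address, port)} for every socket in LISTEN state."""
    return {(m.group(1), int(m.group(2))) for m in _LISTEN_LINE.finditer(ss_output)}


def audit_listeners(listeners: set, allowed: dict = ALLOWED_PORTS) -> list:
    """List listeners not on the allowlist, flagging network-reachable ones.

    A loopback-only listener is still unneeded software, but one bound to
    0.0.0.0 or [::] is reachable from the Internet and needs attention first.
    """
    findings = []
    for addr, port in sorted(listeners, key=lambda t: t[1]):
        if port in allowed:
            continue
        local_only = addr in ("127.0.0.1", "[::1]")
        findings.append({"port": port, "address": addr,
                         "exposure": "local-only" if local_only else "network"})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"port {f['port']:<5} on {f['address']:<12} {f['exposure']}")
```

Run against the constructed sample it reports 80, 139 and 445 as network-exposed and 631 as local-only; every one of them is a service the owner did not knowingly turn on, which is exactly the situation item 8 warns about.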
Passwords have been a security issue for a long time,
and most people still don't know how to use them safely. You need to
know how to create and use passwords that are properly crafted to the
- 11. If you have anything important on a remote site, use unique
passwords for each online service and site. Otherwise, someone breaking
into or watching one service could use your password in other services.
- 12. If you are going to use the same password for multiple sites,
make sure they are not important sites. For example, whenever I get a
password for a remote site that is not important, I try for user ID
guest, password guest. This may weaken their security, but if they
allow it, their security is already very weak, and it is easy for me to
remember and doesn't give anything away about me or the kinds of
passwords I use for important systems.
- 13. If you are accessing remote services on the Internet, remember
the passwords can be easily sniffed. Try to avoid using passwords for
- 14. NEVER use a password over the Internet that's the same
password you use on your local systems. That might allow someone from
the Internet to break into your system.
- 15. Try to get and use one-time authentications of some sort.
These are relatively inexpensive (Deception Toolkit at all.net has one
for free) and very effective.
- 16. When possible, augment passwords with some other form of
authentication. For example, use TCP wrappers or some other similar
tool to limit the remote IP addresses that can access a critical system,
or use a separate channel to enable remote login.
- 17. When you have to change your password, don't do it over the
Internet. It is easily sniffed. If at all possible, do it from the
computer with the password on it.
- 18. Changing your password regularly is not prudent for all
systems or situations. Consider the real benefit and harm associated
with this activity before doing it haphazardly. Look at this article for more details.
- 19. Some passwords are harder to guess than others. Use the
harder to guess ones. Examples of easily guessed passwords include (1)
your name, user ID, or other available information associated with you,
(2) any word or pair of words in any language, (3) QWERTY or similar
keyboard patterns (but not all keyboard patterns are easy to guess), (4)
passwords of less than 7 keystrokes, (5) passwords with only numbers,
only letters, or the same character repeated.
- 20. Don't let other folks use your user ID and password and don't
tell anyone your user ID and password. This lets them fake being you
and you are likely to be the one who gets in trouble if they do
something wrong. No legitimate person responsible for security or
systems maintenance needs to know your password, and there are almost no
exceptions to this rule. (Check your organization's policies in this
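Item 19 lists five categories of easily guessed passwords. As an added example (not from the original article), the checker below turns those five categories into code so a candidate password can be screened before it is used; the word list and the sample user details are constructed stand-ins, and a real deployment would use a full dictionary.

```python
"""Check a candidate password against the easy-to-guess categories listed
in item 19. Added example (not from the original article); the word list
and the sample user details are constructed stand-ins."""
import re

# Constructed stand-in for a real dictionary; use a full word list in practice.
WORDLIST = {"password", "secret", "welcome", "dragon", "summer",
            "monkey", "letmein", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_KEYSTROKES = 7


def _is_keyboard_run(p: str, run: int = 4) -> bool:
    """True if p contains `run` adjacent keys from one row, in either direction."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in p for i in range(len(seq) - run + 1)):
                return True
    return False


def _is_word_or_word_pair(core: str, words) -> bool:
    """True if the letters of the password form one word or two words joined."""
    if core in words:
        return True
    return any(core[:i] in words and core[i:] in words for i in range(1, len(core)))


def weak_password_reasons(password: str, user_info=(), words=WORDLIST) -> list:
    """Return the item-19 reasons a password is easy to guess ([] if none found).

    user_info: strings associated with the user (login name, first and last
    name, and so on); pass the parts separately so each is checked on its own.
    """
    low = password.lower()
    core = re.sub(r"[^a-z]", "", low)      # letters only, for the word check
    reasons = []
    if any(info and info.lower() in low for info in user_info):
        reasons.append("contains the user's name, ID or other known information")
    if _is_word_or_word_pair(core, words):
        reasons.append("is a word or pair of words")
    if _is_keyboard_run(low):
        reasons.append("follows a keyboard pattern")
    if len(password) < MIN_KEYSTROKES:
        reasons.append(f"shorter than {MIN_KEYSTROKES} keystrokes")
    if password.isdigit():
        reasons.append("only numbers")
    elif password.isalpha():
        reasons.append("only letters")
    if len(set(password)) == 1:
        reasons.append("same character repeated")
    return reasons


if __name__ == "__main__":
    for candidate in ("qwerty12", "Summer2024", "monkeydragon", "1111", "Tr0ub4dor&3x"):
        print(candidate, "->", weak_password_reasons(candidate, user_info=("jsmith", "john", "smith")) or "no obvious weakness")
```

The word check strips digits and punctuation first, so "Summer2024" is still caught as a dictionary word with decoration; the keyboard check looks for four adjacent keys in either direction on one row. A password that passes all five checks is not proven strong, only free of the weaknesses the article names.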
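Items 13, 15 and 17 all come down to the same risk: a reusable password sent over the Internet can be sniffed and replayed. The one-time authentication item 15 recommends can be built from nothing more than a hash function. Below is an added example (not the Deception Toolkit's code, and not from the original article) of an S/KEY-style hash chain: the client keeps a secret seed, the server holds only the latest accepted chain value, and each login reveals the previous link, which is useless to anyone who captured it. The seed in the demo is a constructed value.

```python
"""S/KEY-style one-time authentication with a hash chain. Added example,
not the Deception Toolkit's code; the demo seed below is constructed."""
import hashlib
import hmac
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def new_secret() -> bytes:
    """Client-side seed; it never leaves the user's machine."""
    return os.urandom(32)


def make_chain(secret: bytes, n: int) -> list:
    """Client side: chain[i] == h^i(secret). The server is given chain[n]
    once (out of band); logins then present chain[n-1], chain[n-2], ..."""
    chain = [secret]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class HashChainVerifier:
    """Server side. Stores only the last accepted value, never the secret,
    so a compromised server or a sniffed login yields nothing reusable."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def verify(self, candidate: bytes) -> bool:
        # A candidate is valid only if hashing it once gives the value we
        # hold; once accepted it becomes the new anchor and is spent.
        if hmac.compare_digest(_h(candidate), self.current):
            self.current = candidate
            return True
        return False


def demo_hash_chain() -> list:
    """Two logins, then a replay and an out-of-order value; returns the results."""
    secret = b"constructed-demo-seed-not-for-real-use"   # use new_secret() in practice
    chain = make_chain(secret, 5)
    server = HashChainVerifier(chain[5])
    return [
        server.verify(chain[4]),   # first login: accepted
        server.verify(chain[3]),   # second login: accepted
        server.verify(chain[4]),   # replay of a sniffed value: rejected
        server.verify(chain[1]),   # skipping ahead: rejected
    ]


if __name__ == "__main__":
    print(demo_hash_chain())
```

Once the chain is used up the client generates a new seed and the server is re-anchored out of band, which is the moment item 17 is about: that re-anchoring should not travel over the same untrusted network the logins do.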
Don't trust remotely obtained software. It can
contain Trojan Horses that are potentially devastating in their effect.
Examples of how this has been exploited in the past include but are by
no means limited to (1) causing your system to dial out to a 900 number
for Internet service, (2) stealing your online information, (3)
corrupting or destroying information on your system, (4) turning the
computer into a jumping off point to attack other systems, and (5)
placing a Trojan horse in your system to permit remote reentry and
exploitation at a later date.
- 21. Turn off "autoinstall" features on browsers. Autoinstall
allows remote Web sites to automatically change what your system does by
installing their software.
- 22. Become familiar with the "processes" that are authorized to run on
your machine and how to check on them. Check them periodically and whenever
you suspect or observe abnormal system behavior.
- 23. More virus spread occurs today as a result of email
attachments than anything else. Be careful how you use email
attachments and who you accept them from. When I don't know and trust
the person sending me an email attachment, I either ask them to send it
in plain text format and not as an attachment, ask them to FAX it to me,
or copy it off of my system onto a non-networked system and read it
- 24. Don't use Word attachments without Word configured to disable
all macros before execution. Otherwise, you can easily be attacked by
- 25. Don't trust Excel spreadsheets. They not only give wrong
answers, but they can contain "CALL" macros to attack your system and
there is no mechanism to detect or prevent this available today.
- 26. Don't trust any program - whether it comes in source or in
executable format - without seriously considering the potential
implications of its installation and use. Many programs innocently do
things that weaken your security, and in lots of cases they allow remote
exploits against your system.
- 27. Just because it isn't called a program doesn't mean it isn't a
program. Most information you get is just plain 'data', but some of it
is not, and it is hard to tell the difference unless you are a real
expert. But you can't stop using computers just because you don't trust
them because they are required in order to get the work done. Just
understand that you can get hurt and prepare to suffer the consequences.
Keep up to date on the information security issues
that might affect your system:
- 28. Subscribe to computer security lists such as NT Bugtraq,
NTSecurity Digest, etc. Read about the newest attacks and update your
system to mitigate them.
- 29. Keep your system up to date with the newest security patches
for the software you use to cruise the Internet.
- 30. Realize that computer security requires a systematic, not a
piecemeal, strategy to be effective. 50 ways are only the beginning.
- 31. Think like an attacker: how would you attack yourself? You
might read some of the hacker FAQs or try an automated attack and
defense game to get a sense for what people might try to do to you and
how. You might want to see how attackers think by exploring one of the
games on the all.net web site.
- 32. Don't forget other communications channels that may be vulnerable,
such as voicemail.
- 33. Ask others who are competent to review or audit your security
- 34. Don't forget that critical data may be far more resilient to
degradation or corruption when placed on paper than on magnetic or
Use available security technology to your advantage:
- 35. Become familiar with methods of anonymizing your online
sessions - such as Onion routing, ZKS, anonymizer, and "mixmaster" type
anonymous remailers. Remember that the bad guys use them (and may run
them) too, and don't trust them alone for anything important.
- 36. Begin to routinely encrypt any important communications and
encourage (and assist) others in doing so.
- 37. Whenever you encrypt, always view the encrypted file before
sending it. Encryption systems sometimes don't do what they say they do.
- 38. Generate a public/private key pair and let others know how they may
- 39. Digitally sign e-mail where authenticated identity or unmodified
content is important.
- 40. Digitally sign important files and documents that you believe others
may wish to rely on for their integrity and authenticity.
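Item 37 tells you to look at the encrypted file before you send it. The following is an added example (not from the original article) that automates that look: it refuses output that is identical to the plaintext, that still contains fragments of the plaintext, or whose byte entropy is too low to be ciphertext. The case note and the toy keystream cipher standing in for a real encryption tool are constructed assumptions for the demo, and the "wrap-only" function simulates a misconfigured tool that adds an armor header but never encrypts.

```python
"""Check that an 'encrypted' file really is encrypted before sending it.
Added example (not from the original article). The plaintext and the toy
keystream cipher are constructed stand-ins for your real data and tool."""
import hashlib
import math
from collections import Counter

# Constructed sample of the sort of note an investigator might encrypt.
SAMPLE_PLAINTEXT = (b"Constructed case note: subject observed at the "
                    b"warehouse at 21:40 with two associates. ") * 25

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; binary ciphertext scores close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encryption_sanity_check(plaintext: bytes, output: bytes,
                            window: int = 16, min_entropy: float = 7.0) -> list:
    """Return a list of problems found with `output`; [] means it passed."""
    problems = []
    if output == plaintext:
        problems.append("output is identical to the plaintext")
    # A tool that only wraps a header around the data leaks every fragment.
    for i in range(0, len(plaintext), window):
        chunk = plaintext[i:i + window]
        if len(chunk) >= 8 and chunk in output:
            problems.append(f"plaintext fragment {chunk!r} appears in output")
            break
    # ASCII armor is base64 text and scores lower, so the entropy test is
    # only applied to binary output.
    if not output.startswith(ARMOR_HEADER):
        ent = shannon_entropy(output)
        if ent < min_entropy:
            problems.append(f"entropy {ent:.2f} bits/byte is too low for ciphertext")
    return problems


def toy_keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream XOR, standing in for a real tool.
    Demonstration only; it is not a cipher to protect anything with."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def broken_wrap_only(data: bytes) -> bytes:
    """Simulates a misconfigured tool that armors but never encrypts."""
    return ARMOR_HEADER + b"\n\n" + data + b"\n-----END PGP MESSAGE-----\n"


if __name__ == "__main__":
    print("good tool:", encryption_sanity_check(SAMPLE_PLAINTEXT, toy_keystream_encrypt(b"demo-key", SAMPLE_PLAINTEXT)))
    print("wrap-only:", encryption_sanity_check(SAMPLE_PLAINTEXT, broken_wrap_only(SAMPLE_PLAINTEXT)))
    print("no-op:    ", encryption_sanity_check(SAMPLE_PLAINTEXT, SAMPLE_PLAINTEXT))
```

The fragment check is what catches the armor-only failure, since the header makes the file look encrypted at a glance and the entropy test is deliberately skipped for armored text; that is why both checks are kept. A passing result only means the output is not recognisably your plaintext, not that the encryption is strong.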
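Items 38 to 40 ask for a key pair, signed e-mail and signed files. As an added example (not from the original article), the code below shows the sign-then-verify flow with a hash-based Lamport one-time signature, chosen because it needs only the standard library; a real deployment would use mature tooling, and a Lamport key may sign exactly one message. The evidence-log document in the demo is a constructed value; to sign a file, read its bytes and pass them as the message.

```python
"""Sign a document and verify it with a hash-based one-time (Lamport)
signature. Added example, not from the original article. It uses only the
standard library to show the sign/verify flow; use mature tooling in
practice, and remember a Lamport key must sign exactly one message."""
import hashlib
import hmac
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=os.urandom):
    """Private key: 256 pairs of random 32-byte secrets (one pair per hash bit).
    Public key: the SHA-256 of each secret. Publish pk; guard sk."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(message: bytes) -> list:
    d = int.from_bytes(_h(message), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, message: bytes) -> list:
    """Reveal, for each bit of SHA-256(message), the matching half of the pair.
    The key is spent after this call: signing a second message reveals
    enough secrets for someone else to sign further messages."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    """Every revealed secret must hash to the published value for that bit."""
    if len(signature) != 256:
        return False
    return all(
        hmac.compare_digest(_h(s), pk[i][bit])
        for i, (s, bit) in enumerate(zip(signature, _digest_bits(message)))
    )


def demo_signature() -> dict:
    """Sign a constructed evidence log, then check a modified copy and a
    signature with one revealed value altered."""
    sk, pk = lamport_keygen()
    document = b"Constructed evidence log, version 1\n"
    sig = lamport_sign(sk, document)
    tampered_sig = list(sig)
    tampered_sig[0] = bytes(32)
    return {
        "genuine": lamport_verify(pk, document, sig),
        "modified_document": lamport_verify(pk, document + b" ", sig),
        "tampered_signature": lamport_verify(pk, document, tampered_sig),
    }


if __name__ == "__main__":
    print(demo_signature())
```

A single added space to the document flips about half the bits of its hash, so the revealed secrets no longer match the public key for those positions and verification fails; that is the integrity property item 40 wants others to be able to rely on. The public key is what you "let others know" under item 38; the private key, like the seed in a hash chain, never leaves your machine.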
Use uncommon sense:
- 41. Don't visit the bad-guys' sites except through a properly
concealed and authorized location. Remember that they can see you when
you can see them.
- 42. Don't go cruising through the seedy side of the Internet
unless you are ready for the seedy side to go cruising through you.
- 43. Don't respond to email from lists you haven't signed up to,
especially if they tell you that you can 'unsignup' by sending them mail.
This is how they confirm your email address as valid.
- 44. Never post to public bulletin boards or mailing lists unless
you want to get anonymous email from lots of solicitation places.
That's one of the major ways they get email addresses.
- 45. Unless you are investigating a porn site, don't visit it. You
are likely to get a great deal of follow-up from a very broad range of
- 46. The information you place in your Web browser (like your name,
address, organization name, and so forth) is available to the Web sites
you visit. Don't place information there unless you want it given to
every site you visit.
- 47. Every site you have ever visited may be revealed to any site
- 48. Your system keeps records of almost every place you visit. Many
of these records can be accessed remotely, and local access reveals fine
details of what took place and when.
- 49. If the bad guys get into your system, they can get all of your
cryptographic keys, your passwords, and anything else you have placed on
- 50. If the bad guys get into your system, they can use your system
to get into other systems it can connect to. This often includes other
computers inside your firewall.