Computer security is a crucial issue, as the damage caused by an attack can be devastating for a company. The companies and local authorities that have lost all their data to ransomware, where attackers encrypt files and demand payment, are now too many to count.
In addition to effective security measures, the best way to avoid these attacks is to follow a few rules of good IT practice.
Here is an overview of the 12 rules proposed by ANSSI.
As a reminder, ANSSI (the French national agency for information systems security) acts as the national authority for information systems security. As such, it is responsible for proposing the rules to be applied for the protection of State information systems and for verifying that the adopted measures are applied.
1. CHOOSE STRONG PASSWORDS
Passwords that are too simple, or related to your identity, can be guessed or forced. This is why it is important to choose a strong password, in accordance with the following rules:
- Use 12 characters or more
- Add at least one special character
- Use digits
- Mix upper and lower case letters
- Avoid anything linked to you personally (a date of birth, for example).
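The rules above, implemented as a small checker in Python. This is an added example, not code from ANSSI or from the original article; the set of special characters, the list of date formats a birth date is typically typed in, and the sample identity and passwords are assumptions chosen for illustration.

```python
from datetime import date

# Assumed set of "special" characters; ANSSI does not define the set.
SPECIAL_CHARACTERS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def birth_date_variants(birth: date) -> list:
    """Common ways a date of birth ends up inside a password (assumed list)."""
    return [
        birth.strftime("%d%m%Y"),    # e.g. 08031985
        birth.strftime("%d%m%y"),    # e.g. 080385
        birth.strftime("%Y%m%d"),    # e.g. 19850308
        birth.strftime("%d/%m/%Y"),  # e.g. 08/03/1985
        birth.strftime("%Y"),        # e.g. 1985
    ]


def password_issues(password: str, personal_info=()) -> list:
    """Return the rules the password breaks; an empty list means it passes.

    personal_info holds strings tied to the person (names, date variants);
    a password containing any of them, case-insensitively, is rejected.
    """
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        issues.append("no special character")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        issues.append("no mix of upper and lower case")
    lowered = password.lower()
    for item in personal_info:
        # Ignore very short fragments so that "85" alone does not reject everything.
        if len(item) >= 3 and item.lower() in lowered:
            issues.append(f"contains personal information: {item}")
    return issues


if __name__ == "__main__":
    # Constructed sample identity and candidate passwords.
    info = ["Marie", "Dupont"] + birth_date_variants(date(1985, 3, 8))
    for candidate in ["marie1985", "Dupont08031985!Ab", "Tr0ub4dor&3-correct!"]:
        print(candidate, "->", password_issues(candidate, info) or "OK")
```

The personal-information check is deliberately a substring match: a password that passes every complexity rule but embeds a surname and a birth date is still rejected, which is the point of the last rule in the list.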
Storing your passwords in plain files or in browsers is strongly discouraged. However, some password manager software holds a first-level security certification (CSPN). These solutions let you store and manage all your passwords centrally, which, remember, must be different for each account.
In addition, if you have network equipment (printer, ISP router, camera, etc.), always remember to change its default password, or to set one when there is none.
To go further, the implementation of multi-factor authentication (MFA) is very effective in limiting the impact of a lost or stolen password, since without the phone or the physical device, the attacker cannot connect.
2. REGULARLY UPDATE YOUR SOFTWARE
All software, including operating systems, contains security vulnerabilities. Both publishers and hackers are constantly trying to identify them. Some to correct them, others to exploit them.
For this reason, it is essential to update all of your company’s software on a regular basis.
Also note that some software is no longer maintained and therefore no longer receives updates. Such software should obviously be retired.
Finally, only obtain your software through the publishers' official portals, to avoid a security breach caused by a tampered installer.
3. PRIORITIZE ACCESS
First, reserve administrator accounts for qualified people, and for tasks that require them. The rest of the time, it is preferable to use standard user accounts with restricted access.
Identify different types of users, and reduce the rights of these accounts to what is strictly necessary. The obvious benefit is that, in the event that an account is hacked, it would not have the necessary rights to cause critical damage.
Also, remember to deactivate, or delete when possible, nominative and generic accounts that are no longer used.
4. BACK UP REGULARLY
With regular backups, you will be able to recover your data in the event of a system failure, whether accidental or malicious.
Many backup solutions exist (NAS server, magnetic tapes, data center outsourcing, etc.), and it may be wise to have several, in different places.
Be vigilant, depending on the nature of your data, in your choice of an outsourced solution. It is preferable to choose an accessible provider with data centers in your country.
Generally speaking, it’s always good to know where your data is, geographically speaking.
It is important that the backups are isolated from the rest of the information system, so that they are not destroyed at the same time as the production data during an attack. Too often, backups turn out to have been hit by the attack as well.
5. SECURE YOUR WI-FI ACCESS
If wired access to the network remains the most secure, the use of a Wi-Fi access point can be useful, even essential.
Make sure that your access point uses the WPA2 encryption protocol, or failing that WPA-AES. The WEP protocol, on the other hand, is not secure, since it can be broken in a few minutes with readily available software.
Replace the default connection key with a new, long one (12 characters or more) that mixes different types of characters.
It is not recommended to let people outside your company use your Wi-Fi network.
Outside of your company, use only private, trusted Wi-Fi networks, and make sure your computer or phone has sufficient protections (antivirus and firewall).
6. THE CASE OF SMARTPHONES AND TABLETS
These devices are as sensitive as computers, yet have very little security by default. They are therefore potential targets.
Be vigilant with the applications you download, and control the access they request (contacts, geographic information, etc.)
Like computers, make regular backups to an external device.
7. WHEN TRAVELLING
Mobile devices add a risk, which must be prevented in several ways:
- Use dedicated equipment when travelling, with restricted access and data. Back up the data beforehand, and check that no passwords are pre-saved on it.
- Against physical threats, you can affix a distinctive mark to the equipment, and use a privacy screen filter.
- Never leave your equipment unattended. If you have to, remove the SIM card and battery. Also inform your company.
- Turn off Wi-Fi and Bluetooth, and avoid connecting untrusted devices. If necessary, use a USB key reserved exclusively for this purpose.
- When you return to your premises, clear your browsing data (passwords, history, etc.) and have your device analyzed.
8. E-MAIL
Simple precautions can secure your use of e-mail:
- Check the identity of the sender, and whether their e-mail address is consistent with the identity announced in the message. If in doubt, do not hesitate to call the company in question.
- Only open attachments from senders you know for certain. Also check the size and format of the attachment.
- Hover your mouse over links to see their actual destination. Check that it is consistent before opening them.
- Never send confidential data by e-mail, especially when asked for it. A trustworthy organization will not ask you for a password or bank details this way.
- Disable the automatic opening of downloaded documents, and scan them with your antivirus.
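The checks in the list above, applied to a message with Python's standard `email` module. This is an added example and not code from ANSSI or the original article; the sample message, the set of trusted sender domains, the list of executable extensions and the size threshold are all constructed for illustration.

```python
import email
import os
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed thresholds and lists; adjust them to your own policy.
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".jar"}

# Constructed sample message showing several warning signs at once.
RAW_MESSAGE = b"""From: "Acme Bank Security" <alerts@acme-bank-verify.example>
Reply-To: collect@mailer-free.example
To: employee@company.example
Subject: Verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://acme-bank-verify.example/login">https://www.acme-bank.example/login</a> to confirm your password.</p>
--B1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"

TVqQAAMAAAAEAAAA
--B1--
"""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (naive; real code would use a public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw: bytes, trusted_domains: set) -> list:
    """Return human-readable warnings for the signs listed in rule 8."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []

    # Sender identity versus the address actually used.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if from_domain not in trusted_domains:
        warnings.append(f"sender {addr!r} ({name!r}) is not from a trusted domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        warnings.append(f"Reply-To {reply_to!r} uses a different domain than From")

    # Look at the real link target, not at the text that is displayed.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = urlparse(href)
            if target.scheme != "https":
                warnings.append(f"link {href!r} does not use https")
            shown = urlparse(text).hostname or "" if text.startswith("http") else ""
            if shown and registered_domain(shown) != registered_domain(target.hostname or ""):
                warnings.append(f"link text {text!r} hides a different destination {href!r}")

    # Check attachment format and size.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
            warnings.append(f"attachment {filename!r} is an executable type")
        if len(part.get_payload(decode=True) or b"") > MAX_ATTACHMENT_BYTES:
            warnings.append(f"attachment {filename!r} is unusually large")
    return warnings


if __name__ == "__main__":
    for line in analyze_message(RAW_MESSAGE, {"acme-bank.example"}):
        print("WARNING:", line)
```

The link check compares the domain a reader sees in the anchor text with the domain the browser would actually open, which is exactly what hovering over the link reveals by hand; the double extension on the attachment (`.pdf.exe`) is caught by looking only at the real, final extension.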
9. SOFTWARE INSTALLATION
Always download software from the publisher's official website. This assures you of the authenticity of the program, and that you have an up-to-date version.
Read each installer window carefully; some publishers go to great lengths to get you to install bundled third-party programs.
Disable the automatic opening of programs, and scan them with your antivirus before installation.
10. INTERNET PAYMENT
Paying on the internet can be an opportunity for a hacker to intercept your bank details.
Check for the presence of a padlock, or the https:// prefix, in the address bar of your browser.
Check the address for accuracy, being aware of any spelling mistakes.
When making your purchase, use strong authentication if possible, for example a code sent by SMS. Your bank certainly offers secure payment methods; feel free to use them.
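The two address checks from this rule (https present, hostname spelled correctly) expressed as Python, going slightly beyond the text by also catching a known name buried inside a longer hostname and internationalised hostnames that can hide look-alike characters. This is an added example, not code from ANSSI or the original article; the merchant domains and URLs are constructed, and the edit-distance threshold of 2 is an assumption.

```python
from urllib.parse import urlparse


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (naive; real code would use a public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def check_payment_url(url: str, known_domains: set) -> list:
    """Return findings for a payment page address; an empty list means it looks right."""
    if not known_domains:
        raise ValueError("known_domains must not be empty")
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("connection is not https (no padlock)")
    host = (parsed.hostname or "").lower()
    if not host:
        findings.append("no hostname in the address")
        return findings
    # Punycode labels or non-ASCII characters can disguise look-alike letters.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("hostname uses internationalised characters, possible look-alike")
    domain = registered_domain(host)
    if domain in known_domains:
        return findings
    distance, nearest = min((levenshtein(domain, k), k) for k in known_domains)
    if distance <= 2:  # assumed threshold for "one or two typos away"
        findings.append(f"{domain!r} looks like a misspelling of {nearest!r}")
    else:
        findings.append(f"{domain!r} is not a known merchant domain")
    # A known name used as a subdomain of something else is still a different site.
    for k in known_domains:
        if k in host and domain != k:
            findings.append(f"hostname embeds {k!r} but is registered under {domain!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample addresses checked against a constructed merchant list.
    merchants = {"shop.example"}
    for sample in [
        "https://shop.example/checkout",
        "http://shop.example/checkout",
        "https://sh0p.example/checkout",
        "https://shop.example.login-verify.example/pay",
    ]:
        print(sample, "->", check_payment_url(sample, merchants) or "OK")
```

The registered domain is what matters: `shop.example.login-verify.example` contains the merchant's name, but the part that decides who actually receives the card details is `login-verify.example`.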
11. PERSONAL AND PROFESSIONAL USE
Personal equipment does not enjoy the same level of security as professional devices. This is why some attacks target personal devices first, before spreading to professional equipment.
To avoid this:
- Do not forward business e-mails to a personal mailbox, and vice versa.
- Do not interconnect personal and professional peripherals (USB key, telephone, etc.)
- Do not host business data on your personal equipment.
12. INFORMATION, DATA AND DIGITAL IDENTITY
Your personal information is precious, and posting it online makes you lose all control over it. Some people can even use it to guess your passwords, gain access to your computer systems, and so on.
So only provide the minimum of information in online forms, and be aware of who is asking for it.
Limit what you share on social media, and configure your privacy settings there.