rfc2504.txt
sending confidential or extremely personal information via Email. You should never send credit card numbers and other sensitive data via unprotected Email. Please refer to "The Wires Have Ears". To cope with this problem, there are privacy programs available, some of which are integrated into Email packages.

One service many Email users like to use is Email forwarding. This should be used very cautiously. Imagine the following scenario: A user has an account with a private Internet Service Provider and wishes to receive all her Email there. She sets it up so that her Email at work is forwarded to her private address. All the Email she would receive at work then moves across the Internet until it reaches her private account. All along the way, the Email is vulnerable to being read. A sensitive Email message sent to her at work could be read by a network snoop at any of the many stops along the way the Email takes.

Note that Email sent or received at work may not be private. Check with your employer, as employers may (in some instances) legally both read your Email and make use of it. The legal status of Email depends on the privacy of information laws in force in each country.

Guttman, et. al. Informational [Page 6]
RFC 2504 Users' Security Handbook February 1999

Many mail programs allow files to be included in Email messages. The files which come by Email are files like any other. Any way in which a file can find its way onto a computer is possibly dangerous. If the attached file is merely a text message, fine. But it may be more than a text message. If the attached file is itself a program or an executable script, extreme caution should be applied before running it. See the section entitled "The Dangers of Downloading".

3.4 Passwords

Passwords may be easily guessed by an intruder unless precautions are taken. Your password should contain a mixture of numbers, upper and lower case letters, and punctuation. Avoid all real words in any language, or combinations of words, license plate numbers, names and so on. The best password is a made-up sequence (e.g., an acronym from a phrase you won't forget), such as "2B*Rnot2B" (but don't use this password!).

Resist the temptation to write your password down. If you do, keep it with you until you remember it, then shred it! NEVER leave a password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on your automated teller machine (ATM) card, would you?

You should have different passwords for different accounts, but not so many passwords that you can't remember them. You should change your passwords periodically.

You should also NEVER save passwords in scripts or login procedures as these could be used by anyone who has access to your machine.

Be certain that you are really logging into your system. Just because a login prompt appears and asks you for your password does not mean you should enter it. Avoid unusual login prompts and immediately report them to your security point-of-contact. If you notice anything strange upon logging in, change your password.

Unless precautions have been taken to encrypt your password when it is sent over the network, you should, if possible, use "one-time passwords" whenever you log in to a system over a network. (Some applications take care of that for you.) See "The Wires Have Ears" for more information on the risks associated with logging in over a network.

3.5 Viruses and Other Illnesses

Viruses are essentially unwanted pieces of software that find their way onto a computer. What the virus may do once it has entered its host depends on several factors: What has the virus been programmed to do? What part of the computer system has the virus attacked?

Some viruses are 'time bombs' which activate only when given a particular condition, such as reaching a certain date. Others remain latent in the system until a particular afflicted program is activated. There are still others which are continually active, exploiting every opportunity to do mischief. A subtle virus may simply modify a system's configuration, then hide.

Be cautious about what software you install on your system. Use software from "trusted sources", if possible. Check your site policy before installing any software: Some sites only allow administrators to install software to avoid security and system maintenance problems.

Centrally-administered sites have their own policy and tools for dealing with the threat of viruses. Consult your site policy or find out from your systems administrator what the correct procedures are to stay virus free.

You should report it if a virus detection tool indicates that your system has a problem. You should notify your site's systems administrators as well as the person you believe passed the virus to you. It is important to remain calm. Virus scares may cause more delay and confusion than an actual virus outbreak. Before announcing the virus widely, make sure you verify its presence using a virus detection tool, if possible, with the assistance of technically-competent personnel.

Trojan Horse programs and worms are often categorized with viruses. Trojan Horse programs are dealt with in the "What Program is This, Anyway?" section. For the purposes of this section, worms should be considered a type of virus.

3.6 Modems

You should be careful when attaching anything to your computer, and especially any equipment which allows data to flow. You should get permission before you connect anything to your computer in a centrally-administered computing environment.

Modems present a special security risk. Many networks are protected by a set of precautions designed to prevent a frontal assault from public networks. If your computer is attached to such a network, you must exercise care when also using a modem. It is quite possible to use the modem to connect to a remote network while *still* being connected to the 'secure' net. Your computer can now act as a hole in your network's defenses. Unauthorized users may be able to get onto your organization's network through your computer!

Be sure you know what you are doing if you leave a modem on and set up your computer to allow remote computers to dial in. Be sure you use all available security features correctly. Many modems answer calls by default. You should turn auto-answer off unless you are prepared to have your computer respond to callers. Some 'remote access' software requires this. Be sure to turn on all the security features of your 'remote access' software before allowing your computer to be accessed by phone.

Note that having an unlisted number will not protect you from someone breaking into your computer via a phone line. It is very easy to probe many phone lines to detect modems and then launch attacks.

3.7 Don't Leave Me...

Do not leave a terminal or computer logged in and walk away. Use password-locked screensavers whenever possible. These can be set up so that they activate after the computer has been idle for a while.

Sinister as it may seem, someone coming around to erase your work is not uncommon. If you remain logged in, anyone can come by and perform mischief for which you may be held accountable. For example, imagine the trouble you could be in for if nasty Email were sent to the president of your company in your name, or your account were used to transfer illegal pornography.

Anyone who can gain physical access to your computer can almost certainly break into it. Therefore, be cautious regarding who you allow access to your machine. If physically securing your machine is not possible, it is wise to encrypt your data files kept on your local hard disk. If possible, it is also wise to lock the door to one's office where the computer is stored.

3.8 File Protections

Data files and directories on shared systems or networked file systems require care and maintenance. There are two categories of such systems:

- Files to share

  Shared files may be visible to everyone or to a restricted group of other users. Each system has a different way of specifying this. Learn how to control sharing permissions of files and implement such control without fail.

- Protected files

  These include files that only you should have access to, but which are also available to anyone with system administrator privileges. An example of this is the files associated with the delivery of Email. You don't want other users to read your Email, so make sure such files have all the necessary file permissions set accordingly.

3.9 Encrypt Everything

Additionally, there are files that are private. You may have files which you do not wish anyone else to have access to. In this case, it is prudent to encrypt the file. This way, even if your network is broken into or the systems administrator turns into Mr. Hyde, your confidential information will not be available.

Encryption is also very important if you share a computer. For example, a home computer may be shared by roommates who are friends but prefer to keep their Email and financial information private. Encryption allows for shared yet private usage.

Before you encrypt files, you should check your site's security policy. Some employers and countries expressly forbid or restrict the storing and/or transferring of encrypted files.

Be careful with the passwords or keys you use to encrypt files. Locking them away safely not only helps to keep them from prying eyes but it will help you keep them secure too; for if you lose them, you will lose your ability to decrypt your data as well! It may be wise to save more than one copy. This may even be required, if your company has a key escrow policy, for example. This protects against the possibility that the only person knowing a pass phrase may leave the company or be struck by lightning.

Whilst encryption programs are readily available, it should be noted that the quality can vary widely. PGP (which stands for "Pretty Good Privacy"), for example, offers a strong encryption capability. Many common software applications include the capability to encrypt data. The encryption facilities in these are typically very weak.

You should not be intimidated by encryption software. Easy-to-use software is being made available.

3.10 Shred Everything Else

You would be surprised what gets thrown away into the waste-paper basket: notes from meetings, old schedules, internal phone lists, computer program listings, correspondence with customers and even market analyses. All of these would be very valuable to competitors, recruiters and even an overzealous (hungry?) journalist looking for a scoop. The threat of dumpster diving is real - take it seriously! Shred all potentially useful documents before discarding them.

You should also be aware that deleting a file does not erase it in many cases. The only way to be sure that an old hard disk does not contain valuable data may be to reformat it.

3.11 What Program is This, Anyway?

Programs have become much more complex in recent years. They are often extensible in ways which may be dangerous. These extensions make applications more flexible, powerful and customizable. They also open the end-user up to all sorts of risks.

- A program may have "plug-in" modules. You should not trust the plug-ins simply because you are used to trusting the programs they plug into. For example: Some web pages suggest that the user download a plug-in to view or use some portion of the web page's content. Consider: What is this plug-in? Who wrote it? Is it safe to include it in your web browser?

- Some files are "compound documents". This means that instead of using one single program, it will be necessary to run several programs in order to view or edit a document. Again, be careful of downloading application components. Just because they integrate with products which are well-known does not mean that they can be trusted. Say, you receive an Email message which can only be read if you download a special component. This component could be a nasty program which wipes out your hard drive!

- Some programs are downloaded automatically when accessing web pages. While there are some safeguards to make sure that these programs may be used safely, there have been security flaws discovered in the past. For this reason, some centrally-administered sites require that certain web browser capabilities be turned off.

4. Paranoia is Good

Many people do not realize it, but social engineering is a tool which many intruders use to gain access to computer systems. The general impression that people have of computer break-ins is that they are the result of technical flaws in computer systems which the intruders have exploited. People also tend to think that break-ins are purely technical. However, the truth is that social engineering plays a big
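As an added example for section 3.4 above (this is not part of RFC 2504), the following Python checker applies the handbook's password rules: a mixture of numbers, upper and lower case letters and punctuation, no real words even under common digit-for-letter spellings, and rejection of the RFC's own published sample "2B*Rnot2B". The word list is a small constructed stand-in for a real dictionary.

```python
import string

# Constructed stand-in for a real dictionary plus a list of names; the
# handbook rules out "all real words in any language, or combinations of
# words ... names and so on", so a deployment would load a full list.
COMMON_WORDS = {
    "password", "secret", "letmein", "welcome", "summer", "monkey",
    "dragon", "alice", "london", "sunshine", "football", "qwerty",
}

# A password printed in a public document is known to everyone; RFC 2504's
# own example is listed here precisely so that it is rejected.
PUBLISHED_EXAMPLES = {"2B*Rnot2B"}

# Common digit/symbol substitutions, undone before the dictionary check so
# that "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("0134578@$!", "oieastbasi")


def check_password(pw):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if pw in PUBLISHED_EXAMPLES:
        problems.append("appears in a published document")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # The handbook asks for a mixture of numbers, upper and lower case
    # letters, and punctuation.
    required = [
        ("digit", any(c.isdigit() for c in pw)),
        ("upper-case letter", any(c.isupper() for c in pw)),
        ("lower-case letter", any(c.islower() for c in pw)),
        ("punctuation", any(c in string.punctuation for c in pw)),
    ]
    problems.extend("no " + name for name, present in required if not present)
    # Substring search also catches combinations of words ("sunshinedragon").
    normalised = pw.translate(LEET).lower()
    if any(word in normalised for word in COMMON_WORDS):
        problems.append("contains a dictionary word or name")
    return problems


if __name__ == "__main__":
    for candidate in ("2B*Rnot2B", "P@ssw0rd", "Summer2024!", "jM7!qx#Lp2"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:12s} {', '.join(verdict)}")
```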
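As an added example for section 3.8 above (again not part of RFC 2504), this Python audit walks a home directory and reports the two kinds of mistake the handbook describes: any file other users can modify, and "protected" files such as mail files that other users can read. The set of protected names is an assumption for illustration, and the sample directory is constructed inline.

```python
import os
import stat
import tempfile

# Directory or file names treated as "protected" in the handbook's sense:
# only the owner (and, unavoidably, the system administrator) should read
# them.  These names are an assumption for illustration, not from RFC 2504.
PROTECTED_NAMES = ("mbox", "Mail", ".forward", ".netrc", ".gnupg")


def audit_permissions(root):
    """Walk `root` and return (relative path, problem) pairs for risky modes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            # A file anyone else can modify is a problem whether or not it
            # is meant to be shared.
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group or world"))
            # A protected file must not be readable by other users at all.
            protected = any(p in rel.split(os.sep) for p in PROTECTED_NAMES)
            if protected and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "protected file readable by others"))
    return sorted(findings)


def build_sample_home():
    """Create a constructed home directory with deliberately mixed modes."""
    home = tempfile.mkdtemp(prefix="rfc2504-")
    samples = {
        "mbox": 0o644,               # mail file left world-readable: bad
        "public/notes.txt": 0o644,   # shared, read-only for others: fine
        "public/todo.txt": 0o666,    # shared but world-writable: bad
        ".netrc": 0o600,             # protected and owner-only: fine
    }
    for rel, mode in samples.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return home


if __name__ == "__main__":
    for rel, problem in audit_permissions(build_sample_home()):
        print(f"{rel}: {problem}")
```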