Limited User Accounts

How much of the computing work you do actually requires an administrator account? If you're like most, it's in the 5-10% range. And if you're wondering why this is an important question, you're not alone. Bottom line, there's little reason to provide administrative exposure 100% of the time when you only need it 5-10% of the time. However, while it's quite uncommon for users to create separate accounts for the purpose of administration, that's exactly what I suggest you do.

Most destructive and invasive malware - viruses, trojans, worms, and spyware - cannot properly install and execute when attempted under the context of a limited user account. The reason for this is that malware, like any other kind of software, gets the privileges of the logged-on user. If that user does not have the capability of installing software, the malware is either significantly limited in what it can do, or it will be rendered 'dead on arrival'. This essentially enforces the principle known as Least Privilege - the application of technical controls to prevent things that you don't want to allow.

For the times when you do want to install programs, you're a right-click away from the "Run As" command (Windows PCs), which allows you to run an application with the credentials of the administrator account. On Linux, you can `su -` to root for this purpose, or do a fast user switch to the admin profile. In rare cases, you will actually need to log off and log on directly to this account.

A little extra work up front and a slight adjustment to your paradigm can render a host of malware powerless, or at least marginalized. The best time to set this up is when you have a new system or are rebuilding an existing one. At your first administrative logon, create a new, limited user account. Build and maintain your main profile there - and set the desktop background to something different so you can quickly tell which account is which. I like to keep the admin desktop particularly free of icons. If you want to set this up midstream, you'll have a little extra work ahead of you, since you already have a lot of user data in the administrator profile. This data will need to be migrated to the newly created profile and, in some cases, you may need to reinstall some programs. In either case, you can create scheduled maintenance tasks to run with administrator privilege. Common examples include disk defragmentation or data backup.
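One quick way to confirm that the account you use day to day is not an administrative one is to look at who holds membership in the privileged groups. The script below is an added example, not part of the original post: it parses a file in `/etc/group` format, reports every member of the groups named in `ADMIN_GROUPS` (the group names are an assumption; distributions vary), and offers an `is_admin` check for a single account. The sample group file is constructed for the demonstration; pass no argument to read the real `/etc/group`.

```shell
#!/bin/sh
# Added example (not from the original post): list which accounts hold
# administrative group membership so you can confirm your daily-use
# account is NOT one of them. Reads a file in /etc/group format.
# Group names here are an assumption; adjust for your distribution.
ADMIN_GROUPS="sudo wheel admin adm root"

# admin_members [group_file]  -> prints "group:user" per privileged member
admin_members() {
    file="${1:-/etc/group}"
    awk -F: -v groups="$ADMIN_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) print $1 ":" members[i]
        }' "$file"
}

# is_admin <user> [group_file]  -> exit 0 if the user is in any admin group
is_admin() {
    admin_members "${2:-/etc/group}" | grep -q ":$1\$"
}

# Constructed sample group file (not data from a real system) for offline use.
SAMPLE_GROUP="$(mktemp)"
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
daemon:x:1:
sudo:x:27:ken-admin
wheel:x:10:ken-admin,backup
users:x:100:ken,ken-admin
EOF

# Example run against the constructed file: the daily account "ken" should
# not appear, only the separate "ken-admin" account and the backup job user.
admin_members "$SAMPLE_GROUP"
if is_admin ken "$SAMPLE_GROUP"; then
    echo "ken holds admin membership - consider a separate admin account"
else
    echo "ken is a limited account"
fi
```

Run it as-is to see the constructed sample; run `is_admin "$USER"` with no second argument to check your own login against the real group file.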

Patching

Patching: The What & The Why

Ken Layng, ITS / Training Services

While patching is commonly referred to as updating, there is actually a subtle difference. Patching addresses functional and security flaws. Updating certainly includes these things, but also addresses new features of software. This post primarily addresses the existence of security flaws, and thus patching, specifically.

Plainly put, if software is not patched, it remains vulnerable to known exploits. More significantly, when vulnerabilities are discovered, they are announced. This is actually a responsible thing to do so that vendors will create patches and so that users and enterprises will know about them. However, attackers also learn about them this way and can react by writing exploits, figuring that not everyone will be diligent in patching. And they're right. Systems are attacked by malware that exploits known vulnerabilities all the time. "But I'm using Windows and I've got Automatic Updates configured - so I'm all set, right?" Wrong. Even with recent improvements, Automatic Updates still only patches Microsoft software. You still need to be very concerned with all the non-Microsoft software on your system. Automatic Updates is a good start, as is Software Update on the Mac.

To address the gap, there is Secunia PSI for PCs and AppFresh for Macs. These applications check all known software for patch-level status, and categorize it as patched, unpatched, or out-of-lifecycle. These are both free utilities at the user level. Install these today - you'll be amazed at what you will learn about your software patch levels. By the way, if the reports generated by these tools reveal software that you no longer use, remove the software. That's the best way to eliminate potential vulnerabilities - now and down the road!
Managing Multiple Complex Passwords - Part 2

Ken Layng, ITS/Training Services

In Passwords Part 1, I established the importance of ensuring that your passwords are complex, long, not dictionary-based, and changed frequently. The first thing to mention is that the last of these things - the frequency of the password change - is dependent upon the first three. The better you do with the first three, the longer you can go without changing the password. But the real difficulty comes into play when you consider the myriad of accounts that we accumulate over time. Remembering all of these passwords becomes quite a chore.
To address the resulting confusion, I have two suggestions - either one of which can begin helping right away:
The first is a password naming convention. Essentially what this does is name all of your various account passwords in a similar fashion, but makes a component of each unique, according to the account that is to be accessed. For example, goEbaypsu! for Ebay, goPaypsu! for PayPal, etc. Add an additional word for length, or substitute a number for a letter. If most of your accounts adopt this convention, you can have strong, complex passwords that are also easy to remember. Some websites may apply restrictions to length or complexity, so that may be a limitation for some accounts.
A second option is a password vault. This is a particularly good option if you know that, despite all the recommendations and best practices, you'll end up putting passwords on a sticky note on your desk, creating the same password for multiple accounts, or creating short, weak passwords. With a password vault, you remember one password and let the vault remember the complexity. Take KeePass, for example; KeePass can auto-generate long, complex passwords for you. You don't even need to know a password - as long as you can access KeePass, you can access the accounts it manages. You can create backups of the database, put copies on multiple computers where you work, synchronize databases in multiple locations, or even put it on a thumb drive so you have access to all your accounts wherever you go. The important thing to remember here is that this is potentially a single point of disclosure of all your passwords, so you need to make sure that the password that protects the database is a strong one.

Password Primer - Part 1

Ken Layng, ITS/Training Services

You have probably heard that you should always password-protect your system accounts. This prevents unauthorized people from accessing your account - both locally and remotely! You may have even heard that not all passwords are created equally. Free tools exist to 'crack' passwords. Theoretically speaking, all passwords are crackable but, practically speaking, you can make a password virtually uncrackable. Dictionary attacks check thousands of common passwords and words in mere minutes. To avoid falling prey to these tactics, create passwords that meet four requirements:

1) Complexity: Use of upper and lower case, numbers and letters, and special characters greatly increases the number of possibilities for each character.
2) No dictionary words: These are susceptible to simple dictionary attacks.
3) Length: Complexity aside, more characters make stronger passwords. Consider using a passphrase - a series of words together. This can be easier than remembering a complex password. If you deliberately misspell a word and throw in a special character, all the better.
4) Password Aging: If you change your password more frequently than the time it takes to brute-force attack it, mathematically, the password becomes secure.
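The four requirements above, and the "let the vault generate it" advice from Part 2, can be put into numbers. The script below is an added example and not part of the original post: it models the keyspace a password implies (character classes used, raised to the length), turns that into a worst-case brute-force time at an assumed guess rate, checks each of the four requirements, and generates a vault-style random password with the OS CSPRNG (`secrets`). The guess rate, the 12-character minimum and the small dictionary are constructed assumptions for the demonstration, not figures from the post.

```python
import math
import secrets
import string

# Added example, not from the original post. Assumed values below are
# constructed for the demonstration.
GUESSES_PER_SECOND = 1e10           # assumed offline cracking rate
MIN_LENGTH = 12                     # assumed minimum length for requirement 3
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "qwerty"}  # constructed sample

# The four character classes from requirement 1.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def classes_used(password):
    """Character classes that actually appear in the password."""
    return [c for c in CLASSES if any(ch in c for ch in password)]


def charset_size(password):
    """Size of the alphabet an attacker must search, given the classes used."""
    return sum(len(c) for c in classes_used(password))


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst case: exhaust every string of this length over this alphabet."""
    return charset_size(password) ** len(password) / rate


def contains_dictionary_word(password, words=DICTIONARY):
    """Requirement 2: a plain dictionary word anywhere in the password."""
    low = password.lower()
    return any(w in low for w in words)


def check_password(password, rotation_days, rate=GUESSES_PER_SECOND):
    """Evaluate the four requirements. 'aging' (requirement 4) passes only
    when the password is rotated faster than it can be brute-forced."""
    seconds = brute_force_seconds(password, rate)
    return {
        "complexity": len(classes_used(password)) >= 3,
        "no_dictionary_word": not contains_dictionary_word(password),
        "length": len(password) >= MIN_LENGTH,
        "aging": rotation_days * 86400 < seconds,
        "brute_force_days": seconds / 86400,
    }


def generate_password(length=20,
                      alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Vault-style generator: uses secrets (CSPRNG), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed weak example: three classes but short and dictionary-based.
    print("Password1 ->", check_password("Password1", rotation_days=90))
    # Vault-generated password: far beyond any practical rotation interval.
    generated = generate_password()
    print(generated, "->", check_password(generated, rotation_days=90))
    print("entropy of a 20-char password over 94 symbols:",
          round(entropy_bits(20, 94), 1), "bits")
```

With these assumptions, `Password1` fails on the dictionary word, on length, and on aging: its 62^9 keyspace is exhausted in roughly 16 days, so a 90-day rotation does not keep ahead of the attacker, whereas the 20-character generated password has about 131 bits of entropy and no realistic rotation interval is needed to protect it from brute force.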

But there are many account types beyond a system account - Ebay, PayPal, blogs, banks, shopping, investing, and on and on. What you may NOT have heard is that you should not use the same password for multiple accounts. Doing so essentially increases the likelihood of a password compromise. Moreover, if your password is compromised in any one of these accounts, all of the other accounts become vulnerable. Also, if your password is attacked, it is not likely that an individual was targeting you, specifically (although that is possible). Scripts and programs do this automatically and, as soon as they find a vulnerable system, they can go to 'work' in a number of ways.

So what's a person to do? On one hand, passwords need to be long, complex, not based on dictionary words, and recreated frequently. I know... I know... you have a dozen or more accounts; password maintenance alone could become unmanageable. Well stay tuned for Part 2: Managing Multiple Complex Passwords.
It Still Boils Down to Awareness

Ken Layng, ITS/Training Services

If you use a computer today, system and data security matters. Not just to you individually, but to 'us', collectively. Further, it requires literacy and savvy that need to be developed. There are things that, regardless of the role you're in, you need to understand. This resource is about those things - the common denominator of data security and privacy.

There are many projects and initiatives at many levels of both government and the university to address issues of personal privacy and data security. Government has defined a value-driven agenda - privacy and security - with legislation such as FERPA, HIPAA, and GLBA in an attempt to prevent unauthorized disclosure of educational, health, and financial records respectively. Organizations are then required by law (and hopefully for our good) to comply or face stiff penalties. So they put new policies and procedures in place to decrease the likelihood of an 'incident', or to reduce penalties in the event of one.

Essentially, these organizational policies are transferring part of the responsibility back to us. Ironically, despite all of these efforts, it takes nothing more than a lack of understanding for a user to disclose their own sensitive information, or that of the university.  When it comes to personal and organizational security and privacy, there are many things that you can leave to the experts. But this resource presents the things that, after everything else is said and done, are up to you. It will be easy to understand - things to check out or do. Maybe an explanation that you've been waiting for. In some cases, it might be an article that is worth a minute or two. 

My goal is for one post a week - perhaps two as time permits, and I'll try to keep them shorter than this first one. If you like what you're seeing, pass it on to a friend. Have your staff subscribe. If you have an idea for a topic, send it to me for inclusion as a future post. Well, that's all for now and here's to your security!
