Security Trainer Offers Simple Tips to Protect Your Personal Computer

Computer and network security have been growing concerns at Penn State for some time, and last year's outbreak of worms and viruses may have demonstrated just how important it can be to stay on top of the game, according to ITS Training Services security trainer Ken Layng.

"Computer security is the process of detecting and protecting against unauthorized use of your computer," said Layng. A hacker who breaks into a personal computer has access to the user's e-mail and other stored personal information. At Penn State, however, the security concerns go much deeper, according to Layng.

Most hackers are not out to get just one user. The hacker's power lies in the network to which the user is connected, and the goal of most hackers is to corrupt as many computers as possible with the least amount of effort. "People are usually hacked by an automated process. The hackers are after numbers-they aren't interested in you personally," said Layng. "But that doesn't mean they won't use your computer to carry out their master plan."

A hacker can compromise one unprotected computer and, through that, reach other computers within the same network. "A hacker can even launch attacks from a compromised PC," said Layng. This is what makes computer security at the root level so important. "The extent to which users are not secure is the degree to which the network is susceptible to exploits and compromises," he said.

Layng explained that when a computer is compromised, it is inconvenient and costly from a productivity standpoint. When a network is compromised, those effects are compounded. "A virus can spread rapidly throughout the whole Penn State network, and right now, the best weapon of defense we have is knowledge," he said.

Though much can be done at the administrative level to protect computers and networks, Layng stressed that this issue is too important for the individual user to ignore. According to Layng, there are many different levels of security, and measures must be taken at all those levels in order to ensure the most comprehensive security for computers and network environments.

"The stability of the campus network is dependent upon the cooperation of the users in that environment," said Layng, who describes his job as one of advocacy. "I am here to spread the word, explain the problem, make sure users understand what's at stake-security and identity theft, for example-and then provide the tools they need to protect themselves," he said.

"Hacking tools are becoming more and more sophisticated, and, unlike the lone rangers of old, today's hackers often comprise an organized crime community," said Layng, emphasizing that even those hackers who have a comparatively low level of knowledge can be very intrusive.

The good news is that there are easy solutions to prevent personal computers from being compromised. According to Layng, most computers are compromised simply because the users did not know there was an easy solution.

Following are several key steps that users can take to become "vastly more secure than most of the people out there," according to Layng.

Basic Security Guidelines

1. Use strong passwords. Use passwords that others cannot guess, such as phrases that include numbers, rather than words that can be found in a dictionary. Use different passwords for different accounts, and change passwords regularly. Never share your passwords.


2. Back up files. This includes daily backups of non-system files and full weekly backups. Store backups on a secure server or removable media, and store a copy of the files outside of the office area.


3. Take computers offline when not in use. Disconnect from the Internet and turn your computer off overnight.


4. Do not open unexpected e-mail attachments. Be suspicious of attachments even if they are from someone you know. If it looks suspicious, contact the sender for verification.


5. Use virus protection software. Install antivirus software. Update virus definitions automatically or weekly.


6. Use a personal firewall. A personal firewall monitors inbound and outbound traffic between a computer and the Internet.


7. Update system software. Install security updates and patches as they are made available from the vendor.


8. Restrict or disable unnecessary network services. This can include disabling file transfer protocol, telnet, personal Web servers; disabling JavaScript and ActiveX in Web browsers; and disabling scripting features in e-mail applications.

This information is provided in more detail in the free Desktop Security Overview seminar, offered through ITS Training Services. The handout is free and available to view or download at http://its.psu.edu/training/resources/handouts/home_security/.

Some free security enhancing tools and applications are available to the Penn State community via the PAC-ITS CD or at http://downloads.its.psu.edu/. You must have a valid Penn State Access Account to access these tools and applications.

If you fear that your computer has been infected, you may contact the Help Desk for assistance at 814-863-2494, 814-863-1035 or 1-888-778-4010. Please report receipt of infected messages to virus@psu.edu, and include full header information.

ITS Training Services offers several free seminars that can help users gain a better understanding of how to secure and protect their desktop computers. These include Desktop Security (Overview) and two levels of Windows XP Security. Typically, these seminars are repeated during fall, spring, and summer seminar sessions. This spring, Layng also offered two fee-based courses on Windows Server 2003 Security. He hopes to continue developing and offering these types of courses as requested and needed by the Penn State community.

In addition, Layng and his colleagues at ITS Training Services are in the process of developing a security training plan that will accommodate many skill levels and target training to a variety of job functions within the Penn State community. He works closely with Security Operations and Services, a unit of Information Technology Services, to identify training needs and to develop appropriate training sessions for a variety of audiences, from everyday users to security managers and network administrators.

Check the ITS Training Services home page for the most current information on upcoming training events at http://its.psu.edu/training/.