Keep Your Computer Safe With Access Controls
How NIST 800 Standards Can Keep Your Computer Safe
Recently the government passed a requirement: small businesses supplying contractors to the Federal Government must ensure that they protect Controlled Unclassified Information (CUI). This information includes financial and medical information about their employees, financial records about contracts, patents and trademarks, and other information. If revealed to competitors or hackers, CUI could harm the company or its employees. These companies need to audit their cyber security processes, people, and technologies to ensure that adequate protections are in place to keep this information secure.
The National Institute of Standards and Technology (NIST) developed a checklist of controls and practices that facilitate the audit process: NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The publication consists of 14 control families that help provide a defense to protect the confidentiality, integrity, and availability of the information stored, processed, or transmitted.
But what about the individual at home? NIST SP 800 can educate the home user on procedures and tools that will make home systems more secure. These recommendations include the use of inexpensive or open source tools, external devices, and procedures that you can easily incorporate into your daily routine to protect your information. These lessons do not tell the reader how to implement these controls or practices – you can find these instructions on YouTube. Instead, these lessons provide a roadmap of ideas to make your system more resilient to hackers. These lessons follow the NIST control guidelines. Today we will discuss the first family of controls: access controls.
What are Access Controls?
Access is the ability to make use of any system resource. Access control is the process of granting or denying specific requests to:
1) obtain and use information and related information processing services; and
2) enter specific physical facilities. (We will cover this topic under physical security controls.)
System-based access controls are called logical access controls. Logical access controls prescribe not only who can have access to a specific system resource, but also the type of permitted access (read, write, delete, etc.). These controls may be built into the operating system, incorporated into applications programs or major utilities (e.g., database management systems, communications systems), or implemented through add-on security packages. Logical access controls may be implemented internally to the system being protected or in external devices.
Let’s concentrate only on the ability to read the information. After all, disclosing information usually causes the most harm. Now that you understand the purpose of access controls, let’s see how you can make your home system more secure.
Why You Should Limit Admin Access
Restricting Administrator Access Protects Your Computer
Many users log into their systems without considering the privilege level that comes with the sign-on. Usually people sign on as “administrator,” which basically provides the user with access to all system information and all applications. Admin access makes the system easy to use. For instance, you can quickly install new applications, change how the desktop works, and access all files. However, during a system compromise, everything you have on the computer is at risk.
First, determine what information you want available to only you. This could include tax information, stock transactions, health records, or anything that, if revealed, could result in severe harm. Place all these documents in a folder that is not shared with anyone. This is the information that is available to you when you sign on as administrator or owner.
Limit Access Rights
Next, create another log-in profile – this time, with limited rights. Use this profile for all information that, if disclosed, would result in minimal harm. This includes term papers, recipes, articles downloaded from the Internet, vacation pictures (that you would show publicly), songs, etc. Use this profile to log into your system most of the time. Thus, if a system compromise occurs while logged on with this account, the hacker will only have access to non-vital information.
Create a Guest Account
Finally, create a guest account for the rare occasion when you let someone else use your system. This account does not require a password, and information in folders and on the desktop is not available to guest users.
How Computer Sign Outs and Timeouts Protect Your Identity
Activate password lockouts should someone obtain physical access to your computer. I usually set this at three attempts.
Auto Sign Out
Time for a break? Auto sign outs, or auto logouts, are also referred to as idle logouts, session logouts, and inactivity logouts. Enabling idle logouts prevents your computer from staying “open” during an interruption (phone call, visitors, etc.). I usually set this to 15 minutes. If you are going to leave your house for any period of time, then you should power down your computer. The safest computers are the ones that are not on.
How Does FDE (Full Disk Encryption) Work?
Full disk encryption (FDE) technology converts data into unreadable code. This undecipherable, or “encrypted,” code prevents unauthorized people from reading the data. Full disk encryption encrypts all data so that the user cannot forget to encrypt. FDE is especially useful for laptops and mobile devices that can be physically lost or stolen. TechTalks gives a more detailed explanation of how FDE works.
Full Disk Encryption Software
If you have a laptop, invest in full disk encryption (FDE) software. A single user application costs under $100. Full disk encryption provides a level of security that passwords alone cannot provide. There are numerous tools that specialize in cracking passwords, but FDE uses strong encryption algorithms to encrypt drives on your PCs, thereby protecting all data stored in the drives. With FDE, even if the drive is removed from the current computer and put into another device, the information is still inaccessible.
What is the best full disk encryption software?
Use these resources to start your own FDE software research. Wikipedia has a comprehensive comparison of disk encryption software, and PC Magazine offers some top FDE software recommendations.
Is Free Wi-Fi Safe?
Finally, if you use your laptop while traveling, do not use free Wi-Fi to transmit any information that you would not want others to see. All of the recommended actions protect data while processing and in storage, but they will not protect data transmitted over non-secure connections. Use a VPN (virtual private network) for the safest connection. We cover VPN usage in the awareness and training lesson.
Summary: 7 Steps to Access Control Safety
- Restrict administrator access.
- Create a login profile with limited rights.
- Create a guest account.
- Activate password lockouts.
- Enable auto sign out.
- Invest in full disk encryption software.
- Avoid public Wi-Fi.
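A quick way to check two of these steps (restricted administrator access and password lockouts) is sketched below. This is an added example, not part of the original lesson. It assumes an English-language Windows PC and reads the text printed by the built-in `net accounts` and `net localgroup Administrators` commands; the sample output and the account names `owner` and `daily` are constructed for illustration.

```python
import re

# Constructed sample output (not captured from a real machine) of the commands
# `net accounts` and `net localgroup Administrators`; English-language Windows assumed.
NET_ACCOUNTS = """\
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
The command completed successfully.
"""
ADMIN_GROUP = """\
Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
owner
daily
The command completed successfully.
"""
MAX_ATTEMPTS = 3  # the article's lockout setting

def lockout_threshold(net_accounts):
    """Lockout threshold as an int, or None when it is "Never" or absent."""
    m = re.search(r"^Lockout threshold:\s*(\d+)\s*$", net_accounts, re.MULTILINE)
    return int(m.group(1)) if m else None

def admin_members(group_output):
    """Account names listed under the "Members" heading."""
    names = []
    for line in group_output.partition("\nMembers\n")[2].splitlines():
        line = line.strip()
        if line.startswith("The command completed"):
            break
        if line and not line.startswith("---"):
            names.append(line)
    return names

def audit(net_accounts, group_output, daily_user):
    """Return findings where the outputs fall short of the article's checklist."""
    findings = []
    threshold = lockout_threshold(net_accounts)
    if not threshold:
        findings.append("lockout: not enabled")
    elif threshold > MAX_ATTEMPTS:
        findings.append(f"lockout: {threshold} attempts allowed, want at most {MAX_ATTEMPTS}")
    if daily_user.lower() in (m.lower() for m in admin_members(group_output)):
        findings.append(f"admin: everyday account '{daily_user}' is in Administrators")
    return findings
```

Calling `audit(NET_ACCOUNTS, ADMIN_GROUP, "daily")` on the sample reports both problems; an empty list means both checks passed.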