IT Fundamentals/Security Practices

This lesson introduces the best IT security practices.

Keys
Keys

Objectives and Skills

edit

Objectives and skills for the security practices portion of IT Fundamentals certification include:[1]

  • Explain methods to secure devices and best practices.
    • Securing devices (mobile/workstation)
      • Antivirus/Anti-malware
      • Host firewall
      • Changing default passwords
      • Enabling passwords
      • Safe browsing practices
      • Patching/updates
    • Device use best practices
      • Software sources
        • Validating legitimate sources
        • Researching legitimate sources
        • OEM websites vs. third-party websites
      • Removal of unwanted software
      • Removal of unnecessary software
      • Removal of malicious software
  • Explain password best practices.
    • Password length
    • Password complexity
    • Password history
    • Password expiration
    • Password reuse across sites
    • Password managers
    • Password reset process
  • Explain common uses of encryption.
    • Plain text vs. cipher text
    • Data at rest
      • File level
      • Disk level
      • Mobile device
    • Data in transit
      • Email
      • HTTPS
      • VPN
      • Mobile application
  • Summarize behavioral security concepts.
    • Expectations of privacy when using:
      • The Internet
        • Social networking sites
        • Email
        • File sharing
        • Instant messaging
      • Mobile applications
      • Desktop software
      • Business software
      • Corporate network
    • Written policies and procedures
    • Handling of confidential information
      • Passwords
      • Personal information
      • Customer information
      • Company confidential information

Readings

edit
  1. Wikipedia: Computer security
  2. Wikipedia: Personal data

Multimedia

edit
  1. YouTube: Devices Security Best Practices
  2. YouTube: Password Best Practices
  3. YouTube: Common Uses of Encryption
  4. YouTube: Behavioral Security Concepts
  5. YouTube: Chapter 11 - IT Fundamentals+ (FC0-U61) IT Security Threat Mitigation

Activities

edit
  1. Complete the GCF Global: Protecting your computer tutorial.
  2. Use anti-malware software to scan your system and test malware detection.
  3. Configure password management.
  4. Test your firewall using a testing service such as Gibson Research: ShieldsUP!
  5. Consider encrypting your system storage:
  6. Research privacy options when using social networking, instant messaging, and various installed apps and programs. Consider enhancing your privacy settings wherever possible.

Lesson Summary

edit

Device Security

edit
  • Device hardening is the process of securing a system by reducing its surface of vulnerability. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.[2]
  • Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.[3]
  • A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.[4]
  • Firewalls are often categorized as either network firewalls or host-based firewalls. Network firewalls filter traffic between two or more networks and run on network hardware. Host-based firewalls run on host computers and control network traffic in and out of those machines.
  • Securing devices includes:[5]
    • Antivirus/Anti-malware
    • Host firewall
    • Changing default passwords
    • Enabling passwords
    • Safe browsing practices
    • Patching/updates
  • Best practices for device use include:[6]
    • Software sources
      • Validating legitimate sources
      • Researching legitimate sources
      • OEM websites vs. third-party websites
    • Removal of unwanted software
    • Removal of unnecessary software
    • Removal of malicious software

Passwords

edit
  • A password is a memorized secret, typically a string of characters, used to confirm the identity of a user.[7]
  • Password best practices include:[8]
    • Password length
    • Password complexity
    • Password history (minimizing reuse)
    • Password expiration
    • Password reuse across sites (minimizing reuse)
    • Password managers
    • Password reset process

Encryption

edit
  • Encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext.[9]
  • Most applications of encryption protect information only at rest or in transit, leaving sensitive data in cleartext and potentially vulnerable to improper disclosure during processing.[10]
  • File-level encryption is a form of disk encryption where individual files or directories are encrypted by the file system itself.[11]
  • Disk-level encryption is a form of disk encryption where the entire partition or disk in which the file system resides is encrypted.[12]
  • Email is encrypted using Transport Layer Security (TLS).[13]
  • Web browser communication is encrypted using HTTPS.[14]
  • A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.[15]

Behavioral Security

edit
  • Internet privacy involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to oneself via the Internet.[16]
  • Those concerned about Internet privacy often cite a number of privacy risks — events that can compromise privacy — which may be encountered through online activities. These range from the gathering of statistics on users to more malicious acts such as the spreading of spyware and the exploitation of various forms of bugs (software faults).[17]
  • A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data.[18]
  • Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services.[19]

Key Terms

edit
PII (Personally Identifiable Information)
Any information relating to an identifiable person.[20]
PIN (Personal Identification Number)
A numeric or alpha-numeric password used in the process of authenticating a user accessing a system.[21]
VPN (Virtual Private Network)
Extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.[22]

Assessments

edit

See Also

edit

References

edit