Universidade do Porto
TIC - Information and Communication Technologies
TIC Security | Print version. Edited: 2012-07-10
We seek, on an ongoing basis, to increase knowledge about the different aspects of computer security and to disseminate it in the form of:
Topics / Areas
EU legislation - and consequently Portuguese legislation - differs from that of the USA.
The GI (Information Management Unit) of the U.PORTO Rectorate holds information and has defined procedures regarding these aspects.
“While it may seem easier to keep everything, this is actually a losing strategy,” said Sarah Koucky, Senior Director of Security and Compliance for Cintas Document Management. “Saving unnecessary records costs both time and money. By setting retention schedules and policies, organizations will remain compliant with government regulations and can expedite the destruction of out-dated records to ensure a clutter-free system.”
The following retention schedule is a general recommended guideline for certain files and documents. Consult your legal advisor for specific retention schedules appropriate for your business and records.
· 1. As you leave (…) make sure you take everything with you, including your mobile devices…
· 2. Protect your mobile device: with at least a password (…a strong one…). Better (…) use an encryption solution so that even if your device is left behind, the data on it is not accessible to anyone…
· 3. Don't elect to automatically complete online credentials, such as corporate network login details…
· 4. Back-up your device and remove any sensitive information that you do not need…
· 5. As in tip 4, remove SMS and emails that you don't need anymore - you'd be surprised how many people keep their default password emails on their mobiles and other hugely sensitive information like PINs, bank account details…
· 6. Don't leave your mobile device open to access (e.g. leaving Bluetooth or Wi-Fi turned on) (…) visible and unsecured.
· 7. Include your name and contact details in the device so that, if it should be lost, it can easily be returned to you…
· 8. Finally, speak to your IT department before you leave the office… – that's what they're there for. They'll help make sure your device is better protected should it find itself languishing all alone at the airport.
" 'Tis the season to be jolly – and to leave sensitive corporate information behind at the airport! According to telephone interviews with the lost property offices of 15 UK airports (…) over 5,100 mobile phones and 3,844 laptops have been left behind so far this year; with the majority still unclaimed and many more expected to be left over the Christmas holiday peak season."
· 1. My computer speaks to me.
· 2. My computer is running extremely slowly.
· 3. Applications won't start.
· 4. I cannot connect to the Internet or it runs very slowly.
· 5. When I connect to the Internet, all types of windows open or the browser displays pages I have not requested.
· 6. Where have my files gone?
· 7. My antivirus has disappeared, my firewall is disabled.
· 8. My computer is speaking a strange language.
· 9. Library files for running games, programs, etc. have disappeared from my computer.
· 10. My computer has gone mad… literally.
"Users are often advised to use an antivirus to check if their systems are infected, but with the current cyber-crime scenario, this is simply not enough."
"PandaLabs has produced a simple guide to the 10 most common symptoms of infection, to help all users find out if their systems are at risk…"
· 1. Hackers don't go on holiday.
· 2. Protect dormant accounts.
· 3. Don't advertise that your staff are on holiday.
· 4. Don't share login details.
· 5. Set time limits on special access privileges.
· 6. Secure remote worker authentication.
· 7. Ensure robust end-point security for remote workers.
· 8. Watch out for increased web use.
· 9. Be vigilant on payment processing.
· 10. Switch off unused PCs and routers.
"SecureWorks outlines its top ten tips for IT and security managers to minimize risk during the holiday season."
"Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use the right security measures. Unfortunately, the Web is full of outdated advice and myths. But here are some do's and don'ts of Wi-Fi security, addressing some of these myths."
· 1. Don't use WEP.
· 2. Don't use WPA/WPA2-PSK.
· 3. Do implement 802.11i.
· 4. Do secure 802.1X client settings.
· 5. Do use a wireless intrusion prevention system.
· 6. Do deploy NAP or NAC.
· 7. Don't trust hidden SSIDs.
· 8. Don't trust MAC address filtering.
· 9. Do limit SSIDs users can connect to.
· 10. Do physically secure network components.
· 11. Don't forget about protecting mobile clients.
"Wi-Fi security do's and don'ts. 11 tips for protecting your wireless networks."
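Tips 1 to 4 and 7 above are all visible in a client's wpa_supplicant.conf, so they can be checked mechanically. The following script is an added example written for this page, not code from the article quoted above or from the wpa_supplicant project: it parses the network={...} blocks of a configuration and reports which tips each block breaks. The sample configuration embedded in it is constructed for the example; the SSIDs, the RADIUS server name radius.example.edu and the CA file path are placeholders, and the finding codes (WEP_OR_OPEN, PSK and so on) are this script's own names. The defaults it assumes when a key is absent (key_mgmt=WPA-PSK WPA-EAP, proto=WPA RSN, pairwise=CCMP TKIP) are the ones documented in wpa_supplicant's example configuration file.

```python
"""Lint wpa_supplicant.conf network blocks against the Wi-Fi do's and don'ts.

Added example for this page. The sample config below is constructed; SSIDs,
host names and file paths are placeholders, not any real deployment's values.
"""
import re

# Constructed sample: a WEP block, a hidden-SSID WPA(1)-PSK block and a
# hardened WPA2-Enterprise (802.11i + 802.1X) block that validates the server.
SAMPLE_CONF = """
network={
    ssid="campus-legacy"
    key_mgmt=NONE          # open/WEP: no 802.11i at all
    wep_key0=0123456789
    wep_tx_keyidx=0
}
network={
    ssid="campus-guest"
    scan_ssid=1            # hidden SSID: the client must probe for it by name
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    psk="one password shared by everyone"
}
network={
    ssid="campus-8021x"
    proto=RSN              # RSN = WPA2 = 802.11i
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"
    password="secret"
    ca_cert="/etc/ssl/certs/campus-ca.pem"        # which CA may sign the RADIUS cert
    domain_suffix_match="radius.example.edu"     # which name that cert must carry
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(text):
    """Return one {key: value} dict per network={...} block; quotes and # comments stripped."""
    nets = []
    for body in _BLOCK.findall(text):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def lint_network(net):
    """Return (code, message) findings for one block; an empty list means it follows the tips."""
    findings = []
    # Defaults applied by wpa_supplicant when the key is absent from the block
    key_mgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP").split()
    proto = net.get("proto", "WPA RSN").split()
    pairwise = net.get("pairwise", "CCMP TKIP").split()

    if any(k.startswith("wep_key") for k in net) or key_mgmt == ["NONE"]:
        findings.append(("WEP_OR_OPEN", "tip 1: WEP or open network, replace with 802.11i (WPA2)"))
    if "WPA-PSK" in key_mgmt:
        findings.append(("PSK", "tip 2: one pre-shared key for every user, move to WPA-EAP (802.1X)"))
    if any(k.startswith("WPA-") for k in key_mgmt):
        if "RSN" not in proto and "WPA2" not in proto:
            findings.append(("NO_RSN", "tip 3: only WPA (v1) allowed, require proto=RSN"))
        if "TKIP" in pairwise:
            findings.append(("TKIP", "tip 3: TKIP cipher permitted, require pairwise=CCMP"))
    if "WPA-EAP" in key_mgmt:
        if not net.get("ca_cert") and not net.get("ca_path"):
            findings.append(("EAP_NO_CA", "tip 4: no ca_cert, any RADIUS server certificate is accepted"))
        if not any(k in net for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
            findings.append(("EAP_NO_NAME", "tip 4: server name unchecked, any cert from that CA is accepted"))
    if net.get("scan_ssid") == "1":
        findings.append(("HIDDEN_SSID", "tip 7: client probes for this SSID by name, hiding it protects nothing"))
    return findings


def lint_config(text):
    """Map each SSID in the config to the list of finding codes for its block."""
    return {net.get("ssid", "?"): [code for code, _ in lint_network(net)] for net in parse_networks(text)}


if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        print(net.get("ssid", "?"))
        for code, message in lint_network(net) or [("OK", "follows the tips")]:
            print(f"  {code:<12} {message}")
```

Run against the constructed sample, the WEP block is flagged once, the guest block four times (PSK, WPA-only, TKIP, hidden SSID) and the 802.1X block not at all. The two tip-4 checks are the ones most often missing in practice: without ca_cert the supplicant accepts any RADIUS certificate, and without domain_suffix_match it accepts any certificate the named CA has ever issued, which is enough for a rogue access point to harvest MSCHAPv2 hashes.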
· Legitimate access, yet inappropriate use.
· Opportunistic access is still a real risk.
· Illegitimate Access - so of course they're up to no good.
· What can corporate UK do?
It may seem like a nightmare, with so many trusted employees intentionally, or even inadvertently, putting your most vital asset, your data, in jeopardy; yet there are ways to mitigate these risks.
"Arguably an organization's most vital asset is its databases, often containing sensitive financial information, customer and employee data and intellectual property. There have been many articles written that examine the risks posed by data being exposed and the potential damage caused. External threats have long been recognized, with billions of pounds spent strengthening defenses to mitigate against them - yet there is little acknowledgment of the very real threat from within. The statement 'don't leave your valuables on show' is a simple principle so why is it often ignored by corporate UK?"
"I've identified the most common techniques individuals will employ to copy sensitive data"
If you take your computer on vacation with you
· Before you do anything else, back up all your information…
· Make sure that you have reliable, up-to-date protection and all necessary security patches are installed.
· To mitigate the consequences of anyone stealing your computer, encrypt the information on your hard disk…
· Clean out temporary files, logs, cookies and any password reminders or auto-complete features you use with your browser…
· Don't connect to unprotected WiFi networks, as you could be hooking up to a network set up by hackers to steal any information that you share across the Internet. Even if you have to pay for it, it is always better to use secure, trusted networks.
· Take care with email. Phishing attacks and spam are becoming increasingly sophisticated.
If you use a computer other than your own during the holidays
· Better still… Don't! You never know what could be installed on this computer. Using PCs in cyber-cafes (…) or systems in hotels or airports to access your bank account, etc. could have serious consequences…
· If you really have no choice, and you have to enter websites requiring your personal credentials, make sure you change these as soon as possible afterwards to minimize the risk.
· Avoid making any transactions or purchases online…
· Don't accept any of the prompts to save personal data offered by many browsers.
· When you have finished, delete all temporary files, the browser history, cookies, log files and any other information that may have been saved on the computer.
· If you download anything onto the local computer, remember to delete it before closing…
And always, on social networks or similar
· Never use applications for planning journeys offered by social networks, to ensure that you can't be located. Don't accept the geolocation function…
· Don't proactively share your holiday plans in chatrooms, IRCs, communities, etc.
· If you do spend time in chatrooms while on holiday, don't reveal any personal or confidential details to anyone you don't know.
· Share these recommendations with your children, who are often more naïve and more open to sharing information across the Internet.
· If you observe any suspicious behavior on social networks (strangers with too much of an interest in your holiday destination, dates, etc.) contact the police. Prevention is better than cure.
"With the boom in social networks and the numerous applications now available for sharing information across the Internet, PandaLabs advises users to take extra precautions to prevent falling victim to computer fraud, particularly as the summer vacation period commences in many countries."
· If you download movies or videos clips, make sure they're from well-known and trusted sources.
· Don't click on search results for images of celebrities unless you can verify where the image is coming from.
· When searching for popular movies or celebrities, know how to spell names correctly.
· Purchase your gear from well-respected online retailers.
· Be wary of clicking on links in Twitter - shortened links make it difficult to confirm legitimate and recognized Web sites.
· Entering a contest online? Here's what to look for to make sure it's legit.
· 1. Manage your privacy settings.
· 2. Own it.
· 3. Tag with care.
· Identify information assets.
1 - Public information; 2 - Internal, but not secret, information; 3 - Sensitive internal information; 4 - Compartmentalized internal information; 5 - Regulated information.
· Locate information assets.
· Classify information assets.
· Conduct a threat modeling exercise.
STRIDE: Spoofing of Identity; Tampering with Data; Repudiation of Transactions; Information Disclosure; Denial of Service; Elevation of Privilege.
· Finalize data and start planning.
"Organizations face a constant barrage of cybersecurity threats. Botnets, malware, worms and hacking are just a few things that keep IT managers awake at night, wondering if their network is safe and strong enough to deflect the next attack. Rather than reaching for a sleep aid to get through the night, organizations need a coherent methodology for prioritizing and addressing cybersecurity risks."
"CDW advises organizations to consider five steps to develop a solid foundation for the organization's security strategy"
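The five steps above (identify, locate, classify, threat-model with STRIDE, then finalize and plan) can be carried through on a small inventory to show what the output of the last step looks like. The script below is an added example written for this page, not CDW's own method or tooling: it uses the page's five classification levels and STRIDE categories, and assumes the STRIDE-per-element convention (each data-flow-diagram element type is exposed only to some of the six categories: an external entity to spoofing and repudiation, a process to all six, a data store and a data flow to tampering, disclosure and denial of service, with repudiation added for stores because they hold the logs) as the way step 4 is performed. The inventory of a university grade-submission system, its locations and the controls marked as already in place are all constructed for the example.

```python
"""The five CDW-style steps as a script: inventory, locate, classify, STRIDE, plan.

Added example for this page. The inventory below is constructed; asset names,
locations and the "already mitigated" list are placeholders, not a real system.
"""
from dataclasses import dataclass

# Step 3: the classification scale from the page, 1 = least sensitive
CLASSIFICATION = {
    1: "Public",
    2: "Internal, not secret",
    3: "Sensitive internal",
    4: "Compartmentalized internal",
    5: "Regulated",
}

STRIDE_NAMES = {
    "S": "Spoofing of identity",
    "T": "Tampering with data",
    "R": "Repudiation of transactions",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Step 4: STRIDE-per-element (assumption: the usual DFD element-to-threat table)
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str       # DFD element type, a key of STRIDE_PER_ELEMENT
    location: str   # step 2: where it lives
    level: int      # step 3: classification 1..5 of the most sensitive data it handles

    def __post_init__(self):
        if self.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind {self.kind!r}")
        if self.level not in CLASSIFICATION:
            raise ValueError(f"classification level must be 1..5, got {self.level}")


# Steps 1-3: constructed inventory for a grade-submission system
INVENTORY = [
    Asset("Lecturer", "external_entity", "Off campus, own laptop", 2),
    Asset("Grade submission web app", "process", "DMZ web tier", 5),
    Asset("Student records database", "data_store", "Datacentre, VLAN 20", 5),
    Asset("Public course catalogue", "data_store", "Public web server", 1),
    Asset("Lecturer browser to grade app (TLS)", "data_flow", "Internet", 5),
]

# Controls already in place, as (asset name, STRIDE letter); these drop out of the plan
MITIGATED = frozenset({
    ("Lecturer browser to grade app (TLS)", "I"),   # TLS covers disclosure in transit
    ("Grade submission web app", "S"),              # SSO with strong authentication already enforced
})


def enumerate_threats(assets):
    """Step 4: every (asset, STRIDE letter) pair the asset's element type is exposed to."""
    return [(asset, letter) for asset in assets for letter in STRIDE_PER_ELEMENT[asset.kind]]


def prioritise(assets, mitigated=frozenset()):
    """Step 5: residual threats ranked by classification (highest first), then STRIDE order, then name."""
    residual = [(a, t) for a, t in enumerate_threats(assets) if (a.name, t) not in mitigated]
    residual.sort(key=lambda pair: (-pair[0].level, "STRIDE".index(pair[1]), pair[0].name))
    return [(a.name, a.location, CLASSIFICATION[a.level], STRIDE_NAMES[t]) for a, t in residual]


def report(assets, mitigated=frozenset()):
    """Plain-text plan: one line per residual threat, most sensitive assets first."""
    rows = prioritise(assets, mitigated)
    return "\n".join(f"{cls:<28} {name:<38} {threat}" for name, _, cls, threat in rows)


if __name__ == "__main__":
    print(report(INVENTORY, MITIGATED))
```

The ranking key is deliberately simple: classification level first, so that regulated data is planned for before public data, with STRIDE order only as a tie-breaker. A real exercise would replace it with a likelihood-times-impact score, but the structure (inventory, location, level, element type, residual threats) is what the five steps produce and what the planning in step 5 consumes.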
· Evaluate your goals.
· Perform due diligence.
· Choose wisely.
· To protect your data, take a good look at your provider.
· Consider a hybrid security model.
· Remember to comply!
[Charts: virus activity in real time; vulnerability statistics. Source: OSVDB - Open Source Vulnerability Database]