Basic Security Checklist

Introduction

This basic security checklist addresses general security topics.

Password Security

Your computer password is your best defense against damaging intrusions. Without a well-chosen password or set of passwords, any other security measures protecting your data are greatly weakened. Never share your passwords with anyone. The most frequent password mistakes made include choosing an obvious password or writing down the password near your computer. You can avoid creating an insecure password by making sure it meets these requirements:

  • Has eight characters at a minimum. However, it is better to make your password as long as you can. In general, the longer your password, the more secure it will be.
  • Uses a mixture of upper- and lower-case letters, numbers, and special characters such as ‘~!@#$%^}\|`”;:,/?.
  • Isn’t based on any obvious items of personal information (e.g. PID, Social Security number, street address, middle name, etc.)
  • Does not use words or combinations of words that could be found in a dictionary, especially an English dictionary. Example: “TarHeels”.
  • Uses a specially crafted sequence of characters for unusual phrases that you invent. An example would be the password “~2myuT$!” for “About 2 more years until Tenure Salary!”
  • Is changed often. In general, the longer and more complex a password, the longer it takes to crack. If you change your password every 90 days, the chances of it being cracked are reduced even further.
  • Is not the same password used for other accounts. Do not use a password for more than one account and do not base your password on an easily guessed pattern. If your password is discovered and it is also discovered that you used an easily guessed pattern to make the password, then your other passwords will also be at risk.
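
As an added example (not part of the original checklist or any ITS tool), the Python function below checks a candidate password against the items above that can be tested mechanically: length, character mix, personal information, and dictionary words. The function names, the small word list, and the sample personal items are assumptions made for illustration.

```python
import string

# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"tar", "heels", "password", "carolina", "tenure", "salary"}


def _is_word_combo(text, words):
    """True if text consists entirely of one or more dictionary words."""
    if not text:
        return True
    return any(
        text.startswith(w) and _is_word_combo(text[len(w):], words) for w in words
    )


def check_password(password, personal_items=(), words=SAMPLE_WORDS):
    """Return the checklist items the password fails (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")

    # Mixture of upper- and lower-case letters, numbers, and special characters.
    classes = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    problems += ["no " + name for name, present in classes.items() if not present]

    # Obvious personal information (name, street address, ID numbers, ...).
    lowered = password.lower()
    if any(item and item.lower() in lowered for item in personal_items):
        problems.append("contains personal information")

    # Dictionary words or combinations of them. Digits and symbols are
    # dropped first, so padding a word with "1!" does not hide it.
    letters = "".join(c for c in lowered if c.isalpha())
    if letters and _is_word_combo(letters, words):
        problems.append("built from dictionary words")
    return problems


if __name__ == "__main__":
    for candidate in ("TarHeels", "~2myuT$!"):
        print(candidate, "->", check_password(candidate) or "passes")
```

Reuse across accounts and rotation cannot be judged from a single password, so those items are left to the user or to the account system.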

When it comes to physical password security, never record your password anywhere close to the computer (on post-its, pull-out trays in desks, inside drawers, under shelves, etc.)

Make sure to password protect your computer and any services or programs that you use online. Never turn on features to automatically remember passwords that websites or software programs may offer you. Even something as simple as an instant messaging client could potentially pose a threat to your computer security.

Physical Security

Even the most secure password can be compromised if you step away from your computer while logged in. Make sure that you always limit incidental access to your machine: log off your computer when you leave the room and lock your office or room. You can also use a screen saver password to lock your computer so that only you can unlock it.

While all computers on the UNC-Chapel Hill network are valuable to those looking to commit digital crimes, you should never forget that your computer equipment is also a target for theft. Remember to physically secure your laptop and any other easily portable equipment to a desk or other hefty object using a security cable (available in Student Stores).

Effective Antivirus Protection

Outside of a good password, constant antivirus protection is one of the most critical components of a secure computer system. Viruses can easily cause your system data to be compromised, and their destructive influence is devastating. The University provides Microsoft Security Essentials AntiVirus for Windows (For Personally Owned Computers) and Microsoft System Center Endpoint Protection Antivirus Client (Non-Managed – For University Owned Computers) for Windows users. For Macintosh users, ClamXav AntiVirus for Mac (For Personally Owned Computers) is available. Both the Windows and the Macintosh antivirus programs are free to University faculty, staff, and students.

Many users don’t install antivirus software (and sometimes even disable existing software) because they think it slows their computer down or it clutters their system. Although antivirus software may in fact slow down your computer a negligible amount, it rarely affects the overall performance of your system, and the protection it provides is immeasurable.

Finally, many users keep their antivirus software installed but fail to update the virus definitions. Those definitions are equivalent to the FBI’s Most Wanted list, and if you don’t update them regularly, the software’s effectiveness is severely limited. Look in help.unc.edu for documents on the Windows and the Macintosh antivirus programs to determine how to be sure definitions are updated on a regular basis.

Evolving Past Telnet

If you use telnet to check your e-mail or utilize UNC’s Unix shell, you should be aware that hackers may be able to eavesdrop on your telnet session. By spying on the plain-text data that moves between computers, they can pick up your username, password, grades, and more. And once they have your password, they can also use your accounts to send mail, hack into other computers, and get you into trouble for things you never did.

ITS recommends that you use Secure CRT as your default telnet client instead of the standard telnet that comes installed on your computer. Secure CRT looks and feels just like telnet, but it encrypts every piece of data that travels between your computer and the telnet server (often isis.unc.edu) so that others can’t eavesdrop.

When you decide to use Secure CRT, don’t be discouraged by the requirement that you register for a serial number. We have a limited number of site licenses at UNC, but any student or faculty member is more than welcome to use one. Receiving your license number usually takes less than one business day. For more information on Secure CRT, look at this HelpSite article.

Setting Up a Firewall

A firewall is a barrier between your computer and the Internet, through which only certain kinds of information can pass. You should install one if the long-term stability and security of your computer system is important to you. While ITS does not endorse any one product over another, we have instructions for how to set up a free firewall (or buy a professional product) on our Firewalls page.

Web Vigilance — Trust No One

In order to protect your own personal privacy, we can’t stress enough that you remain vigilant and protective of your Onyen, password, and other personal information. Many individuals assume that hackers will never go after them and their information. However, it is crucial to understand that hackers simply look for computers that are easy to crack and can be used for the hacker’s own purposes. By simply having a good password, you severely reduce the risk of getting hacked. Given the choice, hackers will attempt to break into the system that is easiest to exploit. Having a strong password is a good way to help prevent that.

In addition, never give out your credit card numbers, social security number, or any other personal information on an unfamiliar site or a site that isn’t secured by SSL encryption. Look for the lock icon in your web browser to make sure.

Programs on websites can also potentially compromise your computer, so you should completely trust such a program before allowing it to run.

If you’re using a wireless adapter to connect to the Internet, please see our Wireless setup page.

E-mail Concerns

Never open attachments sent by a stranger. In general, it’s a safer bet never to open any attachment if it’s only “funny” or entertaining. These kinds of attachments frequently double as a trojan horse: a program that will distract you (or simply become invisible) while another computer user (a hacker) gains control of your computer.

It is also a good idea to create a separate web-based free e-mail account to receive junk mail and other unnecessary e-mail. Never respond to unsolicited e-mail, because doing so may confirm your existence to a SPAM-mail provider.

To stop SPAM, see our document: How do I reduce the amount of email spam I get?

If you have further questions about e-mail or security, please explore the ITS Security Office Website or contact us at security@unc.edu.