Many VoIP systems use personal computer systems as key parts of the infrastructure. Given this, a number of activities should be followed to help secure these systems and protect the confidentiality, integrity and availability of the entire VoIP system. The following section runs through some common and key items to address to ensure the underlying computer system is secure:
Utilise a supported version of your operating system
For security reasons, it is extremely important to use a supported operating system and to update this with the most recent updates and patches. All users of Windows, Mac OS X and Linux should check the appropriate websites regularly for software upgrades. By using a supported version, “patches” become accessible for known security problems, protecting both the computer and contained data from becoming a target. For computers running Windows operating system versions earlier than Windows XP or Windows 2000, the operating system software is no longer supported by Microsoft, thus making such systems particularly vulnerable to attack. It is advised that such computers be upgraded to a current (and supported) version of Windows. For other platforms including Apple Mac and Linux, it is recommended that the status of the necessary operating system versions be checked to ensure they are supported. Regardless of which operating system is being used, it is likely to continue to pose some security risk if the recommendations below are not followed.
IMPORTANT NOTE: Prior to upgrading to the latest version of an operating system, ensure that (a) the computer is sufficiently powerful to run the new operating system, and (b) the application programs are compatible with the new platform. Backing up data prior to such an upgrade is essential.
Create strong passwords
Follow best practice recommendations when creating passwords. Many tools exist that can rapidly ‘guess’ passwords. These tools can discover a simple password in a matter of minutes. However, a strong password that follows best practice “dos and don’ts” will need much longer to ‘crack’:
- Do change all vendor-supplied default passwords before any equipment and / or software is put into operation.
- Don’t use any word that can be found in your local language.
- Don’t use any word in reverse that can be found in your local language.
- Don’t use any word that can be associated with the user, i.e. the user’s address, phone number, birth date, pet’s name, nicknames, favourite sports activity or hobby.
- Don’t use consecutive letters or numbers like “abcdefg” or “234567”.
- Minimise repetition of characters, e.g. “zzzzzzzzzzzzz”.
- Don’t use adjacent keys on the keyboard like “qwerty”.
- Do make it simple enough that passwords can be remembered without being written down.
- If you have to write a password down, ensure that it is kept secure and private.
- Do use a combination of letters (upper and lower case), numbers and special characters in random order.
- Do use at least 6 characters – and using 8 or more is recommended.
- Don’t give personal passwords out for any reason.
- Don’t select the “remember my password” feature associated with some websites and disable this feature in Internet browsing software.
- Don’t use the same password for everything - have one for non-critical activities and another for sensitive or critical activities.
- Do change passwords regularly.
With these constraints in mind, it is still possible to make a strong password which is easily remembered. For example, the lyrics “Row Row Row your boat, gently down the stream” could become: “Row3gdts”.
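The checkable rules from the list above can be enforced when a password is set. The following is an added example, not part of the original guidance: the word list, default-password list and keyboard rows are small constructed samples, the four-character run length and the three-of-four character class threshold are assumptions, and the minimum length uses the recommended 8 rather than the floor of 6.

```python
import string

# Constructed sample data (assumptions for this example, not from the page).
WORDS = {"password", "welcome", "dragon", "boat", "stream"}
DEFAULTS = {"admin", "1234", "changeme"}      # vendor-supplied defaults
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SEQUENCES = [string.ascii_lowercase, string.digits]

def _has_run(pw, lines, n=4):
    """True if pw contains n consecutive characters taken from any line."""
    for line in lines:
        for i in range(len(line) - n + 1):
            if line[i:i + n] in pw:
                return True
    return False

def check_password(pw, personal=(), min_len=8, min_classes=3):
    """Return the list of rules that pw breaks (an empty list means it passes)."""
    low = pw.lower()
    problems = []
    if low in DEFAULTS:
        problems.append("vendor default")
    if len(pw) < min_len:
        problems.append("too short")
    if low in WORDS:
        problems.append("dictionary word")
    if low[::-1] in WORDS:
        problems.append("reversed dictionary word")
    # personal: address, phone number, birth date, pet's name, nicknames ...
    if any(p and p.lower() in low for p in personal):
        problems.append("personal detail")
    if _has_run(low, SEQUENCES):
        problems.append("consecutive letters or numbers")
    if _has_run(low, KEY_ROWS):
        problems.append("adjacent keys")
    if any(low[i] == low[i + 1] == low[i + 2] for i in range(len(low) - 2)):
        problems.append("repeated characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if sum(classes) < min_classes:
        problems.append("too few character classes")
    return problems
```

In practice the word list would be a full dictionary for the local language and the personal details would come from the user's account record.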
Install a ‘personal firewall’ on your computer
Through the use of personal firewall software, a user can protect their computer from hackers and prevent unwanted programs from accessing their system. Although many users believe that they have nothing on their computer worth looking at or stealing, there are many other reasons why hackers may want to break into your computer.
As a result, all computers accessing the Internet should use a firewall. The occasional user is just as vulnerable as the full-time user in terms of random scanning by hackers. There are several firewalls available at no cost from major vendors.
IMPORTANT NOTE: From time to time, personal firewalls will pop up windows containing warnings which require a response to a question about access. Be sure to take the time to understand the nature of the question so the appropriate response can be given.
Install anti-virus software
Anti-virus software stops unwanted and dangerous viruses from entering computers and other devices such as PDAs and mobile phones. Viruses are software programs, and the actual effect of any particular virus depends on how it was programmed and for what purpose. Some viruses are deliberately designed to damage files on a system or in some way interfere with the computer’s operation. All viruses can potentially damage or destroy files stored on a computer’s hard disk. In addition to real-time protection, be sure to perform regular full virus scans of computer systems. These scans can be automated to occur at convenient times.
It is imperative that users install anti-virus software on their computers. A recent version of the software should be used, and should implement the “automatic update” option offered by most such programs to maintain up-to-date virus definitions. Unanticipated files from anyone should not be opened unless the user can positively verify what the file is, who sent it, and why it was sent to them. For email attachment virus checking, anti-virus software that is integrated into email is recommended. If this is not possible, use anti-virus software to check any suspicious email file attachment prior to opening.
IMPORTANT NOTE: Most users understand the need for anti-virus software and have installed it on their computer. However, many forget to keep the virus definitions up to date and this can actually render the software useless. The best defence is to select the “automatic update” option - this facility automatically checks for new virus definitions each time a user logs onto the Internet.
Install an anti-spyware program on your computer
Spyware is a software program used for advertising, collecting personal information for marketing purposes, or changing a computer’s configuration, all without the user’s consent. Typical signs of spyware having been installed on a computer include the following:
- Pop-up advertisements even when the computer is not connected to the Internet.
- The page a browser first opens to has changed without the user’s knowledge.
- A web browser has a new toolbar or other component that the user doesn’t remember installing.
- The computer seems generally sluggish or takes longer than usual to complete certain tasks.
- Some settings have changed and the user can’t change them back to what they were.
- For no apparent reason the user experiences a rise in computer crashes.
Users can perform regular spyware checks on systems to guard against malicious applications. Weekly scans are recommended.
IMPORTANT NOTE: Each anti-spyware program is designed to look for different types of problems. Check with different manufacturers and decide which will best meet your needs. If necessary, multiple anti-spyware programs can be installed.
Backup important data
Developing and adhering to a backup strategy is important for protecting data. There are many reasons why data is lost and they are not all related to security issues. Power blackouts, hardware failures and human errors can all cause data to be lost. The best protection is to regularly back up files. An organisation will need to decide on a backup schedule, the type of storage device and the approach to backup (e.g. the use of a remote backup service, or manually backing up to a portable hard drive).
Whether performed internally or through a hired service, organisations will need to determine a backup schedule, with the following backup techniques in mind:
- Full backup: a backup of the complete set of all data and system files. This generally doesn’t need to be performed daily, as most files don’t change every day.
- Differential backups: a backup of the set of files that have changed since the last full backup.
- Incremental backups: a backup of the set of files that have changed since the previous backup (whether it is a differential, incremental, or full backup). This takes the least time and space, but in the event of data loss, data will have to be restored from several backups and restored in the correct order.
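The difference between the three techniques shows up in what each one copies and in how many backups a restore needs. The following is an added example, not part of the original guidance; the file names, day numbers and week schedule are constructed, and change times are simplified to whole days.

```python
from dataclasses import dataclass

@dataclass
class Backup:
    day: int    # day number on which the backup ran
    kind: str   # "full", "differential" or "incremental"

# Constructed sample: one week of backups and the day each file last changed.
WEEK = [Backup(0, "full"), Backup(1, "incremental"), Backup(2, "incremental"),
        Backup(3, "differential"), Backup(4, "incremental")]
MTIMES = {"dialplan.conf": 0, "users.db": 2, "voicemail.idx": 5}

def files_to_copy(kind, mtimes, history):
    """Files a new backup of `kind` copies, given earlier backups (oldest first)."""
    fulls = [b.day for b in history if b.kind == "full"]
    if kind == "full" or not fulls:
        return sorted(mtimes)             # nothing to build on: copy everything
    if kind == "differential":
        since = fulls[-1]                 # changed since the last full backup
    else:
        since = history[-1].day           # changed since the previous backup
    return sorted(f for f, day in mtimes.items() if day > since)

def restore_chain(history):
    """Backups needed to restore the latest state, in the order to apply them."""
    fulls = [i for i, b in enumerate(history) if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup to restore from")
    chain = [history[fulls[-1]]]
    tail = history[fulls[-1] + 1:]
    diffs = [i for i, b in enumerate(tail) if b.kind == "differential"]
    if diffs:
        # The latest differential holds every change since the full backup,
        # so anything taken before it can be skipped.
        chain.append(tail[diffs[-1]])
        tail = tail[diffs[-1] + 1:]
    chain.extend(b for b in tail if b.kind == "incremental")
    return chain
```

For the constructed week, the restore applies the day 0 full backup, then the day 3 differential, then the day 4 incremental; losing any one of them breaks the chain.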
Backup can be carried out onto tape, CD, DVD or auxiliary hard disk. There are services available today that allow users to back up with an online service, providing off-site storage that further protects data from physical disaster (e.g. fires, floods, theft, accidental erasure).
IMPORTANT NOTE: It is important to perform periodic tests of backups. What good is a backup if it can’t be used to restore the system? Current best practice for SMEs is to store backups with a secure, on-line storage facility. This protects data from physical damage (e.g. fire, flood) as well as unauthorized access.
Update software regularly
Better yet, take advantage of the “automatic update” option whenever available. The software running on a computer can be a source of security problems if it is not kept up to date. After a program has been in use for a while, small problems are discovered and the manufacturer will need to create “updates” or “patches” to fix them. Additionally, with each new version of a software program, new security measures will likely be introduced, as reputable software manufacturers are working hard to make the online environment safer for users with each new release.
IMPORTANT NOTE: The “automatic update” option is the best way to keep your software up to date. These updates may be quite large however, so for organisations that utilise a volume-based Internet access plan, they may have to monitor program updates to avoid exceeding imposed download limits.
Don’t open email attachments
Email attachments should NEVER be opened unless a user is certain of the source and is sure that the attachment was sent intentionally by the sender. For example, email addresses can be forged to look like the sender is a person that is known and trusted to the recipient. Since most viruses, worms and Trojans are disseminated by email attachments, if in doubt, the best defence is to check with the sender before opening the file. Anti-virus software can also be used to perform a manual scan of the attachment to determine if it is safe to open.