Digital security is not only a matter of securing your computer and operating system; you also have to use them safely and behave safely on the Internet.
Security of Your PC
- keep your operating system and applications updated
- only install applications from trusted sources
- when installing applications, be careful not to install unwanted software
- do not use pirated software (apart from the risk of prosecution, cracked installers are a common way of bringing malicious software onto your computer)
- use exactly one antivirus program; Windows 8 and later ship with Microsoft Defender and Windows 7 can use Microsoft Security Essentials. You may replace it with another product, but never run two at the same time
- do not connect to unknown or unsecured wireless networks
- do everyday work (handling mail, browsing the web, writing documents) under a standard, non-administrator account
- if more than one person is working on the computer, each should have their own account with their password
- back up important data (especially your documents); synchronising files to cloud storage is a convenient way to do this. For school data we recommend OneDrive, for private data Dropbox/Google Drive/iCloud/…
- if you travel with a computer, let the operating system encrypt the drive (full-disk encryption, see below)
- send personal (in the GDPR sense) or sensitive information only in an encrypted archive (see below)
Unencrypted data can be read and altered by an attacker. This applies above all to data stored on your computers, laptops, tablets, mobile phones and other devices. If such a device is lost or stolen, you have to deal not only with the unavailability of the device and the loss of the data but also with its possible misuse by third parties: unencrypted data on a stolen device is at the attacker's mercy.
It is best to encrypt the entire disk, including the operating system and user data. For school computers with Windows 10 we have written the guide Encryption Using BitLocker; you can use it on your own computers as well. BitLocker is only available in the Pro, Enterprise and Education editions of Windows 10 (see How to set up BitLocker Drive Encryption in Windows 10). In Windows 10 Home you can use the open-source tool VeraCrypt (the successor of TrueCrypt; it can also manage encrypted containers). On GNU/Linux use dm-crypt/LUKS.
All the tools above can also encrypt USB drives.
macOS has FileVault. While encryption is being turned on, the notebook must be connected to the power adapter, otherwise the process is paused; it takes about two hours on a typical notebook disk. To decrypt the drive, select “Turn off FileVault”; again, the notebook must stay connected to power the whole time. Here are links to the FileVault User Guide directly from the manufacturer:
In Czech: https://support.apple.com/cs-cz/HT204837
In English: https://support.apple.com/en-us/HT204837
In macOS you can also easily encrypt individual external and virtual drives using Disk Utility. The description is here: https://support.apple.com/cs-cz/HT204837
Sensitive data should be encrypted before it is sent by e-mail or stored in Internet cloud storage, vaults and similar services.
Some formats support encryption themselves, for example Word or Excel documents. Another option is an encrypted .zip archive, which can hold any files. Windows and other operating systems can open encrypted .zip archives, but to create one in Windows you need to install a suitable application; we recommend the open-source 7-Zip. When creating the archive, choose the AES-256 method rather than the legacy ZipCrypto method: ZipCrypto is weak and can be broken with a known-plaintext attack. Note that the built-in Windows Explorer extractor only understands ZipCrypto, so the recipient of an AES-encrypted archive needs 7-Zip or a similar tool. Also keep in mind that the file names inside a .zip archive remain visible even when the contents are encrypted; the 7z format with the “Encrypt file names” option hides them.
Files and archives are protected by a password: use a password manager to generate and store it, see What to Use for Password Administration? When you pass an encrypted archive to another person, send the password by a different channel, e.g. by SMS or in an encrypted e-mail message (see below), never in the same e-mail as the archive.
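Because a .zip file can be “password protected” in two very different ways, it is worth checking which one an archive actually uses before you rely on it. The following Python script is an added example written for this page (it is not part of the original guide and not 7-Zip's own code): it reads only the archive headers, so it needs no password, and reports for every entry whether it is unencrypted, protected with the legacy ZipCrypto method, or protected with AES (and with which key size, from the WinZip AE-x extra field). The three sample archives are built byte by byte inside the script and their “encrypted” payloads are arbitrary bytes rather than real ciphertext, so it runs offline.

```python
import io
import struct
import zipfile
import zlib

# WinZip "AE-x" extra-field ID that marks an AES-encrypted entry; such entries
# record compression method 99 and keep the real method inside the extra field.
AES_EXTRA_ID = 0x9901
AES_METHOD = 99
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def _aes_strength(extra: bytes):
    """Walk the extra fields of a central-directory entry and return the AES
    key size if a WinZip AE-x field (ID 0x9901) is present, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_ID and len(body) >= 5:
            # body layout: vendor version (2), vendor "AE" (2), strength (1), real method (2)
            return AES_STRENGTH.get(body[4], "AES-unknown")
        pos += 4 + size
    return None


def describe_zip_encryption(data: bytes) -> dict:
    """Report, per entry, which protection a ZIP archive really uses.
    Only the headers are read, so no password is needed. File names are
    always visible in a .zip archive regardless of encryption."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if not zi.flag_bits & 0x1:           # general-purpose bit 0 = encrypted
                report[zi.filename] = "not encrypted"
            elif zi.compress_type == AES_METHOD:
                report[zi.filename] = _aes_strength(zi.extra) or "AES (strength unknown)"
            else:
                report[zi.filename] = "ZipCrypto (legacy, breakable)"
    return report


def build_zip(name: str, payload: bytes, flag_bits: int = 0,
              method: int = 0, extra: bytes = b"") -> bytes:
    """Assemble a minimal single-entry ZIP by hand (local header, central
    directory, end-of-central-directory record). Constructed test data: the
    "encrypted" payloads below are arbitrary bytes, not real ciphertext."""
    fname = name.encode()
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag_bits, method, 0, 0,
                        crc, len(payload), len(payload), len(fname), len(extra))
    local += fname + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag_bits,
                          method, 0, 0, crc, len(payload), len(payload),
                          len(fname), len(extra), 0, 0, 0, 0, 0)
    central += fname + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def aes_extra(strength: int, real_method: int = 8) -> bytes:
    """WinZip AE-2 extra field announcing the AES key size (1/2/3 = 128/192/256)."""
    return (struct.pack("<HHH", AES_EXTRA_ID, 7, 2) + b"AE"
            + bytes([strength]) + struct.pack("<H", real_method))


# Constructed sample archives: unprotected, "protected" with the legacy
# ZipCrypto method (encryption flag set, ordinary method), and AES-256.
SAMPLES = {
    "plain.zip": build_zip("notes.txt", b"meeting notes"),
    "zipcrypto.zip": build_zip("notes.txt", b"\x8a\x11\x3f\x20\x9c\xde\x41",
                               flag_bits=0x1, method=0),
    "aes256.zip": build_zip("notes.txt", b"\x02\x77\xd1\x0b\x6e\xff\x19",
                            flag_bits=0x1, method=AES_METHOD, extra=aes_extra(3)),
}


def audit_samples() -> dict:
    """Run the inspector over every sample archive and collect the reports."""
    return {name: describe_zip_encryption(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for archive, entries in audit_samples().items():
        for fname, how in entries.items():
            print(f"{archive}: {fname}: {how}")
```

Run it against a real archive with `describe_zip_encryption(open("archive.zip", "rb").read())`. An archive whose entries come back as “ZipCrypto” should be recreated with AES-256 in 7-Zip's “Add to archive” dialog; if the file names themselves are sensitive, use the 7z format with file-name encryption, because a .zip archive cannot hide them.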
The content of e-mail messages can also be encrypted to protect it against eavesdropping (an electronic signature proves who sent the message and that it was not altered, but it does not hide the content). You need an e-mail client that supports it, e.g. Thunderbird, which has OpenPGP built in since version 78 (older versions used the Enigmail extension). There are two standards, S/MIME and OpenPGP, but using either requires at least a basic understanding of how public keys are distributed and verified.
Safe Internet Behavior
When you log in to a web service or enter your password or any other personal or confidential information into a website, make sure that:
- the correct address is shown in the browser's address bar (for VŠE services it is something.vse.cz; check the domain part immediately before the first slash, not merely that “vse.cz” appears somewhere in the address)
- a site that asks for your password uses the encrypted HTTPS protocol
- the browser does not show a certificate warning
Address bar with HTTPS (2) and correct address (1)
Invalid Certificate Warning in Firefox
If a server asks you for a password or other personal or confidential information but is not reachable over HTTPS, or your browser warns you (as shown above) that its certificate is invalid or untrusted, do not comply: do not enter your password or personal data on such a server.
Fraudulent (phishing) e-mails usually aim to make you disclose personal information, most often login credentials (user name and password) or payment card numbers.
Ignore e-mails that ask you to send your password. Be careful with links in e-mails: enter the address into your browser manually rather than clicking the link, and never enter personal or login information on a site you reached through a link in an e-mail.
VŠE may of course ask you to change your password, especially after a security incident. In that case, however, it will not send you an e-mail with a link to a page where you should enter your password. Instead, you will be told to log in to InSIS and click Change Password in the Information system set-up settings.
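The address-bar checks above can be written down as code, which also makes the common phishing tricks explicit. The following Python function is an added example for this page (not part of the original guide and not a VŠE tool): it accepts a link, requires HTTPS, and then verifies that the hostname really ends in a trusted domain, rejecting look-alikes such as `insis.vse.cz.login-check.example`, user-info tricks such as `vse.cz@evil.example`, non-ASCII or punycode hostnames, and bare IP addresses. The trusted domain `vse.cz` and the sample links are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains you legitimately log in to. Assumption for this example: VŠE services
# live under vse.cz, as the guide says; extend the tuple for other institutions.
TRUSTED_DOMAINS = ("vse.cz",)


def check_login_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a link you are about to type a password into.

    The checks mirror what you should read off the address bar: HTTPS, and a
    hostname that really ends in a trusted domain rather than merely
    containing it somewhere in the URL."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":              # urlsplit lower-cases the scheme
        return False, "not-https"
    host = parts.hostname                    # lower-cased, port and user-info stripped
    if not host:
        return False, "no-host"
    if parts.username is not None:
        # https://vse.cz@evil.example/ : the text before '@' is a user name,
        # the real host is evil.example
        return False, "userinfo-before-host"
    host = host.rstrip(".")                  # 'insis.vse.cz.' is the same host
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        # Internationalized names can contain look-alike letters (e.g. Cyrillic 'е')
        return False, "internationalized-host"
    try:
        ipaddress.ip_address(host)
        return False, "ip-literal"           # real login pages use a domain name
    except ValueError:
        pass
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, "ok"
    return False, "foreign-host"


# Constructed sample links of the kind found in phishing e-mails (not real URLs
# from any incident). The sixth one uses a Cyrillic 'е' (U+0435) in "vse".
SAMPLE_LINKS = [
    "https://insis.vse.cz/auth/",
    "HTTPS://INSIS.VSE.CZ/auth/",
    "http://insis.vse.cz/auth/",
    "https://insis.vse.cz.login-check.example/auth/",
    "https://vse.cz@evil.example/auth/",
    "https://insis.vs\u0435.cz/auth/",
    "https://evil.example/insis.vse.cz/auth/",
    "https://203.0.113.5/auth/",
]


def classify_links(urls=SAMPLE_LINKS) -> dict:
    """Map each link to its (ok, reason) verdict."""
    return {u: check_login_url(u) for u in urls}


if __name__ == "__main__":
    for link, (ok, why) in classify_links().items():
        print(f"{'SAFE  ' if ok else 'REJECT'} {why:24s} {link}")
```

Only the first two sample links pass. The function deliberately errs on the side of rejecting: a legitimate VŠE page served over plain HTTP or under an internationalized name would be refused too, which is the right default when the question is “should I type my password here?”.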
A secure password should be at least 10 characters long and consist either of a random combination of digits, special characters, upper-case and lower-case letters, or of a sequence of several random words (a passphrase). Do not use personal data (names, dates of birth and the like). For technical reasons it is advisable to avoid diacritics: different systems encode them differently, so a password containing ž or ů may not work everywhere.
Use a unique password for each service. Because remembering many unique, strong passwords is impractical, use a password manager to store, organise and generate them. For an overview of password managers, see What Do I Use for Password Management?
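To show what “random” means in the rules above, here is an added Python example (not part of the original guide and not the code of any password manager). It generates both kinds of password with the operating system's cryptographic random source (`secrets`, never `random`), quantifies their strength in bits of entropy, and checks the guide's two rules: at least 10 characters and no diacritics. The 16-word list is a constructed stand-in for a real one such as the EFF long word list, which has 7,776 words.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. A real diceware list (e.g. the EFF
# long list) has 7,776 words, i.e. log2(7776) = 12.9 bits of entropy per word;
# this 16-word list gives only 4 bits per word and is NOT for real use.
WORDLIST = ["anchor", "brisket", "cobalt", "dandelion", "ember", "falcon",
            "granite", "harbor", "inkwell", "juniper", "kettle", "lantern",
            "marble", "nectar", "orchid", "pebble"]

# Upper/lower-case letters, digits and special characters, all ASCII.
CHAR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = CHAR_ALPHABET) -> str:
    """Random character password; secrets.choice draws from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Passphrase of independently chosen random words (diceware style)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `choices` options.
    16 characters from a 94-symbol alphabet: ~104.9 bits.
    6 words from a 7,776-word list: ~77.5 bits. Both far exceed a
    human-chosen 10-character password."""
    return picks * math.log2(choices)


def policy_problems(password: str) -> list:
    """The guide's rules: at least 10 characters and no diacritics (ASCII only)."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not password.isascii():
        problems.append("contains diacritics or other non-ASCII characters")
    return problems


if __name__ == "__main__":
    pw = generate_password()
    pp = generate_passphrase()
    print(pw, f"{entropy_bits(len(CHAR_ALPHABET), len(pw)):.1f} bits", policy_problems(pw))
    print(pp, f"{entropy_bits(len(WORDLIST), 6):.1f} bits (demo list)", policy_problems(pp))
    print(policy_problems("žluťoučký-kůň"))
```

The entropy figures are the useful part: a six-word passphrase from a real list is as strong as a fully random 12-character password and far easier to type, which is why the guide offers both forms. Generate and store the result in your password manager rather than trying to remember it.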
Never disclose your password to anyone, whether by e-mail, telephone, in writing or in person, neither to strangers nor to VŠE employees. Network administrators normally have the right to reset your password and do not need to know it to do their work.
What to Do If Your Account Is Compromised
If you find out or suspect that you have given your credentials to an attacker, change your password as soon as possible to prevent further misuse of your account. It may already be too late and the attacker may have used your credentials to cause damage, so also contact the administrator of the service immediately and report what happened. If you cannot change your password (most likely because the attacker has taken over the account and changed it), contact the administrator of the service as soon as possible as well. At VŠE, contact the User Support Centre (room SB 22 or JM 356, e-mail: firstname.lastname@example.org).
If you use the same password for other services, change it there as well. Do not assume that the attacker will not try the stolen password on other services; trying it is the first thing they do.
Entrust social networks only with information and materials that you would be willing to publish on your own public website. Use other channels to exchange confidential information.
Some services or businesses are tied to social networks or encourage you to join one. Resist such attempts if you do not want to become part of that network and put yourself on display to the world in this way.
If you use browser plug-ins to block ads, remember that websites live from ads. Especially when a website states explicitly that it does not approve of ad blocking, either do not block ads there or, if the ads are too intrusive, do not visit it at all.
Logout (also at VŠE)
Be sure to sign out of web services and of your computer when you have finished working.