
Understanding Security and Safe Computing

This document discusses system security and threats to systems. It covers three main types of security breaches: loss of availability, integrity, and confidentiality. Threats can come from the environment, such as the building location or fire, and from people. The document recommends measures to counter environmental threats like ensuring fire resistance of buildings, installing automatic fire detection systems, and having backup electricity and communication lines.

SYSTEM SECURITY

1. INTRODUCTION

System security involves the Availability of the system, the Integrity (correctness
and completeness) of the information and the programs within that system, and the
Confidentiality of the information. Loss of any of these aspects of security
constitutes a ‘Security breach’ and is caused by specific threats, which must be
guarded against.

As organisations come to rely on systems more and more, a corporate plan for system
security is an essential part of the overall business strategy. Waiting for a security
breach to occur before considering counter measures to a particular threat is a very
expensive way of developing a security plan. Indeed, the effect of certain major
breaches of security may be so severe that the organisation may not get a second
chance to produce such a plan.

2. BREACHES OF SYSTEM SECURITY


Breaches of system security, whether accidental or deliberate, may result in any of the
following three consequences to the system:

• Loss of availability
• Loss of integrity
• Loss of confidentiality

Loss of Availability
This means that the system is not able to serve you when you require it. The
failure may be minor, perhaps due to a small hardware or software fault, or, in the
worst situation, it may be the result of a major physical disaster which has
destroyed the organisation’s central system that may be responsible for supplying
information and computing capabilities both centrally and to the organisation’s
branches or depots throughout the country.

Loss of Integrity
When system integrity is lost, the system no longer performs its functions
accurately. The software and/or the data held on system files may be corrupted, or
lost altogether. This may be the result of a deliberate act (sabotage), or it may be
accidental.

Loss of Confidentiality
Confidentiality is lost when system data of a sensitive nature, whether it is
personal data or a company secret, becomes available to unauthorised personnel. In
the UK, for example, the Data Protection Act (1984) specifically states that, where
systems hold personal data, ‘appropriate security measures shall be taken
against unauthorised access to, or alteration, disclosure or destruction of,
personal data and against accidental loss or damage’. This quite likely means
that the majority of system users would have to be registered, since
‘personal’ data may range from someone’s complete life-history down to
something as apparently innocuous as their job-title and current salary. Hence in
the UK, the Act may well force the issue of a security policy for most
organisations.

3. SOURCES OF THREATS TO THE SYSTEM


Breaches of System security are caused by threats. The first step towards
countering any threat is to recognise its existence. You must carefully consider
what threats exist to the system of your particular organisation.

Threats to a system may come from two main sources:

• They may be posed by the environment in which the system is sited
• They may be posed by people.

3.1 THREATS POSED BY THE ENVIRONMENT


Many of the factors which threaten a system are related to, and may be directly
attributable to, the building or the place where the system is situated. Others relate
to the lines, both for power and system communications, which connect the system to the
outside environment. Such threats may be countered by a thorough consideration
of the physical environment in which the system is installed. The main sources of
environmental threat are considered below, together with suggestions of the types of
counter measures you may take against them.

3.1.1 Location of the Building


The physical location of the building may have a major influence upon the threats
to which a system is exposed. Aspects of the site which require consideration are:

• Is the site subject to any extremes of weather? Is there flooding, for
example?
• Is the site stable? Underground mine-workings or earth tremors, for
example, may cause movement which disrupts communication lines, or
even makes the building unsafe;
• Are there any activities in the surrounding area which could jeopardise
your system’s security? The power output from a radar transmitter at a
nearby airport may cause corruption of magnetic media (tapes/floppy
disks), for example, to say nothing of the damage which would be
caused by an aircraft landing in your system room.

3.1.2 The Building Itself


The features of the building which houses your system hardware may affect the
security of your system.

Where the system is to be housed in an existing building, the security risk of the
building has to be assessed. If the level of such risk is too great, the building is
untenable; otherwise the risks are noted and remedial measures defined. For
purpose-built installations, a security plan should be drawn up very early in the
project to influence every aspect of construction. The following items are worthy
of particular attention:

• The building should be constructed using tried and tested materials proven
to be fire-resistant
• Nooks and crannies should be kept to the barest minimum if not totally
avoided.
• The system room should not be at or below ground level, to reduce the risk of
flooding
• Water storage tanks should not be sited on top of the system room, and
water pipes should not run through the room
• Access doors to the system and its peripherals should be kept to the
minimum.

3.1.3 Fire Precautions


Fire is the most common risk to systems and system installations in Nigeria. The
risk is more prominent now that systems are being increasingly installed in open
offices. Fire prevention, detection and fighting measures applicable to either the
purpose built system room or the ordinary office environment are discussed as
follows:

The System Room
The system room should be surrounded by fire resistant materials and these
materials should not produce toxic, corrosive fumes or dust which can damage
system hardware or even be dangerous to staff. The floor above the room should
be waterproof. There would be little to gain if the system is saved from fire only
to be destroyed by flooding.

Air Conditioning System


Air-conditioning is essential for the good functioning of systems. However, there
are risks attached to the provision of air-conditioning. All materials used for
air-conditioning, including ducting, sound-proofing, installation and air filters,
should be non-combustible, while regular maintenance and filter cleaning to remove
fluff should be the norm. It is better for the air-conditioning system in the system
room to be of the stand-alone type.

Protection of Information
It should be part of the organisation’s policy to store copies of software on a
separate site. The copies stored on the separate site should be updated regularly so
that they can be useful and relevant if ever required particularly in the event of a
major disaster.

Working copies or back-up copies kept in the system installation should be stored
in fire-proof safes when not in use. The fire-proof safes should also always be
kept locked for effective protection against threats of fire and theft. The data safe
manufacturer should be called in to open the safe if it does not open normally after
a fire incident to avoid destroying the content through forced opening.

Fire Detection
Fire detection systems for system installations should be automatic. Fire detectors
are based on two principles. The first type detects fire in materials which generate
smoke early, while the second detects fire in materials which burn quickly while
producing little smoke.

It is a good idea to have an equal mix of the two types of fire detectors to cover all
eventualities.

Fire Extinguishing Systems
Fire-fighting facilities should be present in system installations, to provide first
time response in cases of fire. There are two popular Fire Extinguishing Systems:
• Gas Flooding systems, and
• Sprinkler systems

Gas Flooding Systems


Gas Flooding systems are based on either carbon-dioxide or the group of gases
known as halons. Halon-based systems are becoming increasingly popular
in spite of being more expensive. Gas flooding systems have the advantage of
quickly penetrating all areas of the system room, making them extremely effective.
They should, however, be activated after all staff have been evacuated from the
system room.

Sprinkler Systems
Sprinkler systems are slower than gas systems. They are water based and the
resultant flooding could damage the system hardware where fire did not. They are
therefore operated as a last resort.

Procedures in the Event of Fire


Operational procedures for fire prevention and control should be established and
communicated to all staff. These procedures should be aimed at preventing fire
and, if that fails, minimising the size, extent and damage of the fire without
jeopardising the safety of the staff themselves.

Staff should be aware of, and practised in, the correct course of action stated in
these procedures. The procedures must be regularly reviewed to check that they
remain appropriate and sufficient.

Interruption of Services
The loss of essential services can pose a significant threat to the integrity and
availability of any system. The two main services upon which systems depend are:
• Electricity supply;
• Communication lines

Unfortunately, organisations responsible for the provision of these services in our
country are yet to attain the desired level of reliability. Organisations therefore have to
provide support facilities to augment provisions from public utilities.

The Electricity Supply
Systems cannot function without electricity supply. It is common for
organisations in Nigeria to install electric generators to provide a substantial part
of their electricity requirement, particularly on the loss of public power supply. In
addition, the generators are supported with power stabilizers and an Uninterruptible
Power Supply (UPS). Power stabilizers protect the system from the harmful
effects of fluctuations. The UPS maintains the continuity of power supply in the gap
during the switch-over from public supply to in-house generator or vice versa.

Communication Lines
It is common within many organisations for systems to communicate with
terminals and indeed other systems in remote locations. The communication
facilities providing these links must be continuously operational for system
operations to be effective and reliable. It is common practice in Nigeria for
back-up communication facilities to be established to ensure continuity of functioning.
For effective protection, the back-up facilities are based on a source different from
that of the primary facility.

3.2 THREATS POSED BY PERSONNEL

The threats to a system which are attributable to people may relate to:
• Authorised personnel, i.e. persons with the authority to use the particular
aspect of the system being considered. They may be members of staff,
customers or suppliers to the organisation.
• Unauthorised personnel, i.e. persons not authorised to use that particular
aspect of the system. Such persons may be members of staff, customers,
suppliers, or persons not apparently connected with the organisation. They
may, or may not, be authorised users of other aspects of the system.

The threats may involve actions which deliberately breach security, or may relate
to actions which do so unintentionally. The countermeasures which are required
may be as simple as a locking door to prevent unauthorised access to hardware, or
more complex, for example, involving security aspects being built into the
software.

The kinds of threats related to personnel which can be identified are:

• Wire tapping: people may breach the confidentiality or integrity of the
system by gaining access to communications lines.

• Intellectual challenge: individuals internal or external to the organisation
may try to gain access to the system, just for the sport, but may cause
accidental corruption of data, or may come across confidential data which
they subsequently divulge to competitors, for example.

• Human error: this may affect the integrity (accuracy) of information
within the system. It may be exacerbated by lack of understanding of the
system, lack of training, inadequate documentation of procedures, or just
carelessness due to lack of interest in the job.

• Fraud: such malpractice as the raising of false accounts by members of
the organisation’s staff, to their own benefit, constitutes fraud. This can
be guarded against by suitable division of jobs as described later, and by
thorough and regular auditing of the system.

• Industrial espionage: the deliberate acquisition of information, or the
casual discovery of such information, and its subsequent sale or disclosure
to competitors may pose a serious threat in some organisations where
information of a sensitive nature is held.

• Theft: with so many pieces of system equipment being sited in ordinary
offices, the opportunities for the theft of equipment can be great if security
measures are not sufficient. The small size and the resaleability of
microsystems make them a prime target.

PART II: SYSTEM FRAUD

INTRODUCTION
Fraud has long been in existence. However, with the advent of systems, with all
their numerous advantages in processing data speedily, fraud has also been
revolutionised.

Systems today are almost totally depended upon for information management, be it
for storage or processing of organisational data. It is therefore no longer profitable
to perpetrate fraud in the conventional manner in a systemised environment.

A study once conducted in the United States of America showed that approximately
$500m is lost to system fraud annually. On the average, each system fraud involves
$500 as against $10000 per bank robbery and $19000 per conventional bank
embezzlement. System fraud has clearly demonstrated itself to be the unfortunate
aspect of the ‘utopian’ systemised society.

It is against this background that the management of systemised organisations should
pay attention, with all resources available at their disposal, to the issue of
detecting and preventing system fraud.

2. TYPES OF SYSTEM FRAUD

System fraud exists in different forms as follows:


1. Software related system fraud
2. Hardware related system fraud
3. Communications related system fraud
4. Procedures related system fraud

What are the:

i. intentions (objectives)
ii. methods used (techniques)
iii. likely culprits
iv. antidotes or preventive measures.

We are going to examine each of the above in detail to gain an understanding of them.

2.1 SOFTWARE RELATED SYSTEM FRAUD

Software related system fraud can exist in any of the following forms:

• Input fraud
• Theft of software
• Data interception
• Fraudulent manipulation of software
• Improper use of software

2.1.1 INPUT FRAUD


Input fraud is said to occur when the input to a system is maliciously modified or
deleted. This normally takes the form of modifying or deleting records of
transactions to be fed into the system. It may involve the modification of system and
batch totals so as to ensure that the system does not reject the corrupted input data on
account of irreconcilable control totals.

The usual motivation is the desire to misallocate money or company merchandise, or to
cover up management incompetence. Input fraud cannot be initiated outside the
immediate environment of the system; hence the usual initiators are company staff
responsible for raising, processing and forwarding input forms, and system staff
responsible for data entry.

Antidotes
• Separation of responsibilities, in particular the decoupling of authorisation and
duties
• Batch totalling
• Input data review by supervisory personnel
• Consistent attention to error conditions and exceptional situations.
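
The following Python sketch is an added example, not part of the original document. It shows batch totalling at work: which control total catches a deleted record, an altered amount and a redirected account, and why totals recomputed by the same person who changed the data prove nothing. The account codes, amounts and function names are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account: str      # numeric account code keyed from the input form
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    amount_total: Decimal
    hash_total: int   # sum of account codes; no business meaning, but it
                      # changes when a record is pointed at another account


def control_totals(txns):
    """Compute the control totals for one batch of transactions."""
    return ControlTotals(
        record_count=len(txns),
        amount_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(int(t.account) for t in txns),
    )


def reconcile(expected, txns):
    """Return the names of the totals that disagree ([] means the batch reconciles)."""
    actual = control_totals(txns)
    return [
        name
        for name in ("record_count", "amount_total", "hash_total")
        if getattr(actual, name) != getattr(expected, name)
    ]


# Constructed sample batch, as raised by the originating department.
ORIGINAL = [
    Txn("100234", Decimal("1500.00")),
    Txn("100871", Decimal("320.50")),
    Txn("100415", Decimal("78.25")),
]
# Totals prepared at source and held by someone other than data-entry staff.
INDEPENDENT_TOTALS = control_totals(ORIGINAL)

# Constructed variants of the batch as it might arrive at the system.
DELETED = ORIGINAL[:2]                                                   # one record dropped
ALTERED = [ORIGINAL[0], Txn("100871", Decimal("3200.50")), ORIGINAL[2]]  # amount changed
REDIRECTED = [ORIGINAL[0], Txn("100999", Decimal("320.50")), ORIGINAL[2]]  # account changed


def run_checks():
    """Reconcile each variant and return {case: list of disagreeing totals}."""
    results = {
        "untouched": reconcile(INDEPENDENT_TOTALS, ORIGINAL),
        "record deleted": reconcile(INDEPENDENT_TOTALS, DELETED),
        "amount altered": reconcile(INDEPENDENT_TOTALS, ALTERED),
        "account redirected": reconcile(INDEPENDENT_TOTALS, REDIRECTED),
    }
    # The case the text warns about: whoever changed the data also recomputed
    # the totals, so the batch reconciles. Only totals held independently
    # (separation of responsibilities) expose the change.
    results["redirected, totals recomputed by same person"] = reconcile(
        control_totals(REDIRECTED), REDIRECTED
    )
    return results


if __name__ == "__main__":
    for case, diffs in run_checks().items():
        verdict = "reconciles" if not diffs else "REJECT: " + ", ".join(diffs)
        print(f"{case}: {verdict}")
```

Note that the redirected record leaves the record count and amount total unchanged; only the hash total over the account codes detects it.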

2.1.2 THEFT OF SOFTWARE


System fraud can also take the form of stealing either programs or data. This crime
can be committed by simply copying programs or data for use outside the work
environment.

Motivations may include:

• Intelligence: a competitor company may make it part of their elaborate espionage
scheme.
• Profit: the culprit sells the stolen software for money to interested buyers.
• Private use: the culprit installs the software on a private machine for private use.

The perpetrator of this act has to be somebody with access (physical or remote) to the
machine. This type of fraud is difficult to detect because, unlike the other resources of
an organisation, system data can be stolen non-destructively – hence it is difficult to
know that it has been stolen.

Antidotes
Usual preventive measures include an effective password system. To ensure a good
password the following rules should be observed:

• Assign passwords to individuals
• Advise users to change their password frequently
• Advise users to choose a good password – not the name of a spouse or any other
name that can be easily guessed by someone.
• Develop an accountability system that makes users responsible for all actions
done under their password
• Apply data encryption, i.e. store the data in the system in a coded form, thereby
making such data meaningless to a thief who does not have the decoding key.
Of course, the encryption key has to be a highly guarded secret.

2.1.3 DATA INTERCEPTION


This is actually a form of stealing system programs and data, distinguished by the
method used to realise the fraud. Data interception is done exclusively in networked
environments with teleprocessing activities taking place. With appropriate electronic
gadgets and access to the data communications medium (which is usually telephone
lines), a criminal can tap the signals that are sent to a system from a remote source.
This is similar to tapping a telephone line for the purpose of listening in on telephone
conversations.

An effective password system cannot help here, as access to the system is not required.
The solution is data encryption. The unauthorised user may intercept the signals but
he will not be able to interpret them.

2.1.4 FRAUDULENT MANIPULATION OF SOFTWARE

The intent of this category of fraud is similar to that of input fraud, that is, to
misallocate money or company merchandise or to cover up management
incompetence. Here, the culprits, by virtue of access and privileges, modify programs
and data with malicious intent.

Fraudulent manipulation of programs is more insidious than fraudulent manipulation
of data. This is because whereas the latter modifies one piece of data item once, the
former sets up a mechanism for effecting illegal modifications to data repeatedly over
a long duration. The catastrophe that can be generated by such an act can be
awesome.

The culprit in both cases has to be a reasonably technical person with access to, and
privileges on the system.

Antidotes:
• Enforcing adequate program library procedures
• Review of console logs
• Review of file access by unusual people at unusual times
• Maintaining an elaborate system of control totals – not only of batches but of
records and sensitive fields of records
• Data encryption
• Installing security packages that restrict and monitor file access

2.1.5 THEFT OF SYSTEM TIME

It is common for personnel to use system time for unofficial activities. This is all right
as long as the activities are minor – e.g. using a word processor to produce a personal
letter. However, things like using system time to analyse the data of other businesses,
or the outright sale of system time to other organisations, are fraudulent and should be
checked.

The usual antidote to such activity is some form of continuous supervision of what
users do on the system – either by having work schedules which are adhered to or by
having the system generate logs of who uses what and when.
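
The sketch below is an added example, not part of the original document. It illustrates the "review of file access by unusual people at unusual times" antidote from section 2.1.4, run over the kind of who-uses-what-and-when log described above. The log format, user names, file paths, access policy and working hours are all constructed assumptions.

```python
import re
from datetime import datetime, time

# Assumed log format (constructed): ISO timestamp, then user=, file=, action= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) file=(?P<file>\S+) action=(?P<action>\S+)$"
)

# Hypothetical policy: who normally touches which area, and normal working hours.
AUTHORISED = {
    "/payroll/": {"akin", "ngozi"},
    "/proglib/": {"librarian"},
}
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-03-04T09:15:02 user=akin file=/payroll/master.dat action=READ",
    "2024-03-04T02:14:07 user=akin file=/payroll/master.dat action=WRITE",
    "2024-03-05T11:40:31 user=tunde file=/proglib/payrun.obj action=WRITE",
    "2024-03-09T23:05:44 user=tunde file=/payroll/master.dat action=WRITE",
    "corrupted entry with no fields",
]


def review(lines):
    """Return [(line_no, user, file, reasons)] for entries needing follow-up."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        match = LINE_RE.match(raw.strip())
        if match is None:
            # An entry that cannot be parsed is reported, never skipped silently.
            findings.append((line_no, None, None, ["unparseable entry"]))
            continue
        try:
            stamp = datetime.fromisoformat(match["ts"])
        except ValueError:
            findings.append((line_no, match["user"], match["file"], ["bad timestamp"]))
            continue

        reasons = []
        # Files outside the listed areas are checked for time of access only.
        allowed = next(
            (users for prefix, users in AUTHORISED.items()
             if match["file"].startswith(prefix)),
            None,
        )
        if allowed is not None and match["user"] not in allowed:
            reasons.append("unusual person")

        weekend = stamp.weekday() >= 5          # Saturday or Sunday
        if weekend or not (WORK_START <= stamp.time() < WORK_END):
            reasons.append("unusual time")

        if reasons:
            findings.append((line_no, match["user"], match["file"], reasons))
    return findings


if __name__ == "__main__":
    for line_no, user, path, reasons in review(SAMPLE_LOG):
        print(f"line {line_no}: user={user} file={path} -> {', '.join(reasons)}")
```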

2.2 HARDWARE RELATED SYSTEM FRAUD


The hardware can be the target of a system crime from three viewpoints:

• To destroy
• To steal
• To borrow (illegally)

2.2.1 Destroy hardware


A person trying to cover up crime or incompetence can resort to destroying the system
hardware, i.e. the physical machine itself or some storage media such as tape units, disk
packs, floppy diskettes, flash drives, compact disks, etc. The concept here is that
with the evidence (information) destroyed, the crime cannot be established. A common
form of destruction these days is by fire.

Antidote

The best safeguard is to have up-to-date Backup copies of all important data at a
remote location that is secure.

2.2.2 Steal hardware


The storage media on which vital information is stored can also be stolen. The actual
target is usually not the stolen hardware (except in exceptional cases of technological
espionage) but the information contained therein.

The intention is either to use the information offensively or simply to deprive the
owner of its use. This act can only be perpetrated by someone with physical access to
the relevant hardware units.

Usual safeguards include adequate physical security and control procedures for the
hardware. Offsite backup facilities and data encryption are other means of preventing
this fraud.

2.2.3 Illegal borrowing


A person with physical access to storage media units may temporarily remove a tape,
disk or diskette from the office, and use another system facility to copy program and
data files contained therein.

Preventive measures against this method of stealing software include:

• Establishment of a media library that has adequate security and control
procedures
• Data encryption.

2.3 COMMUNICATION RELATED SYSTEM FRAUD

The linking up of systems situated at divergent geographical sites to form an orchestra
of machines computing in concert is a major technological feat that can be exploited
by various sections of the economy to achieve astounding benefits. A major
component of system networks is a communication medium through which the data
travels. The most common form of communication media is the telephone line
because it is cheap (in most cases, it is already there) and its level of reliability (in
terms of no distortion of data) is acceptable. Unfortunately, the medium is highly
susceptible to tapping, both passive and active.

Tapping refers to interfering with signals passing through a communication medium.
If the interference is only to listen in on the signals then we say the tapping is Passive.
If, however, the interference involves substituting new signals for the original ones
then the interference is called Active. Both are possible given the appropriate
electronic gadgets and access to the communication medium. Access to the system
(physical or remote) is not required. Passive tapping can be used to acquire
intelligence while active tapping is generally used to cause the system to misallocate
money or company merchandise.

Antidotes:
There are two widely accepted barriers to this form of system fraud:
• Data encryption – the culprit may intercept the data but he will not be able to
interpret it correctly or interchange it intelligently.

• Maintain logs of valid updates which at periodic intervals will be applied to
appropriate versions of data. If the resulting state is different from the current
state of data, then illegal modification via active tapping is to be suspected,
and appropriate corrective measures set in motion. Of course the log file must
be very secure, otherwise the authorised user will simply insert entries in the
log file to corroborate his/her illegal actions.
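
The following Python sketch is an added example, not part of the original document. It replays a log of valid updates onto a baseline copy of the data and compares the result with the current state, as the second antidote describes. To keep the log secure it chains an HMAC through the entries; that is one possible protection chosen here as an assumption, with the key assumed to be held by someone other than system users (for example the auditors). Account names, amounts and the key are constructed.

```python
import hashlib
import hmac
from decimal import Decimal


def _entry_mac(key, prev_mac, account, delta):
    """MAC over the previous entry's MAC plus this entry's fields (a chain)."""
    message = f"{prev_mac}|{account}|{delta}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def append_update(log, key, account, delta):
    """Record one valid update; only the holder of `key` can produce a valid MAC."""
    prev_mac = log[-1]["mac"] if log else ""
    log.append({"account": account, "delta": delta,
                "mac": _entry_mac(key, prev_mac, account, delta)})


def first_bad_entry(log, key):
    """Index of the first entry whose MAC fails, or None if the chain is intact.

    Catches edited, inserted, reordered or removed-from-the-middle entries.
    Entries dropped from the end are not caught by the chain alone.
    """
    prev_mac = ""
    for index, entry in enumerate(log):
        expected = _entry_mac(key, prev_mac, entry["account"], entry["delta"])
        if not hmac.compare_digest(entry["mac"], expected):
            return index
        prev_mac = entry["mac"]
    return None


def replay(baseline, log):
    """Apply every logged update to a copy of the baseline version of the data."""
    state = dict(baseline)
    for entry in log:
        account = entry["account"]
        state[account] = state.get(account, Decimal("0")) + entry["delta"]
    return state


def audit(baseline, log, current, key):
    """Verify the log, replay it, and report where the current data differs."""
    bad = first_bad_entry(log, key)
    if bad is not None:
        # An untrustworthy log cannot vouch for any state; stop here.
        return {"log_intact": False, "first_bad_entry": bad, "discrepancies": {}}
    expected = replay(baseline, log)
    diffs = {
        account: (expected.get(account), current.get(account))
        for account in sorted(set(expected) | set(current))
        if expected.get(account) != current.get(account)
    }
    return {"log_intact": True, "first_bad_entry": None, "discrepancies": diffs}


# Constructed sample data.
KEY = b"constructed-demo-key"
BASELINE = {"ACC-1": Decimal("1000.00"), "ACC-2": Decimal("500.00")}


def sample_log():
    log = []
    append_update(log, KEY, "ACC-1", Decimal("250.00"))
    append_update(log, KEY, "ACC-2", Decimal("-100.00"))
    return log


CURRENT_OK = {"ACC-1": Decimal("1250.00"), "ACC-2": Decimal("400.00")}
# ACC-2 was changed by an update that never passed through the valid-update log.
CURRENT_MODIFIED = {"ACC-1": Decimal("1250.00"), "ACC-2": Decimal("900.00")}

if __name__ == "__main__":
    print(audit(BASELINE, sample_log(), CURRENT_OK, KEY))
    print(audit(BASELINE, sample_log(), CURRENT_MODIFIED, KEY))
    # A log entry added without the key to "corroborate" the change is rejected.
    padded = sample_log() + [{"account": "ACC-2", "delta": Decimal("500.00"),
                              "mac": "0" * 64}]
    print(audit(BASELINE, padded, CURRENT_MODIFIED, KEY))
```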

2.4 PROCEDURES RELATED SYSTEM FRAUD


Procedures can be defined as instructions for people on the use and operations of a
system. Most system fraud succeeds because either:
• No procedure exists, or
• Existing procedures are inadequate, or
• Existing procedures are adequate but not adhered to

Every sensitive activity in the organisation should be identified and vigorous
procedures defined for it. Furthermore, guidelines on the strict observance of the
procedures should be built into the procedures.

Effective procedures prevent fraud because they demonstrate to the potential culprit that
detection is likely. A primary obstacle in the establishment of adequate procedures is
the identification of all activities that can be abused. This is because some seemingly
harmless activity may result in outrageously disastrous consequences when abused.
Below is an obviously incomplete list of activities that require carefully thought out
procedures.

Organisational Procedures
• Top management involvement in data processing

System Centre Procedures
• Access to system equipment
• Access to media library
• Movement of backup copies to offsite library

Input Preparation Procedures
• Documentation of authorised input forms
• Verification of control totals
• Validation of inputs

Processing Procedures
• Access to view information
• Access to manipulate information
• Review of processing logs
• Programs testing

Output Procedures
• Destruction of system output
• Distribution of system output
• Examination of system output to detect discrepancies

3. MOTIVATION

Systems on their own do not have the capacity to perpetrate fraud. It is human beings
that initiate the act, and more often than not it is an insider. A most relevant question
is ‘why do system users commit system fraud?’

3.1 Greed
An employee with greedy tendencies may decide to defraud his
company. This is usually in the form of misallocation of money or company
merchandise.

3.2 Robin Hood Syndrome


A member of the data processing personnel may conclude that his company is ripping
off the masses and may decide to even things out by stealing from the rich to give to
the poor. The perpetrator seldom benefits from the crime except for the satisfaction
that he derives from redressing what he considers to be social injustice.

3.3 Blackmail
An employee may be pressurised to commit system fraud by a third party. The
operative word here is pressurised, and the leverage is usually blackmail. For
example, a threat:
• To hurt a member of his family
• To make public hidden secrets that cause severe embarrassment or cause
irreparable damage etc.

3.4 Crisis
An employee in a state of acute or crippling financial crisis may decide, against better
judgement, to defraud his company and use proceeds from the exercise to settle his
bills. In addition, an employee in a state of mental instability may commit fraud
because he is not in full control of his faculties.

3.5 Disgruntlement
A disgruntled employee who has an axe to grind with his employer may decide to
penalise his employer by committing system fraud. The overriding concern of the
disgruntled employee is that his employer should sustain a loss. He may not
necessarily be interested in benefiting from the exercise.

3.6 The Hacker Syndrome
A system hacker is a programmer who is consumed with the desire to understand and
conquer any system in his vicinity. To demonstrate that he has control over that
system he will perform some otherwise illegal operations and relish the fact that the
system cannot refuse such improper overtures. His other source of reward, apart from
the ‘eureka’ cry, is that he can boast of his programming wizardry amongst his
colleagues, who will envy and respect him. A typical hacker is a very intelligent
programmer, the type you will turn to for direction when confusion sets in.
Fortunately, not all intelligent programmers demonstrate the hacker syndrome.

3.7 Lack of Adequate Security Screens


Finally, when the security and control measures put in place are very lax, an otherwise
conscientious employee may be tempted to commit system fraud. This is similar to a
situation where an otherwise law abiding citizen decides to go through a red light
when there is no policeman in sight.

4. WARNING SIGNALS

These are 12 warning signals indicating that the potential for system crime exists:
1. The system seems to run the company; management just reacts
2. Management expects system to solve major existing problems
3. Management does not (cannot) communicate with the EDP staff
4. Users are told how their systems will be designed
5. There are no documented standards for the development of new applications
or the maintenance of existing ones
6. Technical management is actively involved in programming troubleshooting
7. Programmers are uncontrolled; they can do what they want with the system
8. EDP staff has easy access to data and to program libraries
9. Errors occur so frequently that adequate investigation is not possible
10. Auditors treat the system like a mysterious black box
11. Management fails to implement audit recommendations; and
12. No EDP audit is performed.

These signals are characteristic of companies in which crimes have occurred.

PART III: PRACTICAL APPROACH TO SAFE COMPUTING
If you connect to the Internet, allow other people to use your system, or share files
with others, you should take steps to protect your system from harm. Why? Because
there are system criminals (sometimes called hackers or crackers) who attack other
people's systems. These people can attack directly, by breaking into your system
through the Internet and stealing your personal information, or indirectly, by creating
malicious software (or malware) designed to harm your system.
Fortunately, you can protect yourself by taking a few simple precautions. This article
describes the threats and what you can do to defend against them.

Check your security status with Windows Security Center
Windows Security Center is your headquarters for system security. It shows
your system's current security status and recommends anything that you
should do to help make your system more secure.

Security Center checks your system for these security essentials:
• Firewall. A firewall can help protect your system by preventing hackers or
malicious software from gaining access to it.
• Automatic updating. Windows can routinely check for updates for your
system and install them automatically.
• Malware protection. Antivirus software can help protect your system against
viruses, worms, and other security threats. Antispyware software can help
protect your system from spyware and other potentially unwanted software.
• Other security settings. Security Center checks for proper Internet security
settings and whether User Account Control is turned on.

[Figure: Windows Security Center]

If any of the security items have a red or yellow background, your system might be
vulnerable to security threats. To fix the problem, click an item to expand it, and then
follow the instructions.


What are security alerts?
If Windows detects that your system might need enhanced security in any one of the
security areas—firewall, automatic updating, malware protection, or other security
settings—you will see a notification every time you log on until the problem is fixed.
Notifications are displayed in the notification area of the taskbar.
Click the notification to open Security Center, where you can learn how to fix the
problem.
Note
• To turn off security notifications or hide the Security Center icon in the
notification area, open Security Center, click Change the way Security Center
alerts me, and then choose an option. Even if you turn off notifications,
Security Center will continue to check and display security status.
Use a firewall
A firewall is software or hardware that checks information coming from the Internet
or a network and then either turns it away or allows it to pass through to your system,
depending on your firewall settings. In this way, a firewall helps prevent hackers and
malicious software from gaining access to your system.
Windows Firewall is built into Windows and is turned on automatically.
How a firewall works
If you run a program such as an instant messaging program or a multiplayer network
game that needs to receive information from the Internet or a network, the firewall
asks if you want to block or unblock (allow) the connection. If you choose to unblock
the connection, Windows Firewall creates an exception so that the firewall won't
bother you when that program needs to receive information in the future.
Use virus protection
Viruses, worms, and Trojan horses are programs created by hackers that use the
Internet to infect vulnerable systems. Viruses and worms can replicate themselves
from system to system, while Trojan horses enter a system by hiding inside an
apparently legitimate program, such as a screen saver. Destructive viruses, worms,
and Trojan horses can erase information from your hard disk or completely disable
your system. Others don't cause direct damage, but worsen your system's performance
and stability.
Antivirus programs scan e-mail and other files on your system for viruses, worms,
and Trojan horses. If one is found, the antivirus program either quarantines (isolates)
it or deletes it entirely before it damages your system and files.
Windows does not have a built-in antivirus program, but your system manufacturer
might have installed one. Check Security Center to find out if your system has
antivirus protection. If not, go to the Microsoft Antivirus Partners webpage to find an
antivirus program.
Because new viruses are identified every day, it's important to select an antivirus
program with an automatic update capability. When the antivirus software is updated,
it adds new viruses to its list of viruses to check for, helping to protect your system
from new attacks. If the list of viruses is out of date, your system is vulnerable to new
threats. Updates usually require an annual subscription fee. Keep the subscription
current to receive regular updates.
Warning
• If you do not use antivirus software, you expose your system to damage from
malicious software. You also run the risk of spreading viruses to other
systems.
Use spyware protection
Spyware is software that can display advertisements, collect information about you, or
change settings on your system, generally without appropriately obtaining your
consent. For example, spyware can install unwanted toolbars, links, or favorites in
your web browser, change your default home page, or display pop-up ads frequently.
Some spyware displays no symptoms that you can detect, but it secretly collects
sensitive information, such as which websites you visit or text that you type. Most
spyware is installed through free software that you download, but in some cases
simply visiting a website results in a spyware infection.
To help protect your system from spyware, use an antispyware program. This version
of Windows has a built-in antispyware program called Windows Defender, which is
turned on by default. Windows Defender alerts you when spyware tries to install itself
on your system. It also can scan your system for existing spyware and then remove it.
Because new spyware appears every day, Windows Defender must be regularly
updated to detect and guard against the latest spyware threats. Windows Defender is
updated as needed whenever you update Windows. For the highest level of protection,
set Windows to install updates automatically.
Update Windows automatically
Microsoft regularly offers important updates to Windows that can help protect your
system against new viruses and other security threats. To ensure that you receive these
updates as quickly as possible, turn on automatic updating. That way, you don't have
to worry that critical fixes for Windows might be missing from your system.
Updates are downloaded behind the scenes when you're connected to the Internet. The
updates are installed at 3:00 A.M. unless you specify a different time. If you turn off
your system before then, you can install updates before shutting down. Otherwise,
Windows will install them the next time you start your system.
To turn on automatic updating
1. Click to open Windows Update.
2. Click Change settings.
3. Make sure Install updates automatically (recommended) is selected. Windows
will install important updates for your system as they become available.
Important updates provide significant benefits, such as improved security and
reliability.
4. Under Recommended updates, make sure the Include recommended updates
when downloading, installing, or notifying me about updates check box is
selected, and then click OK. Recommended updates can address non-critical
problems and help enhance your computing experience. If you are
prompted for an administrator password or confirmation, type the password or
provide confirmation.

Use a standard user account


When you log on to your system, Windows grants you a certain level of rights and
privileges depending on what kind of user account you have. There are three different
types of user accounts: Standard, Administrator, and Guest.
Although an administrator account provides complete control over a system, using a
standard account can help make your system more secure. That way, if other people
(or hackers) gain access to your system while you are logged on, they can't tamper
with the system's security settings or change other user accounts.
To determine your account type
• Click to open User Accounts.
The account type appears under your name.
If you are currently using an administrator account, see Change a user's account type
to learn how to change it to a standard account.
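The account type can also be read from the logon token. The function below is an added example, not part of the original text; it assumes Windows PowerShell 5.1, and the function name is illustrative. It separates an administrator account running without elevation under User Account Control from one running elevated.

```powershell
# Added example, not from the original text. Assumes Windows PowerShell 5.1.
function Get-AccountType {
    $adminSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group
    $guestSid = 'S-1-5-32-546'   # well-known SID of the local Guests group

    # whoami lists every group in the logon token, including groups that UAC
    # has marked deny-only, so Administrators membership is visible even when
    # the session is not elevated. /nh drops the (localized) header row.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $isAdminMember = [bool]($groups | Where-Object { $_.SID -eq $adminSid })
    $isGuest       = [bool]($groups | Where-Object { $_.SID -eq $guestSid })

    # IsInRole is true only when the Administrators group is enabled in the
    # token, which means the current session is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isAdminMember -and $elevated) {
        'Administrator (elevated session)'
    } elseif ($isAdminMember) {
        'Administrator (not elevated; UAC filtered token)'
    } elseif ($isGuest) {
        'Guest'
    } else {
        'Standard'
    }
}

Get-AccountType
```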
Tips for using e-mail and the web safely
• Use caution when opening e-mail attachments. E-mail attachments (files
attached to e-mail messages) are a primary source of virus infection. Never
open an attachment from someone you don't know. If you know the sender but
were not expecting an attachment, verify that the sender actually sent the
attachment before you open it.
• Guard your personal information carefully. If a website asks for a credit
card number, bank information, or other personal information, make sure that
you trust the website and verify that its transaction system is secure.
• Use the Phishing Filter in Internet Explorer. Phishing is the practice of
creating fraudulent e-mail messages and websites in order to trick system
users into revealing personal or financial information. The fraudulent e-mail
message or website appears to be from a trusted source, such as a bank, credit
card company, or reputable online merchant. The Phishing Filter helps detect
phishing websites to protect you from scams.
• Be careful when clicking hyperlinks in e-mail messages. Hyperlinks (links
that open websites when you click them) are often used as part of phishing and
spyware scams, but they can also transmit viruses. Only click links in e-mail
messages that you trust.
• Only install add-ons from websites that you trust. Web browser add-ons,
including ActiveX controls, allow webpages to display things like toolbars,
stock tickers, video, and animation. However, add-ons can also install spyware
or other malicious software. If a website asks you to install an add-on, make
sure that you trust it before doing so.

Security and privacy features in Internet Explorer


Internet Explorer offers a number of features to help protect your security and privacy
when you browse the web.
What security features does Internet Explorer have?
Internet Explorer includes the following security features:
• Phishing Filter, which can help protect you from online phishing attacks,
fraud, and spoofed websites.
• Protected Mode, which can help protect you from websites that try to save
files or install programs on your system.
• Pop-up Blocker, which can help block most pop-up windows.
• Add-on Manager, which lets you disable or allow web browser add-ons and
delete unwanted ActiveX controls.
• Digital signatures, which tell you who published a file and whether it has
been altered since it was digitally signed.
• A 128-bit secure (SSL) connection for using secure websites. This helps
Internet Explorer create an encrypted connection with websites run by banks,
online stores, medical sites, or other organizations that handle sensitive
customer information.
Which security features are turned on when I first use Internet Explorer?
By default, Internet Explorer is set to provide a level of security that can help protect
you against common threats, such as spyware or other types of malware, when
browsing the web. These settings can help protect against known security threats,
such as websites installing add-ons or other programs without your knowledge.
How can I protect my privacy when I'm online?
Internet Explorer provides the following features that can help protect your privacy
when you're online:
• Privacy settings that specify how your system handles cookies.
• Privacy alerts that let you know when you try to go to a website that doesn't
meet the criteria in your privacy settings.
• The ability to view a website's privacy statement.
Why am I getting a message that reads "Your security setting level puts your system at risk"?
You are getting this message because certain security settings are at a lower level than
is recommended. By default, Internet Explorer has a minimum level for some settings
that can help protect your system from websites that are trying to install malicious or
unwanted software without your knowledge or permission.
How do I know which settings are not at recommended levels?
To see which security settings are not at recommended levels, follow these steps:
To view Internet Explorer security settings
1. Click to open Internet Explorer.
2. Click the Tools button, and then click Internet Options.
3. Click the Security tab.
4. Click the Internet icon, and then click Custom level.
Settings that are not at recommended levels are highlighted in red.



What is changed when I click "Fix Settings for Me" on the Information bar when my system is at risk?
When you click Fix Settings for Me on the Information bar, Internet Explorer will
reset the security settings that put your system at risk back to their recommended
settings. To see your security settings, follow these steps:

To view Internet Explorer security settings


1. Click to open Internet Explorer.
2. Click the Tools button, and then click Internet Options.
3. Click the Security tab.
4. Click the Internet icon, and then click Custom level.
Settings that are not at recommended levels are highlighted in red.
How do I change my Internet Explorer security settings?
To change your Internet Explorer security settings
1. Click to open Internet Explorer.
2. Click the Tools button, and then click Internet Options.
3. Click the Security tab.
4. Click the Internet icon.
5. Do one of the following:
o To pick a preset security level, drag the slider.
o To change individual security settings, click Custom level. Change the
settings as desired and click OK when you are done.
o To set Internet Explorer back to the default security level, click Default
level.
6. When you are finished making changes to the security settings, click OK.
How do I change my Internet Explorer privacy settings?
To change your Internet Explorer privacy settings
1. Click to open Internet Explorer.
2. Click the Tools button, and then click Internet Options.
3. Click the Privacy tab.
4. Under Settings, do either of the following:
o To allow or block cookies from specific websites, click Sites.
o To load a customized settings file, click Import. These are files that
modify the rules that Internet Explorer uses to handle cookies. Since
these files can override default settings, you should only import them if
you know and trust the source.
5. When you are finished making changes to your privacy settings, click OK.
