Frequently asked questions about Information Security and Crime Prevention

1. What is the biggest threat to Information Security for companies?
2. What can we do to secure our permanent Internet connection and local network against hacking, data spying, data altering etc.?
3. What shall I do if I recognise that a hacker is attacking my computer system now?
4. How can I secure my stand-alone PC and data against unauthorised access?
5. How can I protect a computer system from computer viruses?
6. How can I transmit confidential electronic information to a receiver?
7. How can I bring awareness to the employees and management in my organisation?
8. What should we do if external persons service our system?
9. How can I protect a telecommunication system from misuse such as unauthorised access?
10. Where can I get information about IT Security?

1. What is the biggest threat to Information Security for companies?
----------------------------------------------------------------
The biggest single threat is staff who are unaware of the importance of information security and of the difference between 'nice to know' and 'need to know'. Employees should have access only to the information they need to do their job (least privilege); this limits both accidental leakage and the damage an attacker can do with one compromised account. Staff must be informed about IT security and trained regularly. The other key threat is hacking: attackers can not only destroy or steal data, they can also destroy the image and reputation of the company.

2. What can we do to secure our permanent Internet connection and local network against hacking, data spying, data altering etc.?
----------------------------------------------------------------
The first measure is a firewall. A firewall blocks many attacks on a network, but only if it is administered continuously: a rule set that nobody maintains soon permits what it should deny. Normally a firewall protects only against unauthorised access from outside.
It should be complemented by an Intrusion Detection System (IDS), which watches network traffic and log files for attacks the firewall lets through or cannot see, including attacks from inside the network and failures of the firewall itself. Introduce an Incident Handling System (IHS) as well: being well prepared is the best way to minimise damage and losses after an incident. To keep out unauthorised persons, protect accounts with passwords that are neither too short nor easy to guess. Change a password at once whenever there is any suspicion that it has been exposed; note that current guidance (NIST SP 800-63B) no longer recommends forced changes on a fixed schedule, because that mainly produces predictable variations of the old password.

3. What shall I do if I recognise that a hacker is attacking my computer system now?
----------------------------------------------------------------
With an IHS you follow its procedure and are prepared to handle the incident. If you have no IHS and recognise that a system is under attack, the best thing to do is to disconnect it from the network (unplug the network cable rather than switching the machine off, since switching off destroys volatile evidence such as running processes and open connections). Then preserve the attacked system and its log files unchanged, and take a full, ideally bit-for-bit, backup so that evidence (for example the attacker's IP address and login times) can be collected without altering the original. Note who handled the evidence and when. If there is a serious threat or damage, report it to the police.

4. How can I secure my stand-alone PC and data against unauthorised access?
----------------------------------------------------------------
Set a BIOS password and a screensaver (screen lock) password, and do not write the passwords on a note under the keyboard. A BIOS password stops the machine from being booted from someone else's medium, but it does not protect the data on a disk that is removed and read elsewhere; use disk or file encryption for important or confidential information so that it stays unreadable even if the hardware is stolen. Physical protection such as alarm systems, cable locks and drive locks (floppy locks on older machines) complements this.

5. How can I protect a computer system from computer viruses?
----------------------------------------------------------------
A simple and useful measure against computer viruses is an anti-virus program (such as Norton AntiVirus or McAfee).
New viruses appear every day, so a scanner is only as good as its last signature update: update it very frequently, preferably automatically. Downloading data from unknown sources and opening e-mail from unknown senders is dangerous; pay special attention to attachments, which are the most common carrier. Use a stand-alone PC to check diskettes (and any other removable media) for viruses before they are loaded into the network. A company policy should explain that uncontrolled downloading can have undesirable consequences because of the risk of viruses and similar malicious software.

6. How can I transmit confidential electronic information to a receiver?
----------------------------------------------------------------
If it is really necessary to transmit confidential information by e-mail, use an encryption program such as Pretty Good Privacy (PGP). Encrypt to the recipient's public key and sign with your own, and verify the recipient's key fingerprint over a separate channel (telephone, in person) before the first use; otherwise anyone who can substitute a key of their own can read the message.

7. How can I bring awareness to the employees and management in my organisation?
----------------------------------------------------------------
Tell your management what can happen if internal access to information is uncontrolled or protection against external attacks is lacking. If a hacker successfully attacks your company network, inform management about the possible material damage and the loss of reliability and image. Educate employees and management never to give their PINs, passwords or calling-card numbers to anyone who asks for them: legitimate persons never ask for passwords by telephone or e-mail.

8. What should we do if external persons service our system?
----------------------------------------------------------------
Save the confidential information to other media (or remove the disks) before servicing. If the service staff have not been security checked beforehand, observe them during the work. Never let external service staff take computer media or computers containing classified information off your site.

9. How can I protect a telecommunication system from misuse such as unauthorised access?
----------------------------------------------------------------
Normally a mobile phone or a fixed-line phone can be protected against misuse with a Personal Identification Number (PIN). In a large telecommunication system (such as a company PBX) it is recommended to block special numbers (such as premium-rate audiotex lines) that produce high charges, to restrict international dialling to those who need it, and to review the call records regularly for unusual after-hours or foreign traffic, which is how toll fraud usually shows up.

10. Where can I get information about IT Security?
----------------------------------------------------------------
There are many publications, books and training courses covering these topics. Information is also available on the Internet and from IT security companies. Basic information can be obtained from your local police, and there are many websites on the topic.
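Worked example for questions 2 and 3, added here as an illustration and not part of the original FAQ: a small intrusion-detection check of the kind an IDS runs over login logs, followed by the evidence capture question 3 asks for. It flags a password-guessing burst from one address, notes whether that address later logged in successfully, and then extracts everything seen from it (source IP, first and last login time, user names tried) together with a SHA-256 of the verbatim excerpt so that it can later be shown that the extract was not altered. The sshd log lines are constructed, and the threshold (five failures within sixty seconds) and the year assumed for the syslog timestamps are assumptions of the example.

```python
"""Added example: log-based intrusion detection and evidence capture."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd authentication log lines (not real data).
SAMPLE_LOG = """\
Mar 12 10:01:05 gw sshd[4012]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 12 10:01:06 gw sshd[4012]: Failed password for root from 203.0.113.7 port 51523 ssh2
Mar 12 10:01:08 gw sshd[4012]: Failed password for admin from 203.0.113.7 port 51524 ssh2
Mar 12 10:01:09 gw sshd[4012]: Failed password for admin from 203.0.113.7 port 51525 ssh2
Mar 12 10:01:11 gw sshd[4012]: Failed password for admin from 203.0.113.7 port 51526 ssh2
Mar 12 10:01:30 gw sshd[4013]: Accepted password for admin from 203.0.113.7 port 51530 ssh2
Mar 12 10:15:42 gw sshd[4020]: Accepted publickey for alice from 192.0.2.10 port 40222 ssh2
Mar 12 10:16:01 gw sshd[4021]: Failed password for bob from 192.0.2.11 port 40300 ssh2
"""

LOG_YEAR = 2024  # syslog lines carry no year; assumed for the example

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_log(text):
    """Turn matching lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(f"{LOG_YEAR} {e['ts']}", "%Y %b %d %H:%M:%S")
            e["raw"] = line
            events.append(e)
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag every source IP with at least `threshold` failed logins inside
    `window_s` seconds, and record whether the same IP logged in successfully
    after the burst began (a burst followed by success is the compromise case)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e["time"] for e in evs if e["result"] == "Failed"]
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                later_success = any(
                    e["result"] == "Accepted" and e["time"] > fails[i] for e in evs
                )
                alerts[ip] = {"failures": len(fails), "later_success": later_success}
                break
    return alerts


def evidence_record(events, ip):
    """Extract everything seen from one source IP as an evidence record.
    The SHA-256 over the verbatim excerpt lets anyone confirm later that the
    extract was not changed after it was taken."""
    evs = [e for e in events if e["ip"] == ip]
    if not evs:
        return None
    excerpt = "".join(e["raw"] + "\n" for e in evs)
    return {
        "source_ip": ip,
        "first_seen": evs[0]["ts"],
        "last_seen": evs[-1]["ts"],
        "users_tried": sorted({e["user"] for e in evs}),
        "line_count": len(evs),
        "excerpt": excerpt,
        "sha256": hashlib.sha256(excerpt.encode()).hexdigest(),
    }


def verify_evidence(record):
    """Re-hash the stored excerpt and compare it with the recorded digest."""
    return hashlib.sha256(record["excerpt"].encode()).hexdigest() == record["sha256"]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for ip, a in detect_bruteforce(ev).items():
        print(f"ALERT {ip}: {a['failures']} failed logins, later success: {a['later_success']}")
        rec = evidence_record(ev, ip)
        print(f"evidence: {rec['line_count']} lines, users {rec['users_tried']}, sha256 {rec['sha256']}")
```

On the sample data only 203.0.113.7 is flagged (five failures in six seconds, then an accepted login for "admin"); bob's single failure is below the threshold. In a real deployment the hash of the excerpt, and ideally of the full backup, is written down together with the name of the person who took it and the time, which is the chain of custody the police will ask for.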
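Worked example for the password advice in questions 2 and 4, added here as an illustration and not part of the original FAQ: a check that rejects a proposed password that is too short or too easy to find out. It goes one step beyond the text by undoing the usual "P@ssw0rd" style substitutions before comparing against a word list, since password-guessing tools try those substitutions first. The word list, the minimum length of 12 and the substitution table are assumptions of the example; a real deployment screens against a large list of passwords known from breaches.

```python
"""Added example: screening a proposed password for the weaknesses that make
it easy to find out (too short, a common word in disguise, the user name)."""
import re
import unicodedata

# Constructed word list; real screening uses millions of breached passwords.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                "admin", "iloveyou", "secret"}

# Substitutions people use to "disguise" a word; guessing tools try them first,
# so they are undone before the comparison.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i",
                      "3": "e", "|": "l", "4": "a", "5": "s", "7": "t"})


def normalize(pw):
    """Lower-case, fold Unicode look-alikes and undo the substitutions."""
    return unicodedata.normalize("NFKC", pw).lower().translate(LEET)


def check_password(pw, username="", min_len=12):
    """Return the reasons a password is unacceptable; an empty list means OK."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    raw, core = pw.lower(), normalize(pw)
    for word in sorted(COMMON_WORDS):
        if word in raw or word in core:
            problems.append(f"built on the common word '{word}'")
            break
    if len(username) >= 3 and username.lower() in raw:
        problems.append("contains the user name")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    if re.fullmatch(r"\d+", pw):
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd123!", "bob"), ("alice2024", "alice"),
                            ("correct horse battery staple", "alice")]:
        print(repr(candidate), check_password(candidate, user) or "accepted")
```

"P@ssw0rd123!" is long enough and mixes all character classes, yet it is rejected because it is the word "password" with predictable substitutions and a suffix; "correct horse battery staple" contains no special characters and is accepted. That is the point of screening on length and known-bad words rather than on composition rules.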
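Worked example for question 5, added here as an illustration and not part of the original FAQ: the checks a mail gateway or a stand-alone checking PC applies to attachments before anyone opens them. It combines the mechanism an anti-virus program uses (matching known signatures and known-bad file hashes) with the attachment-specific checks the text calls for: executable file types, double extensions such as "invoice.pdf.exe", and files whose content does not match the type their name claims. The signature list contains only the EICAR test string (the harmless file every scanner is built to detect), the hash list holds one constructed entry, and the attachment samples are constructed; the extension and magic-byte tables are assumptions of the example and are not exhaustive.

```python
"""Added example: screening e-mail attachments before they are opened."""
import hashlib

# The EICAR test string: a harmless file that every anti-virus scanner detects,
# used here as the only entry of a constructed signature list.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR.encode()}

# Hash list of whole known-bad files (constructed entry for the example).
SAMPLE_BAD_FILE = b"MZ\x90\x00constructed-sample-not-real-malware"
BLOCKED_HASHES = {hashlib.sha256(SAMPLE_BAD_FILE).hexdigest(): "Sample.Trojan.Test"}

# File types Windows executes on double-click (assumed list, not exhaustive).
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js",
                  "jse", "wsf", "hta", "ps1"}
# Leading bytes a file of the claimed type must start with.
MAGIC = {"pdf": b"%PDF", "png": b"\x89PNG", "zip": b"PK\x03\x04",
         "doc": b"\xd0\xcf\x11\xe0"}


def screen_attachment(filename, content):
    """Return the reasons to quarantine the attachment; an empty list passes."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable attachment type .{ext}")
        # "invoice.pdf.exe": a document extension placed before the real one
        if len(parts) > 2 and parts[-2] in MAGIC:
            reasons.append(f"double extension hides .{ext} behind .{parts[-2]}")
    # The name says document or image, but the bytes say something else.
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        if content.startswith(b"MZ"):
            reasons.append(f"claims .{ext} but content is a Windows executable")
        else:
            reasons.append(f"content does not match .{ext}")
    for name, sig in SIGNATURES.items():
        if sig in content:
            reasons.append(f"signature match: {name}")
    verdict = BLOCKED_HASHES.get(hashlib.sha256(content).hexdigest())
    if verdict:
        reasons.append(f"known bad file: {verdict}")
    return reasons


def screen_message(attachments):
    """Screen every (filename, bytes) pair of one message; returns the failures."""
    failed = {}
    for name, data in attachments:
        reasons = screen_attachment(name, data)
        if reasons:
            failed[name] = reasons
    return failed


# Constructed attachments of one message: one clean, four that must be stopped.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4\n%constructed sample"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    ("holiday.png", b"MZ\x90\x00\x03"),
    ("eicar.txt", EICAR.encode()),
    ("tool.bin", SAMPLE_BAD_FILE),
]

if __name__ == "__main__":
    for name, reasons in screen_message(SAMPLE_ATTACHMENTS).items():
        print(f"QUARANTINE {name}: " + "; ".join(reasons))
```

The signature and hash lists are where the text's warning about frequent updates applies: "tool.bin" is only caught because its hash is already on the list, and a variant that differs by one byte would pass, which is why the type and content checks are kept independent of the lists. The block illustrates the mechanism; it is not a substitute for a maintained scanner.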