This is quite an in depth topic, but we'll cover off the basics, I'll split this into two sections as both sections have quite different ways to prevent data theft.
Local data theft
Local data theft, i.e. someone logs onto your machine and steals data while actually sitting physically at your system. You probably have a Windows password on your machine, but did you know that locally it's really easy to remove that password or circumvent it entirely? Here are some more effective ways to stop someone getting access.
1. BIOS password
This is a password that is presented even before Windows starts loading. On laptops especially this can be quite effective at halting a data theft attempt, on desktops it's easier to get around this one. Also if you remove the hard drive from the machine that may well give the person access to your data. Passwords are always recommended to be cycled every 6 weeks or less in case a would-be thief finds out what it is.
2. Hard drive encryption
Most modern hard drives support hard drive encryption, whether you can implement it or not depends on your BIOS and computer model. For instance, it's rare to see hard drive encryption on a consumer laptop. But it's even rarer NOT to see it on a business laptop. This is quite an effective tool, again a password is presented before the operating system boots, if you don't know it the hard drive is useless.
Think things like fingerprint readers, facial recognition and iris recognition. These have their upsides and downsides.
Plus, they are easy to use and can make an effective deterrent.
Plus, if they are business grade your data will be encrypted which is good.
Minus, they typically fall back to passwords, so if the thief knows your password, they can just opt to use that instead of your features
Minus, if they don't have password backups then if your biometric changes for any reason, a burn or an accident, you may lose your data
Minus, if they are consumer grade, then they merely store your password and use the biometric to enter it into windows and grants access. No encryption.
4. 2 token authentication
This is now commonplace among corporates and is increasingly available to small business or ‘prosumer' users. Basically, you require two form of authentication before you are allowed access. Biometric + password or password + swipe card etc.
This is more secure again and possibly overkill for the typical at home user.
Remote data theft
This is the realm of hackers, viruses and the occasional disgruntled employee. This is one of the most likely ways you will have your data stolen or wiped. If you have no security hardware and software in your network you will be leaving your machine open to the wild. The idea here is to stop them getting in in the first place.
We did an experiment with a vanilla XP system with no firewall or internet security, it lasted around 4 minutes and then wouldn't start up, so much so we had to wipe it and start again.
Here are some steps you can do to make your online experience safer.
No software is perfect and as people figure out loopholes, backdoors, exploits and other ways to hack into a network so too does the software vendor patch them up. Tuesday is patch day for Windows so on Wednesday you can be sure you have updates to download. If you do not update you will be leaving your system and your data open for the picking.
2. Internet Security Software
Isn't a free antivirus enough? I get asked this all the time. Truth is, it would really depend on a number of factors but the general answer is NO. Free antivirus is the basic any company can offer. All of those companies have paid for much fuller offerings that do a lot more. Typically a free offering will only scan files, a paid offering will do things like;
Heuristic analysis – where they look for patterns of infection or symptoms rather than just match a virus to a definition
Email scanning – They will instantly see both an email with a dodgy attachment or a phishing email that tries to get your data
Web scanning – they will warn you of any questionable websites that have been linked with fraud or other illegal activities
Firewall – They will have a fully featured software firewall that will deflect attacks
It is very worthwhile upgrading your security software to a full featured package. Go with the brand names, my favourite is Kaspersky Internet Security.
3. Hardware firewall
Windows and Security software will provide a software Firewall, but if your machine is compromised then that software firewall will likely be compromised and be configured by the virus or whatever to let in all the nasties (as in a Trojan attack), therefore an essential element of a network is the hardware firewall.
The good news is if you have a router of any description, this will likely have a hardware firewall built in. Here are some tips on Firewalls;
a. Ports – a port allows a certain type of traffic through, like mail traffic or website traffic, only have the ports your require open and close all the others. If you stop using a port then close it off.
b. UPNP – Universal Plug and Play, this can be turned on by default in firewalls and allows a program on your computer to say if a port should be open on the hardware firewall. This can be bad if that program is a virus or Trojan. Only have UPNP on if you need it. In a business environment you likely would not.
c. DMZ – Demilitarized zone, if you let anything use this you are basically giving them an open window to the outside world, where they can send anything out and outside can send anything in. Use with extreme caution.
d. SPI – Stateful Packet Inspection, When considering a firewall, any decent one will have SPI it checks packets for anything anomalous and if very good at detecting and blocking attacks.
Depending on the size of your organisation you may want to go with a dedicated firewall, however these are usually $1000+ so it could be a considerable investment for some.
4. Remote access passwords
You must always guard remote access passwords. If an employee leaves your office, you must change all the passwords he or she had access to immediately or they could cause considerable damage, data loss/theft.
You must always make remote access passwords difficult, follow these guidelines.
a. Minimum of 8 characters
b. At least 1 uppercase letter
c. At least 1 number
d. At least 1 special character like the @ or? symbol
e. Change these at most every 6 weeks
This makes it several orders of magnitude harder for someone to ‘crack' your password, hello123 just doesn't suffice.
5. Operating system version
Support for Windows XP which is now 10 years old is just about over. Also, the newer operating systems like Win 7 and 8 are far better at blocking unwanted attention and dealing with attacks than previous generations.
If you have not upgraded yet, please do. You are way overdue.