Helping Your Computer System Grow Up

Contents:

Introduction

An Attitude Adjustment Moment

Helping your computer system grow up

A simple but thorough way of securing data in your organization

First, do no harm. And pace yourself.

Pick a Leader

Get outside help

Your Information Security Manager (ISM) Assembles Her Tools

A tested, rotated offsite backup

A WISP (Written Information Security Plan)

A sensible and realistic security philosophy

201 CMR 17.00 compliance assurances from vendors and other partners

A Password List

A locked space to secure paper files

TrueCrypt containers to secure computer files

Tolvanen's Eraser

Security Guide

-------------------------------------------------------------------

Introduction

 

Massachusetts, since its founding, has many times been at the forefront of progressive change. People from Massachusetts played a major role in initiating the break from Great Britain and founding a representative democracy. The state was home to important leaders of the slavery abolition movement, and more recently was the first state to recognize that same-sex couples have the right to full protection of the law. (Neil Savage's book, Extraordinary Tenure, explores some of the reasons for Massachusetts's leadership role in the nation's history, http://tinyurl.com/savage-extraordinary-tenure).

 

Very much in that tradition, this year Massachusetts announced the most advanced data safety rules in the country. Partly due to the growing global problem of identity theft, and partly due to a major information breach at a local company (http://tinyurl.com/tjmaxx-disaster), the state has developed rules to help protect sensitive information from being misused.

 

The state uses the term "Personal Information" (PI) for the information we must protect: a person's name together with a social security number, a driver's license or state ID number, or a credit card or other financial account number. If your organization stores any of these, you must develop strong systems to protect them, and you must have a written security plan which you check regularly to make sure it is being carried out well. You must appoint someone on your staff to be responsible for carrying out the plan, and the plan must include staff training in the security procedures.

 

You also have to make sure that if you share any of this information with vendors or business partners, they must be in full compliance with the rules.

 

Virtually all organizations in Massachusetts store these numbers. For example, if your organization has just one part-time employee, you must keep her I-9 and W-4 forms in your files permanently, and these forms carry social security numbers. When you receive a check in payment from a customer, the check carries the customer's name and bank account number. If you are a landlord and you run a credit check on your tenants, you will have to store their social security numbers.

 

So, in our view, the state is asking all organizations, from the smallest home office to the largest corporation, to develop strong data safety programs.

 

Our goal at this site is to help you do this in a sensible, economical way.

An Attitude Adjustment Moment

 

A number of people we've talked with about these new rules have complained about what a hassle they are, and how the last thing Massachusetts businesses need right now is an expensive and time-consuming new mandate from the state.

 

We want to urge you to view these regulations a little differently. The state is requiring you, your competitors, and everyone else to get their data safety act together. Yes, this will take work and money, but the net effect should be to make your computer systems safer and better, and to protect you and your customers and community from the severe consequences of a serious data breach or loss.  The government requires you to insure your car, to adhere to workplace health standards, and to follow safe building codes. Now, late but better than never, the state is requiring us to make our information handling safe.

 

We know that if you pursue compliance in this spirit, you will value the process more, and see it as a welcome part of your business development. We'll try to help you through the process with this in mind.

Helping your computer system grow up

 

The best way to comply with these regulations, in our view, is to take steps to make your system healthy and safe. You will then be compliant, but also can reap the many benefits of having a strong, secure system.

 

At the beginning of Tolstoi's War and Peace, Prince Vasili, at a fancy party, asks after the health of the famous Anna Pavlovna, friend of the empress. She responds, "How can a person be healthy when one is suffering so from nerves? Is it possible, in our time, to feel at peace?" She is talking about her anxiety over the French revolution and the prospect of war.

 

Looking at our computer system, we might respond similarly. Strong? Secure? How can such a thing be possible in our time? Even a computer running the best antivirus program can be hit by a virus that generates incessant popups and disables the antivirus program. With relations between employer and employee strained by economic turmoil and the breakdown of mutual loyalty we have seen, the risk of embezzlement and internal data theft should worry us all.

 

Here is our basic approach to this anxiety-creating situation:

 

1. Regularly back up all your data, and keep some copies of the backup in the hands of trusted people outside your organization.

 

2. Use industry-standard computer safety procedures.

 

3. Track all "Personal Information" (PI) and sensitive information as it enters the organization, is used by the organization, and is finally disposed of. Lock it up or encrypt it, giving keys only to people who need access.

 

4. Train and supervise your staff in your security procedures, from the moment they join the organization, to the moment they leave.

 

5. Create a library of how-tos to document, enforce, audit and prove your security policy.

 

 

We will now walk with you through our approach to achieving these broad goals. You will naturally adjust these based on your needs and resources. It will be helpful to everyone if you would use the 201cmr17 blog to share the particular choices you make, and the adventures you have as you work on making your organization more secure. Our blog is at 201cmr17.wordpress.com. Please feel free to contribute anonymously, but also feel free to include your company information, if you would like people to contact you to share ideas.

A simple but thorough way of securing data in your organization

 

 

This approach comes from Computer Care and Learning's (www.ComputerCareAndLearning.com) many years of helping people and organizations take care of their information. We combine this experience with the specific requirements of the new regulations, to produce a guide that will help you keep your data safe, and help you towards your compliance goals. Be sure to review your plans with your computer support people and your attorney, to be sure you are fully in compliance with 201 CMR 17.00, as well as the other regulations and laws that apply to your organization.

 

 

First, do no harm.  And pace yourself.

 

It is natural to panic a bit when you first do a serious survey of your data safety situation. That you now need to comply with a law, with heavy fines for noncompliance, adds to the pressure. We want to encourage you to breathe steadily as you proceed. You can do more harm to your security by rushing to implement a bunch of procedures than by doing nothing at all. Encryption is a good example. If you hastily encrypt your vital data, without proper safeguards and good practices in place, you can "lock your keys in the car" in a way from which no coat hanger or friendly locksmith can rescue you. If you set up stringent security procedures that get in the way of people working, your staff will find ways around them, and you will create an atmosphere of disrespect for all security procedures.

 

So take it slow, but steady. Think of your organization as a student, who needs support, encouragement, and steady guidance. Your organization won't become secure overnight, but if you work steadily at planning and education, it can become quite secure in just a few months. Pay close attention to the cautions we point to, and in general, don't force things-- if your gut says something is not right, listen to that, and reconsider your plan. We'll try to point out some trouble spots to expect.

 

You might find it helpful to compare this effort to the task of getting into good physical shape and eating healthily-- you can make some major changes right away, but your body and mind need time and practice to adjust and make the changes permanent.

 

 

Pick a Leader

 

Both the new regulations and good business practice say that you should pick an Information Security Manager (ISM) to lead your data security efforts. We suggest you choose someone who has been with your organization for some time and knows different parts of it well. Your ISM should have good computer skills, good leadership skills, and get along well with people. It also helps if she has an active, healthily suspicious imagination; someone who reads spy novels in her spare time is a good find. The person needs to be flexible and able to deal with frustration, and needs to know how to work well with vendors and support organizations. If you can't get all this in one person, consider choosing a team of two with complementary skills.

 

Get outside help

 

Your ISM needs to develop a good working relationship with your IT support organization, and with your attorney. All plans should be reviewed with them. If you have your own IT department, we recommend that you have a computer help company review their work--  an extra set of eyes, unjaded by custom, can often see obvious and less obvious problems that your IT staff might miss. We were at a children's museum recently, and a play structure there had a piece of wood that was a pinch hazard. We mentioned this to a staff person who sat daily next to this structure. She immediately recognized the problem, and said "I've looked at this hazard every day, but I didn't see it until you pointed it out."

 

 

Your Information Security Manager (ISM) Assembles Her Tools

 

As your manager begins, she'll need tools for the journey. We'll discuss each tool in turn, and you'll see that mastery of these tools is a good way of achieving both compliance with 201cmr17 and good computer safety in general.

 

Here is the list, in order of importance, for you to keep in mind as we discuss them. Since most of our customers use PCs, this list is PC-centric, but most of it applies to Macs as well.

 

A tested, rotated, offsite backup system, with a backup log in Excel

A WISP (Written Information Security Plan)

A sensible and realistic security philosophy

201cmr17 compliance certifications from vendors and other partners

A password list in Excel

A locked space to secure paper files

Truecrypt containers to secure computer files

Tolvanen's Eraser

Up-to-date antivirus/antimalware software with daily updating, and software firewall

Microsoft update, with weekly updating, plus Secunia update check

Appropriate networking hardware, including wireless hardware with correct configuration

LogMeIn or another secure remote control program

 

This is a surprisingly short list, but as Mr. Miyagi teaches Daniel in The Karate Kid, you don't need a lot of moves; you need to know a few moves well.

 

Let's talk about each in turn.

 

A tested, rotated offsite backup 

 

You may be surprised to find this first on the list of tools to prevent identity theft. But we have found, again and again, how central a good backup is to all data safety, including preventing data theft. Before we talk about the details of the backup system, let's outline why you should address backups first and with your best energy.

 

An encrypted, tested, daily, full backup system with offsite rotation protects you against many of the bad things that can happen to your data: fire, theft, hard drive failure, virus corruption and sabotage, to name the most common. A good system also discourages embezzlement and other forms of theft, including identity theft, by keeping a reliable record of what your system contained over time. One of the first things a thief does is cover his tracks: deleting logs, deleting other evidence, even deleting the numbers he stole, to make the theft hard to trace. Good backups, kept securely offsite, make this much harder. Remember, though, that the backups then hold every piece of PI your system holds, which is why they must be encrypted and why their whereabouts belong in the backup log.

 

But there is an even more direct reason why backups come first in your collection of tools for preventing data theft. When you are securing your data, YOU are the biggest danger to your data. Even an experienced IT practitioner can make the mistake of encrypting something and losing the password, or have the bad luck of an encrypted file becoming corrupted and unrecoverable. We strongly recommend that you NEVER encrypt or secure any computer data without first having multiple, tested full backups, with some offsite.

 

Here is our basic recommendation for how to achieve the goal of encrypted, tested, daily, full backups with offsite rotation:

 

1. Each day, back up your computer with Acronis True Image (www.acronis.com) to an external hard drive. Use AES encryption, with a password that follows your password policy (see Password List, below). Use full backups (not incremental), and create a separate backup task for each day of the week, so that one bad day's image never overwrites the good ones. Check the backup's size and date each day.

 

Weekly, mount the backup and open a recent file. This is an essential step-- you must check your backup regularly by restoring a test file-- this both helps you know the backup is working, and makes you practice your password. Weekly, swap the drive with a similar drive you keep offsite. Since the backup is encrypted, a neighbor, a locked drawer in your downtown office, or a relative are good ideas. Nice social opportunity when you swap the drive if  you keep it at a friend's house; one of my co-workers met his future wife by such visits.

 

2. Supplement this with an encrypted vital-data backup onto flash drives and CDs/DVDs, using a TrueCrypt container (see TrueCrypt, below). If you use Outlook, back up the .pst file and the .nk2 file. Close Outlook first, and use Unlocker (see below) to confirm that nothing still has the .pst file open before you copy it: a .pst copied while Outlook is still writing to it may not open when you need it. Your computer helper can write a simple batch file to automate this process somewhat. Check the backup by opening a recent file.

 

You may ask, why do the flash drive/DVD backup if you're already backing up with Acronis to external disk drives? This is in keeping with a principle you'll see here again and again: layers and more layers. Our experience is that external disk drives fail, decent software gets corrupted, and people lose their passwords. By having your vital data in at least two locations, backed up by two entirely different methods, onto two different kinds of media, you reduce the likelihood of losing your data. Flash drives are easy to take with you, and DVDs are easy to mail, which is a nice way of spreading your backups around, even across the country. As long as the data is in TrueCrypt containers, this gives you safety with very little risk of breach: a lost flash drive holding an encrypted container is a lost drive, while one holding a plain copy of your files is a reportable breach.

 

3. You may want to use the increasingly capable and cheap online backup services, too: one of my customers found Cryptonite fun to use; another uses SugarSync; still another uses BackupMyBusiness. Our main cautions: 1) put the data in a TrueCrypt container before backing it up online. This protects you if the data is breached while in the service's possession, whatever encryption the service itself applies, because the service never holds your key. 2) Store the encryption key the online service provides in your password list (see Password List, below); they cannot replace this key if you lose it, and a backup you cannot decrypt is no backup at all.

 

 

4. We recommend you use an Excel spreadsheet to keep a backup log, including size, dates, location of backups, and when you restored a test file. This keeps everyone honest-- it becomes very obvious when the backups aren't being done, rotated offsite, and tested. This backup log becomes an important document to verify that you and your staff are taking care of your data.
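The checks that a backup log exists to make obvious can also be automated. The following Python script is an added example, not part of the original guide and not Acronis's software: it scans a folder of backup images (it assumes Acronis's .tib file extension, one image per day, and that a backup's date is its file modification date), flags a missing day, a backup that is much smaller than the ones before it, and an overdue test restore, and appends the result to a CSV backup log. The week of images it checks is constructed inside the script, with one day skipped and the newest image suspiciously small.

```python
"""Backup log check (added example, not part of the original guide).

Raises the flags a hand-kept Excel backup log should make obvious: a day
with no backup, a backup far smaller than the usual size (the job failed or
the source was empty), and a test restore that is overdue.  Appends each
check to a CSV log so the record builds up.

Assumptions (not from the guide): image files end in ".tib" as Acronis
True Image names them, one image per day, and a backup's date is taken
from the file's modification time.
"""
import csv
import os
import statistics
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path


def scan_backups(folder, pattern="*.tib"):
    """Return {date: total_bytes} for the backup files found in folder."""
    found = {}
    for path in Path(folder).glob(pattern):
        st = path.stat()
        day = date.fromtimestamp(st.st_mtime)
        found[day] = found.get(day, 0) + st.st_size
    return found


def check_backups(found, today, last_test_restore, days=7, shrink_ratio=0.5):
    """Return a list of problems; an empty list means the log can show OK."""
    problems = []
    for back in range(days):
        day = today - timedelta(days=back)
        if day not in found:
            problems.append(f"no backup for {day}")
    if len(found) >= 3:
        by_date = [found[d] for d in sorted(found)]
        usual = statistics.median(by_date[:-1])   # sizes before the newest
        latest = by_date[-1]
        if latest < usual * shrink_ratio:
            problems.append(
                f"latest backup is {latest} bytes, far below the usual {int(usual)}")
    if last_test_restore is None or (today - last_test_restore).days > 7:
        problems.append("no test restore in the last 7 days")
    return problems


def append_log(log_path, today, found, last_test_restore, problems):
    """Append one row for this check to the CSV backup log; returns the row."""
    latest_day = max(found) if found else None
    row = {
        "checked_on": today.isoformat(),
        "latest_backup": latest_day.isoformat() if latest_day else "",
        "latest_size_bytes": found[latest_day] if latest_day else 0,
        "last_test_restore": last_test_restore.isoformat() if last_test_restore else "",
        "status": "OK" if not problems else "; ".join(problems),
    }
    new_file = not Path(log_path).exists()
    with open(log_path, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(row))
        if new_file:
            writer.writeheader()
        writer.writerow(row)
    return row


def build_fixture(folder, today):
    """Constructed sample data, not real backups: a week of images with one
    day missing and the newest image suspiciously small."""
    for back in range(6, -1, -1):
        day = today - timedelta(days=back)
        if back == 3:                       # nobody ran the job that day
            continue
        size = 2_000 if back == 0 else 10_000
        path = Path(folder) / f"full_{day.isoformat()}.tib"
        path.write_bytes(b"\0" * size)
        stamp = datetime(day.year, day.month, day.day, 12).timestamp()
        os.utime(path, (stamp, stamp))      # date the file as that day's backup


def run_demo():
    """Build the fixture in a temp folder, check it, log it; returns (problems, log row)."""
    today = date(2009, 2, 17)
    last_test_restore = date(2009, 2, 5)
    with tempfile.TemporaryDirectory() as folder:
        build_fixture(folder, today)
        found = scan_backups(folder)
        problems = check_backups(found, today, last_test_restore)
        row = append_log(Path(folder) / "backup_log.csv", today, found,
                         last_test_restore, problems)
    return problems, row


if __name__ == "__main__":
    for line in run_demo()[0]:
        print("PROBLEM:", line)
```

Run against your real backup folder, the script replaces the "size and date" glance with a check that cannot be skipped, while the CSV it appends to is the log the regulation expects you to be able to show.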

 

 

A note on pacing yourself: these four steps are very worth doing, but do them at a reasonable pace. Add each element and get to know it well, don't rush. Ask for help from people who have done this before. At Computer Care and Learning, we encourage our customers to talk with one another and share notes about their backup and security systems; this helps everyone do a better job, and is a fine networking opportunity, too.

 

 

A WISP (Written Information Security Plan)

 

We recommend that you create a Word document named "How to keep the data in this organization safe."

 

This document will be your main way of planning and tracking your security effort. 201cmr17 specifically requires that you keep a document like this, commonly called a "WISP", a written information security plan. As we go forward, we'll take repeated looks at our how-to to show how it develops. Here's how your ISM (Information Security Manager) might start:

 

|----------------------------------------------------------------|

How to keep the data in this organization safe

Revised 2/17/09

by Brooke Nicole Mayfield, security manager,

 

Our organization is committed to protecting the private information entrusted to us in the course of business.

 

It is our policy to identify private information as it comes in to our company. Private information is defined as "Personal information" as defined in 201 CMR 17.00, and as additional information that we and our customers consider confidential. This information is stored in locked physical spaces or encrypted computer files, and is only retrieved by staff who have a business need for it. When there is no business need for it, the information is shredded or securely erased.

 

Staff who have a business need to use this information sign a confidentiality agreement upon hiring. Upon leaving the company, people relinquish their passwords and  keys to the locked physical spaces, and the passwords they have been using are changed.

 

The organization will only share private information with partners or vendors who need the information in order to do business with us. These partners and vendors must certify to us in writing that they follow a data security plan equivalent to ours.

 

As an additional precaution, the organization follows industry-standard good computer security practices, including the use of up-to-date antivirus/antimalware protection, security patches, physical firewalls, good password procedures, and physical access controls.

 

The organization regularly audits the training and practice of its staff in enforcing data security. Staff who enforce the security rules properly are richly rewarded, and staff who do not are given verbal, then written warning, and if the problem persists, they are asked to leave.

 

In the event of a security breach, the Information Security Manager will carefully investigate and document the breach, document the steps taken in response, make any notifications that Massachusetts law requires, and afterwards review whether this plan needs to change.

 

-----------------------------------------------------------------|

 

 

 

A sensible and realistic security philosophy

 

Your organization's awareness of real vs. imagined risks can have a huge impact on how safe you are. Just a few thoughts to get you started: in many years of working with organizations, the computer helpers at Computer Care and Learning have observed no intrusions into our customers' systems from outside, except by generic virus and malware infections (bearing in mind that an intruder who leaves no visible trace is easy to miss). In the same time span, we have seen or heard about several instances of major embezzlement by trusted staff people. Your security arrangements should take internal theft extremely seriously, and you should work hard to create an environment that makes this kind of theft very difficult. We would like to add that, in our own view, the biggest victim of embezzlement and theft is the thief: property can be replaced, but the damage to a person's character from doing something dishonest is very hard to repair. Everyone, under some circumstances, can give way to temptation; help people resist their weaknesses by making theft difficult. Do this socially, by making data safety part of your culture, and do it technically by the methods we explore on this site. Be aware of people's stresses in your organization; be alert to people who have become disconnected or are in times of turmoil, and help them.

 

 

201 CMR 17.00 compliance assurances from vendors and other partners

 

Until we have something better, a WISP document like the one above, signed by the CEO of your vendor or partner, goes a long way towards assuring compliance. The "public" WISP would be shortened, to reduce unnecessary detail and keep some methods private.  Our hope is that our community will develop a rigorous, peer-reviewed certification process. We hope that this site will be one of the early steps towards that process.

 

 

 

A Password List

 

We recommend that your Information Security Manager (ISM) develop a password list for the company. Bruce Schneier's Password Safe program is a good tool for managing your passwords. You may also use Excel for this purpose, with the file WinZip-encrypted or kept in a TrueCrypt container (see WinZip and TrueCrypt, below); an Excel file protected only by its own "password to open" is not enough on its own (see the Security Guide, below). Excel is simpler to use and gives you more formatting flexibility; Password Safe has the great advantage of letting you use the passwords discreetly even when sharing your computer screen with colleagues or students.

 

The basic rule for passwords is that they be at least 8 characters, including at least one non-letter character and at least one change of case; longer is better, and costs nothing extra to remember if you build the password from a phrase. We recommend you take a song or a poem or a saying and take the first letter of each word, so a decent password is Rrryb,gdts (Row row row your boat, gently down the stream). We don't want words or names, because people can use dictionary attacks, and computers have gotten very fast at trying combinations.

 

The only exception to the 8 character rule is for Truecrypt passwords (20 characters), which you'll read about below.

 

If you use Excel, a good layout for the password list is:

 

User name    Password          Song/poem                                                    Description

JoanJett     Ilr&r,paditjbb    "I love rock & roll, put another dime in the jukebox baby"   iTunes store password

 

 

All passwords for the organization are stored here, including workstation passwords, which are passed in person to the Information Security Manager (ISM).

 

The list is printed out, and a copy given to the CEO and the ISM to take home and keep in a safe place there. If you are using Password Safe, use the export feature to export to Excel. Then print out what you need, and use Tolvanen's Eraser program (see below) securely to erase the exported file.

 

Note that good business practice, and 201 CMR 17.00, requires workstation passwords.

 

Note also that when a person leaves an organization, the best practice is to change every password on the list she had access to. This is a serious challenge that can lead to unexpected problems, because a password is usually stored in more places than the list shows. For example, if you change the administrator password for your network, your backup system will stop working until you change the password there too. If you add a Windows password to a Vista machine, the password cache can get cleared, and automatic connections to peer workstations will stop working. The password list should therefore record, for each password, who has been given it and where else it is stored, so that the departure checklist can be built from the list rather than from memory.
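As an added example (not from the original guide), the following Python script does three things from this section: builds a password from the first letters of a phrase in the way described above, checks a password against the rule (including the 20-character TrueCrypt rule and a dictionary check), and works out which passwords to change when someone leaves. The password list it reads is constructed sample data in the four-column layout shown above plus a fifth column, "Known to", recording who has been given each password; that column, the word list, and the guessing rate used in the brute-force estimate are this example's assumptions.

```python
"""Password list helpers (added example, not part of the original guide).

Builds a password from the first letters of a phrase, checks a password
against the rule in this section (at least 8 characters, a non-letter, a
change of case, not a dictionary word; 20 characters for TrueCrypt), and
works out what must be changed when someone leaves.  The list is read as
CSV in the four-column layout above plus a fifth column, "Known to", naming
everyone who has been given the password; that column is an assumption of
this example, not something the guide specifies.
"""
import csv
import io
import string

# Constructed stand-in for a dictionary file; a real check loads a word list.
COMMON_WORDS = {"password", "letmein", "welcome", "summer2009", "joanjett"}

# Constructed sample list.  Passwords containing a comma must be quoted in CSV.
PASSWORD_LIST_CSV = """\
User name,Password,Song/poem,Description,Known to
JoanJett,"Ilr&r,paditjbb","I love rock & roll, put another dime in the jukebox baby",iTunes store password,Brooke;Sam
admin,"Rrryb,gdts","Row row row your boat, gently down the stream",Network administrator,Brooke
backup,"Tliyl,tliml","This land is your land, this land is my land",Acronis backup encryption,Brooke;Sam;Pat
wifi,summer2009,(none),Office wireless key,Brooke;Sam;Pat
"""


def from_phrase(phrase):
    """First character of each word, keeping any punctuation that ends the word:
    "Row row row your boat, gently down the stream" -> "Rrryb,gdts"."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        rest = word[1:]
        i = len(rest)
        while i > 0 and rest[i - 1] in string.punctuation:
            i -= 1
        out.append(rest[i:])            # trailing punctuation such as ","
    return "".join(out)


def check_policy(password, truecrypt=False):
    """Return the rules the password breaks; an empty list means it passes."""
    need = 20 if truecrypt else 8
    broken = []
    if len(password) < need:
        broken.append(f"shorter than {need} characters")
    if all(c.isalpha() for c in password):
        broken.append("no non-letter character")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        broken.append("no change of case")
    if password.lower() in COMMON_WORDS:
        broken.append("a dictionary word")
    return broken


def years_to_exhaust(length, alphabet=95, guesses_per_second=1e10):
    """Years to try every password of this length over `alphabet` symbols.
    95 is printable ASCII; 1e10 guesses/s is an ASSUMED rate for an offline
    attack on a stolen hash or container, not a measurement.  It shows why
    a container password gets 20 characters rather than 8."""
    return alphabet ** length / guesses_per_second / (365 * 24 * 3600)


def load_list(text):
    """Parse the CSV password list into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_list(rows):
    """{description: broken rules} for every entry that fails the policy."""
    report = {}
    for row in rows:
        broken = check_policy(row["Password"])
        if broken:
            report[row["Description"]] = broken
    return report


def to_rotate(rows, departing):
    """Descriptions of every password the departing person was given.  Each
    must be changed, and changed again wherever else it is stored (the
    backup job that uses the administrator password, for instance)."""
    return [row["Description"] for row in rows
            if departing in row["Known to"].split(";")]


if __name__ == "__main__":
    rows = load_list(PASSWORD_LIST_CSV)
    print(from_phrase("Row row row your boat, gently down the stream"))
    print(audit_list(rows))
    print(to_rotate(rows, "Sam"))
    print(f"8 chars: {years_to_exhaust(8):.3f} years; 20 chars: {years_to_exhaust(20):.2e} years")
```

The brute-force figures make the point behind the TrueCrypt exception: at the assumed rate, every 8-character password over printable ASCII can be tried in days, every 20-character one not in the lifetime of the universe. The audit catches the one entry in the sample list that breaks the rule, and the rotation list is what the ISM works from on someone's last day.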

 

 

A locked space to secure paper files

 

You can invest in new file cabinets, or retrofit old ones (www.cubiclekeys.com advertises this service).

 

Your ISM needs to develop a system for handling the keys. For example, at a Boston mortgage processing company, only two staff people, plus the data manager and the president, need to look at credit reports. All four of them are given a key request form to sign:

 

[-----------------------------------------

Key Request

 

I accept a single copy of the key to the credit report filing cabinets. I will keep the cabinets locked at all times, except when I am standing next to them and taking out or putting in a credit report. Any credit reports which I receive by mail or fax, or print out or take out of the file cabinet, will stay with me until I return them to the locked file cabinet.

 

I will not share my key with any other person, and I agree to return it when I leave the company.

 

 

-------------------------------------------------------]

 

One theme we will emphasize here, and return to repeatedly: data safety is as much a social process as a computer process. For security to work in your organization, you must all respect your security rules. As with tools, we recommend only a few rules, but these few rules must be taken seriously by everybody. For keys and passwords, the rule is: never share your key or password with any unauthorized person, even if you trust them, and they are your friend, relative, or longtime co-worker. Emphasize that this is a safety practice that everyone follows, not an attack on anybody's honesty.

 

 

Use Winzip encrypted files or TrueCrypt containers to secure computer files

 

WinZip is a respected, mature program that lets you encrypt your files using strong encryption. Be sure to choose its AES encryption rather than the older "Zip 2.0 compatible" encryption, which is weak, and remember that the names of the files inside an encrypted zip are still visible to anyone who opens it, so don't put PI in file names. We think that for business uses it is easier to use than TrueCrypt, and less prone to careless mistakes.

 

Having said that, TrueCrypt is a versatile, well-respected, free program that creates a new drive on your computer, with a letter you pick, which you can use like any other drive: copy files to it, delete files, create folders and subfolders, copy whole folder trees from your data. Once you dismount the drive, all that remains is an ordinary file whose contents look like random data. When you mount it again with the password, it becomes the drive again and you have access to all the files. Two cautions: everything in the container stands or falls with that one password, so back up the container, and record the password in the password list, before you rely on it; and TrueCrypt's own development ended in 2014, so a new installation today should use its maintained successor, VeraCrypt, which can open TrueCrypt containers.

 

 

 

Tolvanen's Eraser

 

Tolvanen's Eraser (http://www.tolvanen.com/eraser/) is a free, widely used program that securely deletes files by overwriting them before removing them, so that an ordinary undelete tool, or an IT professional with fancy recovery tools, cannot get them back. Two caveats: overwriting only helps where the new bytes land on top of the old ones, so it gives no such guarantee on solid-state drives or for copies the system made on its own (temporary files, shadow copies, your backups); and a plain delete, including emptying the Recycle Bin, removes nothing but the name.
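To make concrete what an eraser does and where its guarantee ends, here is an added Python example (not Eraser's code and not from the original guide) that overwrites a file with random bytes, forces the writes to disk, renames the file and only then deletes it, refusing anything that is not an ordinary file. The file it erases is a constructed stand-in for the exported password list mentioned above.

```python
"""Overwrite-then-delete (added example; not Eraser's code and not from the
original guide).  Overwrites a file in place with random bytes, forces the
writes to disk, renames the file and only then removes it, refusing anything
that is not an ordinary file.

Caveat that applies to Eraser too: this only helps where the new bytes land
on top of the old ones.  Solid-state drives, file-system journals, shadow
copies and the backups this guide tells you to keep can all hold another
copy, so erasing is one layer; keeping the data encrypted is the other.
"""
import os
import tempfile
from pathlib import Path


def secure_delete(path, passes=3, chunk=1 << 16):
    """Overwrite `path` `passes` times, then unlink it.
    Returns the number of bytes overwritten in each pass."""
    target = Path(path)
    if target.is_symlink() or not target.is_file():
        raise ValueError(f"refusing to erase {target}: not a regular file")
    size = target.stat().st_size
    with open(target, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # make the drive, not just the cache, take the bytes
    # Rename to a random name first so the original name is less likely to
    # survive in the directory after the unlink.
    scrambled = target.with_name("." + os.urandom(8).hex())
    target.rename(scrambled)
    scrambled.unlink()
    return size


def demo():
    """Erase a constructed stand-in for an exported password list; returns
    (bytes overwritten per pass, file gone?, directory refused?)."""
    with tempfile.TemporaryDirectory() as folder:
        export = Path(folder) / "passwords-export.csv"
        export.write_bytes(b"User name,Password\nJoanJett,Ilr&r,paditjbb\n")
        wiped = secure_delete(export)
        gone = not export.exists()
        try:
            secure_delete(folder)           # a directory: must be refused
            refused = False
        except ValueError:
            refused = True
    return wiped, gone, refused


if __name__ == "__main__":
    print(demo())
```

The refusal check matters more than the number of passes: the damage an eraser can do when pointed at the wrong thing is permanent, which is also why the guide insists on tested backups before any of this.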

 

 

Security Guide

 

Security Guide Summary:

 

1. Back up your data and your system. Test your backups regularly. Keep some of your recent backups offsite.

 

2. Use tough passwords.

 

3. Use good anti-spyware and anti-malware software on your computer. Download them from the links provided here, to make sure you're getting the legitimate programs.

 

4. Keep your Windows and programs updated.

 

5. Use strong encryption. Never encrypt unless you have good backups.

 

 

 

The Basics:

 

You’re attaching your machine to the Internet for the first time, or you’ve just cleaned out your machine, and you want to make it safe.

 

Here’s one simple approach that gives substantial protection:

 

Back up your data thoroughly and check your backup carefully. At least one recent backup should be tested and then taken offsite, and we strongly recommend you keep more than that. Check your backup: are all the subdirectories there? Does the number of files make sense? Does the size look right? Can you open a recent document? If you haven't already, contact us, or another qualified support team, for help in developing a full backup plan that makes sense for your system and your life. We strongly recommend a system that does cross-backing up between two machines, if this is possible. Consider using a backup log to keep track of your backups and their locations.

 

We are now strongly recommending that all customers "image" their machines, using Acronis True Image or Norton Ghost. The one we use most often is Acronis True Image 2009 Home (http://www.acronis.com/), about $50. Acronis makes an exact copy of your entire hard disk and stores it on an external hard drive, so it can be quickly and correctly recovered in the event of a hard disk crash or a serious malware infestation. The Seagate FreeAgent drives are decent drives. The FreeAgent Go drives are the size of a deck of cards and use just a USB cable; get a 500 GB drive, now about $120. This is the simplest, least expensive way to protect your machine from data loss, virus infestation, and hard drive failure.

 

In addition to providing an extra layer of backup, this procedure can save many hours of reinstallation work in the event of a hard disk crash or infection, and can be programmed to be done automatically. Ask us about specific suggestions for doing this kind of backup. The short version of our advice: we recommend that you schedule a full backup each day to an external drive, and be sure to make a recovery boot disk. The dailies will overwrite each other once a week; also schedule a monthly backup that won't be overwritten until next month. In our office, we use two drives, and swap one of them offsite each week, after we've tested to make sure the backup really worked. Test the backup by "mounting" the backup, and opening a recent file.

 

We use Winzip 12 with strong encryption to make a vital data backup to a flash drive daily. We use two flash drives, and alternate them each day, and carry them with us. This prevents us from being too dependent on Acronis, and makes for an easy offsite backup.

 

It's a good idea to have the CDs for the critical programs you use, like MS Office and Autocad. Make copies of the critical ones, and keep the copies offsite with your backup.

 

 

Dealing with slowness:

Many computers are running more programs than they need. Try Start, Run, msconfig, and go to the Startup tab. Uncheck programs that look unnecessary (this is a bit of an art, but you can err on the side of turning things off; you can always turn them on again). We google the program names if we don't know what they are. Hints: be sure not to turn off your antivirus program (ask for help if you don't know; programs starting with cc are Norton apps), and don't turn off ctfmon.

 

A brief note about “phishing”:

Many smart people have been victimized by organized crime rings using computers to elicit bank or other financial info. "Phishing" is fooling the user into thinking an evil website or email is a safe one.

 

Most antivirus programs and browsers have some antiphishing features. We also recently started using OpenDNS (www.opendns.org), a free service that blocks known phishing sites before your browser can reach them. It only blocks sites already on its list, so it supplements a suspicious mind rather than replacing it. You can also use this service to filter out porn and other inappropriate content.

 

These phishing people are very sophisticated. Have a VERY SUSPICIOUS MIND when it comes to giving out information on the web. I feel safe using my browser to go to my bank and credit card sites. But I don't feel safe responding to an emailed link, or a link on a site I'm visiting for the first time, if it has to do with money. To get a flavor of what's going on, check out SonicWALL's phishing test: http://www.sonicwall.com/phishing/. Using Firefox gives you some extra protection. We recommend that you use Adblock Plus with Firefox to avoid attacks carried by banner ads.

 

Passwords:

Make sure all your passwords are STRONG passwords. If you’re like us, you use passwords a lot. If you don't choose a tough password, a kid with a password cracking program may be able to get access. There are a lot of kids out there with these programs, so good habits with ALL your passwords will make your work safer. Here’s the method we use and recommend:

 

Passwords should be at least eight characters long. Generate a password by taking the first letters of the words of a song, poem or saying. Make at least one of the letters uppercase and include a punctuation mark. For example, "Tliyl,tliml" (This land is your land, this land is my land).

This is very hard to crack, and is easy to remember. But be sure to put the password and the song in a password list (see below), as one’s memory tends to fade over time.
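
As an added illustration (not code from the original guide), here is the first-letters method in Python, together with a check of the three rules stated above: at least eight characters, an uppercase letter and a punctuation mark. The function names are my own; the phrase used is the guide's own example.

```python
import string

# Added example, not part of the original guide: the "first letters of a
# song line" password method plus a check of the guide's three rules.


def mnemonic_password(phrase):
    """Take the first letter of every word, keeping the punctuation that
    follows a word (the comma in "land," survives), so the result matches
    what you would write out by hand."""
    parts = []
    for word in phrase.split():
        core = word.strip(string.punctuation)               # letters only
        trailing = word[len(word.rstrip(string.punctuation)):]  # "," or ""
        if core:
            parts.append(core[0] + trailing)
        else:
            parts.append(trailing)        # a token that is pure punctuation
    return "".join(parts)


def policy_problems(password):
    """List which of the guide's rules a password breaks (empty = fine)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation mark")
    return problems


def meets_policy(password):
    return not policy_problems(password)


if __name__ == "__main__":
    pw = mnemonic_password("This land is your land, this land is my land")
    print(pw, "ok" if meets_policy(pw) else policy_problems(pw))
```

Keep the song title next to the result in your password list, as the next paragraph advises; the script only shows that the method is deterministic and that the example passes all three rules.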

Use Excel to keep your password list, and then protect it with a master password (Save, Tools, General Options, Password to open). Although not absolutely secure, this will protect your passwords from anyone who is not seriously determined and trained. Print out the list monthly (these lists are always growing) and keep a copy of the list offsite, accessible by someone you trust. Make sure the printout includes your master password. For home and home office users, we strongly recommend you regularly give an updated copy to your executor and other trusted close friends, who will come in to help you if you are ill or worse.

Make sure your insurance covers the replacement value of your computers. Some homeowner's insurance limits coverage of computers used for work. Inventory your computers, keeping a detailed list. This will help you negotiate with your insurance adjuster in case of a loss, since you will be able to make a very clear and well-documented list of what you lost.

If your homeowner's insurance is not enough, and they won't sell you a reasonable "rider" to cover all your equipment, try 1-800-SAFEWARE, an insurance company dedicated to computer coverage. We use them, even though we have some business insurance coverage for our computers, since we figure that they will understand computers better, and reimburse us properly in the event of a loss. They charge about $100/year for $5000 worth of computer equipment, and have a good reputation among computer people.

And now the software steps:

0. If you have a wireless router, or your provider gave you one, and you do not need wireless, disable the wireless feature if possible. Unfortunately some routers won't let you do this (Netgear, for example); on older models, we solve this by unscrewing the wireless antenna and putting it aside. Linksys does let you turn off the wireless, which is one of the reasons we tend to use Linksys routers instead of Netgear. We recommend you remove the antennas EVEN if you have disabled wireless, since if the modem gets accidentally reset, the wireless will turn back on again. If you are using wireless, also see the notes on "Wireless security" at the end of this document.

1. Go to www.grc.com and choose "Shields UP". You'll get a long list of offerings; choose "Shields UP" from that list too. Steve Gibson, a well-known security expert, will ask your permission to scan your machine; click "Proceed". Then choose "All Service Ports". Steve's system will scan all your external ports. They should all come up as "stealth", shown in green, and it should then tell you that you passed the true stealth analysis. Almost all computers these days pass this test; let us know if yours doesn't.

The reason most computers pass is that your computer is usually being "NATed" on the internet: your router (and your service provider's router) runs interference for you by Network Address Translation, hiding your computer's private address behind its own public address. You can double-check this by going to Start, Programs, Accessories, Command Prompt and typing "ipconfig". It will tell you that your IP address is 192.168.1.something or 192.168.0.something. This means your machine has an address that cannot be reached directly from the internet. This is very good, and prevents many kinds of attacks.
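
A small added example, not from the original guide, that automates the ipconfig check above. It parses ipconfig output (a constructed sample is embedded; the adapter names and addresses are made up) and classifies each address. It goes a little beyond the text by recognizing all three RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) rather than only 192.168.x.x, and by flagging a 169.254.x.x link-local address, which means the machine did not get an address from the router at all.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of "ipconfig" output (Windows XP style); adapter names
# and addresses are made up for this example.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.104
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 169.254.10.2
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# The three RFC 1918 private ranges: a machine with one of these addresses
# sits behind NAT and cannot be reached directly from the internet.
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
# Windows assigns 169.254.x.x itself when no DHCP server (router) answered.
LINK_LOCAL = ip_network("169.254.0.0/16")

ADAPTER_RE = re.compile(r"^\S.*?adapter (.+):\s*$")
# XP prints "IP Address. . . :", Vista and later print "IPv4 Address. . . :"
ADDRESS_RE = re.compile(r"^\s*IP(?:v4)? Address[ .]*:\s*([0-9.]+)")


def classify(addr):
    """Return 'private', 'link-local' or 'public' for a dotted IPv4 string."""
    ip = ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public"


def parse_ipconfig(text):
    """Return a list of (adapter, address, verdict) for every IP address line."""
    results = []
    adapter = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            continue
        m = ADDRESS_RE.match(line)
        if m:
            results.append((adapter, m.group(1), classify(m.group(1))))
    return results


def behind_nat(text):
    """True when every adapter that got an address got a private one."""
    verdicts = [v for _, _, v in parse_ipconfig(text) if v != "link-local"]
    return bool(verdicts) and all(v == "private" for v in verdicts)


if __name__ == "__main__":
    for adapter, addr, verdict in parse_ipconfig(SAMPLE_IPCONFIG):
        print(f"{adapter}: {addr} ({verdict})")
    print("behind NAT:", behind_nat(SAMPLE_IPCONFIG))
```

To check a real machine, save the command's output (ipconfig > out.txt) and pass the file's contents to parse_ipconfig; a "public" verdict is the case the next paragraph tells you to get help with.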

If your machine does not behave as above, call us or another qualified support group to discuss remedies. You will probably need to buy a "firewall router", an inexpensive device that does the blocking you need.

2. Go to www.microsoft.com and run Microsoft Update. If you have XP or newer, set updates to automatic; otherwise, do this weekly. Note the (irritating) difference between "Windows Update" (which just updates Windows XP or Vista) and "Microsoft Update" (which updates XP/Vista and all your MS Office programs). Be sure to choose "Microsoft Update" when setting this up, so that your Office programs get the latest patches.

3. Make sure you have up-to-date antivirus.

If you don't have antivirus, or yours is more than a year or so old, get AVG from www.grisoft.com. You can get free AVG from http://free.grisoft.com/doc/1. Note that if you are a business, or have several machines on a network, you must buy the commercial version. Download the program and do an update; it will then update and scan daily automatically. Be sure to check the rootkit checker under scanning options.

If you use a different product (for example, Norton antivirus), make sure it is updating correctly by checking the virus definition dates. Note that Norton "ages" quickly-- if you have Norton 2005 or even 2006, it is too old; you should get the latest version. AVG does not suffer from this problem-- both the program and the signatures are continually updated, provided you renew every two years.

4. Use Firefox as your browser, from www.mozilla.com. You may find websites that don't work very well (for example, drop-down menus don't work); for those, use Internet Explorer. But for most sites, use Firefox, which is more secure. Firefox also lets you use zotero.org's filing system, created by librarians for research. I have really enjoyed using this; check it out at zotero.org. If you use it in earnest, be sure to move the data directory to th. Let us know if you need more information about this.

5. Clean out your Temporary Internet Files regularly: in Internet Explorer, Tools, Options, General, Temporary Internet Files, Delete. For Firefox, Tools, Options, Privacy, and then use the "Settings" button to set your Clear Private Data options.

6. Spam prevention: your provider may do some filtering for you.

If you are using Outlook, you can also use SpamBayes (http://spambayes.sourceforge.net/).

These steps provide quite good protection. For an additional layer, which we strongly recommend, do the following:

The Strengthening Layer:

I strongly recommend you use these programs. Put them in a Tools directory on your C: drive, so you have them if you need them.  To get these programs, please use the links I've provided--there are a lot of evil lookalikes on the web that try to trick you into downloading bad programs that sound like good programs.

These are free programs. Users of Spybot are encouraged to donate $10 to this amazing volunteer effort; there is a donation link in the program.

HijackThis:
http://www.download.com/3001-8022_4-10781312.html?spi=6336876acc4cfef666906a5c3aedec2e

I strongly recommend you install this program and run it, and save and date the log it makes. If you have an infection, this will be very useful for tracking it down. It does a "baseline" of what is running on your computer. If you suspect that you have a virus, you can run another scan, and compare the log files, and zero in on the problem.

Usage notes: run it and save the text file it produces, with the date.
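
The baseline-and-compare idea above (and the msconfig startup review earlier in this document) can be automated. The following is an added example, not part of the original guide and not a HijackThis feature: it takes the text of a saved baseline log and a later log, ignores the header lines that change on every run, and lists which entries appeared or disappeared. Both logs are constructed for the example; the paths, the start page and the "example_unknown" entry are made up, while the Norton "ccApp" entry and ctfmon echo the hints given earlier.

```python
import re

# Added example, not from the original guide or HijackThis: diff two saved
# logs. Both logs are constructed; names and paths are made up, and the
# "example_unknown" entry stands in for an item you would investigate.

BASELINE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:12 AM, on 3/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LATER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:30 PM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\user\Local Settings\Temp\example_unknown.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [example_unknown] C:\Documents and Settings\user\Local Settings\Temp\example_unknown.exe
"""

# Lines worth comparing: scan items (R0-R3, F0-F3, O1-O24 ...) and running
# process paths. Header lines such as "Scan saved at ..." change on every
# run and would only add noise.
ENTRY_RE = re.compile(r"^(?:[RFO]\d+ - |[A-Za-z]:\\)")


def entries(log_text):
    """The set of comparable lines in one log."""
    return {line.rstrip() for line in log_text.splitlines() if ENTRY_RE.match(line)}


def compare_logs(baseline_text, current_text):
    """Return (added, removed): items only in the new log, items that vanished."""
    base, cur = entries(baseline_text), entries(current_text)
    return sorted(cur - base), sorted(base - cur)


def report(baseline_text, current_text):
    """Human-readable summary, '+' for new items and '-' for missing ones."""
    added, removed = compare_logs(baseline_text, current_text)
    lines = [f"+ {e}" for e in added] + [f"- {e}" for e in removed]
    return "\n".join(lines) if lines else "no changes since baseline"


if __name__ == "__main__":
    print(report(BASELINE_LOG, LATER_LOG))
```

Run it against your own dated baseline and a fresh scan: a changed start page or a new Run entry pointing into a Temp folder is exactly the kind of item to look up before deciding what to do.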

Malwarebytes and Superantispyware:

Two of the best malware cleaners: www.malwarebytes.com and www.superantispyware.com. Install them and update weekly. You don't need to scan unless you suspect your machine is infected. Keeping them updated means you'll be ready in case your machine is hit.

Wireless security:

If you have a wireless router, and you don’t use the wireless feature, disable the wireless capability.

I recommend you avoid using wireless unless it makes your life substantially more wonderful, as it almost always introduces hassles and security risks.  Instead, have a good electrician put in cable for you. That’s what we did in our office, and we’ve had many years of safe, trouble-free networking.

But sometimes wireless is helpful. If you do use wireless, do the following. I am depressed to inform you that, as of this writing, these features sometimes slow down or stop the network from working; use as many of them as you can:

When creating passwords, be sure to follow the password guidelines in the list of basic steps at the beginning of this document.

-1. (We give this advice whenever you're about to do anything.) Make sure all your data is thoroughly backed up. Then, if possible, encrypt any highly sensitive data.

0. Make sure Windows is fully updated.

.5 Under Administration in your router, password-protect the router itself. This means that you will need a password to get into the router control panel from now on. This is good, since it means that OTHER people will need a password to mess around with these vulnerable settings. One of my customer's neighbors forgot to password his router, and I turned off his wireless functionality by accident, thinking I was in my customer's control panel. This would not have been possible had the neighbor passworded his router. Note that this is different from encryption, which is discussed below.

1. If your router is not new, update your router firmware. You may want to consider doing this even with a new router, but sometimes the newest releases can cause problems as well as solve them, so follow your gut on this one.

2. Disable software firewalls while getting things set up, and re-enable them afterward. Often you can skip disabling firewalls and everything works; use this step if you're having trouble.

3. If you do file sharing, share as little as possible, and encrypt as much as possible.

4. Use WPA authentication and AES encryption. Note that "WEP" encryption now has a reputation for being too weak to provide decent protection.

6. Some routers let you prevent machines on the wireless network from sharing with each other. Use this block, unless you need to share.

7. Get the latest driver for your wireless card from the vendor, but see step 1 for a caution about this.

8. If you don't plan to have guests often, use MAC address filtering; this restricts users to those you choose, by the unique address reported by their network card. Most routers have a feature that lets you add the machines currently connected to the "allow" list. Use this feature, as MAC addresses are frustrating to enter manually. This feature is a nuisance if you have frequent guests.

9. For the SSID, it is probably best to keep broadcasting enabled, so people know what channel you are on; disabling broadcasting does not add much security, and it can cause other problems.

10. If you often lose your connection, try using channel 11 instead of the default channel 6.

11. Use user privileges to limit access to your files.

12. Use the Word or Excel password feature to password-protect highly sensitive files. This won't stop a determined person, but it provides an extra layer.