Nigerian Spam

Basic Security Concepts

Three basic security concepts important to information on the internet are confidentiality, integrity, and availability. Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.

When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors’ offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes.

Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting.

Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need. Availability is often the most important attribute in service-oriented businesses that depend on information (for example, airline schedules and online inventory systems).

Availability of the network itself is important to anyone whose business or education relies on a network connection. When users cannot access the network or specific services provided on the network, they experience a denial of service.

To make information available to those who need it and who can be trusted with it, organizations use authentication and authorization. Authentication is proving that a user is the person he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as a “smartcard”), or something about the user that proves the person’s identity (such as a fingerprint). Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program.

Authentication and authorization go hand in hand. Users must be authenticated before carrying out the activity they are authorized to perform. Security is strong when the means of authentication cannot later be refuted—the user cannot later deny that he or she performed the activity. This is known as nonrepudiation.

These concepts of information security also apply to the term information assurance; that is, internet users want to be assured that

  • They can trust the information they use
  • The information they are responsible for will be shared only in the manner that they expect
  • The information will be available when they need it
  • The systems they use will process information in a timely and trustworthy manner

In addition, information assurance extends to systems of all kinds, including large-scale distributed systems, control systems, and embedded systems, and it encompasses systems with hardware, software, and human components. The technologies of information assurance address system intrusions and compromises to information.

Cyber Security Guidance

FOR EMPLOYEES

  • Make your passwords complex. Use a combination of numbers, symbols, and letters (uppercase and lowercase).
  • Change your passwords regularly (every 45 to 90 days).
  • Do NOT give any of your user names, passwords, or other computer/website access codes to anyone.
  • Do NOT open e-mails or attachments from strangers.
  • Do NOT install or connect any personal software or hardware to your organization’s network or hardware without permission from your IT department.
  • Make electronic and physical back-ups or copies of all your most important work.
  • Report all suspicious or unusual problems with your computer to your IT department.

FOR MANAGEMENT & IT DEPARTMENT

  • Implement Defense-in-Depth: a layered defense strategy that includes technical, organizational, and operational controls.
  • Establish clear policies and procedures for employee use of your organization’s information technologies.
  • Implement Technical Defenses: firewalls, intrusion detection systems, and Internet content filtering.
  • Update your anti-virus software daily.
  • Regularly download vendor security “patches” for all of your software.
  • Change the manufacturer’s default passwords on all of your software.
  • Monitor, log, and analyze successful and attempted intrusions to your systems and networks.

What You Can Do to Protect Yourself

While EULAs rarely attract the kind of attention lavished on viruses or phishing schemes, they are an important consideration when managing the security of your computer and private information. The following sections present recommendations for protecting yourself from the security and privacy problems associated with EULAs.

Read the EULA
This is the most important step you can take: Before installing any software, take the time to read its EULA. While you might incur a half hour of boring reading, doing so can spare you security and privacy headaches.

If the EULA is lengthy or you find it difficult to read in the installation interface, copy it into a word processing document, quit the installation, and carefully read the agreement before proceeding. Make sure you understand the agreement’s terms and conditions, and that you agree with them. Contact the software publisher with any questions you might have or if you need clarification about any specific points.

Packaged software purchased off the shelf can present something of a catch-22: How can you agree to the terms and conditions of the EULA when the package states that breaking the shrink wrap constitutes agreement? To get around this problem, consult the software publisher’s web site. Software publishers often make their EULAs available online. Note the version ID or number and other pertinent information from the packaging to help ensure you read the EULA for the specific version of the software. Contact the publisher directly if you cannot locate the EULA for the software you’re interested in.

Consider the Software Publisher
While there is no guarantee you will agree to the terms of any given EULA, established software publishers that have built strong business reputations are less likely to engage in questionable business practices. This includes unusual, misleading, or camouflaged terms and conditions in the EULAs governing the use of their software. You should not, however, use a company’s strong business reputation as an excuse for not reading its EULA. A company’s good corporate reputation does not mean you will necessarily agree with the terms and conditions of its software.

When dealing with software published by a company or organization with which you’re not familiar, you may want to review its software EULAs with added scrutiny. Particular vigilance is recommended when the software is bundled with other software from third-party publishers. Be prepared to read the EULAs for third-party components when necessary.

Beware of Firewall Prompts When Installing Software
During installation, if your personal firewall generates a prompt asking whether you want to allow certain inbound or outbound connections, proceed with caution. You should verify that the software requires changes to your firewall settings for normal operation, and that you are comfortable with this operation. For instance, the EULA may require you to allow monitoring of your activity, access to specified directories (as in file-sharing programs), or use of your computer’s resources. These provisions may require the opening of holes in your personal firewall.

Note, however, that in the case of bundled software, EULAs requiring you to allow monitoring, directory access, etc. may not be in the primary software’s EULA. These EULA requirements may be in the third-party software EULAs.

Firewall prompts may also be a sign that rogue software has been bundled into the software package you’re installing. This was the case in the file-sharing Trojan horse discussed earlier. If you’re in doubt about whether to change your firewall settings based on prompts received during software installation, consult the software’s user or installation guide. If no guide is available, or if you are still unsure about allowing the traffic through your firewall after consulting it, contact the software publisher before making any changes.

Note that some personal firewalls include options to allow one-time or case-by-case connections. This option may be useful if you are reasonably certain about the legitimacy of a request. For instance, some software attempts to connect to a server during the registration process. If you are comfortable with this request, you can approve the connection for the purposes of registration, but deny all future connections.

Beware of “Free” Software
The old saying tells us “there is no free lunch.” This applies to software. Many “free” software programs, such as the file-sharing programs discussed earlier, often exact a non-monetary charge for their use. This non-monetary charge is detailed in the EULA and specifies what you must allow or provide in exchange for use of the software. This may include mandatory installation of components that compromise your security and/or privacy.


Nigerianspam.com is dedicated to all the hardworking people who have been scammed by spammers or 419 scam frauds. Although our site concentrates on providing awareness of Nigerian 419 spam (scam), scam baiting, advance fee fraud, and scam phishing, we also deal with other types of fraud such as letter spam, e-mail scams, and lottery spam. You can go through our scam baiting tips; they are an amazing way to deal with a spammer or scammer.
