All posts by Steve

How to protect your email account

Email has become very important for most people, and a lot of sensitive data is nowadays handled over email. Unfortunately, almost everyone receives a lot of unwanted emails marketing useless products, as well as fake emails trying to fool people into disclosing passwords or installing malware on their computers. Safeguarding your email account has become very important. Here is a short article explaining how to protect your email account.

First of all, try to keep your email address secret. It is virtually impossible to avoid spam, but by not publishing your email address, the daily amount of spam can be kept to a minimum. Be aware that a lot of spammers are searching the Internet for email addresses, so never put your primary email address onto a web page. This also includes posts to social media: don’t put your email address into the post itself and don’t have it in your signature. If you want to sign up for freebies on the Internet, create a second email account and use it when signing up for lists. It is generally best to use one of the big web mail providers, such as Gmail or Yahoo, for such email accounts. They have good spam filters which automatically move suspicious emails into the spam folder.

Needless to say, you should always use strong passwords for your email accounts. Don’t be lazy: use long passwords containing special characters and digits. You should also use a unique password for each of your accounts. This includes accounts for social media, eBay and other web sites. Many programs let you save your login details, but never save your passwords in the email client or web browser. If someone gets hold of your computer, they can access your accounts. Obviously, if you are using a shared PC for reading your emails, make sure not to save any account information, and erase any cached information. Better still, don’t use a shared computer to access your emails.

Also make sure to change your passwords regularly. Many email programs still send login details, including passwords, unencrypted across the network. This has never been a good idea, and on unsecured WiFi networks it is definitely not advisable to log in to email servers that don’t support encryption. Many places, such as hotels, bars and pubs, offer free WiFi access for their customers. But security is often poor, and nothing prevents a hacker from running a sniffer program which collects login details. If you are sending login details, make sure that the connection from your laptop is encrypted. If you are using a web browser, this means you should use the https protocol rather than the standard http protocol. Fortunately, most of the popular Internet sites, such as Yahoo and Facebook, use the https protocol for logins by default. Note that this also applies to smartphones: checking your emails on your smartphone over an unsecured WiFi network sends the login details across the network unencrypted.

Unfortunately, it is very easy to send forged emails. Most people get emails pretending to come from UPS, the IRS, the FBI, CitiBank, PayPal etc. Sometimes the emails include links that are supposed to be used to log in and verify your account details. But the link does not go to the real web site; instead, the hackers have set up a web site that looks the same as the real one, for collecting the login details. Other emails contain attachments which are supposed to include important information. Instead, they contain malware. Never execute any files that you receive by email unless you are 100% sure who sent you the email. You should use a virus scanner; they are not foolproof, but they will recognize virtually all known threats.
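The link trick described above can be checked mechanically: the visible text of a link names one site while the href points to another, uses plain http, or goes to a bare IP address. The following is an added example (not code from the original post) that runs such checks over a constructed sample message; the domain comparison uses a crude last-two-labels rule rather than the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): one link whose visible
# text names PayPal but whose href points elsewhere, one legitimate link, and
# one link to a bare IP address.
SAMPLE_EMAIL = """<html><body>
<p>Your account has been limited. Please verify it here:</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
<p>or contact <a href="https://www.paypal.com/help">PayPal help</a>.</p>
<p><a href="http://203.0.113.5/update">Click here</a> to install the update.</p>
</body></html>"""

# A host name that appears in the visible link text, with or without scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. A real tool would consult the public
    suffix list; this approximation is enough for the constructed sample."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html):
    """Return (finding, href, visible_text) triples for suspicious links."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue                      # mailto:, tel:, relative links: skip
        host = url.hostname or ""
        if url.scheme == "http":
            findings.append(("plain-http", href, text))
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(("domain-mismatch", href, text))
        if IPV4.fullmatch(host):
            findings.append(("ip-address-host", href, text))
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(*finding, sep="\t")
```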

You should backup your emails regularly. This protects you not only against hackers but also against hardware failures. Here you can learn more about how to back up your computer.

VOIP Security Issues

Voice over IP (VoIP) has become very popular. The main reason for the success of VoIP is lower costs for telephone calls but VoIP offers several other advantages over the old PSTN based telephone lines. With the increased use of VoIP, security has become much more important. Here is an overview of common VoIP security issues.

VoIP is taking over from the traditional PSTN, packet-switched telephone network, phone services. Not only does VoIP cut costs, but it also offers additional features compared with the old telephone lines. Typically, features such as voicemail and teleconferencing are included. VoIP telephones can be either a softphone, which is software running on a computer, or a normal telephone which is connected to an IP network rather than the traditional phone network. Softphones are very handy for professionals who are often on the road. VoIP allows them to use their laptop as a phone. This makes it possible to work from home or from any place with a fast and reliable Internet connection.

Of course, VoIP also has some disadvantages. First, a fast and reliable Internet connection is necessary. This is nowadays seldom a real problem. But the quality of service is a potential problem, regardless of what kind of local Internet connection is being used. In the old PSTN networks, once a connection had been set up, the quality of the service was guaranteed. Even if some hiccups happened once in a while, the service was reliable. Standard VoIP does not guarantee anything; it works on a best-effort basis. Packets can be lost or received out of order. Thus, VoIP calls may suffer from jitter and significant latency.

But security may be the most serious problem with VoIP. While eavesdropping on PSTN telephone lines required wire-tapping, and thus access to the physical telephone line, VoIP calls can potentially be relatively easy to record.

One problem is that VoIP communication is by default not encrypted. There is no protection against unauthorized access to the communication. This is a major problem for many organizations. Not only is it possible to eavesdrop, a sophisticated attacker could even alter the packets. A number of solutions have been developed. Unfortunately, most of them require that everyone is using the same product.

Since VoIP is still a relatively new technology, a number of security issues still need to be solved. One company had increased its profits by illegally routing VoIP traffic through their network and charging the clients for the traffic. The fraudsters were not interested in eavesdropping on the traffic, they just made sure that the packets got directed into their network so they could charge for the traffic.

In many ways, securing VoIP networks is not much different from securing standard data networks. Physical access to the network equipment and cabling must be limited. For firewalls, VoIP creates a couple of new challenges. The main problem is that traditional scanning of the packets takes too long. But newer firewalls are VoIP aware and generally handle VoIP traffic without causing any major hiccups.

In order to keep up with security issues, VoIP telephones need to be patched regularly. This can be a problem in organizations that have given the administration of the VoIP telephones to the same staff that used to manage the traditional phones. In some cases, the default update procedure for VoIP telephones is not secure.

The security of VoIP is also dependent on the overall network security. If the network security is weak, VoIP will be vulnerable as well. Additionally, the security of softphones is dependent on the security of the operating system of the computer. It is also worth noting that VoIP is vulnerable to denial-of-service attacks. A successful DoS attack may take down an organization’s complete telephone service.

Another potential problem is SPIT, spam over IP telephony. It is easy for sophisticated spammers to send out unsolicited messages to VoIP telephones. This could also be used for DoS attacks. Fortunately, firewalls can be used to control SPIT. But it is still too early to say how large a problem SPIT will become for VoIP users.

PKI, Public Key Infrastructure, Overview

Secure encryption has until lately relied on secret keys. The encryption itself is typically very strong; the problem is how to securely distribute the keys. This is already difficult if only two parties are involved; with more than two parties, the risk that the key gets compromised increases drastically. Public key encryption has no secret key that needs to be distributed. This has made public key encryption very popular on the Internet.

Public key encryption uses two different keys, one public key and one private key. As the name implies, the private key is kept secret and is only known by the owner. The public key, on the other hand, can be freely distributed. That the public key is known by third parties does not pose a security problem. This makes it very easy to distribute the public key; all that is needed is a public key infrastructure. Even though the public key is not secret, some management of the keys is necessary. It must be possible to identify the owner of the private key, and the owner may need to revoke a key.

In public key encryption, one key is used to encrypt the message and the other key is used to decrypt the message. The two keys are mathematically related. If the private key is used to encrypt the message, it can be decrypted with the public key, and you know that only the owner of the private key can have encrypted the message. If the public key is used to encrypt the message, only the owner of the private key can decrypt the message. It is also possible to both sign and encrypt a message that you send. You simply sign the message using your private key and then encrypt the message, including your digital signature, using the recipient’s public key.

A public key infrastructure needs some kind of trusted authority. This authority tries to verify the identity of the people who request keys from it. Users want to be sure that they are communicating with their bank and not with a fake site that has created a certificate with the name of the bank. The central authority can also revoke keys. This is very important in case a private key has been compromised. At the same time, it is very important that no malicious revocation of private keys is allowed. The system would quickly collapse if one person could revoke keys he does not own.

The most widely used PKI standard is X.509, which was created back in 1988 by the ITU, the International Telecommunication Union. The standard belongs to the X.500 family of protocols. The X.509 standard has a hierarchical system of certificate authorities. This hierarchical system has later on been replaced with a structure that supports other topologies as well.

The certificate authorities manage the digital certificates. The digital certificates are based on public key encryption. They contain the owner’s name and public key plus some other information, such as an expiration date. The digital certificate also contains information about the issuer, the certificate authority, also known as the CA.

SSL (Secure Sockets Layer) certificates are used to ensure that the data you send to a website is encrypted and that you are communicating with the right website. SSL certificates are issued by CAs and placed on the web server. This allows browsers to verify that they are communicating with the right site and to encrypt the communication between the browser and the website.

Note that all browsers come with the public keys of several CAs. The browser will always trust certificates issued by these CAs. If your browser did not have any pre-loaded CAs it could trust, it would not be possible to verify whether an SSL certificate was real or not. If the website you are visiting has a certificate issued by one of the CAs your browser trusts, it will also trust the website. But if the certificate is issued by a CA that your browser does not know, it will check the certificate of that CA. If it has been issued by one of its trusted CAs, your browser will trust this CA as well.

What is Computer Forensics

Computer security has become very important, and one of its most important fields is computer forensics. Computer forensics is defined as the acquisition, preservation and analysis of electronically stored information in such a way that it can be used in a court of law. This generally boils down to trying to figure out what happened, when it happened and who did it. Computer forensics has even become popular in fiction, but here we are going to discuss activities in the real world.

Computer forensics is very interesting, and since new technology is introduced all the time, the methods have to be refined to keep up with the changes. Investigations can be divided into two types. In the first category we have the investigations where computers were used to commit a crime. In the second type, the computer was the target of the crime.

Forensic investigators follow a standard set of procedures to ensure that their findings can be used as evidence in court. Often this includes working on a digital copy of the data while the original is stored in a secure place. All this is done to avoid getting the evidence declared invalid by the court just because the correct procedures were not followed. Computer forensics can require as much legal skill as technical skill.

Nowadays, there are plenty of tools for computer forensics investigations. There is no need to develop your own tools. This means that the technical skills needed for computer forensics are relatively easy to acquire.

The International Society of Forensic Computer Examiners has a computer forensics certification, the Certified Computer Examiner (CCE) certification. It is not well known outside computer forensics, but it is the only certification and has been around since 2003.

Of course, being able to recover data from crashed hard disks is a useful skill also outside legal courts. Often crashed disks contain important data that has not been copied to other locations. While end users are seldom capable of recovering the data, people with the right tools and skills can in many cases recover most of the data. A lot of clients are prepared to pay generously to get their data back.

Computer forensics experts can also find data that has been deliberately deleted. In most operating systems, when you delete a file, the file handle is removed but the data still remains on disk. The operating system can’t find it, since the file handle does not exist anymore, but the data has not been overwritten on disk. For most operating systems, recovery tools exist that can restore deleted files, as long as the data has not been overwritten. But if the data on disk has been overwritten, such tools can’t recover the data.

But it is actually possible to recover the data even if it has been overwritten. This requires special tools which analyze the magnetic fields on the disk platters. If the data has only been overwritten once, it is relatively easy to recover the file. Therefore, if you want to be sure that the data can’t be recovered, you need to overwrite the data blocks several times. Every time a data block is overwritten, the chance of recovering the old data decreases exponentially. By overwriting the data seven times, it will be too difficult and too expensive for most organizations to recover the data.
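The three points above (work on a verified copy, deleted data survives the directory entry, overwriting is what actually removes it) can be shown end to end on a constructed toy filesystem. This is an added example, not the post's own code; the filesystem layout, the "TOY" file format and the sample files are all made up here, and the model covers only the logical layer, so a single overwrite already defeats carving in it.

```python
import hashlib
import struct

# Constructed toy filesystem for illustration: a directory of fixed-size
# entries followed by 64-byte data blocks. Real filesystems differ in detail
# but delete files the same way: the entry goes, the blocks stay.
BLOCK = 64
ENTRY_FMT = "<16sII"                       # name, start offset, byte length
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 24 bytes
DIR_ENTRIES = 4
DIR_BYTES = 128                            # data region starts here
MAGIC = b"TOYF"                            # header of the constructed file format


def toy_file(payload):
    """Constructed 'TOY' format: magic, little-endian length, payload."""
    return MAGIC + struct.pack("<I", len(payload)) + payload


def make_image(files):
    """Lay out (name, data) pairs into a fresh image and return it as bytes."""
    img = bytearray(DIR_BYTES + 8 * BLOCK)
    offset = DIR_BYTES
    for i, (name, data) in enumerate(files):
        img[offset:offset + len(data)] = data
        struct.pack_into(ENTRY_FMT, img, i * ENTRY_SIZE, name.encode(), offset, len(data))
        offset += -(-len(data) // BLOCK) * BLOCK   # round up to whole blocks
    return bytes(img)


def list_files(img):
    """What the operating system sees: only entries still in the directory."""
    files = []
    for i in range(DIR_ENTRIES):
        name, offset, length = struct.unpack_from(ENTRY_FMT, img, i * ENTRY_SIZE)
        if length:
            files.append((name.rstrip(b"\0").decode(), offset, length))
    return files


def _find_entry(img, name):
    for i in range(DIR_ENTRIES):
        raw, offset, length = struct.unpack_from(ENTRY_FMT, img, i * ENTRY_SIZE)
        if length and raw.rstrip(b"\0").decode() == name:
            return i, offset, length
    raise FileNotFoundError(name)


def delete_file(img, name):
    """Ordinary delete: clear the directory entry, leave the data blocks alone."""
    i, _, _ = _find_entry(img, name)
    out = bytearray(img)
    out[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = b"\0" * ENTRY_SIZE
    return bytes(out)


def secure_delete(img, name, passes=3):
    """Overwrite the file's bytes with changing patterns, then clear the entry."""
    _, offset, length = _find_entry(img, name)
    out = bytearray(img)
    for p in range(passes):
        out[offset:offset + length] = bytes([(0x00, 0xFF, 0x55)[p % 3]]) * length
    return delete_file(bytes(out), name)


def image_hash(img):
    return hashlib.sha256(img).hexdigest()


def acquire(img):
    """Take the working copy an examiner analyses and record its hash."""
    copy = bytes(img)
    return copy, image_hash(copy)


def verify_copy(original, copy):
    """Show the copy is bit-for-bit identical to the untouched original."""
    return image_hash(original) == image_hash(copy)


def carve(img):
    """Recover TOY files by header signature, without consulting the directory."""
    found = []
    pos = img.find(MAGIC, DIR_BYTES)
    while pos != -1 and pos + len(MAGIC) + 4 <= len(img):
        (length,) = struct.unpack_from("<I", img, pos + len(MAGIC))
        start = pos + len(MAGIC) + 4
        if start + length <= len(img):
            found.append((pos, img[start:start + length]))
        pos = img.find(MAGIC, pos + 1)
    return found


if __name__ == "__main__":
    image = make_image([("report.toy", toy_file(b"quarterly numbers")),
                        ("secret.toy", toy_file(b"password list"))])
    deleted = delete_file(image, "secret.toy")
    copy, digest = acquire(deleted)
    print("copy verified:", verify_copy(deleted, copy), digest[:16])
    print("visible:", [f[0] for f in list_files(copy)])
    print("carved :", [p for _, p in carve(copy)])
    print("after wipe:", [p for _, p in carve(secure_delete(image, "secret.toy"))])
```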

What is a Botnet

Botnets are a sophisticated form of malware. A botnet is a group of computers controlled remotely by an attacker. The computers are typically distributed all over the Internet making them difficult to track down and almost impossible to shut down. It is believed that most botnets are operated by criminals for financial gains.

The early computer viruses were mostly made for fun or fame. Many of them could be annoying but did not do any real damage; a few were harmful, but they seldom survived for long. But none of them brought in any money for the creators. Things have changed a lot since the good old days; nowadays malware can be a very lucrative business. And the most lucrative of all malware are botnets.

So what is a botnet? A botnet is a collection of computers that have been infected so that they can be controlled remotely. Botnets can be made up of a huge number of infected computers; the largest botnets consist of hundreds of thousands of computers. The person controlling the botnet is known as the botnet operator or the bot master.

While many viruses are easy to detect (sometimes, unfortunately, only after they have damaged the computer), botnets are very difficult to detect. The whole point of a botnet is to control as many computers as possible for as long as possible. This can only be achieved by using stealth, making the malware as unobtrusive as possible. The infected computer is only used for small tasks which don’t put much load on the computer.

The main use of botnets is to send spam emails, everything from promoting overpriced products to phishing for login information. But botnets can be used for many other purposes. DDoS, distributed denial of service, attacks are often suspected to come from botnets. They can also be used to generate fake web traffic, so-called click fraud. The botnet software can also include spyware used for identity theft.

Controlling a huge number of computers all over the world can be profitable. It is believed that many of the largest botnets are controlled by organized crime. These organizations can pay for skillful programmers, which explains why many botnets are very sophisticated, far beyond the level of normal computer viruses.

Botnets used to be controlled from one central point; this made it easy for the botnet operator to control the infected computers. But it was also a single point of failure and made it relatively easy to detect and destroy a botnet. That said, the infected computers in a botnet that has been shut down can often be taken over by the same operator, using a new central server. The botnet operators realized quickly that if the botnet was controlled from one single computer, the whole network was very vulnerable. Therefore, nowadays centralized botnets are often managed by a few computers, giving the bot master the possibility to control the network even if one of the central servers is compromised.

But botnets that are managed from a few servers are still relatively easy to block. To make it more difficult to destroy botnets, peer-to-peer (P2P) botnets have been developed. In these networks, every peer, that is every computer, can act as a control server. Such botnets are much harder to detect and shut down; there is no single point of failure.

Protecting yourself against botnets is done in the same way as against standard computer viruses. Make sure that you install all security patches and use anti-virus software. But botnets often use a number of attacks. Often they scan networks for vulnerable computers which can make it very difficult to get rid of a botnet if it gets inside your network.

Anti-virus programs are good at removing botnets from your computer but botnets have started to become polymorphic, making it more difficult for virus scanners to detect them. The problem with botnets has become so large that ISPs are cooperating to block the control traffic.

How to protect against insider attacks

Firewalls are very good at protecting organizations against attacks from the outside. But if the attacker is already inside the firewall, firewalls do not help you. Insider attacks have become a big problem for many companies. Here are some ideas on how you can protect yourself against insider attacks.

Obviously, in order to carry out their daily duties, some people need to have permission to do activities which could harm the organization. It is also easier for staff to acquire information about sensitive systems than it is for outsiders. Since insiders generally know much more about the computer systems of the organization, inside attacks often cause much more damage than attacks done by outsiders.

Protecting against internal attacks is often a tedious task. It requires that you list which systems and data need to be protected. Then you have to build a list of the people who need access to these systems in order to carry out their daily jobs. Now you are ready to start planning how to protect the organization’s sensitive resources. This includes assigning a person who is responsible for each asset that needs to be protected. This person decides who should have what kind of access to the asset.

It is relatively easy to audit access. This should be done, and the audit logs need to be saved on a secured server. Otherwise, the insider may erase the audit log after the attack has been done. But audit logs only make it possible for you to work out who did what; they don’t prevent people from damaging the system or stealing data.

The principles that should be used are known as “Principle of Least Privilege” and “Segregation of Duties.” The first principle means that no one should get privileges greater than those needed to carry out his or her tasks. The second principle means that no single individual should be able to process a transaction from initiation to completion.

There are a number of reasons why it is difficult to protect against internal attacks. Below are some of the main reasons.

In many organizations, people move frequently to new positions with new responsibilities. But that can also mean that they should no longer have permission to do tasks or to access information that belonged to their old position. This means permissions have to be updated and audited regularly.

By restricting staff’s access, it becomes harder for them to do their work. It can often be convenient to relax the restrictions but this also decreases the security.

Often an inside attacker can take advantage of the fact that he or she is on friendly terms with people who possess vital information. Sometimes this makes it possible to acquire key knowledge or information that the attacker was not supposed to get. But a colleague wanted to be helpful and supplied the information.

Note that insiders can also create security issues by mistake. It is easy to bring in new programs on USB sticks and similar devices. Far from everyone selects strong passwords for their accounts. Educating the users is the best way of preventing such security problems. Clever social engineering is another way in which insiders can be fooled; here you can learn more about social engineering.
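The two principles named above, Least Privilege and Segregation of Duties, together with the stale permissions that people keep after moving to a new position, can be checked as part of a regular access review. The following is an added example, not from the post: the roles, accounts, grants and the "payment" transaction are constructed data, and the review reports excess grants, accounts that can run a whole transaction alone, and role definitions that would allow that by design.

```python
# Constructed access data: which role each account currently has, what each
# role legitimately needs, and what the accounts actually hold today.
ROLE_PERMISSIONS = {
    "ap_clerk":   {("payments", "initiate")},
    "ap_manager": {("payments", "approve"), ("payments", "read")},
    "dba":        {("hr_db", "admin")},
    "ap_all":     {("payments", "initiate"), ("payments", "approve")},  # badly designed role
}
USER_ROLES = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "dba"}
GRANTS = {
    ("alice", "payments", "initiate"),
    ("bob", "payments", "approve"),
    ("bob", "payments", "read"),
    ("bob", "payments", "initiate"),     # granted "to be helpful" during a busy week
    ("carol", "hr_db", "admin"),
    ("carol", "payments", "initiate"),   # left over from carol's old clerk position
}
# A transaction is the set of steps that must never rest with a single person.
TRANSACTIONS = {"payment": [("payments", "initiate"), ("payments", "approve")]}


def excess_privileges(grants, user_roles, role_permissions):
    """Least privilege: grants not justified by the account's current role."""
    excess = set()
    for user, asset, perm in grants:
        allowed = role_permissions.get(user_roles.get(user), set())
        if (asset, perm) not in allowed:
            excess.add((user, asset, perm))
    return excess


def held_permissions(grants):
    """Group the flat grant list into {user: {(asset, permission), ...}}."""
    held = {}
    for user, asset, perm in grants:
        held.setdefault(user, set()).add((asset, perm))
    return held


def segregation_violations(grants, transactions):
    """Segregation of duties: accounts that can run a whole transaction alone."""
    held = held_permissions(grants)
    return sorted((user, name) for name, steps in transactions.items()
                  for user, perms in held.items() if set(steps) <= perms)


def role_design_violations(role_permissions, transactions):
    """The same check on the role definitions, before anyone is assigned to them."""
    return sorted((role, name) for name, steps in transactions.items()
                  for role, perms in role_permissions.items() if set(steps) <= perms)


def revoke(grants, to_revoke):
    return set(grants) - set(to_revoke)


def review(grants=GRANTS, user_roles=USER_ROLES,
           role_permissions=ROLE_PERMISSIONS, transactions=TRANSACTIONS):
    """One access-review pass: report findings and the state after revoking excess."""
    excess = excess_privileges(grants, user_roles, role_permissions)
    return {
        "excess": sorted(excess),
        "sod_before": segregation_violations(grants, transactions),
        "sod_after": segregation_violations(revoke(grants, excess), transactions),
        "bad_roles": role_design_violations(role_permissions, transactions),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

Revoking the excess grants found by the least-privilege check is enough to clear the segregation-of-duties finding in this data; the `ap_all` role would reintroduce it for anyone assigned to it.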

What Is Social Engineering

You may have heard that it is very difficult to protect against social engineering attacks. But what is social engineering? Here is a short overview about what it is and how it has been used to gain unauthorized access.

Social engineering is a term used for a number of methods and techniques. They all have one thing in common: they try to manipulate people, by posing as someone else, into revealing information or performing actions. Social engineering covers a wide range of techniques. Some examples are pretending to be a manager and requesting actions from employees, posing as a new employee asking for information about the systems, or claiming to be support personnel and telling people to download and install an important patch.

Nowadays, social engineering can also be done using email. Phishing emails have become a daily nuisance, telling you to log into your online bank account using the link provided in the email or emails pretending to come from the police or IRS telling you to open an attachment.

Social engineering is difficult to defend against because it targets the weakest link in IT security, humans. After all, we all want to be helpful and look like we know what we are doing. This means that the defense against social engineering is education. Unfortunately, this is not easy since there are so many different ways that social engineering can be used.

A social engineering attack can be fast, just a phone call or an email, but also slow by gathering one piece of information at a time. The latter approach can be very difficult to detect, each individual piece may not be important but by putting together all information, the attacker may know all he needs to know.

Social engineering is not just limited to getting access to computers. It can be used to gain entrance to server rooms, to get badges or keys for buildings, or to obtain confidential documents.

Firewalls are very efficient at preventing unauthorized people from gaining access to your network. A lot of attackers have also realized this; social engineering is one way of getting around the firewalls and all other IT security. This is what makes social engineering so dangerous: you can have configured your firewalls and computers very securely, preventing all unauthorized access, only to have some “helpful” employee give the attacker everything he wants.

Still, good IT security is important: it limits the number of people who can help the attacker, and it also makes life more difficult for the attacker even if he is successful with his social engineering. But you also have to inform all people about popular social engineering attacks. Increasing your staff’s awareness about social engineering is the best way of preventing such attacks.

Since there are so many different kinds of social engineering attacks, it is very difficult to teach people how to detect such attempts. Social engineering by email is very common but seldom effective; most people know that it is very easy to forge an email. Still, if it did not work at all, we would not receive so many emails pretending to come from the IRS, FBI or UPS. But educated users are unlikely to give away any sensitive data in an email. After all, even if the recipient is not an attacker, you should never put any sensitive data in an email. Most emails travel over public networks without being encrypted. Although it is unlikely, the data can be read by anyone who has access to the network.

Social engineering over the telephone requires some knowledge about the organization but is also much harder to protect against. Once again, people aware of social engineering attacks are less likely to be fooled. Social engineering in person is not very common; after all, it exposes the attacker. But a sophisticated attacker is very good at reading people and knows when to look helpless and when to be aggressive. Such attacks are generally done by insiders and can be very difficult to protect against.

Encryption Overview

Encryption has been used for a very long time. It is used to scramble information so that it cannot be read by anyone except the intended recipient. In the computer world, encryption is very important. Without secure encryption, the Internet would never have become such a huge success. Here is a short encryption overview.

Encryption has a long history; it was already used in the ancient world. Some wars have even been won more thanks to superior skills in cryptology than superior military skills. Computers have completely changed the science of cryptology. The computing power of modern computers has made it possible to create codes that are virtually impossible to crack without the help of sophisticated software and powerful computers. On the other hand, sophisticated encryption is absolutely necessary on the Internet. Often, people use encryption without even being aware of it.

Computer encryption can be divided into two categories, symmetric encryption and asymmetric encryption. Symmetric encryption means that the same key is used to both encrypt and decrypt the message. This key has to be kept secret and distributed securely before the communication can begin. Asymmetric encryption on the other hand, uses different keys to encrypt and decrypt the information. One key is public, which is known by everyone, and one key is private, which must remain known only to one entity. The advantage of asymmetric encryption is that no secret keys need to be securely distributed.

The first popular encryption standard for computers was DES, the Data Encryption Standard, developed by IBM in the early 1970s. DES uses symmetric encryption and could be implemented very efficiently. But it had one practical problem: how to distribute the keys securely. DES also used a 56-bit key, not long enough to withstand brute-force attacks by powerful computers. To improve the security, 3DES, or Triple DES, was created. It uses 168-bit keys, three times longer than the original DES key length. Each additional bit in the key doubles the effort needed by a brute-force attack to crack the code.

The problem with secure key distribution has made asymmetric encryption methods, also known as public key encryption, popular in the computer world. The advantage is that the public key can be distributed freely to everyone, also to people who are not allowed to decrypt the information. The decryption can only be done if you know the secret key, known as the private key. When the pair of keys is generated, the private key is kept by the entity and the public key is distributed freely to the whole world.

The most well-known public key encryption system is probably PGP, Pretty Good Privacy. It was developed by Phil Zimmermann in 1991. The creation of PGP was controversial: it provided everyone, both good and bad guys, with encryption that was extremely secure. It can be downloaded free of charge. Just beware that you are not allowed to download it from a site in the US if you are located outside the US.

The RSA method is most likely the most successful commercial public key method. RSA was developed by Ron Rivest, Adi Shamir and Leonard Adleman. The first letter of each developer’s surname is supposed to have been used for the name.

Note that public key encryption also makes it possible to create digital signatures. By reversing the process, using the private key to encrypt a signature and decrypting it with the public key, you know that the message was sent by the person who possesses the private key.
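The sign-with-private-key, verify-with-public-key process described here, and the sign-then-encrypt ordering given in the PKI overview above, can be walked through with textbook RSA. This is an added example, not the post's own code: it uses small well-known primes, no padding and a hash reduced to fit the tiny modulus, purely to make the two key operations and their order visible; the message, the key parameters and the 7-byte blocking are all constructed for the example.

```python
import hashlib
from math import gcd

# Constructed toy parameters: small well-known primes and no padding.
# Real RSA uses 2048-bit or larger moduli with PSS/OAEP padding.
SENDER_PRIMES = (1000000007, 998244353)
RECIPIENT_PRIMES = (2147483647, 1000000009)
E = 65537
CHUNK = 7        # 7-byte blocks: 2**56 is smaller than both moduli above
SIG_BYTES = 8    # a signature is below the sender's modulus, which is < 2**64


def make_keypair(p, q):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("e has no inverse modulo phi for these primes")
    return (n, E), (n, pow(E, -1, phi))


def _digest_as_int(message, n):
    """SHA-256 of the message, reduced so that it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Private-key operation on the hash: only the key owner can produce it."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(message, signature, public_key):
    """The public-key operation undoes the signature; compare with the hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


def encrypt_blocks(data, public_key):
    """Encrypt data in CHUNK-byte blocks with the recipient's public key."""
    n, e = public_key
    return [pow(int.from_bytes(data[i:i + CHUNK], "big"), e, n)
            for i in range(0, len(data), CHUNK)]


def decrypt_blocks(blocks, private_key, total_len):
    """Inverse of encrypt_blocks; total_len restores the last block's size."""
    n, d = private_key
    out = bytearray()
    for i, c in enumerate(blocks):
        size = min(CHUNK, total_len - i * CHUNK)
        out += pow(c, d, n).to_bytes(size, "big")
    return bytes(out)


def sign_and_encrypt(message, sender_priv, recipient_pub):
    """Sign with our private key, then encrypt message + signature for the recipient."""
    sig = sign(message, sender_priv).to_bytes(SIG_BYTES, "big")
    payload = message + sig
    return encrypt_blocks(payload, recipient_pub), len(payload)


def decrypt_and_verify(blocks, payload_len, recipient_priv, sender_pub):
    """Decrypt with our private key, then check the sender's signature."""
    payload = decrypt_blocks(blocks, recipient_priv, payload_len)
    message, sig = payload[:-SIG_BYTES], payload[-SIG_BYTES:]
    return message, verify(message, int.from_bytes(sig, "big"), sender_pub)


def demo():
    """Round trip plus one altered message; returns (recovered, ok, forged_ok)."""
    sender_pub, sender_priv = make_keypair(*SENDER_PRIMES)
    recipient_pub, recipient_priv = make_keypair(*RECIPIENT_PRIMES)
    message = b"Transfer 100 EUR to account 42"
    blocks, length = sign_and_encrypt(message, sender_priv, recipient_pub)
    recovered, ok = decrypt_and_verify(blocks, length, recipient_priv, sender_pub)
    # Reusing the genuine signature on an altered message fails verification.
    sig = decrypt_blocks(blocks, recipient_priv, length)[-SIG_BYTES:]
    forged_ok = verify(b"Transfer 900 EUR to account 42",
                       int.from_bytes(sig, "big"), sender_pub)
    return recovered, ok, forged_ok


if __name__ == "__main__":
    print(demo())
```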

Both SSL, Secure Sockets Layer, and TLS, Transport Layer Security, use public key encryption to provide secure communication over the Internet. URLs beginning with https rather than the usual http use SSL or TLS.

Here you can learn more about the Public Key Infrastructure which is used on the Internet.

What Is Malware

Malware has become more and more sophisticated. It has also become harder to detect malware. At the same time, the damage done by malicious software has increased. Protecting your computers against malware is extremely important. Here is a short article explaining what malware is and how you can protect your computer.

First we should sort out what malware really is. A lot of different terms have been used for software that you should not use. The term computer virus has been around for a long time. Computer viruses are one type of malware. Malware is nowadays used as a term describing all kinds of software that has been installed on your computer without your knowledge and which performs harmful operations. The damage done can be limited to just being annoying, but criminals have started to use malware in order to steal money as well.

Since malware is a term used for a lot of different kinds of software, it is difficult to protect computers against such a wide variety of attacks. The old computer viruses were relatively easy to stop: they were installed when the user executed an infected executable. Anti-virus programs are good at detecting viruses. But the success of the Internet has opened new ways of attacking computers. Old computer viruses were often annoying but not very harmful. Viruses that did too much damage were easy to detect and did not survive for long. Today’s malware can be much more malicious and very difficult to get rid of.

Successful malware must be hard to detect; otherwise it will not get any chance to do its job. But first the malware needs to be installed on the computer. While it is popular to attack computers remotely and try to install malware without the owner being aware of what is happening, most malware is installed by tricking the computer user into installing the malware himself. Email is one of the least sophisticated methods, but it still works. That’s why most people get official-looking emails with attachments supposed to contain important information. But instead the attachment includes malware that the attacker hopes the user will execute.

A more sophisticated method is phishing. The attacker sets up a website that looks like an official website, such as an Internet banking site, and tries to divert real bank customers to his site instead of the real one. Phishing emails are often used for this: an official-looking email with links pointing to the fake website. The victim enters his login details, which are saved; the user is then generally told that the login was incorrect and is redirected to the real website. Since passwords are typically not displayed on the screen, most people think that they made a typo and try again, and this time they log on to the real site. Everything looks normal, but the attacker has got the information he wanted.
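The lure described above works because the link text the reader sees and the address the browser actually opens are two different things. The following is an added example (not code from the original post) that shows the checks a mail filter or a careful reader can apply to the links in a message: a target that is a bare IP address, a plain-http target, a punycode host label, and a displayed domain that does not match the real target (including the "bank.com.something-else" subdomain trick). The sample messages, the domain `examplebank.com`, the IP address and the punycode label are all constructed for the example; the registrable-domain helper is a deliberate simplification of what the Public Suffix List provides.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails). The visible link text is what the
# reader sees; the href is where the browser actually goes.
SAMPLE_EMAILS = {
    "legit": '<p>Log in at <a href="https://www.examplebank.com/login">www.examplebank.com</a>.</p>',
    "ip_target": '<p>Verify now: <a href="http://198.51.100.7/login">https://www.examplebank.com/login</a></p>',
    "subdomain_trick": '<p><a href="https://www.examplebank.com.secure-update.example/login">examplebank.com</a></p>',
    "punycode": '<p><a href="https://xn--exmplebank-4vb.com/">examplebank.com</a></p>',
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of a bare domain as written in link text."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host):
    # Simplification: the last two labels. Real tools consult the Public Suffix List.
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_link(href, text):
    """Return the reasons this link looks like a phishing lure (empty list if none)."""
    reasons = []
    target = host_of(href)
    if IPV4.match(target):
        reasons.append("target is a bare IP address")
    if any(label.startswith("xn--") for label in target.split(".")):
        reasons.append("target uses a punycode (IDN) host label")
    if href.strip().lower().startswith("http://"):
        reasons.append("target is plain http, not https")
    if DOMAIN_LIKE.match(text):
        # The text itself names a site: compare it with where the link really goes.
        shown = host_of(text)
        if registrable_domain(shown) != registrable_domain(target):
            reasons.append(f"displayed domain {shown} differs from real target {target}")
    return reasons


def scan_email(html):
    """Return [(href, reasons)] for every suspicious link in the message body."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(name, scan_email(body) or "no suspicious links")
```

The same comparison is what a reader does by hand when hovering over a link before clicking it: if the address shown in the status bar does not belong to the organisation named in the link text, the message is a lure regardless of how official it looks.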

The old viruses were simple to detect: once the virus creator had released the malicious code, he could not change it. All an anti-virus program needed to know was what the infected code looked like, and it could detect it without any problems. But things have changed. Nowadays malware creators have learnt to change their code slightly with every infection, a technique known as polymorphism, so it is almost impossible for virus scanners to detect them.
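To make the polymorphism point concrete, here is an added example (not code from the original post) of why a scanner that only knows one fixed sample misses its siblings, and what the scanner side does about it. The four byte strings are constructed stand-ins for three variants of one family plus an unrelated benign routine; they are not real malware. Three detection methods are compared: a hash database of samples already seen, an exact byte-string signature, and a wildcard signature (the `??` syntax is the common convention for "any byte") that skips the byte the author changes on every infection.

```python
import hashlib
import re

# Constructed byte strings standing in for three variants of one malware family.
# The per-variant "key" byte (the byte after b8) changes with every infection;
# everything else in the routine stays the same. These are not real malware samples.
VARIANT_A = bytes.fromhex("b8 11 00 00 00 31 c8 83 c1 04 e2 f9 c3")      # key 0x11
VARIANT_B = bytes.fromhex("b8 7a 00 00 00 31 c8 83 c1 04 e2 f9 c3")      # key 0x7a
VARIANT_C = bytes.fromhex("90 b8 c3 00 00 00 31 c8 83 c1 04 e2 f9 c3")   # padded, key 0xc3
BENIGN    = bytes.fromhex("55 89 e5 b8 00 00 00 00 5d c3")               # unrelated code

# Detection 1: hashes of samples already seen (only VARIANT_A has been seen here).
KNOWN_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

# Detection 2: an exact byte-string signature cut from VARIANT_A, key byte included.
EXACT_SIGNATURES = [bytes.fromhex("b8 11 00 00 00 31 c8")]


def compile_wildcard(pattern):
    """Turn a 'b8 ?? 00 00 00 31 c8' style signature into a bytes regex; ?? matches any byte."""
    parts = []
    for token in pattern.split():
        parts.append(b"." if token == "??" else b"\\x%02x" % int(token, 16))
    return re.compile(b"".join(parts), re.DOTALL)


# Detection 3: a wildcard signature that ignores the byte the author keeps changing.
WILDCARD_SIGNATURES = [compile_wildcard("b8 ?? 00 00 00 31 c8 83 c1 04")]


def scan(sample):
    """Return which detection methods fire on the sample, in a fixed order."""
    hits = []
    if hashlib.sha256(sample).hexdigest() in KNOWN_HASHES:
        hits.append("hash")
    if any(sig in sample for sig in EXACT_SIGNATURES):
        hits.append("exact")
    if any(rx.search(sample) for rx in WILDCARD_SIGNATURES):
        hits.append("wildcard")
    return hits


if __name__ == "__main__":
    for name, sample in [("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C), ("benign", BENIGN)]:
        print(name, scan(sample) or "clean")
```

Only the wildcard signature catches all three variants while leaving the benign routine alone; the hash and the exact signature catch nothing but the one sample they were built from. This is the reason modern scanners combine wildcard and structural signatures with behavioural monitoring rather than relying on exact matches.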

Botnet is a term used for a group of computers that run malware controlled by one operator. The computers can be infected with software that is relatively harmless for the user, for example used for email spamming or distributed denial of service attacks. But dangerous software, such as keyboard loggers, could be installed as well.

So how can you protect yourself against malware? It is very easy to get infected, but common sense, anti-virus software and a firewall will help you. Avoid connecting your computers directly to the Internet; use a basic NAT firewall. It doesn’t stop all attacks, but at least your computers are safe against basic scans and attacks. A real-time anti-virus scanner is a must nowadays. They are not fool-proof, but they detect most viruses and limit the damage. But most important of all, be careful. Never download things from sites you don’t know. Never execute anything unless you are sure that it comes from a trusted source.

Botnets are sophisticated malware used for financial gain. Here you can learn more about botnets.

Why is physical security important

You can have your computers and networks safely secured against attacks from the outside. But if someone can gain physical access to your computers, it does not matter that your computers have been configured securely. Here is a short article explaining why physical security is important.

Computer and network security is not just a matter of configuring computers and networks so that they are secure. It is also very important that your computers and network equipment are kept in a secure place. Needless to say, if someone steals your computer, you have a big problem. Theft of hardware is one reason to make sure that your computers and network equipment are stored in a secure location. But an attacker can also be more subtle than just walking away with the equipment. Damaging equipment can be done quickly, and switching off the power or pressing the reset button is easily done, sometimes even by accident.

But if an attacker gets physical access to your computer, he or she can also boot it from a USB device or CD and get administrator/superuser access to the computer. Fortunately, you can protect yourself against such attacks. Apart from making sure that only authorized staff have access to the computers, they can generally be configured not to boot from USB or CD devices by default. Most computers also let you password-protect the BIOS so that no changes to the configuration can be made without knowing the password.

Note that only a select few people need physical access to the computers; keyboards and monitors can be placed outside the secure room where the computers reside. Physical access to the network also gives an attacker the chance to connect a packet sniffer to the network, which can collect usernames and passwords to be used for attacks later on.

If you have backups onsite, make sure that they are stored in a secure place. Otherwise, someone could copy the backups without anyone noticing and then extract sensitive data from the copy. It is possible to encrypt backups, but make sure to use strong encryption: nowadays processing power is cheap, and what used to be strong encryption may be relatively easy to crack using brute-force methods.

If you want to protect your computers at home, the main threat is theft. Backups make sure that you don’t lose your important documents if your computer is stolen. Just make sure to store the backups in a secure place, not next to the computer. But if you have sensitive data on your computers, you have a problem. It is very convenient to store all passwords on your computer, and some people even store credit card and bank account information on their computers.

Passwords should never be stored directly on a computer. Use utilities that save your passwords in encrypted form and require you to know one single master password to access all your other passwords. You can save the encrypted passwords on a USB stick, which is much easier to protect than a computer.
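Both the remark above about brute-forcing encrypted backups and the advice to keep all passwords behind one master password come down to the same question: how much work does a single guess cost the attacker? The following added example (not code from the original post, and not any particular password utility's implementation) shows the standard answer, key stretching: the master passphrase is run through PBKDF2-HMAC-SHA256 with a salt and a high iteration count, so that every guess costs the attacker the same amount of work as a legitimate unlock. It then measures on the local machine how many guesses per second a plain SHA-256 hash allows versus the stretched key, and turns that into an expected cracking time for two password spaces. The iteration count of 200,000, the sample passphrases and the two password spaces are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; real password tools tune it higher
# and re-tune it as hardware gets faster.
ITERATIONS = 200_000


def derive_key(passphrase, salt, iterations=ITERATIONS):
    """Stretch a master passphrase into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def enroll(passphrase):
    """Record kept by the store for a new master passphrase: random salt plus derived key."""
    salt = os.urandom(16)
    return salt, derive_key(passphrase, salt)


def verify(passphrase, salt, expected_key):
    """Constant-time check of a passphrase against the enrolled record."""
    return hmac.compare_digest(derive_key(passphrase, salt), expected_key)


def measure_rate(guess, seconds=0.3):
    """Guesses per second this machine manages for one guess function."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        guess(count)
        count += 1
    return count / (time.perf_counter() - start)


def search_space(alphabet_size, length):
    """Number of candidate passwords of a given length over a given alphabet."""
    return alphabet_size ** length


def expected_seconds(space, rate):
    """Average time to hit the right password by exhaustive search at `rate` guesses/s."""
    return space / 2 / rate


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    salt, key = enroll("correct horse battery staple")   # constructed sample passphrase
    assert verify("correct horse battery staple", salt, key)
    assert not verify("correct horse battery stable", salt, key)

    # One core of the attacker's machine guessing against an unstretched SHA-256
    # hash versus the same core guessing against the PBKDF2-derived key.
    fast = measure_rate(lambda n: hashlib.sha256(str(n).encode()).digest())
    slow = measure_rate(lambda n: derive_key(str(n), salt), seconds=1.0)
    for label, space in (("8 lowercase letters", search_space(26, 8)),
                         ("12 printable ASCII characters", search_space(95, 12))):
        print(f"{label}: plain SHA-256 {human(expected_seconds(space, fast))}, "
              f"PBKDF2 {human(expected_seconds(space, slow))}")
```

The numbers printed are for a single core of whatever machine runs the script; an attacker with a GPU rig or a rented cluster multiplies the guess rate accordingly, which is exactly the "processing power is cheap" problem. Stretching raises the cost of every guess by the iteration count, but it cannot rescue a short password drawn from a small alphabet, so the master passphrase still has to be long.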

If you really have sensitive data stored on your computer, you should use programs that encrypt the whole hard drive. The Windows password at start-up gives you no security: the disk can simply be placed in another computer, and then all data on the disk is accessible. Just remember that if you forget the password that was used for encrypting the data, it can be very expensive to recover the data. Another possibility is to use biometric readers. But beware that biometric security devices have some disadvantages and are not considered secure by some security experts. The main problem is that the biometric tests cannot be too strict. For example, a fingerprint reader has to accept relatively close matches, otherwise a small scratch could prevent you from accessing your data for several days. But this fault tolerance also lowers the security of the system. Here you can learn more about biometrics in computer security.