The policy of familiarizing and instructing the end users about the importance of security issues is a sine qua non of the most measures taken by the system administrators to avert possible harms against security of information. Combining the very factor with the conventional security precautions yields highly effectual results. It is a well known fact that if people do their best beforehand to take 20 per cent of preventive measures to remedy security vulnerabilities, it will plainly and simply suffice to overcome 80 per cent of the threats. Therefore, it is true that is harder to overcome the challenge without educating the end users. Our main aim in this article is to inform the end users about the most frequent errors that the users are falling into and to enlighten them about simple tactics that would help them avert the bigger risks. In this respect, we hope this article will be a check list for the users about the things they should take care of.

1. The server operating sytems on desktop computers

The desktop computers are ultimatley intended for the end users and they are not designed to execute the tasks of servers in particular. However, the users are generally tend to think that the more complex operating systems they use, the more efficient the system will be. For example, it is a common false impression that Windows Server operating systems or Linux Server versions are doing better jobs than Windows 9x/2000/XP Professional/Home or Linux Workstation operating systems. In fact, some services on server operating sytems are installed and run automatically without noticing the users about it. They then consume a great deal of the system performance and create serious vulnerabilities escaping the awareness of the users.

2. The server applications on desktop computers

Although the operating systems have client characteristics (Windows 9x/2000/XP Home/Professional or Linux Workstation etc.), the users opt to use insecure FTP servers or web servers to share files or serve web pages. For example, using Microsoft IIS as a web server has caused very serious security vulnerabilities in the past; and today, as CodeRed and Nimda viruses continue to exploit the vulnerability of the sofware, it continues to be a nuisance for the users. Such nuisances can be avoided if only the server applications are provided centrally by the system administrators on secure operating systems and through secure software. For example, the users should well be able to create their web pages on UNIX server systems through using their user accounts and they should well be able to transfer their files through FTP programs that run on server systems.

3. Updating the operating system

The end users are very frequently mistaken when they think that security vulnerabilities are out of question after they have correctly and succesfully installed the software. Indeed, the facts prove otherwise. The operating systems start to release their updates immediately after they themselves are distributed on the market. While these updates renew the driver files and debug the defected files, on the other hand they most essentially fix the security vulnerabilities of the operating system. Some operating systems install their updates automatically or they can be arranged and set; so that they automatically install the updates. The viruses generally do harm to computers and spread themselves by exploiting the security vulnerabilities of the operating systems which are not updated.

4. Application software updates

In addition to the operating systems, some of the application software, unless they are updated, open up vulnerabilities for viruses or for malicious attacks; therefore important data may be lost. The users should especially update e-mail programs such as Microsoft Outlook etc., Microsoft Office packages, message programs such as MSN Messenger and ICQ.

5. Administrator rights on desktop computers

The desktop computer users most frequently err because they think it is better to be the administrator of their computers. Such reasoning is false because one does not need to be the administrator to use his/her desktop computer. However, some system administrators deliberately allow the users to administer the computers; only because they wish to escape time-consuming telephone calls and endless explanations. The installations that the unaware administrator end-user has executed on the system unknowingly, and the configuration parametres he/she has changed may open up new security vulnerabilities on the computer.

6. Anti-virus software and updates

To some users, anti-virus software cause annoyances, because they think that the software slow down the system performance. It is true that anti-virus software slow down the system performance between %0,5-%2. However, the loss of performance is so much less than in the case of a virus affecting the performance of a computer. According to a most common misconception of the users, once the anti-virus software is installed on their computer, it will protect the system from viruses. This is the very common cause of the users’ failure and neglicence about updating their anti-virus software. Computer end users should be informed about the following: how do the anti-virus software operate, how the anti-virus software detect the new viruses, how do the users update virus scanning engines and virus pattern/definition files.

7. File Sharing

Users are not aware of the fact that when they are sharing files with other users on the system, the files are readily visible by everybody on the network. Some users share only some specific folders, but other users share the folders where the operating system files and programs are kept without even specifying a password. By doing this, they not only create a security vulnerability, but also they provide fertile ground for viruses to spread themselves. Computer end users should be informed about the risks of sharing files and more secure ways of file sharing methods should be suggested to them.

8. P2P File Sharing Programs

The users are downloading files through P2P file-sharing programs on Internet such as Kazaa and Imesh or they download executable files from message programs such as ICQ without even having an idea about the origin or safety of the file they download. These files may contain viruses or trojan horses. The awareness of the users on this issue should be raised.

9. Programs that are run on Web without much awareness about their safety

If you do not have enough information about some of the programs and plug-ins that you download from the web sites, this may pave the way for inviting directly the viruses or malicious codes to your computer. Users should implement precautionary measures, such as adjusting security settings on their Internet browser programs or answering the questions displayed on the web pages only after they make sure that they exactly know what is being prompted.

10. E-mail attachments

It is a very common and simple error to execute the attachments of the e-mails that pretend as if it was sent from a genuine sender. These e-mails are a product of a successful social engineering and tend to exploit the naiveness of the computer user who fails to keep pace with the technology. To prevent the spreading of viruses through e-mail messages, users should use anti-virus software and they should update their operating systems. They should also use secure e-mail reading programs. (Netscape Messenger, Pine, Mutt etc. instead of Microsoft Outlook should preferred).

11. Security Standards (Security Baseline) and Policy of Use

The documents that are prepared by system administrators or the policies implemented are generally regarded as useless by most of the end users. End-users generally tend to ignore the recommendations of the administrators about the security settings to be done. The computer end-users should be computer users should be aware of, and take precautions to avoid, the potentially harmful programs available from various locations across the Internet.

Cengiz ACARTÜRK