4. BitLocker and BitLocker To Go
Microsoft BitLocker is a feature of the Business and Ultimate
editions of Windows 8 that you use to implement full-disk encryption of
your copy of Windows and all your files and data.
It supports multiple partitions and hard disks across a computer and can work in conjunction with a Trusted Platform Module (TPM)
chip on your computer’s motherboard to securely store the encryption
keys. This means that even if your hard disks are physically removed
from the computer they still cannot be decrypted.
To access BitLocker on your computer, open the Start screen and search for BitLocker or find it in the full Control Panel.
So what is BitLocker and how does it work?
Method 1: Encrypting a Hard Disk or Partition with Hardware Support
If your computer’s motherboard has a TPM chip, it stores the
cryptographic keys needed to encrypt and decrypt your hard disk or
partition. This encryption key (cipher) is unique to this chip. This
means that if an encrypted
disk is removed, it can never be decrypted on another computer because
the encryption key has been left behind on the old computer.
Method 2: Encrypting a Hard Disk or Partition without Hardware Support
If your computer does not have a TPM chip on the motherboard, then
the cryptographic keys are stored within Windows and are not linked to
specific hardware. Using this method, you can use the password to access
the hard disk if it is plugged into another Windows 8 or a Windows 7
computer.
Method 3: Encrypting a USB Flash Drive or External Hard Disk
This method of encryption is similar to the non-TPM–based hard disk
just described in method 2. Windows uses standard BitLocker
cryptographic keys to ensure that an encrypted flash drive or hard disk
can be used on other Windows 7 or Windows 8–based computers. This method
uses the Windows 8 BitLocker To Go feature. To read a BitLocker To Go
protected external drive in Windows XP, you can use the BitLocker To Go
Reader software which is automatically placed on the drive. BitLocker To
Go Reader does not allow writing to an encrypted disk or pen drive.
Administering Your TPM Chip
The main BitLocker
window will display a link in the bottom left corner where you can
administer the TPM chip on your motherboard. This chip needs to be
activated before you can use BitLocker; however, when you turn BitLocker
on, Windows 8 can do this for you automatically.
However, if BitLocker has been used on the computer before, perhaps
if you were using Windows Vista or Windows 7 with it enabled, you might
want to clear the TPM chip, which you can do in the Administration
options. You can also reset a lock-out from the TPM chip if you have had
a security problem. The TPM administration panel is shown in Figure 3.
In the main BitLocker window, all the hard disks that physically
reside inside your computer or, in the BitLocker To Go section, attached
to your computer via USB or Thunderbolt are displayed. Each hard disk
has a link next to it labeled Turn on BitLocker, as shown in Figure 4.
You will need to have your main Windows drive completely encrypted by
BitLocker before Windows will allow you to encrypt any other drives;
however, if you are decrypting drives, Windows will allow you to select
all or several at the same time.
Note
If you have a lot of
data on the hard disk, it will take longer to encrypt, possibly
overnight. Moving the data off the hard disk temporarily will speed up the process.
Caution
BitLocker provides an extremely high level of security and
encryption. If you forget the password or if your TPM-equipped
motherboard fails and has to be replaced, you may never be able to
access that data again. Do not encrypt data by using BitLocker if you do not have a backup copy of the data elsewhere.
Although it can take a while to encrypt your computer with BitLocker, you are free to shut the computer down or put it to sleep. The encryption
or decryption process will pause upon shutdown or when going into Sleep
mode and resume the next time the computer is used.
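The two points above (the Windows drive must be fully encrypted before other drives, and a drive with no recovery option can be lost for good) can be checked from PowerShell. The following is an added example, not from the original text: Test-BitLockerReadiness is a hypothetical helper name, the sample volumes are constructed, and the property names are those returned by the Get-BitLockerVolume cmdlet.

```powershell
# Added example (not from the original text). Test-BitLockerReadiness is a
# hypothetical helper; it reads the properties Get-BitLockerVolume exposes.
function Test-BitLockerReadiness {
    param([Parameter(Mandatory)] [object[]] $Volume)

    # Rule from the text: the Windows drive must be fully encrypted first.
    $os = $Volume | Where-Object { "$($_.VolumeType)" -eq 'OperatingSystem' } |
          Select-Object -First 1
    $osReady = $os -and ("$($os.VolumeStatus)" -eq 'FullyEncrypted')

    foreach ($v in $Volume) {
        # Names of the key protectors on this volume (Tpm, Password, ...).
        $types = @($v.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()

        if ("$($v.VolumeStatus)" -eq 'FullyDecrypted') {
            $findings += 'not encrypted'
            if ("$($v.VolumeType)" -eq 'Data' -and -not $osReady) {
                $findings += 'finish encrypting the Windows drive first'
            }
        }
        elseif ($types -notcontains 'RecoveryPassword') {
            # Caution from the text: a forgotten password or a replaced TPM
            # motherboard leaves no way back in without a recovery protector.
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Status     = "$($v.VolumeStatus)"
            Protectors = $types -join ', '
            Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample volumes so the function can be tried on any machine.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        VolumeStatus = 'EncryptionInProgress'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' }) },
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'
        VolumeStatus = 'FullyDecrypted'; KeyProtector = @() },
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data'
        VolumeStatus = 'FullyEncrypted'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)
Test-BitLockerReadiness -Volume $sample | Format-Table -AutoSize
# On a real computer, from an elevated prompt:
#   Test-BitLockerReadiness -Volume (Get-BitLockerVolume)
```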
BitLocker is something that I recommend people use on laptop
computers and sometimes for USB flash drives and external hard disks.
There might even be a legal requirement to do so. Depending on the country
in which you’re working, if you carry critical information such as
personal data about other people, you might be subject to data
protection laws that make it illegal to transport unencrypted data.
Breaking these laws by not properly protecting the data could lead to
heavy fines or even imprisonment.
BitLocker is also
useful for everyday computer users who not only carry a great deal of
personal information in their files, but also commonly store passwords
for websites in Internet browsers. If you have a laptop and Windows 8
Enterprise or Ultimate edition, it is well worth encrypting your hard
disk. If you are considering buying a laptop and can afford to do so,
purchase one with a TPM chip and Windows 8 Pro or Enterprise. I believe
the peace of mind is worth the extra expense incurred.
If you manage a business for which employees carry sensitive business
or customer-related data on their laptops, these should all be
encrypted by using BitLocker or another system. Failure to do so is
inviting data loss or embarrassment, at the least, and possible criminal
prosecution at the worst.
5. Beware the Weak Link at the Keyboard
If you have antivirus software installed in Windows 8 and UAC
enabled, your operating system should be perfectly secure. However, the
weakest link in all computer security will always be the user. Here are
my top tips for avoiding the user errors that can undermine your
computer’s security.
Keep Your Antivirus Software Up to Date
First things first: Ensure that you are protected from external attacks by installing antivirus software.
Ensure That You Have a Good, Up-to-Date Firewall
Just as important as antivirus software is a firewall. This is your
first line of defense against attack from outside. Again, you need to
ensure that it’s kept up to date, as well. If you’re running Windows XP
in a virtual machine, don’t rely solely on the built-in firewall; it’s
not enough.
It’s essential that you turn on Windows Update and leave it on.
Updates are released by Microsoft on a monthly basis, and although some
might require you to reboot your computer, the slight inconvenience is
well worth it for the added security and peace of mind.
Keep Your Software Up to Date
Ensure that you regularly check for general and security updates for the software you use the most. You can find these on the websites of the respective manufacturers.
Always Check Email Attachments Before Opening Them
It’s always a good idea to check all email
attachments for viruses. Save them to your hard disk first, and then in
File Explorer, right-click the file and select Scan With [Your Anti-Virus Software] before you open it.
If you receive a suspicious-looking email
attachment from someone you know, you could email that person to ask if
she did intend to send it to you. It could be that a virus on her
computer has forwarded itself to people in her address book, in which
case she would probably like to be notified.
Use a Secure Internet Browser
Browsers like the latest versions of Firefox
or Internet Explorer provide much of the protection you need. In
Windows 8, the protected mode in Internet Explorer, which denies any
software running in the browser access to the rest of the operating
system, and the SmartScreen filter for detecting malicious
software and websites are an extra bonus.
Get Spam and Phishing Filtering for Your Email Software
Everyone knows what spam is. Phishing emails, however, are the
messages that purport to be from a real bank or credit card company
asking you to provide your personal details to a website. I’ve seen some
of the most net-savvy people caught out like this.
Never Click Anything You Don’t Explicitly Mean To
If you haven’t gone to a website with the express intention of
clicking items, for instance, maybe to install a browser plug-in or get a
specific download, never click anything unless you know exactly what it is.
Beware of reputable websites such as YouTube on which viruses are
occasionally posted disguised as a codec that is required to play a
video. If you are ever in doubt, simply don’t click it!
Look for the Padlock or the Green Bar
When shopping online or when visiting any website that requires you to enter personal information, look for the padlock,
which is a visual method for your browser to tell you that the website
is encrypting any data sent back and forth using a valid security
certificate. What browser you use will determine where this is located.
The latest security convention in browsers is to color code the address
bar. The address bar is displayed as green if the site is okay and
orange or red if you should use caution or avoid the site.
Note
Not all web browsers will use color-coded address bars, and they
might display the padlock in different ways and in different areas of
the browser. You should refer to the Help menu for your specific browser
for more advice on this.
Never Give Private Details Online Unless You Must
Shopping for a credit card or car insurance is one thing, but many
websites will unnecessarily ask for personal details that too many
people are all too willing to give away. At best, these details are used
to send you spam; at worst, they are used to steal your identity.
Ensure that you keep regular backups of your data somewhere away from
your Windows installation, maybe on an external USB storage device, for
instance. Windows has a built-in backup utility, but third-party
packages offer backup solutions, too.
Keep Your Backups in a Safe Place
It is not wise to keep your backups on your computer or in the same location as it. Cloud
storage is a useful and secure place in which to store backups, but it
can be very slow if you have a large number of files to back up or a slow
broadband connection. CDs,
DVDs, and Blu-ray discs can degrade over time. If you can afford one, an
external USB hard disk that is stored off site and brought back
monthly to be updated is the best solution.
Keep the Driver CDs and Manuals for Your Computer
Always safeguard the discs and manuals that come with your computer.
These will prove invaluable if Windows ever needs to be reinstalled.
Make sure you keep them somewhere safe and together.
Get a Windows Installation DVD for Your Computer
Many computers these days do not ship with Windows 8 installation DVDs. This is done as an anti-piracy measure. Instead, they come with pre-configured restore
partitions. It is always wise to contact the company you bought your
computer from and request—nay demand—a Windows 8 installation DVD so
that you have it available should disaster occur and you need it. There
might be a postage charge for sending it, but don’t be put off: you have
paid for your copy of Windows and that includes the installation media!
You will have much more fun on your computer if
you keep it tidy and maintained; uninstall programs that you don’t
need, use the built-in tools or third-party tools to remove unnecessary
files, and keep the registry clean.
Be Careful When You Throw Away Your Computer
When your computer comes to the end of its useful life, be sure to use a utility that will securely erase the hard
disk by overwriting the data several times. If you can, also remove the
erased hard disk and dispose of it separately. Discarded computers can
contain a wealth of sensitive information that makes them a bargain find
for identity thieves.
Windows 8 includes a new Reset
option which you can find in the General section of PC Settings. This
will completely wipe all user accounts, settings, apps, programs, and
files and return your computer to a state where it is suitable to be
passed on.
Caution
The Reset option and deleting files will not securely
erase them. You should use a specific secure erase program if you want
to guarantee that files cannot be recovered later. This can be a slow
process, however, so prepare to be patient with it.
The market for computer security
is enormous and includes every type of product that you can imagine.
One website that I’ve found invaluable over the years is Gibson Research
Corporation at www.grc.com.
Steve Gibson is a highly respected computer security expert; in fact,
he’s probably the best. His website includes his ShieldsUP! tools,
which he accurately describes as, “the Internet’s quickest, most
popular, reliable and trusted, free Internet security checkup and
information service.”
There are also a host of other tools at the website for testing the
security of your computer, Internet connection, and firewall. I cannot
recommend the tools on this website highly enough.
Setting security on your computer is absolutely critical, and
maintaining it is even more so, given the nature of how we live our
lives online these days, and how criminals and malware writers want to
exploit the “soft, squidgy thing” that sits in front of the screen.
Windows 8 is more secure than any version of
the operating system before it, and some security researchers already
asserted that Windows 7 was one of the most secure operating systems on
the planet. Security these days, though, is as much about tricking the
user as it is about making a brute-force attack. Always be careful when
you go online with your computer, and always be vigilant about your
security.