"Source from the Office of the Government Chief Information Officer (OGCIO) of the Government of the Hong Kong Special Administrative Region"
 Question 1
 Q:What is Information Security ?
 A:Information Security refers to all aspects of protection for information. Most often, these aspects are classified in five categories: confidentiality, integrity, availability, non-repudiation and authentication of information. Confidentiality refers to the protection of the information from being disclosed to unauthorised parties while integrity refers to the protection of information from being changed by unauthorised parties. Availability refers to the information being available to authorised parties when requested. Non-repudiation refers to the provision of proof of the origin such that the sender cannot deny sending the message, and the recipient cannot deny the receipt of the message. Authentication refers to a process or method to identify and to prove the identity of a user / party who attempts to send message or access data.
 Question 2
 Q:What is IT Security ?
 A:There is no exact definition, but the general idea is to protect any IT information and resources with respect to confidentiality, integrity, availability, non-repudiation and authentication.
 Question 3
 Q:What should we do first to ensure IT Security ?
 A:It is recommended to use a systematic approach by first considering the security interest of the organization or department as a whole. You can first identify the security requirements of your organization, then establish your security policy followed by enforcement. But periodic and continuous review and monitoring are definitely necessary in order to have an effective and efficient security policy.

Question 4

 Q:How to identify your security requirements ?
 A:You can first identify what you are going to protect, such as your equipment and assets. Then you can find out the threats, the impact of each threat and the chance of its occurrence. To identify the threats, which are often of different natures, a process known as risk analysis is normally used. Through this process, you can identify what assets to protect, their relative importance, and the priority ranking for urgency and level of protection required. As a result, a list of security requirements can be defined for your organization.
 Question 5
 Q:What is a Security Policy ? How is it related to security standards, guidelines and procedures ?
 A:Security policy sets the basic mandatory rules and principles on information security. It should be observed throughout an organization and should be in accordance with your security requirements and organization's business objectives and goals. Security standards, guidelines and procedures are tools to implement and enforce security policy such that more detailed managerial, operational and technical issues can be considered. Standards, guidelines and procedures may require more frequent reviews than security policy.

Question 6

 Q:What should be considered first when drafting a security policy ?

These include:


  • Goals and direction of the organization
  • Existing policies, rules, regulations and laws of the Government
  • Organization's own requirements
  • Implementation, distribution and enforcement issues
 Question 7
 Q:Who should be involved in development of a Security Policy ?
 A:Developing a Security Policy requires active support and ongoing participation of individuals from multiple ranks and functional units. You can form a working group or task force to develop the Policy. But the exact group of personnel required depends on your organization's requirements. In general, this group may include empowered representatives from management, technical personnel, system developers, operational personnel, officers or users. Management represents the interests of the organization's goals and objectives, and can provide the overall guidance, assessment and decision making. Technical personnel can provide technical support for various security mechanisms or technological aspects. Users represent the users of related systems who may be directly affected by the Policy. Sometimes, a third party may be involved to review the drafted Policy.
 Question 8
 Q:How to develop a Security Policy ?
 A:You may first identify the group of people involved in developing the Policy. Second, make all necessary plans for activities, resources acquired and schedules. Then determine your security requirements, and establish your own Security Policy. You may need to go through several iterations of review and refinement for your Policy before a complete one can be established. As technology, environment and your requirements often change, you may need to continuously review and monitor your Security Policy in order to make it effective and useful for your organization.
 Question 9
 Q:What can I include into my Security Policy ?
 A:Typical contents may include the policy objectives and scope, the assets to be protected, the roles and responsibilities of the involved parties, the DO and DON'T rules and security incidents reporting and handling. However, the exact contents and level of details depend on your security requirements and your organization's business objectives. Before drafting your security policy, you should also consider the goals and directions of HKSAR Government, the existing policies, rules, regulations and laws, and your implementation, distribution and enforcement issues.
 Question 10
 Q:What are the benefits of having a Security Policy ?
 A:As mentioned before, you and your staff can clearly understand what is and is not permitted in your organization relating to the protection of IT resources. This also helps to raise the level of security consciousness and to provide a baseline on which detailed guidelines and procedures can be established. It may also help to support the decision of prosecution against security violations.
 Question 11
 Q:What should I consider when implementing Security Policy ?
 A:Of course, you must first observe your organization's procedures, rules and regulations for implementation. However, no policy can be considered implemented unless users and related parties have been informed of it and are committed to it. This can be done through briefings, orientation and ongoing training. Make them aware that the Policy can benefit their daily work and, if possible, invite them to participate in the process of developing the Policy. This helps to gain their commitment to and acceptance of the Policy.
 Question 12
 Q:What is meant by Security Assessment ?
 A:Security assessment here is defined as the methods used to assess the security of a network or system. Security assessment software is specially designed to reduce the chance of internal abuse by searching for and eliminating unnecessary security risks and vulnerabilities on internal hosts and workstations. These assessment tools are often used for security audits.
 Question 13
 Q:What is a Security Audit ?
 A:A security audit is performed in order to check and review the effectiveness and completeness of your security controls, your security policy, standards, guidelines and procedures. It will identify any inadequacies of the policy and related standards, and will find out if there are any security vulnerabilities of IT resources. Recommendations and remedy actions on security measures will be provided. In fact, a security audit should be an on-going process which should be performed periodically or regularly as there may be new vulnerabilities coming up daily.
 Question 14
 Q:How often should a Security Audit be performed ?
 A:A Security Audit only provides a snapshot of the vulnerabilities revealed at a particular point in time. But technology and your environment change daily. New vulnerabilities may be found in the future even if all existing vulnerabilities have been identified. So periodic and ongoing review is inevitably required.
 Question 15
 Q:Who should perform a Security Audit ?
 A:As a Security Audit is a complex task and requires skilled and experienced personnel working together with the existing system administrators, it must be planned carefully. A third party is recommended to perform the audit. This third party can be another group of in-house staff or an external audit team, depending on your staff's skills and the sensitivity of the information being audited.

Question 16

 Q:What is an IT Security Incident ?
 A:An IT Security Incident is any event that could pose a threat to the availability, integrity and confidentiality of a computer system. Such incidents can result in the destruction of data and disclosure of information.

Question 17

 Q:How to handle a security incident ?
 A:A security incident handling plan should be defined to identify, as far as possible, all kinds of security incidents that may occur. The plan should be set up with a set of goals and objectives. When a security incident occurs, try to follow the procedures stated in the security incident handling plan. The plan may list all the activities, such as the person to notify, the actions to protect the evidence and logs, the ways to limit the effect of the incident and the recovery procedures with minimal user impact. Evaluation of the incident should not be omitted, as it allows the existing security measures to be reviewed and their completeness to be confirmed.

Question 18

 Q:What is an intrusion ?
 A:An intrusion is a set of actions which attempt to compromise the availability, confidentiality and integrity of an information resource. Generally speaking, intrusion detection is the methodology by which intrusions are detected. This includes detection of intruders breaking into a system or users misusing the system resources.

Question 19

 Q:Why do I need an Intrusion Detection System (IDS) if my network already has a firewall ?
 A:Firewalls are only part of the total integrated security system. They do have limitations. They can neither alert on ALL intrusions nor stop ALL security breaches. They are frequently and easily misconfigured. Organizations are dynamic. People, technology and processes often change. Unless you are constantly monitoring for intrusions, you cannot know if your firewall is working properly. Hence, the IDS is a vital tool to monitor your network 24 hours a day, 7 days a week. But bear in mind that an IDS is only an addition to the firewall, not a replacement for it.

Question 20

 Q:What doesn't Intrusion Detection do ?
 A:Intrusion Detection cannot help you to solve or fix the problem. It can tell you neither exactly who carried out the attack or how it occurred, nor the intention of the attacker. It can only provide you with logs about the origin of the attack and who appears to be making it, but most often these logs cannot tell you who the real attacker is.

Question 21

 Q:What is a network firewall and what can a firewall protect against ?
 A:A firewall is a group of systems that enforce an access control policy between two networks. In principle, the firewall can block traffic from the outside to the inside and permit traffic from the inside to communicate to the outside world. The firewall can also provide logging and auditing functions to record all traffic passing through it. In other words, a firewall can protect the internal network against any attacks from outside by defining an access control policy to permit or deny traffic. However, the firewall cannot protect against attacks that do not go through it and cannot protect against things like viruses or data driven attacks. It should be noted that firewalls are only part of the overall network security and the proper configuration of the firewall plays a very important role as well.

Question 22

 Q:What are the security risks that affect the Web servers ?
 A:Once you install a Web server at your site, you have opened a door into your local network for external visitors. From the view of the network administrators, you are opening up a potential security hole. You have to bear the risks associated with this opening. Bugs or misconfiguration of the Web server can allow unauthorised remote users to access information which is not intended for them. Hackers may even execute server commands to modify the system, gain information about the Web server's host machine or launch attacks. Client side browsers may be attacked by these hackers and their personal information may be retrieved by these hackers through the hole. Network data sent from browser to Web server or vice versa may be intercepted by eavesdropping. Hence, all your information is vulnerable to interception if there is no proper system security on both browser and server sides.

Question 23

 Q:What general security precautions should I take for my web servers running on UNIX and NT systems ?
 A:In general, there are many precautions you should take. For example, you can limit the number of user accounts available on the machine. Try to ensure that users select good passwords. Remove all unused services, shells and interpreters. Configure your web servers correctly and ensure that file permissions are granted only to authorised parties. Regularly check the system and Web logs for suspicious activity.

Question 24

 Q:How can I protect the personal computer and public network against virus ?
 A:A virus is a piece of code that can replicate itself and spread to other computers via floppy diskettes or data communication channels such as email. It is recommended to install a memory-resident anti-virus program to continuously monitor the microcomputer. Virus protection should be done on servers as well. Administrators are required to install a server-based anti-virus package on the servers with proper settings. Virus scanning software should be installed on the server's boot-up drive and be activated at all times to prevent boot sector infection. Administrators should also include a virus prevention and detection process in their daily routine. Of course, regular updates of the virus prevention and detection software are essential to ensure the accuracy of detection and coverage of new classes of virus.

Question 25

 Q:What are the general considerations for protecting the network ?
 A:The security of the individual systems is of the same magnitude of importance as the security of the interconnecting network. It is desirable to limit connections to outside networks to those hosts which do not store sensitive information. All access to and from the local network must be made through a single host computer that acts as a firewall. Keep the network simple by minimizing the number of network interface points between the internal and external networks. Only authorised traffic is allowed to pass via the internal network. If possible, use multiple authentication systems to monitor the users. However, network security only covers a small area of the overall security system; the data owner is also responsible for the security of the data.

Question 26

 Q:What is meant by physical security ?
 A:Physical security refers to the protection of hardware and computer equipment from external physical threats.

Question 27

 Q:What is meant by application security ?
 A:Application security refers to the additional security measures built into the application itself to provide a more secure environment. It is closely tied to the work of system developers.

Question 28

 Q:What can be considered for Internet Security ?
 A:Internet security covers a wide range of issues such as identification and authentication, virus protection, software licensing, remote access, dial-up access, physical security, firewall implementation and other aspects relating to the use of Internet.

Question 29

 Q:How to protect my privacy online ?
 A:There are many ways to protect your privacy online. For example, you should not share your personal information, such as your name and address, with anyone online unless you want them to know it. Think carefully before giving out your personal information online, as this information about yourself may end up being used for other purposes. Secure your email by digitally signing and encrypting it before transmission and storage. Safeguard your personal computer at work and at home, because it is physically open to attack or theft. Change your password often and keep it secret. Try not to use passwords that are obvious names or easy to guess.

Question 30

 Q:How to ensure that the user passwords are secure ?
 A:This depends on the password mechanisms and on how the user keeps his own password. Users should select a password that is difficult to guess and keep the password as secret as possible. They should also change their password immediately after a system recovery or upon receipt of a new password. Administrators should ensure that each new user is granted a good initial password instead of a default one. Procedures should be set up to ensure that only the genuine user is requesting a new or changed password and that only that person receives it. No passwords should be displayed on the screen at any time. User passwords which are used for authentication and administration should be encrypted before being stored.

Question 31

 Q:What is spam email ?

According to Coalition Against Unsolicited Commercial Email (CAUCE), most commonly seen unsolicited commercial emails (UCEs) are:


  • Chain letters
  • Pyramid schemes (including Multilevel Marketing, or MLM)
  • Other "Get Rich Quick" or "Make Money Fast" (MMF) schemes
  • Offers of phone sex lines and ads for pornographic web sites
  • Offers of software for collecting email addresses and sending UCE
  • Offers of bulk emailing services for sending UCE
  • Stock offerings for unknown start-up corporations
  • Quack health products and remedies
  • Illegally pirated software

Question 32

 Q:What are the negative impacts of spam email on the Internet Community ?
 A:Every time a spammer sends out spam email, the entire Internet community has to bear the cost, in particular the recipients and the ISPs at the receiving end. Some Internet users are paying for their Internet access time by the minute, so they are forced to spend extra online time and, therefore, money in downloading unwanted spam email.


Spam is also disruptive to email users, wasting their time, and ultimately making email as a convenient tool less useful if the amount of spam continues to grow. Spam email also ties up bandwidth and resources on computers and routers all over the Internet. Every unwanted email message adds to the total cost of operating the networks of computers that form the path of delivery to recipients. Spam email can disrupt a network by crashing mail servers and filling up hard drives. It also constitutes an invasion of Internet users' online privacy.


Question 33

 Q:How does spam work ?

Most spam is commercial advertising. Companies and advertisers rarely send spam directly; they hire spammers to do the work. Spammers obtain mailing lists from email address harvesters. The harvesters collect email addresses by scanning web sites, newsgroups and email lists. In addition, harvesters can also write programs to generate lists of random email addresses.


With these lists, harvesters can bombard a domain with messages and obtain validated email addresses when the recipients respond.

With the mailing lists, spammers can start their work using spamming tools available on the Internet. When spammers first started, they used to send bulk mail from their own IP addresses. However, as email administrators learned from experience and started blocking email from those sites, spammers had to find another way of sending unsolicited commercial emails. They found an easy way to accomplish this - Third Party Mail Relay, or Open Relay.


Question 34

 Q:What is a third party relay email server ?
 A:A third party mail relay is an email server that receives email from an unknown sender and then sends it on to a recipient or recipients who are not users of that email system. Some email systems enable this relay feature in the default installation. Given the large number of mail servers on the Internet, the number of servers which still allow relaying is considerable.


Spammers can simply collect lists of third party mail relays on the Internet using scanning programs. With these lists, spammers can configure their spamming tool with a relay's address, which obscures their identity from the recipients and places the burden of the work on an email server that they do not worry about overloading or crashing.


Question 35

 Q:How do the Internet service providers (ISPs) in Hong Kong react to the issue of email spamming ?
 A:Almost all ISPs operating in Hong Kong have included in their service agreements provisions that prohibit users from abusing their services for the purpose of email spamming. Spammers will face warnings or, after forewarning, even suspension or termination of service.


Furthermore, ISPs commonly adopt technical measures to combat the spamming problem. For example, their email servers may refuse to transmit emails not composed by the sender (such as refusing to forward to a third party an email received by the subscriber); they may maintain a blacklist of email servers (i.e. refuse to accept emails sent from blacklisted servers); or they may limit the quantity of emails sent from prepaid accounts.


Question 36

 Q:Is it possible to retrieve data deleted with the "delete" command ?
 A:A typical "delete" command merely deletes the pointer to a file. The data will not be overwritten until the storage area is reallocated and re-used. By using commonly available utilities, it is possible to retrieve the deleted data in a computer.

Question 37

 Q:How about the "format" command ?
 A:The "format" command in many cases merely creates an empty root directory and a new blank indexing scheme for all allocation units on the storage media, making it available for the storage of new files. There are commercially available utilities to recover data lost through accidental execution of the "format" command.

Question 38

 Q:Are there tools or software available for the complete data deletion purpose and are they reliable ?
 A:Commercial software and services are available in the market to perform secure data deletion by writing over the storage media a number of times and with different patterns. Those software packages which overwrite the data space with a character, then the complement of that character, then a random character can be considered reliable and follow current industry best practice for secure data deletion. However, you may need to evaluate the capability and features of such products and consult their respective product vendors for details to see if they fulfill your specific requirements. Also, besides the technical solution, necessary checks and balances should be in place to ensure that the secure deletion process is performed and is successful. Some of the possible measures which you may consider include proper approval/logging of the whole process, sample check/verification of erased hard disks, etc.
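As an added example (not part of the OGCIO FAQ or of any product it mentions), the three-pass scheme described above applied to a single file: a fixed character, its complement, then random bytes, each pass flushed to disk and read back for verification before the file is unlinked. The file name, sample content and fill byte are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional

# Constructed sample content standing in for a file that must be sanitised.
SAMPLE_CONTENT = b"CONFIDENTIAL: payroll export 2003-Q1\n" * 64
CHUNK = 64 * 1024


def _fill(pattern: bytes, n: int) -> bytes:
    """Repeat a byte pattern to exactly n bytes."""
    return (pattern * (n // len(pattern) + 1))[:n]


def _write_pass(f, length: int, pattern: Optional[bytes]) -> None:
    """Overwrite the first `length` bytes with a fixed pattern, or with random
    bytes when pattern is None, then flush and fsync so the data reaches the
    device instead of sitting in the page cache."""
    f.seek(0)
    remaining = length
    while remaining > 0:
        n = min(CHUNK, remaining)
        f.write(_fill(pattern, n) if pattern is not None else os.urandom(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def _verify_pass(f, length: int, pattern: bytes) -> bool:
    """Read the file back and confirm every byte carries the pattern."""
    f.seek(0)
    remaining = length
    while remaining > 0:
        n = min(CHUNK, remaining)
        if f.read(n) != _fill(pattern, n):
            return False
        remaining -= n
    return True


def secure_overwrite(path: str, fill: int = 0x55) -> dict:
    """Three-pass in-place overwrite: a character, its complement, then random
    bytes. The two fixed passes are verified by read-back; the random pass is
    checked for length and for differing from the complement pass. The file
    is then truncated and unlinked.

    Caveat: on journaling or copy-on-write file systems and on flash media
    with wear levelling, an in-place overwrite may leave stale copies in
    blocks the file no longer maps to, so this is not a substitute for
    whole-device sanitisation and the sample checks the FAQ recommends.
    """
    length = os.path.getsize(path)
    complement = bytes([(~fill) & 0xFF])
    passes = [("fixed", bytes([fill])), ("complement", complement), ("random", None)]
    report = {"length": length, "passes": []}
    with open(path, "r+b") as f:
        for name, pattern in passes:
            _write_pass(f, length, pattern)
            if pattern is not None:
                ok = _verify_pass(f, length, pattern)
            else:
                f.seek(0)
                data = f.read()
                ok = len(data) == length and (length == 0 or data != _fill(complement, length))
            report["passes"].append({"pass": name, "verified": ok})
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return report


def demo() -> dict:
    """Write the constructed sample to a temporary file, sanitise it and
    return the report plus whether the file was removed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "export.csv")  # constructed file name
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        report = secure_overwrite(path)
        report["removed"] = not os.path.exists(path)
    return report


if __name__ == "__main__":
    print(demo())
```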

Question 39

 Q:We understand that there are tools that claim to be capable of retrieving data even from a hard disk that was burnt by fire. Is it true ?
 A:Yes, commercial tools are available for data recovery. However, the prime objective of those tools is to address the disaster recovery need, e.g. when the data or its media is deleted or damaged by accident or natural disaster such as fire rather than after the application of the secure deletion procedures.

Question 40

 Q:Is it possible to recover data from a computer after being overwritten by those secure deletion tools ?
 A:To recover or reconstruct data that has been deliberately overwritten usually requires specialised devices and/or environment. Data recovery and/or guessing would likely be uneconomical and hence impractical after the secure deletion procedures that follow the industry best practices are adopted.
In fact, secure data deletion is one form of security risk management, similar to other information security topics. The security risk level associated with data deletion and recovery is related to the value of the data being protected, the resources required to delete/undelete the data, and the cost of the equipment to be reused.

Question 41

 Q:Is degaussing an acceptable method for secure data deletion for magnetic media such as hard disks, floppy disks and magnetic tapes ?
 A:According to international/industry practices, degaussing is considered an acceptable technical solution for secure data deletion for magnetic media such as hard disks, floppy disks and magnetic tapes if properly employed. During the degaussing process, the magnetic flux of the media is reduced to virtually zero by applying a reversing magnetizing field. Properly applied, degaussing renders any previously stored data on the media unrecoverable by keyboard or laboratory attack.

Question 42

 Q:Are there any considerations regarding the use of degaussers for secure data deletion ?

With reference to current international/industry best practices, the following are some major considerations/practices when using degaussers for secure data deletion:


  • The resistance of a magnetic medium to demagnetization is its coercivity, which is measured in Oersteds (Oe). In order to completely erase the content on the magnetic media (e.g. hard disk), the degausser should produce a sufficiently strong magnetic field. It is recommended that the magnetic field should be at least 1.5 times higher than the coercivity of the media. Typical figures for various types of magnetic media are given below:

    Typical Media Coercivity Figures

    Media                          Coercivity
    5.25" 360K floppy disk         300 Oe
    5.25" 1.2M floppy disk         675 Oe
    3.5" 720K floppy disk          300 Oe
    3.5" 1.44M floppy disk         700 Oe
    3.5" 2.88M floppy disk         750 Oe
    3.5" 21M floptical disk        750 Oe
    1/2" magnetic tape             300 Oe
    1/4" QIC tape                  550 Oe
    8 mm metallic particle tape    1500 Oe
    DAT metallic particle tape     1500 Oe
    4mm DDS-1 tape                 1550 Oe
    4mm DDS-2 tape                 1650 Oe
    4mm DDS-3 tape                 2300 Oe
    4mm DDS-4 tape                 2350 Oe
    Older (1980's) hard disks      900-1400 Oe
    Newer (1990's) hard disks      1400-2200 Oe
    Newer (2000) hard disks        2000-3400 Oe


  • During the degaussing process, the degaussers have to be operated at their full magnetic field strength. The product manufacturer's directions must be followed carefully since deviations from an approved method could leave significant portions of data remaining on the magnetic media.
  • For degaussing hard drives, all shielding materials (e.g. castings, cabinets, and mounting brackets) which may interfere with the degausser's magnetic field must be removed from the hard drive before degaussing. Hard disk platters must be oriented horizontally during the degaussing process. For degaussing hard drives with very high coercivity ratings, it may be necessary to remove the magnetic platters from the hard drive's housing.
  • Sufficient checks and balances mechanisms should be in place for the degaussing process, such as requiring the individual who performs the degaussing to certify its completion by affixing a signed verification label to the hard drive, or to the computer housing the hard drive, indicating the date and the degaussing product used for the procedure. A sample check of the degaussed media should also be performed by another party to ensure that the degaussing was done properly. Besides, the degausser should be periodically tested according to the manufacturer's directions to ensure that it functions properly.
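As an added example that is not part of the original FAQ, the 1.5 times rule applied to the coercivity table above: given a degausser's rated field, it reports which of the listed media that field can be expected to erase, treating a coercivity range as its upper bound (the conservative choice, since a label such as "1990's hard disk" does not say where in the range a particular unit falls). The 2500 Oe rating used in the usage line is a constructed value, not a real product's figure.

```python
import re

SAFETY_FACTOR = 1.5  # recommended margin of the field over the medium's coercivity

# Typical coercivity figures exactly as listed in the FAQ table above.
MEDIA_COERCIVITY = [
    ('5.25" 360K floppy disk', "300 Oe"),
    ('5.25" 1.2M floppy disk', "675 Oe"),
    ('3.5" 720K floppy disk', "300 Oe"),
    ('3.5" 1.44M floppy disk', "700 Oe"),
    ('3.5" 2.88M floppy disk', "750 Oe"),
    ('3.5" 21M floptical disk', "750 Oe"),
    ('1/2" magnetic tape', "300 Oe"),
    ('1/4" QIC tape', "550 Oe"),
    ("8 mm metallic particle tape", "1500 Oe"),
    ("DAT metallic particle tape", "1500 Oe"),
    ("4mm DDS-1 tape", "1550 Oe"),
    ("4mm DDS-2 tape", "1650 Oe"),
    ("4mm DDS-3 tape", "2300 Oe"),
    ("4mm DDS-4 tape", "2350 Oe"),
    ("Older (1980's) hard disks", "900-1400 Oe"),
    ("Newer (1990's) hard disks", "1400-2200 Oe"),
    ("Newer (2000) hard disks", "2000-3400 Oe"),
]

# Accepts "300 Oe" or a range such as "900-1400 Oe".
_OE = re.compile(r"^\s*(\d+)(?:\s*-\s*(\d+))?\s*Oe\s*$")


def parse_coercivity(text: str) -> tuple:
    """Parse a table entry into (low, high) integers in Oersteds.

    A single figure is returned as (value, value) so callers can always
    take the worst case from the second element.
    """
    m = _OE.match(text)
    if not m:
        raise ValueError(f"unrecognised coercivity: {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    return low, high


def required_field(coercivity_oe: float, factor: float = SAFETY_FACTOR) -> float:
    """Minimum degausser field for a medium of the given coercivity."""
    return factor * coercivity_oe


def assess_degausser(field_oe: float, media=MEDIA_COERCIVITY) -> dict:
    """Split the media list into those a degausser of `field_oe` can be
    expected to erase and those it cannot, always using the upper bound of
    a coercivity range so that a borderline unit is never wrongly cleared."""
    result = {"adequate": [], "inadequate": []}
    for name, text in media:
        _, worst_case = parse_coercivity(text)
        need = required_field(worst_case)
        entry = {"media": name, "coercivity_oe": worst_case, "required_oe": need}
        bucket = "adequate" if field_oe >= need else "inadequate"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    # 2500 Oe is a constructed degausser rating for the demonstration.
    for bucket, entries in assess_degausser(2500).items():
        for e in entries:
            print(f"{bucket:10} {e['media']:30} needs {e['required_oe']:.0f} Oe")
```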

Question 43

 Q:What is a Virus ?
 A:Since the first PC virus was found in 1986, the total number of viruses has rocketed to an enormous figure. As many may already know, a computer virus is a piece of malicious program code which is able to affect the normal operation of a computer system. Why do we call these malicious codes computer viruses? Computer scientists have found a number of similarities between biological viruses (like "H5N1") and computer viruses. First of all, both of them need a host for residence. In the case of a computer virus, the host is usually the infected file / disk. Secondly, both of them are capable of self-replicating from one host to another. Finally, both of them may cause damage to the host. But there is at least one difference: computer viruses are created by humans while biological viruses are not. When a virus strikes, the results range from merely annoying screen displays to disastrous and extensive data corruption. With the growing popularity of microcomputers, the threat of viruses should definitely not be neglected. To further complicate the story, a new type of virus, named "Macro Virus", emerged in the computing world in 1995. Its ability to infect document files has broken the golden rule that "viruses can affect program files only". Also, the ubiquity of document exchange among computer users has further fuelled the spread of macro viruses. Notwithstanding, with appropriate counter-measures in place, we are still able to prevent / minimize the loss from computer infection.

Question 44

 Q:How can virus affect us ?
 A:Computer viruses affect the health of your computer just as their biological counterparts make you sick. Typical payloads of computer viruses include creating annoyances (e.g. interfering with your mouse / keyboard), removing files from your hard disk and formatting your hard disk. It is only since the discovery of the CIH virus that corruption of BIOS data has been added to the list of payloads. Computer viruses may seem remote from you. That may have been true in the old days, when few of us had a PC at home and viruses spread slowly with the exchange of floppy disks. But times have changed; viruses can now reach us through a number of routes. They may arrive from shared files on a server, mail from your colleagues, or files downloaded from the Internet and BBSs. And worse still, some vendors have delivered machines / CD-ROMs with viruses pre-installed. So we are all at risk. This is illustrated by the results of a survey conducted by ICSA (International Computer Security Agency, a US-based company) in 1998 over 580,000 desktop workstations and 12,000 application and file servers. ICSA found that virtually all large and midsize North American corporations (>99%) had encountered computer infections. In addition, the outbreak of the Melissa virus proved that a virus could spread around the globe within hours. Do you still think that viruses are remote from you?

Question 45

 Q:What are CARO and EICAR ?
 A:CARO - Computer Anti-Virus Researchers Organisation. An invitation-only group of technical researchers, mostly representing anti-virus vendors. CARO approves 'standard' names for viruses. Some people tend to mistrust the fact that CARO members often share virus samples; however, CARO membership is a convenient yardstick by which other members can judge whether an individual can be trusted with samples. In general, users at large benefit this way: anti-virus vendors with CARO members can include most known viruses in their definition databases.


EICAR - European Institute for Computer Anti-Virus Research. Its membership comprises academic, commercial, media and governmental organisations etc., with experts in security, law etc., combining in the pursuit of controlling the spread of malicious software and computer misuse. Membership is more open, but members are expected to subscribe to a code of conduct. And yes, this is the origin of the EICAR test file. EICAR has a web page at


Question 46

 Q:What is the Wild List ?
 A:The Wild List is a list of the most common viruses infecting computers worldwide, and is compiled by the well-known antivirus researcher Joe Wells. Wells works closely with antivirus research teams around the world to update the list regularly.

A product that detects 90 percent of 'in the wild' viruses will detect 90 percent of the viruses on this list - or 90 percent of the most common viruses circulating.


Question 47

 Q:How to prevent virus ?

Computer viruses are all around you and me. Nevertheless, we can minimize the chance of being infected by taking sufficient preventive measures. The following provides some guidelines on preventing computer virus infection:


  • DO NOT use illegal software under any circumstances.
  • Connections to the Internet / external BBSs should be controlled.
  • DO NOT run programs downloaded from the Internet or of doubtful origin. If it is necessary to do so, you should scan the file with an up-to-date virus scanner first.
  • Scan files attached to e-mails with an up-to-date anti-virus program before use.
  • Set C: as the default boot-up drive (by changing the settings in the CMOS setup). This will decrease the chance of infection by a boot sector virus.
  • Check floppy diskettes and files (especially those of unknown origin) with a virus scanning program before use.
  • Write-protect all floppy diskettes that you do not expect to write to, and remove floppy diskettes from the drive slots when they are not being used.
  • Make sure that you back up your files regularly so that you can recover them after a virus attack.

Question 48

 Q:How to detect virus ?

New viruses are being developed every day. New techniques may render existing preventive measures insufficient. The only truth in the virus and anti-virus field is that there is no absolute security. However, we can minimize the damage by identifying virus infections before they carry out their payload. The following lists some ways to detect virus infections:


  • Watch out for any changes in machine behaviour. Any of the following signs could be symptoms of virus activity:
    • Programs take longer than usual to execute,
    • Sudden reduction in available system memory or disk space.
  • A memory-resident anti-virus program can be employed to continuously monitor the computer for viruses.
  • Scan your hard disk with an anti-virus utility. You should make sure that up-to-date virus signatures have been applied, and you should update the signatures at least once a month.
  • Employ server-based anti-virus software to protect your network. You should also consider employing application-based anti-virus software (e.g. that running on Lotus Notes) to further protect your machines.

Question 49

 Q:Are there CMOS viruses ?
 A: Although a virus can write to (and corrupt) a PC's CMOS memory, a virus can NOT 'hide' there. The CMOS memory is not 'addressable': data stored in CMOS would not be loaded and executed on a PC. A malicious virus can alter the values in the CMOS as part of its payload, causing the system to be unable to reboot, but it cannot spread or hide itself in the CMOS.


A virus could use CMOS memory to store part of its code, but executable code stored there must first be moved to the computer's main memory in order to be executed. Therefore, a virus cannot spread from, or be hidden in CMOS memory. And there is no known virus that stores code in CMOS memory.


There have been reports of a trojanized AMI BIOS. It is not a virus, but a 'joke' program which does not replicate. The malicious program is not on the disk, nor in CMOS, but was directly coded into the BIOS ROM chip on the system board. If the date is the 13th of November, it stops the boot-up process and plays 'Happy Birthday' through the PC speaker.


Question 50

 Q:Are there BIOS viruses ?
 A: Theoretically, it is possible to have a virus that hides in the BIOS and is executed from the BIOS. Current technology enables programs to write code into the BIOS, and the BIOS is where the first piece of program to be executed when a PC boots up is stored.

Question 51

 Q:How to clean virus ?

A virus has been found? Don't panic! The following are some pieces of advice about removing computer viruses:


  • All activities on the infected machine should be stopped (and it should be detached from the network), as the payload may be triggered at any time. Continuing to use the infected machine helps the suspected virus spread further.
  • Recovering from backup is the most secure and effective way to recover the files.
  • In some cases, you may recover the boot sector, partition table and even the BIOS data using an emergency recovery disk.
  • In case you do not have the latest backup of your files, you may try to remove the virus using anti-virus utilities.

Question 52

 Q:Do we have to fear virus ?
 A: Computer viruses are not devils. They are just computer programs with a self-replication function, i.e. they are able to make copies of themselves. Since the process is automatic, the program is able to spread inside a computer or inside a network. Anti-virus software is designed by international companies to detect and clean such virus programs. With up-to-date virus signatures, almost all viruses can be detected and removed easily. For new viruses not detected by anti-virus software, a new virus signature update will usually be available within a week.

Question 53

 Q:Are there PDA viruses ?
 A: As with any computing platform, handheld devices are also susceptible to virus attacks. Thus far, there have already been some reports of minor virus attacks on mobile devices. For more information, see Types of Virus.

Question 54

 Q:Are there mobile phone viruses ?
 A: Mobile phones that do not allow the user to install new applications on the device, and are limited to using only the on-board applications burned into ROM (read only) or Flash memory chips, are not susceptible to classical computer virus attacks. However, the new generation of smart phones are essentially mobile-enabled PDAs. These devices permit the user to install new software on the device at any time. Therefore, as with any computing platform, smart phones are also susceptible to virus attacks. Thus far, there have already been some reports of minor virus attacks on mobile devices. For more information, see Types of Virus.

Question 55

 Q:Can data files be infected ?
 A:Usually not. The exception is data files that contain executable code, which can be infected by viruses. A good example of this is a Microsoft Word file (.DOC, .DOT). Although Word files are technically data files, they may contain macros, which are executable and therefore susceptible to infection.

Question 56

 Q:What is a macro virus and how does it spread ?
 A:Macro viruses are special macros that self-replicate in the data files of applications such as Microsoft Word and Excel. The majority of macro viruses infect Word document files. When a file containing infected macros is opened, the virus usually copies itself into Word's global template file (typically NORMAL.DOT). Any document opened or created subsequently will be infected.


Macro viruses become part of the document itself, and are transferred with the file via floppy disks, file transfer, and e-mail attachments.


Question 57

 Q:What's the worst damage a macro virus can do ?
 A:Like all computer viruses, macro viruses can destroy data. For most users, the worst thing a macro virus might do is to reformat their computer hard drives. While most of the known macro viruses are not destructive, many cause a considerable loss of productivity and time.

Question 58

 Q:How to minimize Word macro viruses' destruction to hard disks and files ?
 A: Of course, the most secure method is to back up your data regularly and to use antivirus software that is able to scan your documents before Word starts up.

Question 59

 Q:Will viruses infect Access ?
 A: Yes. The first Access macro virus, JETDB_ACCESS-1, infects Chinese, English, Japanese and other versions of Access. Once this virus infects a database, it will search for and infect all .MDB files in the current directory.

Question 60

 Q:I cannot save files, Word Basic Error 7 occurs while saving a file ?
 A: Error 7 in Word Basic means out of memory. If you are using Word only, and there is no large image in the document, this error should not occur. You should check the macros in the global template to see if there is a Prank Macro virus or another Word macro virus. You can see the macros in the Normal template by choosing the Tools | Macros menu item (if the 'Macros' option has disappeared, your machine is likely infected with some macro virus). If there is a suspicious macro in the Normal template, you should scan your machine with anti-virus software to see if there is any macro virus.

Question 61

 Q:Will I be infected when I access Internet FTP server ? Will virus be downloaded during file downloading ?
 A:The files on the FTP server may be infected with computer virus(es). Your computer will be infected if you run / open the infected file(s). Therefore, you should scan files downloaded from the Internet before use.

Question 62

 Q:Will virus infect my machine if I connect to the Internet and view Web pages/download programs ?

If you're only viewing web pages written in plain HTML (i.e. no ActiveX, active scripting, Java, etc.) and your computer has been patched with the latest security patches, the answer is 'No'. However, if your computer is not fully patched, or if you run ActiveX controls, active scripting and Java applets, or run programs downloaded from the Internet, it is possible that these programs contain viruses and affect your machine. Computer users should take the following security measures when surfing the Internet:


  • Ensure that the latest security patches have been applied to the operating system and software on your computer.
  • Enable real-time scanning in your anti-virus software and use the latest virus signatures.
  • Avoid visiting suspicious / untrusted websites.
  • Do not execute unsigned ActiveX controls or ActiveX controls from untrusted sources.
  • If possible, disable active scripting in the browser settings.
  • Avoid downloading programs from untrusted websites, since they carry a high risk of causing virus infection.

Question 63

 Q:Can e-mail message be infected ?
 A: Plain electronic mail messages in pure text containing no executable code will not be infected. However, HTML e-mails, which can contain executable scripts, as well as files attached to an e-mail message, may be infected. Most anti-virus software nowadays can be configured to scan e-mails and their attachments.

Question 64

 Q:Can firewalls detect virus ?

Firewalls do not screen for computer viruses. As the location of firewalls within a network is usually a good place for virus scanning, some firewalls have plug-in virus-scanning modules, and some programs are also available for scanning for viruses at a point either before or after a firewall.


You may wish to note that scanning FTP or HTTP traffic adds heavy network overhead but blocks only one of the sources of viruses, as viruses can get into the local intranet through floppy disks, CD-ROMs or even a brand new PC.


Question 65

 Q:What is a clean boot disk. How to create a clean boot disk ?

A boot disk is one which contains the necessary operating system files (e.g. MSDOS.SYS, IO.SYS) to boot up the machine. It is useful when scanning for and cleaning viruses, because even if the hard disk becomes inaccessible, you can still boot up the machine to attempt some repairs. If you are running DOS / Windows 3.x, you could create a boot disk (in drive A:) using the following command:




If you're running Windows 95 / 98, you could create a system disk by selecting 'Add / Remove Programs' in Control Panel, choosing the 'Startup Disk' tab, and then clicking the 'Create Disk' button.

After creating the boot disk, make sure it is *write-protected* so that it would not be infected by virus.


Question 66

 Q:What are rescue disks ?
 A: Many anti-virus and disk repair utilities can make a (usually bootable) rescue disk for a specific system. This needs a certain amount of care and maintenance, especially if you have made more than one of these for a single PC with more than one utility. Make sure you update *all* your rescue disks when you make a significant change, and that you understand what a rescue disk does and how it does it before you try to use it. Don't try to use a rescue disk made from one PC on another PC unless you're very sure of what you're doing; otherwise you may risk losing valuable data/files on your computer.

Question 67

 Q:What is scan engine ? Why do I have to update signature file as well as the scan engine of my antivirus software ?

A virus scanning engine is the program that does the actual work of scanning for and detecting viruses, while signature files are the 'fingerprints' used by the scan engine to identify viruses. New scan engine versions are released for a number of reasons. About 6 to 8 new viruses are found every day around the world, and new types of viruses may not be detected by the old engine. New versions of the scan engine usually also enhance scanning performance and detection rates. Some vendors provide updates for both the scan engine and the signature file in a single file, while others provide them in separate files. You may find the link to update your anti-virus software in the following web page.
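The engine / signature split described here, and the EICAR test file mentioned under Question 45, as an added example (not code from this page or from any anti-virus vendor): a toy scanner whose matching logic is kept separate from its signature table, with the EICAR string as its one real signature. The second signature name and pattern are constructed placeholders.

```python
"""Toy signature scanner: the 'engine' (matching code) is separate from the
'signature file' (a table of fingerprints), so each can be updated on its own.
Added example; not the page's or any vendor's code."""
import os
import tempfile

# The standard 68-byte EICAR test string, built from two halves so that this
# source file is not itself flagged by an on-access scanner.
EICAR_TEST_STRING = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
EICAR_BYTES = EICAR_TEST_STRING.encode("ascii")

# 'Signature file': detection name -> byte pattern. Replacing this table is a
# signature update; the engine functions below stay unchanged.
SIGNATURES = {
    "EICAR-Test-File": EICAR_BYTES,
    # constructed placeholder, not a fingerprint of any real malware
    "Example-Signature-1": b"CONSTRUCTED-SAMPLE-PATTERN-0001",
}


def write_eicar_test_file(path):
    """Write the EICAR test file so a real scanner's detection can be checked."""
    with open(path, "wb") as f:
        f.write(EICAR_BYTES)
    return path


def is_eicar_test_file(data):
    """Strict EICAR rule: the 68-byte string, optionally followed only by
    whitespace (space, tab, CR, LF, Ctrl-Z), at most 128 bytes in total."""
    if len(data) > 128 or not data.startswith(EICAR_BYTES):
        return False
    return all(b in b" \t\r\n\x1a" for b in data[len(EICAR_BYTES):])


def scan_bytes(data, signatures=SIGNATURES):
    """Engine: substring match of every signature. A smarter engine (e.g. one
    that unpacks archives first) would change this function, not the table."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_file(path, signatures=SIGNATURES):
    with open(path, "rb") as f:
        return scan_bytes(f.read(), signatures)


def scan_directory(directory, signatures=SIGNATURES):
    """Return {relative path: [detection names]} for every file that matched."""
    hits = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            found = scan_file(full, signatures)
            if found:
                hits[os.path.relpath(full, directory)] = found
    return hits


def demo():
    """Scan a temporary directory holding one EICAR file and one clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        write_eicar_test_file(os.path.join(tmp, "eicar.com"))
        with open(os.path.join(tmp, "clean.txt"), "w") as f:
            f.write("nothing to see here\n")
        return scan_directory(tmp)


if __name__ == "__main__":
    print(demo())  # {'eicar.com': ['EICAR-Test-File']}
```

Point a real scanner at the file written by write_eicar_test_file() to confirm that its on-access or on-demand scanning is actually switched on.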


Question 68

 Q:Why some viruses can be detected but not cleaned with the anti-virus software ?

Anti-virus software not only detects viruses but also other types of malicious code, which may not be cleanable. For example, a trojan horse is a type of malicious code that should be deleted instead of cleaned. In other cases, the virus may have corrupted the file and made it impossible to clean / recover. Nevertheless, there are some things you can do to maximize the likelihood of recovering the file using anti-virus software:


  • Check whether the virus signature files and scan engine are up to date.
  • Make sure there is enough free space on the disk.
  • Check if removal instructions or an automatic removal tool are available from the anti-virus vendor's web site.
  • If still unsuccessful, obtain a virus sample and send it to the anti-virus vendor for recommended actions.

Wi-Fi Security

 Question 1
 Q: How to prevent unauthorized Wi-Fi access?
 A: To prevent unauthorized Wi-Fi access, you can consider implementing the following measures on your wireless access point (AP).
  • Change the default settings, such as the user name and password of the Access Point (AP).
  • Turn on wireless data encryption, WPA2-PSK (Pre-shared Key) with AES, with a passphrase of at least 20 characters containing at least one capital letter and one numeric digit.
  • Enable the MAC address filtering feature on the AP and only allow devices with pre-registered MAC addresses to connect.
  • Do not broadcast the service set identifier (SSID).
  • Turn off the AP when not in use.
 Question 2
 Q: How to prevent hacking of insecure default configuration?
 A: To prevent unauthorized Wi-Fi access, you can consider implementing the following measures on your wireless access point (AP).
  • Change the default settings, such as the user name and password of the Access Point (AP).
  • Turn on wireless data encryption, WPA2-PSK (Pre-shared Key) with AES, with a passphrase of at least 20 characters containing at least one capital letter and one numeric digit.
  • Enable the MAC address filtering feature on the AP and only allow devices with pre-registered MAC addresses to connect.
  • Do not broadcast the service set identifier (SSID).
  • Turn off the AP when not in use.
 Question 3
 Q: How to prevent hacking via weak protocol?
 A: Use WPA2-PSK (Pre-shared Key) with AES for the data encryption. WPA2 is more secure than WPA and WEP, whose algorithms have been broken. To protect against brute force attacks, the passphrase should be at least 20 characters long and contain at least one capital letter and one numeric digit. Apart from data encryption, users should disable services that are not in use (e.g. SNMP and WPS) and upgrade the firmware regularly.
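The passphrase policy stated in Questions 1 to 3 and the role of the SSID in WPA2-PSK, as an added example (not the OGCIO's code): a policy checker for the 20-character / capital letter / digit rule, plus the standard passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes), which shows why the same passphrase gives a different key on every SSID. The sample SSIDs and passphrases are constructed.

```python
"""Passphrase policy check and WPA2-PSK derivation (added example, not the
OGCIO's code). Sample SSIDs and passphrases below are constructed."""
import hashlib
import hmac

MIN_LENGTH = 20  # policy from the answer above


def check_passphrase_policy(passphrase):
    """Return the list of policy violations (empty list = compliant):
    at least 20 characters, one capital letter and one numeric digit."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than 20 characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no numeric digit")
    return problems


def derive_psk(passphrase, ssid):
    """WPA/WPA2 PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds,
    32 bytes). Because the SSID is the salt, the same passphrase yields a
    different PSK on every SSID; a widely used vendor default SSID lets
    tables precomputed for that SSID be reused, so a non-default SSID is
    part of the defence even though it is not a secret."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_hex(passphrase, ssid):
    return derive_psk(passphrase, ssid).hex()


def same_psk(passphrase, ssid_a, ssid_b):
    """Constant-time comparison of the PSKs a passphrase gives on two SSIDs."""
    return hmac.compare_digest(derive_psk(passphrase, ssid_a),
                               derive_psk(passphrase, ssid_b))


if __name__ == "__main__":
    weak, strong = "password1", "Guest-Office-2nd-Floor-Printer-Room-7"
    print(check_passphrase_policy(weak))    # ['shorter than 20 characters', 'no capital letter']
    print(check_passphrase_policy(strong))  # []
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(psk_hex("password", "IEEE"))
    print(same_psk(strong, "OfficeAP", "OfficeAP-2"))  # False
```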
 Question 4
 Q: How to prevent clients sniffing each other?
 A: Some APs have a built-in function to isolate connections between clients. This function has different names in different products (e.g. AP Isolation, Privacy Separator). In addition, make sure you use HTTPS connections whenever possible while browsing the Internet.
 Question 5
 Q: How to minimize the exposure of corporate network via Wi-Fi for guest?
 A: If you provide Wi-Fi connections to guests, you should separate them into an isolated Wi-Fi network. Guests should have limited access to the Internet only (web browsing) and should not be able to access internal resources such as file servers. System administrators should review the traffic and audit logs regularly, as this can help in the detection of security incidents.
 Question 6
 Q: How to minimize the exposure of internal Wi-Fi?
 A: Below are some suggestions that you can implement to minimize the exposure of internal Wi-Fi.
  • Change the AP default user name and password.
  • Do not broadcast the SSID of the AP.
  • Only allow registered wireless network devices to connect.
  • Turn on wireless data encryption.
  • Classify Wi-Fi networks as untrusted networks and password-protect your computers and files.
  • Use a firewall and network intrusion detection to detect and defend against network attacks.
  • Periodically check AP logs for abnormal traffic and rogue users.
  • Turn off wireless cards and APs when not in use.
 Question 7
 Q: How to plan and deploy secure corporate Wi-Fi network?
 A: A wireless network provides the mobility for users to work anywhere within the company. It also provides a way for you to allow visitors to access the Internet with their mobile devices. Planning and deployment are more complicated than just plugging a wireless AP into your corporate network. You need to establish policies for the usage and control of the Wi-Fi network, select security measures to minimize the risk in Wi-Fi networks, and secure Wi-Fi communications.

You may refer to the following when planning and deploying a Wi-Fi network.

Security Policies:

  • Define the usage of the Wi-Fi network and the security requirements of the Wi-Fi connection.
  • Define the types of information that are not allowed to be sent over the wireless network.
  • Define the procedure for reporting the loss of a WLAN device.
  • Keep an accurate inventory of all WLAN devices.
  • Remove all configuration and sensitive information from a WLAN device before disposal.

Wi-Fi location and network design:

  • A wireless site survey should be conducted to tune the power of the APs to provide just sufficient coverage and roaming capability.
  • Treat the Wi-Fi network as an untrusted network and segment the wireless traffic into a separate network.

Security protection:

  • Deploy a wireless network intrusion system (WIPS/WIDS) which supports rogue AP identification and denial-of-service protection, such as against AP flooding.
  • Disable all insecure and unused management protocols on the AP and configure it for least privilege.
  • Enable the AP access threshold parameters, such as inactivity timeouts and maximum supported associations.
  • Enable the AP logging features and forward the log entries to a remote logging server.
  • Disable the ad-hoc mode of wireless client devices.
  • Incorporate the enterprise login system (such as RADIUS and Kerberos) for authentication.
  • Adopt the latest authentication options, such as the Extensible Authentication Protocol (EAP), to get a higher protection level.
  • Limit the services provided in the WLAN, especially the guest WLAN. Apply access control and quality of service control to ban disallowed traffic or unwanted overuse of bandwidth.

Ongoing maintenance:

  • A wireless vulnerability assessment should be performed regularly to check the enforcement of the security policy and to look for unknown wireless devices or security threats due to mis-configuration or device vulnerabilities.
  • Regularly review the access and traffic logs of APs for abnormal traffic and rogue users.
  • Update the firmware of wireless devices periodically.
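The periodic AP log review recommended in Questions 6 and 7 (unregistered devices, rogue users, AP flooding), as an added example that is not the OGCIO's code: it parses a constructed association log, lists clients that are not on the MAC filter list, and flags a burst of associations on one AP. The log layout, MAC addresses, window and threshold are constructed assumptions; real AP or syslog formats differ.

```python
"""Review of AP association logs for unregistered clients and association
floods (added example, not the OGCIO's code; log format and MACs constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Devices on the AP's MAC address filter list (constructed).
REGISTERED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Constructed log excerpt: "<ISO timestamp> <ap> <assoc|disassoc> <client MAC>".
# Real AP / syslog layouts differ; adapt parse_line() to your product.
SAMPLE_LOG = """\
2024-03-01T08:00:01 ap1 assoc 00:11:22:33:44:01
2024-03-01T08:00:05 ap1 assoc 00:11:22:33:44:02
2024-03-01T08:01:10 ap1 assoc 00:11:22:33:44:99
2024-03-01T08:05:00 ap2 assoc 00:11:22:33:44:03
2024-03-01T08:05:30 ap2 disassoc 00:11:22:33:44:03
"""
# Add a burst of 30 associations from 30 different MACs within 3 seconds on
# ap1: the footprint of the AP flooding that WIDS/WIPS is asked to stop.
_burst_start = datetime(2024, 3, 1, 8, 10, 0)
SAMPLE_LOG += "".join(
    "{} ap1 assoc 02:00:00:00:00:{:02x}\n".format(
        (_burst_start + timedelta(milliseconds=100 * i)).isoformat(), i)
    for i in range(30))


def parse_line(line):
    ts, ap, event, mac = line.split()
    return datetime.fromisoformat(ts), ap, event, mac.lower()


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unregistered_clients(events, registry=REGISTERED_MACS):
    """MACs that associated although they are not on the registered list
    (a filter bypass, a mis-registration, or a rogue user)."""
    return sorted({mac for _, _, ev, mac in events
                   if ev == "assoc" and mac not in registry})


def association_floods(events, window=timedelta(seconds=10), threshold=20):
    """Per AP, the first sliding window holding >= threshold associations,
    as (ap, window start, count); empty list when nothing is abnormal."""
    per_ap = defaultdict(list)
    for ts, ap, ev, _ in events:
        if ev == "assoc":
            per_ap[ap].append(ts)
    alerts = []
    for ap, times in per_ap.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((ap, times[start], end - start + 1))
                break  # one alert per AP is enough for a periodic review
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("unregistered:", unregistered_clients(evts))
    for ap, when, n in association_floods(evts):
        print("flood on {} starting {}: {} associations".format(ap, when, n))
```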
 Question 8
 Q: How to ensure continuous security of corporate Wi-Fi network?
 A: Security requires ongoing maintenance and education; it is important to regularly maintain the wireless network for the highest level of security.
  • Regularly review the access and traffic logs of APs for abnormal traffic and rogue users.
  • Update the firmware of wireless devices periodically.
  • Perform wireless vulnerability assessments regularly to check the enforcement of the security policy and to look for unknown wireless devices or security threats due to mis-configuration or device vulnerabilities.
  • Subscribe to wireless security newsletters and alerts and attend security seminars to keep abreast of new security trends.
 Question 9
 Q: Should I use free public Wi-Fi without encryption?
 A: You should avoid using free public Wi-Fi without encryption. If you do so, you should avoid logging in to your e-mail, online shopping or e-banking web sites.
 Question 10
 Q: How to avoid connecting to malicious Wi-Fi AP?
 A: To avoid connecting to a malicious Wi-Fi AP, you should be aware of the SSID you are connecting to. Do not connect to an SSID called “Free Public Wi-Fi”; this is usually an ad-hoc network created by another laptop, or a trap that tricks you into connecting to a harmful network which then infects your laptop or steals personal data.

Some wireless APs require you to accept a usage agreement on a landing page; you should verify their certificate by clicking the SSL lock icon before you accept the usage agreement. Finally, you should turn off the Wi-Fi device when it is not in use so that it does not automatically connect to unknown APs.

 Question 11
 Q: How to secure communication via public Wi-Fi?
 A: Public Wi-Fi access is generally treated as an insecure connection. Many public Wi-Fi networks are completely unencrypted so that users can connect to them easily. An intruder could easily see all data being transmitted if it is unencrypted. Therefore, you should only connect to a Wi-Fi hotspot with encryption enabled. Below are some tips which help you access public Wi-Fi safely.
  • Avoid sending financial / personal information over a public Wi-Fi network. If you must enter sensitive information, make sure you are connecting to an HTTPS web site: there is a lock icon in the browser window and the site's address begins with “https”.
  • Turn off file and printer sharing on your computer when connecting to a public network.
  • Make sure your Internet browser, computer and antivirus signatures are up to date, and turn on your system firewall.
 Question 12
 Q: How to communicate sensitive information over public Wi-Fi?
 A: We do not recommend sending sensitive information, such as financial information and bank account details, at a public Wi-Fi hotspot. If you do, make sure you are connecting to a legitimate hotspot and to web sites with encryption enabled.