
Security Awareness Tip of The Day


To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.



April 27, 2015

Only deal with reputable companies that you know and trust

At the very least be sure the company has a physical address and phone number. If you haven't done business with the company before, visit the Better Business Bureau online (http://www.bbbonline.org) and do some research. Check the company's website for feedback from previous customers.

April 26, 2015

How to spot a phishing email...

It could be a phishing email if...
  • There are misspelled words in the e-mail or it contains poor grammar.
  • The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers.
  • There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address."
  • The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example:

April 25, 2015

Secure your Wireless Router

When setting up a wireless network at home, I was surprised to be able to connect to my neighbor's unsecured wireless router. Not only could I have used his bandwidth for free, but had I been so inclined, I could have used the connection for illegal activities. If the police came looking, he may not have been able to prove the activity didn't come from one of his computers. Properly securing wireless is not hard. Look in the manual for changing the SSID to something unique, turning on WPA (avoid WEP) for authentication and TKIP for encryption, and using MAC address filtering.

April 24, 2015

Use a strong voicemail password. This helps prevent crooks from hijacking your phone line or voicemail

A busy person set his voicemail password to match his extension. It seemed easy to remember but was also easy to guess. A prison inmate guessed the password and began using the account to communicate with fellow criminals—leaving messages for them and deleting legitimate messages.

The receptionist at a small business came into the office at 8:30 a.m. and the phones were ringing off the hook. She picked up one of the lines and was surprised to hear people talking in a foreign language. Turns out fraudsters were using the phone system to steal international long-distance phone time.

April 23, 2015

Don't Investigate a Security Problem Unless You Are Authorized by the System Owner

A security specialist was suspicious after donating to a charity website and not getting an acknowledgement. So he ran a couple of tests on the site to see if it was what it claimed to be. Unfortunately, he set off the site's security alarms, and ended up convicted of a crime under the UK Computer Misuse Act and out of a job. At work, rather than trying to check by yourself, report suspected problems inside your company to your manager, IT area or security team. Aside from getting into trouble, you could destroy evidence or confuse people who are investigating an issue. http://www.channelregister.co.uk/2005/10/06/tsunami_hacker_convicted/

April 22, 2015

Don't make that call!

If you receive an email asking you to call an 800 number related to a banking issue, don't call the number. Your credit card has a phone number on the back as do your account statements. Be safe, don't call a phone number listed in an email; instead look the number up on your account statements. There is a new attack called Vishing, designed to have you call a fake, automated answering system, and get you to enter your account number and other sensitive information.

April 21, 2015

Use common sense when reviewing your email

If you did not order a new laptop, then you should not be receiving an update on its shipping status. Delete these emails.

April 20, 2015

Do not give your password over the phone to anyone claiming to be from the HelpDesk or Tech Support

No one from the HelpDesk or Tech Support will ever ask you for your password. If we need to access your account for some reason, and cannot contact you in time, we will reset the password and notify you by voicemail. Anyone calling and asking you for your password is most likely trying to gain unauthorized access to our network. If you receive such a call, notify your supervisor immediately.

April 19, 2015

Protect Your Social Security Number

Avoid using your Social Security number whenever you can. Many places use Social Security numbers for user identification. Ask to use an alternate number if possible. In addition, don't print it on personal checks. Your Social Security number is the key to most of your financial information, which makes it a prime target for criminals. Only give it out when absolutely necessary.

April 18, 2015

Four Tips to Help Keep Your Computer Secure

  1. Anti-virus. A reliable, effective anti-virus program with the latest updates. Both licensed and free anti-virus software are available. Whichever you use, make sure it scans incoming and outgoing emails for malware.
  2. Anti-spyware. Reliable, effective anti-spyware is a must for securing your computer. Both licensed and free anti-spyware software, such as Windows Defender, are available.
  3. Two-way Personal Firewall. Two-way personal firewall software monitors network traffic to and from your computer and helps block malicious communications.
  4. Anti-Keylogger software. Anti-Keylogger software products, like AntiLogger and Keyscrambler Personal, help prevent what you type on your computer, especially sensitive information such as the usernames, passwords, and financial information you use in making online transactions, from being hijacked by Bad Guys.

-- Ramkumar Raghavan

April 17, 2015

Don't download sets of pictures from the Internet

A user downloaded a set of photos of pop icon Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch her own programs. The IT department determined that she had downloaded a Trojan program along with the photo: her freebie photo had a malicious payload attached that used her computer to send out spam for a bad guy. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process.

April 16, 2015

When selecting a screen name...make sure it doesn't say too much about you

Screen names that hint at personal interests, hobbies, or favorite sports, combined with other clues in your profile, will give enough information for someone to figure out who you are and where they can find you.

April 15, 2015

Be skeptical and trust your instincts

People often post false or misleading information concerning their identities and interests. In most instances, this is done with good intentions as a way to avoid disclosing personal information. However, there are also people who fabricate information with malicious intent. If you ever feel threatened or uncomfortable with someone you encounter online, take the time to report the incident. Most social networking sites like MySpace provide several mechanisms for reporting inappropriate behavior.

April 14, 2015

Hey, I know who you are and where you work! It says so right there on your badge

Security badges are meant to prove identity and display access privileges at work. They should never be worn outside of the office in public when going to lunch, taking a break, or even walking outside. Exposing your badge in public permits identity thieves to see your name, office, and possibly your level of security clearance. What's worse is that now the public knows what your badge looks like, thereby increasing the chances of successful forgery. Always remove and put away your badge when leaving work, even if just for a break.

April 13, 2015

Avoid spam in your IM email account

Did you ever sign up with an Instant Messenger client so that you could chat with your buddies? Perhaps you have more than one running on the desktop. Each popular IM client conveniently comes with an email account, and each time a message arrives for your IM screen name you receive a notice, while that account fills up. You can prevent the spam and the email notices from appearing with a single filter. Since I added the following filter on my email account attached to my Yahoo IM, I no longer get these notifications. Simply add a filter that sends any message whose From address includes "@" directly to the trash. You will be able to communicate with all your IM buddies without the hassle of being notified of items coming into the inbox.

April 12, 2015

Don't fall for phishing schemes

Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts (if an email message looks suspicious, it probably is). However, there are some messages that look like the real thing but aren't. If an email message contains any of the following phrases, there's a good chance it could be a phishing scheme.
  1. We need to verify your account information.
  2. If you don't respond immediately, your account will be cancelled.
  3. Click the link below to update your information.

Take the following Phishing Quizzes and see how good you are at identifying phishing schemes.
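The two checklists above (the April 26 indicators and the three phrases just listed) are easy to turn into a small screening script. The following is an added example, not part of the SANS page: it flags requests for personal information, the urgency phrases from the tips, and a sender domain that closely resembles, but is not, a domain you normally deal with. The known-domain list and both sample messages are constructed for the demonstration.

```python
"""Heuristic phishing-indicator check (added example, not from the SANS tips page).

Flags the indicators the tips list: requests for personally identifiable
information, urgency or threat language, and a sender domain that is close
to, but not exactly, one you are used to seeing.
"""
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Terms for personal information the tips say a phisher asks for.
PII_TERMS = ["credit card", "account number", "password", "pin", "social security"]

# Urgency / threat phrases quoted in the two checklists.
URGENCY_PHRASES = [
    "account will be locked",
    "account will be cancelled",
    "respond immediately",
    "verify your account information",
    "click the link below to update your information",
    "foreign ip address",
]

# Constructed list of domains this user legitimately deals with (assumption).
KNOWN_DOMAINS = ["examplebank.com", "paypal.com"]


def sender_domain(from_header: str) -> str:
    """Return the domain part of a From header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def lookalike_domain(domain: str, known: List[str], threshold: float = 0.8) -> Optional[str]:
    """Return the known domain that `domain` resembles without matching, if any."""
    if domain in known:
        return None
    for good in known:
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None


def phishing_indicators(from_header: str, body: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    text = body.lower()
    findings = []
    # Word-boundary match so that "pin" does not fire on "shipping".
    pii = [t for t in PII_TERMS if re.search(r"\b" + re.escape(t) + r"\b", text)]
    if pii:
        findings.append("asks for PII: " + ", ".join(pii))
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        findings.append("urgency/threat language: " + ", ".join(urgent))
    dom = sender_domain(from_header)
    near = lookalike_domain(dom, KNOWN_DOMAINS)
    if near:
        findings.append(f"sender domain {dom!r} resembles {near!r} but is not it")
    return findings


# Constructed sample messages: one mimicking the tips' phishing pattern, one benign.
PHISH_FROM = "Example Bank Security <alerts@examp1ebank.com>"
PHISH_BODY = (
    "We need to verify your account information. If you don't respond immediately, "
    "your account will be cancelled. Click the link below to update your information "
    "and confirm your password and PIN."
)
LEGIT_FROM = "Order Updates <orders@shop.example>"
LEGIT_BODY = "Your order #1234 has shipped and should arrive Thursday."


def check_samples():
    """Run both constructed samples; returns (phish_findings, legit_findings)."""
    return phishing_indicators(PHISH_FROM, PHISH_BODY), phishing_indicators(LEGIT_FROM, LEGIT_BODY)


if __name__ == "__main__":
    for label, findings in zip(("phish", "legit"), check_samples()):
        print(label, "->", findings or "no indicators")
```

The domain comparison is deliberately fuzzy: a similarity ratio above 0.8 against a known domain that is not an exact match is exactly the "close to the real domain name but not exact" case the tip describes. As with the checklist itself, a hit is a reason to look closer and verify through a channel you already trust, not proof of fraud.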
April 11, 2015

Don't be duped by Internet Fraud

We all get offers that seem too good to be true. Whether they come by email or appear on web sites, they are often clever schemes designed to dupe the gullible. Don't be tricked by Internet Fraud. For more information see http://www.lookstoogoodtobetrue.com.

April 10, 2015

Make sure the site you're ordering from protects your information crossing the Internet

This is shown by either a closed lock or an unbroken key at the bottom of the browser window. You can also check to see if the URL begins with https://. While https by itself is not an indication of a secure site, when it is combined with the lock or the unbroken key, then it indicates your data is being encrypted from prying eyes as it crosses the Internet. If you have https without the lock or key in the browser, then it has been faked and is not secure. Sometimes you may also encounter a pop up box that indicates you are about to enter or leave a secure area.

April 9, 2015

Backup important files on a regular basis

Back up important files on a regular basis and store the backups in a safe place (preferably off site). You can back up files to removable disk or save copies to network shares. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".

April 8, 2015

Get a separate email address for postings

To secure your data and reduce SPAM sent to your business as well as to your private email account, get a dedicated address for internet postings. Never use your business email address for posting guestbook entries, votes, or questions and answers in forums and surveys. It's good to be reachable in these situations, but best to be anonymous.

April 7, 2015

Don't tell anybody your password

This warning includes your systems administrator, who NEVER needs your password. One day I received an e-mail from "Support@Waidele.info", saying they needed my password for maintenance, and if I did not go to a webpage and give it to them, they would suspend my account. As it turns out, I'm the one in charge of "waidele.info" — so I'm the one who gives out accounts and does maintenance. Things might have ended differently if I had had an account with googlemail.com or aol.com. Then the senders would have called themselves "support@aol.com" and I might have been fooled.

April 6, 2015

Use anti-virus software

Make sure you have anti-virus software installed on your computer and update it regularly.

Warning: Out-of-date anti-virus software will not protect your computer from new viruses.

April 5, 2015

Always Check Credentials

The receptionist's PC had been running slowly, so he was pleased when a woman arrived and announced that she was a technician. She dropped the name of the IT manager and said, "Don't bother logging off, I'll only be a few minutes." Ten minutes later she was gone — along with a bunch of confidential documents. Those documents enabled an unscrupulous competitor to beat the company to a lucrative contract. If the receptionist had checked the technician's credentials with the IT Manager, the security breach could have been avoided. Not only did the receptionist learn a lesson; the company also learned that they should control access to sensitive information!

April 4, 2015

Question Apparent Authority

Even highly intelligent and educated people fall for a phishing scam. Remember the old 60's T-shirt/slogan — "Question Authority"? When you are on the computer, remember to Question Apparent Authority.

April 3, 2015

Do not allow Internet Explorer to store passwords for you

Stored passwords allow anyone who can access your machine to log in to your web accounts as you. In addition, there are numerous utilities that can expose that hidden information and actually reveal the password. If you've reused that password for other logins, many systems or web sites could be compromised.

April 2, 2015

Don't click on links in pop-ups or banner advertisements

In July 2007, when iPhones were scarce and strongly in demand, Botnet herders put software on already infected computers that redirected users browsing for iPhones to phony websites. The malware caused pop-ups and banner advertisements on infected computers; clicking on the provided links took users to the phony sites. People who attempted to buy iPhones from the sites were actually providing the Bad Guys with their personal and financial information. You can expect to see something similar for any fad that comes along. When your heart is tempted by the latest hot fad, don't throw caution to the wind.

April 1, 2015

Use caution when opening email attachments

Email attachments are a common tool for attackers because forwarding email is so simple. Users often open attachments that appear to come from someone they know or an organization they do business with. Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send. If your email program includes an option to automatically download email attachments, DON'T take it. Doing so could immediately expose your computer to any viruses included in the email attachments.

March 31, 2015

Passwords: Be creative

If you can't remember hard passwords no matter how hard you try, put your password in parentheses. baseball38 is a weak password. (baseball38) is much better.

When you change your password, you should always change at least half of it and when you do, change the parentheses as well. Change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.

March 30, 2015

Stop! Nobody Sends Email to Dead People!

One type of Phishing (fake emails to trick you into sharing your private financial details) is to send a note claiming to want to send you a sum of money but not being able to because they have been told you are deceased. The idea is for you to prove you are not dead by giving up your financial information. As always, if it sounds too good to be true, it is probably not true. If someone wants to contact you in order to give you a large sum of money, they will almost certainly do it by certified mail, not by email.

March 29, 2015

Don't share your password, even with an assistant or close coworker

A salesperson relied on his assistant every day, trusting her with his username and password. She quit, but not before she deleted all of his sent e-mail and all of his saved files...Turns out she wasn't backing up the computer either.

Several coworkers used the same ID to log in—it seemed easier that way. The time came to change their password and they forgot to tell each other. One by one, they all called the help desk to get the ID reset, and they ended up locking each other out of their computers and getting reprimanded for sharing.