3 Days Left to Save $200 on ICS Houston Training

Security Awareness Tip of The Day

Upcoming Webcasts RSS Feed Click here to subscribe to the Security Awareness Tip of the Day RSS Feed

To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.

SANS Institute is using Twitter! Click Here

SANS Security Tip Contest. Have your tip featured on the SANS Tip of the Day!

May 4, 2015

Email isn't the only online communication that has security risks

Instant Messaging has become a popular way for people to communicate over the Internet. In some instances it has even replaced email. What some people don't realize, however, is that instant messaging has many of the same security threats that email does... and then some. Instant messaging can transfer viruses and other malware, provide an access point for Trojans, and give hackers an easy way to find victims. If you use instant messaging on a regular basis, you need to be aware of the security risks associated with it and take steps to protect yourself. See the following links for more on instant messaging safety.

May 3, 2015

Avoid default installations

Most software and hardware setup procedures are designed to get the product up and running with maximum functionality and minimum effort. One thing that usually slips is security. If you set up your external firewall with the suggested password from the installation instructions, how many others are set up just like that? Take the time to change the defaults that will make the attacker's job just a little bit harder. Make sure to document the changes in a secure way.
May 2, 2015

Always lock your computer (by pressing CTRL + ALT + DELETE and hitting "Enter") before walking away from it

Locking your computer before leaving it unattended prevents anyone else from accessing it while you are away. This is especially important when there are customers in your office. Leaving your computer unlocked can expose customer data to a third party. Even when there is no one in your office, data could be exposed if your computer screen faces an outside window, especially on the ground floor.
May 1, 2015

It takes two to tango and two firewalls to secure your system

Contrary to the myth that hardware firewalls are better than software firewalls, both are equally necessary to secure your system because they provide different kinds of protection. Any size network — whether it's one or two computers on a home network or 100 computers in a business — needs to be protected by a hardware firewall, and every connected computer needs to be protected by a software firewall.
April 30, 2015

Save your files to a network server

A computer user working on a critical project was saving the analysis document on his Windows desktop. Unfortunately, the Windows desktop was located on the local hard drive and local hard drives were not automatically being backed up. When his hard disk failed, he lost the file and had to work through nights and a weekend to make up for the lost time. If your company permits network backups or remote storage, be sure you back up your important files. PS. Important files don't include things like vacation pictures, which can overburden the backup system. Ask the help desk for advice on where such files should be saved.
April 29, 2015

Don't plug in USB drives that you find lying around. Criminals can use them to steal your data

People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union. He loaded malicious software on old thumbnail drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged any of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
April 28, 2015

See just how "Security Aware" you really are

Do you believe you're a little more Security Aware? Can you identify the threats that exist in your environment and the steps you should take to avoid them? Take the following quizzes and find out.
April 27, 2015

Only deal with reputable companies that you know and trust

At the very least be sure the company has a physical address and phone number. If you haven't done business with the company before, visit the Better Business Bureau online (http://www.bbbonline.org) and do some research. Check the company's website for feedback from previous customers.
April 26, 2015

How to spot a phishing email...

It could be a phishing email if...
  • There are misspelled words in the e-mail or it contains poor grammar.
  • The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers.
  • There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address."
  • The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example:
April 25, 2015

Secure your Wireless Router

When setting up a wireless network at home, I was surprised to be able to connect to my neighbor's unsecured wireless router. Not only could I have used his bandwidth for free, but had I been so inclined, I could have used the connection for illegal activities. If the police came looking, he may not have been able to prove the activity didn't come from one of his computers. Properly securing wireless is not hard. Look in the manual for changing the SSID to something unique, turning on WPA (avoid WEP) for authentication and TKIP for encryption, and using MAC address filtering.
April 24, 2015

Use a strong voicemail password. This helps prevent crooks from hijacking your phone line or voicemail

A busy person set his voicemail password to match his extension. It seemed easy to remember but was also easy to guess. A prison inmate guessed the password and began using the account to communicate with fellow criminals—leaving messages for them and deleting legitimate messages.

The receptionist at a small business came into the office at 8:30 a.m. and the phones were ringing off the hook. She picked up one of the lines and was surprised to hear people talking in a foreign language. Turns out fraudsters were using the phone system to steal international long-distance phone time.
April 23, 2015

Don't Investigate a Security Problem Unless You Are Authorized by the System Owner

A security specialist was suspicious after donating to a charity website and not getting an acknowledgement. So he ran a couple of tests on the site to see if it was what it claimed to be. Unfortunately, he set off the site's security alarms, ending up convicted of a crime under the UK Computer Misuse Act and out of a job. At work, rather than trying to check by yourself, report suspected problems inside your company to your manager, IT area or security team. Aside from getting into trouble, you could destroy evidence or confuse people who are investigating an issue. http://www.channelregister.co.uk/2005/10/06/tsunami_hacker_convicted/
April 22, 2015

Don't make that call!

If you receive an email asking you to call an 800 number related to a banking issue, don't call the number. Your credit card has a phone number on the back as do your account statements. Be safe, don't call a phone number listed in an email; instead look the number up on your account statements. There is a new attack called Vishing, designed to have you call a fake, automated answering system, and get you to enter your account number and other sensitive information.
April 21, 2015

Use common sense when reviewing your email

If you did not order a new laptop, then you should not be receiving an update on its shipping status. Delete these emails.
April 20, 2015

Do not give your password over the phone to anyone claiming to be from the HelpDesk or Tech Support

No one from the HelpDesk or Tech Support will ever ask you for your password. If we need to access your account for some reason, and cannot contact you in time, we will reset the password and notify you by voicemail. Anyone calling and asking you for your password is most likely trying to gain unauthorized access to our network. If you receive such a call, notify your supervisor immediately.
April 19, 2015

Protect Your Social Security Number

Avoid using your social security number whenever you can. Many places use social security numbers for user identification. Ask to use an alternate number if possible. In addition, don't print it on personal checks. Your Social Security number is the key to most of your financial information which makes it a prime target for criminals. Only give it out when absolutely necessary.
April 18, 2015

Four Tips to Help Keep Your Computer Secure

  1. Anti-virus. A reliable, effective anti-virus program with the latest updates. Both licensed and free anti-virus software are available. Whichever you use, make sure it scans incoming and outgoing emails for malware.
  2. Anti-spyware. Reliable effective anti-spyware is a must for securing your computer. Both licensed and free anti-virus software, such as Windows Defender, are available.
  3. Two-way Personal Firewall. Two-way personal firewall software monitors network traffic to and from your computer and helps block malicious communications.
  4. Anti-Keylogger software. Anti-Keylogger software products, like AntiLogger and Keyscrambler Personal, help prevent what you type on your computer, especially sensitive information such as the usernames, passwords, and financial information you use in making online transactions, from being hijacked by Bad Guys.

-- Ramkumar Raghavan

April 17, 2015

Don't download sets of pictures from the Internet

A user downloaded a set of photos of pop icon Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch her own programs. The IT department determined that she had downloaded a Trojan program along with the photo: her freebie photo had a malicious payload attached that used her computer to send out spam for a bad guy. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process.
April 16, 2015

When selecting a screen name...make sure it doesn't say too much about you

Screen names that hint at personal interests, hobbies, or favorite sports, combined with other clues in your profile will give enough information for someone to figure out who you are and where they can find you.
April 15, 2015

Be skeptical and trust your instincts

People often post false or misleading information concerning their identities and interests. In most instances, this is done with good intentions as a way to avoid disclosing personal information. However, there are also people who fabricate information with malicious intent. If you ever feel threatened or uncomfortable with someone you encounter online, take the time to report the incident. Most social networking sites like MySpace provide several mechanisms for reporting inappropriate behavior.
April 14, 2015

Hey, I know who you are and where you work! It says so right there on your badge

Security badges are meant to prove identity and display access privileges at work. They should never be worn outside of the office in public when going to lunch, taking a break, or even walking outside. Exposing your badge in public permits identity thieves to see your name, office, and possibly your level of security clearance. Whats worse is that now the public knows what your badge looks like, thereby increasing the chances of successful forgery. Always remove and put away your badge when leaving work, even if just for a break.
April 13, 2015

Avoid spam in your IM email account

Did you ever sign up with an Instant Messenger client so that you could chat with your buddies? Perhaps you have more than one running on the desktop. Each popular IM client comes conveniently with an Email account, and each time there is an email associated with your IM screen name, you receive a notice with this account filling up. You can prevent the spam or any email notices from appearing by using a single filter. Since I added the following filter on my email account attached to my Yahoo IM, I no longer get these notifications. Simply add a filter that the From/ Address includes @ to go directly to trash. You will be able to communicate with all your IM buddies without the hassle of being notified of items coming into the inbox.
April 12, 2015

Don't fall for phishing schemes

Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts (if an email message looks suspicious, it probably is). However there are some messages that look like the real thing but aren't. If an email message contains any of the following phrases, there's a good chance it could be a phishing scheme.
  1. We need to verify your account information.
  2. If you don't respond immediately, your account will be cancelled.
  3. Click the link below to update your information.

Take the following Phishing Quizzes and see how good you are at identifying phishing schemes.
April 11, 2015

Don't be duped by Internet Fraud

We all get offers that seem too good to be true. Whether they come by email or appear on web sites, they are often clever schemes designed to dupe the gullible. Don't be tricked by Internet Fraud. For more information see http://www.lookstoogoodtobetrue.com.
April 10, 2015

Make sure the site you're ordering from protects your information crossing the Internet

This is shown by either a closed lock or an unbroken key at the bottom of the browser window. You can also check to see if the URL begins with https://. While https by itself is not an indication of a secure site, when it is combined with the lock or the unbroken key, then it indicates your data is being encrypted from prying eyes as it crosses the Internet. If you have https without the lock or key in the browser, then it has been faked and is not secure. Sometimes you may also encounter a pop up box that indicates you are about to enter or leave a secure area.
April 9, 2015

Backup important files on a regular basis

Backup important files on a regular basis and store the backups in a safe place. (Preferably off site.) You can backup files to removable disk or save copies to network shares. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".
April 8, 2015

Get a separate email address for postings

To secure your data and reduce SPAM sent to your business as well as to your private email account, get a dedicated address for internet postings. Never use your business email address for posting guestbook entries, votes, or questions and answers in forums and surveys. It's good to be reachable in these situations, but best to be anonymous.

April 7, 2015

Don't tell anybody your password

This warning includes your systems administrator, who NEVER needs your password. One day I received an e-mail from "Support@Waidele.info", saying they needed my password for maintenance, and if I did not go to a webpage and give it to them, they would suspend my account. As it turns out, I'm the one in charge of "waidele.info" — so I'm the one who gives out accounts and does maintenance. Things might have ended differently if I had had an account with googlemail.com or aol.com. Then the senders would have called themselves "support@aol.com" and I might have been fooled.
April 6, 2015

Use anti-virus software

Make sure you have anti-virus software installed on your computer and update it regularly.

Warning: Out-of-date anti-virus software will not protect your computer from new viruses.
April 5, 2015

Always Check Credentials

The receptionist's PC had been running slowly, so he was pleased when a woman arrived and announced that she was a technician. She dropped the name of the IT manager and said, "Don't bother logging off, I'll only be a few minutes." Ten minutes later she was gone — along with a bunch of confidential documents. Those documents enabled an unscrupulous competitor to beat the company to a lucrative contract. If the receptionist had checked the technician's credentials with the IT Manager, the security breach could have been avoided. Not only did the receptionist learn a lesson; the company also learned that they should control access to sensitive information!