


Security Awareness Tip of The Day


February 9, 2010

Don't fall for phishing schemes

Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts (if an email message looks suspicious, it probably is). However there are some messages that look like the real thing but aren't. If an email message contains any of the following phrases, there's a good chance it could be a phishing scheme.
  1. We need to verify your account information.
  2. If you don't respond immediately, your account will be cancelled.
  3. Click the link below to update your information.

Take the following Phishing Quizzes and see how good you are at identifying phishing schemes.

February 8, 2010

If you print it, go get it right away!

Don't leave important, sensitive, or confidential material lying around the office. Common printing areas are frequented by people coming and going. Often you will be in line to pick up your documents and others may handle them before you. This leads to unnecessary information disclosures. One boss had a print job disappear and e-mailed the whole floor about it; the pages never turned up. Always use the closest print station, or a dedicated printer for confidential information, and go get it right away!
February 7, 2010

Just because your company's spam filter, virus filter and other defenses let an email through, doesn't mean it's harmless

Last year, one organization narrowly avoided a virus outbreak. Alerts led them to the infected messages sitting in users' in-boxes. To sneak the virus in, the attackers used password-protected (encrypted) zip files, which went past the gateway filters because the filters could not open them to scan the contents. The organization caught it with the very last line of defense: desktop antivirus software, which triggered only after the users had typed in the password to see the zip file contents! Had the bad guys written something new, instead of using off-the-shelf script kiddie code that was already in standard signature files, there could have been a major outbreak. A filter that delivers what it cannot scan is a gap in itself; an archive that cannot be inspected should be held, not passed through. Long story short: end-user awareness about email and attachments is every bit as important as antivirus filters and firewalls. EVERY USER is an important part of hacker defense!
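The following is an added illustration, not part of the original tip or of any SANS tool, of the gap the story describes: a mail filter can tell from the zip headers alone that an entry is password protected, and it can confirm that it has nothing to hand to the antivirus engine by trying to read the entry. The sample archive is constructed in the code (Python's zipfile module cannot write encrypted archives, so the encryption flag is set by hand to mimic one), and the "deliver" versus "quarantine" verdict is an assumed policy, not a product feature.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: the entry is password protected


def encrypted_entries(zip_bytes):
    """Walk the local file headers and return the names of entries whose
    encryption flag is set. Works on the raw bytes, so it needs no password."""
    names = []
    offset = zip_bytes.find(LOCAL_HEADER_SIG)
    while offset >= 0 and offset + 30 <= len(zip_bytes):
        # sig(4) version(2) flags(2) method(2) time(2) date(2) crc(4)
        # compressed size(4) uncompressed size(4) name len(2) extra len(2)
        (_, _, flags, _, _, _, _, csize, _, name_len,
         extra_len) = struct.unpack_from("<4sHHHHHIIIHH", zip_bytes, offset)
        name_start = offset + 30
        name = zip_bytes[name_start:name_start + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        # skip the name, the extra field and the file data to reach the next header
        offset = zip_bytes.find(LOCAL_HEADER_SIG, name_start + name_len + extra_len + csize)
    return names


def gateway_can_inspect(zip_bytes):
    """What a content filter actually experiences: try to read every entry.
    An encrypted entry raises RuntimeError ('password required'), so there is
    nothing to pass to the antivirus engine."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                zf.read(info.filename)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


def verdict(zip_bytes):
    """Assumed policy: an archive the filter cannot open is held for review
    instead of being delivered unscanned."""
    if encrypted_entries(zip_bytes) or not gateway_can_inspect(zip_bytes):
        return "quarantine"
    return "deliver-after-scan"


def build_sample(encrypted):
    """Constructed sample attachment. With encrypted=True the encryption flag
    is set in the local header (offset 6) and the central directory entry
    (offset 8) to mimic a password-protected zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"not really a program, constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(LOCAL_HEADER_SIG) + 6] |= FLAG_ENCRYPTED
        data[data.find(CENTRAL_HEADER_SIG) + 8] |= FLAG_ENCRYPTED
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("plain zip", build_sample(False)),
                          ("password-protected zip", build_sample(True))):
        print(label, "->", encrypted_entries(sample), verdict(sample))
```

Run the file directly to see the two verdicts; the plain archive is readable and goes on to scanning, while the password-protected one is flagged both by the header bits and by the failed read.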
February 6, 2010

Don't buy anything from a spammer

If an unexpected email brings you news that seems too good to be true, it is probably a spam and a scam. If you didn't request information about the product or service, it is probably a spam and a scam. If it promises to enhance parts of your body, it won't. If it promises you an easy mortgage, you can do better by visiting your bank. If it promises that you can make a fortune on a penny stock, you can't. If you are unsure, ask five friends. Chances are four of them also received the spam and you can know to steer clear.
February 5, 2010

Don't Accept Offers of "Free PC Scans" That Pop up When You Use the Internet

Secure Computers LLC paid a $1,000,000 fine for offering "free spyware scans" that told users their systems had been infected with spyware, even if the system was clean. They are not the only ones doing this — when you surf the Web you are still likely to see pop-up windows like that. Some "scans" don't just give misleading results; they actually try to install unwanted software on your PC. Often the screen pop-ups only have a "scan" button and no "cancel" or "quit" option. In fact they could interfere with your PC no matter which of the buttons you choose. Be safe: close pop-ups like this by clicking on the X in the top right corner of the browser window. Better yet, use a pop-up blocker software (http://www.vnunet.com/vnunet/news/2170208/security-firm-pay-million-false).
February 4, 2010

Be skeptical and trust your instincts

People often post false or misleading information concerning their identities and interests. In most instances, this is done with good intentions as a way to avoid disclosing personal information. However, there are also people who fabricate information with malicious intent. If you ever feel threatened or uncomfortable with someone you encounter online, take the time to report the incident. Most social networking sites like MySpace provide several mechanisms for reporting inappropriate behavior.
February 3, 2010

Make sure your personal information is protected when you do business online

Always read the privacy statement before you fill in the blanks. You should also verify that the site is using encryption before you submit any information: look for https:// at the start of the web address and for the padlock icon your browser shows (in the address bar or the status bar, depending on the browser). The padlock only means the connection is encrypted; it does not prove who is at the other end, so also check that the address is the company's real domain. Don't send your personal information (social security number, credit card number, etc.) in an email or through instant messaging.
February 2, 2010

Print out important documents

A digital photography expert told me that CDs are expected to "live" for up to ten years. I want kids—and maybe grandkids—to see photos, so I print the best ones. Same goes for documents: print important files so that they are accessible in future decades. Of course, you want to back up these files too.
February 1, 2010

Change your password on a schedule.

Passwords are like bubble gum; they are better when fresh. The longer and more complex your password is, the harder it is to crack, and the less often you'll need to change it. If you use an 8-character password, you should change it about every six months. Remember: Never use a password with less than 8 characters. If you use a 9-character password and follow the rules about uppercase and lowercase letters, numbers, and symbols, it will stay fresh for a whole year. If you can't remember the last time you changed your password, it's time to change it.
January 31, 2010

Look before you click

Do not open e-mails when you can't tell who the sender is. The "friendly" postcard below warns alert readers of danger with its weird syntax, poor spelling and suspicious web address. PS Do NOT click on any links in this message if they appear.

Hello friend!
You have just received a postcard from someone who cares about you! It has been a long time since I haven't heared about you! I've just found out about this service from Claire, a friend of mine who also told me that...." If you'd like to see the rest of the message, click here http://[link removed]ro/postcard. gif.exe to receive your animated postcard! Thank you for using http://[link removed].com's services !!! Please take this opportunity to let your friends hear about us by sending them a postcard from our collection!
January 30, 2010

Place a fraud alert to protect against identity theft

By the time I placed a fraud alert on my credit information, almost two weeks had passed since my wallet was stolen. By then, all the damage had been done.

If your wallet or credit card is stolen, call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. The alert means any company that checks your credit has to contact you to authorize new credit.

Here are numbers you always need to contact if your wallet, etc., has been stolen:
  1. Equifax: 1-800-525-6285
  2. Experian (formerly TRW): 1-888-397-3742
  3. Trans Union: 1-800-680-7289
  4. Social Security Administration (fraud line): 1-800-269-0271
You can get a free credit report once a year from each of the three credit reporting agencies. They have set up a web site for this: https://www.annualcreditreport.com/cra/index.jsp
January 29, 2010

Don't use e-mail to send private messages

In a hospital romance right out of prime time television, one young woman involved in a three-way love triangle used her personal hotmail account to send romantic messages. She got a response she definitely did not expect: the party she had been cheating on cracked into her hotmail account, printed out some very personal messages and posted them on the message board at the small town supermarket for all to see. Moral of the story: protect your passwords. And PS. As long as you're planning on getting fired, you're better off spending time working on your resume than sending romantic e-mails that you don't want publicized.
January 28, 2010

Effectively delete files

When you delete a file, depending on your operating system and your settings, the file may be transferred to your trash or recycle bin. This "holding area" essentially protects you from yourself: if you accidentally delete a file, you can easily restore it. An unauthorized person will also be able to retrieve it. Does your recycle bin include credit card information, passwords, medical, or other personal data? Is there sensitive corporate information? Empty the trash or recycle bin on a regular basis to ensure that deleted information stays deleted. Keep in mind that emptying the bin only removes the file's directory entry; the data itself stays on the disk until something overwrites it, so for truly sensitive material use a secure-delete tool that overwrites the file contents.
January 27, 2010

Make your password complex.

A good password should contain a mix of all four types of characters: uppercase and lowercase letters, numbers, and symbols. Any character on your Windows or Mac keyboard is legal in a password you make for your own computer. Remember to include at least 8 characters and avoid common words and proper names, including common words with a few letters swapped for look-alike digits or symbols. Some characters may be illegal for certain networked systems; when in doubt, try it out. Another way to make your password complex is to base it on a word in a foreign language with at least 8 letters, avoiding common words and proper names. Just add a number, a symbol, and a capital letter or two as you go.
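As an added illustration (not part of the original tip), the checker below applies the rules above and also shows why the character-class rule alone is not enough: "P@ssw0rd1!" contains all four classes yet is still the word "password" once the trailing digits and symbols are stripped and the digit-for-letter substitutions are undone. The word lists are deliberately tiny constructed samples; a real check uses a full dictionary and a list of passwords from known breaches.

```python
import re

# Digit and symbol substitutions people use to disguise a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed, deliberately short lists for the demonstration.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon",
                "monkey", "football", "sunshine", "princess", "secret"}
PROPER_NAMES = {"michael", "jennifer", "jessica", "london", "chicago"}
MIN_LENGTH = 8
ALL_CLASSES = {"upper", "lower", "digit", "symbol"}


def character_classes(password):
    """Which of the four character classes the tip asks for are present."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def normalize(password):
    """Strip the digits and symbols bolted onto either end, then undo the
    substitutions, so 'P@ssw0rd1!' becomes 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def dictionary_base(password):
    """The common word or name the password is built on, or None."""
    core = normalize(password)
    if core in COMMON_WORDS or core in PROPER_NAMES:
        return core
    return None


def check_password(password):
    """Return the list of problems; an empty list means the password meets
    the tip's rules and is not a disguised dictionary word."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = ALL_CLASSES - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    base = dictionary_base(password)
    if base:
        problems.append(f"based on a common word or proper name ('{base}')")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Dr4g0n!!", "Ab1!", "Vx9#qLm2!r"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Only the last candidate passes; the first two satisfy every class rule and still fall to the normalization step.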
January 26, 2010

Change the combination on opened laptop locks

When people have cables with combination locks for securing their laptops at their workstation, they always remember to turn the tumblers when they secure the laptop. But what happens when they unsecure the laptop? Many people won't turn the tumblers on the opened lock because it is much easier to lock the laptop later if the combination is already set. About half a dozen laptops in our office disappeared one day. The laptops were stolen by someone who came by when the laptops were not there and noted the combination. They came back later when the laptops were there and used the combination they had noted earlier.
January 25, 2010

Always log off your own computer. Do not let anyone else offer to do it for you

One of our branch supervisors was offering to log her staff off for them, so they didn't have to wait, and could get on with their evenings away from work. She wouldn't really log them off, though, but would just turn off their computer monitors. Once the staff had left for the evening, she would go back to the computers to see who was still signed in to the banking software. If she found someone still signed in, the supervisor would then defraud the bank, using her staff's IDs to cover her tracks.
January 24, 2010

Report or challenge strangers in your office

Visitors and staff should wear badges. Others you don't recognize may be opportunist thieves who have walked past reception or found an open back door. Grab a co-worker and politely ask if they need some assistance or report them to your security or reception staff. Thieves are as likely to steal your purse or wallet as they are to take company property, so it is in everyone's interest to keep our premises safe.
January 23, 2010

Many people think that 'formatting' a hard drive will wipe out all the data so it can't be recovered

Not so. A format rewrites the file system structures and leaves the data blocks themselves in place, where recovery tools can find them. To prevent recovery, use a disk-wiping tool such as KillDisk (downloadable at no charge from www.killdisk.com) that overwrites every sector of the drive with random or fixed patterns. Overwriting is not dependable on solid-state drives, whose controllers move data around internally; for those, the drive's built-in secure-erase command, or having encrypted the disk from the start, is the better option.
January 22, 2010

Protect Your Social Security Number

Avoid using your social security number whenever you can. Many places use social security numbers for user identification. Ask to use an alternate number if possible. In addition, don't print it on personal checks. Your Social Security number is the key to most of your financial information which makes it a prime target for criminals. Only give it out when absolutely necessary.
January 21, 2010

Don't tell ANYONE your password

One way someone could learn your password is to phone you claiming to be from another part of your organization, maybe your IT or Audit teams, and say they need your account details to let them investigate a problem. This should never be necessary. Good systems are set up so that nobody but you will ever know your password, and authorized IT workers have their own accounts giving them access to what they need.
January 20, 2010

Protect your home wireless networks

No matter how friendly you are, you wouldn't let your neighbor read your bank statements and private letters. If you have a wireless network in your house and don't protect it, you could be doing just that. As they come "out of the box", most wireless networks let anyone in range connect to them, and that could also let them see your PC and your email. It is worth taking a few extra minutes when setting them up to enable the encryption settings. Briefly, if you don't understand the jargon: WPA2 is better than WPA, and WEP is broken. Freely available tools recover a WEP key in minutes, so treat a WEP-only network as unprotected, and pick a long passphrase that is not in any dictionary.
January 19, 2010

Do not give your password over the phone to anyone claiming to be from the HelpDesk or Tech Support

No one from the HelpDesk or Tech Support will ever ask you for your password. If we need to access your account for some reason, and cannot contact you in time, we will reset the password and notify you by voicemail. Anyone calling and asking you for your password is most likely trying to gain unauthorized access to our network. If you receive such a call, notify your supervisor immediately.
January 18, 2010

Use a password protected screen saver

Desktop computers should be locked, or logged off, when the user steps away from the terminal. Password protecting the Windows screen saver is one way of "locking" the desktop. To do this on Windows XP, right click on the desktop and go to "Properties"; select the "Screen Saver" tab; and check "On resume, password protect". Choose a short wait time, since the screen is unprotected until the saver starts. You can also lock the screen at once by pressing the Windows key and L.
January 17, 2010

Outsmart hoax e-mail

Productivity-sapping e-mail circulates close to April Fool's Day. Keep the e-mail system from bogging down with thousands of unnecessary messages—delete hoaxes and jokes.

One year, an April Fool e-mail claimed that "for every person that you forward this e-mail to, Microsoft will pay you $245.00 ..." It was forwarded to thousands of people even though it sounded too good to be true. At one nationwide company, in-boxes were clogged and the e-mail servers had to be reset, delaying legitimate e-mail.
January 16, 2010

Think twice before you post personal information. Remember, even crooks may see what you post on social media sites

Criminals are mopping up because social media users are willing to share personal information about themselves and others. This data can be used to guess your password, give them the answers to account security questions or send you email with malicious attachments that appear to be from someone you know.
January 15, 2010

How to spot a phishing email...

It could be a phishing email if...
  • There are misspelled words in the e-mail or it contains poor grammar.
  • The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers.
  • There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address."
  • The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example:
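As an added illustration, not part of the original tips, the script below turns the warning signs from this tip and from the February 9 tip (urgency and threat phrases, requests for account details, misspellings, and a sender domain that is close to but not the real one) into a simple check that can be run over a message. The phrase lists, the list of trusted domains and the two sample messages are all constructed for the example; the domain comparison also catches the trusted name appearing as a label inside a longer name (examplebank.com.evil.net), which the tip only hints at.

```python
import re
from difflib import SequenceMatcher

# Constructed phrase lists; extend them from phish samples you have actually received.
URGENCY_PHRASES = [
    "verify your account",
    "respond immediately",
    "account will be cancelled",
    "account will be locked",
    "click the link below",
    "update your information",
    "activity on your account",
]
PII_TERMS = ["password", "pin", "social security", "credit card", "account number"]
MISSPELLINGS = ["recieve", "verfiy", "acount", "informations", "adress"]
# Constructed: the genuine domains this recipient does business with.
KNOWN_DOMAINS = ["examplebank.com", "sans.org"]


def sender_domain(from_header):
    """Domain part of the address in a From: header, lower-cased."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else ""


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None for the
    genuine domain, its own subdomains, and unrelated domains."""
    domain = domain.lower()
    for real in known:
        if domain == real or domain.endswith("." + real):
            return None
    for real in known:
        label = real.split(".")[0]  # "examplebank"
        # trusted name reused as a label elsewhere: examplebank-login.com,
        # examplebank.com.evil.net
        if re.search(r"(^|[.-])%s([.-]|$)" % re.escape(label), domain):
            return real
        # a character or two changed: examp1ebank.com, exampelbank.com
        if SequenceMatcher(None, domain, real).ratio() >= 0.85:
            return real
    return None


def phishing_indicators(from_header, body):
    """Return human-readable reasons the message looks like a phish."""
    text = " ".join(body.lower().split())  # fold line breaks so phrases match
    reasons = []
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        reasons.append("urgency or threat: " + "; ".join(urgency))
    pii = [t for t in PII_TERMS if re.search(r"\b%s\b" % re.escape(t), text)]
    if pii:
        reasons.append("asks for: " + ", ".join(pii))
    typos = [w for w in MISSPELLINGS if re.search(r"\b%s\b" % w, text)]
    if typos:
        reasons.append("misspellings: " + ", ".join(typos))
    domain = sender_domain(from_header)
    real = lookalike_of(domain)
    if real:
        reasons.append(f"sender domain {domain} imitates {real}")
    return reasons


# Constructed sample messages.
PHISH_FROM = "ExampleBank Security <alerts@examp1ebank.com>"
PHISH_BODY = """Dear customer,
We need to verify your account information. We have noticed activity on your
account from a foreign IP address. If you don't respond immediately, your
account will be cancelled. Click the link below to update your information
and confirm your password and PIN."""

LEGIT_FROM = "ExampleBank Statements <statements@examplebank.com>"
LEGIT_BODY = "Your monthly statement is ready. Log in at our website as usual to view it."

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY),
                             ("legitimate", LEGIT_FROM, LEGIT_BODY)):
        print(label, "->", phishing_indicators(hdr, body) or "no indicators")
```

The checks are heuristics, so a clean result is not proof of legitimacy; their value is in pointing a reader at the specific phrase or domain that should make them stop and verify through a channel they already trust.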
January 14, 2010

Always Check Credentials

The receptionist's PC had been running slowly, so he was pleased when a woman arrived and announced that she was a technician. She dropped the name of the IT manager and said, "Don't bother logging off, I'll only be a few minutes." Ten minutes later she was gone — along with a bunch of confidential documents. Those documents enabled an unscrupulous competitor to beat the company to a lucrative contract. If the receptionist had checked the technician's credentials with the IT Manager, the security breach could have been avoided. Not only did the receptionist learn a lesson; the company also learned that they should control access to sensitive information!
January 13, 2010

Periodically check your credit report

Get a copy of your credit report from each of the three major credit bureaus every year. (Federal law gives you the right to one free credit report from the three credit bureaus: Equifax, Experian, and TransUnion — http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm.) Check the reports to make sure everything is accurate. Consider staggering the requests and obtain one report every four months. That way, you can watch for signs of identity theft (i.e. inquiries that were not generated by you, accounts you didn't open).
January 12, 2010

Remember that any email or instant message you send could come back to haunt you

Once you send an e-mail, it has a very good chance of being saved in someone's mailbox or archived on a server forever. People involved in scandals like Oliver North, Monica Lewinsky, Patricia Dunn (the former Hewlett-Packard chairman), and Bill Gates probably wish they could take back an email or two... Instant Messages can also be saved and used at a later date to embarrass you. Paris Hilton might be able to shed additional light on that subject. Be careful about what you put in writing and whom you send it to.
January 11, 2010

Don't Click to Agree without Reading the Small Print

Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.
