5 Days Left to Save $400 on SANS Network Security 2014

Security Awareness Tip of The Day

Upcoming Webcasts RSS Feed Click here to subscribe to the Security Awareness Tip of the Day RSS Feed

To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.

SANS Institute is using Twitter! Click Here

SANS Security Tip Contest. Have your tip featured on the SANS Tip of the Day!

August 23, 2014

What you ask people walking around inside your company offices without a valid identity card: "May I help you?"

Security comes before a false sense of social etiquette. If you see someone anywhere on your office premises whom you don't know, and who doesn't have a valid ID, go ahead and ask the question. You can't be too alert.

Submitted by Nitin Dewan

August 22, 2014

Look before you click

Do not open e-mails when you can't tell who the sender is. The "friendly" postcard below warns alert readers of danger with its weird syntax, poor spelling and suspicious web address. PS Do NOT click on any links in this message if they appear.

Hello friend!
You have just received a postcard from someone who cares about you! It has been a long time since I haven't heared about you! I've just found out about this service from Claire, a friend of mine who also told me that...." If you'd like to see the rest of the message, click here http://[link removed]ro/postcard. gif.exe to receive your animated postcard! Thank you for using http://[link removed].com's services !!! Please take this opportunity to let your friends hear about us by sending them a postcard from our collection!
August 21, 2014

Periodically check your credit report

Get a copy of your credit report from each of the three major credit bureaus every year. (Federal law gives you the right to one free credit report from the three credit bureaus: Equifax, Experian, and TransUnion — http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm.) Check the reports to make sure everything is accurate. Consider staggering the requests and obtain one report every four months. That way, you can watch for signs of identity theft (i.e. inquiries that were not generated by you, accounts you didn't open).
August 20, 2014

Don't make that call!

If you receive an email asking you to call an 800 number related to a banking issue, don't call the number. Your credit card has a phone number on the back as do your account statements. Be safe, don't call a phone number listed in an email; instead look the number up on your account statements. There is a new attack called Vishing, designed to have you call a fake, automated answering system, and get you to enter your account number and other sensitive information.
August 19, 2014

If you print it, go get it right away!

Dont leave important, sensitive, or confidential material lying around the office. Common printing areas are frequented by people coming and going. Often you will be in line to pick up your documents and others may handle them before you. This leads to unnecessary information disclosures. One boss had a print job disappear, and had e-mailed the whole floor about it. The pages never turned up. Always use the closest print station, or a dedicated printer for confidential information, and go get it right away!
August 18, 2014

If you download FREE software...Make sure you don't get more than you bargain for

Free software that you download could be just what you think it is — a single software package. However, many times free software comes bundled with other unwanted, harmful programs including spyware, viruses, or even Trojan horse programs. To help keep your computer free from unwanted guests, make sure the site you are downloading from is one you know and trust. Also verify that your operating system and anti-virus software have been updated and patched BEFORE you click the download button!
August 17, 2014

Never respond to an email asking for personal information

Companies you do business with should never ask for account information, credit card numbers or PIN information in an email message. If you have any questions about an email you receive that supposedly comes from your financial institution, call the local branch office. Do NOT respond to the email.
August 16, 2014

Use anti-virus software

Make sure you have anti-virus software installed on your computer and update it regularly.

Warning: Out-of-date anti-virus software will not protect your computer from new viruses.
August 15, 2014

Question Apparent Authority

Even highly intelligent and educated people fall for a phishing scam. Remember the old 60's T-shirt/slogan — "Question Authority"? When you are on the computer, remember to Question Apparent Authority.
August 14, 2014

Don't download files from unknown sources

Not all web sites are safe. Always ensure that the source you are downloading from is legitimate. Use extreme caution if you are referred to a site by an email message. If you're uncertain, don't download.
August 13, 2014

Lock it when you leave it

Never leave your computer logged in when you walk away, not even for a minute. Make it a habit to log off your workstation whenever you get up. Remember to always leave your Windows computer by pressing the keyboard shortcut combination of the Windows logo key and the letter "L" on a Microsoft natural keyboard. Get it? Leave Windows by pressing the Windows logo + L keys together to lock it up.
August 12, 2014

Always Check Credentials

The receptionist's PC had been running slowly, so he was pleased when a woman arrived and announced that she was a technician. She dropped the name of the IT manager and said, "Don't bother logging off, I'll only be a few minutes." Ten minutes later she was gone — along with a bunch of confidential documents. Those documents enabled an unscrupulous competitor to beat the company to a lucrative contract. If the receptionist had checked the technician's credentials with the IT Manager, the security breach could have been avoided. Not only did the receptionist learn a lesson; the company also learned that they should control access to sensitive information!
August 11, 2014

Watch out for shoulder surfers

Watch out for shoulder surfers who read over your shoulder or try to steal your password. If you have your back to the door or an open cubical wall, get a rear view mirror to stick up and watch behind you when youre typing. This also prevents office pranksters from sneaking up on you. When in public places, such as Internet cafes, always try to sit with your back to a wall to prevent onlookers. Glass walls dont count — thieves can look right through them!
August 10, 2014

Stay safe when buying or selling online

Internet auction sites and online stores make shopping a breeze during the holiday season. But buying or selling merchandise online can have risks. Visit the following sites to learn more about keeping your online accounts and personal information secure and how to guard against fraud.
Amazon.com safety and security Tips
eBay Security & Resolution Center
PayPal Identity Protection
August 9, 2014

A password should be used by only one person.

Passwords are like bubble gum; they are much better when used by only one person. If you share your computer with others, each person should have a unique account, username, and password. Don't allow another user to know or use your password, and don't ask another user if you can use theirs. When it's your turn to use the computer, log the last user off, and log on using your own username and password. When you take a break, don't leave your computer open. Log off or lock it. And remember: Passwords shorter then 8 characters are easy to crack; avoid common words and proper names; and use both uppercase and lowercase letters, numbers, and symbols.
August 8, 2014

Don't check "remember my password" boxes

Numerous programs offer the option of "remembering" your password. Unfortunately, many of them have no built-in security measures to protect that information. Some programs actually store the password in clear text in a file on the computer. This means anyone with access to the computer can read the password. It's best to retype your password each time you log in eliminating the possibility that someone will be able to steal or use it.
August 7, 2014

Do not allow Internet Explorer to store passwords for you

Stored passwords allow anyone who can access your machine to log in to your web accounts as you. In addition, there are numerous utilities that can expose that hidden information and actually reveal the password. If you've reused that password for other logins, many systems or web sites could be compromised.
August 6, 2014

Four Tips to Help Keep Your Computer Secure

  1. Anti-virus. A reliable, effective anti-virus program with the latest updates. Both licensed and free anti-virus software are available. Whichever you use, make sure it scans incoming and outgoing emails for malware.
  2. Anti-spyware. Reliable effective anti-spyware is a must for securing your computer. Both licensed and free anti-virus software, such as Windows Defender, are available.
  3. Two-way Personal Firewall. Two-way personal firewall software monitors network traffic to and from your computer and helps block malicious communications.
  4. Anti-Keylogger software. Anti-Keylogger software products, like AntiLogger and Keyscrambler Personal, help prevent what you type on your computer, especially sensitive information such as the usernames, passwords, and financial information you use in making online transactions, from being hijacked by Bad Guys.

-- Ramkumar Raghavan

August 5, 2014

Read error messages and checkboxes

When you see an error message pop up on the screen, read it! You may not understand everything, but if you look through the message, you can get the gist. Hackers can sometimes generate errors to collect everything you type and everything that comes up on your screen. If you don't understand the error, at least capture the screen. To do that, hold down the shift key and press the key labeled "Print Screen" or "PrtSc". That will put the screen into short-term storage called the clipboard. Then open an e-mail message, right click on the message body and select "paste". Now you can print it or send it to tech support for further analysis.
August 4, 2014

Know your IMEI?

Did you know there is a unique serial number that identifies each mobile phone? Press *#06# on your phone's keypad, and it will display a 15 digit number. Make a record of that number, it is your International Mobile Equipment Identity (IMEI) number; and, if the phone is lost or stolen, the phone can be identified even if a new SIM card is added. Your provider can also block others from using the phone on their network, which could help protect you against expensive 1-900 phone calls and similar mischief.

August 3, 2014

Do not use the same password for everything

An attendee of a training program for a new software package to set up login accounts mentioned using the same password for everything to make it easy to remember. As a security professional, I said that this was a bad idea because, if the password was disclosed, the "bad guy" would have the keys to all their information. The attendee scoffed and told me it did not matter because the password was a word from a foreign language. The person then sat down to create his account on the computer that was attached to the overhead projector. He typed his password into a non-masked field, exposing it to everyone in the room. My security advice was proven true.
August 2, 2014

Don't use unauthorized software

It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them may often cause other programs to stop working and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information.
August 1, 2014

Beware of Shoulder Surfing

A person who is standing near as you fill out a form, enter your PIN number, or punch in your calling card numbers may be doing more than just waiting their turn. To help prevent shoulder surfing, shield your paperwork from view using your body and cup your hand over the keypad.

Submitted by Nitin Dewan
July 31, 2014

Passwords: Be creative

If you can't remember hard passwords no matter how hard you try, put your password in parenthesis. baseball38 is a weak password. (baseball38) is much better.

When you change your password, you should always change at least half of it and when you do, change the parentheses as well. Change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.

July 30, 2014

Don't tell ANYONE your password

One way someone could learn your password is to phone you claiming to be from another part of your organization, maybe your IT or Audit teams, and say they need your account details to let them investigate problem. This should never be necessary. Good systems are set up so that nobody but you will ever know your password and authorized IT workers have their own accounts giving them access to what they need.
July 29, 2014

Make your password complex.

A good password should contain a mix of all the four types of characters: uppercase and lowercase letters, numbers, and symbols. Any character on your Windows or Mac keyboard is legal in a password you make for your own computer. Remember to include at least 8 characters and avoid common words and proper names. Some characters may be illegal for certain networked systems; when in doubt, try it out. Another way to make your password complex is to base it on a word in a foreign language with a least 8 letters, avoiding common words and proper names. Just add a number, a symbol, and a capital letter or two as you go.
July 28, 2014

Don't use e-mail to send private messages

In a hospital romance right out of prime time television, one young woman involved in a three-way love triangle used her personal hotmail account to send romantic messages. She got a response she definitely did not expect: the party she had been cheating on cracked into her hotmail account, printed out some very personal messages and posted them on the message board at the small town supermarket for all to see. Moral of the story: protect your passwords. And PS. As long as you're planning on getting fired, you're better off spending time working on your resume than sending romantic e-mails that you don't want publicized.
July 27, 2014

Don't leave thumb drives or other small devices lying around

Laptops and handheld devices like Palms aren't the only things that can be stolen from your workspace. When not in use, thumb drives and other small valuable devices (wireless cards, headphones, cell phones, etc.) should be stored in a safe place. At the very least, put them in a desk drawer so they're out of sight. Don't tempt a thief!
July 26, 2014

Don't download sets of pictures from the Internet

A user downloaded a set of photos of pop icon Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch her own programs. The IT department determined that she had downloaded a Trojan program along with the photo: her freebie photo had a malicious payload attached that used her computer to send out spam for a bad guy. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process.
July 25, 2014

Beware of USB flash drive's autoplay feature

A white hat hacker broke into a bank and left 20 USB tokens lying around the parking lot of the bank for employees to find. When they plugged in the USB token, the Trojan backdoor was installed on the employees' computers and the hacker was into the banks network! Some employees claimed they were being helpful — trying to find the token's owner, others were curious about the token's content, still others thought they had scored a huge USB token and tried unsuccessfully to reformat the token. Unfortunately the new "U3 Technology" on these tokens prevented a hidden partition from being deleted, and it contained a remote access Trojan which installed itself by emulating a cdrom and using WinXP's Cdrom autoplay feature.