Last Day to Save $400 on SANS Albuquerque 2014

Security Awareness Tip of The Day

Upcoming Webcasts RSS Feed Click here to subscribe to the Security Awareness Tip of the Day RSS Feed

To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.

SANS Institute is using Twitter! Click Here

SANS Security Tip Contest. Have your tip featured on the SANS Tip of the Day!

July 30, 2014

Don't tell ANYONE your password

One way someone could learn your password is to phone you claiming to be from another part of your organization, maybe your IT or Audit teams, and say they need your account details to let them investigate problem. This should never be necessary. Good systems are set up so that nobody but you will ever know your password and authorized IT workers have their own accounts giving them access to what they need.

July 29, 2014

Make your password complex.

A good password should contain a mix of all the four types of characters: uppercase and lowercase letters, numbers, and symbols. Any character on your Windows or Mac keyboard is legal in a password you make for your own computer. Remember to include at least 8 characters and avoid common words and proper names. Some characters may be illegal for certain networked systems; when in doubt, try it out. Another way to make your password complex is to base it on a word in a foreign language with a least 8 letters, avoiding common words and proper names. Just add a number, a symbol, and a capital letter or two as you go.
July 28, 2014

Don't use e-mail to send private messages

In a hospital romance right out of prime time television, one young woman involved in a three-way love triangle used her personal hotmail account to send romantic messages. She got a response she definitely did not expect: the party she had been cheating on cracked into her hotmail account, printed out some very personal messages and posted them on the message board at the small town supermarket for all to see. Moral of the story: protect your passwords. And PS. As long as you're planning on getting fired, you're better off spending time working on your resume than sending romantic e-mails that you don't want publicized.
July 27, 2014

Don't leave thumb drives or other small devices lying around

Laptops and handheld devices like Palms aren't the only things that can be stolen from your workspace. When not in use, thumb drives and other small valuable devices (wireless cards, headphones, cell phones, etc.) should be stored in a safe place. At the very least, put them in a desk drawer so they're out of sight. Don't tempt a thief!
July 26, 2014

Don't download sets of pictures from the Internet

A user downloaded a set of photos of pop icon Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch her own programs. The IT department determined that she had downloaded a Trojan program along with the photo: her freebie photo had a malicious payload attached that used her computer to send out spam for a bad guy. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process.
July 25, 2014

Beware of USB flash drive's autoplay feature

A white hat hacker broke into a bank and left 20 USB tokens lying around the parking lot of the bank for employees to find. When they plugged in the USB token, the Trojan backdoor was installed on the employees' computers and the hacker was into the banks network! Some employees claimed they were being helpful — trying to find the token's owner, others were curious about the token's content, still others thought they had scored a huge USB token and tried unsuccessfully to reformat the token. Unfortunately the new "U3 Technology" on these tokens prevented a hidden partition from being deleted, and it contained a remote access Trojan which installed itself by emulating a cdrom and using WinXP's Cdrom autoplay feature.
July 24, 2014

Protect your home wireless networks

No matter how friendly you are, you wouldn't let your neighbor read your bank statements and private letters. If you have a wireless network in your house and don't protect it, you could be doing just that. As they come "out of the box", most wireless networks let anyone in range connect to them and that could also let them see your PC and your email. It is worth taking a few extra minutes when setting them up to enable the encryption settings. Briefly, if you don't understand the jargon, WPA is better than WEP.
July 23, 2014

Don't plug in USB drives that you find lying around. Criminals can use them to steal your data

People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union. He loaded malicious software on old thumbnail drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged any of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
July 22, 2014

Check and make sure your friend sent that great screensaver

A common method of transmitting malware is by infecting some unsuspecting user's computer and then using that computer to infect others. One simple way to do this is for a hacker to hijack your address book and send copies of the malware to everyone in that address book. Of course, YOU need to be enticed to run the malware, and the best way to do that is to fool you into thinking the attachment is something else. If a friend or acquaintance sends you a "great screensaver" or something like that, which you were not expecting, take a few minutes to confirm that person really sent it. If they know nothing about it, then delete the message.
July 21, 2014

Protect files with a password

Your most important files can be protected with a password. For example, in Microsoft Word, you can create a password to open and a password to modify a file. Just go to Tools | Options and click the Security tab. Remember the password so you don't lock yourself out!
July 20, 2014

If your browser questions a website's security, stop, think, and verify.

When visiting the "https" secure sites of banks and online shopping retailers, you may see an onscreen warning, such as "There is a problem with the website's security certificate" or "Secure Connection Failed." Don't just click to continue or to make an exception. The warning may only indicate that there is a harmless temporary problem with the site or with the network. But it can also mean that the site is bogus or has been compromised by hackers, and someone is listening in on your conversation with your bank or retailer.

Be smart. Contact your bank or retailer by phone to find out if they know about a problem with their website or the network. Don't be the next victim of fraud.

July 19, 2014

Only deal with reputable companies that you know and trust

At the very least be sure the company has a physical address and phone number. If you haven't done business with the company before, visit the Better Business Bureau online (http://www.bbbonline.org) and do some research. Check the company's website for feedback from previous customers.
July 18, 2014

Don't fall for phishing schemes

Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts (if an email message looks suspicious, it probably is). However there are some messages that look like the real thing but aren't. If an email message contains any of the following phrases, there's a good chance it could be a phishing scheme.
  1. We need to verify your account information.
  2. If you don't respond immediately, your account will be cancelled.
  3. Click the link below to update your information.

Take the following Phishing Quizzes and see how good you are at identifying phishing schemes.
July 17, 2014

When selecting a screen name...make sure it doesn't say too much about you

Screen names that hint at personal interests, hobbies, or favorite sports, combined with other clues in your profile will give enough information for someone to figure out who you are and where they can find you.
July 16, 2014

Backup important files on a regular basis

Backup important files on a regular basis and store the backups in a safe place. (Preferably off site.) You can backup files to removable disk or save copies to network shares. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".
July 15, 2014

Turn off your wireless AP when it's not in use

Power off your wireless access point (AP) when you know you won't be at home or when it's not in use. Your AP can't be accessed by hackers when it is not powered on. So, turn it off and limit the amount of time you leave yourself open to attack.
July 14, 2014

Can you hear me now? Do NOT trust your cell phone Bluetooth earpiece

Many cell phone Bluetooth hands-free earpieces have a default pin of 0000. A hacker with a Bluetooth antenna can connect to your earpiece and eavesdrop on everything that you are saying. In fact, they can even transmit to it. Think that's unlikely? Check out the YouTube video at: http://www.youtube.com/watch?v=1c-jzYAH2gw
July 13, 2014

Don't tell anybody your password

This warning includes your systems administrator, who NEVER needs your password. One day I received an e-mail from "Support@Waidele.info", saying they needed my password for maintenance, and if I did not go to a webpage and give it to them, they would suspend my account. As it turns out, I'm the one in charge of "waidele.info" — so I'm the one who gives out accounts and does maintenance. Things might have ended differently if I had had an account with googlemail.com or aol.com. Then the senders would have called themselves "support@aol.com" and I might have been fooled.
July 12, 2014

Use caution when opening email attachments

Email attachments are a common tool for attackers because forwarding email is so simple. Users often open attachments that appear to come from someone they know or an organization they do business with. Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send. If your email program includes an option to automatically download email attachments, DON'T take it. Doing so could immediately expose your computer to any viruses included in the email attachments.
July 11, 2014

Don't use information related to yourself as a password

Students at a school in London exploited a teacher's poor password selection to access grades and other school records. The teacher had used his daughter's name as a password, but became suspicious when students made reference to an excursion, which had not yet been announced, so he changed his password to the registration number of his car, which was parked outside the school every day. When he received complaints from other teachers about grades being leaked, he changed it again, this time to his postcode. The students in question cracked this within days too.
July 10, 2014

Always log off your own computer. Do not let anyone else offer to do it for you

One of our branch supervisors was offering to log her staff off for them, so they didn't have to wait, and could get on with their evenings away from work. She wouldn't really log them off, though, but would just turn off their computer monitors. Once the staff had left for the evening, she would go back to the computers to see who was still signed in to the banking software. If she found someone still signed in, the supervisor would then defraud the bank, using her staff's IDs to cover her tracks.
July 9, 2014

Lock your workstation before you leave your desk

Did you know there are keyboard shortcuts other than CRTL+ALT+DEL that you can use to lock your desktop? This will prevent people from walking up and snooping on your computer. You can save a keystroke by simultaneously pressing the Windows key + L. The Windows key has four wavy squares.

Or, to make things even easier, create a desktop shortcut.
  1. Right click any empty area of your desktop
  2. Click New
  3. Click Shortcut
  4. Type in the following: rundll32.exe user32.dll, LockWorkStation
  5. Click Next
  6. Name your shortcut
  7. Click Finish

Now it's as easy as a double click!
July 8, 2014

Letting Family or Friends Use Your Employer's Computers Can Be Bad for You

A candidate for Parliament in the UK received a lot of bad publicity when people took offense at a message her husband sent from her Council email account. She isn't the first person to get into trouble over a family member misusing their work email account or PC. Very few organizations let employees' families use their PCs. If you work from home on a corporate PC, then check your company policy and clarify boundaries with household members. (http://news.bbc.co.uk/1/hi/uk_politics/6121646.stm?ls)
July 7, 2014

Avoid Ad-hoc wireless networks

Disable automatic connection to any new networks and limit your connections to access point (infrastructure) networks only:
  • Click the "Start" button and navigate to the "Control Panel" and then to "Network Connections."
  • Right mouse-click on the "Wireless Network Connection" and choose "Properties".
  • Pick the "Wireless Networks" tab, then the "Advanced" button:
    • Make sure that the check box next to "automatically connect to non-preferred networks" is not checked.
    • Click on Access point (infrastructure) networks only to avoid ad hoc networks.

This configuration prevents you from automatically connecting to any new networks and refuses all ad-hoc networks, which have the potential to monitor traffic that passes through them.
July 6, 2014

Always lock your computer (by pressing CTRL + ALT + DELETE and hitting "Enter") before walking away from it

Locking your computer before leaving it unattended prevents anyone else from accessing it while you are away. This is especially important when there are customers in your office. Leaving your computer unlocked can expose customer data to a third party. Even when there is no one in your office, data could be exposed if your computer screen faces an outside window, especially on the ground floor.
July 5, 2014

Don't Accept Offers of "Free PC Scans" That Pop up When You Use the Internet

Secure Computers LLC paid a $1,000,000 fine for offering "free spyware scans" that told users their systems had been infected with spyware, even if the system was clean. They are not the only ones doing this — when you surf the Web you are still likely to see pop-up windows like that. Some "scans" don't just give misleading results; they actually try to install unwanted software on your PC. Often the screen pop-ups only have a "scan" button and no "cancel" or "quit" option. In fact they could interfere with your PC no matter which of the buttons you choose. Be safe: close pop-ups like this by clicking on the X in the top right corner of the browser window. Better yet, use a pop-up blocker software (http://www.vnunet.com/vnunet/news/2170208/security-firm-pay-million-false).
July 4, 2014

Wireless Hotspots...limit activity to web surfing only

A hotspot is an open wireless network that is available (open) to everyone. An example would be the wireless network at your favorite coffee shop. These networks hook computers into the public Internet — handy but dangerous. Because wireless hotspots are for open use, they don't provide much protection for your data. When using a wireless hotspot try to limit activity to web surfing only. You should also disable peer-to-peer networking, file sharing, and remote access. Always use a good personal firewall and of course make sure all your software including your operating system (like Windows) is up to date and patched. You should never use hotspots for online banking, bill paying, or for making purchases that require you to give out confidential information such as a credit card number.
July 3, 2014

Choose a password that's hard to crack

When choosing a password, try to make it by writing a sentence that you can easily remember. For example: "Los Angeles Lakers will win the NBA tournament this year". Then pick up the first letters of each word and also add at the beginning or at the end (or at both parts) some special characters and numbers. For example, with the last sentence you could get the password: =3LALwwtNtty$. This method lets you come up with easy-to-remember passwords that are also hard to crack. And you avoid the need to write such a long password down in order to remember it.
July 2, 2014

Patch and update on a regular basis

Because hackers are constantly looking for vulnerabilities, it is important to keep your software up to date and patched. Unpatched, out-of-date systems are a leading cause of security incidents. Take the time to ensure you have the most recent patches and updates installed.
July 1, 2014

Revoking security access isn't always enough

A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.