Security Awareness Tip of The Day

April 24, 2014

Periodically check your credit report

Get a copy of your credit report from each of the three major credit bureaus every year. (Federal law gives you the right to one free credit report from each of the three credit bureaus: Equifax, Experian, and TransUnion.) Check the reports to make sure everything is accurate. Consider staggering the requests and obtain one report every four months. That way, you can watch for signs of identity theft (e.g., inquiries that you did not generate, accounts you didn't open).

April 23, 2014

Don't use unauthorized software

It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them can cause other programs to stop working, and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information.

April 22, 2014

If you receive child pornography via email, report it to your manager or IT section immediately

Sending pornographic images of children is a serious criminal offense and most police forces will investigate promptly and insist that all traces are removed. When you report it, don't forward the image. Sending it on spreads the images across more systems, making it harder to clear up and causes needless distress to the person you are reporting it to.

April 21, 2014

Can you hear me now? Do NOT trust your cell phone Bluetooth earpiece

Many cell phone Bluetooth hands-free earpieces have a default PIN of 0000. A hacker with a Bluetooth antenna can connect to your earpiece and eavesdrop on everything that you are saying. In fact, they can even transmit to it. Think that's unlikely? Check out the YouTube video at:

April 20, 2014

Do not use the same password for everything

An attendee of a training program for a new software package to set up login accounts mentioned using the same password for everything to make it easy to remember. As a security professional, I said that this was a bad idea because, if the password was disclosed, the "bad guy" would have the keys to all their information. The attendee scoffed and told me it did not matter because the password was a word from a foreign language. The person then sat down to create his account on the computer that was attached to the overhead projector. He typed his password into a non-masked field, exposing it to everyone in the room. My security advice was proven true.

April 19, 2014

Don't click on links in pop-ups or banner advertisements

In July 2007, when iPhones were scarce and strongly in demand, botnet herders put software on already infected computers that redirected users browsing for iPhones to phony websites. The malware caused pop-ups and banner advertisements on infected computers; clicking on the provided links took users to the phony sites. People who attempted to buy iPhones from the sites were actually providing the Bad Guys with their personal and financial information. You can expect to see something similar for any fad that comes along. When your heart is tempted by the latest hot fad, don't throw caution to the wind.

April 18, 2014

Don't open email about Michael Jackson

When a major news event happens, cyber criminals send email with a subject line related to the event and include an attachment that is malware to infect your computer and make it part of a botnet for sending SPAM and conducting other illegal activities. You can see examples of these catchy subject lines at

April 17, 2014

Use a password in only one place.

Reusing passwords or using the same password all over the place is like carrying one key that unlocks your house, your car, your office, your briefcase, and your safety deposit box. If you reuse passwords for more than one computer, account, website, or other secure system, keep in mind that all of those computers, accounts, websites and secure systems will be only as secure as the least secure system on which you have used that password. Don't enter your password on untrusted systems. One lost key could let a thief unlock all the doors. Remember: Change your passwords on a schedule to keep them fresh.

April 16, 2014

Think twice before you post personal information. Remember, even crooks may see what you post on social media sites

Criminals are mopping up because social media users are willing to share personal information about themselves and others. This data can be used to guess your password, give them the answers to account security questions or send you email with malicious attachments that appear to be from someone you know.

April 15, 2014

Lock your workstation before you leave your desk

Did you know there are keyboard shortcuts other than CTRL+ALT+DEL that you can use to lock your desktop? This will prevent people from walking up and snooping on your computer. You can save a keystroke by simultaneously pressing the Windows key + L. The Windows key has four wavy squares.

Or, to make things even easier, create a desktop shortcut.
  1. Right click any empty area of your desktop
  2. Click New
  3. Click Shortcut
  4. Type in the following: rundll32.exe user32.dll, LockWorkStation
  5. Click Next
  6. Name your shortcut
  7. Click Finish

Now it's as easy as a double click!

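The seven shortcut steps above, scripted as an added example (not part of the SANS tip): it creates the same shortcut through the WScript.Shell COM object, pins the target to the full System32 path of rundll32.exe rather than a bare name, and reads the saved file back to confirm it. The shortcut file name and description are this example's own choices.

```powershell
# Added example, not part of the SANS tip: scripts the seven shortcut steps above
# with the WScript.Shell COM object. The file name and description are this
# example's own choices; the target is the same rundll32 call the tip gives.
$rundll32 = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$linkPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Lock Workstation.lnk'

$shell = New-Object -ComObject WScript.Shell
$link  = $shell.CreateShortcut($linkPath)
$link.TargetPath       = $rundll32                  # full path, not a bare name resolved via PATH
$link.Arguments        = 'user32.dll,LockWorkStation'
$link.WorkingDirectory = Split-Path -Parent $rundll32
$link.Description      = 'Lock this workstation (same as Windows key + L)'
$link.Save()

# Read the saved shortcut back and confirm it points at the real System32 binary.
$saved = $shell.CreateShortcut($linkPath)
if ($saved.TargetPath -ne $rundll32 -or $saved.Arguments -ne 'user32.dll,LockWorkStation') {
    throw "Shortcut at $linkPath does not point at '$rundll32 user32.dll,LockWorkStation'"
}
"Created $linkPath -> $($saved.TargetPath) $($saved.Arguments)"
```

Typing `rundll32 user32.dll,LockWorkStation` at a PowerShell prompt locks the session immediately, shortcut or not.
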
April 14, 2014

Keep your password secret

Your password is like your bank account PIN - if you give your PIN to someone else, your bank is unlikely to pay you back if it is used to steal from your account. Likewise, your company expects you to use your password to stop others misusing your computer account. If you share your password, you may be held responsible for what other people do with it.

Article about the percentage of users that would share their passwords:,289142,sid14_gci895483,00.html

April 13, 2014

Make your password complex.

A good password should contain a mix of all four types of characters: uppercase and lowercase letters, numbers, and symbols. Any character on your Windows or Mac keyboard is legal in a password you make for your own computer. Remember to include at least 8 characters and avoid common words and proper names. Some characters may be illegal for certain networked systems; when in doubt, try it out. Another way to make your password complex is to base it on a word in a foreign language with at least 8 letters, avoiding common words and proper names. Just add a number, a symbol, and a capital letter or two as you go.

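The rule this tip states (and that the April 4 tip repeats), written out as a checker; this is an added example, not part of the SANS tip. It lists every requirement a candidate fails and, after stripping numbers and symbols, still catches a common word or proper name such as "London2014!". The word list is constructed for the demo; a real deployment would use a full dictionary.

```powershell
# Added example, not part of the SANS tip: checks a candidate against the rule
# the tip states (8+ characters, all four character classes, no common words or
# proper names). The word list is constructed for the demo; use a real dictionary.
$CommonWordsAndNames = @('password', 'welcome', 'summer', 'london', 'michael', 'qwerty')

function Test-PasswordComplexity {
    param([Parameter(Mandatory)][string]$Candidate)

    $problems = @()
    if ($Candidate.Length -lt 8)               { $problems += 'shorter than 8 characters' }
    if ($Candidate -cnotmatch '[A-Z]')         { $problems += 'no uppercase letter' }
    if ($Candidate -cnotmatch '[a-z]')         { $problems += 'no lowercase letter' }
    if ($Candidate -notmatch  '[0-9]')         { $problems += 'no number' }
    if ($Candidate -notmatch  '[^A-Za-z0-9]')  { $problems += 'no symbol' }

    # Strip numbers and symbols first, so "London2014!" is still caught as "london".
    $letters = ($Candidate -replace '[^A-Za-z]', '').ToLowerInvariant()
    foreach ($word in $CommonWordsAndNames) {
        if ($letters.Contains($word)) { $problems += "built on the common word or name '$word'"; break }
    }

    [pscustomobject]@{
        Candidate  = $Candidate
        Acceptable = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Constructed sample candidates: two rejections and two acceptances.
'london2014', 'London2014!', 'Tr0ub4dor&3', 'xK9#pL2m' |
    ForEach-Object { Test-PasswordComplexity $_ } | Format-Table -AutoSize
```
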
April 12, 2014

Back up your information so you don't join Kroll Ontrack's Top 10 Countdown this year

  • A customer who told engineers she had "washed away all her data" after putting a USB stick through a cycle in her washing machine.
  • A father who, while feeding his baby daughter, forgot about the USB stick in his top pocket. As he leant over the high chair, the device fell into a dish of apple puree.
  • After discovering ants had taken up residence in his external hard drive, a photographer took the cover off and sprayed the interior with insect repellent. The ants were killed off and the data was eventually recovered.

In 2007, Kroll Ontrack saw more damaged portable devices than ever before. For the complete list of strange ways of damaging hardware in the company's top 10 countdown this year, go to,1000000091,39291331,00.htm.

April 11, 2014

Revoking security access isn't always enough

A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.

April 10, 2014

Get a separate email address for postings

To secure your data and reduce SPAM sent to your business as well as to your private email account, get a dedicated address for internet postings. Never use your business email address for posting guestbook entries, votes, or questions and answers in forums and surveys. It's good to be reachable in these situations, but best to be anonymous.

April 9, 2014

Read error messages and checkboxes

When you see an error message pop up on the screen, read it! You may not understand everything, but if you look through the message, you can get the gist. Hackers can sometimes generate errors to collect everything you type and everything that comes up on your screen. If you don't understand the error, at least capture the screen. To do that, hold down the shift key and press the key labeled "Print Screen" or "PrtSc". That will put the screen into short-term storage called the clipboard. Then open an e-mail message, right click on the message body and select "paste". Now you can print it or send it to tech support for further analysis.

April 8, 2014

Stay safe when buying or selling online

Internet auction sites and online stores make shopping a breeze during the holiday season. But buying or selling merchandise online can have risks. Visit the following sites to learn more about keeping your online accounts and personal information secure and how to guard against fraud.
  • safety and security Tips
  • eBay Security & Resolution Center
  • PayPal Identity Protection

April 7, 2014

Use common sense when reviewing your email

If you did not order a new laptop, then you should not be receiving an update on its shipping status. Delete these emails.

April 6, 2014

Don't tell ANYONE your password

One way someone could learn your password is to phone you claiming to be from another part of your organization, maybe your IT or Audit teams, and say they need your account details to let them investigate a problem. This should never be necessary. Good systems are set up so that nobody but you will ever know your password, and authorized IT workers have their own accounts giving them access to what they need.

April 5, 2014

E-mail is insecure by default because it is more like a postcard, not a sealed envelope

A number of people are under the misconception that when they draft and send e-mail, two things occur. Their message gets sealed in an envelope (that's why you have to open e-mail, right?) and it goes directly to the person it was sent to via internet magic. The truth is your e-mail is sent in plain text (i.e. readable by anyone who picks it up along the way) and is passed around the Internet with multiple stops until it reaches its destination. People with evil intentions can intercept your e-mail, read it or even alter it before it reaches your intended recipient.

April 4, 2014

A password should be used by only one person.

Passwords are like bubble gum; they are much better when used by only one person. If you share your computer with others, each person should have a unique account, username, and password. Don't allow another user to know or use your password, and don't ask another user if you can use theirs. When it's your turn to use the computer, log the last user off, and log on using your own username and password. When you take a break, don't leave your computer open. Log off or lock it. And remember: Passwords shorter than 8 characters are easy to crack; avoid common words and proper names; and use both uppercase and lowercase letters, numbers, and symbols.

April 3, 2014

If you download FREE software...Make sure you don't get more than you bargained for

Free software that you download could be just what you think it is — a single software package. However, many times free software comes bundled with other unwanted, harmful programs including spyware, viruses, or even Trojan horse programs. To help keep your computer free from unwanted guests, make sure the site you are downloading from is one you know and trust. Also verify that your operating system and anti-virus software have been updated and patched BEFORE you click the download button!

April 2, 2014

Don't use information related to yourself as a password

Students at a school in London exploited a teacher's poor password selection to access grades and other school records. The teacher had used his daughter's name as a password, but became suspicious when students made reference to an excursion, which had not yet been announced, so he changed his password to the registration number of his car, which was parked outside the school every day. When he received complaints from other teachers about grades being leaked, he changed it again, this time to his postcode. The students in question cracked this within days too.

April 1, 2014

Use Outlook? Use the Auto-Preview, not the Reading Pane

If you are using an older version of Outlook, or if you have managed to reset the security level for e-mails, then you may be at some risk for HTML script-based exploits. Auto-Preview displays the first three lines of the message, enough to identify whether the message is valid, and it displays faster. Here is how to use it.
Disable the Reading Pane and Enable Auto Preview:
  1. Open Outlook.
  2. Choose View -> Reading Pane -> Off
  3. Choose View -> AutoPreview
  4. Now you can see what is Junk, and which ones may have an HTML payload.

March 31, 2014

Don't make that call!

If you receive an email asking you to call an 800 number related to a banking issue, don't call the number. Your credit card has a phone number on the back, as do your account statements. Be safe, don't call a phone number listed in an email; instead look the number up on your account statements. There is a new attack called Vishing, designed to have you call a fake, automated answering system, and get you to enter your account number and other sensitive information.

March 30, 2014

Print out important documents

A digital photography expert told me that CDs are expected to "live" for up to ten years. I want kids—and maybe grandkids—to see photos, so I print the best ones. Same goes for documents: print important files so that they are accessible in future decades. Of course, you want to back up these files too.

March 29, 2014

Don't check "remember my password" boxes

Numerous programs offer the option of "remembering" your password. Unfortunately, many of them have no built-in security measures to protect that information. Some programs actually store the password in clear text in a file on the computer. This means anyone with access to the computer can read the password. It's best to retype your password each time you log in, eliminating the possibility that someone will be able to steal or use it.

March 28, 2014

Remember that any email or instant message you send could come back to haunt you

Once you send an e-mail, it has a very good chance of being saved in someone's mailbox or archived on a server forever. People involved in scandals like Oliver North, Monica Lewinsky, Patricia Dunn (the former Hewlett-Packard chairman), and Bill Gates probably wish they could take back an email or two... Instant Messages can also be saved and used at a later date to embarrass you. Paris Hilton might be able to shed additional light on that subject. Be careful about what you put in writing and whom you send it to.

March 27, 2014

Report or challenge strangers in your office

Visitors and staff should wear badges. Others you don't recognize may be opportunist thieves who have walked past reception or found an open back door. Grab a co-worker and politely ask if they need some assistance, or report them to your security or reception staff. Thieves are as likely to steal your purse or wallet as they are to take company property, so it is in everyone's interest to keep our premises safe.

March 26, 2014

Many people think that 'formatting' a hard drive will wipe out all the data so it cannot be recovered

Not so. To prevent the possibility of future recovery, use a third-party, low-level hard drive formatting tool, such as Killdisk (downloadable at no charge from to overwrite data on the hard drive with a random sequence of 1's and 0's.
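To show what "overwrite" means at the smallest scale, here is an added example (not part of the SANS tip and not Killdisk's code) that fills one file with cryptographically random bytes, flushes them to disk, and only then deletes it. It is file-level only: it is not a reliable wipe on SSDs, compressed or cloud-synced folders, or volumes with shadow copies, so for a whole drive use a disk-level tool as the tip says.

```powershell
# Added example, not part of the SANS tip: overwrites one file with random bytes
# before deleting it, the same idea a disk-level tool applies to a whole drive.
# File-level overwriting is NOT reliable on SSDs, compressed or cloud-synced
# folders, or volumes with shadow copies; use a disk-level tool for a whole drive.
function Remove-FileWithOverwrite {
    param([Parameter(Mandatory)][string]$Path, [int]$Passes = 1)

    $file   = Get-Item -LiteralPath $Path
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 65536
    # Open for write only, in place, with no sharing so nothing else reads it mid-overwrite.
    $stream = $file.Open([System.IO.FileMode]::Open, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None)
    try {
        for ($pass = 0; $pass -lt $Passes; $pass++) {
            $stream.Position = 0
            $remaining = $file.Length
            while ($remaining -gt 0) {
                $rng.GetBytes($buffer)
                $chunk = [int][Math]::Min($buffer.Length, $remaining)
                $stream.Write($buffer, 0, $chunk)
                $remaining -= $chunk
            }
            $stream.Flush($true)   # push the random bytes through the OS cache to the disk
        }
    } finally {
        $stream.Dispose()
        $rng.Dispose()
    }
    Remove-Item -LiteralPath $Path -Force
}

# Constructed demo: a temporary file is created, overwritten, then deleted.
$demo = Join-Path $env:TEMP 'overwrite-demo.txt'
Set-Content -LiteralPath $demo -Value 'constructed sensitive content'
Remove-FileWithOverwrite -Path $demo -Passes 1
if (Test-Path -LiteralPath $demo) { throw "$demo was not removed" }
```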