Security Awareness Tip of The Day

May 17, 2013

Backup important files on a regular basis

Backup important files on a regular basis and store the backups in a safe place. (Preferably off site.) You can backup files to removable disk or save copies to network shares. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".

May 16, 2013

Don't Trust Links Sent in Email Messages

A common fraud, called "phishing", sends messages that appear to be from a bank, shop or auction, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy stuff or transfer money out of the account. These fake sites can be hard to spot, so no reputable organization will send a message requesting your confidential information.

May 15, 2013

Know your IMEI?

Did you know there is a unique serial number that identifies each mobile phone? Press *#06# on your phone's keypad, and it will display a 15 digit number. Make a record of that number, it is your International Mobile Equipment Identity (IMEI) number; and, if the phone is lost or stolen, the phone can be identified even if a new SIM card is added. Your provider can also block others from using the phone on their network, which could help protect you against expensive 1-900 phone calls and similar mischief.

May 14, 2013

Effectively delete files

When you delete a file, depending on your operating system and your settings, the file may be transferred to your trash or recycle bin. This "holding area" essentially protects you from yourself—if you accidentally delete a file, you can easily restore it. An unauthorized person will also be able to retrieve it. Does your recycle bin include credit card information, passwords, medical, or other personal data? Is there sensitive corporate information? Empty the trash or recycle bin on a regular basis to ensure that deleted information stays deleted.

May 13, 2013

Don't pass on chain messages or send warnings to everyone you know

Chain messages are a burden on mail systems and to the vast majority of the people who receive them. Just don't pass them on — it is as simple as that. You may get messages from friends, warning you about a new virus, health scare, charity appeal or con trick. These are very likely to be hoaxes or just plain wrong. Be very suspicious of messages that ask you to pass them to "everyone you know". That leads to an endless chain of forwarded messages that go on long past any real or imagined threat. If it is really convincing, pass it to your IT section or helpdesk for them to consider.

May 12, 2013

What you ask people walking around inside your company offices without a valid identity card: "May I help you?"

Security comes before a false sense of social etiquette. If you see someone anywhere on your office premises whom you don't know, and who doesn't have a valid ID, go ahead and ask the question. You can't be too alert.

Submitted by Nitin Dewan

May 11, 2013

Never respond to an email asking for personal information

Companies you do business with should never ask for account information, credit card numbers or PIN information in an email message. If you have any questions about an email you receive that supposedly comes from your financial institution, call the local branch office. Do NOT respond to the email.

May 10, 2013

Patch and update on a regular basis

Because hackers are constantly looking for vulnerabilities, it is important to keep your software up to date and patched. Unpatched, out-of-date systems are a leading cause of security incidents. Take the time to ensure you have the most recent patches and updates installed.

May 9, 2013

See just how "Security Aware" you really are

Do you believe you're a little more Security Aware? Can you identify the threats that exist in your environment and the steps you should take to avoid them? Take the following quizzes and find out.

• Phishing http://www.onguardonline.gov/games/phishing-scams.aspx
• Spyware http://www.onguardonline.gov/games/beware-spyware.aspx
• Identity Theft http://www.onguardonline.gov/games/id-theft-faceoff.aspx
• Social Networking http://www.onguardonline.gov/games/friend-finder.aspx

May 8, 2013

Protect your home wireless networks

No matter how friendly you are, you wouldn't let your neighbor read your bank statements and private letters. If you have a wireless network in your house and don't protect it, you could be doing just that. As they come "out of the box", most wireless networks let anyone in range connect to them and that could also let them see your PC and your email. It is worth taking a few extra minutes when setting them up to enable the encryption settings. Briefly, if you don't understand the jargon, WPA is better than WEP.

May 7, 2013

Don't be an unintentional spammer

If you're like most people, you've probably received at least one hoax or chain letter in your inbox. What should you do with the next one you receive? Delete it! Why you ask? Because chain letters and hoaxes have the potential to cause problems (lots of network traffic or just filling up someone's inbox) and they can also be very annoying. Visit the following sites to find out more about hoaxes and chain letters.

• http://www.snopes.com
• http://www.breakthechain.org
• http://hoaxbusters.ciac.org

May 6, 2013

If you print it, go get it right away!

Dont leave important, sensitive, or confidential material lying around the office. Common printing areas are frequented by people coming and going. Often you will be in line to pick up your documents and others may handle them before you. This leads to unnecessary information disclosures. One boss had a print job disappear, and had e-mailed the whole floor about it. The pages never turned up. Always use the closest print station, or a dedicated printer for confidential information, and go get it right away!

May 5, 2013

Watch out for shoulder surfers

Watch out for shoulder surfers who read over your shoulder or try to steal your password. If you have your back to the door or an open cubical wall, get a rear view mirror to stick up and watch behind you when youre typing. This also prevents office pranksters from sneaking up on you. When in public places, such as Internet cafes, always try to sit with your back to a wall to prevent onlookers. Glass walls dont count — thieves can look right through them!

May 4, 2013

Don't enter your password on an untrusted computer.

A password is only as secure as the computer or network it is used on.

Bad Guys target public kiosk-type computers and wireless networks, such as those in Internet cafes, conference centers, hotels and motels, and airports. The instant you type your password on a computer that is infected or rigged, or on one using a compromised wireless network, the Bad Guy has got that password for good. This is one reason why you should change your passwords on a schedule, and never reuse a password on several computers or systems. Regard all public-use computers as untrustworthy. If you have no choice but to use a public computer, change your password before you log off or at the next available opportunity.

May 3, 2013

Use Outlook? Use the Auto-Preview, not the Reading Pane

If you are using an older version of Outlook, or if you have managed to reset the security level for e-mails, then you may be at some risk for HTML script-based exploits. Auto-Preview displays the first three lines of the message, enough to identify whether the message is valid, and it displays faster. Here is how to use it.
Disable the Reading Pane and Enable Auto Preview:

1. Open Outlook.
2. Choose View -> Reading Pane -> Off
3. Choose View -> AutoPreview
4. Now you can see what is Junk, and which ones may have an HTML payload.

May 2, 2013

Don't enter your username and password on any computer you don't control.

Using public computers will always carry the risk of exposing your personal data. "Public" computers — as in college library computers. A Kentucky college student has been charged with identity theft and unlawful access to a computer for allegedly breaking into other students' email accounts at the University of the Cumberlands, and using the access and information to blackmail them. He did this by allegedly placing spyware on computers at the college library to harvest the information he needed to access the email accounts. Then he threatened to divulge the contents of certain messages unless the students complied with his demands.

For more information: http://blogs.techrepublic.com.com/10things/?p=322

May 1, 2013

E-mail is insecure by default because it is more like a postcard, not a sealed envelope

A number of people are under the misconception that when they draft and send e-mail, two things occur. Their message gets sealed in an envelope (that's why you have to open e-mail right?) and that it goes directly to the person it was sent to via internet magic. The truth is your e-mail is sent in plain text (i.e. readable by anyone who picks it up along the way) and is passed around the Internet with multiple stops until it reaches its destination. People with evil intentions can intercept your e-mail, read it or even alter it before it reaches your intended recipient.

April 30, 2013

Revoking security access isn't always enough

A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.

April 29, 2013

Stop! Nobody Sends Email to Dead People!

One type of Phishing (fake emails to trick you into sharing your private financial details) is to send a note claiming to want to send you a sum of money but not being able to because they have been told you are deceased. The idea is for you to prove you are not dead by giving up your financial information. As always, if it sounds too good to be true, it is probably not true. If someone wants to contact you in order to give you a large sum of money, they will almost certainly do it by certified mail, not by email.

April 28, 2013

Do NOT open unknown or unexpected e-mail attachments

This morning I got an e-mail from my boss with an attachment. My boss is a man of few words on e-mail. If he wants to explain or discuss something with me, he picks up the phone. When he wants me to read or edit something we have talked about, he sends it to me. Even though the subject line was a date, the e-mail had no text, AND my boss hadn't told me he was sending me an attachment, I opened it because it was from my boss at an e-mail address I recognized. Bad move. Imagine my surprise when my Norton anti-virus screen popped up with a message that the attachment contained a virus and had been deleted. Hackers had spoofed his address and I had fallen for it.

April 27, 2013

Don't be duped by Internet Fraud

We all get offers that seem too good to be true. Whether they come by email or appear on web sites, they are often clever schemes designed to dupe the gullible. Don't be tricked by Internet Fraud. For more information see http://www.lookstoogoodtobetrue.com.

April 26, 2013

Check for encryption or secure sites when providing confidential information online

Credit card and online banking sites are convenient and easy ways to purchase and handle financial transactions. They are also the most frequently spoofed or "faked" sites for phishing scams. Information you provide to online banking and shopping sites should be encrypted and the site's URL should begin with https. Some browsers have an icon representing a lock at the lower right of the browser window. For more information about phishing, please visit http://www.onguardonline.gov/phishing.html

April 25, 2013

Avoid spam in your IM email account

Did you ever sign up with an Instant Messenger client so that you could chat with your buddies? Perhaps you have more than one running on the desktop. Each popular IM client comes conveniently with an Email account, and each time there is an email associated with your IM screen name, you receive a notice with this account filling up. You can prevent the spam or any email notices from appearing by using a single filter. Since I added the following filter on my email account attached to my Yahoo IM, I no longer get these notifications. Simply add a filter that the From/ Address includes @ to go directly to trash. You will be able to communicate with all your IM buddies without the hassle of being notified of items coming into the inbox.

April 24, 2013

Keep your password secret

Your password is like your bank account PIN - if you give your PIN to someone else, your bank is unlikely to pay you back if it is used to steal from your account. Likewise, your company expects you to use your password to stop others misusing your computer account. If you share your password, you may be held responsible for what other people do with it.

Article about percentage of users that would share their passwords:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci895483,00.html

April 23, 2013

Don't check "remember my password" boxes

Numerous programs offer the option of "remembering" your password. Unfortunately, many of them have no built-in security measures to protect that information. Some programs actually store the password in clear text in a file on the computer. This means anyone with access to the computer can read the password. It's best to retype your password each time you log in eliminating the possibility that someone will be able to steal or use it.

April 22, 2013

Don't Let Spammers See Your "Out of Office" Replies

Configuring your email program to automatically return "Out of Office" notifications to email senders is good for internal mail system users, but it can provide confirmation of an email address to a spammer, if permitted to leave the corporate network. Configure your message replies to recognize only trusted domain addresses or block your notifications outbound at the firewall.

For home users, never say you are not home, but rather "away from the computer right now", and don't specify for how long. You don't want to advertise your absence.

April 21, 2013

Use a password in only one place.

Reusing passwords or using the same password all over the place is like carrying one key that unlocks your house, your car, your office, your briefcase, and your safety deposit box. If you reuse passwords for more than one computer, account, website, or other secure system, keep in mind that all of those computers, accounts, websites and secure systems will be only as secure as the least secure system on which you have used that password. Don't enter your password on untrusted systems. One lost key could let a thief unlock all the doors. Remember: Change your passwords on a schedule to keep them fresh.

April 20, 2013

Just because your company's spam filter, virus filter and other defenses let an email through, doesn't mean it's harmless

Last year, one organization narrowly avoided a virus infestation. Alerts led them to the email in-boxes of the virus authors. To sneak in a virus, hackers used encrypted zip files, which went past filters because they couldn't be scanned. The organization caught it with the very last line of defense — desktop antivirus software, which triggered after the users had plugged in the password to see the zip file contents! Had the bad guys written something new, instead of using off-the-shelf script kiddie code that was in standard pattern files, there could have been a major outbreak. Long story short: End-user awareness about email and attachments is every bit as important as antivirus filters and firewalls. EVERY USER is an important part of hacker defense!

April 19, 2013

Only deal with reputable companies that you know and trust

At the very least be sure the company has a physical address and phone number. If you haven't done business with the company before, visit the Better Business Bureau online (http://www.bbbonline.org) and do some research. Check the company's website for feedback from previous customers.