Security Awareness Tip of The Day

October 2, 2014

People Forget, Computers Don't

In 2003, the British Government published a report on Iraq's security and intelligence organizations. Then a Cambridge University lecturer discovered that much of the document was copied from three different articles, one written by a graduate student. How did he know? The document contained a listing of the last 10 edits, even showing the names of the people who worked on the file.

Hidden data can often be found within Microsoft Office documents, particularly Word. Whenever you exchange documents with clients, either convert them to PDF format (WYSIWYG: what you see is what you get) or run them through Microsoft's Hidden Data Removal tool.
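Before a document leaves the organisation, it helps to see exactly what a recipient could dig out of it. The script below is an added example, not the tip's own tool and not Microsoft's: it builds a small, constructed .docx-style package in memory (author names, a revision counter, a tracked deletion and insertion, and a reviewer comment) and then audits it the way a pre-send check would. The Office Open XML namespaces are the standard ones; the sample names and the helper functions are assumptions for this example. The 2003 dossier was a binary .doc, so the .docx layout here is a modern equivalent rather than the original format.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard namespaces used inside Office Open XML (.docx) packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-style package in memory (sample data, not a real file).

    It carries the kinds of hidden data the tip warns about: author names,
    a revision counter, one tracked deletion/insertion and one reviewer comment.
    """
    core = (
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        "<dc:creator>alice.example</dc:creator>"
        "<cp:lastModifiedBy>bob.example</cp:lastModifiedBy>"
        "<cp:revision>14</cp:revision>"
        "</cp:coreProperties>"
    ).format(**NS)
    document = (
        '<w:document xmlns:w="{w}"><w:body><w:p>'
        "<w:r><w:t>Final text.</w:t></w:r>"
        '<w:del w:author="bob.example"><w:r><w:delText>draft figure 40%</w:delText></w:r></w:del>'
        '<w:ins w:author="bob.example"><w:r><w:t>final figure 45%</w:t></w:r></w:ins>'
        "</w:p></w:body></w:document>"
    ).format(**NS)
    comments = (
        '<w:comments xmlns:w="{w}"><w:comment w:author="alice.example">'
        "<w:p><w:r><w:t>Check this number before release</w:t></w:r></w:p>"
        "</w:comment></w:comments>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


def audit_docx(data: bytes) -> dict:
    """Report the hidden data a recipient could read out of a .docx package:
    author names, revision count, tracked changes and comments."""
    w = NS["w"]
    report = {"creator": None, "last_modified_by": None, "revision": None,
              "tracked_changes": 0, "comments": 0, "authors": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            report["creator"] = core.findtext("dc:creator", namespaces=NS)
            report["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
            rev = core.findtext("cp:revision", namespaces=NS)
            report["revision"] = int(rev) if rev else None
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            # Tracked changes survive as <w:ins> / <w:del> elements, each naming its author.
            for local in ("ins", "del"):
                for el in doc.iter("{%s}%s" % (w, local)):
                    report["tracked_changes"] += 1
                    report["authors"].add(el.get("{%s}author" % w))
        if "word/comments.xml" in names:
            com = ET.fromstring(z.read("word/comments.xml"))
            for el in com.iter("{%s}comment" % w):
                report["comments"] += 1
                report["authors"].add(el.get("{%s}author" % w))
    report["authors"] = sorted(a for a in report["authors"] if a)
    return report


def is_clean_to_share(report: dict) -> bool:
    """True only when no author names, tracked changes or comments remain."""
    return (report["tracked_changes"] == 0 and report["comments"] == 0
            and not report["creator"] and not report["last_modified_by"])


if __name__ == "__main__":
    result = audit_docx(build_sample_docx())
    print(result)
    print("clean to share:", is_clean_to_share(result))
```

Run against a real file by passing its bytes to `audit_docx`; anything the report lists is what the tip's PDF conversion or the Hidden Data Removal tool is there to strip.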

For more info, and to download Microsoft's Hidden Data Removal tool, see

October 1, 2014

Review your credit reports routinely

The Fair Credit Reporting Act (FCRA) requires each of the nationwide consumer reporting companies — Equifax, Experian, and TransUnion — to provide you with a free copy of your credit report, at your request, once every 12 months. Take advantage of these free reports, and verify the information that they contain.
- Don Young
September 30, 2014

Don't buy anything from a spammer

If an unexpected email brings you news that seems too good to be true, it is probably spam and a scam. If you didn't request information about the product or service, it is probably spam and a scam. If it promises to enhance parts of your body, it won't. If it promises you an easy mortgage, you can do better by visiting your bank. If it promises that you can make a fortune on a penny stock, you can't. If you are unsure, ask five friends. Chances are four of them also received the spam, and you will know to steer clear.
September 29, 2014

Use common sense when reviewing your email

If you did not order a new laptop, then you should not be receiving an update on its shipping status. Delete these emails.
September 28, 2014

Five Security Tips

  1. If you don't understand the warning message, say no and consult IT support. It's easier to go back and say yes if you need to than be sorry and have to rebuild your machine.
  2. Certificates: If you don't understand a website certificate message, say no and consult IT support. It is easier to go back and say yes if you need to than be sorry and have to rebuild your credit.
  3. Antivirus: Running antivirus does not slow your computer down nearly as much as a virus does.
  4. Back-up: Backing up your data may seem like a waste of time — er, until you spill coffee all over your laptop.
  5. Passwords: Writing down your password around your desk is about as secure as leaving a $20 bill lying on the dashboard of your car. How well do you trust anyone these days?
September 27, 2014

Don't Trust Links Sent in Email Messages

A common fraud, called "phishing", sends messages that appear to be from a bank, shop or auction, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy stuff or transfer money out of the account. These fake sites can be hard to spot, so no reputable organization will send a message requesting your confidential information.
September 26, 2014

Back up your information so you don't join Kroll Ontrack's Top 10 Countdown this year

  • A customer who told engineers she had "washed away all her data" after putting a USB stick through a cycle in her washing machine.
  • A father who, while feeding his baby daughter, forgot about the USB stick in his top pocket. As he leant over the high chair, the device fell into a dish of apple puree.
  • After discovering ants had taken up residence in his external hard drive, a photographer took the cover off and sprayed the interior with insect repellent. The ants were killed off and the data was eventually recovered.

In 2007, Kroll Ontrack saw more damaged portable devices than ever before. For the complete list of strange ways of damaging hardware in the company's top 10 countdown this year, go to,1000000091,39291331,00.htm.

September 25, 2014

Take time to explore security settings

Whether it is financial management software, instant messaging or a social networking website, take the time to see what security settings are offered to protect you and your information. Follow these steps for all of the software you use, not just email.
  1. Go to Options or Preferences
  2. Every program is different, so look for words like "Privacy", "Safety" or "Security" and click on them.
  3. Select the most restrictive option (i.e. only let the people you approve view your information or contact you — or the one that best accommodates your business needs).
  4. Save the settings.
September 24, 2014

Use Outlook? Use the Auto-Preview, not the Reading Pane

If you are using an older version of Outlook, or if you have managed to reset the security level for e-mails, then you may be at some risk for HTML script-based exploits. Auto-Preview displays the first three lines of the message, enough to identify whether the message is valid, and it displays faster. Here is how to use it.
Disable the Reading Pane and Enable Auto Preview:
  1. Open Outlook.
  2. Choose View -> Reading Pane -> Off
  3. Choose View -> AutoPreview
  4. Now you can see what is Junk, and which ones may have an HTML payload.
September 23, 2014

Connect for good health

Keep computers healthy—frequently connect them to the network. When you connect, you can get security patches and anti-virus updates. Whenever possible, use automatic updates to ensure your system is up to date.
September 22, 2014

If you access the Internet from a shared computer, make sure you don't leave anything behind

Being able to access the Internet from different locations — the library, a computer lab at school, an Internet cafe — is a great convenience, but it can also pose a security risk to personal information. If you do access the Internet from a shared computer, here are a few things you need to remember.
  1. Don't check the "remember my password" box.
  2. When you're done, make sure you log off completely by clicking the "log off" button before you walk away.
  3. If possible, clear the browser cache and history.
  4. Never leave the computer unattended while you're logged in.
  5. Trash all documents you used, and empty the recycle bin.
September 21, 2014

Don't reply to unsolicited email messages (spam)

By responding, you only confirm that your email address is active. Another thing you shouldn't do is click the "remove me" link in the message. Links in email can point to a different server than the one you think they reference. The best thing you can do is delete the message. Many free email services, such as MSN Hotmail, Yahoo!, AOL or Gmail, let you easily report a message as spam.
September 20, 2014

Do NOT open unknown or unexpected e-mail attachments

This morning I got an e-mail from my boss with an attachment. My boss is a man of few words on e-mail. If he wants to explain or discuss something with me, he picks up the phone. When he wants me to read or edit something we have talked about, he sends it to me. Even though the subject line was a date, the e-mail had no text, AND my boss hadn't told me he was sending me an attachment, I opened it because it was from my boss at an e-mail address I recognized. Bad move. Imagine my surprise when my Norton anti-virus screen popped up with a message that the attachment contained a virus and had been deleted. Hackers had spoofed his address and I had fallen for it.
September 19, 2014

How to spot a phishing email...

It could be a phishing email if...
  • There are misspelled words in the e-mail or it contains poor grammar.
  • The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers.
  • There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address."
  • The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example:
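The last bullet, a sender domain that is close to the real one but not exact, is the one a mail filter can check mechanically. The following is an added example, not part of the original tip: it pulls the domain out of a From: header (preferring the address in angle brackets over the display name, which is trivial to fake), then compares it against a constructed list of trusted domains using three tests: common character substitutions such as `rn` for `m` or `1` for `l`, a small edit distance, and a trusted name buried as a subdomain of some other domain. The trusted domains, the header samples and the helper names are assumptions; the registrable-domain logic takes the last two labels and does not consult a public-suffix list.

```python
import re

# Constructed list of domains this organisation trusts (placeholder names, not real brands).
TRUSTED_DOMAINS = {"example-bank.com", "example-shop.com"}

# Substitutions that commonly make one domain look like another on screen.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header, using the angle-bracket address when present."""
    m = re.search(r"<([^<>@\s]+)@([^<>\s]+)>", from_header)
    if m is None:
        m = re.search(r"([^<>@\s]+)@([^<>\s]+)", from_header)
    if m is None:
        raise ValueError("no email address found in header: %r" % from_header)
    return m.group(2).strip().lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so
    suffixes such as co.uk are not handled specially."""
    return ".".join(host.split(".")[-2:])


def normalize(domain: str) -> str:
    """Collapse look-alike character sequences so visual twins compare equal."""
    out = domain
    for src, dst in HOMOGLYPHS:
        out = out.replace(src, dst)
    return out


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify the sender domain as trusted, lookalike or unknown."""
    host = sender_domain(from_header)
    reg = registrable_domain(host)
    if reg in trusted:
        return {"domain": host, "verdict": "trusted", "reason": "exact match"}
    for t in trusted:
        # A trusted name used as a subdomain of an unrelated registrable domain.
        if host.startswith(t + ".") or ("." + t + ".") in ("." + host):
            return {"domain": host, "verdict": "lookalike",
                    "reason": "trusted name used as a subdomain of " + reg}
        if normalize(reg) == normalize(t):
            return {"domain": host, "verdict": "lookalike",
                    "reason": "character substitution for " + t}
        if levenshtein(reg, t) <= 2:
            return {"domain": host, "verdict": "lookalike",
                    "reason": "within two edits of " + t}
    return {"domain": host, "verdict": "unknown", "reason": "no trusted domain resembles it"}


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    for header in ("Example Bank <alerts@example-bank.com>",
                   "alerts@examp1e-bank.com",
                   "security@example-bank.com.verify-login.net",
                   "alerts@example-bank.com <x@evil-sender.net>",
                   "newsletter@unrelated.org"):
        print(header, "->", assess_sender(header))
```

An "unknown" verdict is not a pass; it only means the domain resembles nothing on the trusted list, so the other bullets above still apply.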
September 18, 2014

Avoid default installations

Most software and hardware setup procedures are designed to get the product up and running with maximum functionality and minimum effort. One thing that usually slips is security. If you set up your external firewall with the suggested password from the installation instructions, how many others are set up just like that? Take the time to change the defaults; it will make the attacker's job just a little bit harder. Make sure to document the changes in a secure way.
September 17, 2014

Report or challenge strangers in your office

Visitors and staff should wear badges. Others you don't recognize may be opportunist thieves who have walked past reception or found an open back door. Grab a co-worker and politely ask if they need some assistance or report them to your security or reception staff. Thieves are as likely to steal your purse or wallet as they are to take company property, so it is in everyone's interest to keep our premises safe.
September 16, 2014

Don't Investigate a Security Problem Unless You Are Authorized by the System Owner

A security specialist was suspicious after donating to a charity website and not getting an acknowledgement. So he ran a couple of tests on the site to see if it was what it claimed to be. Unfortunately, he set off the site's security alarms, ending up convicted of a crime under the UK Computer Misuse Act and out of a job. At work, rather than trying to check by yourself, report suspected problems inside your company to your manager, IT area or security team. Aside from getting into trouble, you could destroy evidence or confuse people who are investigating an issue.
September 15, 2014

Some Tips to Protect against Identity Theft

  1. Do not sign the back of your credit cards. Instead put "PHOTO ID REQUIRED"; although merchants and their employees are still hit-and-miss on actually checking that ID, more of them are paying attention.
  2. When you order your checks, don't list any telephone number. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home address or your work address.
  3. Be aware of which credit cards you carry now have embedded RFID chips because the information on one of those chips can be read surreptitiously by someone near you using a simple hand-held scanner.
  4. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Store those photo copies in a secure place and refresh it when you change cards.
September 14, 2014

Don't Click to Agree without Reading the Small Print

Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.
September 13, 2014

Avoid opening email attachments

If you MUST open an attachment received in an email, make sure the email was sent from a known source. Read the accompanying email text to make sure it really sounds like it came from the apparent sender — check for a signature and other recognized patterns.
September 12, 2014

Use Google's cached mode to avoid spyware

As the network administrator at a small firm, I've been fighting spyware and spam for years. At first I had to rely on, which provides legitimate links to free anti-spyware programs. One day I needed one of those programs in a hurry. I did a Google search and clicked on the first link I found in the Google hit list. The link took me to a "hijacked" website. Pop-ups immediately came up on my PC. Fortunately I knew how to stop them before anything was downloaded [When a popup is showing on your desktop, don't click on it! Right click on the Windows Taskbar item and choose Close]. Since then, I never clicked on the first Google hit link again. I always use the Google "cached" link to check the link first.
September 11, 2014

Get a separate email address for postings

To secure your data and reduce SPAM sent to your business as well as to your private email account, get a dedicated address for internet postings. Never use your business email address for posting guestbook entries, votes, or questions and answers in forums and surveys. It's good to be reachable in these situations, but best to be anonymous.

September 10, 2014

Think twice before you post personal information. Remember, even crooks may see what you post on social media sites

Criminals are mopping up because social media users are willing to share personal information about themselves and others. This data can be used to guess your password, give them the answers to account security questions or send you email with malicious attachments that appear to be from someone you know.
September 9, 2014

Outsmart hoax e-mail

Productivity-sapping e-mail circulates close to April Fool's Day. Keep the e-mail system from bogging down with thousands of unnecessary messages—delete hoaxes and jokes.

One year, an April Fool e-mail claimed that "for every person that you forward this e-mail to, Microsoft will pay you $245.00 ..." It was forwarded to thousands of people even though it sounded too good to be true. At one nationwide company, in-boxes were clogged and the e-mail servers had to be reset, delaying legitimate e-mail.
September 8, 2014

Don't click on links in pop-ups or banner advertisements

In July 2007, when iPhones were scarce and strongly in demand, Botnet herders put software on already infected computers that redirected users browsing for iPhones to phony websites. The malware caused pop-ups and banner advertisements on infected computers; clicking on the provided links took users to the phony sites. People who attempted to buy iPhones from the sites were actually providing the Bad Guys with their personal and financial information. You can expect to see something similar for any fad that comes along. When your heart is tempted by the latest hot fad, don't throw caution to the wind.
September 7, 2014

Don't Let Spammers See Your "Out of Office" Replies

Configuring your email program to automatically return "Out of Office" notifications to email senders is good for internal mail system users, but it can provide confirmation of an email address to a spammer, if permitted to leave the corporate network. Configure your message replies to recognize only trusted domain addresses or block your notifications outbound at the firewall.

For home users, never say you are not home, but rather "away from the computer right now", and don't specify for how long. You don't want to advertise your absence.
September 6, 2014

Do not write your password down and leave it near your computer

Writing your password on a 'sticky-note' and sticking it on your monitor makes it very easy for people who regularly steal passwords to obtain yours. Hiding it under your keyboard or mouse pad is not much better, as these are common hiding places for passwords. However, if you must write something down, jot down a hint or clue that will help jog your memory, or store the written password in a secure, locked place.
September 5, 2014

Just because your company's spam filter, virus filter and other defenses let an email through, doesn't mean it's harmless

Last year, one organization narrowly avoided a virus infestation. Alerts led them to the email in-boxes of the virus authors. To sneak in a virus, hackers used encrypted zip files, which went past filters because they couldn't be scanned. The organization caught it with the very last line of defense, desktop antivirus software, which triggered after the users had entered the password to see the zip file contents! Had the bad guys written something new, instead of using off-the-shelf script kiddie code that was in standard pattern files, there could have been a major outbreak. Long story short: end-user awareness about email and attachments is every bit as important as antivirus filters and firewalls. EVERY USER is an important part of hacker defense!
September 4, 2014

Print out important documents

A digital photography expert told me that CDs are expected to "live" for up to ten years. I want kids—and maybe grandkids—to see photos, so I print the best ones. Same goes for documents: print important files so that they are accessible in future decades. Of course, you want to back up these files too.
September 3, 2014

Be better than James Bond

In Casino Royale, Bond chooses a password to protect a multi-million pound money transfer. What does he choose? His girlfriend's name - doh! Why bother torturing him when you could just guess his cunning plans? We can all do better than that. For most situations a password should be 8 characters long and be a mixture of letters, numbers and other characters and it should conform to company policy. It should not be a word you would find in a dictionary, the name of your spouse, partner, child, pet, favorite band or any of these followed by a single digit. Use common sense - Razorlight1 isn't a good choice if you have a poster of the band behind your desk.