Security Awareness Tip of The Day

To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.

July 24, 2014

Protect your home wireless networks

No matter how friendly you are, you wouldn't let your neighbor read your bank statements and private letters. If you have a wireless network in your house and don't protect it, you could be doing just that. As they come "out of the box", most wireless networks let anyone in range connect to them and that could also let them see your PC and your email. It is worth taking a few extra minutes when setting them up to enable the encryption settings. Briefly, if you don't understand the jargon, WPA is better than WEP.

July 23, 2014

Don't plug in USB drives that you find lying around. Criminals can use them to steal your data

People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union. He loaded malicious software onto old thumb drives and left them on the ground and on tables in the parking lot and smoking areas. Each time a curious, helpful person plugged one of the thumb drives into their computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link:

July 22, 2014

Check and make sure your friend sent that great screensaver

A common method of transmitting malware is by infecting some unsuspecting user's computer and then using that computer to infect others. One simple way to do this is for a hacker to hijack your address book and send copies of the malware to everyone in that address book. Of course, YOU need to be enticed to run the malware, and the best way to do that is to fool you into thinking the attachment is something else. If a friend or acquaintance sends you a "great screensaver" or something like that, which you were not expecting, take a few minutes to confirm that person really sent it. If they know nothing about it, then delete the message.

July 21, 2014

Protect files with a password

Your most important files can be protected with a password. For example, in Microsoft Word, you can create a password to open and a password to modify a file. Just go to Tools | Options and click the Security tab. Remember the password so you don't lock yourself out!

July 20, 2014

If your browser questions a website's security, stop, think, and verify.

When visiting the "https" secure sites of banks and online shopping retailers, you may see an onscreen warning, such as "There is a problem with the website's security certificate" or "Secure Connection Failed." Don't just click to continue or to make an exception. The warning may only indicate that there is a harmless temporary problem with the site or with the network. But it can also mean that the site is bogus or has been compromised by hackers, and someone is listening in on your conversation with your bank or retailer.

Be smart. Contact your bank or retailer by phone to find out if they know about a problem with their website or the network. Don't be the next victim of fraud.

July 19, 2014

Only deal with reputable companies that you know and trust

At the very least be sure the company has a physical address and phone number. If you haven't done business with the company before, visit the Better Business Bureau online ( and do some research. Check the company's website for feedback from previous customers.

July 18, 2014

Don't fall for phishing schemes

Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts (if an email message looks suspicious, it probably is). However, there are some messages that look like the real thing but aren't. If an email message contains any of the following phrases, there's a good chance it is a phishing scheme.
  1. We need to verify your account information.
  2. If you don't respond immediately, your account will be cancelled.
  3. Click the link below to update your information.

Take the following Phishing Quizzes and see how good you are at identifying phishing schemes.

July 17, 2014

When selecting a screen name...make sure it doesn't say too much about you

Screen names that hint at personal interests, hobbies, or favorite sports, combined with other clues in your profile will give enough information for someone to figure out who you are and where they can find you.

July 16, 2014

Back up important files on a regular basis

Back up important files on a regular basis and store the backups in a safe place, preferably off site. You can back up files to a removable disk or save copies to network shares. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".

July 15, 2014

Turn off your wireless AP when it's not in use

Power off your wireless access point (AP) when you know you won't be at home or when it's not in use. Your AP can't be accessed by hackers when it is not powered on. So, turn it off and limit the amount of time you leave yourself open to attack.

July 14, 2014

Can you hear me now? Do NOT trust your cell phone Bluetooth earpiece

Many cell phone Bluetooth hands-free earpieces have a default pin of 0000. A hacker with a Bluetooth antenna can connect to your earpiece and eavesdrop on everything that you are saying. In fact, they can even transmit to it. Think that's unlikely? Check out the YouTube video at:

July 13, 2014

Don't tell anybody your password

This warning includes your systems administrator, who NEVER needs your password. One day I received an e-mail from "", saying they needed my password for maintenance, and if I did not go to a webpage and give it to them, they would suspend my account. As it turns out, I'm the one in charge of "" — so I'm the one who gives out accounts and does maintenance. Things might have ended differently if I had had an account with or Then the senders would have called themselves "" and I might have been fooled.

July 12, 2014

Use caution when opening email attachments

Email attachments are a common tool for attackers because forwarding email is so simple. Users often open attachments that appear to come from someone they know or an organization they do business with. Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send. If your email program includes an option to automatically download email attachments, DON'T take it. Doing so could immediately expose your computer to any viruses included in the email attachments.

July 11, 2014

Don't use information related to yourself as a password

Students at a school in London exploited a teacher's poor password selection to access grades and other school records. The teacher had used his daughter's name as a password, but became suspicious when students made reference to an excursion, which had not yet been announced, so he changed his password to the registration number of his car, which was parked outside the school every day. When he received complaints from other teachers about grades being leaked, he changed it again, this time to his postcode. The students in question cracked this within days too.

July 10, 2014

Always log off your own computer. Do not let anyone else offer to do it for you

One of our branch supervisors was offering to log her staff off for them, so they didn't have to wait, and could get on with their evenings away from work. She wouldn't really log them off, though, but would just turn off their computer monitors. Once the staff had left for the evening, she would go back to the computers to see who was still signed in to the banking software. If she found someone still signed in, the supervisor would then defraud the bank, using her staff's IDs to cover her tracks.

July 9, 2014

Lock your workstation before you leave your desk

Did you know there are keyboard shortcuts other than CTRL+ALT+DEL that you can use to lock your desktop? This will prevent people from walking up and snooping on your computer. You can save a keystroke by simultaneously pressing the Windows key + L. The Windows key has four wavy squares.

Or, to make things even easier, create a desktop shortcut.
  1. Right click any empty area of your desktop
  2. Click New
  3. Click Shortcut
  4. Type in the following: rundll32.exe user32.dll, LockWorkStation
  5. Click Next
  6. Name your shortcut
  7. Click Finish

Now it's as easy as a double click!
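The same shortcut can be created from a PowerShell prompt, which is handy when you want to put it on several machines. This is an added example, not part of the SANS tip; the shortcut name "Lock Workstation" and its placement on the current user's desktop are choices made here, and the target is the rundll32 command the tip has you type into the wizard.

```powershell
# Added example, not part of the SANS tip: create the lock-workstation shortcut
# with PowerShell instead of the right-click wizard.
# Assumptions: the name "Lock Workstation" and the desktop location are choices
# made for this example.
$desktop  = [Environment]::GetFolderPath('Desktop')
$linkPath = Join-Path $desktop 'Lock Workstation.lnk'

# WScript.Shell exposes the CreateShortcut COM method the wizard uses.
$shell = New-Object -ComObject WScript.Shell
$link  = $shell.CreateShortcut($linkPath)

# Same command the tip names: rundll32 calling the LockWorkStation entry
# point in user32.dll.
$link.TargetPath  = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$link.Arguments   = 'user32.dll,LockWorkStation'
$link.Description = 'Lock this workstation (same effect as Windows key + L)'
$link.Save()

# Read the shortcut back to confirm it points where we expect before relying on it.
$check = $shell.CreateShortcut($linkPath)
if ($check.Arguments -eq 'user32.dll,LockWorkStation') {
    Write-Host "Shortcut created: $linkPath"
} else {
    Write-Warning "Shortcut at $linkPath does not have the expected target"
}
```

No administrator rights are needed; the script only writes a .lnk file to your own desktop. Double-clicking the result locks the screen exactly as Windows key + L does.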

July 8, 2014

Letting Family or Friends Use Your Employer's Computers Can Be Bad for You

A candidate for Parliament in the UK received a lot of bad publicity when people took offense at a message her husband sent from her Council email account. She isn't the first person to get into trouble over a family member misusing their work email account or PC. Very few organizations let employees' families use their PCs. If you work from home on a corporate PC, then check your company policy and clarify boundaries with household members. (

July 7, 2014

Avoid Ad-hoc wireless networks

Disable automatic connection to any new networks and limit your connections to access point (infrastructure) networks only:
  • Click the "Start" button and navigate to the "Control Panel" and then to "Network Connections."
  • Right mouse-click on the "Wireless Network Connection" and choose "Properties".
  • Pick the "Wireless Networks" tab, then the "Advanced" button:
    • Make sure that the check box next to "automatically connect to non-preferred networks" is not checked.
    • Click on Access point (infrastructure) networks only to avoid ad hoc networks.

This configuration prevents you from automatically connecting to any new networks and refuses all ad-hoc networks, which have the potential to monitor traffic that passes through them.
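The dialog steps above are from Windows XP. On Windows Vista and later the same two settings (no automatic connection, no ad hoc networks) can be applied from an elevated PowerShell prompt with the netsh wlan context. This is an added example, not part of the SANS tip; it assumes an elevated prompt and reads the saved profile names from the machine it runs on.

```powershell
# Added example, not part of the SANS tip: the XP "Wireless Networks" dialog
# settings expressed with netsh wlan (Windows Vista and later).
# Assumption: run from an elevated PowerShell prompt.

# 1. Switch every saved wireless profile to manual connection, the equivalent of
#    unchecking "automatically connect to non-preferred networks".
$profiles = netsh wlan show profiles |
    Select-String 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

foreach ($name in $profiles) {
    netsh wlan set profileparameter name="$name" connectionmode=manual | Out-Null
    Write-Host "Profile '$name' now connects only when you choose it"
}

# 2. Refuse ad hoc (computer-to-computer) networks entirely, the equivalent of
#    "Access point (infrastructure) networks only".
netsh wlan add filter permission=denyall networktype=adhoc | Out-Null

# 3. Show the active filters so the change can be verified.
netsh wlan show filters
```

After running it, "netsh wlan show filters" should list the adhoc denyall entry, and "netsh wlan show profiles name=<profile>" should report Connection mode as "Connect manually" for each saved network.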

July 6, 2014

Always lock your computer (by pressing CTRL + ALT + DELETE and hitting "Enter") before walking away from it

Locking your computer before leaving it unattended prevents anyone else from accessing it while you are away. This is especially important when there are customers in your office. Leaving your computer unlocked can expose customer data to a third party. Even when there is no one in your office, data could be exposed if your computer screen faces an outside window, especially on the ground floor.

July 5, 2014

Don't Accept Offers of "Free PC Scans" That Pop up When You Use the Internet

Secure Computers LLC paid a $1,000,000 fine for offering "free spyware scans" that told users their systems had been infected with spyware, even if the system was clean. They are not the only ones doing this — when you surf the Web you are still likely to see pop-up windows like that. Some "scans" don't just give misleading results; they actually try to install unwanted software on your PC. Often the screen pop-ups only have a "scan" button and no "cancel" or "quit" option. In fact they could interfere with your PC no matter which of the buttons you choose. Be safe: close pop-ups like this by clicking on the X in the top right corner of the browser window. Better yet, use pop-up blocker software (

July 4, 2014

Wireless Hotspots...limit activity to web surfing only

A hotspot is an open wireless network that is available (open) to everyone. An example would be the wireless network at your favorite coffee shop. These networks hook computers into the public Internet — handy but dangerous. Because wireless hotspots are for open use, they don't provide much protection for your data. When using a wireless hotspot try to limit activity to web surfing only. You should also disable peer-to-peer networking, file sharing, and remote access. Always use a good personal firewall and of course make sure all your software including your operating system (like Windows) is up to date and patched. You should never use hotspots for online banking, bill paying, or for making purchases that require you to give out confidential information such as a credit card number.

July 3, 2014

Choose a password that's hard to crack

When choosing a password, start from a sentence that you can easily remember. For example: "Los Angeles Lakers will win the NBA tournament this year". Then take the first letter of each word and add some special characters and numbers at the beginning, at the end, or at both ends. For example, from that sentence you could get the password: =3LALwwtNtty$. This method lets you come up with easy-to-remember passwords that are also hard to crack, and you avoid the need to write such a long password down in order to remember it.

July 2, 2014

Patch and update on a regular basis

Because hackers are constantly looking for vulnerabilities, it is important to keep your software up to date and patched. Unpatched, out-of-date systems are a leading cause of security incidents. Take the time to ensure you have the most recent patches and updates installed.

July 1, 2014

Revoking security access isn't always enough

A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.

June 30, 2014

Don't be duped by Internet Fraud

We all get offers that seem too good to be true. Whether they come by email or appear on web sites, they are often clever schemes designed to dupe the gullible. Don't be tricked by Internet Fraud. For more information see

June 29, 2014

Stop! Nobody Sends Email to Dead People!

One type of Phishing (fake emails to trick you into sharing your private financial details) is to send a note claiming to want to send you a sum of money but not being able to because they have been told you are deceased. The idea is for you to prove you are not dead by giving up your financial information. As always, if it sounds too good to be true, it is probably not true. If someone wants to contact you in order to give you a large sum of money, they will almost certainly do it by certified mail, not by email.

June 28, 2014

No free lunch

A new round of bogus pop-ups offers to scan your computer for infections and vulnerabilities for free. Do not take the bait! By allowing this kind of scan, you may be giving Bad Guys access to your personal information.

June 27, 2014

If you weren't expecting an attachment, write back and request that the sender embed the text in the email

When you see your anti-virus package "scanning" a Word or Excel file, the odds are VERY high that it won't find any of the important new vulnerabilities nation states and rich criminals are using to get past the most sophisticated defenses. Don't open email attachments unless you were expecting them. Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization's data are stolen and they won't be able to hide.

June 26, 2014

Keep it off the floor

No matter where you are in public - at a conference, a coffee shop, or a registration desk - avoid putting your laptop on the floor. If you must put it down, place it between your feet or at least up against your leg, so that you're aware of it.

Visit for more information.

June 25, 2014

Get it out of the car

Don't leave your laptop in the car - not on the seat, not in the trunk. Parked cars are a favorite target of laptop thieves; don't help them by leaving your laptop unattended. If you must leave your laptop behind, keep it out of sight.

Visit for more information.