Deadline to Save $200 for SANS Rocky Mountain 2015 is May 27.

Security Awareness Tip of The Day

Upcoming Webcasts RSS Feed Click here to subscribe to the Security Awareness Tip of the Day RSS Feed

To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.

SANS Institute is using Twitter! Click Here

SANS Security Tip Contest. Have your tip featured on the SANS Tip of the Day!

May 22, 2015

Beware of Shoulder Surfing

A person who is standing near as you fill out a form, enter your PIN number, or punch in your calling card numbers may be doing more than just waiting their turn. To help prevent shoulder surfing, shield your paperwork from view using your body and cup your hand over the keypad.

Submitted by Nitin Dewan

May 21, 2015

Take time to explore security settings

Whether it is financial management software, instant messaging or a social networking website, take the time to see what security settings are offered to protect you and your information. Follow these steps for all of the software you use, not just email.
  1. Go to Options or Preferences
  2. Every program is different, so look for words like "Privacy", "Safety" or "Security" and click on them.
  3. Select the most restrictive option (i.e. only let the people you approve view your information or contact you — or the one that best accommodates your business needs).
  4. Save the settings.
May 20, 2015

E-mail is insecure by default because it is more like a postcard, not a sealed envelope

A number of people are under the misconception that when they draft and send e-mail, two things occur. Their message gets sealed in an envelope (that's why you have to open e-mail right?) and that it goes directly to the person it was sent to via internet magic. The truth is your e-mail is sent in plain text (i.e. readable by anyone who picks it up along the way) and is passed around the Internet with multiple stops until it reaches its destination. People with evil intentions can intercept your e-mail, read it or even alter it before it reaches your intended recipient.
May 19, 2015

Beware of USB flash drive's autoplay feature

A white hat hacker broke into a bank and left 20 USB tokens lying around the parking lot of the bank for employees to find. When they plugged in the USB token, the Trojan backdoor was installed on the employees' computers and the hacker was into the banks network! Some employees claimed they were being helpful — trying to find the token's owner, others were curious about the token's content, still others thought they had scored a huge USB token and tried unsuccessfully to reformat the token. Unfortunately the new "U3 Technology" on these tokens prevented a hidden partition from being deleted, and it contained a remote access Trojan which installed itself by emulating a cdrom and using WinXP's Cdrom autoplay feature.
May 18, 2015

Don't Trust Links Sent in Email Messages

A common fraud, called "phishing", sends messages that appear to be from a bank, shop or auction, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy stuff or transfer money out of the account. These fake sites can be hard to spot, so no reputable organization will send a message requesting your confidential information.
May 17, 2015

Keep your password secret

Your password is like your bank account PIN - if you give your PIN to someone else, your bank is unlikely to pay you back if it is used to steal from your account. Likewise, your company expects you to use your password to stop others misusing your computer account. If you share your password, you may be held responsible for what other people do with it.

Article about percentage of users that would share their passwords:,289142,sid14_gci895483,00.html
May 16, 2015

Protect files with a password

Your most important files can be protected with a password. For example, in Microsoft Word, you can create a password to open and a password to modify a file. Just go to Tools | Options and click the Security tab. Remember the password so you don't lock yourself out!
May 15, 2015

Wireless Hotspots...limit activity to web surfing only

A hotspot is an open wireless network that is available (open) to everyone. An example would be the wireless network at your favorite coffee shop. These networks hook computers into the public Internet — handy but dangerous. Because wireless hotspots are for open use, they don't provide much protection for your data. When using a wireless hotspot try to limit activity to web surfing only. You should also disable peer-to-peer networking, file sharing, and remote access. Always use a good personal firewall and of course make sure all your software including your operating system (like Windows) is up to date and patched. You should never use hotspots for online banking, bill paying, or for making purchases that require you to give out confidential information such as a credit card number.
May 14, 2015

Effectively delete files

When you delete a file, depending on your operating system and your settings, the file may be transferred to your trash or recycle bin. This "holding area" essentially protects you from yourself—if you accidentally delete a file, you can easily restore it. An unauthorized person will also be able to retrieve it. Does your recycle bin include credit card information, passwords, medical, or other personal data? Is there sensitive corporate information? Empty the trash or recycle bin on a regular basis to ensure that deleted information stays deleted.
May 13, 2015

Just because your company's spam filter, virus filter and other defenses let an email through, doesn't mean it's harmless

Last year, one organization narrowly avoided a virus infestation. Alerts led them to the email in-boxes of the virus authors. To sneak in a virus, hackers used encrypted zip files, which went past filters because they couldn't be scanned. The organization caught it with the very last line of defense — desktop antivirus software, which triggered after the users had plugged in the password to see the zip file contents! Had the bad guys written something new, instead of using off-the-shelf script kiddie code that was in standard pattern files, there could have been a major outbreak. Long story short: End-user awareness about email and attachments is every bit as important as antivirus filters and firewalls. EVERY USER is an important part of hacker defense!
May 12, 2015

Think twice before you post personal information. Remember, even crooks may see what you post on social media sites

Criminals are mopping up because social media users are willing to share personal information about themselves and others. This data can be used to guess your password, give them the answers to account security questions or send you email with malicious attachments that appear to be from someone you know.
May 11, 2015

Revoking security access isn't always enough

A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.
May 10, 2015

Nobody from the Help Desk needs your password

While watching some scenarios in some videos on computer security, one of the audience members turned bright red. After the video, she confided in me that she had once received a call from "The Help Desk" saying that they needed her password to trouble-shoot a problem they were having backing up her files. She provided it. Fortunately, she thought about it and 5 minutes later called the help desk to confirm. The help desk staff immediately locked her account and had her drop by with ID so they could provide her with a new password.
May 9, 2015

If you get up from your computer, lock it!

"I sent an email to your boss letting him know what you really think of him". This Notepad message was on my screen when I got back to my cubicle after getting up to stretch my legs. What? I had been gone for 180 seconds -- three quick minutes. Lucky for me, the note turned out to be from our systems administrator who wanted to make a point. All it takes is about one minute for a disgruntled colleague to send a message on your behalf to the boss and there is no way for you to prove you didn't send it. In about 30 seconds, a cracker could install a keystroke logger to capture everything you type including company secrets, user names and passwords. In about 15 seconds, a passerby could delete all your documents.
May 8, 2015

Don't Click to Agree without Reading the Small Print

Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.
May 7, 2015

Better safe than sorry: If you're unsure that a file or program is clean, scan it for malware before you open or install it

Find out if a file or program of 10MB or less is free of malware by uploading it to, a free service which scans submissions using a combination of antivirus engines. VirusTotal detects viruses, worms, Trojans, and other kinds of malware that any one antivirus application might miss.
May 6, 2015

Use Outlook? Use the Auto-Preview, not the Reading Pane

If you are using an older version of Outlook, or if you have managed to reset the security level for e-mails, then you may be at some risk for HTML script-based exploits. Auto-Preview displays the first three lines of the message, enough to identify whether the message is valid, and it displays faster. Here is how to use it.
Disable the Reading Pane and Enable Auto Preview:
  1. Open Outlook.
  2. Choose View -> Reading Pane -> Off
  3. Choose View -> AutoPreview
  4. Now you can see what is Junk, and which ones may have an HTML payload.
May 5, 2015

If you are a victim of identity theft, report it immediately

Here are some things you should do.
  1. Contact the three major credit bureaus and have them place a fraud alert on your credit report.
  2. If a credit card was involved, contact the credit card company and close the account.
  3. Contact your local law enforcement agency and file a report.
  4. File a complaint with the Federal Trade Commission.
  5. Document all conversations so you know whom you spoke to and when.
May 4, 2015

Email isn't the only online communication that has security risks

Instant Messaging has become a popular way for people to communicate over the Internet. In some instances it has even replaced email. What some people don't realize, however, is that instant messaging has many of the same security threats that email does... and then some. Instant messaging can transfer viruses and other malware, provide an access point for Trojans, and give hackers an easy way to find victims. If you use instant messaging on a regular basis, you need to be aware of the security risks associated with it and take steps to protect yourself. See the following links for more on instant messaging safety.
May 3, 2015

Avoid default installations

Most software and hardware setup procedures are designed to get the product up and running with maximum functionality and minimum effort. One thing that usually slips is security. If you set up your external firewall with the suggested password from the installation instructions, how many others are set up just like that? Take the time to change the defaults that will make the attacker's job just a little bit harder. Make sure to document the changes in a secure way.
May 2, 2015

Always lock your computer (by pressing CTRL + ALT + DELETE and hitting "Enter") before walking away from it

Locking your computer before leaving it unattended prevents anyone else from accessing it while you are away. This is especially important when there are customers in your office. Leaving your computer unlocked can expose customer data to a third party. Even when there is no one in your office, data could be exposed if your computer screen faces an outside window, especially on the ground floor.
May 1, 2015

It takes two to tango and two firewalls to secure your system

Contrary to the myth that hardware firewalls are better than software firewalls, both are equally necessary to secure your system because they provide different kinds of protection. Any size network — whether it's one or two computers on a home network or 100 computers in a business — needs to be protected by a hardware firewall, and every connected computer needs to be protected by a software firewall.
April 30, 2015

Save your files to a network server

A computer user working on a critical project was saving the analysis document on his Windows desktop. Unfortunately, the Windows desktop was located on the local hard drive and local hard drives were not automatically being backed up. When his hard disk failed, he lost the file and had to work through nights and a weekend to make up for the lost time. If your company permits network backups or remote storage, be sure you back up your important files. PS. Important files don't include things like vacation pictures, which can overburden the backup system. Ask the help desk for advice on where such files should be saved.
April 29, 2015

Don't plug in USB drives that you find lying around. Criminals can use them to steal your data

People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union. He loaded malicious software on old thumbnail drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged any of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link:
April 28, 2015

See just how "Security Aware" you really are

Do you believe you're a little more Security Aware? Can you identify the threats that exist in your environment and the steps you should take to avoid them? Take the following quizzes and find out.
April 27, 2015

Only deal with reputable companies that you know and trust

At the very least be sure the company has a physical address and phone number. If you haven't done business with the company before, visit the Better Business Bureau online ( and do some research. Check the company's website for feedback from previous customers.
April 26, 2015

How to spot a phishing email...

It could be a phishing email if...
  • There are misspelled words in the e-mail or it contains poor grammar.
  • The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers.
  • There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address."
  • The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example:
April 25, 2015

Secure your Wireless Router

When setting up a wireless network at home, I was surprised to be able to connect to my neighbor's unsecured wireless router. Not only could I have used his bandwidth for free, but had I been so inclined, I could have used the connection for illegal activities. If the police came looking, he may not have been able to prove the activity didn't come from one of his computers. Properly securing wireless is not hard. Look in the manual for changing the SSID to something unique, turning on WPA (avoid WEP) for authentication and TKIP for encryption, and using MAC address filtering.
April 24, 2015

Use a strong voicemail password. This helps prevent crooks from hijacking your phone line or voicemail

A busy person set his voicemail password to match his extension. It seemed easy to remember but was also easy to guess. A prison inmate guessed the password and began using the account to communicate with fellow criminals—leaving messages for them and deleting legitimate messages.

The receptionist at a small business came into the office at 8:30 a.m. and the phones were ringing off the hook. She picked up one of the lines and was surprised to hear people talking in a foreign language. Turns out fraudsters were using the phone system to steal international long-distance phone time.
April 23, 2015

Don't Investigate a Security Problem Unless You Are Authorized by the System Owner

A security specialist was suspicious after donating to a charity website and not getting an acknowledgement. So he ran a couple of tests on the site to see if it was what it claimed to be. Unfortunately, he set off the site's security alarms, ending up convicted of a crime under the UK Computer Misuse Act and out of a job. At work, rather than trying to check by yourself, report suspected problems inside your company to your manager, IT area or security team. Aside from getting into trouble, you could destroy evidence or confuse people who are investigating an issue.