Security Awareness Tip of The Day


To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.


April 1, 2015

Use caution when opening email attachments

Email attachments are a common tool for attackers because forwarding email is so simple. Users often open attachments that appear to come from someone they know or an organization they do business with. Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send. If your email program includes an option to automatically download email attachments, DON'T take it. Doing so could immediately expose your computer to any viruses included in the email attachments.

March 31, 2015

Passwords: Be creative

If you can't remember hard passwords no matter how hard you try, put your password in parentheses. baseball38 is a weak password. (baseball38) is much better.

When you change your password, you should always change at least half of it and when you do, change the parentheses as well. Change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.

March 30, 2015

Stop! Nobody Sends Email to Dead People!

One phishing variant (fake emails designed to trick you into sharing your private financial details) is a note claiming that the sender wants to send you a sum of money but cannot, because they have been told you are deceased. The idea is for you to prove you are not dead by giving up your financial information. As always, if it sounds too good to be true, it is probably not true. If someone wants to contact you in order to give you a large sum of money, they will almost certainly do it by certified mail, not by email.

March 29, 2015

Don't share your password, even with an assistant or close coworker

A salesperson relied on his assistant every day, trusting her with his username and password. She quit, but not before she deleted all of his sent e-mail and all of his saved files...Turns out she wasn't backing up the computer either.

Several coworkers used the same ID to login—it seemed easier that way. The time came to change their password and they forgot to tell each other. One by one, they all called the help desk to get the ID reset, and they ended up locking each other out of their computers and getting reprimanded for sharing.

March 28, 2015

Remember that any email or instant message you send could come back to haunt you

Once you send an e-mail, it has a very good chance of being saved in someone's mailbox or archived on a server forever. People involved in scandals like Oliver North, Monica Lewinsky, Patricia Dunn (the former Hewlett-Packard chairman), and Bill Gates probably wish they could take back an email or two... Instant Messages can also be saved and used at a later date to embarrass you. Paris Hilton might be able to shed additional light on that subject. Be careful about what you put in writing and whom you send it to.

March 27, 2015

Don't click the "unsubscribe" link at the bottom of unsolicited emails

Spam filters are catching most unwanted e-mail, but some might still reach you. Most spam is designed to get you to respond with your own email or to click a link to "unsubscribe." When you respond or click the "unsubscribe" link, the sender takes your email address and adds it to a SPAM database of active email addresses. You might then start to receive a large amount of SPAM in your inbox. Do not respond or click the "unsubscribe" links.

March 26, 2015

Don't check "remember my password" boxes

Numerous programs offer the option of "remembering" your password. Unfortunately, many of them have no built-in security measures to protect that information. Some programs actually store the password in clear text in a file on the computer, which means anyone with access to the computer can read it. It's best to retype your password each time you log in, eliminating the possibility that someone will be able to steal or use it.

March 25, 2015

Use Google's cached mode to avoid spyware

As the network administrator at a small firm, I've been fighting spyware and spam for years. At first I had to rely on www.techguy.org, which provides legitimate links to free anti-spyware programs. One day I needed one of those programs in a hurry. I did a Google search and clicked on the first link I found in the Google hit list. The link took me to a "hijacked" website. Pop-ups immediately came up on my PC. Fortunately I knew how to stop them before anything was downloaded [When a popup is showing on your desktop — don't click on it! Right click on the Windows Taskbar item and choose Close]. Since then, I have never clicked on the first Google hit again. I always use the Google "cached" link to check the link first.

March 24, 2015

Shh! Don't say it out loud. The cubes have ears

Office workspaces seem to be smaller and smaller. It is therefore harder to keep secrets when everyone is within earshot. When necessary use handwritten notes for transferring confidential information, and then shred the papers when done.

March 23, 2015

Connect for good health

Keep computers healthy—frequently connect them to the network. When you connect, you can get security patches and anti-virus updates. Whenever possible, use automatic updates to ensure your system is up to date.

March 22, 2015

Three Tips for Safer Online Transactions

  1. Make sure that the URL of the website begins with https (not http). HTTPS ensures that your username, password, credit card number, expiration date and other information are sent from your computer to the site in encrypted form. Encryption helps to make your connection secure and reduces the risk that malicious people may intercept the information you enter and make illegal use of it.
  2. A yellow icon that looks like a padlock at the lower right corner of your browser window confirms that you have a secure connection.
  3. Some websites present a certificate of authenticity when you browse to them as a way to assure you that the site is legitimate. Check to make sure the certificate is valid and has not expired. If you are satisfied with the validity of the certificate, click on the link that takes you to the site itself. An invalid or expired certificate may indicate that the site is neither authentic nor secure.

March 21, 2015

Check and make sure your friend sent that great screensaver

A common method of transmitting malware is by infecting some unsuspecting user's computer and then using that computer to infect others. One simple way to do this is for a hacker to hijack your address book and send copies of the malware to everyone in that address book. Of course, YOU need to be enticed to run the malware, and the best way to do that is to fool you into thinking the attachment is something else. If a friend or acquaintance sends you a "great screensaver" or something like that, which you were not expecting, take a few minutes to confirm that person really sent it. If they know nothing about it, then delete the message.

March 19, 2015

If you download FREE software...make sure you don't get more than you bargained for

Free software that you download could be just what you think it is — a single software package. However, many times free software comes bundled with other unwanted, harmful programs including spyware, viruses, or even Trojan horse programs. To help keep your computer free from unwanted guests, make sure the site you are downloading from is one you know and trust. Also verify that your operating system and anti-virus software have been updated and patched BEFORE you click the download button!

March 18, 2015

Some Tips to Protect against Identity Theft

  1. Do not sign the back of your credit cards. Instead put "PHOTO ID REQUIRED"; although merchants and their employees are still hit-and-miss on actually checking that ID, more of them are paying attention.
  2. When you order your checks, don't list any telephone number. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home address or your work address.
  3. Be aware of which of the credit cards you carry have embedded RFID chips, because the information on one of those chips can be read surreptitiously by someone near you using a simple hand-held scanner.
  4. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will then know what you had in your wallet, along with all of the account numbers and the phone numbers to call to cancel. Store those photocopies in a secure place and refresh them when you change cards.

March 17, 2015

Five Security Tips

  1. Warning messages: If you don't understand the warning message, say no and consult IT support. It's easier to go back and say yes if you need to than to be sorry and have to rebuild your machine.
  2. Certificates: If you don't understand a website certificate message, say no and consult IT support. It is easier to go back and say yes if you need to than to be sorry and have to rebuild your credit.
  3. Antivirus: Running antivirus does not slow your computer down nearly as much as a virus does.
  4. Back-up: Backing up your data may seem like a waste of time — er, until you spill coffee all over your laptop.
  5. Passwords: Writing down your password around your desk is about as secure as leaving a $20 bill lying on the dashboard of your car. How well do you trust anyone these days?

March 16, 2015

Think twice before posting pictures of yourself or your family and friends

Photographs often contain information that could be used to identify you or the places you visit frequently. Never post unflattering or embarrassing pictures (no matter how funny) that could come back to haunt you. Carefully examine photos for identifying information such as the name of your school, the name of a sports team or organization you belong to, the address of the place you work or your favorite social hangout. Do not give out the full name of a child in your captions. One mother was very concerned to see her son's wrestling picture online with his full name. Pictures can also be copied or altered and used on other websites in ways that might be detrimental to your reputation.

March 15, 2015

Lock it when you leave it

Never leave your computer logged in when you walk away, not even for a minute. Make it a habit to log off your workstation whenever you get up. Remember to always leave your Windows computer by pressing the keyboard shortcut combination of the Windows logo key and the letter "L" on a Microsoft natural keyboard. Get it? Leave Windows by pressing the Windows logo + L keys together to lock it up.

March 14, 2015

Don't reply to unsolicited email messages (spam)

By responding, you only confirm that your email address is active. Another thing you shouldn't do is click the "remove me" link in the message: links in email can point to an IP address other than the one you think they reference. The best thing you can do is delete the message. Many free email providers (MSN Hotmail, Yahoo!, AOL, Gmail) let you easily report a message as spam.
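
The mismatch this tip warns about can be checked mechanically. The following is an added example, not part of the original tip: it parses the anchors in an HTML message body and flags links whose target is a raw IP address or whose visible text names a domain different from the one the href actually goes to. The sample message is constructed and uses documentation/test hostnames.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Something that looks like a domain or URL in a link's visible text (group 1 = the domain claimed).
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Hostname of a URL; a bare 'host/path' is treated as http://host/path."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, text, reason) for links whose real target differs from what the reader sees."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        try:
            ip_address(host)            # a numeric host is exactly the case the tip warns about
            findings.append((href, text, "target is a raw IP address"))
            continue
        except ValueError:
            pass
        shown = DOMAIN_RE.search(text)  # does the visible text claim a domain?
        if shown:
            claimed = shown.group(1).lower()
            if host != claimed and not host.endswith("." + claimed):
                findings.append((href, text, "visible text names a different domain"))
    return findings

# Constructed sample body (documentation/test names, not real sites): two bad links and one legitimate one.
SAMPLE = (
    '<p>Click <a href="http://203.0.113.7/u">here</a> to be removed.</p>'
    '<p>Or visit <a href="http://mail.example-login.test/x">www.example.com</a>.</p>'
    '<p>Legitimate: <a href="https://www.example.com/help">www.example.com</a></p>'
)
```

Running `suspicious_links(SAMPLE)` returns the first two links with their reasons and leaves the third alone, because www.example.com is a subdomain of the domain the text claims.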

March 13, 2015

Can you hear me now? Do NOT trust your cell phone Bluetooth earpiece

Many cell phone Bluetooth hands-free earpieces have a default pin of 0000. A hacker with a Bluetooth antenna can connect to your earpiece and eavesdrop on everything that you are saying. In fact, they can even transmit to it. Think that's unlikely? Check out the YouTube video at: http://www.youtube.com/watch?v=1c-jzYAH2gw

March 12, 2015

Back up your information so you don't join Kroll Ontrack's Top 10 Countdown this year

  • A customer who told engineers she had "washed away all her data" after putting a USB stick through a cycle in her washing machine.
  • A father who, while feeding his baby daughter, forgot about the USB stick in his top pocket. As he leant over the high chair, the device fell into a dish of apple puree.
  • After discovering ants had taken up residence in his external hard drive, a photographer took the cover off and sprayed the interior with insect repellent. The ants were killed off and the data was eventually recovered.

In 2007, Kroll Ontrack saw more damaged portable devices than ever before. For the complete list of strange ways of damaging hardware in the company's top 10 countdown this year, go to http://news.zdnet.co.uk/hardware/0,1000000091,39291331,00.htm.

March 11, 2015

DO NOT install Microsoft patches or updates sent by email (They are fake)

Microsoft never sends out patches or updates by email. There are no exceptions. Keep that in mind and you won't be a victim of a Microsoft patch hoax. The first time I received one of these, I sat down at my workstation and saw an email message from Microsoft telling me to install the patch they had handily supplied as an attachment. I knew this was bogus immediately. We sent out a voicemail quickly warning all employees not to fall for opening attachments that offer to install any kind of software. That was March, 1999. Every 18 months or so, someone tries this hoax again by crafting and sending out a phony email complete with a Microsoft look-alike logo, spoofed return address, links, etc., and some text assuring you that this is all the real thing. It isn't.

March 10, 2015

A cheap way to avoid an expensive disaster

Backing up your files is a cheap way to avoid an expensive disaster. How much is it to buy a backup drive? About $75.00. Backup software? $30 or less. An hour of consultant's time to install and show you how to use it? About $100. Not losing your data? Priceless.

March 9, 2015

Make your password long.

At least eight characters long, and the longer the better. Passwords shorter than 8 characters are easy to crack. Follow these password rules: avoid common words and proper names, and use both uppercase and lowercase letters, numbers, and symbols. Trouble is, who can remember a password like Fm79$#Xk? Try a passphrase instead: When I was 7, my dog Dolly went to Heaven. This contains 42 easy-to-remember characters, follows all the rules, and is in plain English. (Not every system will accept passphrases; when in doubt, try it out.) The odds against anyone cracking it, even with the help of a supercomputer, are astronomical. Make your passphrase original. Don't use familiar or famous quotations. Don't use any real names, especially your own, your family members', or your pets'. Nonsensical passphrases are the hardest to crack.
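
To put numbers on "easy to crack" versus "astronomical", here is an added illustration (not part of the original tip) that runs the tip's two examples through a plain brute-force model: the attacker is assumed to know which character classes appear and to make 10^12 guesses per second (an assumed rate). A phrase made of dictionary words is weaker than this per-character estimate suggests, which is why the tip insists on making it original.

```python
import math
import string

# The character classes the tip lists; an attacker who knows which classes appear must search this pool.
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),   # symbols, including the spaces a passphrase contains
)

def pool_size(secret):
    """Alphabet size a brute-force search must assume, given the classes actually present."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in secret))

def brute_force_bits(secret):
    """log2 of the candidate count: length x log2(pool). Per-character model only; it does not
    account for the attacker guessing whole dictionary words or famous quotations."""
    return len(secret) * math.log2(pool_size(secret))

def years_to_exhaust(secret, guesses_per_second):
    """Worst-case time to try every candidate at the given (assumed) guessing rate."""
    return pool_size(secret) ** len(secret) / guesses_per_second / (365 * 24 * 3600)

def compare(short, passphrase, guesses_per_second=1e12):
    """Side-by-side figures for a short complex password and a long passphrase."""
    return {
        "short_len": len(short),
        "short_bits": round(brute_force_bits(short), 1),
        "short_years": years_to_exhaust(short, guesses_per_second),
        "long_len": len(passphrase),
        "long_bits": round(brute_force_bits(passphrase), 1),
        "long_years": years_to_exhaust(passphrase, guesses_per_second),
    }

if __name__ == "__main__":
    r = compare("Fm79$#Xk", "When I was 7, my dog Dolly went to Heaven.")
    print(f"{r['short_len']} chars: {r['short_bits']} bits, exhausted in {r['short_years']:.2g} years")
    print(f"{r['long_len']} chars: {r['long_bits']} bits, exhausted in {r['long_years']:.2g} years")
```

Both examples draw from the same 95-character pool, so the whole difference comes from length: 8 characters is under 53 bits and falls in well under an hour at the assumed rate, while the 42-character phrase is about 276 bits.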

March 8, 2015

If you access the Internet from a shared computer, make sure you don't leave anything behind

Being able to access the Internet from different locations — the library, a computer lab at school, an Internet cafe — is a great convenience, but it can also pose a security risk to personal information. If you do access the Internet from a shared computer, here are a few things you need to remember.
  1. Don't check the "remember my password" box.
  2. When you're done, make sure you log off completely by clicking the "log off" button before you walk away.
  3. If possible, clear the browser cache and history.
  4. Never leave the computer unattended while you're logged in.
  5. Trash all documents you used, and empty the recycle bin.

March 7, 2015

Don't be an unintentional spammer

If you're like most people, you've probably received at least one hoax or chain letter in your inbox. What should you do with the next one you receive? Delete it! Why, you ask? Because chain letters and hoaxes have the potential to cause problems (lots of network traffic, or just filling up someone's inbox), and they can also be very annoying. Visit the following sites to find out more about hoaxes and chain letters.

March 6, 2015

If you weren't expecting an attachment, write back and ask the sender to embed the text in the email

When you see your anti-virus package "scanning" a Word or Excel file, the odds are VERY high that it won't catch any of the important new exploits that nation states and well-funded criminals are using to get past the most sophisticated defenses. Don't open email attachments unless you were expecting them. Send a note back and ask the person to embed the text in a simple email. This matters to your career: the people who break this rule will be the reason their organization's data are stolen, and they won't be able to hide.

March 5, 2015

Keep it off the floor

No matter where you are in public - at a conference, a coffee shop, or a registration desk - avoid putting your laptop on the floor. If you must put it down, place it between your feet or at least up against your leg, so that you're aware of it.

Visit http://onguardonline.gov/laptop.html for more information.

March 4, 2015

Get it out of the car

Don't leave your laptop in the car - not on the seat, not in the trunk. Parked cars are a favorite target of laptop thieves; don't help them by leaving your laptop unattended. If you must leave your laptop behind, keep it out of sight.

Visit http://onguardonline.gov/laptop.html for more information.

March 3, 2015

Treat your laptop like cash

If you had a wad of money sitting out in a public place, would you turn your back on it - even for just a minute? Would you put it in checked luggage? Leave it on the backseat of your car? Of course not. Keep a careful eye on your laptop just as you would a pile of cash.

Visit http://onguardonline.gov/laptop.html for more information.

March 2, 2015

Treat your laptop like you want to keep it

Thinking of taking your laptop on the road? It's a great way to work and stay in touch when you're out and about, but you need to take some steps to keep your laptop safe, and in your possession. Here are some things you can do to keep track of your laptop:

  • Treat it like cash.
  • Get it out of the car...don't ever leave it behind.
  • Keep it locked...use a security cable.
  • Keep it off the floor...or at least between your feet.
  • Keep passwords separate...not near the laptop or case.
  • Don't leave it "for just a sec"...no matter where you are.
  • Pay attention in airports...especially at security.
  • Use bells and whistles...if you've got an alarm, turn it on.

Visit http://onguardonline.gov/laptop.html for more information.