It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them can cause other programs to stop working, and it can take your IT team a long time to track down the cause. More seriously, they can display unwanted ads, slow your PC down, or make it less secure by opening a channel for the PC to download still more content from the Internet. Most seriously, they can be infected with viruses or spyware intended to damage your PC or steal confidential information.
December 5, 2013
Choose a password that's hard to crack
When choosing a password, start from a sentence that you can easily remember, for example: "Los Angeles Lakers will win the NBA tournament this year". Then take the first letter of each word and add some special characters and numbers at the beginning, at the end, or both. From that sentence you could get the password =3LALwwtNtty$. This method lets you come up with easy-to-remember passwords that are also hard to crack, and you avoid the need to write such a long password down in order to remember it. Make the sentence your own rather than a well-known quote or song lyric: cracking tools include first-letter abbreviations of common phrases.
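The method above, as an added example in Python (not code from the original tip): it builds the password from the first letters of a sentence plus chosen affixes, gives a rough entropy figure, and flags the common failure modes (too short, too few character classes, or an abbreviation of a famous phrase). The sentence, affixes, minimum length and the KNOWN_MNEMONICS list are illustrative assumptions.

```python
"""Mnemonic ("first letters of a sentence") password builder with a
basic strength check. Added example, not from the original tip."""
import math
import re
import string

# Constructed, illustrative stand-in for the first-letter abbreviations of
# famous phrases that appear in real cracking wordlists.
KNOWN_MNEMONICS = {
    "tbontbtitq",  # "to be or not to be, that is the question"
    "mhallwfwaws",  # "mary had a little lamb, whose fleece was as white as snow"
}


def mnemonic(sentence: str, prefix: str = "", suffix: str = "") -> str:
    """Take the first character of each word, keeping the word's own case,
    then wrap the result in the chosen prefix and suffix."""
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    core = "".join(w[0] for w in words)
    return f"{prefix}{core}{suffix}"


def estimate_bits(pw: str) -> float:
    """Upper bound on entropy, assuming each character is drawn uniformly
    from the union of the character classes actually present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def check(pw: str, min_len: int = 12) -> list:
    """Return a list of problems; an empty list means the password passes.
    min_len=12 is an assumed policy value."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < 3:
        problems.append("fewer than 3 character classes")
    letters_only = "".join(c for c in pw if c.isalpha()).lower()
    if letters_only in KNOWN_MNEMONICS:
        problems.append("abbreviates a well-known phrase")
    return problems


if __name__ == "__main__":
    pw = mnemonic("Los Angeles Lakers will win the NBA tournament this year", "=3", "$")
    print(pw, round(estimate_bits(pw), 1), "bits", check(pw) or "ok")
```

The entropy figure is an upper bound: it treats every character as random, which the letters of a real sentence are not, so treat it as a ceiling rather than a guarantee.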
December 4, 2013
Don't Investigate a Security Problem Unless You Are Authorized by the System Owner
A security specialist became suspicious after donating to a charity website and not receiving an acknowledgement, so he ran a couple of tests on the site to see whether it was what it claimed to be. Unfortunately, he set off the site's security alarms and ended up convicted under the UK Computer Misuse Act and out of a job. At work, rather than checking yourself, report suspected problems to your manager, IT area or security team. Aside from getting into trouble, you could destroy evidence or confuse the people who are investigating the issue. http://www.channelregister.co.uk/2005/10/06/tsunami_hacker_convicted/
December 3, 2013
Use common sense when reviewing your email
If you did not order a new laptop, then you should not be receiving an update on its shipping status. Delete such emails without opening their attachments or following their links.
December 2, 2013
Patch and update on a regular basis
Because attackers are constantly looking for vulnerabilities, it is important to keep your software up to date and patched. Unpatched, out-of-date systems are a leading cause of security incidents. Take the time to ensure you have the most recent patches and updates installed, and turn on automatic updates wherever the software offers them.
December 1, 2013
Beware of Shoulder Surfing
A person standing near you as you fill out a form, enter your PIN, or punch in your calling card number may be doing more than just waiting their turn. To help prevent shoulder surfing, shield your paperwork from view with your body and cup your hand over the keypad.
Submitted by Nitin Dewan
November 30, 2013
If you print it, go get it right away!
Don't leave important, sensitive, or confidential material lying around the office. Common printing areas are frequented by people coming and going; often you will be in line to pick up your documents and others may handle them before you. This leads to unnecessary information disclosures. One boss had a print job disappear and e-mailed the whole floor about it; the pages never turned up. Always use the closest print station, or a dedicated printer for confidential information, and go get it right away!
November 29, 2013
Backup important files on a regular basis
Back up important files on a regular basis and store the backups in a safe place, preferably off site. You can back up files to removable disk or save copies to network shares. Test now and then that you can actually restore from a backup; a backup that has never been restored is only a hope. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".
November 28, 2013
Limit the amount of personal information you post about yourself, your friends, and your family
As a general rule, don't post anything you wouldn't want the world to see or know about. Think of social networking sites like MySpace as giant billboards. The good guys (teachers, law enforcement officials, future employers, family members) and the bad guys (predators, stalkers, and con artists) can all view the information you post. You should also control who can view your information by restricting access to your pages.
November 27, 2013
Review your credit reports routinely
The Fair Credit Reporting Act (FCRA) requires each of the nationwide consumer reporting companies — Equifax, Experian, and TransUnion — to provide you with a free copy of your credit report, at your request, once every 12 months. Take advantage of these free reports, and verify the information that they contain. - Don Young
November 26, 2013
Change that password!
A woman has been fined GBP 500 (US $975) for reading email messages from her previous employer's account. Susan Holmes had worked for a nanny agency that accepted registration forms through an AOL email account. The company neglected to change the account password after Holmes left, which allowed her continued access to the information. The company became suspicious after a noticeable decline in the amount of email received on the account in the first few months of 2007. AOL connection logs revealed IP addresses that eventually led to Holmes being identified as the culprit. Last week, she pleaded guilty to unauthorized access to a computer, in violation of Section One of the Computer Misuse Act 1990. The lesson for employers: changing the passwords of shared accounts, and disabling personal ones, belongs on the checklist for every departure.
November 25, 2013
Check for encryption or secure sites when providing confidential information online
Credit card and online banking sites are convenient ways to purchase and handle financial transactions. They are also the most frequently spoofed or "faked" sites in phishing scams. Information you provide to online banking and shopping sites should be encrypted: the site's URL should begin with https, and the browser shows a padlock icon (in the address bar on current browsers; older browsers placed it at the lower right of the window). Keep in mind that https and the padlock only prove the connection is encrypted to whatever site is in the address bar; a phishing site can have a certificate too, so also check that the domain name is really your bank's. For more information about phishing, please visit http://www.onguardonline.gov/phishing.html
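The two checks above (encrypted, and actually the site you expect) as an added Python example, not code from the original tip. EXPECTED_DOMAINS is a constructed allow-list standing in for the sites you really use; the "registered domain" helper assumes two-label suffixes such as .com and would need the public-suffix list for names like example.co.uk.

```python
"""Classify a link before typing credentials into it. Added example,
not from the original tip; EXPECTED_DOMAINS is constructed."""
from urllib.parse import urlsplit

# Constructed allow-list: registered domains of the sites you actually use.
EXPECTED_DOMAINS = {"examplebank.com", "shop.example"}


def registered_domain(host: str) -> str:
    """Last two labels of the host name (assumption: two-label suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'ok', or the reason the link should not receive credentials."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "unencrypted"        # credentials would travel in the clear
    if "@" in parts.netloc:
        return "userinfo-trick"     # https://examplebank.com@evil.example/
    if registered_domain(host) not in EXPECTED_DOMAINS:
        return "lookalike"          # encrypted, but not who it claims to be
    return "ok"


if __name__ == "__main__":
    for link in (
        "https://www.examplebank.com/login",
        "http://www.examplebank.com/login",
        "https://www.examplebank.com.secure-login.net/",
        "https://examplebank.com@evil.example/",
        "https://examp1ebank.com/",
    ):
        print(f"{classify(link):15} {link}")
```

The third and fifth links are the ones the padlock does not help with: both can carry a valid certificate, and only comparing the registered domain against what you expect catches them.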
November 24, 2013
Use variations on a strong "core" password
It's tough to remember a series of strong passwords and use a different one for each online system or site you access. The temptation is to use the same password for several or all systems and sites. That's a bad idea: if a Bad Guy gets hold of your password, he'll have the key that fits all of your doors. Instead, create a strong "core" password and then unique variations on it for each online system or site you use. Here's a strong password: 5P0ky!3Z. It contains 8 characters, a mixture of uppercase and lowercase letters, at least one number and one non-alphanumeric character or symbol, and no personally identifiable information. By adding a character or two at the beginning or the end, you can have many variations to use for each system or site, effectively creating a new strong password for each one. Remember to change your "core" password and its variations on a regular basis.
- Carl Hill, Toronto, Canada
November 23, 2013
Securing your wireless network - priceless!
Laptop: $1,000 Wireless router: $100 Being able to connect to the Internet with peace of mind, knowing that you did it safely: priceless.
Wireless networks that are not set up properly are inherently unsafe: anyone within range can use them and potentially steal your information. At a minimum, change the router's default administrator password, turn on WPA2 (or WPA3 where available) with a long passphrase, disable WPS, and keep the router firmware updated. If you don't know how to do this, get help from a technical friend or use a professional from the store where you bought it.
November 22, 2013
If you're not sure you've seen an incident, report it anyway
Most security folks (and IT folks, for that matter) would rather hear about a problem from you than figure it out afterwards while troubleshooting a system failure. If a phone call from User Support doesn't sound quite right, if a routine email announcement is just a little off, or if a caller on the phone is too stressed to remember his or her password, don't be pressured and don't be rushed. Rush and pressure are among the social engineer's best tools. Ask for help! Call your supervisor, your IT group, or your InfoSec group on the spot for assistance. You are responsible to the whole company at least as much as to the one person on the phone; don't let one person's stress jeopardize the organization's information security.
November 21, 2013
Don't make that call!
If you receive an email asking you to call an 800 number about a banking issue, don't call that number. Your credit card has a phone number on the back, as do your account statements. Be safe: never call a phone number listed in an email; look the number up on your card or statements instead. This attack is known as vishing (voice phishing): the email directs you to a fake automated answering system that asks you to enter your account number and other sensitive information.
November 20, 2013
Print out important documents
A digital photography expert told me that CDs are expected to "live" for up to ten years. I want kids—and maybe grandkids—to see photos, so I print the best ones. Same goes for documents: print important files so that they are accessible in future decades. Of course, you want to back up these files too.
November 19, 2013
Don't Click to Agree without Reading the Small Print
Some free software passes your information on to advertisers, changes your PC's settings or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to it. How? People often click the "agree" button to accept 20 pages of difficult legal jargon they don't understand, and buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but by then it is too late: the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.
November 18, 2013
Don't open email about Michael Jackson
When a major news event happens, cyber criminals send email with a subject line related to the event and an attachment that is malware, intended to infect your computer and make it part of a botnet for sending spam and conducting other illegal activities. You can see examples of these catchy subject lines at http://www.flickr.com/photos/panda_security/with/3256919391/
November 17, 2013
Many people think that 'formatting' a hard drive will wipe out all the data so it cannot be recovered
Not so. Formatting (and especially a "quick" format) only rewrites the file system's bookkeeping structures; the old file contents stay on the platters until something overwrites them, and recovery tools read them straight back. To prevent recovery, use a disk-wiping tool such as Killdisk (downloadable at no charge from www.killdisk.com) to overwrite every sector of the drive with random data. Two caveats: overwriting is unreliable on SSDs and USB flash media, because wear levelling can leave copies of old blocks untouched, so use the drive's built-in secure-erase command there; and if the drive was fully encrypted from the start, destroying the key is enough.
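What "overwrite with random data" means in practice, as an added Python example (not from the original tip and not Killdisk's code). It writes a marker into a scratch file, confirms a raw scan finds it, overwrites the file in place with os.urandom, and confirms the marker is gone. Pointed at a device path such as /dev/sdX and run as root on Linux, the same function wipes a whole disk; the scratch file, marker and chunk size are constructed for the demonstration, and the SSD caveat above still applies.

```python
"""Overwrite a file (or, as root on Linux, a block device) with random
bytes so that the old contents cannot be read back. Added example, not
from the original tip. Overwriting is NOT reliable on SSDs/flash."""
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per write (assumed size)


def overwrite_with_random(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` in place; returns bytes per pass.
    The length is found by seeking to the end, which also works for a
    block device, where os.path.getsize would report 0."""
    with open(path, "r+b", buffering=0) as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            os.fsync(f.fileno())  # push it past the OS cache to the media
    return size


def contains(path: str, marker: bytes) -> bool:
    """Scan the raw bytes for `marker`, as a recovery tool would.
    Reads everything into memory, so only use it on small test files."""
    with open(path, "rb") as f:
        return marker in f.read()


def demo() -> tuple:
    """Write a constructed secret, wipe, and return
    (found_before, found_after, bytes_written)."""
    secret = b"ACCOUNT-NUMBER-1234567890"  # constructed marker
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"header\n" + secret + b"\n" + b"\0" * 4096)
        before = contains(path, secret)
        written = overwrite_with_random(path)
        after = contains(path, secret)
    finally:
        os.remove(path)
    return before, after, written


if __name__ == "__main__":
    print("found before: %s, found after: %s, bytes: %d" % demo())
```

Note that wiping a single file in place only covers that file's current blocks; copies in a journal, in earlier versions, or in free space are exactly why the tip talks about wiping the whole drive.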
November 16, 2013
Nobody from the Help Desk needs your password
While watching some scenarios in some videos on computer security, one of the audience members turned bright red. After the video, she confided in me that she had once received a call from "The Help Desk" saying that they needed her password to trouble-shoot a problem they were having backing up her files. She provided it. Fortunately, she thought about it and 5 minutes later called the help desk to confirm. The help desk staff immediately locked her account and had her drop by with ID so they could provide her with a new password.
November 15, 2013
Avoid opening email attachments
If you MUST open an attachment received in an email, make sure the email was sent from a known source. Read the accompanying email text to make sure it really sounds like it came from the apparent sender: check for a signature and other recognized patterns. The sender address itself is trivial to forge, so when in doubt confirm by another channel, such as a phone call, before opening.
November 14, 2013
If you download FREE software...Make sure you don't get more than you bargain for
Free software that you download could be just what you think it is — a single software package. However, many times free software comes bundled with other unwanted, harmful programs including spyware, viruses, or even Trojan horse programs. To help keep your computer free from unwanted guests, make sure the site you are downloading from is one you know and trust. Also verify that your operating system and anti-virus software have been updated and patched BEFORE you click the download button!
November 13, 2013
Never respond to an email asking for personal information
Companies you do business with should never ask for account information, credit card numbers or PIN information in an email message. If you have any questions about an email you receive that supposedly comes from your financial institution, call the local branch office. Do NOT respond to the email.
November 12, 2013
Use a password protected screen saver
Desktop computers should be locked or logged off when the user steps away. Password-protecting the Windows screen saver "locks" the desktop after a period of inactivity. On Windows XP, right-click the desktop and go to "Properties", select the "Screen Saver" tab, and check "On resume, password protect". On later versions of Windows the same setting is under Personalization > Screen Saver, labelled "On resume, display logon screen". Keep the wait time short; the screen saver is a backstop, not a substitute for locking the machine yourself when you walk away.
November 11, 2013
Take time to explore security settings
Whether it is financial management software, instant messaging or a social networking website, take the time to see what security settings are offered to protect you and your information. Follow these steps for all of the software you use, not just email.
Go to Options or Preferences
Every program is different, so look for words like "Privacy", "Safety" or "Security" and click on them.
Select the most restrictive option (i.e. only let the people you approve view your information or contact you — or the one that best accommodates your business needs).
Save the settings.
November 10, 2013
Do NOT open unknown or unexpected e-mail attachments
This morning I got an e-mail from my boss with an attachment. My boss is a man of few words on e-mail. If he wants to explain or discuss something with me, he picks up the phone. When he wants me to read or edit something we have talked about, he sends it to me. Even though the subject line was a date, the e-mail had no text, AND my boss hadn't told me he was sending me an attachment, I opened it because it was from my boss at an e-mail address I recognized. Bad move. Imagine my surprise when my Norton anti-virus screen popped up with a message that the attachment contained a virus and had been deleted. Hackers had spoofed his address, and I had fallen for it.
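The signals the two attachment tips above rely on (known sender, text that reads like the sender, no bare attachment) can be checked mechanically on a message's headers and MIME parts. The following is an added Python example, not code from either tip; KNOWN_SENDERS and the two raw messages are constructed, and the list of risky attachment extensions is an assumed policy.

```python
"""Triage an incoming message: known sender? Reply-To pointing elsewhere?
display name pretending to be an address? attachment with no text?
Added example, not from the original tips; all inputs are constructed."""
from email import message_from_string
from email.utils import parseaddr

KNOWN_SENDERS = {"boss@example.com", "hr@example.com"}      # constructed
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".zip")  # assumed


def warnings_for(raw: str) -> list:
    """Return a list of human-readable warnings; empty means nothing odd."""
    msg = message_from_string(raw)
    warns = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    if from_addr not in KNOWN_SENDERS:
        warns.append(f"unknown sender {from_addr or '<none>'}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        warns.append(f"Reply-To {reply_to} differs from From")
    # Display name shaped like an address, but not the real one.
    if "@" in display_name and display_name.lower() != from_addr:
        warns.append("display name looks like a different address")
    attachments, text = [], ""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_disposition() == "attachment":
                attachments.append(part.get_filename() or "unnamed")
            elif part.get_content_type() == "text/plain":
                text += part.get_payload(decode=True).decode("utf-8", "replace")
    else:
        text = msg.get_payload(decode=True).decode("utf-8", "replace")
    if attachments and not text.strip():
        warns.append(f"attachment(s) {attachments} with no message text")
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            warns.append(f"executable or archive attachment {name}")
    return warns


# Constructed message resembling the one in the tip: spoofed display name,
# empty body, a screensaver executable attached.
SUSPICIOUS_MESSAGE = """\
From: "boss@example.com" <invoice@mail-example.net>
Reply-To: collect@other.example
To: me@example.com
Subject: 11/10/2013
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

--XYZ
Content-Type: application/octet-stream; name="doc.scr"
Content-Disposition: attachment; filename="doc.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAE
--XYZ--
"""

# Constructed message that matches how the real boss writes.
CLEAN_MESSAGE = """\
From: Boss <boss@example.com>
To: me@example.com
Subject: Draft we discussed
Content-Type: text/plain; charset="utf-8"

Here is the edited draft from this morning's call.
"""

if __name__ == "__main__":
    for w in warnings_for(SUSPICIOUS_MESSAGE):
        print("WARNING:", w)
    print("clean message:", warnings_for(CLEAN_MESSAGE) or "no warnings")
```

None of these checks proves a message is safe; a compromised real account passes all of them. They only make the "it looked like it came from him" reflex a little harder to fall for.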
November 9, 2013
Lock your workstation before you leave your desk
Did you know there are keyboard shortcuts other than CTRL+ALT+DEL that you can use to lock your desktop? Locking prevents people from walking up and snooping on your computer. You can save a keystroke by pressing the Windows key + L together. The Windows key is the one with the four wavy squares.
Or, to make things even easier, create a desktop shortcut:
Right-click any empty area of your desktop and choose New > Shortcut
Type in the following as the location: rundll32.exe user32.dll,LockWorkStation
Name your shortcut
Now locking is as easy as a double-click!
November 8, 2013
Remember that any email or instant message you send could come back to haunt you
Once you send an e-mail, it has a very good chance of being saved in someone's mailbox or archived on a server forever. People involved in scandals like Oliver North, Monica Lewinsky, Patricia Dunn (the former Hewlett-Packard chairman), and Bill Gates probably wish they could take back an email or two... Instant Messages can also be saved and used at a later date to embarrass you. Paris Hilton might be able to shed additional light on that subject. Be careful about what you put in writing and whom you send it to.
November 7, 2013
See just how "Security Aware" you really are
Do you believe you're a little more Security Aware? Can you identify the threats that exist in your environment and the steps you should take to avoid them? Take the following quizzes and find out.