Security Awareness Tip of The Day

Upcoming Webcasts RSS Feed Click here to subscribe to the Security Awareness Tip of the Day RSS Feed

To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.

SANS Institute is using Twitter! Click Here

SANS Security Tip Contest. Have your tip featured on the SANS Tip of the Day!

December 21, 2014

Passwords: Be creative

If you can't remember hard passwords no matter how hard you try, put your password in parenthesis. baseball38 is a weak password. (baseball38) is much better.

When you change your password, you should always change at least half of it and when you do, change the parentheses as well. Change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.


December 20, 2014

Always lock your computer (by pressing CTRL + ALT + DELETE and hitting "Enter") before walking away from it

Locking your computer before leaving it unattended prevents anyone else from accessing it while you are away. This is especially important when there are customers in your office. Leaving your computer unlocked can expose customer data to a third party. Even when there is no one in your office, data could be exposed if your computer screen faces an outside window, especially on the ground floor.
December 19, 2014

Don't download files from unknown sources

Not all web sites are safe. Always ensure that the source you are downloading from is legitimate. Use extreme caution if you are referred to a site by an email message. If you're uncertain, don't download.
December 18, 2014

Always Check Credentials

The receptionist's PC had been running slowly, so he was pleased when a woman arrived and announced that she was a technician. She dropped the name of the IT manager and said, "Don't bother logging off, I'll only be a few minutes." Ten minutes later she was gone — along with a bunch of confidential documents. Those documents enabled an unscrupulous competitor to beat the company to a lucrative contract. If the receptionist had checked the technician's credentials with the IT Manager, the security breach could have been avoided. Not only did the receptionist learn a lesson; the company also learned that they should control access to sensitive information!
December 17, 2014

Patch and update on a regular basis

Because hackers are constantly looking for vulnerabilities, it is important to keep your software up to date and patched. Unpatched, out-of-date systems are a leading cause of security incidents. Take the time to ensure you have the most recent patches and updates installed.
December 16, 2014

Lock it when you leave it

Never leave your computer logged in when you walk away, not even for a minute. Make it a habit to log off your workstation whenever you get up. Remember to always leave your Windows computer by pressing the keyboard shortcut combination of the Windows logo key and the letter "L" on a Microsoft natural keyboard. Get it? Leave Windows by pressing the Windows logo + L keys together to lock it up.
December 15, 2014

If you are a victim of identity theft, report it immediately

Here are some things you should do.
  1. Contact the three major credit bureaus and have them place a fraud alert on your credit report.
  2. If a credit card was involved, contact the credit card company and close the account.
  3. Contact your local law enforcement agency and file a report.
  4. File a complaint with the Federal Trade Commission.
  5. Document all conversations so you know whom you spoke to and when.
December 14, 2014

Don't Click to Agree without Reading the Small Print

Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.
December 13, 2014

Use caution when opening email attachments

Email attachments are a common tool for attackers because forwarding email is so simple. Users often open attachments that appear to come from someone they know or an organization they do business with. Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send. If your email program includes an option to automatically download email attachments, DON'T take it. Doing so could immediately expose your computer to any viruses included in the email attachments.
December 12, 2014

Secure your Wireless Router

When setting up a wireless network at home, I was surprised to be able to connect to my neighbor's unsecured wireless router. Not only could I have used his bandwidth for free, but had I been so inclined, I could have used the connection for illegal activities. If the police came looking, he may not have been able to prove the activity didn't come from one of his computers. Properly securing wireless is not hard. Look in the manual for changing the SSID to something unique, turning on WPA (avoid WEP) for authentication and TKIP for encryption, and using MAC address filtering.
December 11, 2014

Don't walk away from your computer before you....

... Lock your computer by holding down the "Windows" key and pressing the "L" key.
December 10, 2014

Turn off your wireless AP when it's not in use

Power off your wireless access point (AP) when you know you won't be at home or when it's not in use. Your AP can't be accessed by hackers when it is not powered on. So, turn it off and limit the amount of time you leave yourself open to attack.
December 9, 2014

Don't be duped by Internet Fraud

We all get offers that seem too good to be true. Whether they come by email or appear on web sites, they are often clever schemes designed to dupe the gullible. Don't be tricked by Internet Fraud. For more information see http://www.lookstoogoodtobetrue.com.
December 8, 2014

Do not write your password down and leave it near your computer

Writing your password on a 'sticky-note' and sticking it on your monitor makes it very easy for people who regularly steal passwords to obtain yours. Hiding it under your keyboard or mouse pad is not much better, as these are common hiding places for passwords. However if you must write something down, jot down a hint or clue that will help jog your memory or store the written password in a secure, locked place.
December 7, 2014

Don't Let Spammers See Your "Out of Office" Replies

Configuring your email program to automatically return "Out of Office" notifications to email senders is good for internal mail system users, but it can provide confirmation of an email address to a spammer, if permitted to leave the corporate network. Configure your message replies to recognize only trusted domain addresses or block your notifications outbound at the firewall.

For home users, never say you are not home, but rather "away from the computer right now", and don't specify for how long. You don't want to advertise your absence.
December 6, 2014

Print out important documents

A digital photography expert told me that CDs are expected to "live" for up to ten years. I want kids—and maybe grandkids—to see photos, so I print the best ones. Same goes for documents: print important files so that they are accessible in future decades. Of course, you want to back up these files too.
December 5, 2014

Don't check "remember my password" boxes

Numerous programs offer the option of "remembering" your password. Unfortunately, many of them have no built-in security measures to protect that information. Some programs actually store the password in clear text in a file on the computer. This means anyone with access to the computer can read the password. It's best to retype your password each time you log in eliminating the possibility that someone will be able to steal or use it.
December 4, 2014

Prevent USB Drives from Spreading Viruses

When you stick a thumb drive infected with a worm like Conficker/Downadup into a clean system, the normally handy AutoPlay feature launches the worm and spreads the infection. You can prevent this by flipping the master switch. Here's how:
  1. Click on the "Start" button and pick "Run."
  2. Enter the text GPEDIT.MSC and press Enter. After a moment, the Group Policy editor window will open.
  3. In the left panel, double-click on "Computer Configuration."
  4. Double-click on "Administrative Templates."
  5. Double-click on "System."
  6. In the right panel near the bottom of the list, double-click on "Turn off autoplay."/
  7. The default setting is the "Not configured." Put a bullet in "Enabled."
  8. Make sure "Turn off Autoplay on:" is set to "All drives."
  9. Click on "Apply," and then "OK".
  10. Close the Group Policy editor window.
December 3, 2014

Turn off the message preview pane in Outlook or Outlook Express

If the message preview pane is enabled, the messages in your inbox are automatically "opened" as you scroll through them. While this is convenient, it also poses a potential security risk. If you disable the preview pane, you can delete any email that looks suspicious BEFORE it's opened and avoid a possible virus infection.
December 2, 2014

Think twice before you post personal information. Remember, even crooks may see what you post on social media sites

Criminals are mopping up because social media users are willing to share personal information about themselves and others. This data can be used to guess your password, give them the answers to account security questions or send you email with malicious attachments that appear to be from someone you know.
December 1, 2014

Make sure the site you're ordering from protects your information crossing the Internet

This is shown by either a closed lock or an unbroken key at the bottom of the browser window. You can also check to see if the URL begins with https://. While https by itself is not an indication of a secure site, when it is combined with the lock or the unbroken key, then it indicates your data is being encrypted from prying eyes as it crosses the Internet. If you have https without the lock or key in the browser, then it has been faked and is not secure. Sometimes you may also encounter a pop up box that indicates you are about to enter or leave a secure area.
November 30, 2014

Don't Let Personnel Issues Become Security Issues; Terminate Computer Access Before You End a Contract or Tell People They Are Fired

Shortly before a labor union strike in August 2006, two Los Angeles transportation engineers allegedly disconnected traffic signals at four busy intersections. Subsequently, these disgruntled employees were accused of unauthorized access to a computer, identity theft and unauthorized disruption or denial of computer services. The danger imposed on the public based on these acts was significant even IF there were no accidents as a result of this action. Had the Department of Transportation revoked computer access as soon as it terminated the contracts of the two engineers, LA would have avoided the risk to the public. P.S. It took the city days to get the traffic control system back to normal.
November 29, 2014

Always log off your own computer. Do not let anyone else offer to do it for you

One of our branch supervisors was offering to log her staff off for them, so they didn't have to wait, and could get on with their evenings away from work. She wouldn't really log them off, though, but would just turn off their computer monitors. Once the staff had left for the evening, she would go back to the computers to see who was still signed in to the banking software. If she found someone still signed in, the supervisor would then defraud the bank, using her staff's IDs to cover her tracks.
November 28, 2014

Email isn't the only online communication that has security risks

Instant Messaging has become a popular way for people to communicate over the Internet. In some instances it has even replaced email. What some people don't realize, however, is that instant messaging has many of the same security threats that email does... and then some. Instant messaging can transfer viruses and other malware, provide an access point for Trojans, and give hackers an easy way to find victims. If you use instant messaging on a regular basis, you need to be aware of the security risks associated with it and take steps to protect yourself. See the following links for more on instant messaging safety.
November 27, 2014

Know your IMEI?

Did you know there is a unique serial number that identifies each mobile phone? Press *#06# on your phone's keypad, and it will display a 15 digit number. Make a record of that number, it is your International Mobile Equipment Identity (IMEI) number; and, if the phone is lost or stolen, the phone can be identified even if a new SIM card is added. Your provider can also block others from using the phone on their network, which could help protect you against expensive 1-900 phone calls and similar mischief.

November 26, 2014

Don't Investigate a Security Problem Unless You Are Authorized by the System Owner

A security specialist was suspicious after donating to a charity website and not getting an acknowledgement. So he ran a couple of tests on the site to see if it was what it claimed to be. Unfortunately, he set off the site's security alarms, ending up convicted of a crime under the UK Computer Misuse Act and out of a job. At work, rather than trying to check by yourself, report suspected problems inside your company to your manager, IT area or security team. Aside from getting into trouble, you could destroy evidence or confuse people who are investigating an issue. http://www.channelregister.co.uk/2005/10/06/tsunami_hacker_convicted/
November 25, 2014

Only deal with reputable companies that you know and trust

At the very least be sure the company has a physical address and phone number. If you haven't done business with the company before, visit the Better Business Bureau online (http://www.bbbonline.org) and do some research. Check the company's website for feedback from previous customers.
November 24, 2014

Many people think that 'formatting' a hard drive will wipe out all the data so it cannot be recovered

Not so. To prevent the possibility of future recovery, use a third-party, low-level hard drive formatting tool, such as Killdisk (downloadable at no charge from www.killdisk.com) to overwrite data on the hard drive with a random sequence of 1's and 0's.
November 23, 2014

Make sure your personal information is protected when you do business online

Always read the privacy statement before you fill in the blanks. You should also verify that the site is using encryption before you submit any information — look for https in the web address and for a padlock or key in the lower right corner of your browser. Don't send your personal information (social security number, credit card number, etc.) in an email or through instant messaging.
November 22, 2014

Don't fall for phishing schemes

Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts (if an email message looks suspicious, it probably is). However there are some messages that look like the real thing but aren't. If an email message contains any of the following phrases, there's a good chance it could be a phishing scheme.
  1. We need to verify your account information.
  2. If you don't respond immediately, your account will be cancelled.
  3. Click the link below to update your information.

Take the following Phishing Quizzes and see how good you are at identifying phishing schemes.