MONTHLY Security Tips

TIP-32: Have a Backup Plan

Since your information could be lost or compromised (due to an equipment malfunction, an error, or an attack), make regular backups of your information so that you still have clean, complete copies. Backups also help you identify what has been changed or lost. If your computer has been infected, it is important to remove the infection before resuming your work. Keep in mind that if you did not realize that your computer was infected, your backups may also be compromised.

Courtesy of United States Computer Emergency Readiness Team
Authors: Mindi McDowell, Matt Lytle

TIP-31: Lock Up Your Valuables

If an attacker is able to access your personal data, he or she may be able to compromise or steal the information. Take steps to protect this information by following good security practices (see the Tips index page for a list of relevant documents). Some of the most basic precautions include locking your computer when you step away; using firewalls, anti-virus software, and strong passwords; installing appropriate software updates; and taking precautions when browsing or using email.

Courtesy of United States Computer Emergency Readiness Team
Authors: Mindi McDowell, Matt Lytle

TIP-30: Don't advertise that you are away from home

Some email accounts, especially within an organization, offer a feature (called an autoresponder) that allows you to create an "away" message if you are going to be away from your email for an extended period of time. The message is automatically sent to anyone who emails you while the autoresponder is enabled. While this is a helpful feature for letting your contacts know that you will not be able to respond right away, be careful how you phrase your message. You do not want to let potential attackers know that you are not home, or, worse, give specific details about your location and itinerary. Safer options include phrases such as "I will not have access to email between [date] and [date]." If possible, also restrict the recipients of the message to people within your organization or in your address book. If your away message replies to spam, it only confirms that your email account is active. This may increase the amount of spam you receive (see Reducing Spam for more information).

Courtesy of United States Computer Emergency Readiness Team
Authors: Mindi McDowell, Matt Lytle

TIP-29: If it sounds too good to be true, it probably is

You have probably seen many emails promising fantastic rewards or monetary gifts. However, regardless of what the email claims, there are not any wealthy strangers desperate to send you money. Beware of grand promises—they are most likely spam, hoaxes, or phishing schemes. Also be wary of pop-up windows and advertisements for free downloadable software—they may be disguising spyware.

Courtesy of United States Computer Emergency Readiness Team
Authors: Mindi McDowell, Matt Lytle

TIP-28: Mail Theft

"Old school" thieves scout for unlocked mailboxes and steal your mail—and your identity—right from your front door. If you are expecting valuable items like a credit card or bills, report them immediately if they are delayed.

TIP-27: Online Shopping

Thieves are experts at duplicating legitimate online storefronts. Before you know it, you've completed your transaction and inadvertently handed over the personal information they need to commit fraud. Only shop from reputable sites.

TIP-26: Fishing

Email, texting, and websites are not the only way thieves are phishing for personal information. Fishing—voice calls made to your landline or mobile phone—is an effective way for thieves to get your personal information. Ensure that you have proper password protection enabled on your voicemail (VM) systems.


TIP-25: Fix Your Browser

Qualys recently analyzed more than 1 million Internet-connected Microsoft Windows PCs and Macs. It found 56% of users of Microsoft's Internet Explorer surfed the Internet using an older version of the popular Web browser carrying widely known security flaws. Hackers are expert at tapping into such flaws to seed infections. Some 49.2% of users of Mozilla's Firefox, 47.5% of Google's Chrome and 37.4% of Apple's Safari also used browser versions lacking the latest security updates. Using an outdated browser — and clicking on a Web page booby-trapped with a hidden virus — can turn control of your computer over to an intruder.

TIP-24: Police, Prosecutors Worried about Brazen Form of Identity Theft

Police and prosecutors are increasingly worried about a brazen form of identity theft in which thieves go beyond financial fraud to assume the victim's persona completely. So-called total identity theft involves crooks who use a person's name and Social Security number to get a job and other documents and services. To protect against identity theft, the Federal Trade Commission urges Americans to follow the "three D's" - deter, detect and defend. There is now a new push to protect people by checking their credit score because police in Wichita are seeing a new scheme. Police say people who are in the country illegally are using stolen social security numbers to get a job and other services.

When Candida Gutierrez's identity was stolen, the thief used it to get a driver's license, a mortgage and medical care for the birth of her two children. Americans reported more than 279,000 instances of identity theft last year, up from 251,100 in 2010. To deter it, people should make sure to shred financial documents and watch who they share their information with online. To detect identity theft, one should monitor their accounts, bills and credit score. And to defend against identity theft, if people suspect a problem they should immediately place a fraud alert on their credit reports and close any accounts that may have been compromised. The Fair Credit Reporting Act requires each of the nationwide consumer reporting companies to provide people with a free copy of their credit report once every 12 months.

By Chris Oberholtz, Multimedia Producer & By Emily Rittman, News Reporter
FAIRWAY, KS (KCTV)

TIP-23: Phishing

These days, that email from your bank in your inbox could be real—or a phishing attempt. Today's thieves are busy impersonating legitimate businesses via email and websites in order to acquire your personal information like PINs, credit card or bank account numbers, or Social Security number information. Do not click on a link in your e-mail; rather, visit the site directly.

TIP-22: Youth at Risk

Complaints by victims' age point to an interesting statistic: incidents of fraud are low among consumers age 19 and younger; however, complaints of identity theft in that group are disproportionately higher—ripe for future fraud activity.

TIP-21: ATM Skimmers/Handheld Skimmers

Today's thieves are innovating the way they steal your personal information, by swiping it—literally—when you are in the midst of a legitimate transaction such as paying a dinner bill at a restaurant, pumping gas, or using an ATM. Pay close attention to your statements.

TIP-20: Change of Address

This is a classic identity theft technique—thieves change the address where you receive mail and divert your personal information into the wrong hands.

TIP-19: Stolen Wallet

When a thief steals your wallet, they gain instant access to the information they need to take the next step and steal your identity. Keep a copy of all the credentials in your wallet in a secure place, so you can report them in case of loss or theft.

TIP-18: Dumpster Diving

This method of identity theft is one of the most traditional—and most effective. Thieves search your trash for documents that contain your personal information and gain access to important numbers that help them commit identity theft. Shred them.

TIP-17: Can You Trust a Certificate?

The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate's unique fingerprint by calling the organization directly, there is no way to be absolutely sure.

When you trust a certificate, you are essentially trusting the certificate authority to verify the organization's identity for you. However, it is important to realize that certificate authorities vary in how strict they are about validating all of the information in the requests and about making sure that their data is secure. By default, your browser contains a list of more than 100 trusted certificate authorities. That means that, by extension, you are trusting all of those certificate authorities to properly verify and validate the information. Before submitting any personal information, you may want to look at the certificate.

How do you check a certificate?

There are two ways to verify a web site's certificate in Internet Explorer or Firefox. One option is to click on the padlock icon. However, your browser settings may not be configured to display the status bar that contains the icon. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following:

- Who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.

- Who the certificate is issued to - The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.

- Expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.

Authors: Mindi McDowell, Matt Lytle
Copyright 2005, 2008, 2010 Carnegie Mellon University
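The three checks the tip lists (who issued the certificate, who it is issued to, and whether the dates are valid), together with the "valid for longer than two years" caveat, as an added Python example that is not part of the original tip. It operates on a certificate dictionary in the shape returned by Python's ssl.SSLSocket.getpeercert(); the certificate contents and the trusted-issuer list are constructed for the example, and the two-year threshold is taken from the tip. It does not verify the signature chain (that is what the browser's TLS stack does); it reproduces only the manual inspection described above.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Trusted CA"),),
        (("commonName", "Example Trusted CA Root"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Hypothetical trust list standing in for the browser's built-in list of CAs.
TRUSTED_ISSUERS = {"Example Trusted CA"}

# The tip says to be wary of certificates valid for more than two years.
TWO_YEARS = 2 * 365 * 24 * 3600


def rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert()-style name."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def hostname_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_certificate(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Run the three checks from the tip plus the long-validity caveat."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):  # accept the same date format the certificate uses
        now = ssl.cert_time_to_seconds(now)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])

    # "Who the certificate is issued to": prefer subjectAltName, fall back to CN.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = rdn_value(cert["subject"], "commonName")
    if not names and cn:
        names = [cn]

    issuer_org = rdn_value(cert["issuer"], "organizationName")
    return {
        "issuer": issuer_org,
        "issuer_trusted": issuer_org in trusted_issuers,
        "issued_to": names,
        "name_matches": any(hostname_matches(n, hostname) for n in names),
        "currently_valid": not_before <= now <= not_after,
        "longer_than_two_years": (not_after - not_before) > TWO_YEARS,
    }


def worth_trusting(result):
    """All three checks pass and the validity period is not suspiciously long."""
    return (result["issuer_trusted"] and result["name_matches"]
            and result["currently_valid"] and not result["longer_than_two_years"])


if __name__ == "__main__":
    r = check_certificate(SAMPLE_CERT, "www.example.com", now="Jun 15 12:00:00 2024 GMT")
    print(r, "->", "trust" if worth_trusting(r) else "do not trust")
```

In a real session the dictionary would come from `sock.getpeercert()` on an `ssl.SSLSocket` created with `ssl.create_default_context()`, which already performs the chain and hostname validation; the functions above show what each of the tip's manual checks amounts to, and the result dict makes it easy to see which one failed.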

TIP-16: Why is Cyber Security a Problem?

You've heard the news stories about credit card numbers being stolen and email viruses spreading. Maybe you've even been a victim yourself. One of the best defenses is understanding the risks, what some of the basic terms mean, and what you can do to protect yourself against them.

What is cyber security?

It seems that everything relies on computers and the internet now—communication (email, cellphones), entertainment (digital cable, mp3s), transportation (car engine systems, airplane navigation), shopping (online stores, credit cards), medicine (equipment, medical records), and the list goes on. How much of your daily life relies on computers? How much of your personal information is stored either on your own computer or on someone else's system?

Cyber security involves protecting that information by preventing, detecting, and responding to attacks.

What are the risks?

There are many risks, some more serious than others. Among these dangers are viruses erasing your entire system, someone breaking into your system and altering files, someone using your computer to attack others, or someone stealing your credit card information and making unauthorized purchases. Unfortunately, there's no 100% guarantee that even with the best precautions some of these things won't happen to you, but there are steps you can take to minimize the chances.

What can you do?


The first step in protecting yourself is to recognize the risks and become familiar with some of the terminology associated with them.

Hacker, attacker, or intruder - These terms are applied to the people who seek to exploit weaknesses in software and computer systems for their own gain. Although their intentions are sometimes fairly benign and motivated solely by curiosity, their actions are typically in violation of the intended use of the systems they are exploiting. The results can range from mere mischief (creating a virus with no intentionally negative impact) to malicious activity (stealing or altering information).

Malicious code - Malicious code, sometimes called malware, is a broad category that includes any code that could be used to attack your computer.

Malicious code can have the following characteristics:

- It might require you to actually do something before it infects your computer. This action could be opening an email attachment or going to a particular web page.

- Some forms propagate without user intervention and typically start by exploiting a software vulnerability. Once the victim computer has been infected, the malicious code will attempt to find and infect other computers. This code can also propagate via email, websites, or network-based software.

- Some malicious code claims to be one thing while in fact doing something different behind the scenes. For example, a program that claims it will speed up your computer may actually be sending confidential information to a remote intruder. Viruses and worms are examples of malicious code.

Vulnerability - In most cases, vulnerabilities are caused by programming errors in software. Attackers might be able to take advantage of these errors to infect your computer, so it is important to apply updates or patches that address known vulnerabilities.

Authors: Mindi McDowell, Allen Householder
Copyright 2004, 2009 Carnegie Mellon University.

TIP-15: P2P File Sharing

Music sharing sites and other peer-to-peer networks have helped high-tech thieves get all kinds of personal information via accidental disclosure—tax returns, password files, birth dates, and account numbers. Anything stored on the same hard drive as the shared library can inadvertently go public when you connect.

TIP-14: STOP. THINK. CONNECT.


http://stopthinkconnect.org/

Stop: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

Think: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s.

Connect: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.

Courtesy of Department of Homeland Security.

TIP-13: HOW DO THIEVES STEAL AN IDENTITY?

Identity theft starts with the misuse of your personal information such as your name and Social Security number, credit card numbers, or other financial account information. For identity thieves, this information is as good as gold. Skilled identity thieves may use a variety of methods to get hold of your information, including:

Dumpster Diving. They rummage through trash looking for bills or other paper with your personal information on it.

Skimming. They steal credit/debit card numbers by using a special storage device when processing your card.

Phishing. They pretend to be financial institutions or companies and send e-mail or pop-up messages to get you to reveal your personal information.

Changing Your Address. They divert your billing statements to another location by completing a change of address form.

Old-Fashioned Stealing. They steal wallets and purses; mail, including bank and credit card statements; pre-approved credit offers; and new checks or tax information. They steal personnel records, or bribe employees who have access.

Pretexting. They use false pretenses to obtain your personal information from financial institutions, telephone companies, and other sources.

Courtesy of FTC.gov

TIP-12: WHAT IS AN OPERATING SYSTEM?

An operating system (OS) is the main program on a computer. It performs a variety of functions, including:

- determining what types of software you can install

- coordinating the applications running on the computer at any given time

- making sure that individual pieces of hardware, such as printers, keyboards, and disk drives, all communicate properly

- allowing applications such as word processors, email clients, and web browsers to perform tasks on the system (e.g., drawing windows on the screen, opening files, communicating on a network) and use other system resources (e.g., printers, disk drives)

- reporting error messages

The OS also determines how you see information and perform tasks. Most operating systems use a graphical user interface (GUI), which presents information through pictures (icons, buttons, dialog boxes, etc.) as well as words. Some operating systems can rely more heavily on textual interfaces than others.

How do you choose an operating system?

In very simplistic terms, when you choose to buy a computer, you are usually also choosing an operating system. Although you may change it, vendors typically ship computers with a particular operating system. There are multiple operating systems, each with different features and benefits, but the following three are the most common:

Windows - Windows, with versions including Windows XP, Windows Vista, and Windows 7, is the most common operating system for home users. It is produced by Microsoft and is typically included on machines purchased in electronics stores or from vendors such as Dell or Gateway. The Windows OS uses a GUI, which many users find more appealing and easier to use than text-based interfaces.

Mac OS X - Produced by Apple, Mac OS X is the operating system used on Macintosh computers. Although it uses a different GUI, it is conceptually similar to the Windows interface in the way it operates.

Linux and other UNIX-derived operating systems - Linux and other systems derived from the UNIX operating system are frequently used for specialized workstations and servers, such as web and email servers. Because they are often more difficult for general users or require specialized knowledge and skills to operate, they are less popular with home users than the other options. However, as they continue to develop and become easier to use, they may become more popular on typical home user systems.

Authors: Mindi McDowell, Chad Dougherty
Copyright 2004, 2010 Carnegie Mellon University.

TIP-11: KEEPING CHILDREN SAFE ONLINE PART 2

How can you minimize the access other people have to your information?

You may be able to easily identify people who could, legitimately or not, gain physical access to your computer—family members, roommates, co-workers, members of a cleaning crew, and maybe others. Identifying the people who could gain remote access to your computer becomes much more difficult. As long as you have a computer and connect it to a network, you are vulnerable to someone or something else accessing or corrupting your information; however, you can develop habits that make it more difficult.

Lock your computer when you are away from it. Even if you only step away from your computer for a few minutes, it's enough time for someone else to destroy or corrupt your information. Locking your computer prevents another person from being able to simply sit down at your computer and access all of your information.

Disconnect your computer from the Internet when you aren't using it. The development of technologies such as DSL and cable modems has made it possible for users to be online all the time, but this convenience comes with risks. The likelihood that attackers or viruses scanning the network for available computers will target your computer becomes much higher if your computer is always connected. Depending on what method you use to connect to the Internet, disconnecting may mean disabling a wireless connection, turning off your computer or modem, or disconnecting cables. When you are connected, make sure that you have a firewall enabled.

Evaluate your security settings. Most software, including browsers and email programs, offers a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of the software, or if you hear of something that might affect your settings, reevaluate your settings to make sure they are still appropriate.

TIP-10: KEEPING CHILDREN SAFE ONLINE PART 1

What unique risks are associated with children?

When a child is using your computer, normal safeguards and security practices may not be sufficient. Children present additional challenges because of their natural characteristics: innocence, curiosity, desire for independence, and fear of punishment. You need to consider these characteristics when determining how to protect your data and the child.

You may think that because the child is only playing a game, or researching a term paper, or typing a homework assignment, he or she can't cause any harm. But what if, when saving her paper, the child deletes a necessary program file? Or what if she unintentionally visits a malicious web page that infects your computer with a virus? These are just two possible scenarios. Mistakes happen, but the child may not realize what she's done or may not tell you what happened because she's afraid of getting punished.

Online predators present another significant threat, particularly to children. Because the nature of the internet is so anonymous, it is easy for people to misrepresent themselves and manipulate or trick other users. Adults often fall victim to these ploys, and children, who are usually much more open and trusting, are even easier targets. The threat is even greater if a child has access to email or instant messaging programs, visits chat rooms, and/or uses social networking sites.

What can you do?

Be involved - Consider activities you can work on together, whether it be playing a game, researching a topic you had been talking about (e.g., family vacation spots, a particular hobby, a historical figure), or putting together a family newsletter. This will allow you to supervise your child's online activities while teaching her good computer habits.

Keep your computer in an open area - If your computer is in a high-traffic area, you will be able to easily monitor the computer activity. Not only does this accessibility deter a child from doing something she knows she's not allowed to do, it also gives you the opportunity to intervene if you notice a behavior that could have negative consequences.

Set rules and warn about dangers - Make sure your child knows the boundaries of what she is allowed to do on the computer. These boundaries should be appropriate for the child's age, knowledge, and maturity, but they may include rules about how long she is allowed to be on the computer, what sites she is allowed to visit, what software programs she can use, and what tasks or activities she is allowed to do. You should also talk to children about the dangers of the internet so that they recognize suspicious behavior or activity. The goal isn't to scare them, it's to make them more aware.

Monitor computer activity - Be aware of what your child is doing on the computer, including which web sites she is visiting. If she is using email, instant messaging, or chat rooms, try to get a sense of who she is corresponding with and whether she actually knows them.

Keep lines of communication open - Let your child know that she can approach you with any questions or concerns about behaviors or problems she may have encountered on the computer.

Consider partitioning your computer into separate accounts - Most operating systems (including Windows XP, Mac OS X, and Linux) give you the option of creating a different user account for each user. If you're worried that your child may accidentally access, modify, and/or delete your files, you can give her a separate account and decrease the amount of access and number of privileges she has.

If you don't have separate accounts, you need to be especially careful about your security settings. In addition to limiting functionality within your browser, avoid letting your browser remember passwords and other personal information. Also, it is always important to keep your virus definitions up to date.

Consider implementing parental controls - You may be able to set some parental controls within your browser. For example, Internet Explorer allows you to restrict or allow certain web sites to be viewed on your computer, and you can protect these settings with a password. To find those options, click Tools on your menu bar, select Internet Options..., choose the Content tab, and click the Enable... button under Content Advisor.

There are other resources you can use to control and/or monitor your child's online activity. Some ISPs offer services designed to protect children online. Contact your ISP to see if any of these services are available. There are also special software programs you can install on your computer. Different programs offer different features and capabilities, so you can find one that best suits your needs. The following web sites offer lists of software, as well as other useful information about protecting children online:

GetNetWise - http://kids.getnetwise.org/ - Click Tools for Families to reach a page that allows you to search for software based on characteristics like what the tool does and what operating system you have on your computer.

Yahooligans! Parents' Guide - http://yahooligans.yahoo.com/parents/ - Click Blocking and Filtering under Related Websites on the left sidebar to reach a list of software.

TIP-09: HOW DO EMAIL CLIENTS WORK?

Every email address has two basic parts: the user name and the domain name. When you are sending email to someone else, your domain's server has to communicate with your recipient's domain server.

For example, let's assume that your email address is johndoe@example.com, and the person you are contacting is at janesmith@anotherexample.org. In very basic terms, after you hit send, the server hosting your domain (example.com) looks at the email address and then contacts the server hosting the recipient's domain (anotherexample.org) to let it know that it has a message for someone at that domain. Once the connection has been established, the server hosting the recipient's domain (anotherexample.org) then looks at the user name of the email address and routes the message to that account.

How many email clients are there?

There are many different email clients and services, each with its own interface. Some are web-based applications, some are stand-alone applications installed directly on your computer, and some are text-based applications. There are also variations of many of these email clients that have been designed specifically for mobile devices such as cell phones.

How do you choose an email client?

There is usually an email client included with the installation of your operating system, but many other alternatives are available. Be wary of "home-brewed" software, because it may not be as secure or reliable as software that is tested and actively maintained. Some of the factors to consider when deciding which email client best suits your needs include:

- security - Do you feel that your email program offers you the level of security you want for sending, receiving, and reading email messages? How does it handle attachments? If you are dealing with sensitive information, do you have the option of sending and receiving signed and/or encrypted messages?

- privacy - If you are using a web-based service, have you read its privacy policy? Do you know what information is being collected and who has access to it? Are there options for filtering spam?

- functionality - Does the software send, receive, and interpret email messages appropriately?

- reliability - For web-based services, is the server reliable, or is your email frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons?

- availability - Do you need to be able to access your account from any computer?

- ease of use - Are the menus and options easy to understand and use?

- visual appeal - Do you find the interface appealing?

Each email client may have a different way of organizing drafted, sent, saved, and deleted mail. Familiarize yourself with the software so that you can find and store messages easily, and so that you don't unintentionally lose messages. Once you have chosen the software you want to use for your email, protect yourself and your contacts by following good security practices.

Can you have/use more than one email client?

You can have more than one email client, although you may have issues with compatibility. Some email accounts, such as those issued through your internet service provider (ISP) or place of employment, are only accessible from a computer that has appropriate privileges and settings for you to access that account. You can use any stand-alone email client to read those messages, but if you have more than one client installed on your machine, you should choose one as your default. When you click an email link in a browser or email message, your computer will open that default email client that you chose.

Most vendors give you the option to download their email software directly from their websites. Make sure to verify the authenticity of the site before downloading any files, and follow other good security practices, like using a firewall and keeping anti-virus software up to date, to further minimize risk.

You can also maintain free email accounts through browser-based email clients (e.g., Yahoo!, Hotmail, Gmail) that you can access from any computer. Because these accounts are maintained directly on the vendors' servers, they don't interfere with other email accounts.

TIP-08: HOW ANONYMOUS ARE YOU?

You may think that you are anonymous as you browse websites, but pieces of information about you are always left behind. You can reduce the amount of information revealed about you by visiting legitimate sites, checking privacy policies, and minimizing the amount of personal information you provide.

What information is collected?

When you visit a website, a certain amount of information is automatically sent to the site. This information may include the following:

- IP address - Each computer on the internet is assigned a specific, unique IP (internet protocol) address. Your computer may have a static IP address or a dynamic IP address. If you have a static IP address, it never changes. However, some ISPs own a block of addresses and assign an open one each time you connect to the internet - this is a dynamic IP address.

- Domain name - The internet is divided into domains, and every user's account is associated with one of those domains. You can identify the domain by looking at the end of the URL; for example, .edu indicates an educational institution, .gov indicates a US government agency, .org refers to an organization, and .com is for commercial use. Many countries also have specific domain names.

- Software details - It may be possible for an organization to determine which browser, including the version, that you used to access its site. The organization may also be able to determine what operating system your computer is running.

- Page visits - Information about which pages you visit, how long you stayed on a given page, and whether you came to the site from a search engine is often available to the organization operating the website.

If a website uses cookies, the organization may be able to collect even more information, such as your browsing patterns, which include other sites you've visited. If the site you're visiting is malicious, files on your computer, as well as passwords stored in temporary memory, may be at risk.
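To make the list above concrete, here is an added example (not part of the original tip) that shows what a site operator can reconstruct about a visitor from nothing more than the web server's own access log: the IP address, the browser and operating system taken from the User-Agent string, the pages visited, how long the visitor stayed, and whether they arrived from a search engine. The log lines, IP addresses, paths and site name example.org are constructed for the demonstration; no cookies are involved.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample traffic in the Apache/nginx "combined" log format.
# Addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24); nothing here is real.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:14:02:11 +0000] "GET /tips/anonymous.html HTTP/1.1" 200 5123 "https://www.google.com/search?q=online+privacy" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36"
203.0.113.7 - - [10/Mar/2013:14:03:40 +0000] "GET /tips/cookies.html HTTP/1.1" 200 4880 "https://example.org/tips/anonymous.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36"
198.51.100.23 - - [10/Mar/2013:14:05:02 +0000] "GET /tips/anonymous.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/536.28.10 (KHTML, like Gecko) Version/6.0.3 Safari/536.28.10"
"""

# One regex for the combined format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SEARCH_ENGINES = ("google.", "bing.", "yahoo.", "duckduckgo.")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def browser_of(ua):
    """Browser name and version from a User-Agent string. Chrome is tested before Safari
    because Chrome's User-Agent also carries the token 'Safari/'."""
    for name, pattern in (("Firefox", r"Firefox/([\d.]+)"), ("Internet Explorer", r"MSIE ([\d.]+)"),
                          ("Chrome", r"Chrome/([\d.]+)"), ("Safari", r"Version/([\d.]+).*Safari/")):
        m = re.search(pattern, ua)
        if m:
            return f"{name} {m.group(1)}"
    return "unknown"


def os_of(ua):
    """Operating system token from a User-Agent string."""
    m = re.search(r"(Windows NT [\d.]+|Mac OS X [\d_.]+|Android [\d.]+|iPhone OS [\d_]+|Linux)", ua)
    return m.group(1) if m else "unknown"


def referer_kind(referer, own_host):
    """Classify where a visitor came from: direct, a search engine, our own site, or elsewhere."""
    if referer in ("", "-"):
        return "direct"
    host = (urlparse(referer).hostname or "").lower()
    if any(tag in host for tag in SEARCH_ENGINES):
        return "search engine"
    if host == own_host or host.endswith("." + own_host):
        return "internal"
    return "external"


def profile_visitors(log_text, own_host):
    """Build, per client IP, the picture a site operator gets without any cookies:
    pages viewed, seconds between first and last request, browser, OS and how they arrived."""
    visitors = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        v = visitors.setdefault(rec["ip"], {
            "pages": [], "first": rec["time"], "last": rec["time"],
            "browser": browser_of(rec["ua"]), "os": os_of(rec["ua"]),
            "entry_referer": referer_kind(rec["referer"], own_host),
        })
        v["pages"].append(rec["path"])
        v["last"] = rec["time"]  # lines are assumed to be in chronological order
    for v in visitors.values():
        v["seconds_on_site"] = int((v["last"] - v["first"]).total_seconds())
        del v["first"], v["last"]
    return visitors


if __name__ == "__main__":
    for ip, info in profile_visitors(SAMPLE_LOG, "example.org").items():
        print(ip, info)
```

Every field in the result comes from the request itself; nothing had to be stored on the visitor's computer. Combine it with a reverse DNS lookup on the IP address and the operator also learns the visitor's domain, which is the "domain name" item above.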

How is this information used?

Generally, organizations use the information that is gathered automatically for legitimate purposes, such as generating statistics about their sites. By analyzing the statistics, the organizations can better understand the popularity of the site and which areas of content are being accessed the most. They may be able to use this information to modify the site to better support the behavior of the people visiting it.

Another way to apply information gathered about users is marketing. If the site uses cookies to determine other sites or pages you have visited, it may use this information to advertise certain products. The products may be on the same site or may be offered by partner sites.

However, some sites may collect your information for malicious purposes. If attackers are able to access files, passwords, or personal information on your computer, they may be able to use this data to their advantage. The attackers may be able to steal your identity, using and abusing your personal information for financial gain. A common practice is for attackers to use this type of information once or twice, then sell or trade it to other people. The attackers profit from the sale or trade, and increasing the number of transactions makes it more difficult to trace any activity back to them. The attackers may also alter security settings on your computer so that they can access and use your computer for other malicious activity.

Are you exposing any other personal information?

While using cookies may be one method for gathering information, the easiest way for attackers to get access to personal information is to ask for it. By representing a malicious site as a legitimate one, attackers may be able to convince you to give them your address, credit card information, social security number, or other personal data.

How can you limit the amount of information collected about you?

- Be careful supplying personal information - Unless you trust a site, don't give your address, password, or credit card information. Look for indications that the site uses SSL to encrypt your information. Although some sites require you to supply your social security number (e.g., sites associated with financial transactions such as loans or credit cards), be especially wary of providing this information online.

- Limit cookies - If an attacker can access your computer, he or she may be able to find personal data stored in cookies. You may not realize the extent of the information stored on your computer until it is too late. However, you can limit the use of cookies.

- Browse safely - Be careful which websites you visit; if a site seems suspicious, leave it. Also make sure to take precautions by increasing your security settings, keeping your virus definitions up to date, and scanning your computer for spyware.

Author: Mindi McDowell
Copyright 2005, 2008 Carnegie Mellon University.

TIP-07: DEBUNKING SOME COMMON MYTHS

There are some common myths that may influence your online security practices. Knowing the truth will allow you to make better decisions about how to protect yourself.

How are these myths established?

There is no one cause for these myths. They may have been formed because of a lack of information, an assumption, knowledge of a specific case that was then generalized, or some other source. As with any myth, they are passed from one individual to another, usually because they seem legitimate enough to be true.

Why is it important to know the truth?

While believing these myths may not present a direct threat, they may cause you to be more lax about your security habits. If you are not diligent about protecting yourself, you may be more likely to become a victim of an attack.

What are some common myths, and what is the truth behind them?

- Myth: Anti-virus software and firewalls are 100% effective.
  Truth: Anti-virus software and firewalls are important elements in protecting your information. However, neither of these elements is guaranteed to
  protect you from an attack. Combining these technologies with good security habits is the best way to reduce your risk.

- Myth: Once software is installed on your computer, you do not have to worry about it anymore.
  Truth: Vendors may release patches or updated versions of software, and some software even offers the option to obtain updates automatically. Making
  sure that you have the latest virus definitions for your anti-virus software is especially important.

- Myth: There is nothing important on your machine, so you do not need to protect it.
  Truth: Your opinion about what is important may differ from an attacker's opinion. If you have personal or financial data on your computer, attackers
  may be able to collect it and use it for their own financial gain. Even if you do not store that kind of information on your computer, an attacker who can
  gain control of your computer may be able to use it in attacks against other people.

- Myth: Attackers only target people with money.
  Truth: Anyone can become a victim of identity theft. Attackers look for the biggest reward for the least amount of effort, so they typically target
  databases that store information about many people. If your information happens to be in the database, it could be collected and used for malicious
  purposes. It is important to pay attention to your credit information so that you can minimize any potential damage.

- Myth: When computers slow down, it means that they are old and should be replaced.
  Truth: It is possible that running newer or larger software programs on an older computer could lead to slow performance, but you may just need to
  replace or upgrade a particular component (memory, operating system, CD or DVD drive, etc.). Another possibility is that there are other processes or
  programs running in the background. If your computer has suddenly become slower, you may be experiencing a denial-of-service attack or have
  spyware on your machine.

Author: Mindi McDowell
Produced 2006 by US-CERT, a government organization.

TIP-06: EMAIL ATTACHMENTS

Don't trust candy from strangers

Finding something on the internet does not guarantee that it is true. Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable. It is also easy for attackers to "spoof" email addresses, so verify that an email is legitimate before opening an unexpected email attachment or responding to a request for personal information.

Why can email attachments be dangerous?

Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers:
- Email is easily circulated - Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don't even require users to forward
  the email - they scan a user's computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take
  advantage of the reality that most users will automatically trust and open any message that comes from someone they know.
- Email programs try to address all users' needs - Almost any type of file can be attached to an email message, so attackers have more freedom with the
  types of viruses they can send.
- Email programs offer many "user-friendly" features - Some email programs have the option to automatically download email attachments, which immediately
  exposes your computer to any viruses within the attachments.

Authors: Mindi McDowell, Allen Householder
Copyright 2004, 2009 Carnegie Mellon University

TIP-05: AVOIDING SOCIAL ENGINEERING AND PHISHING ATTACKS

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:
- natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- epidemics and health scares (e.g., H1N1)
- economic concerns (e.g., IRS scams)
- major political elections
- holidays

How do you avoid being a victim?

- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.
- If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's
  authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in
  email.
- Don't send sensitive information over the Internet before checking a website's security.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different
  domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on
  a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also
  available online from groups such as the Anti-Phishing Working Group.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.
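The advice to pay attention to a link's URL and to check a website's security before sending anything can be turned into a simple check. The following is an added example, not code from the original tip or from US-CERT: it takes a link and the organisation's real domain (the one printed on a previous statement, as the text suggests) and reports whether the host matches, differs only in the suffix (.com vs .net), is a close misspelling of the real name, or is something unrelated, and whether the page is served over HTTPS. The domain examplebank.com and the URLs are constructed placeholders, and the two-label split of a hostname is a simplification that ignores country-code second-level domains such as co.uk.

```python
from urllib.parse import urlparse


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Split a hostname into (name, suffix) using its last two labels.
    Assumption/simplification: country-code second-level domains such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def check_link(url, expected_domain, max_edits=2):
    """Compare the host in a URL with the organisation's known domain.
    Returns the host seen, a verdict, and whether the link uses HTTPS."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    name, suffix = registrable_domain(host)
    want_name, want_suffix = registrable_domain(expected_domain)
    if name == want_name and suffix == want_suffix:
        verdict = "matches expected domain"
    elif name == want_name:
        # Same name, different top-level domain: the ".com vs .net" case from the tip.
        verdict = f"same name, different suffix (.{suffix} instead of .{want_suffix})"
    elif edit_distance(name, want_name) <= max_edits:
        # A few character changes away from the real name: the "variation in spelling" case.
        verdict = f"look-alike spelling of {want_name}"
    else:
        verdict = "unrelated domain"
    return {"host": host, "verdict": verdict, "uses_https": parts.scheme == "https"}


if __name__ == "__main__":
    # Constructed links; examplebank.com stands in for the real organisation's domain.
    for link in ("https://www.examplebank.com/login", "http://www.examplebank.net/login",
                 "https://www.exarnplebank.com/login", "https://login.unrelated-site.example/"):
        print(link, "->", check_link(link, "examplebank.com"))
```

Only the first link passes both tests (right domain and HTTPS). A match is still not proof of legitimacy, so the tip's other advice stands: when in doubt, contact the company using the details you already have rather than those in the message.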

What do you do if you think you are a victim?

- If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization,
   including network administrators. They can be alert for any suspicious or unusual activity.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been
  compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each
  account, and do not use that password in the future.
- Watch for other signs of identity theft.
- Consider reporting the attack to the police, and file a report with the Federal Trade Commission.

Author: Mindi McDowell
Copyright 2004, 2009 Carnegie Mellon University.

TIP-04: REAL-WORLD WARNINGS KEEP YOU SAFE ONLINE

Many of the warning phrases you probably heard from your parents and teachers are also applicable to using computers and the internet.

Why are these warnings important?

Like the real world, technology and the internet present dangers as well as benefits. Equipment fails, attackers may target you, and mistakes and poor judgment happen. Just as you take precautions to protect yourself in the real world, you need to take precautions to protect yourself online. For many users, computers and the internet are unfamiliar and intimidating, so it is appropriate to approach them the same way we urge children to approach the real world.

What are some warnings to remember?

- Don't trust candy from strangers -
Finding something on the internet does not guarantee that it is true. Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable. It is also easy for attackers to "spoof" email addresses, so verify that an email is legitimate before opening an unexpected email attachment or responding to a request for personal information.

- If it sounds too good to be true, it probably is -
You have probably seen many emails promising fantastic rewards or monetary gifts. However, regardless of what the email claims, there are not any wealthy strangers desperate to send you money. Beware of grand promises - they are most likely spam, hoaxes, or phishing schemes. Also be wary of pop-up windows and advertisements for free downloadable software - they may be disguising spyware.

- Don't advertise that you are away from home -
Some email accounts, especially within an organization, offer a feature (called an autoresponder) that allows you to create an "away" message if you are going to be away from your email for an extended period of time. The message is automatically sent to anyone who emails you while the autoresponder is enabled. While this is a helpful feature for letting your contacts know that you will not be able to respond right away, be careful how you phrase your message. You do not want to let potential attackers know that you are not home, or, worse, give specific details about your location and itinerary. Safer options include phrases such as "I will not have access to email between [date] and [date]." If possible, also restrict the recipients of the message to people within your organization or in your address book. If your away message replies to spam, it only confirms that your email account is active. This may increase the amount of spam you receive.

- Lock up your valuables -
If an attacker is able to access your personal data, he or she may be able to compromise or steal the information. Take steps to protect this information by following good security practices. Some of the most basic precautions include locking your computer when you step away; using firewalls, anti-virus software, and strong passwords; installing appropriate software updates; and taking precautions when browsing or using email.

- Have a backup plan -
Since your information could be lost or compromised (due to an equipment malfunction, an error, or an attack), make regular backups of your information so that you still have clean, complete copies. Backups also help you identify what has been changed or lost. If your computer has been infected, it is important to remove the infection before resuming your work. Keep in mind that if you did not realize that your computer was infected, your backups may also be compromised.  

Courtesy of the UNITED STATES COMPUTER EMERGENCY READINESS TEAM
Authors: Mindi McDowell, Jason Rafail, Shawn Hernan
Copyright 2004, 2009 Carnegie Mellon University

TIP-03: CHOOSING AND PROTECTING PASSWORD SERIES PART 3

How can you protect your password?

Now that you've chosen a password that's difficult to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don't tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords.

If your internet service provider (ISP) offers choices of authentication systems, look for ones that use Kerberos, challenge/response, or public key encryption rather than simple passwords. Consider challenging service providers that only use passwords to adopt more secure methods.

Also, many programs offer the option of "remembering" your password, but these programs have varying degrees of security protecting that information. Some programs, such as email clients, store the information in clear text in a file on your computer. This means that anyone with access to your computer can discover all of your passwords and can gain access to your information. For this reason, always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Other programs, such as Apple's Keychain and Palm's Secure Desktop, use strong encryption to protect the information. These types of programs may be viable options for managing your passwords if you find you have too many to remember.

There's no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

Authors: Mindi McDowell, Jason Rafail, Shawn Hernan
Copyright 2004, 2009 Carnegie Mellon University.

TIP-02: CHOOSING AND PROTECTING PASSWORD SERIES PART 2

How do you choose a good password?

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or "crack" them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Or the last four digits of your social security number? Or your address or phone number? Think about how easy it is to find this information out about somebody. What about your email password - is it a word that can be found in the dictionary? If so, it may be susceptible to "dictionary" attacks, which attempt to guess passwords based on words in the dictionary.

Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Your best defense, though, is to use a combination of numbers, special characters, and both lowercase and capital letters. Change the same example we used above to "Il!2pBb." and see how much more complicated it has become just by adding numbers and special characters.

Longer passwords are more secure than shorter ones because there are more characters to guess, so consider using passphrases when you can. For example, "This password is 4 my email!" would be a strong password because it has many characters and includes lowercase and capital letters, numbers, and special characters. You may need to try different variations of a passphrase - many applications limit the length of passwords and some do not accept spaces. Avoid common phrases, famous quotations, and song lyrics.

Don't assume that now that you've developed a strong password you should use it for every system or program you log into. If an attacker does guess it, he would have access to all of your accounts. You should use these techniques to develop a unique password for each of your accounts.

Here is a review of tactics to use when choosing a password:

- Don't use passwords that are based on personal information that can be easily accessed or guessed.
- Don't use words that can be found in any dictionary of any language.
- Develop a mnemonic for remembering complex passwords.
- Use both lowercase and capital letters.
- Use a combination of letters, numbers, and special characters.
- Use passphrases when you can.
- Use different passwords on different systems.
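The tactics in this list can be run as a checker over the examples used in the text ("hoops", "daytt", "IlTpbb", "Il!2pBb." and the passphrase "This password is 4 my email!"). This is an added example and not code from the original tip or from US-CERT. The word and phrase lists are tiny constructed stand-ins for a real dictionary and a list of common passwords; the 8-character minimum is an assumption, since the text gives no number; and the bit estimate is only the brute-force search space (length times log2 of the alphabet size), which is why the mnemonic-based passwords and the passphrase score well while the dictionary word does not.

```python
import math
import string

# Constructed word lists for the demonstration. A real check would use a full dictionary
# of several languages plus a list of breached or commonly used passwords.
DICTIONARY = {"hoops", "date", "password", "basketball", "summer", "letmein", "welcome"}
COMMON_PHRASES = {"to be or not to be", "may the force be with you", "i love you"}

# The four character classes the tip recommends mixing, with the size each adds to the alphabet.
CHARSET_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)


def character_classes(pw):
    """Which of the four classes (lower, upper, digit, symbol/space) the password uses."""
    return [chars for chars, _ in CHARSET_SIZES if any(c in chars for c in pw)]


def entropy_bits(pw):
    """Rough strength estimate: length * log2(size of the alphabet the password draws from).
    This is the brute-force search space; it says nothing about guessable patterns,
    which is why the dictionary and personal-information checks below exist."""
    space = sum(size for chars, size in CHARSET_SIZES if any(c in chars for c in pw))
    return len(pw) * math.log2(space) if space else 0.0


def evaluate(pw, personal_info=()):
    """Apply the review tactics from the tip: no dictionary words or common phrases, no personal
    information, mixed case, several character classes, and enough length."""
    findings = []
    # Strip digits and symbols first so "hoops1985" is still caught as the word "hoops".
    letters_only = "".join(c for c in pw if c.isalpha()).lower()
    if letters_only in DICTIONARY:
        findings.append("dictionary word")
    if pw.lower().strip() in COMMON_PHRASES:
        findings.append("common phrase")
    for item in personal_info:  # e.g. birth year, street number, phone digits supplied by the user
        if len(item) >= 3 and item.lower() in pw.lower():
            findings.append(f"contains personal information ({item})")
    classes = character_classes(pw)
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("not mixed case")
    if len(classes) < 3:
        findings.append("fewer than three character classes")
    if len(pw) < 8:  # assumption: the text recommends length but gives no minimum
        findings.append("shorter than 8 characters")
    return {"password": pw, "classes": len(classes), "bits": round(entropy_bits(pw), 1), "findings": findings}


if __name__ == "__main__":
    for candidate in ("hoops", "daytt", "IlTpbb", "Il!2pBb.", "This password is 4 my email!"):
        print(evaluate(candidate))
    print(evaluate("hoops1985", personal_info=("1985",)))
```

"daytt" passes the dictionary check but fails everything else, which matches the text's point that a misspelling alone is only a modest improvement; "Il!2pBb." and the passphrase produce no findings, and the passphrase has by far the largest search space because length counts for more than any single special character.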

Courtesy of the UNITED STATES COMPUTER EMERGENCY READINESS TEAM
Authors: Mindi McDowell, Jason Rafail, Shawn Hernan
Copyright 2004, 2009 Carnegie Mellon University

TIP-01: CHOOSING AND PROTECTING PASSWORD SERIES PART 1

Why do you need a password?

Think about the number of personal identification numbers (PINs), passwords, or passphrases you use every day: getting money from the ATM or using your debit card in a store, logging on to your computer or email, signing in to an online bank account or shopping cart... the list seems to just keep getting longer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, and maybe you've wondered if all the fuss is worth it. After all, what attacker cares about your personal email account, right? Or why would someone bother with your practically empty bank account when there are others with much more money? Often, an attack is not specifically about your account but about using the access to your information to launch a larger attack. And while having someone gain access to your personal email might not seem like much more than an inconvenience and threat to your privacy, think of the implications of an attacker gaining access to your social security number or your medical records.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that someone is the person they claim to be is the next step, and this authentication process is even more important, and more difficult, in the cyber world. Passwords are the most common means of authentication, but if you don't choose good passwords or keep them confidential, they're almost as ineffective as not having any password at all. Many systems and services have been successfully broken into due to the use of insecure and inadequate passwords, and some viruses and worms have exploited systems by guessing weak passwords.

Courtesy of the UNITED STATES COMPUTER EMERGENCY READINESS TEAM
Authors: Mindi McDowell, Jason Rafail, Shawn Hernan
Copyright 2004, 2009 Carnegie Mellon University

Copyright ©2013 GNS, INC.