Security Tips








You Are The Target

One of the most important things to understand is that you are the cyber criminal's primary target. Many people have the misconception that cyber criminals target only large corporations or organizations, when in reality they also target individuals such as yourself. In addition, while these attackers use a variety of sophisticated tools, the simplest way to hack into an organization is by targeting people.

Unaware employees are an organization's greatest weakness: people make common mistakes, such as clicking on malicious links or plugging in an infected USB stick. As a result you have become the primary target. Your computer and your information have tremendous value to cyber attackers. Some examples include:

Data Theft: Cyber criminals can steal the organization's confidential information by hacking your computer or compromising your work accounts.

Identity Theft: Cyber criminals can steal your personal information, including credit card data, medical history or bank account details, and use it to commit fraud.

Attacking Others: Cyber criminals can use your computer to harm others, including hacking other computers, launching denial of service attacks or distributing spam.

What you may not realize is you are also a target when you are traveling, such as at an airport, a hotel or attending a conference. You are even under attack at home, when you and your family connect to the Internet. To help protect yourself, your family and our organization, always remember some core principles:

Always be cautious and assume you are a target. You may think you or your information does not have value but it does.
On the Internet attacks are a constant threat. If something seems suspicious or wrong, it most likely is.



Social Engineering

Now let's learn how cyber criminals are able to hack into our computers and how they steal our information. The more we understand who is attacking us and how, the better we can protect ourselves. One of the main techniques most cyber criminals use is social engineering. Social engineering is the art of manipulating people, usually by simply lying to them.

It is when an attacker pretends to be someone or something you know or trust, such as your bank, a well known organization or perhaps even a friend. They then use that trust to get what they want, often by simply asking for it. Let's take a look at a non-technical example and see how this works.

Let's say you are travelling and just checked into a hotel. You walk into your hotel room, set your bags on the floor and the phone rings.

You pick up the phone and there is a very nice lady at the other end. She introduces herself as Rebecca from the front desk. There is a problem with your check-in and she needs to confirm your credit card. She asks you to confirm your card, which you give her. She then says everything checks out and asks you to please enjoy your stay.

What you do not realize is that was really not Rebecca at the front desk. In reality that was a criminal calling every hotel room. The criminal is pretending to be the front desk, which people trust. She is then using that trust to get credit card numbers simply by asking for them. This is social engineering.

To protect yourself, if you get a phone call like this, hang up and call the front desk back, or walk down to the front desk in person. This way you know it is really the front desk you are talking to. Let's take a look at another example of social engineering. Let's say you receive an email, or perhaps a phone call, explaining that your computer is infected and you need to visit a website and install anti-virus.

You follow the instructions and go to the website. When you connect, the website pops up a window that appears to scan your computer and confirms you are infected. However, everything you see happening here is a lie; your computer is not infected. Instead the cyber criminal is trying to trick you into installing their software. If you install it, the criminal infects your computer and takes total control. The best way to protect yourself is not to install the software; simply close your browser. If the page will not let you close it, end the browser from Task Manager (or Force Quit on a Mac) rather than clicking anything on the page.

Remember, social engineering is nothing more than the cyber criminal building trust with you, then using that trust to get what they want. If you get an email or phone call that seems odd or suspicious it may be an attack. If you cannot verify who sent the email or who is on the phone, simply delete the email or hang up the phone.



Email & IM

Email and instant messaging are some of the most powerful methods in the cyber criminal's arsenal, simply because so many people use these technologies in their daily lives. What makes email so dangerous is cyber criminals can easily pretend to be someone or something you trust, such as your friend or your bank. These email attacks, often called phishing, work by tricking you into doing something.

For example, consider an email sent by a cyber criminal pretending to be a well known bank. The email looks very professional, including the bank's logo.

The email says there is a problem with your account and that if you do not update your account immediately, it will be deactivated. It then requires you to click on a link and login to the website.

If you click on this link you are taken to a website that looks real, but in reality is a website controlled by the cyber criminal and is designed to steal your information, including your login credentials.

Keep in mind, many email attacks go beyond just stealing your information; their goal is to infect your computer. For example, cyber criminals will send emails with links, just as we saw in the previous example. However, instead of sending you to websites that steal your information, these websites silently attack your browser, infecting your computer and taking it over. Or instead of links, criminals will send emails with infected attachments, again made to look like they come from a legitimate organization, in the hope that you will open the attachment.

Another attack type is the scam: emails telling you that there are millions of dollars sitting in Africa waiting for you to recover, or that you won a lottery you never entered. The goal of these scams is to get either your money or your information. The stories are often quite convincing, but are nothing more than cyber criminals attempting to fool you.

In addition to general email attacks, cyber criminals utilize a more focused attack called spear phishing. Spear phishing is a highly customized attack where only a few emails are sent to targeted individuals within our organization. These emails appear very realistic, often with a Subject that is relevant to the victim's job or appear to come from individuals that the victim highly trusts. Spear phishing attacks are harder to detect, but also require more work and research by the cyber criminal.

Finally, there is instant messaging. If instant messaging is allowed, be aware that, just like email, IM can be used for attacks like these.

With an up-to-date mail client, simply opening an email is usually safe. For most attacks to work you have to do something after reading the email, such as opening the attachment, clicking on the link, or responding to the request for information. To protect yourself keep the following in mind.

Just because an email comes from your friend does not mean the message is safe. Cyber criminals may have infected your friend's computer or spoofed the From address.

Be suspicious of any email directed to "Dear Customer" or some other generic salutation. It often means the sender does not know you.

Be skeptical of any email that requires "immediate action", creates a sense of urgency or simply threatens to shut down your account.

Do not click on links in unexpected emails. Copying the URL out of the email and pasting it into your browser is no safer: it takes you to the same website the criminal chose. Instead, type the website's address into your browser yourself, or use a bookmark you saved earlier. For example, if you get an email from your bank asking you to update your account, do not click on the link. Instead, type your bank's website into your browser, then login to the website directly.

Only open attachments you were expecting.

Using email and IM safely is ultimately about common sense. If a message sounds suspicious or too good to be true, it is most likely an attack. Simply delete the email. If you get a message and you are not sure if it is an attack, contact your help desk or information security team.
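The tells listed above (a generic salutation, pressure to act now, a link whose visible text names one site while it actually goes to another, and a risky attachment) can be checked mechanically. The script below is an added example written for this page, not a SANS tool or code from the original; the sample messages, sender addresses, domains and attachment are constructed, and the last-two-labels domain comparison is a deliberate simplification of a real public-suffix lookup.

```python
"""Added example, not code from the SANS page: score a message for the
phishing tells listed above. Sample messages, senders and domains are
constructed for the demo."""
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediate action", "immediately", "within 24 hours",
                   "will be deactivated", "will be suspended", "verify now")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member",
                       "dear account holder", "valued customer")
RISKY_ATTACHMENT_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".docm")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Hostname of a URL or of a bare domain such as www.example.com/menu."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return urlparse(url_like).hostname or ""


def registrable(host):
    """Last two DNS labels; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def analyze(msg):
    """Return a list of (finding, detail) tuples; an empty list means no tells."""
    findings = []
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()

    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append(("generic_salutation", "sender does not know your name"))
    if any(p in text for p in URGENCY_PHRASES):
        findings.append(("urgency", "message pressures you to act now"))

    extractor = LinkExtractor()
    extractor.feed(html)
    for href, visible in extractor.links:
        if href and URL_LIKE.fullmatch(visible):  # visible text itself looks like a URL
            shown, real = registrable(host_of(visible)), registrable(host_of(href))
            if shown != real:
                findings.append(("link_mismatch", f"shows {shown} but goes to {real}"))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXT):
            findings.append(("risky_attachment", name))
    return findings


def build_sample(sender, subject, html, attachment=None):
    """Assemble a constructed sample message in memory (not a real email)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "you@example.org", subject
    msg.set_content("Plain-text fallback.")
    msg.add_alternative(html, subtype="html")
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


PHISH = build_sample(
    "Example Bank <alerts@examp1e-bank-secure.net>", "Immediate action required",
    '<p>Dear Customer,</p><p>Your account will be deactivated unless you update it '
    'immediately at <a href="http://examp1e-bank-secure.net/login">'
    'https://www.examplebank.com/login</a>.</p>', attachment="statement.pdf.exe")
BENIGN = build_sample(
    "Alice <alice@example.org>", "Lunch on Friday?",
    '<p>Hi Bob,</p><p>Still on for lunch? Menu: '
    '<a href="https://www.example.com/menu">www.example.com/menu</a></p>')

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, analyze(sample))
```

Running it reports four findings for the constructed bank message and none for the lunch invitation. The link check is the one worth remembering: what an email shows you and where the link goes are two different things, and only the href counts.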



Browsing

Browsers are one of the primary ways we interact with the Internet, such as reading the news, shopping online or downloading files. Browsers are also one of the most dangerous applications you use because they provide an entry point into your computer.

Cyber criminals know this and as a result have developed techniques for attacking your browser. A common technique cyber criminals will use is to create tools that attack and exploit your browser, then place these attack tools on websites. When you visit these websites these malicious tools silently probe your browser and launch multiple attacks. If your browser is vulnerable, the attack will give cyber criminals control of not only your browser but potentially your entire computer, with no indication this occurred. Unfortunately there is no simple way to tell if a website is safe or malicious. Even legitimate sites can be compromised and used to attack you.

However, most modern browsers offer some protection. Most modern browsers maintain a list of known malicious websites, sites that intend to cause you harm. If you accidentally visit one of these known malicious websites, your browser will display a warning. If your browser warns you against visiting a website, do not connect to it.

In addition, a key step to protecting yourself is scanning all downloaded files from the Internet with anti-virus. When you download and install or run a new program, that program may be infected. It may appear to work just fine but will attempt to silently infect your computer. This is very common especially with free files, such as free screensavers or games. Be sure to scan anything you download with anti-virus.

Finally, there are some other steps you can take to protect your browser and yourself.

First, use the most current version of your browser and be sure it is always updated. This protects you from attackers exploiting known weaknesses in your browser and is one of the most effective ways to protect yourself.

Second, do not install plugins or add-ons into your browser unless you absolutely need them, they simply add more vulnerabilities for attackers to hack into. If you do have plugins installed in your browser, make sure you keep them updated. Just like your browser, you protect yourself by always using the latest version.

Finally, some browsers allow you to set specific security settings. Consider configuring your security settings to a higher level. While it might stop some legitimate sites from working, it will go a long way in keeping your system secure.



Social Networking

Social networking websites are one of the most exciting new technologies on the Internet. These are virtual, online communities allowing people to connect from around the world. On these sites you create an account, post information about yourself and then share that information with your friends, family and fellow employees. Different sites may be used for different purposes. Sites such as LinkedIn are often used for professional or work-related activities, while sites like Facebook are often used for personal activities.

Each of these sites has a different set up but they are all designed to let you decide what information you want to share, how often and with whom. What makes these sites so powerful is how easy it is to share with others and to watch and learn what others are doing. However, with these amazing capabilities come risks that you need to be aware of.

First, be careful what information you post as people can use that information to steal your identity, guess your passwords or commit online fraud. In some cases criminals may track your account and see when you are away on vacation, then break into your house. Attackers may also read your updates over time to create a profile that will help them perform identity theft.

Some websites such as Facebook offer privacy controls allowing you to control who can access what information. The problem with privacy controls is they are complex and change often. Also, they do not always work as you expect, so in many cases people who are not your friends can still access your information. The best way to protect yourself is to limit the amount of personal information you post. In fact, it is best to assume any information you do post will eventually become public, regardless of the privacy controls you use. If you do not want your boss, coworkers or family members to find out about it, do not post it.

You must also be careful of what others post about you. Even if you are careful and limit your personal information your friends may be posting confidential information or perhaps even personal photos. Ask your friends to be considerate of your privacy and track what they are posting about you. If they post anything you feel is inappropriate, ask your friends to remove the content or report it to the abuse department of the website.

Also, just like with email or instant messaging, be aware of cyber attackers that attempt to fool you. A common attack on social networking sites like Facebook or Twitter is for a criminal to hack into a person's account, then post messages pretending to be that person. Also, there is no verification of who someone is when they setup an account.

Someone can perform research on you, find a name of one of your friends from school, then create an account and pretend to be that friend. Either way these attacks are very powerful, you think it is your friend communicating with you when in reality it is a criminal.

For example, your friend may post that they were just mugged while traveling overseas and lost all their money and documentation. They desperately need help and ask if you or anyone else can transfer some money right away. The problem is that your friend was never mugged nor was your friend even traveling. Instead a criminal hacked into your friend's Facebook account, then posted the fake message pretending to be your friend.

In another example your friend's computer may be infected with malicious software. Once infected, their computer automatically posts messages with links to other websites. Usually these links take you to malicious websites designed to attack anyone who connects to them. If you get a suspicious message on a social networking site from a friend, call your friend to confirm whether they posted it.

Also be careful of third-party applications that integrate with social networking sites; they may be malicious or attempt to access your personal information. Just like with applications for your smartphone, only install applications that you need and from known, trusted sources. When you stop using a third-party application, uninstall it or revoke its access to your social networking profile.

Finally, do not post any confidential information about our organization on any websites. If you have any questions about what you can or cannot post about work, please ask your supervisor.



Mobile Devices

Mobile devices, such as smartphones or tablets, have become incredibly powerful. Not only can you call anyone in the world, but you can watch movies, read your email, bank online and even install apps. This combination of capabilities makes mobile devices very useful; however, it can also put you at great risk. To protect yourself, we recommend the following.

Just like your computer, install only apps that you need and make sure that you download them from trusted sources. Criminals can create apps that look real, but are actually malicious programs designed to quietly take control of your devices.

Just like your computer, backup your mobile device on a regular basis. This way if something happens to the device, your information is not lost.

Make sure you update your mobile device and apps on a regular basis. Cyber attackers can more easily exploit your devices if you are running outdated software.

If you have security software installed, such as anti-virus or a firewall, then make sure they are enabled and updated with the latest version.

Remember that many of the attacks you find in email can also arrive by text message on your smartphone. For example, cyber criminals can send text messages asking you to connect to malicious websites, download infected apps, or hand over private information such as your bank account details. If a text message seems suspicious or too good to be true, simply delete it.

Be careful when using Wi-Fi. Many mobile devices will automatically connect to Wi-Fi networks without asking you, putting your device at risk. Disable Wi-Fi if you are not using it.

Attackers can also take advantage of your Bluetooth capabilities. Just like Wi-Fi, disable Bluetooth when you are not using it. If you use Bluetooth, check your settings and disable any Bluetooth capabilities that you do not need. It is also important to turn off Bluetooth auto discovery.

Finally, when you lose a mobile device anyone can access all of your information including your emails, pictures or contact lists, unless it is protected. Protect your devices with a hard-to-guess password or PIN. If your device supports encryption, we recommend you use it. Also, consider enabling remote wiping. This means if your smartphone is lost or stolen, you can erase all your information remotely.



Passwords

Now let's learn about passwords. Passwords are how you login to a system.

If someone can gain access to your password, they can steal your digital identity and have access to all of your information. We often take passwords for granted, forgetting that we need to protect them well. Let's learn more about what makes a good password and how to use them safely. There are two key points to strong passwords.

First, you want passwords that are hard to guess. This means do not use passwords such as those you can find in the dictionary, your pets name or your birth date.

Second, use passwords that are easy to remember. If you keep forgetting your passwords they are not very helpful.

Cyber criminals have developed programs that automate the ability to guess, or brute force your passwords. This means they can break into your accounts if your passwords are easy to guess. To protect yourself follow these rules for good passwords.

You must have at least one number in your password.

You must have at least one lower case and one upper case letter in your password.

You must have at least one symbol in your password.

Let's take a look at a password that is easy to remember but hard to guess. A password built by taking the first letter of each word in a sentence (keeping any numbers and punctuation) looks random to an attacker, yet is easy for you to remember because you only have to remember the sentence:

My 1st son was born at Fairfax Hospital at 11:25.

By using phrases you can pick passwords that are easy to remember and hard for people to guess.
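The two ideas in this section, a password derived from a sentence and the automated guessing programs that defeat weak passwords, are shown together below. This is an added example written for this page, not code from SANS. The derivation rule (first letter of each word; words that begin with a digit keep their digits and colon) is one reasonable reading of the sentence above, the wordlist and the second user's password are constructed, and unsalted SHA-256 is used only to keep the demo short; a real password store should use a slow, salted hash.

```python
"""Added example, not code from the SANS page: build a password from the
sentence above, check it against the three rules, and run a small automated
guesser of the kind the text describes against two stored password hashes.
Wordlist, the second password and the hashing scheme are constructed."""
import hashlib
import re

SENTENCE = "My 1st son was born at Fairfax Hospital at 11:25."
RULES = {"number": r"\d", "lower": r"[a-z]", "upper": r"[A-Z]", "symbol": r"[^A-Za-z0-9]"}
WORDLIST = ["password", "fluffy", "fairfax", "summer", "welcome"]  # constructed


def passphrase_to_password(sentence):
    """First letter of each word; a word that starts with a digit keeps its
    digits and ':' so that '1st' -> '1' and '11:25.' -> '11:25'."""
    parts = []
    for word in sentence.split():
        parts.append(word[0] if word[0].isalpha() else re.match(r"[\d:]+", word).group())
    return "".join(parts)


def check_rules(password):
    """Map each of the three rules to whether the password satisfies it."""
    return {name: re.search(pattern, password) is not None for name, pattern in RULES.items()}


def candidates(words):
    """Mutations an automated guesser tries for every word: case changes,
    a numeric suffix and a trailing '!' (which together satisfy all three rules)."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in range(100):
                yield f"{base}{n}"
                yield f"{base}{n}!"


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(stored, words):
    """Try every candidate against the stored hashes; return {user: (guess, attempts)}."""
    by_hash = {digest: user for user, digest in stored.items()}
    found = {}
    for attempts, guess in enumerate(candidates(words), start=1):
        user = by_hash.get(sha256(guess))
        if user and user not in found:
            found[user] = (guess, attempts)
            if len(found) == len(stored):
                break
    return found


STORED = {  # constructed password store: a pet-name password and the passphrase one
    "bob": sha256("Fluffy12!"),
    "alice": sha256(passphrase_to_password(SENTENCE)),
}

if __name__ == "__main__":
    pw = passphrase_to_password(SENTENCE)
    print(pw, check_rules(pw))
    print(crack(STORED, WORDLIST))
```

Notice that "Fluffy12!" passes all three rules yet falls in a few hundred guesses, because guessers try exactly these mutations of dictionary words and pet names. The three rules are necessary, not sufficient; the sentence-derived password survives the whole candidate set because it is not built from a word at all.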

In addition to strong passwords, you must protect how you use and control them.

First, be sure to use different passwords for different accounts. For example, never use the same passwords for your work or bank accounts as your personal accounts, such as Facebook, YouTube or Twitter. This way if one of your passwords is hacked, the other accounts are still safe.

Second, never share your password with anyone else, including a supervisor. Remember, your password is a secret, if anyone else knows your password it is no longer secure. If you accidently share your password with someone else, change it immediately.

Third, never use a public computer such as at hotels or libraries to log into a work or bank account. Since anyone can use these computers, they may be infected with malicious code that captures all your keystrokes. Only login to your work or bank accounts on trusted computers you control.

Fourth, if you are no longer using an account, be sure to disable or delete it.

Finally, be careful of websites that require you to answer personal questions. These questions are often used if you forget your account password and need to reset it. The problem is the answers to these questions can often be found on the Internet, or even your personal Facebook page. Make sure that if you answer personal questions you use only information that is not publicly known. If the website provides other reset options, such as an SMS message to your mobile phone, you may want to consider these alternatives.



Encryption

Encryption protects your information by making it unreadable or unusable by anyone that does not have your key. For example encryption allows you to secure communications over the Internet so no one can monitor or sniff your activity.

It also protects data on your mobile devices in case you lose them, such as your laptop. Let's learn more about how encryption works and how it helps protect our information.

When information is not encrypted, it is called clear text. This means anyone who gets hold of it can read it. For example, when you send an email or visit a website without encryption, everything you transmit can be read by anyone able to intercept it along the way.

To protect your information you need to encrypt it. Encryption takes the information and converts it into data that looks random and that no one can access unless they have the key. This is called cipher text. Now you can send the same message over the Internet and not have to worry about someone intercepting and reading it.

Encryption works with a key, the key is what locks or unlocks your information just like a key can lock or unlock a door. To protect your encrypted data only you should have access to the key. Examples of things you can encrypt include the following.

Any mobile devices, such as your laptop, smartphone or USB sticks. This is very important, especially if you lose any of these or have one stolen.

Your communications such as Email, Voice over IP, or Instant Messaging.

When you visit confidential websites, such as online banking or shopping.
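The clear text, cipher text and key relationship described above, as an added example that is not part of the original page. The cipher chosen here is a one-time pad (XOR of the message with a random key of the same length), picked because it is the shortest cipher that shows all three pieces; the disk encryption and HTTPS the page refers to use AES or similar instead. The message is constructed. The last function shows the one rule the pad depends on: the key is used once.

```python
"""Added example, not code from the SANS page: clear text, cipher text and
the key, shown with a one-time pad. Disk encryption and HTTPS use AES or
similar; the pad is used here only because it makes the idea visible."""
import secrets

MESSAGE = b"Meeting moved to room 402 at 09:30"  # constructed clear text


def generate_key(length):
    """A fresh random key; only the holder of these bytes can unlock the message."""
    return secrets.token_bytes(length)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, clear_text):
    """Clear text -> cipher text. The pad must cover the whole message."""
    if len(key) < len(clear_text):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(key, clear_text)


def decrypt(key, cipher_text):
    """Cipher text -> clear text; XOR with the same key undoes the encryption."""
    return xor_bytes(key, cipher_text)


def roundtrip(message=MESSAGE):
    """Encrypt, decrypt with the right key, and decrypt with a wrong key."""
    key = generate_key(len(message))
    cipher_text = encrypt(key, message)
    return {
        "cipher_text": cipher_text,                       # looks random on the wire
        "recovered": decrypt(key, cipher_text),           # the key unlocks it
        "wrong_key": decrypt(generate_key(len(message)), cipher_text),  # garbage
    }


def key_reuse_leaks(m1, m2):
    """Why the pad is 'one-time': with the same key, XOR of the two cipher
    texts equals XOR of the two clear texts, so the key drops out entirely."""
    key = generate_key(max(len(m1), len(m2)))
    c1, c2 = encrypt(key, m1), encrypt(key, m2)
    n = min(len(m1), len(m2))
    return xor_bytes(c1, c2) == xor_bytes(m1[:n], m2[:n])


if __name__ == "__main__":
    result = roundtrip()
    print("cipher text:", result["cipher_text"].hex())
    print("recovered:  ", result["recovered"])
    print("wrong key:  ", result["wrong_key"])
    print("key reuse leaks plaintext relation:", key_reuse_leaks(b"attack at dawn", b"attack at dusk"))
```

Two things the page's wording implies but does not spell out: the cipher text is exactly as long as the message (encryption hides content, not size), and protecting the key is the whole game, which is why the same key must never be used twice with a pad and why a lost laptop is only safe if its disk encryption key is locked behind a password you did not write on the lid.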


These security tips provided by www.sans.org