Synergies Systems SecurityAdvisor

March 23, 2010

Don't plug in USB drives that you find lying around. Criminals can use them to steal your data

People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union. He loaded malicious software on old thumb drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged one of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

March 22, 2010

Protect files with a password

Your most important files can be protected with a password. For example, in Microsoft Word, you can create a password to open and a password to modify a file. Just go to Tools | Options and click the Security tab. Remember the password so you don't lock yourself out!

March 21, 2010

Patch and update on a regular basis

Because hackers are constantly looking for vulnerabilities, it is important to keep your software up to date and patched. Unpatched, out-of-date systems are a leading cause of security incidents. Take the time to ensure you have the most recent patches and updates installed.

March 20, 2010

Keep your password secret

Your password is like your bank account PIN - if you give your PIN to someone else, your bank is unlikely to pay you back if it is used to steal from your account. Likewise, your company expects you to use your password to stop others misusing your computer account. If you share your password, you may be held responsible for what other people do with it.

Article about percentage of users that would share their passwords:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci895483,00.html

March 19, 2010

Get a separate email address for postings

To secure your data and reduce SPAM sent to your business as well as to your private email account, get a dedicated address for internet postings. Never use your business email address for posting guestbook entries, votes, or questions and answers in forums and surveys. It's good to be reachable in these situations, but best to be anonymous.

March 18, 2010

If you are a victim of identity theft, report it immediately

Here are some things you should do.

  1. Contact the three major credit bureaus and have them place a fraud alert on your credit report.
  2. If a credit card was involved, contact the credit card company and close the account.
  3. Contact your local law enforcement agency and file a report.
  4. File a complaint with the Federal Trade Commission.
  5. Document all conversations so you know whom you spoke to and when.

March 17, 2010

Don't Trust Links Sent in Email Messages

A common fraud, called "phishing", sends messages that appear to be from a bank, shop or auction, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy stuff or transfer money out of the account. These fake sites can be hard to spot, so no reputable organization will send a message requesting your confidential information.

March 16, 2010

Don't click on links in pop-ups or banner advertisements

In July 2007, when iPhones were scarce and strongly in demand, botnet herders put software on already infected computers that redirected users browsing for iPhones to phony websites. The malware caused pop-ups and banner advertisements on infected computers; clicking on the provided links took users to the phony sites. People who attempted to buy iPhones from the sites were actually providing the Bad Guys with their personal and financial information. You can expect to see something similar for any fad that comes along. When your heart is tempted by the latest hot fad, don't throw caution to the wind.

March 15, 2010

Revoking security access isn't always enough

A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.

March 14, 2010

Beware of USB flash drive's autoplay feature

1. If you find a USB token in the wild, don't plug it into your USB port, as it could auto-install software if your system is set to autoplay CD-ROMs.
2. Though many organizations' standards call for disabling autoplay of CD-ROMs, you should check and set yours. To disable autoplay, follow these instructions (for WinXP):
3. Open My Computer.
4. Right-click on your CD-ROM drive and select "Properties".
5. Select the Autoplay tab and set each menu option to "Select an Action to Perform" = "Take no action".
6. Click Apply (you must apply each setting change one at a time!).
7. Repeat for each item in the list (alternatively ensure that all are set to "Prompt me for actio

March 13, 2010

Be better than James Bond

In Casino Royale, Bond chooses a password to protect a multi-million pound money transfer. What does he choose? His girlfriend's name - doh! Why bother torturing him when you could just guess his cunning plans? We can all do better than that. For most situations a password should be 8 characters long and be a mixture of letters, numbers and other characters and it should conform to company policy. It should not be a word you would find in a dictionary, the name of your spouse, partner, child, pet, favorite band or any of these followed by a single digit. Use common sense - Razorlight1 isn't a good choice if you have a poster of the band behind your desk.

March 12, 2010

Shh! Don't say it out loud. The cubes have ears

Office workspaces seem to be smaller and smaller. It is therefore harder to keep secrets when everyone is within earshot. When necessary use handwritten notes for transferring confidential information, and then shred the papers when done.

March 11, 2010

Be Skeptical When You Read Your Email

Keep asking "Why should I believe that?" It is important to remember that you can't trust the "from" address on e-mail from outside the organization, as it is often faked by fraudsters and viruses. If you didn't expect a message, link, or attachment from someone, ask yourself why you should trust that it really came from the apparent sender, and that it's safe. When in doubt, it's a good idea to call and verify that they sent you the message.

March 10, 2010

Use a password in only one place.

Reusing passwords or using the same password all over the place is like carrying one key that unlocks your house, your car, your office, your briefcase, and your safety deposit box. If you reuse passwords for more than one computer, account, website, or other secure system, keep in mind that all of those computers, accounts, websites and secure systems will be only as secure as the least secure system on which you have used that password. Don't enter your password on untrusted systems. One lost key could let a thief unlock all the doors. Remember: Change your passwords on a schedule to keep them fresh.

March 9, 2010

Avoid spam in your IM email account

Did you ever sign up with an Instant Messenger client so that you could chat with your buddies? Perhaps you have more than one running on the desktop. Each popular IM client comes conveniently with an email account, and each time there is an email associated with your IM screen name, you receive a notice as this account fills up. You can prevent the spam or any email notices from appearing by using a single filter. Since I added the following filter on my email account attached to my Yahoo IM, I no longer get these notifications. Simply add a filter that sends any message whose From address includes "@" directly to the trash. You will be able to communicate with all your IM buddies without the hassle of being notified of items coming into the inbox.

March 8, 2010

Don't Let Personnel Issues Become Security Issues; Terminate Computer Access Before You End a Contract or Tell People They Are Fired

Shortly before a labor union strike in August 2006, two Los Angeles transportation engineers allegedly disconnected traffic signals at four busy intersections. Subsequently, these disgruntled employees were accused of unauthorized access to a computer, identity theft and unauthorized disruption or denial of computer services. The danger posed to the public by these acts was significant even IF there were no accidents as a result of this action. Had the Department of Transportation revoked computer access as soon as it terminated the contracts of the two engineers, LA would have avoided the risk to the public. P.S. It took the city days to get the traffic control system back to normal.

March 7, 2010

What you ask people walking around inside your company offices without a valid identity card: "May I help you?"

Security comes before a false sense of social etiquette. If you see someone anywhere on your office premises whom you don't know, and who doesn't have a valid ID, go ahead and ask the question. You can't be too alert.

Submitted by Nitin Dewan

March 6, 2010

Make your password long.

At least eight characters long, and the longer the better. Passwords shorter than 8 characters are easy to crack. Follow these password rules. Avoid common words and proper names. Use both uppercase and lowercase letters, numbers, and symbols. Trouble is, who can remember a password like Fm79$#Xk? Try a passphrase instead: When I was 7, my dog Dolly went to Heaven. This contains 42 easy-to-remember characters, follows all the rules, and is in plain English. (Not every system will accept passphrases; when in doubt, try it out.) The odds against anyone cracking it even with the help of a supercomputer are astronomical. Make your passphrase original. Don't use familiar or famous quotations. Don't use any real names, especially your own, your family members', or your pets'. Nonsensical passphrases are the hardest to crack.

March 5, 2010

If you receive child pornography via email, report it to your manager or IT section immediately

Sending pornographic images of children is a serious criminal offense and most police forces will investigate promptly and insist that all traces are removed. When you report it, don't forward the image. Sending it on spreads the images across more systems, making it harder to clear up and causes needless distress to the person you are reporting it to.

March 4, 2010

Avoid Ad-hoc wireless networks

Disable automatic connection to any new networks and limit your connections to access point (infrastructure) networks only:
• Click the "Start" button and navigate to the "Control Panel" and then to "Network Connections."
• Right-click on the "Wireless Network Connection" and choose "Properties".
• Pick the "Wireless Networks" tab, then the "Advanced" button.
• Make sure that the check box next to "automatically connect to non-preferred networks" is not checked.
• Click on "Access point (infrastructure) networks only" to avoid ad hoc networks.
This configuration prevents you from automatically connecting to any new networks and refuses all ad-hoc networks, which have the potential to monitor traffic that passes through them.

March 3, 2010

Use anti-virus software

• Make sure you have anti-virus software installed on your computer and update it regularly.
• Warning: Out-of-date anti-virus software will not protect your computer from new viruses.

March 2, 2010

Choose a password that's hard to crack

When choosing a password, start by writing a sentence that you can easily remember. For example: "Los Angeles Lakers will win the NBA tournament this year". Then take the first letter of each word and add some special characters and numbers at the beginning or at the end (or at both ends). For example, from that sentence you could get the password: =3LALwwtNtty$. This method lets you come up with easy-to-remember passwords that are also hard to crack. And you avoid the need to write such a long password down in order to remember it.
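As an added illustration (this is not code from the original tips), a small Python helper that builds a password from a sentence's initials the way this tip describes, and checks candidates against the rules stated in the March 13, March 6 and March 2 tips (minimum length, a mix of character classes, no dictionary word or name, and no word followed by a single digit). The short wordlist is a constructed stand-in for a real cracking dictionary.

```python
import re
import string
from typing import List

# Constructed sample input, taken from the March 2 tip (not a real user's password).
SENTENCE = "Los Angeles Lakers will win the NBA tournament this year"

# Tiny stand-in for a cracking wordlist; a real checker would load a full dictionary
# plus names of family members, pets and bands, as the tips advise.
DICTIONARY_WORDS = {"password", "lakers", "razorlight", "dolly", "london", "welcome"}


def sentence_to_password(sentence: str, prefix: str = "", suffix: str = "") -> str:
    """Join the first letter of each word, keeping each word's case, then wrap the
    result in the caller's chosen digits and symbols (the March 2 method)."""
    initials = "".join(word[0] for word in sentence.split() if word)
    return f"{prefix}{initials}{suffix}"


def password_problems(candidate: str, min_length: int = 8) -> List[str]:
    """Return the tip rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    # Reduce the candidate to its letters and compare case-insensitively, so that
    # "Razorlight1" is caught as a word plus a single digit (the March 13 warning).
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in DICTIONARY_WORDS:
        if re.fullmatch(r"[A-Za-z]+\d", candidate):
            problems.append("dictionary word or name followed by a single digit")
        else:
            problems.append("dictionary word or name")
    return problems


if __name__ == "__main__":
    derived = sentence_to_password(SENTENCE, prefix="=3", suffix="$")
    for candidate in (derived, "Razorlight1", "Dolly"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

The checker only recognises whole words from its wordlist, so a passphrase that merely contains a name (the "Dolly" in the March 6 example) passes; that rule still needs human judgement.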

March 1, 2010

Use a strong voicemail password. This helps prevent crooks from hijacking your phone line or voicemail

A busy person set his voicemail password to match his extension. It seemed easy to remember but was also easy to guess. A prison inmate guessed the password and began using the account to communicate with fellow criminals—leaving messages for them and deleting legitimate messages.

The receptionist at a small business came into the office at 8:30 a.m. and the phones were ringing off the hook. She picked up one of the lines and was surprised to hear people talking in a foreign language. Turns out fraudsters were using the phone system to steal international long-distance phone time.

February 28, 2010

Hey, I know who you are and where you work! It says so right there on your badge

Security badges are meant to prove identity and display access privileges at work. They should never be worn outside of the office in public when going to lunch, taking a break, or even walking outside. Exposing your badge in public permits identity thieves to see your name, office, and possibly your level of security clearance. What's worse is that now the public knows what your badge looks like, thereby increasing the chances of successful forgery. Always remove and put away your badge when leaving work, even if just for a break.

February 27, 2010

Don't use information related to yourself as a password

Students at a school in London exploited a teacher's poor password selection to access grades and other school records. The teacher had used his daughter's name as a password, but became suspicious when students made reference to an excursion which had not yet been announced, so he changed his password to the registration number of his car, which was parked outside the school every day. When he received complaints from other teachers about grades being leaked, he changed it again, this time to his postcode. The students in question cracked this within days too.

February 26, 2010

Change that password!

A woman has been fined GBP 500 (US $975) for reading email messages from her previous employer's account. Susan Holmes had worked for a nanny agency that accepted registration forms through an AOL email account. The company neglected to change the account password after Holmes left, which allowed her access to the information. The company became suspicious after a noticeable decline in the amount of email they received on the account in the first few months of 2007. AOL connection logs revealed IP addresses that eventually led to Holmes being identified as the culprit. Last week, she pleaded guilty to unauthorized access to a computer, in violation of Section One of the Computer Misuse Act 1990.

February 25, 2010

A password should be used by only one person.

Passwords are like bubble gum; they are much better when used by only one person. If you share your computer with others, each person should have a unique account, username, and password. Don't allow another user to know or use your password, and don't ask another user if you can use theirs. When it's your turn to use the computer, log the last user off, and log on using your own username and password. When you take a break, don't leave your computer open. Log off or lock it. And remember: Passwords shorter than 8 characters are easy to crack; avoid common words and proper names; and use both uppercase and lowercase letters, numbers, and symbols.

February 24, 2010

Make sure the site you're ordering from protects your information crossing the Internet

This is shown by either a closed lock or an unbroken key at the bottom of the browser window. You can also check to see if the URL begins with https://. While https by itself is not an indication of a secure site, when it is combined with the lock or the unbroken key, then it indicates your data is being encrypted from prying eyes as it crosses the Internet. If you have https without the lock or key in the browser, then it has been faked and is not secure. Sometimes you may also encounter a pop-up box that indicates you are about to enter or leave a secure area.

February 23, 2010

Avoid default installations

Most software and hardware setup procedures are designed to get the product up and running with maximum functionality and minimum effort. One thing that usually slips is security. If you set up your external firewall with the suggested password from the installation instructions, how many others are set up just like that? Take the time to change the defaults; it will make the attacker's job just a little bit harder. Make sure to document the changes in a secure way.
