Information Security News Alert January 2016
Security Awareness Top 10
10 lists to keep you secure at work, at home, and on the road!
+ Phishing Scams + Security Quotes + 2015 News Stories + Staying Safe at Work + Social Media Security + LOTS MORE!
QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu
Bob Lavner 508-767-7006 blavner@assumption.edu
DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.
WE ALL LOVE TOP TEN LISTS, RIGHT? Places to visit. Foods to try. Things to do. So, of course, we made ten lists of the Top Ten Best Security Practices for Work, at Home and On the Road. We encourage you to share these lists with friends, family members and co-workers! Print them, hang them and email them to spread the good message of security awareness. Help make the internet a safer place for all of us! (Make sure you know how much and what kind of sharing your policy allows.)
TOP 10 BEST PROFESSIONAL SECURITY PRACTICES
1. Follow policy at all times, and know where to find policy documents for easy reference.
2. When in doubt, ask!
3. Suspect something? REPORT IT IMMEDIATELY!
4. Memorize the numbers & email for whom to contact in case of emergency or where to report a potential security incident.
5. Err on the side of caution.
6. Don’t click thoughtlessly (which causes more than 90% of data breaches).
7. Be aware of your surroundings, in all three domains: cyber, physical and human.
8. Be very selfish about sharing company information via email, phone or social media.
9. Trust but verify anything that can affect our security here at work.
10. Utilize our security awareness program and resources. Keep yourself up-to-date and in-the-know.

TOP TEN Best PERSONAL Security Practices
1. Don’t click on unknown stuff. Use common sense.
2. Set up a password-protected WiFi network with a non-broadcasting SSID.
3. Never leave technology in a car. If you own it, protect it.
4. Practice strong organization of hard copies. It’s an old skill well worth honing. (Yes, a file cabinet is still of value, and it’s more secure if you have a lock on it.)
5. Avoid personal disasters by using surge protectors, keeping liquids away from all technology and keeping devices out of reach of the youngest family members.
6. Use a unique password for every single online account.
7. Change your password often. It may seem like a hassle, but it really helps. Get a password manager!
8. Keep an additional backup of your personal information on a hard drive. The cloud is great, but remember, the cloud is just another word for “someone else’s computer,” so keep that in mind when storing private information or photos.
9. The less you share on social media, the better. Again, USE COMMON SENSE! Know what information you should and should not share.
10. Create a home and family security policy for you and everyone in your family to follow.

Top Ten Best MOBILE Security Practices
1. On all personal devices, install anti-virus and/or malware detection apps.
2. Set up a lock screen with a pattern, PIN or password.
3. Use a VPN (Virtual Private Network) when accessing the internet on free WiFi. Without a VPN, the bad guys can easily steal your login credentials, see your photos and obtain your banking information.
4. Enable remote wipe and know how to erase all data in the event that your device is lost or stolen.
5. Only install apps from trusted sources. If you are unsure, google the app and check other users’ reviews. If the app is asking for more permissions than you think it needs – especially your social security number, credit card or banking information – do not install it.
6. Backup your mobile device. If it is ever lost or stolen, you won’t lose all your contacts and photos.
7. Keep your mobile software (apps and OS) up to date. Ignoring updates could put you at risk for malware. Updating your system often keeps your device running as quickly and smoothly as possible.
8. Don’t “jailbreak” your phone or buy one that has been “jailbroken.” Mobile developers put those security measures in place for a reason, and removing them can weaken the overall security of your phone.
9. Turn off Bluetooth when it’s not in use. Criminals can use a technique called “drive-by hacking” to access the personal information stored in your phone just by using Bluetooth.
10. Don’t click on links, photos or videos in text messages from an unknown source. These can be mobile phishing attacks, and they can wreak havoc on your mobile device.
Top 10 Ways to Keep Your Kids Safe Online
1. GIVE THEM REASONS: Talk to your kids about the importance of online safety and security awareness. If they understand the why behind your concern, they will be more inclined to follow the what behind your rules.
2. PRACTICE WHAT YOU PREACH: Create a home security policy that everyone in the family follows. Use this Human Firewall Pledge as a starting point.
3. INSTALL & INFORM: Install parental controls or child-monitoring software, especially if you have younger kids. Explain to your kids why this software is necessary.
4. BACK IT UP: Backup should be set to run automatically every day! Copy all of your important family data to a separate hard drive. You don’t want to lose any of those family photos, financial documents, medical files and school reports!
5. INDIVIDUAL ACCOUNTS: Each person should have their own user account on shared home devices. Only use the admin account when absolutely necessary.
6. BE AWARE: Know what your kids are doing online, where they are “hanging out,” and with whom they communicate.
7. PASSWORDS ARE PRIVATE: Stress to your kids the importance of never sharing their passwords, not even with a best friend. If they have already shared their passwords, make sure they change them immediately.
8. DON’T BELITTLE THEM: Kids are smart. Teach them about common online scams so they can learn how to detect and avoid them. Also, listen to them. They may know about a scam before you do!
9. THE INTERNET IS FOREVER: Tell children to be careful about what they post online, not only to protect their personal identity and safety, but to ensure a clean slate for their future. Your child may have a difficult time finding a job when they’re older if they have posted inappropriate photos or participated in cyberbullying. They need to know that once something is posted on the internet, it can never be “taken back.”
10. PAY ATTENTION: Notice your child’s behavior on and off the internet. Not only do you need to prevent them from participating in cyberbullying, you should also notice if they are the target and take appropriate action to report it.
TOP TEN WAYS TO KEEP Personally Identifiable Information PRIVATE
[Graphic: examples of PII – Full Name, Address, DOB, Birthplace, SS#, DL#, Genetic Info]
ONE: Make sure you know what kinds of PII you handle at work and who is entitled to have access to it.
TWO: Learn to recognize social engineering attacks and don’t give out PII to someone trying to extract it from you—whether it’s yours or that of a customer!
THREE: Stay on top of industry-specific regulatory guidelines. Follow any and all compliance standards.
FOUR: At work or when working away from the office, always follow policy regarding proper handling, sharing and emailing PII.
FIVE: When using mobile devices, make sure PII is always fully encrypted.
SIX: Only write down PII when absolutely necessary, and if you do, be sure to completely destroy the piece of paper once it is no longer needed.
SEVEN: If you work with POS terminals, follow PCI guidelines: keep a close eye on the machine and credit card receipts. If you notice any new equipment has been added to the terminal or that the receipt is printing the entire credit card number, report it immediately.
EIGHT: Do not share PII unless there is an explicit reason to do so.
NINE: Avoid putting PII on USB thumb drives and similar portable media. If necessary, it should be encrypted.
TEN: Shred, shred, shred!!! Make sure any documents with customer information are completely shredded or destroyed as per policy before throwing them away.
Still not sure what PII is? Check out this blog post to learn more! blog.thesecurityawarenesscompany.com/what-is-pii/
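A defender-side check for items SEVEN and TEN above (a receipt printing the entire card number, or a document full of customer information about to leave the building) can be automated. The Python scanner below is an added example written for this page; it is not code from the newsletter or from the Security Awareness Company. It finds unmasked payment card numbers using the Luhn checksum that card numbers satisfy, plus SSN-formatted strings, and reports each one masked so the report itself does not become another copy of the PII. The receipt lines are constructed sample input.

```python
"""Scan text (receipt output, a document about to be shared, a log line) for
unmasked payment card numbers and SSN-formatted strings, reporting each one
masked so the report itself does not become a new copy of the PII.
Sample lines below are constructed for this example."""
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number layout: NNN-NN-NNNN
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum that every payment card number satisfies; it weeds out
    order numbers and other digit runs of the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits, the way a compliant receipt prints them."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text):
    """Return (kind, masked_value) for each card number or SSN found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def scan_lines(lines):
    """Scan a list of lines; return (line_number, kind, masked_value) triples."""
    results = []
    for number, line in enumerate(lines, 1):
        for kind, masked in find_pii(line):
            results.append((number, kind, masked))
    return results


# Constructed receipt/form lines. 4111 1111 1111 1111 is a Luhn-valid sample
# number; the "Order" digits are the same length but fail the checksum.
SAMPLE_LINES = [
    "Card: 4111 1111 1111 1111  Exp 09/18",   # full PAN printed: must be reported
    "Card: **** **** **** 1111  Exp 09/18",   # correctly masked: no finding
    "Order 1234 5678 9012 3456 paid in full",  # 16 digits, not a card number
    "Applicant SSN 123-45-6789",               # SSN on a form: must be reported
]

if __name__ == "__main__":
    for number, kind, masked in scan_lines(SAMPLE_LINES):
        print(f"line {number}: unmasked {kind} found ({masked})")
```

Run against a receipt export or a text dump of a document, the scanner reports only the line and the last four digits; the Luhn test is what keeps a 16-digit order number from being flagged as a card. Any line that does trip it is exactly the situation item SEVEN says to report immediately.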
Top 10 Ways to Avoid Phishing Scams
1. Stop clicking so fast. Read each message as it comes in, and think before you click.
2. Mouse-over links to see what really lies beneath the URL.
3. Beware of poor spelling and grammar. They are big, red flags that an email is probably a phishing attack.
4. If you receive an email asking you to login to your account, don’t login through the email. Open a new browser tab, type in the URL and login to your account through the website.
5. Verify the email address and company logos. Scammers can change a single letter in an email address or slightly change the color of a logo to make them look quite similar and easily undetectable.
6. If an email says you have a date with your favorite movie star or that some uncle you’ve never heard of wants to send you money, it is probably a phishing attack.
7. If you have agreed to sell an item through an online marketplace, and someone offers to pay more than what the item is worth, it is a scam.
8. There are new phishing scams being sent every day, and they are getting more refined. Read security blogs and stay in the know about the latest risks, threats & ways to protect yourself through common sense and security awareness. (One fun and informative blog that you can check out is blog.thesecurityawarenesscompany.com)
9. Notify companies such as Amazon, PayPal or your bank if you receive a phishing email masquerading as a real message.
10. Phishing emails often come with malware attached. Scan incoming emails with anti-virus and anti-malware software.
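Items 2 and 5 above (look at where a link really points; watch for a single changed letter in the sender’s address) are the kind of check a help desk or mail admin can run over a reported message before anyone clicks. The Python script below is an added example written for this page, not code from the newsletter or the Security Awareness Company. The trusted-domain list, the sample message and every domain in it (paypa1.com, account-verify.example) are constructed for the demonstration.

```python
"""Two phishing indicators from the list above, checked mechanically:
  - link text that shows one web address while the href points at another
  - a sender domain one typo away from a domain the organisation trusts
All sample data below is constructed for this example."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list (assumption): domains mail is legitimately expected from.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "assumption.edu"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain):
    """Return the trusted domain that sender_domain imitates, if it differs by
    exactly one changed, added or dropped character; None otherwise."""
    if sender_domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(sender_domain, trusted) == 1:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or URL-looking text (leading www. dropped), or ''."""
    text = text.strip()
    if not re.match(r"^(https?://)?[\w.-]+\.[A-Za-z]{2,}(/|$)", text):
        return ""
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def phishing_indicators(raw_message):
    """Return human-readable findings for one single-part HTML message."""
    msg = message_from_string(raw_message)
    findings = []
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if match:
        imitated = lookalike_domain(match.group(1).lower())
        if imitated:
            findings.append(
                f"sender domain {match.group(1)} is one character away from {imitated}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


# Constructed sample: the sender domain swaps an l for a 1, and the link's
# visible text does not match where the href really goes.
SAMPLE = """From: PayPal Service <service@paypa1.com>
To: user@example.com
Subject: Your account has been limited
Content-Type: text/html

<p>Please visit <a href="http://paypal.com.account-verify.example/login">www.paypal.com/login</a>
to restore access, or contact <a href="mailto:help@paypa1.com">support</a>.</p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("WARNING:", finding)
```

Both checks are deliberately conservative: a link whose text is plain words (“support”) is not compared, and www.paypal.com versus paypal.com is treated as the same host, so the script only speaks up when the displayed address and the real one genuinely disagree or when the sender is one keystroke from a domain you trust. Neither finding proves phishing on its own, which is why the list says to report rather than to decide.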
The Top 10 Ways to Stay Safe on Social Media
1. Never post PII (such as your address or phone number), or photos containing PII (like photos of your driver’s license or paycheck).
2. Less is more, and by ‘less is more’ we mean, ahem... less information, of course!
3. When selecting & answering security questions, don’t answer them as you but as your favorite TV or literary character. This way, no one can ever guess the answers based on your social media account.
4. Limit work history details on LinkedIn, and avoid sharing your job title and company information on Facebook, Twitter and other social media sites. Detailed work history can be used by criminals to guess passwords, and even get a loan or new credit card in YOUR name.
5. Google yourself! Not only is this a good way to see what information about you is readily available to the public, it can also help you find anyone who is trying to impersonate you or steal your identity.
6. Remember: If you wouldn’t say or do it in public, don’t post it online. The internet is forever.
7. FRIEND only people you know in real life.
8. Follow your company’s policy for social media posting. Even if you don’t mention specific names or details, a post as simple and seemingly harmless as “I hate my boss.” or “I had to deal with the rudest customer today.” could get you fired.
9. If you suspect your account has been compromised, notify the website and change your password immediately.
10. Know the privacy guidelines of each site that you use, and take the time to check and update YOUR privacy settings every few weeks. You are the only one responsible for protecting your privacy & that of your family.

Top 10 Ways to Stay Safe at Work
1. Follow a CLEAN DESK policy.
2. Use work policy as a guide for all social media and online behavior.
3. Make sure your colleagues know and understand work policy.
4. Understand data classification & handling procedures as laid out in the policy at work.
5. Know and follow data retention and disposal policies.
6. Only use devices approved by organizational policy.
7. Follow all policy regarding USB drives and portable media.
8. Know how to easily and quickly access company policy for reference.
9. Ask your manager regularly for any policy changes or updates pertinent to you and your job function.
10. Did we mention that you should always follow policy?
TOP 10 TWEET-WORTHY QUOTES ON SECURITY AND PRIVACY
1. Without ethical hackers, we would all be left helpless at the mercy of malicious attackers. Rather than seeing ethical hackers as criminals, we should instead recognize their contributions to the state of security. —Georgia Weidman
2. The user’s going to pick dancing pigs over security every time. —Bruce Schneier, American cryptographer, computer security & privacy specialist
3. There are only three groups of people in the U.S.: those whose identities have been stolen, those who do not know their identities have been compromised, and the identity theft thieves. My advice: put a freeze on your credit now. —Joy Gumz
4. If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees. —Kahlil Gibran, Lebanese-American artist and poet
5. The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. —Gene Spafford, American professor of computer science and leading computer security expert
6. Passwords are like underwear; you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers. —Chris Pirillo
7. If you spend more on coffee than on IT Security, you will be hacked. What’s more, you deserve to be hacked. —Richard Clarke
8. The problem of viruses is temporary and will be solved in two years. —John McAfee, 1988 (founder of McAfee Antivirus)
9. Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them. —Gosser
10. Why does security fail? Apathy, arrogance and ignorance. —Winn Schwartau
BONUS QUOTE: Have you tried turning it off and back on again? —Roy Trenneman, The IT Crowd

#CYBERNEWS STORIES OF 2015
AnonyMouse @AnonyMouse • Nov 16: Anonymous declares war on ISIS after Paris attacks. http://tinyurl.com/o8568t9
Cat Tweets @ThisCatTweets • Nov 8: What Happens to Hacked Social Media Accounts? http://tinyurl.com/p43zh7r
Ninja Cat @anklebiter • Oct 29: The Death of Safe Harbor - http://tinyurl.com/q85frqe and http://tinyurl.com/p8crrxm
Sir Napsalot @catnaps • Oct 27: CIA Director Uses AOL Email and Gets Hacked. http://tinyurl.com/nnhsvyu
Kitten Little @klittle • Oct 26: Cyber Security lessons learned from the Ashley Madison Hack. http://tinyurl.com/nsfybsv
Hipster Kitty @unheardof • Oct 15: Apple Security Honeymoon Ends. http://tinyurl.com/px8hrn5
General Meow @GenMeow • Sept 25: US and China agree on cyber deal. http://tinyurl.com/oo5d8m9
PolitiCat @politicat • Sept 10: John McAfee announces he’s running for president under the Cyber party. http://tinyurl.com/qheoe8z
BroCat @BroCat • July 10: OPM & IRS Data Breaches (April & May respectively) http://tinyurl.com/q9wvp6x
DaBoss Cat @bosscat • Apr 9: Man attempts to hire hacker via Craigslist to wipe his legal fines from court computer system - http://tinyurl.com/qa2dned