National Cyber Security Awareness Month (NCSAM), celebrated every October, was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. See more at: http://staysafeonline.org/ncsam/about/
1. Recognizing Phishing Emails
For the first step of Cyber Security Awareness, let's look at some best practices for recognizing phishing/spam emails, which may also contain malicious attachments or hyperlinks.
What is phishing?
Phishing (pronounced "fishing") is a type of online identity theft. It uses email and fraudulent websites designed to steal your personal information, such as credit card numbers, passwords, or account data.
Con artists might send millions of fraudulent email messages with links to fraudulent websites that appear to come from websites you trust, like your bank or credit card company, and request that you provide personal information. Criminals can use this information for many different types of fraud, such as to steal money from your account, to open new accounts in your name, or to obtain official documents using your identity.
What does a phishing email message look like?
Here is an example of what a phishing scam in an email message might look like.
Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam.
Beware of links in email. If you see a link in a suspicious email message, don't click on it. Rest your mouse (but don't click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's web address.
Links might also lead you to .exe files. These kinds of files are known to spread malicious software.
Threats. Have you ever received a threat that your account would be closed if you didn't respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised.
Spoofing popular websites or companies. Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows.
Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered.
For more information on how to recognize and identify phishing emails, visit https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx
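The link tricks described above (a displayed address that differs from the real one, a bare numeric host, an .exe download, and a lookalike of a trusted domain) can be checked mechanically over an email's HTML body. This is an added example, not code from the article; the sample message, the `example-bank.com` brand and the `.test` hosts are constructed, and the host-to-domain reduction is deliberately crude (no public-suffix list).

```python
"""Flag link tricks from the checklist above: shown/real host mismatch, bare-IP host, .exe download, lookalike domain."""
import ipaddress
import re
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-bank.com"  # assumed brand the mail claims to be from
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Crude brand.tld reduction (last two labels; no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_link(href, text):
    """Return the reasons one link looks suspicious (empty list if none)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if is_ip_literal(host):
        reasons.append("points to a bare IP address")
    if urlparse(href).path.lower().endswith(".exe"):
        reasons.append("downloads an .exe file")
    text = re.sub(r"<[^>]+>", "", text).strip()       # visible anchor text only
    if "." in text and " " not in text:                # the text itself looks like a URL
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"shows {shown} but goes to {host}")
    if TRUSTED_DOMAIN.split(".")[0] in host and registrable(host) != TRUSTED_DOMAIN:
        reasons.append(f"lookalike of {TRUSTED_DOMAIN}")
    return reasons

def scan_email(html):
    """Map each href in the message body to its list of warning reasons."""
    return {href: check_link(href, text) for href, text in ANCHOR_RE.findall(html)}

# Constructed phishing-style message body for demonstration.
SAMPLE = """<p>Your account will be closed unless you verify now.</p>
<a href="http://203.0.113.7/login">https://www.example-bank.com/login</a>
<a href="http://example-bank.com-secure.test/verify">Verify your account</a>
<a href="https://www.example-bank.com/help">Help center</a>
<a href="http://files.test/update.exe">Install security update</a>"""

if __name__ == "__main__":
    for href, why in scan_email(SAMPLE).items():
        print("SUSPICIOUS" if why else "ok", href, "; ".join(why))
```

Only the help-center link, whose visible text and real host agree on the trusted domain, comes back clean.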
2. Passwords and Best Practice Recommendations
For the second step of Cyber Security Awareness, let's identify best practice methods for maintaining secure passwords.
Make passwords hard to guess
Passwords based on personal information easily obtained from the net -- such as account name, actual first or last name, initials of the name, system name, etc. -- are extremely easy to guess and should never be used. Hackers are also on to all the usual tricks, such as spelling a name backwards or simple substitution of characters. Certain easily-guessed words are also commonly used as (poor) passwords -- such as "guest", "password", "secret", etc. -- and should never be used as passwords.
Hackers also have easy access to very powerful password-cracking tools incorporating extensive word and name dictionaries. Passwords should never be dictionary words or names. The cracking tools will also check for simple tricks like words spelled backwards or simple substitution of certain characters (e.g. "mouse" becomes "m0us3").
More secure passwords are those which are based on pass phrases and/or non-dictionary words (including "nonsense" words), combined with obscure character substitutions. These can be extremely difficult to either guess or crack. If your system supports machine-generated passwords, you might also consider using one.
Use an 8-character password
Using the maximum number of characters allowed greatly increases the effort needed to guess or crack a password.
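The guessing tricks described above (dictionary words and names, personal details, reversed words, character substitutions such as "m0us3", and the 8-character minimum) can be turned into a simple pre-check that runs before a password is accepted. This is an added example, not code from the article; the word list and the personal details are small constructed stand-ins for what a cracking tool and an attacker would actually have.

```python
"""Check a candidate password against the guessing tricks described above:
dictionary words, names and personal details, reversed words, and simple
character substitutions such as "mouse" -> "m0us3"."""
import re

MIN_LENGTH = 8  # the article's recommended length

# Constructed stand-ins for a cracker's dictionary and a target's personal details.
WORDLIST = {"password", "secret", "guest", "mouse", "dragon", "welcome", "letmein"}
PERSONAL = {"jsmith", "john", "smith", "mailhost"}  # account name, names, system name

# Substitutions cracking tools routinely undo (digit/symbol -> letter).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize_variants(pw):
    """Return the spellings a cracker would try for pw: as typed, un-substituted,
    reversed, and with trailing digits/punctuation stripped."""
    base = pw.lower()
    forms = {base, base.translate(UNLEET)}
    forms |= {f[::-1] for f in list(forms)}
    forms |= {re.sub(r"[\d\W_]+$", "", f) for f in list(forms)}
    return forms


def weaknesses(pw, personal=PERSONAL, wordlist=WORDLIST):
    """List the reasons pw is weak by the article's criteria; empty list means none found."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    variants = normalize_variants(pw)
    if variants & wordlist:
        problems.append("dictionary word (possibly reversed or with substitutions)")
    if variants & personal:
        problems.append("based on personal information")
    if re.fullmatch(r"[a-z]+|\d+", pw.lower()):
        problems.append("single character class")
    return problems
```

A passphrase of unrelated words passes every check here, while "m0us3", "drowssap" and "Secret123!" are all caught as the dictionary word they disguise.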
Change passwords regularly
A regular password change is a good idea, since it limits misuse of your account without your knowledge if your password was somehow accidentally (or deliberately) disclosed.
Use different passwords for different accounts, systems and applications
Using a single password is the equivalent of using a single key for your car, house, mailbox, and safety deposit box -- if you lose the key, you give away access to everything. If your password is compromised on one system, using different passwords on different systems will help prevent intruders from gaining access to your accounts and data on other systems. For example, system managers should use different passwords for their personal account and their privileged account. If the personal account password is accidentally revealed, the privileged account is still protected. Similarly, a user should use different passwords for their POP email account and interactive logons.
Store passwords securely
It's understandable that users will want and need to record their passwords. This is acceptable if password lists are stored in a safe place, such as a locked personal cabinet or a strongly encrypted file with a good encryption key. In any case, great care must be taken to safeguard the list when it is used and to return it to safe storage immediately after use.
Don't share passwords with others
The password should authenticate only the identity of the authorized user. Furthermore, the authorized user can be held responsible if the account is misused.
Don't leave passwords where others can find them
Don't leave your password on a post-it on your desk (this really happens) or written down in any other places where someone could find it. If you absolutely must write down your passwords, keep them in a secure, locked place.
Also, don't leave your passwords where others can find them electronically. Never send them in email, post them to newsgroups, or leave them online in a file (even in a protected directory).
Consider a Password Manager
Many password tools exist to help you generate, store, and maintain different, complex passwords for all the websites you use. Visit The Best Password Managers article for information on the options and tools available.
3. Encryption
For the third step of Cyber Security Awareness, let's review encryption for both web browsing and file storage.
What is encryption?
Encryption is a way to enhance the security of a message or file by scrambling the contents so that it can be read only by someone who has the right encryption key to unscramble it. For example, if you purchase something from a website, the information for the transaction (such as your address, phone number, and credit card number) is usually encrypted to help keep it safe. Use encryption when you want a strong level of protection for your information.
How can I use encryption?
While visiting sites on the Internet, check that the address begins with https:// (in place of http://). For example, you could even visit https://www.bing.com in place of http://www.bing.com. The https:// prefix means your connection to the site is encrypted; it does not by itself prove the site is the one you intended to visit, so still read the address carefully.
To create secure encrypted file storage, Windows offers built-in BitLocker Drive Encryption. View the BitLocker site for information on how to turn on and use this feature. For Apple OS X, FileVault provides full disk encryption to keep data secure.
Can I or should I encrypt Email?
Users should be mindful of transferring personal or sensitive information by email. Dominican University offers an email encryption tool to protect any sensitive information that must be sent via email. For detailed information on using email encryption at Dominican University, visit our Information Security knowledge base article(s).
4. Software Security Updates
For the fourth step of Cyber Security Awareness, remember that actively keeping your operating system and applications up to date is important both for performance enhancements and for mitigating security risks. The following checklist reviews the tools and steps needed to maintain your computer.
Operating System (OS) Updates
- For Windows computers, make sure your computer is set to download and install automatic updates. Visit the Windows update page for more information.
- For Mac OS updates, visit the Apple update site for more information.
- Ensure you have working, up-to-date anti-virus software. Many computers come preloaded with anti-virus software; however, the virus definition subscriptions for these often expire within a few months. The software's virus definitions should be set to update daily.
- In addition to anti-virus software, anti-malware software provides another layer of protection. Many free anti-malware tools exist; Malwarebytes is one option you can download.
- All applications such as Firefox, Chrome, Adobe Reader, Adobe Flash, etc., require updates to stay current. Check that the applications are set to update automatically, and allow the updates to run and install when prompted.