Best Practices for the Digital Age

E-mail Best Practices

Never open an e-mail unless you know the sender. If you do not know the sender, you can block the sender and process it as ‘junk’ depending on your e-mail client. Never click on a link in a Spam E-mail. You may be prompted to give up your login credentials, or unknowingly install viruses and spyware on your PC. This includes ‘Removal Links’ in any e-mail unless you know who the sender is.

Change the password to your e-mail account every 90 days to ensure that your account remains safe. Never e-mail anything sensitive to a Hotmail or Gmail account. These services make money by indexing all e-mail for marketing purposes. You do not want your data ending up in their advertising database. If you must e-mail sensitive information, encrypt any attachments using a program such as 7-zip. This will use your password (secure) and encrypt the attachment. You can then e-mail the encrypted attachment to the recipient and provide the password in a second e-mail, or telephone call.

The most common way hackers intercept data is by gaining access to your computer. There are several ways evil-doers can achieve this. By mimicking a sender’s address, as in “…@liu.edu”, cybercriminals can deceive you. These messages typically contain a link or an attachment that looks innocent but includes malicious software that can record all your keystrokes, or search among files on your computer. The goal of these practices is to gain access to your passwords and confidential information. These programs can also use your email account to send similar packages to all your contacts, distributing the software to even wider circles. Other methods include accessing webmail on public computers. Without logging off properly, the next user may be able to view your account.

Think before opening any attachment or clicking any link – even if it appears to be sent from someone you know! This means that you should be suspicious of any document or link sent to you, unless you are expecting it.

Some other practices that can help protect you and your data include:

Changing your password frequently, and changing your password to make it more difficult to guess.

  • Do not use a word or clue to your password in any of your social media accounts.
  • Think of a phrase that’s easy to remember but difficult to decipher. A password created by using the first letter of each word in the phrase is stronger.
  • Never use a word found in the dictionary in your password.

Be skeptical of messages that contain:

  • misspellings
  • threats that non-compliance will lead to closing your account.

Be wary of links in emails.Any word, sentence or image can be linked. What may look like a legitimate link, can be easily disguised. By resting the cursor over a link – and being careful not to click on the link – you can read the Java hint of the actual URL.

Link

1. Attach the message to a new email message and forward it to Information Technology. Doing so allows IT to view metadata in the header of the email message.

a. Outlook on a PC:

  • Create a new message.
  • In the message window, on the Message tab, in the Include group, click Attach Item. Click Outlook Item.
  • Browse through your folder list to find the folder that contains the item that you want to attach.
  • Under Items, click the item, and then click OK.

b. Outlook on a Mac:

  • With your inbox open and the suspicious message highlighted, on the Home tab, click Attachment (paperclip icon with an arrow).
  • This will generate a new email message with the suspicious message attached.
  • You can also create a new message and drag the message to be attached from your inbox to the new message.

2. IT will immediately review the message and provide feedback on the veracity of the message. If the message is fictitious, IT will ask you to reset your password. A password change can be initiated by going to:

3. Remember that your password should include at least 1 capital letter, 1 lowercase letter, 1 number, 1 special character (e.g., @, #, %, ^), and no less than 8 characters in total.

Contact your IT office immediately. We will reset your password and address any and all concerns to your computer equipment.

If you have any questions, suspicions or concerns, please contact your local IT office.

Password Practices

Never share your password with anyone! The Department of Information Technology will never ask you for your username and password.

Never use the same password for your e-mail account and any other account that is registered to it. For example, the password for your social networking accounts should not be the same as the e-mail address they’re registered to. If someone were to compromise your password, they can also log into your e-mail account.

Never use a dictionary word as a password. These passwords are much easier to ‘crack’ and your data will be at risk. Always set your password to be at least 10 characters, but preferably 12 or more. You should use at least one capital letter, one number (1,2) and one symbol ($,!).

For Home Banking and other financial sites, change your password every 90 days to ensure that your account is safe.

To make strong passwords, instead of using a simple dictionary word you could use a phrase or sentence for example, ‘ilikeapplepie’. It will be more difficult for a hacker to crack. In addition, you should also use the substitution method. Using the chart below, you could substitute the characters in the password ‘ilikeapplepie’ for ‘!L!ke@pP1eP13’. It will be much more difficult to crack this password.

Lower Case a b c d e f g h i j k l m
Upper Case A B C D E F G H I J K L M
Special @ 8     3       1     1  
                  !     !  
                           
Lower Case n o p q r s t u v w x y z
Upper Case N O P Q R S T U V W X Y Z
Special   0                      

A password should be something that you can remember. You should never have to write your password down as this could compromise your password. Using the phrase method, this should be easy to accomplish with a commonly used phrase or passage.

Document Best Practices

Always keep a backup! When you do, ensure that you protect your backup in the same manner that you’d protect the actual data. Remember, you no longer need the password to take a backup and read it on a different computer.

If you use a cloud-based service such as iCloud, Dropbox, Google Docs or Amazon E3, do so knowing that your information may be accessed by this vendor according to their terms of service. Please refer to their terms of service prior to storing anything sensitive such as financial documents, bank statements and account information.

Home Networking Best Practices

If someone can get access to your home network, they can conceivably download and make malicious use of your personal information. They can also use your bandwidth to engage in illegal activities. For these reasons, it is important that you follow these simple principles when setting up your home network. If you have a wireless router in your home, always place the router towards the middle of your home. That way a weaker signal will bleed through your walls to the outside of your home. Always set the password for your home router. Hackers will know the default passwords for dozens of home networking devices so you will not be secure. Always lock down your home wireless network. You should use WPA2 with a strong password (sometimes called pre-shared key) with the AES algorithm. If your home router does not support WPA2, you should use WPA.

If you must, use WEP for legacy wireless devices, but choose 128-bit WEP and use a randomly generated WEP key. WEP is less-secure than WPA2/WPA, but it will dissuade the passersby from using your Wireless Networking.

Mobile Device Security

Creating a strong password for your e-mail account is a good first step towards being secure. However, many smart phones will have the Username and Password fields populated during their configuration. This is a nice feature for ease of use, however anyone can simply pick up your phone and go through your e-mail. Many Smart Phone’s come with the capability to lock and password-protect the device when not in use. This is critical to keeping your personal information safe. A malicious individual can make use of not only your e-mail, but your recent call list and phone book.

In addition to locking the device, ensure that you install software from trusted vendors. iPhone’s make use of the App Store, which is fully vetted by Apple Computers to ensure that every program is safe and secure. If you Jailbreak your iPhone, you may add some additional capabilities but you are sacrificing a line of defense between malicious programs and your mobile device.

Malicious Programs

There are good programmers, and bad programmers in this world. While some would like to introduce new software to improve your day-to-day, others are trying to rip off your financial information so they can sell it to the highest bidder. It is important to be mindful of the latter and ensure that your computer is secure at all times. On University Machine’s we use a product called Forefront Endpoint Protection to monitor all computers for Viruses, Malware and Spyware. All three are malicious types of programs designed to harvest sensitive information, passwords and decrease productivity.

If you would like to protect your personal computer, you can download Microsoft Security Essentials for free via the link http://windows.microsoft.com/mse. Microsoft Security Essentials will scan running processes and downloaded files to ensure they contain no malicious code. It is important to update the Definitions for your virus scanner often to ensure you are protected against the newest threats that exist.

Recognizing a Phishing Attempt

For Identity Thieves, one of the most lucrative means of collecting personal information is called Phishing. It involves a malicious individual sending misleading e-mail requesting your personal information. Typically, they will require your Username and Password for some purpose such as ‘preventing your account from being disabled’, or ‘to receive your cash prize’. Phishing e-mail is simply a modern take on a very old scam. Once the user gives up their username and password, their e-mail account is harvested for Financial Information, Blackmail Material and then used to send additional phishing e-mails to their contacts.

No reputable organization will ever ask for your username and password via e-mail. If they need to reset your password, they will not need your current password to do so. Be very careful to whom you give any personal information to. Below you will see samples of actual Phishing Attempts that were received by University Personnel. Never give your username and password to anyone who asks for it via e-mail!

Phishing Example 1:

Subject: EMAIL QUOTA ALERT!!!
Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails Until You Re-Validate It.
To Re-Validate –> Follow Link Here

System Administrator

Notice in Example 1 that this malicious individual is attempting to create an immediate need to ‘validate’ your e-mail address. This is done to cause anxiety for the reader and hopefully get them to follow its instructions before thinking about it. To reiterate, no Systems Administrator will ever ask for your Username and Password via e-mail.

Phishing Example 2:

From: lbyrneandsons@eircom.net; on behalf of; Long Island University helpdesk@liu.edu Subject: Notice
Your account subscription has expired and your email account is about to be suspended, Confirm your account information to keep your email active.Click the secured below to extend your account.
secure/liu.edu

Thank you
© 2012 – Long Island University

Notice in Example 2 that the e-mail is purportedly coming from Long Island University, yet the actual e-mail address is lbyrneandsons@eircom.net. Also, the spoofed account is misspelled as helpdek@liu.edu instead of helpdesk@liu.edu. Those are both red flags, and should cause the reader to question the validity of this e-mail and simply delete it. To reiterate, no Systems Administrator will ever ask for your Username and Password via e-mail!