Best Practices for the Digital Age
E-mail Best Practices
Never open an e-mail unless you know the sender. If you do not know the sender, you can block the sender and process it as ‘junk’ depending on your e-mail client. Never click on a link in a Spam E-mail. You may be prompted to give up your login credentials, or unknowingly install viruses and spyware on your PC. This includes ‘Removal Links’ in any e-mail unless you know who the sender is.
Change the password to your e-mail account every 90 days to ensure that your account remains safe. Never e-mail anything sensitive to a Hotmail or Gmail account. These services make money by indexing all e-mail for marketing purposes. You do not want your data ending up in their advertising database. If you must e-mail sensitive information, encrypt any attachments using a program such as 7-zip, which will encrypt the attachment with a password you choose. You can then e-mail the encrypted attachment to the recipient and provide the password separately, in a second e-mail or by telephone.
Never share your password with anyone! The Department of Information Technology will never ask you for your username and password.
Never use the same password for your e-mail account and any other account that is registered to it. For example, the password for your social networking accounts should not be the same as the password for the e-mail address they’re registered to. If someone were to compromise one password, they could also log into your e-mail account.
Never use a dictionary word as a password. These passwords are much easier to ‘crack’ and your data will be at risk. Always set your password to be at least 10 characters, but preferably 12 or more. You should use at least one capital letter, one number (1,2) and one symbol ($,!).
For Home Banking and other financial sites, change your password every 90 days to ensure that your account is safe.
To make strong passwords, instead of using a simple dictionary word you could use a phrase or sentence, for example ‘ilikeapplepie’. It will be more difficult for a hacker to crack. In addition, you should also use the substitution method. Using a character-substitution chart (swapping letters for similar-looking numbers and symbols, as in the example below), you could turn the password ‘ilikeapplepie’ into ‘!L!ke@pP1eP13’. It will be much more difficult to crack this password.
A password should be something that you can remember. You should never have to write your password down as this could compromise your password. Using the phrase method, this should be easy to accomplish with a commonly used phrase or passage.
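As an added illustration (not part of the original guide), a small Python checker that enforces the rules stated above and shows why the bare phrase ‘ilikeapplepie’ fails them while the substituted ‘!L!ke@pP1eP13’ passes; the word list and the substitution table are constructed for the example.

```python
import re

# Constructed mini word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "letmein", "apple", "monkey"}

# Common look-alike substitutions are undone before the dictionary check,
# so that 'P@ssw0rd' is still recognised as the dictionary word 'password'.
UNDO_SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o",
                                    "1": "i", "3": "e", "4": "a", "5": "s"})

MIN_LENGTH = 10        # the guide's hard minimum
PREFERRED_LENGTH = 12  # the guide's preferred length


def looks_like_dictionary_word(password):
    """True when the password is a listed word, possibly disguised with
    number/symbol substitutions or padded with symbols at either end."""
    core = re.sub(r"^[^A-Za-z0-9]+|[^A-Za-z0-9]+$", "", password)
    return core.translate(UNDO_SUBSTITUTIONS).lower() in DICTIONARY


def check_password(password):
    """Return the list of rules from the guide that the password fails."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        failures.append("no capital letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(not c.isalnum() for c in password):
        failures.append("no symbol")
    if looks_like_dictionary_word(password):
        failures.append("dictionary word (even after undoing substitutions)")
    return failures


def is_acceptable(password):
    return not check_password(password)


def preferred_length_met(password):
    """Reported separately: 10 is acceptable, 12 or more is preferred."""
    return len(password) >= PREFERRED_LENGTH


if __name__ == "__main__":
    for pw in ("ilikeapplepie", "!L!ke@pP1eP13", "P@ssw0rd!"):
        print(pw, "->", check_password(pw) or "OK")
```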
Document Best Practices
Always keep a backup! When you do, ensure that you protect your backup in the same manner that you’d protect the actual data. Remember, a backup copied to a different computer can be read there without the password that protects the original.
If you use a cloud-based service such as iCloud, Dropbox, Google Docs or Amazon S3, do so knowing that your information may be accessed by this vendor according to their terms of service. Please refer to their terms of service prior to storing anything sensitive such as financial documents, bank statements and account information.
Home Networking Best Practices
If someone can get access to your home network, they can conceivably download and make malicious use of your personal information. They can also use your bandwidth to engage in illegal activities. For these reasons, it is important that you follow these simple principles when setting up your home network.
If you have a wireless router in your home, always place the router towards the middle of your home. That way only a weaker signal will bleed through your walls to the outside of your home. Always change the administrative password on your home router. Attackers know the default passwords for dozens of home networking devices, so a router left at its default password is not secure. Always lock down your home wireless network. You should use WPA2 with a strong password (sometimes called a pre-shared key) and the AES algorithm. If your home router does not support WPA2, you should use WPA.
If you must support legacy wireless devices that only work with WEP, choose 128-bit WEP and use a randomly generated WEP key. WEP is less secure than WPA2/WPA, but it will dissuade passers-by from using your wireless network.
Mobile Device Security
Creating a strong password for your e-mail account is a good first step towards being secure. However, many smart phones will have the Username and Password fields populated during their configuration. This is a nice feature for ease of use, but it means anyone can simply pick up your phone and go through your e-mail. Many smart phones come with the capability to lock and password-protect the device when not in use. This is critical to keeping your personal information safe. A malicious individual can make use of not only your e-mail, but your recent call list and phone book.
In addition to locking the device, ensure that you install software from trusted vendors. iPhones make use of the App Store, which is fully vetted by Apple to ensure that every program is safe and secure. If you Jailbreak your iPhone, you may add some additional capabilities, but you are sacrificing a line of defense between malicious programs and your mobile device.
There are good programmers and bad programmers in this world. While some would like to introduce new software to improve your day-to-day, others are trying to rip off your financial information so they can sell it to the highest bidder. It is important to be mindful of the latter and ensure that your computer is secure at all times. On University machines we use a product called Forefront Endpoint Protection to monitor all computers for Viruses, Malware and Spyware. All three are malicious types of programs designed to harvest sensitive information and passwords and to decrease productivity.
If you would like to protect your personal computer, you can download Microsoft Security Essentials for free via the link http://windows.microsoft.com/mse. Microsoft Security Essentials will scan running processes and downloaded files to ensure they contain no malicious code. It is important to update the virus definitions for your virus scanner often to ensure you are protected against the newest threats that exist.
Recognizing a Phishing Attempt
For Identity Thieves, one of the most lucrative means of collecting personal information is called Phishing. It involves a malicious individual sending misleading e-mail requesting your personal information. Typically, they will ask for your Username and Password for some purpose such as ‘preventing your account from being disabled’ or ‘to receive your cash prize’. Phishing e-mail is simply a modern take on a very old scam. Once the user gives up their username and password, their e-mail account is harvested for Financial Information and Blackmail Material and then used to send additional phishing e-mails to their contacts.
No reputable organization will ever ask for your username and password via e-mail. If they need to reset your password, they will not need your current password to do so. Be very careful about whom you give any personal information to. Below you will see samples of actual Phishing Attempts that were received by University Personnel. Never give your username and password to anyone who asks for it via e-mail!
Phishing Example 1:
Subject: EMAIL QUOTA ALERT!!!
Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails Until You Re-Validate It.
To Re-Validate –> Follow Link Here
Notice in Example 1 that this malicious individual is attempting to create an immediate need to ‘validate’ your e-mail address. This is done to cause anxiety for the reader and hopefully get them to follow its instructions before thinking about it. To reiterate, no Systems Administrator will ever ask for your Username and Password via e-mail.
Phishing Example 2:
From: firstname.lastname@example.org; on behalf of; Long Island University email@example.com
Subject: Notice
Your account subscription has expired and your email account is about to be suspended, Confirm your account information to keep your email active.Click the secured below to extend your account.
© 2012 – Long Island University
Notice in Example 2 that the e-mail is purportedly coming from Long Island University, yet the actual e-mail address is firstname.lastname@example.org. Also, the spoofed account is misspelled as email@example.com instead of firstname.lastname@example.org. Those are both red flags, and should cause the reader to question the validity of this e-mail and simply delete it. To reiterate, no Systems Administrator will ever ask for your Username and Password via e-mail!
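As an added example (not part of the original guide), the red flags called out in Examples 1 and 2 expressed as simple detection rules in Python and run over the two samples above plus one constructed, legitimate notice; the addresses are exactly as the page anonymises them, and the sender/subject mismatch check relies on the ‘X; on behalf of; Y’ rendering shown in Example 2.

```python
import re

# The two phishing samples quoted in the guide (Example 1 shows no From line
# on the page, so it is left empty) and one constructed legitimate notice.
SAMPLES = {
    "example1": {"from": "",
                 "subject": "EMAIL QUOTA ALERT!!!",
                 "body": "Your Mailbox Has Exceeded It Storage Limit As Set By "
                         "Your Administrator, And You Will Not Be Able To Receive "
                         "New Mails Until You Re-Validate It. Follow Link Here"},
    "example2": {"from": "firstname.lastname@example.org; on behalf of; "
                         "Long Island University email@example.com",
                 "subject": "Notice",
                 "body": "Your account subscription has expired and your email "
                         "account is about to be suspended, Confirm your account "
                         "information to keep your email active.Click the "
                         "secured below to extend your account."},
    "benign": {"from": "helpdesk@example.edu",
               "subject": "Scheduled mail maintenance on Saturday",
               "body": "The mail server will be offline from 2 to 4 am on "
                       "Saturday. No action is required on your part."},
}

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URGENCY = ("exceeded", "suspended", "expired", "re-validate", "confirm your account")
HIDDEN_LINKS = ("follow link here", "click the secured below", "click here")


def phishing_indicators(msg):
    """Return the red flags described in the guide that this message shows."""
    flags = []
    # 'real-sender; on behalf of; displayed-sender' exposes two different domains.
    domains = {a.rsplit("@", 1)[1].lower() for a in ADDR_RE.findall(msg["from"])}
    if len(domains) > 1:
        flags.append("displayed sender and actual address use different domains")
    subject = msg["subject"]
    if subject.isupper() or subject.count("!") >= 2:
        flags.append("alarmist subject line")
    text = (subject + " " + msg["body"]).lower()
    if any(k in text for k in URGENCY):
        flags.append("urgency about losing account access")
    if any(k in text for k in HIDDEN_LINKS):
        flags.append("link whose destination is hidden behind generic text")
    return flags


def is_likely_phishing(msg):
    """Two or more of the guide's red flags: treat as phishing and delete it."""
    return len(phishing_indicators(msg)) >= 2
```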