CYBER SECURITY October 2009 ARE YOU AWARE? The Federal Trade Commission reports that: For the seventh year in a row, identity theft tops the list, accounting.

CYBER SECURITY

October 2009

ARE YOU AWARE? The Federal Trade Commission reports

that: “For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud.”

FTC News

TOP TEN COMPLAINTS FOR VIRGINIA

RANK CATEGORIES COMPLAINTS

%

1 Identity Theft 246,035 36

2 Shop-at-Home/Catalog Sales 46,995 7

3 Prizes/Sweepstakes &Lotteries 45,587 7

4 Internet Services & Computer 41,243 6

5 Internet Auctions 32,832 5

6 Foreign Money Offers 20,411 3

7 Advance-Fee Loans and Credit Protection/Repair

10,857 2

8 Magazines and Buyer Clubs 8,924 1

9 Telephone Services 8,165 1

10 Health Care 7,467 1

Why should you be aware? Websites can be disabled and

unavailable Office/home computers can be

damaged by a virus Hackers can break into our databases

and steal identity information, not just our customers, but yours as well!

Malicious users could use our systems to attack other systems

Cyber Security

DID YOU KNOW? A unprotected computer connected

to the internet can be compromised in less than one minute

A modern desktop computer can send 200,000 spam emails an hour

Networks of exploited computers can be rented for targeted attacks via web stores controlled by Bot Owners

VITABOTS

CYBER SECURITY

CURRENT MALICIOUS BEHAVIORS

WHAT IS SPAM?

The simple definition of spam is it is an

unsolicited email

Product offers Misdirection to allow installation

of malwareMisinformation (denial of

access)

WHAT IS PHISHING?

According to Microsoft:

“Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, Windows Live IDs, other account data and passwords, or other information.”

Microsoft

TYPES OF PHISHING IRS and Treasury scams Credit Union and Banking scams Major events (Elections,

Holidays) Social networking Web sites Fake Websites Websites that spoof your

familiar sites using slightly different Web addresses

Phishing Video

KEYLOGGER/KEYSTROKE SPYWARE

Keylogger is a software program (it can even be hardware) designed to monitor and log all keystrokes.

The biggest threats in this area are stolen password, confidental information, pin numbers, credit card account numbers, etc.

VIRUSLIST

SOCIAL ENGINEERING

According to Microsoft:“The purpose of social engineering

is usually to secretly install spyware or other malicious software or to trick you into handing over your passwords or other sensitive financial or personal information.”

TYPES OF SOCIAL ENGINEERING

Phishing Spear phishing E-mail hoaxes

NIGERIAN EMAIL SPAM

PROTECT YOURSELF

PROTECT YOU PERSONAL INFORMATION

Don’t give out your name, email or home address, phone, account numbers, or SS numbers without finding out why it is needed and how it will be protected

Monitor your email- don’t respond to unknown or unsolicited email

When shopping online, take measures to reduce the risk- ensure lit lock or https: (secured) sites are used

Read the company privacy policy

LOGOFF OR LOCKUP

When leaving your desk, remember to logoff or CTRL-ALT-Delete to lock your workstation

alt

EMAIL AND INSTANT MESSAGING

Avoid clicking on links in emails, type the URL in the browser bar

Don’t open attachments that appear to be suspicious

Delete emails that direct you to a website where you are prompted to fill out personal data

Delete hoax and chain letter emails

SENSITIVE DATA Don’t store sensitive data on you hard

drive (Social Security, Credit Card, etc.)

If you must store sensitive data, have it encrypted (see MIS for more Information)

If printing sensitive data, avoid printing on shared printers/copiers:

** If you have to print on a shared copier/printer, remove it immediately!

EQUIPMENT PHYSICAL PROTECTION

If you have a laptop/portable device, lock it up at night

If traveling with a laptop, never check it in at the airport

Use a surge protector Portable devices need to be secured

when not in use! Don’t put laptops/portable devices on

the seat of your car, not just for anti-theft but for climate control!

Remember flash drives/CDs are considered portable devices!

PORTABLE DEVICES It is a COV Security standard that

COV data not be stored on non-COV devices, so you will have to use COV portable devices when working away from the office

COV sensitive data should be encrypted before being moved onto your COV-portables

Scan, Scan, Scan- Portable devices are just like your

hard drive, it needs to be scanned at least once a week

WHO IS IT?

You don’t open your door at home without ensuring who is at the door,

….So why would you not take the same precaution online!

WORLD WIDE WEB, WWW

Be watchful of sites that: Redirect you to other sites Request personal information Appear to involve malicious

activityRemember: Block pop-ups and only enable

them for trusted sites Cookies are great, but third party

cookies should be blocked!

SECURITY SOFTWARE

Ensure your home and work PCs are up-to-date on the following

programs: Anti-Virus Software Firewalls Anti-Spyware and Malware

Software Email ScanningWindows XP Firewall

Information

UP-TO-DATE

In order to protect yourself and your computer you need to ensure that you Operating System and Web Browser is up-to-date

Security patches are frequently updated, so check regularly!

Microsoft

PASSWORD Your password is the key to your

computer, don’t make it readily accessible. Never place your password out in plain view. Keep it secured!

Avoid the option that allows a computer to remember any password

Never share your password. Your IT person should never ask for your password!

STRONG PASSWORD

Use at least nine characters, including numerals and symbols

Avoid common (dictionary) words Don’t use your personal

information, login or adjacent keys as passwords

Change at least every 42 days for work and 90 days for home

Use variety of passwords for your online accounts

PASSWORD TIPS

Use memorable phases, such as “I hate Mondays!”

Alter caps with lowercase, numbers, and use symbols:

Example: 1h@teM0ndays! Using this format gives you the

opportunity to use the same password for long time. Simply change at least two characters and most policies will allow you to keep the same password.

BACKUP YOUR DATA One of the biggest errors people make

is not backing up their data! Depending upon your use:

For work we back it up every night For home you should strive to back it up

at least weekly

Windows X

P Backup

DEFEND YOURSELF

IDENTITY THEFT

File a complaint with the Federal Trade Commission:

Federal Trade Commission Place a fraud alert on your credit reports,

and review your credit reports. This can be accomplished by contacting one of the nationwide consumer reporting agency

File a Police Report Close the accounts that have been

tampered with or opened fraudulently

HOUSTON WE HAVE A PROBLEM!

How to Recognize a Cyber Security Threat:

Slow or non-responsive system Unexpected behavior, such as program pop-ups Display of messages that you haven’t seen

before Running out of disk space unexpectedly Unable to run a program due to lack of memory Crashing! Rejecting a valid and correct password

WHAT TO DO

Stop and unplug system from the LAN/Modem!

If unable to freeze the problem, take note about occurrence

Contact any of your MIS personnel and supervisor about any cyber security incident

THE BE’S OF CYBER SECURITY

BE ALERT BE WATCHFUL BE ON GUARD BE CAREFUL WHERE YOU GO

ONLINE! BE SURE TO ASK FOR HELP! BE SURE TO THINK B4 U

CLICK!

CYBER SECURITY

It is said a chain is only strong as it’s weakness link…. Don’t be the

weak link!

Cyber Security is everyone's responsibility!

Thanks!Thank you for going through the training today!

Information Security is critical at work and at home. We appreciate you taking the time to learn the contents of this training and highly encourage you taking some time regularly to read up on security topics – you can click on the security link at the bottom of our MRC web pages to visit the VITA-NG security web site at any time.

This information is provided to educate you on how to protect yourself at work and at home, but as always, it is required for you to understand and follow our agency security policy. If youneed to review the policy again, you can go to the following

link:

Agency Information Security PowerPoint

Please contact Erik Barth (x72262); Linda Farris (x72280) oryour supervisor if you have any questions about this training orinformation security topics in general.

DON’T FORGET

Please don’t forget to email, fax, or mail

your acknowledgement for completing

your cyber-security training!

References

FTC News Microsoft VITA VIRUSLIST Wikipedia Stay Safe Online OnGuard Online Cyber Security