Divisions » Information Security Office (KISO) » Resources
Resources for Citizens and Employees
In today’s modern workspaces technology has made us far more efficient than we ever have been, unfortunately those efficiencies have also made the ‘bad guys’ more efficient as well, so what can we do to offset the balance in our favor? The answer is really very simple - train ourselves to conduct business in a sensible, secure manner.
By incorporating simple ‘common sense security’ measures in our daily activities, the risks associated with modern technology can be reduced dramatically. Provided on this page is a variety of documents, links, and videos. Please use what works best for you to help make ‘common sense security’ second nature to your daily activities both at the office and at home.
Cybersecurity Training Videos
Prep Clips
These clips can be used in preparation for the Awareness Quiz:
- Email Usage
- Surfing the Internet
- Passwords
- Mobile computing
- Privacy and proper handling of sensitive information
- Physical security
- Social Engineering, and Identity theft avoidance
- Viruses and malware
- File sharing
- Using encryption
- Reporting suspicious activity and abuse
Understanding Cybersecurity Terms
Adware
Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software.
Botnet
Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.
Crimeware
Crimeware is a class of malware designed specifically to automate financial crime. Crimeware (as distinct from spyware, adware, and malware) is designed (through social engineering or technical stealth) to perpetrate identity theft in order to access a computer user's online accounts at financial services companies and online retailers for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the thief controlling the Crimeware. Crimeware also often has the intent to export confidential or sensitive information from a network for financial exploitation. Crimeware represents a growing problem in network security as many malicious code threats seek to pilfer confidential information.
Firewall
A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria. A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Identity Theft
Identity theft is a term used to refer to fraud that involves someone pretending to be someone else in order to steal money or get other benefits. The term is relatively new and is actually a misnomer, since it is not inherently possible to steal an identity, only to use it. The person whose identity is used can suffer various consequences when he or she is held responsible for the perpetrator's actions. In many countries specific laws make it a crime to use another person's identity for personal gain.
Malware
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including true viruses. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, Crimeware and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant.
Phishing
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
Rootkits
A rootkit is malware that consists of a program, or combination of several programs, designed to hide or obscure the fact that a system has been compromised. Contrary to what its name may imply, a rootkit does not grant a user administrator access, as it requires prior access to execute and tamper with system files and processes. An attacker may use a rootkit to replace vital system executables, which may then be used to hide processes and files the attacker has installed, along with the presence of the rootkit. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often, they are Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may also install a "back door" in a system by replacing the login mechanism (such as /bin/login) with an executable that accepts a secret login combination, which, in turn, allows an attacker to access the system, regardless of changes to the actual accounts on the system. Rootkits may have originated as regular applications, intended to take control of a failing or unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux, Mac OS, and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.
Router
A router is a networking device whose software and hardware are usually tailored to the tasks of routing and forwarding information.
Social Engineering
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.
Spam
E-mail spam, also known as junk e-mail, is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. "UCE" refers specifically to unsolicited commercial e-mail.
About 80% of all spam is sent by fewer than 200 spammers. Botnets, networks of virus-infected computers, are used to send about 80% of spam. E-mail addresses are collected from chatrooms, websites, newsgroups, and viruses which harvest users' address books, and are sold to other spammers. Much spam is sent to invalid e-mail addresses. Spam averages 94% of all e-mail sent.
Spyware
Spyware is computer software that is installed surreptitiously on a personal computer to collect information about a user, their computer or browsing habits without the user's informed consent. While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits, sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software, and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.
Switch
A network switch is a computer networking device that connects network segments.
Trojan
Trojan, in the context of computing and software, describes a class of computer threats that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the host machine, giving the attacker the ability to save files on the user's computer or even watch the user's screen and control the computer. Trojan horses (not technically a virus) can be easily and unwittingly downloaded. For example, if a computer game is designed such that, when executed by the user, it opens a back door that allows a hacker to control the computer of the user, then the computer game is said to be a Trojan horse. However, if the computer game is legitimate, but was infected by a virus, then it is not a Trojan horse, regardless of what the virus may do when the game is executed. The term is derived from the classical story of the Trojan Horse.
Virus
A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.
Worms
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or devour files on a targeted computer.
Zombie Computer
A zombie computer (often shortened as zombie) is a computer attached to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.
Cybersecurity Basics - Personal
- If you think you've received a phishing e-mail message, do not respond to it.
  If an e-mail looks suspicious, don't risk your personal information by responding to it.
- Approach links in e-mail messages with caution.
  Links in phishing e-mail messages often take you to phony sites that encourage you to transmit personal or financial information to con artists. Avoid clicking a link in an e-mail message unless you are sure of the real target address, or URL. Most e-mail programs show you the real target address of a link when you hover the mouse over the link. Before you click a link, make sure to read the target address. If the e-mail message appears to come from your bank, but the target address is just a meaningless series of numbers, do not click the link.
  Make sure that the spelling of words in the link matches what you expect. Fraudsters often use URLs with typos in them that are easy to overlook, such as "microsoft" instead of "Microsoft".
- Don't trust the sender information in an e-mail message.
  Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message. Fraudsters can easily spoof the identity information in an e-mail message.
- Verify the identity and security of the Web site.
  Some sites feature verified identity and security information. When you visit a verified site using Internet Explorer 7, the browser address bar turns green and the identity information appears on the right-hand side of the address bar. This makes it easy to check the identity information and ensure that it matches the site that you expected to see.
  Make sure the site is secure before you type. In Internet Explorer, you can do this by checking the yellow lock icon on the status bar. The closed lock icon signifies that the Web site uses encryption to help protect any sensitive, personal information that you enter, such as your credit card number, Social Security number, or payment details.
  Note that this symbol doesn't need to appear on every page of a site, only on those pages that request personal information.
  Unfortunately, even the lock symbol can be faked. To help increase your safety, double-click the lock icon to display the security certificate for the site. The name following "Issued to" should match the name of the site.
  If the name differs, you may be on a fake site, also called a "spoofed" site. If you're not sure whether a certificate is legitimate, don't enter any personal information. Play it safe and leave.
  Tip: If you don't see the status bar at the bottom of your browser window, click View at the top of the browser, and then select Status Bar to activate it.
- Type addresses directly into your browser or use your personal bookmarks.
  If you need to update your account information or change your password, visit the Web site by using your personal bookmark or by typing the URL directly into your browser.
- Use an updated browser.
  Regularly updated Web browsers incorporate an ever-expanding set of features, such as phishing filters, designed to help protect you when you click links in e-mail messages, so be sure to upgrade as these features become available.
- Don't trust offers that seem too good to be true.
  If a deal or offer in an e-mail message looks too good to be true, it probably is. Exercise your common sense when you read and respond to e-mail messages.
- Report suspicious e-mail.
  Report the e-mail to the faked or "spoofed" organization. Contact the organization directly (not through the e-mail you received) and ask for confirmation, or call the organization's toll-free number and speak to a customer service representative. Report the e-mail to the proper authorities; for more information on how to report phishing scams, read what to do "if you're a victim of a scam".
- Don't enter personal or financial information into pop-up windows.
  One common phishing technique is to launch a fake pop-up window when someone clicks a link in a phishing e-mail message. To make the pop-up window look more convincing, it might be displayed over a window you trust. Even if the pop-up window looks official or claims to be secure, avoid entering sensitive information, because there is no way to check the security certificate. Close pop-up windows by clicking the red X in the top right corner (a "Cancel" button may not work as you'd expect).
- Update your computer software.
  One of the most important ways to keep your computer and the data stored on it safe from the "bad guys" is to keep all installed software patched. This may seem to be a never-ending struggle, but it is an essential part of safeguarding your system.
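The link and certificate checks described above (real target versus displayed text, a bare-number target, a misspelled site name, and the "Issued to" name matching the site), written out as an added Python example that is not part of the KISO page; the trusted-site list, the sample message and the domain names in it are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the sites this reader actually uses (constructed for the example).
TRUSTED_HOSTS = {"www.examplebank.com", "examplebank.com", "www.tailspintoys.com"}

# Constructed sample message, written to exercise each check below.
SAMPLE_MESSAGE = """
<p>Your account needs verification: <a href="http://192.0.2.10/login">Click here</a></p>
<p>Or visit <a href="https://www.examp1ebank.com/">https://www.examplebank.com</a></p>
<p>Statement: <a href="https://www.examplebank.com/statements">View statement</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the text is what the reader sees,
    the href is the real target a mail client reveals when you hover."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _edit_distance(a, b):
    """Levenshtein distance; catches one-keystroke lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _site_name(host):
    # Crude registrable name: the last two labels (enough for the .com hosts here).
    return ".".join(host.split(".")[-2:])


def link_warnings(href, text):
    """Return the reasons a reader should not click, or [] if nothing looks wrong."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["link has no web host (e.g. a javascript: or mailto: link)"]
    if parsed.scheme != "https":
        warnings.append("target does not use https")
    if _is_ip(host):
        warnings.append("target is a bare IP address, not a named site")
        return warnings
    shown = re.search(r"https?://([^/\s]+)", text)   # text that looks like a URL
    if shown and shown.group(1).lower() != host:
        warnings.append(f"text shows {shown.group(1)} but the link goes to {host}")
    if host not in TRUSTED_HOSTS:
        for trusted in sorted(TRUSTED_HOSTS):
            if _site_name(trusted) != _site_name(host) and \
                    _edit_distance(_site_name(trusted), _site_name(host)) <= 2:
                warnings.append(f"{host} looks like {trusted} but is not the same site")
                break
    return warnings


def certificate_name_matches(issued_to, site_host):
    """The 'Issued to' name must equal the site name; a *.example.com wildcard
    covers exactly one extra label, which is how browsers apply it."""
    issued_to, site_host = issued_to.lower().strip(), site_host.lower().strip()
    if issued_to.startswith("*."):
        return site_host.endswith(issued_to[1:]) and site_host.count(".") == issued_to.count(".")
    return issued_to == site_host


if __name__ == "__main__":
    for href, text in extract_links(SAMPLE_MESSAGE):
        print(href, "->", link_warnings(href, text) or "looks consistent")
```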
Your Personal Computer
There are just a few basic things to remember that will greatly improve security of your personal computer.
- Always use a 'local' or 'host-based' firewall. Most operating systems now come with one built-in; unfortunately, many users disable it because they find the alert messages annoying, but if one takes the time to 'tune' the firewall, it provides a very solid layer of protection.
- Always use antivirus and antispyware protection, and keep it updated. Schedule complete scans of your system and ensure that they occur.
- Always keep your operating system and other software patched. Probably the most important and yet the most forgotten security measure is keeping your software patched. This is how the bad guys are able to do what they do; they find vulnerabilities in software and then exploit that vulnerability to do bad things—keep your software patched!
Mobile Computing
The newest laptops and external drives are powerful, light, and thin enough to fit easily into the slenderest of carry-on baggage. This makes them easy to travel with, but also easier to lose or have stolen.
It pays to be extra vigilant at airport security checkpoints where thieves know people can be flustered.
You should also store your laptop in the seat in front of you, instead of in the overhead compartment when you fly.
Here are some tips to help you secure the information on your laptop:
Protect your information.
If you keep personal or financial information on your computer, invest in an operating system that includes file protection (encryption).
Protect your laptop with a strong password.
If you travel with your laptop frequently, you should secure it with a strong password. Check your computer's Help and Support service to learn how to add or change your system password. To find out how to create passwords that are tough for hackers to crack, but easy for you to remember, see Strong passwords: How to create and use them.
Back up before you go.
Always back up your information before you take your laptop on a trip. You can't always avoid the financial loss of your equipment, but you can avoid losing all your information in the process.
Be careful what you store on your thumb drives.
With the growing popularity and increasing memory capabilities of small flash drives (known as "thumb drives") comes a greater risk of information theft. If you travel with a thumb drive, try not to store sensitive information on it. If you lose the drive or if the drive is stolen it's easy for anyone to access that information. Thumb drives can also carry viruses, so remember to update the antivirus software on your computer.
For more information visit Online safety resources and research.
Logins and Passwords
Authentication requirements are normally established by local agency policy. Your login and password should be considered the 'lock and key' not only to local information but to every piece of information you can access on your network. That is why it is so critical that logins and passwords are kept safe and never shared; they should also be complex, difficult to guess, and changed frequently. Be aware that if a compromise occurs using your credentials, you may be held accountable.
Passwords
Creating and remembering strong passwords -- like backing up our computers' contents -- is something many of us know we should do, but don't. Having to come up with usernames and passwords for virtually everything we do on a computer is enough to make anyone use "Magic123" over and over. However, with a little time and some discipline, you can create strong passwords and do a better job managing them.
A good password is one that's hard to guess, yet easy to remember. So here are the top 10 ways to choose a password, in roughly increasing difficulty. If you don't use any of the first 5, you're well on your way. The stats are very rough estimates (for comparison purposes, an 8-character password is used for most calculations):
Default (same as none):
Many programs and services assign a default password. Change this to a new password immediately. Examples: password, superuser
10 Common passwords:
god, love, lust, money, private, qwerty, secret, sex, snoopy, password
Personal info:
- your name, initials, location (zip code), birthday, pets, license plate, family/friend's names (including maiden), locations, birthdays, word/number combinations of any of the above
- Ego-related; examples: guru, master, wizard
- Favorite: Music (group names, albums), Fiction/Nonfiction/Comic books/characters, Movie/TV/Cartoon characters & titles
- Dumb Hollywood movie; people think all passwords are of this variety
Categories:
- Double-words; examples: kittykitty, johnjohn
- Funny/nonsense/jargon words; examples: wassup, bzzzzz, foobar
- Insults; examples: biteme, eatdirt
- Keyboard sequences; examples: asdfg, qweasd, poiqwe
- Obscene words; examples: (use your imagination)
- Passwords based on host name (for people with lots of passwords) for example, if the system is named 'cat' an obvious password is catpass
- Reversals; examples: terces, wordpass, nhojnhoj
Dictionary & Foreign Language words:
- If you can find your word in a dictionary, it's not a very good password, this includes words in foreign languages.
Mixed-Case Dictionary Words (alternating UPPER-lower case letters):
- Examples: paSSworD, PLaceBO
- Stats: If a word has 2 letters, there are 4 (2^2) ways to capitalize it (at, At, aT, AT). If a word has 8 letters, there are 256 ways. Similar combinations (2^letters) apply to each word in the dictionary.
Mixed-case Word with Number(s):
- Examples: 9fiNgeRS, loVELy68
- Stats: Tacking on a number from 0-9 before or after a word gives 20 more variations to the password. Using 00-99 before or after the word, gives 200 variations.
Mixed-case Word(s)/Letter(s):
- Combining words and/or extra letters. Examples: GUessTHis, BiKeFisH
Mixed-case Words/Numbers/Letters:
- Examples: No50WaY2, puT863MoX
- Variant: Hacker/IRC/License-plate jargon
- Examples: H4x0rD00dZ, UR2good4Me, FXR1stR8
- Stats: OK, my mind's swimming; there are somewhere around 218 trillion (62^8) 8-letter/number passwords. It takes an average of 5 seconds to crack this kind of password on a Windows machine; considerably longer on BSD or Linux.
Random characters:
- Examples: qs3UIs82, k38#0J$dA
- Note: some programs and services only allow letters and numbers, some include dashes ('-'); the best allow any character
In general no password is un-crackable. The best you can do is make it difficult and non-trivial to determine your password. Whatever method you choose, it's a good idea to change your password often. The more important the password, the more often it should be changed. Why? If someone is attempting a brute-force attack on your password, the hope is that you're changing it to something they've already tried and found to be wrong. The longer the password, the harder it is to 'guess'.
Some clever people are foregoing brute-force hacks (e.g. dictionary attacks), in favor of 'social engineering' to obtain passwords. If somebody calls or emails, requesting your password, it's a dumb idea to give it to them. Of course nobody would sticky-note a password to their monitor, or under a keyboard!
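The weak categories listed above (default, common, personal info, host name, double-words, reversals, dictionary words, keyboard sequences) turned into a check, with the keyspace stats carried through. This is an added Python example, not the KISO page's own material: the common-password and default lists are the page's, while the small dictionary, the personal-info entries and the 100,000-word dictionary_size are constructed assumptions.

```python
import string

# The page's own lists, plus a small constructed stand-in for a real word list.
DEFAULTS = {"password", "superuser"}
COMMON = {"god", "love", "lust", "money", "private", "qwerty", "secret",
          "sex", "snoopy", "password"}
DICTIONARY = COMMON | {"kitty", "john", "place", "fingers", "lovely", "guess",
                       "this", "bike", "fish", "cat", "pass", "word"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
DIGIT_VARIANTS = {0: 1, 1: 20, 2: 200}   # 0-9 or 00-99 tacked on before or after a word


def _keyboard_run(low, length=4):
    """True if four or more consecutive characters walk along one keyboard row."""
    for row in KEYBOARD_ROWS:
        for i in range(len(low) - length + 1):
            chunk = low[i:i + length]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def weak_categories(password, personal=(), hostname=None):
    """Names of the weak categories above that the password falls into ([] if none).

    personal: constructed per-user facts (names, zip code, plate, ...);
    hostname: the system the password is for, to catch 'catpass'-style choices."""
    low = password.lower()
    cats = []
    if low in DEFAULTS:
        cats.append("default")
    if low in COMMON:
        cats.append("common")
    if any(p and p.lower() in low for p in personal):
        cats.append("personal info")
    if hostname and hostname.lower() in low:
        cats.append("host name")
    half = len(low) // 2
    if len(low) >= 4 and len(low) % 2 == 0 and low[:half] == low[half:]:
        cats.append("double-word")
    if low[::-1] in DICTIONARY:
        cats.append("reversal")
    if low in DICTIONARY:
        cats.append("dictionary word (any casing)")
    stripped = low.strip(string.digits)
    if stripped != low and stripped in DICTIONARY:
        cats.append("dictionary word plus digits")
    if _keyboard_run(low):
        cats.append("keyboard sequence")
    return cats


def naive_keyspace(password):
    """Character-class estimate: 8 letters/digits gives 62**8, the ~218 trillion above."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(c in string.punctuation for c in password):
        classes += len(string.punctuation)   # 32 on a US keyboard
    return classes ** len(password)


def effective_keyspace(password, dictionary_size=100_000):
    """What a dictionary-based search actually faces, using the stats above: a word of n
    letters has 2**n capitalizations, and 0-9 or 00-99 tacked on multiplies by 20 or 200.
    dictionary_size (an assumption) stands in for the real word list; anything that is not
    a dictionary word plus at most two digits falls back to the naive estimate."""
    low = password.lower()
    word = low.strip(string.digits)
    digits = len(low) - len(word)
    if word.isalpha() and word in DICTIONARY and digits in DIGIT_VARIANTS:
        return dictionary_size * 2 ** len(word) * DIGIT_VARIANTS[digits]
    return naive_keyspace(password)


if __name__ == "__main__":
    for candidate in ["kittykitty", "terces", "9fiNgeRS", "No50WaY2", "k38#0J$dA"]:
        print(candidate, weak_categories(candidate, hostname="cat"),
              naive_keyspace(candidate), effective_keyspace(candidate))
```

The point the numbers make: 9fiNgeRS looks like a 62^8 password but a dictionary-driven search needs only dictionary_size × 2^7 × 20 candidates.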
Acceptable Use of Email and the Internet
It is important to know that in the absence of a local policy, Information Technology Policy 1200 prohibits the use of the Internet for anything other than official State business. For those agencies permitting employees other use of the Internet, it is important to remember that we as state employees have an inherent responsibility to protect the information with which we are entrusted and every time we use the Internet we are, to some degree, putting that information at risk.
Social Engineering
Social engineers don't even need to be particularly technically savvy; it's their "people skills" that get them in where they aren't supposed to be. They use charm, intimidation or trickery to convince others to disclose information that compromises the security of the network. Most employees have no reason to question someone who seems to have a legitimate reason for asking, but this is where we all need to change our habits with regard to information disclosure. As an employee, ensure that you've read and understand all policies and regulations regarding release of information, learn to be skeptical, and if you're unsure don't be afraid to ask your supervisor.
Physical Security
From the physical security perspective, there are just a few commonsense things that we should practice. First, know who works in your area; don’t allow strangers to wander around unattended. Second, if access to critical areas is controlled by a keycard locked door, don’t allow ‘tail-gaters’; ensure those behind you use their keycard. If you use a laptop, or carry removable media, never leave it unattended in a common-use or public area, keep them locked up when not in use or at least out of sight.
Shopping Online
If you don't know an online retailer by its brand or reputation, these tips can help you determine whether they're operating a secure and trustworthy Web site before you enter your credit card number or personal information.
Before you select a store
- Do a background check. Look for a physical address (not a Post Office box), request a catalog by mail, or call and talk to a company representative.
- Explore the Web site for third-party seals of approval such as:
  Companies can put these seals on their sites if they abide by a set of rigorous standards, such as how complaints and disputes will be resolved and how personal information can be used. If you don't readily see these seals on the site, look in the privacy policy or "Terms & Conditions" which should be clearly posted on the site.
  Tip: If you do see the seals above, click them to make sure they link to the organization that created them. Some unscrupulous merchants will put these logos on their sites without permission, and they're less likely to get caught if they don't link back to the site.
- Find out what other shoppers have to say about an online store on comparison sites such as Epinions or Bizrate. These sites have customer evaluations built into their design with a number of smiley faces or stars.
- Review their shipping methods and policies to determine what carriers they use, their shipping rates, and if they provide tracking and insurance. Also find out where they ship from; goods are sometimes sent from international locations, which require customs and extra time.
Before you enter your credit card number
So, you've found the perfect item at the perfect price and you're ready to make the purchase. Before you enter your credit card number, make sure the store you've chosen abides by these rules.
- The company should only require personal information that's necessary to complete the purchase. You will probably enter your credit card number, address, and telephone number. Be wary if they ask for other information such as your Social Security number, bank account numbers, or your mother's maiden name.
- Note: Some reputable companies might ask for your interests by having you check certain boxes. This information should not be required to complete the purchase.
- The Web site should use secure technology. When you get to the screen where you enter your credit card number or other personal information, make sure that the Web address begins with https (for example, https://www.tailspintoys.com/) and check to see if a tiny locked padlock appears on the screen.
If you use Internet Explorer 7 you will get another layer of protection with sites that use Extended Validation (EV) SSL certificates. The address bar should turn green to alert you that there is more information available about the Web site. The identity of the Web site owner is also displayed on the address bar.
An EV SSL certificate not only helps ensure that the communication with a Web site is secure, but also includes information about the owner of the Web site, which has been verified by the Certification Authority (CA) issuing the SSL certificate.
Update your Web browser
Most browsers today include improved security features that make it easier to see which sites provide more secure data exchange, so you can shop and bank online with confidence. Check with your browser's manufacturer to learn more.
Trust your instincts
If a site matches all the criteria above, then there's a good chance that the site is both legitimate and reliable. But as with most things online or off, if you get a bad feeling about a store, skip it and shop somewhere else.
Social Networking Sites
Social networking Web sites like Facebook, Twitter, and Snapchat are services people can use to connect with others to share information like photos, videos, and personal messages.
As the popularity of these social sites grows, so do the risks of using them. Hackers, spammers, virus writers, identity thieves, and other criminals follow the traffic.
Read these tips to help protect yourself when you use social networks.
- Use caution when you click links that you receive in messages from your friends on your social Web site. Treat links in messages on these sites as you would links in e-mail messages. (For more information, see Approach links in e-mail with caution.)
- Don't trust that a message is really from who it says it's from. Hackers can break into accounts and send messages that look like they're from your friends, but aren't. If you suspect that a message is fraudulent, use an alternate method to contact your friend to find out. This includes invitations to join new social networks.
- To avoid giving away e-mail addresses of your friends, do not allow social networking services to scan your e-mail address book. When you join a new social network, you might receive an offer to enter your e-mail address and password to find out who else is on the network. The site might use this information to send e-mail messages to everyone in your contact list or even everyone you've ever sent an e-mail message to with that e-mail address. Social networking sites should explain that they're going to do this, but some do not.
- Type the address of your social networking site directly into your browser or use your personal bookmarks. If you click a link to your site through e-mail or another Web site, you might be entering your account name and password into a fake site where your personal information could be stolen.
- Be selective about who you accept as a friend on a social network. Identity thieves might create fake profiles in order to get information from you. This is known as social engineering.
- Choose your social network carefully. Evaluate the site that you plan to use and make sure you understand the privacy policy. Find out if the site monitors content that people post. You will be providing personal information to this Web site, so use the same criteria that you would to select a site where you enter your credit card.
- Assume what you write on a social networking site is permanent. Even if you can delete your account, anyone on the Internet can easily print the information or save it to a computer.
- Be careful about installing extras on your site. Many social networking sites allow you to download third-party applications that let you do more with your personal page. Criminals sometimes use these applications in order to steal your personal information. To download and use third-party applications safely, take the same safety precautions that you take with any other program or file you download from the Web. For more information, see Before you download files, help protect your computer.
- Think twice before you use social networking sites at work. For more information, check your agency's Social Media policy.
- Talk to your kids about social networking. If you're a parent of children who use social networking sites, see How to help your kids use social Web sites more safely.
For more information:
Online Payment Services
It’s not always easy to tell who's at the other end of your online transaction when you hand over your credit card number. Fortunately, you can use a third-party payment service to make paying for things online a little easier and safer.
What is a third-party payment service?
When you use a third-party payment service, you transfer money into an online account and make payments from that account. That way, you never expose your real credit card or bank account information. The most popular of these services in the U.S. is called PayPal (owned by eBay), but there are others such as Amazon.com Payments. You can use these third-party payment services to:
- Make purchases on online auction sites.
- Purchase products from small Web sites.
- Donate money to different causes.
- Send money to anyone with an e-mail account (certain services only)
Choosing a payment service
If you've already won an auction, you might be limited to the payment choices the seller or the auction site selects. For example, many eBay sellers only accept PayPal and many Amazon.com Auctions sellers only accept Amazon.com Payments.
If you have a choice, follow these tips to choose a more secure service:
- Read the privacy policy and make sure you agree with it. If you don't, go elsewhere.
- Check for a stamp of approval from the Better Business Bureau (BBB) or TRUSTe.
- Find out what others say about the service: check comparison sites such as Epinions or Bizrate.
Using payment services more safely
Some ways to use third-party services more safely include:
- Never respond to e-mail messages from third-party payment services asking you to confirm account details, such as passwords or other personally identifiable information. These e-mail messages could be an identity theft scam, such as phishing.
- Type the address of the payment service directly into your browser or use your personal bookmarks. If you need to update your account information or change your password, visit the Web site by using your personal bookmark or by typing the URL directly into your browser.
- Check if the seller has been a verified member of the payment service for a few months or more. Some sites also allow you to check the seller's rating—although these ratings cannot be guaranteed, they can be helpful.
- Never use your account to transfer money for someone else that you don't know. This might be an advanced fee fraud. To learn more, see Don't be fooled by that easy money e-mail hoax.
- Be more careful when you purchase very expensive items, such as jewelry or computers, especially around the holidays and for items that are sold out in stores.
Downloading
Downloading files can include installing programs from a CD, opening pictures or links to Web sites from e-mail, copying documents and spreadsheets from the company network, upgrading software acquired from the Web, or transferring music files from a computer half a world away.
Files you download could be just what you expect, but they might also be a vehicle for malevolent intent. Malicious software (also called malware) is software that can harm you or your computer; it can include viruses, worms, spyware, and other unwanted programs.
Before you download files, make sure you are as protected from unwanted software as you can be.
Keep your software safety net up-to-date
- Update your PC automatically. If you use Windows, Automatic Updates delivers updates to your computer automatically, so that's the easiest and most reliable way to make sure that you get new security and other high-priority updates as soon as they become available. All operating systems have some form of automatic updates; find out what applies to your system.
- If you don't want to use automatic updates, remember to manually update your software regularly.
- Regularly download the latest antispyware and antivirus updates, and then scan your computer right away. To do this, subscribe to the program's update service. You can set most of these programs to actively (even automatically) monitor for and help stop spyware and virus intrusions.
Improve your computer's overall security
- Lay the protective groundwork. Use a firewall, keep your operating system updated with the latest security updates, and use both antivirus and antispyware programs.
- Set your antivirus program to scan all incoming files and e-mail attachments before you open them. This is different for every antivirus program, so consult the manual or online Help for instructions.
- Use a spam filter. Many e-mail programs offer filters that can help block unwanted messages.
- Install and run a program to help detect and remove spyware. Some Internet Service Providers (ISPs) include antispyware software as part of their service.
Protecting Your Family
The ever-evolving world of technology has created an entirely new discipline for protecting our families. No longer is “keeping the doors locked” a sufficient way to protect ourselves, let alone the ones we love. Fortunately, there is a mountain of information and tools available to help us deal with this new threat.
These are just a few of the many Web sites that provide tools and resources to help you protect your family:
Cybersecurity Informational Videos
| Title | Link |
|---|---|
| Endpoint Detection and Response Presentation | https://youtu.be/wzwP_Zpecl0 |
| Personal Cybersecurity | https://youtu.be/5sq0GGOA-F8 |
| Credit Card Threats and Protection | https://youtu.be/__Dznjncn3o |
Cybersecurity Basics - Work
Viruses, worms, spam, phishing and more: there’s so much to worry about every time you turn on your PC, so where should you start in protecting yourself online and the data on your PC? The answer is easier than most people think. First, secure your PC with a firewall, antivirus and antispyware software, and always keep your PC updated with the latest patches. Second, follow some simple rules with regard to email and surfing:
- Never open email attachments from anyone you don’t know
- Don’t use the email preview pane; viruses can be activated simply by using this feature
- Never provide personal information to an email request
- Limit who gets your email address
- Disable graphics in email
- Report Spam
- Be skeptical of all attachments, even from those you know; send them a clean email asking them to confirm they sent it
Surfing
- At work, know your organization’s acceptable use policy
- Always close advertising popup windows using the red “X”; selecting anything else may activate any attached application
- Only use browsers that support encryption
- Always read privacy statements before downloading any software or providing any information
Cyber Incident Reporting
What if...
I think I'm infected, what should I do?
At work—Stop and call technical support. Do not attempt to clean or cover up anything, as this usually makes the problem worse or at least more difficult to troubleshoot and correct.
At home—Follow these procedures; these instructions provide an excellent step-by-step process for evaluating your PC and in the event something is found, it will provide a process for cleaning your PC (be aware that not all malicious software can be removed, in which case the only course of action is to reload your PC).
I'm receiving too much spam, what can I do?
At work—Contact your technical support.
At home—Computer Hope provides a comprehensive approach to minimizing spam; you can access this information here.
My computer is running very slowly; what can I do?
At work—contact technical support.
At home—there are several things that could cause a PC to run slowly; however, since this is a security site, the focus here will be to evaluate your PC for viruses or malicious software. Follow these procedures; these instructions provide an excellent step-by-step process for evaluating your PC and, in the event something is found, a process for cleaning your PC (be aware that not all malicious software can be removed, in which case the only course of action is to reload your PC).
My computer is being controlled by someone else?
At work—follow local security policy procedures, but in the absence of procedures, immediately stop what you’re doing and contact technical support. If sensitive information is being revealed, disconnect the PC from the network, but do not turn it off, as critical forensic information may be lost; then contact technical support.
At home—should you find your home PC being controlled remotely, remove it from the network. In this instance the safest course of action is to reload your PC; the reason for this drastic action is that bad guys normally do a good job of hiding back doors. However, if you would rather not do this, you can try to locate and remove the files that are giving the bad guy access by following these procedures. These instructions provide an excellent step-by-step process for evaluating your PC and, in the event something is found, a process for cleaning your PC (be aware that not all malicious software can be removed, in which case the only course of action is to reload your PC).
I inadvertently selected or was redirected to a prohibited site?
At work—don’t panic, just note the date and time, and let your supervisor know what occurred; occasionally we all click on something we shouldn’t have—just don’t make it a habit!
At home—if you find yourself viewing a site you didn’t want anyone in your house to see, consider using parental controls. There are many commercial and free ones to choose from and they work very well at restricting access to questionable material. Use this free tool.
I suspect I’m a victim of fraud, what should I do?
When you use a credit card, you can be vulnerable to fraud, whether you pay online, over the phone, or even in person at your neighborhood grocery store.
If you think you've been the victim of fraud or a scam, immediately follow these steps. The faster you contact the proper authorities, the more likely you are to minimize the damage a scammer can do to your identity, your credit, and your bank account.
Steps to take when you believe you are a victim of fraud
Step 1: Close any affected accounts
Contact the genuine company or organization if you believe you've given sensitive information to an unknown source masquerading as that real company or organization. If you contact the real company immediately, they might be able to lessen the damage to you and others. Then:
- Speak with the security or fraud department about any fraudulently accessed or opened accounts at every bank or financial institution you deal with, including credit card companies, utilities, Internet service providers, and other organizations that have your personal information.
- Follow up with a letter and save a copy for yourself. When you open new accounts, use strong passwords (not passwords based on facts such as your mother's maiden name) along with a new account number.
Step 2: Change the passwords on all of your online accounts
When you change your passwords or open new accounts, use strong passwords. For more information, see Passwords under User Resources.
Step 3: Place a fraud alert on your credit reports
In the United States, contact these three credit bureaus:
- Equifax (800) 525-6285
- Experian (888) 397-3742
- TransUnion (800) 680-7289
For each of the credit bureaus:
- Get a copy of your report (victims of ID theft can receive copies of their credit reports for free) and ask that no new credit be granted without your approval.
- Make sure your account is flagged with a "fraud alert" tag and a "victim's statement," and insist that the alert remain active for the maximum of seven years.
- Send these requests in writing and keep copies for yourself.
- Review the reports carefully. Look for things like inquiries you didn't initiate, accounts you didn't open, and unexplained debts.
Outside of the United States, contact your bank or financial institution, which can direct you to the relevant organization or agency.
Step 4: Contact the proper authorities
In the United States, contact the Federal Trade Commission (FTC).
- File a complaint. If you are a victim of any type of identity theft, you can report the theft by calling the FTC's toll-free Identity Theft Hotline at (877) ID-THEFT or (877) 438-4338. Counselors will advise you on how to deal with the credit-related problems that can result from identity theft.
- Download and print the FTC's Identity Theft affidavit. Fill it out and send it to all the financial institutions at risk to help minimize your responsibility for any debts incurred by those who stole your identity. Your case will be entered in the FTC’s nationwide "Consumer Sentinel" database of ID theft cases, which helps law enforcement agencies find criminal patterns and catch the thieves.
- File a report with your local police department. Get a copy of the police report to notify your bank, credit card company, and other creditors that you are a victim of a crime, not a credit abuser.
Depending on where you live, you might be required to file a report in the jurisdiction where the crime actually took place.
Step 5: Record and save everything
As you complete all these steps to clear up the wrongdoing, always make print copies of documents for yourself, including e-mail messages, written correspondence, and records of telephone calls, and file them somewhere safe.
For telephone or in-person conversations, follow up with dated confirmation letters to the organization, and save a copy for yourself. State in the letter what was covered in the conversation, and list any follow-up items that you or the representative have committed to in the conversation.
Additional Resources
United States:
- National Consumers League - Use the online complaint form or call (800) 876-7060.
- U.S. Department of Justice ID Theft Kit
- Federal Trade Commission's document, Take Charge: Fighting Back Against Identity Theft, which includes sample dispute letters and other recovery procedures.