Computer "Tip of the Day 09-30-09"

- IMPORTANT - IMPORTANT - IMPORTANT - IMPORTANT - IMPORTANT -

--US-CERT Warns of Spam Pretending to be From IRS (September 25 & 28, 2009) The US Computer Emergency Readiness team (US-CERT) has issued an alert warning of a spam attack in which the messages are spoofed to appear to come from the US Internal Revenue Service (IRS) regarding underreported income. The messages encourage the recipients to open an attachment or click on a link to view their tax statement, but the attachment contains malware and the link leads to a malicious website. The IRS warns people not to open attachments in emails claiming to be from the agency. The malware used in this attack is the Zeus Trojan horse program, which is difficult to detect. Zeus is used to help cyber criminals steal money from bank accounts.
http://www.computerworld.com/s/article/9138527/IRS_scam_now_world_s_biggest_e_mail_virus_problem?source=CTWNLE_nlt_dailyam_2009-09-28
http://voices.washingtonpost.com/securityfix/2009/09/irs_scam_e-mail_could_be_costl.html
http://www.us-cert.gov/current/#malicious_code_spreading_via_irs

Computer "Tip of the Day 09-29-09"

IMPORTANT - IMPORTANT - IMPORTANT - IMPORTANT

Security concerns about popup windows and other hacker tricks.

When connected to and using the Internet, do not respond to popup windows requesting that you to click "ok" for anything.

If a window pops up on your screen informing you that you have a virus or spyware and suggesting that you download an antivirus or antispyware program to take care of it, close the popup window by selecting the X in the upper right corner of the popup window. Do not respond to popup windows informing you that you have to have a new codec, driver, or special program for something in the web page you are visiting. Close the popup window by selecting the X in the upper right corner of the popup window.
Most of these popup windows are actually trying to trick you into clicking on "OK" to download and install spyware or other malicious code onto your computer.
Hackers are known to scatter infected USB drives with provocative labels in public places where their target business’s employees hang out, knowing that curious individuals will pick them up and take them back to their office system to "see what’s on them." What is on them is generally malicious code which installs a spy program or remote control program on the computer. Teach your employees to not bring USB drives into the office and plug them into your business computers (or take them home and plug into their home systems). It is a good idea to disable the "AutoRun" feature for the USB ports on your business computers to help prevent such malicious programs from installing on your systems.

Computer "Tip of the Day 09-25-09"

Limit employee access to data and information, and limit authority to install software.


Use good business practices to protect your information. Do not provide access to all data to any employee. Do not provide access to all systems (financial, personnel, inventory, manufacturing, etc) to any employee. For all employees, provide access to only those systems and only to the specific information that they need to do their jobs.

Do not allow a single individual to both initiate and approve a transaction (financial or otherwise).
The unfortunate truth is that insiders – those who work in a business – are the source of most security incidents in the business. The reason is that they already are inside, they are already trusted, and they have already been given access to important business information and systems. So, when they perform harmful actions (deliberately or otherwise), business information, systems, and networks suffer harm.

To better protect systems and information, ensure that all employees use computer accounts which do not have administrative privileges. This will stop any attempt – automated or not – by employees to install unauthorized software.

Computer "Tip of the Day" 09-23

Require individual user accounts for each employee on business computers and for business applications.

Set up a separate account for each individual and require that good passwords be used for each account. Good passwords consist of a random sequence of letters, numbers, and special characters – and are at least 8 to 10 characters long.

To better protect systems and information, ensure that all employees use computer accounts which do not have administrative privileges. This will stop any attempt – automated or not – by employees to install unauthorized software. If an employee uses a computer with an administrative user account, then any malicious code that they activate (deliberately or by deception) will be able to install itself on their computer – since the malicious code will have the same administrative rights as the user account has.

Without individual accounts for each user, you may find it difficult to hold anyone accountable for data loss or unauthorized data manipulation.

Passwords which stay the same, will, over time, be shared and become common knowledge to an individual user’s coworkers. Therefore, passwords should be changed at least every 3 months.

Computer "Tip of the Day" 09-22

Train your employees in basic security principles.

Employees who use any computer programs containing sensitive information should be told about that information and must be taught how to properly use and protect that information. On the first day that your new employees start work, they need to be taught what your information security policies are and what they are expected to do to protect your sensitive business information. They need to be taught what your policies require for their use of your computers, networks, and Internet connections.

In addition, teach them your expectations concerning limited personal use of telephones, printers, and any other business owned or provided resources. After this training, they should be requested to sign a statement that they understand these business policies, that they will follow your policies, and that they understand the penalties for not following your policies. (You will need clearly spelled-out penalties for violation of business policies.)

Set up and teach "rules of behavior" which describe how to handle and protect customer data and other business data. This may include not taking business data home or rules about doing business work on home computers.
Having your employees trained in the fundamentals of information, system, and network security is one of the most effective investments you can make to better secure your business information, systems, and networks. You want to develop a "culture of security" in your employees and in your business.

Typical providers of such security training could be your local Small Business Development Center (SBDC), community college, technical college, or commercial training vendors.

Computer "Tip of the Day" 09-21

Secure your wireless access point and networks.

If you use wireless networking, it is a good idea to set the wireless access point so that it does not broadcast its Service Set Identifier (SSID). Also, it is critical to change the default administrative password. It is important to use strong encryption so that your data being transmitted between your computers and the wireless access point cannot be easily intercepted and read by electronic eavesdroppers. The current recommended encryption is WiFi Protected Access 2 (WPA-2) – using the Advanced Encryption Standard (AES) for secure encryption. See your owner’s manual for directions on how to make the above changes. Note that WEP (Wired-Equivalent Privacy) is not considered secure; do not use it for encrypting your wireless traffic.

Computer "Tip of the Day 09-18"

Control physical access to your computers and network components.

Do not allow unauthorized persons to have physical access to or to use of any of your business computers. This includes locking up laptops when they are not in use. It is a good idea to position each computer’s display so that people walking by cannot see the information on the screen.

Controlling access to your systems and networks also involves being fully aware of anyone who has access to the systems or networks. This includes cleaning crews who come into the office space at night to clean the trash and office space. Criminals often attempt to get jobs on cleaning crews for the purpose of breaking into computers for the sensitive information that they expect to find there. Controlling access also includes being careful about having computer or network repair personnel working unsupervised in office space on systems. It is easy for them to steal many gigabytes of information and walk out the door with it without anyone noticing anything unusual.

No one should be able to walk into your office space without being challenged by an employee. This can be done in a pleasant, cordial manner, but it must be done to identify those who do not have a legitimate reason for being in your offices. "How may I help you?" is a pleasant way to challenge an unknown individual.