Not so very long ago, the Internet was an amusing toy, for some a tool, that we used now and then. Today it is an integral part of our lives. From laptops to smartphones to iPods, for many of us the cyber world is as real as the physical world.
The bad news is that it comes with its own set of risks. The good news is that it comes with its own set of safety measures, too. No matter where you access the Internet, there are simple guidelines you can follow to stay safe.
Fannin Bank is here to help you get started, and has put together a list of industry best practices to help you build a solid foundation for being safer online.
All of us here at Fannin Bank know the value of family and the importance of keeping them safe. We put together some tips to help you keep yourself and your family safe online.
Best Practice for Parents
Create rules for Internet use in the home.
Set reasonable rules and guidelines for computer use by your children and post them near the computer as a reminder. Be sure that the rules are being followed by everyone in the household.
Know what your kids are doing online.
Check the Internet history to see which sites your child is visiting. Use filtering and monitoring software on your computer. Remember, it's your family, and you have the power and responsibility to keep an eye on what your kids are doing.
Use the Internet with your kids.
Spend time letting your kids show you what they do online. This can be a great learning experience for both of you. If your kids know something about the website or the Internet that you don’t, ask them.
Don’t allow solitary surfing.
Keep your computer in an open and public room and position the monitor so that it can be seen by anyone in the room. Do not allow your kids to have a computer with Internet access in their room.
If you agree to let your child meet an online buddy in person, go with them.
Be sure to meet in a public spot, and let the buddy know you will be accompanying your child. If the online buddy is against meeting this way, it’s a tip-off that you probably don’t want them meeting anyway.
Don’t rely solely on technology as a substitute for you.
Technology will never replace good parenting. It’s important that we talk to our kids about the dangers that they face online and help them to understand the safeguards that we put in place to protect them.
Best Practice for Kids
Keep all of your personal information to yourself.
Information like your address, telephone number, or even where you go to school and what you do afterwards can lead to a dangerous situation down the road.
Never give out your picture or post it online.
Your image is everything; don’t let someone destroy it. Anything you send could be altered and then given to other people.
Always use a neutral screen name.
It is important that your username not reveal any personal information such as your age, sex, or location.
Don’t give out passwords to anyone other than your parents.
Your password can be used in a variety of ways that may hurt you. If you think that someone may know your password, change it.
Don’t trust everyone you meet online.
Some people are not who they say they are. For instance, someone online could claim to be 12 and really be 50.
If you come across anything that makes you uncomfortable, tell your parents.
This includes pictures, messages that are mean, or anything else that makes you feel uncomfortable.
Ask your parents before meeting an online buddy in person.
Meeting an online buddy in person is risky. If your parents agree to the meeting, be sure to meet in a public place and bring them with you.
At Fannin Bank we know how important your business is. No business is created by magic. It takes creativity, commitment, and most of all, a lot of hard work. Consider, for example, all the elements it takes to protect a business: burglar alarms, fire insurance, and maybe security guards with fierce dogs.
You need to make sure that you have given the same consideration to cyber security that you have to physical security. You are not the only stakeholder in your business's security; there are also your vendors, your employees, and your customers. A breach in your network can mean loss of money, loss of information, and loss of trust.
Fannin Bank knows your business is an integral part of our community, and our community can't thrive without you. To help you build a good cyber security plan, Fannin Bank has compiled a list of industry best practice standards.
Key Security Components
"Although you cannot make it completely immune to attacks, there are ways to improve the overall security of your system to make it less vulnerable." - CERT Coordinator Center, Carnegie Mellon University
Identify your risks.
Determine what your company’s most critical information assets are, and spend your time and energy protecting what is most important.
Get the CEO involved.
Good security has to start from the top, with executives who help create a corporate culture that values security.
Put someone in charge.
Security is a complex job, so make sure someone is in charge of coordinating security efforts.
Develop and implement a security policy.
Establish guidelines for how your company handles and protects its data —from who makes sure software patches are installed, to how employees access their e-mail on the road, to how often passwords should be changed.
Educate employees and raise awareness.
Make security awareness an ongoing project. Employees need to understand why their role is so critical.
Have a security audit done.
Hire an independent third party to evaluate your security posture, and then use the recommendations made by the auditor.
Incorporate physical security into the plan.
The best security technology in the world will not do any good if a well-meaning employee lets the wrong person into the server room.
Remember internal threats.
Most attempted hacks come from the outside, but most successful ones start with people who have inside knowledge. Have a process in place to disable or delete user accounts as soon as employees quit or are let go.
Stay tuned in.
Make sure someone keeps track of new developments in information security, including new vulnerabilities and attacks.
Prepare for the worst.
Create an incident response plan to help you save time in the event of a security problem. This will lay out who needs to be involved, what their jobs are, and how you will minimize the damage.
Create and Maintain a Risk Assessment
Performing a risk assessment of your systems is a vital part of a strong security program. Knowing what you do and how you do it is the first step to understanding the risk involved. To create a risk assessment you can start with a spreadsheet. One of the best ways to start is to create column headers. Example header titles would be: Customer Information System, Threat or Vulnerability, Incident Response, Threat Probability, Impact, Controls and Other Risk Mitigation Factors, Control Factor Rating, and Total Risk Rating. You can adjust the eight column headers listed above to better suit your individual needs. This will give you a starting point.
Customer Information System is where you list the software, service, or product you use or provide to others. This is an important step: it forces you to identify every system you use daily. Threat or Vulnerability is how the system could be misused or exploited by someone who does not have your best interests in mind. Incident Response is what you will do in the event that something listed in the previous column happens. Threat Probability is simply how likely this is to happen to you. Impact, much like Threat Probability, is how much damage it would cause your business. Controls and Other Risk Mitigation Factors: simply list the physical and logical controls you have in place for this system. Control Factor Rating is a score you give each system based on the number and types of controls in place. Total Risk Rating combines the probability, impact, and control numbers into a single score, as described below.
For our example we have a customer database. This database contains all the information you have on each customer: name, address, phone number, billing and account numbers. This would be a critical system for your day-to-day operations; without it you are not going to be able to do much. The next question is what threats face this system: unauthorized access by employees or hackers. After that we ask what they could do with this information: steal it and use it to commit identity theft against each customer in your database, send fake bills to your customers, or delete the database. These are just a few examples to help you get started. Now that we know which system is critical and what the threats are, we can fill in our Incident Response. Having the steps laid out before a breach happens will make your life much easier in a stressful time. Just list what you plan to do, if anything, for this system. If you have nothing, say so. The goal of the risk assessment is to find your weak areas and ways to improve them.
So far we know which system is critical to our daily operations. We also know which threats can affect our daily operations for this system and what we will do if one of those threats occurs. Now we need to figure out how likely this is to happen. We need a scale to measure this by, and one of the easiest ways is to use numbers. For our scale we will use 1 to 5, with higher numbers representing greater probability. We also need to define what each number represents: 1 = Very Low, 2 = Low, 3 = Medium, 4 = High, 5 = Very High. Make a key that explains each number on the scale so you don't forget. For our example let's mark our Threat Probability as 2. The controls you list under Controls and Other Risk Mitigation Factors will influence the number you place in this column: the more controls, the lower the likelihood.
Impact is how hard this event would hit you. Like our number scale for Threat Probability, we will use 1 to 5, with higher numbers representing higher impact to our business. Loss of access to a customer database would have a large impact on day-to-day operations. For our example let's go with a five.
Under Controls and Other Risk Mitigation Factors we want to list all controls currently in place to prevent damage. This includes passwords and the policy around them, such as complexity, expiration, and user access rights. Does every user need administrative rights in the system? No; not every user should have full administrative rights. Review your user rights at least annually. Do you have a backup program in place? What physical controls secure the equipment? Once we have our controls listed it is time to assign them a value. This works like Impact and Threat Probability, except that a higher number means a lack of controls and the scale is a little different: 1 = No significant controls implemented, 0.75 = Some controls have been implemented, 0.5 = Significant controls have been implemented, and 0.25 = Appropriate controls have been implemented. The controls for our example are: 10-character passwords that require numbers and letters, with at least one upper-case and one lower-case letter; passwords change every 90 days and accounts lock after 3 failed attempts; dual control for admin rights; user access reviewed daily; and a backup program that is in place and tested. With these controls we can give a rating of 0.5.
The final step in the risk assessment is to figure out the Total Risk Rating. We do this by adding the Threat Probability rating and the Impact rating together; the sum of those two components is then multiplied by the Control Factor Rating to obtain the risk rating. In our example we listed Probability as 2 and Impact as 5, giving a total of 7. Now we multiply 7 by our control rating of 0.5 to get a risk rating of 3.5. We now know our risk number, but what does it mean? We need a scale to judge this number by. This scale works just like the others, but runs from 1 to 10: a score of 1 to 3.75 is Low risk, scores of 4 to 6.75 are Moderate risk, and scores of 7 to 10 are High risk. (Because the sum is a whole number and the control rating is always 1, 0.75, 0.5, or 0.25, the formula never produces a score in the gaps between those bands; the lowest possible score, 0.5, counts as Low.) Follow these steps for each type of system you use in your day-to-day business. Other systems to include are payroll, online banking accounts, billing software, inventory management, and vendors that provide services to you. With a risk assessment you can find out which areas are mission critical to your business and which are not. You may find mission-critical systems with high risk. If you can't get the risk down by adding controls, you need to decide whether this system is right for you and your risk appetite. You should perform a risk assessment at least annually to ensure nothing is overlooked. Threats and controls change all the time, and so should your risk assessment.
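The worksheet above, carried through in code as an added example (this is not part of the Fannin Bank page). It implements the page's own scales and formula, scores a register of several systems rather than just the customer database, and answers the closing question, which control level would bring a system down to Low risk. The rows in SAMPLE_REGISTER are constructed for illustration and are not data from the page.

```python
"""Risk-register calculator for the worksheet described above.

Added example, not part of the Fannin Bank page. The scales and formula are
the ones the text defines; the SAMPLE_REGISTER rows are constructed here and
are not data from the page.
"""
from __future__ import annotations

from dataclasses import dataclass

# Control Factor Rating values from the text, ordered from weakest to strongest.
CONTROL_FACTORS = {
    "none": 1.0,          # no significant controls implemented
    "some": 0.75,         # some controls have been implemented
    "significant": 0.5,   # significant controls have been implemented
    "appropriate": 0.25,  # appropriate controls have been implemented
}
BANDS = ("Low", "Moderate", "High")


@dataclass
class Assessment:
    system: str
    threat: str
    response: str
    probability: int      # Threat Probability, 1 (Very Low) .. 5 (Very High)
    impact: int           # Impact, 1 (Very Low) .. 5 (Very High)
    controls: list[str]   # Controls and Other Risk Mitigation Factors
    control_level: str    # key into CONTROL_FACTORS

    def __post_init__(self) -> None:
        for name in ("probability", "impact"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{name} must be 1..5, got {getattr(self, name)}")
        if self.control_level not in CONTROL_FACTORS:
            raise ValueError(f"unknown control level {self.control_level!r}")


def risk_rating(probability: int, impact: int, control_factor: float) -> float:
    """Total Risk Rating = (probability + impact) * control factor."""
    return (probability + impact) * control_factor


def risk_band(rating: float) -> str:
    """Map a rating to Low / Moderate / High.

    The text's bands are 1-3.75, 4-6.75 and 7-10. Because the sum is a whole
    number and the factor is one of 1, 0.75, 0.5, 0.25, a rating can never
    fall strictly between 3.75 and 4 or between 6.75 and 7, so the simple
    '< 4' and '< 7' tests reproduce the bands exactly; the smallest possible
    score, 0.5, is treated as Low.
    """
    if rating < 4:
        return "Low"
    if rating < 7:
        return "Moderate"
    return "High"


def assess(a: Assessment) -> dict:
    rating = risk_rating(a.probability, a.impact, CONTROL_FACTORS[a.control_level])
    return {"system": a.system, "rating": rating, "band": risk_band(rating)}


def build_register(assessments: list[Assessment]) -> list[dict]:
    """Score every row and sort so the highest-risk systems come first."""
    return sorted((assess(a) for a in assessments), key=lambda r: r["rating"], reverse=True)


def weakest_control_for(probability: int, impact: int, target: str = "Low") -> str | None:
    """Weakest control level that brings this system down to the target band.

    Supports the 'can I get the risk down by adding controls?' decision. With
    the page's scales an answer always exists, because (p + i) * 0.25 <= 2.5.
    """
    for level, factor in CONTROL_FACTORS.items():
        if BANDS.index(risk_band(risk_rating(probability, impact, factor))) <= BANDS.index(target):
            return level
    return None


# Constructed sample register (assumption: these rows are illustrative only).
SAMPLE_REGISTER = [
    Assessment("Customer database", "Unauthorized access by employees or hackers",
               "Restore from backup; notify affected customers", 2, 5,
               ["10-char complex passwords, 90-day expiry", "lockout after 3 failures",
                "dual control for admin rights", "tested backups"], "significant"),
    Assessment("Online banking account", "Corporate account takeover via malware",
               "Call the bank; freeze outgoing ACH/wire", 3, 5,
               ["dual control on transfers"], "some"),
    Assessment("Payroll", "Fraudulent direct-deposit changes",
               "None documented yet", 4, 5, [], "none"),
    Assessment("Inventory management", "Data loss", "Restore from nightly backup",
               2, 2, ["nightly backups", "locked server room"], "appropriate"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_REGISTER):
        print(f"{row['system']:<24} {row['rating']:>5.2f}  {row['band']}")
    print("Payroll needs at least:", weakest_control_for(4, 5))
```

Running it lists payroll first (9.0, High), then the online banking account (6.0, Moderate), the customer database from the text (3.5, Low) and inventory (1.0, Low), and reports that payroll needs "appropriate" controls (factor 0.25) before it scores Low. The register sorts by rating rather than by band so that two systems in the same band are still ordered by how much of the band they use up.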
Policies & Procedures
The first step in securing your network is to define how your company intends to manage and protect its information and resources. Such decisions depend upon things like the nature of your information and the cost of security. But regardless of your final decisions, your security practices should be written down and shared with all your employees.
Policies are the overall company attitudes and intentions. For example, "It is the policy of XYZ Company to back up our data nightly and store this backup at an offsite facility." Procedures, on the other hand, are step-by-step instructions, with the responsibility for each step carefully delineated.
Policies and procedures should be tailored to fit your specific environment, but should deal with such topics as:
The level of privacy an employee can expect on a company computer.
Which employees have access to which systems.
What to do when you suspect an intrusion.
Steps to take when an employee leaves the company.
Security policies and procedures should be documented and consistently enforced, and users should know their obligations for protecting the company's network. Users include all who have authorized accounts on your system. They can play a vital role in detecting signs of intrusion.
How do I get policies and procedures?
You can create your own policies and procedures, have them written for you by a consultant, or purchase them already written. There are several sources on the Internet that can help you:
About.com: Human Resources
The SANS Security Policy Project
Good website on overall security considerations:
CERT Tech Tips
When designing your business's network practices, have written documentation of everything. Every program you buy, every upgrade you install, and every modification you make needs to be documented. Also, you should have written policies on how to react before, during, and after any security breach is discovered.
Your policies should be updated frequently, and cover such items as:
How often to upgrade firewalls.
How often to upgrade anti-virus software.
How often to do data backups, and where they should be stored.
Contacting law enforcement and your financial institution immediately if a security problem is discovered.
Follow these guidelines to minimize your business's risk of intrusion.
Keep backups of all operating system software.
Keep backups of all important data.
Maintain software to recognize attacks and audit defensive steps.
Make sure all audit trails are turned on.
Be aware that there are potential intruders that may be "sniffing" your network.
Routinely test your network for vulnerabilities.
Change passwords frequently, and cancel them for employees who leave the company.
Passwords should require combinations of letters, numbers, and other characters; these are harder to guess or crack.
Minimize the number of modems on your system.
Your business is at risk. Computer crimes, cyber terrorism, physical disasters (theft and vandalism), and natural disasters (tornadoes, floods, power failures) —any of these can cause a complete loss of your operating information: customer names, inventory lists, accounts receivable records, etc.
"40% of businesses that experience a disaster never recover." - Peter Browne, V.P., Predictive Systems' Global Integrity
And those that do recover often take years to get back to their pre-disaster operating level.
Disaster Recovery Plans are helpful, but those take effect too late. You need a plan that starts before there is a disaster, to ensure that your business not only recovers, but also continues to operate smoothly.
Business continuity is the name given to the entire range of procedures, processes, and activities that you can use to ensure that your business keeps operating when the worst happens. Business Continuity Planners Association contains "some of the best known sites on the Internet that have material on business continuity and disaster recovery, as well as a few other resources you may find useful."
When you determine which level of security is right for your business, ask yourself the following questions:
What will be the effect on my business of being non-operational?
How much will it cost me to be non-operational for an hour? How about a day? A week?
How long am I willing to be non-operational?
How much will it cost to prevent excessive downtime?
Most of the time laptops are stolen for the information they contain, not the hardware. Your laptop may contain bank records and login credentials, as well as sensitive information about your business.
A common laptop theft scam:
Two people at a busy airport target a potential victim—YOU—carrying a laptop computer. After you place your laptop on the security conveyor belt, one of the scam artists sets off the metal detector. While everyone's attention (including yours) is turned toward the individual at the metal detector, the second person picks up your laptop when it appears on the conveyor belt. There might even be a third person who takes the computer as a hand-off and then disappears into the busy crowd. Your laptop is gone before you realize anything has happened.
Tips to help you protect your laptop:
Maintain copies of important data somewhere other than the laptop. You might consider using an external portable storage device.
Be sure to back up all data, and make use of encryption features when you do so.
Exit out of programs prior to shutting down your laptop to avoid data loss and program corruption.
Never handle or manipulate a drive while it is operating.
Use a locking cable to secure your laptop to your desk or workstation.
Carry your laptop with you in a nondescript carrying case, perhaps a backpack. Make sure your carrying case is sturdy, weatherproof, and padded. Keep it with you at all times; never place it on a seat beside you.
When traveling, never check your laptop as baggage.
Never put your laptop on the conveyor belt at a security checkpoint until the person in front of you has successfully passed through the metal detector. Keep a constant eye on it as it enters and exits the X-ray machine. Keep a close eye on the people in front of you and what they are picking up.
Engrave your laptop with your company logo and an identifying number.
Use a disk drive lock to prevent unauthorized access and operation of the computer.
Fannin Bank's mission is to provide you with information and resources for protecting your cyber assets. However, we must always remember that any adequate computer security system begins with proper physical security.
The greatest firewall software in the world is not going to protect your data if your server is stolen.
In deciding on sufficient physical security, the goal is the same as with sufficient cyber security: try to make it so difficult to break in that the would-be criminal decides it's just not worth it. This is called "hardening the target" —not only do you make it difficult to get into, but you also make it appear so formidable that no one even tries.
This Business Security Test can assist you in assessing the level of your own security.
On the surface, piracy doesn't seem to harm anyone. Expensive software applications are sometimes "loaned" between users to avoid licensing costs. In much the same way, digital music has made trading songs online commonplace.
Most of the piracy on the Internet is carried out using Peer-to-Peer (P2P) file-sharing applications such as LimeWire and BearShare, which run on the Gnutella network. These programs make sharing copyrighted files quick, seamless, and virtually anonymous. Unfortunately, they can cause many problems, including inadvertently downloading a computer virus. Most importantly, if they are not properly configured, these programs may share files on your computer that you never intended anyone else to see.
"Peer-to-Peer" file sharing users have inadvertently given banking information to anonymous users online.
There are four specific categories of piracy:
Social piracy is the unauthorized duplication of only the media, not including any of the packaging, original art, label, title, etc. There is no pretense that these are legitimate products. Examples of social piracy include mixed music discs that friends share with one another and software applications that are copied for coworkers.
Counterfeit piracy describes unauthorized copies of media as well as the unauthorized duplication of original artwork, label, trademark, and packaging. Counterfeits are passed off as legitimate and are often used by the pirate for monetary gain.
Bootleg recordings are the unauthorized recordings of live concerts, movies, or musical broadcasts on radio or television.
Online piracy is the unauthorized uploading of copyrighted material to be made available to the public. Downloading copyrighted material from an Internet site or a Peer-to-Peer network is illegal.
In the United States, software pirates can be punished with statutory damages of up to $100,000. If you are convicted of a felony charge of software piracy, you can get up to a five-year prison sentence plus fines of up to $250,000 for each work that is infringed.
How Piracy in the Workplace Can Damage Your Business
Performance may suffer from the lack of user manuals, reference materials, and product support
The company is liable for all pirated materials within its doors
The business may get a bad reputation if found guilty of copyright infringement
The business forfeits all product warranties and upgrades
Viruses introduced by illegal software can damage or even destroy systems
Serial number clashes can cause serious system disruption
Back-ups and recovery are often not possible when there are no original disks
The business receives no assurance of product authenticity or reliability
Using corporate networks for file sharing can be a hazard to network security
Misuse of bandwidth can slow down the entire network
How to Fight Piracy in the Workplace
The first step in fighting piracy is to make sure you don't contribute to it knowingly or unknowingly.
If you are a business owner, create a policy preventing the duplication, distribution, and use of copyrighted materials within your office doors
Create detailed procedures telling employees how to handle original software, and what steps to take to ensure that it is not copied illegally
Buy media only from authorized dealers
If you discover that you might have a counterfeit copy of a software application, movie, or CD, contact the dealer you bought it from. Keep in mind that they may have been fooled, too.
Disaster can strike at any time and in many different ways, whether a national crisis, a weather-induced tragedy, or a cyber attack, and there is often no way to avoid it. Knowing what to do in the event of a catastrophe is crucial for the survival of your business.
Prepare a disaster plan.
Many business owners have not prepared a strategy of what to do in case of a catastrophe. When considering a detailed plan, take into account as many variables as possible. The smallest oversight might damage your company severely. For example, consider the safest locations for your merchandise. Be sure you know how to contact your insurance agent in a hurry. Be familiar with a map of your company's location that includes safety exits and utility connections.
Back up your data, and store it off-site.
Business owners who utilize extensive computer data need to back it up on a regular basis. Back-ups should be safely stored off-site, because if your business is destroyed, you will lose the data as well. Create a schedule for your employees to backup their data regularly.
Be aware of your insurance coverage.
Meet with your insurance agent to make sure that your coverage is up to date. For home-based businesses, make sure that your coverage protects your company's equipment. Consider purchasing guaranteed replacement coverage. This way, you will not have to pay out of pocket if a disaster occurs and destroys your company's equipment.
Be sure to have emergency cash.
If possible, set aside several months' worth of business expenses. In case of an emergency, you'll have money available to pay bills and keep payroll flowing without having to let employees go.
Make everyone at your business aware of your disaster strategy.
Make sure that your employees understand what to do in case of an emergency. You will be depending on them to save your business. Furthermore, make sure that your clients and customers know that you have a contingency plan in case of emergency. This will build their confidence in you and your business.
For more guidelines on preparing a disaster strategy
Visit the U.S. Department of Homeland Security's disaster preparedness web site at Ready.gov.
Corporate Account Takeover is a form of corporate identity theft where cyber thieves gain control of a business bank account by stealing employee passwords and other valid credentials. Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves. Businesses with limited or no internal computer safeguards and disbursement controls for use with the bank's online banking system are vulnerable to theft when cyber thieves gain access to their computer systems, typically through malicious software (malware). Malware infects a business computer system not just through infected documents attached to an email but also simply when an infected Web site is visited.
Businesses across the United States have suffered large financial losses over the last few years from electronic crimes through the banking system. In Texas electronic thefts through banks have ranged from a few thousand to several million dollars! These thefts have occurred in banks of all sizes and locations and may not be covered by the bank's insurance.
Under the Electronic Funds Transfer Act (Regulation E), commercial accounts do not enjoy the same protection from loss due to electronic fraud as personal accounts. Banks are not required to refund money you lose to corporate account takeover. The attackers really are stealing your money, and you could be the one left holding the empty bag.
Network intrusions are a serious threat to all businesses. They can easily cripple an unprepared business.
An intrusion may have already happened without you noticing because your system seems to be operating normally.
Hackers can breach your network's defenses from remote locations, or try to physically break into your organization to access your valuable information. Intruders seek unpatched software vulnerabilities and develop sophisticated programs to rapidly penetrate those systems. An intrusion can be achieved in seconds.
Even if your organization has a comprehensive information security protection system, it is essential that you closely monitor your information assets for signs of intrusion.
You cannot prevent every intrusion, so you need a strategy for handling them that covers preparation, detection, and response.
Firewall
Invest in a quality firewall. A properly configured firewall blocks unsolicited inbound connections, which stops most brute-force attacks against your internal systems, and it can also prevent some forms of malware from sending information home. Invest as well in someone to set up the firewall for you; many companies will do this for a reasonable fee. Firewalls can be tricky to set up, and you need someone who has a good understanding of how network and Internet traffic work.
Web Filter
A web filter is an inexpensive way to monitor and control web traffic on your network. Most web filters on the market today come with a block list of known malicious sites. There are many to choose from, such as Barracuda or CC Proxy.
Stand Alone Computer
Set up a computer that is used only for Internet banking. Do not check email, surf the web, or do anything else on this computer other than your Internet banking business.
If a stand-alone computer is not in the budget, you can use a live CD. A live CD is an entire computer operating system on a CD. Every time you boot from the CD you start from a clean, unmodified system, so malware picked up in one session does not survive into the next.
Authorized Payee Whitelist
By creating a whitelist of authorized payees you help your bank identify suspicious ACH or wire transfers created through the Internet banking system.
Dual Control
Dual control requires two people from your place of business to authorize an outgoing ACH or wire transfer created using the ACH or wire transfer feature in Internet Banking.
Use all Security Measures Available
You should use all security measures made available by your bank. They are there for your protection and cannot help if you do not use them.
It is estimated that one in every three scams in the United States is aimed at a small business owner. Among the variety of scams that they use are directory scams, vendor scams, and of course the Nigerian scam.
Small businesses are a principal target for scam artists of all types.
The Directory Scam
A con artist approaches a small business to ask if they would like to be included in a physical or on-line "business directory" which is being put together. The scam artist might call it a directory of "recommended" businesses. The business owner pays a fee to be included in the directory, and then never sees it or the salesperson again.
Ask to see the most recent copy of the directory or for the directory's URL
Ask to be referred to another business that has been included in past directories
The Vendor Scam
This scam involves a phony office supply company that tries to sell office supplies at grossly inflated prices. These phony companies have generic names like "ACME Office Supplies" or "Office Supply Warehouse." Often they contact you by e-mail, or even show up uninvited at your business. Worse, they may simply send your company an invoice for items that you never ordered and never received.
Make sure that all of your employees know which vendor supplies your office equipment
Be aware of the prices you usually pay for supplies
Follow up on any and all invoices that appear to be suspicious
The Nigerian Scam:
A con artist poses as an official representative of Nigeria or some other foreign country who is looking to launder millions of dollars into the United States. If a business owner passes along their bank account and routing numbers, they will be offered a percentage of the cash smuggled into the country. In reality, funds will likely exit your bank account rather than enter it.
Don't give your bank account information to anyone but a reputable business partner
Most importantly, use common sense when managing your business
With the birth of the Internet there are new ways to communicate, send data from one part of the world to another, and create exciting places to shop, share your stories, and even play games.
The Biggest Risk?
The more we use the Internet, the more likely we are to forget to do the things necessary to keep our data, ourselves, and our families safe online. It is this complacency that we must struggle with every time we sign on.
With all the good things the Internet has to offer there is also a dark side. There are a plethora of cyber-risks that you face anytime that you go online. Learning what the risks are is the first step to becoming safer online.
The term "malware" is short for malicious software and is usually used as a catch-all term to refer to any software that causes damage to a computer, server, or computer network. Some of the most common types of malware are listed below.
Virus:
Self-replicating malware requiring a host file that depends on human action to spread it
Worm:
Self-contained malware, needing no host file, that spreads automatically through networks
Trojan horse:
An apparently useful and innocent application containing a hidden malicious program
Spyware:
A program that secretly monitors your online activity and sends the data back to the programmer
Rootkit:
A malicious program that hides itself by convincing the operating system that it isn't there
A cookie is a small information file that a Web site puts on your hard drive in order to remember something about you later. Typically, a cookie keeps track of your preferences when using a particular site. By using cookies, an on-line store like Amazon can keep track of what items you have placed in your shopping cart as you surf the site.
If you'd like, you can view the cookies on your hard drive. Where they are stored, however, depends on your browser. Internet Explorer stores each cookie as a separate file under a Windows subdirectory, whereas Opera stores them in a single cookies.dat file.
In Internet Explorer, you can delete cookies by clicking on "Tools," scrolling down to "Internet Options," and clicking "Delete Cookies." Any website that requires cookies will simply replace them.
An Internet site will generally use one of the two following types of cookies:
Session cookies are stored on your hard drive only during the time that you are at a particular site. They are automatically deleted when you terminate your session. A website will use session cookies to assist with navigation by remembering what pages a user has already visited, or whether or not a user has logged-in to the site.
Persistent cookies store your personal preferences on your computer for an extended period of time. Most browsers will allow you to configure how long you would like to keep persistent cookies. If a malicious hacker were to gain access to your computer, they may be able to gather personal information about you from stored persistent cookies.
It may be a good idea to consider adjusting your privacy and security settings to block or limit cookies in your web browser. In Internet Explorer, you can get to both of these settings by clicking on "Tools," and selecting "Internet Options." The "Privacy" and "Security" tabs appear at the top of the options menu.
For more information on cookies, visit this cookie summary, prepared by Microsoft.
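To make the session/persistent distinction concrete, here is an added example (not part of the original page) that reads the Set-Cookie headers a site sends back, classifies each cookie by lifetime, and flags the attributes a site should set so the cookie is not exposed over plain http or to page scripts. The sample headers are constructed for illustration, and the 30-day threshold for "long-lived" is an assumption of the example.

```python
"""Classify Set-Cookie headers as session or persistent and flag weak attributes.

Added example; the sample headers below are constructed, not taken from any real site.
"""
from dataclasses import dataclass, field

LONG_LIVED_SECONDS = 30 * 24 * 3600  # assumption: flag persistent cookies kept longer than 30 days


@dataclass
class CookieReport:
    name: str
    kind: str                       # "session" or "persistent"
    lifetime: str                   # human-readable description of how long it stays on disk
    warnings: list[str] = field(default_factory=list)


def analyze_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value (the part after 'Set-Cookie:')."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")          # flags like Secure have no '='
        attrs[key.strip().lower()] = val.strip()

    # A cookie is persistent only if the server gave it an expiry; otherwise the
    # browser discards it when the session ends.
    if "max-age" in attrs:
        kind, lifetime = "persistent", f"{attrs['max-age']} seconds"
    elif "expires" in attrs:
        kind, lifetime = "persistent", f"until {attrs['expires']}"
    else:
        kind, lifetime = "session", "until the browser is closed"

    warnings = []
    if "secure" not in attrs:
        warnings.append("missing Secure: the cookie is also sent over unencrypted http")
    if "httponly" not in attrs:
        warnings.append("missing HttpOnly: scripts running in the page can read it")
    if "samesite" not in attrs:
        warnings.append("missing SameSite: sent along with requests made from other sites")
    if kind == "persistent" and attrs.get("max-age", "").isdigit() \
            and int(attrs["max-age"]) > LONG_LIVED_SECONDS:
        warnings.append("long-lived persistent cookie: stays on disk for more than 30 days")
    return CookieReport(name.strip(), kind, lifetime, warnings)


# Constructed sample headers, as a shopping site might send them.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/",
    "cart=item42; Path=/; Max-Age=2592000; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
]


def report(headers: list[str]) -> list[CookieReport]:
    return [analyze_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for r in report(SAMPLE_HEADERS):
        print(f"{r.name}: {r.kind} ({r.lifetime})")
        for w in r.warnings:
            print("   -", w)
```

The login cookie (sid) in the sample is a session cookie, but without Secure it would still travel over an unencrypted connection; the cart cookie is persistent for 30 days and carries every protective attribute.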
Denial of Service Attacks
A "Denial of Service (DoS) attack" broadly refers to an attacker causing an important resource or service to become unavailable to its regular user base. In the cyber world, a DoS means normal network operations, such as e-mail and Internet access, become unavailable.
In its worst form, a DoS attack can force a website to shut down its regular operation. It can also destroy files and programming housed within a network.
Although DoS attacks are usually intentional and malicious, it is possible for a DoS to be purely accidental. Whatever the cause, one thing is certain—a DoS attack can cause its target, be it an individual user or a business, to lose a significant amount of time and money.
A DoS may be executed a number of ways, both digitally and physically. A very simple DoS might be merely cutting a fiber optic cable at an Internet Service Provider, thus denying service to its customers.
Distributed Denial of Service Attacks
A Distributed Denial of Service (DDoS) attack is when an attacker compromises several computer systems and uses them to attack a specific target. The more systems that are used as tools, the more traffic can be sent to the targeted network, and the greater the chances of shutting that system down.
To pull off a DDoS, an attacker first exploits the security vulnerabilities in one computer system, and then goes on to exploit other systems, making them "zombies." The number of zombies ranges from two to as many as several thousand. The attacker then commands the zombies to launch an attack against a single targeted system, causing a massive denial of service.
A distributed denial of service attack is especially severe because it victimizes not only the targeted systems, but each of the "slave" systems as well.
Spam is the common term for "junk email." There are different definitions for it—from the very specific to the very general ("anything I don't want!"). The CAN-SPAM Act of 2003 defines spam as "any unsolicited email message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service."
It May Be Spam If:
It is unsolicited; you did not ask for it.
It is impersonal to the point where the recipient is unimportant. (For example, if you are a collector of rare books, and you receive an email flyer for a rare book auction, many would NOT consider that spam.)
It may have a misleading subject line or a false return address.
It does not include a method for avoiding future e-mails from the same organization.
When advertisements arrive in your inbox for things like low-rate mortgages, miracle drugs, or cheap long distance services, you have been spammed. Spam often advertises suspicious products or "get rich quick" promotions. It is sent out at an extremely low cost to the sender, forcing most of its expenditure onto the Internet Service Providers, and thus, paying consumers.
Spam mailing lists can be created in a number of ways. Spammers will often pay top dollar for mailing lists with verified e-mail addresses.
Spammers also use a variety of "bots" that scour the Internet looking for e-mail addresses posted to websites and message boards. It is very difficult to avoid ending up on a spam mailing list, because marketers are so willing to pay for the information.
Some Tips to Help You Deal With Spam E-mail
Some providers may offer a filtering option for your email account. Check with your specific Internet Service Provider to see what options are available. Below are a few additional suggestions that can help you keep your inbox spam-free.
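The "It May Be Spam If" checklist above can be turned into simple header and body checks. The following is an added example (not from the original page or any provider's filter) that scores a raw e-mail message against those points: a Reply-To or Return-Path that does not match the sender, a subject that pretends to be a reply, an impersonal greeting, and no way to opt out. Both sample messages are constructed for the example.

```python
"""Heuristic spam indicators based on the checklist above.

Added example; the two sample messages are constructed, not real mail.
"""
import email
from email import policy
from email.utils import parseaddr

# Greetings that show the sender does not care who the recipient is.
GENERIC_GREETINGS = ("dear friend", "dear customer", "dear sir/madam", "dear valued")


def _domain(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spam_indicators(raw_message: str) -> list[str]:
    """Return a list of reasons the message looks like spam (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    bounce_dom = _domain(msg.get("Return-Path"))
    if bounce_dom and bounce_dom != from_dom:
        reasons.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")

    # A real reply carries In-Reply-To or References; a bare "RE:" subject is misleading.
    in_conversation = bool(msg.get("In-Reply-To") or msg.get("References"))
    subject = str(msg.get("Subject", ""))
    if subject.lstrip().lower().startswith("re:") and not in_conversation:
        reasons.append("Subject claims to be a reply but no In-Reply-To/References header")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(g in body for g in GENERIC_GREETINGS):
        reasons.append("Impersonal greeting: the recipient's identity does not matter")
    if not in_conversation and not msg.get("List-Unsubscribe") and "unsubscribe" not in body:
        reasons.append("Unsolicited mail with no way to opt out of future messages")
    return reasons


# Constructed sample: an unsolicited "low-rate mortgage" advertisement.
SPAM_SAMPLE = """\
From: "Low Rate Mortgages" <offers@mortgage-deals.example>
Reply-To: leads@collector.example
Return-Path: <bounce@bulk-sender.example>
To: you@example.com
Subject: RE: your approved low-rate mortgage

Dear Friend,
You have been pre-approved for a 1.9% mortgage. Act today!
"""

# Constructed sample: a genuine reply from someone you wrote to.
LEGIT_SAMPLE = """\
From: Alice <alice@example.org>
To: you@example.com
Subject: Re: rare book auction on Saturday
In-Reply-To: <20240101.1234@example.com>

Hi Bob,
Here are the lot numbers you asked about: 14, 22 and 31.
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, spam_indicators(sample))
```

Checks like these are only indicators; a provider's filter combines many of them with reputation data, but even this short list catches the typical traits the page lists.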
"... My aim of contacting you is to seek your assistance in transferring the sum of thirty five million united states dollars only out of Nigeria and into your trusted bank account abroad...."
"The Nigerian scam costs Americans more than $100 million a year.”
Mark Connolly, U.S. Secret Service
We have probably all seen the Nigerian scam letter. Also called "419 scams," they combine the threat of identity theft with the old "advance fee scheme."
A letter or email from Nigeria (or sometimes another African country) offers the recipient the "opportunity" to share in a percentage of millions of dollars that the author is trying to transfer illegally out of Nigeria. The recipient is encouraged to send information to the scammer—blank letterhead stationery, bank name, account numbers, and other identifying information using a fax number provided in the letter.
Be advised that this is a scam and not a legitimate offer.
Don't fall for it!
Unfortunately, these scams usually originate outside of the United States, and American law enforcement has great difficulty in pursuing the criminals. In addition, many of these email solicitations contain computer viruses, making them even more of a menace—so be very cautious. Be sure to maintain current anti-virus software.
Nigerian Variants and other Scams
There are several variations of the Nigerian Scam that criminals may use to exploit their victims. Here are some examples:
Beneficiary of a Will:
The victim receives an email that claims they are the named beneficiary in the will of an estranged relative, and stand to inherit an estate worth millions. In order to complete the inheritance, the victim's personal financial information is needed to "prove" that they are the beneficiary and to "expedite the transfer of the inheritance."
The victim advertises an item for sale on the Internet, and is contacted by an interested buyer from Nigeria or another African country. The scammer then sends the victim a check or money order for an amount much larger than the asking price of the item. The victim is then asked to deposit the difference back to the scammer. If the victim does not wait for the bank to verify the check, they can end up losing thousands of dollars.
The victim receives an email requesting "donations" to fight an evil government or dictatorship in Africa. The scammer requests that the victim provide bank account information so that the "donation" can be directly withdrawn from the bank.
Fake Web Site:
The scam artist sets up a fake online bank and "deposits" the amount of money referenced in the scam email. When the victim expresses any misgivings about the existence or size of the fund transfer that is to take place, they are directed to the site, which shows a multi-million dollar deposit.
American Soldier in Afghanistan or Iraq:
The victim receives a letter purporting to be from an American soldier in Iraq or Afghanistan who has discovered a treasure of terrorist currency and needs help to embezzle the funds out of the country. The victim needs only to provide their personal and financial information for the soldier to deposit the funds into the victim's account.
If you have been victimized by the Nigerian scam, the Secret Service asks that you forward appropriate written documentation to the United States Secret Service.
While the Nigerian scam has flourished with the increasing use of email, it has actually been circulating for many years through snail mail and fax.
To contact the U.S. Secret Service:
U.S. Secret Service
Financial Crimes Division
950 H Street N.W.
Washington, DC 20223
Phone: (202) 406-5850
Fax: (202) 406-5031
If you receive a letter from anyone asking you to send personal or banking information, do not reply in any manner.
Pyramid schemes (sometimes called "Ponzi schemes") are illegal in Texas, and in many other states. Pyramid schemes are scams in which large numbers of people at the bottom of the pyramid pay money to a few people at the top. Each new participant pays for the chance to advance to the top and profit from payments of others who might join later.
Please note that pyramid scheme emails are frequently disguised as chain letters advertising new and legitimate business opportunities. We urge you to carefully consider any potential investment advertised on the Internet.
...as with most things in life – if it seems too good to be true, it probably is!...
You have probably seen the junk e-mail that makes outlandish claims: to earn you thousands of dollars each month, to make you look years younger, or to guarantee your popularity with the opposite sex. Treat these claims with the same skepticism you use when evaluating any product.
E-mail is very inexpensive to write and send. The scam artist can send thousands of e-mails for pennies, and if only two or three people take the bait, he has earned his money back. Don't be one of those people.
Look at it from this angle: if any of these products could really do what they claim to do, why haven't you heard of them before—on television, in the news, or from a friend? If these "miracle" products could do what they claim, the makers wouldn't need the spam!
These are either deliberate or unintentional email messages warning people about a phony virus or other malicious software program. Some hoaxes create as much trouble as viruses by causing massive amounts of unnecessary email, but most are simply annoying.
Most hoaxes contain one or more of the following characteristics:
Warnings about an alleged new virus and its damaging consequences.
Demands that the reader forward the warning to as many people as possible.
Pseudo-technical "information" describing the virus.
Bogus comments from officials: FBI, software companies, news agencies, etc. Names and phone numbers are often invented, or "borrowed" from real people who have no knowledge of the virus.
If you receive an email message about a virus, check with a reputable source to ensure the warning is real. Recently, a popular hoax urged users to delete an important system file, jdbgmgr.exe. Consequently, virus hoaxes should be considered as much of a threat as a virus itself.
Do your friends and your colleagues a favor – if you get an email about a virus hoax, DO NOT forward it.
Internet Auction Fraud
Auction fraud is one of the fastest-growing crimes on the Internet. Although it can take many forms, the most common type of auction fraud involves a seller failing to send an item, or sending an item that is significantly different from what was promised in the auction listing.
Auction fraud occurs on eBay, Yahoo Auctions, and all other auction sites. You can find information on the latest forms of auction fraud at FlipShark.com.
The best protection you have against Internet auction fraud is your own common sense.
The following guidelines can help you to avoid auction fraud:
Transfer money through an online escrow service (such as PayPal). Most auction sites maintain lists of these services.
Check the seller's feedback at the auction site. Since feedback generally takes a few days, be wary of feedback dated immediately following a sale — it may be fake.
Be careful of sellers outside the United States, because they are not bound by U.S. laws. If there is a problem with quality or delivery, you may have no one to complain to.
Use a credit card. Credit card payment protects the buyer, because you can dispute the charges if the goods are misrepresented or never delivered. Cancel the card immediately if you suspect fraud.
Never buy anything from a seller who asks for payment to be mailed to a P.O. box.
"Downloading" is the transmission of a file from one computer system or network to another smaller computer system. "Uploading" is transmission in the other direction—from a smaller computer to another larger computer or network.
Many users download files from the Internet or upload files to the Internet. People who share files with others on bulletin board systems (BBS) must upload files to the BBS. File sharing programs like LimeWire and DirectConnect encourage users to make files on their computers available for upload.
In short, to download is to receive a file and to upload is to send a file.
Downloading data from an unknown or unreliable source can be dangerous. Many files available for downloading contain malware. A Trojan horse, for example, is an apparently harmless program that contains malicious or destructive code. Left alone, it has the ability to hurt your computer in a number of ways, such as ruining your hard disk, or sending out your personal information to a hacker.
One of the dangers of downloading from the Internet is spyware. The term refers to any software that aids in the gathering of information about a person or computer without the owner's knowledge or consent. Usually, the information gathered is forwarded to advertisers or other interested parties, sometimes even hackers. Downloaded programs can often contain spyware, as spyware writers use "free" downloads to distribute their product.
Some data collection programs are installed with the user's knowledge; they are not considered spyware if the user fully understands what information is being collected and with whom it is being shared.
Identity theft, or impersonation fraud, occurs when someone assumes your identity to perform a fraud or other criminal act. The sources of information about you are so numerous that it can be difficult to prevent the theft of your identity.
These are a few ways identity thieves acquire your information:
Stealing wallets, purses, or your mail, including bank and credit card statements, pre-approved credit offers, telephone calling cards, and tax information
Stealing personal information you provide to an unsecured site on the Internet
Rummaging through your trash and business trash for personal data
Posing as someone who legitimately and legally needs information about you, such as employers or landlords
Buying personal information from "inside" sources
Tips to Help You Avoid Identity Theft:
Do not throw away ATM receipts, credit statements, credit cards, or bank statements without first shredding them.
Never give out personal information online simply because someone asks for it.
Never give your credit card number over the telephone unless you initiated the call.
Reconcile your bank account monthly and notify your bank of discrepancies immediately.
Keep a list of telephone numbers to call to report the loss or theft of your wallet, credit cards, etc.
Report unauthorized financial transactions to your bank, credit card company, and the police as soon as you detect them.
Review a copy of your credit report at least once each year. Notify the credit bureau in writing of any questionable entries and follow through until they are explained or removed. You can order your free credit report on the Internet at www.annualcreditreport.com or by phone at 1-877-322-8228.
If your identity has been assumed, ask the credit bureau to print a statement to that effect in your credit report.
If you know of anyone who receives mail from credit card companies or banks in the names of others, report it to local or federal law enforcement authorities.
If You Are a Victim of Identity Theft
There are several steps you should immediately take if you feel your identity has been stolen or used without your permission. Most credit card companies will not hold you responsible for charges made by a thief, but you need to act quickly.
For any accounts that have been fraudulently opened or accessed, contact the security departments of the appropriate creditors or financial institutions, and explain what happened. Close these accounts. Put passwords on any new accounts you open.
Contact the fraud departments of each of the four major credit bureaus (Equifax, Experian, Trans Union and Innovis) and report that your identity has been stolen. Ask that a "fraud alert" be placed on your file and that no new credit be granted without your approval. Here are the numbers for reporting fraud:
Equifax — 1-800-525-6285
Experian — 1-888-EXPERIAN (397-3742)
Trans Union — 1-800-680-7289
Innovis — 1-800-540-2505
Contact your local police department or sheriff's office to file a report. When you file the report, provide as much documentation as possible, including copies of debt collection letters, credit reports, and your notarized ID Theft Affidavit.
If you have been a victim of Internet fraud file a complaint with the Internet Crime Complaint Center.
File a complaint with the Federal Trade Commission (FTC) by calling the ID Theft Hotline: 1-877-IDTHEFT (1-877-438-4338) or file online using this form.
Hard Drive Disposal
Selling Your Old Computer
If you have upgraded to a newer computer and are thinking about selling your old one, there is something you should consider —
Your old hard drive likely contains sensitive information about you or your business.
When you "delete" files, even if you reformat the hard drive afterwards, the information in the files could still be recoverable.
"When you delete a file, the operating system does not destroy the file contents from the disk – it only deletes some ‘references’ on the file from some system tables. The file contents remain on the disk until another file ‘happens’ to overwrite it. Any software recovery tool can restore the data if it hasn’t been overwritten yet. Hardware recovery tools may even restore overwritten files by analyzing latent magnetic traces." —EAST Technologies
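The quotation describes why a "deleted" file is still readable until its blocks are overwritten. The following added example (not from the page or from EAST Technologies) models that behaviour with a toy disk: deleting a file only removes its table entry, a raw scan still finds the contents, and only overwriting the blocks (what a wiping program does) makes them unrecoverable. The disk layout, block size and file names are all constructed for the example.

```python
"""Toy disk showing why 'delete' keeps data on disk and 'wipe' removes it.

Added example; ToyDisk is a constructed model, not a real filesystem.
"""
import os

BLOCK = 16  # bytes per block in the toy disk


class ToyDisk:
    def __init__(self, nblocks: int = 8):
        self.raw = bytearray(BLOCK * nblocks)   # the platter: every byte, used or not
        self.table = {}                         # the "system tables": name -> (first block, count)
        self.free = list(range(nblocks))        # blocks not owned by any file

    def write(self, name: str, data: bytes) -> None:
        need = (len(data) + BLOCK - 1) // BLOCK
        blocks = self.free[:need]
        if len(blocks) < need:
            raise OSError("disk full")
        if blocks != list(range(blocks[0], blocks[0] + need)):
            raise OSError("toy disk only allocates contiguous runs")
        del self.free[:need]
        start = blocks[0] * BLOCK
        self.raw[start:start + len(data)] = data
        self.table[name] = (blocks[0], need)

    def delete(self, name: str) -> None:
        """Ordinary delete: forget the table entry, leave the bytes in place."""
        first, count = self.table.pop(name)
        self.free.extend(range(first, first + count))

    def _overwrite(self, first: int, count: int, passes: int = 3) -> None:
        lo, hi = first * BLOCK, (first + count) * BLOCK
        for _ in range(passes):                 # random passes, then zeros
            self.raw[lo:hi] = os.urandom(hi - lo)
        self.raw[lo:hi] = bytes(hi - lo)

    def secure_delete(self, name: str) -> None:
        """Overwrite the file's blocks before releasing them."""
        first, count = self.table[name]
        self._overwrite(first, count)
        self.delete(name)

    def wipe_free_space(self) -> None:
        """What a wiping program does: overwrite every block no file owns."""
        for b in self.free:
            self._overwrite(b, 1)

    def recover(self, needle: bytes) -> bool:
        """A recovery tool ignores the table and scans the raw bytes."""
        return needle in self.raw


def demo() -> dict:
    secret = b"ACCT 1234-5678 ROUTING 0987"      # constructed sample data
    disk = ToyDisk()
    disk.write("bank.txt", secret)
    disk.delete("bank.txt")
    after_delete = disk.recover(secret)         # True: the bytes are still there
    disk.wipe_free_space()
    after_wipe = disk.recover(secret)           # False: overwritten
    disk.write("bank.txt", secret)
    disk.secure_delete("bank.txt")
    after_secure_delete = disk.recover(secret)  # False
    return {"after_delete": after_delete, "after_wipe": after_wipe,
            "after_secure_delete": after_secure_delete}


if __name__ == "__main__":
    print(demo())
```

One caveat the model does not capture: on a solid-state drive, the controller remaps blocks, so overwriting from software is not guaranteed to hit the old copy; for those drives the manufacturer's secure-erase command or physical destruction is the reliable option.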
Actions you can take to keep information secure:
Wipe your hard drive
Wiping or "scrubbing" your hard drive involves deleting all of its files and following up with a program that overwrites all the data with ones and zeros, usually in several passes, making your data unreadable.
You should consider wiping your hard drive before selling it, giving it to another person, or donating it to a charity or school.
Destroy the hard drive
Hard drives are relatively inexpensive. Think about simply destroying your old one. That way, no one will ever have access to your data.
“Only 8% of hard drives sold on the secondary market have been properly sanitized.”
Try drilling it full of holes, or taking a few whacks with a sledge hammer — in addition to protecting your information, it can also be very refreshing to work off the frustration you've built up against your computer!
As always, if you have any concerns about the security of your data, please consult your trusted computer professional.
Make Sure to Use a Secure Browser.
Make sure your browser meets industry security standards. Features such as the Secure Sockets Layer (SSL) encrypt your personal information as it is sent over the Internet. Most browsers are capable of SSL encryption and other security features.
There are two ways to determine if a website encrypts data before it is sent over the Internet. The first is that the URL displayed in the address bar will begin with the abbreviation "https." This stands for Hypertext Transfer Protocol Secure. Web pages that do not encrypt data only display "http," without the "s."
Secure web pages will also display a second indicator, which differs depending on the particular browser being used. In most browsers, a small lock will appear in the bottom-right corner of the browser window.
Shop Only With Companies You Are Comfortable With.
Ask for paper documentation, such as a catalog or a brochure, if you are unfamiliar with an online merchant. This should help you become familiar with the vendor's services and policies. Never deal with an on-line merchant whose policies are not explicitly clarified.
Keep Your Password(s) Secret.
Never reveal passwords that you use on-line.
Pay by Credit or Charge Card.
Using your credit card online ensures that you will be protected by the Fair Credit Billing Act. This law provides consumers with the right to dispute charges made to their accounts. If unauthorized charges are made to your credit card, by law you are liable only for the first $50, and many companies don't require you to pay anything.
Keep a record of confirmation numbers and purchase orders. Print them out and keep personal copies. On-line orders are covered by the Federal Mail/Telephone Order Merchandise Rule. This rule states that merchandise ordered online must be delivered within 30 days unless otherwise noted. Your records will be able to provide proof of the date and time of purchase.
Paying Your Bills Online
If you're not currently using your bank's Bill Pay service, you should look into it. Your bank's online bill pay service gives you a single location to pay all your bills online and reduces the number of places that hold personal information about you on the Internet.
Peer-to-Peer file sharing, or P2P, is a method of trading files on the Internet. Users can find copyrighted music and movies, as well as computer programs and games.
It is extremely important to know that sharing and downloading these copyrighted files is a violation of copyright laws and is illegal. Recently, the Recording Industry Association of America has been suing file sharers.
Unfortunately, many new viruses and worms also proliferate across P2P networks. It is possible to download a file that appears benign and end up with a vicious computer virus.
The file sharing programs themselves can also cause problems. File sharing ties up shared bandwidth, which will significantly slow down other Internet-related activities and, on a shared network, will be a nuisance to other users. Also, if the program is misconfigured, it may even share files on your computer that you never intended anyone else to see, such as bank records and personal information.
A Safer, Legal Alternative
Recently, several companies have released file distribution programs that allow users to purchase all the songs that they want one at a time. This allows you to pay for the music that you want to listen to and download it legally.
Most of these services include licenses with each song that allow you to copy the song to multiple listening devices and store it on your computer. Furthermore, these pay-per-download services charge as little as 79 cents per song and have hundreds of thousands of selections in their catalogs.
Free Internet access seems to be everywhere – not only in airports and hotels, but also restaurants, libraries, and even doctors’ offices. As a society, we have all come to appreciate being “connected” everywhere we go. But the more we connect, the more bad guys (hackers, scammers, identity thieves) are connecting, too.
And the problem with wireless is…wait for it…NO WIRES. Which means that anyone with the right equipment can intercept your communications.
Although Wi-Fi has a specific meaning and has standards established by the Wi-Fi Alliance, most of us use the term to mean simply a wireless network.
Here are some tips for staying safe the next time you visit Starbucks with your Wi-Fi enabled device.
Always remember that open wireless networks are not secure.
If you can log into a network without a password, that means anyone else can too. Never send personal or confidential information over an open public wireless network. Even something as simple as the password to your web-based email can give hackers a way to get at your more important data.
If you need a secure connection, use a VPN (virtual private network).
For example, if you need to connect to your work computer from remote locations, your company may provide you with a VPN connection. A VPN provides a secure way of connecting to a remote network by encrypting your transmission so that, even if it gets intercepted, it can’t be read.
Make sure you have a software firewall and keep your anti-virus program updated.
Firewalls keep out hackers, while anti-virus programs detect and remove many types of malicious software.
Watch out for shoulder surfers.
Most public networks are in areas where there are a lot of people (makes sense). Make sure that no one is looking over your shoulder while you conduct your business or read your email.
Verify the name of the network you are connecting to.
Just because you can connect to a network does not mean you may. If the owner of a network has left it open to the public by mistake, it could still be illegal to use it. Remember too, computers with Windows operating systems are set up to connect automatically to available networks, unless you change the settings.