INFORMATION SECURING

Tuesday, April 01, 2014, posted by Unknown

IT Security
Most people understand their department and know how to use their tools to get their tasks done, but are isolated and unaware of security issues all around them. The weakest link in most security programs is people. To be part of the process and not part of the problem, you need to be knowledgeable and aware.

Security awareness means:
- recognizing what types of security issues and incidents may arise;
- understanding that security is about People, Processes and Technology;
- explaining existing policies and best practices.

Security is more than just Technology - there is no Security without U.

Network eavesdropping
Data flows across networks every day, including passwords, private personal information, personnel records, email messages, financial documents, and more. By default, data that flows across the network is not protected. Hackers, malicious insiders, and others may want to steal that data and use it for their own advantage. A hacker can tap into a network using a wireless device. This is known as War Driving: a hacker can literally construct a device that allows them to park in front of a building or your home and gain access to a network while sitting in their car.

Secure Your Wireless Network
Your operating system will tell you if a wireless network is secured or not. You should not connect to an insecure network because the data that you send out would be available to everyone around you! Wireless networks are extremely convenient, but that convenience comes at a price: security. With a traditional wired network, data is channelled through cables and cannot be easily intercepted. With a wireless network, data is broadcast through the air and can be more easily intercepted, unless, that is, you have appropriate security measures in place.

Passwords
There are several things you should be aware of concerning password security.
Passwords can be, and often are, written down by users who have trouble remembering them. Passwords are also increasingly stored electronically, on PDAs or mobile phones. Do not leave passwords recorded anywhere for others to find.

Social engineering and Phishing scams
These scams can trick a user into disclosing the password simply by asking for it in some way (e.g. a so-called helpdesk person calling).

Key-logging
Passwords can be intercepted by key-loggers (hardware or software) and then transmitted to other people.

Shoulder surfing
Shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. It is particularly effective in crowded places because it is relatively easy to observe someone as they:
- fill out a form;
- enter their PIN at a cash machine or a POS terminal;
- use a calling card at a public pay phone;
- enter passwords at a cybercafe, a public or university library, or an airport kiosk;
- enter a code for a rented locker in a public place such as a swimming pool or airport.
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry. To prevent shoulder surfing, shield paperwork or the keypad from view with your body or by cupping your hand.

Cracking
Passwords can be cracked, especially if they are short (although short is a relative concept, taking into account the increased computing power available today).

Guessing
Passwords can be guessed, e.g. if no strong password policy is enforced. To counter guessing, quite simply, passwords need to be made as long and as complex as is practicable. A password should:
- be significantly different from your previous passwords;
- not contain your own name or user name (nor the name of a spouse, children, pets etc.);
- have at least one symbol character in the second through sixth positions.
Packet Sniffing
Passwords can be sniffed, i.e. intercepted while in transit between a PC and a server (e.g. on the Internet). Packet sniffing is the monitoring of data traffic on a computer network. Computers communicate over the Internet by breaking up messages (emails, images, videos, web pages, files, etc.) into small chunks called "packets", which are routed through a network of computers until they reach their destination, where they are assembled back into a complete "message" again. Packet sniffers are programs that intercept these packets as they travel through the network so that their contents can be examined with other programs. A packet sniffer is an information-gathering tool, not an analysis tool: it gathers "messages" but does not analyze them or work out what they mean.

Resetting
Passwords can be reset (which is often easier than cracking a password). If you have created a password reset disk for your computer, always ensure that it is stored safely. Anyone can use this disk to reset your password, no matter how many times you have changed your password since the disk was created.
Password Best Practice
- Do not include personal information in your password, such as your birthday, the name of your dog, your favourite sports team, etc.
- Use as many characters as possible; the longer the password, the harder it is to crack.
- Phrases are better than passwords, e.g. 'Your company is #No1'.
- Do not use dictionary words in any language.
- Do not use easily guessed patterns (1234, 1bcd, qwerty, etc.).
- Use a mix of upper and lower case letters, numbers and special characters.
- Change your password as often as possible.
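As an added example, not part of the original post, the best-practice list above turned into a small Python policy checker that reports every rule a candidate password breaks. The 12-character minimum, the sample word list and the 0.7 similarity cut-off for "significantly different from previous passwords" are assumptions, since the post gives no numbers.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY = {"password", "welcome", "summer", "dragon", "football", "letmein"}
# Easily guessed patterns named in the post.
GUESSABLE = ("1234", "1bcd", "qwerty")
MIN_LENGTH = 12    # assumed threshold; the post only says "as long as possible"
SIMILARITY = 0.7   # assumed cut-off for "too similar to a previous password"


def check_password(candidate, personal_info=(), previous=()):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
           any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if not all(has):
        problems.append("does not mix upper case, lower case, numbers and symbols")
    # Strip digits and symbols: 'Password123!' is still just the word 'password'.
    core = re.sub(r"[^a-z]", "", lower)
    if core in DICTIONARY:
        problems.append(f"is the dictionary word '{core}' with decoration")
    for pattern in GUESSABLE:
        if pattern in lower:
            problems.append(f"contains the guessable pattern '{pattern}'")
    for item in personal_info:          # names, pets, birthdays supplied by the caller
        if item and item.lower() in lower:
            problems.append(f"contains personal information '{item}'")
    for old in previous:                # history check against earlier passwords
        if SequenceMatcher(None, lower, old.lower()).ratio() >= SIMILARITY:
            problems.append("is too similar to a previous password")
    return problems


if __name__ == "__main__":
    for pw in ("Your company is #No1", "Password123!", "rex_qwerty2014"):
        print(pw, "->", check_password(pw, personal_info=("Rex",)) or "OK")
```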
Threats and Frauds

Threats
Trends in the use of World Wide Web technology are changing, aiming to enhance creativity, information sharing and collaboration among users. But this also brings new Risks, Threats and Fraud!

Malware
Malware stands for 'Malicious Software'. It includes any program or file that is designed to do harm. To distribute it, hackers will often hide it inside other programs on websites or send it to you by e-mail. Malware includes:
- Viruses and Worms
- Trojan Horses
- Adware and Spyware
- Phishing / Pharming
- Spam and Hoax letters

Types of Malware
Malware can gain remote access to your system, allowing data to be sent to the hacker, and can infect others further by disabling anti-virus and firewall software.
Pharming
Pharming is an attack in which a user can be fooled into entering sensitive data such as a password or credit card number into a malicious web site that impersonates a legitimate web site. The attacker does not have to rely on the user clicking a link in an email: even if the user correctly enters a URL (web address) into the browser's address bar, the attacker can still redirect the user to a malicious web site.

Adware
Adware stands for 'Advertising Supported Software'. It refers to any software that automatically plays, displays or downloads advertisements. These adverts are seen after software is installed on a computer or while the application is being used.

Viruses
A virus is a malicious computer program that can copy itself and infect a computer by corrupting or modifying files. It does this without the permission or knowledge of the user. A virus replicates itself by attaching to another object, e.g. via e-mail attachments, internet downloads, diskettes, CDs, etc.

Spyware
Spyware is software that is used to gather information about a person or organization without their knowledge. Spyware displays advertisements related to what it finds from spying on you. This is called 'Targeted advertising'.

Phishing
An e-mail that masquerades as a legitimate contact from a business or organization in an attempt to steal personal or financial information is called Phishing. Phishing often states that there is a problem or threatens to terminate an account if you do not respond.

Spam
Spam is unsolicited e-mail on the Internet. In almost all cases, the sender's address is 'spoofed', i.e. it pretends to be from a legitimate sender. Spam is a common carrier of malicious code. It is difficult to stop completely without also stopping valid mail from time to time.

Trojan Horses
These are delivery vehicles for malicious or destructive computer programs, similar to viruses or worms. Hackers, virus writers, and even advertisers can embed malicious code into any program or file that appears to be harmless or useful, such as an animation or video game.

Worms
A worm is a malicious computer program like a virus, but a worm can spread itself without any user interaction. Worms are usually more dangerous than viruses as they can cause harm to the network. Worms are also invisible to the user.
Antivirus Software
Regardless of the type of anti-virus software running on your PC, it should have the following characteristics:
- an antivirus detector that continuously monitors your system;
- an email scanner that detects viruses in incoming emails;
- an update manager which ensures your virus database is up to date (you can also update the database immediately rather than waiting for periodic updates).
Do not permit activities which can distribute viruses, such as peer-to-peer file sharing, from your computer. Also scan all new files, such as those on CDs, DVDs, USB drives, flash memory sticks, and diskettes.
Malware Examples

Adware / Spyware
Adware / Spyware comes in many different forms; a common approach is to try to get you to click on a button which will install the malware onto your computer.
Do not install 'Free Anti-Spyware' software or software claiming to speed up your PC. It is usually spyware itself. Pop-up windows should be closed down immediately.
Never click on links that you receive through Instant Messaging software either. Again, this is probably a hidden installation of Spyware or Adware.
Phishing Attacks
A classic phishing attack will often state that there is a problem and threaten to terminate an account if you do not respond by installing software or entering account details on another site. If you look at the properties of the sender, it appears genuine, BUT if you hover over the link you can see that it clearly points to another domain. (Example shown: www.tsb.co.uk)
Never install unauthorized software on your PC or reply to an email with personal or financial information. If you fear you may be a victim of phishing, contact the appropriate financial institution etc.
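The "hover over the link" check above, automated as an added Python example (not from the original post): it parses the anchors in an HTML mail body and flags any link whose visible text names one host while the href goes to another, or whose target is not under the claimed sender's domain. The mail body, the sender domain example-bank.test and the TEST-NET address are constructed sample data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing mail body; example-bank.test is a placeholder domain.
SAMPLE_EMAIL = """
<p>Your account has a problem and will be terminated unless you verify it.</p>
<a href="http://login.example-bank.test.attacker.example/verify">www.example-bank.test</a>
<a href="http://198.51.100.7/login">Click here</a> to confirm your details, or read our
<a href="https://www.example-bank.test/help">Help</a> pages.
"""

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)   # a bare host name in link text


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url_or_host):
    """Lower-cased host part of a URL; a bare host is accepted too."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def suspicious_links(html_body, sender_domain):
    """Return (href, reason) for each link that does not go where it claims."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target, shown = hostname(href), HOST_RE.search(text)
        if shown and hostname(shown.group(0)) != target:
            findings.append((href, f"text shows {shown.group(0)} but link goes to {target}"))
        elif target and target != sender_domain and not target.endswith("." + sender_domain):
            findings.append((href, f"link goes to {target}, outside sender domain {sender_domain}"))
    return findings
```

Run against the sample, the first two anchors are reported and the genuine Help link is not.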
Pharming Attacks
A pharming website is one which allows a hacker to redirect that website's traffic to another web site. At this site they can steal your financial or personal details, typically on a registration form.
Pharming-conscious websites typically use the HTTPS web protocol on their login page to allow the user to verify the web site's identity. If an attacker attempts to impersonate a site using HTTPS, the user will receive a message from the browser indicating that the web site's "certificate" does not match the address being visited. Under these circumstances you should never proceed; press "No" and you will return to the previous page.
Spam Email
Spam email is often (although NOT ALWAYS) redirected to your "Junk" email folder or else quarantined on the company mail server.
- Do not open unsolicited messages; just delete them.
- Be very wary of emails with links in them, especially when they link to other domains.
- Do not reply to emails trying to sell you something if the supplier is unknown to you.
- Do not respond to emails from financial institutions. Reputable organisations will never ask you for account details etc. by email.
- Never open mail that has "Re:" in the subject line if you did not originally send a message to that address.
- Do not post your email on any websites, and do not use a second disposable email account from providers such as Hotmail or Yahoo, as this will greatly increase the amount of junk mail you get.
- Do not forward chain letters.
Email Golden Rules
Remember these golden rules surrounding email:
- Never open unfamiliar "RE:" emails.
- Do not put your email on the web (e.g. Facebook, Twitter etc.).
- Do not use free mailboxes such as Hotmail or Yahoo for work emails.
- Ignore chain letters.
- Be wary of replying to spam messages or clicking 'unsubscribe'.
- Do not send personal or financial data via email.

Install latest patches
It is very important to keep your Operating System up to date with the very latest updates, service packs and patches. Ensure that updates are automatically downloaded.
