Security






Information Security is Everyone’s Concern

You are the key to successful information security. An unprotected computer can be infected with a virus, worm, or Trojan in less than five minutes after being placed on a network. IT Security awareness means understanding the various threats that exist in one's environment and taking reasonable steps to guard against them.

Studies show that most breaches of computer security are the result of something a computer user did or failed to do. This training site will provide you with valuable information about best practices, policies, and procedures for ensuring secure information systems at Edison State College, so you can enjoy a safe computing environment.

Be sure to take the time to read all of the materials on this site carefully.




Virus Protection

Worms and Trojans are the most common forms of infection and/or compromise. They depend on computer systems that have not been protected with the most current security updates, or patches, released by operating system and security application vendors. Neglected applications and operating systems are easy targets for hackers, who take advantage of the computer user to carry out their criminal activity.

Some viruses prey on uninformed computer users by embedding attachments in appealing-looking e-mails, hoping to trick the user into activating the virus, worm, or Trojan. Viruses can also be transmitted during file sharing using Instant Messaging services. Users should not open attachments unless they know and trust the sender. Viruses can come from a friend or relative as easily as from a stranger. A common indicator that a virus is attached to an email is the presence of inadequate or misspelled text or short phrases like "Attention!!!" or "Your file is attached." in the body of the message. Be suspicious of all attachments and shared files, even those from a known or trusted source.

All Edison College owned desktop computers and laptops are protected with Symantec Antivirus software. The software is set to download updates and patches automatically when they are made available from the application vendor. Updates will download when College staff are logged into the Edison College network or when they are accessing the Internet through another network (e.g., when traveling or working from home).

If you suspect you have a problem, contact the Help Desk at x1202 or 866-818-4243.

Test Your Knowledge:

To update the antivirus software on your Edison State College computer, you must:

  1. search for updates on the Internet and install them.
  2. open the Symantec application and manually install the update.
  3. nothing, the software automatically installs the update when you log in to the network.
  4. none of the above.

For more information

CERT Computer Virus Resources
http://www.cert.org/other_sources/viruses.html

McAfee Virus Information
http://us.mcafee.com/virusInfo/default.asp

Sophos Security Information
http://www.sophos.com/security/




Passwords

Passwords are an important part of your IT security. Poor, weak passwords can result in the compromise of an entire network or sensitive data. Everyone should be aware of how to select a strong, secure password. Secure passwords include at least three of the following characteristics and should be at least 8 characters long.

  • Numeric character (1,2,3,4,5,6,7,8,9)
  • Special character (!,#,$,%,^,&,*,=,etc.)
  • Lower case character (a,b,c,d,e,f,g,etc.)
  • Upper case character (A,B,C,D,E,F,G,etc.)

 

Other aspects of a strong password are:

  • A good password is strongly constructed and is not shared with anyone.
  • A good password is not posted, emailed or written down.
  • A good password does not contain your username or any part of your name.
  • A good password does not contain information about family, friends or pets.

 

A mnemonic can make a good password easier to remember. You can base your password on a song, phrase or book. Additionally, you can substitute special characters for letters and numbers. For example “One for the Money” becomes !4tM()nE.
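The rules above (length, character types, no username or name parts, no personal information) can be checked mechanically. The following is an added example, not part of the original training material or any Edison State College system; the function names, the sample user, and the choice to ignore name fragments shorter than three characters are assumptions.

```python
import re
import string

MIN_LENGTH = 8        # page rule: at least 8 characters
MIN_CLASSES = 3       # page rule: at least three of the four character types
MIN_TERM_LENGTH = 3   # assumption: ignore name fragments shorter than this

CLASSES = {
    "numeric": set(string.digits),
    "special": set(string.punctuation),
    "lower case": set(string.ascii_lowercase),
    "upper case": set(string.ascii_uppercase),
}


def character_classes(password):
    """Return the names of the character types present in the password."""
    return {name for name, chars in CLASSES.items() if chars & set(password)}


def personal_terms(username, full_name, extra_terms=()):
    """Lower-cased username, name parts and other personal words to reject."""
    parts = re.split(r"[\s\-']+", full_name)
    candidates = [username, *parts, *extra_terms]
    return {t.lower() for t in candidates if len(t) >= MIN_TERM_LENGTH}


def check_password(password, username, full_name, extra_terms=()):
    """Return a list of rule violations; an empty list means the rules are met."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        missing = ", ".join(sorted(set(CLASSES) - found))
        problems.append(f"uses {len(found)} of 4 character types (missing: {missing})")
    lowered = password.lower()
    for term in sorted(personal_terms(username, full_name, extra_terms)):
        if term in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    user = {"username": "jsmith", "full_name": "Jane Smith", "extra_terms": ("Rex",)}
    for candidate in ("!4tM()nE", "password", "Smith2024", "Rex!1"):
        print(candidate, "->", check_password(candidate, **user) or "meets the rules")
```

The page's own mnemonic example, !4tM()nE, passes: it is exactly 8 characters and uses all four character types.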

Test Your Knowledge:

A secure, strong password includes:

  1. information about your family.
  2. numbers, letters and special characters.
  3. only lower case characters.
  4. your best friend's name.

For more information

CERT Home Computer Security
http://www.us-cert.gov/reading_room/HomeComputerSecurity/#6




Storing Sensitive Data

Identity theft can happen to you. Advances in technology have provided criminals with new ways to obtain your personal information. These criminals, or hackers, can enter your computer through the internet and access the personal information you have stored there. Because the goal is to obtain your personal information, it’s extremely important that you make this as difficult as possible. You can help protect yourself, your family and your friends by making sure that:

  1. Your computer is protected with a strong password(s)
  2. Your application and operating system software is patched.
  3. When entering your personal information on a website, make sure that the website is encrypted. Look in the browser window for an object that looks like a lock. When the lock is depicted as closed, it indicates that the website is encrypted.
  4. Check the address line in the browser window for an address that starts with https://. This is another indication that the web site is secured.
  5. Practice smart internet habits when conducting financial transactions online. Be selective of the sites you visit and check for the security level (the lock) of web pages that require you to enter personal information.

 

Following these steps will help you in your efforts to secure the sensitive information stored on your computer.

For additional information review the section on Phishing.

Test Your Knowledge:

Locating the object in the browser window that looks like a lock is one way to check whether the web site is:

  1. illegal
  2. secure
  3. legal
  4. boring

For more information:

Federal Trade Commission: Fighting back on Identity Theft
http://www.ftc.gov/bcp/edu/microsites/idtheft/

Encrypting file systems in Windows
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

How to Recognize a Spoofed Web Site
http://www.microsoft.com/protect/yourself/phishing/spoof.mspx

Steps for Web Protection
http://support.microsoft.com/?id=833786

Privacy FAQs
http://www.websidestory.com/privacy/faq.html




Spyware and Adware

Spyware is software installed on your computer without your knowledge or consent. These programs can collect various types of personal information and interfere with control of your computer functions. It can also hijack your browser and direct it elsewhere. Spyware, by design, takes advantage of you for commercial gain.

The term adware refers to software that displays advertisements whether or not the computer user has consented. Most adware is also spyware because it displays advertisements based on information it has collected about you. Often this results in many pop-up advertisements while you are visiting web pages on the Internet.

Most spyware is installed without your knowledge. Spyware can be bundled in shareware or other downloadable software as well as music CDs. Spyware developers also try to trick people into installing their software by emulating a standard Windows dialog box. The resulting popup box will contain a message such as “Would you like to optimize the performance of your computer?” or “Registry Cleaner Recommended” with buttons that say Yes and No. No matter which button the user clicks, the result is the same – the software is downloaded to your computer. Never click on unwanted popups. Shut them down by clicking on the red X in the upper right hand corner of the box.

To protect your system from Spyware:

  1. Enable the security features in your browser.
  2. Download programs, software and files only from trusted sites.
  3. Install anti-spyware software, keep it updated and schedule it to run regularly. There are several applications that are free which do a terrific job protecting your computer.

 

Test Your Knowledge:

Most adware is also:

  1. advertising
  2. updated
  3. cookies
  4. found in your garage

For more information

Magoo’s Guide to Eliminating Spyware
http://guides.radified.com/magoo/guides/spyware/remove_spyware_01.htm

Securing your Web Browser
http://www.cert.org/tech_tips/securing_browser/

Anti-Spyware Coalition
http://www.antispywarecoalition.org/




Email Hoaxes and Urban Legends

Everyone has received email with an attached petition, warning or an opportunity to win millions. Unsolicited email is also known as SPAM. Clicking on links in these messages can expose the user to a computer virus. Before you forward the message or respond to the request, check the validity of it. There are many web sites available where you can check to see whether the email you received is a hoax, scam, virus or urban legend.

An urban legend is basically a story. It can be funny, terrible or horrifying. Sometimes they are even true. Typically these messages end by asking the user to forward the message to everyone they know or to a specific demographic group.

Scam email messages typically promise that the receiver will collect large sums of money in return for a small investment. Often this type of scam cites a foreign lottery, or an inheritance that the sender cannot collect without your help. Do not attempt to contact the sender of these messages! They are ruthless and violent criminals.

Using the links below, you can check to see if the message you have received is a known hoax, scam, urban legend or chain letter before you hit the forward button.

Test Your Knowledge:

You have received a notice that you have won the lottery in Spain. The sender of the email asks you to contact them at the phone number listed below. What is the best course of action listed below?

  1. Call the number listed in the email.
  2. Reply to the message asking for more information.
  3. Delete the message without responding.
  4. Forward the message to a friend.

For more information

Information about Virus Hoaxes
http://www.sophos.com/security/hoaxes/

Latest Email Hoaxes
http://www.hoax-slayer.com/




Desktop Security

There are many levels of information technology security. If a computer is not protected at the personal level, it could allow someone to obtain access to the information stored there or cause you to lose your network access. You can protect yourself from the average desktop hacker.

Desktop hackers often watch what you are doing by looking over your shoulder. If your computer is positioned such that someone can see what keys you are pressing on the keyboard, place a small mirror on your monitor so that you know when someone is standing behind you.

If you know you are going to be away from your desk for an extended period of time during the work day, a good alternative to shutting down your system is to log off the system. Additionally, it is good practice to log out of your email application, the myEdison portal and the Banner system when you are finished using those applications.

Being aware of who is around you is the first line of defense for desktop computer users. By combining awareness, good password practices, and secure applications, users will have a security formula that makes them less likely to be hacked.

To request assistance, please contact the Help Desk at x1202 or 866-818-4243.

Test Your Knowledge:

When you are finished using your email application, it’s good practice to:

  1. shut down your computer.
  2. log into myEdison
  3. log off the email application.
  4. step away from your desk.

For more information

Microsoft Desktop Security
http://www.microsoft.com/technet/security/guidance/desktopsecurity.mspx

What to do before you connect a new computer to the Internet.
http://www.cert.org/tech_tips/before_you_plug_in.html

Apple Support: Accounts, Passwords and Security
http://www.apple.com/support/tiger/accounts/

 




Phishing

Phishing is an attempt to fool people into providing personal information such as credit card or banking numbers. Typically, the phishing scammers send an email disguised as a request for information from a well known company. They also create fake websites designed to closely resemble the company's official site. The fake website will appear almost identical to the official site.

Recipients of the phishing email are typically asked to click on a hyperlink to correct, confirm or provide information. Clicking the link triggers a phony website to open in the browser. Typically a web form is found that asks for private information such as credit card and banking numbers and other information such as a home address and phone number. Sometimes the user is asked to login with their username and password. Virtually all of the information entered into this phony website can later be collected and used at will by the criminals conducting the phishing scam.

Sometimes this form is embedded within the email with instructions to provide details such as a password and bank account number. Users are then instructed to return the email to the sender. An alternative method attempts to trick recipients into installing a Trojan virus on their computer by opening an email attachment or downloading the Trojan virus from a website. The Trojan is then used to collect information from the user’s computer. These emails are mass-mailed to many thousands of people with the hope that some of the recipients will be customers of the targeted institution. The scammers also hope that people will be unaware and believe the email to be a legitimate request.

Cyber thieves also use official-looking e-mails to lure you to fake websites and trick you into revealing your personal information.

It’s also an example of an even more mischievous type of phishing known as “spear phishing”—a rising cyber threat that you need to know about.
Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive.

How spear phishing works.
First, criminals need some inside information on their targets to convince them the e-mails are legitimate. They often obtain it by hacking into an organization’s computer network (which is what happened in the above case) or sometimes by combing through other websites, blogs, and social networking sites.  Then, they send e-mails that look like the real thing to targeted victims, offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data. Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.

Criminal gain, your loss.
Once criminals have your personal data, they can access your bank account, use your credit cards, and create a whole new identity using your information. Spear phishing can also trick you into downloading malicious codes or malware after you click on a link embedded in the e-mail…an especially useful tool in crimes like economic espionage where sensitive internal communications can be accessed and trade secrets stolen. Malware can also hijack your computer, and hijacked computers can be organized into enormous networks called botnets that can be used for denial of service attacks. 

How to avoid becoming a spear phishing victim.
Law enforcement takes this kind of crime seriously, and we in the FBI work cyber investigations with our partners, including the U.S. Secret Service and investigative agencies within the Department of Defense. But what can you do to make sure you don’t end up a victim in one of our cases?

  • Keep in mind that most companies, banks, agencies, etc., don’t request personal information via e-mail. If in doubt, give them a call (but don’t use the phone number contained in the e-mail—that’s usually phony as well). 
  • Use a phishing filter…many of the latest web browsers have them built in or offer them as plug-ins.
  • Never follow a link to a secure site from an e-mail—always enter the URL manually.
  • Don't be fooled (especially today) by the latest scams. Visit the Internet Crime Complaint Center (IC3) and "LooksTooGoodToBeTrue" websites for tips and information.

Test Your Knowledge:

Phishing is an attempt to:

  1. sell concert tickets.
  2. place cookies on your computer.
  3. display advertising in your browser.
  4. fool people into providing personal information.

For more information

How to Protect Your Computer
FBI Cyber Investigations
Latest E-scams and warnings
Be Crime Smart website
Recognizing Phishing scams - http://www.microsoft.com/protect/yourself/phishing/identify.mspx
Federal Trade Commission: How not to get hooked by a Phishing scam - http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm


Scareware-Protect Your Computer

While surfing the Internet, you may have seen a pop-up message telling you your computer is infected with a virus. The message goes on to explain that you should order the antivirus software advertised in the pop-up. Before you click on the link to the offer consider the following:

The scam, known as “scareware”, attempts to convince you to purchase their “antivirus” software. This software actually installs malicious software (malware) into your system. Additionally, many of these criminals operate outside the U.S., making investigations difficult and complex for law enforcement.

How to spot a “scareware” scam:

  • These pop-ups typically use icons that do not work like a typical button or link.
  • To build authenticity into their software, “scareware” will show a list of reputable icons, like well known software companies or security publications. However, there are no links to the sites so that you can see the actual reviews or recommendations.
  • The pop-up is hard to close. “Scareware” pop-ups employ aggressive techniques. They will not close easily after clicking the “close” or “X” button.
  • Cyber criminals often use easy-to-remember names like Virus Shield, Antivirus, or VirusRemover.

How to protect yourself: Make sure your computer is fully protected by legitimate, up-to-date antivirus software.

To report a fraud or scam contact the Lee County Sheriff’s Office Fraud Line at 239-477-1242.




Firewalls

Whether at work or at home, you have probably heard the term firewall. A firewall is a software or hardware device that is configured to filter information in order to keep destructive data from entering the Edison network—in other words, it provides access control by defining what information is permitted to enter the network as well as your computer. In essence it is not a wall but a door that allows trusted Internet traffic in and out of your network.

More specifically, firewalls can be configured to:

  1. Block ports that viruses, worms, and Trojans use to communicate with other machines on the Internet.
  2. Prevent unwanted sharing of your files and computer devices such as printers.
  3. Prevent applications on your computer from connecting to the Internet if they don't need to.
  4. Make it difficult for hackers to access and take advantage of un-patched network applications and services on your computer.

 

Firewalls are designed to create a secure barrier between your internal network and your computer and the outside world.

Test Your Knowledge:

Firewalls can be configured to:

  1. start programs on your computer.
  2. prevent unwanted sharing of your files.
  3. enable software downloads.
  4. shut down your computer.

For more information

Firewall FAQ
http://www.microsoft.com/protect/computer/firewall/faq.mspx

How to choose a firewall
http://www.microsoft.com/protect/computer/firewall/choosing.mspx

Understanding Windows Firewall
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Mac OS Security
http://www.apple.com/macosx/features/300.html#security




File Sharing and Copyright

Click here to read the File Sharing Procedure of Edison State College.

Copyright is a form of protection given to authors and creators of intellectual work, including music, drama, art, literature, and more. The author of the work is the only person who has the right to do or let anyone else do the following:

  1. Make copies of the work
  2. Distribute the work
  3. Display the work
  4. Perform the work
  5. Make derivative works

 

“Derivative works” refers to making modifications to the original work, adapting the original work, and translating the original work to another medium. Public domain works are works that are not copyright protected and are freely available for anyone’s use. This includes works for which the term of copyright has expired, works where the author did not comply with statutory procedures to obtain the copyright, and works of the U.S. Government.

Most of the recordings and videos found on the Internet today are protected by copyright. To obtain a work that is not in the public domain, you must get permission from the owner of the copyright. A safe way to assure you are obtaining legal copies of a published work is to pay the appropriate fee at a legal download site. Services such as Napster, Apple iTunes, and Musicmatch provide download permission based on a signed agreement with the owner of the work.

Although file sharing is a legal technology with legal uses, many users use it to download and upload copyrighted materials without permission. Accusations of illegal file sharing typically come from either the music or movie industries, in the form of a Digital Millennium Copyright Act (DMCA) complaint. The DMCA was passed by Congress in 1998 to bring copyright laws in line with digital technology. It defines penalties such as hefty fines for individuals found guilty of illegally circulating copyrighted works.

Summary of Civil and Criminal Penalties for Violation of Federal Copyright Laws

Copyright infringement is the act of exercising, without permission or legal authority, one or more of the exclusive rights granted to the copyright owner under section 106 of the Copyright Act (Title 17 of the United States Code). These rights include the right to reproduce or distribute a copyrighted work. In the file-sharing context, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement.

Penalties for copyright infringement include civil and criminal penalties. In general, anyone found liable for civil copyright infringement may be ordered to pay either actual damages or "statutory" damages affixed at not less than $750 and not more than $30,000 per work infringed. For "willful" infringement, a court may award up to $150,000 per work infringed. A court can, in its discretion, also assess costs and attorneys' fees. For details, see Title 17, United States Code, Sections 504, 505.

Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense.

For more information, please see the Web site of the U.S. Copyright Office at www.copyright.gov, especially their FAQ's at www.copyright.gov/help/faq.

 

Test Your Knowledge:

The intellectual works that are freely available to anyone are said to be in the:

  1. download site.
  2. search engine.
  3. public domain.
  4. library.

For more information

Copyright or Copywrong?
http://web.utk.edu/~hoemann/copyright-resources.html

Educause: P2P File Sharing
http://connect.educause.edu/term_view/P2P%2Bor%2BFile%2BSharing

Educause: The Digital Millennium Copyright Act
http://connect.educause.edu/term_view/DMCA

Risks of File Sharing Technology
http://www.us-cert.gov/cas/tips/ST05-007.html