Basic Security Considerations for Email and Web Browsing
There has been a significant increase in spear phishing and other social engineering attacks delivered by email in the last quarter of 2015, with notable success. Many of these campaigns appear to specifically target personal mobile devices such as smartphones, which generally have a weaker security posture than business-class computing platforms with appropriate endpoint protection software installed. Some specific examples of such attacks are included in this document.

While the current bring your own device (BYOD) approach to mobile computing is convenient for both businesses and customers, the lack of standardization, the limited commercial offerings for effective smartphone endpoint protection, and the limited or non-existent means in mobile browsers and mail clients to inspect the real destination of a hyperlink before opening it are the primary reasons these attacks succeed. The results range from installation of malware and lock-out from social media or email accounts (which are then mined for personal information and contacts, and used to propagate further attacks) up to identity theft, fraudulent credit card charges and money transfers. User awareness of the risks is key to enjoying the convenience of mobile computing without becoming a victim of these campaigns. This white paper provides guidance on a few simple techniques that can improve your cyber security posture.

Background facts you may not know:

- In HTML (the language most web pages, and many email messages, are written in), the text displayed for a hyperlink does not need to bear any relation to the hyperlink's actual destination.
  In other words, a link may display www.mybank.com but actually point to a totally different site, such as www.thanksforyourbankinginfo.cn. Only the link's destination address (its href attribute), never its visible text, determines where the browser goes.
- Just because your web connection is encrypted (the address starts with https:// instead of http://) does not mean you are at the site you intended to visit, or that the site is legitimate. It means only that the site presented a certificate your browser trusts for the host name shown in the address bar. Valid certificates are easy to obtain, through both legitimate and illegitimate means, and a phishing site can have a perfectly valid certificate for its own name. Inspecting both the certificate itself and the full URL of the site you are connected to are important steps in ensuring you are at your intended destination.
- Entire web sites, including those used for online banking, are easily duplicated, modified and reposted on the web as phishing sites. This is no more difficult than copying and editing a Word document. The resulting sites will often redirect you back to the genuine site after stealing your credentials, usually with a generic message that you typed your password incorrectly, to explain having to enter it a second time.
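The hyperlink trick described above is easy to check mechanically once a message is on a computer. The following added example (not code from the original white paper) parses an HTML message body, extracts each link's visible text and actual destination, and flags links whose text names one site while the address points at another, or whose address is not https. The sample message is constructed for illustration, and the "owner" of a host name is approximated by its last two labels, which is adequate for the .com/.ca/.cn names used here but would need the Public Suffix List for names like example.co.uk.

```python
"""Spot hyperlinks whose visible text names one site but whose destination is another.

Added example (not code from the original white paper).  SAMPLE_HTML below is a
constructed message in the style of the phishing email described above.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name (optionally with a scheme) inside link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a ...>...</a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude owner of a host name: its last two labels.  Good enough for .com/.ca/.cn;
    a production tool would consult the Public Suffix List for .co.uk and friends."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return [(visible_text, href, reason)] for links whose visible text names a
    different site than the href points at, or whose href is not https."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        named = HOST_IN_TEXT.search(text)
        if named and registrable(named.group(1)) != registrable(target.hostname):
            findings.append((text, href, "text names %s but link goes to %s"
                             % (named.group(1), target.hostname)))
        elif target.scheme and target.scheme != "https":
            findings.append((text, href, "link is not https"))
    return findings


# Constructed sample: the first link lies about its destination, the second is
# honest, and the third points at a sub-domain of the same bank and is left alone.
SAMPLE_HTML = """<p>Dear customer,</p>
<p>Please visit <a href="http://login.thanksforyourbankinginfo.cn/verify">www.mybank.com</a>
to verify your account, or <a href="https://www.mybank.com/help">contact us</a>.</p>
<p><a href="https://secure.mybank.com/login">https://www.mybank.com/login</a></p>"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_HTML):
        print("SUSPICIOUS: %r -> %s (%s)" % (text, href, reason))
```

Running it reports only the first link; the third is accepted because secure.mybank.com and www.mybank.com share the same registrable domain. A mail client could run the same logic over every HTML message and mark the offending links before the user ever sees them on a small screen.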

- Malware can be embedded in far more than just executable files. Virtually any file type, including images, sound files, videos, office documents, PDFs and ZIP archives, can carry malware, either as an embedded macro or script or as a malformed file crafted to exploit a bug in the program that opens it.
- Many conveniences, such as autorun (which automatically performs an action such as opening a program when you insert removable media like a CD-ROM or USB stick), inherently involve a compromise in security. For example, a computer with autorun enabled can be infected by inserting such media for a few seconds and removing it, even while the desktop is locked. Many such features are enabled by default and must be disabled, on managed networks via Group Policy, to improve the security posture.
- Increasingly, social engineering attacks designed to collect information are conducted entirely on the attacker's web server, without downloading any malware to your machine (the page is legitimate code with an illegitimate purpose), leaving little or no opportunity for endpoint protection software to detect a problem. Once the attackers have the information they want, these attacks may or may not be followed up with malware or remote access tools.
- Large software vendors such as Microsoft and Apple do not proactively contact end users about support issues with individual systems. If you have been contacted by a "support desk" about a problem they claim to have detected on your machine, whether via a popup, online chat or telephone, the chances are very high that they are scammers. Do not allow remote access to your machine, and do not give personal information to such support desks. The same applies to callers claiming to be from government agencies such as the Canada Revenue Agency or the RCMP. Be very skeptical, and ask for detailed identifying information that you can validate yourself through means you look up independently (for example, the agency's published telephone number), not through a number or link the caller provides.
- Web pages can be rendered to closely replicate the appearance and functionality of windows from other applications, or even the operating system itself, making it difficult to tell that what you are looking at is in fact a web page (popup blocking removes one common vehicle for this trick).
- The sender address displayed in an email is easily spoofed (it can be set programmatically to whatever the sender wants) and is not necessarily the actual sender. The true origin of an email can only be ascertained by examining the message headers (the Received chain, Return-Path and Reply-To) and/or the logs on the receiving mail server.

So how can you use your computing devices and stay safe from these risks? Start with an awareness that there is a balance to be struck between security and convenience. Do you really need to make that e-transfer right now from your phone, or can you wait until you can do it more safely from your computer? Just because a friend knows a little more about computers than you do and likes a third-party web browser, or downloads drivers off the internet, do you really need to let them do that on your machine without doing your own research?
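To show what header examination looks like in practice, here is an added example (not part of the original white paper) that pulls apart a constructed message: it compares the domain of the displayed From: address with the envelope sender (Return-Path), the Reply-To address and the earliest Received: hop, which is where the message actually entered the mail system. The message, its domains (under the reserved .example top-level domain) and its IP addresses (from the documentation ranges) are all constructed for the example.

```python
"""Trace the true origin of an email from its headers rather than its From: line.

Added example (not code from the original white paper).  SAMPLE_MESSAGE is a
constructed message; .example domains and the 203.0.113.0/24 and 192.0.2.0/24
address ranges are reserved for documentation.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# First token after "from" in a Received: header, e.g. "relay.x.example" or "[192.0.2.25]"
RECEIVED_FROM = re.compile(r"^from\s+([^\s(;]+)", re.IGNORECASE)


def domain_of(header_value):
    """Domain of the first address in a header ('' if absent or not an address)."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse_origin(raw_message):
    """Compare the displayed sender with the envelope sender, the Reply-To and the
    relay chain.  Returns the extracted fields plus a list of warnings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])

    # Each relay prepends its own Received: line, so the last one is the first hop.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.match(str(received).strip())
        hops.append(m.group(1).lower() if m else "?")

    warnings = []
    if return_dom and return_dom != from_dom:
        warnings.append("bounces go to %s, not to the displayed sender %s" % (return_dom, from_dom))
    if reply_dom and reply_dom != from_dom:
        warnings.append("replies are redirected to %s" % reply_dom)
    if hops and not (hops[0] == from_dom or hops[0].endswith("." + from_dom)):
        warnings.append("message entered the mail system from %s, not from %s" % (hops[0], from_dom))
    return {"from": from_dom, "return_path": return_dom, "reply_to": reply_dom,
            "hops": hops, "warnings": warnings}


# Constructed sample: the From: line claims the credit union, but the envelope
# sender, Reply-To and relay chain all point at a bulk-mail service.
SAMPLE_MESSAGE = """Return-Path: <bounces@cheap-bulkmail.example>
Received: from mx1.northernsavings.ca (mx1.northernsavings.ca [203.0.113.10])
    by mailstore.northernsavings.ca with ESMTP; Tue, 10 Nov 2015 09:02:11 -0800
Received: from relay.cheap-bulkmail.example (relay.cheap-bulkmail.example [203.0.113.77])
    by mx1.northernsavings.ca with ESMTP; Tue, 10 Nov 2015 09:02:10 -0800
Received: from [192.0.2.25] (unknown [192.0.2.25])
    by relay.cheap-bulkmail.example with ESMTPA; Tue, 10 Nov 2015 09:02:09 -0800
From: "Northern Savings Support" <support@northernsavings.ca>
Reply-To: <account-verify@cheap-bulkmail.example>
To: member@example.com
Subject: Your account has been locked
Content-Type: text/html

<p>Please verify your account.</p>
"""

if __name__ == "__main__":
    result = analyse_origin(SAMPLE_MESSAGE)
    print("hops (first to last):", " -> ".join(result["hops"]))
    for w in result["warnings"]:
        print("WARNING:", w)
```

Note that only the topmost Received: line (the one added by your own mail server) is trustworthy; everything below it was written by systems the sender controls and can be forged too, which is why the receiving server's own logs are the final word.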

Consideration of the following tips will reduce your exposure to a variety of security risks, and can improve your confidence in your online activities:

- Use the browser that came with your operating system (Internet Explorer on Windows, Safari on OS X and iOS), and apply updates as they become available. These browsers are maintained by your operating system vendor and patched through the native OS update process, so fixes reach your machine without a separate update step, and the window between discovery of a vulnerability and its being patched on your machine stays short. Unnecessary third-party software often introduces additional vulnerabilities and complicates support. Whatever browser you use, the property that matters is that it updates itself promptly.
- Disable (block) popups in your web browser:
  Internet Explorer: http://windows.microsoft.com/en-ca/internet-explorer/ie-security-privacy-settings#ie=ie-11-win-7
  Safari: https://support.apple.com/en-ca/ht203987
- Avoid opening hyperlinks (web shortcuts) received via email on your smartphone. If you think you have received a legitimate email with links you need to act on, forward it to an address you can open on your computer, and validate that the destination of each hyperlink is legitimate before clicking. Below are two examples of spear phishing emails as received on an iPhone, and the same messages as they appear in Outlook. Note that:
  o the first clues that these are spear phishing emails are often immediately noticeable on the larger screen of a computer;
  o the real destination of a hyperlink can be seen by hovering the mouse cursor over it on your computer (the status bar shows the target address, whereas the message shows only the display text).

[Screenshots of the two sample emails, iPhone and Outlook views, are not reproduced in this transcription.]

- Some spear phishing emails may be more difficult to detect even on a desktop computer; be wary of attachments. With HTML now the native format of many email messages, it is easy to forget that this language is well suited to directing a recipient to nefarious content, such as a spoofed Tangerine online banking login page attached to the email as an HTML file.

[Screenshot of the spoofed Tangerine login page is not reproduced in this transcription.]

- Typosquatting (registering misspellings of popular domain names) is also used to capture traffic by taking advantage of common typing errors users make when entering URLs (web site addresses) in their browser, presenting a copy of the genuine site's login screen. We encourage our customers to carefully create bookmarks or internet shortcuts to their commonly used web sites, and to use only those bookmarks to reach them. This can be done on all computing platforms, including iPads and smartphones.
- Packets are easily captured on public wifi access points. Minimize use of such access points for sensitive information such as email, financial transactions, or logins to unencrypted sites (addresses beginning with http:// are unencrypted; https:// sites are encrypted, although even then the names of the sites you visit remain visible to anyone on the same network).
- While Bluetooth is convenient for linking external keyboards and similar accessories to smartphones, the security mechanisms in this technology have repeatedly proven weak; use of Bluetooth for input devices, or for headsets when conversations are sensitive, is strongly discouraged. Hardwired accessories are recommended.
- Attacks that ride on an existing logged-in session (cross-site request forgery, and cross-site scripting where the vulnerable site is open in the same browser) are increasingly common when multiple sites are open in the same browser window or browsing session. When conducting sensitive transactions or logins online, use InPrivate browsing in Internet Explorer (Private Browsing in Safari) for that specific purpose, and completely close the browser when finished. If private browsing is unavailable, clear your browsing history (including cookies) before closing the browser.
- Install and maintain mainstream anti-virus/endpoint security and firewall software on every device that supports it. We recommend Symantec Endpoint Protection. Be very skeptical of free software that purports to do this: at best you get what you pay for, and at worst it is not at all uncommon for malware and back-door remote access tools to be packaged as "security solutions" or other freeware.
- Be very wary of free hardware and media, such as jump drives or external hard drives that are found or provided by third parties. These have been used in high-profile cyber attacks as a delivery mechanism for malware and spyware.
- Do not conduct business on personal devices, or personal activities such as social networking on business devices. For personal business such as online banking, use only private (and encrypted) wifi networks, and only the apps provided by the institution you are dealing with (not a browser). Ensure those apps use HTTPS encryption (TLS, still commonly called SSL) and employ multi-factor authentication (such as a password combined with a PIN or answers to questions only you would know).
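As an added example (not code from the original white paper), the check below shows how a browser extension or a help-desk tool could apply the bookmark advice mechanically: a typed host name is accepted only if it is a saved bookmark or a sub-domain of one, and flagged as a lookalike when it is within a couple of edits of a bookmark (after folding visually confusable sequences such as "rn" for "m") or embeds a bookmarked brand name under someone else's domain. The bookmark list and the confusable table are constructed for illustration.

```python
"""Classify a host name typed into the address bar against a list of saved bookmarks.

Added example (not code from the original white paper).  BOOKMARKS and CONFUSABLES
are constructed for illustration and are not exhaustive.
"""
import re

# Character sequences that look alike in many fonts (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def canon(host):
    """Lower-case a host and drop a trailing dot and a leading 'www.'."""
    return re.sub(r"^www\.", "", host.strip().lower().rstrip("."))


def fold(host):
    """canon() plus folding of visually confusable sequences, for comparison only."""
    h = canon(host)
    for seq, repl in CONFUSABLES:
        h = h.replace(seq, repl)
    return h


def registrable(host):
    """Last two labels of a host (crude; a real tool would use the Public Suffix List)."""
    return ".".join(canon(host).split(".")[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(typed, bookmarks, max_distance=2):
    """Return ("bookmark", saved) when the typed host is a saved site or a sub-domain
    of one, ("lookalike", saved) when it is a near-miss of one or embeds a saved
    brand name under someone else's domain, and ("unknown", None) otherwise."""
    t = canon(typed)
    saved = {canon(b): b for b in bookmarks}
    if t in saved:
        return ("bookmark", saved[t])
    for s, original in saved.items():
        if registrable(t) == registrable(s):
            return ("bookmark", original)          # e.g. another sub-domain of a saved site
        brand = registrable(s).split(".")[0]       # "northernsavings" from "northernsavings.ca"
        if (levenshtein(fold(t), fold(s)) <= max_distance
                or (len(brand) >= 6 and fold(brand) in fold(t))):
            return ("lookalike", original)
    return ("unknown", None)


BOOKMARKS = ["www.northernsavings.ca", "www.tangerine.ca", "mail.google.com"]

if __name__ == "__main__":
    for typed in ["northernsavings.ca", "northernsavngs.ca", "northernsavings-ca.com",
                  "docs.google.com", "example.org"]:
        print("%-25s -> %s" % (typed, classify(typed, BOOKMARKS)))
```

The distance threshold is deliberately small: with a longer one, unrelated short domains start to look like near-misses of each other. The brand-name check catches the other common pattern, where the real name is kept intact but parked under an attacker's domain, which no edit distance would flag.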

- Don't use the same password for everything; use a separate password for each social networking site and for every other system, such as corporate sign-ins or online banking. This is critical to ensuring that if one password is compromised, the damage is limited to that platform. Change these passwords periodically. If you must write them down, keep the note in a very secure location. If you ever share a password with anyone, change it at the earliest opportunity.
- If you purchase online, devote a single credit card to online purchases and monitor the account activity carefully. Do your homework on the vendor, including searching for customer reviews and security reports, before purchasing from them; this should include reading their relevant privacy policies. Be wary of vendors that keep your credit card information on file for future purchases (many large vendors do this), so that you are not one of thousands of victims when their systems are compromised. Avoid using your debit card for online purchases: most banks do not afford debit card users the same protections as credit card users for detecting and mitigating fraudulent use, limitation of liability and so on, and your bank account could be drained long before you see a statement.
- NEVER use your business email address for social networking or online dating. Consider setting up a dedicated email address for these purposes, one that is not used for any actual business or financial purposes, as this address is likely to become a target for spear phishing and malware delivery.
- When using HTTPS connections to conduct business online, only allow your browser to display secure content (say no if prompted whether the web site may display insecure content). On legitimate sites, insecure ("mixed") content is limited to ad banners and other items that are not essential to the business being conducted. Loading insecure content into a secure page lets anyone on the network path between you and the site (for example, on the same public wifi) replace that content, including scripts, and so tamper with the otherwise encrypted session.
- When using HTTPS connections to conduct business online, always inspect the certificate, especially if the browser reports any error with it. To do so, click the padlock icon in the address bar, as shown in the screenshots that follow. Ensure that the certificate is issued by a certificate authority you trust (be wary of CAs in China, Russia and other Eastern Bloc nations, from which a considerable amount of nefarious online activity is conducted), and that it is issued to the site and company you intended to visit. Be skeptical of certificates issued to sites not affiliated with the business you are connecting to, certificates with small keys (RSA keys shorter than 2048 bits; 1024-bit keys are no longer issued by public CAs), certificates issued for purposes other than authenticating web servers, and certificates with validity periods longer than three years.
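The certificate checks above (correct host name, trusted issuer, key size, lifetime, purpose) can be expressed as code. The following added example (not code from the original white paper, and not a replacement for the validation your browser already performs) runs those checks over two constructed certificate descriptions, one genuine and one belonging to a phishing site. Note in particular the wildcard rule, which trips up many people reading certificates by hand: *.mybank.com covers www.mybank.com but not mybank.com itself, nor any deeper name. The dictionaries, issuer names and dates are assumptions made up for the example; nothing is fetched from the network.

```python
"""Sanity-check the fields of a server certificate the way the tips above describe:
right host, trusted issuer, sane key size, sane lifetime, right purpose.

Added example (not code from the original white paper).  GOOD_CERT and PHISH_CERT
are constructed dictionaries mirroring the fields a browser's certificate viewer
shows; TRUSTED and NOW are likewise assumptions for the example.
"""
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=3 * 365)   # the white paper's "no longer than 3 years"
MIN_RSA_BITS = 2048


def hostname_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, and a wildcard may only stand for
    the whole left-most label ('*.mybank.com' matches 'www.mybank.com' but neither
    'mybank.com' nor 'a.b.mybank.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def check_certificate(cert, expected_host, trusted_issuers, now):
    """Return a list of warnings; an empty list means the certificate passed."""
    warnings = []
    names = [name for kind, name in cert["subjectAltName"] if kind == "DNS"]
    if not any(hostname_matches(n, expected_host) for n in names):
        warnings.append("not issued for %s (names: %s)" % (expected_host, ", ".join(names)))
    if cert["issuer"] not in trusted_issuers:
        warnings.append("issuer %r is not one you trust" % cert["issuer"])
    if cert["key_bits"] < MIN_RSA_BITS:
        warnings.append("%d-bit key is too small" % cert["key_bits"])
    if now < cert["notBefore"] or now > cert["notAfter"]:
        warnings.append("certificate is not valid at this time")
    if cert["notAfter"] - cert["notBefore"] > MAX_LIFETIME:
        warnings.append("validity period longer than 3 years")
    if "serverAuth" not in cert["extendedKeyUsage"]:
        warnings.append("not issued for authenticating web servers")
    return warnings


# Constructed: what the genuine bank's certificate might look like.
GOOD_CERT = {
    "subjectAltName": [("DNS", "www.mybank.com"), ("DNS", "mybank.com")],
    "issuer": "Example Trusted CA",
    "notBefore": datetime(2015, 6, 1), "notAfter": datetime(2017, 6, 1),
    "key_bits": 2048, "extendedKeyUsage": ["serverAuth", "clientAuth"],
}
# Constructed: a perfectly "valid" certificate, but for the phishing site's own name,
# from an unknown issuer, with a weak key and a five-year lifetime.
PHISH_CERT = {
    "subjectAltName": [("DNS", "*.mybank-secure.cn")],
    "issuer": "Example Free CA",
    "notBefore": datetime(2015, 10, 1), "notAfter": datetime(2020, 10, 1),
    "key_bits": 1024, "extendedKeyUsage": ["serverAuth"],
}
TRUSTED = {"Example Trusted CA"}   # assumption: the CAs this user chooses to trust
NOW = datetime(2015, 11, 10)       # assumption: the date of the check

if __name__ == "__main__":
    for label, cert in (("genuine", GOOD_CERT), ("phishing", PHISH_CERT)):
        print(label, "->", check_certificate(cert, "www.mybank.com", TRUSTED, NOW) or "OK")
```

The phishing certificate is not "invalid" in the browser's sense (it is current and carries a server-authentication purpose), which is exactly the point made above: a padlock means the certificate matches the name in the address bar, and it is the name itself you must read.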

Checking SSL Certificates in Internet Explorer
[Screenshots not reproduced in this transcription.]

Checking SSL Certificates in Safari
[Screenshots not reproduced in this transcription.]

Additional Resources

Government of Canada, Cyber Safety for Small Businesses: http://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-eng.aspx
Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/index-eng.htm
US-CERT (United States Computer Emergency Readiness Team) Cyber Security Tips: https://www.us-cert.gov/ncas/tips

This document is provided for information purposes only. External links are maintained by third parties; the author assumes no responsibility for their content. Screenshots of the Northern Savings Credit Union website used with permission; images © 2015 Northern Savings Credit Union. All rights reserved.