Security Awareness
Eight Cyber Security Practices to Stay Safe Online
The widespread availability of computers and connections to the
Internet provides everyone with 24/7 access to information, credit and
financial services, and shopping. The Internet is also an incredible
tool for educators and students to communicate and learn.
Unfortunately, some individuals exploit the Internet through
criminal behavior and other harmful acts. Criminals can try to gain
unauthorized access to your computer and then use that access to steal
your identity, commit fraud, or even launch cyber attacks against
others. By following the recommended cyber security practices outlined
here, you can limit the harm cyber criminals can do not only to your
computer, but to everyone's computer.
However, there is no single cyber security practice or technological
solution that will prevent online crime. These recommended cyber
security practices highlight that using a set of practices that includes
Internet habits as well as technology solutions can make a difference.
The National Cyber Security Alliance's Top Eight Cyber Security
Practices are practical steps you can take to stay safe online and avoid
becoming a victim of fraud, identity theft, or cyber crime.
Tip 1
Protect your personal information. It's valuable.
Why? To an identity thief, it can provide instant access to your
financial accounts, your credit record, and your other personal assets.
If you think no one would be interested in your personal
information, think again. The reality is that anyone can be a victim of
identity theft. In fact, according to a Federal Trade Commission survey,
there are almost 10 million victims every year. It's often difficult to
know how thieves obtained their victims' personal information, and
while it definitely can happen offline, some cases start when online
data is stolen. Visit www.consumer.gov/idtheft to learn what to do if your identity is stolen.
Unfortunately, when it comes to crimes like identity theft, you
can't entirely control whether you will become a victim. But following
these tips can help minimize your risk while you're online:
• If you're asked for your personal information – your name, email
or home address, phone number, account numbers, or Social Security
number – learn how it's going to be used, and how it will be protected,
before you share it.
• Don't open unsolicited or unknown email messages. If you do get an
email or pop-up message asking for personal information, don't reply or
click on the link in the message. To avoid opening such messages, you
can turn off the "Preview Pane" functionality in email programs, and you
can set your default options to view opened emails as plain text to
avoid active links or popups in the messages. Most importantly, do not
respond to solicitations for your personal or financial information.
If you believe there may be a need for such information by a company
with whom you have an account or placed an order, contact that company
directly in a way you know to be genuine. Never send your personal
information via email because email is not a secure transmission method.
Most email programs have email filters built into the application.
The links on the left hand side of this webpage contain video tutorials
that'll show you how to set your email filters, so you can limit the
amount of unsolicited email you receive.
• If you are shopping online, be careful about providing your
personal or financial information through a company's website without
taking measures to reduce the risk. There are some indicators that show
vendors have taken measures to secure their sites such as a lit lock
icon on the browser's status bar or a website URL that begins "https:"
(the "s" stands for "secure"). Unfortunately, no indicator is foolproof;
some scammers have forged security icons.
• Read website privacy policies. They should explain what personal
information the website collects, how the information is used, and
whether it is provided to third parties. The privacy policy also should
tell you whether you have the right to see what information the website
has about you, whether they provide and/or sell your information to
third parties, and what security measures the company takes to protect
your information. If you don't see a privacy policy – or if you can't
understand it – consider doing business elsewhere.
Tip 2
Know who you're dealing with online.
And know what you're getting into. There are dishonest people in the
bricks and mortar world and on the Internet. But online, you can't
judge an operator's trustworthiness with a gut-affirming look in the
eye. It's remarkably simple for online scammers to impersonate a
legitimate business, so you need to know whom you're dealing with. If
you're shopping online, check out the seller before you buy. A
legitimate business or individual seller should give you a physical
address and a working telephone number at which they can be contacted in
case you have problems.
Phishing — bait or prey?
"Phishers" send spam or pop-up messages claiming to be from a
business or organization that you might deal with, for example, an
Internet service provider (ISP), bank, online payment service, or even a
government agency. The message usually says that you need to "update"
or "validate" your account information. It might threaten some dire
consequence if you don't respond. The message directs you to a website
that looks just like a legitimate organization's, but isn't. What is the
purpose of the bogus site? To trick you into divulging your personal
information so the operators can steal your identity and run up bills or
commit crimes in your name.
Don't take the bait: don't open unsolicited or unknown email
messages; don't open attachments from people you don't know or don't
expect; and never reply to or click on links in email or popups that ask
for personal information. Legitimate companies don't ask for this
information via email. If you are directed to a website to update your
information, verify that the site is legitimate by calling the company
directly, using contact information from your account statements. Or
open a new browser window and type the URL into the address field,
watching that the actual URL of the site you visit doesn't change and is
still the one you intended to visit. Forward spam that is phishing for
information to spam@uce.gov and to the company, bank, or organization
impersonated in the phishing email. Most organizations have information
on their websites about where to report problems.
To ensure you're not being victimized and to detect unauthorized
purchases, use the same practices as you do in the offline world. Check
your credit card bill at least every month, and consider using services
that inform you if someone has requested credit in your name.
Free Software and File-Sharing — worth the hidden costs?
Every day, millions of computer users share
files online. File-sharing can give people access to a wealth of
information, including music, games, and software. How does it work? You
download special software that connects your computer to an informal
network of other computers running the same software. Millions of users
could be connected to each other through this software at one time.
Often the software is free and easily accessible.
But file-sharing can have a number of risks. If you don't check the
proper settings, you could allow access not just to the files you intend
to share, but also to other information on your hard drive, like your
tax returns, email messages, medical records, photos, or other personal
documents.
In addition, you may unwittingly download pornography labeled as
something else. Or you may download material that is protected by the
copyright laws, which would mean you could be breaking the law.
Therefore, downloading file-sharing software is not advisable and could
place your personal information and computer at risk. If you do decide
to use file-sharing software, set it up very carefully. Take the time to
read the End User License Agreement to be sure that you're sharing
files legally and that you understand the potentially high risk of any
free downloads. For example, some license agreements include an
agreement to allow spyware to be installed on your machine.
Spyware
Many free downloads, whether from peers or businesses, come with
potentially undesirable side effects. Spyware is software installed
without your knowledge or consent that adversely affects your ability to
use your computer, sometimes by monitoring or controlling how you use
it. Not only can spyware programs affect your computer use and access
your personal information, but in some cases they can also use your
computer to access or launch attacks against others. To avoid spyware,
resist the urge to install any software unless you know exactly what it
is. Your anti-virus software may include anti-spyware capability that
you can activate, but if it doesn't, you can install separate
anti-spyware software, and then use it regularly to scan for and delete
any spyware programs that may sneak onto your computer.
Email Attachments and Links — legitimate or virus-laden?
Many viruses sent over email or Instant Messenger won't damage your
computer without your participation. For example, you would have to open
an email or attachment that includes a virus or follow a link to a site
that is programmed to infect your computer. So, don't open an email
attachment - even if it appears to be from a friend or coworker - unless
you are expecting it or know what it contains. You can help others
trust your attachments by including a message in your text explaining
what you're attaching. Hackers often lie to get you to open the email
attachment or click on a link. Some virus-laden emails appear to come
from a friend or colleague; some have an appealing file name, like "Fwd:
FUNNY" or "Per your request!"; others promise to clean a virus off your
computer if you open it or follow the link.
Tip 3
Use anti-virus software, a firewall, and anti-spyware software to help keep your computer safe and secure.
Dealing with anti-virus and firewall protection may sound about as
exciting as flossing your teeth, but it's just as important as a
preventive measure. Having intense dental treatment is never fun;
neither is dealing with the effects of a preventable computer virus.
Anti-virus Software
Anti-virus software protects your computer from viruses that can
destroy your data, slow your computer's performance, cause a crash, or
even allow spammers to send email through your account. It works by
scanning your computer and your incoming email for viruses, and then
deleting them.
To be effective, your anti-virus software should update routinely
with antidotes to the latest "bugs" circulating through the Internet.
Most commercial anti-virus software includes a feature to download
updates automatically when you are on the Internet.
Anti-Virus Software - What to Look for and Where to Get It
You can download anti-virus software from the websites of software
companies or buy it in retail stores. Look for anti-virus software that:
• Recognizes current viruses, as well as older ones;
• Effectively reverses the damage;
• Updates automatically.
Here's a sample list of anti-virus software that you can purchase online.
http://security.getnetwise.org/tools/results/any2.php
This list was gathered and provided by the GetNetWise website. We
cannot guarantee the effectiveness of any of the products listed on the
GetNetWise website, nor do we endorse any products. The National Cyber
Security Alliance is also unable to provide any technical assistance
with any of these tools.
Firewalls
Don't be put off by the word "firewall." It's not necessary to fully
understand how it works; it's enough to know what it does and why you
need it. Firewalls help keep hackers from using your computer to send
out your personal information without your permission. While anti-virus
software scans incoming email and files, a firewall is like a guard,
watching for outside attempts to access your system and blocking
communications from and to sources you don't permit.
Some operating systems and hardware devices come with a built-in
firewall that may be shipped in the "off" mode. Make sure you turn it
on. For your firewall to be effective, it needs to be set up properly
and updated regularly. Check your online "Help" feature for specific
instructions.
Information on how to turn on your operating system's firewall:
Windows XP and Macintosh OS X operating systems have a built-in
firewall. Here's a video that teaches you how to turn on the firewall
for each of these operating systems. This option is available only if
you have these operating system versions.
Windows XP
http://security.getnetwise.org/tools/firewallxp-instruct
This video tutorial shows you how to enable the firewall option built into the Microsoft XP operating system.
Macintosh OS X
http://security.getnetwise.org/tools/firewall-osx-instruct
This video tutorial shows you how to start the built-in firewall of
the Macintosh OS X operating system. This option is available only to
users of the Macintosh OS X operating system version 10.2 or later.
If your operating system doesn't include a firewall, get a separate
software firewall that runs in the background while you work, or install
a hardware firewall — an external device that includes firewall
software. Several free firewall software programs are available on the
Internet. You can find one by typing "free firewall" into your favorite
search engine.
Here's a sample list of firewall software that you can purchase online.
http://security.getnetwise.org/tools/results/any1.php
This list was gathered and provided by the GetNetWise website. We
cannot guarantee the effectiveness of any of the products listed on the
GetNetWise website, nor do we endorse any products. The National Cyber
Security Alliance is also unable to provide any technical assistance
with any of these tools.
Anti-Spyware Software
Anti-spyware software helps protect your computer from malicious
spyware that monitors your online activities and collects personal
information while you surf the web. It works by periodically scanning
your computer for spyware programs, and then giving you the opportunity
to remove any harmful surveillance software found on your computer. Some
anti-virus software contains anti-spyware capability. Given the
increasing sophistication of spyware programs, consider using two
different anti-spyware programs; each one looks for slightly different
sets of threats, and together they may offer increased protection.
Zombie Drones
Some spammers search the Internet for unprotected computers they can
control and use anonymously to send unwanted spam emails. If you don't
have up-to-date anti-virus protection and a firewall, spammers may try
to install software that lets them route email through your computer,
often to thousands of recipients, so that it appears to have come from
your account. If this happens, you may receive an overwhelming number of
complaints from recipients, and your email account could be shut down
by your Internet Service Provider (ISP).
Tip 4
Be sure to set up your operating system and Web browser software properly, and update them regularly.
Hackers also take advantage of unsecured Web browsers (like Internet
Explorer or Netscape) and operating system software (like Windows or
Linux). Lessen your risk by changing the settings in your browser or
operating system and increasing your online security. Check the "Tools"
or "Options" menus for built-in security features. If you need help
understanding your choices, use your "Help" function.
Your operating system also may offer free software patches that
close holes in the system that hackers could exploit. In fact, some
common operating systems can be set to automatically retrieve and
install patches for you. If your system does not do this, bookmark the
website for your system's manufacturer so you can regularly visit and
update your system with defenses against the latest attacks. Updating
can be as simple as one click. Your email software may help you avoid
viruses by giving you the ability to filter certain types of spam. It's
up to you to activate the filter. In addition, consider using operating
systems that allow automatic updates.
Tip 5
Use strong passwords or strong authentication technology to help protect your personal information.
Keep your passwords in a secure place, and out of plain view. Don't
share your passwords on the Internet, over email, or on the phone. Your
Internet Service Provider (ISP) should never ask for your password.
In addition, without your knowledge, hackers may try to figure out
your passwords to gain access to your computer. You can make it tougher
for them by:
• Using passwords that have at least eight characters and include numerals and symbols.
• Avoiding common words: some hackers use programs that can try every word in the dictionary.
• Not using your personal information, your login name, or adjacent keys on the keyboard as passwords.
• Changing your passwords regularly (at minimum, every 90 days).
• Using a different password for each online account you access (or
at least a variety of passwords with difficulty based on the value of
the information contained in each).
One way to create a strong password is to think of a memorable
phrase and use the first letter of each word as your password,
converting some letters into numbers that resemble letters. For example,
"How much wood could a woodchuck chuck" would become HmWc@wC.
To further increase the security of your online identity and to help protect you from account hijacking,
take advantage of stronger authentication tools wherever available.
This may take the form of two-factor authentication – the combination of
a password or PIN number (something you know) with a token, smart card,
or even a biometric device (something you have). Stronger
authentication can also come from a behind-the-scenes
identity-verification process, which uses various data to establish
whether or not a user is genuine. Ask your bank, your regular online
retailers, and your Internet Service Provider (ISP) if they offer
stronger authentication tools for more secure transactions.
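The password rules and the memorable-phrase method earlier in this tip can be checked mechanically. The following is an added example, not code from the National Cyber Security Alliance: the function names, the short word list, the US keyboard layout, and the alternating-case step (chosen because it reproduces the HmWc@wC sample) are all assumptions made for illustration.

```python
import re

# Constructed sample list; a real check would load a full dictionary file.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}

# Rows of a US QWERTY keyboard (assumed layout) for the adjacent-keys rule.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Look-alike characters undone before the dictionary check, so that
# "p@ssw0rd" is still recognised as "password".
LOOKALIKES = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s"})


def has_adjacent_run(password, run=4):
    """True if `run` characters in a row follow a keyboard row, either way."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lowered:
                    return True
    return False


def check_password(password, login_name="", personal_info=()):
    """Return the rules from this tip that `password` breaks (empty = none)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"\d", password):
        problems.append("no numeral")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no symbol")
    lowered = password.lower()
    plain = lowered.translate(LOOKALIKES)
    if any(word in lowered or word in plain for word in COMMON_WORDS):
        problems.append("contains a common word")
    for item in (login_name, *personal_info):
        if len(item) >= 3 and item.lower() in lowered:
            problems.append("contains login name or personal information")
            break
    if has_adjacent_run(password):
        problems.append("contains adjacent keyboard keys")
    return problems


def phrase_to_password(phrase, substitutions=None):
    """First letter of each word, alternating case, with look-alike swaps."""
    substitutions = substitutions or {"a": "@"}
    chars = []
    for i, word in enumerate(phrase.split()):
        ch = substitutions.get(word[0].lower(), word[0].lower())
        chars.append(ch.upper() if i % 2 == 0 else ch)
    return "".join(chars)


if __name__ == "__main__":
    sample = phrase_to_password("How much wood could a woodchuck chuck")
    print(sample, check_password(sample))
    for candidate in ("P@ssw0rd1!", "qwerty12#$", "MfCc4d@iBdT"):
        print(candidate, check_password(candidate))
```

The sample mnemonic comes out at seven characters with no numeral, so under the first rule it needs a longer phrase or an added number.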
Tip 6
Back up important files.
No system is completely secure. If you have important files stored
on your computer, copy them onto a removable disc, and store them in a
secure place in a different building than your computer. If a different
location isn't practical, consider encryption software. Encryption
software scrambles a message or a file in a way that can be reversed
only with a specific password. Also, make sure you keep your original
software start-up disks handy and accessible for use in the event of a
system crash.
Tip 7
Learn what to do if something goes wrong.
Unfortunately, there is no particular way to identify that your
computer has been infected with malicious code. Some infections may
completely destroy files and shut down your computer, while others may
only subtly affect your computer's normal operations. Be aware of any
unusual or unexpected behaviors.
Hacking or Computer Virus
If your computer gets hacked or infected by a virus:
• Immediately unplug the phone or cable line from your machine. Then
scan your entire computer with fully updated anti-virus software, and
update your firewall.
• Take steps to minimize the chances of another incident.
• Alert the appropriate authorities by contacting:
  • Your ISP and the hacker's ISP (if you can tell what it is). Often
  the ISP's email address is abuse@yourispname.com or
  postmaster@yourispname.com. You can probably confirm it by looking at
  the ISP's website. Include information on the incident from your
  firewall's log file. By alerting the ISP to the problem on its system,
  you can help it prevent similar problems in the future.
  • The FBI at www.ifccfbi.gov. To fight computer criminals, they need
  to hear from you.
Internet Fraud
If a scammer takes advantage of you through an Internet auction,
when you're shopping online, or in any other way, report it to the
Federal Trade Commission, at ftc.gov. The FTC enters Internet, identity
theft, and other fraud-related complaints into Consumer Sentinel, a
secure, online database available to hundreds of civil and criminal law
enforcement agencies in the U.S. and abroad.
Deceptive Spam
If you get deceptive spam, including email phishing for your
information, forward it to spam@uce.gov. Be sure to include the full
Internet header of the email. In many email programs, the full "Internet
header" is not automatically included in forwarded email messages, so
you may need to take additional measures to include the full information
needed to detect deceptive spam. For further information, go to http://getnetwise.org/action/header
Divulged Personal Information
If you believe you have mistakenly given your information to a
fraudster, file a complaint at ftc.gov, and then visit the Federal Trade
Commission's Identity Theft website at www.consumer.gov/idtheft to
learn how to minimize your risk of damage from a potential theft of your
identity.
Tip 8
Protect your children online.
Children present unique security risks when they use a computer —
not only do you have to keep them safe, but you have to protect their
data on your computer. By taking some simple steps, you can dramatically
reduce the threats.
• Keep your computer in a central and open location in your home and be aware of other computers your child may be using.
• Discuss and set guidelines/rules for computer use with your children. Post these rules by the computer as a reminder.
• Use the Internet with your children. Familiarize yourself with
your children's online activities and maintain a dialogue with your
child about what applications they are using.
• Implement parental control tools that are provided by some ISPs
and available for purchase as separate software packages. Remember - No
program is a substitute for parental supervision. Also, you may be able
to set some parental controls within your browser. Internet Explorer
allows you to restrict or allow certain web sites to be viewed on your
computer, and you can protect these settings with a password. To find
those options, click Tools on your menu bar, select Internet Options,
choose the Content tab, and click the Enable button under Content
Advisor.
• Consider software that allows you to monitor your children's email and web traffic.
• Consider partitioning your computer into separate accounts - Most operating systems
(including Windows XP, Mac OS X, and Linux) give you the option of
creating a different user account for each user. If you're worried that
your child may accidentally access, modify, and/or delete your files,
you can give him/her a separate account and decrease the amount of
access and number of privileges he/she has.
• Know who your children's online friends are and supervise their chat areas.
• Teach your children never to give out personal information to
people they meet online such as in chat rooms or bulletin boards.
• Know who to contact if you believe your child is in danger. Visit www.getnetwise.org for detailed information.
If you know of a child in immediate risk or danger, call law
enforcement immediately. Please report instances of online child
exploitation to the National Center For Missing and Exploited Children's
Cyber Tipline.
Even though children may have better technical skills, don't be
intimidated by their knowledge. Children still need advice, guidance,
and protection. Keep the lines of communication open and let your child
know that you can be approached with any questions they may have about
behaviors or problems encountered on the computer.