Center for Information Technology Services

Cyber Security Tips (For Non-Technical Users) - US-CERT

  • ST14-001: Sochi 2014 Olympic Games
    Original release date: February 04, 2014 | Last revised: March 10, 2014

    Overview

    Whether traveling to Sochi, Russia for the XXII Olympic Winter Games, or viewing the games from locations abroad, there are several cyber-related risks to consider. As with many international level media events, hacktivists may attempt to take advantage of the large audience to spread their own message. Additionally, cyber criminals may use the games as a lure in spam, phishing or drive-by-download campaigns to gain personally identifiable information or harvest credentials for financial gain. Lastly, those physically attending the games should be cognizant that their communications will likely be monitored.

    Hacktivists

    A number of hacktivist campaigns may attach themselves to the upcoming Olympics simply to take advantage of the onlooking audience. For example, the hacktivist group Anonymous Caucasus has launched what appears to be a threat against any company that finances or supports the winter games. This group states the Sochi games infrastructure was built on the graves of 1 million innocent Caucasians who were murdered by the Russians in 1864. According to Trusted Third Party analysis, the group has been linked to distributed denial of service (DDoS) attacks on Russian banks in October 2013. Therefore, the group is likely capable of waging similar attacks on the websites of organizations they believe financed Olympic-related activities; however, no specific threat or target has been identified at the time of this report.

    Olympic coverage

    Whether viewing live coverage, event replays, or checking medal statistics online, it’s important to visit only trusted websites. Events which gain significant public interest and media coverage are often used as lures for spam or spearphishing campaigns. Malicious actors may also create fake websites and domains that appear to be official Olympic news or coverage and that deliver malware to an end user upon visiting the site (also known as drive-by downloads or watering holes).

    NBCUniversal offers exclusive coverage of the games for viewers via NBC, NBCSN, MSNBC, USA Network, NBCOlympics.com and corresponding Twitter, Facebook and Instagram accounts. Viewers should be wary of any other source claiming to provide live coverage. As always, it is best to visit trusted resources directly rather than clicking on emailed links or opening attachments. 

    Purchasing tickets or merchandise at the Games

    According to the official Winter Olympics website (http://www.sochi2014.com), Visa will be the only card accepted for all purchases, including tickets and merchandise, at the Games. Tickets may only be purchased through Authorized Ticket Resellers (ATRs). Individuals can validate the authenticity of an ATR offering tickets by using the “Website Checker” tool available on the official Sochi website. The designated ATR in the United States is CoSport, and at the time of this report, individuals purchasing tickets through CoSport may only pick up their tickets at CoSport’s Host City Collection Center in Sochi, Russia. Any ticket offer from a site not recognized as an ATR, or that accepts payment methods other than Visa, is likely fraudulent and should be met with skepticism.

    Traveling to Sochi

    When traveling abroad it’s important to know your host country’s laws and policies, particularly when it comes to privacy. Russia has a national system of lawful interception of all electronic communications. The System of Operative-Investigative Measures, or SORM, legally allows the Russian FSB to monitor, intercept, and block any communication sent electronically (e.g., cell phone or landline calls, internet traffic, etc.). SORM-1 captures telephone and mobile phone communications, SORM-2 intercepts internet traffic, and SORM-3 collects information from all forms of communication, providing long-term storage of all information and data on subscribers, including actual recordings and locations. Reports of Rostelecom, Russia’s national telecom operator, installing deep packet inspection (DPI) mean authorities can easily use key words to search and filter communications. Therefore, it is important that attendees understand that communications while at the Games should not be considered private.

    Russia also retains broad inbound encryption license requirements. Taking laptops and other devices into the country is unrestricted; however, software may be inspected upon departure. This means any computer or software containing sensitive or encrypted data may be confiscated by Russian authorities when individuals depart from the country. Travelers may want to consider leaving personal electronic devices (e.g., laptops, smartphones, tablets) at home, or alternatively bring loaner devices that do not already store sensitive data and can be wiped upon return to your home country. If individuals decide to bring their personal devices, they should consider all communications and files on them to be vulnerable to interception or confiscation.

    Author: NCCIC Watch & Warning

    This product is provided subject to this Notification and this Privacy & Use policy.

  • ST13-003: Handling Destructive Malware
    Original release date: November 04, 2013

    Overview

     Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. This publication is focused on the threat of enterprise-scale distributed propagation methods for malware and provides recommended guidance and considerations for an organization to address as part of their network architecture, security baseline, continuous monitoring, and Incident Response practices.

    While specific indicators and modules related to destructive malware may evolve over time, it is critical that an organization assess their capability to actively prepare for and respond to such an event.

    Potential Distribution Vectors

    Destructive malware has the capability to target a large scope of systems, and can potentially execute across multiple systems throughout a network. As a result, it is important for an organization to assess their environment for atypical channels for potential malware delivery and/or propagation throughout their systems. Systems to assess include:

    • Enterprise Applications – particularly those which have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
      • Patch Management Systems,
      • Asset Management Systems,
      • Remote Assistance software (typically utilized by the corporate Help Desk),
      • Anti-Virus,
      • Systems assigned to system and network administrative personnel,
      • Centralized Backup Servers, and
      • Centralized File Shares.

    While not applicable to malware specifically, threat actors could compromise additional resources to impact the availability of critical data and applications.  Common examples include:

    • Centralized storage devices
      • Potential Risk – direct access to partitions and data warehouses;
    • Network devices
      • Potential Risk – capability to inject false routes within the routing table, delete specific routes from the routing table, or remove/modify configuration attributes - which could isolate or degrade availability of critical network resources.

    Best Practices and Planning Strategies

    Common strategies can be followed to strengthen an organization’s resilience against destructive malware.  Targeted assessment and enforcement of best practices should be employed for enterprise components susceptible to destructive malware.

    Communication Flow

    • Ensure proper network segmentation.
    • Ensure that network-based access-control lists (ACLs) are configured to permit server-to-host and host-to-host connectivity via the minimum scope of ports and protocols – and that directional flows for connectivity are represented appropriately.
      • Communication flow paths should be fully defined, documented, and authorized.
    • Increase awareness of systems which can be utilized as a gateway to pivot (lateral movement) or directly connect to additional endpoints throughout the enterprise.
      • Ensure that these systems are contained within restrictive VLANs, with additional segmentation and network access-controls.
    • Ensure that centralized network and storage devices’ management interfaces are resident on restrictive VLANs.
      • Layered access-control, and
      • Device-level access-control enforcement – restricting access from only pre-defined VLANs and trusted IP ranges.

    Access Control

    • For Enterprise systems which can directly interface with multiple endpoints:
      • Require two-factor authentication for interactive logons.
      • Ensure that authorized users are mapped to a specific subset of enterprise personnel.
        • If possible, the “Everyone”, “Domain Users” or “Authenticated Users” groups should not be permitted to directly access or authenticate to these systems.
      • Ensure that unique domain accounts are utilized and documented for each Enterprise application service.
        • The permissions assigned to these accounts should be fully documented and configured based upon the concept of least privilege.
        • This provides an enterprise with the capability to track and monitor specific actions correlating to an application’s assigned service account.
      • If possible, do not grant a service account local or interactive logon permissions.
        • Service accounts should be explicitly denied permissions to access network shares and critical data locations.
      • Accounts which are utilized to authenticate to centralized enterprise application servers or devices should not hold elevated permissions on downstream systems and resources throughout the enterprise.
    • Continuously review centralized file share access-control lists and assigned permissions.
      • Restrict Write/Modify/Full Control permissions when possible.
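    As an added example (not part of the US-CERT tip), the following Python script reviews a constructed file share ACL export for the broad groups named above and flags any that hold Write, Modify or Full Control. The export format (share|principal|rights), the share paths and the group and account names are assumptions; a real review would parse the output of the organization's own ACL tooling (e.g., icacls or Get-Acl).

```python
"""Flag overly broad write access on centralized file shares.

Added example, not from the US-CERT tip. The ACL entries are constructed
sample data in a simplified 'share|principal|rights' form (a hypothetical
export format); real exports come from tools such as icacls or Get-Acl
and would need their own parser.
"""
from __future__ import annotations
from dataclasses import dataclass

# Broad groups that should not be able to write to, or control, shares
# used by enterprise applications.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Rights that matter when granted to a broad group; read-only grants are
# still reported, but only as informational.
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}


@dataclass(frozen=True)
class Finding:
    share: str
    principal: str
    rights: str
    severity: str  # "high" for write-class rights, "info" otherwise


def parse_acl_export(text: str) -> list[tuple[str, str, str]]:
    """Parse 'share|principal|rights' lines; rights may be comma-separated."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        share, principal, rights = (part.strip() for part in line.split("|", 2))
        entries.append((share, principal, rights))
    return entries


def review_share_acls(entries: list[tuple[str, str, str]]) -> list[Finding]:
    """Return one finding per ACL entry granted to a broad group."""
    findings = []
    for share, principal, rights in entries:
        if principal not in BROAD_GROUPS:
            continue
        granted = {r.strip() for r in rights.split(",")}
        severity = "high" if granted & WRITE_RIGHTS else "info"
        findings.append(Finding(share, principal, rights, severity))
    return findings


# Constructed sample export (hypothetical shares and principals).
SAMPLE_EXPORT = """\
# share|principal|rights
\\\\fs01\\software | Authenticated Users | Read,Execute
\\\\fs01\\software | Domain Users        | Modify
\\\\fs01\\patches  | Everyone            | FullControl
\\\\fs01\\patches  | CORP\\svc-patch      | Modify
\\\\fs01\\finance  | CORP\\Finance-RW     | Modify
"""


def high_severity_shares(text: str = SAMPLE_EXPORT) -> list[str]:
    """Shares where a broad group holds write-class rights, sorted."""
    findings = review_share_acls(parse_acl_export(text))
    return sorted({f.share for f in findings if f.severity == "high"})


if __name__ == "__main__":
    for f in review_share_acls(parse_acl_export(SAMPLE_EXPORT)):
        print(f"[{f.severity}] {f.share}: {f.principal} has {f.rights}")
```

    Running the script against the sample reports the two shares where Domain Users or Everyone can write; the read-only grant to Authenticated Users is listed only as informational, and grants to specific service accounts or role groups are not reported at all, which keeps the review focused on the broad-group condition the tip calls out.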

    Monitoring

    • Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.
      • Failed logon attempts,
      • File share access, and
      • Interactive logons via a remote session.
    • Review network flow data for signs of anomalous activity.
      • Connections utilizing ports which do not correlate to the standard communication flow associated with an application,
      • Activity correlating to port scanning or enumeration, and
      • Repeated connections utilizing ports which can be utilized for command and control purposes.
    • Ensure that network devices log and audit all configuration changes.
      • Continually review network device configurations and rule sets, to ensure that communication flows are restricted to the authorized subset of rules.
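    As an added example (not part of the US-CERT tip), the following Python script applies the log review points above to a constructed set of Windows Security events: it flags interactive or remote-interactive logons by service accounts, service accounts touching file shares, and bursts of failed logons against privileged accounts. The simplified event format, the account names, the burst threshold and the time window are assumptions; the event IDs and logon types follow Windows conventions.

```python
"""Review Windows Security events for anomalous privileged and service
account activity: interactive or remote-interactive logons by service
accounts, service accounts touching file shares, and bursts of failed
logons against privileged accounts.

Added example, not part of the US-CERT tip. The events are constructed
sample data in a simplified 'timestamp event_id account logon_type source
[share]' form; a deployment would read the Security log or a SIEM export.
Event IDs follow Windows conventions (4624 logon success, 4625 logon
failure, 5140 network share object accessed) and logon types 2
(Interactive) and 10 (RemoteInteractive); the account names, threshold
and window are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SERVICE_ACCOUNTS = {"svc-patch", "svc-backup", "svc-av"}
PRIVILEGED_ACCOUNTS = {"da-jsmith", "da-aperez"}
INTERACTIVE_TYPES = {2, 10}              # Interactive, RemoteInteractive
FAILED_LOGON_THRESHOLD = 5               # failures per account per window
FAILED_LOGON_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    event_id: int
    account: str
    logon_type: int | None
    source: str
    share: str | None


def parse_events(text: str) -> list[Event]:
    """Parse the simplified event lines; '-' means no logon type."""
    events = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        ts = datetime.fromisoformat(parts[0])
        logon_type = None if parts[3] == "-" else int(parts[3])
        share = parts[5] if len(parts) > 5 else None
        events.append(Event(ts, int(parts[1]), parts[2], logon_type, parts[4], share))
    return events


def find_anomalies(events: list[Event]) -> list[str]:
    """Return one alert string per anomaly, in time order."""
    alerts: list[str] = []
    failures: dict[str, list[datetime]] = defaultdict(list)
    burst_alerted: set[str] = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id == 4624 and e.account in SERVICE_ACCOUNTS and e.logon_type in INTERACTIVE_TYPES:
            alerts.append(f"interactive logon (type {e.logon_type}) by service account "
                          f"{e.account} from {e.source}")
        elif e.event_id == 5140 and e.account in SERVICE_ACCOUNTS:
            alerts.append(f"service account {e.account} accessed share {e.share} from {e.source}")
        elif e.event_id == 4625 and e.account in PRIVILEGED_ACCOUNTS:
            # sliding window: keep only failures within the last FAILED_LOGON_WINDOW
            recent = [t for t in failures[e.account] if e.ts - t <= FAILED_LOGON_WINDOW]
            recent.append(e.ts)
            failures[e.account] = recent
            if len(recent) >= FAILED_LOGON_THRESHOLD and e.account not in burst_alerted:
                burst_alerted.add(e.account)
                alerts.append(f"{len(recent)} failed logons for privileged account "
                              f"{e.account} from {e.source} within {FAILED_LOGON_WINDOW}")
    return alerts


# Constructed sample events (hypothetical hosts and accounts).
SAMPLE_LOG = """\
# timestamp event_id account logon_type source [share]
2013-11-04T08:00:01 4624 svc-backup 5  BACKUP01
2013-11-04T08:02:10 4624 svc-patch  10 10.20.30.44
2013-11-04T08:05:00 5140 svc-av     -  WS0117 \\\\fs01\\finance
2013-11-04T08:10:00 4625 da-jsmith  -  10.20.30.44
2013-11-04T08:10:05 4625 da-jsmith  -  10.20.30.44
2013-11-04T08:10:09 4625 da-jsmith  -  10.20.30.44
2013-11-04T08:10:14 4625 da-jsmith  -  10.20.30.44
2013-11-04T08:10:20 4625 da-jsmith  -  10.20.30.44
2013-11-04T08:30:00 4624 da-aperez  2  ADMINWS03
"""


def demo_alerts() -> list[str]:
    return find_anomalies(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for line in demo_alerts():
        print("ALERT:", line)
```

    The service logon (type 5) by svc-backup and the interactive logon by a named administrator from an admin workstation produce no alert; the three alerts come from the service account logging on over RDP, the service account reading a finance share, and the five rapid failures against a domain admin account. Tuning the account sets and thresholds to the environment is what makes this kind of review useful rather than noisy.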

    File Distribution

    • When deploying patches or AV signatures throughout an enterprise, stage the distributions to include a specific grouping of systems (staggered over a pre-defined time period).
      • This action can minimize the overall impact in the event that an enterprise patch management or AV system is leveraged as a distribution vector for a malicious payload.
    • Monitor and assess the integrity of patches and AV signatures which are distributed throughout the enterprise.
      • Ensure updates are received only from trusted sources,
      • Perform file and data integrity checks, and
      • Monitor and audit – as related to the data that is distributed from an enterprise application.
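    As an added example (not part of the US-CERT tip), the following Python script shows both points above in one workflow: every file in a staging area is checked against a sha256sum-style manifest before it may be distributed, unexpected and mismatched files are rejected, and the approved content is scheduled in staggered waves with a small pilot group first. The file names, the digest manifest, the host names and the wave sizes are constructed assumptions.

```python
"""Gate a patch or signature distribution on integrity checks and stage
the rollout in waves.

Added example, not part of the US-CERT tip. The payload files and the
manifest are constructed in a temporary directory so the script runs
offline; in practice the manifest (sha256sum format) would be obtained
from the vendor over a trusted channel and, ideally, be signed. File
names, wave sizes and host names are assumptions.
"""
from __future__ import annotations
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large packages do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse '<sha256 hex>  <filename>' lines into {filename: digest}."""
    expected: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def verify_staging_dir(staging: Path, manifest: dict[str, str]) -> tuple[list[str], list[str]]:
    """Return (approved, rejected) file names.

    A file is rejected if it is absent from the manifest (unexpected
    content in the staging area) or its digest does not match. A manifest
    entry with no file present is also rejected so that a missing update
    is noticed rather than silently skipped.
    """
    approved: list[str] = []
    rejected: list[str] = []
    present = {p.name for p in staging.iterdir() if p.is_file()}
    for name in sorted(present | set(manifest)):
        if name not in manifest or name not in present:
            rejected.append(name)
            continue
        actual = sha256_file(staging / name)
        if hmac.compare_digest(actual, manifest[name]):
            approved.append(name)
        else:
            rejected.append(name)
    return approved, rejected


def plan_waves(hosts: list[str], wave_sizes: list[int]) -> list[list[str]]:
    """Split hosts into staggered waves (pilot group first); the last
    size repeats until every host is assigned."""
    if not wave_sizes or any(n <= 0 for n in wave_sizes):
        raise ValueError("wave sizes must be positive")
    waves: list[list[str]] = []
    sizes = list(wave_sizes)
    start = 0
    while start < len(hosts):
        size = sizes.pop(0) if len(sizes) > 1 else sizes[0]
        waves.append(hosts[start:start + size])
        start += size
    return waves


def run_demo() -> tuple[list[str], list[str], list[list[str]]]:
    """Build a staging area with one good file, one tampered file and one
    unexpected file, verify it, and plan waves for the approved content."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        good = b"constructed patch payload"
        (staging / "kb001.msu").write_bytes(good)
        (staging / "sig-2013-11-04.dat").write_bytes(b"tampered signature set")
        (staging / "unexpected.exe").write_bytes(b"not listed in the manifest")
        manifest = parse_manifest(
            f"{hashlib.sha256(good).hexdigest()}  kb001.msu\n"
            f"{hashlib.sha256(b'original signature set').hexdigest()}  sig-2013-11-04.dat\n"
            f"{'0' * 64}  missing.cab\n"
        )
        approved, rejected = verify_staging_dir(staging, manifest)
    hosts = [f"ws{i:03d}" for i in range(1, 13)]
    waves = plan_waves(hosts, [2, 4, 6]) if approved else []
    return approved, rejected, waves


if __name__ == "__main__":
    approved, rejected, waves = run_demo()
    print("approved:", approved)
    print("rejected:", rejected)
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}: {wave}")
```

    Only kb001.msu passes; the tampered signature set, the file that is not in the manifest, and the manifest entry with no file present are all reported so that an operator sees them before the rollout starts. A digest manifest only proves the files match what the manifest says, so the manifest itself has to arrive over a trusted channel, otherwise an attacker who can alter the payload can alter the manifest too.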

    System and Application Hardening

    • Ensure that the underlying Operating System (OS) and dependencies (e.g., IIS, Apache, SQL) supporting an application are configured and hardened based upon industry-standard best practice recommendations. Implement application-level security controls based upon best practice guidance provided by the vendor. Common recommendations include:
      • Utilize role-based access control,
      • Prevent end-user capabilities to bypass application-level security controls,
        • Example – disabling Antivirus on a local workstation
      • Disable un-necessary or un-utilized features or packages, and
      • Implement robust application logging and auditing
    • Thoroughly test and implement vendor patches in a timely manner.

    Recovery and Reconstitution Planning

    A Business Impact Analysis (BIA) is a key component of contingency planning and preparation. The overall output of a BIA will provide an organization with two key components (as related to critical mission/business operations):

    • Characterization and classification of system components, and
    • Interdependencies.

    Once an organization has identified its mission-critical assets and their interdependencies, it should plan the recovery and reconstitution efforts it would need if a potentially destructive condition impacted those assets.

    To plan for this scenario, an organization should address the availability and accessibility for the following resources (and should include the scope of these items within Incident Response exercises and scenarios):

    • Comprehensive inventory of all mission critical systems and applications:
      • Versioning information,
      • System / application dependencies,
      • System partitioning/ storage configuration and connectivity, and
      • Asset Owners / Points of Contact.
    • Contact information for all essential personnel within the organization,
    • Secure communications channel for recovery teams,
    • Contact information for external resources the organization depends on:
      • Communication Providers,
      • Vendors (hardware / software), and
      • Outreach partners / External Stakeholders
    • Service Contract Numbers - for engaging vendor support,
    • Organizational Procurement Points of Contact,
    • ISO / image files for baseline restoration of critical systems and applications:
      • Operating System installation media,
      • Service Packs / Patches,
      • Firmware, and
      • Application software installation packages.
    • Licensing/activation keys for Operating Systems (OS) and dependent applications,
    • Enterprise Network Topology and Architecture diagrams,
    • System and application documentation,
    • Hard copies of operational checklists and playbooks,
    • System  and application configuration backup files,
    • Data backup files (full/differential),
    • System and application security baseline and hardening checklists/guidelines, and
    • System and application integrity test and acceptance checklists.

    Containment

    In the event that an organization observes a large-scale outbreak that may be reflective of a destructive malware attack, in accordance with Incident Response best practices, the immediate focus should be to contain the outbreak, and reduce the scope of additional systems which could be further impacted.

    Strategies for containment include:

    • Determining a vector common to all systems experiencing anomalous behavior (or having been rendered unavailable) – from which a malicious payload could have been delivered:
      • Centralized Enterprise Application,
      • Centralized File Share (for which the identified systems were mapped or had access),
      • Privileged User Account common to the identified systems,
      • Network Segment or Boundary, and
      • Common DNS Server for name resolution.
    • Based upon the determination of a likely distribution vector, additional mitigation controls can be enforced to further minimize impact:
      • Implement network-based access-control lists to deny the identified application(s) the capability to directly communicate with additional systems,
        • This provides an immediate capability to isolate and sandbox specific systems or resources
      • Implement null network routes for specific IP addresses (or IP ranges) from which the payload may be distributed,
        • An organization’s internal DNS can also be leveraged for this task by adding a record to the internal zone that resolves the identified server or application name to a null (sinkhole) address
      • Readily disable access for suspected user or service account(s), and
      • For suspect file shares (which may be hosting the infection vector), remove access or disable the share path from being accessed by additional systems.
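    As an added example (not part of the US-CERT tip), the following Python script works through the first containment step above: given a constructed inventory of affected and unaffected hosts, it intersects the candidate vector types (centralized application, file share, privileged account, network segment, DNS server) across every affected host, then ranks what remains by how many healthy hosts share it, so the team can decide which application, share or account to cut off first. The inventory, host names, share paths and account names are assumptions.

```python
"""Narrow down the distribution vector common to the affected hosts.

Added example, not part of the US-CERT tip. The inventory is constructed
sample data; in practice it would be assembled from the asset management
system, share mappings, logon records and network documentation. For each
vector type in the containment checklist, the script keeps the values
present on every affected host and scores each by how many unaffected
hosts also have it (fewer is more suspicious), so the team knows what to
isolate first. Host, share, account and server names are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    enterprise_apps: set[str]   # centralized applications with an agent or access here
    shares: set[str]            # file shares mapped or accessible from the host
    admin_accounts: set[str]    # privileged accounts that logged on recently
    segment: str                # network segment or boundary
    dns_server: str             # DNS server used for name resolution

    def vectors(self) -> dict[str, set[str]]:
        """Candidate vector types, mirroring the containment checklist."""
        return {
            "enterprise_app": self.enterprise_apps,
            "file_share": self.shares,
            "privileged_account": self.admin_accounts,
            "network_segment": {self.segment},
            "dns_server": {self.dns_server},
        }


@dataclass(order=True)
class Candidate:
    unaffected_exposure: int    # number of healthy hosts that share this vector
    kind: str
    value: str


def common_vectors(affected: list[Host], unaffected: list[Host]) -> list[Candidate]:
    """Vectors shared by every affected host, least exposure first."""
    if not affected:
        return []
    # copy the first host's sets so intersection does not mutate the inventory
    shared = {kind: set(values) for kind, values in affected[0].vectors().items()}
    for host in affected[1:]:
        for kind, values in host.vectors().items():
            shared[kind] &= values
    candidates = []
    for kind, values in shared.items():
        for value in values:
            exposure = sum(value in host.vectors()[kind] for host in unaffected)
            candidates.append(Candidate(exposure, kind, value))
    return sorted(candidates)


# Constructed inventory (hypothetical names).
PATCHES, SOFTWARE, FINANCE = "\\\\fs01\\patches", "\\\\fs01\\software", "\\\\fs01\\finance"
AFFECTED = [
    Host("ws01", {"PatchMgr", "AV"}, {SOFTWARE, PATCHES}, {"da-jsmith"}, "users-a", "dns01"),
    Host("ws02", {"PatchMgr", "AV"}, {PATCHES}, {"da-jsmith", "da-aperez"}, "users-b", "dns01"),
    Host("srv05", {"PatchMgr", "AV", "Backup"}, {PATCHES, FINANCE}, {"da-jsmith"}, "servers", "dns01"),
]
UNAFFECTED = [
    Host("ws03", {"PatchMgr", "AV"}, {SOFTWARE}, {"da-aperez"}, "users-a", "dns01"),
    Host("ws04", {"PatchMgr", "AV"}, {SOFTWARE, PATCHES}, set(), "users-b", "dns01"),
    Host("srv06", {"PatchMgr", "AV", "Backup"}, {FINANCE}, {"da-aperez"}, "servers", "dns01"),
]


def demo_candidates() -> list[Candidate]:
    return common_vectors(AFFECTED, UNAFFECTED)


if __name__ == "__main__":
    for c in demo_candidates():
        print(f"{c.kind:20} {c.value:20} shared with {c.unaffected_exposure} unaffected host(s)")
```

    In the sample the affected hosts sit on different segments, so that type drops out entirely; the patch management agent and DNS server are on every host and rank last; the patches share is on one healthy host and ranks second; and the one domain admin account that logged on to all three affected hosts (and no healthy one) ranks first. That ordering is the point: disable the account and pull the share before touching the patch server that the whole fleet depends on.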

    As related to incident response and incident handling, organizations are reminded to:

    • Report the incident to US-CERT and/or ICS-CERT for tracking and correlation purposes, and
    • Preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes.

    Author: ICS-CERT and US-CERT

  • ST13-002: International Mobile Safety Tips
    Original release date: October 29, 2013 | Last revised: November 04, 2013

    October 29, 2013 marks the 4th Annual Asia Pacific Economic Cooperation Cyber Security Awareness Day. To recognize this occasion and in observance of the 10th year of National Cyber Security Awareness Month in the United States, US-CERT, along with its international partners from Asia and Europe, is promoting a set of International Mobile Safety Tips that were developed by the National Cyber Security Alliance, InfollutionZero, the Cyber Security Awareness Alliance in Singapore, and the iZ HERO Project.

    The goal of the campaign is to use harmonized messaging to reach out to children, families, and schools across the world, and to provide them with core principles and simple tips that can help people of all ages enjoy safer and more secure use of digital devices and the Internet.

    US-CERT encourages users and administrators to view the International Mobile Safety Tips at the following link and share them with their respective communities.

    http://stopthinkconnect.org/campaigns/details/?id=442

    The guidelines below provide core principles and recommendations for more secure use of digital devices and the Internet.

    • Keep software updated. Running the most recent versions of your mobile operating system, security software, apps and Web browsers is among the best defenses against malware, viruses and other online threats.
    • Keep your device secure by using a strong password to lock your smartphone or tablet.
    • Enable two-step authentication when offered, and change passwords to any accounts you accessed while connected to an unfamiliar network. 
    • Before downloading an application (app), make sure you understand what information (e.g., location, your contacts, social networking profiles, etc.) the app would access and share. Download apps from trusted sources.
    • Back up your contacts, photos, videos and other mobile device data with another device or cloud service on a weekly basis.
    • When using a public or unsecured wireless connection, avoid using sites and apps that require personal information like log-ins.
    • Automatically connecting to networks can create vulnerabilities exploitable by hackers and others. Switch off your Wi-Fi and Bluetooth connections when not in use.
    • Delete any online communications (e.g., texts, emails, social media posts) that look suspicious, even if you think you know the source.
    • When banking or shopping online, use only trusted apps or websites that begin with https://.
    • The Golden Rule. Be respectful on your device. Treat others as you would like to be treated when texting, calling or using social networks.
    • Share with care. Be a true friend when taking and sharing photos and videos with your smartphone. Get permission from friends before you share them via text or social networks.
    • Be Web wise. Stay informed of the latest updates to your device and apps. Know what to do if something goes wrong. 

    Author: US-CERT

  • ST04-017: Protecting Portable Devices: Physical Security
    Original release date: December 19, 2011 | Last revised: February 06, 2013

    Many computer users, especially those who travel for business, rely on laptops and personal internet-enabled devices like smartphones and tablets because they are small and easily transported. But while these characteristics make them popular and convenient, they also make them an ideal target for thieves. Make sure to secure your mobile devices to protect both the machine and the information they contain.

    What is at risk?

    Only you can determine what is actually at risk. If a thief steals your laptop or mobile device, the most obvious loss is the machine itself. However, if the thief is able to access the information on the computer or mobile device, all of the information stored on the device is at risk, as well as any additional information that could be accessed as a result of the data stored on the device itself.

    Sensitive corporate information or customer account information should not be accessed by unauthorized people. You've probably heard news stories about organizations panicking because laptops with confidential information on them have been lost or stolen. But even if there isn't any sensitive corporate information on your laptop or mobile device, think of the other information at risk: information about appointments, passwords, email addresses and other contact information, personal information for online accounts, etc.

    How can you protect your laptop or internet-enabled device?

    • Password-protect your computer - Make sure that you have to enter a password to log in to your computer or mobile device (see Choosing and Protecting Passwords for more information).
    • Keep your valuables with you at all times - When traveling, keep your device with you. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. If you are attending a conference or trade show, be especially wary—these venues offer thieves a wider selection of devices that are likely to contain sensitive information, and the conference sessions offer more opportunities for thieves to access guest rooms.
    • Downplay your laptop or mobile device - There is no need to advertise to thieves that you have a laptop or mobile device. Avoid using your device in public areas, and consider non-traditional bags for carrying your laptop.
    • Be aware of your surroundings - If you do use your laptop or mobile device in a public area, pay attention to people around you. Take precautions to shield yourself from "shoulder surfers"—make sure that no one can see you type your passwords or see any sensitive information on your screen.
    • Consider an alarm or lock - Many companies sell alarms or locks that you can use to protect or secure your laptop. If you travel often or will be in a heavily populated area, you may want to consider investing in an alarm for your laptop bag or a lock to secure your laptop to a piece of furniture.
    • Back up your files - If your mobile device is stolen, it's bad enough that someone else may be able to access your information. To avoid losing all of the information, make backups of important information and store the backups in a separate location (see Good Security Habits for more information). Not only will you still be able to access the information, but you'll be able to identify and report exactly what information is at risk.

    What can you do if your laptop or mobile device is lost or stolen?

    Report the loss or theft to the appropriate authorities. These parties may include representatives from law enforcement agencies, as well as hotel or conference staff. If your device contained sensitive corporate or customer account information, immediately report the loss or theft to your organization so that they can act quickly.

    Author: Mindi McDowell

  • ST11-001: Holiday Traveling with Personal Internet-Enabled Devices
    Original release date: December 19, 2011 | Last revised: February 06, 2013

    The internet is at our fingertips with the widespread use of internet-enabled devices such as smart phones and tablets. When traveling and shopping anytime, and especially during the holidays, consider the wireless network you are using when you complete transactions on your device.

    Know the risks

    Your smart phone, tablet, or other device is a full-fledged computer. It is susceptible to risks inherent in online transactions. When shopping, banking, or sharing personal information online, take the same precautions with your smart phone or other device that you do with your personal computer — and then some. The mobile nature of these devices means that you should also take precautions for the physical security of your device (see Protecting Portable Devices: Physical Security for more information) and consider the way you are accessing the internet.

    Do not use public Wi-Fi networks

    Avoid using open Wi-Fi networks to conduct personal business, bank, or shop online. Open Wi-Fi networks at places such as airports, coffee shops, and other public locations present an opportunity for attackers to intercept sensitive information that you would provide to complete an online transaction.

    If you simply must check your bank balance or make an online purchase while you are traveling, turn off your device's Wi-Fi connection and use your mobile device's cellular data internet connection instead of making the transaction over an unsecure Wi-Fi network.

    Turn off Bluetooth when not in use

    Bluetooth-enabled accessories can be helpful, such as earpieces for hands-free talking and external keyboards for ease of typing. When these devices are not in use, turn off the Bluetooth setting on your phone. Cyber criminals have the capability to pair with your phone's open Bluetooth connection when you are not using it and steal personal information.

    Be cautious when charging

    Avoid connecting your mobile device to any computer or charging station that you do not control, such as a charging station at an airport terminal or a shared computer at a library. Connecting a mobile device to a computer using a USB cable can allow software running on that computer to interact with the phone in ways that a user may not anticipate. As a result, a malicious computer could gain access to your sensitive data or install new software.

    Don't fall victim to phishing scams

    If you are in shopping mode, an email that appears to be from a legitimate retailer might be difficult to resist. If the deal looks too good to be true, or the link in the email or the attachment to the text message seems suspicious, do not click on it!

    What to do if your accounts are compromised

    If you notice that one of your online accounts has been hacked, call the bank, store, or credit card company that owns your account. Reporting fraud in a timely manner helps minimize the impact and lessens your personal liability. You should also change your account passwords for any online services associated with your mobile device using a different computer that you control. If you are the victim of identity theft, additional information is available from http://www.idtheft.gov/.

    For even more information about keeping your devices safe, read Cybersecurity for Electronic Devices.

    Author: Amanda Parente

  • ST05-017: Cybersecurity for Electronic Devices
    Original release date: December 19, 2011 | Last revised: February 06, 2013

    When you think about cybersecurity, remember that electronics such as smartphones and other internet-enabled devices may also be vulnerable to attack. Take appropriate precautions to limit your risk.

    Why does cybersecurity extend beyond computers?

    Actually, the issue is not that cybersecurity extends beyond computers; it is that computers extend beyond traditional laptops and desktops. Many electronic devices are computers—from cell phones and tablets to video games and car navigation systems. While computers provide increased features and functionality, they also introduce new risks. Attackers may be able to take advantage of these technological advancements to target devices previously considered "safe." For example, an attacker may be able to infect your cell phone with a virus, steal your phone or wireless service, or access the data on your device. Not only do these activities have implications for your personal information, but they could also have serious consequences if you store corporate information on the device.

    What types of electronics are vulnerable?

    Any piece of electronic equipment that uses some kind of computerized component is vulnerable to software imperfections and vulnerabilities. The risks increase if the device is connected to the internet or a network that an attacker may be able to access. Remember that a wireless connection also introduces these risks (see Securing Wireless Networks for more information). The outside connection provides a way for an attacker to send information to or extract information from your device.

    How can you protect yourself?

    • Remember physical security - Having physical access to a device makes it easier for an attacker to extract or corrupt information. Do not leave your device unattended in public or easily accessible areas (see Protecting Portable Devices: Physical Security for more information).
    • Keep software up to date - If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities (see Understanding Patches for more information).
    • Use good passwords - Choose devices that allow you to protect your information with passwords. Select passwords that will be difficult for thieves to guess, and use different passwords for different programs and devices (see Choosing and Protecting Passwords for more information). Do not choose options that allow your computer to remember your passwords.
    • Disable remote connectivity - Some mobile devices are equipped with wireless technologies, such as Bluetooth, that can be used to connect to other devices or computers. You should disable these features when they are not in use (see Understanding Bluetooth Technology for more information).
    • Encrypt files - If you are storing personal or corporate information, see if your device offers the option to encrypt the files. By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.

    Authors: Mindi McDowell and Matt Lytle

  • ST06-001: Understanding Hidden Threats: Rootkits and Botnets
    Original release date: August 24, 2011 | Last revised: February 06, 2013

    Attackers are continually finding new ways to access computer systems. The use of hidden methods such as rootkits and botnets has increased, and you may be a victim without even realizing it.

    What are rootkits and botnets?

    A rootkit is a piece of software that can be installed and hidden on your computer without your knowledge. It may be included in a larger software package or installed by an attacker who has been able to take advantage of a vulnerability on your computer or has convinced you to download it (see Avoiding Social Engineering and Phishing Attacks for more information). Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected.

    Botnet is a term derived from the idea of bot networks. In its most basic form, a bot is simply an automated computer program, or robot. In the context of botnets, bots refer to computers that are able to be controlled by one, or many, outside sources. An attacker usually gains control by infecting the computers with a virus or other malicious code that gives the attacker access. Your computer may be part of a botnet even though it appears to be operating normally. Botnets are often used to conduct a range of activities, from distributing spam and viruses to conducting denial-of-service attacks (see Understanding Denial-of-Service Attacks for more information).

    Why are they considered threats?

    The main problem with both rootkits and botnets is that they are hidden. Although botnets are not hidden the same way rootkits are, they may be undetected unless you are specifically looking for certain activity. If a rootkit has been installed, you may not be aware that your computer has been compromised, and traditional anti-virus software may not be able to detect the malicious programs. Attackers are also creating more sophisticated programs that update themselves so that they are even harder to detect.

    Attackers can use rootkits and botnets to access and modify personal information, attack other computers, and commit other crimes, all while remaining undetected. By using multiple computers, attackers increase the range and impact of their crimes. Because each computer in a botnet can be programmed to execute the same command, an attacker can have each of them scanning multiple computers for vulnerabilities, monitoring online activity, or collecting the information entered in online forms.

    What can you do to protect yourself?

    If you practice good security habits, you may reduce the risk that your computer will be compromised:

    • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses, so you may be able to detect and remove the virus before it can do any damage (see Understanding Anti-Virus Software for more information). Because attackers are continually writing new viruses, it is important to keep your definitions up to date. Some anti-virus vendors also offer anti-rootkit software.
    • Install a firewall - Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer and limiting the traffic you send (see Understanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled.
    • Use good passwords - Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices (see Choosing and Protecting Passwords for more information). Do not choose options that allow your computer to remember your passwords.
    • Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.
    • Follow good security practices - Take appropriate precautions when using email and web browsers to reduce the risk that your actions will trigger an infection (see other US-CERT security tips for more information).

    Unfortunately, if there is a rootkit on your computer or an attacker is using your computer in a botnet, you may not know it. Even if you do discover that you are a victim, it is difficult for the average user to effectively recover. The attacker may have modified files on your computer, so simply removing the malicious files may not solve the problem, and you may not be able to safely trust a prior version of a file. If you believe that you are a victim, consider contacting a trained system administrator.

    As an alternative, some vendors are developing products and tools that may remove a rootkit from your computer. If the software cannot locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk that is often supplied with a new computer. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. Also, the infection may be located at such a deep level that it cannot be removed by simply reinstalling or restoring the operating system.
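One concrete way to notice the silent file modifications described above is a file-integrity baseline: record a hash of each file while the system is known good, then compare later. The following is an added example (not US-CERT's, and not one of the vendor tools the tip mentions) that builds such a baseline over a directory tree and reports what changed; the directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record the SHA-256 of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_file() and not full.is_symlink():
                baseline[full.relative_to(root).as_posix()] = sha256_file(full)
    return baseline


def compare_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then alter files the way a tampered system might."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated tampering (constructed): a system binary is replaced,
        # an unexpected hidden file appears, and a configuration file is deleted.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "bin" / ".hidden").write_bytes(b"unexpected file")
        (root / "etc" / "hosts").unlink()
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because a rootkit that hooks the operating system can hide changes from any checker running on the same machine, the baseline must be taken on a clean system, and the comparison is most trustworthy when run from trusted external media such as a boot disk.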

    Author: Mindi McDowell

  • ST04-024: Understanding ISPs
    Original release date: July 06, 2011 | Last revised: February 06, 2013

    ISPs offer services like email and internet access. In addition to availability, you may want to consider other factors so that you find an ISP that supports all of your needs.

    What is an ISP?

    An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem), ISPs offer their customers the capability to browse the web and exchange email with other people. Some ISPs also offer additional services. With the development of smart phones, many cell phone providers are also ISPs.

    ISPs can vary in size—some are operated by one individual, while others are large corporations. They may also vary in scope—some only support users in a particular city, while others have regional or national capabilities.

    What services do ISPs provide?

    Almost all ISPs offer email and web browsing capabilities. They also offer varying degrees of user support, usually in the form of an email address or customer support hotline. Most ISPs also offer web hosting capabilities, allowing users to create and maintain personal web pages; and some may even offer the service of developing the pages for you. Some ISPs bundle internet service with other services, such as television and telephone service. Many ISPs offer a wireless modem as part of their service so that customers can use devices equipped with Wi-Fi.

    As part of normal operation, most ISPs perform backups of email and web files. If the ability to recover email and web files is important to you, check with your ISP to see if they back up the data; it might not be advertised as a service. Additionally, most ISPs implement firewalls to block some portion of incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement (see Understanding Firewalls for more information).

    How do you choose an ISP?

    Traditional broadband ISPs typically offer internet access through cable, DSL, or fiber-optic options. The availability of these options may depend on where you live. In addition to the type of access, there are other factors that you may want to consider:

    • security - Do you feel that the ISP is concerned about security? Does it use encryption and SSL (see Protecting Your Privacy for more information) to protect any information you submit (e.g., user name, password)? If the ISP provides a wireless modem, what wireless security standards does it support, and are those standards compatible with your existing devices?
    • privacy - Does the ISP have a published privacy policy? Are you comfortable with who has access to your information and how it is being handled and used?
    • services - Does your ISP offer the services you want? Do they meet your requirements? Is there adequate support for the services? If the ISP provides a wireless modem, are its wireless standards compatible with your existing devices?
    • cost - Are the ISP's costs affordable? Are they reasonable for the number of services you receive, as well as the level of those services? Are you sacrificing quality and security to get the lowest price?
    • reliability - Are the services your ISP provides reliable, or are they frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons? If the ISP knows that services will be unavailable for a particular reason, does it adequately communicate that information?
    • user support - Are there published methods for contacting customer support? Do you receive prompt and friendly service? Do their hours of availability accommodate your needs? Do the consultants have the appropriate level of knowledge?
    • speed - How fast is your ISP's connection? Is it sufficient for accessing your email or navigating the internet?
    • recommendations - Have you heard or seen positive reviews about the ISP? Were they from trusted sources? Does the ISP serve your geographic area? If you've uncovered negative points, are they factors you are concerned about?

    Author: Mindi McDowell

  • ST06-005: Dealing with Cyberbullies
    Original release date: June 01, 2011 | Last revised: February 06, 2013

    Bullies are taking advantage of technology to intimidate and harass their victims. Dealing with cyberbullying can be difficult, but there are steps you can take.

    What is cyberbullying?

    Cyberbullying refers to the practice of using technology to harass, or bully, someone else. Bullies used to be restricted to methods such as physical intimidation, postal mail, or the telephone. Now, developments in electronic media offer forums such as email, instant messaging, web pages, and digital photos to add to the arsenal. Computers, cell phones, and PDAs are current tools that are being used to conduct an old practice.

    Forms of cyberbullying can range in severity from cruel or embarrassing rumors to threats, harassment, or stalking. It can affect any age group; however, teenagers and young adults are common victims, and cyberbullying is a growing problem in schools.

    Why has cyberbullying become such a problem?

    The relative anonymity of the internet is appealing for bullies because it enhances the intimidation and makes tracing the activity more difficult. Some bullies also find it easier to be more vicious because there is no personal contact. Unfortunately, the internet and email can also increase the visibility of the activity. Information or pictures posted online or forwarded in mass emails can reach a larger audience faster than more traditional methods, causing more damage to the victims. And because of the amount of personal information available online, bullies may be able to arbitrarily choose their victims.

    Cyberbullying may also indicate a tendency toward more serious behavior. While bullying has always been an unfortunate reality, most bullies grow out of it. Cyberbullying has not existed long enough to have solid research, but there is evidence that it may be an early warning for more violent behavior.

    How can you protect yourself or your children?

    • Teach your children good online habits - Explain the risks of technology, and teach children how to be responsible online (see Keeping Children Safe Online for more information). Reduce their risk of becoming cyberbullies by setting guidelines for and monitoring their use of the internet and other electronic media (cell phones, PDAs, etc.).
    • Keep lines of communication open - Regularly talk to your children about their online activities so that they feel comfortable telling you if they are being victimized.
    • Watch for warning signs - If you notice changes in your child's behavior, try to identify the cause as soon as possible. If cyberbullying is involved, acting early can limit the damage.
    • Limit availability of personal information - Limiting the number of people who have access to contact information or details about interests, habits, or employment reduces exposure to bullies that you or your child do not know. This may limit the risk of becoming a victim and may make it easier to identify the bully if you or your child are victimized.
    • Avoid escalating the situation - Responding with hostility is likely to provoke a bully and escalate the situation. Depending on the circumstances, consider ignoring the issue. Often, bullies thrive on the reaction of their victims. Other options include subtle actions. For example, you may be able to block the messages on social networking sites or stop unwanted emails by changing the email address. If you continue to get messages at the new email address, you may have a stronger case for legal action.
    • Document the activity - Keep a record of any online activity (emails, web pages, instant messages, etc.), including relevant dates and times. In addition to archiving an electronic version, consider printing a copy.
    • Report cyberbullying to the appropriate authorities - If you or your child are being harassed or threatened, report the activity. Many schools have instituted bullying programs, so school officials may have established policies for dealing with activity that involves students. If necessary, contact your local law enforcement. Law enforcement agencies have different policies, but your local police department or FBI branch are good starting points. Unfortunately, there is a distinction between free speech and punishable offenses, but the legal implications should be decided by the law enforcement officials and the prosecutors.

    Additional information

    The following organizations offer additional information about this topic:


    Author: Mindi McDowell

  • ST05-002: Keeping Children Safe Online
    Original release date: May 18, 2011 | Last revised: February 06, 2013

    Children present unique security risks when they use a computer—not only do you have to keep them safe, you have to protect the data on your computer. By taking some simple steps, you can dramatically reduce the threats.

    What unique risks are associated with children?

    When a child is using your computer, normal safeguards and security practices may not be sufficient. Children present additional challenges because of their natural characteristics: innocence, curiosity, desire for independence, and fear of punishment. You need to consider these characteristics when determining how to protect your data and the child.

    You may think that because the child is only playing a game, or researching a term paper, or typing a homework assignment, he or she can't cause any harm. But what if, when saving her paper, the child deletes a necessary program file? Or what if she unintentionally visits a malicious web page that infects your computer with a virus? These are just two possible scenarios. Mistakes happen, but the child may not realize what she's done or may not tell you what happened because she's afraid of getting punished.

    Online predators present another significant threat, particularly to children. Because the nature of the internet is so anonymous, it is easy for people to misrepresent themselves and manipulate or trick other users (see Avoiding Social Engineering and Phishing Attacks for some examples). Adults often fall victim to these ploys, and children, who are usually much more open and trusting, are even easier targets. Another growing problem is cyberbullying. These threats are even greater if a child has access to email or instant messaging programs, visits chat rooms, and/or uses social networking sites.

    What can you do?

    • Be involved - Consider activities you can work on together, whether it be playing a game, researching a topic you had been talking about (e.g., family vacation spots, a particular hobby, a historical figure), or putting together a family newsletter. This will allow you to supervise your child's online activities while teaching her good computer habits.
    • Keep your computer in an open area - If your computer is in a high-traffic area, you will be able to easily monitor the computer activity. Not only does this accessibility deter a child from doing something she knows she's not allowed to do, it also gives you the opportunity to intervene if you notice a behavior that could have negative consequences.
    • Set rules and warn about dangers - Make sure your child knows the boundaries of what she is allowed to do on the computer. These boundaries should be appropriate for the child's age, knowledge, and maturity, but they may include rules about how long she is allowed to be on the computer, what sites she is allowed to visit, what software programs she can use, and what tasks or activities she is allowed to do.

      You should also talk to children about the dangers of the internet so that they recognize suspicious behavior or activity. Discuss the risks of sharing certain types of information (e.g., that they're home alone) and the benefits of only communicating and sharing information with people they know (see Using Instant Messaging and Chat Rooms Safely, Staying Safe on Social Network Sites, and the document Socializing Securely: Using Social Networking Services for more information). The goal isn't to scare them; it's to make them more aware. Make sure to include the topic of cyberbullying in these discussions (see Dealing with Cyberbullies for more information).
    • Monitor computer activity - Be aware of what your child is doing on the computer, including which websites she is visiting. If she is using email, instant messaging, or chat rooms, try to get a sense of who she is corresponding with and whether she actually knows them.
    • Keep lines of communication open - Let your child know that she can approach you with any questions or concerns about behaviors or problems she may have encountered on the computer.
    • Consider partitioning your computer into separate accounts - Most operating systems give you the option of creating a different user account for each user. If you're worried that your child may accidentally access, modify, and/or delete your files, you can give her a separate account and decrease the amount of access and number of privileges she has.

      If you don't have separate accounts, you need to be especially careful about your security settings. In addition to limiting functionality within your browser (see Evaluating Your Web Browser's Security Settings for more information), avoid letting your browser remember passwords and other personal information (see Browsing Safely: Understanding Active Content and Cookies). Also, it is always important to keep your virus definitions up to date (see Understanding Anti-Virus Software).
    • Consider implementing parental controls - You may be able to set some parental controls within your browser. For example, Internet Explorer allows you to restrict or allow certain websites to be viewed on your computer, and you can protect these settings with a password. To find those options, click Tools on your menu bar, select Internet Options, choose the Content tab, and click the Enable... button under Content Advisor.

      There are other resources you can use to control and/or monitor your child's online activity. Some ISPs offer services designed to protect children online. Contact your ISP to see if any of these services are available. There are also special software programs you can install on your computer. Different programs offer different features and capabilities, so you can find one that best suits your needs.

    Additional information

    The following websites offer additional information about protecting children online:


    Authors: Mindi McDowell and Allen Householder