TECHNOLOGY GUIDE 3
Protecting Your Information Assets
Technology Guide Overview
Agenda
TG3.1 Behavioural Actions
TG3.1.1 General behavioural actions
TG3.1.2 What to do in the event of identity theft
TG3.2 Computer-Based Actions
TG3.2.1 Determining where people have visited on the internet using your computer
TG3.2.2 The dangers of social networking sites
TG3.2.3 Determining if your computer is infected
TG3.2.4 Computer actions to prevent malware infections
TG3.2.5 Protecting your portable devices and information
TG3.2.6 Other actions that you can take on your computer
TG3.2.7 Protecting your privacy
TG3.2.8 Preparing for personal disasters
LEARNING OBJECTIVES
1. Identify the various behavioural actions you can
take to protect your information assets based upon
your risk assessment of information asset risks.
(TG3.1)
2. Identify the various computer-based actions you can
take to protect your information assets based upon
your information asset risks. (TG3.2)
TG3.1 Behavioural Actions
There are a number of behavioural actions that you
should take to protect your information assets. We
discuss these actions in this section.
TG3.1.1 General behavioural actions
TG3.1.2 What to do in the event of identity theft
TG3.1.1 General behavioural actions
• Use of personal information
• Use of the social insurance number
• Use of credit cards
• Use of debit cards
• Use of financial accounts
• Use of the mailbox
• Dealing with old records
Use of personal information

You should not provide personal information to strangers in any
format (physical, verbal, or electronic).

For example, verify that you are talking to authorized personnel
before you provide personal information over the telephone. To
accomplish this, you should hang up and call the person or
company back. If you have a caller-ID telephone, check the display
for the company name that is shown.
Use of the social insurance number (SIN)

A critically important behavioural action that you can take is to
protect your social insurance number.

Unfortunately, far too many organizations use your social insurance
number to uniquely identify you. When you are asked to provide
this number, ask if there is other information that can be used as
unique identification, such as your telephone number or address.

If the person asking for your social insurance number, for example
your physician’s clerk, is not responsive, ask to speak with a
supervisor.
Use of credit cards & debit cards

Where available, use credit cards with your picture on them.

You may also want to use virtual credit cards, which offer you the
option of shopping on-line with a disposable credit card number.

Pay close attention to your credit card billing cycles. You should
know, to within a day or two, when your credit card bills are due. If
a bill does not arrive when expected, call your credit card company
immediately.

Limit your use of debit cards. Debit cards are linked to your bank
account, meaning that a person who steals your debit card and
personal identification number (PIN) can clean out your bank
account.
Use of financial accounts
• It is important to be aware of what is happening with
your financial accounts, as the source of identity theft
could be someone hacking into the places where you
bank or conduct your transactions.
• For example, in April 2006 a breach was reported in the
Bank of Canada accounts that handle automatic payroll
deductions for Canada Savings Bonds.
Use of the mailbox
• Depending on the type of traffic in the area where you
live, you might choose to avoid using a personal mailbox
at your home or apartment for anything other than
catalogues and magazines. You could use a private
mailbox or a Post Office box. Think about the wealth of
information that could be stolen from your mailbox:
credit card statements, bank statements, investment
statements, and so on.
Dealing with old records
• When you discard mail or old records, use a crosscut,
or confetti, shredder to cut them up.
TG3.1.2 What to do in the event of ID theft

If your social insurance number has been compromised, you would
contact Service Canada; in the event of passport theft you would
contact your local passport office.

If you believe your mail is being diverted, contact your local Canada
Post office.

Cancel all affected credit cards and obtain new credit card numbers.

Consult a lawyer for the type of paperwork that may be required to
deal with disputes with financial institutions or credit-granting
organizations.

Get organized. Keep a file with all your paperwork, including the
names, addresses, and phone numbers of everyone you contact about
this crime.

File a detailed police report. Send copies of the report to creditors and
other agencies or organizations that may require proof of the crime.

Get the name and phone number of your police investigator, along with
the Police Incident Report Number, and give them to all your creditors.

In all communications about the crime, use certified, return-receipt mail.

Report that you are the victim of identity theft to the fraud divisions of
both credit reporting agencies: Equifax and TransUnion. Due to the
increased incidence of identity theft, federal law now gives you the right
to have one free credit report per year. If you request your free annual
credit report from both of the agencies, you will receive one free report
every six months.

Be sure to get your unique case number from each credit agency, and ask
each agency to send you your credit report.

Tell each agency to issue a fraud alert. The fraud alert requires mortgage
brokers, car dealers, credit card companies, and other lenders to scrutinize
anyone who opens an account in your name for 90 days.

Get the document that you need to file a long-term fraud alert, which lasts
for seven years and can be cancelled at any time.

Ask the credit agencies for the names and phone numbers of lenders with
whom recent accounts have been opened in the affected time frame, so
you can identify fraudulent accounts that have been opened.

Point out all entries generated due to fraud to each agency. Ask each
agency to remove the specified fraudulent entries.

Tell each agency to notify anyone who received your report in the last six
months (or the affected time frame) that you are disputing the
information.

You may be able to order a “credit freeze” with all three major credit
agencies. This freeze requires lenders, retailers, utilities, and other
businesses to get special access to your credit report through a PIN-based
system. It also helps prevent anyone from getting any new loans or credit
in your name.

Be alert for change-of-address forms in your mail. The post office must
send notifications to your old and new addresses. If someone tries to
change your mailing address, it is a major indication that you have been
victimized.

If debt collectors demand payment of fraudulent accounts, write down the
name of the company as well as the collector’s name, address, and phone
number. Tell the collector that you are the victim of identity theft. Send the
collection agency a registered letter with a completed police report. If this
does not work, refer the agency to your lawyer.
TG3.2 Computer-Based Actions
TG3.2.1 Determining where people have visited on the internet using your computer
TG3.2.2 The dangers of social networking sites
TG3.2.3 Determining if your computer is infected
TG3.2.4 Computer actions to prevent malware infections
TG3.2.5 Protecting your portable devices and information
TG3.2.6 Other actions that you can take on your computer
TG3.2.7 Protecting your privacy
TG3.2.8 Preparing for personal disasters
TG3.2.1 Determining where people have visited on the internet using your computer

You can see where anyone who may have used your computer has
been on the Internet by checking the browser history. Follow these
steps in Internet Explorer:
◦ Click on Tools in the menu bar
◦ Click on Internet Options
◦ Under the section Browsing History, click on Settings
◦ Click on View Files

If the Browser History is empty, it means that someone
has either (1) not been surfing the Internet at all or (2)
has erased the browser history.

If you now check the Recycle Bin and it is also empty,
this means that someone has also emptied the Recycle
Bin. At this time, you should consider installing
monitoring software on your computer (discussed
later).
TG3.2.2 The dangers of social networking sites

You should never post personal information about yourself or your
family in chat rooms or on social networking sites. In fact, you
should access these websites and review any entries that you have
made.

One reason for these precautions is that potential employers are
now searching these websites for information about you. Well-known
social networking sites include MySpace, Friendster, Xanga,
YouTube, Facebook, and Flickr.

The full profiles of MySpace users aged 18 and over are available to
everyone on the Internet by default.

On LinkedIn, most people want public profiles and that
is the default. The information that LinkedIn users share
tends to be professional credentials, not details of their
social lives, so there is less need for privacy. If you want
additional privacy on LinkedIn, follow these steps:
◦ Click on Profile
◦ Click on Edit Public Profile Settings
◦ Scroll down to Public Profile and adjust your privacy settings
TG3.2.3 Determining if your computer is infected

Your first action is to determine if your computer system is
infected with malicious software. Here are the signs to look for:

Your computer shuts down unexpectedly by itself.

Your computer refuses to start normally.

Running the DOS CHKDSK (CHECK DISK) command shows that
fewer than 655,360 bytes (640 kilobytes) are available. To run the
CHKDSK command, follow these steps:
◦ Click on Start
◦ Click on Programs
◦ Click on Accessories
◦ Click on Command Prompt
◦ Type in CHKDSK and hit Enter

Your computer shows erratic behaviour, exhibiting some or all of
these characteristics:
◦ Your system unexpectedly runs out of memory on your computer’s
hard drive.
◦ Your system continually runs out of main memory (RAM).
◦ Programs take longer to load than normal.
◦ Programs act erratically.
◦ Your monitor displays strange graphics or messages.
◦ Your system displays an unusually high number of error messages.
◦ Your e-mail program sends messages to all the contacts in your address
book without your knowledge or permission.
TG3.2.4 Computer actions to prevent malware infections

Never open unrequested attachments to e-mail files, even those
from people you know and trust.

Never open attachments or web links in e-mails from people you
do not know.

Never accept files transferred to you during Internet chat or
instant messaging sessions.

Never download any files or software over the Internet from
websites that you do not know.

Never download files or software that you have not requested.

• Test your system
• Install a security suite on your computer
• Install an anti-malware product on your computer
• Install a firewall on your computer
• Install an antispyware product
• Install monitoring software
• Install content filtering software
• Install anti-spam software
• Install proactive intrusion detection and prevention software
• Manage patches
• Use a browser other than Internet Explorer
• Use an Operating System other than Windows
TG3.2.5 Protecting your portable devices and information

Before we discuss these steps, there are two common-sense
precautions that many people forget.
1. Keep your laptop in an inconspicuous container. Laptop cases
with your company logo simply draw the attention of thieves.
2. Do not leave your laptop unattended in plain view (for
example, in the back seat of your car where it can be seen).
You should lock it in the trunk.

Use alarms. Laptop security systems operate by detecting motion,
analyzing it to determine whether a threat exists, and implementing
responses. They are battery powered, they are independent of the
computer operating system, and they operate whether the laptop is
on or off.

Data encryption provides additional protection by turning data into
meaningless symbols, decipherable only by an authorized person.
You can encrypt some or all of the data on your computer by using
Windows XP’s built-in encryption, folder-based encryption, or
full-disk encryption.

Use tracing tools or device reset/remote kill tools.
TG3.2.6 Other actions that you can take on your computer

There are other actions that you can take on your
computer for added protection:
◦ Detecting worms and Trojan horses
◦ Turning off peer-to-peer file sharing
◦ Looking for new and unusual files
◦ Detecting spoofed (fake) websites
◦ Adjusting the privacy settings on your computer
TG3.2.7 Protecting your privacy
• Use strong passwords
• Adjust your privacy settings on your computer
• Surf the web anonymously
• E-Mail anonymously
Use strong passwords

You can use the Secure Password Generator at PCTools
(www.pctools.com/guides/password) to create strong passwords.
The Generator lets you select the number and type of characters
in your password.

Remembering multiple passwords is difficult. You can use free
software such as Password Safe
(http://passwordsafe.sourceforge.net/) or Roboform
(www.roboform.com) to help you remember your passwords and
maintain them securely.
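
What a generator that lets you select the number and type of characters does, as an added example that is not part of the original guide and is not PCTools' code. The names `CHARSETS`, `generate_password` and `entropy_bits` and the symbol set are assumptions made for illustration.

```python
import math
import secrets

# Character types the user can select (the symbol set is an assumption).
CHARSETS = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!@#$%^&*()-_=+[]{}",
}


def generate_password(length=16, kinds=("lower", "upper", "digits", "symbols")):
    """Build a password of `length` characters from the selected character types."""
    if not kinds:
        raise ValueError("select at least one character type")
    if length < len(kinds):
        raise ValueError("length is too short to include every selected type")
    pools = [CHARSETS[k] for k in kinds]
    alphabet = "".join(pools)
    # One character from each selected type, so every chosen type appears.
    chars = [secrets.choice(pool) for pool in pools]
    # The rest come from the combined alphabet, drawn from the operating
    # system's cryptographic random source rather than the `random` module.
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters are not always at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, kinds):
    """Approximate upper bound on guessing difficulty, in bits."""
    alphabet_size = sum(len(CHARSETS[k]) for k in kinds)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password())
    print(round(entropy_bits(16, tuple(CHARSETS)), 1), "bits")
```

Length contributes more than variety: each added character multiplies the number of possible passwords by the size of the whole alphabet.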
Adjust your privacy settings on your computer

Most web browsers allow you to select the level of privacy that
you want when using your computer. Make sure you choose the
level of privacy you want when surfing the Internet.
Surf the web anonymously

Surfing the Web anonymously means that you do not make your IP
(Internet protocol) address or any other personally identifiable
information available to the websites that you are visiting.

There are two ways to go about surfing the Web anonymously:
◦ You can use an anonymizer website as a proxy server.
◦ You can use an anonymizer as a permanent proxy server in your
web browser.
E-Mail anonymously

Anonymous e-mail means that your e-mail messages cannot be
tracked back to you personally, to your location, or to your
computer.

That is, your e-mail messages are sent through another server
belonging to a company, known as a re-mailer, that provides
anonymous e-mail services.

The recipient of your e-mail sees only the re-mailer’s header on
your e-mail. In addition, your e-mail messages are encrypted so that
if they are intercepted, they cannot be read.

Leading commercial re-mailers include CryptoHeaven
(www.cryptoheaven.com), Ultimate Anonymity (www.ultimateanonymity.com), and Hushmail (www.hushmail.com).
TG3.2.8 Preparing for personal disasters
• Restoring backup files
• Wireless security
Restoring backup files
• You can use the Windows Backup utility to restore the
backup copies to your hard disk. In Windows XP, you
launch Backup following these steps:
◦ Click on Start
◦ Click on Programs
◦ Click on Accessories
◦ Click on System Tools
◦ Click on Backup
Wireless security
• Hide your Service Set Identifier (SSID)
• Use encryption
• Filter out Media Access Control (MAC) Addresses
• Limit Internet Protocol (IP) Addresses
• Sniff out intruders
• Using a public hotspot
Hide your Service Set Identifier (SSID)
• A step-by-step guide to perform these security
measures is available at:
http://netsecurity.about.com/od/stepbystep/ss/change_ssid.htm.
Use encryption
• To avoid broadcasting in the clear, you must use
encryption with your wireless home network. Wireless
equivalent protocol (WEP) is an old protocol that is
now very easy to crack and should not be used. Instead,
you should use Wi-Fi Protected Access (WPA2), which
is the second generation of WPA. WPA2 is much
stronger than WEP and will better protect your network
from attackers trying to crack its encryption.
Filter out Media Access Control (MAC) Addresses
• You should get the MAC address of all computers on
your home wireless network. Then, instruct your router
to connect only with these computers and deny access
to all other computers attempting to connect with your
network.
• Use ipconfig /all to find the MAC address of your
computer. It is shown as the Physical Address.
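
An added example (not part of the original guide) that pulls the address to enter in the router's filter out of `ipconfig /all` output, which lists a Physical Address for every adapter, not just the wireless one. The sample output is constructed, the function names are hypothetical, and the code assumes English-language output and a router that accepts colon-separated addresses.

```python
import re

# Constructed sample of English-language `ipconfig /all` output (not a real capture).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example Wireless-N Adapter
   Physical Address. . . . . . . . . : 00-1F-3A-AA-BB-CC
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):\s*$")
# Exactly six octets: tunnel pseudo-interfaces may report eight and are skipped.
MAC_RE = re.compile(
    r"^\s+Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s*$")


def parse_adapters(text):
    """Return one dict per adapter section that has a six-octet physical address."""
    adapters, current = [], None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = {"kind": header.group(1), "name": header.group(2),
                       "mac": None, "connected": True}
            adapters.append(current)
        elif current is not None:
            if "Media disconnected" in line:
                current["connected"] = False
            mac = MAC_RE.match(line)
            if mac:
                # Assumption: the router wants lower-case, colon-separated MACs.
                current["mac"] = mac.group(1).replace("-", ":").lower()
    return [a for a in adapters if a["mac"]]


def wireless_allowlist(text):
    """MACs to enter in the router's filter: wireless adapters only."""
    return sorted(a["mac"] for a in parse_adapters(text)
                  if a["kind"].startswith("Wireless"))


if __name__ == "__main__":
    print(wireless_allowlist(SAMPLE_IPCONFIG))
```

Run it on each computer's output and enter the combined list in the router; the filter works alongside WPA2 encryption, not in place of it.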
Limit Internet Protocol (IP) Addresses
• You should instruct your router to allow only a certain
number of IP addresses to connect to your network.
• Ideally, the number of IP addresses will be the same as
the number of computers on your network.
Sniff out intruders

A variety of wireless intrusion detection systems will monitor your
wireless network for intruders, tell you they are on your network,
show their IP addresses and their activity, and even tell them you
know that they are there. Commercial products include the
Internet Security Systems (www.iss.net) Wireless scanner and
AirDefense Personal (www.airdefense.net).

AirSnare is a free wireless intrusion detection system
(http://home.comcast.net/~jay.deboer/airsnare).
Using a public hotspot

If you must use a computer wirelessly at a public hotspot, here are
several things you should do before you connect.

Use virtual private networking (VPN) technology to connect to
your organization’s network (discussed in Chapter 3).

Use Remote Desktop to connect to a computer that is running at
your home.

Configure the Windows firewall to be “on with no exceptions.”

Only use websites that use secure socket layer (SSL) for any
financial or personal transactions.
Copyright
Copyright © 2011 John Wiley & Sons Canada, Ltd. All rights reserved.
Reproduction or translation of this work beyond that permitted by
Access Copyright (the Canadian copyright licensing agency) is unlawful.
Requests for further information should be addressed to the
Permissions Department, John Wiley & Sons Canada, Ltd. The purchaser
may make back-up copies for his or her own use only and not for
distribution or resale. The author and the publisher assume no
responsibility for errors, omissions, or damages caused by the use of
these files or programs or from the use of the information contained
herein.