TECHNOLOGY GUIDE 3
Protecting Your Information Assets

Technology Guide Overview

Agenda
TG3.1 Behavioural Actions
◦ TG3.1.1 General behavioural actions
◦ TG3.1.2 What to do in the event of identity theft
TG3.2 Computer-Based Actions
◦ TG3.2.1 Determining where people have visited on the Internet using your computer
◦ TG3.2.2 The dangers of social networking sites
◦ TG3.2.3 Determining if your computer is infected
◦ TG3.2.4 Computer actions to prevent malware infections
◦ TG3.2.5 Protecting your portable devices and information
◦ TG3.2.6 Other actions that you can take on your computer
◦ TG3.2.7 Protecting your privacy
◦ TG3.2.8 Preparing for personal disasters

LEARNING OBJECTIVES
1. Identify the various behavioural actions you can take to protect your information assets, based upon your risk assessment of information asset risks. (TG3.1)
2. Identify the various computer-based actions you can take to protect your information assets, based upon your information asset risks. (TG3.2)

TG3.1 Behavioural Actions
There are a number of behavioural actions that you should take to protect your information assets. We discuss these actions in this section.
◦ TG3.1.1 General behavioural actions
◦ TG3.1.2 What to do in the event of identity theft

TG3.1.1 General behavioural actions
◦ Use of personal information
◦ Use of the social insurance number
◦ Use of credit cards
◦ Use of debit cards
◦ Use of financial accounts
◦ Use of the mailbox
◦ Dealing with old records

Use of personal information
You should not provide personal information to strangers in any format (physical, verbal, or electronic). For example, verify that you are talking to authorized personnel before you provide personal information over the telephone. To accomplish this, hang up and call the person or company back. If you have a caller-ID telephone, check the display for the company name that is shown.

Use of the social insurance number (SIN)
A critically important behavioural action that you can take is to protect your social insurance number. Unfortunately, far too many organizations use your social insurance number to uniquely identify you. When you are asked to provide this number, ask if there is other information that can be used as unique identification, such as your telephone number or address. If the person asking for your social insurance number, for example your physician's clerk, is not responsive, ask to speak with a supervisor.

Use of credit cards and debit cards
◦ Where available, use credit cards with your picture on them.
◦ You may also want to use virtual credit cards, which offer you the option of shopping online with a disposable credit card number.
◦ Pay close attention to your credit card billing cycles. You should know, to within a day or two, when your credit card bills are due. If a bill does not arrive when expected, call your credit card company immediately.
◦ Limit your use of debit cards. Debit cards are linked to your bank account, meaning that a person who steals your debit card and personal identification number (PIN) can clean out your bank account.

Use of financial accounts
It is important to be aware of what is happening with your financial accounts, as the source of identity theft could be someone hacking into the places where you bank or conduct your transactions. For example, in April 2006 a breach was reported in the Bank of Canada accounts that handle automatic payroll deductions for Canada Savings Bonds.

Use of the mailbox
Depending on the type of traffic in the area where you live, you might choose to avoid using a personal mailbox at your home or apartment for anything other than catalogues and magazines. You could use a private mailbox or a Post Office box instead. Think about the wealth of information that could be stolen from your mailbox: credit card statements, bank statements, investment statements, and so on.
Dealing with old records
When you discard mail or old records, use a crosscut (confetti) shredder to cut them up.

TG3.1.2 What to do in the event of identity theft
◦ If your social insurance number has been compromised, contact Service Canada; in the event of passport theft, contact your local passport office. If you believe your mail is being diverted, contact your local Canada Post office.
◦ Cancel all affected credit cards and obtain new credit card numbers.
◦ Consult a lawyer about the type of paperwork that may be required to deal with disputes with financial institutions or credit-granting organizations.
◦ Get organized. Keep a file with all your paperwork, including the names, addresses, and phone numbers of everyone you contact about this crime.
◦ File a detailed police report. Send copies of the report to creditors and other agencies or organizations that may require proof of the crime.
◦ Get the name and phone number of your police investigator, along with the Police Incident Report Number, and give it to all your creditors.
◦ In all communications about the crime, use certified, return-receipt mail.
◦ Report that you are the victim of identity theft to the fraud divisions of both credit reporting agencies: Equifax and TransUnion. Due to the increased incidence of identity theft, federal law now gives you the right to one free credit report per year. If you request your free annual report from each of the two agencies six months apart, you will receive one free report every six months. Be sure to get your unique case number from each credit agency, and ask each agency to send you your credit report.
◦ Tell each agency to issue a fraud alert. The fraud alert requires mortgage brokers, car dealers, credit card companies, and other lenders to scrutinize anyone who opens an account in your name for 90 days.
◦ Get the document that you need to file a long-term fraud alert, which lasts for seven years and can be cancelled at any time.
◦ Ask the credit agencies for the names and phone numbers of lenders with whom accounts have been opened in the affected time frame, so you can identify the fraudulent accounts.
◦ Point out all entries generated by fraud to each agency, and ask each agency to remove the specified fraudulent entries.
◦ Tell each agency to notify anyone who received your report in the last six months (or the affected time frame) that you are disputing the information.
◦ You may be able to order a "credit freeze" with both credit agencies. This freeze requires lenders, retailers, utilities, and other businesses to get special access to your credit report through a PIN-based system. It also helps prevent anyone from getting new loans or credit in your name.
◦ Be alert for change-of-address forms in your mail. The post office must send notifications to your old and new addresses. If someone tries to change your mailing address, it is a major indication that you have been victimized.
◦ If debt collectors demand payment of fraudulent accounts, write down the name of the company as well as the collector's name, address, and phone number. Tell the collector that you are the victim of identity theft. Send the collection agency a registered letter with a completed police report. If this does not work, refer the agency to your lawyer.

TG3.2 Computer-Based Actions
◦ TG3.2.1 Determining where people have visited on the Internet using your computer
◦ TG3.2.2 The dangers of social networking sites
◦ TG3.2.3 Determining if your computer is infected
◦ TG3.2.4 Computer actions to prevent malware infections
◦ TG3.2.5 Protecting your portable devices and information
◦ TG3.2.6 Other actions that you can take on your computer
◦ TG3.2.7 Protecting your privacy
◦ TG3.2.8 Preparing for personal disasters

TG3.2.1 Determining where people have visited on the Internet using your computer
You can check to see where anyone who may have used your computer has visited on the Internet.
Check the browser history by following these steps in Internet Explorer:
◦ Click on Tools in the menu bar
◦ Click on Internet Options
◦ Under the section Browsing History, click on Settings
◦ Click on View Files

If the browser history is empty, it means that someone has either (1) not been surfing the Internet at all or (2) erased the browser history. If you then check the Recycle Bin and it is also empty, someone has also emptied the Recycle Bin. At this point, you should consider installing monitoring software on your computer (discussed later).

TG3.2.2 The dangers of social networking sites
You should never post personal information about yourself or your family in chat rooms or on social networking sites. In fact, you should access these websites and review any entries that you have made. One reason for these precautions is that potential employers are now searching these websites for information about you. Well-known social networking sites include MySpace, Friendster, Xanga, YouTube, Facebook, and Flickr. The full profiles of MySpace users aged 18 and over are available to everyone on the Internet by default.

On LinkedIn, most people want public profiles, and that is the default. The information that LinkedIn users share tends to be professional credentials, not details of their social lives, so there is less need for privacy. If you want additional privacy on LinkedIn, follow these steps:
◦ Click on Profile
◦ Click on Edit Public Profile Settings
◦ Scroll down to Public Profile and adjust your privacy settings

TG3.2.3 Determining if your computer is infected
Your first action is to determine if your computer system is infected with malicious software. Here are the signs to look for:
◦ Your computer shuts down unexpectedly by itself.
◦ Your computer refuses to start normally.
◦ Running the DOS CHKDSK (CHECK DISK) command shows that less than 655,360 bytes (640 kilobytes) are available.

To run the CHKDSK command, follow these steps:
◦ Click on Start
◦ Click on Programs
◦ Click on Accessories
◦ Click on Command Prompt
◦ Type in CHKDSK and hit Enter

Your computer shows erratic behaviour, exhibiting some or all of these characteristics:
◦ Your system unexpectedly runs out of space on your computer's hard drive.
◦ Your system continually runs out of main memory (RAM).
◦ Programs take longer to load than normal.
◦ Programs act erratically.
◦ Your monitor displays strange graphics or messages.
◦ Your system displays an unusually high number of error messages.
◦ Your e-mail program sends messages to all the contacts in your address book without your knowledge or permission.

TG3.2.4 Computer actions to prevent malware infections
◦ Never open unrequested attachments to e-mail messages, even those from people you know and trust.
◦ Never open attachments or web links in e-mails from people you do not know.
◦ Never accept files transferred to you during Internet chat or instant messaging sessions.
◦ Never download any files or software over the Internet from websites that you do not know.
◦ Never download files or software that you have not requested.

◦ Test your system
◦ Install a security suite on your computer
◦ Install an anti-malware product on your computer
◦ Install a firewall on your computer
◦ Install an anti-spyware product
◦ Install monitoring software
◦ Install content filtering software
◦ Install anti-spam software
◦ Install proactive intrusion detection and prevention software
◦ Manage patches
◦ Use a browser other than Internet Explorer
◦ Use an operating system other than Windows

TG3.2.5 Protecting your portable devices and information
Before we discuss these steps, there are two common-sense precautions that many people forget.
1. Keep your laptop in an inconspicuous container. Laptop cases with your company logo simply draw the attention of thieves.
2. Do not leave your laptop unattended in plain view (for example, in the back seat of your car where it can be seen).
You should lock it in the trunk.

◦ Use alarms. Laptop security systems operate by detecting motion, analyzing it to determine whether a threat exists, and implementing responses. They are battery powered, they are independent of the computer operating system, and they operate whether the laptop is on or off.
◦ Use data encryption. Encryption provides additional protection by turning data into meaningless symbols, decipherable only by an authorized person. You can encrypt some or all of the data on your computer by using Windows XP's built-in encryption, folder-based encryption, or full-disk encryption.
◦ Use tracing tools or device reset/remote kill tools.

TG3.2.6 Other actions that you can take on your computer
There are other actions that you can take on your computer for added protection:
◦ Detecting worms and Trojan horses
◦ Turning off peer-to-peer file sharing
◦ Looking for new and unusual files
◦ Detecting spoofed (fake) websites
◦ Adjusting the privacy settings on your computer

TG3.2.7 Protecting your privacy
◦ Use strong passwords
◦ Adjust your privacy settings on your computer
◦ Surf the web anonymously
◦ E-mail anonymously

Use strong passwords
You can use the Secure Password Generator at PCTools (www.pctools.com/guides/password) to create strong passwords. The Generator lets you select the number and type of characters in your password. Remembering multiple passwords is difficult. You can use free software such as Password Safe (http://passwordsafe.sourceforge.net/) or RoboForm (www.roboform.com) to help you remember your passwords and maintain them securely.

Adjust your privacy settings on your computer
Most web browsers allow you to select the level of privacy that you want when using your computer. Make sure you choose the level of privacy you want when surfing the Internet.
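The kind of generator described under "Use strong passwords" (you pick the number and type of characters), as an added Python example; this is not code from the guide or from PCTools, and the character classes and symbol set are assumptions. It draws characters from the operating system's random source via the secrets module, guarantees one character from every selected class, and reports the resulting strength in bits so different settings can be compared.

```python
import math
import secrets
import string

# Character classes the user can select from; the symbol set is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length: int, classes=ALL_CLASSES) -> str:
    """Return a password of `length` characters drawn from the selected classes.

    Uses `secrets` (the OS CSPRNG), never `random`, and guarantees at least one
    character from every selected class so mixed-class policies are satisfied.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of selected classes")
    pools = [CLASSES[c] for c in classes]
    alphabet = "".join(pools)
    # One guaranteed character per class, the rest from the combined alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Shuffle with the CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, classes=ALL_CLASSES) -> float:
    """Optimistic strength estimate: length * log2(alphabet size).
    The per-class guarantee shaves a little off the true value, so use this
    to compare settings rather than as an exact figure."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def has_all_classes(password: str, classes=ALL_CLASSES) -> bool:
    """True if at least one character from each selected class is present."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n} chars, {entropy_bits(n):.1f} bits: {generate_password(n)}")
```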
Surf the web anonymously
Surfing the Web anonymously means that you do not make your IP (Internet Protocol) address or any other personally identifiable information available to the websites that you are visiting. There are two ways to go about surfing the Web anonymously:
◦ you can use an anonymizer website as a proxy server, or
◦ you can configure an anonymizer as a permanent proxy server in your web browser.

E-mail anonymously
Anonymous e-mail means that your e-mail messages cannot be tracked back to you personally, to your location, or to your computer. That is, your e-mail messages are sent through another server belonging to a company, known as a re-mailer, that provides anonymous e-mail services. The recipient of your e-mail sees only the re-mailer's header on your e-mail. In addition, your e-mail messages are encrypted so that if they are intercepted, they cannot be read. Leading commercial re-mailers include CryptoHeaven (www.cryptoheaven.com), Ultimate Anonymity (www.ultimateanonymity.com), and Hushmail (www.hushmail.com).

TG3.2.8 Preparing for personal disasters
◦ Restoring backup files
◦ Wireless security

Restoring backup files
You can use the Windows Backup utility to restore the backup copies to your hard disk. In Windows XP, you launch Backup by following these steps:
◦ Click on Start
◦ Click on Programs
◦ Click on Accessories
◦ Click on System Tools
◦ Click on Backup

Wireless security
◦ Hide your Service Set Identifier (SSID)
◦ Use encryption
◦ Filter out Media Access Control (MAC) addresses
◦ Limit Internet Protocol (IP) addresses
◦ Sniff out intruders
◦ Using a public hotspot

Hide your Service Set Identifier (SSID)
A step-by-step guide to performing these security measures is available at http://netsecurity.about.com/od/stepbystep/ss/change_ssid.htm.

Use encryption
To avoid broadcasting in the clear, you must use encryption with your wireless home network.
Wired Equivalent Privacy (WEP) is an old protocol that is now very easy to crack and should not be used. Instead, you should use Wi-Fi Protected Access 2 (WPA2), the second generation of WPA. WPA2 is much stronger than WEP and makes your encryption far harder for attackers to crack.

Filter out Media Access Control (MAC) addresses
You should get the MAC address of all computers on your home wireless network. Then, instruct your router to connect only with these computers and deny access to all other computers attempting to connect with your network. Use ipconfig /all to find the MAC address of your computer.

Limit Internet Protocol (IP) addresses
You should instruct your router to allow only a certain number of IP addresses to connect to your network. Ideally, the number of IP addresses will be the same as the number of computers on your network.

Sniff out intruders
A variety of wireless intrusion detection systems will monitor your wireless network for intruders, tell you they are on your network, show their IP addresses and their activity, and even tell them you know that they are there. Commercial products include the Internet Security Systems (www.iss.net) Wireless Scanner and AirDefense Personal (www.airdefense.net). AirSnare is a free wireless intrusion detection system (http://home.comcast.net/~jay.deboer/airsnare).

Using a public hotspot
If you must use a computer wirelessly at a public hotspot, here are several things you should do before you connect:
◦ Use virtual private networking (VPN) technology to connect to your organization's network (discussed in Chapter 3).
◦ Use Remote Desktop to connect to a computer that is running at your home.
◦ Configure the Windows firewall to be "on with no exceptions."
◦ Only use websites that use Secure Sockets Layer (SSL) for any financial or personal transactions.

Copyright
Copyright © 2011 John Wiley & Sons Canada, Ltd. All rights reserved. Reproduction or translation of this work beyond that permitted by Access Copyright (the Canadian copyright licensing agency) is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons Canada, Ltd. The purchaser may make back-up copies for his or her own use only and not for distribution or resale. The author and the publisher assume no responsibility for errors, omissions, or damages caused by the use of these files or programs or from the use of the information contained herein.
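The MAC-filtering and "sniff out intruders" steps of the Wireless security section, as an added Python example that is not part of the guide: it pulls the Physical Address lines out of ipconfig /all output, normalizes the different MAC notations that Windows, routers and switches print, builds the allowlist for the router, and flags any client in the router's attached-device table that is not on it. The ipconfig excerpt and router table are constructed samples, not real output.

```python
import re

# `ipconfig /all` on Windows prints each adapter's MAC on a line such as
# "Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E".
PHYSICAL_ADDRESS_RE = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, colon-separated.
    Accepts 00-1A-2B-3C-4D-5E (Windows), 00:1a:2b:3c:4d:5e (most routers)
    and 001a.2b3c.4d5e (Cisco-style), so lists from different sources compare."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def macs_from_ipconfig(text: str) -> list[str]:
    """Every adapter MAC found in ipconfig /all output, normalized."""
    return [normalize_mac(m) for m in PHYSICAL_ADDRESS_RE.findall(text)]


def build_allowlist(ipconfig_text: str, extra: list[str]) -> set[str]:
    """Allowlist for the router: this PC's adapters plus MACs gathered elsewhere."""
    return set(macs_from_ipconfig(ipconfig_text)) | {normalize_mac(m) for m in extra}


def unknown_clients(router_clients: list[tuple[str, str]], allowlist: set[str]) -> list[tuple[str, str]]:
    """(ip, mac) pairs from the router's attached-device table whose MAC is not
    on the allowlist. MAC filtering is a supplement to WPA2, not a replacement:
    a MAC is a self-reported identifier, so treat hits as a prompt to investigate."""
    return [(ip, normalize_mac(mac)) for ip, mac in router_clients
            if normalize_mac(mac) not in allowlist]


# Constructed sample: excerpt of ipconfig /all from one home PC (not real output).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
Ethernet adapter Wireless Network Connection:
   Physical Address. . . . . . . . . : 00-1A-2B-AA-BB-CC
   IP Address. . . . . . . . . . . . : 192.168.1.10
"""

# Constructed sample: a router's attached-device table, copied out by the owner.
SAMPLE_ROUTER_TABLE = [
    ("192.168.1.10", "00:1a:2b:aa:bb:cc"),   # this PC's wireless adapter
    ("192.168.1.11", "001a.2bde.f012"),      # family laptop, registered below
    ("192.168.1.25", "66:77:88:99:aa:bb"),   # not on the allowlist
]

if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_IPCONFIG, ["00-1A-2B-DE-F0-12"])
    for ip, mac in unknown_clients(SAMPLE_ROUTER_TABLE, allow):
        print(f"unknown device {mac} at {ip}")
```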