Internet Security Advice

Internet security awareness
What does it mean…?

Spam refers to unsolicited email: speculative email that you didn't ask for. It comes from a number of sources, including personal computers that have been hijacked through the unwitting installation of malware.

Malware is the generic term for small programs intended to disrupt, damage or steal. This includes viruses, trojans, worms, spyware, intrusive adware, rootkits and other, more exotic nasties. The results can range from minor annoyance, through data loss, to identity and financial theft.

Keyloggers are designed to capture keystrokes, i.e. everything you type, and then transmit them to a third party. They will reveal bank passwords, for example. Keyloggers are widely available, but are generally well detected by anti-spyware software.

The main concern used to be viruses and trojans in email attachments. The bigger worry now is being lured to specially crafted websites that then install malware. Sometimes this happens automatically; more commonly the site prompts the user to download something, such as a new anti-virus application, anti-spyware suite or codec. All sound attractive, even essential, but all can be harmful and extremely difficult to remove.

  1. The advice for years has been never to open email attachments unless you are absolutely confident of their source. This is as true as ever.
  2. Exactly the same applies to website links in emails.
  3. Use common sense. For example:
    • Ask: "Did I request this?" or "How could they know?" Be suspicious by default.
    • No responsible organization will send unsolicited emails asking for personal details, or asking you to click on a website link that then asks for them ("phishing").
    • No bank or other reputable organization (e.g. eBay/PayPal) will ask for account details by email. In general, banks won’t use unsecured email at all anyway.
    • Microsoft will never send software vulnerability or threat information by email. Many others have the same policy, e.g. Adobe.
    • If it looks too good to be true, it is: it’s illegal or they’ve got another reason to be tempting you.
  4. Simply because an email came from a trusted source doesn’t automatically mean that its content is safe: they could have been infected and the email could have been generated automatically. If in doubt, check with the source…or simply delete.
  5. Never forward or reply to spam, or anything you suspect might be spam. Just delete it. Don’t try to "unsubscribe" — all this does is confirm that your email address is valid.
  6. Always keep software updated, particularly Windows Updates. For those on our Managed Services platform, NetMaster, this is done and verified automatically. For others, make sure that Windows updates are set to "Automatically download...", keep an eye open for the little yellow shield icon (bottom-right, near the clock) and do a manual Windows Update on the second Wednesday of every month to check that nothing’s been missed.
  7. Use effective spam-filtering on your incoming email path and consider deleting spam automatically (at the risk of losing the odd genuine email), or at least use an Outlook inbox rule to move it to a different folder. For those using our hosting (HyperHosting) or a server that we installed, spam-filtering will already be in place.
  8. Use effective anti-malware software and keep it updated: Trend Micro, AVG, Norton, McAfee, Sophos, Kaspersky, etc. Again, for those on NetMaster or using a network we installed, this will already be in place.
  9. Turn on the phishing filter built into most current browsers. For example:
    • In Internet Explorer 7: "Tools", "Phishing filter", "Turn on…" (If you still have IE6, update it to IE7 through Windows Update unless you have a very good reason not to.)
      (Screenshot: Internet Explorer 7)
    • In Firefox: "Tools", "Options", "Security". Tick "Warn me when…" and "Tell me if…".
      (Screenshot: Firefox 3)
  10. Never "run" or "install" anything from any website unless you are absolutely sure it’s OK or have been specifically asked to do so by an expert you trust. Avoid those little "lunchtime" games.
  11. Always check for the padlock (or for the prefix "https://" in the website address) before entering any personal details into a website, particularly card details, and then only into a website that you trust absolutely. If in doubt, use the phone.
  12. If a website has asked you to login, always actively "logoff" from it. Don’t just close the browser or move on to another website.
  13. Avoid the seamier side of the web. Apart from the obvious, we include in this peer-to-peer download networks like Kazaa, BitTorrent, LimeWire, etc. Of course there can be all manner of copyright issues, but these are also particularly high-risk vectors for malware. Several of the download applications themselves contain spyware and adware. It would be most unusual to need these for business. Access to them can easily be restricted through NetMaster, and most professional firewalls now have tools to do so.
  14. There is no doubt that Windows Vista can be intrinsically more secure…but for many this opens a can of worms that isn’t appropriate here.
  15. Ensure that your organisation's Acceptable Use Policy is specific about web and email hygiene and that this is linked to employment contracts/staff handbook.
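As an added illustration of point 11 (this is example code written for this page, not code from the original advice or from Prizebyte), the following Python script pulls the links out of a constructed HTML email body and reports which ones genuinely use "https://". It uses a URL parser rather than a substring test, so an address that merely contains "https://" later in its path does not pass the check. The email body, the hostnames and the `check_email_links` helper are all constructed for the example.

```python
"""Report which links in an HTML email body pass the 'https://' check.

Added example for the advice above; the sample email and hostnames below are
constructed and are not real addresses.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message). The third link contains
# the text 'https://' but actually points at a plain-http site.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please confirm your details:</p>
<a href="https://www.example-bank.test/login">Secure login</a>
<a href="http://www.example-bank.test/login">Login</a>
<a href="http://example.test/https://www.example-bank.test/">Login here</a>
<a href="/login">Relative link with no host</a>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated visible text] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((text.strip(), href))
            self._current = None


def is_https_url(url: str) -> bool:
    """True only if the URL's scheme is https and it names a host.

    A substring test such as '"https://" in url' would wrongly accept
    'http://example.test/https://...'; parsing the URL avoids that.
    """
    parts = urlparse(url.strip())
    return parts.scheme.lower() == "https" and bool(parts.hostname)


def check_email_links(html: str):
    """Return (visible text, href, host, passes_https_check) for each link."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for text, href in collector.links:
        host = urlparse(href.strip()).hostname or ""
        report.append((text, href, host, is_https_url(href)))
    return report


if __name__ == "__main__":
    for text, href, host, ok in check_email_links(SAMPLE_EMAIL_HTML):
        status = "OK (https)" if ok else "NOT https: do not enter details"
        print(f"{status:34} {host or '(no host)':26} {href}")
```

The host column is printed alongside the verdict because the padlock only tells you that the connection is encrypted; whether the site is one you trust absolutely is still a separate question, as point 11 says.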
Prizebyte IT Support
T. 0845 054 5064