Think of the specific threats like symptoms of an illness. A doctor can prescribe medicine to temporarily treat the symptoms or the doctor can do a more thorough job and eliminate the illness and alleviate the symptoms permanently. In keeping with this analogy, viruses, worms, phishing, and other cyber attacks are symptoms of an illness. The illness is threefold.
For example, if software developers were to make security a top priority during development of their products, we would be much less likely to have software that was vulnerable and there would be fewer attack avenues for malicious individuals. Similarly, if users were more educated about security and a bit more suspicious, they would be less likely to open unexpected attachments they received or click on links that end up infecting their machine. Of course, these ideas don’t eliminate all cyber security threats, but they could drastically reduce many of them.
Some of the technical solutions include:
Q: How effective are firewalls, anti-virus software and anti-spyware in warding off cyber criminals? How can computer users maximize those tools?
When properly configured, firewalls are very effective at stopping intruders and keeping unauthorized outbound traffic from exiting. However, they are only one layer of security, and even when properly configured can allow harmful traffic through.
Unfortunately, anti-spyware and anti-virus programs are not as effective. These protection mechanisms rely on a signature file which helps them to identify malicious code or files known as malware. Malware is the general term for malicious software such as viruses, spyware, trojans, worms and so on. The problem with any protective technology is that there is a lag time from when the malware is released in the wild on the Internet to when it is identified and added to the signature file so it can be detected by your anti-virus software. Even though it’s not instantaneous, anti-virus and anti-spyware software do help protect your computer. With up-to- date anti-virus, you may be vulnerable to a new form of malware for up to a half a day or so until the updated signature file is released; but without anti-virus, you are vulnerable 100 percent of the time. To maximize these tools, users should make sure they are properly configured and kept updated at all times.
Q: When shopping, paying bills or banking online, how can users protect their credit card and bank numbers and other sensitive personal information?
I highly suggest freezing your credit. Indiana state law provides consumers the right to freeze their credit to prevent identity thieves from opening accounts or lines of credit in their victims’ name. It basically keeps new creditors from accessing your credit report without your permission. This does not negatively affect your credit score or your ability to use credit cards or other lines of credit you already have and it’s free. It is important to note that if you perform this freeze, you should expect additional steps when you apply for new lines of credit. However, it’s a small price to pay for security. More information is available at the Indiana Attorney General’s website.
Never perform online banking or shopping on a public or shared computer or on a public/open network. There could be software on the computer or a malicious person lurking on the network ready to capture your credentials or credit card number. Consider dedicating a single machine (possibly a separate machine or a virtual machine) to use only for online banking. By doing nothing more than banking on this machine, you can avoid malware from Internet surfing or infected email attachments. If your bank or credit card company offer automated account monitoring, you should configure and enable it. This feature will alert you of specific changes to your account like adding a new payee, changes made to your security settings or password, and can alert you to a low balance. Many of these alerts can be configured so that a text message is sent to your mobile phone. This offers some additional protection in terms of being timely alerted to a possible issue. Finally, if your bank offers advanced authentication methods, such as the use of a password token, take advantage of them because they drastically improve the security of your account.
Users also need to get into the habit of checking the bank balances and credit card statements once or twice a week for unauthorized charges and transactions. Along these same lines, users should check their credit reports yearly at minimum. Everyone is eligible for one free credit report from each of the three major credit reporting agencies yearly by going to AnnualCreditReport.com. I suggest checking it more frequently.
Using different credentials for different sites is another easy way to protect yourself. At the very least, use different passwords for different sites. This does create a level of complexity that you have to manage. There are programs available that act as a safe for your credentials so you can set different logins and passwords for all of the sites that you visit. All you have to do is remember the master password for your password safe. These products allow you to easily use long, strong passwords for various Internet sites without having to worry about remembering them all. Many of these password-safe programs even have portable versions that can be run from a thumb drive or your mobile phone. The vault itself is encrypted so that you don’t have to worry about compromising your passwords if you lose it. Of course, be sure you have a backup! Some examples of these programs are KeePass and PasswordSafe. For more information, see the article on password manager software on the SecurePurdue website.
Q: What tools and resources are available from ITaP to Purdue employees for use on their personal laptops and home computers?
Q: Can you provide a list of tips for keeping users’ personal information and computer files safe?
* * *
More information about cyber security is available on the SecurePurdue website. The site also offers a three-video training series about prudent Internet practices for social networking, password security, and proper handling of spam.
Nathan Heck is an IT Security Engineer with Purdue University working for IT Networks and Security. His duties include developing new security solutions, performing incident response and computer forensic investigations and advising other departments on security-related matters. He graduated from Purdue University in 2000 with a bachelor of science degree in computer technology and psychology. He is currently working on a master of science degree in computer technology.