TECHNOLOGY GUIDE 3

Protecting Your Information Assets

Upload: lorraine-walker

Post on 23-Dec-2015


Technology Guide Overview

Agenda

TG3.1 Behavioural Actions

TG3.1.1 General behavioural actions

TG3.1.2 What to do in the event of identity theft

TG3.2 Computer-Based Actions

TG3.2.1 Determining where people have visited on the internet using your computer

TG3.2.2 The dangers of social networking sites

TG3.2.3 Determining if your computer is infected

TG3.2.4 Computer actions to prevent malware infections

TG3.2.5 Protecting your portable devices and information

TG3.2.6 Other actions that you can take on your computer

TG3.2.7 Protecting your privacy

TG3.2.8 Preparing for personal disasters

LEARNING OBJECTIVES

1. Identify the various behavioural actions you can take to protect your information assets based upon your risk assessment of information asset risks. (TG3.1)

2. Identify the various computer-based actions you can take to protect your information assets based upon your information asset risks. (TG3.2)

TG3.1 Behavioural Actions

There are a number of behavioural actions that you should take to protect your information assets. We discuss these actions in this section.

◦ TG3.1.1 General behavioural actions
◦ TG3.1.2 What to do in the event of identity theft

TG3.1.1 General behavioural actions

◦ Use of personal information
◦ Use of the social insurance number
◦ Use of credit cards
◦ Use of debit cards
◦ Use of financial accounts
◦ Use of the mailbox
◦ Dealing with old records

Use of personal information

You should not provide personal information to strangers in any format (physical, verbal, or electronic).

For example, verify that you are talking to authorized personnel before you provide personal information over the telephone. To accomplish this, you should hang up and call the person or company back. If you have a caller-ID telephone, check the display for the company name that is shown.

Use of the social insurance number (SIN)

A critically important behavioural action that you can take is to protect your social insurance number.

Unfortunately, far too many organizations use your social insurance number to uniquely identify you. When you are asked to provide this number, ask if there is other information that can be used as unique identification, such as your telephone number or address.

If the person asking for your social insurance number, for example your physician’s clerk, is not responsive, ask to speak with a supervisor.

Use of credit cards & debit cards

Where available, use credit cards with your picture on them.

You may also want to use virtual credit cards, which offer you the option of shopping on-line with a disposable credit card number.

Pay close attention to your credit card billing cycles. You should know, to within a day or two, when your credit card bills are due. If a bill does not arrive when expected, call your credit card company immediately.

Limit your use of debit cards. Debit cards are linked to your bank account, meaning that a person who steals your debit card and personal identification number (PIN) can clean out your bank account.

Use of financial accounts

It is important to be aware of what is happening with your financial accounts, as the source of identity theft could be someone hacking into the places where you bank or conduct your transactions.

For example, in April 2006 a breach was reported in the Bank of Canada accounts that handle automatic payroll deductions for Canada Savings Bonds.

Use of the mailbox

Depending on the type of traffic in the area where you live, you might choose to avoid using a personal mailbox at your home or apartment for anything other than catalogues and magazines. You could use a private mailbox or a Post Office box. Think about the wealth of information that could be stolen from your mailbox: credit card statements, bank statements, investment statements, and so on.

Dealing with old records

When you discard mail or old records, use a crosscut, or confetti, shredder to cut them up.

TG3.1.2 What to do in the event of ID theft

If your social insurance number has been compromised, you would contact Service Canada; in the event of passport theft you would contact your local passport office.

If you believe your mail is being diverted, contact your local Canada Post office.

Cancel all affected credit cards and obtain new credit card numbers.

Consult a lawyer for the type of paperwork that may be required to deal with disputes with financial institutions or credit-granting organizations.

Get organized. Keep a file with all your paperwork, including the names, addresses, and phone numbers of everyone you contact about this crime.

File a detailed police report. Send copies of the report to creditors and other agencies or organizations that may require proof of the crime.

Get the name and phone number of your police investigator, along with the Police Incident Report Number, and give them to all your creditors.

In all communications about the crime, use certified, return-receipt mail.

Report that you are the victim of identity theft to the fraud divisions of both credit reporting agencies: Equifax and TransUnion. Due to the increased incidence of identity theft, federal law now gives you the right to have one free credit report per year. If you request your free annual credit report from both of the agencies, you will receive one free report every six months.

Be sure to get your unique case number from each credit agency, and ask each agency to send you your credit report.

Tell each agency to issue a fraud alert. The fraud alert requires mortgage brokers, car dealers, credit card companies, and other lenders to scrutinize anyone who opens an account in your name for 90 days.


Get the document that you need to file a long-term fraud alert, which lasts for seven years and can be cancelled at any time.

Ask the credit agencies for the names and phone numbers of lenders with whom recent accounts have been opened in the affected time frame, so you can identify fraudulent accounts that have been opened.

Point out all entries generated due to fraud to each agency. Ask each agency to remove the specified fraudulent entries.

Tell each agency to notify anyone who received your report in the last six months (or the affected time frame) that you are disputing the information.

You may be able to order a “credit freeze” with all three major credit agencies. This freeze requires lenders, retailers, utilities, and other businesses to get special access to your credit report through a PIN-based system. It also helps prevent anyone from getting any new loans or credit in your name.


Be alert for change-of-address forms in your mail. The post office must send notifications to your old and new addresses. If someone tries to change your mailing address, it is a major indication that you have been victimized.

If debt collectors demand payment of fraudulent accounts, write down the name of the company as well as the collector’s name, address, and phone number. Tell the collector that you are the victim of identity theft. Send the collection agency a registered letter with a completed police report. If this does not work, refer the agency to your lawyer.

TG3.2 Computer-Based Actions

TG3.2.1 Determining where people have visited on the internet using your computer

TG3.2.2 The dangers of social networking sites

TG3.2.3 Determining if your computer is infected

TG3.2.4 Computer actions to prevent malware infections

TG3.2.5 Protecting your portable devices and information

TG3.2.6 Other actions that you can take on your computer

TG3.2.7 Protecting your privacy

TG3.2.8 Preparing for personal disasters

TG3.2.1 Determining where people have visited on the internet using your computer

You can check to see where anyone who may have used your computer has visited on the Internet by checking the browser history. Follow these steps in Internet Explorer:
◦ Click on Tools in the menu bar
◦ Click on Internet Options
◦ Under the section Browsing History, click on Settings
◦ Click on View Files


If the Browser History is empty, it means that someone has either (1) not been surfing the Internet at all or (2) has erased the browser history.

If you now check the Recycle Bin and it is also empty, this means that someone has also emptied the Recycle Bin. At this time, you should consider installing monitoring software on your computer (discussed later).

TG3.2.2 The dangers of social networking sites

You should never post personal information about yourself or your family in chat rooms or on social networking sites. In fact, you should access these websites and review any entries that you have made.

One reason for these precautions is that potential employers are now searching these websites for information about you. Well-known social networking sites include MySpace, Friendster, Xanga, YouTube, Facebook, and Flickr.

The full profiles of MySpace users aged 18 and over are available to everyone on the Internet by default.

On LinkedIn, most people want public profiles and that is the default. The information that LinkedIn users share tends to be professional credentials, not details of their social lives, so there is less need for privacy. If you want additional privacy on LinkedIn, follow these steps:
◦ Click on Profile
◦ Click on Edit Public Profile Settings
◦ Scroll down to Public Profile and adjust your privacy settings

TG3.2.3 Determining if your computer is infected

Your first action is to determine if your computer system is infected with malicious software. Here are the signs to look for:

Your computer shuts down unexpectedly by itself.

Your computer refuses to start normally.

Running the DOS CHKDSK (CHECK DISK) command shows that less than 655,360 bytes (640 kilobytes) are available. To run the CHKDSK command, follow these steps:
◦ Click on Start
◦ Click on Programs
◦ Click on Accessories
◦ Click on Command Prompt
◦ Type in CHKDSK and hit Enter

Your computer shows erratic behaviour, exhibiting some or all of these characteristics:
◦ Your system unexpectedly runs out of memory on your computer’s hard drive.
◦ Your system continually runs out of main memory (RAM).
◦ Programs take longer to load than normal.
◦ Programs act erratically.
◦ Your monitor displays strange graphics or messages.
◦ Your system displays an unusually high number of error messages.
◦ Your e-mail program sends messages to all the contacts in your address book without your knowledge or permission.

TG3.2.4 Computer actions to prevent malware infections

Never open unrequested attachments to e-mail files, even those from people you know and trust.

Never open attachments or web links in e-mails from people you do not know.

Never accept files transferred to you during Internet chat or instant messaging sessions.

Never download any files or software over the Internet from websites that you do not know.

Never download files or software that you have not requested.

◦ Test your system
◦ Install a security suite on your computer
◦ Install an anti-malware product on your computer
◦ Install a firewall on your computer
◦ Install an antispyware product
◦ Install monitoring software
◦ Install content filtering software
◦ Install anti-spam software
◦ Install proactive intrusion detection and prevention software
◦ Manage patches
◦ Use a browser other than Internet Explorer
◦ Use an Operating System other than Windows

TG3.2.5 Protecting your portable devices and information

Before we discuss these steps, there are two common-sense precautions that many people forget.

1. Keep your laptop in an inconspicuous container. Laptop cases with your company logo simply draw the attention of thieves.

2. Do not leave your laptop unattended in plain view (for example, in the back seat of your car where it can be seen). You should lock it in the trunk.


Use alarms. Laptop security systems operate by detecting motion, analyzing it to determine whether a threat exists, and implementing responses. They are battery powered, they are independent of the computer operating system, and they operate whether the laptop is on or off.

Data encryption provides additional protection by turning data into meaningless symbols, decipherable only by an authorized person. You can encrypt some or all of the data on your computer by using Windows XP’s built-in encryption, folder-based encryption, or full-disk encryption.

Use tracing tools or device reset/remote kill tools

TG3.2.6 Other actions that you can take on your computer

There are other actions that you can take on your computer for added protection:
◦ Detecting worms and Trojan horses
◦ Turning off peer-to-peer file sharing
◦ Looking for new and unusual files
◦ Detecting spoofed (fake) websites
◦ Adjusting the privacy settings on your computer

TG3.2.7 Protecting your privacy

◦ Use strong passwords
◦ Adjust your privacy settings on your computer
◦ Surf the web anonymously
◦ E-Mail anonymously

Use strong passwords

You can use the Secure Password Generator at PCTools (www.pctools.com/guides/password) to create strong passwords. The Generator lets you select the number and type of characters in your password.

Remembering multiple passwords is difficult. You can use free software such as Password Safe (http://passwordsafe.sourceforge.net/) or Roboform (www.roboform.com) to help you remember your passwords and maintain them securely.
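How a generator that lets you pick the number and type of characters can work, as an added example that is not from the original guide or from any of the products named above. The function names and the four character types are this example's own assumptions.

```python
import math
import secrets
import string

# Character types the caller can switch on or off (names are this example's own).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
ALL_TYPES = tuple(CLASSES)


def generate_password(length=16, types=ALL_TYPES):
    """Return a random password with at least one character of each selected type."""
    types = list(dict.fromkeys(types))  # drop duplicates, keep order
    if not types or any(t not in CLASSES for t in types):
        raise ValueError(f"choose one or more types from {sorted(CLASSES)}")
    if length < len(types):
        raise ValueError("length is too short to include every selected type")
    pool = "".join(CLASSES[t] for t in types)
    # One guaranteed character per selected type, the rest from the whole pool.
    # secrets draws from the operating system's cryptographic random source.
    chars = [secrets.choice(CLASSES[t]) for t in types]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters do not always come first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, types=ALL_TYPES):
    """Approximate upper bound on strength: length * log2(size of character pool)."""
    pool_size = sum(len(CLASSES[t]) for t in set(types))
    return length * math.log2(pool_size)


if __name__ == "__main__":
    print(generate_password(16), f"{entropy_bits(16):.0f} bits")
    print(generate_password(8, types=("digits",)), f"{entropy_bits(8, ('digits',)):.0f} bits")
```

Length matters more than character variety: each extra character adds about 6.5 bits with all four types enabled, while eight digits alone give under 27 bits.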


Adjust your privacy settings on your computer

Most web browsers allow you to select the level of privacy that you want when using your computer. Make sure you choose the level of privacy you want when surfing the Internet.

Surf the web anonymously

Surfing the Web anonymously means that you do not make your IP (Internet protocol) address or any other personally identifiable information available to the websites that you are visiting.

There are two ways to go about surfing the Web anonymously:
◦ You can use an anonymizer website as a proxy server.
◦ You can use an anonymizer as a permanent proxy server in your web browser.

E-Mail anonymously

Anonymous e-mail means that your e-mail messages cannot be tracked back to you personally, to your location, or to your computer.

That is, your e-mail messages are sent through another server belonging to a company—known as a re-mailer—that provides anonymous e-mail services.

The recipient of your e-mail sees only the re-mailer’s header on your e-mail. In addition, your e-mail messages are encrypted so that if they are intercepted, they cannot be read.

Leading commercial re-mailers include CryptoHeaven (www.cryptoheaven.com), Ultimate Anonymity (www.ultimate-anonymity.com), and Hushmail (www.hushmail.com).

TG3.2.8 Preparing for personal disasters

◦ Restoring backup files
◦ Wireless security

Restoring backup files

You can use the Windows Backup utility to restore the backup copies to your hard disk. In Windows XP, you launch Backup following these steps:
◦ Click on Start
◦ Click on Programs
◦ Click on Accessories
◦ Click on System Tools
◦ Click on Backup

Wireless security

◦ Hide your Service Set Identifier (SSID)
◦ Use encryption
◦ Filter out Media Access Control (MAC) Addresses
◦ Limit Internet Protocol (IP) Addresses
◦ Sniff out intruders
◦ Using a public hotspot

Hide your Service Set Identifier (SSID)

A step-by-step guide to perform these security measures is available at: http://netsecurity.about.com/od/stepbystep/ss/change_ssid.htm.

Use encryption

To avoid broadcasting in the clear, you must use encryption with your wireless home network. Wireless equivalent protocol (WEP) is an old protocol that is now very easy to crack and should not be used. Instead, you should use Wi-Fi Protected Access (WPA2), which is the second generation of WPA. WPA2 is much stronger than WEP and will strengthen your encryption against attackers trying to crack it.


Filter out Media Access Control (MAC) Addresses

You should get the MAC address of all computers on your home wireless network. Then, instruct your router to connect only with these computers and deny access to all other computers attempting to connect with your network.

Use ipconfig /all to find the MAC address of your computer.
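One way to turn the output of that command into the list of addresses you enter in the router, as an added example that is not part of the original guide. The sample output is constructed, and the function names and the host label "laptop" are this example's own assumptions.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Controller
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 00-1a-2b-3c-4d-5f

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
MAC_LINE_RE = re.compile(r"^\s+Physical Address[ .]*:\s*([0-9A-Fa-f-]+)\s*$")
EUI48_RE = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")


def parse_ipconfig(text):
    """Return [(adapter name, MAC)] for adapters that have a 48-bit address."""
    found, adapter = [], None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            adapter = header.group(1)
            continue
        mac_line = MAC_LINE_RE.match(line)
        if mac_line and adapter:
            mac = mac_line.group(1).upper()
            # Skip tunnel pseudo-interfaces (8-byte values) and all-zero addresses:
            # they never appear on the wireless network.
            if EUI48_RE.match(mac) and mac != "00-00-00-00-00-00":
                found.append((adapter, mac.replace("-", ":")))
    return found


def build_allowlist(outputs):
    """Merge {computer name: ipconfig output} into a sorted list without duplicates."""
    allow = {}
    for host, text in outputs.items():
        for adapter, mac in parse_ipconfig(text):
            allow.setdefault(mac, f"{host}: {adapter}")
    return sorted(allow.items())


if __name__ == "__main__":
    for mac, label in build_allowlist({"laptop": SAMPLE_IPCONFIG}):
        print(mac, label)
```

Each computer has one address per network adapter, so the wireless adapter's address is the one the router needs. MAC addresses are visible to anyone within radio range, so keep WPA2 enabled alongside the filter.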

Limit Internet Protocol (IP) Addresses

You should instruct your router to allow only a certain number of IP addresses to connect to your network.

Ideally, the number of IP addresses will be the same as the number of computers on your network.

Sniff out intruders

A variety of wireless intrusion detection systems will monitor your wireless network for intruders, tell you they are on your network, show their IP addresses and their activity, and even tell them you know that they are there.

Commercial products include the Internet Security Systems (www.iss.net) Wireless scanner and AirDefense Personal (www.airdefense.net).

AirSnare is a free wireless intrusion detection system (http://home.comcast.net/~jay.deboer/airsnare).

Using a public hotspot

If you must use a computer wirelessly at a public hotspot, here are several things you should do before you connect.

Use virtual private networking (VPN) technology to connect to your organization’s network (discussed in Chapter 3).

Use Remote Desktop to connect to a computer that is running at your home.

Configure the Windows firewall to be “on with no exceptions.”

Only use websites that use secure socket layer (SSL) for any financial or personal transactions.


Copyright © 2011 John Wiley & Sons Canada, Ltd. All rights reserved. Reproduction or translation of this work beyond that permitted by Access Copyright (the Canadian copyright licensing agency) is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons Canada, Ltd. The purchaser may make back-up copies for his or her own use only and not for distribution or resale. The author and the publisher assume no responsibility for errors, omissions, or damages caused by the use of these files or programs or from the use of the information contained herein.
