Proactive Information Security Practices

The prevalence of identity theft, viruses, and attacks against networks continues to rise, making it a necessity for organizations, employees, patrons, and individuals to take proactive measures against these cyber crimes. Remember, the first line of defense is informed practice.

Let's take a look at some information security recommendations that everyone can practice.

Personally Identifiable Information: What is it?

Personally identifiable information (PII) refers to personal data that an individual provides to an organization for some business purpose. Data is considered PII if it is specifically associated with an individual, if it was disclosed by the individual to the organization and persistently stored for future use, and if the individual who submitted the data has an interest, either directly expressed or by legal right, in limiting the propagation of the data within the organization or to other organizations or individuals.

Safeguarding Personally Identifiable Information (PII)

  • Ask how information will be used before giving it out.
  • Avoid common names/dates for passwords and PINs.
  • Pick up mail promptly.
  • Pay attention to credit card and bank statements.
  • Shred personal documents that contain personally identifying information.
  • Order a credit report annually.
  • Refrain from carrying your Social Security card and passport.

Password Security Tips

When creating a password:

  • Combine letters, numbers, and special characters.
  • Do not use personal information.
  • Do not use common phrases or words.
  • Do not write down your password; memorize it.
  • Change your password according to organizational policy.

Never share your password! UAS IT services will never ask for your password.

E-mail Security Tips

As a general rule, use the following tips when accessing e-mail:

  • Do not access the web by selecting links in e-mail or pop-up messages.
  • View all e-mail in plain text.
  • Delete unsolicited or suspect e-mail; err on the side of caution.
  • Use antivirus software to scan e-mail attachments, even if you think the file is clean.
  • Type the web address yourself or use a bookmark.
  • Contact the organization by phone to verify any request.

Social Engineering

To launch a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

Social Engineering Security Tips

  • Do not participate in unapproved telephone or online surveys.
  • Do not give out personal information.
  • Do not give out computer or network information.
  • Do not follow instructions from unverified personnel.
  • Document the interaction: verify the identity of all individuals, write down the phone number, and take detailed notes.
  • Contact your security point of contact or help desk.

What is Phishing?

Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

How to Recognize Phishing

  • Typically arrives by e-mail or pop-up message.
  • Appears to be from a legitimate source: government, Internet service providers (ISPs), your bank, etc.
  • Claims you must update or validate information.
  • Directs you to a website that looks real.

Note: Legitimate companies and organizations do not ask for personal information in this way.

Additional Resources

For additional information, please see the following links:

U.S. Computer Emergency Readiness Team (US-CERT)

National Institute of Standards and Technology (NIST) Computer Security Resource Center

Online DoD Anti-Phishing and Information Systems Security Awareness (ISSA) Training for non-DoD personnel, provided by the Information Assurance Support Environment.


Content maintained by Helpdesk.