Feed aggregator

Don't be a Cyberbully

MS-ISAC Daily Tips - Fri, 11/20/2009 - 05:19

Cyberbullying refers to the new, and growing, practice of using technology to harass, or bully, someone else. Cyberbullying can range in severity from cruel or embarrassing rumors to threats, harassment, or stalking. It can affect any age group; however, teenagers and young adults are common victims.

 

For more information, please visit:

Partnerships
Additional information and resources for educating citizens on cyber issues and implementing sound cyber security practices are available at the following websites:


Categories: News and Tips

Think Before You Click

MS-ISAC Daily Tips - Thu, 11/19/2009 - 06:00

Be cautious about all communications you receive, and clicking on links in an
email, instant message or a website. Even if you know and trust the sender of
the email, or an instant message, or are on a known website or a friend's social
networking page, it is still prudent to use caution when navigating pages and
clicking on links or photos, because links, images or other content contained on
the pages may include malicious code placed there by hackers.



Categories: News and Tips

Don't Be a Victim of Cyber Crime!

MS-ISAC Daily Tips - Wed, 11/18/2009 - 06:00

The term "cybercrime" usually refers to any criminal offense committed against or with the use of a computer or computer network. A cybercrime incident can lead to loss of business and consumer confidence, financial loss, productivity loss, and even loss of intellectual property. For something to be considered a crime, however, a law must denote it as such, and the laws have, to this point, lagged behind technology.

 

If you become a victim of cybercrime, you should report the incident to the appropriate law enforcement authorities. Depending on the scope of the crime, the appropriate agency may be local, state, federal, or even international. The US DOJ maintains a list of federal agencies to which computer related crimes may be reported at the following address: http://www.usdoj.gov/criminal/cybercrime/reporting.htm . In addition, you may report cybercrimes to the Internet Crime Complaint Center (IC3), a partnership among the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA).

 


Categories: News and Tips

Protect Your Portable Devices

MS-ISAC Daily Tips - Tue, 11/17/2009 - 06:00

It is important to make sure you secure your portable devices to protect both
the device and the information contained on the device.


The following outlines steps you can take to protect your mobile communication
device. Some of the steps are dependent upon the functionality of your device.

  • Use a password to access your device. If the device is used for work purposes,
    you should follow the password policy issued by your organization.
  • If the Bluetooth functionality is not used, check to be sure this setting is
    disabled. Some devices have Bluetooth enabled by default. If the Bluetooth
    functionality is used, be sure to change the default password for connecting
    to a Bluetooth-enabled device.
  • Do not open attachments from untrusted sources. Similar to the risk when using
    your desktop, you risk being exposed to malware when opening unexpected
    attachments.
  • Do not follow links to untrusted sources, especially from unsolicited email or text messages. Again, as with your desktop, you risk being infected with
    malware.
  • If your device is lost, report it immediately to your carrier or organization. Some devices allow the data to be erased remotely.
  • Review the security settings on your device to ensure appropriate protection. Be sure to encrypt data transmissions whenever possible.

Categories: News and Tips

Microsoft Releases Security Advisory 977544

US-CERT Current Activity - Mon, 11/16/2009 - 09:21
Microsoft has released security advisory 977544 to address a vulnerability in the Server Message Block (SMB) protocol. This vulnerability may allow an attacker to cause a denial-of-service condition. This vulnerability only affects Windows 7 and Server 2008 software.

US-CERT encourages users and administrators to review Microsoft security advisory 977544 (http://www.microsoft.com/technet/security/advisory/977544.mspx) and apply the workarounds.
Categories: Security Advisories

Stay Safe on Social Networking Sites

MS-ISAC Daily Tips - Mon, 11/16/2009 - 06:00

Social networking sites (e.g., Facebook®, YouTube®) are widely used, but we must learn how to be safe on such sites. While these sites can increase your circle of friends, they can also increase your exposure to people with less-than-friendly intentions. Learn how to help your kids - and other family members - socialize online safely.

 

What can you do to protect yourself?

  • Make sure your computer is protected before visiting sites
  • Do not assume you are in a trusted environment
  • Be cautious in how much personal information you provide
  • Use common sense when communicating with users you DO know
  • Use common sense when communicating with users you DON'T know
  • Understand what information is collected and shared
  • Make sure you know what sites your child is visiting


Categories: News and Tips

Know Your Peer-to-Peer (P2P) Partner

MS-ISAC Daily Tips - Fri, 11/13/2009 - 06:00

Peer-to-peer (P2P) networking is a popular method for sharing files, music, photographs and other information. Just remember that this method can come with its share of major risks. It is best to know with whom you are sharing data and files, rather than browsing for a site that you believe meets your criteria. The data may be corrupted with malware or expose you to legal ramifications (e.g., copyrights, pirated software or music). So, be safe and know what your buddy is offering before you load a copy onto your device.

 


Categories: News and Tips

Apple Releases Safari 4.0.4

US-CERT Current Activity - Thu, 11/12/2009 - 08:08
Apple has released Safari 4.0.4 to address multiple vulnerabilities in a number of components. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct cross-site request forgery, or obtain sensitive information. These vulnerabilities affect Safari running on both the Mac OS X and Windows platforms.

US-CERT encourages users and administrators to review Apple article HT3949 (http://support.apple.com/kb/HT3949) and upgrade to Safari 4.0.4 to help mitigate the risks.
Categories: Security Advisories

Microsoft Releases November Security Bulletin

US-CERT Current Activity - Tue, 11/10/2009 - 13:50
Microsoft has released an update to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for November 2009 (http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx). These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with escalated privileges.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.
Categories: Security Advisories

Apple Releases Mac OS X v10.6.2 and Security Update 2009-006

US-CERT Current Activity - Tue, 11/10/2009 - 08:02
Apple has released Mac OS X v10.6.2 and Security Update 2009-006 to address multiple vulnerabilities in a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct a man-in-the-middle attack, operate with escalated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review Apple article HT3937 (http://support.apple.com/kb/HT3937) and apply any necessary updates to help mitigate the risks.
Categories: Security Advisories

Safeguard Your Data

MS-ISAC Daily Tips - Tue, 11/10/2009 - 06:00

Safeguarding your business and personal data has never been more difficult or important. How do you safeguard sensitive/confidential data? The manner of protection often depends on what kind of data you are safeguarding, how important or sensitive it is to you, to your organization or your customers.


The following tips will help you become aware of how to protect data both at work and at home:

  • Password-protect your access - Use a strong password or pass-phrase to protect access to your data.
  • Identify where the data is stored - Have specific places within your network or computer where you store sensitive/confidential data. Those network shares, hard drives, servers, or system folders can then have specific protection methods used to keep them more secure.
  • Encrypt stored sensitive/confidential data - Whenever possible, encrypt stored sensitive/confidential data, whether it is being permanently or temporarily stored. This can help prevent unintended disclosure even if your system has been compromised.



Categories: News and Tips

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (MS09-067)

MS-ISAC Advisories - Tue, 11/10/2009 - 00:00
Multiple vulnerabilities have been discovered in Microsoft Office Excel. These vulnerabilities can be exploited by opening a specially crafted Excel document. The document may be received as an email attachment, or by visiting a web site where the document is posted. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. SYSTEMS AFFECTED: Microsoft Office XP Microsoft Office 2003 Microsoft Office 2007 Microsoft Office ...
Categories: Security Advisories

Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (MS09-068)

MS-ISAC Advisories - Tue, 11/10/2009 - 00:00
A vulnerability has been discovered in Microsoft Office Word. This vulnerability can be exploited by opening a specially crafted Word document. The document may be received as an email attachment, or by visiting a web site where the document is hosted. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions. SYSTEMS AFFECTED: Microsoft Office XP Microsoft ...
Categories: Security Advisories

Vulnerabilities in Microsoft Windows Embedded OpenType Font Parsing Could allow for Remote Code Execution (MS09-065)

MS-ISAC Advisories - Tue, 11/10/2009 - 00:00
A vulnerability has been discovered in the way Microsoft Windows parses Embedded OpenType Font (EOT) which could allow for remote code execution. Embedded OpenType Fonts are fonts within Microsoft Windows that are used for designing web pages and documents. These vulnerabilities can be exploited if a user opens a specially crafted file or webpage, including opening an e-mail attachment. Successful exploitation may result in an attacker gaining the same user privileges as the logged on user. Depending on the privileges associated with this user, an attacker could then install programs; view, change, or delete data; or create new accounts. ...
Categories: Security Advisories

Know the Rules of Cyber Ethics

MS-ISAC Daily Tips - Mon, 11/09/2009 - 06:00

Cyber ethics refers to the code of responsible behavior on the Internet. Just as we are taught to act responsibly in everyday life, with lessons such as "Don't take what doesn't belong to you" and "Do not harm others," we must act responsibly in the cyber world as well. The basic rule is: do not do something in cyberspace that you would consider wrong or illegal in everyday life.

 

When determining responsible behaviors, consider the following:

  • Do not use rude or offensive language.
  • Don't be a bully on the Internet.
  • Do not call people names, lie about them, send embarrassing pictures of them, or do anything else to try to hurt them.
  • Do not copy information from the Internet and claim it as yours. That is called plagiarism.
  • Adhere to copyright restrictions when downloading material including software, games, movies, or music from the Internet.
  • Do not break into someone else's computer.
  • Do not use someone else's password.
  • Do not attempt to infect or in any way try to make someone else's computer unusable.


Categories: News and Tips

Vulnerability in TLS Protocol Session Renegotiation

MS-ISAC Advisories - Mon, 11/09/2009 - 00:00
A vulnerability exists in the Transport Layer Security (TLS) protocol that could allow attackers to intercept secure communications from unsuspecting users. TLS is widely used to provide secure communication over the Internet. If successfully exploited, this could result in information disclosure or credential theft of the affected user. Please note: Proof of concept code has been published and is publicly available. However, we have not received any reports of active exploitation of this vulnerability. SYSTEMS AFFECTED: Apache Software Foundation Apache 2.2.8 Apache Software Foundation Apache 2.2.9 GNU GnuTLS 2.0.0 - 2.8.3 Microsoft IIS 7.0 Microsoft IIS ...
Categories: Security Advisories

SSL and TLS Vulnerable to Man-in-the-middle Attacks

US-CERT Current Activity - Fri, 11/06/2009 - 19:01
US-CERT is aware of reports of publicly available exploit code for a vulnerability within the SSL and TLS protocols. Reports indicate that exploitation of this vulnerability may allow an attacker to conduct a man-in-the-middle attack, allowing an attacker to inject plaintext into the beginning of the application protocol stream.

US-CERT encourages OpenSSL users and administrators to review the OpenSSL 0.9.8l release (http://www.openssl.org/source/) and apply any updates.

US-CERT has not received any reports of active exploitation and will continue to provide additional information as it becomes available.
Categories: Security Advisories

Microsoft Releases Advance Notification for November Security Bulletin

US-CERT Current Activity - Thu, 11/05/2009 - 16:17
Microsoft has issued a Security Bulletin Advance Notification (http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx) indicating that its November release cycle will contain six bulletins, three of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows. There will also be three important bulletins for Microsoft Windows and Microsoft Office. Release of these bulletins is scheduled for Tuesday, November 10.

US-CERT will provide additional information as it becomes available.
Categories: Security Advisories

BlackBerry Desktop Manager Vulnerability

US-CERT Current Activity - Thu, 11/05/2009 - 08:45
Research in Motion has released Security Advisory KB19701 (http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19701) to address a vulnerability in BlackBerry Desktop Manager. This vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users to review BlackBerry Security Advisory KB19701 and apply any necessary updates.
Categories: Security Advisories

Back-up Important Files

MS-ISAC Daily Tips - Thu, 11/05/2009 - 06:00

You may find that an infection has affected your computer so much that the
operating system and applications need to be reinstalled. In cases like this it
is best to have your important data backed up already so you can restore your
system without fear of losing your data. Below are some important steps you can
follow:

  • System and Data Backups: Review, update and test your file backup process.
  • Operating System: Check for updates and remove unneeded programs.
  • Anti-Virus, Anti-Spam, and Anti-Spyware: Check all products for current
    versions and updates.
  • Back-up important files on a weekly basis - at least.

Categories: News and Tips