For years my kids viewed me as not very tech savvy. I suspect that was because I wasn’t a power gamer or perhaps they believed that parental units just don’t get it. Over time, however, I have found it ironic that several of these now young adults occasionally call home for instructional help and guidance with their laptops and smartphones. One call of note occurred a few years ago and concerned a laptop that was dying a painful death due to an inordinate number of nasty viruses and Trojans that had erased restore points and data as well as turned over control of that laptop to someone else. I was not able to help with this problem since we were separated by several thousand miles at the time. My only advice was to suggest that the time had come to seek the advice of an expert and take the system in. With any luck and perhaps a few hundred bucks, the laptop could be cleaned up. I didn’t offer any monetary assistance because all of our kids were educated about safe practices when using the Internet. Further, this particular young adult didn’t ask for financial assistance because he knew that this outcome was of his own doing. There was an unspoken acknowledgement that “stupid is as stupid does.” You see, I believe that one learns best by dealing with the consequences of one’s own actions, particularly when one should have known better. Unfortunately, that laptop eventually had to be put out of its misery due to the extensive damage.
In a work setting such as a law office, however, allowing similar life lessons to play out isn’t an option as the wrong mouse click by anyone in the office could result in serious and unintended consequences to the office network. I have worked with a number of firms that have had the entire network taken down by malware infections. Other firms have had systems hacked and client records accessed and some firms have even had the misfortune of having someone hack into the network in order to gain access to bank accounts and steal client funds. While my son’s actions were stupid because he did know better, many computer users truly aren’t aware of all the ways that they could expose the network. With this in mind, I share the following list of behavioral safety tips for those of us who work in the wired world. Share them with all in the office because it’s too easy to assume that everyone knows these things. Truth be told, many don’t and that’s a problem.
Go directly to the source; don’t have someone else offer to take you there. Offers of a lifetime, outlandish headlines, and breaking news about the latest sports star or Hollywood actress are just examples. Don’t follow links in email, instant messages, or in a Tweet. Go to the news source or website directly if you wish to confirm the veracity of the offer or information. This is particularly important with links in chain email that so many seem to love forwarding. Have you stopped to consider why someone might want to create these chain emails? The joke of the day, the call for patriotism, the political party bashing, or the plea for money to help those in need after a major disaster is often not what it purports to be. Others are preying on you and taking advantage of your sensitivities. Finally, be aware that email that appears to come from a friend or loved one may actually not have. There is nothing wrong with a quick call or text to the sender to confirm that they actually sent the email or Ecard. I have prevented more than a few attacks by doing just that.
With free you get what you pay for, nothing. The use of a free file-sharing network is a security risk, period. Free music, free toolbars, free screen savers, free third-party apps, and free movies (the list goes on and on) can sometimes bring network or PC instability due to a software incompatibility issue. They can also bring with them more than just what you see. As an example, after downloading a free song from a BitTorrent site, you might find yourself dealing with a real mess. This is what has happened to several of our progeny, including the one mentioned above. Why do you think these things are free? Yes, not every download comes with a nefarious payload, but you have no way of knowing which downloads do and which don’t.
Never give out personal information over the web unless you have initiated the contact by going directly to the website and have a secure connection. Look for “https” at the beginning of the web address. That “s” means secure. If, after receiving some email notification, you really are concerned and feel that your bank, the IRS, or PayPal is trying to confirm information, call or email them directly. Don’t respond to incoming email that asks for personal information. It’s almost always a fake.
Keep your Internet security software suite and operating system software up to date at home and at work. Your systems can’t protect you if they are not kept current and often the operating system updates are addressing known security issues. This advice also applies to Mac and tablet users. A recent botnet attack on Macs known as Flashback managed to infect over 1% of Macs worldwide. Staying current with updates is particularly important if a home computer or tablet will be used for work in any way. Don’t allow personal devices to be the weak link. Also, always remember to back up data. One firm that I worked with ended up having to rebuild their data set by hand after a successful network attack.
Never click on a pop-up window!! Not even to close it, as doing so can result in an unintended download of malware. Very malicious types of malware have been spread in this fashion, including software that will record your keystrokes (a keylogger) once you log in to a bank or credit card account. Note: In Windows, you close a pop-up by right-clicking on its icon on the taskbar and clicking “close window”.
Don’t respond to unsolicited junk email as this simply validates that your email address is a good address. You will see more junk, some of which will be a security risk if opened. Simply delete it.
Do not connect to the Internet via free WiFi hotspots absent the ability to encrypt your session. Others can and sometimes will monitor what you are doing, which might include recording any login information that you used while on the Internet. Heaven help you if your credit card account login information is stolen in this fashion. In California it is now unethical for an attorney to use unsecured wireless hotspots for work. Other states are sure to follow.
Visit only reputable sites, especially when making any kind of online purchase or downloading anything. Confirm that the site is secure (https:) prior to entering any payment information. Programs like McAfee’s “SiteAdvisor” can help with this. If you have a legitimate reason to visit a non-reputable site, for instance as part of an investigation, consider doing so by using a freestanding laptop or tablet that connects directly to the Internet and will never be connected to the office network.
Do not use public computers for work, including computers at Internet cafés, hotel business centers, libraries, and the like. These are not safe computers, period. If you absolutely must for some personal reason, always uncheck any “remember me” boxes at login, log out of all sites that you were logged into when finished, and close the browser. This will help prevent someone from later obtaining personal information about you by following the trail you left behind. If you know how, you should also delete your browsing history, temporary folders, and cookies. Of course, if the public computer happens to have a keylogger installed, none of these steps will matter.
Never disable the firewall in order to visit a website. Don’t change your browser security setting to low or turn off your security program solely to allow a website to load. The site isn’t loading for a valid security reason.
Read and follow your firm’s Internet Use Policy, if one is in place, and ask for clarification on any item that you don’t understand. If you don’t have an Internet Use Policy, a great place to start would be to view sample policy language found at http://www.sans.org/security-resources/policies/.