Author: Susan Tenby, Community Manager, TechSoup.org
The transfer of sensitive information on the Web is inevitable. With hackers on the rise,
even the altruistic nonprofit world is not totally safe. From protecting
yourself from shoulder surfing in the office to safeguarding your organization
from major hacking endeavors, you can never be too careful.
This article is sort of a Security 101 for the office. It focuses on the following three categories:
1. How to intelligently choose a password
2. How to write discreet yet effective e-mail messages
3. Everything you wanted to know about cookies
Password Security
The first thing to think about when you implement an office security policy is passwords. It seems so obvious, and yet it is often overlooked. If someone has your password, they have access to all the files on your workstation. Here are some common-sense guidelines for keeping your password secure:
Do
- Change your password often (monthly is recommended)
- Use letter/number/special character combinations
- Choose a password that is easy to type
- Choose a password that is easy to remember
- Make your password at least six characters long
- Make up words either by switching syllables in real words (tefalone=telephone) or by joining words
Don't
- Don't use your first or last name
- Don't use the name of your pet or partner
- Don't use any easily traceable personal information (license plate or home address)
- Don't use your login or username
- Don't ever write your password down (on paper or in e-mail)
- Don't use a password of all numbers or all letters
- Don't ever tell anyone your password
- Don't leave a password on someone's voice-mail
- Don't use the same password for all your password needs
It might seem difficult to meet all the criteria while creating a password that is memorable. But it is possible, and a good guide is Netscape's "Choosing a Good Password" page. Consider following the guide's advice by using a phrase that is unique to you but easy to remember: for example, "My brother Charlie's birthday is November 29."
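As an added example (not part of the original article), the following Python script turns the Do and Don't lists above into a checker that reports which rules a candidate password breaks, and shows one way of building a password from a personal phrase: keep the first letter of each word, keep numbers whole, and keep the closing punctuation. The phrase-to-password technique and the list of "personal" terms (name, username, pet, license plate) are assumptions made for the example; the names and values in it are constructed.

```python
import string

# Constructed sample of the "personal information" the guidelines say never to
# use in a password: first/last name, username, pet's name, license plate.
# In a real deployment these would come from the user's own profile.
PERSONAL_TERMS = ["susan", "tenby", "stenby", "fluffy", "4abc123"]


def check_password(password, personal_terms=PERSONAL_TERMS):
    """Check a candidate password against the Do/Don't rules above.

    Returns a list of rule violations; an empty list means the password passes.
    """
    problems = []

    # Do: at least six characters long
    if len(password) < 6:
        problems.append("shorter than six characters")

    # Don't: all numbers or all letters
    if password.isdigit() or password.isalpha():
        problems.append("all numbers or all letters")

    # Do: letter/number/special character combinations
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_special):
        problems.append("missing a letter/number/special-character mix")

    # Don't: name, username, pet, partner, license plate, address ...
    lowered = password.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append("contains personal information: " + term)

    return problems


def from_phrase(phrase):
    """Turn a personal phrase into a password (an assumed technique for this
    example): keep the first letter of each word, keep numbers whole, and keep
    the phrase's closing punctuation so the result mixes letters, digits and a
    special character.
    """
    parts = []
    for word in phrase.split():
        core = word.strip(string.punctuation)
        if not core:
            continue
        parts.append(core if core.isdigit() else core[0])
    if phrase and phrase[-1] in string.punctuation:
        parts.append(phrase[-1])
    return "".join(parts)


if __name__ == "__main__":
    candidate = from_phrase("My brother Charlie's birthday is November 29.")
    print(candidate, check_password(candidate))  # MbCbiN29. []
    for weak in ("123456", "Susan1!", "fluffy"):
        print(weak, check_password(weak))
```

The checker only enforces the rules the article lists; it cannot tell whether a password is a dictionary word or has been used elsewhere, so it complements rather than replaces the judgement the guidelines ask for.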
A Note on Hackers:
One of the most common hacking methods is called social engineering: the hacker relies on a human to hand over a password. You may get a call from someone claiming to be a representative of your ISP. He may tell you that in order to determine whether there has been a security breach in your account, he needs to know your password. Or you may receive a call from someone who claims to be an employee of your organization who is about to leave on an airplane and has forgotten his password. These situations are not uncommon; get a name and a contact number for the individual and check up before you give out any information.
Never give your password out over the phone. There is a useful password-related link from the people at CERN (the organization where the Web was conceived).
E-mail Security
It is important to remember that e-mail is transferred from sender to receiver, and that this transfer is often not secure. An e-mail message is potentially viewable by every service provider through which it passes. David Raikow, Internet Security Specialist, says, "Sending e-mail is like sending a postcard, only less secure because [the postcard] passes by fewer eyeballs. E-mail is more like note-passing in class, because it has the ability to be passed, saved, deleted, or changed without the sender or receiver ever having known of it."
Not to induce complete hysteria, but any individual with authorized access (and many without) can read your e-mail. E-mail is also easily misrouted and forwarded without your permission. And let's not forget the BCC (Blind Carbon Copy), which allows another pair of eyes to see an e-mail message without the recipient ever knowing it.
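To make the "every service provider through which it passes" point concrete, here is an added Python example (not part of the original article) that reads the "Received:" headers every mail server adds as a message travels and lists the servers that handled, and therefore could have read or stored, the message. The message, its hostnames and addresses are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample: headers of a message that went from a workstation at
# sender.example, through the sender's mail server and an ISP relay, to the
# recipient's server. Each server adds its own "Received:" line at the top,
# so the most recent hop is listed first.
SAMPLE_MESSAGE = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
        by mx.receiver.example with ESMTP id C3; Tue, 4 Apr 2000 10:02:00 -0700
Received: from mail.sender.example (mail.sender.example [192.0.2.5])
        by relay.isp.example with ESMTP id B2; Tue, 4 Apr 2000 10:01:00 -0700
Received: from workstation.sender.example ([192.0.2.2])
        by mail.sender.example with ESMTP id A1; Tue, 4 Apr 2000 10:00:00 -0700
From: alice@sender.example
To: bob@receiver.example
Subject: Board minutes (draft)

The minutes are attached.
"""

# "from <host> ... by <host>" is the shape of a Received: header; DOTALL lets
# the match span the folded (continuation) line.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def mail_hops(raw_message):
    """Return (from_host, by_host) pairs from the Received: headers in
    chronological order (oldest hop first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(str(value))
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


def servers_that_handled(raw_message):
    """Every server that received the message, in the order it passed
    through them. Each one had the plaintext in its hands."""
    seen = []
    for _, by_host in mail_hops(raw_message):
        if by_host not in seen:
            seen.append(by_host)
    return seen


if __name__ == "__main__":
    for from_host, by_host in mail_hops(SAMPLE_MESSAGE):
        print(f"{from_host} -> {by_host}")
    print("handled by:", servers_that_handled(SAMPLE_MESSAGE))
```

One caveat when reading real headers: a sender can put fake "Received:" lines in a message before sending it, so only the lines added by servers you trust (usually the top ones, nearest the recipient) are reliable.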
You can read more about e-mail in TechSoup's article on Using E-mail Effectively. Even if an e-mail message is deleted, there may be back-up copies that are retrievable for years.
Because e-mail and the Internet are so new, the boundaries and limits of Fourth Amendment protection have not yet evolved in the courts. But remember that your employer can read any e-mail that passes through its servers. So while the Fourth Amendment may apply to e-mail, it doesn't apply to mail sent through your office. And the standard agreement that you most likely have with your ISP is that the ISP can do whatever it likes with your e-mail. So if you want to remain completely safe, do not send private or sensitive information over the Internet.
Having said that, don't believe the hype. There is a lot to be said for avoiding complete panic and steering clear of hoaxes. Salon helps soothe the excessively paranoid in their article about security.
Keep in mind that it's always good to use a common sense standard for e-mail -- don't write something that could be libelous (or even hideously embarrassing), illegal, or indiscreet in an e-mail message. Sooner or later, someone inappropriate could see it (if for no other reason than you accidentally hit the wrong key late one afternoon and posted your highly personal message to the entire office or listserv).
If you must send a secret or sensitive message, try hiding, or embedding, the message within another type of file. There are simple ways to embed files, like embedding a message in a JPEG picture file, that will help throw any snoopers off track. If you must send a very sensitive message, use an encryption software program like PGP (Pretty Good Privacy), discussed later in this article.
Encryption is a system that allows only those with the correct key to decode the message. It is one of the safest methods of sending information.
E-mail List Security
E-mail lists are discussion bulletin boards that are visited by people with a common interest (for example, Internet security). They are referred to as listservs, conferences, majordomo, exploders, and salons. See TechSoup's section on Listservs for more information. Because listservs can e-mail a number of people at once using one address (the listserv address), and the subscribers have access to the subscription list's inbox, there is plenty of room for security violations. Likewise, if you e-mail a listserv, you have no idea who may receive the information that you send. Some listservs are much more secure than others, and you have no way of knowing whether someone posing as a sympathizer is actually an opponent. If you have any privacy questions about a listserv, contact the owner of the list.
We recommend that you follow basic e-mail security rules and refrain from mentioning sensitive or private information on a listserv. Keep in mind that e-mails are permanently archived, and that they pass through many viewers. Use discretion when you CC (Carbon Copy) or forward a listserv message to a person who does not subscribe.
Web Security
The main issue in Web security is online forms. Sensitive information should not be sent to a webmaster via an online form. Any information that you submit through the Internet has an indefinite life span. Always keep in mind that the information you submit in a Web form is vulnerable to prying eyes in electronic transport. Fortunately, secure servers encrypt the information in transmission.
You can tell if you are on a secure site by looking at the URL. On a secure site, it will start with https:// and not http://. There will also be a small lock in the window of the browser, or at the bottom of the browser's frame.
Cookies Can Make You Sick
Cookies are pieces of code that lodge themselves on your computer and allow a Web site to trace and harvest information about your activities on that site. This means that a Web site knows when and how many times you've been there. When you log in to a site with cookies, the site saves your specific preferences (or any other information) on its server. When you go back to the site, it is able to "remember" who you are. This can be useful if the computer you're using is your home computer, or if the computer that you share does not contain any sensitive information, like your stock portfolio, that is saved to the site in the form of cookies.
The good news is that cookies can be useful tools that remember your personal profile and make your surfing quicker on a site that you frequent. They are also useful for remembering your site preferences.
The bad news is that most sites use cookies for marketing information. For example, the creepy and invasive message that you receive on your computer that informs you that it's time you update your virus software is the result of a cookie. Only the Web site that sets a cookie can access it.
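As an added example (not part of the original article), the following Python script uses the standard library's http.cookiejar, which applies the same rules a browser does, to show two of the points above in action: a cookie is handed back only to the site that set it, and a cookie marked Secure travels only over https://, which ties back to the https:// and lock advice in the Web Security section. A cookie on the wire is a name=value pair plus attributes, as the sample shows. The response object, the example.org and other.example hostnames, and the cookie values are constructed for this example.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class ConstructedResponse:
    """Stand-in for an HTTP response, built for this example: CookieJar only
    needs .info() to return a headers object that supports get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message keeps duplicate headers

    def info(self):
        return self._headers


def store_cookies(site_url, set_cookie_values):
    """Store the cookies a page at site_url sent, as a browser would."""
    jar = CookieJar()
    jar.extract_cookies(ConstructedResponse(set_cookie_values),
                        urllib.request.Request(site_url))
    return jar


def cookies_sent_to(jar, url):
    """Names of the stored cookies the browser would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies domain, path and Secure rules
    header = request.get_header("Cookie")
    if not header:
        return set()
    return {pair.split("=", 1)[0].strip() for pair in header.split(";")}


# Constructed sample: what a login page on example.org might send back. The
# "Secure" attribute restricts the session cookie to https:// connections.
LOGIN_SET_COOKIES = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "prefs=theme-dark; Path=/",
]
JAR = store_cookies("https://example.org/login", LOGIN_SET_COOKIES)


if __name__ == "__main__":
    for url in ("https://example.org/account",   # both cookies go back
                "http://example.org/account",    # only the non-Secure one
                "https://other.example/"):       # another site: nothing
        print(url, sorted(cookies_sent_to(JAR, url)))
```

The third request is the important one for the "breadcrumb trail" worry: a site learns what its own cookies record, not what another site stored, so the privacy exposure comes from what you tell the site and from advertisers that set their own cookies on many sites.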
Different browsers have different cookie settings. With Netscape, you can have the browser allow all cookies, warn you when it comes across a cookie, or completely disable cookies. Internet Explorer has an additional feature that lets you specify different settings for different security zones. You can choose to allow Web sites to create cookies for you in your "trusted sites" zone, warn you before they are created in your local Intranet zone, or never allow them in a "restricted zone."
A basic precautionary rule to follow for cookies is: if you're browsing and you're afraid of leaving a breadcrumb trail for marketers, disable your cookies. Be aware that you are leaving a trail everywhere you accept a cookie.
- Cookies will tell Web advertisers which ads you click through.
- The disadvantage of cookies is that your usage becomes a marketing tool.
- Cookies can be helpful to save your preferences on a site that you frequently visit.
- On an office computer, never give your sensitive information to a site with cookies.
- If you are uncertain about whether you want them, uncheck the "Accept All Cookies" box in your browser's Settings menu.
- If you are afraid of not having access to all sites, select "Warn Before Accepting," although this may be annoying if an individual site has set a lot of cookies.
Version history:
Authored by Susan Tenby.
Posted as Word document by Michael Schrecker.
Reposted as book page by Zac Mutrux.
