• City of Tacoma QA
  • City of Tacoma Data

Security Tips

What is malware?

You have heard this term before but what is it? Malware is a generic term for software that can compromise a computer’s security. It includes viruses, worms, bots and spyware. The most common ways malware might end up on your computer is by:

  • Clicking an attachment in an email message.
  • Clicking on a malicious link in an email or web page.
  • Downloading software, toolbars, browser add-ins, and screen savers from untrustworthy or compromised web sites.
  • Sharing infected files on USB thumb drives.


What is a social-engineering attack?

In a social engineering attack, an attacker uses human interaction to obtain, or compromise, information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

Be cautious when giving out information and verify a person’s identity. Refer questions to the appropriate responder. 

What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:

  • Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami.)
  • Epidemics and health scares (e.g., H1N1.)
  • Economic concerns (e.g., IRS scams.)
  • Major political elections.
  • Holidays.

Be wary of attachments and links in emails.

Do you think the typical hacker is an adolescent loner?
Think again. Most recent attacks resulting in identity theft or financial loss have been brought about by organized crime. These entities have real programmers creating malware that steals information either entered, or residing, on your PC. It is big business. Conservative estimates from the FBI are around $5 million in direct financial loss due to cybercrime in the United States alone. The software is often sophisticated enough to allow these entities to stealthily remote control hundreds of thousands of machines in organized “botnets.”  

Some Websites May Collect Your Information for Malicious Purposes
If attackers are able to access files, passwords, or personal information on your computer, they may be able to use this data to their advantage. The attackers may be able to steal your identity, and use and abuse your personal information for financial gain. A common practice is for attackers to use this type of information once or twice, then sell or trade it to other people. The attackers profit from the sale or trade, and increasing the number of transactions makes it more difficult to trace any activity back to them. The attackers may also alter the security settings on your computer so that they can access and use your computer for other malicious activity.  

What is cyber-crime?
Cyber-crime is a generic term for crimes committed from the behind the screen of anonymity that the internet provides. It is nearly impossible to tract the identity of a cyber-crook. Organized cyber-crime is big business, as it provides a safe haven for thieves with little risk of being caught.

Avoid becoming a victim of Cyber-crime by not revealing personal or financial information over the internet, and do not respond to email solicitations for this information. This includes following links sent in email.

Pay attention to the URL of the website you are visiting. Look for a lock symbol or an S in the HTTP part of the address. HTTPS means you are on a secure site.

Be wary of attachments and links in emails.  

What is SPAM?
SPAM is unsolicited email sent to large groups of people. It is wise to be very cautious about unexpected email, especially if it has an attachment. Cyber-criminals are constantly finding new ways to spread malware, and PDF files, Microsoft Office documents, ZIP files, and shortcut links, have become a popular method of delivery as email attachments.

  • Do not follow links that you are unsure about or surf dangerous sites.
  • Do not open any email attachment you were not expecting, even if it is from a friend.
  • Delete SPAM emails without opening them.

What are symptoms of a computer virus?

Symptoms of a computer virus infection vary widely, and are different depending on the type of virus or malware. You can be certain your computer is infected if it suddenly starts acting erratically; slows to a crawl or shuts down unexpectedly; directs you to websites that offer to sell you anti-virus software; or pop-up messages start appearing. Be warned however, that there are some viruses that do not present symptoms.  This is because they do not want you to know your computer is infected. The first thing some viruses do is disable your anti-virus/anti-spyware software.

What do I do if I am sure I have a computer virus?
If you are the unlucky recipient of a computer virus, do not send emails or share files until the problem is resolved. If you are on-the-job, contact your computer support person immediately. If you are at home, try running your antivirus software and contact technical support. Remember that you are the first line of defense in protecting your computer.

Safe Surfing When Navigating Websites
Practicing safe surfing when navigating websites means being aware of and using the following best practices.  Following these steps will help minimize the risk of catching and spreading computer viruses.

  • Do not follow links that you are not sure about.
  • Do not surf dangerous sites.
  • Do not open email attachments you were not expecting even if it is from a friend.
  • Use a different password for each website that requires one and change your password often.
  • Keep your computer system software up to date with vendor provided security enhancements.
  • Pay attention to the URL of the website you are visiting.  Look for a lock symbol or an “s” in the “http” part of the website's address.  The icon and additional "s" mean you are using a secure site.  This is what you want if you are using a credit or debit card or providing personal information on the Internet.  

Staying Safe When Shopping Online
The Internet can present unique risks, so it is important to take steps to protect yourself. Here are some steps you can take:

  • Conduct independent research before you buy from a seller you have never done business with. Some attackers try to trick you by creating malicious websites that appear legitimate, so you should verify the site before supplying any information.
  • Pay attention to the URL of the website you are visiting.  Look for a lock symbol or an “s” in the “http” part of the website's address.  The icon and additional "s" mean you are using a secure site.  This is what you want if you are using a credit or debit card or providing personal information on the Internet.  
  • Never use unsecured wireless networks to make online purchases.  
  • Print and save records of your online transactions, including the product description, price, online receipt, terms of sale and copies of any email exchanges with the seller. Read your credit card statements as soon as you get them to make sure there are not any unauthorized charges.
  • Use safe payment options. Credit cards are generally the safest option because they allow buyers to seek a credit from the credit card issuer if the product was either not delivered or ordered.  

Staying Safe When Using Social Networks 
Social networking is a general term used to describe sites like Facebook, Twitter, and LinkedIn. Social networking is a great way to send and receive updates, but you should be wary about how much personal information you post. Follow these tips to stay safe when using social networking.

Privacy and security settings exist for a reason. They are there to help you control who sees what you post and manage your online experience in a positive way. Learn about the privacy and security settings on social networks and use them.

Remember that once something has been posted it is always posted.  Protect your reputation on social networks. What you post online stays online, even if it appears that you have successfully deleted it. Think twice before posting pictures you would not want the public to see. Did you know that recent research has found that 70 percent of job recruiters have rejected candidates based on information found online?

Keep personal info personal. Be cautious about how much personal information you provide on social networking sites. The more information you post, the easier it may be for a hacker or someone else to use that information to steal your identity, access your data or stalk you.

Be cautious about messages you receive that contain links. Even links that look like they come from a friend can be part of a phishing attack (an attempt to collect personal information like your user logon and password and other identifying information by pretending to be a message from a friend or legitimate business.) If you are suspicious, contact your friend or the business directly to verify the validity. 

Choosing Strong Passwords
The Internet can present unique risks, so it is important to take steps to protect yourself.  The passwords you use are often the only barrier between you and your personal information. There are programs attackers use to help guess or crack passwords, but choosing strong passwords and keeping them confidential makes it more difficult for unauthorized persons to access your information. Here are some password tips:

  • Always choose a password containing eight or more characters. 
  • Do not use passwords that are based on personal information, such as your birthday, house number, phone number, family names or the last four digits of your social security number.
  • Use acronyms instead of actual words. For example, instead of “golf” use “GimL” for Golf is my Life.
  • Use combinations of capital and lowercase letters, numbers, and special characters.
  • Do not carry passwords around with you.  If your purse or wallet is stolen, and you have account numbers and passwords listed for your convenience, that also provides easy access for an unauthorized person. 

Protecting Passwords
Once you have chosen a password that is easy for you to remember, but difficult for anyone to guess, the next step is to keep it secure.  Writing down your computer password and leaving it under your keyboard makes it easy for anyone who has access to your workspace to access your computer.  Keeping a list of bank accounts or their associated PINs in your purse or wallet is an open invitation to criminals. Here are some tips on protecting your passwords: 

  • Many websites offer a function to store your log in information.  It is best to bypass this option. Some programs do not have strong security, so it is best to input your password each time you log into any site.
  • Use a different password on different systems or for different accounts. If your information is compromised at one location, an unauthorized person will not be able to access your other accounts using the same password.
  • Do not share your password with anyone.
  • Be wary of phone calls or email messages requesting your password. These are often phishing attacks where the initiator tries to trick you into revealing data that will provide easy access to your personal data. 
  • Do not carry passwords with you or leave them out on your desk.

What does antivirus software do?
Most of us understand that surfing the Internet exposes the user’s computer to risks of virus and malware attacks, and that using antivirus software can help minimize that risk.  But, how does that software work, and what does it actually do?

Antivirus software can identify and block many viruses before they can infect your computer. The software scans your files and your computer's memory for certain patterns that may indicate an infection. For that reason, once you install antivirus software, it is important to keep it up to date, as virus authors are continually releasing new and updated viruses.

Be aware that the first thing a virus often does is attack and disable antivirus software. There is no absolute guarantee that if you purchase and use antivirus software you will be safe from a computer infection.

It is a good idea to manually scan files you receive from an outside source before opening them. This includes saving and scanning email attachments or web downloads rather than selecting the option to open them directly from the source.   Also scan any media, including CDs and DVDs, for viruses before opening any of the files.

If the antivirus software finds an infection, it will normally notify the user and either isolate or quarantine the virus.  Once done it will attempt to clean or remove the virus from the system. When purchasing antivirus software, familiarize yourself with its features so you know what to expect.

The United States Computer Emergency Readiness Team website has information on computer safety precautions. 

Understanding Encryption
Encrypting data is a good way to protect sensitive information. It ensures that the data can only be read by the person who is authorized to have access to it. Exactly what is encryption? What is encryption?
In very basic terms, encryption is a way to send a message in code. The only person who can decode the message is the person with the correct key. To anyone else, the message looks like a random series of letters, numbers and characters.

Encryption is especially important if you are trying to send sensitive information that other people should not be able to access. Because email messages are sent over the Internet and might be intercepted by an attacker, it is important to add an additional layer of security to sensitive information. 

The purpose of encryption is confidentiality and concealing the content of the message by translating it into a code.

How does encryption work?
Obtain the public key for the person you want to be able to read the information. If you get the key from a public key ring, contact the person directly to confirm that the series of letters and numbers associated with the key is the correct fingerprint.

Encrypt the email message using their public key. Most email clients have a feature to easily perform this task.

When the person receives the message, he or she will be able to decrypt the information.

The United States Computer Emergency Readiness Team website has more information on encryption in Cyber Security Tip ST04-019
Coordinating Virus and Spyware Defense
The Security and Enterprise Architect Office (SEAO) recommends the following excerpts from the National Cyber Alert System for useful information on coordinating virus and spyware defense on home computers:Is it better to have more protection?
Spyware and viruses can interfere with your computer's ability to process information or can modify or destroy data. You may feel that the more antivirus and anti-spyware programs you install on your computer, the safer you will be. It is true that not all programs are equally effective, and they will not all detect the same malicious code. However, by installing multiple programs in an attempt to catch everything, you may introduce problems.

How can antivirus or anti-spyware software cause problems?
It is important to use antivirus and anti-spyware software, but too much or the wrong kind can affect the performance of your computer and the effectiveness of the software itself. Scanning your computer for viruses and spyware uses some of the available memory on your computer. If you have multiple programs trying to scan at the same time, you may limit the amount of resources left to perform your tasks. It is also possible that in the process of scanning for viruses and spyware, antivirus or anti-spyware software may misinterpret the virus definitions of other programs. Instead of recognizing them as definitions, the software may interpret the definitions as actual malicious code. Not only could this result in false positives for the presence of viruses or spyware, but the antivirus or anti-spyware software may actually quarantine or delete the other software.

Avoid Problems with Virus and Spyware Defense
Using antivirus and anti-spyware software is an important part of cyber security. But, in an attempt to protect yourself, you may unintentionally cause problems.

Some other tips include: Investigating your options in advance Research available antivirus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes, and try to find out how frequently the virus definitions are updated. Also check for known compatibility issues with other software you may be running on your computer.

Limit the Number of Programs You Install
Many vendors are now releasing packages that incorporate both antivirus and anti-spyware capabilities together. However, if you decide to choose separate programs, you really only need one antivirus program and one anti-spyware program. If you install more, you increase your risk for problems.

Install the Software in Phases
Install the antivirus software first and test it for a few days before installing anti-spyware software. If problems develop, you have a better chance at isolating the source and then determining if it is an issue with the software itself or with compatibility.

Watch for Problems
If your computer starts working more slowly, you are seeing error messages when updating your virus definitions, your software does not seem to be recognizing malicious code, or other issues develop that cannot be easily explained, check your antivirus and anti-spyware software.

Protect Your Personal Information and Beware of Phishing Scams
A recent security breach at Epsilon, a major email marketing firm, exposed names and email addresses for customers of some of the nation’s largest companies. These customers may be exposed to an unusually high number of email-based scams. Check out these tips and resources to help you avoid being scammed.

  1. Beware of suspicious emails that urge you to “act quickly or your account may be locked, suspended, or closed.” Do not respond to them or click on links or attachments. Always call the company directly to see if there is a problem with your account.
  2. Due to the scope of this breach, the criminals sending these “phishing” emails may have specific information related to your email account. They can use this information to create an email that looks like it is for you specifically. Do not provide any personal information in response to these emails.
  3. Consider changing your email address and sending it to companies you still want to communicate with via email.