Computer Security

Over the decades, our use of information technology has changed, give us more powerful ways of communicating and exchanging information with business associates, friends, and family. Unfortunately others who do not share our values and ethics see in this technology new opportunities to exploit us.

The largely invisible nature of information security threats makes these difficult to control. As a result the state of security on the Internet today is very poor, reflecting our culture's general lack of concern or interest. Some very simple protective measures will go a long way to avoiding serious problems, because the threats will go after softer targets.

Let's face it, our home computer environment is not NSA. We do not need their level of protection and we do not have their resources. But we do not want to have our computers misused to distribute spam, attack other Internet users and we do not want to have our identities stolen, and our financial or other personal information exploited by criminals around the world. Here are some simple things you can do when you set up your home computer

1. Use a separate administrator account. Setup the accounts you normally use for your web browsing or email as non-administrators. If you open a malicious email or connect to a website with malware, you cannot accidentally install viruses or trojans on your computer, because your account does not have install privileges. Use your administrator account only when you need to install software.
2. Do not share computer accounts. Give each user their own personal computer login. This way they can personalize their settings and preferences, and this reduces the exposure of information across communities.
3. Use separate email accounts. Don't use your company account for personal business and don't use your personal account for business. Have a separate account for online purchases, because these will always get you on marketing and spam lists. Separate accounts will allow you to distinguish spearphishing messages because their topic such as banking would not be coming to your business account.

4. Use anti-virus. If you are using any version of the Windows operating system, you should install as a minimum Microsoft's free Security Essentials. Be sure to get this directly from Microsoft's website. There are sites that impersonate Microsoft to sell this free software bundled with their own bogus products. Additional anti-virus software is also a good idea, but stick to only American products. The strongest products are from Symantec (e.g. Norton). McAfee is a fair product, but not as strong as Symantec. Never use Russion products (Kaspersky) unless you want to give Vladimir Putin and his mafia buddies a privileged seat on your computer. Be aware that Kaspersky pays BestBuy to push their products.

Anti-Spam

No-one likes receiving spam and other unwanted electronic messages. They clutter our mailboxes, consume server processing, storage, network bandwidth, and require time to review, recognize, and delete. All of this costs money

What We Have Done

In response to this problem we have already implemented several significant improvements. All incoming email from the Internet currently is handled by the Exchange Server 2010 built-in junk-mail and anti-spam systems. You can adjust your settings using the built in junk-mail tools to designate specific types of messages as spam. They will be automatically routed into your Junk Mailbox for review as needed.

Earlier this year we have implemented several significant changes to counter the growing spam problem.

First, we have retired the legacy f.last@mybctllc.com domain and email addresses that are carry-overs from a hosting provider we have not used for over four years. Most of the messages still coming to these old addresses are spam, and our legitimate corresponents have had over four years to update their address books for our current addresses. Messages sent to the old addressse will become undeliverable.

Second, we have droped the use of the alternate f.last@bct-llc.com email alias since this compromises user login identities to intruders. The default email policy has always been the first.last@bct-llc.com format, but to smooth the transition from our legacy system, we supported the older address format as an alternate. This ended in January. Users who have a requirement to retain the legacy format will be given a new login account, to ensure that it is different from their email address.

What You Can Do

The most important thing you can do is to protect your email address. If spammers don't have your address, they can't put you on their distribution lists. There is a very active market in mailing lists. Addresses are bundled by the thousands, sold, and redistributed among email mass-marketers, spammers, and criminal elements. This many of these operate on the global Internet, there is generally no-one who can curtail these activities once they have your email address. The Government and the Internet Service Providers are powerless against this plague.

The most effective protection is prevention. You can help in these specific ways.

1. Never post your company email address on public websites, blogs, social networks, mailing lists. Spammers are constantly mining the Internet to harvest email addresses.
2. Never reply or attempt to unsubscribe to spam. This only serves to confirm that your address is live, making it more valuable to spammers who can charge a premium for it once it has been "verified".
3. Never sign up for distribution lists with your company address. Use a third-part account for these purposes, or request us to set up a temporary alias.
4. Never provide your company address to vendors. Their terms of service generally allow them to sell their customer lists to email mass marketers. Use a third-part account.
5. Never use your company address with third party Internet services such as Evite or file-sharing services. Our corporate servers provide all of these capabilities without the need of a third party. Theses "free" services actually make money by harvesting information about their users and marketing this information to email mass marketers. They are only offering their services as a way to collect email accounts and user data to resell. Nothing is free.
6. Never install software on your company workstation. This is a violation of company policy and undermines the security and integrity of our networked infrastructure. Many free products such as FireFox web brower include embedded spyware and adware.
7. Never share your screen with third-part vendors. This is a violation of company policy and undermines the security and integrity of our networked infrastructure. All screen-sharing services function by installing trojan software into your company profile that starts-up automatically and opens a back-door through our corporate firewalls to allow your system to be viewed and manipulated by untrusted outsiders.
8. Use only your company address for company business, never your personal accounts. Mixing business and personal communications exposes our company email addressses to exploitation by your personal mail providers, whose usage policies permit them to harvest and market your information to their advertisers.

Third Party Filtering - Connecting to Other Mail Accounts

Storing customer and company information on public internet servers violates both Government and company policies.

While, several Internet mail service providers such as Comcast or Gmail provide anti-spam capabilities, none of these webmail applications offers the full experience provided by Microsoft's Outlook Web App, and there is no reason to use them. Most of these use public shared Internet resources that lack the security and privacy provided by BCT systems. Additionally connecting these systems mixes business and personal information, exposing our information systems to exploitation.

Slaving your BCT account to external providers is a serious violation of BCT information security policy since it involves compromising your user account and Active Directory credentials to an untrusted third party and storing customer and company information on public Internet servers that are not accredited for this information.

Keep in mind that your Active Directory account is your single sign on for access to all BCT services including private web sites, protected file services, your electronic timesheet, and other systems requiring confidentiality, integrity, and authentication. It is your responsibility to protect your user credentials. If you choose to violate this responsibility, you expose highly sensitive customer and company information to exploitation by competitors and foreign Governments.

Remember, all of the home mail service providers are routinely compromised and cannot be trusted to protect BCT information and services.

Spearphishing

No, this article is not really about fishing, but about the most common form of Internet exploits that we are seeing today. In fact, over 50% of all Internet attacks take a form called Spear Phishing. Phishing is an attempt to acquire information from a target by impersonating a person or organization in an electronic message and motivating the target to either open a malicious attachment or connect to a linked website containing malicious files. Spear Phishing refers to Phishing targeting specific individuals or companies.

Targets that open these malicious attachments or connect to these linked websites can have spyware installed on their workstations to compromise their usernames, passwords, address books, banking accounts, and other information sought by the perpetrators of these attacks. Compromised accounts are often used to distribute spam to new targets, often identified in the target's address books, people who will recognize the sender and open messages or attachments thinking they are from a trusted associate.

Spear phishing has become so predominant because of the ease with which it can be employed against anyone. All someone needs to have to attack you is your email address. They can get it from websites where you may have posted it or from your friends and business associates if their workstations are compromised.

Many of the spear phishing messages may look authentic and may include genuine graphics and content copied from the actual organizations being impersonated. these include banks, electronic commerce sites, PayPal, phone companies, Internet service providers, Federal Express, DHL, the US Postal Service, or similar businesses. The common thread to watch for is a sense of urgency in their message urging immediate or impulsive action involving opening an attachment or connecting to a website.

Others may include links to web sites that impersonate Canadian pharmacy sites or social media. Fake Canadian pharmacy sites are popular with the Russian mafia and are used primarily to harvest credit card numbers from unwitting customers. None of these sites actually sell anything; they exist only for large scale mining of credit card numbers.

Secondary markets have developed where stolen user accounts and credit cards are bundled into groups of thousands of entries and resold to other attackers. Malicious software is also developed and sold making it easy for anyone interested in engaging in this activity to acquire the tools and information they need to conduct their intended purposes.

Most Spear Phishing attacks are so naive that it is easy to dismiss them as serious threats; however their popularity with criminal organizations and hostile foreign agencies is the result of their success. These attacks are easily automated and conducted on a large global scale. The attackers only need a small percentage of these attacks to succeed in order to yield the desired results.

The best defense against Spear Phishing is prevention. Protect your email accounts from exposure. Use different accounts for different purposes. Delete suspicious messages without opening attachments or clicking links. Legitimate businesses such as Banks do not operate using email messages. Feel free to contact us if you have any questions or assistance.

This is an example of a typical fake Canadian web site, actually operated by the Russian Mafia to steal credit card numbers.

This is an example of a typical fake administrator message, actually operated by the Russian Mafia to compromise your system. Remember we never send security messages by emails, and we never use generic administrator accounts.

Defense Security Service (DSS)

DSS's Center for Development of Security Excellence (CDSE) has released a new Counterintelligence (CI) Security short, "Suspicious Emails." This short provides learners with an opportunity to practice identifying what constitutes a suspicious email while increasing awareness about the importance of reporting suspicious contacts. To access the new CI short, go to:

Click here to connect to the DSS CI Short on Suspicious Emails.

Better Business Bureau

These videos produced by the Better Business Bureau provide more information about today's Phishing and Identity Theft threats.

Better Business Bureau Video: Avoiding Internet Phishing

Better Business Bureau Video: Phishing Scam Protection

Better Business Bureau Video: Avoiding Phishing Scams

Better Business Bureau Video: Technology and Identity Fraud

Anti-Virus

Today's computing environment is over-run with malicious software that attacks our systems in every aspect of our operations, including normal email and web activities. Many of these attacks are dinistinguishable from legitimate communications. The open nature of the Global Internet exposes all Internet-connected systems to continuous automated attacks. As a Defense contractor, we are specifically targeted by intelligence and cyber exploitation forces of hostile foreign Governments. Although our Federal, State, and Local Government agencies protects us against physical attacks, there is no-one protecting companies and citizens against cyber attacks. We are all on our own to protect our information and systems.

Symantec Endpoint Protection

Our corporate solution is Symantec's Endpoint Protection technology instead of individual anti-virus systems. The benefits of this solution include enterprise managability, scaleability, and situational awareness. Within this architecture, all workstations, laptops, and file servers run an agent that communicates with our central server to maintain current attack signatures, monitor traffic, and scan stored files for malware. These signatures are continuously updated by Symantec's Global Threat Monitoring systems, ensuring that we are always on the look-out for the latest threat activities.