Insight Focus
- Corporate security is not impenetrable, so from time to time malicious e-mails will sneak through the organisation's spam and virus filters before vendors can provide the latest signatures. This is where your awareness becomes crucial -- you must know how to recognise these e-mails, and to treat them with extreme caution. Another problem is the emergence of "boutique malware", designed so it doesn't spread very far and may not come to the attention of antivirus vendors.
- A first step is to resist viewing or replying to messages from questionable or unknown sources, or opening dubious attachments.
  If a message purports to come from a familiar e-mail address but the sender's name doesn't match the address, the subject contains apparently random words or characters, or the writing style doesn't match your correspondent's, treat the message with great suspicion and delete it. Do the same with anything that purports to be a protestation of affection, a joke, a celebrity video or other non-business content. Several worms have used such tricks.
  Assume the worst: if it seems out of place, either delete the message immediately or call the apparent sender to confirm authenticity.
- Don't follow links in e-mails -- type the URLs directly into the browser instead. This is a big ask, seeing as people have been conditioned to click on links, and URLs are often long and generally contain seemingly random sequences of characters.
  You're not really likely to retype long links, so one compromise is to copy and paste an address from an e-mail into the browser. You'll need to take care to avoid clicking on the link while doing so. While that handles the old trick of showing a "good" URL in the text but linking to a "bad" one, it offers no protection against the more recent Internationalised Domain Names (IDN)/homograph exploit, which uses international characters closely resembling English letters to create domain names that appear familiar but are associated with bogus sites.
- Phishing attacks, where people are tricked into visiting fake Internet banking (or similar) sites through seemingly genuine e-mails, are becoming more common.
  A recent development is "spearphishing", where the e-mail is designed to trick specific people within an organisation in order to gain access to confidential information by installing keyloggers or other malware. So be on your guard, even when e-mail apparently comes from within the organisation.
- Finally, e-mail is not secure. If you have to use e-mail to send confidential information, use an approved encryption tool to protect the data in transit.
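As an added example (not part of the original article), the two link tricks described above expressed as a check a mail client or gateway could attach to each hyperlink: link text whose host differs from the real target, and a target label that mixes letters from several scripts once any punycode (`xn--`) is decoded, which is the IDN/homograph case. The hostnames are constructed samples, not real sites.

```python
import unicodedata
from urllib.parse import urlsplit


def looks_like_host(text: str) -> bool:
    """True if displayed link text resembles a host or URL rather than words like 'Click here'."""
    return "." in text and " " not in text.strip()


def host_of(url: str) -> str:
    """Lowercased hostname of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the address bar would show."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: keep as-is


def script_of(ch: str):
    """Coarse script class from the Unicode name, e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.
    Digits, hyphens and other non-letters return None so they never count as a script."""
    if not ch.isalpha():
        return None
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def link_warnings(shown_text: str, href: str) -> list:
    """Warnings for one hyperlink: visible text vs. real target, and mixed-script labels."""
    warnings = []
    target_host = decode_idn(host_of(href))
    # Trick 1: the text shows a "good" URL but the link goes somewhere else.
    if looks_like_host(shown_text):
        shown_host = decode_idn(host_of(shown_text.strip()))
        if shown_host != target_host:
            warnings.append(f"link text shows {shown_host} but points to {target_host}")
    # Trick 2: IDN/homograph, e.g. a Cyrillic letter dropped into a Latin-looking label.
    for label in target_host.split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            warnings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    return warnings
```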