When the threat comes from within...
Sometimes, the biggest threat to your network security can come from within, either intentionally or unintentionally. In fact, many breaches come from someone on the inside unintentionally doing something that "invites" an external exploit in. Here is my list of the top ten most dangerous activities to be doing on the Internet at work. Share these with your employees and let them know that their Internet excursions could bring risk to the company:
1. Opening forwarded emails with jokes, videos, pictures, etc.
These are emerging as the biggest new threat to internal network security. Many people do not realize that these emails are merely attachments and often have been forwarded hundreds or thousands of times, frequently originating overseas. Crackers and identity thieves are starting to use these innocuous-looking emails as payloads for their malicious code, because people will gladly click on them even though they have been trained not to click on attachments from unknown parties. Do not open these emails, and do not forward them to anyone else. You could quite possibly be helping to infect your friends and family with spyware or worse.
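The point above is that a "joke" email is really an attachment, and a payload can hide behind a filename that looks like a picture. The following is an added example, not code from the original post, of the kind of check a mail gateway or helpdesk script could run on an incoming message: it counts how many times the subject has been forwarded, lists the attachments, and flags executable file types and double extensions such as "cats.jpg.scr". The extension lists, the forward-depth threshold and the sample message are all constructed assumptions for illustration.

```python
"""Flag risky attachments in forwarded "joke" emails (hypothetical gateway check)."""
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types Windows will run directly; a "picture" ending in one of these is a payload.
# Constructed list for the example, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".lnk", ".jar", ".msi"}
# Extensions people expect on a forwarded joke; used to spot disguises like "cats.jpg.scr".
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".mp4", ".avi", ".wmv",
              ".mov", ".pdf", ".ppt", ".pps", ".txt"}
# Forward prefixes in a few languages (assumed set).
FWD_PREFIX = re.compile(r"^\s*(fw|fwd|tr|wg)\s*:\s*", re.IGNORECASE)
REVIEW_DEPTH = 2  # assumed threshold: forwarded this many times + attachment => human review


def forward_depth(subject: str) -> int:
    """Count forward prefixes, e.g. 'FW: Fwd: FW: funny' -> 3."""
    depth = 0
    while True:
        m = FWD_PREFIX.match(subject)
        if not m:
            return depth
        subject = subject[m.end():]
        depth += 1


def classify_attachment(filename: str) -> dict:
    """Describe an attachment by its outer and inner extension."""
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    _, inner = os.path.splitext(stem)  # second extension, if any ("cats.jpg.scr" -> ".jpg")
    executable = ext in EXECUTABLE_EXTS
    return {
        "filename": filename,
        "extension": ext,
        "executable": executable,
        "disguised": executable and inner in DECOY_EXTS,
    }


def assess_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return a verdict: block, review or allow."""
    msg = message_from_bytes(raw, policy=policy.default)
    depth = forward_depth(msg.get("Subject", ""))
    attachments = [classify_attachment(p.get_filename() or "") for p in msg.iter_attachments()]
    if any(a["executable"] for a in attachments):
        verdict = "block"  # executable or disguised executable attached
    elif attachments and depth >= REVIEW_DEPTH:
        verdict = "review"  # long forward chain carrying an attachment
    else:
        verdict = "allow"
    return {"forward_depth": depth, "attachments": attachments, "verdict": verdict}


def build_sample(filename: str = "funny_cats.jpg.scr",
                 subject: str = "FW: Fwd: FW: you HAVE to see this") -> bytes:
    """Constructed sample message: a many-times-forwarded joke with one attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg.set_content("lol check this out")
    # Fake body bytes; only the filename matters for this check.
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (build_sample(),
                   build_sample("holiday.jpg"),
                   build_sample("holiday.jpg", "Pics from the lake")):
        print(assess_message(sample))
```

The check is deliberately cheap: it never opens the attachment, so it cannot be fooled into executing anything, and a "review" verdict hands the long-forward-chain case to a human rather than guessing.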
2. Peer-to-peer (file sharing) programs (BitTorrent, eDonkey, LimeWire, etc.)
In addition to tying up your company's bandwidth, you could expose your bank to lawsuits for copyrighted material on your work computer. The penalty for possessing copyrighted materials is up to $125,000 per incident (read this as per FILE!). Also, these programs often share out your hard drive without your knowledge so other downloaders can get what you have, opening up your computer and network to attack. Finally, many of these programs have been reported to have numerous security flaws and holes allowing remote attack.
3. Music or Movie Download sites
Similar to the comments above, the materials on these sites are often copyrighted and posted without the owner's consent. Additionally, these sites are often rife with spyware and pop-up ads.
4. Free Software or Game sites
Same comments as above. Unless it’s the manufacturer's site (like Microsoft) or a legitimate reseller (like Newegg), don’t go there to download software. Claims of a FREE antivirus or anti-spyware program are often spyware themselves. Do not load any programs off the web without the consent of your network administrator.
5. Online Gaming or Gambling sites
These sites present a special problem for employers and employees alike, since it is usually against federal law to use such sites. Some sites have been raided and bets have been traced back to individual bettors. Also, such sites are often run from overseas by less than scrupulous individuals.
6. Web profile sites such as MySpace and Facebook
You have probably heard the news stories about pedophiles and other criminals that prey on children (and adults) on these sites. Identity thieves have now figured out that they can use such profiles to “case” individuals for “social engineering” attacks. They submit random requests to become your “friend” or be added to your site and then collect personal data. These profiles are a gold mine for such criminals, often containing birthdays, family member or friend names, addresses or other personal information. System administrators, company execs, or people in valuable or high-profile positions are particularly sought out.
7. Personals sites such as Match.com or eHarmony.com
Using online personals sites has become the new way to date in the 21st century. While there are some benefits to these sites (allowing busy professionals or particularly shy people to meet mates), there are also dangers. Again, having your personal information available for review by anonymous browsers can be a lure for identity thieves, who often attempt to develop a rapport or friendship with their marks by appearing to know their social circle. Also, posters to such sites often misrepresent themselves in minor or even major ways. A recent study of one of the major dating sites found that over 30% of the applicants were already married.
8. Chat programs
While it can be fun to chat or IM with people all around the world, keep in mind that using such programs at work can be a security risk as well as a productivity drain. These programs often have flaws that allow files to be downloaded from your computer, and some of them even allow remote control of your computer.
9. Freemail sites such as Hotmail, Yahoo Mail or Gmail
Many people use these free services as their primary or secondary email source. However, they should never be used for work purposes, and especially not for sensitive company business. The email is unsecured as it passes over the Internet, opening up your correspondence to eavesdroppers. Also, these sites are notoriously insecure, and cracking into someone’s Hotmail or Gmail is a trivial task for any neophyte hacker. Because almost all of these sites allow password resetting by email, hackers can request a password reset and then intercept the response, or just guess your challenge questions, which are often easy to discern via public information searches. Freemail sites are not held to the same security standard as your IT systems, so you should not use them from work computers.
10. Streaming Audio or Video.
Watching CNN or ESPN via the Net can be a great way to get news right away or catch that game while you work. And while watching major, reputable sites is not a danger other than being a productivity and bandwidth drain, some of the lesser sites (such as youtube.com) can have copyrighted and/or obscene materials on them without warning. Remember, you can be held liable for anything downloaded or watched on your computer, so think before you click.
Keep in mind, I'm not saying never do these things; I'm just saying be careful and think twice about doing them at work.