An Introduction to Internet Security in the Workplace

Praise for the paranoid

By: Susan Tenby

The transfer of sensitive information on the Web is inevitable. With hackers on the rise, even the altruistic nonprofit world is not totally safe. From protecting yourself from shoulder surfing in the office to safeguarding your organization from major hacking endeavors, you can never be too careful.

This article is sort of a Security 101 for the office. It focuses on the following three categories:

  1. How to intelligently choose a password
  2. How to write discreet yet effective e-mail messages
  3. Everything you wanted to know about cookies

Password Security

The first thing to think about when you implement an office security policy is passwords. It seems to be so obvious, and yet it is often overlooked. If someone has your password, they have access to all the files on your workstation. Here are some common-sense guidelines for keeping your password secure:

Do

  • Change your password often (monthly is recommended).
  • Use letter/number/special character combinations.
  • Choose a password that is easy to type.
  • Choose a password that is easy to remember.
  • Make your password at least six characters long.
  • Make up words either by switching syllables in real words (tefalone=telephone) or by joining words.

Don't

  • Don't use your first or last name.
  • Don't use the name of your pet or partner.
  • Don't use any easily traceable personal information (license plate or home address).
  • Don't use your login or username.
  • Don't ever write your password down (on paper or e-mail).
  • Don't use a password of all numbers or all letters.
  • Don't ever tell anyone your password.
  • Don't leave a password on someone's voice-mail.
  • Don't use the same password for all your password needs.

It might seem difficult to meet all the criteria while creating a password that is memorable, but it is possible. Consider using a phrase that is unique to you but easy to remember: for example, "My brother Charlie's birthday is November 29."
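The Do and Don't lists above can be checked mechanically. The following is an added example, not part of the original article: the function name, the three-character cutoff for personal details and the sample user details are assumptions made for illustration.

```python
import re


def _norm(text):
    # Lowercase and drop punctuation so "R.e.x" or "REX" still match "rex".
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, personal_details, min_length=6):
    """Return guideline violations; an empty list means the password passes.

    personal_details holds strings the article says to avoid: login,
    first and last name, pet or partner name, license plate, address.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # "Use letter/number/special character combinations" also covers
    # "Don't use a password of all numbers or all letters".
    classes = {
        "letter": any(c.isalpha() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    flat = _norm(password)
    for value in personal_details:
        token = _norm(value)
        # Skip very short tokens; they would match by accident.
        if len(token) >= 3 and token in flat:
            problems.append(f"contains personal detail '{value}'")
    return problems


# Constructed sample user details, not taken from the article.
SAMPLE_DETAILS = ["jdoe", "Jane", "Doe", "Rex", "4ABC123"]

if __name__ == "__main__":
    for candidate in ["tefalone", "Rex!2002", "12345", "tefa!one7Lamp"]:
        print(candidate, "->", check_password(candidate, SAMPLE_DETAILS) or "ok")
```
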

A Note on Hackers:

One of the most common hacking methods is called social engineering; a hacker relies on a human to give a password. You may get a call from someone claiming to be a representative of your ISP. He may tell you that in order to determine whether there has been a security break in your account, he needs to know your password. Or you may receive a call from someone who claims that he is an employee of your organization, and that he is about to leave on an airplane and he forgot his password. These situations are not uncommon; get a name and a contact number for the individual and check up before you give any information out.

Never give your password out over the phone.

E-mail Security

It is important to remember that e-mail is transferred from sender to receiver, and that this transfer is often not secure. An e-mail message is potentially viewable through every service provider through which it passes. David Raikow, Internet Security Specialist, says, "Sending e-mail is like sending a postcard, only less secure because [the postcard] passes by fewer eyeballs. E-mail is more like note-passing in class, because it has the ability to be passed, saved, deleted, or changed without the sender or receiver ever having known of it."

Not to induce complete hysteria, but any individual with authorized access (and many without) can read your e-mail. E-mail is also easily misrouted and forwarded without your permission. And let's not forget the BCC (Blind Carbon Copy) that will allow another pair of eyes to see an e-mail message without the recipient ever knowing it.

You can read more about e-mail in TechSoup's article on Using E-mail Effectively. Even if an e-mail message is deleted, there may be back-up copies that are retrievable for years.

Because e-mail and the Internet are so new, the boundaries and limits of Fourth Amendment protection have not yet evolved in the courts. But remember that your employer can read any e-mail that passes through its servers. So while the Fourth Amendment may apply to e-mail, it doesn't apply to mail sent through your office. And the standard agreement that you most likely have with your ISP is that the ISP can do whatever it likes with your e-mail. So if you want to remain completely safe, do not send private or sensitive information over the Internet.

Having said that, don't believe the hype. There is a lot to be said for avoiding complete panic and steering clear of hoaxes. Salon helps soothe the excessively paranoid in their article about security, The great e-mail scare.

Keep in mind that it's always good to use a common sense standard for e-mail -- don't write something that could be libelous (or even hideously embarrassing), illegal, or indiscreet in an e-mail message. Sooner or later, someone inappropriate could see it (if for no other reason than you accidentally hit the wrong key late one afternoon and posted your highly personal message to the entire office or listserv).

If you must send a secret or sensitive message, try hiding, or embedding, the message within another type of file. There are simple ways to embed files, like embedding a message in a JPEG picture file, that will help throw any snoopers off track. If you must send a very sensitive message, use an encryption software program like PGP (Pretty Good Privacy), discussed later in this article.

Encryption is a system that allows only those with the correct key to decode the message. It is one of the safest methods of sending information.

E-mail List Security

E-mail lists are discussion bulletin boards that are visited by people with a common interest (for example, Internet Security). They are referred to as listservs, conferences, majordomo, exploders, and salons. See TechSoup's article Introduction to E-mail Listservs and Internet Mailing Lists for more information. Because listservs can e-mail a number of people at once using one address (the listserv address), and the subscribers have access to the subscription list's inbox, there is plenty of room for security violations. Conversely, if you e-mail a listserv, you have no idea who may receive the information that you send. Some listservs are much more secure than others, and you have no idea who may be posing as a sympathizer, but is actually an opponent. If you have any privacy questions about a listserv, contact the owner of the list.

We recommend that you follow basic e-mail security rules and refrain from mentioning sensitive or private information to a listserv. Keep in mind that e-mails are permanently archived, and that they pass through many viewers. Use discretion when you CC (Carbon Copy) or forward a listserv message to a person who does not subscribe.

Web Security

The main issue in Web security is online forms. Sensitive information should not be sent to a webmaster via an online form. Any information that you submit through the Internet has an indefinite life span. Always keep in mind that the information you submit in a Web form is vulnerable to prying eyes in electronic transport. Fortunately, secure servers encrypt the information in transmission.

You can tell if you are on a secure site by looking at the URL. On a secure site, it will start with https:// and not http://. There will also be a small lock in the window of the browser, or at the bottom of the browser's frame.
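The lock and the https:// prefix describe how the page itself was loaded; what matters for a form is the address it submits to, which can differ. The following added example (not part of the original article) lists forms whose submit address is not https. The hostnames, sample page and the list of "sensitive" field-name fragments are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments treated as sensitive (an assumption for this example).
SENSITIVE_HINTS = ("pass", "card", "ssn", "account")


class FormCollector(HTMLParser):
    """Collect each form's resolved submit URL and its input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, attrs.get("action") or "")
            self._open = {"target": target, "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            name = attrs.get("name") or ""
            kind = (attrs.get("type") or "text").lower()
            self._open["fields"].append((name, kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def insecure_forms(page_url, html):
    """Return (submit_url, sensitive_field_names) for forms not sent over https."""
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if urlparse(form["target"]).scheme != "https":
            sensitive = [name for name, kind in form["fields"]
                         if kind == "password"
                         or any(hint in name.lower() for hint in SENSITIVE_HINTS)]
            findings.append((form["target"], sensitive))
    return findings


# Constructed sample page: served over https, but one form posts over http.
SAMPLE_PAGE = """
<form action="/newsletter"><input name="email"></form>
<form action="http://forms.example.net/donate" method="post">
  <input name="card_number"><input type="password" name="pin">
</form>
"""
```

Called with `https://example.org/give` as the page address, only the donation form is reported; called with the `http://` address, the newsletter form is reported as well because its relative action inherits the page's scheme.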

Cookies Can Make You Sick

Cookies are pieces of code which lodge themselves on your computer and allow a Web site to trace and harvest information about your activities on that site. This means that a Web site knows when and how many times you've been there. When you log in to a site with cookies, the site saves your specific preferences (or any other information) on its server. When you go back to the site, it is able to "remember" who you are. This can be useful if the computer you're using is your home computer, or if the computer that you share does not contain any sensitive information, like your stock portfolio, that is saved to the site in the form of cookies.

The good news is cookies can be useful tools that remember your personal profile and make your surfing quicker on a site that you frequent. They are also useful for remembering your site preferences.

The bad news is that most sites use cookies for marketing information. For example, the creepy and invasive message that you receive on your computer that informs you that it's time you update your virus software is the result of a cookie. Only the Web site that sets a cookie can access it.

Different browsers have different cookie settings. With Netscape, you can have the browser allow all cookies, warn you when it comes across a cookie, or completely disable cookies. Internet Explorer has an additional feature that lets you specify different settings for different security zones. You can choose to allow Web sites to create cookies for you in your "trusted sites," warn you before you create them in your local Intranet zone, or give you an option to never allow them in a "restricted zone."

A basic precautionary rule for cookies: if you're browsing and you're afraid of leaving a breadcrumb trail for marketers, disable your cookies.

Be aware that you are leaving a trail everywhere you accept a cookie.

  • Cookies will tell Web advertisers which ads you click through.

  • The disadvantage of cookies is that your usage becomes a marketing tool.

  • Cookies can be helpful to save your preferences in a site that you frequently visit.

  • On an office computer, never give your sensitive information to a site with cookies.

  • If you are uncertain about whether you want them, uncheck the "Accept All Cookies" box in your browser's Settings menu.

  • If you are afraid of not having access to all sites, select "Warn Before Accepting," although this may be annoying if an individual site has set a lot of cookies.
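To see the trail described above, the Set-Cookie headers received while loading a page can be inventoried by lifetime and by who set them. This is an added example, not part of the original article; the hostnames and header values are constructed, and the first-party test is a simplification of what browsers do with the public suffix list.

```python
from http.cookies import SimpleCookie


def same_site(host, page_host):
    # Simplification (assumption): hosts belong together when they are equal
    # or one is a subdomain of the other.
    host, page_host = host.lower().lstrip("."), page_host.lower()
    return (host == page_host
            or host.endswith("." + page_host)
            or page_host.endswith("." + host))


def audit_cookies(page_host, responses):
    """Classify cookies set while loading one page.

    responses is a list of (responding_host, Set-Cookie header value).
    """
    report = []
    for host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Without a Domain attribute the cookie belongs to the responder.
            scope = (morsel["domain"] or host).lstrip(".")
            # Max-Age or Expires keeps the cookie after the browser closes.
            persistent = bool(morsel["max-age"] or morsel["expires"])
            report.append({
                "name": name,
                "scope": scope,
                "lifetime": "persistent" if persistent else "session",
                "party": "first" if same_site(scope, page_host) else "third",
            })
    return report


# Constructed sample: the visited site plus an ad server embedded in its page.
SAMPLE_RESPONSES = [
    ("www.example.org", "prefs=large-text; Path=/"),
    ("ads.example.net",
     "uid=9f3a7c; Domain=.ads.example.net; Max-Age=63072000; Path=/"),
]

if __name__ == "__main__":
    for row in audit_cookies("www.example.org", SAMPLE_RESPONSES):
        print(row)
```
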

Article date: December 5, 2002

 

Copyright 2001-2005, CompuMentor. All Rights Reserved.