Water and electricity do not mix. Keep that in mind as you go over
your disaster recovery plans. Remember that water damage can come
from something as dramatic as a hurricane or broken water main, or
from more mundane things like defective fire sprinkler heads, plugged
drains and toppled water coolers.
For more extensive water problems, backing up and/or replicating
data to an off-site location is mandatory, just as it is for most
disaster recovery operations. Off-site storage of the data is just as
important as the backup itself, particularly if you live in a flood plain.
In the case of floods, the disaster tends to be far-reaching, affecting
entire groups of buildings and beyond. Since any tapes or other backup
systems located within the flood zone will be either inaccessible or
possibly damaged or destroyed, keeping the tapes and other systems in the
same physical location as the protected systems is a bad idea.
Regarding recovery from a large-scale flood, you may need to restore data
and/or fail over to another location. Keep in mind that
employees in the same location may have left the area and therefore don't
have access to their PCs, giving you more time to get things back to normal.
Once you've decided where you will restore to (something you can do well
ahead of time), you can then get the required hardware, set up your
systems, and restore the data.
Often, you can have secondary systems ready to go at another location, or
have hardware vendors overnight equipment to your alternate site.
Avoiding less catastrophic water-related problems generally requires
that you use common sense and apply a critical eye to the placement of
all of your systems. Having critical equipment in a room with fire
sprinklers is probably a bad idea. Placing servers next to a kitchen
area or restrooms should also be avoided. Basements or other areas
that could flood should also be avoided.
By definition, the term "social engineering" refers to the practice of
conning people into revealing sensitive data on a computer system, often
on the Internet. If a computer cracker can trick you into giving him
your password or credit card number, all your time-consuming and expensive
computer security precautions will have been an enormous waste of money and effort.
One of the most common forms of social engineering is the phishing scam
that has been clogging your inbox. These are the emails that tell you
that your PayPal or eBay account is about to be closed unless you update certain
critical information (like your social security number, password, etc.).
These emails certainly look authentic in that they usually do a decent
job of replicating logos; however, if you look carefully at the links
they want you to click to do the updating, you will see that they do
not lead to the site they claim to be from.
While most phishing schemes revolve around email and the web, many are
perpetrated over the telephone. For example, someone calls claiming to
be from your bank and tricks you into giving out your account number
and PIN.
How can you protect yourself from these scams? You can
start by following these three rules:
1. If you have an account with a company, don't trust ANYTHING
   you read in account-related email or in any phone call you get
   from that company. If there REALLY is a problem with your
   account, the company will contact you via snail mail.
2. NEVER click on a hyperlink in an email from a company with
   whom you have an account, regardless of how legitimate the
   email or hyperlink might appear. If you need to visit the
   company's website, close your email program, ignore everything
   you read in that email [including any web page addresses you
   may have seen], open your web browser, and manually key in the
   regular web page address for the company's *homepage*. Then
   log in to your account with that company like you normally
   would. If there is a problem with your account, the company's
   website will tell you once you log in.
3. If you need to personally contact a company with whom you have
   an account, the ONLY contact information you should trust is
   the information on your monthly paper statement or on the
   back of your credit card. Assume that any contact information
   in a business email only points to a criminal wanting to steal
   your personal information.
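As an added example that is not part of the original article, here is a small Python script that applies rule 2 mechanically: it pulls every hyperlink out of an email body, compares the site named in the visible link text with the site the link actually goes to, and also flags any target that is not "https:". The sample message, the domain comparison (last two labels of the host name, which is a simplification rather than a real public-suffix check) and all function names are constructed for this illustration.

```python
"""Flag email links whose visible text names one site but whose target goes elsewhere.

Constructed example: standard library only, no real phishing message is used.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, or None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Lower-cased host named by a URL or a bare 'www.example.com' string ('' if none)."""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def registrable(host):
    """Crude 'site' name: the last two labels (www.paypal.com -> paypal.com).

    Assumption for this demo only; a real checker would use a public-suffix list.
    """
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(text, href):
    """Return the reasons a link is suspicious; an empty list means nothing was found."""
    reasons = []
    target = urlparse(href)
    target_host = (target.hostname or "").lower()
    if target.scheme != "https":
        reasons.append("target is not https")
    shown_host = host_of(text)
    # Only compare when the visible text itself looks like a web address.
    if shown_host and "." in shown_host and registrable(shown_host) != registrable(target_host):
        reasons.append(f"text names {shown_host} but link goes to {target_host}")
    return reasons


def audit_email(html):
    """Run check_link over every anchor; returns [(text, href, reasons)] for suspicious links only."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        reasons = check_link(text, href)
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample message (not a real phishing email): the first link shows
# one address in its text but points somewhere else, the second is consistent.
SAMPLE = """
<p>Your account will be closed. Update now:
<a href="http://paypal.example-login.net/update">https://www.paypal.com/</a></p>
<p>Or visit <a href="https://www.paypal.com/">our site</a>.</p>
"""

if __name__ == "__main__":
    for text, href, reasons in audit_email(SAMPLE):
        print(f"SUSPICIOUS: '{text}' -> {href}: {'; '.join(reasons)}")
```

Running the script on the constructed message reports only the first link, for both reasons. The check is deliberately conservative: a link whose text is a plain word ("our site") is not compared, because only text that itself looks like a web address can contradict the real target.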
In addition to the steps detailed above to avoid social engineering scams,
here are some other measures you can take to improve security while
you are online:
- Never leave any sensitive data (password, account number, social security
  number, etc.) on ANY site (even a legitimate one) unless the connection is a
  secured one, identified by the little padlock at the lower left of your
  browser screen and "https:" instead of "http:" in the browser address bar.
- Make sure all security features are enabled on your system: apply
  the latest security patches; install and run the latest antivirus
  software, keep its definitions current, and run a full scan
  frequently; and install and keep active a good firewall.
- Keep your financial and sensitive data off public computers such as those in
  libraries, Internet cafes, colleges and universities, etc.
- Don't install programs needlessly.
- Don't open email attachments from sources you don't know and trust.
- Frequently remove spyware, adware, scumware, and all the other nasties from your
  system. While it's doubtful you can avoid all this stuff, perform regular
  maintenance with Ad-Aware, Spybot Search & Destroy, or any of a dozen good
  packages for that purpose.
- Carefully read all privacy and security statements on sites before you buy
  online.
- Be innovative in creating passwords for your various accounts. Use a
  combination of upper and lower case letters, digits, and symbols.
- Check your credit report at least annually to determine if someone has had
  access. Report suspected attempts at identity theft.
I just recently purchased a "smartphone" - essentially a combination hand-held computer
running Windows Mobile and a cell phone all rolled into one. (Now I can check my
email and browse the web right from my phone!) As I use this great new toy more and
more, it has dawned on me that protecting the data on this device is just as important
as for my desktop computer. Here are some ideas on how to do this:
- Synchronize the handheld with your desktop regularly so the data stored
  on the handheld is backed up.
- Password protect the device when it is turned on.
- Disable unused network methods. If you are not using WiFi, disable it.
  If you are not using Bluetooth, disable it.
- Carry the PDA in a secure manner. Top pockets don't work. (I've tried.)
  Belt clips work best, preferably one that will allow you to rotate the
  device so that its long dimension is parallel to the ground. (Great for
  when you are sitting down or when you have a seatbelt on.)
- Encrypt the data stored on your PDA and any "smartcards" it uses.
  It's pretty easy to lose these things or for them to get stolen.
- Buy insurance. When you buy the device you can usually buy insurance
  that protects against theft, damage or just plain losing the device. It
  runs about $5/month and is well worth it if your PDA set you back more than
  a few hundred dollars.
Computers running Windows use a period and a three-letter extension added
to the end of a file name to identify a file's type. When a file or email
attachment is opened, Windows uses the file extension to determine what
program should be used to open the file, or whether the file is a program
that should be executed.
The following list contains types of files identified by Microsoft as
having the potential to contain dangerous programs.
Dangerous File Extensions

File Extension   Description
ADE              Microsoft Access Project Extension
ADP              Microsoft Access Project
BAS              Visual Basic® Class Module
BAT              Batch File
CHM              Compiled HTML Help File
CMD              Windows NT® Command Script
COM              MS-DOS® Application
CPL              Control Panel Extension
CRT              Security Certificate
EXE              Application
HLP              Windows® Help File
HTA              HTML Applications
INF              Setup Information File
INS              Internet Communication Settings
ISP              Internet Communication Settings
JS               JScript® File
JSE              JScript Encoded Script File
LNK              Shortcut
MDB              Microsoft Access Application
MDE              Microsoft Access MDE Database
MSC              Microsoft Common Console Document
MSI              Windows Installer Package
MSP              Windows Installer Patch
MST              Visual Test Source File
PCD              Photo CD Image
PIF              Shortcut to MS-DOS Program
REG              Registration Entries
SCR              Screen Saver
SCT              Windows Script Component
SHS              Shell Scrap Object
URL              Internet Shortcut (Uniform Resource Locator)
VB               VBScript File
VBE              VBScript Encoded Script File
VBS              VBScript Script File
WSC              Windows Script Component
WSF              Windows Script File
WSH              Windows Scripting Host Settings File
Any file received as an
email attachment with any of the above extensions should NEVER be opened
unless you know the person that sent the file, why they sent it,
and the purpose of the file.
The list of dangerous file types may be hard to remember.
It may be easier to remember the common safe file types:
Safe File Extensions

File Extension   Description
GIF              Picture - Graphics Interchange Format (CompuServe)
JPG or JPEG      Picture - Joint Photographic Expert Group
TIF or TIFF      Picture - Tagged Image File Format (Adobe)
MPG or MPEG      Movie - Motion Picture Expert Group
MP3              Sound - MPEG compressed Audio
WAV              Sound - Audio (Microsoft)
If an attachment does not have one of these safe extensions,
it's best not to open it. Be especially suspicious of any file that has
a doubled extension (e.g. TsunamiPix.gif.exe). Normally files have only one
extension, so a file with more than one is probably an attempt to trick you
into opening the attachment.
Also note that a file could have a name like www.yahoo.com; it looks like
a URL to a web site, but if you check the dangerous extensions list above
you will notice that .com is the extension used by some MS-DOS
applications. This was the trick used by the 'My Party' worm. Legitimate URLs should be listed in the body
of the message like www.yahoo.com (usually
blue and underlined) and preferably preceded by http:// as in http://www.yahoo.com/. If in doubt, copy the
text of the URL and paste it into the address bar of your web browser instead
of clicking on the link.
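As an added example that is not part of the original article, the following Python function applies the two extension tables and the two tricks described above (a doubled extension such as TsunamiPix.gif.exe, and a file name that looks like a web address but ends in .com) to an attachment name. Because Windows acts on the last extension, that is the one that decides the verdict; the earlier extensions only feed the warning text. The sample attachment names, the verdict labels and the function names are constructed for this illustration; the two extension lists are copied from the tables.

```python
"""Classify an email attachment by its file name using the dangerous and safe extension lists.

Constructed example; the extension sets are the two tables from the article.
"""

# Dangerous File Extensions table, lower-cased, without the leading dot.
DANGEROUS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "exe", "hlp",
    "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde", "msc", "msi",
    "msp", "mst", "pcd", "pif", "reg", "scr", "sct", "shs", "url", "vb", "vbe",
    "vbs", "wsc", "wsf", "wsh",
}

# Safe File Extensions table (pictures, movies, sounds).
SAFE = {"gif", "jpg", "jpeg", "tif", "tiff", "mpg", "mpeg", "mp3", "wav"}


def classify_attachment(filename):
    """Return (verdict, reason) for an attachment name.

    verdict is 'block', 'allow' or 'unknown'. Windows uses the LAST extension,
    so only that one decides; anything before it is used for the warning text.
    """
    parts = filename.strip().lower().split(".")
    ext = parts[-1]
    if len(parts) < 2 or not ext:
        return "unknown", "no file extension; do not open unless you expected it"
    inner = [p for p in parts[1:-1] if p]  # extensions that appear before the last one
    if ext in DANGEROUS:
        if inner and inner[-1] in SAFE:
            return "block", (f"double extension: looks like a .{inner[-1]} file "
                             f"but Windows will run it as .{ext}")
        if parts[0] == "www" and len(parts) >= 3:
            return "block", (f"name looks like a web address, but .{ext} is a "
                             "program extension on the dangerous list")
        return "block", f".{ext} is on the dangerous extensions list"
    if ext in SAFE:
        if inner:
            return "allow", (f"safe extension .{ext}, but note the extra "
                             f"'.{inner[-1]}' in the name")
        return "allow", f".{ext} is a picture, movie or sound file"
    return "unknown", f".{ext} is on neither list; do not open unless you know why it was sent"


def triage(names):
    """Group attachment names by verdict, preserving their order within each group."""
    groups = {"block": [], "allow": [], "unknown": []}
    for name in names:
        verdict, _ = classify_attachment(name)
        groups[verdict].append(name)
    return groups


# Constructed sample attachment names (not real files).
SAMPLE_ATTACHMENTS = [
    "TsunamiPix.gif.exe",   # doubled extension: picture name, program extension
    "www.yahoo.com",        # looks like a URL, but .com is an MS-DOS application
    "holiday.JPG",          # safe picture (case does not matter to Windows)
    "invoice.pdf",          # on neither list
    "notes.vbs",            # script file on the dangerous list
    "README",               # no extension at all
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict, reason = classify_attachment(name)
        print(f"{verdict:7} {name:22} {reason}")
```

The "unknown" verdict is deliberate: a name on neither list (a .pdf or .doc, say) is not proof of safety, and the article's advice still applies, which is to open it only when you know who sent it and why.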