The last line of defense is you

Hackers don’t always use sophisticated methods to fish for information from your computer. Beware of phishing emails, suspicious attachments and links from unknown sources. Photo: Stomchak

I spent the last week at the DOE Cyber Security Training Conference, where many presentations from both national lab and federal employees focused on ways to combat cyber threats and operate securely. Attackers are becoming increasingly sophisticated in the methods they use to break into computers and misappropriate data. However, even the most technically advanced attackers continue to rely on the simplest of vulnerabilities: careless actions by computer users.

Fermilab users have a good track record in sidestepping many standard Internet perils. But it is still appropriate to repeat oft-given advice since even a single careless action can compromise most of our sophisticated defenses. So even if you have heard this before, remember:

Don’t trust email.
You can never be sure an email is coming from the person your email client shows as the sender. It is trivial to insert a fictitious or forged sender address. And since most of Fermilab’s organization charts are public, it is easy for an attacker to determine which email addresses a particular individual would trust and tailor a phishing email accordingly. Be suspicious.
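As an added illustration of why the visible sender cannot be trusted (this is example code, not part of the original column), the following Python script parses a constructed set of mail headers and lists the reasons a defender would flag them: a display name that itself contains a lab-looking address, a Reply-To pointing at a different domain, and missing or failed SPF/DKIM/DMARC results recorded by the receiving server. The header values and domains are made up for the example.

```python
import re
from email import policy
from email.parser import HeaderParser

# Constructed sample headers (not a real message). The display name "claims"
# a trusted lab address while the actual mailbox and Reply-To are elsewhere.
SAMPLE_HEADERS = """\
From: "Jane Doe <jdoe@fnal.gov>" <notice@mail-example.test>
Reply-To: jdoe.fnal@webmail-example.test
Return-Path: <bounce@mail-example.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mail-example.test; dkim=none
Subject: Action required: verify your account
"""


def sender_warnings(raw_headers):
    """Return a list of reasons the visible sender should not be trusted."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    from_hdr = msg["From"]
    if not from_hdr or not from_hdr.addresses:
        return ["no parseable From address"]
    sender = from_hdr.addresses[0]
    actual = sender.addr_spec.lower()
    warnings = []
    # 1. The display name is free text. An address-like string inside it that
    #    differs from the real mailbox is a classic spoofing pattern.
    for claimed in re.findall(r"[\w.+-]+@[\w.-]+", sender.display_name):
        if claimed.lower() != actual:
            warnings.append(f"display name claims {claimed} but mailbox is {actual}")
    # 2. Replies silently routed to a domain other than the visible sender's.
    reply_hdr = msg["Reply-To"]
    if reply_hdr and reply_hdr.addresses:
        reply_domain = reply_hdr.addresses[0].domain.lower()
        if reply_domain != sender.domain.lower():
            warnings.append(f"Reply-To domain {reply_domain} differs from From domain {sender.domain.lower()}")
    # 3. Authentication results added by the receiving mail server. A missing or
    #    failed result means the From header is unverified, not proven forged.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            warnings.append(f"{mech} result: {m.group(1) if m else 'missing'}")
    return warnings


if __name__ == "__main__":
    for w in sender_warnings(SAMPLE_HEADERS):
        print("WARNING:", w)
```

Mail clients show only the display name by default, so none of these signals is visible without opening the headers; that is exactly why the advice above is to be suspicious regardless of who the message appears to come from.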

Don’t click on links.
Since you can't trust where an email comes from, you should be extremely reluctant to click on any link in it: the link might be specifically designed to infect your computer. Very occasionally we need to send links that are legitimate lab business, but this is unusual, and we try to warn lab users in advance when this occurs.

Don’t open email attachments.
Even worse than links embedded in an email message are attachments. Try to post documents for review on some file-sharing service like FermiPoint instead of emailing files as attachments. And be wary of clicking on attachments unless you have some assurance that they are legitimate.

Use care when Web browsing.
Every link on a website may pose a danger. Be judicious in your surfing, especially when using any Web forms that ask you to input personal data.

Do not give up your passwords.
We all get regular spam messages telling us we must log on to correct some deficiency or take some action. These are attempts to get you to reveal a username-password combination. Never type your password into anything other than the recognizable lab services (FermiMail or Workday, for example) that you use regularly.

Be cautious about giving information over the phone.
There is no legitimate reason for a person to call you to verify your name, job title or email address. At best, this is some salesperson trying to create a contact list. But such social engineering is also a favorite tool of attackers gathering information that can be used to craft targeted spam or extract passwords.

Please continue to report any suspicious attempts to computer_security@fnal.gov, which will allow us to block the sites from which attacks originate and protect other individuals who might not be as careful as you.

Irwin Gaines