Security awareness training is an important part of KindHealth's security program. The presentations and resources on this page will provide you with information to help keep your computer and information secure.
KindHealth employees and contractors have a responsibility to safeguard the information entrusted to us. The training program will better prepare all of us to fulfill this responsibility and strengthen our defenses against attacks.
Employees are required to complete an initial security awareness training as well as an annual refresher.
The following topics are designed to supplement the Security Awareness Training. Each page provides tools and information about how to keep your computer and data safe and secure. Additional topics are available at How to Stay Secure.
What is Computer Security?
Computer Security is the protection of computing systems and the data that they store or access.
Why is Computer Security Important?
Computer Security allows KindHealth to fulfill its mission by:
Enabling people to carry out their jobs
Supporting critical business processes
Protecting personal and sensitive information
Why do I need to learn about Computer Security? Isn't this just an IT problem?
Good Security Standards follow the "90 / 10" Rule:
90% of security safeguards rely on an individual ("YOU") to adhere to good computing practices
10% of security safeguards are technical.
Example: The lock on the door is the 10%. You remembering to lock the lock, checking to see if the door is closed, ensuring others do not prop the door open, keeping control of the keys, etc. is the 90%. You need both parts for effective security.
What Does This Mean for Me?
This means that everyone who uses a computer or mobile device needs to understand how to keep their computer, device and data secure.
--> Information Technology Security is everyone's responsibility!
KindHealth employees are also responsible for familiarizing themselves with, and complying with, KindHealth policies, procedures and standards relating to information security.
Security Objectives
Learn "good computing security practices."
Incorporate these practices into your everyday routine. Encourage others to do so as well.
Report anything unusual - Notify your supervisor and submit a Support Ticket if you become aware of a suspected security incident.
Many cyber security threats are largely avoidable.
This page is a one-stop spot to learn about using ITS services and how to make smart security choices, so that you do your part in complying with KindHealth security policies.
What are the consequences for security violations?
Fines, penalties or civil actions.
Damage to KindHealth reputation.
Don't be fooled by scams!
Criminals and hackers are constantly coming up with new schemes designed to compromise computers, steal passwords, trick you into revealing valuable information (personal, financial, etc.), or trick you out of money.
It can be difficult to know if someone is telling the truth on the Internet.
Scams can lead to identity theft, regular theft, access to your accounts and personal information, and compromised computers.
A compromised computer can put ALL of your information and passwords at risk.
Social Engineering
The practice of trying to trick or manipulate people into breaking normal security procedures is called “Social Engineering”. The principle behind social engineering and scams in general is that people are the weak link in security – that it can be easier to trick people than to hack into computing systems by force.
Social engineers exploit people’s natural tendency to want to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis. The scams described on this page are all classic examples of social engineering.
Key indicators of a scam
Scams commonly use email, the internet, or the telephone to trick people into revealing sensitive information or into doing something that is against policy. Key indicators:
You are being asked for personal or private information, your password, financial account information, Social Security Number, or money.
Unexpected/unsolicited email with a link or an attachment
Scare tactics or threats stressing that if you don't act quickly something bad will happen
Promises of something too good to be true. This includes bargains and “great offers,” or links to claim an award/reward.
Requests that you forward emails, attachments, links, etc. to your friends, co-workers or family
Other indicators that an email isn’t legitimate:
It’s not addressed to you, specifically, by name.
The sender isn’t specified, isn’t someone you know, or doesn’t match the “from” address.
It has spelling or grammatical errors.
It has a link that doesn’t seem to match where the email says the link will take you, or an attachment with an incorrect or suspicious filename – or a suspicious file extension (e.g.: *.zip, *.exe, *.vbs, *.bin, *.com, *.pif, *.zzx)
It has a link/attachment to view an unexpected e-card or track an unknown package
It includes links to pictures or videos from people you don’t personally know
Phishing
Phishing is a scam designed to steal information or passwords, compromise computers or trick you out of money - typically via deceptive emails, texts, posts on social networking sites, pop-ups or phone calls. A phisher may ask for your name, account information, date of birth, Social Security number, address, etc. They may also try to get you to click on a link or open a file.
Hover over any links to see specifically where you are being directed. If it's not legit, don't click.
Some examples include:
“There’s a problem with your account” – trying to trick you into sending your password or clicking on a link in order to fix a problem.
Phony security alerts – email, pop-ups or Facebook notices warning that your computer is at risk of being infected, typically with a link to click.
Phony computer support
Money Phishing – trying to trick you out of money or bank/credit card account info. Often by pretending to be someone from another country who needs assistance accessing a large sum of money. Or a friend stuck in another country without any money. Or an IRS agent claiming that you owe taxes and must pay immediately over the phone.
KindHealth and other reputable organizations will NEVER email you for your password, Social Security number, or any confidential or personal information.
Test your phishing know-how through these online sources.
Google Phishing Quiz: Google has published a fun, informative quiz to test if you can spot when you're being phished.
OpenDNS Phishing Quiz: OpenDNS has published an effective quiz to help you differentiate between phishing websites and legitimate websites.
For examples of email phishing scams see the Phishing Examples.
Learn How to Report an Email Phishing Attempt
Impersonation: Attackers pose as someone in authority, or an IT representative, in order to obtain information or direct access to systems. Attackers may research the target so they know enough to convince you to trust them.
An example of this is the "Microsoft computer support" scam. Someone supposedly from the Microsoft or Windows Support Center calls you and tells you there's a problem with your computer, or someone's trying to hack in. They usually have you run some simple commands then they ask you to install something that will allow them to "fix the problem". They might send you an attachment or a link, or just read you a URL. Following the instructions will give them full access to your computer to do whatever they want.
Ransomware: Malware that locks your computer or encrypts your files and demands payment to restore access. A classic example is the fake anti-virus ("scareware") scheme: you get a popup telling you that there is a problem with your computer. The popup offers you free or cheap "anti-virus" to fix the problem. After you install the fake anti-virus, it locks your computer and you have to pay to get it unlocked. Another variant is a popup that prompts you to sign in with your Windows account or email so that "Windows" can fix the problem. After you sign in, the program locks your browser, and to unlock it you are told to buy "anti-virus" for $200 or $300. This is a double whammy because you also hand the attacker your credit card information (and, in the sign-in variant, the credentials you typed). Paying does not guarantee that you get your computer or files back; report the incident instead and rely on backups.
Dumpster Diving: Going through trash to obtain valuable information for targeted attacks. Any sensitive information--paper or electronic--that is thrown away or recycled intact is vulnerable to dumpster diving.
Make sure your computer is protected with anti-virus and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current.
Don't respond to email, instant messages (IM), texts, phone calls, etc., asking for your password. You should never disclose your password to anyone, even if they say they work with KindHealth, IT in a Pinch, or places you do business with (like your bank).
Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know or who doesn't have a legitimate need for it -- in person, over the phone, via email, IM, text, Facebook, Twitter, etc.
Don't open files, click links, or call numbers in unsolicited emails, text messages, IMs, Facebook postings, tweets, etc.
Instead of clicking on a link, look up the website yourself by a method you know to be legitimate – or contact the sender separately by a method you know to be legitimate to verify.
Malicious links can infect your computer or take you to web pages designed to steal your information. Malicious attachments can infect your computer. Even seemingly legitimate links and attachments can be harmful.
If you can't verify something is legitimate, ignore or delete it.
Cryptic or shortened URLs (e.g., TinyURL links) are particularly risky because you can't easily tell where they are supposed to go.
Don’t click on links in pop-up ads/windows; don't respond to them in any way. Use your web browser’s pop-up blocker, if it has one, to help prevent these ads from getting through.
Delete spam and suspicious emails; don't open, forward or reply to them.
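The indicators listed earlier (a sender name that does not match the "from" address, link text that does not match where the link really goes, attachments with suspicious or doubled file extensions) and the tips above about hovering over links and avoiding shortened URLs can all be checked mechanically. The following is an added example written for this page, not KindHealth's or Google's code: the two sample messages are constructed, and the lists of risky extensions and URL-shortener hosts are assumptions, not a complete list.

```python
"""Check a raw email for the phishing indicators described on this page.
Added example; sample message and extension/shortener lists are constructed assumptions."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the page calls suspicious, plus a few other common droppers (assumption).
RISKY_EXTENSIONS = {"zip", "exe", "vbs", "bin", "com", "pif", "scr", "js", "hta", "lnk", "iso"}
# URL shorteners that hide the real destination (assumption: not exhaustive).
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd", "ow.ly"}
DOMAIN_RE = re.compile(r"[\w-]+\.[a-z]{2,}")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Hostname of a URL, ignoring user@ prefixes and ports (e.g. http://bank.example@evil.example/)."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":")[0]

def _registrable(host):
    """Crude 'last two labels' comparison; good enough for this example."""
    return ".".join(host.split(".")[-2:])

def find_indicators(raw_email):
    """Return human-readable phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    found = []
    # 1. Display name that claims one domain while the address is at another.
    m = re.match(r'"?([^"<]*)"?\s*<([^>]+)>', msg.get("From", ""))
    if m:
        name, addr = m.group(1).strip(), m.group(2).strip()
        claimed = DOMAIN_RE.search(name.lower())
        if claimed and _registrable(claimed.group(0)) != _registrable(addr.split("@")[-1].lower()):
            found.append(f"display name '{name}' does not match sender {addr}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # 2. Risky extension, and the 'Invoice.pdf.exe' double-extension trick.
            exts = filename.lower().split(".")[1:]
            if exts and exts[-1] in RISKY_EXTENSIONS:
                found.append(f"attachment '{filename}' has risky extension .{exts[-1]}")
                if len(exts) > 1:
                    found.append(f"attachment '{filename}' disguises itself with a double extension")
            continue
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            href_host = _host(href)
            # 3. Visible text names one site but the href goes elsewhere
            #    (what hovering over the link would reveal).
            if DOMAIN_RE.search(text.lower()) and _registrable(_host(text)) != _registrable(href_host):
                found.append(f"link text '{text}' actually points to {href_host}")
            # 4. A shortened URL hides the real destination.
            if href_host in SHORTENER_HOSTS:
                found.append(f"shortened URL {href} hides its destination")
    return found

# Constructed phishing message (not a real email) that trips every check above.
PHISHING_EMAIL = """\
From: "KindHealth IT (support@kindhealth.co)" <alerts@kindhealth-secure.co>
Subject: Urgent: your account will be suspended
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires in 24 hours. Sign in now:</p>
<a href="http://kindhealth-secure.co/login">https://www.kindhealth.co/account</a>
<p>Or use <a href="https://bit.ly/3abcdef">this link</a>.</p></body></html>
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.pdf.exe"

TVqQAAMAAAAE
--BOUNDARY--
"""

if __name__ == "__main__":
    for line in find_indicators(PHISHING_EMAIL):
        print("!", line)
```

Running it prints five indicators for the constructed message: the mismatched display name, the link whose text says kindhealth.co but whose target is kindhealth-secure.co, the bit.ly link, and the .exe attachment with a double extension. None of these is proof on its own; they are the same cues the list above asks you to look for, just checked by a program instead of by eye.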
Some email and general security tips from eWeek.com (from 2012, but still relevant): Email Security: 10 Steps for Dealing With Dangerous Messages
Report spam and phishing to Google:
From your kindhealth.co gmail inbox:
For spam, select the message and click on the spam button in the toolbar above your message list (the one that looks like a stop sign with an exclamation mark).
To report phishing, open the message and click on the little drop down arrow next to the reply button in the top right corner of the email and select "Report phishing" (you can also report spam this way). For additional details, see Google's instructions.
Why should you protect passwords? Because passwords can be used to:
Gain access to your computer or mobile device and to data on it.
Authorize transactions without your knowledge.
Access programs, files and applications that only you and/or a selected group of others should have access to.
Change passwords and lock you out of your own accounts.
Passwords should be at least eight (8) characters long with a mixture of upper- and lower-case letters, numbers, and symbols. Passwords that can't be this complex should be at least 10 characters long.
Passwords shouldn't be a complete dictionary word in any language spelled forwards or backwards, or a word preceded or followed by a digit (e.g., password1, 1password), your username or login, child's name, pet's name, birthdays, abc123, qwerty123, password1, or anything else easily guessable.
A longer password consisting of several words separated by spaces can actually be more secure and easier to remember than a more complicated, obscure one. (Example)
Be aware that "password cracker" programs check for common symbol substitutions in words, such as "0" for "o" and "$" for "s". Simply substituting common symbols for letters in a dictionary word, e.g. "Pa$$w0rd" instead of "Password," might result in a guessable password even though it technically meets the above requirements.
Use different passwords for different accounts. Also use different passwords for work and non-work.
Passwords should not be examples you have seen in print, such as the ones on this page.
Don't reveal your passwords to anyone, even if they say there’s a good reason.
This includes co-workers and supervisors.
Any reputable service provider will never ask you for your password.
Avoid writing your passwords down.
PASSWORD MANAGERS: Passwords can also be stored securely in free and low-cost "password vault-type" encryption tools, including your computer's keychain.
If you store your passwords in a file on your computer, don't include the word "password," "pwd" or anything along these lines in the filename or in the file, itself.
If you need to write your password down on paper, keep the paper in a locked drawer or cabinet rather than on or under your monitor/keyboard or in a drawer near your computer!
Change initial passwords, password resets and default passwords the first time you log in. These passwords can be extra vulnerable to guessing or hacking.
Ensure that passwords are transmitted securely. Before logging in to a web site, look for "https" (not http) in the URL to indicate that the connection is encrypted. Note that https only protects the connection in transit; phishing sites use https too, so it does not prove the site is legitimate. Check the domain name as well.
Where a service offers additional protection beyond a password, use it. Examples include a one-time code in addition to a password, typically sent via text, app, or voice when you log in (two-step or two-factor verification); thumb scans (biometrics); and lockouts after several incorrect login attempts.
Enable Google's two-step verification for your KindHealth Google account.
Password-protect your mobile device with a strong password. Set it to automatically lock after a short period of inactivity, and be sure your device requires a password to start up or resume activity.
Don't store passwords that provide access to protected data on mobile devices unless they are encrypted.