Posts Tagged ‘security’

A good password is one that cannot be easily guessed

    DO

  • Use a password that contains alphanumeric characters and include punctuation, where supported by the operating system.
  • Use a password with mixed-case letters. Do not just capitalize the first letter, but add uppercase letters throughout the password.
  • Use at least six characters, eight characters for Windows NT.
  • Use a seemingly random selection of letters and numbers.
  • Use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your keyboard (also known as “shoulder surfing”).
  • Change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently the password should be changed. This change stops someone who has already compromised an account from continued access.

    DO NOT

  • Use a network login ID in any form (reversed, capitalized, or doubled) as a password.
  • Use your first, middle or last name or anyone else’s in any form. Do not use your initials or any nicknames you may have or anyone else’s.
  • Use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations.
  • Use other information easily obtained about you. This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
  • Use a password of all numbers, or a password composed only of alphabet characters. Mix numbers and letters.
  • Use dates, e.g., September, SEPT1999, or any combination thereof.
  • Use keyboard sequences, e.g., qwerty.
  • Use a sample password, no matter how good, that you’ve gotten from a book that discusses information and computer security.
  • Use any of the above things spelled backwards, or in caps, or otherwise disguised.
  • Write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others.
  • Use shared accounts. Accountability for group access is extremely difficult.
  • Reveal a password to anyone.

    SUGGESTIONS

Common suggestions for constructing seemingly random passwords are:

  • Use the first letter of each word from a line in a book, song, or poem. For example: “Who ya gonna call? Ghost Busters!” would produce “Wygc?GB!”
  • Use the output from a random password generator. Select a random string that can be pronounced and is easy to remember. For example, the random string “adazac123” can be pronounced a-da-zac, and you can remember it by thinking of it as “A-to-Z, 1 through 3.” Add uppercase letters to create your own emphasis, e.g., aDAzac.2
  • Use two short words connected by punctuation, e.g., T1me#0ff
  • Use numbers and letters to create an imaginary vanity license plate password, e.g., 1H8work!

A common theme of these suggestions is that the password should be easy to remember. Avoid passwords that must be written down to be remembered. If you cannot recall a password and have to write it down, someone in your office may find the written copy and compromise your network identity.
These guidelines and suggestions should enable you to choose strong passwords that will help you improve the security of your system.
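
The DO and DO NOT lists above can be checked automatically when a password is set. The following Python function is an added example, not part of the original post; the name check_password, the small word list, and the keyboard rows are assumptions made for illustration, and a real deployment would load a full dictionary file.

```python
import re

# Small constructed word list standing in for a real dictionary file (assumption).
WORDS = {"password", "september", "welcome", "dragon", "monkey"}
KEY_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")


def variants(token):
    """Forms the DO NOT list rules out: as-is, reversed, doubled (case folded)."""
    t = token.lower()
    return {t, t[::-1], t + t}


def check_password(password, login_id, names=(), min_len=6):
    """Return the guidelines a candidate breaks (min_len=8 for Windows NT)."""
    problems = []
    low = password.lower()
    letters = re.sub(r"[^a-z]", "", low)  # drop digits/punctuation used as padding

    if len(password) < min_len:
        problems.append("too short")
    if password.isdigit() or password.isalpha():
        problems.append("all numbers or all letters")
    elif not re.search(r"[A-Z]", password[1:]) or not re.search(r"[a-z]", password):
        problems.append("no mixed case beyond the first letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no punctuation")
    for token in (login_id, *names):
        if low in variants(token) or letters in variants(token):
            problems.append("based on login ID or name")
            break
    if letters in WORDS or letters[::-1] in WORDS:
        problems.append("dictionary word")
    # Any four consecutive keys from one keyboard row, forwards or backwards.
    if any(low[i:i + 4] in run or low[i:i + 4] in run[::-1]
           for run in KEY_RUNS for i in range(len(low) - 3)):
        problems.append("keyboard sequence")
    if re.search(r"(19|20)\d\d", low) and any(m in low for m in MONTHS):
        problems.append("date")
    return problems
```

An empty list means the candidate passed every check; the acronym-style example from the SUGGESTIONS list, “Wygc?GB!”, passes, while “SEPT1999” and “qwerty” are rejected.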

Additional Notes:
The CERT/CC (Computer Emergency Response Team / Coordination Center), a federally funded organization based at Carnegie Mellon University, estimates that 80% of all network security problems are caused by bad passwords; therefore, good passwords are the simplest and most important part of information security.

Conficker worm poses threat to millions on April 1st

On April 1st, a worm that has been estimated to have infected close to 15 million computers is programmed to ‘call home’ for directions on what to do next. The potential for this threat to cause widespread problems is great, but nobody knows how the infected computers will be manipulated. The programmers of the malware chose the date to confuse individuals, as April 1st is known as a day of pranks.

Regardless of whether or not something detrimental will take place on Wednesday, all computer owners and users should install the necessary protection and Microsoft patches that have been released.

Check us out on the news talking about the threat:

KHON2

KITV4

KHNL8

Additional information online:

http://cyberinsecure.com/days-before-conficker-outbreak-researchers-detect-an-easy-detection-method-for-infected-machines/

http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html

Todd Kingman is the Ring Leader at SuperGeeks

4 Steps toward Data Security

What part of your business do you consider most important?

Is it your employees, your technology, or how about your bank account?

Business owners spend a lot of time putting security measures in place to protect their business assets. This may be in the form of an alarm system for your building, specialized screening for potential hires, or a firewall for your network. All of these systems have something in common: they prevent criminals from walking in off the street and stealing from us.

So what about someone stealing from inside your business? Is your data safe?

A recent study shows that 60% of employees surveyed have stolen information from a company they worked for. We all want to trust our employees, and we should, but the fact is that your data is king. The risk to your data’s security from an act of espionage is an increasing problem as companies make the difficult decision to downsize their staff.

Recently a Fortune 500 company came to us as they were concerned about an employee’s work activity. Upon their request we conducted forensic work on the computer this person used. We discovered that financial records and customer information were emailed to an outside source by that user. With the information collected we assisted in litigation against this individual.

Here are a few steps that you can take to help avoid such a risk:

STEP 1: Understand your data. Take a moment to consider what data you use to conduct business. Whether it is a contact list, financial record, or confidential documentation, in the wrong hands it could be crippling. Decide which data should be restricted, and which should be unrestricted.

STEP 2: Regulate your data. Although you may trust your employee, you should only provide access to things that are related to his job description. Make a list of your employees and decide who sees what data.

STEP 3: Lock it down. There are varying ways this can be done, and it depends on how your network is set up. Most businesses have a server computer that holds data like emails, contacts, and financial records. This is one of the best ways to control access, as accounts can be created that limit a user to specific data on the server. These limitations will do no good if just anyone can log into the server. It should have a password that may only be shared with the business owner and your IT professional.

STEP 4: Monitor your data. Have your IT professional look for any signs that your data has been compromised. Servers have logs of who accessed what and when. Make sure your employees clearly understand the seriousness of breaching a security policy.

- By Todd Kingman the Ring Leader at SuperGeeks

Three data breaches hit Florida, one hits the feds

Another day, another data breach.

If you bought something at a Best Buy store in West Palm Beach, Fla., late last year, or stayed at a Wyndham hotel in Florida last summer, or use a U.S. government travel Web site, you might want to check your credit card statements closely.

Best Buy warned this week that 4,000 customers of a store in West Palm Beach may have had their credit card information stolen when they made their purchases.

The chain terminated the employment of a worker at the store after learning that a skimming device was used to steal data from the magnetic strips on credit cards last November and December, according to an advisory issued by Best Buy (PDF).

Best Buy said it learned of the data breach on January 5 and that the employee was taken into federal custody on January 7.
