What is cybersecurity?

Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. It seems that everything relies on computers and the internet now—communication (e.g., email, smartphones, tablets), entertainment (e.g., interactive video games, social media, apps ), transportation (e.g., navigation systems), shopping (e.g., online shopping, credit cards), medicine (e.g., medical equipment, medical records), and the list goes on. How much of your daily life relies on technology? How much of your personal information is stored either on your own computer, smartphone, tablet or on someone else's system?

What are the risks to having poor cybersecurity?

There are many risks, some more serious than others. Among these dangers are malware erasing your entire system, an attacker breaking into your system and altering files, an attacker using your computer to attack others, or an attacker stealing your credit card information and making unauthorized purchases. There is no guarantee that even with the best precautions some of these things won't happen to you, but there are steps you can take to minimize the chances.

What can you do to improve your cybersecurity?

The first step in protecting yourself is to recognize the risks. Familiarize yourself with the following terms to better understand the risks:

• Hacker, attacker, or intruder — These terms are applied to the people who seek to exploit weaknesses in software and computer systems for their own gain. Although their intentions are sometimes benign and motivated by curiosity, their actions are typically in violation of the intended use of the systems they are exploiting. The results can range from mere mischief (creating a virus with no intentionally negative impact) to malicious activity (stealing or altering information).
• Malicious code — Malicious code (also called malware) is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Various classifications of malicious code include viruses, worms, and Trojan horses. Malicious code may have the following characteristics:
  • It might require you to actually do something before it infects your computer. This action could be opening an email attachment or going to a particular webpage.
  • Some forms of malware propagate without user intervention and typically start by exploiting a software vulnerability. Once the victim computer has been infected, the malware will attempt to find and infect other computers. This malware can also propagate via email, websites, or network-based software.
  • Some malware claims to be one thing, while in fact doing something different behind the scenes. For example, a program that claims it will speed up your computer may actually be sending confidential information to a remote intruder.
• Vulnerabilities — Vulnerabilities are flaws in software, firmware, or hardware that can be exploited by an attacker to perform unauthorized actions in a system. They can be caused by software programming errors. Attackers take advantage of these errors to infect computers with malware or perform other malicious activity.

To minimize the risks of cyberattacks, follow basic cybersecurity best practices:

• Keep software up to date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it. 
• Run up-to-date antivirus software. A reputable antivirus software application is an important protective measure against known malicious threats. It can automatically detect, quarantine, and remove various types of malware. Be sure to enable automatic virus definition updates to ensure maximum protection against the latest threats. Note: Because detection relies on signatures—known patterns that can identify code as malware—even the best antivirus will not provide adequate protections against new and advanced threats, such as zero-day exploits and polymorphic viruses.
• Use strong passwords. Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices. It is best to use long, strong passphrases or passwords that consist of at least 16 characters. 
• Change default usernames and passwords. Default usernames and passwords are readily available to malicious actors. Change default passwords, as soon as possible, to a sufficiently strong and unique password.
• Implement multifactor authentication (MFA). Authentication is a process used to validate a user's identity. Attackers commonly exploit weak authentication processes. MFA uses at least two identity components to authenticate a user's identity, minimizing the risk of a cyber attacker gaining access to an account if they know the username and password.
• Install a firewall. Firewalls may be able to prevent some types of attack vectors by blocking malicious traffic before it can enter a computer system, and by restricting unnecessary outbound communications. Some device operating systems include a firewall. Enable and properly configure the firewall as specified in the device or system owner's manual.
• Be suspicious of unexpected emails. Phishing emails are currently one of the most prevalent risks to the average user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device. Be suspicious of all unexpected emails. 

What unique risks are associated with children?

When a child is using your computer, normal safeguards and security practices may not be sufficient. Children present additional challenges because of their natural characteristics: innocence, curiosity, desire for independence, and fear of punishment. You need to consider these characteristics when determining how to protect your data and the child.

You may think that because the child is only playing a game, or researching a term paper, or typing a homework assignment, they can't cause any harm. But what if, when saving their paper, the child deletes a necessary program file? Or what if they unintentionally visit a malicious web page that infects your computer with a virus? These are just two possible scenarios. Mistakes happen, but children may not realize what they've done or may not tell you what happened because they're afraid of getting punished.

Online predators present another significant threat, particularly to children. Because the nature of the internet is so anonymous, it is easy for people to misrepresent themselves and manipulate or trick other users. Adults often fall victim to these ploys, and children, who are usually much more open and trusting, are even easier targets. Another growing problem is cyberbullying. These threats are even greater if a child has access to email or instant messaging programs, visits chat rooms, and/or uses social networking sites.

What can you do?

• Be involved - Consider activities you can work on together, whether it be playing a game, researching a topic you had been talking about (e.g., family vacation spots, a particular hobby, a historical figure), or putting together a family newsletter. This will allow you to supervise your child's online activities while teaching them good computer habits.
• Keep your computer in an open area - If your computer is in a high-traffic area, you will be able to easily monitor the computer activity. Not only does this accessibility deter children from doing something they know they're not allowed to do, it also gives you the opportunity to intervene if you notice a behavior that could have negative consequences.
• Set rules and warn about dangers - Make sure your child knows the boundaries of what they are allowed to do on the computer. These boundaries should be appropriate for the child's age, knowledge, and maturity, but they may include rules about how long they are allowed to be on the computer, what sites they are allowed to visit, what software programs they can use, and what tasks or activities they are allowed to do.

  You should also talk to children about the dangers of the internet so that they recognize suspicious behavior or activity. Discuss the risks of sharing certain types of information (e.g., that they're home alone) and the benefits to only communicating and sharing information with people they know. The goal isn't to scare them, it's to make them more aware. Make sure to include the topic of cyberbullying in these discussions.

• Monitor computer activity - Be aware of what your child is doing on the computer, including which websites they are visiting. If they are using email, instant messaging, or chat rooms, try to get a sense of who they are corresponding with and whether they actually know them.
• Keep lines of communication open - Let your child know that they can approach you with any questions or concerns about behaviors or problems they may have encountered on the computer.
• Consider partitioning your computer into separate accounts - Most operating systems give you the option of creating a different user account for each user. If you're worried that your child may accidentally access, modify, and/or delete your files, you can give them a separate account and decrease the amount of access and number of privileges they have.

  If you don't have separate accounts, you need to be especially careful about your security settings. In addition to limiting functionality within your browser, avoid letting your browser remember passwords and other personal information. Also, it is always important to keep your virus definitions up to date.

• Consider implementing parental controls - You may be able to set some parental controls within your browser. For example, internet browsers allow you to restrict or allow certain websites to be viewed on your computer, and you can protect these settings with a password.

  There are other resources you can use to control and/or monitor your child's online activity. Some ISPs offer services designed to protect children online. Contact your ISP to see if any of these services are available. There are also special software programs you can install on your computer. Different programs offer different features and capabilities, so you can find one that best suits your needs.

What is cyberbullying?

Cyberbullying is using technology to harass, or bully, someone else. Bullies used to be restricted to methods such as physical intimidation, postal mail, or the telephone, but computers, cell phones, tablets, and other mobile devices offers bullies forums such as email, instant messaging, web pages, and digital photos.

Forms of cyberbullying can range in severity from cruel or embarrassing rumors to threats, harassment, or stalking. It can affect any age group; however, teenagers and young adults are common victims, and cyberbullying is a growing problem in schools.

Why has cyberbullying become such a problem?

The relative anonymity of the internet is appealing for bullies because it enhances the intimidation and makes tracing the activity more difficult. Some bullies also find it easier to be more vicious because there is no personal contact. The internet and email can also increase the visibility of the activity. Information or pictures posted online or forwarded in mass emails can reach a larger audience faster than more traditional methods, causing more damage to the victims. A large amount of personal information is available online, so bullies may be able to arbitrarily choose their victims.

Cyberbullying may also indicate a tendency toward more serious behavior. While bullying has always been an unfortunate reality, most bullies grow out of it. Cyberbullying has not existed long enough to have solid research, but there is evidence that it may be an early warning for violent behavior.

How can you protect yourself or your children?

• Teach your children good online habits. Explain the risks of technology, and teach children how to be responsible online. (See Keeping Children Safe Online for more information.) Reduce their risk of becoming cyberbullies by setting guidelines for and monitoring their use of the internet and other electronic media (cell phones, tablets, etc.).
• Keep lines of communication open. Regularly talk to your children about their online activities so that they feel comfortable telling you if they are being victimized.
• Watch for warning signs. If you notice changes in your child's behavior, try to identify the cause as soon as possible. If cyberbullying is involved, acting early can limit the damage.
• Limit availability of personal information. Limiting the number of people who have access to contact information or details about interests, habits, or employment reduces exposure to bullies that you or your child do not know. This may limit the risk of becoming a victim and may make it easier to identify the bully if you or your child are victimized.
• Avoid escalating the situation. Responding with hostility is likely to provoke a bully and escalate the situation. Depending on the circumstances, consider ignoring the issue. Often, bullies thrive on the reaction of their victims. Other options include subtle actions. For example, you may be able to block the messages on social networking sites or stop unwanted emails by changing the email address. If you continue to get messages at the new email address, you may have a stronger case for legal action.
• Document the activity. Keep a record of any online activity (emails, web pages, instant messages, etc.), including relevant dates and times. In addition to archiving an electronic version, consider printing a copy.
• Report cyberbullying to the appropriate authorities. If you or your child are being harassed or threatened, report the activity. Many schools have instituted anti-bullying programs, so school officials may have established policies for dealing with activity that involves students. If necessary, contact your local law enforcement. Law enforcement agencies have different policies, but your local police department or Federal Bureau of Investigation (FBI) branch are good starting points.

How can I minimize the access others have to my information?

It may be easy to identify people who could gain physical access to your devices—family members, roommates, coworkers, people nearby, and others. Identifying the people who have the capability to gain remote access to your devices is not as simple—as long as your device is connected to the internet, you are at risk for someone accessing your information. However, you can significantly reduce your risk by developing habits that make it more difficult.

• Improve password security. Passwords are one of the most vulnerable cyber defenses. Improve your password security by doing the following
  • Create a strong password. Use a strong password that is unique for each device or account. Longer passwords are more secure. An option to help you create a long password is using a passphrase—four or more random words grouped together and used as a password. To create strong passwords, the National Institute of Standards and Technology (NIST) suggests using simple, long, and memorable passwords or passphrases. 
  • Consider using a password manager. Password manager applications manage different accounts and passwords while having added benefits, including identifying weak or repeated passwords. There are many different options, so start by looking for an application that has a large install base (e.g., 1 million plus) and an overall positive review. Properly using one of these password managers may help improve your overall password security.
  • Use multifactor authentication, if available. Multifactor authentication (MFA) is a more secure method of authorizing access. It requires two out of the following three types of credentials: something you know (e.g., a password or personal identification number [PIN]), something you have (e.g., a token or ID card), and something you are (e.g., a biometric fingerprint). Because one of the required credentials requires physical presence, this step makes it more difficult for a threat actor to compromise your device. 
  • Use security questions properly. For accounts that ask you to set up one or more password reset questions, use private information about yourself that only you would know. Answers that can be found on your social media or facts everyone knows about you can make it easier for someone to guess your password.
  • Create unique accounts for each user per device. Set up individual accounts that allow only the access and permissions needed by each user. When you need to grant daily use accounts administrative permissions, do so only temporarily. This precaution reduces the impact of poor choices, such as clicking on phishing emails or visiting malicious websites.
• Choose secure networks. Use internet connections you trust, such as your home service or Long-Term Evolution connection through your wireless carrier. Public networks are not very secure, which makes it easy for others to intercept your data. If you choose to connect to open networks, consider using antivirus and firewall software on your device or using a Virtual Private Network service, which allows you to connect to the internet securely by keeping your exchanges private. When setting up your home wireless network, use Wi-Fi Protected Accessed 3 (WPA3) encryption. All other wireless encryption methods are outdated and more vulnerable to exploitation. 
• Keep all of your personal electronic device software current. Manufacturers issue updates as they discover vulnerabilities in their products. Automatic updates make this easier for many devices—including computers, phones, tablets, and other smart devices—but you may need to manually update other devices. Only apply updates from manufacturer websites and built-in application stores—third-party sites and applications are unreliable and can result in an infected device. When shopping for new connected devices, consider the brand's consistency in providing regular support updates.
• Be suspicious of unexpected emails. Phishing emails are currently one of the most prevalent risks to the average user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device. Be suspicious of all unexpected emails. 

How do you know if your privacy is being protected?

• Privacy policy — Before submitting your name, email address, or other personal information on a website, look for the site's privacy policy. This policy should state how the information will be used and whether or not the information will be distributed to other organizations. Companies sometimes share information with partner vendors who offer related products or may offer options to subscribe to particular mailing lists. Look for indications that you are being added to mailing lists by default—failing to deselect those options may lead to unwanted spam. If you cannot find a privacy policy on a website, consider contacting the company to inquire about the policy before you submit personal information, or find an alternate site. Privacy policies sometimes change, so you may want to review them periodically.
• Evidence that your information is being encrypted — To prevent attackers from stealing your personal information, online submissions should be encrypted so that it can only be read by the appropriate recipient. Many sites use Secure Sockets Layer (SSL) or Hypertext Transport Protocol Secure (HTTPS). A lock icon in the bottom right corner of the window indicates that your information will be encrypted. Some sites also indicate whether the data is encrypted when it is stored. If data is encrypted in transit but stored non-securely, an attacker who is able to break into the vendor's system could access your personal information.

What additional steps can you take to protect your privacy?

• Do business with credible companies. Before supplying any information online, consider the answers to the following questions: Do you trust the business? Is it an established organization with a credible reputation? Does the information on the site suggest that there is a concern for the privacy of user information? Is legitimate contact information provided? If you answered "No" to any of these questions, avoid doing business online with these companies.
• Do not use your primary email address in online submissions. Submitting your email address could result in spam. If you do not want your primary email account flooded with unwanted messages, consider opening an additional email account for use online. Make sure to log in to the account on a regular basis in case the vendor sends information about changes to policies.
• Avoid submitting credit card information online. Some companies offer a phone number you can use to provide your credit card information. Although this does not guarantee that the information will not be compromised, it eliminates the possibility that attackers will be able to hijack it during the submission process.
• Devote one credit card to online purchases. To minimize the potential damage of an attacker gaining access to your credit card information, consider opening a credit card account for use only online. Keep a minimum credit line on the account to limit the amount of charges an attacker can accumulate.
• Avoid using debit cards for online purchases. Credit cards usually offer some protection against identity theft and may limit the monetary amount you will be responsible for paying. Debit cards, however, do not offer that protection. Because the charges are immediately deducted from your account, an attacker who obtains your account information may empty your bank account before you even realize it.
• Take advantage of options to limit exposure of private information. Default options on certain websites may be chosen for convenience, not for security. For example, avoid allowing a website to remember your password. If your password is stored, your profile and any account information you have provided on that site is readily available if an attacker gains access to your computer. Also, evaluate your settings on websites used for social networking. The nature of those sites is to share information, but you can restrict access to limit who can see what. 

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

• Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
• Epidemics and health scares (e.g., H1N1, COVID-19)
• Economic concerns (e.g., IRS scams)
• Major political elections
• Holidays

What is a vishing attack?

Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public's misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.

What is a smishing attack?

Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.

What are common indicators of phishing attempts?

• Suspicious sender's address. The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
• Generic greetings and signature. Both a generic greeting—such as "Dear Valued Customer" or "Sir/Ma'am"—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
• Spoofed hyperlinks and websites. If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
• Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
• Suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.

How do you avoid being a victim?

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Don't send sensitive information over the internet before checking a website's security. 
  • Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with "https"—an indication that sites are secure—rather than "http."
  • Look for a closed padlock icon—a sign your information will be encrypted.
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group. 
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. 
• Take advantage of any anti-phishing features offered by your email client and web browser.
• Enforce multifactor authentication (MFA).

What do you do if you think you are a victim?

• If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
• If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
• Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
• Watch for other signs of identity theft. 
• Consider reporting the attack to the police, and file a report with the Federal Trade Commission.

What is ransomware?

Ransomware is a type of malware threat actors use to infect computers and encrypt computer files until a ransom is paid. After the initial infection, ransomware will attempt to spread to connected systems, including shared storage drives and other accessible computers.

If the threat actor’s ransom demands are not met (i.e., if the victim does not pay the ransom), the files or encrypted data will usually remain encrypted and unavailable to the victim. Even after a ransom has been paid to unlock encrypted files, threat actors will sometimes demand additional payments, delete a victim’s data, refuse to decrypt the data, or decline to provide a working decryption key to restore the victim’s access. The Federal Government does not support paying ransomware demands. 

How does ransomware work?

Ransomware identifies the drives on an infected system and begins to encrypt the files within each drive. Ransomware generally adds an extension to the encrypted files, such as .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, .cryptolocker, .vault, or .petya, to show that the files have been encrypted—the file extension used is unique to the ransomware type.

Once the ransomware has completed file encryption, it creates and displays a file or files containing instructions on how the victim can pay the ransom. If the victim pays the ransom, the threat actor may provide a cryptographic key that the victim can use to unlock the files, making them accessible.

How is ransomware delivered?

Ransomware is commonly delivered through phishing emails or via “drive-by downloads.” Phishing emails often appear as though they have been sent from a legitimate organization or someone known to the victim and entice the user to click on a malicious link or open a malicious attachment. A “drive-by download” is a program that is automatically downloaded from the internet without the user’s consent or often without their knowledge. It is possible the malicious code may run after download, without user interaction. After the malicious code has been run, the computer becomes infected with ransomware.

What can I do to protect my data and networks?

• Back up your computer. Perform frequent backups of your system and other important files, and verify your backups regularly. If your computer becomes infected with ransomware, you can restore your system to its previous state using your backups.  
• Store your backups separately. Best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive. Once the backup is completed, make sure to disconnect the external hard drive, or separate device from the network or computer.
• Train your organization. Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails.

What can I do to prevent ransomware infections?

• Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches. Vulnerable applications and OSs are the target of most ransomware attacks. 
• Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's helpdesk, search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net). 
• Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.
• Keep your personal information safe. Check a website’s security to ensure the information you submit is encrypted before you provide it. 
• Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.
• Inform yourself. Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website. You may also want to sign up for CISA product notifications, which will alert you when a new Alert, Analysis Report, Bulletin, Current Activity, or Tip has been published.
• Use and maintain preventative software programs. Install antivirus software, firewalls, and email filters—and keep them updated—to reduce malicious network traffic. 

How do I respond to a ransomware infection?

• Follow the Ransomware Response Checklist on p. 11 of the CISA-MS-ISAC Joint Ransomware Guide.
• Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.

What do I do if my computer is infected with ransomware?

• Home users: immediately contact your local FBI office or local U.S. Secret Service office to request assistance.
• Organizations: immediately report ransomware incidents to your IT helpdesk or security office.
• All users: change all system passwords once the ransomware has been removed. You can submit ransomware files to CISA for analysis via https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf. 

What is malicious code?

Malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Various classifications of malicious code include viruses, worms, and Trojan horses.

• Viruses have the ability to damage or destroy files on a computer system and are spread by sharing an already infected removable media, opening malicious email attachments, and visiting malicious web pages.
• Worms are a type of virus that self-propagates from computer to computer. Its functionality is to use all of your computer's resources, which can cause your computer to stop responding.
• Trojan Horses are computer programs that are hiding a virus or a potentially damaging program. It is not uncommon that free software contains a Trojan horse making a user think they are using legitimate software, instead the program is performing malicious actions on your computer.
• Malicious data files are non-executable files—such as a Microsoft Word document, an Adobe PDF, a ZIP file, or an image file—that exploits weaknesses in the software program used to open it. Attackers frequently use malicious data files to install malware on a victim's system, commonly distributing the files via email, social media, and websites.

How can you protect yourself against malicious code?

Following these security practices can help you reduce the risks associated with malicious code:

• Install and maintain antivirus software. Antivirus software recognizes malware and protects your computer against it. Installing antivirus software from a reputable vendor is an important step in preventing and detecting infections. Always visit vendor sites directly rather than clicking on advertisements or email links. Because attackers are continually creating new viruses and other forms of malicious code, it is important to keep your antivirus software up-to-date.
• Use caution with links and attachments. Take appropriate precautions when using email and web browsers to reduce the risk of an infection. Be wary of unsolicited email attachments and use caution when clicking on email links, even if they seem to come from people you know. 
• Block pop-up advertisements. Pop-up blockers disable windows that could potentially contain malicious code. Most browsers have a free feature that can be enabled to block pop-up advertisements.
• Use an account with limited permissions. When navigating the web, it's a good security practice to use an account with limited permissions. If you do become infected, restricted permissions keep the malicious code from spreading and escalating to an administrative account.
• Disable external media AutoRun and AutoPlay features. Disabling AutoRun and AutoPlay features prevents external media infected with malicious code from automatically running on your computer.
• Change your passwords. If you believe your computer is infected, change your passwords. This includes any passwords for websites that may have been cached in your web browser. Create and use strong passwords, making them difficult for attackers to guess. 
• Keep software updated. Install software patches on your computer so attackers do not take advantage of known vulnerabilities. Consider enabling automatic updates, when available. 
• Back up data. Regularly back up your documents, photos, and important email messages to the cloud or to an external hard drive. In the event of an infection, your information will not be lost.
• Install or enable a firewall. Firewalls can prevent some types of infection by blocking malicious traffic before it enters your computer. Some operating systems include a firewall; if the operating system you are using includes one, enable it. 
• Use anti-spyware tools. Spyware is a common virus source, but you can minimize infections by using a program that identifies and removes spyware. Most antivirus software includes an anti-spyware option; ensure you enable it.
• Monitor accounts. Look for any unauthorized use of, or unusual activity on, your accounts—especially banking accounts. If you identify unauthorized or unusual activity, contact your account provider immediately.
• Avoid using public Wi-Fi. Unsecured public Wi-Fi may allow an attacker to intercept your device's network traffic and gain access to your personal information.

What do you need to know about antivirus software?

Antivirus software scans computer files and memory for patterns that indicate the possible presence of malicious code. You can perform antivirus scans automatically or manually.

• Automatic scans — Most antivirus software can scan specific files or directories automatically. New virus information is added frequently, so it is a good idea to take advantage of this option.
• Manual scans — If your antivirus software does not automatically scan new files, you should manually scan files and media you receive from an outside source before opening them, including email attachments, web downloads, CDs, DVDs, and USBs.

Although anti-virus software can be a powerful tool in helping protect your computer, it can sometimes induce problems by interfering with the performance of your computer. Too much antivirus software can affect your computer's performance and the software's effectiveness.

• Investigate your options in advance. Research available antivirus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes and how frequently the virus definitions are updated. Also, check for known compatibility issues with other software you may be running on your computer.
• Limit the number of programs you install. Packages that incorporate both antivirus and anti-spyware capabilities together are now available. If you decide to choose separate programs, you only need one antivirus program and one anti-spyware program. Installing more programs increases your risk for problems.

There are many antivirus software program vendors, and deciding which one to choose can be confusing. Antivirus software programs all typically perform the same type of functions, so your decision may be based on recommendations, features, availability, or price. Regardless of which package you choose, installing any antivirus software will increase your level of protection.

How do you recover if you become a victim of malicious code?

Using antivirus software is the best way to defend your computer against malicious code. If you think your computer is infected, run your antivirus software program. Ideally, your antivirus program will identify any malicious code on your computer and quarantine them so they no longer affect your system. You should also consider these additional steps:

• Minimize the damage. If you are at work and have access to an information technology (IT) department, contact them immediately. The sooner they can investigate and "clean" your computer, the less likely it is to cause additional damage to your computer—and other computers on the network. If you are on a home computer or laptop, disconnect your computer from the internet; this will prevent the attacker from accessing your system.
• Remove the malicious code. If you have antivirus software installed on your computer, update the software and perform a manual scan of your entire system. If you do not have antivirus software, you can purchase it online or in a computer store. If the software cannot locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all of the appropriate patches to fix known vulnerabilities.

Threats to your computer will continue to evolve. Although you cannot eliminate every hazard, by using caution, installing and using antivirus software, and following other simple security practices, you can significantly reduce your risk and strengthen your protection against malicious code.

Is identity theft just a problem for people who submit information online?

You can be a victim of identity theft even if you never use a computer. Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving), or picking up a receipt at a restaurant that has your account number on it. If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts, or apply for loans.

The internet has made it easier for thieves to obtain personal and financial data. Most companies and other institutions store information about their clients in databases; if a thief can access that database, he or she can obtain information about many people at once rather than focus on one person at a time. The internet has also made it easier for thieves to sell or trade the information, making it more difficult for law enforcement to identify and apprehend the criminals.

How are victims of online identity theft chosen?

Identity theft is usually a crime of opportunity, so you may be victimized simply because your information is available. Thieves may target customers of certain companies for a variety of reasons; for example, a company database is easily accessible, the demographics of the customers are appealing, or there is a market for specific information. If your information is stored in a database that is compromised, you may become a victim of identity theft.

Are there ways to avoid being a victim?

Unfortunately, there is no way to guarantee that you will not be a victim of online identity theft. However, there are ways to minimize your risk:

• Do business with reputable companies — Before providing any personal or financial information, make sure that you are interacting with a reputable, established company. Some attackers may try to trick you by creating malicious web sites that appear to be legitimate, so you should verify the legitimacy before supplying any information. 
• Take advantage of security features — Passwords and other security features add layers of protection if used appropriately. 
• Check privacy policies — Take precautions when providing information, and make sure to check published privacy policies to see how a company will use or distribute your information. Many companies allow customers to request that their information not be shared with other companies; you should be able to locate the details in your account literature or by contacting the company directly.
• Be careful what information you publicize — Attackers may be able to piece together information from a variety of sources. Avoid posting personal data in public forums. 
• Use and maintain anti-virus software and a firewall — Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall. Make sure to keep your virus definitions up to date.
• Be aware of your account activity — Pay attention to your statements, and check your credit report yearly. You are entitled to a free copy of your credit report from each of the main credit reporting companies once every twelve months. 

How do you know if your identity has been stolen?

Companies have different policies for notifying customers when they discover that someone has accessed a customer database. However, you should be aware of changes in your normal account activity. The following are examples of changes that could indicate that someone has accessed your information:

• unusual or unexplainable charges on your bills
• phone calls or bills for accounts, products, or services that you do not have
• failure to receive regular bills or mail
• new, strange accounts appearing on your credit report
• unexpected denial of your credit card

What can you do if you suspect or know that your identity has been stolen?

Recovering from identity theft can be a long, stressful, and potentially costly process. Many credit card companies have adopted policies that try to minimize the amount of money you are liable for, but the implications can extend beyond your existing accounts. To minimize the extent of the damage, take action as soon as possible:

• Start by visiting IdentityTheft.gov — This is a trusted, one-stop resource to help you report and recover from identity theft. Information provided here includes checklists, sample letters, and links to other resources.
• Possible next steps in the process — You may need to contact credit reporting agencies or companies where you have accounts, file police or other official reports, and consider other information that may have been compromised.

Why you need strong passwords

You probably use personal identification numbers (PINs), passwords, or passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Tracking all of the number, letter, and word combinations may be frustrating, but these protections are important because hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of non-secure and inadequate passwords. Once a system is compromised, it is open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone's birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to "Il!2pBb." creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should consider using the longest password or passphrase permissible (8—64 characters) when you can. For example, "Pattern2baseball#4mYmiemale!" would be a strong password because it has 28 characters and includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—for example, some applications limit the length of passwords and some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don'ts

Once you've come up with a strong, memorable password it's tempting to reuse it—don't! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to your other accounts with the same password. Use the following techniques to develop unique passwords for each of your accounts:

• Use different passwords on different systems and accounts.
• Use the longest password or passphrase permissible by each password system.
• Develop mnemonics to remember complex passwords.
• Consider using a password manager program to keep track of your passwords. 
• Do not use passwords that are based on personal information that can be easily accessed or guessed.
• Do not use words that can be found in any dictionary of any language.

How to protect your passwords

After choosing a password that's easy to remember but difficult for others to guess, do not write it down and leave it someplace where others can find it. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, makes it easily accessible for someone with physical access to your office. Do not tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. 

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a primary password. If you use a password manager, remember to use a strong primary password.

Password problems can stem from your web browsers' ability to save passwords and your online sessions in memory. Depending on your web browsers' settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There's no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

Don't forget security basics

• Keep your operating system, browser, and other software up to date.
• Use and maintain antivirus software and a firewall. 
• Regularly scan your computer for spyware. (Some antivirus programs incorporate spyware detection.)
• Use caution with email attachments and untrusted links.
• Watch for suspicious activity on your accounts.

Why aren't passwords sufficient?

Passwords are a good first layer of protection, but attackers can guess or intercept passwords. Additional security measures can protect you even if an attacker does obtain your password. You can strengthen that first layer of protection by avoiding passwords based on personal information or words found in the dictionary; building passwords from combinations of numbers, special characters, and lowercase and capital letters; and not sharing your passwords with anyone else.

What additional levels of security are available?

Multi-factor authentication, simultaneously using multiple pieces of information to verify your identity, is becoming more common. (You may see multi-factor authentication (MFA) advertised as two-factor authentication.) Even if an attacker obtains your password, he may not be able to access your account if it’s protected by MFA. The theory behind this approach is similar to requiring two or more forms of identification or two keys to open a safe deposit box. You should turn on MFA where it’s available. Authentication categories include something you know (e.g., answers to secret questions or passwords); something you have (e.g., a token or other item in your possession); and something you are (e.g., a biometric measure such as a fingerprint).

Something you know – This includes passwords or pre-established answers to questions. (See tips below for setting up good answers to these “secret questions.”)

Something you have – This could be a small physical token such as a smart card, a special key fob, or USB drive. You might use this token in conjunction with a password to log into an account. However, software-based tokens are also common. These software-based tokens can generate a single-use login personal identification number (PIN). Other variations include SMS messages, phone calls, or emails sent to the user with a verification PIN. These token PINs can often be used only once and are voided immediately after use. So, even if an attacker intercepts the exchange, the attacker will not be able to use the information again to access your account.

Something you are – Biometric identification can include scanning of eyes (retinas or irises) or fingerprints, other facial recognition, voice recognition, or authentication through signatures or keystroke movements. A common example of biometric identification is the fingerprint scanner used to sign in users on many modern smartphones.

Another form of verification is the use of personal web certificates. Unlike certificates used to identify web sites, personal web certificates are used to identify individual users. A website using personal web certificates relies on these certificates and the authentication process of the corresponding public/private keys to verify that you are who you claim to be. Because information identifying you is embedded within the certificate, an additional password is unnecessary. However, you should have a password to protect your private key so that attackers can't gain access to your key and represent themselves as you. This process is similar to MFA, but it differs in this way: the password protecting your private key is used to decrypt the information on your computer and is never sent over the network.

What other measures keep your passwords secure?

IT security professionals and administrators should implement the following security measures to help further protect passwords:

• "Salt and hash" passwords. Salting is the addition of unique, random characters to the password before it is hashed. The salt value should be no less than 32 bits in length. Hashing is the process of scrambling a password using a set algorithm.
• Use strong authentication recovery mechanisms. Weak authentication recovery mechanisms can be misused to allow an attacker to gain unauthorized access to an affected system. Strong mechanisms prevent unauthorized access to an account or to reset the user's password.
• Implement an account lockout policy. Account lockout should initiate after a pre-defined number of failed attempts.
• Set accounts to automatically disable. Accounts should be disabled after being inactive for a pre-defined amount of time.

What if you lose your password or certificate?

Perhaps you've forgotten your password or you've reformatted your computer and lost your personal web certificate. Most organizations have procedures for giving you access to your information in these situations. For the best security, keep information on your account up to date. This includes alternate email addresses or phone numbers that can help verify your identity if you forget your password.

In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on secret questions.

When you open a new account (e.g., email, credit card), some organizations will prompt you to provide them with the answer to a question. They may ask you this question if you forget your password or request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. In theory, secret questions and answers can protect your information. However, common secret questions ask for mother's maiden name, social security number, date of birth, or your pet's name. Because so much personal information is now available online or through other public sources, attackers may be able to discover the answers to these questions.

Realize that the secret question is really just an additional password. When establishing the answer, you don't have to supply real information. In fact, if you’re asked to provide a pre-established answer, dishonesty may be the best policy. Choose your answer as you would choose any other good password, store it in a secure location (e.g., in a password manager), and don't share it with other people.

While additional security practices offer you more protection than a password alone, they should not be considered completely effective. Increasing the level of security only makes it more difficult for attackers to access your information. Be aware of MFA and other security practices when choosing a bank, credit card company, or other organization that will have access to your personal information. Don't be afraid to ask what kind of security practices the organization uses.

Why is it important to dispose of electronic devices safely?

In addition to effectively securing sensitive information on electronic devices, it is important to follow best practices for electronic device disposal. Computers, smartphones, and cameras allow you to keep a great deal of information at your fingertips, but when you dispose of, donate, or recycle a device you may inadvertently disclose sensitive information, which could be exploited by cyber criminals.

Types of electronic devices include:

• Computers, smartphones, and tablets — electronic devices that can automatically store and process data; most contain a central processing unit and memory, and use an operating system that runs programs and applications;
• Digital media — these electronic devices create, store, and play digital content. Digital media devices include items like digital cameras and media players;
• External hardware and peripheral devices — hardware devices that provide input and output for computers, such as printers, monitors, and external hard drives; these devices contain permanently stored digital characters; and
• Gaming consoles — electronic, digital, or computer devices that output a video signal or visual image to display a video game.

What are some effective methods for removing data from your device?

There are a variety of methods for permanently erasing data from your devices (also called sanitizing). Because methods of sanitization vary according to device, it is important to use the method that applies to that particular device.

Before sanitizing a device, consider backing up your data. Saving your data to another device or a second location (e.g., an external hard drive or the cloud) can help you recover your data if you accidently erase information you had not intended to or if your device is stolen (this can also help you identify exactly what information a thief may have been able to access). Options for digital storage include cloud data services, CDs, DVDs, and removable flash drives or removable hard drives (see Using Caution with USB Drives for more information).

Methods for sanitization include:

• Deleting data. Removing data from your device can be one method of sanitization. When you delete files from a device—although the files may appear to have been removed—data remains on the media even after a delete or format command is executed. Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting "delete" from the menu. Even if you empty the trash, the deleted files are still on device and can be retrieved. Permanent data deletion requires several steps.
  • Computers. Use a disk cleaning software designed to permanently remove the data stored on a computer hard drive to prevent the possibility of recovery.
    • Secure erase. This is a set of commands in the firmware of most computer hard drives. If you select a program that runs the secure erase command set, it will erase the data by overwriting all areas of the hard drive.
    • Disk wiping. This is a utility that erases sensitive information on hard drives and securely wipes flash drives and secure digital cards.
  • Smartphones and tablets. Ensure that all data is removed from your device by performing a "hard reset." This will return the device to its original factory settings. Each device has a different hard reset procedure, but most smartphones and tablets can be reset through their settings. In addition, physically remove the memory card and the subscriber identity module card, if your device has one.
  • Digital cameras, media players, and gaming consoles. Perform a standard factory reset (i.e., a hard reset) and physically remove the hard drive or memory card.
  • Office equipment (e.g., copiers, printers, fax machines, multifunction devices). Remove any memory cards from the equipment. Perform a full manufacture reset to restore the equipment to its factory default.
• Overwriting. Another method of sanitization is to delete sensitive information and write new binary data over it. Using random data instead of easily identifiable patterns makes it harder for attackers to discover the original information underneath. Since data stored on a computer is written in binary code—strings of 0s and 1s—one method of overwriting is to zero-fill a hard disk and select programs that use all zeros in the last layer. Users should overwrite the entire hard disk and add multiple layers of new data (three to seven passes of new binary data) to prevent attackers from obtaining the original data.
  • Cipher.exe is a built-in command-line tool in Microsoft Windows operating systems that can be used to encrypt or decrypt data on New Technology File System drives. This tool also securely deletes data by overwriting it.
  • Clearing is a level of media sanitation that does not allow information to be retrieved by data, disk, or file recovery utilities. The National Institute of Standards and Technology (NIST) notes that devices must be resistant to keystroke recovery attempts from standard input devices (e.g., a keyboard or mouse) and from data scavenging tools.
• Destroying. Physical destruction of a device is the ultimate way to prevent others from retrieving your information. Specialized services are available that will disintegrate, burn, melt, or pulverize your computer drive and other devices. These sanitization methods are designed to completely destroy the media and are typically carried out at an outsourced metal destruction or licensed incineration facility. If you choose not to use a service, you can destroy your hard drive by driving nails or drilling holes into the device yourself. The remaining physical pieces of the drive must be small enough (at least 1/125 inches) that your information cannot be reconstructed from them. There are also hardware devices available that erase CDs and DVDs by destroying their surface.
  • Magnetic media degaussers. Degaussers expose devices to strong magnetic fields that remove the data that is magnetically stored on traditional magnetic media.
  • Solid-state destruction. The destruction of all data storage chip memory by crushing, shredding, or disintegration is called solid-state destruction. Solid-State Drives should be destroyed with devices that are specifically engineered for this purpose.
  • CD and DVD destruction. Many office and home paper shredders can shred CDs and DVDs (be sure to check that the shredder you are using can shred CDs and DVDs before attempting this method).

How can you safely dispose of out-of-date electronic devices?

Electronic waste (sometimes called e-waste) is a term used to describe electronics that are nearing the end of their useful life and are discarded, donated, or recycled. Although donating and recycling electronic devices conserves natural resources, you may still choose to dispose of e-waste by contacting your local landfill and requesting a designated e-waste drop off location. Be aware that although there are many options for disposal, it is your responsibility to ensure that the location chosen is reputable and certified.