Ottaway Communications, Inc.

Mistakes That Will Compromise Your Site’s Security

Credentials Protection



  1. Do not store the credentials (username
    and password) in an insecure place.


    • This includes when your browser asks you if you
      want to save your password.  Stored passwords are not fully
      protected.

    • This includes in plain text in a password
      file.

    • This includes in an email account.

    • This includes on a piece of paper left
      out in the open.


      • Lock a written password
        away.


    • This includes in an unlocked rolodex or file
      cabinet.


  2. Do not send credentials to others over
    email.


    • If you need to give someone the login
      credentials, call them, but limit the information as much as
      possible.


      • Try to be as obscure as possible because
        phone calls can be intercepted. If you give out the username, password,
        and web address, anyone who hears that
        information doesn’t just have the credentials, but they have the
        location as well.  They can log in and make changes, cause
        damage, download sensitive information, etc.

      • Do not text (SMS) the
        information.


        • It is a little-known fact that employees at
          cell phone companies can read all text messages in plain
          text.

        • It is also a fact that your text messages
          can be intercepted by a third party with the correct software and a
          configured wireless router.


      • People can also listen to your call from
        nearby.  Make sure that no one is listening before giving out
        sensitive information.


  3. Change your passwords periodically.


    • At least twice a year, preferably every three
      months.


  4. Choose passwords that are difficult to
    guess.


    • When selecting passwords, use a combination of
      uppercase and lowercase letters.

    • Use at least 8 characters.

    • Include at least one number.

    • Adding a punctuation character greatly
      increases password security.


      • So does using more than one word, or
        eliminating vowels from single words.


    • When implementing these procedures, use
      something memorable, but do not be obvious.


      • Making your password “password” is extremely
        obvious.


        • Password1 is obvious.

        • #PssWrd5 is far
          less obvious.

        • #CellarDoors5 is memorable and not
          obvious.

        • #cLLrDrs5 is very secure, while still being
          memorable.


          • Do not use any of the
            suggested passwords in this
            memo.


      • Using your name or username as your password
        is obvious.


  5. Ensure that no one is watching you as you type in
    your credentials.


    • This includes cameras, coworkers, family
      members, friends, guys with binoculars, and little robotic
      insects.
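An added example, not part of the memo, that checks a candidate password against the rules in item 4 of the Credentials Protection section above. The function and rule names are my own labels for the memo's bullet points; the denylist is the memo's own sample passwords, which it says must not be used.

```python
import string

# The memo's own sample passwords; item 4 says none of them may be used.
MEMO_SAMPLE_PASSWORDS = {
    "password", "Password1", "#PssWrd5", "#CellarDoors5", "#cLLrDrs5",
}


def check_password(candidate: str, username: str = "") -> dict:
    """Map each rule in item 4 of the memo to True if the candidate satisfies it."""
    lowered = candidate.lower()
    obvious_terms = {"password"}
    if username:
        obvious_terms.add(username.lower())
    return {
        # "use a combination of uppercase and lowercase letters"
        "mixed_case": any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate),
        # "Use at least 8 characters"
        "min_8_chars": len(candidate) >= 8,
        # "Include at least one number"
        "has_digit": any(c.isdigit() for c in candidate),
        # "Adding a punctuation character greatly increases password security"
        "has_punctuation": any(c in string.punctuation for c in candidate),
        # "password" and your name/username as the password are obvious;
        # checking them as substrings also rejects variants like Password1
        "not_obvious": not any(term in lowered for term in obvious_terms),
        # "Do not use any of the suggested passwords in this memo"
        "not_memo_sample": candidate not in MEMO_SAMPLE_PASSWORDS,
    }


def meets_memo_rules(candidate: str, username: str = "") -> bool:
    """True only when every rule from item 4 is satisfied."""
    return all(check_password(candidate, username).values())


def failed_rules(candidate: str, username: str = "") -> list:
    """Names of the rules the candidate fails, in a stable order."""
    return [name for name, ok in check_password(candidate, username).items() if not ok]


if __name__ == "__main__":
    # Constructed inputs: the memo's own samples plus one new password and username.
    for pw in ["password", "Password1", "#cLLrDrs5", "#SmallRiver7"]:
        print(f"{pw!r:16} failed: {failed_rules(pw, username='jsmith')}")
```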

Email


  1. Never send usernames or passwords in
    emails.

    • Email traffic is not necessarily secure from
      viewing by a third party.

      • Emails sent by any email program that does not
        use https in the address can be seen by other people on the
        web.

  2. When logging on to webmail, make sure the address
    is in this format: https://www.domain.com:2083


    • This ensures that any passwords or emails are
      secure.
    • If any information transmission is intercepted,
      it is encrypted and therefore unusable by a third party.

  3. If using an email program, ensure in the
    settings that you are using a secure connection on port 587.

    • If you do not understand this, please consult an
      IT person or look through the Help section for your program.

  4. Do not send emails or log in to your email on a
    computer that you are not certain you can trust, even if it is your
    own.

    • If you suspect that your computer may be
      infected by malicious software, programs such as a keylogger may not only
      share your credentials with a third party, but may also log other personal
      information such as social security numbers and credit cards.

      • Just because you are on a secure website, or
        just because your password is hidden in the password field, does not
        prevent a keylogger from recording everything you type and sending it to
        someone else.

  5. Do not give out your email address and password to
    websites that will “add contacts” from your address book.

    • There may be reputable sites that offer this
      service, but it is always safer just to add your contacts
      yourself.

Browsing The Internet From Your Work Computer

“Work computer” is defined as any computer that
you use to log into work-related websites, services, or networks.  This
includes, but is not limited to, shopping cart admin areas, merchant
accounts, content management systems, domain management accounts, FTP,
VPN, remote desktop connections, databases, and control
panels.  The best policy for browsing the
internet for purposes unrelated to work from your work computer is:
don’t.  If you accidentally download a virus or
malware, then a third party may have access to all of your
information, passwords, customer information, programs, etc.  If you must
browse the internet, see the rules below.



  1. Any website that asks for your username and
    password to an account other than the one on the website is automatically
    suspect.  If you come across one of these, leave
    immediately.


    • For example, if you’re on
      UntrustableWebsite.com, and they ask for your Facebook Username and Password
      in order to add an app to your page, even if you have an account with
      UntrustableWebsite.com, you should pass on providing the information, and
      possibly never return to that site again.


  2. Limit browsing to known websites.


    • It is a good idea not to click on links to
      websites you have never been to before.  If you do not know what is on
      the other side of a link, you may compromise your work
      computer.


  3. Avoid downloading executable files from the
    internet.


    • A work computer is intended for performing
      work.  If you are going to use it for that purpose, downloading a
      program from an unknown author because you want to play online tennis is an
      unnecessary risk to your computer’s integrity that doesn’t meet the intended
      purpose of the machine in the first place.

    • Just because a program comes from its
      own website doesn’t mean the program is trustworthy.
      BikiniTennisMasters.com can still provide spyware for you to download with
      the lure of a flashy tennis game.  Only download programs from well-known
      companies.


  4. Do not transmit sensitive information on
    nonsecure websites.


    • A website is generally secure if it has
      https:// in the web
      address.


      • Unfortunately, many forms exist on pages that
        are not secure, while the locations that the forms send the information to
        are.  This is still secure, but unless you know how to determine
        where a form sends its data before submitting it, it is difficult to
        know whether you can trust the site.  If in doubt, consult your IT
        department.


  5. If a browser does not recognize the certificate
    for a website, do not use the site to transmit sensitive
    information.


    • There are some sites that issue what is called
      a server certificate to themselves.  A server certificate’s only purpose
      is to provide encryption for data, and you can be sure that the information
      you send is definitely going to that server.  However, there is no way
      to know who the server belongs to.  This is why a self-issued
      server certificate is not recognized by the browser.  If you
      definitely know who the server belongs to, you can proceed.


      • An example would be our webmail
        service.  If you log into https://www.yourdomain.com:2083,
        you will see an unrecognized certificate.  Since the website belongs
        to you, you can rest assured that you can trust yourself not to send your
        own sensitive information to a third party or use it for
        malicious purposes.  Further, the information you transmit will be
        encrypted.


  6. Do not surf for or download pirated software,
    music, movies, e-books, whatever.


    • It is not our responsibility to judge what you
      do.  We do, however, need to advise you that many places that provide
      these services do not have any qualms about invading your
      computer.


  7. When you are done making changes to the admin
    area, viewing emails, or using other web applications that require a login,
    log off, close the browser completely (this includes ALL browser windows), or
    both.


Virus/Malware/Spyware Protection

You have to be sure that the computer
you use to process sensitive information, payments, credentials, or anything
else you would not want a third party to see has protection.  We can
provide protection for your website and any sensitive information it stores or
essential business services it provides from hackers on the web, but if your
computer is not safe then our efforts are completely
undermined.



  1. You must maintain security software on any
    computer you use to perform work with sensitive information, accounts,
    or programs.


    • An antivirus program is requisite.


      • Contrary to colloquial wisdom resulting from
        effective marketing from Apple, Apple computers are not immune to
        malicious software.  Apple computers have fewer infections because
        they have less market share.  They still need an antivirus
        program for real protection.


        • Let me reiterate: Even if you own a Mac,
          you still need virus
          protection.


    • If the antivirus program you have does not
      explicitly include malware/spyware protection, you will need to install
      a separate program that handles these types of
      intrusions.


  2. You should periodically scan your
    computer.


    • At least once a month, preferably once a
      week.

    • Most antivirus, anti-malware/spyware programs
      offer settings to complete automatic scans.


      • Usually these programs allow you to set them
        to automatically scan during hours when you will not be using your
        computer.


        • You will need to be sure the computer will
          be on during the auto scan time or else the scan will not take
          place.


  3. Keep all of your software up to date.  This
    includes all programs on your computer, not just
    antivirus.


    • This, too, can usually be a setting in the
      program to automatically perform.

    • Do not forget to keep your Operating System up
      to date as well.

Work Computer Security


  1. Use only
    your own Windows/Mac/Ubuntu/Linux/other user account that is
    password protected.


    • Other members of your
      office should not have access to your computer account.


  2. Do not walk away from
    the computer with your user account open.

  3. If using wireless, send
    your credentials only to a secure wireless router (secure means the
    transmissions are encrypted).

  4. You must be absolutely
    sure that the wireless router you are using is transmitting secure
    communications or you are allowing anyone within range to intercept and view
    the information you are sending or receiving.

  5. If you are not sure
    whether the wireless router you are attempting to connect to is secure,
    either do not use it or consult an IT professional.

  6. If you are using a
    laptop, ensure full laptop security.


    • Do not leave the
      laptop unattended, especially in public places.

    • Lock up the
      laptop when you leave the office.


      • Cleaning crews
        or coworkers could have access to your laptop after
        hours.


    • Do not leave the
      laptop in your vehicle.

Logging Into Your Website Outside Of Work

If you have to log in to your email,
admin sections, merchant account, control panel, FTP account, or any other
sensitive area that you would not want a third party getting into, then you
should avoid doing so at home, and especially from any computer you do not
know with 100% certainty that you can trust is clean.  Even if there
is an emergency, logging into your site from, for example, a library
computer, a friend’s, or from an internet cafe will probably only add to
your problems.  If you have to log in from a computer other than your work
computer, then you will want to follow these guidelines.



  1. Ensure there is Virus/Malware/Spyware Protection
    on the computer you are going to use.


    • If you are unsure of the regularity of the
      virus software scanning and/or updating, run an update and then scan
      the computer before proceeding.

    • Just because it is an Apple does not mean it is
      inherently secure.  You still need protection from malicious
      software.


  2. Follow the rules in the Credentials Protection
    section.

  3. It is a good policy that, if you are going to
    regularly connect to your website from home, to follow the same guidelines on
    your home computer as if it were your work computer.


    • This includes having your
      own Windows/Mac/Ubuntu/Linux/other user account that is password
      protected.


      • Other members of your household should not
        have access to your computer account.

      • Do not walk away from the computer
        with your user account open.


  4. If using wireless, send your credentials
    only to a secure wireless router (secure means the transmissions are
    encrypted).


    • You must be absolutely sure that the wireless
      router you are using is transmitting secure communications or you are
      allowing anyone within range to intercept and view the information you are
      sending or receiving.

    • If you are not sure whether the wireless router
      you are attempting to connect to is secure, either do not use it or
      consult an IT professional.