Information Security Tips from Westfield Insurance

This tip is part of Westfield's occasional series on general security definitions. To look up other topics, follow the Definitions at left.

You just got a popup on your computer that "there is an error with XYZ's certificate" and asking whether you'd like to accept the certificate forever, accept it only for one visit, or choose not to accept it. (See the example below) What exactly is a web site certificate and should you accept it or not?

Certificates are small bits of code used by organizations to show that they are who they say they are online. Certificates are generally purchased from third parties called 'certificate authorities – trusted companies who give the on-line equivalent of a Good Housekeeping seal of approval on the connection. Note: Certificate authorities do not evaluate the company, the website or their products. A certificate does not mean that the site is free of viruses or other malicious content. Certificate authorities merely verify that the web address actually belongs to the organization buying the certificate. When you type a URL or follow a link to a secure web site, your browser will check the certificate to make sure that the web site address matches the address on the certificate and that the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority.

If the organization wants to set up a secure website (that is, one that uses https instead of just http and has the yellow padlock in the bottom right of the window), they will need a site or host-certificate to set up the encryption. By making sure that the website encrypts your information and has a valid certificate, you can reduce your online risks.

The problem is that almost anyone can create the piece of code that looks like a certificate. Many legitimate companies want to set up secure connections but don't want to pay extra to the certificate authority for verification so they self-generate a certificate. Hackers can generate certificates, too, and use them to more closely mimic the legitimate secure site.

If the certificate is not from a trusted authority that your browser recognizes (there are about 100 trusted authorities loaded into your browser by default) or has some error or inconsistency, you have to decide whether or not to trust the web address and allow the connection.

To verify a certificate, look for the certificate feature in the browser's menus. In Internet Explorer, you can find it under File/Properties when you are on the secured site. When you click on the certificate button, it should show:

• who issued the certificate - Make sure that the issuer is a legitimate, trusted certificate authority.
• who the certificate is issued to – This should match the owner of the web site.
• expiration date - Most certificates are issued for one or two years. Be cautious of certificates that are valid for longer than two years or that have expired.

If you want to see all of the certificates currently on your machine, try Tools/Internet Options/Content and look for the certificate button.

If you have the time and need, you can verify every aspect of the certificate by contacting the company or the certificate authority. For most sites, you don't need to bother. But if it's a connection that you're using for highly confidential information (like your banking website) or if you have a reason to be suspicious of the site (perhaps a phishing site), take the time to verify the certificate. You'll only have to do it once – your computer will remember your decision thereafter.

Most people surf the web and chat online thinking that they are hidden behind the anonymity of the computer screen. Few people realize that they are leaving footprints all over the web anytime they go online. Here are some of the things that are automatically sent to the website's computer whenever you visit the site:

• Your IP address - Every computer on the internet is assigned a specific, unique IP (internet protocol) address. That IP address can't be easily traced to a name directly except by your internet service provider but it can be correlated with your other online activity. So if you disclose your name in a blog or when writing a book review, someone might be able to trace that back and match it to your other internet habits. You can look up your current IP address at showmyip.com.
• Your computer's software load - Many websites want to know what web browser you are using (including which version). Legitimate sites use this information to adjust for differences between the way browsers display the webpage. A page that looks fine on Internet Explorer may not display properly through Mozilla's Firefox so the website developer adds code to tweak the display based on your browser. Unfortunately, the information sent to the website does not end with the browser. They may also be able to read your operating system and other details.
• Your page visit history - The website can often track which pages you visited, how long you stayed on a given page and where you were just before you came to the website. (This is often helpful for companies who want to know if you came to the site from a search engine and if their advertising dollars are being well-spent.)

If a web site uses cookies, they can collect even more information. The information they can collect about your browsing habits is limited only by their own privacy policy.

On the other hand, If the site you're visiting is malicious, all bets are off. Your privacy is completely dependent on the strength of your antivirus/antispyware programs and how up-to-date you keep your patches. Hackers at these sorts of sites can use all sorts of techniques to either steal information or trick you into revealing more than you intended. They will try to steal passwords (knowing that many people reuse the same password and that, by compromising this password, they have a very good guess at your online bank or work password), load viruses and may even attempt to alter the security settings on your computer so that they can access and use your computer for other malicious activity.

You can reduce the amount of information revealed about yourself by only visiting legitimate sites, checking privacy policies and paying careful attention to the personal information you provide. Don't post your address, password, or credit card information unless you trust the site. Look for indications that the site uses SSL to encrypt your information. Limit what cookies you allow and be careful which web sites you visit; if it seems suspicious, leave the site.

And, of course, always keep your antivirus software up-to-date and your computer fully patched.

Based in part on US-CERT Cyber Security Tip ST05-008

At some point, you've probably seen an error message pop up that "Active Content on this webpage has been blocked. Click here for options." Microsoft and the other browser makers give us these warning so we can try to make choices about what to trust on the web and what to avoid. Unfortunately, most average computer users don't know what "active content" is or how to decide what to trust. There are no easy answers for deciding who to trust but after reading this overview, you should have a little more idea of the risks you are taking.

Active content today comes in two basic flavors – web scripts like JavaScript or VBScript and programs such as Java or ActiveX. Both use code embedded in the webpage to help the webpage do something extra (like drop-down menus) or formatting of the page look better. While these scripts make the webpage more user-friendly, they can offer a way for hackers to get into your computer.

Web scripts are used on almost every web site now. These scripts let the web designer customize the look and feel of the site and are very easy to use. The script is written into the webpage and is executed by your browser. There are limits to what the script can do, making them mostly safe. Unfortunately, one of the ways they can be exploited is to redirect you from a legitimate web site to a look-alike malicious one that may download viruses or collect personal information.

Java and ActiveX controls are actual programs that are already on your computer or can be automatically downloaded into your browser. ActiveX can do anything on your computer that you can do. That's helpful if the web page is supposed to find and run a program for you but very dangerous if exploited by a hacker. Untrustworthy ActiveX controls can be used to load spyware, collect personal information, connect to other computers or do other damage. (If you're trying to load or update well-known software like Flash Player or Adobe Reader, it's probably okay. On the other hand, if the browser is trying to launch something like WeatherBug or MemoryMeter, SAY NO!) Java applets usually run in a more restricted environment and have less rights on your computer (and therefore can do less damage if exploited), but if that environment isn't secure, malicious Java applets may be used for attack as well.

In general, you should set your Internet Options to block ActiveX. For computers containing highly sensitive information, you should also consider disallowing Java and JavaScript. Only allow the content through if you are sure that you are at a trusted website. Recognize, however, that the added security may cause some features of the website to not function or to function improperly. Once you've verified the security of a site, you can designate it a "Trusted Site" and allow future active content from that site. And always keep your anti-virus, anti-spyware and firewalls running and your software fully patched.

A cookie is a tasty treat.

It's also a small string of text that's used to keep track of your computer when you browse the Internet. An HTTP cookie might track general information about your computer (such as IP address you used to connect or the type of browser you use) or more specific information about your browsing habits (such as the last time you visited a particular web site or your personal preferences for viewing that site).

The bit of text that makes the cookie is sent to your computer by a server when you first visit a website (or sometimes when you sign in to the site). After that, whenever your computer accesses that server, it sends the text string unchanged back to the server. The cookie identifies your computer to the server and lets the server know to send back the content that's relevant to your request and keeps it from mixing up the reply with the next person's request.

Cookies serve several different purposes depending on how long your computer stores them.

• Session cookies store information only as long as you're using the browser. Once you close the browser, it is erased. Session cookies are a way to keep you logged in so you don't have to reinput your password on every page. Session cookies can also hold onto your preferences or keep track of whether you've already visited a particular page. Session cookies are used on many websites to keep track of the contents of your electronic shopping cart.
• Persistent cookies are stored on your computer's hard-drive so that your personal preferences can be retained over time. Persistent cookies are how your computer knows to fill in your username by default when you open your Yahoo! or Hotmail email account or to display your personalized page appears when you visit Amazon.com. Persistent cookies can also be used by advertisers and others to keep track of your browsing patterns. If an attacker gains access to your computer, he/she may be able to gather personal information about you through these files. Persistent cookies may be set to "expire" after a certain period of time (usually a few days or weeks) but can be set to never expire.

Because of the privacy concerns, cookies can be controversial. Many people recommend blocking or limited the use of cookies in your web browser. While this can make sense in many situations, it will cause some sites to stop working. To control cookies, go to the options or preferences section in your web browser. In Internet Explorer, the path is Tools/Internet Options/Privacy. In general, you should set higher restrictions on third-party cookies – those used by advertisers on a site to track your behavior across multiple webpages – than on first-party cookies – those used by the site that you are actually visiting.

If you are using a public computer, you should make sure that cookies are disabled to prevent other people from accessing or using your personal information.

This article was originally published in the Mar 2007 edition of The Agent Newsline, a publication of Westfield Insurance.

When John retired last month, when Sue left the company, when Sam moved into another department, did their access rights get updated? Or can they still log onto the computer and see your customers' confidential information? Can they log onto one of your partner web sites and prospect against your customers?

Identity and rights management is a complex and serious problem for any company with more than a few employees. Federal and state regulations require that private customer information be protected based on a business need-to-know. Social Security numbers, credit scores and driver license numbers are just a few of the fields that are considered private. If your employees, contractors or support staff have access to files or programs holding that kind of data, I recommend creating a plan to make sure that only the right employees have access.

Here are suggestions to help keep your data safe:

• Keep a current list of users for your systems.
• If you have a user who no longer needs access, you should remove the name from the list of authorized users. According to Secret Service Internet crime statistics, most penetrations of electronic systems are carried out by former insiders whose access was not properly shut down. Make someone responsible for changing access rights whenever an employee's status changes to ensure users do not keep rights they should no longer have.
• Keep an employee access checklist of all carriers' systems, bank systems industry web sites, etc.
• Make sure that they also know of the employee's status change. A sample checklist with some of the most common considerations is available on Agent's Web Passport* and can be used as a template to build or expand your own list.

* Agent's Web Passport is a proprietary web portal for independent agents affiliated with Westfield Insurance. The sample checklist is not currently available through this blog.

As a general rule of thumb, it costs 40 times as much to fix the security of a project after the fact as it would have cost to build security in at the front of the project.

You should always design your applications and solutions be designed with security in mind. Call the Information Security team in your IT department for help identifying and prioritizing security risks. They should also be able to help you develop the business requirements and technical controls necessary to ensure that your confidential data is properly secured. Contact them as early in the design cycle as possible – preferably during the business case stage of the initiative. They can help make sure that all the hidden costs and implications have been identified.

If you're planning to buy a service from a third party where the vendor or service provider will have access to any company data, especially confidential customer data, or will have access to any system or accounts which could be used to get access to our data, the vendor's security practices should be evaluated against your company's security standards. Many companies use an Application Service Provider (ASP) Questionnaire to evaluate the vendor's security practices. Again, contact your IT department for help with understanding the vendor's practices. Do not assume that their practices live up to your standards without checking on them.

Authentication means knowing who is on the other end of the line. Authentication is essential before you share any non-public information with the other person whether you are sharing it by phone, email, instant messaging or in person. Authentication is based on one of three "factors":

• Something you are – recognizing your face, voice, fingerprint, signature, etc.
• Something you have – a car key, a digital certificate on your computer, an ID card or security token
• Something you know – a password, the last four of your SSN, mother's maiden name, etc.

Multi-Factor Authentication means checking against two or more of those types of authentications. For example, the HELP Desk might check caller ID to see if you are calling from your own phone (something you have) and still ask for your employee ID number (something you know). A debit card is another form of two-factor authentication. You need both the physical card and the four digit PIN to get cash out of the ATM. Authentication methods that use more than one factor are more difficult to compromise than single-factor methods.

In the weaker sense, multi-factor authentication is sometimes interpreted as asking for two things you know – a password and a PIN. This is better protection than just asking for a single password but considerably weaker than proper multi-factor authentication. If a hacker knows enough to compromise your password, they are also likely to be able to compromise your PIN. Still, internet sites which require both a password and PIN have added "friction" to the process. They force the hacker to do more work and make it more likely that the hacker will go somewhere else instead.