Internet Behavior Recommendations

In order to avoid revealing sensitive information about your organization or personal life, abide by the following guidelines while accessing the Internet.

  1. Exercise Caution when Accessing Public Hotspots
    Many establishments, such as coffee shops, hotels, and airports, offer wireless hotspots or kiosks for customers to access the Internet. Because the underlying infrastructure of these is unknown and security is often weak, these hotspots are susceptible to adversarial activity. If you have a need to access the Internet while away from home, follow these recommendations:
    1. If possible, use the cellular network (that is, mobile Wi-Fi, 3G, or 4G services) to connect to the Internet instead of wireless hotspots. This option often requires a service plan with a cellular provider.
    2. Set up a confidential tunnel to a trusted virtual private network (VPN) service provider (for example, StrongSwan's StrongVPN). This option can protect your traffic from malicious activities such as monitoring. However, the use of a VPN carries some inconvenience, overhead, and often cost. Additionally, you are still vulnerable during the initial connection to the public network before establishing the VPN.
    3. If using a hotspot is the only option for accessing the Internet, limit activities to web browsing. Avoid accessing services such as banking websites that require user credentials or entering personal information.
  2. Do Not Exchange Home and Work Content
    The exchange of information (e.g. emails, documents) between less-secure home systems and work systems via email or removable media may put work systems at an increased risk of compromise. If possible, use organization-provided laptops to conduct all work business from home. For those business interactions that are solicited and expected, have the contact send work-related correspondence to your work, rather than personal, email account.
  3. Be Cognizant of Device Trust Levels
    Home networks consist of various combinations of wired and wireless devices and computers. Establish a level of trust based not only on a device's security features but also on its usage. For example, children typically are less savvy about security than adults and may be more likely to have malicious software on their devices. Avoid using a less savvy user's computer for online banking, stock trading, family photograph storage, and other sensitive functions.
  4. Be Wary of Storing Personal Information on the Internet
    Personal information historically stored on a local computing device is steadily moving to on-demand Internet storage called the cloud. Information in the cloud can be difficult to permanently remove. Before posting information to these cloud-based services, ask yourself who will have access to your information and what controls you have over how the information is stored and displayed. In addition, be aware of personal information already published online by periodically performing a search using an Internet search engine.
  5. Take Precautions on Social Networking Sites
    Social networking sites are a convenient means for sharing personal information with family and friends. However, this convenience also brings a level of risk. To protect yourself, do the following:
    1. Think twice about posting information such as an address, phone number, place of employment, and other personal information that can be used to target or harass you. If available, limit access of your information to "friends only" and attempt to verify any new sharing requests either by phone or in person.
    2. Take care when receiving content (such as third-party applications) from friends, because many recent attacks deliver malware by taking advantage of the ease with which content is generally accepted within the social network community.
    3. Periodically review the security policies and settings available from your social network provider to determine if new features are available to protect your personal information. For example, some social networking sites now allow you to opt-out of exposing your personal information to Internet search engines.
    4. Follow friends' profiles to see whether information posted about you might be a problem.
  6. Enable the Use of Secure Sockets Layer (SSL) Encryption
    Application encryption (SSL or TLS) over the Internet protects the confidentiality of sensitive information while in transit when logging into web-based applications such as webmail and social networking sites. Fortunately, most web browsers enable SSL support by default. When conducting sensitive personal activities such as account logins and financial transactions, ensure the website uses SSL. Most web browsers provide some indication that SSL is enabled, typically a lock symbol either next to the URL for the web page or within the status bar along the bottom of the browser. Additionally, many popular web applications such as Facebook®[17] and Gmail®[18] have options to force all communication to use SSL by default.
  7. Follow Email Best Practices
    Personal email accounts, either web-based or local to the computer, are common attack targets. The following recommendations will help reduce exposure to email-based threats:
    1. Use different usernames for home and work email addresses. Unique usernames make it more difficult for someone targeting your work account to also target you via your personal accounts. To prevent reuse of compromised passwords, use different passwords for each of your email accounts.
    2. Do not set out-of-office messages on personal email accounts, as this can confirm to spammers that your email address is legitimate and can provide information to unknown parties about your activities.
    3. To prevent others from reading email while in transit between your computer and the mail server, always use secure email protocols (Secure IMAP or Secure POP3), particularly if using a wireless network. You can configure these on most email clients, or select the option to "always use SSL" for web-based email.
    4. Consider unsolicited emails containing attachments or links to be suspicious. If the identity of the sender cannot be verified, delete the email without opening it. For those emails with embedded links, open a browser and navigate to the website directly by its well-known web address or search for the site using an Internet search engine.
    5. Be wary of any email requesting personal information such as a password or social security number, as any web service with which you currently conduct business should already have this information.
  8. Protect Passwords
    Ensure that passwords and challenge responses are properly protected since they provide access to personal information.
    1. Passwords should be strong, unique for each account, and difficult to guess. Consider using a passphrase that you can easily remember, but which is long enough to make password cracking more difficult.
    2. Disable the feature that allows websites or programs to remember passwords.
    3. Many online sites make use of password recovery or challenge questions. Your answers to these questions should be something that no one else would know or find from Internet searches or public records. To prevent an attacker from leveraging personal information about yourself to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.
    4. Use two-factor authentication when available for accessing webmail, social networking, and other accounts. Examples of two-factor authentication include a one-time password verification code sent to your phone or a login based on both a password and identification of a trusted device.
  9. Avoid Posting Photos with Global Positioning System (GPS) Coordinates
    Many phones and newer point-and-shoot cameras embed GPS location coordinates when a photo is taken. An attacker can use these coordinates to profile your habits/pattern of life and current location. Limit the exposure of these photos on the Internet to be viewable only by a trusted audience or use a third-party tool to remove the coordinates before uploading to the Internet. Some services such as Facebook automatically strip out the GPS coordinates in order to protect the privacy of their users.
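
A pre-upload check for item 9, as an added example that is not part of the original guidance: it reports whether a JPEG's Exif block points at a GPS directory and returns a copy with the Exif block removed. The function names and the sample image are constructed for illustration; only the Python standard library is used.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def exif_segments(jpeg):
    """Yield (start, end) of each Exif APP1 segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:end].startswith(EXIF_MAGIC):
            yield pos, end
        pos = end

def has_gps(jpeg):
    """True if any Exif segment's IFD0 holds a GPSInfo pointer."""
    for start, end in exif_segments(jpeg):
        tiff = jpeg[start + 4 + len(EXIF_MAGIC):end]
        order = "little" if tiff[:2] == b"II" else "big"
        ifd0 = int.from_bytes(tiff[4:8], order)
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)
        for i in range(count):
            at = ifd0 + 2 + 12 * i  # entries are 12 bytes, tag id first
            if int.from_bytes(tiff[at:at + 2], order) == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return a copy with every Exif APP1 segment removed; pixels untouched."""
    out, keep_from = b"", 0
    for start, end in exif_segments(jpeg):
        out += jpeg[keep_from:start]
        keep_from = end
    return out + jpeg[keep_from:]

def sample_jpeg(tag):
    """Constructed test input: header-only JPEG whose IFD0 has one entry."""
    tiff = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, tag, 4, 1, 26, 0)
    app1 = EXIF_MAGIC + tiff + struct.pack("<HI", 0, 0)  # empty sub-IFD at 26
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")
```

Removing the whole Exif segment also discards orientation and camera details. XMP packets, which can carry location fields as well, are not touched by this example.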