Jim Gibbons, Governor
Daniel H. Stockwell, Director/CIO
Christopher Ipsen, CISO

DEPARTMENT OF INFORMATION TECHNOLOGY
400 W. King Street, Suite 300
Carson City, Nevada 89703-4204
(775) 684-5800

October 17, 2008

 
To:  All State Employees
 
From: Christopher Ipsen, Chief Information Security Officer
State of Nevada
 
Subject: Email Security
 
Recently, an email went out to some state employees stating that if you had an email account from govmail.state.nv.us and you did not reply to the message, providing personal information about your account within two days, your account would be terminated. That email was not generated from the state email administrators and, as such, should be deleted without action. In fact, that email was a typical example of a “phishing” attack. Phishing is a form of attack that attempts to lure an email recipient into providing personal information by imitating a normal message from an authoritative source. Those types of email should be disregarded and deleted.

To assist you with making good decisions protecting state resources like email, I have prepared a series of recommendations that should provide some guidance. These recommendations represent best practices for email use and will help you to combat phishing and other unsolicited/unwanted email (spam). Your actions in securing the data of the state are absolutely critical. Thank you in advance for your support in securing the state’s data infrastructure.

Recommendations:
 

  • If you do not know the sender of an unsolicited email message, delete it.
    While most spam is just annoying text, a spam message can also carry a virus or other exploit that damages the computers of everyone who opens it.
     

  • Never respond to any spam messages or click on any links in the message.
    Replying to any spam message, even to "unsubscribe" or be "removed" from the email list only confirms to the spammer that you are a valid recipient and a perfect target for future spamming.
     

  • Avoid using the preview functionality of your email client software.
    Many spammers use advertising techniques that can track when a message is viewed, even if you don't click on the message or reply. Using the preview functionality essentially opens an email and tells spammers you are a valid recipient, which can result in even more spam.
     

  • When sending email messages to a large number of recipients, use the blind copy (BCC) field to conceal their email addresses.
    Sending email where all recipient addresses are "exposed" in the "To" field makes it vulnerable to harvesting by a spammer's traps.
     

  • Think carefully before you provide your email address on websites, newsgroup lists or other online public forums.
    Many spammers utilize "web bots" that automatically surf the internet to harvest email addresses from public information and forums.
     

  • Never give your primary email address to anyone or any site you don't trust.
    Share it only with your close friends and business colleagues.
     

  • Have and use one or two secondary email addresses.
    If you need to fill out web registration forms, or surveys at sites from which you don't want to receive further information, consider using secondary addresses to protect primary email accounts from spam abuse. Also, always look for a box that solicits future information/offers, and be sure to select or deselect as appropriate.
     

  • Never respond to emails that request personal financial information.
    Banks or e-commerce companies generally personalize emails, while phishers do not. Phishers often include false but sensational messages ("urgent - your account details may have been stolen") in order to get an immediate reaction. Reputable companies don't ask their customers for passwords or account details in an email. Even if you think the email may be legitimate, don't respond - contact the company by phone or by visiting their website. Be cautious about opening attachments and downloading files from emails, no matter who they are from.
     

  • Visit trusted websites containing personally identifiable information by typing the URL into the address bar.
    Phishers often use links within emails to direct their victims to a spoofed site, usually to a similar address such as mybankonline.com instead of mybank.com. When clicked on, the URL shown in the address bar may look genuine, but there are several ways it can be faked, taking you to the spoofed site. If you suspect an email from your bank or online company is false, do not follow any links embedded within it.
     

  • Check that the website you are visiting is secure.
    Before submitting your bank details or other sensitive information there are a couple of checks you can do to help ensure the site uses encryption to protect your personal data:

    Check the web address in the address bar. If the website you are visiting is on a secure server it should start with "https://" ("s" for secure) rather than the usual "http://".

    Also look for a lock icon on the browser's status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with your cursor.

    Note that the fact that the website is using encryption doesn't necessarily mean that the website is legitimate. It only tells you that data is being sent in encrypted form.
     

  • Be cautious with emails and personal data.
    Most legitimate organizations that require personal information (like a bank) have a security page on their website with information on carrying out safe transactions, as well as the usual advice relating to personal data: never let anyone know your PINs or passwords, do not write them down, and do not use the same password for all your online accounts. Avoid opening or replying to spam emails as this will give the sender confirmation they have reached a live address. Use common sense when reading emails. If something seems implausible or too good to be true, then it probably is.
     

  • Keep your computer secure.
    Some phishing emails or other spam may contain software that can record information on your internet activities (spyware) or open a 'backdoor' to allow hackers access to your computer (Trojans). Make sure that antivirus software is installed on your computer, it is up to date, and all patches to the operating system are installed.
     

  • Never make a purchase from an unsolicited email.
    If spamming weren't economically viable, it would be obsolete. Not only can an email user fall prey to a potentially fraudulent sales scheme, but his or her email address can also be added to the numerous email lists that are sold within the spamming community, further compounding the number of junk emails received.
     

  • Always report suspicious activity.
    If you receive an email you suspect isn't genuine, forward it to the spoofed organization (many companies have a dedicated email address for reporting such abuse).
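The two link-related recommendations above (a spoofed address such as mybankonline.com standing in for mybank.com, and a site that does not use "https://") can be turned into an automatic check that an email administrator or help desk could run over a reported message. The following Python script is an added example and is not part of this memo or of any state system. It assumes a hypothetical list of trusted domains (mybank.com is the memo's own illustration, govmail.state.nv.us is the domain named in the memo) and works on a constructed HTML email body embedded below; it flags links that are not https, links whose host is not under a trusted domain (separating brand lookalikes such as mybankonline.com from unrelated hosts), and links whose visible text shows one address while the href points to another.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical trust list for this example: mybank.com is the memo's own
# example domain, govmail.state.nv.us is the state mail domain the memo names.
TRUSTED_DOMAINS = ("mybank.com", "govmail.state.nv.us")

# Constructed sample of a phishing-style HTML body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Urgent - your account details may have been stolen. Verify now:</p>
<a href="http://mybankonline.com/verify">https://www.mybank.com/secure</a>
<p>Or use our help page:</p>
<a href="https://www.mybank.com/help">Help</a>
<p>Unrelated ad:</p>
<a href="http://example.net/offer">example.net</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare host string, '' if none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def under_trusted_domain(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_lookalike(host):
    """Host reuses a trusted brand label (e.g. 'mybank') but is not under that domain.
    This also catches mybank.com.evil.example, where the brand is a leading label."""
    labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    return any(label in host for label in labels) and not under_trusted_domain(host)


def check_link(href, text):
    """Return the list of warnings for one link; an empty list means it passed."""
    warnings = []
    href_host = host_of(href)
    if urlparse(href).scheme.lower() != "https":
        warnings.append("not_https")
    if not under_trusted_domain(href_host):
        warnings.append("lookalike_domain" if looks_like_lookalike(href_host)
                        else "untrusted_domain")
    # Visible text that itself looks like an address but points somewhere else:
    # the "link looks genuine but leads to a spoofed site" case from the memo.
    if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
        text_host = host_of(text)
        if text_host and text_host != href_host:
            warnings.append("text_href_mismatch")
    return warnings


def audit_email(html_body):
    """List (href, visible text, warnings) for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, warnings in audit_email(SAMPLE_EMAIL_HTML):
        status = ", ".join(warnings) if warnings else "ok"
        print(f"{href!r} shown as {text!r}: {status}")
```

The trust list is deliberately an exact-match-or-subdomain test rather than a substring test, which is what makes the mybank.com.evil.example style of address fail the check: the brand appears in the host, but the host is not under the trusted domain, so it is reported as a lookalike. On the constructed sample the first link is reported as not https, a lookalike domain, and a text/href mismatch; the help link passes; the advertisement is reported as not https and untrusted.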

###