April 08, 2011
Stay Safe from Email Threats in the Wake of Epsilon Email List Breach
You've probably seen news this week about a large-scale exposure of names and email addresses as hackers gained access to a database controlled by Epsilon, a third-party marketing firm that provides email list management services for some of the world's biggest and most popular brands.
You can find a good summary of the Epsilon breach and its potential implications in these two articles from our "Security, Compliance and the Cloud" news feed: "Email Data Breach at Texas-based Marketing Company Epsilon Highlights Need for Extensive Security" and "Email Security Breach at Epsilon May Lead to Phishing Attacks."
It's important to note that this particular breach seems to have involved "only" names and associated email addresses, unlike other recent breaches that exposed usernames and passwords. Email users who are protected by highly effective anti-spam solutions like Proofpoint Enterprise Protection don't need to particularly fear exposure of their email addresses. For example, I share mine publicly all the time (like this - feel free to email me at kcrosley@proofpoint.com).
But not everyone has access to that level of protection. And, in the wake of this breach, many email users are probably wondering what they should do to stay safe. So I thought this would be a good time to reiterate Proofpoint's "Seven Simple Rules for Staying Safe Online." Feel free to share these tips with your email users and friends!
Proofpoint's Seven Simple Rules for Staying Safe Online
1. Be aware: View with suspicion any email with requests for personal identification, financial information, user names or passwords, especially in the wake of recent large-scale security breaches that may have exposed your email address to spammers and scammers. Your bank, online services, government agencies or legitimate online stores are extremely unlikely to ask you for this type of information via email. The same goes for your own employer's IT department: Consumers should be suspicious of similar emails that appear to come from an employer or friend. And never send personal financial information such as credit card numbers and Social Security numbers via email.
Today’s malicious emails and phishing attacks are disguised as communications from all sorts of organizations, including government agencies, software vendors and money transfer services, as these examples from the Proofpoint Email Security Blog show.
2. Don’t click: If you receive a suspicious email, don’t click the links in the email or open file attachments. Never click email links from anything but 100 percent trusted sources. Links embedded in emails may install malicious software or take you to fraudulent sites that look similar or identical to the legitimate “spoofed” site. Instead of clicking, open a browser and type the actual Web address for the site into the address bar. Alternatively, call the company using a phone number you already know.
3. Be secure: When you are shopping online, entering important information such as credit card numbers, or updating personal information, make sure you’re using a secure Web site. If you are on a secure Web server, the Web address will begin with “https://” instead of the usual “http://”. Most Web browsers also show an icon (such as Internet Explorer’s “padlock” icon) to indicate that the page you are viewing is secure.
4. Don’t fill out email forms: Never fill out forms within an email, especially those asking for personal information. Instead, visit the company’s actual Web site and ensure that the page you are using is both legitimate and secure before entering sensitive information.
5. Keep an eye on your accounts: Check the accuracy of your credit card, bank statements and online payment system accounts (such as PayPal) on a regular basis. If you see anything suspicious, contact the financial institution immediately.
6. Get social media savvy: Email isn’t the only attack vector used by spammers and scammers. Social media sites like Facebook and Twitter are increasingly used to deliver the same kinds of scams and malicious links to unsuspecting users. Spammers and malware writers are riding the social media wave, commonly using malicious, but convincing, emails that masquerade as notifications such as friend requests or message notifications. Keep all of the preceding tips in mind when using the latest communication tools.
7. Make security your first stop: Are your home computers protected from malware? Whenever you set up a new computer or netbook, or upgrade an operating system, install a good desktop anti-virus or Internet security solution before doing anything else online. Always make sure that your net-connected computers are protected by such a solution—and that you keep your subscription up to date! Reputable vendors include F-Secure, McAfee and Symantec. There are also reputable free solutions such as Avast, so a lack of resources doesn't mean you have to go without security.
Be extremely wary of Web pop-ups that offer “free security scans” or that inform you that your machine is infected with a virus. Such offers usually lead to fraudulent anti-virus solutions that are actually malicious software.
Be safe!

