
Information Security Awareness Cheat Sheet (DRAFT) by

Awareness cheatsheet for end users

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Introduction - Information Security

Computer-related crimes affecting businesses or consumers are frequently in the news. While companies normally have technical defence systems in place, end users and staff members also need to know how to protect and maintain their own computer systems so they can steer clear of fraudsters. Here is a short set of recommendations for keeping yourself safe online.

Private data and its value

Protect your and your client's data

Hackers find private data very valuable. It is important that you protect ALL types of data as these can be used for many purposes, such as

- Identity theft
- Targeted attacks
- Data sold to other parties for data mining

Data such as personal information and system credentials are highly sought after and will fetch a hacker a good price. Always be aware of, and always protect, the information you handle.

Phishing

Phishing is one of the most common methods of attack nowadays. Phishing involves tricking a user into entering their password on a seemingly legitimate site. Use the list of tips below to increase your awareness and prevent your credentials from being stolen:

Be wary of emails asking for confidential information.
Especially information of a financial or personal nature. Legitimate organizations will never request sensitive information via email, and most banks in NZ will tell you that they won't ask for your information unless you're the one contacting them.

Don't get pressured into providing sensitive information.
Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Be sure to contact the merchant directly to confirm the authenticity of their request.

Watch out for generic-looking requests for information.
Phishing emails are often not personalized, while authentic emails from your bank often reference an account you have with them. Many phishing emails begin with "Dear Sir/Madam", and some come from a bank with which you don't even have an account.

Never submit confidential information via forms embedded within email messages.
Senders are often able to track all information entered into a form. If you suspect you may have entered information into an illegitimate form, change your passwords ASAP.

Never use links in an email to connect to a website unless you are absolutely sure they are authentic.
Instead, open a new browser window and type the URL directly into the address bar. A phishing website will often look identical to the original, so check the address bar to confirm that you are on the genuine site.

Other types of attacks

Be aware of other types of attacks you may encounter

SMS phishing is called smishing. It is a social engineering technique that attempts to acquire personal information (such as your password) by masquerading as a trustworthy company via text messages on your mobile phone. If you receive an unsolicited, seemingly legitimate SMS text from a bank, service or company, don't open the accompanying link. Instead, if required, call them directly on a known number regarding the contents of the text message.

Vishing is the telephone equivalent of phishing: an attempt to acquire information over the telephone. Oftentimes these are calls claiming to be from IRD, Microsoft or other service providers, with an apparently legitimate query for further information. Be wary, and if in doubt always hang up and call their known, main number instead.

Best Practices

Be careful where and how you connect to the Internet.
A public computer, such as at an Internet café or hotel business centre, may not have up-to-date security software and could be infected with malware. Also, for online banking or shopping, avoid connecting your computer, tablet or smartphone to a wireless network at a public "hotspot" (such as a coffee shop, hotel or airport).

Be suspicious of unsolicited e-mails and text messages asking you to click on a link or download an attachment.
It's easy for fraudsters to copy corporate or government logos into fake e-mails that can install malware on your computer.
Your best bet is to ignore any unsolicited request for immediate action or personal information, no matter how genuine it looks. If you decide to validate the request by contacting the party that it is supposedly from, use a phone number or e-mail address that you have used before or otherwise know to be correct. Don't rely on the one provided in the e-mail.

Use "strong" IDs and passwords and keep them secret.
Choose combinations of upper- and lower-case letters, numbers and symbols that are hard for a hacker to guess. Don't, for example, use your birth date or address. Also don't reuse the same password for different accounts, because a criminal who obtains one password can then log in to your other accounts. Finally, make sure to change your passwords on a regular basis.

Data leaks

Preventing data leaks is something everyone can do. Follow these recommendations to ensure that you are not unknowingly disposing of private data that could end up in the wrong hands:

1. Always shred or destroy private information you no longer need.
2. If possible, do not take USB pendrives with confidential data out of the office.
3. Use encrypted USB drives for data you need to take out of the office.
4. Always securely dispose of devices (computers, laptops and cellphones) to avoid data being leaked by accident.