With a continuously changing security threat landscape, it can be tricky to understand how to protect your online data. We want to help our customers be more security aware—whether you're using Salesforce or other cloud-based services. Following are some of the best practices we've given our own employees, which may help you be more secure:

1. Validate suspicious email

Why: Attackers may gain entry into a network by getting their targets to click on a malicious link in an email and visit a website, enter credentials, or download an attachment.

How:

  • Hover your mouse over each link in the suspicious email (without clicking) to see where it really points. Often all the links in the email text will go to a URL that does not correlate with the sender. If the link does not correlate with the sender, do not reply or click on any of the links, including a link to “unsubscribe.”

  • Verify the email sender’s identity. Did the email include contact information that you could validate through other sources? Is the branding of the email correct? Does the “From:” address match the purported company sending the email?

  • Beware of URL shorteners. Shortened URLs are dangerous because you cannot tell where the link will take you. If you have reason to suspect a shortened URL may not be legitimate, do a quick check online with a URL expander that can expose the full URL.
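The "does the link correlate with the sender" check from the bullets above, written out as an added example (not code from the original post): it parses a constructed sample email, compares each link's domain with the From: domain, and flags links that point elsewhere or hide their destination behind a shortener. The sample message, the shortener list and the two-label domain approximation are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration only (not a real email).
SAMPLE_EMAIL = """From: "Acme Billing" <billing@acme.example>
To: user@example.net
Subject: Your invoice is ready
Content-Type: text/html

<p>Your invoice is ready: <a href="http://acme-billing.invoice-update.test/login">View invoice</a></p>
<p>Need help? <a href="https://www.acme.example/help">Help center</a></p>
<p>Or use the short link <a href="https://bit.ly/placeholder-id">here</a>.</p>
<p><a href="http://acme-billing.invoice-update.test/unsub">unsubscribe</a></p>
"""

# Assumption: a few well-known shorteners; a real tool would use a fuller list.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Approximate the owning organisation by the last two DNS labels
    (assumption: fine for this illustration; ignores multi-label suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_links(raw_message: str) -> list:
    """One finding per href: 'ok' if the link's domain matches the From: domain,
    'mismatch' if it points elsewhere, 'shortener' if the destination is hidden."""
    msg = message_from_string(raw_message)
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender_addr.rpartition("@")[2])
    findings = []
    for href in HREF_RE.findall(msg.get_payload()):
        host = urlparse(href).hostname or ""
        if host in SHORTENER_HOSTS:
            verdict = "shortener"
        elif registrable_domain(host) != sender_domain:
            verdict = "mismatch"  # "acme" appears in the name, but it is another domain
        else:
            verdict = "ok"
        findings.append({"href": href, "host": host, "verdict": verdict})
    return findings

def is_suspicious(raw_message: str) -> bool:
    """Treat the message as suspicious if any link does not correlate with the sender."""
    return any(f["verdict"] != "ok" for f in check_links(raw_message))
```

Note that the "unsubscribe" link in the sample goes to the same unrelated domain as the "View invoice" link, which is exactly why the bullet says not to click it either.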

2. Limit password reuse and protect your security challenge questions

Why: If one website is compromised, the passwords used on that site are often sold or published on the Internet. Attackers may then try to reuse your password on other sites, such as bank or email accounts. Further, if your security challenge questions are easy to answer from public information, they do not provide a significant barrier to an attacker resetting your password.

How:

  • Use a password manager app to generate and store all your passwords. This way you can have a unique, strong password for each site and never have to remember it. For extra security, activate two-factor authentication for the password manager.

  • Use illogical answers to security challenge questions that cannot be guessed or researched. An account can be hacked simply because the answers to its password-reset security questions could be found by an attacker on the internet or in public records. For example: “What’s your mother’s maiden name?” Pizza.

3. Use a VPN when connected to public Wi-Fi

Why: When using public Wi-Fi, all of your internet traffic is sent unencrypted and anyone else on that network can see what you are browsing. Attackers may even be able to steal your credentials in an attack called “Sniffing.” Wi-Fi signals in coffee shops, hotels, and airports should all be considered untrusted.

How:

  • Use a VPN. A virtual private network provides an encrypted tunnel so that you can securely access the internet. Connect to your company’s VPN when on a work computer.

  • Use sites with SSL/TLS. This provides an encrypted session between you and the site, so that when you conduct sensitive transactions like email or banking, your data is protected from sniffing attacks. You know you are using SSL/TLS when the URL starts with “HTTPS” instead of just “HTTP.”

  • Don't accept invalid certificates. When going to a website or connecting to a wireless network, do not click “proceed anyway” when you receive a notification that the “certificate is invalid.” This notification appears when a website is not considered trusted and may contain malicious content.

4. Enable two-factor authentication

Why: Even if an attacker gains access to your password, two-factor authentication will prevent the attacker from logging into a website, since they don't have access to your mobile device and the verification code.

How:

Two-factor authentication adds a second step when logging into an account. In addition to entering a password as usual, you’ll also be asked for a code that is sent to your phone via text, voice call, or mobile app. The second step will only be activated when you log in from a new location or a new device. You should consider enabling two-factor authentication for as many applications as you can, including Gmail, Facebook, Apple ID and Salesforce. An example of how to enable Google two-factor authentication can be found here.

5. Don’t plug unknown USBs into your computer

Why: Attackers may distribute USB drives infected with malware, either by giving them away or by leaving them in places for individuals to find. These drives may contain interesting-looking documents that entice you to open them, thereby installing the attacker’s malicious software. Sometimes, if autorun is enabled on the computer, just plugging in the USB drive is enough to compromise your machine.

Want to learn more about salesforce.com security?

1. Visit our Trust website: trust.salesforce.com

2. Are you a Salesforce administrator? Check out our Salesforce Security Implementation Guide.

3. Are you a developer? Click here.

—Salesforce.com Trust Team