Employee at Maryland state agency posts client information online

Sensitive database compromised at Buena Vista University

Hospital: files with personal, medical data on 800,000 gone

Whether a state agency, hospital or university, the issues are the same. Confidential information must remain confidential and there must be practices in place to maintain this confidentiality.

This is true for the small business, also.

I have heard many small business owners state that “no one would care about them”. This may have been correct in the past, but it is certainly no longer the case.

Policy statements, and enforcement of that policy, can be a significant deterrent to events such as are depicted in the above links.

Think about this: Who is in charge of updating the business website? Is only authorized information put on the Internet? Who is the one responsible for authorization?

Sometimes a file may accidentally get put on a web server. The contents of the web server should be a part of the regular audits.

Regardless of policy, breach and data loss events are usually a result of someone not being diligent.

I sure not would want to be the one responsible for any of these data loss events.

- Dan

The scams discussed are:

1. Online dating scams
2. Fake anti-virus software
3. Facebook impersonation
4. Becoming a bot
5. The fakosphere

Take the time to read, and focus on the last one, The fakosphere. You just cannot believe everything that you read on the Internet.

- Dan

Yesterday, there was an article posted at dark Reading detailing recent credit card skimming incidents at gas station pumps. It is reported that 180 gas stations in Utah were found to have skimming devices in the pumps.

Bruce Schneir is correct when he states that “The consumer can’t be expected to notice these things.”

What can you do? How about the following …

• Always pay with cash
• Use your credit card inside
• Keep all receipts and watch you statements closely
• Ride a horse

So, watch those statements. If you find charges that are not yours, contact your card company.

- Dan

Trust is a critical foundational element of life, government and information security.

Things would be different if trust was non-existant…

• Husbands and wives would always be paranoid.
• Negotiations between teachers and school boards would always go to impasse.
• You wouldn’t have any confidence in your antivirus or IDS system.

Right now, you’re probably saying that is the way things already are. To some extent you are right.

Distrust between two parties is as natural as entropy.

But, consider some of the ways that you do trust.

• You trust that the gas pump gives you what you pay for and that the meter is accurate.
• You trust that the government who puts the accreditation sticker on the gas pump has actually tested it.
• You trust that the person testing the gas pump knows how to accurately test it.
• You trust that the magnetic card reader for swiping your credit or debit card is not skimming that information.

Of course, there are many more examples.

• You trust Google to not share information about your searches, or the contents of your GMail account.
• You trust the security that your bank uses for your on-lne banking.
• You trust the validity of the certificates that are checked when accessing secure web sites.

Our society is built upon the expectation of trust. Sometimes people and organizations successfully show that they can be trusted. Othertimes, not.

Back to President Reagan…

There are times when I trust, but verify.

However, there are many more times when I trust, but either choose to not verify, or the risk is so low that it makes to sense to take the time to verify.

Carefully consider which times verification is important. It just might save the day for you sometime.

- Dan

7 Reasons Websites Are No Longer Safe – Network World

And so that you don’t have to read the long version, here is the short version…

1. Polluted ads
2. SQL Injection attacks
3. User-provided content
4. Stolen site credentials
5. Compromised hosting service
6. Local malware
7. Hacker-engineered fakes

Information technology professionals should take the time to understand each of these attack vectors. Users should look at this as an opportunity to increase their awareness.

- Dan

.

..

…

Now, pull all your credit cards out. Grab your debit cards, also.

Look at them closely. Can you identify where each one of them has been used?

Have you ever used your debit card for on-line transactions?

By spreading your credit and debit card numbers out across cyberspace, you are increasing your target profile, and increasing the risk of compromise.

Speaking from experience, you don’t want those numbers to be used without your permission.

Tip: Create a plan and strategy for the use of your cards.

Here are some things you can do. You may do some other things…

1. Never use your debit card for on-line transactions.

Different banks will give differing explanations about your liability for unauthorized transactions. Minimize your footprint.

2. Have one credit card that is only used for transactions you don’t fully control.

(such as on-line transactions or paying for dinner where you give your card to the server and it’s gone for 10 minutes…)

3. Closely monitor the charges to your cards.

Use the on-line tools your card issuer gives you to see what transactions appear.

4. Don’t write your PIN on the back of the debit card, and don’t give it to your kids to use.

Believe it or not, I just noticed that a friend had done this. It’s like writing the burglar alarm code on the door of your house.

5. Don’t use credit and debit cards.

This is somewhat like using the Google Opt-Out that was reported on the Onion News Network. Radical and gets the job done, but probably not all that practical!

These cards are like the keys to your financial kingdom. Guard them!

- Dan

This article came out yesterday. The short description is that a compromised personal email account led to a compromise at Twitter.

Although the article is written with the focus on Twitter, this can just as easily happen to you and your organization.

Tip: Keep work email and data separate from personal email and data.

We need to constantly remind folks that there needs to be separation between work and personal email and storage. The selling point is that it protects both the employee and the company in the event the other is compromised.

Once again, the weakest link is The Human.

- Dan

I had breakfast this morning and was stunned to overhear someone on their cell phone give the administrative login credentials for the company website to someone else. They also very carefully spelled out the entire URL to the login page.

If I were not trustworthy, I could log into their website and cause havoc.

What’s the moral to this story? You never know who is listening to your conversations. Be careful what you share, and with whom you are sharing.

Let’s keep quiet with confidential information…

- Dan

For a functioning description, consider Operations to be the tasks required to maintain a desired level of security. It is easy to get bogged down thinking about the security posture and auditing to make sure that we are maintaining that posture.

Regardless of what level of security you want, the following are some ideas to get you started thinking about InfoSec Operations…

Good InfoSec operations will be driven by policy.

• Acceptable Use Policy – The AUP clearly lays out what the organizations resources can or can not be used for. Check out some reasons you need an Acceptable Use Policy.
• Configuration Change Policy – Even the smallest of businesses needs to have guidelines and policies of who can make and when changes can be made to computer, software and infrastructure. Chaos ensues without this.

Good InfoSec operations will work to minimize the risk from malware.

• Operation system patches – Whether you are running Unix, Linux, Windows or OS X as you operating system, there are frequent patches that should be applied. Depending upon your business, you may even need to test patches on test servers and workstations prior to general deployment.
• Anti-virus updated and scanning – Malware is a significant attack vector. Viruses, worms or spyware are often used to gather personal information from the infected host. A major step in minimizing the risk if to keep the anti-virus software updated and scanning.

Good InfoSec operations will be aware of threats.

• Know what the risks are to your organization – The risks to a small bank are different than the risks for the fitness club. Awareness of the risks to your specific industry will enable you to establish sound defenses.
• Know what has been done to remediate specific threats – I keep a “risk register” of the various risks, threats, problems that I encounter. It includes the date found, a brief description of the risk, what I have done to address the risk, and the date that was done. Not only does it help me remember, but it is good to periodically review it to make sure the remediation is still valid.

Good InfoSec operations will be ready to recover from an incident.

• Backups – Having good backups can make you look like a genius! (and they can be the difference between an inconvenience and the organization shutting the doors…)
• Disaster Recover Planning – Even the smallest of businesses needs a DRP. Ready.gov can be a good starting place.

- Dan

You could have someone assigned to capture and analyze every packet that is aimed toward your your network, but they wouldn’t be able to do this with the speed and consistency required to effectively protect your information assets. That is where technology comes in.

Your small or medium business, or even your home, network needs to have some technology used to help defend and protect.

Consider the use of these basic technologies in your defense in depth strategy…

• Anti-virus and anti-spyware – Defends against malware and helps to ensure availability and confidentiality. Your computers stay running and the information on them stays in the organization. Opportunities to accidently install viruses and spyware come from shared files, or even from just surfing the Internet. Even legitimate sites often will spread malware!
• Firewall – Defends against unauthorized access and helps to protect the perimeter of your network. Your connection to the Internet is being frequently tested for openings that would allow entrance to hackers. The firewall is a basic first line of defense.
• File system encryption – Defends against loss of data if the computer is stolen. Many solutions exist, but both Windows and Mac OS X have built-in features for encrypting the file systems. Learn how to use this feature, and then make sure that you really are using it!
• Automatic Backup – Makes your information available in the event of a disk drive failure. This is an often overlooked element to information security in the small business. The usability of the backups should periodically be tested.

Of course, there are many others steps that can be taken ranging from segmenting your network to installing (and monitoring) intrusion detection/prevention systems to installing hardware encryption to active application scanning to multi-tiered firewall architectures to data classification systems to access control methodologies to …

So, by now we have learned that just being careful (the People element) is not all you need for good information security. You also need technology to supplement your people.

The last element of Defense in Depth is Operations. We will be looking at that in the next week or so…

- Dan