Category Archives: Information Security Awareness

Securing your digital life

It is long overdue time to rejuvenate the site with fresh information security content that will help you protect what is digitally important to you. The answer to what is important to protect is going to be different for each person but some of the things that are most likely to be important to you are:

  • Protecting your online financial information (online banking account & retirement accounts)
  • Protecting your primary email accounts that often control the reset functionality to other important accounts if you forget the passwords.
  • Protecting your social media presence to avoid embarrassment or being used to infect others with malware
  • Protecting your online file storage including documents and pictures that are important to you
  • Protecting information that you consider private while engaging online
  • Protecting your expensive digital devices from theft

All of us have something important to protect and awareness that you are a target is the first step towards taking the needed actions to lower your probability of having problems down the line. Next up will be suggestions on what you need to do to help safeguard your digital life.

How do LinkedIn’s security problems affect you?

The recent news that top business networking site LinkedIn had a significant number of passwords compromised has been the biggest story in the information security world this week. It is disappointing but not surprising that LinkedIn was affected by this breach. What went wrong in their security process?

  • An as-yet-undisclosed vulnerability (probably some type of database injection attack) led to unauthorized access which allowed the hacker to download the site’s hashed password database.
  • Even though the passwords were hashed they were not salted to provide an additional level of security. This meant that the hashed passwords were susceptible to attacks that could quickly crack weak passwords, and that every user who chose the same weak password ended up with the same hash.
  • LinkedIn was relatively slow to fess up to the attack and notify the users to change their passwords. This has now happened and after taking some initial grief LinkedIn has now forced password changes on those they believe were affected. This should help minimize the damage to users who had passwords disclosed.
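To make the salting point concrete, here is a small added example (my own illustration, not LinkedIn's code or anything from the breach). It compares an unsalted SHA-1 store, where two users with the same password get the same digest, against a per-user salted PBKDF2 store, where they do not. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample: two users who happen to share the same weak password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "password1",
    "bob": "password1",
    "carol": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password, the kind of scheme described above.

    Identical passwords give identical digests, so one cracked digest reveals
    the password of every user who chose it, and a precomputed lookup table
    works against the whole database at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.

    The salt is stored next to the digest and does not need to be secret; its
    job is to make every user's digest unique and to defeat precomputed tables.
    The iteration count slows down each guess an attacker has to make.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def users_sharing_a_digest(hash_fn, users: Dict[str, str]) -> List[str]:
    """Return the users whose stored digest is identical to another user's.

    A non-empty result means the store leaks which users picked the same
    password; that is exactly what a per-user salt prevents.
    """
    groups: Dict[str, List[str]] = {}
    for user, password in users.items():
        groups.setdefault(hash_fn(password), []).append(user)
    return sorted(u for group in groups.values() if len(group) > 1 for u in group)


if __name__ == "__main__":
    print("unsalted collisions:", users_sharing_a_digest(unsalted_hash, SAMPLE_USERS))
    print("salted collisions:  ", users_sharing_a_digest(salted_hash, SAMPLE_USERS))
    stored = salted_hash("password1")
    print("verify correct:", verify_salted("password1", stored))
    print("verify wrong:  ", verify_salted("password2", stored))
```

Run as a script it reports that alice and bob collide under the unsalted scheme and nobody collides under the salted one. In production you would reach for a purpose-built password hash such as bcrypt, scrypt or Argon2 rather than hand-rolling PBKDF2, but the mechanism the example shows is the same.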

So how do LinkedIn’s security problems affect you?

If you are a LinkedIn user make sure to reset your site password and the passwords on any other sites if you use the same passwords across multiple sites.

What information security lessons does this incident teach an average website user?

Even professional companies with a lot of money to spend will be subject to information security compromises. For that reason it is important to utilize different user account names and separate passwords on each site you use to minimize the impact if any one account is compromised. To help manage this level of security and keep your sanity in the process I highly recommend that you use a password management program such as LastPass. This will help you spread out your risk and minimize the damage of any one site being compromised (and if your password management company gets compromised, be sure to change that one with lightning speed). Lastly, it is important to keep up with the news and know when information security problems occur for sites you utilize. That will help you take swift action to minimize your chance of problems.


Best information security blogs run by universities

Information security is an important topic for both businesses and individuals. It is nice to see many leading Colleges and Universities stepping up to the information security challenge and launching blogs and using social media tools to help educate students and faculty about the importance of information security. Information security groups at colleges and universities have a challenging job getting the word out and driving information security compliance since students are often prone to engaging in risky online behavior that leads to an increased likelihood of information security incidents.

Best edu information security blogs & social media presence

Indiana University – IU is running a well designed blog that looks like something you would see from a savvy, expensively run 3rd party site. The information security news is regularly updated and it appears that IU has a pretty big team working on this effort because many of the posts are by different individuals. Kudos to the team for the excellent work on information security and from a quick scan it appears personal information protection is a big component of the overall awareness effort.

Missouri State Information Security Blog – Charla Berry is doing an excellent job helping keep the Missouri State community aware of information security threats and how they can stay protected. Recent posts feature awareness tips about holiday scams and keeping online financial information secure.

Georgetown Information Security Blog – Nicole Kegler has been a longtime blogger on information security; the site’s index is listed back to March 2010. My favorite post is the one warning that Macs are not immune to information security problems since many people make this statement in error. With the ever increasing popularity of Apple devices you can expect reported information security problems in Apple devices to grow this year.

Rochester Institute of Technology – RIT has an excellent page for information security education but what really makes them stand out is their use of Facebook to spread the information security gospel using social media tools. They have over 5300 Facebook page likes, a lot of awareness material and discussions going online so be sure to give their page a visit.

Kansas State University – The information security program is run by Harvard Townsend and the school has an excellent overall online information security presence, but they also run a blog dedicated to information security threats, which I have linked to, that talks about common problems like spam, malware, and phishing attempts.

University of Connecticut – Mick DiGrazia has done a nice job with this information security blog that dates back to June 2010. I assume he will be back with a vengeance for the Spring semester.

The Ohio State University – I had to include the “The” since I always hear it on sports name/university roll calls plus it is listed that way on the site. The site contains a nice RSS feed highlighting information security awareness messages that students and faculty should be aware of. In addition, it looks like the institution has embraced encryption tools like PGP for faculty so that is a good sign that the information security program has been able to work effectively and get faculty support.

Stanford School of Medicine Information Security Blog – Site hasn’t had a recent post but previously published excellent awareness reminders around common scams and other pertinent information security information. Hopefully this recognition will help provide incentive to post more updates in the future.

If you run or know of other edu blogs that I should index please send me an email or reply below.

Best information security news and email feeds

Here are the information security news feeds/email subscriptions I subscribe to in order to stay current with the latest in information security news. Drop me a line if you have others that you follow that should be added to the list. I am including details about average number of posts per week when they are available because I know it is easy to get swamped in reading material and understanding frequency of publishing vs. value you get from it is important so you can efficiently use your time.

RSS subscriptions

  • SANS Newsbites – SANS is my go to resource for information security related news and training.
  • All of the US-CERT feeds – I view the US-CERT organization as a leading authority along with SANS and subscribe to all of their feeds; most of them average less than 1 per week which is manageable.
  • NIST.ORG – Network Information Security & Technology News organization is a leading authority on all things information security.
  • Help Net Security – Excellent source with concise articles detailing the latest in information security threats, tools, and news.
  • Krebs on Security – Nice in depth security investigations especially around the underground criminal market in information security assets.
  • Darkreading Weblog – Good source for staying on top of the latest security compromises and exploits. Averages 20 posts per week
  • Infoworld Security Blog – Covers a variety of diverse and useful information security topics. Averages 1 post per week
  • Experian Data Breach Blog – Provides info around data breaches and things you can do to help stay secure. Averages 1.2 posts per week
  • SearchSecurity: Threat Monitor – Good summary of current information security threats in the wild. Averages .2 posts per week
  • SearchSecurity: Security Wire Daily News – Feed for general information security information around a variety of topics. Averages 3.5 posts per week
  • Qualys Newsletter – Security feed put out by vendor Qualys; I use it to get a vendor’s take on vulnerabilities and vulnerability management best practices. Averages .7 posts per week
  • Eeye Security Blog – Eeye Digital Security’s blog for keeping track of their information security ideas and news. Averages 1.6 posts per week.
  • SC Magazine Cybercrime Corner – Another source for staying on top of cybercrime news. Averages 2 posts per week.

Email newsletters

  • SANS Security Awareness Newsletter – Nice monthly newsletter that can be used for internal information security awareness campaigns.
  • SANS @RISK Newsletter – Weekly newsletter that summarizes the top 3-8 vulnerabilities that currently matter most and how to mitigate the risk from them.
  • Security Focus Mailing lists – I subscribe to a few of the many different mailing lists they offer including Web Application Security and Penetration Testing. I used to subscribe to the popular BUGTRAQ but opted out due to the volume.
  • Slashdot newsletter – Useful cutting edge information security stuff here but I get the summary newsletter because the general RSS feed is very busy and difficult to stay on top of.
  • Microsoft Monthly Newsletter – Nice email newsletter for those of you using and trying to secure Microsoft products
  • Apple security mailing list – For you Apple fans to keep on top of security issues (yes security things happen on Apple devices too, and expect it to expand in the future)


10 Information Security Lessons Everyone Should Know

Information security is an afterthought to most people left to the domain of nerds and professionals. This is a big mistake that could have major ramifications for your financial, social or emotional well being. Identity theft, financial loss, time wasted, and social/reputation stress are just a few of the potential problems awaiting if you fail to take information security seriously. Without any further buildup (as if any were possible) here are the Top 10 Information Security Lessons Everyone Should Know.

1. You are a potential victim – It isn’t just the rich and famous who are targeted for information security attacks. Everyone is a potential victim and must take adequate precautions to protect their systems and information. If you do not take the risk seriously you are more likely to become a victim.

2. Email and internet browsing are the two riskiest activities you do every day – If you click on every email, open every attachment, and click on web sites of unknown quality you are at an increased risk for being compromised with malware or viruses. Once your machine has been compromised it may become unusable or worse, it may be silently harvesting your important usernames and passwords.

3. Anyone you let use your system or device can put you at risk

Anyone you let use your system can spoil all of the careful planning you have done and create problems for you later. If you allow others to use your device be sure they have good judgement and set some ground rules around email and internet usage.

4. Do not reuse username/passwords especially for important accounts

Most people reuse username and passwords for their activities even for important accounts like email and online banking. This is a big mistake and it makes you susceptible to widespread problems if only one of the sites you frequent has a security incident. It is better to use unique strong passwords for all sites and use a free password manager such as LastPass to help keep track of your passwords in a secure manner.

5. Do not go without security protection for your pc, tablet or mobile device.

Going without some type of antivirus, personal firewall software, and security updates  is just asking for problems. These are your last line of defense if you make a mistake and click on an infected attachment or website. If you do not want to pay for this there are high quality free security tools available to help.

6. It is easy to impersonate you

Anyone can create a Facebook, LinkedIn (insert any other social media site here), or email account pretending to be you. It is easy to find an image for most people using Google or a variety of other sources to make the account look authentic. If you get reports from friends about any accounts that do not sound familiar, do not dismiss them; take action immediately.

7. Backup your important information

Always have a backup plan to restore documents, photos or other items you cannot stand losing. If you do not have a backup you’re putting too much faith in never losing your device or having it become inoperable. Use a DVD, a backup system, or online available storage, but use something.

8. Protect your mobile devices while out and about

Electronic equipment is most vulnerable to loss or theft when you are on the go. Take it with you but always keep an eye on it and make sure not to leave it unattended and visible or you may regret it later. Assume if you like it someone else might too.

9. Secure your wireless access point

Using WEP encryption is better than nothing but not totally sufficient since it is easily crackable with online tools. You should be using WPA encryption to make sure others cannot cause trouble with your connection. Read this horror story of what normal people went through with their neighbor from hell if you are not convinced.

10. Anything you do electronically is forever

Many people post things in the spur of the moment thinking they can go back and delete it later. This is usually not the case since nearly everything is indexed, archived, and kept for posterity. Think twice before posting something (pictures, emails, social media posts) because it will endure and might be used against you in unexpected ways later on.

Some of these recommendations may sound a bit alarmist but awareness is most of the battle. Compute safely, my friends.

The Most Interesting Security Man in the World

10 Top Websites for Information Security

Coming up with a Top 10 information security resource list like this is always subjective and based on personal preferences. So with that disclaimer out of the way here are my 10 favorite information security sites out there today. I regularly follow all 10 of these and try to comment and be active as much as possible on several of them.

Top 10 Information Security Sites

Krebs on Security

I consider Brian Krebs to be the leading information security reporter out there right now and it is convenient all of his stuff is easily available online. I love his material highlighting the risks that small-mid size businesses face while banking online. His coverage of the hacking underground economy is also a fascinating look into the economics behind the hack for profit crime culture. Favorite posts:

Dancho Danchev’s Blog

Dancho is an information security consultant whose posts specialize in cyber counter intelligence focusing on the current threats facing both individuals and corporations. There is a wide range of topics from the latest in bot net dissection to the inside workings of money mule recruiting. Favorite posts include:

TaoSecurity

Information Security professional Richard Bejtlich’s blog is a personal favorite of mine for the in depth reviews of information security related materials. I follow Richard on twitter as well and also enjoy his posts around the US-China relationship and the cyber security rivalry that exists between the powers. Favorite posts:


Ars Technica

Their work on the Anonymous vs. HBGary story was so riveting that it deserved an award and it would have made for a fabulous Hollywood screenplay. I always link in to see what they have to say with respect to Anonymous and other high profile information security incidents. Favorite posts:


Lenny Zeltser on Information Security

I discovered this gem a little later in the game vs. a lot of these other sites but I really love the content. This is probably the site that is the closest to targeting the same type of audience that I write for. I will definitely be spending a lot of time catching up on the content here. Favorite posts so far:


ThreatChaos Security Blog

I love the eye-appealing design of this site and the content is top notch too. A lot of the subject matter in 2011 has focused on the information security exploits of China and Google. My favorite posts:

Roger’s Information Security Blog

Roger focuses his content from the perspective of a hands on information security practitioner and it is good to keep up with his latest writings. Roger has a ton of information security certifications and experience and a wealth of knowledge. Favorite posts:


Uncommon Sense Security

Great simple information security blog resource to keep up with Jack Daniel’s take on current issues (awesome name too). Favorite posts:

Kai Roer on Security

I first ran across Kai’s blog via some other people I follow on twitter and it has been a good find as I have enjoyed several of his recent posts. Kai focuses on current events in the information security industry and his material is more at a managerial level vs. that of a technical person. Favorite recent post:

Schneier on Security

Bruce Schneier is operating at near deity level when it comes to the field of information security so it would be outright heresy not to include him on the list. I like to check out his blog on occasion although I tend to focus more on business risk mitigation vs. detailed technical analysis. A lot of the posts are archived and hard to link but a current favorite post is:

Hopefully you have picked up some new information security resources by reviewing the information security site top 10 list. Feel free to disagree and make suggestions as to what I missed as I always have an appetite for new information.


Social Engineering – Don’t fall for these email phishing attacks

Spear phishing is the term given to fraudulent malicious emails that attempt to infect your computing device and gain unauthorized access. The messages will appear to come from a trusted source such as a well known company often in the financial services or payment processing industries. In targeted attacks it is also common for the email to appear to generate from the recipient’s own company. Scammers that have done their research will know the names of high level directors which are commonly available online in annual reports. Their goal is to defraud you out of your money or intellectual property that keeps your business ahead of the competition.

Here are two timely examples that I happened to see in my spam inbox today:

Spear Phishing Example 1: Fake email posing as HSBC Bank

HSBC Account Holder,

HSBC is constantly working to increase security for all Online Banking users.
To ensure the integrity of our online payment system, we periodically review accounts. Your
account might be restricted due to numerous login attempts into your online account.
Restricted accounts continue to receive payments, but they are limited in their ability
to send or withdraw funds. To lift up this restriction, you need to confirm your online
banking details.

Notice that the scam is appealing to the need to stay secure and keep an account open. This was a broad attempt because I am not even an HSBC account holder, but people fall for these types of scams every day and it only takes one lapse in judgement to have your device infected.

Spear Phishing Example 2: Fake email posing as United Parcel Service Notifications

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

I received about 6 copies with different tracking #s for this example so it is one of the more prevalent attacks circulating right now. There was a .pdf document attached that likely would have infected my machine if I would have let my guard down and opened this attachment.

Avoiding spear phishing scams takes cyber street smarts and for email users to constantly question if the document is legitimate and expected. Those with a trusting nature are at a disadvantage and at an increased risk of becoming a spear phishing victim. Now that you have some information on two current spear phishing threats you should learn more about social engineering and how you can protect your personal and business interests from this serious information security threat.
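The two emails above share the tell-tale signs the post calls out: a generic greeting, pressure to act, an unexpected attachment, and a sender that does not match the brand being impersonated. The following added example (my own code, not from the post) turns those signs into a simple triage check. The message bodies are the ones quoted above; the sender addresses, attachment name and the benign third message are constructed for the example, and the `.example` domains are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Message:
    sender: str                              # From: address as received
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


# Openings that address nobody in particular; real banks and carriers use your name.
GENERIC_GREETINGS = [r"^dear (customer|user|member|account holder)", r"account holder,"]
# Phrases that push the reader to act before thinking.
PRESSURE_PHRASES = [r"\brestricted\b", r"\bsuspended\b", r"confirm your", r"verify your",
                    r"within \d+ (business )?days?"]
# Attachment types commonly used to carry malware in mass-mailed lures.
RISKY_ATTACHMENT = re.compile(r"\.(pdf|zip|exe|scr|js|docm?|xlsm?)$", re.IGNORECASE)
# Brand name as it appears in text -> the domain that brand actually mails from.
BRAND_DOMAINS = {"hsbc": "hsbc.com", "united parcel service": "ups.com"}


def phishing_indicators(msg: Message) -> List[str]:
    """Return a human-readable list of the phishing signs present in a message."""
    hits: List[str] = []
    text = (msg.subject + "\n" + msg.body).lower()
    lines = msg.body.strip().splitlines()
    first_line = lines[0].lower() if lines else ""

    if any(re.search(p, first_line) for p in GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(re.search(p, text) for p in PRESSURE_PHRASES):
        hits.append("pressure/urgency language")
    for name in msg.attachments:
        if RISKY_ATTACHMENT.search(name):
            hits.append(f"unexpected attachment: {name}")

    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    for brand, domain in BRAND_DOMAINS.items():
        mentions_brand = re.search(r"\b" + re.escape(brand) + r"\b", text) is not None
        from_brand = sender_domain == domain or sender_domain.endswith("." + domain)
        if mentions_brand and not from_brand:
            hits.append(f"claims to be {brand} but was sent from {sender_domain}")
            break
    return hits


def is_suspicious(msg: Message, threshold: int = 2) -> bool:
    """Two or more independent indicators is enough to quarantine for a human look."""
    return len(phishing_indicators(msg)) >= threshold


# Sample 1: body quoted in the post; sender address is constructed.
HSBC_SAMPLE = Message(
    sender="security@hsbc-online-verify.example",
    subject="Your account has been restricted",
    body=(
        "HSBC Account Holder,\n\n"
        "HSBC is constantly working to increase security for all Online Banking users.\n"
        "To ensure the integrity of our online payment system, we periodically review accounts. Your\n"
        "account might be restricted due to numerous login attempts into your online account.\n"
        "Restricted accounts continue to receive payments, but they are limited in their ability\n"
        "to send or withdraw funds. To lift up this restriction, you need to confirm your online\n"
        "banking details.\n"
    ),
)

# Sample 2: body quoted in the post; sender and attachment name are constructed.
UPS_SAMPLE = Message(
    sender="noreply@ups-notice.example",
    subject="United Parcel Service notification",
    body=(
        "Dear customer.\n\n"
        "The parcel was sent your home address.\n"
        "And it will arrive within 3 business day.\n\n"
        "More information and the tracking number are attached in document below.\n\n"
        "Thank you.\n"
        "© 1994-2011 United Parcel Service of America, Inc.\n"
    ),
    attachments=["UPS_tracking_1234.pdf"],
)

# Sample 3: an ordinary constructed message from a colleague, for contrast.
BENIGN_SAMPLE = Message(
    sender="jane@example.com",
    subject="Slides from today",
    body="Hi Mark,\n\nHere are the notes from this morning's meeting. Let me know if I missed anything.\n",
)

if __name__ == "__main__":
    for label, sample in (("HSBC", HSBC_SAMPLE), ("UPS", UPS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

Heuristics like these catch the broad, mass-mailed lures shown here; a well researched spear phish aimed at one person will use your name and a plausible pretext, which is why the post's advice to ask whether a message is expected remains the real defense.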

Information Security for Online Gurus

Everyone who creates a blog or seeks to develop themselves as a brand hopes to one day become an online guru. The type of person whose every tweet or new post becomes the topic of conversation and is considered online gospel. But as either Socrates or Spider Man’s Uncle Ben (depending on your preferred reference point) would say, “with great power comes great responsibility”. If you are one of the industrious ones who has built up a following, this is your information security wake up call.

Online Gurus YOU ARE RESPONSIBLE for the information security health of your communities.

This is a responsibility that should not be taken lightly or be easily dismissed. Allow me to explain. You have obtained a following as a thought leader by standing out and delivering value to your community. Your effective branding has placed you in a position of trust where your audience hangs on your every word and eagerly opens your latest email and any links you may include.

This makes you a perfect target for savvy online social engineers who do their research and are attempting to exploit you and your community for their own financial gain.

Your email, website, auto responder, and social networking sites are your identity in the online world. If any of these accounts become compromised they could serve as an effective springboard to cause devastating harm to your entire online community. This could potentially cause a ripple effect destroying the trust you have worked so hard to build up along with a primary source of your income. Social engineers can ruin your relationship with your customers causing both of you financial loss and unneeded anxiety in the process.

Is your information security plan sufficient to protect your business and the community you have worked hard to build?

There is no silver bullet to keep you and your community safe from information security risks. Here are some general information security tips that you should have built into your information security plan:

  • Be aware and vigilant that due to your influence you are an attractive target
  • Proceed cautiously opening unsolicited links from untrusted sources (or consider having a separate device to perform such activities that is totally separate from the device you use to manage your online presence).
  • Educate your employees on the risks of information security and the threats to your business. Awareness is power.
  • Use separate passwords for your different accounts to minimize the damage done if any one of your accounts were to become compromised. If you are looking for ways to simplify your password management process look no further.
  • Keep your WordPress or other CMS systems current with the latest patches
  • If you use a customized CMS consider having a professional application security review conducted
  • Ensure your site backups are adequately secured to prevent unintended information leakage or security problems
  • Carefully consider what type of system access you give to virtual assistants and ensure you have effective processes for removing account access when the situation calls for it.

This is not meant to be a comprehensive list but only to serve as a reminder of the important role that you play in helping to ensure the security of your online community. Your reputation and business may ultimately be at stake.

Be sure to check out my detailed information on social engineering to get some good tips on how to defend your reputation and business from this important information security risk.

Information Security Awareness – What can the average business learn from HBGary?

The information security world has been abuzz with extensive coverage documenting the fascinating story of Anonymous vs. HBGary. The hacktivist group Anonymous targeted security company HBGary Federal after CEO Aaron Barr pursued a plan to out its members to generate publicity and new business opportunities for his security company that was hemorrhaging cash and desperate to survive. The incident reads like a screenplay with intrigue and ties to current events such as the Wikileaks scandals, so it would not surprise me at all if a hit movie was made about the happenings. Since HBGary Federal specialized in information security it is important to examine what went wrong and determine what type of information security lessons other businesses can learn as a result.

Information Security lessons your business can learn from the HBGary Federal information security incident:

  1. Overconfidence is a deadly sin in information security. The HBGary Federal CEO was overconfident in his abilities and that hubris led to his downfall. He was unwise to solicit the attention of skilled hackers and tempt them in a dangerous game of chicken pitting their freedom vs. his company’s continued survival. Lay low and do not make boastful claims that might tempt skilled hackers to test your security.
  2. Don’t expect the same old attack method. Aaron Barr falsely assumed that just because his adversaries had primarily used denial of service attacks in the past that they would do so again. Instead they found much larger holes and compromised his company’s web presence and email service in the process. It is good to assume you know what your adversaries may do but in doing so you should assume the worst instead of the typical.
  3. Custom built does not equal secure. HBGary Federal had a custom designed web content management system but custom built does not translate to secure. Custom built systems do not have the benefit of wide deployment base where bugs are detected and corrected (for example the WordPress platform). It is for that reason that you must conduct your own detailed web site assessments if you are using a custom developed system.
  4. Sensible password strategies are a must. It is widely recommended that passwords for sensitive accounts such as corporate email or online banking should not be the same as more common accounts such as general websites. Failing to follow this advice can lead to bad results and increase your exposure to a simple account compromise.
  5. Social engineering is the biggest information security threat facing your company and the hardest to protect against. It is necessary to train all of your employees about the dangers of social engineering and perform periodic audits to assess your company’s vulnerability. Experienced HBGary Federal’s system administrators fell for social engineering attempts that occurred via the company’s compromised email system so that is a teachable moment that helps drive home the point that just because a request seems to be coming from a legitimate requester does not mean that the request itself is valid. It is important for employees to consider the normalcy of a request and its adherence to policy prior to performing an action vs. blindly performing it because it is coming from a legitimate user account.

This information is not being provided to further vilify HBGary but so that you can learn from their mistakes and improve your company’s information security program in the process.