Category Archives: Information Security Awareness

Information Security Awareness – Social Engineering

Social engineering is the act of tricking someone into performing actions they would not otherwise perform; it often involves divulging sensitive information. Social engineering plays on people’s desire to be helpful or to comply with requests that seem to come from an authoritative source. It can often be used to defeat expensive and elaborate information security programs, so it is important to educate your employees about the risks of social engineering to help keep your business secure.

Social engineering can take many forms including:

Physical Social Engineering – Involves a direct personal interaction where the perpetrator engages the target directly. Physical social engineering still occurs but is riskier to the individual attempting it because there is an increased chance of being identified and caught for the incident. Examples of physical social engineering include:

  • Attempting to gain unauthorized access to a building by getting someone to hold a door, tagging along behind them, or flashing a fake badge credential.
  • Impersonating authorized personnel like cleaning staff, electricians or other service professionals to gain access to areas that are off limits.
  • A wide variety of other actions including asking someone to disclose a password, access a file on a USB drive, access a system or perform other actions that are intended to aid the attacker’s cause.

Telephone Based Social Engineering – Telephone based social engineering is a widely used method that helps the perpetrator gain needed information while minimizing the risk of being identified in comparison to physical social engineering. Examples of telephone based social engineering include:

  • Impersonating the help desk via telephone and dialing users in an attempt to acquire sensitive information (such as user names and passwords or system configuration information)
  • Impersonating business executives via the telephone and calling the help desk in an attempt to acquire sensitive information (such as user names and passwords or system configuration information)

Computer Based Social Engineering – Has become the dominant form of social engineering taking place today. Computer related correspondence is much harder to trace compared to personal or telephone based contacts and that anonymity makes it an attractive attack venue for social engineers. Examples include:

  • Email based phishing attempts that trick a user into clicking on a malicious link or disclosing a password
  • Internet sites set up to take advantage of mistyped names of prominent web sites
  • Social media based interactions attempting to gain access to personal information

Top 10 social engineering tips to help educate your employees and protect your business

10. Anyone can be targeted for a social engineering attempt and those that are most confident in their abilities to spot an attempt often end up a victim. Hubris is deadly so always have humility and use your best judgement to avoid falling for a scam.

9. The most common risk for physical social engineering is piggybacking into a facility. A social engineer attempting to piggyback will wait until someone with valid building access opens the door and then tag along behind that person. Teach your employees to always ask for a valid ID before letting someone in behind them and audit for compliance.

8. Just because an email appears to be coming from a trusted friend or co-worker you know does not mean you actually know the sender. If the request is out of the ordinary and seems suspicious, follow up with a phone call to make sure it is legitimate. A high profile information security company recently failed to do this and suffered disastrous consequences as a result.

7. Determined social engineers do their homework. They perform a lot of due diligence on the Internet and will be equipped with knowledge to aid in their goal of tricking you. They will know executive names, titles, etc., but that doesn’t make their request any more legitimate, only harder to detect.

6. Be very suspicious of emails requesting password information or validations that are required immediately. These are typical tactics of spear phishing social engineering attempts and you must teach your employees to avoid these scams.

5. Practice the “Need to Know” principle. Just because an individual asks for certain information does not mean they require it so all requests should be evaluated based on the need to know principle. Teach your employees to ask “Does this individual making the request really have a legitimate need to know this information?”

4. Avoid using USB and other media devices that have unknown sources. This is a common method for social engineers to gain a foothold into an organization through a malicious executable file and it is avoidable by educating your employees about the threat.

3. Regularly remind employees about the dangers of social engineering to your business and provide real life examples.

2. Set up a process so your employees can report social engineering attempts that occur. It is important to measure the threats your business faces and determine if any patterns can be detected to help minimize your long term risk.

1. Trust your instincts but also reference established policies. Many social engineering victims mention that something seemed out of place but they went along with the request anyway out of the desire to be helpful. Train your employees in the proper procedures you want them to follow and perform audits to validate that the procedures are being followed.

Social engineering is the most difficult threat to protect your company from because it requires that all of your employees become active participants to stay secure. Follow these tips and make social engineering awareness part of your regular information security awareness program.

Facebook Security Tips – How To Stay Secure while using the largest social media site

A recent article I read stated that nearly 7% of the world’s population is currently utilizing Facebook. That fact comes as no surprise because Facebook is a convenient way to stay in contact with friends and family, spend some downtime, or, for businesses, a growing avenue to market products and interact with new and existing customers. But what are the information security risks you should consider when using Facebook? Many of the information security risks you face while using Facebook are equivalent to those you face while doing general web surfing or using email, so everything you read below won’t be unique to Facebook but should serve as a good reminder.

Top 10 Facebook Security Tips

1. Do not click on links or emails that look suspicious

Facebook has the largest dedicated user group on the planet and that makes them an attractive target for all types of spammers. The spammers’ goal might be to sell you a product, steal your credentials, or infect your PC. Use good judgement to avoid email and link scams to keep yourself protected and notify friends or colleagues if you have reason to believe their account may have been compromised by spammers.

2. Use a unique password to access Facebook

Do not reuse passwords on multiple sites especially for sites that you consider important. The Gawker password loss incident (among other notable events) helps highlight the potential risk that a site you utilize less frequently might compromise the security of sites that are more important to you. Mitigate this risk by using unique passwords for sites that are most critical to you.

3. Select a strong password that can not be easily guessed

A lot of the information we post on Facebook is a rich source for potential password guessing and identity theft. Until we reach the days of stronger authentication, using good password management practices is key to keeping your account secure.

4. Implement general information security controls for any machines that will be accessing Facebook.

All of the standard PC protection mechanisms including patches, updates, anti-virus and firewall protection are required to help secure your machine and the accounts that you access. These controls give you additional protection to prevent or detect problems before they do serious damage.

5. Avoid logging into Facebook on shared PCs or machines you do not own

It may not be convenient if you want to quickly check Facebook or your email while on vacation or at a friend’s house but you can not be confident of the security of a machine you do not control. Your credentials could be cached or recorded in a hidden keystroke logger leaving you vulnerable to account abuse. It is preferable to check your accounts on a mobile device you own vs. resorting to utilizing a machine you can not vouch for.

6. Be careful about utilizing insecure wireless hotspots

The information you send could be intercepted so it is wise to stick to utilizing trusted networks. If you do use an untrusted wireless hotspot it is a good idea to change your password once you return to your primary location.

7. Recognize Facebook information can be used by identity thieves and other agencies

Identity thieves have begun to mine Facebook for information to aid their schemes. A lot of this information involves maiden names, former addresses, and relations to family members all of which could be available via Facebook. This is especially a risk if you have an extensive group of friends or are quick to approve new requests. If you have a wider network consider separate Facebook accounts to segment the information you share and lower your risk.

8. Facebook ads or applications may contain malware

Be selective about which ads you click on and which applications you install. Just because these ads and applications are available via Facebook does not mean Facebook the entity vouches for their security.

9. Monitor your account and take action if you notice a problem

Many people fail to act even if they notice a problem or if someone reports an issue to them. Be a responsible user and quickly follow up to address any security issues so you are not a source of spam or malware to friends or colleagues.

10. Consider the appropriateness of information you are posting

Once you post information there could be instantaneous eyeballs and replies plus an archived copy of your post somewhere on the web so be sure to use good judgement before posting and make sure information you share is in line with the image you are trying to maintain.

Hard Drive Wiping – It doesn’t take a rocket scientist

Photo courtesy of http://www.flickr.com/photos/jurvetson/

You have likely heard about the recent NASA information security incident where PCs were sold without first having their hard drives properly wiped. Failing to perform this essential information security step has resulted in an embarrassing public disclosure and also the possibility that sensitive shuttle information that was subject to export control restrictions may have been disclosed.

What are the information security lessons that you should learn from the NASA incident?

1. Old assets are often overlooked in the desire to quickly get rid of them. Out with the old, in with the new, right? Not so fast. Remember that if you do not securely wipe the data prior to selling or returning the asset, your information is at risk.

2. Build the requirement to secure data prior to asset disposal into your security policy (NASA did this but failed to enforce it, which brings up point #3).

3. Audit compliance against your policies to validate that actions are happening as they should be and take corrective action when you find a problem.

Make sure to follow our previously published hard drive wiping recommendations to take the necessary steps to protect your data before it leaves your location to help keep your company’s information secure.

FBI advisory for Businesses – Online Banking Accounts at risk

Online banking security related risks have received more attention from me than any other information security topic and rightfully so! Not many other business related risks can quickly put a company out of business, but the fraudulent theft of an entire bank account could force closure if invoices and payroll cannot be paid. After analyzing a lot of recent frauds, the FBI has acknowledged that online banking is risky for businesses and has issued a fraud advisory detailing typical fraud methods and ways to protect your business from becoming a victim.

The fraud advisory begins by mentioning that cyber criminals are targeting financial accounts of owners and employees of small and medium sized businesses and that the result has been significant disruption and often unrecoverable lost funds (as we have mentioned previously here, since regulations do not adequately protect businesses right now). Several examples are also provided, very similar to other cases we have previously highlighted. The highlighted method of compromise is targeted phishing emails that have either an infected attachment or a link the victim clicks that sends them to a malicious site that compromises their machine. Once their machine is compromised, key logging software is installed to record keystrokes, and online banking credentials are obtained when the victim logs into their account on the compromised machine. The cyber thieves then strike at an opportune time to drain the accounts of their contents, often in increments of $10,000 or less to avoid suspicion.

What does the FBI Advisory recommend to avoid becoming a victim?

1. Educate your users to not respond to unsolicited emails and to never open up documents or click on links. If it appears to come from a financial institution or government agency and you feel it is legitimate engage that institution directly and avoid the suspicious files or links.

2. Secure your computers and networks.

3. Enhance the security of your business banking processes. The FBI recommends dual control, which requires one person to authorize a payment creation and another to authorize the release of the payment from a separate system. This is a good protection to segregate the duties and also helps to mitigate typical non-cyber fraud, but you should be warned that often times multiple accounts at a given company are targeted so it is not a foolproof control (but a useful additional security step). The FBI also recommends SMS text payment notifications or direct phone notifications, which can help detect a fraud early in the process and limit the damage.

4. Monitor accounts daily – The sooner you detect a problem the sooner you can work on correcting it and recovering your losses.

5. Pay attention to any warning signs that your machine may be compromised including anti virus system warnings, pop up alerts, sluggish response, or if you can not shutdown or restart properly.

6. Understand your responsibilities and liabilities – This recommendation is useful because many businesses have a false sense of security and believe that personal banking laws also apply to their business. They often do not, so find out now so you can make an informed decision about whether online banking is worth the risks that it entails.

Information Security for laptops, desktops, and servers

Your company’s laptops, desktops, and servers are critical for most of your major business processes from customer management to invoicing, accounting, and payroll. If your systems are not available for use you cannot perform these activities and keep your business operating effectively. Worse yet, if your devices have been compromised your data is not secure and it can be deleted, manipulated or misused for financial gain by cyber criminals. Simply put, keeping your systems secure helps keep your business secure.

Here are the key items you need to consider to stay protected

Update your software – The developers that make the software you utilize are not perfect; in fact there are thousands of yet to be detected errors in every piece of software you own. Nearly every company is regularly updating its software to improve functionality and eliminate security vulnerabilities, and you need to quickly update your systems to protect against known security threats.

Utilize auto update functionality – For most desktop/laptop systems auto updates are the best way to ensure that you are installing any needed security patches in a timely manner. This link to Microsoft’s site shows you how to set the auto update functionality for their most common operating systems. Application software updates for the common applications you use including Microsoft Office, and Adobe among others are also required to round out your protection. Your internet browser (whichever you choose to utilize) is also one of the most critical things to have running at the most current version because a lot of malware is picked up via the Internet.

How to update Internet Explorer – While in IE go to Tools > Windows Update and install any recommended patches

How to update Firefox – While in Firefox go to Help > Check for Updates

* Note it is also important to ensure any Firefox updates you have installed are updated in a timely manner when a new release is available.

How to update Google Chrome – Follow the instructions provided by Google in the attached link.

The one exception you should make for auto updates is to not perform it on critical servers. All updates should be tested in a more controlled manner on a critical server to avoid potential problems with new security patches.

Utilize Antivirus software – Antivirus software is essential for minimizing the risks of getting infected with all forms of malware including viruses and worms. If you do happen to get infected, antivirus software can often help you fix the issue and remove the problem. In addition to antivirus software, Microsoft’s Malicious Software Removal Tool is an excellent free tool that offers malware removal options.

Practice Safe Internet Browsing – Educate your users and train them to limit their Internet activity to trusted sites to lower their chances of picking up nasty malware. Even if you patch and have anti-virus you could be pushing your luck if you visit untrusted sites as a 0 day vulnerability could be waiting to infect your systems and defeat the other security mechanisms you have implemented.

Information Security – Is it a productivity road block?

Image provided by http://www.flickr.com/photos/wwarby/

A recent survey conducted by Government Business Council shows that many officials in government agencies think information security is a barrier to increased productivity. The survey references blocked websites that prevent access to needed information and inability to effectively work remotely (presumably due to security limitations) as the primary pain points. An interesting but unsurprising side effect noted in the survey was that users who are blocked from getting information in one method will sometimes resort to utilizing less secure methods to access the information.

How do your users feel about information security impacting their productivity? If you have not asked recently through informal checks or surveys you may be surprised. They likely feel the same way and may be taking additional risk to access the information they are trying to get. It is important to balance information security protection with usability to ensure you are not missing opportunity or limiting productivity.

Some things to consider

  1. Information security requires continual education and engagement with your user community. It involves a give and take where you must educate and inform but also listen to feedback to ensure you have not set up unneeded barriers that negatively impact productivity.
  2. As much as possible, schedule security scans to occur at a less than peak time to minimize disruption. When this time is will vary by company, so plan it based on your business requirements.
  3. If you have implemented web filtering, create a feedback loop so you can learn about web sites needed for business use that are being blocked inappropriately. Evaluate and take action as appropriate to show that you are listening and care about business requirements. This is an important step to building trust that will help further all of your information security objectives later on.
  4. Remember that when people think security is a barrier they will be creative and potentially use unauthorized methods to get what they need. It is better to understand what the user pain points are and help remove them vs. giving an incentive to get around the barriers that could cause a big exposure.

In closing, be sure to build a relationship with your users so you can find out how they really feel and validate that your information security program is meeting business requirements.

Information Security and Physical Security

Photo Courtesy of http://www.flickr.com/photos/eprater/

Information security is often thought to be very technical in nature and a lot of the time it is. After all, technology is exciting and many people prefer to focus on firewalls, intrusion prevention systems and other state of the art technologies. Physical security is an essential, often neglected aspect of information security and it is every bit as important as the more technical aspects. If you neglect implementing adequate physical security measures all of your other efforts can be in vain.

The following are the primary business risks if you fail to implement adequate physical security measures:

  • Disclosure of sensitive business information
  • Theft of your business assets
  • Financial loss for replacing assets
  • Loss of ability to use data that may be critical for sustaining ongoing operations (if no backups are available)
  • Negative publicity if the event is disclosed

So now that you agree it is important, what do you need to do? One of the first steps should be to perform a risk assessment so you can document and prioritize based on business risk. This helps you focus your efforts and decide how much you are willing to spend to mitigate certain risks. I will provide a sample risk assessment at a later date to serve as a template but for now here are items to consider when implementing physical security.

Physical Security Things to Do At Your Business

  1. Control access to your business facility to only allow authorized personnel inside. At the minimum this should mean securing your business at least as much as you do your home: locked doors, security systems, and/or more advanced control mechanisms like building control devices.
  2. Secure rooms with computer servers and networking equipment in them with an additional level of security. Ideally physical access to these systems should be restricted to individuals that need to access them. In addition, a simple guest log-in book is a good way to document who is accessing a security controlled room (of course badge access control is even better but it is all based on your cost/risk tolerance).
  3. Consider using a camera/DVR based security system. I have not yet purchased one but for under $400 I am looking to get one very soon, likely the Defender SN500. This set looks quite nice and is very cost effective for the additional protection it provides.
  4. Utilize cable locks for your desktops, laptops, projectors and network equipment. Physical theft is the greatest threat to these assets so lock them down to get a little more secure.
  5. Lock up sensitive physical files in drawers or cabinets and do the same with portable electronic media such as USB devices or CDs/DVDs.
  6. Make sure you follow our backup tips to ensure you do not lose critical data in the event of an environmental disaster such as a fire or flood.

Physical Security Things to Do on the Go

Laptop thefts are the biggest risk to your business assets while in transit. Follow these tips to make sure you minimize your likelihood of becoming a victim of laptop theft.

  • Place your laptop in your trunk immediately when leaving work for the day. A majority of laptops stolen from vehicles are stolen because they are visible tempting targets to thieves.
  • Never leave your laptop unattended when it is not locked up. Keep an eye on it at all times much like you would a small child playing in the yard.
  • Consider utilizing a laptop recovery service if you will be storing sensitive information on your machine.
  • When traveling on a plane never check a laptop; always carry it on yourself.
  • If you are in a hotel room the best option is to lock your laptop in the in-room safe. The next best option is to use a cable lock to secure it to some furniture or shelving in the room. A last resort option is to use the do not disturb sign and hide it as best you can as recommended in these tips from Microsoft.
  • If you have to step away for even just a moment ask a trusted person to keep an eye on it for you. If there is no one available take it with you.

In summary, do not neglect physical security as part of your information security program. Doing so will leave you with a false sense of security and an incomplete protection program.

Information Security – Who needs it? Law Firms Do!

You own or manage a law firm and have a lot of important cases. But are you taking information security seriously? If not, you are exposing your clients and your firm to potential negative ramifications, as evidenced by several Atlanta law firms who failed to secure sensitive documents. Due to poor information protection practices several law firms dumped sensitive documents containing case information, W2 information, bankruptcy files, and old checks among other data directly into an insecure location. When some of the original documents were traced back to a firm it was learned that the employee who performed that action was instructed to dispose of the documents in a large dumpster that was believed to be a secure site. The original article linked above quoted the employee as saying “My understanding is that once stuff goes in nobody can take anything out because it’s very deep.”

Business Risk

By failing to secure sensitive client information the law firm exposed themselves to liability lawsuits and damage to their reputation as trustworthy representatives of their clients.

Information Security Lessons Learned

  • Sensitive information residing in physical form should not just be thrown out. More thorough destruction techniques such as shredding or incineration are necessary to safely eliminate records that have outgrown their usefulness. You could also consider hiring a firm that specializes in these activities but be sure to audit their compliance on occasion.
  • Sensitive electronic media should be secured by overwriting it as detailed in a previous article.
  • Once you have implemented effective techniques as outlined above educate your employees how to perform the desired actions and audit their compliance on a periodic basis.

Remember simply putting information in a dumpster does not equal information security!

Photo by http://www.flickr.com/photos/caterina/

Information Security – Who needs it? Colleges & Universities Do!

We have previously highlighted an information security incident where a laptop theft from a hospital caused significant data loss and negative publicity. You might be thinking what does that have to do with me? I am safe because I have a desktop and those don’t get stolen like laptops do. Think again! Desktops are also a frequent target of theft as City College of New York learned the hard way. A desktop computer was stolen that contained the personal information of 7000 students who are now at an increased risk of identity theft.

Information Security Lessons Learned

  • Desktops and laptops should utilize encryption when any sensitive data will reside on the machine. Often times it is not easy to know up front if the machine will be used to store sensitive data so it is best to default to a secure installation and install encryption every time.
  • Laptops are not the only devices that could benefit from a cable lock. Desktops and other computer equipment like portable projectors should also utilize them to add an extra dimension of physical security and theft deterrence.

Information Security – Who needs it? The Police Do!

Photo courtesy of http://www.flickr.com/photos/gadgetdude

The latest in our continuing series on real life information security incidents shows that even the police need information security. The Manchester Police Department recently experienced an information security incident and the negative publicity that results from such an event. The source of the incident was an unencrypted USB drive that was lost and was found to be holding sensitive records including information about officers and emergency response information including such gems as information about crowd control plans. Losing this information potentially puts the officers at undue risk and also gives groups seeking greater knowledge about internal workings of the police department a leg up in better understanding how the department works. This incident is especially troubling since the article mentions that this department also had an issue with worm problems a while back, so it is clear a new security mindset is needed to keep data secure.

Information Security Lessons Learned

  • Do not store sensitive information on USB drives
  • If you find recommendation #1 draconian be sure to utilize an encrypted USB device such as the IronKey device available at places like Amazon.com
  • Educate your users regarding information security to help make sure your security policies are not violated

PS: I realize the picture is not the Manchester Police department but same country and it was just too tempting to pass up!