Tag Archives: Information Security Awareness

Best information security news and email feeds

Here are the information security news feeds/email subscriptions I subscribe to in order to stay current with the latest in information security news. Drop me a line if you have others that you follow that should be added to the list. I am including details about average number of posts per week when they are available because I know it is easy to get swamped in reading material and understanding frequency of publishing vs. value you get from it is important so you can efficiently use your time.

RSS subscriptions

  • SANS Newsbites – SANS is my go to resource for information security related news and training.
  • All of the US-CERT feeds – I view the US CERT organization as a leading authority along with SANS and subscribe to all of their feeds most of them average less than 1 per week which is manageable.
  • NIST.ORG – Network Information Security & Technology News organization is a leading authority on all things information security.
  • Help Net Security – Excellent source with concise articles detailing the latest in information security threats, tools, and news.
  • Krebs on Security – Nice in depth security investigations especially around the underground criminal market in information security assets.
  • Darkreading Weblog – Good source for staying on top of the latest security compromises and exploits. Averages 20 posts per week
  • Infoworld Security Blog – Covers a variety of diverse and useful information security topics. Averages 1 post per week
  • Experian Data Breach Blog – Provides info around data breaches and things you can do to help stay secure. Averages 1.2 posts per week
  • SearchSecurity: Threat Monitor – Good summary of current information security threats in the wild. Averages .2 posts per week
  • SearchSecurity: Security Wire Daily News – Feed for general information security information around a variety of topics. Averages 3.5 posts per week
  • Qualys Newsletter – Security feed put out by Vendor Qualys I use it to get a vendor’s take on vulnerabilities and vulnerability management best practices. Averages .7 posts per week
  • Eeye Security Blog – Eeye Digital Security’s blog for keeping track of their information security ideas and news. Averages 1.6 posts per week.
  • SC Magazine Cybercrime Corner – Another source for staying on top of cybercrime news. Averages 2 posts per week.

Email newsletters

  • SANS Security Awareness Newsletter – Nice monthly newsletter that can be used for internal information security awareness campaigns.
  • SANS @RISK Newsletter – Weekly newsletter that summarizes the top 3-8 vulnerabilities that currently matter most and how to mitigate the risk from them.
  • Security Focus Mailing lists – I subscribe to a few of the many different mailing lists they offer including Web Application Security and Penetration Testing. I used to subscribe to the popular BUGTRAQ but opted out due to the volume.
  • Slashdot newsletter – Useful cutting edge information security stuff here but I get the summary newsletter because the general RSS feed is very busy and difficult to stay on top of.
  • Microsoft Monthly Newsletter – Nice email newsletter for those of you using and trying to secure Microsoft products
  • Apple security mailing list – For you Apple fans to keep on top of security issues (yes security things happen on Apple devices too, and expect it to expand in the future)

 

10 Information Security Lessons Everyone Should Know

Information security is an afterthought to most people left to the domain of nerds and professionals. This is a big mistake that could have major ramifications for your financial, social or emotional well being. Identity theft, financial loss, time wasted, and social/reputation stress are just a few of the potential problems awaiting if you fail to take information security seriously. Without any further buildup (as if any were possible) here are the Top 10 Information Security Lessons Everyone Should Know.

1. You are a potential victim – It isn’t just the rich and famous who are targeted for information security attacks. Everyone is a potential victim and must take adequate precautions to protect their systems and information. If you do not take the risk seriously you are more likely to become a victim.

2. Email and internet browsing are the two riskiest activities you do every day If you click on every email, open every attachment, and click on web sites of unknown quality you are at an increased risk for being compromised with malware or viruses. Once your machine has been compromised it may become unusable or worse it may be silently harvesting your important usernames and passwords.

3.  Anyone you let use your system or device can put you at risk

Anyone you let use your system can spoil all of the careful planning you have done and create problems for you later. If you allow others to use your device be sure they have good judgement and set some ground rules around email and internet usage.

4. Do not reuse username/passwords especially for important accounts

Most people reuse username and passwords for their activities even for important accounts like email and online banking. This is a big mistake and it makes you susceptible to widespread problems if only one of the sites you frequent has a security incident. It is better to use unique strong passwords for all sites and use a free password manager such as LastPass to help keep track of your passwords in a secure manner.

5. Do not go without security protection for your pc, tablet or mobile device.

Going without some type of antivirus, personal firewall software, and security updates  is just asking for problems. These are your last line of defense if you make a mistake and click on an infected attachment or website. If you do not want to pay for this there are high quality free security tools available to help.

6. It is easy to impersonate you

Anyone can create a Facebook, linkedin (insert any other social media site here), or email account pretending to be you. It is easy to find an image for most people using google or a variety of other sources to make the account look authentic. If you get reports from friends about any accounts that do not sound familiar do not dismiss them take action immediately.

7. Backup your important information

Always have a back up plan to restore documents, photos or other items you can not stand losing. If you do not have a backup your putting too much faith in never losing your device or having it become inoperable. Use a dvd, a backup system, or online available storage but use something.

8. Protect your mobile devices while out and about

Electronic equipment is most vulnerable to loss or theft when you are on the go. Take it with you but always keep an eye on it and make sure not to leave it unattended and visible or you may regret it later. Assume if you like it someone else might too.

9. Secure your wireless access point

Using WEP encryption is better than nothing but not totally sufficient since it is easily crackable with online tools. You should be using WPA encryption to make sure others can not cause trouble with your connection. Read this horror story of what normal people went through with their neighbor from hell if you are not convinced.

10. Anything you do electronically is forever

Many people post things in the spur of the moment thinking they can go back and delete it later. This is usually not the case since nearly everything is indexed, archived, and kept for posterity. Think twice before posting something (pictures, emails, social media posts) because it will endure and might be used against you in unexpected ways later on.

Some of these recommendations may sound a bit alarmist but awareness is most of the battle. Compute safely my friends

The Most Interesting Security Man in the World

Social Engineering – Don’t fall for these email phishing attacks

Spear phishing is the term given to fraudulent malicious emails that attempt to infect your computing device and gain unauthorized access. The messages will appear to come from a trusted source such as a well known company often in the financial services or payment processing industries. In targeted attacks it is also common for the email to appear to generate from the recipient’s own company. Scammers that have done their research will know the names of high level directors which are commonly available online in annual reports. Their goal is to defraud you out of your money or intellectual property that keeps your business ahead of the competition.

Here are two timely examples that I happened to see in my spam inbox today:

Spear Phishing Example 1: Fake email posing as HSBC Bank

HSBC Account Holder,

HSBC is constantly working to increase security for all Online Banking users.
To ensure the integrity of our online payment system, we periodically review accounts. Your
account might be restricted due to numerous login attempts into your online account.
Restricted accounts continue to receive payments, but they are limited in their ability
to send or withdraw funds. To lift up this restriction, you need to confirm your online
banking details.

Notice that the scam is appealing to the need to stay secure and keep an account open. This was a broad attempt because I am not even an HSBC account holder but people fall for these type of scams every day and it only takes one lapse in judgement to have your device infected.

Spear Phishing Example 2: Fake email posing as United Parcel Service Notifications

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

I received about 6 copies with different tracking #s for this example so it is one of the more prevalent attacks circulating right now. There was a .pdf document attached that likely would have infected my machine if I would have let my guard down and opened this attachment.

Avoiding spear phishing scams takes cyber street smarts and for email users to constantly question if the document is legitimate and expected. Those with a trusting nature are at a disadvantage at an increased risk of becoming a spear phishing victim. Now that you have some information on two current spear phishing threats you should learn more about social engineering and how you can protect your personal and business interests  from this serious information security threat.

Information Security for Online Gurus

Everyone who creates a blog or seeks to develop themselves as a brand hopes to one day become an online guru. The type of person who’s every tweet or new post becomes the topic of conversation and considered online gospel. But as either Socrates or Spider Man’s Uncle Ben (depending on your preferred reference point) would say “with great power comes great responsibility”. If you are one of the industrious ones who has built up a following this is your information security wake up call.

Online Gurus YOU ARE RESPONSIBLE for the information security health of your communities.

This is a responsibility that should not be taken lightly or be easily dismissed. Allow me to explain. You have obtained a following as a thought leader by standing out and delivering value to your community. Your effective branding has placed you in a position of trust where your audience hangs on your every word and eagerly opens your latest email and any links you may include.

This makes you a perfect target for savvy online social engineers who do their research and are attempting to exploit you and your community for their own financial gain.

Your email, website, auto responder, and social networking sites are your identity in the online world. If any of these accounts become compromised they could serve as an effective springboard to cause devastating harm to your entire online community. This could potential cause a ripple effect destroying the trust you have worked so hard to build up along with a primary source of your income. Social engineers can ruin your relationship with your customers causing both of you financial loss and unneeded anxiety in the process.

Is your information security plan sufficient to protect your business and the community you have worked hard to build?

There is no silver bullet to keep you and your community safe from information security risks. Here are some general information security tips that you should have built into your information security plan:

  • Be aware and vigilant that due to your influence you are an attractive target
  • Proceed cautiously opening unsolicited links from untrusted sources (or consider having a separate device to perform such activities that is totally separate from the device you use to manage your online presence.
  • Educate your employees on the risks of information security and the threats to your business. Awareness is power.
  • Use separate passwords for your different accounts to minimize the damage done if any one of your accounts were to become compromised. If you are looking for ways to simplify your password management process look no further.
  • Keep your WordPress or other CMS systems current with the latest patches
  • If you use a customized CMS consider having a professional application security review conducted
  • Ensure your site backups are adequately secured to prevent unintended information leakage or security problems
  • Carefully consider what type of system access you give to virtual assistants and ensure you have effective processes for removing account access when the situation calls for it.

This is not meant to be a comprehensive list but only to serve as a reminder of the important role that you play in helping to ensure the security of your online community. Your reputation and business may ultimately be at stake.

Be sure to check out my detailed information on social engineering to get some good tips on how to defend your reputation and business from this important information security risk.

Information Security Awareness – What can the average business learn from HBGary?

The information security world has been abuzz with extensive coverage documenting the fascinating story of anonymous vs HBGary. The hacktivist group anonymous targeted security company HBGary Federal after CEO Aaron Barr pursued a plan to oust its members to generate publicity and new business opportunities for his security company that was hemorrhaging cash and desperate to survive. The incident reads like a screenplay with intrigue and ties to current events such as Wikileaks scandals, so it would not surprise me at all if a hit movie was made about the happenings. Since HBGary Federal specialized in information security it is important to examine what went wrong and determine what type of information security learnings other businesses can learn as a result.

Information Security lessons your business can learn from the HBGary Federal information security incident:

  1. Overconfidence is a deadly sin in information security. HBGary CEO was overconfident in his abilities and that hubris led to his downfall. He was unwise to solicit the attention of skilled hackers and tempt them in a dangerous game of chicken pitting their freedom vs. his companies continued survival. Lay low and do not make boastful claims that might tempt skilled hackers to test your security.
  2. Don’t expect the same old attack method. Aaron Barr falsely assumed that just because his adversaries had primarily used denial of service attacks in the past that they would do so again. Instead they found much larger holes and compromised his company’s web presence and email service in the process. It is good to assume you know what your adversaries may do but in doing so you should assume the worst instead of the typical.
  3. Custom built does not equal secure. HBGary Federal had a custom designed web content management system but custom built does not translate to secure. Custom built systems do not have the benefit of wide deployment base where bugs are detected and corrected (for example the WordPress platform). It is for that reason that you must conduct your own detailed web site assessments if you are using a custom developed system.
  4. Sensible password strategies are a must. It is widely recommended that passwords for sensitive accounts such as corporate email or online banking should not be the same as more common accounts such as general websites. Failing to follow this advice can lead to bad results and increase your exposure to a simple account compromise.
  5. Social engineering is the biggest information security threat facing your company and the hardest to protect against. It is necessary to train all of your employees about the dangers of social engineering and perform periodic audits to assess your company’s vulnerability. Experienced HBGary Federal’s system administrators fell for social engineering attempts that occurred via the company’s compromised email system so that is a teachable moment that helps drive home the point that just because a request seems to be coming from a legitimate requester does not mean that the request itself is valid. It is important for employees to consider the normalcy of a request and its adherence to policy prior to performing an action vs. blindly performing it because it is coming from a legitimate user account.

This information is not being provided to further vilify HBGary but so that you can learn from their mistakes and improve your company’s information security program in the process.

Information Security Awareness – Social Engineering

Social engineering is the term for the act of tricking someone into performing actions they would not otherwise perform often times it involves the divulging of sensitive information. Social engineering plays on people’s desires to be helpful or to comply with requests that seem to be coming from an authoritative source. Social engineering can often be used to defeat expensive and elaborate information security programs so it is important to educate your employees about the risks of social engineering to help keep your business secure.

Social engineering can take many forms including:

Physical Social Engineering – Involves a direct personal interaction where the perpetrator engages the target directly. Physical social engineering still occurs but is riskier to the individual attempting it because there is an increased chance of being identified and caught for the incident. Examples of physical social engineering include:

  • Attempting to gain unauthorized access to a building by getting someone to hold a door, tagging along behind them, or the flashing of a fake badge credential
  • Impersonating authorized personnel like cleaning staff, electricians or other service professionals to gain access to areas that are off limits.
  • A wide variety of other actions including asking someone to disclose a password, access a file on a USB drive, access a system or perform other actions that are intended to aid the attackers cause.

Telephone Based Social Engineering – Telephone based social engineering is a widely used method that helps the perpetrator gain needed information while minimizing the risk of being identified in comparison to physical social engineering. Examples of telephone based social engineering include:

  • Impersonating the help desk via telephone and dialing users in an attempt to acquire sensitive information (such as user names and passwords or system configuration information)
  • Impersonating business executives via the telephone and calling the help desk in an attempt to acquire sensitive information (such as user names and passwords or system configuration information)

Computer Based Social Engineering – Has become the dominant form of social engineering taking place today. Computer related correspondence is much harder to trace compared to personal or telephone based contacts and that anonymity makes it an attractive attack venue for social engineers. Examples include:

  • Email based phishing attempts that trick a user into clicking on a malicious link or disclosing a password
  • Internet sites set up to take advantage of mistyped names of prominent web sites
  • Social media based interactions attempting to gain access to personal information

Top 10 social engineering tips to help educate your employees and protect your business

10. Anyone can be targeted for a social engineering attempt and those that are most confident in their abilities to spot an attempt often end up a victim. Hubris is deadly so always have humility and use your best judgement to avoid falling for a scam.

9. The most common risk for physical social engineering is piggybacking into a facility. A social engineer attempting to piggyback will wait until someone with valid building access opens the door and then seeks to tag along the person. Teach your employees to always ask for a valid idea before letting someone in behind them and audit for compliance.

8. Just because an email appears to be coming from a trusted friend or co-worker you know does not mean you actually know the sender. If the request is out of the ordinary and seems suspicious follow-up with a phone call to make sure it is legitimate. A high profile information security company recently failed to do this and suffered disastrous consequences as a result.

7. Determined social engineers do their homework. They perform a lot of due diligence on the Internet and will be equipped with knowledge to aid in their goal of tricking you. They will know executive names, titles etc.. but that doesn’t make their request any more legitimate only harder to detect.

6. Be very suspicious of emails requesting password information or validations that are required immediately. These are typical tactics of spearfishing social engineer attempts and you must teach your employees to avoid these scams.

5. Practice the “Need to Know” principle. Just because an individual asks for certain information does not mean they require it so all requests should be evaluated based on the need to know principle. Teach your employees to ask “Does this individual making the request really have a legitimate need to know this information?”

4. Avoid using USB and other media devices that have unknown sources. This is a common method for social engineers to gain a foothold into an organization through a malicious executable file and it is avoidable by educating your employees about the threat.

3. Regularly remind employees about the dangers of social engineering to your business and provide real life examples.

2. Set up a process so your employees can report social engineering attempts that occur. It is important to measure the threats your business faces and determine if any patterns can be detected to help minimize your long term risk.

1. Trust your instincts but also reference established policies. Many social engineering victims will often mention something seemed out of place  but they went along with the request anyway out of the desire to be helpful. Train your employees in the proper procedures you want them to follow and perform audits to validate that the procedures are being followed.

Social engineering is the most difficult threat to protect your company from because it requires that all of your employees become active participants to stay secure. Follow these tips and make social engineering awareness part of your regular information security awareness program.

Information Security for laptops, desktops, and servers

Your companies laptops, desktops, and servers are critical for most of your major business processes from customer management to invoicing, accounting, and payroll. If your systems are not available for use you can not perform these activities and keep your business operating effectively. Worse yet, if your devices have been compromised your data is not secure and it can be deleted, manipulated or misused for financial gain by cyber criminals. Simply, keeping your systems secure helps keep your business secure.

Here are the key items you need to consider to stay protected

Update your software – The developers that make the software you utilize are not perfect, in fact there are thousands of yet to be detected errors in every piece of software you own. Nearly every company is regularly updating its software to improve functionality and eliminate security vulnerabilities and you need to quickly update your systems to prevent against known security threats.

Utilize auto update functionality – For most desktop/laptop systems auto updates are the best way to ensure that you are installing any needed security patches in a timely manner. This link to Microsoft’s site shows you how to set the auto update functionality for their most common operating systems. Application software updates for the common applications you use including Microsoft Office, and Adobe among others are also required to round out your protection. Your internet browser (whichever you choose to utilize) is also one of the most critical things to have running at the most current version because a lot of malware is picked up via the Internet.

How to update Internet Explorer – While in IE go to Tools > Windows Update and install any recommended patches

How to update Firefox – While in Firefox go to Help > Check for Updates

* Note it is also important to ensure any Firefox updates you have installed are updated in a timely manner when a new release is available.

How to update Google Chrome – Follow the instructions provided by Google in the attached link.

The one exception you should make for auto updates is to not perform it on critical servers. All updates should be tested in a more controlled manner on a critical server to avoid potential problems with new security patches.

Utilize Antivirus software – Antivirus software is essential for minimizing the risks of getting infected with all forms of malware including viruses and worms. If you do happen to get infected antivirus software can often help you fix the issue and remove the problem. In addition to antivirus software, Microsoft’s Malicious Software Removal Tool is an excellent free tool that offers malware removal options.

Practice Safe Internet Browsing – Educate your users and train them to limit their Internet activity to trusted sites to lower their chances of picking up nasty malware. Even if you patch and have anti-virus you could be pushing your luck if you visit untrusted sites as a 0 day vulnerability could be waiting to infect your systems and defeat the other security mechanisms you have implemented.

Online Banking Security – Another Town Bites the Dust

Just in case you thought I might have been crying wolf over the risks of online banking and the need to implement online banking security measures here is another report that proves the risks are very real. Another New Jersey city has become a victim of online banking fraud because they failed to implement adequate information security measures. The city feels confident they will recover most of the $400,000 that was lost but if I was a taxpayer in that area I would be very concerned about the lax information security practices that put the funds at risk to begin with.

The article linked above from Brian Krebs is a great read because it shows fascinating detail into the other end of the criminal process, how do the criminals get the money out without getting caught? Cyber thieves are utilizing social networking, job boards and a high unemployment rate to their benefit to recruit “money mules” that help move the money around quickly and minimize the likelihood of them getting caught. This is a good example of how the scam works and shows you what kind of thieves you are up against.

Remember online banking is convenient but a lot can go wrong if you are not taking information security seriously. Just as Brigantine, New Jersey could not rely on their bank to stop unauthorized transactions neither can you. The security of your financial health is reliant on you so get started today.

Information Security – Is it a productivity road block?

Image provided by http://www.flickr.com/photos/wwarby/

A recent survey conducted by Government Business Council shows that many officials in government agencies think information security is a barrier to increased productivity.The survey references blocked websites that prevents access to needed information and inability to effectively work remotely (presumably due to security limitations) as the primary pain points. An interesting but unsurprising side effect noted in the survey was that user’s who are blocked from getting information in one method will sometimes resort to utilizing less secure methods to access the information.

How do your users feel about information security impacting their productivity? If you have not asked recently through informal checks or surveys you may be surprised. They likely feel the same way and may be taking additional risk to access the information they are trying to get. It is important to balance information security protection with usability to ensure you are not missing opportunity or limiting productivity.

Some things to consider

  1. Information security requires continual education and engagement with your user community. It involves a give and take where you must educate and inform but also listen to feedback to ensure you have not set up unneeded barriers that negatively impact productivity
  2. As much as possible schedule security scans to occur at a less than peak time to minimize disruption. When this time is will vary by company so plan it based on your business requirements
  3. If you have implemented web filtering create a feedback loop so you can learn about web sites needed for business use that are being blocked inappropriately. Evaluate and take action as appropriate to show that you are listening and care about business requirements. This is an important step to building trust that will help further all of your information security objectives later on.
  4. Remember when people think security is a barrier they will be creative and potentially use unauthorized methods to get what they need. It is better to understand what user pain points are and help them be removed vs. giving an incentive to get around the barriers that could cause a big exposure.

In closing, be sure to build a relationship with your users so you can find out how they really feel and validate that your information security program is meeting business requirements.