Threats Feed

02/01/2012

Armed Robberies Hit Close to Home

Our local business community is up in arms about a recent string of (currently 9) armed robberies that have occcured over the last several weeks. Many businesses are now taking extra precautions to protect their valuables and their employees.

In a community targeted release about the situation, Hilliard City Police Department suggests that

"Every business should take an active part in making their business safe. Here are some suggestions to help prevent robbery:

  • Have at least two employees open and close the business
  • Install a robbery alarm
  • Place a surveillance camera behind the cash register facing the front counter with a digital recorder
  • Vary times and routes of travel for bank deposits
  • Keep a low balance in the cash register. Don’t leave large bills under the drawer
  • Place excess money in a safe or deposit it as soon as possible
  • Stay Alert! Know who is in your business and where they are.
  • If you see something suspicious, call the police. Never try to handle it yourself.
  • Use care after dark. Be cautious when cleaning the parking lot, taking out the trash, or going to your car after work.
  • Make sure to post important signs “Clerk cannot open the time lock safe” , “Premises protected 24 hrs by video surveillance”, etc.
  • Cooperate with the robber for your own safety and the safety of others. Comply with a robber’s demands. Remain calm and think clearly. Make mental notes of the robber’s physical description and unique characteristics."

Posted by Douglas Davidson at 10:31 PM in Information Security, Secure Value, Security Awareness, Security in the Business News, Threats | | Comments (1) | TrackBack (0)

| | |

04/04/2011

Aftermath of Epsilon Hack ... More FUD on Horizon, Third Party Verification Gets Boost, Confirm You Have Strong Passwords ...

Have you read or heard the news about the enormous hack at Epsilon which touts itself as the World's Largest Permission Based Email Marketing Services Company.  The hack affects a long list of major brands and probably includes some companies that you use. 

If you paid attention to the reports then you've heard that no credit card accounts or social security numbers were taken just millions and millions of email addresses and in some cases full names.

No big deal?  Maybe, maybe not.

Some security experts think it means more spearfishing attacks on businesses and individualsOthers don't think it is all that big of a deal

I predict three outcomes and suggest remedies:

First, the amount of FUD (fear, uncertainty and doubt) included in sales and marketing messages from your technology vendors will increase.  With each and every spectacular hack in the market FUD changes and morph to include the new event as a reason to "BUY NOW!" even as we see daily if the product in question doesn't safeguard against that kind of hack.  Be an informed buyer, particularly of items as critical as security technologies.

Second, this large scale hack will catch the attention not just of the security and audit teams at these firms but in the corporate suites as well resulting in greater attention to third party verification and vendor assurance programs. The list of companies affected include a host of major brands.  I've worked with small businesses that provide services to some of these firms.  We've helped these small businesses prepare their environments to meet vendor qualification requirements and we've helped these firms prepare for audits by the larger firms' audit departments as part of contracturally required vendor audits.  If your firm provides services that depend on confidential data from these firms or others with a similar profile be prepared to attend to a heightened audit process.

Third, the information stolen could be used to send targeted attacks to the customers of Epsilon's clients and that might put you at risk in two ways:

  • Targeted phishing attacks that look like legitimate messages from any of these companies are likely to be in our future. Know how to protect yourself from phishing attacks which Jacadis partner SOPHOS neatly outlines.
  • Accounts that depend on your email address might be at risk.  Better safe than sorry.  I would suggest you change your passwords on those accounts and make sure they are strong passwords.

What impacts to business and personal security do you think will be the aftermath of the Epsilon hack?  What fears do you have about how it impacts your business or yourself?

Related articles
Enhanced by Zemanta

Posted by Douglas Davidson at 08:38 PM in Living Securely, Online Business, Secure Value, Security Awareness, Security in the Business News, Small Business, Threats, Vendor Selection | | Comments (3) | TrackBack (0)

Technorati Tags:

| | |

05/13/2010

Go ahead and take the social media risk .... your competitors are ... BUT do it safely and securely!

SecureImage by Bindaas Madhavi via Flickr

Learning something new that you can use in your business doesn't just secure value ... it can help build value as well ... I had a chance to teach today as well as learn about related topics.  Here's a quick summary ... I"ll add some additional seasoning and follow up tonight and over the weekend.

I had a great day. 

This morning I spent time teaching entrepreneurs and small business managers who took the time to invest in some new skills.

I presented "Securing Social Media" to 15 members and guests of the Hilliard Chamber of Commerce. Chamber member Hampton Suites hosted the event.  Our take at Jacadis regarding social media is essentially "Go ahead and take the social media risk .... your competitors are ... BUT do it safely and securely!"  We discussed what risks faced both users and businesses and what should be done to manage those risks.

Then I got to become the student.

Jacadis endpoint security partner SOPHOS presented the findings of their Security Threats Report 2010 to the regular monthly chapter luncheon of ISACA - Columbus.   The representative from SophosLabs USA pointed out that their analysis of 80,000 daily identified malware cases showed:

  • Social media, because that's where the victims are, is the major growing attack vector.
  • Attacks continue in traditional vectors such as email and web.
  • Mobile computing attacks are beginning and we'll need to keep our eyes open, both as businesses and individuals, as that vector grows.

Some highlights that were consistent from both sessions:

Hacking activity has shifted from the lone amateur hobbyist (thick the role the young Matthew Broderick played in WarGames) to the professional organized criminal operating in a syndicate.

Any organization who pays people has sensitive information and systems useful to a cyber criminal.

Like any well thought marketing program hackers go to where the targets are ... and for now we are massing ourselves as targets in the world of social media.

What do you do about it?  Here's a start ...

Take a few minutes, at least, and write out your social media plans (a mission statement?).  Hold yourself accountable to that statement.

  • Make sure your computer is hardened and secure.
  • Know the tools you use particularly how to set and tune security and privacy settings.  This includes your computer, your browser(s), and your social media tools (which for most of us in the business world is LinkedIn, Facebook and Twitter at a minimum).
  • Use strong passwords.  Use a different password for every site you use.
  • Use discretion when browsing and networking online.  If it is too good to be true it probably is.  If an email or tweet or wall posting tugs at your emotion, your vanity or threatens dire consequence if you don't follow that link "NOW!" don't!  Don't post things online you don't want Mom to see.

Once you've secured your own work environment ensure that the same is done for your business.

  • Work from a written plan.  Define your values for using social media in a written policy published throughout the company.
  • Ensure through professional IT participation that systems and tools should be used properly.  Find someone to check their work (I, of course, am biased that that someone, regardless of the size of your business is Jacadis).
  • Require the use of strong passwords.
  • Teach your staff how to properly use browsing and networking online to enhance their jobs and run and grow your business.

And again ....

Go ahead and take the social media risk .... your competitors are ... BUT do it safely and securely!

Reblog this post [with Zemanta]

Posted by Douglas Davidson at 06:29 PM in Information Security Basics, Policy, Risk Management, Secure Value, Small Business, Social Media, Speaking Engagement, Threats | | Comments (0) | TrackBack (0)

Technorati Tags: ,

| | |

05/12/2010

Could your data be held hostage?

Secure Value by knowing what your valued information assets are and where they are collected, stored and processed.

This originally appeared on my business partner's blog Thought in May, 2009.  The type of crime from the news report that motivated his post is still relevant to you securing your business.

Many of you have heard me mention the “Cyber Mafia.” Some of you chuckle, grin, and raise your eyebrows at first. The rest of you know organized crime is a prevalent and dangerous threat. To drive this point home, I want to share a security incident I read about in the Washington Post this week:

“A posting on Wikileaks.org claims that cyber attackers stole data of about eight million patients from the Virginia Department of Health Professionals' Virginia Prescription Monitoring Program website; they are demanding US $10 million in ransom for their return. The intruders claim to have encrypted the database and protected it with a password. That particular site is presently unavailable as are several others related to the Virginia Department of Health Professionals. The ransom note says that if the money is not paid within seven days, the data will be offered for sale. Federal and state authorities are investigating.”

Cyber extortion isn’t a new threat. Crime syndicates have used massive botnets to launch denial of service attacks against gambling and gaming sites before. Only when the ransom is paid does the DOS attack stop. “Protection” is then offered, for a fee of course, to prevent other criminals from launching additional attacks. But what about taking sensitive information, claiming exclusive access, and threatening to sell that data? Sure it’s also been done before, but this attack is overt and gutsy.

If it’s really that easy to steal 8 million identities from a government agency, then this is a signal to other criminals that there’s money to be made and the fields are ripe for harvest.

I predict there’s more of this to come. But please don’t be fooled -- you don’t have to be a state or federal organization to be targeted. Public, private, or non-profit, if you store, forward, or process confidential and personal information (PHI, SSNs, CCNs, etc.) for clients or employees, then you need to carefully consider the following questions:

1. What’s valuable to your organization, where is it stored, and how is it forwarded and processed within your company?

2. Who has access to it, how do they access it, and from where is it accessed?

3. What does the law say about your security practices from #1 and #2. Do you have a plan to close the gaps?

4. Do you frequently verify that security safeguards are functioning as designed?

Meet with your IT management and Executive team to find the answers. This is more than firewalls, antivirus, and a good security policy. If these answers aren’t “at your fingertips” or available within 1 business day, then we need to connect and chat.

Security focused,

Simon

See other security focused articles from Simon at thought.jacadis.com.

Posted by Douglas Davidson at 09:24 AM in Compliance, Information Security, Information Security Basics, Policy, Risk Management, Secure Value, Security in the Business News, Small Business, Threats | | Comments (0) | TrackBack (0)

| | |

02/24/2010

Secure Value by Understanding the Criminals in the Digital Neighborhood

Highland Park's Only Gated CommunityImage by waltarrrrr via Flickr

I just got a crack at reading Deloitte’s new Center for Security and Privacy Solutions' report titled Cyber Crime: A Clear and Present Danger.  It is a quick 16 page read and worth it for any entrepreneur or emerging business innovator, CEO or COO.

We are building business in a digital world.  Knowing the neighborhood, so to speak, is important.  Along with all the good things things about the neighborhood -- effeciency, effectiveness, new markets, new products and services, collaboration -- comes new forms of crime, new scams, new ways that our business dreams can be damaged or destroyed.

My business partner at Jacadis, Simon Herring, often speaks of our efforts as cyber security and risk professionals at protecting 10-foot walls againts 11-foot ladders.  The reports key finding "Threats posed to organizations by cyber crimes have increased faster than potential victims—or cyber security professionals—can cope with them, placing targeted organizations at significant risk.

In interpreting the survey responses Deloitte reports that "cyber crime constitutes a significantly more common and larger threat than respondents recognize."Bluntly cyber criminals are innovating in the digital marketplace just like the rest of us; only their innovation is outpacing what are traditionally considered best practices.

The report in Deloitte's words "is directed toward senior leaders including CIOs, CSOs, CROs, operational risk managers, government agency budgeting and procurement professionals, and other executives and professionals with decision-making roles in the security of their organization’s IT environment and of the assets within that environment.

It is a quick 16 page read and worth it for any entrepreneur or emerging business innovator, CEO or COO.  It is worth reading for those in the IT audit profession as well.

Some trends pointed out in the report:

  • Cyber attacks and security breaches are increasing in frequency and sophistication, with discovery usually occurring only after the fact, if at all.
  • Cyber criminals are targeting organizations and individuals with malware and anonymization techniques that can evade current security controls.
  • Current perimeter-intrusion detection, signature-based malware, and anti-virus solutions are providing little defense and are rapidly becoming obsolete—for instance, cyber criminals now use encryption technology to avoid detection.
  • Cyber criminals are leveraging innovation at a pace which many target organizations and security vendors cannot possibly match.
  • Effective deterrents to cyber crime are not known, available, or accessible to many practitioners, many of whom underestimate the scope and severity of the problem.
  • There is a likely nexus between cyber crime and a variety of other threats including terrorism, industrial espionage, and foreign intelligence services.
Or more simply put.  You lock your office, warehouse, storage, retail, etc. facility because leaving the door open would invite a criminal. 

Do you lock your digital doors?

Does your business design, operation, IT infrastructure invite criminals?

The report can be found at: http://www.cio.com/documents/whitepapers/CyberCrime.pdf.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted by Douglas Davidson at 10:56 PM in Competitive Advantage, Information Security, Information Security Basics, Innovation, Online Business, Secure Value, Threats | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

| | |

01/29/2010

Secure Value by Understanding that Cybercrime Increasing Faster than Company Defenses

How are your company's defenses? Don't forget to tend to them as your run and grow your business!

Tonight I read the 2010 CyberSecurity Watch Survey.  "The 2010 CSO CyberSecurity Watch Survey was sponsored by Deloitte and conducted in 2009 in collaboration with CSO Magazine, the U.S. Secret Service, and the CERT Coordination Center at Carnegie Mellon."

The report hit close to home because in the past 30 days we have:

  • begun projects with several firms that have had web sites targeted and attacked;
  • assisted a firm manage an longstanding employee out of the organization because he had "quit and stayed", taking an offer from a competitor while continuing to "work", explore available confidential information and download it, and;
  • developed an incident handling and forensic process for a large Software as a Service (SaaS).

The report is a quick read (16 pages).  I suggest you dive into it and then use it to talk to your HR and IT management to make sure you are properly protected.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted by Douglas Davidson at 12:02 AM in Risk Management, Secure Value, Security in the Business News, Small Business, Threats | | Comments (0) | TrackBack (0)

| | |

10/14/2009

Secure Value by Understanding Common Threats

DangerImage by zenonline via Flickr

Understand the common threats to your business and think about how to prevent them, detect them and respond to them before they occur

Threat models are commonly used in information security analysis to illustrate the potential for risks to impact an organization. The threat model is used to describe the characteristics of a given threat and the harm it could to do a vulnerable system. 

 If we do a project where we identify threats scenarios we’ll go into detail.  At a simple level we’ll identify the pieces of the threat scenarios including the actor (WHO), the action (HOW), the motivation (WHY), the vulnerability exploited (think WEAKNESS) and the potential impact (think DAMAGE). 

We do not address the probability of these events occurring which in most cases is impossible to predict accurately.

Over your morning coffee run through these common scenarios and ask yourself if you how they would impact you:

 A trusted employee decides to:

 ·         Download unauthorized software from the Internet which contains a Trojan horse or other malicious software. 

·         Disable antivirus scanning prior to the download of an emailed MS Office document.

·         Transfer information from a third-party computer to their work computer bringing in a virus or other malicious software into the company. 

·         With any number of portable memory devices data is copied from the network and is stolen undetected.

A disgruntled employee decides to retaliate against your company:

 ·         With knowledge of the backup tape courier routine the tape drop off is intercepted and the information contained on the tapes are used to attack your company’s reputation or are used for material gain.

·         With any number of portable memory devices data is copied from the network and is stolen undetected.

 A former employee decides to retaliate against your company:

 ·         With a haphazard termination process the former employee uses his/her still active network access and credentials to damage or steal information from an outside location.

·         With a haphazard termination process the former employee gains access to a company facility and uses his/her still active network credentials to damage or steal information from an outside location.

An authorized visitor or an unauthorized visitor or intruder penetrates one of your company’s facilities and:

 ·         Unchallenged as they walk the floors of the facility they exploit targets of opportunity such as unlocked, unattended systems, backup tapes set unsecured waiting for courier pickup, etc.

 A third party caretaker of your company information has a security incident.  While that incident may not impact your company network, your company has no controls to prevent that incident from impacting your company at a business level.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted by Douglas Davidson at 11:58 PM in Information Security, Secure Value, Threats | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

| | |

My Photo

About

TypePad Profile

Get updates on my activity. Follow me on my Profile.

Categories

Twitter Updates

    follow me on Twitter
    Blog powered by TypePad
    Creative Commons Attribution-ShareAlike 3.0 Unported