IT Security: Preventing Insider Threat

A “logic bomb” isn’t really logical; it’s a virus designed to take down your corporate network and disable existing systems that may monitor data, protect it, back it up or access it. A logic bomb is designed to multiply like any virus and spread throughout a network, multiplying its effects.

An example in a Wall Street Journal story describes an employee at Fannie Mae who, knowing he is about to be fired, commits an act of workplace violence by installing a logic bomb set to detonate almost 3 months after his departure. The detonation would have taken the organization offline for almost a week and cost millions and millions of dollars.

In this true insider threat story, an observant programmer, still employed, noticed the code and disabled it before the damage could be done.

Think for a moment about your small business and how you would get in if you lost your keys. Maybe through an unlocked window? And if a burglar knew what you knew about where you hide that extra key? How much damage could he do, knowing what you know? Insider threats pose the same problem. They know the ins and outs of all systems in place and can wreak havoc on your operation while they are employed and sometimes after they are let go.

The problems begin when we put people in a trusted place. They are granted access because it’s their job to perform certain duties, and they are granted carte blanche access. Ultimately, IT security is a people problem and needs to be addressed that way.

Preventing Insider Threat

1. Limited Sources; only grant access to a few trusted sources. Minimize the number of staff who have access to whatever systems are in place.

2. Due Diligence; in the information age, our lives are an open book. Background checks from information brokers are very necessary. Not doing a background check increases your liability. A person previously convicted of a crime just might do it again.

3. Limit Access; even a good apple eventually can go bad. By restricting the access to even those who are in a trusted position, in the event they turn sour, they can only do limited damage.

4. Defense in Depth; audit, audit, audit. This is all about checks and balances. Separation of powers. Multiple layers of authorization. We’ve all watched the movie where in order to launch the missile there were 2 keys held by 2 people, who pressed 2 buttons in order for the missile to launch. Put systems in place that facilitate someone always watching over someone’s shoulder. This way the bad apple can’t hide or execute their malicious intent.

5. Prosecute the Guilty; in the event of a breach of trust, make an example of the person that others won’t forget. Public hangings set a strong deterrent.
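The two-key idea from item 4, sketched as an added example (not code from the original article): a privileged action runs only after two distinct authorized people sign off, the requester cannot approve their own change, and every decision lands in a hash-chained audit log. The class names, user names and the default of two approvals are assumptions made for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field


class ApprovalError(Exception):
    """Raised when a request would break the two-person rule."""


@dataclass
class ChangeRequest:
    requester: str
    action: str
    approvers: set = field(default_factory=set)


class DualControlGate:
    """Runs a privileged action only after distinct, authorized sign-offs."""

    def __init__(self, key_holders, required=2):
        self.key_holders = set(key_holders)
        self.required = required
        self.audit_log = []          # hash-chained so later edits are detectable
        self._last_hash = "0" * 64

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _audit(self, event, request, actor):
        record = {"event": event, "action": request.action,
                  "requester": request.requester, "actor": actor,
                  "prev": self._last_hash}
        record["hash"] = self._digest(record)
        self._last_hash = record["hash"]
        self.audit_log.append(record)

    def approve(self, request, approver):
        if approver == request.requester:
            self._audit("self_approval_refused", request, approver)
            raise ApprovalError("requester cannot approve their own change")
        if approver not in self.key_holders:
            self._audit("unauthorized_approver", request, approver)
            raise ApprovalError(f"{approver} does not hold a key")
        request.approvers.add(approver)   # a set: repeat approvals count once
        self._audit("approved", request, approver)

    def execute(self, request, run):
        if len(request.approvers) < self.required:
            self._audit("execution_blocked", request, request.requester)
            raise ApprovalError("not enough independent approvals")
        self._audit("executed", request, request.requester)
        return run()

    def log_is_intact(self):
        """Recompute the chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for record in self.audit_log:
            if record["prev"] != prev or record["hash"] != self._digest(record):
                return False
            prev = record["hash"]
        return True


if __name__ == "__main__":
    # Constructed scenario: names and the action are made up for the demo.
    gate = DualControlGate({"alice", "bob"})
    req = ChangeRequest("carol", "schedule job on production server")
    gate.approve(req, "alice")
    gate.approve(req, "bob")
    print(gate.execute(req, lambda: "job scheduled"), gate.log_is_intact())
```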

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Spring Cleaning Your PC

If your PC is bogged down with useless software and your desktop is jammed with icons and documents, then your PC is next to useless as a productivity tool. Even scarier is the increased likelihood that if you have lost track of your files, you could easily have sensitive personal information exposed without your knowledge.

Begin by emptying your trash, since these unwanted files are still taking up valuable space on your hard drive, then follow these tips for a cleaner, faster machine:

Organize software: Gather all your software disks and serial numbers, and back them up in two or three different locations. I keep all my software on the original CDs or DVDs, and I’ve also ripped copies, which I save in organized folders on external hard drives. (Ripping is the process of copying audio files, video files, or software to a hard disk.) This includes all your drivers, recent versions of browsers, antivirus and anti-spyware software, and any free applications you use.

Get Belarc Advisor: This free utility takes a snapshot of your entire system and generates a convenient list of everything that’s installed, including serial numbers. This helps you identify and eliminate bloat—programs with an excess of superfluous features that are unnecessary for users.

Remove old programs: If you have software that you haven’t used for at least a year, it is time to remove these programs from your PC, as they are taking up space and could contribute to slowing down your PC.

Eliminate clutter and back up important files: Delete files that aren’t important to you and organize the files that you want to save into clearly labeled, easy to find folders.

Defrag: If you have a Windows machine, find “disk defragmentation” in your programs menu to start this process.

Upgrade your operating system: Upgrades usually offer new features that can help your machine run smoothly, and often include security patches that keep your computer protected from the latest threats.

Clear your cache: Clearing your browser’s cache of temporary files and cookies can free up a lot of space on your hard drive. Search online for specific instructions on how to clean your browser’s cache.

Do a reinstall: Adventurous and tech-savvy types can bypass all of the above and do a full reinstall. This means gathering all your installation CDs, software and files on external CDs or drives and then wiping the hard drive clean.

If you need help identifying problems with your computer, try McAfee TechCheck, a free diagnostic tool that quickly scans your PC to pinpoint possible problems with your operating system, network, applications, hardware, or peripherals.

If you want help maintaining your computer or have more serious issues, check out the McAfee TechMaster service, which can rescue an ailing PC or help you set up and optimize a new computer or smartphone. They can also help you set up, troubleshoot, and protect monitors, printers, and other peripherals as well as help you set up a home wireless network—all from the comfort of your home! And McAfee TechMaster is available 24 hours a day, 365 days a year.

So before the summer rolls around, make sure you finish this last bit of spring cleaning.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

What Is Business or Corporate Identity Theft?

Business or corporate identity theft occurs when a thief uses an existing business’s name to obtain credit, or bills a business’s legitimate clients for products and services. Often, but not always, a Social Security Number of a company officer is required to commit business identity theft. Other identifiers, such as Federal IDs or Employer’s Identification Numbers, are readily available in public records, dumpsters, or internally, and the relative ease of access to these identifiers facilitates this crime.

NPR reports “Business identity theft takes many forms. Posing as a look-alike or sound-alike business to lure customers is one of them. But in many cases, shady operators go after information to tap into business’ credit and reputation. They change a business’s contact information, for example, then use it to obtain credit cards or order goods, skipping town before bills arrive.”

Perpetrators of business identity fraud are often employees or former employees with direct access to financial documentation. They have the opportunity to pad the books in favor of their scheming.

Victims of business identity theft often do not find out about the crime until significant losses accumulate, or someone discovers discrepancies on the books. Because of the hidden nature of the transactions, businesses can lose vast amounts of money. Business identity theft can remain undetected for years.

The most efficient way to prevent identity theft is with an identity theft protection service and a credit freeze. This will only protect the business when everything is done under an officer’s name and Social Security number. Otherwise this crime is difficult to prevent. It is vitally important to do all the things a consumer would do to prevent identity theft, such as shred documents, get a locking mailbox and make sure your network is secure.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Your New Best Friend May Not Protect You

Your mobile phone may arguably be your new best friend. There are few people, places, or things in our lives today that get as many hours of attention as your mobile phone or are with you as often (and for some of us, that means 24/7). Four out of seven people on the planet have mobile phones, because a phone really is a great companion that brings us into contact with all the actual people we love, media that entertains us, music that makes us feel good, and finances that help us eat.

But unlike a German Shepherd, your mobile isn’t exactly a security device. Certainly, it can help you get help, but we often forget that our smartphones are our most personal computer and are usually with us most of the time. Even though we use our smartphones for way more than just calling people, we don’t protect them like we should. Below are some tips from McAfee on mobile security.

Lock it: Configure your phone to lock automatically after two or three minutes, and to require a PIN to unlock. And make sure you’re not using a PIN like 1234 or 1111.

Install trusted apps: Only download from reputable app stores. Third parties are risky. Use crowdsourcing and check reviews before downloading any app.

Back up: Most smartphones have the ability to back up wirelessly, locally or to the cloud. Just like your computer, it’s good to do this with your smartphone on a regular basis.

Update your OS: Operating system updates are meant to patch vulnerabilities in your OS and allow it to play well with other apps.

No “jailbreaking” or “rooting”: These terms refer to the act of hacking your device so that it can go beyond the intended walls it was designed to stay behind. Those walls offer protection you won’t get otherwise.

Log out: Just like on a PC, before you close that window or walk away from the device, log out of any websites or programs. And remember, don’t “save” your information so that you can automatically log in the next time—if your mobile is lost or stolen, someone else can easily access your accounts or files.

Turn off WiFi/Bluetooth: If you aren’t using wireless services, shut them down. Open, unattended wireless connections are easy targets for criminals.

Don’t get scammed: Any emails or text messages you receive requesting personal information are usually scams. Unless you specifically initiated the conversation, just hit delete.

Don’t click links in emails or texts: Unless I’m expecting an email from a friend, colleague, or company as a result of an action I’ve taken, I don’t click links, since they can often result in your device becoming infected with malware. And it’s much harder to see if a link is not valid from your mobile device vs. your computer.

Install mobile security: Comprehensive security is as important and necessary for your smartphone as for your PC and even your Mac. And don’t forget that just like your computer, you need more than antivirus.

McAfee’s 10 Quick Tips To Mobile Security

http://robertsicilian.wpengine.com/wp-content/uploads/2012/04/MobileeGuide_Jan2012.pdf

You can download these tips in a PDF document to share with your friends and family.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

Consumer Banking Security Products & Services

Today’s banks aren’t your “Dad’s” bank. Having been around for hundreds of years, banks are a significant part of our everyday lives. Traditionally, banks haven’t been known for their “thought leadership” in technology, but today’s banks have to be cutting edge to compete and stay secure.

The conveniences of digital banking come with their own set of risks, which require upgrades in card technologies and authentication. In response, banks have provided numerous methods for protecting your personal information and also making your banking experience more secure domestically and internationally.

Multifactor authentication: This is generally something the user knows, like a password, plus something the user has, like a smart card, and/or something the user is, like a fingerprint. In its simplest form, it is when a website asks for a four digit credit card security code from a credit card, or if our bank requires us to add a second password for our account.

Key chain fobs: Some institutions offer or require a key fob that provides a changing second password (one-time password) in order to access accounts, or reply to a text message to approve a transaction.

Travel credit cards: Americans who travel abroad are finding that many smaller merchants and most unattended kiosks overseas won’t take their American-based credit card, leaving them high and dry and making cash a necessity and credit cards useless in these situations. Travelers can use their old magnetic stripe cards, but will often find resistance or outright refusal of acceptance.

In response, big banks are issuing new EMV cards, also known as “Chip and PIN” or smartcards.

SMS Banking: Banks know you are going mobile and have built secure infrastructure to accommodate banking on the go. One option might include receiving notifications of various banking transactions for security purposes. SMS banking is also handy when the consumer wants to check an account balance before heading to an ATM.

Ask your bank what they offer to keep you safe and secure. You’d probably be surprised at how much they have evolved with technology.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Merchants at Greatest Risk For POS Skimming Fraud

Over the past 5 years there has been a scam known as electronic funds transfer at the point of sale (EFTPOS) skimming. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services, and hackers have figured out how to skim customer cards.

BankInfoSecurity reports “The news is just one in a growing line of POS skimming fraud schemes. From the Michaels POS PIN pad swapping scam, which hit in May, to the Save Mart Supermarkets self-checkout breach announced in the last two weeks, merchant-level card security is garnering new attention.”

In Australia, fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted for card skimming.

Officials say the problem is so bad they urged people to change credit and debit card PIN numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

In the United States a similar card skimming scam was pulled off at the Stop and Shop Supermarket chain.

Anyone with inside knowledge of payments can easily hack a POS system. “Then they simply use tools to crack a Windows remote desktop – defaults at port 3389 – program’s password, and they are in.”

Here’s an abridged version of the protection tips against POS skimming fraud offered by BankInfoSecurity:

#1 Never affiliate the business name with the name of the Wi-Fi network.

#2 Upgrade POS equipment and software regularly, and continually change device passwords.

#3 Ensure payments systems comply with the Payment Card Industry Data Security Standard from end to end.

#4 Monitor network traffic.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

How Does Your Bank Protect Your Data?

Consumers tend to be oblivious to the various layers of security financial institutions utilize to protect their bank accounts. But having a better understanding of what occurs behind the scenes can help consumers adapt to influential new technologies.

The Federal Financial Institutions Examination Council responds to innovations and increases in cybercrime with updated security guidelines for banks and financial institutions. In January of 2012, new rules went into effect requiring banks to protect their consumers with increased security. One of the FFIEC’s key recommendations for eliminating fraud is consumer awareness and education.

Financial institutions have established a layered security approach that includes multi-authentication, which may involve requiring users to punch in a second security code or carry a key fob, as well as doing due diligence when it comes to identifying customers as real people whose identities haven’t been stolen. This defense-in-depth approach is all about assessing risk throughout multiple points on an organization’s website.

These layers of security include:

Device identification: Complex device identification identifies the user’s PC, mobile, or tablet. The next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences.

Out-of-wallet questions: “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” are examples of typical challenge questions, as opposed to out-of-wallet questions, which are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Malware prevention & detection: Many banks offer antivirus, anti-spyware, and anti-phishing tools from well-known security vendors as full suites of total protection products.

You can take comfort in knowing that your bank has systems in place to protect your investments. But you should also bear in mind that your own PC or mobile might be the weakest link in the process, so be sure to keep your device secure.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Top 7 Tips to Business Continuity In a Disaster

Whether it is a natural disaster, manmade disaster, terrorist attack or Murphy’s law wreaking havoc on your business, having an emergency plan of action is an absolute necessity to ensure business continuity and keep the organization running.

The Better Business Bureau has compiled basic tips for ensuring business continuity.

Don’t be caught off guard. Consider the different types of disasters—fire, flood, tornado, etc.—that can occur and how your business would respond differently to being displaced for a week, a month, or longer.

Know your surroundings. Determine alternate locations for your business to operate if you are displaced from your current building. This could mean enabling employees to work from home or finding an alternate location for your office or store.

Prepare your staff. Identify essential staff who are core to the operations of the business and keep a list of their phone numbers (home, work, pager, cell) and e-mail addresses that can be accessed by employees from several locations (home, Internet, etc.).

Communicate, communicate, and communicate. Devise an emergency communications plan that outlines how your business will communicate with employees, customers, vendors and other key external contacts in the days following a disaster. Contact vendors and suppliers to confirm their emergency response plan procedures. Be prepared to use alternate vendors for essential supplies and equipment. Have your data back-up equipment kept in good working condition.

Have an up-to-date inventory of your assets. Review your insurance policies to ensure that you have adequate coverage for items you cannot afford to lose. A standard policy may not cover business interruption losses.

Store your documents safely and efficiently. Keep duplicates of personnel, payroll, payables and receivables and other essential records at an off-site location. Regularly make back-up copies of important computer files.

Establish a succession of management for the company. Determine who will manage the company to ensure business continuity if key leaders are unavailable.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Business Security Measures to Prevent Fake Twitter Accounts

Hacking a business Twitter account seems to be a favorite pastime for those wanting some kind of retribution, and for others it’s just plain fun. Once the business’s Twitter account is hacked, its reputation is sullied, making it look like it isn’t protecting its clients’ data either.

In the past year, NBC, Fox News, USA Today and a CNN anchor were the most visible of those attacked. Here are some Twitter scams to be aware of:

Jacked Twitter Accounts: Accounts including those of President Obama, Britney Spears, and others were taken over and used to make fun of, ridicule, harass or commit fraud.

Social Media Identity Theft: Hundreds of fake Twitter accounts are set up every day. Sarah Palin, St Louis Cardinals Coach Tony LaRussa, Kanye West, Huffington Post and many others have had Twitter accounts opened in their names or names likened to them.

Twitter Worms: Worms infiltrating Twitter spread easily because rather than activating by clicking, users only needed to hover over a link to trigger an action.

Twitter as a Botnet Controller: Hackers are now using Twitter accounts to send coded update messages to computers they’ve previously infected with rogue code.

Twitter Phishing: If you receive a direct message or a direct message email notification that redirects to what looks like Twitter.com—don’t sign in. Look closely at the URL because it could be a scam.

Twitter Spam: The use of short URLs has made Twitter’s 140-character limit the perfect launch pad for spam leading to diet pills, Viagra and whatever else you don’t need.

#1 When experiencing problems, revoke all access to 3rd party accounts connected to your Twitter account.

#2 Change up your password every 6 months or when experiencing issues (whichever comes first).

#3 Don’t click links in DMs or your feed unless you uncover short URLs first.
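What “look closely at the URL” means in practice for the Twitter Phishing item above, as an added example that is not part of the original post: the check parses the link and trusts it only when the real host is twitter.com or one of its subdomains over HTTPS. The allow-list, the function names and every sample URL are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only domain a Twitter sign-in page should live on.
TRUSTED_DOMAINS = {"twitter.com"}


def check_login_link(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a link that claims to lead to a sign-in page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    # "https://twitter.com@evil.example/" shows the brand first, but the
    # browser connects to whatever follows the @ sign.
    if parts.username is not None or parts.password is not None:
        return False, "text before @ hides the real host"
    if not host:
        return False, "no host"
    # Punycode or non-ASCII labels are how look-alike letters get into a name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised look-alike host"
    for domain in trusted:
        # Exact match or a true subdomain; "twitter.com.evil.example" and
        # "nottwitter.com" both fail because the match is anchored on the dot.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host %s is not on the trusted list" % host


def triage(urls):
    """Check a batch of links and return only the ones that should not be used."""
    return [(u, reason) for u in urls
            for ok, reason in [check_login_link(u)] if not ok]


# Constructed sample links of the kind a direct message might carry.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/session",
    "http://twitter.com/login",
    "https://twitter.com@evil.example/login",
    "https://twitter.com.evil.example/login",
    "https://tvvitter.com/login",
    "https://xn--twitter-abc.com/login",
]

if __name__ == "__main__":
    for link, why in triage(SAMPLE_LINKS):
        print("do not sign in:", link, "->", why)
```

A shortened link has to be expanded to its final destination before a check like this says anything useful about it.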

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Online Banking Vs. Mobile Banking

While PC-based online banking is not much older than a high school student, mobile banking is still in elementary school. With the proliferation of smartphones, however, online banking’s younger sibling is quickly catching up to the slightly more established option.

Banking through your PC’s web browser offers a full menu of services. You can easily and conveniently schedule payments, transfer funds, add new payees, open new accounts, apply for loans, view current and past statements, and access information about specific checks that have been deposited. A PC or Mac allows you to view an extensive array of details and options, giving you full control of your accounts.

Mobile banking is very popular internationally. In some parts of the world, traditional banking infrastructure is not consistently available, and so mobile banking is the primary banking option. With a few exceptions, mobile banking, typically conducted via mobile application, offers the same basic features as browser-based online banking. In particular, mobile banking emphasizes “transactional” features, such as bill payments, check deposits (where available, this feature allows a customer to take a picture of a check to be deposited), mobile person-to-person payments, and balancing checks.

Mobile banking can also offer additional security by enabling text-backs, which employ a customer’s phone as a second form of authentication when using either browser-based or mobile banking.

If you use your smartphone to access your bank’s website directly, the website may recognize that you are using a mobile browser and automatically offer you a dedicated application. If not, search your preferred mobile market or app store to see what your bank offers. Either way, it’s a good idea to give mobile banking a try. It’s a time-saver that can often be more secure than traditional online banking.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures