Data Breaches: How To Protect Your Business From Internal Threats

The biggest threat to your data may not come from external hackers. Find out how to guard against intentional or accidental internal cyber breaches.

14DThe NSA leaks we keep hearing about are a constant reminder of just how vulnerable data is and how this vulnerability can result in data breaches by organization insiders. As Reuters reported, “Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.” It’s apparent now that the nation’s most significant intelligence and security team failed to install the most up-to-date, anti-leak software.

This news coincides with two recent reports that show insiders are becoming the most significant reason data breaches proliferate. While threats to data security and privacy are often perceived to come from the outside via criminal hackers, recent research has marked internal threats as equally dangerous to customer/client data—whether breached on purpose or by accident.

According to a recent Forrester Research report titled “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company, while 36 percent of breaches were caused by employee mistakes, making it the current top cause of most data breaches.

Another report, from MeriTalk, which focuses on the federal government, found that 49 percent of breaches happen when employees bypass existing security measures, such as when they’re Web surfing or downloading email or other files. If the federal government can’t protect itself against data leaks, how can small-business owners expect to adequately protect their business data? Let’s take a look at how these data leaks are happening to find out how you can protect against them.

Cracking The Code

We’re at a point where companies interested in protecting their data have invested significant resources into fighting off network attacks from outsiders by incorporating numerous layers of security, such as firewalls, antivirus software, antispyware, antiphishing software and security awareness training, but they’re leaving their data vulnerable to their employees. Companies may have malicious, Edward Snowden-like insiders who hack the network for information, including fellow employees’ passwords.

Or, on the less malicious end of the spectrum, employees may just make simple mistakes that leave the network vulnerable to data breaches. Because of this “hidden” vulnerability, company networks are often compared to candy bars that are hard on the outside and soft and chewy on the inside. Additional risks revolve around savvy employees who might have good intentions but may make the network vulnerable when they go outside existing security measures. They may find themselves forced to do this because of restrictions that prevent them from getting their jobs done.

The Meritalk study found:

  • 66 percent of federal network users believe security is time-consuming and restrictive.
  • 69 percent say their work takes longer because of additional cyber security measures.
  • One in five users report an inability to complete work because of security measures.
  • 31 percent of users work around security measures at least once a week.

Forrester found:

  • 36 percent of breaches stem from inadvertent misuse of data by employees.
  • 42 percent received training on how to remain secure at work, which means 58 percent haven’t had training at all.
  • 57 percent say they’re not even aware of their organization’s current security policies.
  • 25 percent say a breach occurred because of abuse by a malicious insider.

Guarding What’s Yours

The most important thing companies can do is to put the right security measures in place. Employees who need identification include those who are known to access critical data resources, such as those in accounting, human resources, administration, legal, personnel and account management as well as company officers and various contractors. Looking at data flow—that is, where data might be either vulnerable, shared across departments or bottle-necked—companies should work with each critical department to gradually implement security controls that create a delicate balance of security and productivity for day-to-day activities.

Data loss prevention begins with data discovery, classifying data in need of protection, and then determining what level of risk your company may face. Then you should complete a cost/benefit analysis and review the various technologies that can integrate with your existing systems. These include data loss prevention (DLP) technologies that provide real-time network activity monitoring, as well as system status monitoring from the inside out and the outside in.

The goal is to limit who has access to what data as well as determine why the person needs it. It’s also important to look for your vulnerabilities from outside attacks. DLP can simultaneously determine when employees are circumventing security because the system may be prohibiting them from getting their job done.

Other procedures and tools you might want to consider implementing include:

  • System-wide encryption
  • Tools that report alerts and events
  • Inspection access controls
  • Password management
  • Multifactor authentication
  • Device recognition
  • Data disposal for e-data, paper data and discarded devices
  • Transparency

This last one is critical because the more transparent your network security and security policies are, the more effective each department will be when communicating its requirements, needs, wants and differences.

The battle to fight criminal hackers from the outside must not hinder your employees’ progress on the inside. At the same time, you must protect against internal threats from employees, which is an equally dangerous risk that your IT department must acknowledge—and work to secure quickly.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Ransomware Attacks Small Businesses

The rate of malware (ransomware) attacks on small businesses climbs at an alarming rate. The security firm McAfee warns that soon, attacks that come through social platforms will be “ubiquitous.” Small businesses are typically not able to subsidize the internal security placements to fend off these attacks, which mostly come from abroad.

6DRansomware blocks your access to data, and the DoS (denial of service) attack threatens to crash your website unless you pay an extortion fee. It’s more organized, it’s more efficient, it’s more automated, it’s more stealthy.

While some businesses give in to DoS extortion demands, others won’t have it. Attacks usually start with relatively small demands, such as $300, to see who’s game. The demands will get pumped up into the thousands quickly once a businessperson pays the initial demand: Pay once, and it’s never over.

If you get a DoS, roll with it; have the extortionist think you need time to prepare payment. Then collect all relevant e-mails and other information for your defense—but not for the police (who lack tech savvy) or the FBI (unless the loss exceeds $5,000), but for your website hosting provider.

The hosting company can collect traffic logs and often can activate DoS defenses or link you to a provider of advanced DoS resolution.

A virus, however, is a different story. Once the virus gets in there and attacks your information, it’s pretty much game over.

Bottom line: Don’t pay the ransom unless you want escalating demands or the strong possibility the extortionist won’t unlock your data after taking your money. A DoS attack will render your site down for days and can permanently lose data and upset visitors.

To avoid a DoS, go anti: virus, spyware, phishing, and use a firewall and run backups. Train your employees well. You have to be conscious of where you’re going and what you’re clicking on.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Medical Identity Theft Protection And Prevention

Identity theft can be fatal to the victim — if it’s of the medical kind. Medical ID theft can result in getting the wrong blood type during a transfusion, the wrong diagnosis or the wrong prescription — all because the thief’s medical history gets integrated with the victim’s.

4DI hope you’re scared, because that’s my goal.

Up to 43 percent of ID theft is medical, says the Identity Theft Resource Center. The nonfatal fallout of medical identity theft can be quite dastardly, like the crook using your private data to commit other forms of ID theft.

Prevent Medical ID Theft

  • Always review your medical bills. Is a bill for service your child never received?
  • Never give your health insurance card to anyone for their use.
  • Shred medical documents you no longer need, including prescription information.
  • Every year, examine your credit report from the big three outfits.
  • Give your health insurance card the same protection you’d give a credit card. Contact your insurance company asap if it gets lost. In police reports, include it as a loss if it’s stolen.
  • If news breaks of a data breach involving a company you use, inquire about this.
  • Be especially alert to reviewing documents if you’ve been receiving extensive medical treatment.

Suspicious Activity

  • Call the provider and insurance carrier if you spot an unfamiliar charge on a medical bill.
  • Save all relevant documents and record the names of every person you connect with and the dates.
  • Contact the big three credit reporting agencies.
  • Filing a police report may be necessary.
  • If you’ve already been the victim of medical ID theft, inquire about the accuracy of your records with your provider, and request a copy of the records.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Hidden Covert Cameras found in Woman’s Home

Nicole Muscara’s alarm clock acquired an alarming feature: a hidden camera placed by a stalker. She discovered something odd when she one day set the alarm; it wasn’t her clock.

CAMStories like this are happening more commonly. Recently a Kansas City, Missouri woman discovered 11 hidden cameras in her apartment—placed there by her landlord.

As for Muscara, turns out a good friend of hers (whom she had initially refused to suspect) had put in the camera clock.

It’s common to not know you’re being stalked, or if you do, not know whom the stalker is. The stalker is an unhealthy person who feeds on the energy of their victim to get through the day.

It’s tough to keep track of the prevalence of stalking, especially with today’s technology, with predators spying via webcams and other schemes.

Consider the following recommendations for protection:

Take note of unwanted attention. Does anyone keep texting you, for instance, even though you don’t like this? Is someone continuing to make unwarranted comments or advances even though you’ve told them to stop? Who has access to your home even though you don’t trust them?

Set up a home security system. They’re now wireless, cheap and portable. Wireless IP cameras can connect to your Internet and you can watch your home via smartphone.

Shield your hotel room’s peep hole with paper. A creep can get a “reverse peep hole” and watch you from the outside in.

Get a wired/wireless camera detector. Cameras that creeps use are tiny and hard to spot visually. A reliable camera detector (costs at least $100) will scan your home/hotel room.

Call the police. If you “feel” someone is watching you, your sixth sense may very well be correct.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

6 Tools to protect your Privacy Online

The more advanced that communications become, the more likely your personal information is getting leaked out—every time you search the Web, send texts or e-mails, etc. Your private data is literally “out there.” However, there are six software programs to protect your privacy online.

1PExpiration date tag. Files, photos and messages are tagged with an extinguish date, then erased from your smartphone. The iOS and Android application for this is Wickr and it’s free. The only content that passes the wire is encrypted. The user’s device will encrypt and decrypt.

Block the intrusion. Where you go on the Web is tracked so that advertisers know what to market to you, but this technology is intrusive. How would you like to return the favor? You can with the free Ghostery service, an extension for the main Web browsers. It records who’s tracking your online activity, providing you information on these entities. You can instruct Ghostery to block such activity.

Multi-prong privacy features. This free program produces disposable e-mail addresses; e-mails are forwarded to the user’s main address, but a detection of spam will shut off e-mails; a login and password manager will keep track of multiple passwords and also help generate strong new passwords.

These features come with an extension for the Firefox and Chrome browser and is called MaskMe. Additional masking features come for $5/month, such as a one-time credit card number.

Easy encryption setup. If that can ever be easy, GPG Suite has made it so. With this Mac-only software, you can set up public and private encryption keys. The encrypted message, which works with Apple’s Mail, is sent by clicking a lock. The GPG Keychain Access component searches for and stores another user’s public key, plus import and export keys. The suite is supported by donations.

Stay anonymous. Today’s technology can identify you simply based on your online search history. Your search terms are retained by search engines, but if this data gets in the wrong hands, it could spell big trouble, or more likely, just be plain embarrassing.

DuckDuckGo is the alternative, as it does not record your search terms or leave them with the site you visit. It doesn’t record your computer’s IP address or the browser’s user agent string.

 VPN Use a VPN to be protected from cookies that track where you’ve visited. Knowledge of where you’ve visited can be used against you by insurance companies and lawyers, to say the least; you just never know what can happen when something out there knows your every online move.

A VPN will encrypt your online sessions with an HTTPS security feature, protecting you from non-secure Wi-Fi such as at airports and hotels. VPN will mask your IP address from tracking cookies. Hotspot Shield is a VPN provider that’s compatible with Android, iOS, Mac and PC, running in the background once installed.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Children significantly affected by Burglary

Here’s why you should never assume that burglary won’t have negative effects on your children.

2BVictim Support, an independent charity, and home security specialist ADT, have new research findings: Children who’ve experienced a home burglary are more likely to have problems at school and sleep difficulties.

Ten percent of the participating parents said their child’s school performance was negatively affected, and one-fourth of parents reported that their child had problems sleeping, post-burglary.

Bedwetting was a problem, according to 10 percent of the parents. One-third reported that their kids’ sense of personal safety was affected.

The investigation also turned up that the psychological impact of burglary can have a long lasting negative effect on children.

So what does this mean for adults, who, as children, experienced a home burglary?

One-third of the participants in the study, whose homes were burglarized when they were kids, believed that this experience was affecting them as adults. Thirty percent slept with the light on; 44 percent preferred to sleep with another person in the home.

Back to the effect that burglary has on children:

Forty percent of parents reported that their kids needed mental support after the crime.

There was a separate survey of 53 young victims of the crime, and the results indicate that the negative effects may be greater than parents realize.

About one-third of these young victims admitted they still have nightmares, and said that the burglary impaired their self-confidence.

Victim Support and ADT have launched The Take No More campaign. The purpose is to change the way people view and respond to burglary. The campaign calls for harsher sentences for criminals who target homes with children.

For the next three years, Victim Support and ADT will be working on this campaign, which will include free crime prevention schemes for members of a household. Also on the roster is increasing awareness of the support services that are available for victims of burglary, and the drive to get justice for victims.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

What is a Backdoor Threat?

Did you accidentally leave the back door open? This thought can be scary because you know that leaving the back door open at home could allow someone to enter your home and take your personal belongings.

6DThe same is true for a backdoor in the computer world. It is a vulnerability that gives an attacker unauthorized access to a system by bypassing normal security mechanisms. This threat works in the background, hiding itself from the user, and it’s very difficult to detect and remove.

Cybercriminals commonly use malware to install backdoors, giving them remote administrative access to a system. Once an attacker has access to a system through a backdoor, they can potentially modify files, steal personal information, install unwanted software, and even take control of the entire computer.

These kinds of attacks represent a serious risk to users of both computers and mobile devices since an attacker can potentially gain access to your personal files, as well as sensitive financial and identity information.

Say, for instance, an attacker uses a backdoor to install keylogging software on your computer, allowing them to see everything that you type, including passwords. And once this information is in the hands of the cybercriminals, your accounts could be compromised, opening the door to identity theft.

Here are a few tips to protect you from back door threats:

  • Use comprehensive security software on your computers and mobile devices, like McAfee LiveSafe™ service, to protect you from malware.
  • Never click on an email attachment or a link sent from people you don’t know and watch what you download from the web.
  • Be careful about which sites you visit, since less secure sites could contain a so-called “drive-by download”  which is able to install malware on your computer simply by visiting a compromised web page. You can check the safety of a website before you visit it by using our free McAfee® SiteAdvisor® tool, which tells you if a site is safe or not right in your search window.
  • Only install programs that you really need, minimizing your exposure to potential vulnerabilities.

Make sure you don’t leave any back doors open. Stay safe online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Private Identifiers Not Private

Today’s commerce occurs very much online, with products and services ranging from A to Z. Hence, these many online merchants have hundreds of millions of people around the globe registered with them for convenient purchases.

1PTo verify authentication as the true user of these services, the registrant must supply personal data. If cyber criminals get ahold of this data, much of it can be changed by the user after the breach, such as user name, password and even the address they’ve been using.

However, the Social Security Number and date of birth cannot be changed. When cyber crooks get personal data off of these online retailers and service providers, it invades the customer’s privacy.

Online enterprises must take full responsibility for stolen data. It’s a real serious issue when permanent (“static”) data like DOB and SSN is breached, as opposed to temporary data like a password or answer to a security question.

Of course, the registrants to these sites do bear some culpability when they post their personal data in the public domain. But business sites make posting personal data a requirement to use their site. Unique data like the SSN should not be a requirement.

The online commerce world should know that such a requirement destroys confidence in current and potential customers, and that their competitors who abandon this practice will have the upper hand in gaining and retaining business.

More and more users are realizing that the security systems of online enterprises are weak, putting users at risk for identity theft—a risk that they’re catching onto.

NSS Labs, Inc., a world leader in information security research and advisement, has the following recommendations:

  • Online businesses should limit requiring data that can be shared among other enterprises.
  • Online enterprises should be designed with the anticipation of possible data breaches; this way they’ll minimize risk and be more prepared to mitigate problems.
  • Third-party data breaches should be analyzed by online companies to protect users if data seeps out.
  • “At risk” users should be able to be re-authenticated.
  • Governments need to reassess the idea of using static data like DOB and SSN.
  • Online enterprises must embrace the possibility that legislation will eventually make it illegal to require SSNs from users.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures

10 Ways you may get Hacked this Summer

Can you name 10 ways you can get hacked this summer? I can.

Hotel Hacking

4DThose hotel electronic card locks for doors aren’t as secure as you think. A criminal attaches a little electronic gizmo beneath the lock, and presto, he’s in your room. You can’t stop this, but you can make the burglary worthless by not leaving valuables in your room. Always have your door locked overnight.

Car Hacking

Forget the bent coat hanger trick — that’s for rookies. But even a dimwitted thief could hack into your car this summer. For only $5, the thief buys a “black box,” a key fob spoofer, that electronically forces car doors open. Short of disabling your keyless entry, what you can do is park your car in lighted areas and keep valuable out of it. Or have your mechanic install a kill switch.

Credit Card Skimming

Criminals set up those card readers at stores with devices that will steal your card information. If you can’t pay with cash, use a credit card since there’s a delay in payment, whereas a debit card takes money from your account at the point of purchase. Keep a close eye on your credit card statements and bank account.

Hacking a Charging Phone

Avoid charging up your phone at a public kiosk. It doesn’t take a mental giant to install malware into these kiosk plugs. Once your phone gets plugged in, it’ll get infected. Use only your plug or wall outlets.

Finders Keepers Finders Weepers

If you happen to find a CD-ROM or thumb drive lying around in public, leave it be, even if it’s labeled “Hot Summer Babes at the Seashore.” You can bet that a crook left it there on purpose and wants you to plug it into your computer. You’ll end up installing malware that will allow the thief to remotely control your computer.

Phishing for Victims

You get an e-mail with a striking message in the subject line such as “Pics of you drunk at my party!” A percentage of people for whom these messages apply to will open the e-mail and take the bait: a link to click to see the photos. The link is malware and will infect your computer.

Wi-Fi Sharing

Using a public computer is always risky, as anyone can monitor your online actions. Hackers can even “make” your device go to malicious websites that will infect your device. Stay away from public Wi-Fi or use a VPN (virtual private network) like Hotspot Shield. A VPN will protect you summertime and all time at public WiFis.

Photo Geotagging

Every time you take a picture and post online, your location will be up for grabs in cyberspace, unless you’ve disabled your device’s geotagging.

Social Media

Beware of clickjacking and XSS. Clickjackers place a phony screen over an obscured malicious link, luring you to click. The hidden link then is triggered and gives the hacker your contacts, taking you to a malicious site. XSS puts a malicious script right in your browser that will install malware. So be judicious about clicking on popular videos and whatnot.

Airplane WiFi Hacking

Connect while 35,000 feet high and you can be revealing all sorts of private goodies. Airplanes lack online security. The aforementioned VPN is your best bet when connecting to airplane WiFi

Start your summer off securely by avoiding becoming a victim of hackers.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

10 Tips to Protect Yourself on Social Networks

With the prevalence of mobile devices, more than ever, it’s easy for us to share our lives with the world. And yes, social networks are all about staying in touch with friends and family, and sharing events in your life, but perhaps it’s too easy to share information?

14DWith just a few clicks, posts and messages, you could give away enough personal information to compromise your privacy and even open yourself up to identity theft. So that’s why it’s critical that you know how to protect yourself when using these sites. Here’s my top 10 list:

  1. Remember the Internet is permanent: Assume that once you put information on the site, it stays there forever. Even if you delete the account, you don’t know if someone has already printed/copied your text or photos off of it.
  2. Be selective when accepting a friend: Do you really know that their profile is real and not fake? Only “friend” people you know in the real world.
  3. Exercise caution when clicking on links: Even if they’re from friends. Hackers prey on social networks because you are more likely to click on something from your friends. Also be wary of offers with the word “free” in them, or ones that sound too good to be true, as they usually are.
  4. Manage your privacy settings: Make sure that you are only sharing information with friends and family and check them regularly in case there are any changes.
  5. Be aware of the fact that the information you share on one social network may be linked to another: For instance, a photo you post to Twitter may automatically post to your Facebook profile.
  6. Don’t reveal personal information: Be suspicious of anyone who asks for your personal information online and never share your home address, phone number, Social Security number, or other personal identifying information.
  7. Turn off the GPS function on your smartphone camera: If you plan to share images online, make sure that you turn off the GPS on your device to keep your exact location private.
  8. Don’t enable auto login: Make sure that you don’t have your apps set to automatically log you in and that you don’t have your computer’s browser “remember” your login and password. That way if someone does get access to your devices, they can’t automatically access your social sites.
  9. Change your passwords frequently: Choose hard-to-guess passwords that are at least eight characters long and a combination of letters, numbers, and symbols, and change them regularly. Also make sure you use different passwords for each account.
  10. Close old accounts that you don’t use anymore: Don’t risk leaving personal data in an old account, such as a MySpace page you haven’t used in years, or on an online dating site you no longer need. Instead, close the accounts you don’t use and delete as much personal information from them as possible.

Social networking is meant to be fun…let’s keep it that way by staying safe online. 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.