USB Drives – With Convenience Comes Risk

I’m sure most of us have used a USB drive (or thumb drive) at one point or another. They are super convenient to transfer files, especially when they are too large for email or you don’t have access to an Internet connection.

2DBut it’s this same convenience of being portable, readily available, and inexpensive that make them a prime target for cybercriminals. There’s a number of ways that these devices can fall victim to the underworld.

Because USB drives are primarily used to share and transfer files, it’s an easy target for hackers who are looking to distribute malware. And because most USB drives are set to auto-run (meaning that when you plug it into your computer, it will automatically open up the drive), the malicious software could be automatically transferred to your computer as soon as you plug this in. So once they get you to copy an infected file to the USB drive, it’s easily spread to other computers every time the USB drive is plugged in.

While their small size and portability make them easy to carry in your pocket or pretty much anywhere, it also makes them susceptible to loss or theft. Depending on what type of information is stored on here, losing this device could expose your personal information. A USB drive could easily be misplaced, dropped or taken from a table so it’s important to be careful when using these devices.

Another thing to keep in mind is that files aren’t really deleted, even if you hit the “delete” button to take something off your USB drive. In this case “delete” really means “hide” so unless you run a “wipe” program to really get rid of the files, someone could still retrieve your data, so you still need to make sure you are careful with these devices.

So here’s some tips how can you ensure that you stay safe and protect your information when using USB drives:

  • Watch your USB drive – don’t set it down and make sure you keep track of it so it’s not lost or stolen.
  • Disable auto-run – Turn off auto-run on your computer so that if a USB drive has malware, then it won’t automatically be transferred to your machine.
  • Be careful who you share your USB drives with – Be careful what computers you place your USB drive in and who you let borrow your USB drive.
  • Use comprehensive security software – make sure your security software not only scans your computer for threats, but also any drives that are attached.

Remember just as with being online, we need to make sure our conveniences don’t expose us to risk.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Study Shows Businesses not prepared for Attacks

Amazing: With the proliferation of cyber attacks globally, most businesses are ill-prepared to deal with this, says research from the Economist Intelligence Unit and Arbor Networks.

1DPerhaps businesses have an “It won’t happen to us” mindset, even though hackers steal the most sensitive data, force the company to make enormous payments to fix the situation, and crush its customers’ trust, in turn damaging future profits. It’s a pebble-thrown-into-a-pond effect: Those ripples just keep going out and out.

Haven’t companies learned from that giant retailer breach in December of 2013? That big retailer was left toppled. Companies don’t realize that if they nickel-and-dime security, they’ll get what they pay for.

The research turned up the following after surveying 360 senior business leaders in organizations nationwide and in Europe and Asia-Pacific:

  • 77 percent experienced a security breach within the past two years.
  • 38 percent lack a response plan for a cyber attack.
  • 17 percent believe they’re “fully prepared” for a cyber attack.
  • Many of the survey participants reported that they relied upon IT departments to deal with the issue of cyber threats. However, companies that indeed suffered a data breach within the past two years were actually twice as likely to have relied upon a third-party IT team.
  • 41 percent of business decision makers believe that a more solid understanding of risks and potential threats would assist them in being better prepared, but, oddly, only one-third of businesses share concerning situations with other businesses for the sake of spreading best practices and information.
  • 57 percent do not report incidents on a voluntary basis if they’re not legally required to do this.

Interestingly, while 41 percent of business decision makers believe that a more solid understanding of potential threats would increase preparedness, only one-third of businesses are willing to share information with other businesses about incidents concerning data security.

The big message regarding cyber attacks on businesses all over the world: It’s not “if,” it’s WHEN.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How to store Water for long term Survival

Here’s what everyone should know about how to efficiently store water to be prepared for a catastrophe.

1MEver thought about the possibility that your water service could cease in the event of some kind of catastrophe? Would you have enough for your children to drink for a week? If you live in the Southwest, what if your city ran out of water?

I know something about long term water storage, not because I’m a security analyst, but because I have enough water stored to last my family a month.

In general, one person needs one gallon of water every day (drinking and hygiene). More water is needed for special circumstances such as medical conditions and hot weather.

According to FEMA, you should have enough stored water to last three days, the time it usually takes to get water running again following a tornado, ice storm or earthquake.

But sometimes it takes longer, and many people have decided to store enough water to exceed one week, even 30 days’ worth.

To play it safe, have at least two weeks of stored water: 14 gallons per person. Of course, living in a small place will make a month’s worth of water storage for a family of four challenging. However, being resourceful can conquer this problem.

I recommend starting off with a 14 day supply of stored water, then add onto that as more money and space come your way. Strangely, storing water can become addictive, for lack of a better term. After filling my 55-gallon barrels, I want to fill a third one.

Tips on Water Storage Long Term

  • Pre-packaged bottled water. Store under beds.
  • Refill plastic bottles. Thoroughly clean beforehand (empty soda, sports drink, sports bottles).
  • 5-7-gallon water jugs. Their plastic (usually blue) is sturdy.
  • Bathtub water. But don’t fill the bathtub (very germy). Instead, run the tap into a “waterBOB” plastic bag. Google it. Get this.
  • 55-gallon water barrels. The plastic is BPA-free plus UV-resistant.
  • Rain barrels. Place at the base of your home’s gutter and collect rainwater.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

What is a Man-in-the-Middle Attack?

There’s a reason why most people feel uncomfortable about the idea of someone eavesdropping on them—the eavesdropper could possibly overhear sensitive or private information. This is exactly the risk that computer users face with a common threat called a “Man-in-the-Middle” (MITM) attack, where an attacker uses technological tools, such as malware, to intercept the information you send to a website, or even via your email.

11DJust imagine you are entering login and financial details on an online banking site, and because the attacker is eavesdropping, they can gain access to your information and use it to access your account, or even steal your identity.

There are a variety of ways that attackers can insert themselves in the middle of your online communications. One common form of this attack involves cybercriminals distributing malware that gives them access to a user’s web browser and the information being sent to various websites.

Another type of MITM attack involves a device that most of us have in our homes today: a wireless router. The attacker could exploit vulnerabilities in the router’s security setup to intercept information being sent through it, or they could set up a malicious router in a public place, such as a café or hotel.

Either way, MITM attacks pose a serious threat to your online security because they give the attacker the ability to receive and request personal information posing as a trusted party (such as a website that you regularly use).

Here are some tips to protect you from a Man-in-the-Middle attack, and improve your overall online security:

  • Ensure the websites you use offer strong encryption, which scrambles your messages while in transit to prevent eavesdropping. Look for “httpS:” at the beginning of the web address instead of just “http:” which indicates that the site is using encryption.
  • Change the default password on your home Wi-Fi connection so it’s harder for someone to access.
  • Don’t access personal information when using public Wi-Fi networks, which may, or may not, be secure.
  • Be wary of any request for your personal information, even if it’s coming from a trusted party.
  • Protect all of your computers and mobile devices with comprehensive security software, like McAfee LiveSafe™ service to protect you from malware and other Internet threats.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

How to Respond in an active Shooter Scenario

Here’s how to respond if a shooting breaks out.

7HThere’s no such thing as a perfect world in which guns and bullets don’t exist. Would you know what to do in the event of an unexpected shooting situation?

The first thing you should do in a shooting crisis is to remain calm, even though your head might be telling you to fight or escape. However, an attempt at fighting or escaping may not always be possible, regardless, maintain calm to determine what is possible.

Be aware of your surroundings: people nearby, what they’re doing, odd behaviors, unfolding situations. If you spot dissonance (e.g., an escalating argument), look for possible exits or safe spots to get to, rather than get closer to the unfolding train wreck. If someone brandishes a gun, you’ll then immediately know where the fastest exit or barricade is. Always know where the exits are in any room you’re in.

In general, if you’re in a threatening situation, especially if a shooting occurs, 1) run, 2) hide, and 3) fight. And not always in that order.

If you see the exit, run. If you can see the gunman, he can see you; drop any belongings, crouch and bolt away to a safe place, even if you become injured. Then call 9-1-1.

If there’s a quiet, dark room that you can lock yourself into, do so. Bring other people with you if possible, but keep them quiet: no screaming. If the door doesn’t lock, block it with furniture. Stay put until the authorities find you.

If running and hiding aren’t options, you must fight: a very last resort, however. If possible, recruit others to join forces. Use any weapons available (chair, lamp) and fight for your life. If the gunman’s weapon freezes, lunge at him or sprint away. A 120 pound woman can do this; 120 pounds is a lot of weight coming at a full grown man, whether it’s a big rock or a woman.

This boils down to situation awareness and preparedness. Never think that preparing ahead of time for a shooting that probably will never happen is a form of paranoia. It’s simply being proactive.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussingburglar proofing your home on Fox Boston. Disclosures.

Risk Reduction: #1 Concern of Bank Boards

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

11DIt’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

  • 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
  • 63 percent said that a separate risk committee on the board oversaw risks.
  • 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren’t doing this.
  • 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
  • Of this 30 percent, less than half actually use it to supply limits to the board and management.
  • The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren’t getting fully used.
  • And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
  • 17 percent go over the bank’s risk profile monthly at the board and executive level, and about 50 percent review such only quarterly; 23 percent twice or once per year.
  • 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
  • 53 percent want more understanding of newer risks like cyber security issues.
  • Senior execs want the board to have more training in overseeing the risk appetite and related issues.
  • 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
  • Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Home Invasion ends in Death

A man died at the hands of two intruders who invaded his home in Sacramento County recently. The 30-year-old victim had been shot. According to witnesses, two intruders barged into the apartment, then shot the man, but not before stealing some of his belongings.

1BCan something like this be prevented? Most likely, even though we don’t have the details. How were the intruders able to force their way into the apartment in the first place? Did the man open the door, and that’s how they got in? Was the door unlocked, and the intruders simply walked in?

Tips to help prevent a home invasion:

  • Instruct your kids or any children visiting that they are never to answer a knock at the door or the doorbell ringing, even if pizza or some other delivery is expected. Your kids must know that they are forbidden from responding to the door even if you’re momentarily indisposed ( in the shower, on a ladder painting the ceiling, etc.).
  • Have an alarm system installed, and always keep it on, and yes, that means making it a habit to turn it off before you step outside to let the dog out, water the garden, retrieve the mail, take out the trash, etc. Kids, too, must learn this habit, since they are often in and out of a house many times in one day.
  • To make it easier to embrace the idea of keeping the alarm on at all times, realize that often, a burglar or rapist won’t even ring your doorbell or knock. They’ll just make their way in and creep up on you.
  • Install a 24-hour video surveillance system. If a burglar or rapist spots that camera, or even the system’s company’s warning decals, this will be a great deterrent. All doors and entry points should have a camera.
  • If a stranger is at your door, speak to that person with the main door closed, never through just the screen door.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

How to safely and securely recycles Devices

Don’t just throw out your old devices; take measures to protect your personal information.

13DBack Up

Before ridding your device, back up everything on it—everything. Use an automated PC service and/or a flash drive. For the iOS and Android, activate Apple’s iCloud or the Google Auto Backup service.

Wipe

Wiping refers to removing all your data. Simply hitting “delete” or reformatting the hard drive won’t do. I purchased 30 used computers off Craigslist, scoured their hard drives with a forensics expert, and discovered that half of the devices—that had been reformatted—still had personal information.

To wipe Windows PCs, you can use Active KillDisk. For Macs, use the OS X Disk Utility or WipeDrive. “A factory reset should be enough to secure most recent smartphones, provided that you remove any SIM cards that could contain personal info. To be super safe, use Blancco Mobile to wipe the iOS or Android.

Destroy

If you can’t wipe the device, destroy it if you don’t plan on donating or reselling. For example, I recently recycled a laptop that was missing its power supply, so there was no way to turn it on and wipe the disc. Instead I removed the hard drive with a screwdriver, and then took a sledgehammer to it. (Aside from protecting my personal data, it was also a lot of fun.)

Recycle
Ask the recycling company just who does the downstream recycling so that your e-waste doesn’t find its way into a foreign landfill. Make sure the company is part of R2 (Responsible Recycling) or e-Stewards certification programs.

Keep Records

Make sure you document donations with a receipt so that the IRS can give you a little return.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Spring Clean Your Online Reputation

Spring is fast approaching, which means that spring break and college graduation are not too far away. Things could get ugly if your friends take photos of you acting foolish and then post them online for everyone to see.

14DWhether you’re searching for your next career move or are on the verge of graduation and feverishly sending out your resume, like it or not, potential employers are going online and Googling you. (Yes, Googling is considered a verb now.) Every time they find something online that is appropriate, they print it out and attach it to your resume. While I can’t confirm whether or not people are pulling your past and laughing at your expense, let’s just say I’d put money on it.

When was the last time you cleaned up your online (especially on social media) profile so that prospective employers can’t discover “bad” things about you? McAfee conducted a study, and the results show that 13.7% of people ages 18-24 know someone who was given the pink slip, courtesy of online postings.

Job seekers and upcoming college graduates take note: Difficulty getting or keeping a job due to negative social media content is a reality. I assure you anything on your social media profile that makes you look less than desirable as an employee, even an innocuous comment such as, “I always have trouble being on time,” can kill your chances at getting that dream job.

Tips on how you (the job seeker) can make your online profile look good:

DON’T:

  • Don’t friend someone you don’t know, just so you can crank up that friend-total tally. (Wow, 8,000 friends! Really?)
  • Don’t let anyone photograph or video you holding alcohol, smoking, being promiscuous or aggressive, shirtless, using vulgar gestures, or even doing something perfectly legal but stupid looking like the seflie fishy face.
  • Don’t use offensive language online, even if your privacy settings are at the highest. If you really need to get your point across, use “fudge,” “freakin,” “effing,” etc.
  • Don’t log on when your judgment may be compromised by raging hormones or alcohol/drugs.
  • Don’t negatively comment online about any person in authority (your boss, former boss, parents, a political candidate). Exception: The object of your scathing remark is a puppy beater.

DO:

  • Make sure your social network privacy settings are on high, but remember that this doesn’t give you the green light to be inappropriate.
  • Look at the past year of what you’ve posted on social media profiles. Delete every photo, video and comment that is even remotely off color.
  • Google your name, address, phone number, email address and pseudonyms to see what’s out there about you. If it’s bad and it’s deleteable, then delete.
  • If it’s not deleteable, but under the control of someone else, see what your options are to have them remove it. Email, call, beg and plead if you must.
  • Once you’ve removed what you can then start the process of pushing out good stuff. This means propagating social and search with digital content that would make your mother actually proud she spawned you. The more good stuff that shows on the first few pages of search, the more the bad stuff will be pushed down into the abyss.

If you are saying “I’m not concerned, my life is an open book, if a potential employer doesn’t want to hire me because of who I am, then I don’t want that job anyway.” Fine. But when it comes time to pay the bills, you’ve been forewarned.

You may be a college grad with a 170 IQ or a businessman with 10 years of experience, but to a prospective employer, your fishy face selfie makes you look like a tool. Be careful what you do online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Data Breaches: How To Protect Your Business From Internal Threats

The biggest threat to your data may not come from external hackers. Find out how to guard against intentional or accidental internal cyber breaches.

14DThe NSA leaks we keep hearing about are a constant reminder of just how vulnerable data is and how this vulnerability can result in data breaches by organization insiders. As Reuters reported, “Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.” It’s apparent now that the nation’s most significant intelligence and security team failed to install the most up-to-date, anti-leak software.

This news coincides with two recent reports that show insiders are becoming the most significant reason data breaches proliferate. While threats to data security and privacy are often perceived to come from the outside via criminal hackers, recent research has marked internal threats as equally dangerous to customer/client data—whether breached on purpose or by accident.

According to a recent Forrester Research report titled “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company, while 36 percent of breaches were caused by employee mistakes, making it the current top cause of most data breaches.

Another report, from MeriTalk, which focuses on the federal government, found that 49 percent of breaches happen when employees bypass existing security measures, such as when they’re Web surfing or downloading email or other files. If the federal government can’t protect itself against data leaks, how can small-business owners expect to adequately protect their business data? Let’s take a look at how these data leaks are happening to find out how you can protect against them.

Cracking The Code

We’re at a point where companies interested in protecting their data have invested significant resources into fighting off network attacks from outsiders by incorporating numerous layers of security, such as firewalls, antivirus software, antispyware, antiphishing software and security awareness training, but they’re leaving their data vulnerable to their employees. Companies may have malicious, Edward Snowden-like insiders who hack the network for information, including fellow employees’ passwords.

Or, on the less malicious end of the spectrum, employees may just make simple mistakes that leave the network vulnerable to data breaches. Because of this “hidden” vulnerability, company networks are often compared to candy bars that are hard on the outside and soft and chewy on the inside. Additional risks revolve around savvy employees who might have good intentions but may make the network vulnerable when they go outside existing security measures. They may find themselves forced to do this because of restrictions that prevent them from getting their jobs done.

The Meritalk study found:

  • 66 percent of federal network users believe security is time-consuming and restrictive.
  • 69 percent say their work takes longer because of additional cyber security measures.
  • One in five users report an inability to complete work because of security measures.
  • 31 percent of users work around security measures at least once a week.

Forrester found:

  • 36 percent of breaches stem from inadvertent misuse of data by employees.
  • 42 percent received training on how to remain secure at work, which means 58 percent haven’t had training at all.
  • 57 percent say they’re not even aware of their organization’s current security policies.
  • 25 percent say a breach occurred because of abuse by a malicious insider.

Guarding What’s Yours

The most important thing companies can do is to put the right security measures in place. Employees who need identification include those who are known to access critical data resources, such as those in accounting, human resources, administration, legal, personnel and account management as well as company officers and various contractors. Looking at data flow—that is, where data might be either vulnerable, shared across departments or bottle-necked—companies should work with each critical department to gradually implement security controls that create a delicate balance of security and productivity for day-to-day activities.

Data loss prevention begins with data discovery, classifying data in need of protection, and then determining what level of risk your company may face. Then you should complete a cost/benefit analysis and review the various technologies that can integrate with your existing systems. These include data loss prevention (DLP) technologies that provide real-time network activity monitoring, as well as system status monitoring from the inside out and the outside in.

The goal is to limit who has access to what data as well as determine why the person needs it. It’s also important to look for your vulnerabilities from outside attacks. DLP can simultaneously determine when employees are circumventing security because the system may be prohibiting them from getting their job done.

Other procedures and tools you might want to consider implementing include:

  • System-wide encryption
  • Tools that report alerts and events
  • Inspection access controls
  • Password management
  • Multifactor authentication
  • Device recognition
  • Data disposal for e-data, paper data and discarded devices
  • Transparency

This last one is critical because the more transparent your network security and security policies are, the more effective each department will be when communicating its requirements, needs, wants and differences.

The battle to fight criminal hackers from the outside must not hinder your employees’ progress on the inside. At the same time, you must protect against internal threats from employees, which is an equally dangerous risk that your IT department must acknowledge—and work to secure quickly.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.