IT Security: Preventing Insider Threat

A “logic bomb” isn’t really logical; it’s a virus designed to take down your corporate network and disable existing systems that may monitor data, protect it, back it up or access it. A logic bomb is designed to multiply like any virus and spread throughout a network, multiplying its effects.

An example from a Wall Street Journal story depicts an employee at Fannie Mae who, knowing he is about to be fired, commits an act of workplace violence by installing a logic bomb set to detonate almost 3 months after his departure. The detonation would have taken the organization offline for almost a week and cost millions and millions of dollars.

In this true insider threat story, an observant programmer who was still employed noticed the code and disabled it before the damage could be done.

Think for a moment about your small business and how you would get in if you lost your keys. Maybe through an unlocked window? And if a burglar knew what you knew about where you hide that extra key? How much damage could he do, knowing what you know? Insider threats pose the same problem. They know the ins and outs of all systems in place and can wreak havoc on your operation while they are employed and sometimes after they are let go.

The problems begin when we put people in a trusted place. Because it’s their job to perform certain duties, they are granted access, and that access is carte blanche. Ultimately, IT security is a people problem and needs to be addressed that way.

Preventing Insider Threat

1. Limited Sources; only grant access to a few trusted sources. Minimize the number of staff who have access to whatever systems are in place.

2. Due Diligence; in the information age, our lives are an open book. Background checks from information brokers are very necessary. Not doing a background check increases your liability. A person previously convicted of a crime just might do it again.

3. Limit Access; even a good apple can eventually go bad. By restricting the access of even those who are in a trusted position, you ensure that, in the event they turn sour, they can only do limited damage.

4. Defense in Depth; audit, audit, audit. This is all about checks and balances. Separation of powers. Multiple layers of authorization. We’ve all watched the movie where in order to launch the missile there were 2 keys held by 2 people, who pressed 2 buttons in order for the missile to launch. Put systems in place that facilitate someone always watching over someone’s shoulder. This way the bad apple can’t hide or execute their malicious intent.

5. Prosecute the Guilty; in the event of a breach of trust, make an example of the person that others won’t forget. Public hangings set a strong deterrent.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News.

What Is Business or Corporate Identity Theft?

Business or corporate identity theft occurs when a thief uses an existing business’s name to obtain credit, or bills a business’s legitimate clients for products and services. Often, but not always, a Social Security Number of a company officer is required to commit business identity theft. Other identifiers, such as Federal IDs or Employer’s Identification Numbers, are readily available in public records, dumpsters, or internally, and the relative ease of access to these identifiers facilitates this crime.

NPR reports “Business identity theft takes many forms. Posing as a look-alike or sound-alike business to lure customers is one of them. But in many cases, shady operators go after information to tap into business’ credit and reputation. They change a business’s contact information, for example, then use it to obtain credit cards or order goods, skipping town before bills arrive.”

Perpetrators of business identity fraud are often employees or former employees with direct access to financial documentation. They have the opportunity to pad the books in favor of their scheming.

Victims of business identity theft often do not find out about the crime until significant losses accumulate, or someone discovers discrepancies on the books. Because of the hidden nature of the transactions, businesses can lose vast amounts of money. Business identity theft can remain undetected for years.

The most efficient way to prevent identity theft is with an identity theft protection service and a credit freeze. This will only protect the business when everything is done under an officer’s name and Social Security number. Otherwise this crime is difficult to prevent. It is vitally important to do all the things a consumer would do to prevent identity theft, such as shred documents, get a locking mailbox and make sure your network is secure.


Merchants at Greatest Risk For POS Skimming Fraud

The past 5 years have seen a scam known as electronic funds transfer at the point of sale (EFTPOS) skimming. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services, and hackers have figured out how to skim customer cards.

BankInfoSecurity reports “The news is just one in a growing line of POS skimming fraud schemes. From the Michaels POS PIN pad swapping scam, which hit in May, to the Save Mart Supermarkets self-checkout breach announced in the last two weeks, merchant-level card security is garnering new attention.”

In Australia, fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted for card skimming.

Officials say the problem is so bad that they urged people to change credit and debit card PIN numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

In the United States, a similar card skimming scam was pulled off at the Stop and Shop Supermarket chain.

Anyone with inside knowledge of payments can easily hack a POS system. “Then they simply use tools to crack a Windows remote desktop – defaults at port 3389 – program’s password, and they are in.”

Here’s an abridged version of the protection tips against POS skimming fraud offered by BankInfoSecurity:

#1 Never affiliate the business name with the name of the Wi-Fi network.

#2 Upgrade POS equipment and software regularly, and continually change device passwords.

#3 Ensure payments systems comply with Payment Card Industry Data Security Standard from end to end.

#4 Monitor network traffic.


Business Security Measures to Prevent Fake Twitter Accounts

Hacking a business Twitter account seems to be a favorite pastime for those wanting some kind of retribution, and for others it’s just plain fun. Once a business’s Twitter account is hacked, its reputation is sullied, making it look like it isn’t protecting its clients’ data either.

In the past year NBC, Fox News, USA Today and a CNN anchor were the most visible of those attacked. Here are some Twitter scams to be aware of:

Jacked Twitter Accounts: Accounts including those of President Obama, Britney Spears, and others were taken over and used to make fun of, ridicule, harass or commit fraud.

Social Media Identity Theft: Hundreds of fake Twitter accounts are set up every day. Sarah Palin, St Louis Cardinals Coach Tony LaRussa, Kanye West, Huffington Post and many others have had Twitter accounts opened in their names or names likened to them.

Twitter Worms: Worms infiltrating Twitter spread easily because rather than activating by clicking, users only needed to hover over a link to trigger an action.

Twitter as a Botnet Controller: Hackers are now using Twitter accounts to send coded update messages to computers they’ve previously infected with rogue code.

Twitter Phishing: If you receive a direct message or a direct message email notification that redirects to what looks like Twitter.com—don’t sign in. Look closely at the URL because it could be a scam.

Twitter Spam: The use of short URLs has made Twitter’s 140-character limit the perfect launch pad for spam leading to diet pills, Viagra and whatever else you don’t need.

#1 When experiencing problems, revoke all access to 3rd party accounts connected to your Twitter account.

#2 Change up your password every 6 months or when experiencing issues (whichever comes first).

#3 Don’t click links in DMs or your feed unless you uncover short URLs first.


Watch Those Corporate Card Statements to Prevent Credit Card Scams

Charges on corporate credit cards can often go unnoticed even when employees are submitting expense reports, especially if the charges are small.

The Federal Trade Commission filed a lawsuit describing a criminal enterprise responsible for “micro charges,” fraudulent charges ranging from 20 cents to $10, to as many as one million credit cards since approximately 2006. Because the amounts were low, most of the fraud went unnoticed by cardholders. Money mules were used to divert the funds to Eastern European countries. (“Money mules” are typically individuals who are recruited to assist in a criminal enterprise via help wanted advertisements on job placement websites. In this case, the mules believed they were applying to be financial services managers.) These mules opened numerous LLCs and bank accounts. They also set up websites with toll free numbers, creating an apparently legitimate web presence. Thanks to this facade, the websites were granted merchant status, allowing them to process credit card orders.

The victims of this credit card scam would see the fictional merchant’s name and toll free number on their credit card statements. If they attempted to dispute a charge, the toll free numbers would go to voicemail or be disconnected. Most frustrated consumers may not bother to take the additional step of disputing a 20 cent charge with the credit card company.

Victims of fraudulent credit card charges only wind up paying the unauthorized charges if they don’t detect and report the credit card fraud within 60 days. A 60 day window covers two billing cycles, which should be enough for most account-conscious consumers who keep an eye on their spending. During that time, you are covered by a “zero liability policy,” which was invented by credit card companies to reduce fears of online fraud. Under this policy, the cardholder may be responsible for up to $50.00 in charges, but most banks extend the coverage to charges under $50.00.

If you fail to recognize and dispute unauthorized transactions on your credit card statements, you take responsibility for the fraudulent charges. While 20 cents may not seem worth the bother, these seemingly minor charges are certainly funding criminal activity, and perhaps even terrorism. So, to prevent credit card scams, take the time to scrutinize those unauthorized credit card charges every single month.
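The monthly review described above can be automated by reconciling the card statement against submitted expense lines. The following is an added example, not part of the original post: the CSV layout, card suffixes and merchant names are constructed, and counting the 60-day window from the charge date is an assumption.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta
from decimal import Decimal

MICRO_MIN, MICRO_MAX = Decimal("0.20"), Decimal("10.00")  # range cited in the FTC case
DISPUTE_WINDOW = timedelta(days=60)  # assumption: counted from the charge date

# Constructed sample data: a card statement export and submitted expense lines.
STATEMENT_CSV = """date,card,merchant,amount
2024-03-02,4417,ACME OFFICE SUPPLY,184.20
2024-03-05,4417,WEBSVC 800-555-0100,0.20
2024-03-09,9023,CITY PARKING,8.00
2024-03-11,9023,ONLINE HELP 800-555-0101,9.95
2024-03-15,4417,AIRLINE TICKET,412.60
2024-03-20,9023,CITY PARKING,8.00
"""
EXPENSES_CSV = """card,merchant,amount
4417,ACME OFFICE SUPPLY,184.20
9023,CITY PARKING,8.00
4417,AIRLINE TICKET,412.60
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def unreconciled_charges(statement_rows, expense_rows, today):
    """Charges with no matching expense line; micro charges first, nearest deadline first."""
    claimed = Counter(
        (e["card"], e["merchant"], Decimal(e["amount"])) for e in expense_rows
    )
    findings = []
    for row in statement_rows:
        key = (row["card"], row["merchant"], Decimal(row["amount"]))
        if claimed[key] > 0:
            claimed[key] -= 1  # each expense line covers exactly one charge
            continue
        deadline = date.fromisoformat(row["date"]) + DISPUTE_WINDOW
        findings.append({
            "card": row["card"], "merchant": row["merchant"], "amount": key[2],
            "micro": MICRO_MIN <= key[2] <= MICRO_MAX,
            "days_left": (deadline - today).days,
        })
    return sorted(findings, key=lambda f: (not f["micro"], f["days_left"]))

if __name__ == "__main__":
    for f in unreconciled_charges(load(STATEMENT_CSV), load(EXPENSES_CSV), date(2024, 4, 1)):
        print(f)
```

A repeated charge from a familiar merchant is flagged as well, because each expense line can cover only one statement entry.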


Network Hacking – Why Taunting Computer Hackers Isn’t a Good Idea

Would you dare a burglar to break into your home while your family was sleeping? Would you taunt a murderer or serial killer to try and get you? And would you say to a gang of thieves “just try and break into my business”. Maybe if you are a little daring and maybe if you had a screw loose you’d make these irresponsible requests. But in reality “bring it on” is never a good idea. Especially when it comes to your network security. Because “they” just might win.

UFC.com, the official website of the Ultimate Fighting Championship, was hacked by a group calling themselves the “Underground Nazi H4ck3rGr0up.”

Fox5 reported that Dana White, UFC President, issued the challenge to hackers because he supports the recently debated online piracy legislation known as SOPA and PIPA.

“They will not intimidate me,” White said in a phone interview with FOX5. “I’m not intimidated. I’m not scared of what they’re doing.”

The computer hacker, known only as UgNazi, successfully took over UFC.com.

Within a day of this attack it was reported that White’s Social Security number and additional personal information were hacked and exposed for the world to see. But in fact the information belonged to another person, who went through some pretty harrowing harassment over the course of a few days.

Kicking a hornets’ nest isn’t advisable. And neither is taunting a collective of criminal hacktivists who have lots of time and lots of resources to make your small business network a target.


15 Break-ins at Boston Area Churches – Nothing is Sacred

Last year around the holidays I wrote about burglars preying on churches.

This year is no different. The Boston Globe reports: “You know things are bad when they start knocking off churches. And judging by the number of churches knocked off recently, things are very bad indeed.”

“I’m seeing levels of desperation out there I haven’t seen for a long while,” said the churches’ priest. “Like most priests and ministers, he sees a lot of people who live on the margins. They come to the three churches he oversees for food and laundry money and help with the rent. They come because they don’t belong anywhere else.

And sometimes they come to steal. There have been 15 break-ins at Boston area churches in the last few months. And that’s just the Catholic ones.”

It doesn’t matter where, when or who, a burglar will go where there is easy access and easy money, or goods to be resold.

Often, it is those on the inside that have knowledge of how things work and where they are. So, it is important to beef up security to protect from the inside-out and from the outside-in.

In some cases burglars enter through unlocked doors; in others, through broken windows, and they will even bust doors off of their frames.

Theft happens. Protect against it.

  1. Lock up. Even if it’s an “open access” environment
  2. Have someone always watching the door
  3. Install visible motion sensitive security cameras everywhere recorded by a DVR
  4. Install hidden motion sensitive security cameras everywhere recorded by a DVR
  5. Install “Monitored by Video Surveillance” signs everywhere
  6. Lock doors and windows always
  7. Install glass break prevention film
  8. Install a monitored alarm system
  9. Be proactive with the help of wireless home security systems and new interactive smart home solutions that go beyond traditional security to a new level of control, accessibility and connection with the property.

Robert Siciliano, personal security expert to Home Security Source, discussing Home Security and Identity Theft on TBS Movie and a Makeover.