Be your Family’s Chief Security Officer

Schlage is all about safety and security. But you need not be in the profession of security analyst to be vigilant about your home and family’s security. And when it comes to security, this doesn’t just mean protection from home invasions and burglaries, but anything and everything, such as online security and guarding against viruses, hackers and other fraudulent invasive cyber crimes that can really mess things up for you or a family member.

Be your family and home’s Chief Security Officer, even if your job outside the home is unrelated to security measures. Make sure everything is safe and sound inside your home. This includes child-proofing the house; senior-proofing if there are elderly occupants; and just in general, making the environment safe—e.g., cleaning up spills on the floor to prevent a disastrous fall.

I won’t lie: This kind of vigilance requires a lot of thought to get it rolling. It’s not second nature to many people, but they can work on that element and improve over time so that it’s automatic to put the alarm system on when going to bed.

You must be fierce so that fires don’t start in your home, and so that you don’t end up in the news as a victim of a crime.

Sometimes, a person’s greatest enemy is themselves. So you have all the windows penetration-proofed, triple bolts on all the doors, maybe a protection dog and an extensive video surveillance system…but one second of laziness, and you leave without locking your doors, taking the dog with you, and some bad guy chooses your home simply because he saw you leave. Locking your doors is a little extra effort that might have saved all kinds of heartache.

So it takes a little extra time to create a safety system, and then stick with it, to prevent bad things from happening. If you can’t make time for safety and security, you’ll have to make time for catastrophe. When you make security a habit, it really doesn’t require that much effort after a while. Lead your family and home as its Chief Security Officer.

Robert Siciliano, home security expert to Schlage, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247.

Top Security Techniques That Work For The Masters

Banks know security just about better than anyone. Find out what they can teach you about safeguarding your small business.

Security is a journey, not a destination. This is a security industry axiom that means we can strive for security, and by making this effort, we can put ourselves on a path to security. But while we may achieve a relative degree of security, our businesses will never be 100 percent secure—the destination we all strive for. Even Fort Knox, the White House and the New York Stock Exchange are vulnerable.

But that doesn’t mean we shouldn’t strive to reach our destination. In order to protect our businesses, we can apply strategies that significantly reduce our risk level. One of the best security techniques is layering. Layers of security make a criminal’s job more difficult, as they are forced to address all the vulnerabilities in our business.

Helen Keller once said, “Security is an illusion; life is either a daring adventure or nothing at all.” Her quote has significance, although it’s not entirely accurate. That’s because security is part illusion and part theater. The illusion, like a magic act, seems believable in many cases.

Security theater, on the other hand, refers to security intended to provide a sense of security while not entirely improving it. The theater gives the illusion of impact. Both play a role in deterring criminals, but neither can provide 100 percent security, as complete security is unattainable. Hence, security is a journey, not a destination.

Banks know security, both the illusion and the theater. They have to, because robbers target these buildings daily. Because banks want to promote a friendly and inviting environment, consumers are mostly oblivious to the various layers of security that financial institutions utilize to protect their bank accounts. And that’s not a bad model to follow.

What Banks Know About Security

Banks have multiple layers of security. The perimeter of most banks is designed to include large windows, so passersby and law enforcement can easily see any problems occurring inside. The bank’s doors also have locks. There is, of course, an alarm system, which includes panic buttons, glass-break detectors and motion sensors. These are all layers, as are the security cameras, bulletproof glass and armed guards. Ideally, the tellers and members of management should have robbery-response training. Many banks also use dye packs or GPS devices to track stolen cash.

All banks have safes, because banks know that a well-constructed safe is the ultimate layer of security. A safe not only makes it extremely difficult for a bank robber to steal the bank’s money, but it also protects the cash in the event of a fire.

And then there are the multiple layers of computer security. The basics include antivirus, antispyware, antiphishing and firewalls. However, there are numerous additional layers of protection that monitor who is accessing data and why, and numerous detectors that look for red flags which indicate possible identity theft.

Banks also recognize that a simple username/password is insufficient, so they require their clients to adopt multifactor authentication. Multifactor authentication is generally something the user knows, such as a password or answers to knowledge-based questions, plus something the user has, such as a smart card, token or additional SMS password, and/or something the user is, such as identification through a biometric fingerprint, facial recognition, hand geometry or iris scan. In its simplest forms, multifactor authentication occurs when a website asks for a four-digit security code from a credit card or installs a cookie on your machine, or when a bank requires a client to add a second password to his or her account. Some institutions also offer or require a key fob that provides a changeable second password (a one-time password) to access accounts, or it might require a reply to a text message in order to approve a transaction.

Every layer of protection the bank adds is designed to make it harder for a criminal to get paid.

Consider a layered approach for your small-business security plan. Think about the current layers of business protection you have in place, and then consider how many more layers you might want to install to ensure a seamless customer experience and a security-minded culture.

Robert Siciliano CEO of, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

11 Tips to Hotel Safety and Security

Can you name 11 tips for hotel safety and security? How about just five?

Have you ever walked down the hallway of a hotel and passed by rooms with doors left wide open by cleaning staff? Ever thought of how easy it would be to enter and pretend the room is yours? Imagine what you could steal.

This is why a hotel that takes security seriously will be very strict about who is issued an electronic key to rooms, and will issue regulations regarding housekeeping tasks. In more remote hotels or those in less developed countries, the hotel staff itself may be the thieves.

Nevertheless, whether you’re in the ritziest hotel or the shoddiest dump, Schlage locks wants you to know there’s a baseline of precautions you should take.

#1. Never leave valuables in your room unless you’re present. If you must, use the hotel safe and be sure to get a receipt.

#2. When in the room, keep the door locked, including the chain feature.

#3. Always use the peephole before opening the door.

#4. If you anticipate the door won’t have a lock (such as in a foreign country), bring along a traveler’s door lock, a motion detector that you hang on the knob that sounds when the door opens, and/or a doorstop alarm—it wedges against the door’s base.

#5. Don’t open the door to strangers.

#6. If the “stranger” claims to be a hotel service person, call the front desk for verification first.

#7. Consider having all food deliveries made to the lobby. This isn’t convenient, but it’s safer. You never know if the delivery person is actually a predator looking for a target. Men should also practice this procedure; men can be targeted for violent crimes too. The delivery person may also case you as a potential target later on.

#8. Be mindful of what you leave outside your door. E.g., what appears to be leftovers from one person’s meal indicates you’re alone.

#9. Before going to bed, double check all possible entry points.

#10. Make people think you’re there when you’re not: Place the “do not disturb” sign on the door—after you put the TV on loud. But first make sure this won’t coincide with maid service.

#11. If your hotel wants you to turn your key in when you go out, keep the key so that nobody knows you’re out.

Robert Siciliano, home security expert to Schlage, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247.

Windows XP not dead yet—but users Beware

Would you reasonably expect success when attempting to drive cross country in a 1975 Pinto with bald tires, no brakes, dried cracked belts and with already 250k on the motor? You might if you didn’t stop and think about things.

The same is true of an individual or a business that’s still using the Windows XP operating system on devices that have even 1 megabyte of sensitive data. You cannot reasonably expect security with one of the most hacked operating systems in existence.

But I digress. Fret not, there’s temporary hope yet for Windows XP procrastinators: Microsoft is extending support into 2015. It was previously believed that April 8, 2014 was the end of the world for support towards MS Security Essentials, System Center Endpoint Protection, Forefront Endpoint Protection and Forefront Client Security.

This meant that on that date, new malware signatures plus engine updates to XP users would cease, even though updates for the same software that was running on Windows Vista would continue to be provided.

However, a recent blog post by Microsoft’s Malware Protection Center notes that XP users will continue receiving support—but it won’t last long: July 14, 2015 will be here before business owners know it.

With hackers swarming in like killer bees, knowing that XP’s support is on borrowed time, XP users must stay on high alert for attacks. Thieves can even use new security updates for Windows Vista (and later) as a guide to hacking into systems running on XP.

Anti-malware solutions aren’t very effective on operating systems that lack support, and hackers know this. But more alarming is that fewer users, including business owners, are ready to accept this or even have a clue about it.

After all, it’s estimated that almost 30 percent of all the personal computers across the world are using Windows XP. Business owners and other decision makers of organizations need to overestimate just how risky it is to cling onto an old favorite rather than promptly switch to a new system that has stronger support.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Tightening up Security is Everyone’s Responsibility

Most information technology (IT) experts are very much unnerved by cyber criminals, says the biggest study involving surveys of IT professionals in mid-sized businesses.

  • 87% send data to cloud accounts or personal e-mail.
  • 58% have sent data to the wrong individual.
  • Over 50% have confessed to taking company data with them upon leaving a post.
  • 60% rated their company a “C” or worse for preparation to fight a cyber threat.

Here is an executive summary and a full report of the survey’s results.

A second study also revealed high anxiety among mid-size business IT professionals.

  • Over 50% of those surveyed expressed serious concern over employees bringing malware into an organization: 56% for personal webmail and 58% for web browsing.
  • 74% noted that their organization’s networks had been infiltrated by malware that was brought in by web surfing; and 64 percent via e-mail—all in the past 12 months.

The above study is supported by this study.

  • 60% of respondents believed that the greatest risk was employee carelessness.
  • 44% cited low priority given to security issues in the form of junior IT managers being given responsibility for security decisions.

The first (biggest) study above showed that about 50% of C-level management actually admitted that it was their responsibility to take the helm of improving security.

And about half of lower level employees believed that IT security staff should take the responsibility—and that they themselves, along with higher management, should be exempt.

The survey size in these studies was rather small. How a question is worded can also influence the appearance of findings. Nevertheless, a common thread seems to have surfaced: universal concern, and universal passing the buck. It’s kind of like littering the workplace but then thinking, “Oh, no problem, the custodian will mop it up.”

  • People are failing to appreciate the risk of leaving personal data on work systems.
  • They aren’t getting the memo that bringing sensitive data home to personal devices is risky.
  • Web browsing, social sharing and e-mail activities aren’t being done judiciously enough—giving rise to phishing-based invasions.

IT professionals are only as good as their weakest link: the rest of the employees who refuse to play a role in company security will bring down the ship.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Cloud Computing 101

A public cloud service can bring on five risks to a business. Here they are, and their solutions.

The three A’s: authentication, authorization, access control. Here are some questions to ponder about a cloud service:

  • How often does it clean up dormant accounts?
  • What kind of authentication is necessary for a privileged user?
  • Who can access or even see your data?
  • Where is it physically stored?
  • Does your organization share a common namespace with the service (something that greatly increases risks)?
  • Are private keys shared among tenants if data encryption is used?
  • Ask your cloud vendor these questions. Get answers.

Multiple tenants

There’s always that concern of data inadvertently slipping out to tenants who share the cloud service with you. One little error can expose your data and set you up even for identity theft. Breaches that can occur include: accessing data from other tenants from supposedly new storage space; and peering into other tenants’ IP address and memory space.

Virtual exploits

There are four chief kinds of virtual exploit risks: 1) server host only, 2) host to guest, 3) guest to host, and 4) guest to guest. Many cloud customers are in the dark about virtual exploits and are clueless about the vendor’s virtualization tools. Ask the vendor:

  • What virtualization products do you have running?
  • What’s the version currently?
  • Who is patching the virtualization host?
  • How often?
  • Who’s able to log into any virtualization host and guest?


Here’s a surprise: Quite a few cloud vendors state in their contracts that the customer’s data belongs to the vendor, not the customer. Vendors like ownership because they get to have more legal protection should a mishap occur. They can also do other things with the data that can bring more profit.

  • Find out if the contract contains language referring to vendor ownership of data.
  • Learn what the cloud provider can do with it if indeed, they get ownership.


Even the biggest and best cloud services can become dismantled due to service interruptions, attacks or some miscellaneous issue with the vendor.

Funny, because a cloud provider typically insists it has superior, super-protected data backups in place. Be aware that even when a provider claims a guarantee for data backup, data can indeed get lost, even permanently.

  • Back up your data!
  • Require some language in the contract that entitles you to damages should your data become permanently lost.

Cloud services haven’t been around long enough for analysts to have come up with a predictable, clear model of all the possible risks, how likely they are, likeliness of security failures and how much, if at all, risks will negatively impact customers. And that’s just in general. Figuring this out for a particular vendor is even more vexing.

  • There are many unknowns, but at least you can work on minimizing them.
  • Obtain a copy of the vendor’s last relevant, successful audit report.
  • Seek out information from the vendor about prior incidents of tenant data problems.
  • Ask the vendor about its policy of reporting data compromises to customers.
  • Pin down exactly what the provider’s responsibility really is.

Robert Siciliano is an Identity Theft Expert and is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

You’re Not a Cop or Firefighter…but You Still May Be in a High-risk Profession

One of my audiences is real estate agents. I present programs on personal security and how they can avoid and remove themselves from dangerous situations. You see, as crazy as it seems, real estate agents are targeted by criminals every day. Rape, robbery and murder are some of the issues they face.

Lehighvalleylive reports that a man approached a model home asking if he could see it. The agent, a woman, quickly felt odd in this man’s company and told him to go inside by himself. The man returned 45 minutes later and said the home had a water leak and insisted the agent come with him to look at it, but she chose not to. When the agent’s male coworker entered the room where they were talking, the man abruptly left. When the saleswoman went into the home, she could not find a leak—but she did notice the bedroom’s curtains had been shut and the lights turned off.

The police were called. They researched the man’s truck registration, found the truck and, they report, uncovered a knapsack containing matches, duct tape, two handguns, ammunition, rope, a ski mask, metal chains and padlocks, among other items.


It’s not just real estate agents: cab drivers, late-night store clerks and other professionals are considered at risk, too. Dealing with the public can bring you face to face with troublesome behavior from select weirdoes.

If you are in a high-risk profession, you need to think about security both on and off the job.

On the job, always be suspicious of everyone you encounter. Trust your gut, ask inquisitive questions and seek out their motivations. If something seems wrong, it is wrong. Due to the nature of your job, there will be situations unique to you. Investigate what the proper safety/security procedures are, and exercise them daily. Always stay on your toes and never let your guard down.

Off the job, your home is your haven and should be treated as such. Invest in a home security system and sleep peacefully after a crazy day dealing with the public.

Robert Siciliano personal and home security specialist to discussing burglar proofing your home on Fox Boston. Disclosures.

10 Holiday Security Tips

Christmas trees, mistletoe, candy canes, turkey and stuffing bring out scammers, phishers, burglars and identity thieves. I’m not purposefully trying to be a Grinch here, but I’m just reminding you that good times, unfortunately, bring out the worst in bad people. This time of the year is prime season for criminals to seek out victims and separate them from their money and stuff.

Stay merry. Here’s how:

  1. Lock up. No matter how long you are gone, lock your home’s doors and use quality locks from Schlage.
  2. Don’t forget car locks. Don’t leave your keys in the ignition; lock your car doors, even when you are at the gas station and filling up.
  3. Be aware. When in parking lots or garages, at malls or festivals, watch your back, be aware of your surroundings and look for red flags.
  4. Free up your hands. Don’t weigh yourself down with lots of bags and packages. Use a carriage.
  5. Get delivery notices. Package theft is big. Most shippers offer email notifications for tracking packages, so you have the tools with which to become acutely aware of when your stuff is supposed to arrive and be there to accept it.
  6. Set up security cameras. Inside and outside your home, you should have cameras to allow you to peek in on all home activity. They also act as a deterrent to burglars and thieves.
  7. Put your jewels away. When home or away, and even when you are entertaining, lock up your stuff in a bolted safe.
  8. Update your browser. Viruses often end up on a PC because the browser is out of date.
  9. Update your operating system. It’s not enough to have antivirus; you must also update the critical security patches in your computer’s operating system.
  10. Check your statements. Every week around the holidays, pay close(r) attention to your credit card statements and reconcile your charges.

Robert Siciliano, home security expert to Schlage, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures. For Robert’s FREE eBook text- SECURE Your@emailaddress -to 411247.

High-tech vs. Low-tech Locks

High technology doesn’t necessarily mean better, stronger or faster. It does usually mean more convenient, as the word technology is defined as “including the use of materials, tools, techniques, and sources of power to make life easier or more pleasant and work more productive.”


This is the opposite of low-tech, which is essentially utilizing equipment and production techniques that are relatively unsophisticated—but unsophisticated doesn’t necessarily mean insecure. For example, all Schlage Grade 1 deadbolts, keys or touchscreen locks endure 300,000 cycles of testing in the company’s state-of-the-art testing facility…which is 50,000 more than required for Grade 1 certification. A bad guy with intent is going to have a hard time compromising even a low-tech lock.

And then there are high-tech locks, such as Schlage’s Touchscreen Deadbolt, which is the best keyless lock out there. It’s a motorized bolt that automatically locks and unlocks when a four-digit user code is entered, and its lock-and-leave functionality requires only one touch to instantly safeguard the home. The Touchscreen Deadbolt can hold up to 30 unique access codes and is designed to support temporary codes when used with Nexia Home Intelligence for homeowner convenience. For example, codes can be tailored to specific days and times of the week to provide home access only when scheduled, such as for cleaning service personnel – a benefit of having an easy-to-use keyless lock with a built-in alarm.

The biggest difference between high-tech and low-tech locks is the ability to remotely manage a high-tech lock. Nexia Home Intelligence makes it high-tech. This is a home automation system that allows you to control locks, thermostats, lights, cameras and more from wherever you and the internet happen to be. Lock or unlock your door from anywhere with your cell phone, or schedule lock codes to be active only on certain days at specific times. You can also receive text alerts when an alarm triggers or when specific codes provided to your kids are entered at the lock.

Robert Siciliano, home security expert to Schlage, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247.

Seminar to Feature ISECOM’s OSSTMM v3

Pete Herzog, Founder of ISECOM, will be discussing the revised Open Source Security Testing Methodology Manual (OSSTMM v3) and how it applies to web application security today (10-13-2010) in Raleigh, NC.

Pete rarely gets to the US, so this is a unique opportunity for security professionals to have an open discussion with him about trust-based security models and how to apply sound logic to securing and testing web applications.

“About 5 years ago, while searching for any existing methodologies, I stumbled across ISECOM and the Open Source Security Testing Methodology Manual. It changed the way my company and I engaged with clients at every angle,” Michael Menefee of WireHead Security recently wrote.

“As a security consultant, I’ve always looked for ways to increase consistency, efficiency and value when conducting security analysis on a client’s network or business,” Menefee stated. “This would, of course, require both a data collection methodology as well as a reporting methodology in order to work properly.”

The OSSTMM is a peer-reviewed methodology for performing security tests and metrics, and the test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

On the origins of the OSSTMM, Pete Herzog wrote that, “in the research for factual security metrics, factual trust metrics and reliable, repeatable ways for verifying security, including concretely defining security, we found that the practice of guessing forecasting risk was not only non-factual but also backwards. Risk stuck us into a never-ending game of cat and mouse with the threats.”

“Beginning with version 3, the OSSTMM is no longer just about security testing. The break-throughs we’ve had in security had us re-visit how we work with security. This includes risk assessments.”

Christoph Baumgartner, CEO of OneConsult GmbH in Switzerland – whose firm has been using the OSSTMM methodology since its inception – recently commented on the value proposition the methodology standard offers, stating that, “the most important aspect is that we have an easier time keeping our clients. Most of the companies and organizations which order security audits on a regular basis are fairly well organized and have a strong interest in gaining and keeping an adequate level of security.”

“Having the attack surface metrics, the ravs, means that they can watch trends and keep a close eye on how changes in operations affect their security directly. I can definitely confirm that many of our clients who have to change the supplier for security policy reasons expect their future suppliers to apply the OSSTMM.”

OSSTMM was developed by the Institute for Security and Open Methodologies (ISECOM), a non-profit collaborative community established in January 2001.

ISECOM is dedicated to providing practical security awareness, research, certification and project support services for non-partisan and vendor-neutral projects to assure their training programs, standards, and best practices are truly neutral of national or commercial influence.