Are you connected to unknown networks?

February 9, 2011

Chances are you are not only connected to your business network but also to other unknown or malicious networks with highly sophisticated cyber criminals. Let me explain…

You are aware of your local network. It consists of servers, printers, other systems and even devices like PDAs. Then there are peer-to-peer file sharing networks, or P2P networks. These are networks that consist of subscribers to services like Napster, Kazaa and Gnutella, where users can share files like music, images and video. The threat with being associated with these networks is that you are giving other anonymous users access to your system, and with little effort they can access other files that contain your financial information or office documents. This is a growing concern for business leaders whose users use their corporate systems for these purposes.

Then there is the botnet. A botnet (robot network) is formed when an agent (a software program) is installed on your system and makes it part of a network. One of the most popular and recent bots is the Conficker worm, said to have made its way onto over 7 million government, business and home systems. Most of these networks are run by cyber crime syndicates like the Russian Business Network, Shadow Crew and the Gray Pigeons.

Albert Gonzalez, one of the captains of Shadow Crew, was responsible for the largest security breaches, including those at companies like 7-Eleven Inc., New England grocery store chain Hannaford, and payment card processor Heartland Payment Systems.

Have your systems checked, and checked often, to make sure you aren’t sharing information you would rather not share. The other threat is that these networks use your system resources to spread spam and host images, just to name a few uses.

Here is an interesting story about a company that was breached as a result of a user having a P2P application installed on one of its systems. Below is a video that YOU MUST WATCH that illustrates how your children can expose all kinds of information that is stored on your system.

Information Week Article


10 ways malicious software gets installed on your computer

February 4, 2011

If you take note, all of these methods are self-inflicted. In other words, most of the time you install the malware for the cyber criminals. Don’t be fooled… security isn’t a firewall, anti-virus or other security software solution. Security is a mindset combined with a holistic approach including protection, detection and prompt response methods.

1. Email attachments

2. Portable media (e.g. USB drives, CDs, external hard drives, etc.)

3. Visiting Malicious Web Sites

4. Downloading files from web sites

5. Participation in P2P File Sharing Services (Limewire, Napster, etc.)

6. Instant messaging

7. Social Networking sites

8. Social Engineering Attacks

9. Not following security guidelines and policies

10. Ignoring common sense


5 steps to secure your data

February 1, 2011

There are five steps to creating a good security plan: assess, plan, execute, monitor and repeat.

  • Risk Assessment. Identify key digital assets and information that need to be protected, including hardware, software, documentation and data. Review the threats and risks. Make a prioritized list of items to protect.
  • Plan. Create a work plan for preventing, detecting and responding to security threats. Identify who will be responsible for implementing and monitoring the plan. Agree a timetable for implementation.
  • Execute. Communicate with staff. Train where necessary. Remediate until all known threats are mitigated.
  • Monitor. Continue to monitor for new threats and follow up with prompt remediation. Build a mindset that security is a discipline and build this mindset into your culture. Software tools alone can’t secure your data. Continue to educate end users and those that have access to the data. Update and modify the plan as changes occur in personnel, hardware or software.
  • Repeat. Plan for a complete review periodically. Consider assessing quarterly, but let no more than six to twelve months pass after you complete the first plan, and reassess when your business goes through significant changes.

Commit to the program and don’t wait until an incident disrupts your business. It isn’t the breach that will really cost you; it is the tarnished image that businesses get following the breach that is the most costly. Statistics show that customers, typically the high profile ones, will abandon a company or system if they feel uncomfortable with its security.

Here is a great example.


Are your employees Facebook addicts?

January 25, 2011

If you have over 500 friends, continue to change your profile picture over and over again, check your profile 2-3 times per hour and update your status while you’re driving, then you have a problem. This is becoming a major issue for employers, and we have had some of our clients go as far as firing employees for their online social media abuse. Facebook isn’t the only culprit; it just seems to be the biggest one.

What can we do to prevent this from killing productivity?

There are filters that can be added to control the content that your users can access. This will not only increase productivity but also increase the security of your information, as many malicious infections are installed on your systems when your users are accepting a virtual drink from their Facebook friends. In addition to filtering your web traffic, you could talk to your employees and let them know about the dangers to your data and to their job!

Maybe passing this video around your office might make your users aware of how silly their addiction is and encourage them to stop wasting company time.


Protect your children from online threats

January 20, 2011

Here are a couple of great videos to help you protect your children from online predators, cyber bullying and other problems that come from posting personal information online. It is critical that we stay proactive in understanding these threats and talking with our children to make sure they are aware of the dangers. Here are a couple of additional links to some good audio clips and a free ebook as well.

Audio Clips – I love Marvin’s story
Free eBook Link


9 myths of safe web browsing

January 20, 2011

Myth #1: The web is safe because I have never been infected before.
You may not even know you’re infected. Many web malicious software (aka malware) attacks are designed to steal personal information and passwords or use your machine for distributing spam, malware or inappropriate content without your knowledge.

Myth #2: My users aren’t wasting company time surfing the web
The fact is that more than 40% of corporate internet use is inappropriate and going unchecked—an average of 1 to 2 hours per day per user. To make matters worse, the potential for employees being exposed to inappropriate content can have serious legal ramifications to any organization. The internet is full of studies related to internet use in the workplace, from gambling and pornography to less nefarious activity such as social networking and travel planning. Furthermore, incidents of internet addiction disorder are increasing, with current estimates suggesting up to 5% to 10% of internet surfers have some form of web dependency.

Myth #3: We control web usage and our users can’t get around our policy
Anonymizing proxies make it easy for employees to circumvent your web filtering policy and visit any site they like. Anonymizing proxies are readily available and regularly exploited by school kids and employees alike. Hundreds of new anonymizing proxies are published daily. If you don’t think this is an issue, you can simply Google “bypass web filter” to see there are over 1.8 million ways to do this.

Myth #4: Only porn, gambling, and other “dodgy” sites are dangerous
Hijacked trusted sites represent more than 83% of malware hosting sites. That’s correct. The majority of infected sites are websites that you trust and visit daily—they’ve just been hacked to distribute malware. Why? Because these sites are popular, high-traffic venues that silently distribute malware to unsuspecting visitors. Download the infected sites list to see just a small sampling of these kinds of sites.

Myth #5: Only naive users get infected with malware and viruses
Malware from drive-by downloads happens automatically without any user action, other than visiting the site. Therefore, it doesn’t matter what level of computer expertise you have. The fact is, if you are visiting sites on the internet, you are at risk.

Myth #6: You can only get infected if you download files.
Most malware infections now occur through a “drive-by” download. Hackers inject the malicious code into the actual web page content, then it downloads and executes automatically within the browser as a by-product of simply viewing the web page.

Myth #7: Firefox is more secure than Internet Explorer
All browsers are equally at risk because all browsers are essentially an execution environment for JavaScript, which is the programming language of the web and therefore used by all malware authors to initiate an attack. In addition, many exploits leverage plug-ins such as Adobe Acrobat reader software, which runs across all browsers. Although the more popular browsers may get more publicity about unpatched exploits, it’s the unpublicized exploits you should be most concerned about. The fact is, there is no safe browser.

Myth #8: When the lock icon appears in the browser, it’s secure.
The lock icon indicates there is an SSL encrypted connection between the browser and the server to protect against the interception of personal sensitive information. It does not provide any security from malware. In fact, it’s the opposite because most web security products are completely blind to encrypted connections: it’s the perfect vehicle for malware to infiltrate a machine.

Myth #9: Web security requires a trade-off between security and freedom
While the internet has become a mission critical tool for many job functions, whether it’s Facebook for HR or Twitter for PR, it’s completely unnecessary to create a trade-off between access and security. A suitable web security solution provides the freedom to grant access to sites that your users need while keeping your organization secure.

source: Sophos


Reasons how your data will be compromised

January 11, 2011

If you notice, all of these reasons have to do with your employees and their awareness (or lack thereof). Firewalls, passwords and other popular security measures won’t stop your data from ending up in the wrong hands. Start a security awareness program within your organization, remind your employees often (at least quarterly) and make it a priority (or they won’t care).

  1. Employees taking information from the office to work at home.
  2. Failure to recognize and report adverse information about a co-worker.
  3. Processing data on unapproved computer systems.
  4. Employee reluctance to challenge strangers in restricted areas.
  5. Business travelers not reporting suspicious contacts or foreign travel.
  6. Employees falling for social engineering ploys for sensitive data (hoax, spam, etc).
  7. Cleared workers’ failure to recognize potential approaches from foreign spy services.
  8. Improper handling and disposal of sensitive data.
  9. Workers bringing unauthorized portable devices into work and opening up the network to hackers, spies and information thieves.

Are you smarter than internet scammers?

January 7, 2011

I’m certain everyone reading this has received and clicked on an email scam, Facebook post or some other kind of scam that seemed to be legit. It is an attack called phishing, and it can be really tough to detect the really good ones. Many times when an organized crime syndicate compromises a database of users, it is with the intent to send them phishing emails to scam them. For instance, when Monster.com, a job posting and seeking website, was compromised, the users would receive emails indicating that they had been selected for a job but had to fill out a “prescreen” survey due to the large number of applicants. The eager and in most cases recently laid off applicants would rush to send in the application, which included personal information that gave the scammers enough information to create virtual identities and get to work.

Below is a story that just happened within the past couple of weeks. If you own a Honda you will want to read this article and be cautious if you receive what seem like legit emails or phone calls. Educating your users and implementing prevention measures like content and spam filters are the most effective ways to reduce the likelihood that this could happen to someone in your organization or circle of friends.

–Honda Customer Database Security Breach
(December 29, 30 & 31, 2010)
Honda Motor Company is warning millions of its customers that intruders
have gained access to their email addresses, probably through an attack
on Silverpop Systems, a third-party marketing services provider.  The
breach appears to affect two million Honda owners and three million
Acura owners and also includes names and vehicle identification numbers.
The compromised information could be used in phishing attacks.

Honda Web Site Hacked – MSNBC Report

 


Wikileaks – How leaked secrets can impact you?

December 28, 2010

If you haven’t heard of the Wikileaks story, I’ll sum it up briefly and further the point that end user awareness is the secret behind securing your corporate digital assets (data). Wikileaks is a site with the mission to expose important information to the public; they are leveraging their “anti-censorship” rights but at the risk of jeopardizing our country’s security. In doing so, many are viewing this as an act of terrorism. Many technology companies have taken their stand against Wikileaks. For example, Amazon kicked them off of their web hosting servers and Apple banned the news feed app that was developed.

These secrets were leaked mostly by whistle-blowers from the inside. As an example… Bradley Manning, an Army intelligence specialist, has been charged with multiple counts of mishandling and handing over many classified documents and videos.

What if this were to happen to your business? What valuable information could be leaked out that could hurt the integrity of your business, your employees or yourself? Could you stop it from happening? Could you control it? What if financials were exposed, legal attacks made public, sexual abuse accusations and the like? With social media services like Twitter, Facebook and LinkedIn, information can be spread to thousands of individuals in just minutes. Whether the information is factual or not, once it is out it can spread like wildfire. Your firm’s reputation can be destroyed because an employee had a bad day and posted something negative about you or your company on their Facebook wall, and they might not have even realized what they were doing when the idea struck them.

Educate your employees, let them know the dangers and protect your company’s image and information.


End User Awareness – The key to security

December 27, 2010

We already know that the problem of completely securing our data will never be solved. This problem can only be minimized through a holistic approach and mindset. Dave Stelzl uses the illustration of a house to further this point. Stelzl states that you cannot keep criminals out of our homes using traditional locks, bolts, fences and other prevention mechanisms. I know this because I have all of these security measures on my home and we still had an intruder come in and take valuables one evening a couple of years ago. Security is the same no matter what you are trying to protect, including your family or your corporate data. I’m not advocating that you don’t try; in fact I’m suggesting just the opposite. You wouldn’t just take the locks, bolts, alarm systems and weapon of choice out of your home, right? I’m suggesting applying the protection, detection and response mindset that we have with our homes to our data.

Our employees have access to pretty much all of our data, and they need access to it to perform their job and help operate the business. So if the largest cause of security breaches is simply that an end user of the information mishandled it, typically by accident, then wouldn’t it make sense to educate them and make them aware of this? Of course! Here is a video from the CEO of AVG, a security software company, making this very point. Oddly, most of these software/hardware manufacturers will make you believe that simply installing their product will solve all of your problems.