Blogging Becoming Vehicle for Industrial Espionage

The proliferation of weblogs, or blogs, has some information security experts concerned about the possibility of this online medium becoming a vehicle for industrial espionage.

Like e-mail and instant messaging, employee blogging poses risks of disclosure (inadvertent or otherwise) of sensitive corporate information when used without appropriate policies. And that risk is increasing as the number of people jumping on the online-journal bandwagon continues to grow. Between 2003 and 2004, the blogging population doubled from about 4 million to 8.8 million, according to analysts' estimates.

Wild West

The blogging world is, virtually by definition, difficult to define and describe. An employee may blog about his pet hamster, or he may write detailed technical papers that could expose valuable data to competitors, or even hostile nations.

Even when employees blog primarily about their lives outside the office, occasional references to their bosses or their work may be unavoidable.

And people don't realize that they can be socially engineered in a blog just as they can in any other scenario, experts say. For example, in one incident, an IT engineer working for a Web-based firm was having trouble with the security of his company's network and found a blog site that discussed the same issues he was having.

In an effort to improve matters, the engineer used the blog to seek opinions on how he might reinforce the perimeter defenses and be more resistant to hackers. After several weeks of this blogging, one reader agreed to help him out. It turned out, however, that the reader offering help was a hacker tricking the troubled engineer into divulging proprietary information about his company's IT security architecture. The details needed to describe a problem well (product names and versions, network layout, what is and is not monitored) are exactly the reconnaissance an attacker would otherwise have to gather himself.

National Security Institute, Inc.

Password Protection Q&A

Today's average computer user has a staggering 40 accounts requiring usernames and passwords. Here are answers to some common questions on how to stay secure.

Q: Why can't I use the same password for all my accounts?
A: That's one of the most dangerous things you can do. If your work logon becomes known to anyone else (for example, because the same password leaked from some unrelated site where you reused it), then your employer's and all of your coworkers' security and confidentiality are at risk, as well as your own data and privacy.

Q: OK, but why do I need such difficult passwords? I work in a secure environment.
A: There are very good reasons for using strong passwords. For starters, all it takes is one disgruntled co-worker to steal your logon or infect the company network. Also, skillful hackers can crack weak passwords in minutes with an average PC.

Q: Why do I have to change my password so often?
A: Strong passwords may take months or years to crack, but it can be done. So experts advise that you change yours every three months or so, or after you learn of any network intrusion. (Current guidance such as NIST SP 800-63B has dropped the fixed schedule, which tends to produce predictable variations like "Summer07", and instead requires a change whenever there is evidence the password has been compromised; the second half of the advice above is the part that still stands.)

Q: What's the best strategy for creating super-strong passwords?
A: Here's what experts advise: use an uncommon phrase that you can remember, but replace some of the letters with numbers or special characters. For instance, "k1$$thew@!!" (kiss the wall), or better yet, "3k1$$thew@!!4" (kiss the wall between a pair of numbers). Keep in mind that if your password looks like something that someone might add to a dictionary file, it's probably not a good password. Dictionary files are used with cracking tools to run dictionary attacks (often loosely called "brute force" attacks, although a true brute-force attack tries every possible combination). These files contain common words, names, slang, and even many common password phrases and keyboard patterns such as "Pa$$w0rd", "1qaz@WSX" (type it) and "Bi!!yJ0e". One caveat: the same tools apply letter-for-symbol substitutions and added digits automatically, so a mangled dictionary phrase is only slightly stronger than the phrase itself. Length, and words that do not appear together in any list, matter more than substitutions, and a password manager lets you use a different random password for every account without memorizing any of them.
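To make the dictionary-file point concrete, here is an added example (not part of the NSI newsletter) of the rule-based dictionary attack that cracking tools run. The word list, the substitution table, the function names and the "leaked" hashes are all constructed for the illustration, and SHA-256 stands in for whatever unsalted hash a weak system stored. It applies case changes, the letter-for-symbol substitutions from the Q&A and an optional digit on either end to each dictionary entry, hashes every candidate and compares against the targets. Both of the Q&A's own suggestions fall out of the phrase "kiss the wall" this way; a passphrase of unrelated random words does not.

```python
"""Rule-based dictionary attack: mangle each dictionary entry, hash, compare.

Added example, not from the NSI newsletter. Word list and target hashes are
constructed; real attacks use leaked databases and lists of millions of words.
"""
import hashlib
import itertools

# Constructed word list: the kind of entries a cracking dictionary holds.
WORDLIST = ["password", "kiss the wall", "billy joe", "letmein"]

# Substitutions the rules may apply. Each eligible character is independently
# kept or replaced, so "password" yields "Pa$$w0rd", "p@ssword", "P@$$w0rd", ...
LEET = {"a": "@", "s": "$", "i": "1", "o": "0", "l": "!", "e": "3"}

# Optional single digit before and/or after the word ("3k1$$thew@!!4").
DIGITS = [""] + [str(d) for d in range(10)]


def case_variants(phrase):
    """lowercase, Capitalized, TitleCasePerWord and UPPERCASE, spaces removed."""
    words = phrase.lower().split()
    joined = "".join(words)
    return {joined, joined.capitalize(), "".join(w.capitalize() for w in words), joined.upper()}


def leet_variants(word):
    """Every combination of keeping or substituting each eligible character."""
    slots = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def candidates(phrase):
    """All mangled forms of one dictionary entry (exponential in eligible chars)."""
    for base in case_variants(phrase):
        for leet in leet_variants(base):
            for prefix in DIGITS:
                for suffix in DIGITS:
                    yield prefix + leet + suffix


def sha256_hex(text):
    # Unsalted hash of the password, as a weak system would store it.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Map each recovered hash to its plaintext; hashes never matched are absent."""
    remaining = set(target_hashes)
    recovered = {}
    for phrase in wordlist:
        for cand in candidates(phrase):
            digest = sha256_hex(cand)
            if digest in remaining:
                recovered[digest] = cand
                remaining.discard(digest)
                if not remaining:
                    return recovered
    return recovered


if __name__ == "__main__":
    # Constructed "leaked" passwords: the Q&A's own suggestions plus one
    # passphrase of random words that no mangling rule reaches.
    secrets = ["Pa$$w0rd", "k1$$thew@!!", "3k1$$thew@!!4", "Bi!!yJ0e", "turnip-glacier-oboe-44"]
    found = crack([sha256_hex(s) for s in secrets])
    for s in secrets:
        print(f"{s:25} {'cracked' if sha256_hex(s) in found else 'not cracked'}")
```

With this four-entry list the attack tries fewer than a hundred thousand candidates and finishes in well under a second in plain Python; a real tool with a GPU and a multi-million-word list covers far more substitution patterns than the six above, which is why the Q&A's warning about dictionary files should outweigh its substitution advice.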


Traveling with Your Laptop? Keep It and Your Data Safe

If you're among the millions of people who travel with a laptop PC for business or pleasure, here's some timely advice to protect your computer and the often-priceless data that resides on it.

Ensure your data is safe by encrypting and password-protecting sensitive files (encrypt the whole disk if you can; a logon password alone does not protect files on a drive pulled out of a stolen machine). Don't conduct any confidential business over a Wi-Fi connection in the airport or at your hotel; instead, make sure your IT department or computer support consultant has set up a virtual private network that will let you send e-mail and use the Web when on the road.

Don't get caught without the software applications you need. Check your laptop, especially if it's a company computer, to make sure you have all the correct programs loaded.

Check with your wireless provider to make sure you have voice and data access along your route. Several cell-phone providers now offer internationally compatible phones, but many phones only work in the U.S., so some international travelers may have to rent an extra phone for their trip, or buy a disposable one when they reach their destination.

Remember your memory device. As the price of flash-memory "thumb drives" has dropped while their capacity has increased, more travelers are using these handy devices to store and transport presentations, files, and important documents. Thumb drives may even allow you to leave your laptop at home in some situations, though it is important to password-protect and encrypt your data in case the drive is lost.

Back up all data before you hit the road, in case your laptop goes missing. Remember, the computer itself is relatively easy to replace; it's the data on it that could cost your company millions!


Employee-Caused Breaches Hurting Bottom Line

What's the most serious information security threat today? Hackers? Overly complicated corporate networks? None of the above: it's good old-fashioned human error.

That's the key finding from a new study performed by the Computing Technology Industry Association, or CompTIA. In the industry group's annual report on information security, human error was found to be responsible for almost 60% of security breaches last year.

That was a large increase over the prior year's survey, in which human error was to blame for 47% of breaches. Experts say that in an industry that prides itself on constant progress, such a large shift in the wrong direction is a major red flag.

Inevitable result?

To some extent, U.S. businesses have only themselves to blame for the rise in human error. For despite years of warnings on the importance of training and education, the CompTIA survey found the following:

Security training was required in only 29% of the companies surveyed.

Similarly, only 36% of respondents said they offer security awareness training to end users.

To put these numbers in perspective, 99% of companies use anti-virus software, and 91% use firewalls. Security analysts have long known that as security technology improves, hackers and corporate spies simply work harder to break the weakest link in the security chain: employees.

Other notable results from CompTIA:

Virus and worm attacks were the most commonly mentioned security problems for the fourth year in a row.

Approximately 40% of responding companies said they'd experienced at least one security attack in the past year.

Large companies (those with more than 7,000 workers) and educational institutions were most likely to be attacked.


FAQ: The New Phace of Phishing

Phishing scams are becoming ever more sophisticated. Once crude-looking and poorly written, they are now often so smooth and well targeted that even experts have to look twice. Research shows 70% of computer users are fooled at least some of the time.

We thought it an opportune time to answer some frequently asked questions about the evolution of phishing.

Q: What are phishers doing to fool skeptical consumers?
A: One recent development is the use of genuine-looking (but bogus, of course) security certificates that trick victims into thinking the Web page they've been linked to is legit. Many people look for a Secure Sockets Layer (SSL) certificate, the browser's padlock icon, as evidence that a site is on the up-and-up, but phishers have concocted SSL certificates that can fool most people. The caveat: a certificate, even a perfectly valid one, only vouches for the domain name shown in the address bar. A phisher who registers a look-alike domain can get a good certificate for it, so the padlock tells you the connection is encrypted, not that the site belongs to your bank. Check the domain name itself.
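One way to do that check in code, as an added example that is not from the newsletter: classify the host a link really points at against a list of trusted domains, catching the usual tricks (trusted name buried in a longer hostname, a username before "@", digit-for-letter swaps, accented letters, a one-character typo, a different top-level domain). The trusted list, the sample URLs and the function names are constructed for the example; the two-label approximation of the "registrable domain" is a simplification (production code should consult the Public Suffix List so that names like example.co.uk are handled), and the confusable table covers only the ASCII swaps shown, not cross-script homoglyphs such as Cyrillic letters.

```python
"""Classify a link's real hostname against trusted domains.

Added example, not from the NSI newsletter. Trust list and sample URLs are
constructed; registrable-domain logic is a two-label approximation.
"""
from urllib.parse import urlsplit
import unicodedata

# Constructed trust list, using the newsletter's own bank examples.
TRUSTED_DOMAINS = {"bankofamerica.com", "xyzlocalcu.org"}

# ASCII characters phishers use in place of the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s", "|": "l"})


def to_unicode(host):
    """Decode punycode (xn--) labels so IDN look-alikes can be compared as text."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not a valid IDN label


def registrable_domain(host):
    """Last two labels; an approximation of the Public Suffix List rule."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(name):
    """Fold accents/fullwidth forms to ASCII, map digit/symbol look-alikes, drop hyphens."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return folded.translate(CONFUSABLES).replace("-", "")


def levenshtein(a, b):
    """Edit distance, to catch one-typo domains like bankofamerca."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for the host a URL really points at."""
    parts = urlsplit(url)
    host = to_unicode((parts.hostname or "").lower())
    if not host:
        return "unknown"
    # "http://bankofamerica.com@203.0.113.5/": the text before '@' is a username;
    # the real host is what follows it.
    if parts.username and any(t in parts.username.lower() for t in trusted):
        return "lookalike"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    # Trusted name used as a subdomain or prefix of an attacker-controlled domain.
    if any(t in host for t in trusted):
        return "lookalike"
    # Same second-level label under another TLD, confusable spelling, or one typo away.
    label = normalize(domain.split(".")[0])
    for t in trusted:
        t_label = normalize(t.split(".")[0])
        if label == t_label or levenshtein(label, t_label) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    samples = [  # constructed
        "https://secure.bankofamerica.com/login",
        "http://bankofamerica.com.verify-account.net/",
        "http://bank0famerica.com/",
        "http://bankofamerica.com@203.0.113.5/",
        "https://www.example.org/",
    ]
    for url in samples:
        print(f"{classify_link(url):10} {url}")
```

The ordering matters: the exact-match test runs before the fuzzy ones so that the genuine domain is never reported as a look-alike of itself, and the username test runs first because the hostname of a URL with userinfo is the attacker's, not the bank's.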

Q: I have friends who fell for phishing scams because the e-mail they received actually had part of their credit-card number. How is this possible?
A: That's another new phishing trick that is diabolically clever. Banks issue thousands of credit cards with the same first four digits: the leading digits identify the issuer and card product, not the cardholder, so every card in a product line shares them. Phishers know that if they shotgun out enough e-mails, some recipients will recognize these digits and be tricked.

Q: What is spear phishing, and why is it effective?
A: Spear phishing is essentially a phishing attack aimed at a very small group of people. It is more effective than large-scale phishing simply because it's unexpected. For example, Bank of America customers are cynical because they've seen so many phishing e-mails, but customers of XYZ Local Credit Union may be easier to fool.

Indeed, spear phishing can be targeted at the employees of a single company. Hackers sometimes send e-mails claiming to be help-desk employees, in an effort to learn recipients' computer logons.


How Confidential Data Walks Out the Door

A new survey reveals that nearly half of government workers have taken sensitive data files home in the past six months to keep up with their work.

A new round of publicity about the problem was sparked recently when a Veterans Administration employee took home a laptop that contained personal information on 26.5 million U.S. veterans. The laptop was stolen, placing an unprecedented quantity of data at risk.

The theft has sent government agencies a chilling message about the need to take new data security measures to prevent confidential data from walking out the door.

Unfortunately, new research confirms there's good reason for govern