Blogging Becoming Vehicle for Industrial Espionage

The proliferation of weblogs, or blogs, has some information security experts concerned about the possibility of this online medium becoming a vehicle for industrial espionage.

Like e-mail and instant messaging, employee blogging poses risks of disclosure (inadvertent or otherwise) of sensitive corporate information when used without appropriate policies. And that risk is increasing as the number of people jumping on this online journal bandwagon continues to increase. Between 2003 and 2004, the blogging population doubled from about 4 million to 8.8 million, according to analysts’ estimates.

Wild West

The blogging world is, virtually by definition, difficult to define and describe. An employee may blog about his pet hamster – or he may write detailed technical papers that could potentially expose valuable data to competitors, or even hostile nations.

Even when employees blog primarily about their lives outside the office, occasional references to their bosses or their work may be unavoidable.

And people don’t realize that they can be socially engineered in a blog just as they can in any other scenario, experts say. For example, in one incident, an IT engineer working for a Web-based firm was having trouble with the security of his company’s network and found a blog site that actually discussed the same issues he was having.

In an effort to improve matters, the engineer used a blog to seek opinions on how he might reinforce the perimeter defenses and be more resistant to hackers. After several weeks of this blogging, one reader agreed to help him out. It turned out, however, that the blogger offering help was a hacker tricking the troubled engineer into divulging proprietary information about his company’s IT security architecture. A public description of what your defenses are and where they fall short is a map for an attacker; questions like these belong with a vendor or a vetted peer group, not an open forum.

© National Security Institute, Inc.


Password Protection Q&A

Today’s average computer user has a staggering 40 accounts requiring usernames and passwords. Here are answers to some common questions on how to stay secure.

Q: Why can’t I use the same password for all my accounts?
A: That’s one of the most dangerous things you can do. Your accounts are only as secure as the weakest site holding that password: if a low-value site is breached, or your work logon otherwise becomes known to anyone else, the attacker can reuse it everywhere, and your employer’s and all of your coworkers’ security and confidentiality are at risk (as well as your own data and privacy).

Q: OK, but why do I need such difficult passwords? I work in a secure environment.
A: There are very good reasons for using strong passwords. For starters, all it takes is one disgruntled co-worker to steal your logon or infect the company network. Also, skillful hackers can crack weak passwords in minutes with an average PC, and a "secure environment" is no help once a copy of the password file has left the building.

Q: Why do I have to change my password so often?
A: Strong passwords may take months or years to crack, but it can be done. So experts advise that you change yours every three months or so, and immediately after you learn of any network intrusion. Changing a password promptly when you suspect it has been exposed matters far more than the calendar interval.

Q: What’s the best strategy for creating super-strong passwords?
A: Here’s what experts advise: Use an uncommon phrase that you can remember, but replace some of the letters with numbers or special characters. For instance, "k1$$thew@!!" (kiss the wall), or better yet, "3k1$$thew@!!4" (kiss the wall between a pair of numbers). Keep in mind that if your password looks like something that someone might add to a dictionary file, it’s probably not a good password. Dictionary files are used with hacker tools to do "dictionary" attacks, which try every entry in the file, usually with substitution and append rules applied, rather than blindly trying every possible combination the way a true brute-force attack does. These dictionary files contain common words, names, slang, and even many common password phrases and keyboard combinations such as "Pa$$w0rd," "1qaz@WSX" (type it), and "Bi!!yJ0e." One caveat: the letter-for-symbol swaps shown above are exactly the rules those tools apply, so the strength comes from the phrase being genuinely uncommon and long, not from the substitutions alone.
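As an added illustration (not part of the National Security Institute newsletter), the Python script below shows why a password that "looks like something someone might add to a dictionary file" is weak even when a naive keyspace calculation says it would take thousands of years to brute-force. The wordlist, the leet-substitution table and the one-billion-guesses-per-second rate are constructed assumptions for this example; real cracking tools use far larger wordlists and richer mangling rules, so passing this check is not evidence of strength.

```python
"""Why leet-speak passwords fall to dictionary attacks.

Added example, not code from the newsletter. The wordlist is a small
constructed stand-in for the "dictionary files" the article mentions.
"""
import string

# Constructed sample wordlist: a few common words, names and password phrases.
SAMPLE_WORDLIST = {
    "password", "kissthewall", "billyjoe", "qwerty", "letmein",
    "welcome", "dragon", "monkey", "baseball", "football",
}

# Leet substitutions a mangling rule reverses. Ambiguous glyphs map to
# several letters ('1' may stand for 'i' or 'l'); every option is tried.
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "il", "|": "l", "+": "t",
}


def deleet_candidates(password, limit=1024):
    """Return every plaintext the leet-speak password could encode.

    'k1$$thew@!!' expands to eight strings, one of which is 'kissthewall'.
    The limit bounds the expansion for inputs with many ambiguous glyphs.
    """
    candidates = [""]
    for ch in password.lower():
        options = LEET.get(ch, ch)  # a plain character maps to itself
        candidates = [c + o for c in candidates for o in options][:limit]
    return set(candidates)


def dictionary_hit(password, wordlist=SAMPLE_WORDLIST):
    """Return the wordlist entry the password is built from, or None.

    Models two common mangling rules: strip digits bolted onto the front
    or back ('3k1$$thew@!!4' -> 'k1$$thew@!!'), then undo leet swaps.
    Both the stripped and the raw form are tried, as a real rule set would.
    """
    for variant in (password.strip(string.digits), password):
        for candidate in sorted(deleet_candidates(variant)):
            if candidate in wordlist:
                return candidate
    return None


def charset_size(password):
    """Size of the standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_years(password, guesses_per_second=1e9):
    """Years to exhaust the full keyspace at the assumed guess rate.

    The rate is an assumed round number (roughly one GPU against a fast
    hash); the result is an upper bound that a dictionary attack sidesteps.
    """
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def assess(password):
    """Both views of a password: naive keyspace estimate and dictionary exposure."""
    return {
        "brute_force_years": brute_force_years(password),
        "dictionary_hit": dictionary_hit(password),
    }


if __name__ == "__main__":
    for pw in ["k1$$thew@!!", "3k1$$thew@!!4", "Pa$$w0rd", "Bi!!yJ0e",
               "correct horse battery staple"]:
        print(f"{pw!r}: {assess(pw)}")
```

Run it and both "kiss the wall" variants, along with the newsletter’s "Pa$$w0rd" and "Bi!!yJ0e", resolve to a wordlist entry despite naive brute-force estimates of thousands of years, while a long phrase with no dictionary base survives the check. That is the article’s own point: an uncommon, long phrase beats symbol substitution.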


Traveling with Your Laptop? Keep It and Your Data Safe

If you’re among the millions of people who travel with a laptop PC for business or pleasure, here’s some timely advice to protect your computer – and the often-priceless data that resides on it.

Ensure your data is safe by encrypting and password-protecting sensitive files; better still, encrypt the whole disk, so that nothing is left in the clear if the machine is lost. Don’t conduct any confidential business over an unprotected Wi-Fi connection in the airport or at your hotel; instead, make sure your IT department or computer support consultant has set up a virtual private network that will carry your e-mail and web traffic when you are on the road.

Don’t get caught without the software applications you need. Check your laptop, especially if it’s a company computer, to make sure you have all the correct programs loaded.

Check with your wireless provider to make sure you have voice and data access along your route. Several cell-phone providers now offer internationally compatible phones, but many phones only work in the U.S., so some international travelers may have to rent an extra phone for their trip, or buy a disposable one when they reach their destination.

Remember your memory device. As the price of flash-memory "thumb drives" has dropped while their capacity has increased, more travelers are using these handy devices to store and transport presentations, files, and important documents. Thumb drives may even allow you to leave your laptop at home in some situations, though it is important to encrypt the data on them (a password prompt that does not actually encrypt the contents is trivially bypassed), in case the drive is lost.

Back up all data before you hit the road, in case your laptop goes missing. Remember, the computer itself is relatively easy to replace – it’s the data on it that could cost your company millions!


Employee-Caused Breaches Hurting Bottom Line

What’s the most serious information security threat today? Hackers? Overly complicated corporate networks? None of the above: it’s good old-fashioned human error.

That’s the key finding from a new study performed by the Computing Technology Industry Association, or CompTIA. In the industry group’s annual report on information security, human error was found to be responsible for almost 60% of security breaches last year.

That was a large increase over the prior year’s survey, in which human error was to blame for 47% of breaches. Experts say that in an industry that prides itself on constant progress, such a large shift in the wrong direction is a major red flag.

Inevitable result?

To some extent, U.S. businesses have only themselves to blame for the rise in human error. For despite years of warnings on the importance of training and education, the CompTIA survey found the following:

Security training was required in only 29% of the companies surveyed.

Similarly, only 36% of respondents said they offer security awareness training to end users.

To put these numbers in perspective, 99% of companies use anti-virus software, and 91% use firewalls. Security analysts have long known that as security technology improves, hackers and corporate spies simply work harder to break the weakest link in the security chain: employees.

Other notable results from CompTIA:

Virus and worm attacks were the most commonly mentioned security problems for the fourth year in a row.

Approximately 40% of responding companies said they’d experienced at least one security attack in the past year.

Large companies (those with more than 7,000 workers) and educational institutions were most likely to be attacked.


FAQ: The New Phace of Phishing

Phishing scams are becoming ever more sophisticated. Once crude-looking and poorly written, they are now often so smooth and well targeted that even experts have to look twice. Research shows 70% of computer users are fooled at least some of the time.

We thought it an opportune time to answer some frequently asked questions about the evolution of phishing.

Q: What are phishers doing to fool skeptical consumers?
A: One recent development is the use of genuine-looking (but bogus, of course) security certificates that trick victims into thinking the Web page they’ve been linked to is legit. Many people look for a Secure Sockets Layer (SSL) certificate, or the padlock that signals one, as evidence that a site is on the up-and-up. But a certificate only proves that you are talking to the domain named in it; phishers can obtain a perfectly valid certificate for a look-alike domain, or simply draw a padlock image on the page, and either will fool most people.

Q: I have friends who fell for phishing scams because the e-mail they received actually had part of their credit-card number. How is this possible?
A: That’s another new phishing trick that is diabolically clever. The first digits of a card number identify the issuing bank, not the customer, so a bank issues thousands of credit cards with the same first four digits. Phishers know that if they shotgun out enough e-mails, some recipients will recognize these digits and be tricked.

Q: What is “spear phishing,” and why is it effective?
A: Spear phishing is essentially a phishing attack aimed at a very small group of people. It is more effective than large-scale phishing because it is tailored to its targets and therefore unexpected. For example, Bank of America customers are cynical because they’ve seen so many phishing e-mails – but customers of XYZ Local Credit Union may be easier to fool.

Indeed, spear phishing can actually be targeted at employees of a single company. Hackers sometimes send e-mails claiming to be help-desk employees, in an effort to learn recipients’ computer logons.


How Confidential Data Walks Out the Door

A new survey reveals that nearly half of government workers have taken sensitive data files home in the past six months to keep up with their work.

A new round of publicity about the problem was sparked recently when a Veterans Administration employee took home a laptop that contained personal information on 26.5 million U.S. veterans. The laptop was stolen, placing an unprecedented quantity of data at risk.

The theft has sent government agencies a chilling message about the need to take new data security measures to prevent confidential data from walking out the door.

Unfortunately, new research confirms there’s good reason for government officials and the public at large to be concerned. A recent survey in a magazine for government computer workers found that 46% of respondents have taken government data files home in the past six months.

That data is moved or carried through a variety of means. The most frequent methods survey respondents reported were the following:

Laptop computer: 54%

Virtual private network or secured network: 41%

Key drive: 34%

CDs/DVDs: 32%

E-mail: 31%

External/portable disk drive: 17%

Paper copies: 4%

PDAs/cell phones: 2%

Security analysts say the most important lesson, for government agencies and private businesses alike, is to enforce existing policies around moving sensitive information. The VA had a policy strictly limiting the practice, but hearings have shown that a lax culture led agency employees to ignore it at will, which in turn led to the disastrous loss.

Generally speaking, sensitive customer data should only go home with employees when it is encrypted and a manager signs off on the idea.


Security Reminder: Protect What You Print

While warnings about digital security get all the attention, don’t forget about the vulnerability of physical documents.

Picture this typical scenario: You’re in the final stages of preparing a business proposal or contract. You hit Print, then get distracted by a co-worker or the phone.

Ten minutes later, you finally get to the shared printer and either A) pick up your document, or B) see that it’s not there, curse the printer, and go hit Print again.

In the case of A, do you really know what happened to the document in the 10 minutes you left it there? Can you be sure it wasn’t photocopied or at least eyeballed by a disgruntled co-worker who may be bent on sabotaging the company?

And in the case of B, note that you assumed the printer had screwed up again – but did it? Or did the aforementioned co-worker simply walk off with your document?

Inherent trust

Security experts point out that there is an enormous amount of “inherent trust” in printers. Sadly, that makes them hotbeds for hacking and spying. Printer makers and company security departments need to attack these vulnerabilities.

On the physical side, the solution can be as simple as requiring employees to key in a PIN at the printer before their print job rolls (often called pull printing or secure print release). More and more enterprises are taking this approach.

The other side of the coin is that today’s printers (as well as copiers) keep copies of the files they process, typically on an internal hard drive that can retain jobs long after they have printed, which creates yet another area of vulnerability. Security experts have long called this a ticking time bomb, as few IT groups have addressed the need for improved security around these devices.


Online Banking: What You Need to Know to Stay Safe

You may be stunned to read this, but it’s true: Even with all the highly publicized risks surrounding Internet banking, statistics show it’s safer to bank online than with traditional manual methods.

Of course, that doesn’t make online banking foolproof; far from it. But if you know what to look for, you can maximize your chances at a safe experience. Here’s the info you need to make informed choices:

Confirm. Whether you’re selecting a traditional, “brick-and-mortar” bank that has a website, or a 100% Internet bank, you should nail down some basic information before signing up. Make sure your deposits will be federally insured (up to $100,000, the FDIC limit at the time of writing). Check the Better Business Bureau and the FDIC website for complaints.

Check encryption. Encryption is the process of scrambling digital data so that only authorized users can see it. Ask about your prospective bank’s practices, keeping in mind that the number quoted is the key length and a longer key is better – 128-bit encryption is the present gold standard. Key length is only part of the picture, though: the cipher must be a modern one and the bank’s software must be kept patched.

Security icons. Always make sure your web transactions are taking place in a secured environment. The easiest way to check is to look for a small padlock or key icon in your browser’s own frame (older browsers show it in the status bar at the bottom, newer ones in the address bar). A padlock drawn inside the page itself proves nothing, and even a genuine padlock only confirms that the connection to the address shown is encrypted, so check that the address really is your bank’s.

Monitor regularly. One nice feature of Internet banking is that you can check your transactions almost in real time, as opposed to waiting for a monthly statement. Take advantage of this access – log in regularly and scan your accounts for unauthorized transactions.


Social Engineering: Recognizing an Attack

In the world of computer security, the term “social engineering” refers to tricking someone into revealing information that’s useful to attackers, such as a password.

Experts agree that in most successful cyber-attacks, the human factor is the weak link. Social engineers are merely con artists – often very good ones – who use their powers of persuasion to get victims to act against their own better judgment.

Here are some tips to make sure you don’t fall for social engineering and endanger proprietary company information.

Protect your password. The single most common social engineering attack is a phone call requesting your computer password. The caller confidently says he’s a help-desk technician or a member of the IT staff. He may speak some gobbledygook about why your password is needed immediately. Don’t fall for it! A genuine help desk can reset your password without ever needing to know it. The attacker is hoping that the tech jargon and businesslike tone will buffalo you into doing what you know you shouldn’t: telling your precious password to a complete stranger.

Badger for badges. Brazen social engineers often walk right into facilities to do a little “dumpster diving” (searching trash cans for valuable info), or to pose as IT workers. If employees and visitors in your building are required to wear ID badges or display key cards, it is your responsibility to challenge strangers for appropriate identification. This is not easy for most people, as it is a confrontation that can potentially be unpleasant – but remember, the attackers are counting on your hesitance!

Common sense prevails. The rule of thumb for preventing successful social-engineering attacks is simple but requires nerve, experts say: don’t do things that make you vaguely uncomfortable, or which deep down you know you shouldn’t do. Remember, your company is counting on you to safeguard data.


Laptop Thieves Stake Out Wi-Fi Hotspots

These days, it’s as much as your life is worth to sit down in a Starbucks with a latte and a laptop.

Think we’re joking? A San Francisco man recently suffered a collapsed lung when he was stabbed in the chest by thieves who made off with his Apple PowerBook. According to law-enforcement officials in many U.S. cities, cyber-cafes and other popular wireless nesting grounds have grown popular with creeps after quick cash.

This may seem radical, but as one expert pointed out, what other thousand-dollar objects do you see lying around unprotected in urban areas?

The brazen thieves sell the computers for a fraction of their value, police say – often as little as $100.

Priceless data

For employees whose laptops hold key company information, the $1,000 to $2,500 it costs to replace the hardware is a minor issue. Much more important is the potential loss to the company of the data on the hard drive. Recent studies show that laptops often include over $1 million worth of information, including product and marketing plans, customer lists, and other information.

Moreover, many respected U.S. businesses have been embarrassed publicly and faced costly lawsuits when personal information belonging to customers went missing due to a lost or stolen laptop.

Experts say a few commonsense precautions can prevent employees from costing their companies millions:

Think very carefully about whether customer data should even reside on laptop computers.

Before using your laptop in a library, café, or airport lounge, look around and assess the security of your environment.

Encrypt important files so that even if your computer is lost or stolen, the vital data within it remains safe.
