Tuesday, December 2, 2014

The 4 R's of ID Fraud (part 2)

   As promised, in this post we'll wrap up the series about ID Fraud.  Check here if you'd like to see the first 3 parts of this series, and the first half of this post.

   So far we've focused on what ID Fraud is, and in the third installment, the steps you should take now if you are a victim.  As we've discussed, having the information for one of your credit cards grabbed in an attack such as we saw on Target or Home Depot doesn't automatically mean you will have other ID Fraud related problems.

   But we should all take steps to reduce our exposure and the odds that our ID and financial information will be fraudulently used... or at least increase the odds that we'll notice any problems quickly.

   We'll continue with the 4 R's: Review, Reduce, Record, Report. (unlike the 5 D's of dodge ball! :-)

Reduce - the amount of information you give out online.
  • Use care when emailing personal information.  Don't unless you need to.  Provide a minimum amount of information. Use encrypted email if it's available.
  • Choose passwords and hints that are not based on personal information.
  • Don't "click here to unsubscribe" from a spam or unwanted message - it just lets them know you exist.
  • Shop online with reputable or known vendors.
  • Delete doesn't really delete.
  • Use malware protection on your home computers and devices.
  • And a bonus tip for online - watch out for Phishing messages.  That's a big topic that I've covered in the past, and probably will revisit as scammer techniques evolve.

Tuesday, November 18, 2014

The 4 R's of ID Fraud (part 1)

   As part of our celebration of US Cyber Security Awareness Month, we've been talking about ID Fraud.  Check here if you'd like to see the first 3 parts of this series.

   So far we've focused on what ID Fraud is, and in the third installment, the steps you should take now if you are a victim.  As we've discussed, having the information for one of your credit cards grabbed in an attack such as we saw on Target or Home Depot doesn't automatically mean you will have other ID Fraud related problems.

   But we should all take steps to reduce our exposure and the odds that our ID and financial information will be fraudulently used... or at least increase the odds that we'll notice any problems quickly.

   Our theme for today is the 4 R's: Review, Reduce, Record, Report (just like you learned when you were a kid! :-)

[as I was writing this, the post became really long so I've broken it up into 2 parts]

Review - your credit report.  You are entitled to 1 free report from each of the big 3 credit reporting agencies each year.  So, spread it out and get 1 every 4 months.  The US FTC endorsed site to get these reports is www.annualcreditreport.com.  You can also put a fraud alert on your account as we discussed last time.
   You're also entitled to a free copy of your credit report if you:

Tuesday, November 4, 2014

Got ID Fraud? - Stop, Drop and Roll

   OK, maybe not stop, drop and roll (I'll always remember that fire safety phrase from my childhood), but take action!

   Cyber Security Awareness Month is now over, and I haven't finished covering the ID Fraud topic I started at the beginning of Oct.  I did get distracted on some other issues.  Besides, we can't confine our celebrating to only one month!

   I covered the basics of ID Fraud in these posts.  But if you have been a victim, and particularly if you recently discovered you are victim, you need to take action... and time matters.

   Here are the four key things you need to do, right now, if you have recently been the victim of ID Fraud in the US:
  1. Contact one of the three major Credit Bureaus (we'll leave a discussion of the "4th credit bureau" for another time).
  2. Close the suspect accounts.
  3. File a police report.
  4. File a report with the FTC by phone and in writing.
   I'll provide more detail and add a few more steps below.

   One additional thing you must do throughout this process is to keep a record of everything you do.  This includes: noting the date/time of phone calls; keeping copies of letters; printing out any web forms; and keeping a chronological log of your overall progress.

   The FTC website has the specifics here.

Contact one of the Credit Bureaus and put a fraud alert on your account.
   This is the first thing to do.  You can put what is called an initial fraud alert on your credit record.  This initial alert will last 90 days.  It should not cost anything to place this alert.  The bureau you call should contact the other two credit bureaus, but it doesn't hurt to verify this with them.
   The fraud alert basically requires extra effort to authenticate any requests for new credit.  This typically means that the credit issuer needs to contact you before issuing credit.  This should make it tougher for a fraudster to open credit in your name.  That's good!  The downside is that it also might make it more difficult for you to open new credit.
   After the initial 90 day period, you can renew the alert every 90 days.  This may cost a nominal fee depending upon what state you live in (US).
   (we'll talk about other measures like credit monitoring services in a future post)

Close the affected accounts.
   Contact the credit issuer and close any accounts you know were affected.  If your purse or wallet was stolen, then close all the accounts for the cards you were carrying.
   If you're not sure if a particular account was affected, you're probably best off closing it as well.

File a police report.
   Contact your local police and file a report.  Except in rare cases where there was additional theft (for example, if your identifying documents and credit cards were stolen as part of a home break-in), the police will not actually take any action.  You're not contacting the police so they will investigate the problem.  You are establishing documentation and proof of the event.  In the future, you may need to prove that you took action and when you took action.  The police report accomplishes this.  Get a copy of that report.

File a complaint with the FTC (US Federal Trade Commission).
   Again, this is part of establishing your documentation trail.  The FTC has a great website for information that I'll link below.  The specific instructions for filing the FTC complaint are here.  Note that they suggest filing with the FTC before filing the police report.  The order is not critical, but you need to do both.  You can complete the FTC form online, so that might be easier, and it's available 24x7.

   Those are the first steps to take.  But there are more.  Here are a few more steps to take:

Who else to notify?
   You may want to notify your other banks and creditors both to find out if there has been any unusual activity (banks and card issuers are usually pretty good at finding anomalous activity before you do) and so they can flag your accounts.  Consider notifying anyone who bills you monthly for services including utilities and insurance providers.

   If you think your US social security number has been compromised, you should contact the Social Security Administration.

   You can notify your state driver and vehicle services department in case someone tries to get a driver's license in your name.

Online defense.
   If this problem started online, perhaps through an information breach, you should change your passwords and consider using multi-factor authentication as I've covered in the past.

   There are more complete details on these steps on the FTC website here.

   Even under the best of circumstances, the process of reporting, documenting and repairing ID Fraud is a major pain.  In our next installment I'll talk about things you can do to help prevent you from becoming a victim, or in those circumstances where this is out of your control, how to increase the odds of early detection and minimize the impact.

   Have you had experience with any of the steps I list above?  Do you have any advice on additional steps to take?

Tuesday, October 21, 2014

Dropbox Wasn't Hacked... This Time!

   I'm sure that many of you have read the news about an apparent attack, and subsequent account breach at Dropbox this past week.  There have been conflicting reports flying around, but Dropbox's own blog points out what appears to be the truth... Dropbox wasn't hacked.

   The story is that apparently the attackers got user IDs and passwords from attacks on other applications.  They then tried these same credentials on a number of internet sites, including Dropbox.  You can read the Dropbox blog post here.

   This is a typical attack scenario, as I've discussed before.  Part of the value of stealing a password file from a site or organization is that people unfortunately reuse their IDs and passwords on other sites.  This is because it's difficult to remember all those passwords!  I won't go into that issue because I've covered it plenty of times in the past.

   In this case, like many others, the attackers simply try the IDs and passwords on other sites.  It's almost guaranteed that they will get some logins that work.  That is apparently what happened here.
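The pattern described here (one source trying many different stolen ID/password pairs, as opposed to hammering a single account) leaves a distinctive trace in authentication logs. The following is an added example, not code from the original post or from Dropbox: it parses a few constructed log lines and flags any source IP that attempts a threshold number of distinct accounts within a short window, listing which of those logins succeeded so the defender knows which accounts to force a password reset on. The log format, IP addresses and thresholds are all assumptions for the example.

```python
"""Credential-stuffing detector over constructed auth-log lines (added example).

Distinguishes "many accounts from one source" (credential stuffing) from
"one account, many tries" (ordinary brute force), which is NOT flagged here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format; the fields and values below are constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 sprays six different accounts in a few seconds
# (one of them works); 198.51.100.7 retries a single account; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2014-10-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2014-10-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2014-10-20T10:00:03Z ip=203.0.113.5 user=carol result=OK
2014-10-20T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2014-10-20T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2014-10-20T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2014-10-20T10:05:00Z ip=198.51.100.7 user=alice result=FAIL
2014-10-20T10:05:20Z ip=198.51.100.7 user=alice result=FAIL
2014-10-20T10:05:40Z ip=198.51.100.7 user=alice result=OK
2014-10-20T11:30:00Z ip=192.0.2.9 user=grace result=OK
"""


def parse(log_text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_credential_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {ip: {"distinct_users": n, "successes": [user, ...]}} for every source
    IP that tried at least `min_distinct_users` different accounts inside `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) >= min_distinct_users:
                f = findings.setdefault(ip, {"distinct_users": 0, "successes": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                # Accounts that actually logged in from the spraying source are the
                # ones whose reused passwords are now known to the attacker.
                f["successes"] |= {e["user"] for e in win if e["result"] == "OK"}
    for f in findings.values():
        f["successes"] = sorted(f["successes"])
    return findings


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins: {info['successes']}")
```

Run as-is, the script reports only 203.0.113.5 with six accounts tried and `carol` as the compromised login; the single-account retries from 198.51.100.7 are left to a separate brute-force rule, since counting distinct usernames is what separates the two behaviours.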

   So... Dropbox wasn't hacked... this time!  Of course, there have been a number of successful breaches of Dropbox in the past!

   More on that in a moment, but I want to make a quick editorial comment on the use of the term "hacked".

Tuesday, October 7, 2014

Celebrate Cyber-Style!

   It's time again to celebrate that wonderful US event... Happy Cyber Security Awareness month!  This event started in 2003 as a way to build awareness for online security and privacy and to encourage individuals, businesses and government.

   Over the past couple of posts I've focused on Identity Fraud (here and here).  We'll pause on that topic until next time.

   Today I give you...  The Top 10 Ways to Celebrate Cyber Security Month 2014!
  1. Change your password
     Yes, I know... I said in the past that just changing your password is not the effective measure.  That's true but with the frequency with which online sites get compromised, it's not a bad idea.  Even better - use really long passwords.  Remember, when it comes to passwords... size matters!

  2. Use a password vault
     A password vault is a program that encrypts and holds all your passwords.  I explain these in detail, and list some good products, in this post.

  3. Look before you click
     With most links you can "mouse over" the link.  That means you just move your mouse so it's on the link, but don't click yet!  Your browser will display the address to which the link will lead.  This displays at the bottom of the browser.  The actual link in the display should make sense and be the location you're expecting.  If not then... don't click!

Tuesday, September 23, 2014

"Who Am I?" (or, Who Was I?)

   I like the story of Les Mis.  I definitely like the musical.  I was not wild about the movies.  The book is definitely a good, and very long, read (or listen!).

   At its core, Les Mis is a story about Identity Fraud!  It's the story of a man, seemingly wrongly convicted, who operates under a false identity in order to be able to live his life.  It's a common literary theme, used in stories like Martin Guerre, The Count of Monte Cristo and Matchstick Men.  In "olden times", Identity Fraud penalties were very serious. Today... not as much.  Last time we started a discussion of Identity Fraud - we'll continue our discussion of this topic.

   Breaches of online merchant websites and databases get a lot of media attention.  But there are many ways ID fraud is committed including:
  • Shoulder Surfing - this means someone looking over your shoulder, for example when you enter your PIN at an ATM
  • Dumpster Diving - it's amazing what people throw away
  • Mailbox theft - checks, financial statements and other sensitive documents get stolen from mailboxes
  • Stolen purse, wallet, laptop, tablet, phone - these all contain plenty of personal information
  • Social Engineering - be careful about what information you give out about yourself
  • Phishing - email or phone - con artists will call or email pretending to be your bank, law enforcement or other authority and ask you for information.
  • Social media - do you really know who your "friends" are?... there are all kinds of requests and information gathering schemes
  • Copy-cat websites - it's pretty easy for scam artists to create a fake site that looks just like your bank's website, perhaps with a misspelled URL like nationa1bank.com (that's a one instead of an L), and then collect the info you enter.
  • By known or unknown thieves! - some ID thieves know their victims.

   So many choices!
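The copy-cat website item above (nationa1bank.com, with a one instead of an L) is something a browser extension, a mail gateway or a simple script can check for mechanically. The following is an added example, not code from the original post: it takes a URL, pulls out the host, collapses common look-alike characters, and compares the result against a short list of domains the user actually trusts. It goes slightly beyond the post's single "1 for l" case to also catch a trusted name used as a subdomain of someone else's domain, and plain typo-squats within a couple of edits. The trusted-domain list, the substitution table and the sample hostnames are all constructed for the example.

```python
"""Look-alike domain check for links in messages (added example).

Verdicts: "trusted"  - exactly one of the domains we know
          "lookalike" - same name once confusable characters are collapsed,
                        or the trusted name planted as a subdomain elsewhere
          "typosquat" - within a couple of edits of a trusted name
          "unknown"   - nothing matched (not necessarily bad, just unknown)
"""
from urllib.parse import urlsplit

# Constructed list of domains the user actually banks or shops with.
TRUSTED_DOMAINS = {"nationalbank.com", "example-shop.com"}

# Characters that look alike in many fonts; multi-character pairs come first so
# "rn" becomes "m" before "r" or "n" is touched by anything else.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
    ("@", "a"), ("$", "s"), ("|", "l"),
]


def hostname(url_or_host):
    """Lower-case host part of a URL (or a bare hostname), without port or trailing dot."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower().rstrip(".")


def skeleton(name):
    """Collapse confusable characters so visually similar names compare equal."""
    for src, dst in CONFUSABLES:
        name = name.replace(src, dst)
    return name


def edit_distance(a, b):
    """Plain Levenshtein distance (small inputs, so the simple DP is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain_or_host)."""
    host = hostname(url_or_host)
    if host in trusted:
        return ("trusted", host)
    # Compare the registrable part (last two labels) so "www." and friends don't hide it.
    apex = ".".join(host.split(".")[-2:])
    for t in trusted:
        if skeleton(apex) == skeleton(t):
            return ("lookalike", t)
    # A trusted name planted as a subdomain: nationalbank.com.something-else.net
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("lookalike", t)
    # Typo-squats: a couple of character edits away from a trusted domain.
    for t in trusted:
        if len(apex) >= 8 and edit_distance(apex, t) <= 2:
            return ("typosquat", t)
    return ("unknown", host)


if __name__ == "__main__":
    for link in ["https://nationalbank.com/login",
                 "http://nationa1bank.com/login",
                 "http://nationalbank.com.example-login.net/",
                 "nationalbnak.com",
                 "wikipedia.org"]:
        print(f"{link:45} -> {classify(link)}")
```

Anything other than "trusted" is a reason to stop and type the bank's address yourself rather than follow the link; "unknown" simply means the list did not cover it, which is why the trusted list should be the user's own, not a generic one.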

Tuesday, September 9, 2014

(SuperValu) Wrote Me A Letter

   I'm hearing the Joe Cocker version of the Box Tops song! (though I always picture John Belushi doing this!)

   I don't want my summer to end, but October is coming soon and, in the US, October is National Cyber Security Month.  This will be the first post of a series on Identity Theft that will carry us into October.

   First of all, the term Identity Theft is a misnomer.  According to Findlaw:
 Theft is often defined as the unauthorized taking of property from another with the intent to permanently deprive them of it. Within this definition lie two key elements:
1) a taking of someone else's property; and
2) the requisite intent to deprive the victim of the property permanently.
The taking element in a theft typically requires seizing possession of property that belongs to another, and may also involve removing or attempting to remove the property. However, it is the element of intent where most of the complex legal challenges typically arise in theft-related cases.
   But, with Identity Theft, your identity is not actually stolen, because you still have use of it.  A more accurate term is Identity Fraud.  Someone is using your identity, without permission, to execute fraudulent transactions or commit other crimes.  And, in many cases it's just aspects of identifying or financial information that is being used fraudulently, like your credit card.

Tuesday, August 26, 2014

When USBs Attack!

   Sometimes it seems that the more things change, the more they stay the same.  In information security, we've known for a long time that if someone can get physical access to your system, there's a chance they can get into your system.  Once an attacker has possession of your computer, laptop, tablet or smartphone, they can take their time and try multiple attacks.  We can take some preventative measures like encryption, but it needs to be implemented well.

   Of course, it's best to keep your portable devices in your possession!  But they do get lost or stolen.

   Unfortunately, there's more than one way for an attacker to physically get to your system.  If you've ever been to a conference, or a state fair, or just about any kind of gathering with give-aways, you've probably seen free USB sticks (also called thumb drives).  These supposedly have programs, games or advertising files.  And they usually do.  But they can also contain viruses or other malware.  To make matters worse, USB systems have an auto-run feature to make (legitimately) running these files "easier".

Tuesday, August 5, 2014

When Androids Attack!

   All computers, devices and software have flaws.  In fact, there are so many it's hard to keep up.  In the past (not so long ago), we only had to worry about computers... and they were mostly big desktops.  Then came laptops, and with them the additional problems introduced when connecting to unknown and open networks.  And lately, we seem to spend plenty of time talking about flaws in smartphones and tablets.

   The latest in a long string of smartphone issues is the so-called "Fake ID" flaw affecting Android devices.  This attack exploits a vulnerability in the way an Android device checks the authenticity of an app.

   The issue is kind of similar to controls around US credit cards.  When you sign a credit card receipt or at a terminal, the clerk or cashier might check that signature against the one on the card.  Even if the signatures match (and when does that happen???  I can barely duplicate my own signature! :-), that doesn't mean that you are the owner of the card nor does it let anyone know if the card is fake or stolen.

   In a somewhat analogous way, apps are "signed".  The flaw allows Android phones to accept unverified apps.  This provides a potential opportunity to download fake or malicious apps.

   This issue should be patched on your phone by now.  But this is not the first time this kind of problem has emerged. And it won't be the last time!  This can be a serious issue.

Tuesday, July 22, 2014

Beach to Breach - It's not just for work data!

   I heard a great term recently... Beach to Breach.  SC Magazine did an article about a Sourcefire study on employees bringing their portable devices on vacation.  They found that 77% of employees bring their devices with them on vacation to keep in touch with work and that 97% of the use is email.

   Hopefully you can see some of the security problems right away... the devices have a good chance of getting lost or stolen when one is out of their "element"; plenty of opportunities to connect to unknown networks; potential to use hotel printers; possible "incentive" to bypass controls to see that one "important" message; and, of course, sand in our devices!

   Organizations certainly should be concerned about the potential for breach of data or loss of equipment.  But what about the rest of us?  Should we take extra precautions with our personal devices and information when out of town?... Definitely!

Tuesday, July 1, 2014

CISOs are from Mars, CIOs are from Venus

   I recently had the opportunity to speak at the Argyle CIO Leadership Forum in Chicago.  I sat on a couple of panels and had some fun delivering a talk called "CISOs are from Mars, CIOs are from Venus" (slideshare).
   There was a clear theme of cloud, mobile and BYOD.  There were both CIOs and CISOs in attendance so there were different perspectives on these challenges.  That certainly tied into my closing keynote.

   After the conference I was interviewed by the conference organizer.  The interview will be posted on the conference website, but here is a copy:

Tuesday, June 10, 2014

Security Awareness and Password Safety

   I've written about problems with passwords plenty of times.  I've also written about my philosophy on security awareness.

   I recently cut another security awareness video.  This one gives staff some tips on how to protect their information by choosing and protecting passwords.  Here it is:

   Here are a set of powerpoint slides covering the important points and tips.  Feel free to use this information to protect yourself and your information and, for information security professionals, to use this info in your security awareness programs.

Tuesday, May 13, 2014

The Best (First Good) Password Policy Ever!

In the past I've discussed a number of aspects of the password dilemma.  Among the key issues are
  • good passwords are hard to remember, and;
  • passwords you can remember are easy for attackers to guess.
   But, maybe one of the key issues is that password policies are universally so bad that consumers can't do the right thing because they can't figure out what that is!  We've been living with that old dogma of.... say it with me...
  • 8 characters;
  • upper/lower case;
  • numbers;
  • special characters.
   That's been around since the 60's.  Perhaps it worked in a world when people had only one password, when systems weren't all networked together, and attacking systems wasn't the lucrative business it is now.

Tuesday, April 29, 2014

How Do You Spell CISO? - What's a CISO Do? part 2

   A while back I started a new job as a CISO.  It's the second time I've held that title at an organization.  What's interesting about that is that both times it was a new position to the organization.  I wrote about my initial thoughts and plans in a post here.  I expanded upon those ideas in a follow-up post here.  This post will round out this series.  They will also serve as the "outline" of a talk I'll be doing at Secure360 this year.

   For those of you who are not familiar with Secure360, it's THE upper midwest US security conference.  There's still time to register, come on out and enjoy!

   There are many demands on the CISO.  But part of the art of the position is to juggle the more granular tasks with overall priorities while trying to be strategic.

Friday, April 11, 2014


   Well, I had no intention of talking about this topic!  But there is so much confusion and misinformation out there.  And the mainstream media is really having a field day.

   So I'm jumping in with some facts, a few opinions, and some action steps that you should be taking now.

   First we'll look at the consumer/user side of things.  Then the organization side.  Finally, I'll talk a bit more about what this is and what this isn't.

   If you use the Internet and enter any personal or financial information on any website, then you might be affected by this issue. To find out, follow these steps:

Tuesday, April 1, 2014

What's a CISO Do?

   A while back I started a new job as a CISO.  It's the second time I've held that title at an organization.  What's interesting about that is that both times it was a new position to the organization.  I wrote about my initial thoughts and plans in a post here.  That was before I started the job!  I've been meaning to follow up on that post, both to provide more insight and list next steps.

   In this post I'll dive a bit into the execution of the plans I originally discussed.  In another post I'll get into what came next, including the weightier topics of strategic and tactical plans.

   And yes, I know it's April 1st, but I'm keepin' it real!

   For my first 90 days on the job I tried to keep focus toward three key accomplishments:
  • Learn the business;
  • Start to establish a Culture of Security, and;
  • Baseline the environment.
   Let's talk a bit about each of these areas.

Tuesday, March 18, 2014

XP End of an Era or... Deja Vu All Over Again!

   Unless you just came back from time traveling, you know that Microsoft is ending support for the XP operating system on April 8.  To be clear... April 8 is Patch Tuesday, so that will be the last set of updates for XP.  Sort of.

   XP has been one of Microsoft's most popular desktop operating systems and many organizations are dependent upon it.  Many organizations have not yet updated to Windows 7 or 8 and the clock is ticking.  I'd like to look at what that means and share a few ideas of what we can do to protect ourselves and our organizations.

   Microsoft will be stopping all patches, hotfixes and enhancements to XP after April 8.  Anti-virus signatures will continue to be made available.  This means that any vulnerabilities that are discovered or disclosed might not be fixed.  Organizations will need to figure out if they are vulnerable to any new threats and then weigh the risks associated with their options.

   There has been some speculation that online criminal organizations may be stocking up on new vulnerabilities so these can be released after the last patch date.  We can't know if this is true, but it is possible.

   So... if you are still running XP, and need to continue to run XP, what can you do?  Let's do a high-level threat analysis:

Tuesday, February 25, 2014

No, You Can't Have Local Admin!

   If you have responsibility for security and/or access management for an organization, then there is a "simple" request that you have received, and will always receive... Users request local admin access to systems.

   Most of you know what I mean.  I'm referring to the local administrator or root account on a system.  When a person has local admin, they can access any part of the system, change or disable settings (including deactivating anti-malware or other security software), and, perhaps most importantly, install and run any software.  This last item is probably the primary reason people request this level of access.

   We're talking about Minimum Necessary... the idea that everyone should have exactly the level of access needed to do their job, and no more.  In most, if not all, organizations, far more people have local admin than really need it.

   Security vendor Avecto recently released a new study showing that over 90% of the most serious vulnerabilities in Microsoft software products in 2013 could have been mitigated by simply removing administrator rights.  Put another way, this means that only your systems administrators were vulnerable to all of the most critical Microsoft software vulnerabilities!  And these are the people who have the most access on your systems!  Here are two good articles on the subject and here is a link to the full report.

   Let's break this down...

Tuesday, February 11, 2014

Bad Policies = Bad Passwords

   It seems that passwords are in the news again.  In the past I've discussed a number of aspects of the password dilemma.  Among the key issues are:
  • good passwords are hard to remember, and;
  • passwords you can remember are easy for attackers to guess.
   Adding to this mess is that many organizations do a poor job of protecting their storage of your password.  And now we have some new information...
   Many organizations allow you to pick poor passwords on their websites by enforcing few or weak password construction requirements.
   We call these password policies, and these specify things like: how long the password can be; the minimum length it must be; what kinds of characters can or must be used; if the password needs to change, and; if there are some passwords that can't be chosen.
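The elements listed here (maximum length, minimum length, character classes, and a list of passwords that can't be chosen) can be written down as a small policy object and applied mechanically, which also makes it easy to see what a bad policy does. The following is an added example, not code from the original post: a legacy "8 characters, three character classes, 16 max" policy is placed beside a length-first policy that bans common passwords (also after simple digit-for-letter substitutions) and rejects the username appearing in the password. Both policies, the short banned list and the sample passwords are constructed for the example, and the two sample passwords are chosen to show that the legacy policy accepts a weak password and rejects a strong passphrase.

```python
"""Password policy checker with a legacy policy beside a better one (added example)."""
import string

# Constructed, deliberately tiny banned list; a real deployment would use a large
# breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# The "say it with me" policy: 8 chars, mixed classes, and a low maximum length
# (a small maximum is itself a weakness: it forbids long passphrases).
LEGACY_POLICY = {"min_length": 8, "max_length": 16, "min_classes": 3, "banned": set()}

# Length first, no class juggling, but no well-known passwords and no username.
LENGTH_FIRST_POLICY = {"min_length": 12, "max_length": 128, "min_classes": 0,
                       "banned": COMMON_PASSWORDS}

# Digit/symbol-for-letter substitutions people use to dodge banned lists.
LEET = str.maketrans("0134$@", "oleasa")


def normalize(text):
    """Lower-case, undo common substitutions, keep only letters and digits."""
    return "".join(ch for ch in text.lower().translate(LEET) if ch.isalnum())


def character_classes(pw):
    """Count how many of lower / upper / digit / symbol appear in pw."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(not c.isalnum() and not c.isspace() for c in pw)
    return classes


def check_password(pw, policy, username=None):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append("too short")
    if len(pw) > policy["max_length"]:
        problems.append("too long")
    if character_classes(pw) < policy["min_classes"]:
        problems.append("needs more character classes")
    if normalize(pw) in policy["banned"]:
        problems.append("common password")
    if username and normalize(username) and normalize(username) in normalize(pw):
        problems.append("contains username")
    return problems


if __name__ == "__main__":
    samples = ["Passw0rd!", "correct horse battery staple"]
    for pw in samples:
        print(f"{pw!r:32} legacy: {check_password(pw, LEGACY_POLICY) or 'OK'}")
        print(f"{'':32} length-first: {check_password(pw, LENGTH_FIRST_POLICY) or 'OK'}")
    print(check_password("alice-summer-2014", LENGTH_FIRST_POLICY, username="alice"))
```

Run as-is, `Passw0rd!` sails through the legacy policy and is rejected by the length-first one as both too short and a dressed-up "password", while the four-word passphrase is rejected by the legacy policy (too long, and no digits or symbols) and accepted by the length-first one. That inversion is the point the post makes: the familiar rule set steers people away from the stronger choice.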

Tuesday, January 28, 2014

Are You a "Target"? - Incident Management (part 2)

   I'm calling this part 2, but it's really the third in a series covering the consumer and enterprise sides of incidents and breaches.  This is always an important infosec topic, but the recent highly publicized issues affecting Target, Neiman Marcus and, as we're told, 3 other organizations to be named later brings this to the forefront.

   Many say that it's not a question of if we will suffer a breach, but when and how we will suffer a breach.  And yet there are organizations that consider this an optional capability.

   Last time we talked about the first two parts of the Incident Management program: Prevention and Planning/Preparation.

   Next is:
Communication. So these groups know their roles:

Tuesday, January 14, 2014

Are You a "Target"? - Incident Management (part 1)

   It seems that every few days we get additional news about the Target breach.  There has been plenty posted about this including articles here, here and here.  And, unfortunately for my colleagues at Target, I don't think we've heard the last of this.

   Last time I talked about the consumer side of the issue, and how individuals should protect themselves from the effects of an information breach.  Today we'll look at the corporate side... Incident Management.

   Incident Management is a critical part of any information security program.  I don't think there's any governance framework that doesn't include this important topic.  I'm a fan of the way NIST lays this out in SP800-61, with a few modifications.

   In boxing and martial arts, the saying goes: the best way to avoid getting hit is to not be there.