What are some consequences of the lack of basic cyber security controls?

• Loss or stolen customer data
• Loss of intellectual property
• Decreased productivity
• Legal liability
• Regulatory sanctions and fines
• Computer systems downtime
• Loss of reputation and customer confidence
• Loss of revenue
• Banking Fraud

Could this happen to you?

It is very important to understand that neither size nor industry guarantees protection from an attack. The use of computer systems and the Internet makes you vulnerable to attacks and other threats.

A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics:

• 55% experienced a fraud attack in the last year
• 58% of the incidents involved online banking
• Over 50% experienced multiple incidents
• 87% failed to fully recover lost funds

You are not a big, well known business. Why would anyone attack you?

While it might be the case that well trained hackers are not very interested in your small company, most online attacks aren’t carried out by expert hackers. Attacks are perpetrated by low-skilled, common criminals with access to pre-packaged hacking tools, thereby casting a wide net in hopes of finding an unprotected computer system or network. These tools are easy to use and readily available on the Internet, often times free of charge. The anonymity of a cyber attack makes it even more attractive to criminals. Many attackers use safe havens in foreign countries which do not have strong cyber crime laws.

Malicious software like viruses, worms, trojan horses, spam, bots are all vectors of cyber attacks that are indiscriminately spreading across the Internet. These attacks don’t only target your small business computer systems but also seek to use your unprotected systems to launch attack on others.

Hasn’t IT guy(s) already dealt with this issue?

Although cyber security includes traditional “IT”related issues, it primarily focuses on protecting your valuable information from all threats including physical attacks, data corruption, equipment failure, social engineering, and bad security choices due to insufficient security awareness education. Effective cyber security management requires specific training related to threats, vulnerabilities, and risks affecting computer systems, business operational processes, and most importantly you and your employees. One’s security problems cannot be addressed solely by off the shelf products. Security must be addressed in the boardroom before it is addressed in the computer room.

What are the benefits and cost of cyber security?

Besides avoiding some of the devastating consequences mentioned earlier, good security is simply good business. It does far more than increase customer confidence and protects the integrity of your businesses brand. A secure business increases customer confidence, loyalty and adds to the businesses bottom line.

Responsible businesses understand that risk management mandates that all threats, including cyber threats, be assessed and managed to protect the business, employees and customers.

The potential cost of inaction far outweighs the cost of action. Analyzing your businesses risks allows you to weigh the costs and benefits and make informed decisions.

Where do you start? Where can you get help?

Although improving your security may seem a daunting task, it doesn’t have to be. Increasing cyber security awareness helps small and medium sized businesses proactively implement simple best practices to protect their businesses. Security should be built into your business processes, information technology (IT), and most importantly your employees and contractors. Each business is unique and faces challenges particular to their operations. There is no magic pill that guarantees 100% security. The SMB Cyber Security Alliance have security experts available to help you understand your unique risks and implement solutions that work your your particular business environment.

Visit us today and sign up for your free membership at http://www.smbcybersecurity.org

The SMB Cyber Security Alliance is volunteer-run organization seeking to increase cyber security awareness in small business communities through education, awareness training, free resources and consultations, and active engagements between small business owners and local security professionals.

Related posts:

1. Defend your Small Business against Online Bank Fraud Is your banking practices putting your business at risk? Protect...
2. Security On A Shoestring SMB Budget The e-mail appeared to be an invitation from an old,...
3. Facebook poses biggest security threat to businesses According to it’s  Security Threats 2010 report published today, security...

According to Google, Web History allows the following:

• View and manage your web activity.
  You know that great web site you saw online and now can’t find? From now on, you can. With Web History, you can view and search across the full text of the pages you’ve visited, including Google searches, web pages, images, videos and news stories. You can also manage your web activity and remove items from your web history at any time.
• Get the search results most relevant to you.
  Web History helps deliver more personalized search results based on the things you’ve searched for on Google and the sites you’ve visited. You might not notice a big impact on your search results early on, but they should steadily improve over time the more you use Web History.
• Follow interesting trends in your web activity.
  Which sites do you visit frequently? How many searches did you do between 10 a.m. and 2 p.m.? Web History can tell you about these and other interesting trends in your web activity.

If you don’t care to have that information recorded, you can and should “pause” it.

https://www.google.com/history

Related posts:

1. Google pulls out of China Is this a divorce or separation?  I chronicled Google’s dysfunctional...
2. Google and China: A Dysfunctional Marriage Since making it’s search engine available to Chinese users in...
3. Big Broth…I mean, Google Last week ( December 3. 2009), Google announced it Public...

I often fault security professionals and educators who speak in absolutes when trying to increase security awareness. Human nature isn’t absolutist. Any security doctrine that doesn’t account for reasonable human behavior is doomed to failure. Never do this! Never do that! Never use the same password with more than one account! And be sure to change them periodically. Naturally they must be complex passwords including upper and lower case letters, numbers and special characters. Really?

It’s not unusual today for an average Internet user to have 10 or more online accounts. That would mean 10 complex, constantly changing passwords. That would also mean the user will write them all down in a place that is readily available. Oh, I forget the never write passwords down mantra. Sigh.

I’ve taught course where as I went through my list of  “never do’s”, I would watch students’ eyes move from the gleam of interest to dull hopelessness. ” I could never do all THAT!”, someone would say.  Another would chime in, :” That’s why I don’t do online banking!”

Is have the same password for your Facebook and Twitter accounts the harbinger of doom??  Probably not. Myspace and your online bank account? That’s an absolute NO NO.

How do we increase security awareness in average computer users thereby strengthening the “weakest link” in our security posture? We certainly can’t continue to do it by burying them in an avalanche of rules.

Related posts:

1. Changing Internet passwords a waste of time?? From the following article: http://wcbstv.com/seenat11/internet.passwords.microsoft.2.1633927.html “The study concluded someone hacking...
2. Did Facebook CEO play fast and loose with user login data? Did you Facebook CEO play fast and loose with user...
3. How much is your Twitter Account worth on the Hacker Underground? Well, that depends on the name of your account and...

“The study concluded someone hacking into your computer and stealing your password is similar to a crook getting your house key.

The crook will likely use it right away and not wait until after you’ve changed the locks.

“As soon as they’ve got it, they’re using it and then they’re gone,” said Lance Ulanoff, editor of PC Magazine.

Ulanoff advises people to get stronger passwords in the first place. ”

The so-called “expert” advise: Use stronger, more complex passwords.

I guess he is not familiar with the fact that stolen account credentials are bartered and traded like goods in the hacker underground. Ofscourse you should use complex passwords. But it’s still a good practice to change it occasionally.

Related posts:

1. CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
2. ISSA-NOVA Chapter December Meeting The Northern Virginia Chapter of the Information System Security Association...
3. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...

This particular  scam page had taken in more than 37,000 users by last Friday, offering them a $1,000 gift certificate in exchange for promoting Ikea to  friends. At that time, the page was gaining new fans at the rate of about 5,000 per hour. The promotion, the page said, was only available for one day.

To participate, users must become a fan of the fake Ikea page, hosted on Facebook, and then invite all their friends to become fans. They are then directed to an affiliate marketing page hosted by GiftDepotDirect.com, where they are asked personal information such as name, address, date of birth and home telephone number.

After that step, the victim is told to sign up for two online marketing offers – these ones with legitimate websites such as Netflix and CreditReport.com – in order to claim the gift card.

The promised cards in these scams never show up. Who would have thunk it??

** Cross-posted from www.secur3t.com**

Related posts:

1. Facebook intros Revamped Home Page, Important New Privacy Setting On Friday, Facebook  rolled out a new home page and...
2. Don't plan Federal Crimes on Facebook! There have been numerous stories recently about the fact that...
3. Don't install fake Facebook Antivirus Alas, another day, another Facebook security alert. As soon as...

When Google decided to unilaterally opt Gmail users into Buzz and share your contact information, it received bad press and an FTC filing. I can only hope the same and more happens here.

Under Facebook’s current rules you’re asked first if you want to share information (your name, photos and friends list) with third-party sites. The proposed policy, which Facebook hasn’t implemented yet, would bypass asking you for approval when visiting some sites and applications Facebook has business relationships with, sharing limited personal information automatically.

Tell Facebook how you feel about it here: http://blog.facebook.com/blog.php?post=376904492130

Related posts:

1. Beware of fake Facebook apps Facebook is warning users to avoid bogus apps that claim...
2. Did Facebook CEO play fast and loose with user login data? Did you Facebook CEO play fast and loose with user...
3. Facebook intros Revamped Home Page, Important New Privacy Setting On Friday, Facebook  rolled out a new home page and...

That’s a quote from a woman whose house was robbed by a Facebook “friend” after she updated her status indicating she was on her way to a concert. She appeared on the CBS Early Show this morning. The robber  had contacted her six month previously claiming to be long lost neighbor from 20 years ago. Fortunately for her, she had cameras installed at home and recorded  the culprit in the act.

I can’t stress enough the importance of limiting the information you put out there. With friends like these, ….

Source: CBS NEWS

Related posts:

1. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
2. Facebook to share your information with other sites Facebook users are expressing strong disapproval of proposed privacy changes...
3. SMB Cyber Security Alliance helps Small Businesses address Cyber Security Risks Across all industries, small businesses are increasingly facing new threats...

“Police say a hacking investigation in Fairfax County, Virginia started with a Facebook pregnancy announcement. But, it turns out the woman is not expecting a baby.

According to police, someone hacked into her Facebook account and posted the fake status update. The victim, who is from Springfield, also claims someone accessed her Hotmail account and sent out nasty emails.

All of the victim’s classes at Northern Virginia Community College were canceled by the hacker.

Police are investigating the Facebook and Hotmail hacking claims, but so far no charges have been filed.”

Source: http://www.myfoxdc.com/dpp/news/local/woman-says-facebook-account-was-hacked

Related posts:

1. 1000 hacked Facebook accounts for as low as 25 dollars Facebook claims to have identified the self-proclaimed Russian hacker calling...
2. Did Facebook CEO play fast and loose with user login data? Did you Facebook CEO play fast and loose with user...
3. ISSA-NOVA Chapter December Meeting The Northern Virginia Chapter of the Information System Security Association...

Check out FBI Going Rogue on Facebook on DarkReading.com

Related posts:

1. Facebook and Twitter I have never found much use for social networking sites...
2. Blippy, the Next Evolution of Stupid At what point do we as a society realize this...
3. Alert your connections if your Social Networking Account get compromised Social Network attacks are becoming more popular as daily we...

“Don’t believe any applications that claim they can show you who’s viewing your profile or photo. They can’t.”

Maybe it’s time Facebook reviewed it’s policy regarding vetting third-party applications.

Related posts:

1. Facebook to share your information with other sites Facebook users are expressing strong disapproval of proposed privacy changes...
2. Facebook intros Revamped Home Page, Important New Privacy Setting On Friday, Facebook  rolled out a new home page and...
3. CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...

RSA COVERAGE

RSA 2010: Infosec Pros Get Raises Despite Recession An (ISC)2 survey suggests salary increases and hiring went up for many security practitioners in the last year despite the Great Recession. Ironically, the recession may be WHY it’s happening.

RSA 2010: Why 41 Percent of You Would Fail a PCI Audit Miscellaneous news bytes from the RSA 2010 press room: QSAs tell Ponemon Institute that 41 percent of companies would bomb their PCI security audit; hackers industrialize their sinister revolution and VeriSign opens a new compatibility lab.

RSA 2010: Can Adobe Stop the Hate? Security pros are unhappy with Adobe Systems over recent flaws and attacks. Adobe Security Chief Brad Arkin on what the company is doing about it.

RSA Conference 2010: 4 Survival TipsFor the newcomer, the RSA security conference can be overwhelming. Follow these four strategies to get the most from it.

Social Networking is Risky Business From Computerworld: A panel discusses the risks associated with social networking sites.

Chertoff: Tracking Attacks to the Source is Key for Cybersecurity From Computerworld: An exclusive interview with former DHS leader Michael Chertoff.

RSA PODCASTS

RSA 2010: Microsoft’s Plan for Cloud Security Audio: Microsoft VP Jim Jones explains his company’s approach for securing its services in the cloud.

RSA 2010: Verizon Releases Its Threat Report Recipe Verizon Business will share the research framework used for its Data Breach Investigations Reports so companies can create reports tailored to their specific environments.

SECURITY B-SIDES COVERAGE

Security B-Sides: Perfect Authentication Remains Elusive Everyone realizes passwords have their shortcomings. But alternatives like two-factor authentication are not as powerful as one would expect. The problem? As always — human behavior.

One Man’s Life on the Security D-List At Security B-Sides, infosec author Andrew Hay explains the four pillars for moving from the bottom of the IT security shop to a place of respect, and why getting to the A-list isn’t all it’s cracked up to be.

Security B-Sides: Rise of the ‘Anti-conference’ The RSA 2010 conference had some nearby competition. Here’s the story of Security B-Sides as the conference alternative.

Related posts:

1. Shmoocon 2010 Videos Online Shmoocon was this weekend. Unfortunately,I couldn’t get a ticket this...
2. Top 10 Web Application Security Risks for 2010 Yesterday, OWASP released its list of top ten web application...
3. Black Hat DC -2010 is here! Black Hat, one of the biggest and most popular security...

Related posts:

1. Beware of Haiti-Themed Scams and Attacks! Our thoughts and prayers go out to all those affected...
2. IRS reminds you not to go Phishing this tax season It’s tax time again and IRS phishing scams are alive...
3. "Show me the malware"- says Google A fews weeks ago, I had a discussion with a...

Acknowledge the attack to anyone who might have been adversely impacted; Be detailed: Tell them what message they might have received as a result of the malware/phishing and what might have happened as a result; Caution your contacts: Use this as an opportunity to remind everyone that just because they think a message comes from someone they know, there really is no way of telling for sure. If they ever do click a link that then leads to a login page or to a video codec install, they should close the page immediately and contact their friend via some other method to inquire (and possibly alert them) about the seemingly malicious link.

When Twitter accounts are phished, the 140 character limitation makes it a bit harder to convey the message. Using as few words as possible, try to include enough details about the message sent so folks can identify it, ended with a brief “I’m sorry”. Don’t ever include a link in that apology; after all, it was clicking on a link that got folks in trouble in the first place.

Related posts:

1. Sweet!! Yourr bootyy look awseome on thiss ivdeo! Gee Thanks! I’ve been working out! …..oh wait a minute!...
2. Brevity is the soul of…..getting yourself infected with all kinds of nasties! Would you click on the link : http://www.click-here-to-give-me-access-to-all-your-computer-files.com? No? How...
3. Your guilty conscience could get you pwned From Trend Micro Countermeasures Blog: I just received an email...

The IRS does not initiate taxpayer communications through e-mail.

• The IRS does not request detailed personal information through e-mail.
• The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
• Report suspicious e-mails and bogus IRS Web sites to phishing@irs.gov

If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site,

• Do not reply.
• Do not open any attachments. Attachments may contain malicious code that will infect your computer.
• Do not click on any links. If you clicked on links in a suspicious e-mail or phishing Web site and entered confidential information, visit our Identity Theft page.
• Use the following steps to report the e-mail or bogus Web site to the IRS.

How to report phishing, e-mail scams and bogus IRS Web sites
If you receive an e-mail or find a Web site you think is pretending to be the IRS,

• Forward the e-mail or Web site URL to the IRS at phishing@irs.gov.
• You can forward the message as received or provide the Internet header of the e-mail. The Internet header has additional information to help us locate the sender.
• After you forward the e-mail or header information to us, delete the message.

How to identify phishing e-mail scams and bogus IRS Web sites

• Sample of phishing e-mails
  • First sample of an actual phishing e-mail – PDF
  • Second sample of an actual phishing e-mail – PDF
• All IRS.gov Web page addresses begin with, http://www.irs.gov/

Related posts:

1. Beware of Chile Earthquake Scams An 8.8 magnitude earthquake struck Santiago, Chile in the early...
2. Beware of fake Facebook apps Facebook is warning users to avoid bogus apps that claim...
3. Twitter users hit hard by "LOL" phishing attack IT security and data protection firm Sophos is warning that...

They need to be aware of the consequences of sending out seemingly innocent tweets which could still get them into deep trouble. In December 2009, a Vodafone employee was fired after his post was deemed by the company to go against fair competition. Drastic? Maybe, but it showed that even a humorous post could backfire.

Some basic rules to limit the risks posed by Twitter and other social networking sites  include:

1. Think twice before posting. Employees need to think compliance, integrity, security… then post.

2. Access URLs in tweets with care. If there is no real need to check out the site, leave it.

3. Show employees what to look out for. How to notice when someone is stalking or attempting to social engineer information.

4. Avoid confrontation on Twitter. It is a great tool for customer feedback but a disaster in resolving issues.

5. Create a policy in a language that is understood by employees. Have them sign it. There should be no excuses that they did not know what they could or could not say.

Related posts:

1. Staff Leak Military Secrets on Facebook and Twitter Are your employees ( or you ) leaking sensitive data...
2. Twitter makes security enhancements to help users Twitter has added a new service that detects malicious URLs...
3. What is the values proposition for allowing users access to social networks? What is the values proposition for allowing employees access to...

Are your employees ( or you ) leaking sensitive data over the social networks? This report from the UK should give you pause.

The Ministry of Defence has admitted that staff leaked secret information 16 times on social networking sites such as Facebook and Twitter over an 18-month period.

The admission comes in response to a Freedom of Information request by Lewis PR, which handles public relations for security firm F-Secure.

Lewis said the Ministry of Defence had disciplined 10 personnel, although was unable to specify individual cases.

Are your employees leaking your sensitive data via social networks? This report from the UK should give anyone pause.

Ministry of Defence staff aren’t banned from using social networks, but Lewis pointed out that the department’s code tells employees: “Remember you are a member of HM Forces/MOD civil servant. Observe the same high standard of conduct and behaviour online as would be expected of you in your professional or personal life.”

However, F-Secure said the Ministry of Defence should do more to ensure the guidelines are adhered to.

“It’s worrying that employees in sensitive positions have been sharing confidential information via Twitter and other means,” said F-Secure’s security expert Mikko Hypponen

“They might think they are confiding in friends or family when they go on Facebook. However, the recent changes in Facebook’s privacy settings might make them disclose information to the world. This is a potential security risk.”

Source: http://www.csoonline.com/article/525613/MoD_Staff_Leak_Military_Secrets_on_Facebook_and_Twitter

Related posts:

1. How to limit Twitter risks Twitter is now used by over 350 million people worldwide....
2. What is the values proposition for allowing users access to social networks? What is the values proposition for allowing employees access to...
3. Facebook, Twitter, ….Buzz? Update: Power to the people!! In response to the concerns...

How about http://www.bit.ly/12345? Not so threatening, is it?

Yet, those two links could just as easily take you to the same end. The rise of social networking  services like Twitter which limits the number of characters a user can post to 140 has made link shortening services even more popular. Services like bit.ly and tinyurl.com allows one to mask a much longer url with a fairly short one.  The risks here is that users have now grown accustomed to clicking on links and having no idea what they are clicking on. Oh I’m not so naive as to think most users actually read the entirely url before clicking. I know better. The point here is that those who chose to were able to. With link shortening services today, Cyber-criminals and spammers no longer have to go through the trouble of purchasing a nice-sounding domain name and redirecting your request to to their malicious server. It takes seconds to sign up with one of the free link shortening services and on you go.

I’m certainly not advocating against the use of such services as I use them myself to promote my blog on Twitter, Facebook and LinkedIN. I would advice that before you click on a shortened link, consider the source. How much do you trust the source? Give a little more thought before clicking.

Related posts:

1. Alert your connections if your Social Networking Account get compromised Social Network attacks are becoming more popular as daily we...
2. New Facebook Clickjacking Attack Here is a post by Stan Schroader warning users of...
3. Sweet!! Yourr bootyy look awseome on thiss ivdeo! Gee Thanks! I’ve been working out! …..oh wait a minute!...

Related posts:

1. Brevity is the soul of…..getting yourself infected with all kinds of nasties! Would you click on the link : http://www.click-here-to-give-me-access-to-all-your-computer-files.com? No? How...
2. Facebook to share your information with other sites Facebook users are expressing strong disapproval of proposed privacy changes...
3. More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...

This presentation by Johnny Long is a must-see for anyone interested in security. Hackers are very familiar with your soft underbelly. Are you?

Related posts:

1. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
2. Pentagon and Congress wants control of your network during cyberattack There has been a lot of chatter in the news...
3. SMB Cyber Security Alliance helps Small Businesses address Cyber Security Risks Across all industries, small businesses are increasingly facing new threats...