Tuesday, September 24, 2013

Mobile Device Security: More than Software

When it comes to mobile security, everyone is still a little bit in the dark. After all, everyone and their grandma has a smartphone or tablet right now, but the general public’s information about the true threats to their devices is probably limited to computer viruses or bugs—little things that are automatically corrected with anti-virus software.

Wednesday, September 18, 2013

Confidential Data and Mobile Devices

According to a recent article at CIO.com, “more than half of employees admit to storing, sharing and working on corporate documents on their personal devices—and this number is growing.”

This is concerning for a number of reasons, not the least of which is the fact that confidential work information is being stored on devices where far fewer security measures are available and that receive much less security attention.

Tuesday, September 17, 2013

Choose Your Vendors Wisely

Just a couple weeks ago, the New York Times and Twitter domains were hacked—and not through a DoS (Denial-of-Service) attack or network port sniffing.

The Syrian Electronic Army (SEA) is taking credit for the attack, and they carried it out through targeted phishing emails. They obtained usernames and passwords from employees of Melbourne IT, which is the registrar for NYTimes.com and Twitter.com, and used those credentials to log in to the registrar system and make fraudulent changes to the DNS records for NYT and Twitter, pointing their sites at another server. And then, just to rub salt in the wound, they taunted everyone with their Syrian logo and a pretty sarcastic message – “Hacked by SEA, Your servers security is very weak.”

Now, in this case, it looks like nothing was stolen. Whatever their motive, the culprits seem more interested in belittling the companies than in damaging them or stealing identities (so far). But the lesson here is the same: be very aware of who you trust with your private information. Even if you secure your local data well, you may store information on servers or cloud services that are managed by people who do not secure it.

You cannot trust your secure information to companies that do not take security very seriously. If hackers can infiltrate your hosting company, your online cloud storage company, your domain registrar, or even your photo storage service, then you are just as exposed as if you personally used poor security methods.

Wednesday, September 11, 2013

IRS Exposes Social Security Numbers

Well, this one’s a real comedy of errors. An audit on July 1 by independent transparency and public-domain group Public.Resource.org indicates that the IRS may have accidentally exposed some social security numbers.

Actually, it might have been as many as 2319 Social Security numbers, attached to highly sensitive non-profit political groups, which sat exposed on the Internet for 24 hours.

Here’s just one more example of how easy it is to let really sensitive information slip through the cracks. The IRS is in the business of keeping people’s most private financial information under wraps, and breaches still happen even to them.

California Releases First Data Breach Report

The State of California just released its first data-breach report for 2012 last week. Some of the report’s key findings include:
  • Reports of 131 data breaches affecting more than 500 Californians.
  • The breaches exposed 2.5 million Californians’ personal data.
  • More than half of the breaches (56 percent) involved Social Security numbers.
  • The use of encryption could have protected 1.4 million Californians’ data.
Yet, one of the most striking quotes was that “more than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.”

That says to me that breaches are all about people—whether they are social engineers or hackers intent on fraud, or regular hard-working employees who aren’t adequately protecting the information they access.

In either case, it’s obvious that California can’t really blame the computers. These breaches are a people problem, and can also be solved with people—people who are adequately trained to ward off hackers and social engineers and take steps to safeguard data or devices that contain sensitive information.

California Attorney General Kamala D. Harris opened the report by reminding readers of California’s strong consumer privacy laws and required data breach notification. If our “strongest” state still has data leaks to plug, then I wonder how the other 49 are faring.


Thursday, September 5, 2013

It's The Human Side of Security

Information security is everywhere these days. Just turn on the TV and flip channels for a minute or two. Or click around on some news websites. From government spying to rampant identity theft, this subject has got everyone up in arms—even when they don’t have the whole story.

It’s about time for someone to demystify information security and shine a light through that fog of threats and fears. And it's time for everyone to get a firmer grasp on personal, Internet, and information security threats.

Welcome to the Sight Training blog! We are determined to make the truth about information security accessible to everyone.

Who Are We?

Be aware: we are not computer nerds, and this is not an IT blog for programmers. We are a team of professional security consultants, ethical hackers, and project managers with a background in security awareness and social engineering. The primary risk to businesses is no longer technical hacking, but slick, clever conmen and identity thieves who use regular people to get sensitive information. This is today’s threat, and you need to know how to defend against it.

Our consulting and white-hat social engineering experiences have given us unique insight into information privacy, security, and protection that we want to share with companies, managers, and employees in every sector. Each week, we’ll use this forum to cover the security information that really matters to you, day to day.

We hope to:
  • Provide practical ways to protect yourself, your organization, or the folks you employ.
  • Use the security breaches that make the news as valuable lessons.
  • Inform you about the latest security threats and tactics, and how they really impact businesses and individuals.
  • Give you a place to share, ask questions, and provide insights from your own corporate experience.
We want to bring things down to earth and give people something they can use. Real risks. Real-world scenarios. Real language.

It's the human side of security.