<h3>
The Human Side of Security</h3>
We're a team of professional security consultants, ethical hackers, and project managers with a background in security awareness and social engineering. Let's make the truth about information security accessible to everyone.<br />
<br />
<h3>
Training Trouble: Why E-Learning Doesn't Work for Everyone</h3>
Posted 2014-06-27<br />
I took a little look back at my calendar today and it seemed high time for a blog. My colleagues and I took a little hiatus to finish up the first draft of our corporate book—a project 6 months in the making and one we are very excited to be bringing your way soon. Check back throughout the year for more information about how to get a copy of our step-by-step guide, <i>From Here to Security</i>.<br />
<br />
But for now, we're back in the business of blogging—and with something a little different this time.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFT9u3RXbOGrHUx0ZRS8Kpf8A3z2Z0R0jD-ofDAWoJTKGRntclUj2u32GY1SumLf2MhVJlPkWeLTBXidEQwgbgvXd1eGp7cR4TyAOcT-iGc9jycyKz000fEN7FKnjCnVe1UKODKBN8TX4/s1600/man+at+office+314312.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="e-learning, online training, online courses, security awareness training" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFT9u3RXbOGrHUx0ZRS8Kpf8A3z2Z0R0jD-ofDAWoJTKGRntclUj2u32GY1SumLf2MhVJlPkWeLTBXidEQwgbgvXd1eGp7cR4TyAOcT-iGc9jycyKz000fEN7FKnjCnVe1UKODKBN8TX4/s1600/man+at+office+314312.jpg" height="212" title="e-learning works if you avoid the pitfalls" width="320" /></a><br />
I know my blogs usually cover ITSec, security breaches, and big business blunders when it comes to securing sensitive information. But in my work on the book, I've really felt a renewed interest in covering the "Why" of all that. Why are companies struggling to close the gaps in corporate security? Why are we seeing a dramatic rise in security breaches in the news?<br />
<br />
While I don't believe there is one right answer that covers everyone, I do think that inadequate training has a lot to do with it.<br />
<br />
I was poking around some e-learning sites today and stumbled across this article: <a href="http://blog.commlabindia.com/elearning-design/reasons-why-elearning-projects-fail?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+CommLabIndia-CustomTraining-ElearningBlog+%28Custom+Training+and+eLearning+Blog%29">5 Reasons that Everyone Should Know: Why E-learning Projects Fail</a>. And, in fact, Sonal Paul does a pretty good job laying out a number of the pitfalls companies fall into when establishing an online training program. According to Paul, the 5 main problems are<br />
<br />
<ul>
<li>Poor Need Analysis</li>
<li>Gaps in Communication</li>
<li>Poor Project Management</li>
<li>Failing to Understand the Learner</li>
<li>Wrong Instructional Strategy</li>
</ul>
<br />
Bing, bing, bing! That list hits some pretty big nails right on the head. As a company that specializes in crafting training campaigns and individual courses for big businesses, I'd say that our clients run into at least one of these in almost every project (and big projects, especially, usually struggle with all five).<br />
<br />
But listing the problems doesn't even come close to solving them. Many of our e-learning clients would be ill-equipped to address these issues even if they were well aware of the problems up front. So I'd like to take Paul's article a step further and offer some practical advice on each of these points.<br />
<h4>
Poor Need Analysis: </h4>
When the time comes to explore training options, every wise manager should first ask not “How much will e-learning cost?” or “How long will this online training campaign take?” Instead, the conversation must begin with “What are we trying to accomplish?” or even “Is e-learning right for our environment?” Web-based training is not necessarily superior to classroom training. More advanced training with all the bells and whistles does not necessarily produce better outcomes in every environment. That’s why those in charge of training must carefully consider their industry, their employee population, and the subjects on which they plan to train before choosing a methodology.<br />
<br />
<h4>
Gaps in Communication:</h4>
While Paul's article focuses primarily on communication between the e-learning company and the client, let me suggest that internal communication between the managers who develop the training and the employees who take it is equally important. You must involve the employees themselves to create good training—and including all levels of staff in the process from the beginning may make your training more effective.<br />
<br />
<h4>
Poor Project Management: </h4>
Don't make training development a back-burner process that can be left behind or forgotten. This is your company, folks. Take the protection of it seriously, and put people in charge that will also take it seriously. Too many times, we've seen e-learning campaigns dissolve into terrible messes because the project was not valued or given the time and attention it deserved.<br />
<br />
<h4>
Failing to Understand the Learner:</h4>
Your training may represent the latest in online instruction, but if it’s boring and mind-numbing, then you can bet it’s not teaching anyone much of anything. If you’re training humans (and I assume you are), then be prepared to battle against human nature. Humans get bored. Humans get distracted. Humans complain.<br />
<br />
But humans also respond to things that are interesting, interactive, and a departure from the ordinary. When you write and develop training, consider the fact that you must keep the user focused—and that there are many out-of-the-box ways to do this. Use audio and video that represent true situations your employees may face. Keep your employees engaged with interactive games, puzzles, or simulations. Encourage the use of multiple parts of the brain. Give real-world examples, use case studies, or even teach principles with humor.<br />
<br />
<h4>
Wrong Instructional Strategy:</h4>
Think back to school. What were the lessons that you remember most? Never-ending lectures on American history? Mind-numbing sentence diagrams?<br />
<br />
Yeah, I don't remember those lessons either. What I do remember is Mr. Williams' ninth-grade history class. The one where we bundled into our coats, trooped out to the parking lot, lined up into formation carrying spear-like two-by-fours, and charged at our classmates on the other side. Roman battalion formations? Check. Mr. Williams picked the right instructional strategy for a boring subject and I’ll never forget it.<br /><br />
<h4>
Approach E-learning Right.</h4>
Smart people make a company successful. But no one’s staff is going to effectively protect anything until managers break out of the “Read and Understand” mentality and change the way they approach e-learning.<br />
<br />
Ask yourself: “Have we given our employees what they need to succeed?” If not, then get on the ball and train them well.<br />
<h3>
Bad Customer Service vs. Data Breaches: Competing for "Best Way to Lose Customers" Award</h3>
Posted 2014-05-22<br />
<div>
So which is worse: bad customer service or a data breach? Well, when it comes to brand reputation and customer loss rate, they may be equivalent.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimWq3MGdYu3Q5Usr0JqE5tQE-v6ARZBwP3kxfucRoPcAx8-tb9vHN2dztZgO8gZpmyINmhr_ygvJH9AlvMwM0AyUlQEmVPYH5rnr-zT1ansV51NbqgRg92poVucsh5FJVIdaiwtaptCHo/s1600/Distressed+Woman.jpeg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="identity theft, ID protection, data breach, information security" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimWq3MGdYu3Q5Usr0JqE5tQE-v6ARZBwP3kxfucRoPcAx8-tb9vHN2dztZgO8gZpmyINmhr_ygvJH9AlvMwM0AyUlQEmVPYH5rnr-zT1ansV51NbqgRg92poVucsh5FJVIdaiwtaptCHo/s1600/Distressed+Woman.jpeg" height="277" title="poor customer service or a data breach?" width="320" /></a>Customer service has always been a sticking point for brands. After all, a bad in-store or phone experience with a company can send customers heading for the door, never to be heard from again. Environmental disasters also still rank high on the list of reasons customers may consider discontinuing their loyalty to a brand or company (think ExxonMobil or BP). Yet, <a href="http://www.experian.com/data-breach/2014-aftermath-study-consumer-sentiment.html?WT.srch=ecd_dbres_pr_referral">according to a recent study by the Ponemon Institute, </a>customers now rate data breaches right along with customer service and environmental disasters as a major reason to ditch a company and run into the loving arms of its competitors.</div>
<div>
<br /></div>
<div>
It was really bound to happen, if you think about it. With the increase in highly publicized data breaches in recent years (think Target a few months ago and eBay getting headlines today), customers are beginning to sit up and take notice. After all, the threat of identity theft promises much worse consequences than a bad experience with a rude customer service rep, and it hits much closer to home than an oil spill hundreds of miles away.</div>
<div>
<br /></div>
<div>
The average American consumer understands the long-lasting and potentially devastating effects of a breach of their personal information. According to the study, “prior to having their personal information lost or stolen, 24 percent of respondents (customers) said they were extremely or very concerned about becoming a victim of identity theft. Following the data breach, this concern increased to 45 percent, Ponemon says. Almost half of respondents feel their identity is at risk for years or forever.”</div>
<div>
<br />
<br /></div>
<div>
And yet, it seems that companies are just catching on. It’s not enough to manage the press after a disastrous security breach. It’s high time that data security, security awareness training, and social engineering defenses were given just as much care as customer service training. It’s not enough to put firewalls and technical blocks in place, since it’s been proven time and again that social engineers and other thieves can get around them. It’s not enough to just offer free identity protection after a breach. In fact, the Ponemon study suggests that only 30% of customers even accept the offer of free ID protection services. </div>
<div>
<br /></div>
<div>
And here’s the real irony: customer service departments are often the first areas targeted by those interested in swiping sensitive information. So, in an effort to keep customers content, management throws money, time, and training costs at customer service to create employees who generate a positive experience for every customer—but who may also be opening the door to a data breach every day.</div>
<div>
<br /></div>
<div>
After all, it’s pretty easy to steal sensitive information from someone who is desperate to make you happy at all costs. </div>
<div>
<br /></div>
<div>
It’s high time for a more proactive and well-rounded approach that promotes good customer service and information security. Sound impossible? It’s really not. It just requires that the powers that be in each corporation reject the traditional silo mentality and start collaborating, creating solutions that meet both needs. While employees may be the ones handling the customers on a daily basis, management is responsible for setting them up for success or failure—and unfortunately, there is often a real disconnect between security and customer service in the minds of those in charge. </div>
<div>
<br /></div>
<div>
Customer service and security—you can have both, and can keep customers in the bargain. It just requires care, concern for the safety of every piece of sensitive information, and a willingness to spend time creating valuable security questions and sympathetic customer representatives with both the best interests of the company and the customer at heart.</div>
<div>
<br /></div>
<div>
Interested in learning more? <a href="http://www.sighttraining.com/Training/CourseLibrary.aspx">Visit the Sight Training course library to review the diverse courses we provide to secure your company's sensitive information.</a></div>
<div>
<br /></div>
<h3>
Data Breach Costs Rise 9% in 2013</h3>
Posted 2014-05-07<br />
<div class="MsoNormal">
<a href="http://www.cio.com/article/752412/Data_Breaches_9_More_Costly_in_2013_Than_Year_Before">The 2013 statistics are in from the Ponemon Institute.</a></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5B4KyBLfuBW-TgWSjvx7io2EHLryfDnuONu0vGRQBBmNsSrz82VjNt2ym_IXK-f3DuPDt18uFK-e6MMW7n6OCU7e9n_rCJ0-kVjU7pz5orDk-WsFT3-zS63JhxaIFxhTWqBc_W3ebWy4/s1600/3d+graph+3724777.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="data breach, data security, corporate security" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5B4KyBLfuBW-TgWSjvx7io2EHLryfDnuONu0vGRQBBmNsSrz82VjNt2ym_IXK-f3DuPDt18uFK-e6MMW7n6OCU7e9n_rCJ0-kVjU7pz5orDk-WsFT3-zS63JhxaIFxhTWqBc_W3ebWy4/s1600/3d+graph+3724777.jpg" height="240" title="Data breach costs are up and profits are down, says Ponemon Institute" width="320" /></a></div>
<div class="MsoNormal">
So just how much money did companies lose last year to data breaches? Which industries are most at risk? Let’s break down the facts for 2013:</div>
<div class="MsoNormal">
</div>
<ul>
<li>Average cost of a data breach to US companies: <b>$5.4 million</b></li>
<li>Average cost per lost record: <b>$201</b></li>
<li>Industries with <b>highest breach costs</b> (in this order):</li>
<ul>
<li>Healthcare</li>
<li>Transportation</li>
<li>Energy </li>
<li>Financial services </li>
<li>Communications </li>
<li>Pharmaceuticals</li>
<li>Manufacturing</li>
</ul>
</ul>
<br />
<div class="MsoNormal">
While 2013 did not reach 2011’s high ($214 per lost record), this information still represents a <b>9% rise in data breach costs</b> from last year’s $188 loss per lost record—and the study's authors think this may be due to loss of customers. A<b> 15% “churn rate”</b> (or tendency for customers to abandon a company) following a data breach represented a steep increase from prior years. Folks are getting wise to companies that don't make securing their sensitive information a priority.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Will this rising cost trend cause companies to sharpen their security behaviors and stay on top of the dangers? We hope so. After all, security is our business. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Maybe your company is on that high-risk list. Maybe you are a small company with limited resources that still feels the pressure of social engineering and identity theft. Or maybe you just need more ideas about how to secure your own company’s assets. Consider Sight Training’s <a href="http://www.sighttraining.com/Training/CourseLibrary.aspx">library of security courses</a>, <a href="http://www.sighttraining.com/Training/SecurityAwareness.aspx">security awareness campaigns</a>, or even <a href="http://www.sighttraining.com/Training/SecurityAwareness.aspx">social engineering consulting and penetration testing</a>. These first steps can go a long way towards ratcheting those costs down and keeping customers feeling safe and satisfied. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<a href="http://sighttraining.blogspot.com/search/label/Corporate%20Security">More About Corporate Security</a></div>
<h3>
Oh the Humanity: Picture of a Thief</h3>
Posted 2014-04-30<br />
In order to improve security awareness among staff, the first step is to change each employee’s mental picture of what it means to be a thief. Not every social engineer who calls will be an easy-to-spot gentleman with an oily voice and diabolical laugh. Awareness cannot be based on preconceived notions about gender, personality, or level of authority.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEQNX4S2L5VO1-FVcGcskQ8_CrOkY8m_vqTN5smyjIOc1eIXnRr_-IsRMOyD3W2geF4Ce4rzA-s4vMb4tsLKniWSv9ePWItq1rcgxHTFk82e18NzOcmUMUzUN2zIf0rU0WoL3zsue5M8g/s1600/callcentergirl.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="social engineering, phone fraud, theft, danger" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEQNX4S2L5VO1-FVcGcskQ8_CrOkY8m_vqTN5smyjIOc1eIXnRr_-IsRMOyD3W2geF4Ce4rzA-s4vMb4tsLKniWSv9ePWItq1rcgxHTFk82e18NzOcmUMUzUN2zIf0rU0WoL3zsue5M8g/s1600/callcentergirl.jpg" height="213" title="A social engineer can look or sound like anyone." width="320" /></a></div>
In order to be successful, social engineers will go to any lengths, will play on your employees’ weaknesses, and will find ways to get in their heads. <a href="http://sighttraining.blogspot.com/2013/10/cute-girl-voice-social-engineers-secret.html">For many men, that weakness is a friendly girl.</a><br />
<br />
For some folks, it might be a helpless old lady. Here’s another story that illustrates one of the two main problems with employee-based security.<br />
<br />
<br />
<h4>
Problem #1: The Perception of Danger</h4>
<br />
Imagine your average social engineer. What do you picture? If you’re thinking about either of our chief pretexting experts, picture a bearded guy, around 6’4”. Hairy and manly.<br />
<br />
Now imagine our very manly caller trying to get a VPN password reset. In one particular case, he found himself blocked every time he was asked for an employee ID. Since he didn’t have an ID, he had to get creative, and began a second round of calls to employees, just asking for employee IDs.<br />
<br />
Finding a staff member who was willing to give up that sensitive little building block was not easy—thumbs up for them! Yet, a persistent social engineer is almost always rewarded—and he finally found someone willing to share: Isabelle Martin.<br />
<br />
Elderly. Southern. Female. Sweet as molasses.<br />
<br />
Yes, our gruff and masculine pretexter was forced to call the IT help desk as the lovely Mrs. Martin.<br />
<br />
He called and just gave it a try, speaking in a high, sweet, Southern female voice. Not surprisingly, he found himself on hold for 10 minutes. Then, after a few more questions, he was put back on hold for five more minutes. Since “on hold” is the death knell for any social engineering attack, he was sure it was over.<br />
<br />
Was his cover blown? Nope.<br />
<br />
Turns out, at the end of the conversation, it was revealed that Mrs. Martin didn’t even have VPN at all. Our caller wasn’t on hold because the client’s help desk staff were suspicious. They were just desperate to help a little old lady with a computer problem.<br />
<br />
These two stories prove that suspicion is a very uncommon response. Customer service is often desperate to help anyone with an even slightly plausible story and moderately believable accent. This perfectly illustrates the first problem: employees are easily distracted by their preconceived notions about who is—and who is not—dangerous.<br />
<br />
<h4>
Problem #2: Familiarity Breeds Complacency.</h4>
<br />
Most workdays run smoothly. People do their jobs, projects go according to plan, and everyone goes home at 5:00. And when it’s business as usual 99% of the time, it is hard to maintain employee vigilance toward malicious attacks. Frankly, it’s very hard for people to admit that they are being lied to, even when situations seem unusual or suspicious.<br />
<br />
Here’s an example. Several years ago, we were hired by a financial organization to see if we could fraudulently obtain the ability to run people’s credit. This group has stringent guidelines for gaining access to customer information, because a breach of their system would be catastrophic. They asked us to help them vet their process by applying to gain customer credit information.<br />
<br />
In order to get the information they wanted, we needed to be a financial business—with a business license, two business references, leases, corporate contact information, a bank account that could be checked by phone and email, and even a mandatory site visit.<br />
<br />
Initially, it sounded impossible. But Photoshop helped us fake a lease and business license (both of which looked like they had been copied a million times). It took a couple of weeks to fake two separate reference companies and fabricate a bank—and we tacked on another couple of weeks to fake fully functional websites for each of these fake businesses.<br />
<br />
Finally, after clearing out our office and adding a fake sign, we were ready. Prepaid cell phones and hand-printed credentials in hand, we waited for our site visit.<br />
<br />
The day came. Our visitors came in the door, verified the fact that our establishment was, in fact, an office, checked a box, and left.<br />
<br />
Due diligence? Nada. They never even looked at our paperwork.<br />
<br />
All it would have taken to shut us down was a little checking. Look up the bank and see if it exists. Check the references. Check the business license. It would have been so easy to get caught, but we weren’t—and we had customer credit information at our fingertips by the end of the day.<br />
<br />
Businesses that complete these sorts of checking processes should get a chill up their spine when they read stories like this. “Seems legit” is no way to approach due diligence, but the average employee may do the job halfway, simply because it’s so statistically unlikely that they are being defrauded. Again, it’s hard to believe you are being lied to.<br />
<br />
Social engineers and other thieves know exactly how to manipulate employees—and it's hard to change human nature. And, while there is no one way to improve your human firewall, you can <a href="http://www.sighttraining.com/">start with training written for employees by folks who understand the struggle. </a><br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Oh%20The%20Humanity">More Stories in our "Oh, the Humanity" series</a><br />
<div>
<br /></div>
<h3>
Are Buzzfeed Quizzes Lowering our Defenses?</h3>
Posted 2014-04-24<br />
So I’ve been toying with shutting down my Facebook account again—mainly because it gets on my nerves. The simple act of scrolling through the posts each morning has reached a ratio of 20% pleasurable and 80% grind. One reason? Buzzfeed quizzes.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwSe1kx4iXpyLHf-aEIy0uCFxJxwp1QWFTFmRmAbuR_z6if0Ptl8WB8mdmc-7Y0NCNPURwA8uRU34C5xL4KQTfFNb5hQ9y8DnNDfsXGd3hud_s1ICklbdj1txfFUPe3Rea7oIExBcMKfE/s1600/couple+online.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="security awareness, identity theft, infosec" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwSe1kx4iXpyLHf-aEIy0uCFxJxwp1QWFTFmRmAbuR_z6if0Ptl8WB8mdmc-7Y0NCNPURwA8uRU34C5xL4KQTfFNb5hQ9y8DnNDfsXGd3hud_s1ICklbdj1txfFUPe3Rea7oIExBcMKfE/s1600/couple+online.jpg" title="Spam quizzes may be fun and dangerous" /></a>Oh, Buzzfeed quizzes. Zimbio quizzes. Shudder.<br />
<br />
To be fair, I’ve taken my share. The nerd gene in me just has to know what character I most identify with in every Joss Whedon universe. And while I rarely share my results (because that’s pretty annoying), I have started to wonder about some inherent dangers in the culture of quiz taking.<br />
<br />
So, I spent a little time on “Internet research” yesterday (read: surfing the web). I wanted to see if I could get any hard, fast evidence that the data in Buzzfeed quizzes were dangerous. Do they harbor malware? Are they used for phishing purposes? Are there records of any data breaches that stemmed from a Buzzfeed quiz?<br />
<br />
Not really. Although it would be a pretty clever ruse for social engineers, it appears that the quizzes are fairly harmless. The danger, it seems, lies more in the attitude and culture behind these personality tests. So many of my “friends” (ok, friended acquaintances) rant regularly about the dangers of Facebook privacy settings. They have a real “Big Brother is watching” or “Everyone is out to get my personal information” complex. But these folks may be the very same ones who will readily answer personal question after personal question in a Buzzfeed quiz and then share the answers with anyone who scrolls past their profile.<br />
<br />
Jordan Shapiro hit the nail on the head for me <a href="http://www.forbes.com/sites/jordanshapiro/2014/01/18/the-reason-personality-tests-go-viral-will-blow-your-mind/">in an article this past January.</a><br />
<br />
“Why is it that when it comes to novelty quizzes, we enjoy being analyzed by simple algorithms that divide and reduce us into a limited number of determinate categories, but when it comes to Google and the NSA we’re terrified of the same thing?”<br />
<br />
Personal information is personal information, whether it is stolen from us by a social engineer, secretly gathered by the NSA, or voluntarily offered through an online personality quiz.<br />
<br />
We seem to have developed an almost desperate need to share our opinions or facts about ourselves in an effort to identify with a larger group of like-minded people. Go ahead and admit it. You feel good when your poll answer is the most popular. The appeal of belonging has made many of us irresponsible—and irresponsible Internet users can be easily lured out of their comfort zones and into a trap.<br />
<br />
While the danger may not come directly from an online quiz, click-happy Internet users are bound to slip up in other areas. And the more comfortable we become with oversharing, the more likely we are to find ourselves victims of social engineering scams or identity theft.<br />
<br />
“Well, but…what difference does it make?” you say. “It’s not like they’re asking for my social security number. The results are all made up.” OK, that’s true. There is no proven rubric designed to accurately determine which superpower you should have, or whether or not you would in fact die of dysentery on the Oregon Trail. Yet, that does not mean the questions have <i>no</i> value to someone.<br />
<br />
“We brush them off as ‘merely entertainment,’ forgetting that by participating–through the act of clicking–we’ve once again provided Google with a plethora of personality data that is forever stored in our file,” says Shapiro.<br />
<br />
In fact, some limited evidence suggests that quiz and Internet poll builders may be inserting more probing questions into harmless entertainment quizzes to get an idea of who you are, how you behave, or even what you might choose to buy. Lee Munson at BH Consulting gave his take on it in <a href="http://bhconsulting.ie/securitywatch/?p=2115">this week's Security Watch blog on oversharing. </a><br />
<br />
“…in a few instances the polls can pose some more serious questions…sometimes some of the sneakier sites on the web will even make completion of the poll mandatory in order to proceed onto your ultimate aim of, say, reading a particular news story. Such polls may not demand your name and address but they do drift roughly into areas of personally identifiable information.”<br />
<br />
He also offered a bit of sound advice.<br />
<br />
“If you share information you need to be alert. Even if you are divulging personal information within an environment in which you feel safe, you need to be certain that the audience is the one you expect. I myself have a few friends who have completed polls on Facebook only to later discover that they actually handed all that info to a third party unawares.”<br />
<br />
It may be time to find new ways to entertain ourselves rather than buying in to a culture of irresponsible clicking and mindless answering. While I may never know which Twin Peaks character I am or how well I know the movie ‘Clueless,’ at least no one else will either.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Information%20Security">More about Information Security</a><br />
<h3>
New "Smishing" Scam has Tampa Bay banks on alert</h3>
Posted 2014-04-16<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3KWmeBED2XMBHjtN9FI5W1lE3gfiX3pPabaM2LHpcIzZg5GGTLJepe6o5K63h2RzFhZXuKrm8k-h80KLTnHwslHQeCOE6XgAQfWMcnKUin1ikoXDBzkL8cYI3AjS5q7xM0oOpDzmpHYc/s1600/iphone.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="phishing, smishing, data security" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3KWmeBED2XMBHjtN9FI5W1lE3gfiX3pPabaM2LHpcIzZg5GGTLJepe6o5K63h2RzFhZXuKrm8k-h80KLTnHwslHQeCOE6XgAQfWMcnKUin1ikoXDBzkL8cYI3AjS5q7xM0oOpDzmpHYc/s1600/iphone.jpg" height="320" title="&quot;Smishing&quot; is SMS phishing by text message" width="152" /></a>Just last week, <a href="http://www.wfla.com/story/24957966/tampa-bay-banks-warn-of-text-phishing-incidents">several Tampa Bay area banks reported a new “smishing” scam</a> (SMS phishing, or phishing texts sent to mobile devices) in which mobile users are informed by “bank personnel” that their debit card has been flagged. The text then encourages mobile users to contact a fraudulent number and provide personal financial information.<br />
<br />
Phishing through text messages is further proof that attacks continue to come from every angle at once, and are getting more and more clever.<br />
<br />
Why is it so hard to practice safe surfing on a mobile device? Why do otherwise intelligent Internet users take actions on their phones that they would never take on a home desktop or laptop computer?<br />
<br />
One reason may be the difference between actual security and perceived security. Most people are aware of the threats they face on their home computers and laptops, because information about security hacks is everywhere. They likely know at least one person who has experienced identity theft or a malware attack. But connecting on a phone may feel safer, because the threat has not been fully established.<br />
<br />
People might also say they are busy and distracted, but still feel the need to maintain a constant connection even when they are out and about. Let’s face it: it is pretty much impossible to always make wise choices while you are checking email on your phone, ordering a latte, fumbling for your wallet in your laptop bag, and running through your mental To Do list.<br />
<br />
So, before you click that link in a text message, or call that unknown number passed through an unexpected message, ask these questions:<br />
<br />
1) Do I know the person who sent this text message? If not, ignore it.<br />
<br />
2) Is the tone of the text message urgent or persuasive? This is often a dead giveaway that you’ve been singled out for a phishing attack.<br />
<br />
3) Is the text message providing an unfamiliar link to click or an unfamiliar number to call? If so, be suspicious.<br />
<br />
Here’s the good news: every legitimate bank and business has a real phone number—one you can easily access from the company website. If you receive a text message that you assume is a smishing attempt but are still concerned about your account, don’t jump the gun and take the bait. Just contact the group directly to check in. You’ll get the information you need—and the bank will appreciate the heads up about a scam involving their brand.<br />
<br />
Let us also make a suggestion. Consider training your employees on <a href="http://www.sighttraining.com/EmailUseandSecurity.aspx">phishing</a> and <a href="http://www.sighttraining.com/WirelessandMobileDevices.aspx">mobile security</a>, so they are aware of the threats to both personal and corporate information.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Information%20Security">More About Information Security</a>Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-7054451302036909052014-04-10T10:53:00.001-04:002014-04-10T10:53:13.314-04:00More Hooks in the Water: Spearphishing Up 91%This just in from Symantec: <a href="http://www.securityweek.com/spear-phishing-hooked-businesses-big-and-small-2013-symantec-report">spearphishing increased 91% in 2013.</a><br />
<br />
Here’s why: it still works. Even though <a href="http://www.sighttraining.com/Training/CourseLibrary.aspx">security awareness training</a> and a constant stream of worrisome news stories may be lowering the average employee’s click-through rate on run-of-the-mill phishing emails, social engineers still know just how to pinpoint the areas that will lower even a seasoned email user’s defenses. That’s just what spearphishing is: targeted attacks that are hand-crafted to startle or scare an employee into making a bad decision—usually clicking an embedded link that routes to a fraudulent website prepared to collect personal information.<br />
<br />
According to Symantec, two of the most common words in last year’s string of emails were “order” and “payment.” In our experience, words like “benefits,” “payroll,” “cancelled,” and “dropped” also do the trick.<br />
<a name='more'></a><br />
<br />
<h4>
Spearphishing in Action</h4>
<br />
Here’s a good example we used in one <a href="http://www.sighttraining.com/Training/SecurityAwareness.aspx">legitimate phishing test</a> for a customer. What would you do if you got this email? It seems pretty urgent…<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTM3oDJ2Y90w9h-rCwR6xm3uz_LHuhz4RTh3avbj__F1HgVK_vwrmcjeqA3HQtWBrQXcmOngqE5QqpA3e5MnzpTcoMs__h2VAiUYcILcImzPweUIIyYhYuHMW88Q2rzJVYVSs7o7h-i2o/s1600/SpamEmail2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="fraud, phishing, spearphishing" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTM3oDJ2Y90w9h-rCwR6xm3uz_LHuhz4RTh3avbj__F1HgVK_vwrmcjeqA3HQtWBrQXcmOngqE5QqpA3e5MnzpTcoMs__h2VAiUYcILcImzPweUIIyYhYuHMW88Q2rzJVYVSs7o7h-i2o/s1600/SpamEmail2.jpg" height="265" title="Phishing email" width="400" /></a></div>
<br />
If you’d been one of a number of employees who clicked the embedded link, you'd have been routed to a fake website designed to capture your login information.<br />
<br />
Here’s the hard truth: most savvy email users have become conditioned to ignore the most common phishing scams: the Nigerian bank scam, the eBay attack, and the free iPad scam. But just as we become conditioned, social engineers become smarter and more resourceful, and there has been a recent increase in spearphishing emails that appear to be from employers.<br />
<br />
<h4>
Phishing Emails and Social Engineers Getting More Sophisticated </h4>
<br />
Even more concerning: “While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better.” The article goes on to say that these more sophisticated and carefully orchestrated attacks led to a 62% increase in the number of data breaches, compared to 2012.<br />
<br />
Don’t be the key to a mega breach. Remember: every unexpected or sketchy email deserves a second look, even if it looks like legitimate communication from your supervisor, Human Resources personnel, or whoever manages your 401K. Ask before you click.<br />
<br />
Need spearphishing training for your employees? <a href="http://www.sighttraining.com/SocialEngineeringTheElectronicAttack.aspx">Look no further. It's one of our most popular courses.</a><br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Spearphishing">More About Spearphishing</a>Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-47597129100212640062014-04-01T11:20:00.000-04:002014-04-01T11:20:12.969-04:00Why April Fool's Day is NOT the Most Dangerous Day on the InternetAh, April Fool’s Day. A day of too-good-to-be true deals, too awful-to-be-true news stories, and more fake pregnancies in my social media stream than I care to shake a stick at.<br />
<br />
It’s the one day of the year that I avoid Facebook like the plague.<br />
<br />
It’s not that I don’t appreciate a good joke. I mean, I love a good food-that-looks-like-another-food joke (mashed potato cupcakes, anyone?). But on the Internet, April Fool’s feels different. To me, it’s symptomatic of a bigger problem: folks are still not skeptical enough—and every April Fool’s Day reminds me of this fact.<br />
<br />
Watching people “fall for it” over and over again—reposting “Baby Born with Three Heads!” or signing up for any website that promises a free iPad—upsets me. And not just because it makes them look dumb.<br />
<br />
Of course, as <a href="http://www.washingtonpost.com/lifestyle/style/on-the-internet-every-day-is-april-fools-day/2014/03/30/97bdb5d2-b820-11e3-9a05-c739f29ccb08_story.html?tid=hpModule_d39b60e8-8691-11e2-9d71-f0feafdd1394">Caitlin Dewey mentions in this Washington Post article</a>, most of the stuff on Facebook or Twitter that people compulsively repost or retweet is harmless. No, Denzel Washington did not die from a heart attack. And no, they have still not found that Malaysian airplane.<br />
<br />
Sigh.<br />
<br />
But, here’s the kicker: “On the Internet, every day is April Fool’s Day,” and not everything out there is harmless. Our need for a wary eye should not be limited to one day a year, and every web user needs to develop a habit of checking before we click suspicious links or view suspicious pages.<br />
<br />
For example, “a number of Web sites that propagate fake stories — including Mediamass or the dubious News-Hound.org profit from display ads when their frauds go viral. Others redirect to phishing sites that attempt to draw out the gullible clicker’s e-mail address and personal information,” says Dewey.<br />
<br />
Also, according to <a href="http://www.workintelligent.ly/information/data-security/2014-3-28-worrying-data-security-trends/">this recent list of the seven security trends</a> that may affect your business, 1) phishing is only going to get worse and 2) social media spreads malware very effectively.<br />
<br />
So please, on this day of fake engagement posts and “I won the lottery!” jokes, let me make an appeal. Treat every day on the Internet like April Fool’s Day. Ignore strange requests or commands for action or promises of reward on social media sites. Be skeptical of all emails—especially those with embedded links. Slow down, take a deep breath, and think about what you are doing before you mindlessly click, forward, repost, retweet, or otherwise spread potential malware.<br />
<br />
Oh, and an added bonus? Your friends will thank you.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Social%20Media">More About Social Media</a>Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-14779774386460616802014-03-26T11:42:00.001-04:002014-03-26T11:42:25.343-04:00Phone Fraud Flavor of the Month: 2014's IRS Scam<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjDKupVXCgtoG3XnOZB9_16P82lWgsQvXRSQOVs_ndPbjFjjIXFJt0zbCbZk0Q0DMZByr1rowYid6Ud7p133k77rFy-NqsKmFnNiazZ8gjAa5ZJ4eIzgXkk9hP6IUY46_I0x-NXPvGIas/s1600/woman+confused.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="pretexting, social engineering, fraud, scam" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjDKupVXCgtoG3XnOZB9_16P82lWgsQvXRSQOVs_ndPbjFjjIXFJt0zbCbZk0Q0DMZByr1rowYid6Ud7p133k77rFy-NqsKmFnNiazZ8gjAa5ZJ4eIzgXkk9hP6IUY46_I0x-NXPvGIas/s1600/woman+confused.jpg" height="320" title="Woman receiving a pretext phone call" width="213" /></a>I spent a little time this morning reading about that new IRS scam that’s running rampant during the 2014 tax season. You know the one—you can <a href="http://www.forbes.com/sites/ashleaebeling/2014/03/21/if-the-irs-calls-hang-up/">read all about it here</a>. It’s the one where social engineers claiming to be IRS officials bully people into offering sensitive information through threatening phone calls.<br />
<br />
Actually, that doesn’t sound so new, does it?<br />
<br />
That’s because it’s not. It’s the same pretexting technique that scammers have been using for years. Even though each year (or each tax season or election or Olympic Games or world relief effort) brings a new wrinkle to the scam, there is nothing new here, folks. It’s just another example of how thieves try to steal sensitive information from regular people. Every. Single. Day.<br />
<br />
The possibility of daily threats demands constant vigilance—and you are raising your awareness just by reading this. But maybe it’s time for a little refresher on the best ways to handle any social engineer who comes calling.<br />
<a name='more'></a><br />
<h4>
Don’t take a phone attack personally.</h4>
Social engineers can use almost any piece of information to build or carry out an attack—and they may play on your emotions to get it.<br />
<br />
If you get the call at work, remember this: strictly following company policies in any emotionally charged situation may be your best defense.<br />
<br />
If the call comes at home or on your mobile device, then remember this: it’s ok to be rude to a thief. If the signs are there and your red flags go up, do not let them in your head. Just hang up. This is particularly good advice for folks who may be receiving calls from this year’s batch of pushy IRS imposters. Threats and demands from unsolicited callers should never be taken seriously.<br />
<br />
<h4>
Don’t get cocky with a social engineer.</h4>
<br />
Social engineers are masters at preying on a target’s ego—and the person who is most sure of his or her security is often the easiest to “get.” If you suspect that you are speaking with a social engineer, don’t run off at the mouth or try to make them feel bad about what they’re doing. First of all, it won’t work. And second, you might let slip some small, innocuous piece of information they can actually use against you.<br />
<br />
<h4>
Know the signs of a fraudulent call.</h4>
<br />
Maybe above all, be aware of the signs of a pretext call.<br />
<br />
<ul>
<li>Was the call unsolicited?</li>
<li>Is the caller asking outright for any type of personal information?</li>
<li>Is the caller leading you along towards personal information?</li>
<li>Is the caller overly chatty or overly aggressive?</li>
<li>Does the caller sound nervous or distracted?</li>
</ul>
<br />
<br />
An affirmative to one or more of these questions is definitely a red flag. Don’t be THAT guy. The low-hanging fruit. The guy that falls for it. Protect yourself.<br />
<div>
<br /></div>
<div>
<a href="http://sighttraining.blogspot.com/search/label/Pretexting">More About Pretexting</a></div>
Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-71865142041383394252014-03-20T09:09:00.000-04:002014-03-20T09:09:24.779-04:00Are Deceptive Pen Testing Methods Always the Wrong Way to Go?<a href="http://3.bp.blogspot.com/-UtvoHGHmv_M/Uyrn7_oH_ZI/AAAAAAAAAFk/SWiL2gW1VjE/s1600/password+8048767.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="phishing, pen testing, data security" border="0" src="http://3.bp.blogspot.com/-UtvoHGHmv_M/Uyrn7_oH_ZI/AAAAAAAAAFk/SWiL2gW1VjE/s1600/password+8048767.jpg" height="211" title="Phishing attacks can cause panic and alarm" width="320" /></a>It’s been interesting to watch all the articles and stories fly about the Army phishing attack carried out by an internal commander, and which was finally shut down last week.<br />
<br />
Words like “panic,” “disaster,” “terrible,” and “irresponsible” are being thrown around like confetti.<br />
<br />
Do I agree with the commanding officer’s decision to take matters into his own hands? No. He was one man acting on his own intuition, rather than one part of a concerted effort with proper executive notification. In an organization as large as the US military, no test should be completed without a lot of feedback and forethought.<br />
<br />
It was also unfair to include the Thrift Savings Plan in an attack they knew nothing about—and then leave them to clean up the messy backlash.<br />
<br />
But let’s get to the brass tacks here: we can’t necessarily call the commander’s actions “irresponsible” just because some folks got panicked or felt like guinea pigs.<br />
<a name='more'></a><br />
<br />
Now, certainly a key issue in this story is the confusion and alarm that can be caused by a phishing awareness test. It is in people’s nature to become concerned when money or benefits are involved.<br />
<br />
But testing cannot be as simple as “Let’s do whatever will upset people the least.” Going into any security awareness analysis with that attitude will likely not produce valid and true results.<br />
<br />
It’s the classic struggle: employee vs. management, little guy vs. “Big ole’ DOD.”<br />
<br />
Those who will be tested say that when a test is done with false motivators, it can lower people's confidence in real programs and systems. People don’t like to feel used, and they want to have faith in the systems that protect their assets. As Matthew Biggs said in the article, “The big government bullies are just pushing us around and using us as guinea pigs.”<br />
<br />
Fair enough.<br />
<br />
Yet, the testers say that security awareness evaluators need to use methods for testing that are representative of what malicious people would actually do. After all, social engineers don’t pull punches. Tests that don’t use real-world scenarios do not give a true picture of a company’s security.<br />
<br />
Also fair.<br />
<br />
It really comes down to the severity of the threat. Before each security test, the powers that be must ask, "How serious are our threats and what underhanded methods will they use to hurt us?"<br />
<br />
We have experienced numerous situations where <a href="http://www.sighttraining.com/Training/SecurityAwareness.aspx">our testing methods</a> caused minor panic or upset the people we were impersonating—but it was necessary to discover security holes through which social engineers could gain access to extremely sensitive data or other high-risk assets.<br />
<br />
Deceptive testing or alarming claims to motivate users might not always be required—but sometimes they just might. Sometimes, ruffling a few feathers is the only way to get the job done when the threat is high and the risk is great.<br />
<div>
<br /></div>
<div>
<a href="http://sighttraining.blogspot.com/search/label/penetration%20testing">More About Pen Testing</a></div>
Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-43529742022850878082014-03-11T10:14:00.002-04:002014-03-11T10:14:54.506-04:00It Could Happen to You: The Value of Small Biz to Attackers<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQvahq5aevVn4yVugFs8JqTTzucsCW3sLN0WX-2O0xfFuNAykdF0zAS6dL1z0U-mYHyqMPu3GMy3M51eLdOBZliPY6ly1peHB3B-Y_SZS6j5TIFdQNviBt1qS7_cuVjjl4rQoPl5zWMZQ/s1600/robber.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="social engineering, DDoS, identity theft, phishing" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQvahq5aevVn4yVugFs8JqTTzucsCW3sLN0WX-2O0xfFuNAykdF0zAS6dL1z0U-mYHyqMPu3GMy3M51eLdOBZliPY6ly1peHB3B-Y_SZS6j5TIFdQNviBt1qS7_cuVjjl4rQoPl5zWMZQ/s1600/robber.jpg" height="320" title="Small businesses are targets of fraud and social engineers" width="240" /></a>Read <a href="http://www.theverge.com/2014/3/4/5469546/give-me-300-or-the-website-gets-it">this little article</a> yesterday and thought it might make a nice follow-up to last week’s interview with Naoki Hiroshima. Quick update on that story: @N has been restored to its rightful owner. <br />
<br />
Unfortunately, though, that was not an isolated incident. In fact, according to this recent article on The Verge, small and mid-range companies should be especially alert to these kinds of attacks.<br />
<br />
“Stories like Meetup's are less surprising to companies in the business of DDoS mitigation — like Cloudflare, which is currently helping the site recover. CEO Matthew Prince says they're most commonly launched against gambling sites or midrange e-commerce sites, as in this example from 2012. They're businesses with enough success to suffer from a few days of downtime, but often not enough foresight to invest in DDoS protection.”<br />
<a name='more'></a><br />
<br />
It’s a common scenario, unfortunately. Small and mid-size businesses often do not believe they have anything of value that would interest an attacker. In our own experience with both social engineering audits and employee training, folks are pretty quick to say, “Yeah, we know we should _____________...but we’re a small company. Why would someone attack us?” That blank could easily be filled with all kinds of security procedures: <a href="http://www.sighttraining.com/Training/CourseLibrary.aspx">social engineering training</a>, <a href="http://www.sighttraining.com/Training/SecurityAwareness.aspx">security audits</a>, risk analysis, or DDoS protections. <br />
<br />
Hey, small biz. I’ll tell you why someone would attack you: because you aren’t even trying to stop them.<br />
<br />
Now, this blog isn’t really about what steps to take to prevent an attack. If you’ve hung around here much, you’ve probably heard it all before (<a href="http://www.sighttraining.com/">and can learn more at our website</a>). Today, let’s talk about what to do when you find yourself smack in the middle of an attack.<br />
<br />
As discussed in the article, "You can't negotiate with terrorists,” and that’s the same advice we give. The safest thing is to never engage a malicious person in any way, whether it’s an extortionist threatening a DDoS attack or a social engineer working his way through a phone scam.<br />
<br />
Whatever you do, don’t bite—even in jest. You might be surprised how much information you give away while trying to be coy, cocky, or clever. In fact, on more than one occasion during white-hat social engineering audits, we have encountered IT departments willing to engage us, just for the chance to be funny or act superior.<br />
<br />
What those IT specialists don’t know (but should) is that even a quick, harmless jab like “Don't insult us with your weak attacks” may tell us something we need to know. In fact, any time we get communication from a "victim,” it’s helpful. It may simply tell us that someone is there to receive our messages or threats. But more often than not, we are able to twist the communication to our advantage and give the mark a false sense of control.<br />
<br />
Remember: an anonymous attacker has nothing to lose—and in the case of an extortionist, there’s really nothing to stop them from carrying out the attack after you pay up. If you pay them or beg them or try to intimidate them, you will always lose one way or another.<br />
<br />
Ignore. Report. Never engage.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Information%20Security">More About Information Security</a>Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-51634839733542503652014-02-25T11:26:00.000-05:002014-02-25T11:28:57.349-05:00Interview: Naoki Hiroshima, or How One Social Engineer Used the Phone as a Weapon<div class="MsoNormal">
It didn’t take long for Naoki Hiroshima’s story to take Twitter by storm when he posted his article on Medium on January 29. After all, no one likes it when a social engineer wins—especially when his target is smart, tech-savvy, and prepared.<br />
<br />
Here’s the story in a bright, colorful nutshell:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlu3pDMq9q_J3zoVW1LyWxi49lh2kZlGciLLyBqb3lSJqiPUpi9LEInTKn1uiI1-f_VZYzZyMpX5Fg-1jpSqbc8h2T-yu1tA325wC06NMvOflCDZwHnBdYY9wjhZB3TSWyqooEs3ZV3Jc/s1600/AnatomyOfAnAttack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="phone fraud, pretexting, social engineering" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlu3pDMq9q_J3zoVW1LyWxi49lh2kZlGciLLyBqb3lSJqiPUpi9LEInTKn1uiI1-f_VZYzZyMpX5Fg-1jpSqbc8h2T-yu1tA325wC06NMvOflCDZwHnBdYY9wjhZB3TSWyqooEs3ZV3Jc/s1600/AnatomyOfAnAttack.jpg" title="Pretexting and Social Engineering" /></a></div>
<br />
<h3>
Share this Image On Your Site</h3>
<textarea onclick="this.focus();this.select()" style="height: 100px; width: 500px;"><p>
<strong>Please include attribution to SightTraining.com with this graphic.</strong><br />
<br />
<a href='http://sighttraining.com/Training/Infographic.aspx'><img src='http://sighttraining.com/portals/0/SocialEngineeringAttack.jpg' alt="Don't Get Hooked" width='675px' border='0' /></a></p>
</textarea>
<br />
So, Naoki lost his Twitter handle and the thief got away. Grrr.<br />
<br />
That’s what makes this story such a model for the danger of social engineering. In fact, the details of Naoki’s story were so frustrating that we sat down with him last week for a little more detail.<br />
<a name='more'></a><br />
<br />
<h4>
What Went Wrong? Bad Authentication.</h4>
There’s no doubt that PayPal’s and GoDaddy’s weak authentication procedures made this possible, and Naoki agrees. “GoDaddy should not allow the attacker to reset my password until they could confirm it was me,” he says. “They could've asked my driver's license or such.”<br />
<br />
Unfortunately, remote verification is a real problem for companies these days for a number of reasons—most notably, that the average call center employee who answers the phone does not have the tools to properly authenticate each caller. Authentication cannot be based on one or two authentication questions with easily discoverable answers. Weak policy and weak authentication mean weak security.<br />
<br />
After engaging the social engineer by email, Naoki was shocked to discover that both companies offered the attacker all the information he wanted on a silver platter.<br />
<br />
“I was astonished by his answers that PayPal and GoDaddy facilitated the attack,” he said. “I took [the attacker’s] advice.”<br />
<br />
<h4>
How To Win: Advice from a Victim and a Social Engineer</h4>
<br />
Even more shocking, Naoki received sound advice on how to better secure his accounts in the future. The attacker suggested two things:<br />
<br />
1) Call PayPal and add a personal note to the account that bans any employee from releasing credit card details over the phone.<br />
2) Drop GoDaddy like a hot potato and find a more secure location for his domain. The attacker even recommended a couple of options.<br />
<br />
That’s good advice for anyone. All of us use companies that house our personal, sensitive, or financial information. Insurance companies, banks, online stores, schools, and places of employment all know an awful lot about us—but we have the right to demand that details about ourselves and our lives be protected with an extra layer of security.<br />
<br />
And Naoki has his own set of advice for PayPal and GoDaddy. First, he cautions against the use of personal domain names.<br />
<br />
“Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised,” he says. “If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.”<br />
<br />
And through our interview, he had even more to say.<br />
<br />
“PayPal should employ a bank-level security practice. At a bank, employees are not allowed to talk over the phone until they recognize each other using one-time identification key that you cannot have unless you are at the bank and employee account to log in the system,” he says. “[And] GoDaddy should simply revert the previous change when one claims it was false. What's the chance that a legit user changes something and an attacker tries to revert the change immediately after, and the opposite case.”<br />
<br />
Is there a bright side to this story? Maybe. As his story spreads across the Internet, the value of @N will hopefully diminish.<br />
<br />
“The person who currently owns @N will keep it until somebody will pay for it. It became useless for ordinary people or companies but some may not care.”<br />
<br />
Ultimately, though, Naoki would like justice.<br />
<br />
“Well, I'd say, whether I gave [@N] up or he stole it might be arguable in the eye of the law. [But] it's clear that it was under duress and I want it back,” he says. “And after millions of people have read my post and the attacker still has it, it simply suggests that it was OK for Twitter. I really wish Twitter was on the good guys side, and did the right thing so that attackers couldn't win. Twitter could've used this case to make public that you can't blackmail to take a username.”<br />
<br />
We’d love to see Naoki’s attacker lose, and we’re doing our part to get the word out. But unfortunately, sometimes, the good guys don’t always win. Yet, stories like these can at least be used as teaching tools.<br />
<br />
“I hope people realize this could happen to anyone, and choose and rely on right companies to deal with,” says Naoki.<br />
<br />
Do your part in the fight against social engineering. Choose your vendors wisely, and <a href="http://www.sighttraining.com/Training.aspx">train your employees on safe call center practices, the dangers of social engineers, and the best ways to defend sensitive information.</a></div>
<div class="MsoNormal">
<br />
<a href="http://sighttraining.blogspot.com/search/label/Pretexting">More About Pretexting</a></div>
Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-61722022501317787252014-02-11T10:25:00.001-05:002014-02-11T10:25:13.015-05:00Oh the Humanity: The Problem with Security PolicyEverybody talks about people using easy passwords. For example, using the same password forever and adding a 2. ‘Password.’ ‘12345.’ We all joke about it (even though it’s no laughing matter).<br />
<br />
<a href="http://3.bp.blogspot.com/-FVz63e1wVqI/UvpARy_1UcI/AAAAAAAAADE/CgG5mFsmYgo/s1600/woman+reading+disclosures.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-FVz63e1wVqI/UvpARy_1UcI/AAAAAAAAADE/CgG5mFsmYgo/s1600/woman+reading+disclosures.jpg" /></a><a href="http://www.sighttraining.com/Training/SecurityAwareness.aspx">In the past decade, we’ve had the unique opportunity to see long lists of actual passwords through penetration tests for large companies.</a> Now, initially, I didn’t know this was unique. I mean, everyone talks about what passwords people use, but honestly, nobody really knows. They are private, after all, and sometimes encrypted. Even though we all think we already know, it’s still eye opening to see what real people use for their passwords. And, as in the case of one particular job, those passwords are not always what you expect.<br />
<a name='more'></a><br />
<h4>
A Real Phishing Attack</h4>
In most cases, this is how the attack goes in a penetration test. We set up a website with a username and password field. Often, this is a complete duplicate of a real website that the employees are comfortable accessing.<br />
<br />
We then send fraudulent emails to employees, letting them know they need to login and check some very important information. Usually, we prompt them to log in and correct some error in their healthcare package, or check a box for a time-sensitive agreement to a corporate healthcare change. We know (and social engineers know) that an urgent email with details about health insurance turns typically savvy employees into fish in a barrel.<br />
<br />
And once the employees log in to our site, we’ve already skimmed their usernames and passwords before they realize anything is wrong. Sometimes, the employees never even realize they were part of an attack.<br />
<br />
We’ve done this many times, and have gotten hundreds of usernames and passwords. In fact, some employees try four or five times with every password they’ve ever had.<br />
<br />
So…what do you think the most common ones are? Is it, in fact, “password?” Their birthdate? Or the new darling of 2014, “123456?”<br />
<br />
Nope. In fact, in one case, 20-30% of the retrieved passwords were “Summer 2010.” Why? Because that company has a policy that requires employees to change their passwords every 90 days—so everyone just used the season and the year.<br /><br />
<h4>
When Security Policy is the Problem<br /></h4>
This is a real problem, for several reasons. First, those passwords are easy to guess, especially in a setting where the season (or semester) is important to the work. In addition, once an attacker guesses that password, he doesn't just know it once. He knows the pattern forever.<br />
<br />
But the bigger issue here is a policy problem. Companies think that, by making people change their passwords every 90 days, they’ve created an extremely secure environment. Unfortunately, as in the case above, hard-nosed policy actually lowers security.<br />
<br />
Security policies are only valuable if they actually improve security—and every policy must be evaluated from that perspective.<br />
<br />
Here’s another example. In some companies with which we’ve worked, policy requires all employees to leave a detailed voicemail greeting if they’ll be out of the office for any extended period of time. In one case, for a gentleman who would be out of the office for a year, that message included his title, his position, how long he would be gone, and who would act in his place. It sounded something like this:<br />
<br />
“Hi I’m Jack Jenkins, VP of blah blah. I’ll be out of the office from Feb 2011 to Feb 2012. I will not be able to receive information. If you need help, please contact Jeff Walters.”<br />
<br />
Bad policy. Easy pickings.<br />
<br />
After a quick hack of “Jack’s” voicemail, we were able to receive messages full of sensitive information, impersonate Jack, and even enter conference calls and accept tasks. We had full control of Jack’s office for an entire year.<br />
<br />
Was it “Jack’s” fault? Not really. After all, he was just following protocol.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Oh%20The%20Humanity">Read the rest of the stories in our Oh, the Humanity series</a>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-9710645826368945352014-01-28T10:21:00.000-05:002014-01-28T10:21:31.560-05:00Avoid Tax Fraud and Identity Theft: Tips from a Professional<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivH0YmwbNuYbrBejybdj-nT0jWxdn3WWZeNjt4Kla46GpkN5fASvURBdc1aHzYLDOzrztUiIVcro7MMK80iLk7mFuqL4ff7zKfrQido8cPz8soTT_hkzbMIkSvfVxNDwkCqbDSHwIhWI8/s1600/explainingdisclosure.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="ID theft, identity theft, tax fraud, information security" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivH0YmwbNuYbrBejybdj-nT0jWxdn3WWZeNjt4Kla46GpkN5fASvURBdc1aHzYLDOzrztUiIVcro7MMK80iLk7mFuqL4ff7zKfrQido8cPz8soTT_hkzbMIkSvfVxNDwkCqbDSHwIhWI8/s1600/explainingdisclosure.jpg" height="213" title="Avoid Identity Theft and Tax Fraud by Using a Professional" width="320" /></a>Once again, it’s about time to talk about tax fraud. Yes, I know. Every year around this time, just about every information security blog brings it up—you know, how it’s really fraud, how identity theft really happens, and how it could happen to you.<br />
<br />
Well…it is, it does, and it could.<br />
<br />
But I’ll eschew the scary tax fraud stories this time and just give everyone some practical tips they can use. Last year, a local tax accountant provided us with some really good, basic advice to provide to readers and clients on the subject. It was well received, so I’m going to post it again.<br />
<a name='more'></a><br />
<br />
<i><b>From David Dvorak</b></i><br />
<i>Tampa accountant</i><br />
<i>Owner, Dvorak CPA (<a href="http://www.sunshinestatecpa.com/">www.sunshinestatecpa.com</a>) </i><br />
<i><br /></i>
<i>Want to Avoid Tax Fraud? </i><br />
<i><br /></i>
<i>A few small steps and a little extra care can make all the difference in a safe tax season.</i><br />
<i><br /></i>
<h4>
<i>1) Keep Valuable Personal Information Safe.</i></h4>
<i><br /></i>
<i>Fraudsters need three pieces of information to file a fraudulent tax return for you: name, SSN, and. These are the holy grails of tax fraud information. Avoid giving out these three pieces of information unless you trust the recipient.</i><br />
<i><br /></i>
<i>The truth is, most organizations don’t need your personal information, so don’t give it out regularly. If an organization does ask for your social security number, birthday, or both, ask why they need it, and decline to provide the information if anything feels fishy. </i><br />
<i><br /></i>
<i>Also, never carry your social security card in your wallet. Since your driver’s license usually has your birthday, anyone who finds your wallet with a driver’s license and social security card has everything needed to commit identity theft and tax fraud.</i><br />
<i><br /></i>
<h4>
<i>2) Be Diligent and File Early to Avoid Fraud.</i></h4>
<i><br /></i>
<i>File your tax return as early as possible. By filing your return before an identity thief, the IRS will accept your legitimate return and reject the thief’s. If you file your return after the IRS has accepted the fraudulent return, then you will have to deal with the hassle of proving your return is the legitimate one.</i><br />
<i><br /></i>
<h4>
<i>3) Do Your Research.</i></h4>
<i><br /></i>
<i>Use an IRS-registered tax preparer. Beginning a few years ago, the IRS began requiring all professional tax preparers to register for a PTIN number. Ask any preparer you’re interviewing for their PTIN. If they give you a strange look of non-recognition, don’t use them.</i><br />
<i><br /></i>
<i>And, in case it’s too late, here’s a little helpful information if someone has already filed a fraudulent return in your name.</i><br />
<i><br /></i>
<i>You’ll need to complete Form 14039—Identity Theft Affidavit and include it, along with a form of identification, with your paper return. Of course, your return’s processing will be delayed, but at least the IRS will finally have the correct return.</i><br />
<br />
Thanks, David. And if you’re looking for a little more information about tax fraud prevention, <a href="http://www.irs.gov/uac/Newsroom/Tips-for-Taxpayers,-Victims-about-Identity-Theft-and-Tax-Returns-2014">visit the IRS website for the 2014 tip sheet</a>.<br />
<div>
<br /></div>
<div>
<a href="http://sighttraining.blogspot.com/search/label/identity%20theft">More About Identity Theft</a></div>
Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-74158843785741700342014-01-14T13:58:00.000-05:002014-01-14T13:58:42.142-05:00When Ego Gets in the Way: Infosec at the TopSo, I try to be pretty fair when it comes to information security issues. I mean, everyone’s human, right? Everyone makes mistakes. And often, for the average Joe in an office, mistakes are the result of poor security awareness training or a general lack of knowledge about the threats of social engineering, phishing, or the danger-of-the-week (you name it).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3eoI_YLuzQqkvJe5niJUxiqGwVG7nOeOl1FKYqnrpduWksUPAvjdq4KQSrimiu2uHU5-VvOBw4x34UvHEsrw9oAYVDjkgxJOc3m1YgRT1C_GrXBy3M549ipPDVQvaj1gROUHbLSMTcPM/s1600/young+professionals.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="data security, information security, security awareness training" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3eoI_YLuzQqkvJe5niJUxiqGwVG7nOeOl1FKYqnrpduWksUPAvjdq4KQSrimiu2uHU5-VvOBw4x34UvHEsrw9oAYVDjkgxJOc3m1YgRT1C_GrXBy3M549ipPDVQvaj1gROUHbLSMTcPM/s1600/young+professionals.jpg" title="security training awareness for managers" /></a></div>
But then there are those folks that just let their egos get in the way of security. <a href="http://www.cio.com/article/745729/Senior_Managers_Fumble_Security_Much_More_Often_Than_Rank_and_File">According to a recent study by Stroz Friedberg</a>, senior managers may be the worst when it comes to protecting sensitive information.<br />
<br />
Review these disturbing statistics:<br />
<br />
<ul>
<li>9 in 10 senior managers upload work files to personal accounts </li>
<li>58% of the managers studied accidentally sent sensitive information to the wrong person. </li>
<li>51% took files containing sensitive information with them after leaving a job. </li>
</ul>
<br />
The study goes on to suggest that people in management positions are more likely to flout the rules regarding information security because they’re under pressure, because they’re super busy—and because some have a serious attitude problem.<br /><br />
<a name='more'></a><br />
<br />
“In a company where there's not a pervasive culture of security emanating from the top of the organization, the top people believe that somehow their status exempts them from corporate policies," Friedberg said.<br />
<br />
For example, the article quotes the chairman of one unnamed company with which Friedberg worked, who didn’t change his password for six months because “I’m above it,” he says. “Changing passwords is not for me.”<br />
<br />
Ugh.
<br />
<br />
Evidently, this gentleman’s phone was tapped for six months because of his lazy security posture—and I say he made his own bed.<br />
<br />
As <a href="http://www.sighttraining.com/">a training and security consulting company</a>, we spend most of our time developing courses and security awareness campaigns for those low on the totem pole. Training is for the folks in the call centers, those manning the front desk, or the ones on the ground floor, right?<br />
<br />
Wrong.<br />
<br />
Cubicle or corner office, six-figure salary or hourly wage, every single person in every single organization has the same responsibilities when it comes to security: follow the rules, protect every piece of sensitive information you touch, and actively pursue secure behaviors.<br />
<br />
That’s why <a href="http://www.sighttraining.com/SocialEngineeringForManagement.aspx">we have an entire course dedicated to managers and executives</a>. Secure behavior has to start at the top and trickle down.<br />
<br />
And here’s another thing to consider—managers, CEOs, and others in positions of power can be the golden goose during a social engineering attack. Think about it: who has the most access, the most power, and the least time to protect it all?<br />
<br />
Want to impersonate someone on a phone call or conference call? Choose the individual who is always out of the office on business—the one whose voicemail says he’ll be out of the office for a month.
<br />
<br />
What’s the fastest way to the most sensitive information in a company? Go through the accounts of the person who has unlimited access to every system—and who uses the same password for every one.
<br />
<br />
Want to embarrass a big corporation? Demonstrate how easy it is to fool or outwit the powerful people at the top.<br />
<br />
Really, when it comes right down to it, any manager who chooses to ignore security policy is poking giant holes in the expensive and time-consuming efforts to train everyone else.<br />
<br />
He may as well start chucking money out the window. Someone will definitely be there to catch it.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Security%20Awareness">More About Security Awareness</a>Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-13241887941819208172014-01-09T13:24:00.001-05:002014-01-09T13:24:10.455-05:00Cyberwarfare, ID Theft, and Social Engineering: What's It All Mean?Read an interesting article at CIO the other day: “<a href="http://www.cio.com/article/745504/Talk_of_Cyberwarfare_Meaningless_to_Many_Companies_Experts_Say?taxonomyId=3089">Talk of Cyberwarfare Meaningless to Most Companies.</a>” And it got me thinking…how much of what we do and say as security companies goes over the average company’s head (or better yet, in one ear and out the other)?<br />
<br />
<a href="http://2.bp.blogspot.com/-uaT-CRZ7exY/Us7o_ShQ2uI/AAAAAAAAAFM/HptnJVInGSw/s1600/world.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-uaT-CRZ7exY/Us7o_ShQ2uI/AAAAAAAAAFM/HptnJVInGSw/s1600/world.jpg" height="206" width="320" /></a>Think about “cyberwarfare” for a minute. Does it mean going to war with other nations using robots and computers? Is it when a terrorist brings down the Internet? Does it even matter to me? Or my business? Or my industry?<br />
<br />
The reality is that cyberwarfare is a danger because bad people can use technical resources and systems to disrupt legitimate businesses and prevent them from performing their core work.<br />
<br />
In a way, the term "cyberwarfare" falls into the same category as "identity theft.” It sounds really scary, but many regular people (even managers and business owners) don’t really know how it is executed, with what tools, or against whom. Most people don't know what to do to protect themselves besides signing up for Lifelink.<br />
<br />
Or how about “social engineering,” one of the most misunderstood terms in our security vocabulary. Internationally, it’s understood as a way to analyze and influence social systems. But in the security community, it describes con artists who use social situations (phone conversations, office visits, etc.) to commit crimes. It’s real. It’s a major threat. But folks don’t understand it, so they don’t worry about it.<br />
<br />
This lack of knowledge results in major complacency. Companies do not feel PERSONALLY threatened by identity theft or a social engineering attack—but they should. <a href="http://www.sighttraining.com/Training/CourseLibrary.aspx">Executives need to educate themselves on the true impact to corporations and then educate their employees. </a><br />
<br />
Cyberwarfare, identity theft, social engineering—these are real threats with real everyday impact on real people. They are not just international news headlines.<br />
<br />
So security companies and IT professionals: it’s time to be louder. Time to be bolder. Maybe most importantly, it’s time to learn to speak the language of small and mid-range businesses with limited budgets and even more limited time. This is how we raise awareness.<br />
<br />
We’ve got our work cut out for us.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Corporate%20Security">More About Corporate Security</a>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-4870105341814622682013-12-23T15:55:00.000-05:002013-12-23T15:56:05.533-05:00Risk, Recrimination, and Reporting: Detecting and Handling BreachesI read <a href="http://www.darkreading.com/perimeter/using-the-human-perimeter-to-detect-outs/240164428">Ericka Chickowski’s article on empowering employees to detect outside attacks</a> earlier this month and I made some notes that have finally found their way into a blog…three weeks later.<br />
<br />
Well, better late than never—especially when it comes to the importance of <a href="http://www.sighttraining.com/training">teaching effective employee behaviors</a>. There is always something good to say about it. Here’s my sum-up of this article: Chickowski is 100% right, and she has some particularly notable quotes here.<br /><br />
<a name='more'></a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-7NgPdMJMIs0/UriiA6TafVI/AAAAAAAAAFA/wVBLkk4cPaY/s1600/cut_out_men.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="data security, human firewall, training" border="0" src="http://2.bp.blogspot.com/-7NgPdMJMIs0/UriiA6TafVI/AAAAAAAAAFA/wVBLkk4cPaY/s1600/cut_out_men.jpg" title="employee training improves data security" /></a></div>
<i>Quote #1: "They should be teaching employees to spot suspicious activity and report it without fear of recrimination..." </i><br />
<br />
Yes, yes, yes. Fear of recrimination is the key here. Unfortunately, it’s hard to convince a person that they will not come under some form of scrutiny if they are victimized. In fact, many are not necessarily afraid of getting fired. Rather, they are just embarrassed by their own dumb mistake. This really is similar to <a href="http://www.calcasa.org/2010/01/victims-of-crime-still-unwilling-to-report/">violent crime victims who do not report crimes</a>—often from embarrassment, shame, or a simple lack of faith in the authorities to handle it properly.<br />
<br />
<i>Quote #2: "The fact is that security has always been a game of reducing the odds of exposure rather than eliminating it." </i><br />
<br />
This is exactly right. Risk management is not a 0-100% dilemma. It is just a minimization effort. Yet, IT security leadership may develop a “crying wolf” attitude when it comes to taking reports seriously (since the vast majority of reports will not be malicious). Obviously, this creates a vicious cycle.<br />
<br />
<i>Quote #3: "In many cases, human intuition may not kick in fast enough to prevent someone from falling for a phishing ploy or a malicious link altogether..."</i><br />
<br />
There is a false perception that, once a successful attack takes place, the damage is done and the danger is past. Unfortunately, in the vast majority of circumstances, that successful attack was just a part of a campaign that can be repeated as long as it can be successful. That is why it is so important to react to and report even small suspicious events.<br />
<br />
<i>Quote #4: "Not only should this team be working to sift through these reports and triangulating them with logs and other detection technology output, but it also needs to establish solid and positive communication with the employees that send the reports to encourage future cooperation..." </i><br />
<br />
Correlation of data and reported incidents is key. Having a simple and painless way for employees to report events is worthless if no one is assessing and correlating the data in conjunction with other event logs and resources.<br />
<br />
Someone has to make judgments about how to respond to reported issues—and, all too often, it is just low on the priority list. Responsible parties just hope against hope that no serious threats arise.<br />
<br />
Now, does that sound like any way to manage security?
<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Information%20Security">More on Information Security</a>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-36025186063435386292013-12-19T08:30:00.002-05:002013-12-19T08:46:24.409-05:00Wasted Energy: How Info Purges and a Third-Party Test Could Have Helped the DOE<a href="http://3.bp.blogspot.com/-pjcysklvKmM/UrL0LBsDpsI/AAAAAAAAAEk/RiVVPJEh5jE/s1600/money+in+fist.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="cost, cleanup, data breach, security breach" border="0" src="http://3.bp.blogspot.com/-pjcysklvKmM/UrL0LBsDpsI/AAAAAAAAAEk/RiVVPJEh5jE/s1600/money+in+fist.jpg" title="Security data breaches are expensive" /></a>There’s been a lot of online chatter this week about last summer’s Department of Energy breach—and rightly so. 150,000 affected employees is nothing to sneeze at. The worst part? All the affected employees may not even know yet.<br />
<br />
<h4>
The Real Cost of Data Breach Cleanup<br /></h4>
In our experience, the market does not have a deep enough respect for how difficult and expensive the notification requirements for data breaches can be. Not only can this cause public embarrassment, but it can also put the organization at serious legal and financial risk. Many organizations worry mostly about the intrinsic dangers of losing the actual data, but show little fear of, or motivation to invest in preventing, the notification and remediation process that follows.<br />
<a name='more'></a><br />
<br />
This particular breach is also teaching the world more about just what PII is being saved—and what is most valuable to hackers. More and more often, the information leaked in these breaches exceeds the standard “names, dates, and numbers.” In this case, lost PII extended to include bank account numbers, security answers, disability information, and more.<br />
<br />
<a href="http://1.bp.blogspot.com/-tJUwwjmqWbc/UrL0LPGUo4I/AAAAAAAAAEo/Vqt1vJy90CE/s1600/informing.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="pen test, security audit" border="0" src="http://1.bp.blogspot.com/-tJUwwjmqWbc/UrL0LPGUo4I/AAAAAAAAAEo/Vqt1vJy90CE/s1600/informing.jpg" title="Third-party penetration tests are valuable." /></a>Organizations need to assess their true need for storing such sensitive information long term. In our audits, we’ve discovered companies that store HIGHLY sensitive information on consumers and employees for no real reason. They don’t use the information, and they don’t need it. In many cases, a good healthy "purge" may be the best idea.<br />
<br />
<h4>
The Value of a Second Security Opinion</h4>
<br />
This seems to be a classic instance in which <a href="http://sighttraining.com/Training/SecurityAwareness.aspx">a third-party test might have uncovered weaknesses before it was too late.</a> We have frequently been asked by government agencies to perform a third-party test because of 1) a lack of faith in the methods of the Inspector General or 2) an uneasiness about whether or not the real threats will be uncovered.<br />
<br />
On numerous occasions we’ve come in and identified real-world, imminent threats that were not deemed serious by the IG. In some cases the department and the IG are just at odds because the IG has given a poor security grade to the department.<br />
<br />
The IG certainly provides valuable insight to its agencies, but sometimes there is a disconnect between the IG and the agency that renders some results void. The best course of action is for any organization to ensure that its risk assessment is both unbiased and accounts for current real-world threats.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Data%20Breach">More About Data Breaches</a>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-84970814393558513392013-12-11T13:58:00.000-05:002013-12-11T13:59:48.531-05:00Picture Yourself Secure: Passwords, Phrases, and the FutureIn 1492, Columbus sailed the ocean blue…<br />
<br />
Every Good Boy Does Fine….<br />
<br />
Thirty days hath September….<br />
<br />
<a href="http://3.bp.blogspot.com/-nsevsMVD6K0/Uqi0Mef3WUI/AAAAAAAAACo/pOjVpwyZy-0/s1600/password+8048767.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="password, passphrase, security, data" border="0" height="211" src="http://3.bp.blogspot.com/-nsevsMVD6K0/Uqi0Mef3WUI/AAAAAAAAACo/pOjVpwyZy-0/s320/password+8048767.jpg" title="Password security" width="320" /></a>Ah yes…mnemonic devices. Those performance-enhancing tools used successfully by middle schoolers and beginner-level music students all over the country for…well, for forever, it seems.<br />
<br />
Enter any 7th grade classroom on test day and you’ll see small, strained faces searching their memory banks for that rhyme or song that will bring to mind the order of taxonomy (“King Phillip Opens Five Green Snakes”) or the five Great Lakes (HOMES).<br />
<br />
Depending on your college degree, you might have carried this technique into college. But most of us probably gave up these memory aids along with No-Doze and an actual Spring Break after tossing our grad cap in the air.<br />
<br />
But why? The human brain loves association and repetition at any age and for any reason—and that’s why <a href="http://www.cio.com/article/744158/Researchers_Picture_Way_Better_Password_Memory_Scheme">researchers at Carnegie Mellon think we should keep it up when it comes to security.</a><br />
<a name='more'></a><br />
<h4>
The Future of Passwords</h4>
<br />"If you can memorize nine stories, our system can generate distinct passwords for 126 accounts," says Jeremiah Blocki, a Ph.D. student in Carnegie Mellon's Computer Science Department.<br />
<br />
Now, these “naturally rehearsing passwords” are a little bit more involved than R.O.Y. G. B.I.V. These passphrases require the user to create a one-sentence story in their mind that can be recalled when the computer provides images that correspond to words in the story.<br />
<br />
Now, the system is still in the works, say researchers. One roadblock: prompting for special characters, numbers, or capital letters. But until these sorts of high-tech, make-our-password-for-us systems are commonplace, we can still use the principles to create very effective passphrases and acronyms.<br />
<br />
Are passwords, passphrases, and acronyms the ultimate, end-all-be-all answer to security? Of course not. <a href="http://www.huffingtonpost.com/james-grundvig/changing-your-password-wo_b_4414149.html">The recent “you’re going to get hacked anyway” movement has reminded us all that there’s a lot more to security</a>. And yet, passwords are still a part of life for everyone. We all still have to use them, so why not do the best we can?<br />
<br />
<h4>
Craft an Effective Passphrase </h4>
<br />
The basic steps:<br />
<br />
<ul>
<li>Make up a phrase that is close to you, or that’s about something you think of often. Here’s one for me: “I eat more chicken at Chick-Fil-A.”</li>
<li>Distill that phrase down to a minimum of 8 characters: "iemcacfa"</li>
<li>Replace letters with symbols, mix it up with lowercase and uppercase letters, throw in some numbers, and voila!</li>
</ul>
<br />
<b>1Emc@C-F-A</b><br />
<br />
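The passphrase steps above, together with the “Summer 2010” finding from the earlier Security Policy post, as a worked example added here (not code from the original posts): a small Python policy checker that derives the acronym from a phrase, applies a common length-plus-character-class rule, and flags the season-plus-year rotation pattern that such a rule alone lets through. The list of period words, the three-of-four-classes rule, and the sample password list are all assumptions constructed for the demonstration.

```python
"""Added example: audit passwords for the predictable season/year pattern
described in the Security Policy post and check the acronym-passphrase steps
from this post. Nothing here is from the original posts; the sample list
and the policy rules are constructed for the demonstration."""
import re
from collections import Counter

# Words people combine with a year when forced to rotate every 90 days (assumed list).
PERIODS = (
    "spring", "summer", "fall", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
)

# Matches e.g. "Summer2010", "summer 2010", "Summer_2010", "Winter10", "Fall2010!"
ROTATION_RE = re.compile(
    r"^(?P<period>" + "|".join(PERIODS) + r")"
    r"[\s._-]*(?P<year>(?:20)?\d{2})[!#$%&*.?@]{0,2}$",
    re.IGNORECASE,
)


def rotation_pattern(password):
    """Return a canonical 'period year' key if the password follows the
    rotation pattern, otherwise None."""
    match = ROTATION_RE.match(password)
    if not match:
        return None
    year = match.group("year")
    if len(year) == 2:          # "Winter10" -> "winter 2010"
        year = "20" + year
    return f"{match.group('period').lower()} {year}"


def audit_rotation_patterns(passwords):
    """Summarise how much of an audited password set is predictable."""
    patterns = Counter()
    for password in passwords:
        key = rotation_pattern(password)
        if key:
            patterns[key] += 1
    flagged = sum(patterns.values())
    share = flagged / len(passwords) if passwords else 0.0
    return {"total": len(passwords), "flagged": flagged,
            "share": share, "patterns": patterns}


def character_classes(password):
    """Which of the four usual character classes the password contains."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


def meets_complexity_policy(password, min_length=8, min_classes=3):
    """The common 'minimum length plus three of four classes' rule (assumed)."""
    return (len(password) >= min_length
            and sum(character_classes(password).values()) >= min_classes)


def phrase_to_acronym(phrase):
    """Step 2 of the post: first letter of each word; hyphenated parts count
    separately, so 'Chick-Fil-A' contributes 'cfa'."""
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    return "".join(word[0].lower() for word in words)


def evaluate(password):
    """Policy decision: check the rotation pattern first, because it passes
    the complexity rule while still being the easiest guess on the list."""
    pattern = rotation_pattern(password)
    if pattern:
        return f"reject: predictable rotation pattern ({pattern})"
    if not meets_complexity_policy(password):
        return "reject: fails length/complexity policy"
    return "accept"


# Constructed sample, not data from any real engagement.
SAMPLE_PASSWORDS = [
    "Summer2010", "summer 2010", "Summer_2010", "Winter10", "Fall2010",
    "Spring2011!", "P@ssw0rd", "1Emc@C-F-A", "123456", "iemcacfa",
]

if __name__ == "__main__":
    print(phrase_to_acronym("I eat more chicken at Chick-Fil-A."))
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:12} complexity={meets_complexity_policy(pw)!s:5} {evaluate(pw)}")
    report = audit_rotation_patterns(SAMPLE_PASSWORDS)
    print(f"{report['flagged']}/{report['total']} follow a rotation pattern "
          f"({report['share']:.0%}): {dict(report['patterns'])}")
```

Note that "Summer2010" satisfies the complexity rule and is still rejected; the acronym alone ("iemcacfa") fails it until the symbol and case substitutions from step 3 are applied.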
Would it be better (read: more convenient) to have a computer construct a hundred unique passphrases for us? Maybe. But here's our best option while we patiently wait for some of these inventive and (hopefully) user-friendly solutions to come down the pike.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Data%20Security">More About Data Security</a>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-23508410013999529612013-12-09T12:02:00.001-05:002013-12-09T12:14:59.597-05:00Phishing Infographic: Don't Get Hooked!<div>
By now, most folks are aware of phishing emails—or at the very least, that social engineers use email to steal average people's sensitive information. Yet, we are continually surprised that the how and why of phishing still eludes many average folks. What do phishing emails look like? How would someone get information from me through an email? What could a social engineer do with that information?</div>
<div>
<br /></div>
<div>
Some folks just respond better to pictures and diagrams. So...voila! <a href="http://sighttraining.com/Training/Infographic.aspx">Our first foray into the world of infographics</a>, and what is hopefully the first of many.</div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfWoVHo_faUGkbofGGmbo6S0_k-a_uX-qevV4fSNqPO_t5z8UCKaDrMF9EUx4oCAbxjuRWg6nTVizp5nkZWohyphenhyphenriXioDFG3TNBRuqTsM5nctBPEDsye3e3y5L3mbUiPa72QCgOja93Z58/s1600/phishing_email.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfWoVHo_faUGkbofGGmbo6S0_k-a_uX-qevV4fSNqPO_t5z8UCKaDrMF9EUx4oCAbxjuRWg6nTVizp5nkZWohyphenhyphenriXioDFG3TNBRuqTsM5nctBPEDsye3e3y5L3mbUiPa72QCgOja93Z58/s1600/phishing_email.jpg" /></a></div>
<div>
<br /></div>
<h4>
Employee Training: Out of the Box</h4>
<div>
As a <a href="http://sighttraining.com/Training.aspx">training company</a>, this is just one more way for <a href="http://sighttraining.com/Home.aspx">Sight Training</a> to encourage folks to do their homework—and by homework, we mean doing a little extra checking before you hand over sensitive information through a phishing email. Your credit card number, SSN, and bank information are yours and no one else's. Guard them at all costs. </div>
<div>
<br /></div>
<div>
And remember: emails are just digital versions of the in-the-flesh thieves who are behind them. They can dress up and look impressive. They can be cool, casual, and persuasive. And they can pull off an official posture with approved logos and embedded links that mimic real websites. Here are a few more tips:</div>
<div>
<ol>
<li>Remember: stranger danger! Don't know who sent it? Don't open it.</li>
<li>Be wary of attachments. </li>
<li>Ignore commands and requests for action—no matter how urgent they may seem.</li>
<li>Use the phone. Try contacting the sender by telephone. If the email is from your “bank,” then you should be able to get the truth pretty quickly. And if you cannot get in touch with the sender, then delete the email and forget about it.</li>
</ol>
</div>
<div>
Slow down, take a deep breath, and think about what you are doing before you offer it up to a social engineer on a silver platter.</div>
<div>
<br /></div>
<div>
<a href="http://sighttraining.blogspot.com/search/label/Phishing">More About Phishing</a></div>Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-39796310975035719522013-12-03T09:35:00.001-05:002013-12-03T09:38:43.876-05:00Oh, The Humanity: The Danger of AnonymityAnd now for something a little different. Throughout our “Oh, the Humanity!” series, we want to demonstrate some of the most dangerous ways social engineers can infiltrate a company—and pretty often, that involves the phone or email. But every now and then, it’s a simple (and downright silly) move that gives a thief access to very sensitive information.<br />
<br />
<h4>
Security Breach: Signed, Sealed, Delivered</h4>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-4nD4wIlMpLw/Up3rtem9CMI/AAAAAAAAAEU/OI0j53dyvTs/s1600/delivery.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="security breach, social engineering attack, red flag" border="0" height="212" src="http://3.bp.blogspot.com/-4nD4wIlMpLw/Up3rtem9CMI/AAAAAAAAAEU/OI0j53dyvTs/s320/delivery.jpg" title="special delivery security breach" width="320" /></a></div>
Here's the story. When we begin a project with any company, one of the things we most want to demonstrate is how easily we can get access to their network as outsiders. While social engineers are frequently insiders, we often attempt to replicate that level of access from our “basement.”<br />
<br />
In one case, we discovered that we couldn’t just download a standard VPN client. This company required that employees install it from a preconfigured CD. We had to figure out a way to get the CD without exposing ourselves as social engineers.<br />
<a name='more'></a><br />
<br />
We racked our brains for a while, coming up with complex scenarios that always fell short in the execution. And then the simplest option became the obvious choice: pretend we were out-of-town employees with VPN problems. We explained that our VPN wasn’t working, no matter what we tried, and that we probably just needed to reinstall it. We said we were staying at a particular hotel and asked if the company would mind FedExing the CD to the hotel.<br />
<br />
And of course, our clients were happy to oblige.<br />
<br />
We went to the hotel, asked for a package for so-and-so, and walked away with a major building block for the attack.<br />
<br />
<h4>
The Takeaway: Anonymity and Red Flags</h4>
<br />
It is essential to educate employees about the danger posed by employees, vendors, or clients who demand anonymity, and to help them recognize the behaviors that should send up red flags.<br />
<br />
Employees should be trained to make a mental note if they are:<br />
<br />
<ul>
<li>Asked not to track or write down any information about a phone call.</li>
<li>Asked to call a caller back at a different number than the one listed.</li>
<li>Asked to just not mention a phone conversation or email they’ve received.</li>
<li>Asked to send a package to a public location instead of a published corporate address.</li>
</ul>
<br />
At best, these requests may indicate some sketchy employee behavior that needs to be investigated. At worst, they may indicate a <a href="http://sighttraining.com/SocialEngineeringOverview.aspx">social engineering attack</a> in progress. The hotel delivery in the story above hit the last item on that list squarely: a package containing a network access credential went to a public location, for a caller whose claim to be an employee was taken on faith.<br />
<div>
<br />
<a href="http://sighttraining.blogspot.com/search/label/Sight%20Training">More About Sight Training</a></div>
Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-72063058196718511862013-11-19T12:16:00.000-05:002013-11-19T12:16:35.511-05:00Open Letter to IT Departments: People are Important to Your Security Plan.Read a Dark Reading article this morning that I really enjoyed. First of all, <a href="http://www.darkreading.com/compliance/doomsday-prepping-your-business/240164046">any article on information security that can work in the zombie apocalypse</a> is A-OK in my book. Nicely done, Glenn Phillips.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF09Dbz4__MbsX7i_YmCHI9mfCeFk-SdGbqKSGuT38HVsA9cXDHLTj5WpXz_23dozYhBQCNXJS_UVmVM7cOHNmH1f6AVlX9BEX4VinmioZs6jMJtMuxoNdfrERAKnDHi9WPrPf8_7T1Wg/s1600/man+in+pain.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="employee training, security awareness training, information security" border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF09Dbz4__MbsX7i_YmCHI9mfCeFk-SdGbqKSGuT38HVsA9cXDHLTj5WpXz_23dozYhBQCNXJS_UVmVM7cOHNmH1f6AVlX9BEX4VinmioZs6jMJtMuxoNdfrERAKnDHi9WPrPf8_7T1Wg/s320/man+in+pain.jpg" title="distracted employee" width="320" /></a></div>
And you know, the comparison works surprisingly well. Way too many businesses focus on just a few security dangers (for example, amassing weapons to blow away those pesky zombies) without addressing the whole picture of security (forgetting to stockpile water so you don’t…well…die).<br />
<br />
Another problem? Letting an IT team dictate what works and what doesn’t without really considering what Phillips calls “the human component.”<br />
<br />
I especially identified with Phillips’ example of an IT department requiring a new impossible-to-remember password every 60 days. I’ve worked in places like that, where IT made those sorts of demands with a sort of “Do it or else” attitude. This was ineffective. Those demands were usually 1) ignored and 2) laughed at.<br />
<a name='more'></a><br />
<br />
Are you the CIO where you work? The information security specialist? The IT support center manager? Then listen up. The average employee doesn’t know what you know—and they aren’t really keen to learn. But the answer is not setting up systems and processes that make things harder for them.<br />
<br />
Why? Because people are convenience-obsessed. People are careless. People are impatient. People are preoccupied with all kinds of other things.<br />
<br />
They don’t understand why you want them to change their password every 60 days. They don’t care whether or not it includes a good, long mix of letters and numbers. They forgot all about that boring training you sent about never clicking links in phishing emails. They can’t even get their printer working.<br />
<br />
And you know what else? If your IT security team is elitist, superior, and creates rules that are irritating and hard to follow, then your business will not be secure.<br />
<br />
So now, let me make this formal statement of apology on behalf of employees everywhere. They're sorry. They really don't mean to be lazy or thoughtless or cause security breaches.<br />
<br />
Forgive? Ok, great. Now, begin to assume the worst. Expect that they'll lose flash drives on the way through the parking garage. Expect that they will open emails they shouldn’t. Expect that they will take the easy way out most of the time when it comes to security.<br />
<br />
And then, take action. Don’t talk down to them. <a href="http://sighttraining.com/Training.aspx">Train them</a>. Teach them. Use language they can understand and expect it to take a little while to sink in. It will be worth it once they are your strong frontline of security.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Information%20Security">More About Information Security</a>Anonymoushttp://www.blogger.com/profile/12957418155057119096noreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-49680527729608484622013-11-14T09:33:00.002-05:002013-11-14T09:35:43.421-05:00Oh, the Humanity! Train Employees to Say "No" to Social EngineersLet’s set the scene for the third social engineering tale in our story series “Oh, the Humanity.” A Fortune 100 company asked us to test their defenses against pretext calling, email phishing, and physical security. The best part? They pretty much just gave us carte blanche and asked us to figure out how a social engineer would develop an attack.<br />
<br />
After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.<br /><br /><br />
<a name='more'></a><br />
<br />
<h4>
A Classic Pretexting Ploy</h4>
<br />
<a href="http://3.bp.blogspot.com/-DCGFilZbpaA/UoTbnGEAnEI/AAAAAAAAAD8/ly15SBovILA/s1600/man+on+cell+phone.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="pretexting, social engineering, fraud, information security" border="0" src="http://3.bp.blogspot.com/-DCGFilZbpaA/UoTbnGEAnEI/AAAAAAAAAD8/ly15SBovILA/s1600/man+on+cell+phone.jpg" title="victim of pretexting and social engineering" /></a>We tried a few different things, but it became clear pretty quickly that the most effective tactic was calling “work at home” employees and folks in the field. It’s been our experience that the further an employee is from the office, the less likely he or she is to adopt secure phone and email practices.<br />
<br />
It was the standard spiel: we pretended to be calling from the IT support center at the home office, saying that we’d noticed some anomalies in VPN access.<br />
<br />
“It looks like people are not shutting down their connections properly and we need to check your settings,” we’d say.<br />
<br />
Blah, blah, blah.<br />
<br />
And as always, this caused a good deal of concern, since people wanted to make sure they were not the problem (i.e. in trouble). Everyone was very helpful. Incidentally, we also wound up answering a lot of tech support questions, like why their printer isn’t working or why their WiFi is so slow. We’re nice like that.<br />
<br />
After several calls, we reached “Bob” and dove into the standard story. He seemed especially helpful throughout the troubleshooting process, so we went in for the kill. We thought we’d see if he would just read the host name to us. We quickly reached the moment of truth.<br />
<br />
<i>Us</i>: “Bob, are you on the configuration screen? Do you see where it says host name or IP address? Ok, can you tell us what it says?”<br />
<br />
<i>Bob</i>: “Um…I’m not really sure if I’m supposed to tell you that. How do I know you are who you say you are? Wait…do you really work for ABC Company?”<br />
<br />
<i>Us</i>: “Um….yes. Yes, we do.”<br />
<br />
<i>Bob</i>: “Ok! I just had to be sure.”<br />
<br />
And just like that, he read us the host name, giving us everything we needed to connect to their VPN.<br />
<br />
<h4>
The Takeaway: Empower Your Employees to Say "No."</h4>
<br />
Though Bob made a (feeble) attempt at authentication, he failed because he didn’t know how to proceed once he’d reached that point. He was clearly suspicious, but had no real recourse. Asking the caller “do you really work here?” proves nothing, because the caller controls the answer; only a check the caller does not control, such as hanging up and calling the support center back at its published number, does.<br />
<br />
It isn’t enough to just make your employees suspicious. You have to empower them to take action on their suspicion and give them tools and clear escalation processes. Let them know that they can say no, and that a real support center will not mind being called back. Give them steps to take or just good questions to use for authentication.<br />
<br />
Otherwise, you may find your own “Bob” has handed over the keys to your kingdom.<br />
<br />
<h4>
Take Action: Training, Audits, and Security Awareness Campaigns</h4>
<br />
Perhaps this story hit home. Maybe you see a problem in your own organization, or maybe you just realized that your people don't know much about this type of social engineering threat. Don't panic. There's a lot you can do. Here are a few steps toward a safer (and more suspicious) employee culture.<br />
<br />
<ul>
<li>Develop clear policies and procedures for phone authentication.</li>
<li>Engage your employees with <a href="http://sighttraining.com/Training.aspx">interactive training</a> that is customized for your industry and puts them in a victim's shoes. </li>
<li>Keep security at the forefront with <a href="http://sighttraining.com/Training/SecurityAwareness.aspx">security awareness posters, newsletters, and campaigns</a>. </li>
</ul>
<br />
And if you aren't sure where the problems really lie, begin the process with <a href="http://www.socialengineering.com/">the most comprehensive security and social engineering audit in the industry</a>. If sensitive information is slipping out of your company, find the holes and plug them before a security breach causes damage.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/Training">More on Training</a>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-46084943301483834282013-11-12T11:18:00.000-05:002013-11-14T10:50:30.482-05:00When Identity Theft Hits HomeMy office was quieter than usual when my cell phone buzzed. It was my mother. While it was no surprise for her to call, a mid-morning Thursday call was unusual.<br />
<br />
"Hey, Mom. How's it going?"<br />
<br />
"Well…" she said, voice cracking. "Not too good."<br /><br />
<a name='more'></a><br />
<br />
I could hear her sniffling. As with everything in my life, I labored to hide any shock at her response. In reality, my blood ran cold and I immediately began to rattle through all of the unpleasant possibilities: a death in the family, some terminal disease. But I wasn't even close.
<br />
<br />
"Really? What's wrong?"<br />
<br />
"Uh…well…your sister was arrested this morning."
<br />
<br />
<a href="http://2.bp.blogspot.com/-4gh8n6iDgGk/UoJTjCVlf2I/AAAAAAAAADs/N_eLBUKqcuY/s1600/handcuffs.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="identity theft, personal information, cost, breach" border="0" height="127" src="http://2.bp.blogspot.com/-4gh8n6iDgGk/UoJTjCVlf2I/AAAAAAAAADs/N_eLBUKqcuY/s200/handcuffs.gif" title="identity theft consequences" width="200" /></a>Once again I masked my utter astonishment.<br />
<br />
"What? What happened?... For what?"<br />
<br />
"They said it was for check fraud!"<br />
<br />
"What?!"<br />
<br />
Here's what you should know about my sister, Christy. She is smart, confident, resourceful, and extremely tender-hearted. She was never in trouble growing up. I don't think she's ever even gotten a parking ticket. Needless to say, this situation seemed impossible and was growing stranger by the second.<br />
<br />
<h4>
Identity Theft: The Indignity</h4>
<br />
First thing that morning, a knock came at Christy's door. Her oldest child, who turned five that day, was the only one awake with her. Her two-year-old daughter and still-nursing infant were asleep. Her husband had left early for work. And at the door were two stern-looking uniformed police officers.<br />
<br />
"Hello miss. We're looking for Christy Michelle Pitt?"<br />
<br />
"Yes, that's me. How can I help you?"<br />
<br />
"We have a warrant for your arrest."<br />
<br />
Christy gasped with shock.<br />
"For what? I am sorry, but you must have made a mistake!"<br />
<br />
Christy did not have the slightest clue what they were there for, but there they were—ready to take her into custody. She sat at the kitchen table pleading with them until our parents came. The officers were nice enough, but they had a warrant and there was no persuading them to ignore it.<br />
<br />
After a litany of confused questions and exasperated conversation, it became clear that the charges were for some fraudulent checks written over 7 years before—and that Christy was on her way to jail. They led her to the car alone and in tears while her husband, who had now arrived, tended to the distraught toddlers and a hungry baby.<br />
<br />
<a href="http://1.bp.blogspot.com/-TIDaWfl4je0/UoJS4zGgCxI/AAAAAAAAADk/dwZGan5S7UI/s1600/check+small.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="identity theft, sensitive information, identity protection" border="0" src="http://1.bp.blogspot.com/-TIDaWfl4je0/UoJS4zGgCxI/AAAAAAAAADk/dwZGan5S7UI/s1600/check+small.jpg" title="check fraud identity theft" /></a>Christy spent the entire day in jail with no information other than the fact that some checks were forged and her driver's license number was written on them.<br />
<br />
<h4>
Identity Theft: The Consequences</h4>
<br />
To this day, Christy remains in litigation and her financial situation grows worse. Before all is said and done, it may cost her upwards of $20,000. And she probably won't see one penny of that money back.<br />
<br />
All of this mayhem stemmed from one simple event: her driver's license number got into the wrong hands. It is this realization that helped me better understand the indelible connection between corporate security and personal impact.<br />
<br />
<a href="http://sighttraining.blogspot.com/search/label/identity%20theft">More About Identity Theft</a>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-1895864798919438368.post-6080676819915480642013-11-05T14:39:00.003-05:002013-11-14T10:52:57.855-05:00Oh, The Humanity! Another Pretexting Success Story.And welcome back to our social engineering success story series: <a href="http://sighttraining.blogspot.com/search/label/Oh%20The%20Humanity">"Oh, The Humanity!"</a> Storytelling can be a very effective tool in the fight to raise awareness about information security and effective training, and our firsthand experience with pretexting, phishing, proximity attacks, and more has provided us with ample ammunition. And now, on to our next story...<br />
<br />
A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.<br />
<br />
Here were the ground rules:<br />
<br />
Rule #1: We only called on test accounts, or fake customers placed in the system by the company for penetration testing purposes only. This precaution was for everyone’s security.<br />
<br />
Rule #2: We were only provided with the most basic fake-customer information: name and address. These pieces of information pretty well represent what a social engineer can get publicly on the Internet.<br /><br />
<a name='more'></a><br />
<h4>
Starting Like a Social Engineer</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-pcsRNxaS6QE/UnlDcFKFZuI/AAAAAAAAADU/vnQ3B3Bp_ss/s1600/call+center+employee+on+phone.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="pretexting, social engineer, information security" border="0" height="244" src="http://2.bp.blogspot.com/-pcsRNxaS6QE/UnlDcFKFZuI/AAAAAAAAADU/vnQ3B3Bp_ss/s320/call+center+employee+on+phone.jpg" title="call center pretexting victim" width="320" /></a></div>
With the rules in place, we got started—and upon calling the call center, we learned their verification procedures pretty quickly. Their call center representatives used a standard, multi-tiered system that required them to first ask account questions (first car, first pet, first whatever) and then ask personal questions (birthday, SSN, mother’s maiden name, etc.).<br />
<br />
Like I said before, we were flying blind. Since we never knew the first level of questions, we always tanked them—and our calls were always escalated to the next level.<br />
<br />
So on we went, call after call, until I reached one particular young lady. I fed her a heartbreaking story (as usual): my daughter had been checked into the hospital and I desperately needed to check my balance.<br />
<br />
Of course, we rolled around to the inevitable SSN and birthday questions. I tanked them both.<br />
<br />
So she kept trying, asking personal question after question, until I miraculously managed to guess enough close-enough answers to be validated by the company’s authentication procedures.<br />
<br />
<h4>
Suspicious, But Not Supported<br /></h4>
Now, let me give this young lady some credit. She was <i>clearly</i> suspicious. I mean, who doesn’t know their birthday?<br />
<br />
And she didn’t make it easy on me. After I missed the first two questions, she put me on hold—forever. Then she came back on the line again, asked me some more questions, and then put me on hold again—again, for forever. She was trying to do the right thing.<br />
<br />
But when she came back the third time, she not only gave me the information I was asking for but she apologized for the system error and updated the record with the fake birthday and fake social security number.<br />
<br />
Was she new? Clueless? Untrained? Nope. She was just following orders.<br />
<br />
After reviewing the call, we discovered that both times she put us on hold, she was reviewing the information with her supervisors—first her manager and then the security group.<br />
<br />
And in both cases, even after she indicated her suspicions, they asked her just one question:<br />
<br />
“Did they pass authentication procedures? Yes? OK…then give him what he wants.”<br />
<br />
<h4>
Pretexting: The Takeaway<br /></h4>
You can’t give lip service to policies that let employees escalate situations when they feel suspicious or uncomfortable. Sure, everyone has to give good customer service and respectful communication, but if an employee feels suspicious enough to escalate to two different people, then there is justification for handling the call and account with great care. At the least, it is the kind of thing that requires a review of the account, and it certainly does not justify changing a social security number or date of birth on the spot. Two things went wrong here. First, “did they pass?” was the only question the supervisors asked, so the escalation changed nothing; a procedure in which wrong answers cost the caller nothing is a checklist an attacker can simply keep grinding through. Second, the misses were treated as a system error rather than as evidence. A caller who gets the date of birth and the SSN wrong has not been verified, however many later answers happen to be close enough.<br />
<br />
Bottom line: Your authentication procedures are not foolproof. Build in a cost for wrong answers, make an agent’s escalation change what the caller can get, and never let a call that failed identity questions edit the very identity data it failed on.
<br />
<br />
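The multi-tiered verification described at the start of this post and the takeaway above are worth seeing as code. The following Python is an added example, not the institution's actual procedure; the test account, the questions and the thresholds are constructed. weak_policy is the supervisors' rule (“did they pass?”); hardened_policy makes misses, identity-question misses and the agent's own escalation all count; may_change_identity_data is the rule that should have stopped the SSN and birthday from being overwritten.

```python
"""Two ways to decide whether a caller has 'passed' phone verification: the
hit-counting rule the supervisors in the story applied, beside a rule in which
misses, identity-question misses and the agent's escalation all count.
Added example for this post, not the institution's procedure; the test
account, questions and thresholds are constructed."""
from dataclasses import dataclass, field

# Constructed record of the kind of test account used in the audit.
TEST_ACCOUNT = {
    "first_car": "honda civic",
    "first_pet": "rex",
    "dob": "1970-01-01",
    "ssn_last4": "1234",
    "mother_maiden": "smith",
    "street": "12 main st",
    "zip": "30301",
}
# Identity questions: no 'close enough', and a miss ends the verification.
HARD_FIELDS = {"dob", "ssn_last4"}


def normalize(answer):
    """Case- and whitespace-insensitive comparison; nothing fuzzier than that."""
    return " ".join(answer.lower().split())


@dataclass
class CallSession:
    account: dict
    passes: list = field(default_factory=list)
    misses: list = field(default_factory=list)
    escalated: bool = False

    def answer(self, name, given):
        """Record one challenge/response; returns whether it matched."""
        ok = normalize(given) == normalize(self.account[name])
        (self.passes if ok else self.misses).append(name)
        return ok

    def escalate(self):
        """The agent is suspicious and has gone to a supervisor."""
        self.escalated = True


def weak_policy(session, needed=3):
    """'Did they pass?': enough correct answers, everything else ignored."""
    return len(session.passes) >= needed


def hardened_policy(session, needed=3, max_misses=1):
    """Escalated calls are never verified on the phone, a miss on an identity
    question is fatal, and more than max_misses wrong answers is a fail no
    matter how many later answers happen to match."""
    if session.escalated:
        return False
    if any(name in HARD_FIELDS for name in session.misses):
        return False
    if len(session.misses) > max_misses:
        return False
    return len(session.passes) >= needed


def may_change_identity_data(session):
    """Editing SSN or date of birth on the phone needs a clean call: verified
    with no misses at all. Anything else goes to an out-of-band process."""
    return hardened_policy(session) and not session.misses


def replay_story():
    """The call from the post, replayed against the constructed test record."""
    s = CallSession(TEST_ACCOUNT)
    s.answer("first_car", "ford")          # tier 1 miss, escalated to tier 2
    s.answer("first_pet", "max")           # tier 1 miss
    s.answer("ssn_last4", "9999")          # identity miss
    s.answer("dob", "1972-05-05")          # identity miss
    s.escalate()                           # first hold: the manager
    s.answer("mother_maiden", "Smith")     # the answers the agent accepted
    s.answer("street", "12 MAIN ST")
    s.answer("zip", "30301")
    s.escalate()                           # second hold: the security group
    return s


if __name__ == "__main__":
    s = replay_story()
    print("weak policy says verified:", weak_policy(s))            # True
    print("hardened policy says verified:", hardened_policy(s))    # False
    print("may edit SSN/DOB on this call:", may_change_identity_data(s))  # False
```

Replaying the call, the weak rule says the caller passed and the hardened rule says he did not, for three independent reasons: two identity questions were missed, four misses exceed the budget, and the agent escalated. The thresholds are illustrative; what matters is that a wrong answer is recorded and costs something, and that an escalation changes the outcome rather than being answered with “did they pass?”.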
<a href="http://sighttraining.blogspot.com/search/label/Pretexting">Read More About Pretexting</a>Anonymousnoreply@blogger.com0