Monday, March 29, 2010

Don't take offense but the biggest risk to security - It's Likely To Be You!

Everyone asks me what the greatest threat to security is.  They are visibly disappointed when I give them my answer.  I think most of them expect me to say, "China!  They are out to get us!" or, "The Russian Business Network - they are wicked smart!" or, "Cybercriminals, they are always after your money."  These are real threats and you need to protect yourself from them.

I believe there is a bigger threat, and dear reader, I believe it is you or maybe your co-worker.

Are you Mr. Incredible?  You do it all - you juggle kids, work, and family obligations.  This requires you to take work with you everywhere you go.

Imagine this...
You have work to do but your kid's soccer game is coming up.  Well, just download 3.3 million borrower records to your thumb drive and you are in business.  You can work anywhere.  You might even be able to work in the car while your kid's team warms up.

Well, Mr. Incredible, if you worked at ECMC, you just created the largest, most incredible breach ever.

We don't know why an employee downloaded 3.3 million people's student-loan records to a thumb drive, but we will soon.  3.3MM people equates to as many as 5% of all federal student-loan borrowers.  Their data is on a thumb drive that is now missing.

Not to worry, students, I think it only had your names, addresses, Social Security numbers and other personal data on it.

This particular Mr. Incredible works in St. Paul, Minn., at the headquarters of Educational Credit Management Corp., a nonprofit guarantor of federal student loans.

You will be glad to read this quote from the ECMC spokesperson, Paul Kelash:  "It was simple, old-fashioned theft.  It was not a hacker incident."  Wow, that is comforting!

This is right on the heels of another data theft earlier in March 2010: a former employee of HSBC Holdings PLC allegedly stole data on about 24,000 Swiss private-bank accounts.


The conversation about the insider threat is the non-sexy side of security, but it can cause some of the greatest chinks in the armor.  The “insider threat” is often like carbon monoxide poisoning: silent and hard to detect.  I break the threat down into three character profiles:
1.  Robert Hanssen
2.  Eve from Wall-E
3.  Mr. Incredible

Robert Hanssen – Intentional:
Robert Hanssen was a former U.S. FBI agent who turned over information to Russian intelligence services for cash and diamonds.  It is also suspected he did it because he wanted to prove something to himself and others.  This employee-type knowingly wants to cause harm either because they want to make a buck or because they feel it is their version of payback time.

Eve from Wall-E – Unintentional Public Disclosure (Think Millennials):
Eve is on a mission and she wears that mission on her chest.  She’s after plant life and she does not care who she broadcasts that mission to.  She cannot keep a secret, and she is overjoyed and beams when she finds plant life.  The generation joining the workforce now and for the next 10-15 years is a lot like Eve.  When they experience emotions, they will wear them openly via cyberspace.  That openness may also include blogging, tweeting, and Facebook posts about the latest project they are working on.

Recently, an overexuberant Microsoftie was caught talking about the virtues of Windows 8.  His posts have been removed.  Before they were, we did manage to learn that the next version will be “unlike anything users expect of the operating system” and that they are moving to 128-bit.  A tough blow for their competitors and for bad guys that want to be ready to hack the new version the moment it arrives.

Mr. Incredible – Accidentally Breaks Your Defenses:
Your model employee, the hidden threat until it’s too late:
I love Mr. Incredible.  He has great strength and a heart of gold.  He wants to take on the world and use his talents but was forced to hide his talents within the system.  In one scene, in striving to do what is right and just, he accidentally injures his own boss.

I tell organizations that their biggest threat may actually be their Mr. Incredible employees.  These are the people that will do whatever it takes to work for you days, nights, weekends, and holidays.  They are the fearless defenders of creating the latest report or implementing the latest technology for your company.  If that means downloading tons of information to a portable device so they can work on their vacation, they will.  If it means throwing the laptop in the car on the way to pick up their kids, with a stop at the grocery store where the laptop is left unattended…whoops!  They do not mean to put the company at risk, but their drive to get it done exposes your data.

The missing data costs you your reputation, puts your intellectual property at risk, may expose innocent people to identity theft, and can create lengthy, costly lawsuits.  Just ask the VA.  A model employee was working on VA business at home and their home was burglarized.  A VA laptop was among the stolen goods and had the Social Security numbers of 26.5MM active duty military and veterans on it.  The VA has agreed to pay $20MM to settle a class action lawsuit.  In a true miracle mix of skills and luck, the FBI managed to recover the stolen laptop, and it is believed the data was not used by the criminals.

Until we deal with the insider threat, I will not run out of blog posts!

As always, would love your comments and feedback.

Friday, March 26, 2010

My Twitter List - People That Will Inform, Help and Support You!

If you think someone should be added to this list, please post a comment.

These are people that I follow that will:
1.  Provide honest opinions
2.  Provide you with great facts
3.  Support you and your questions
4.  Post interesting tweets and more...

News and Media:
@scottstanzel
@wbtvkristenM
@almacy


Security and Safety Online:
@intel_chris
@pranheim
@isa_808
@cybersafety808
@infragard
@marykayhoal
@sue_scheff
@googlebombbook
@kakroo
@gtiadvisors
@crispthinking
@janebalvanz
@marjieknudsen
@getgamesmart
@inspiringmoms
@meowatthesun
@bethantuttle
@awaythrough
@808cop_retired
@co2hog
@momsmaterial
@mbenlakhoua
@anthonymfreed
@gregwhoward
@micheleborba
@security_faqs
@lindacriddle
@theonlinemom
@heykim
@sysadrockstar
@rebeccanewton
@websecuritynews
@iammilitary
@dorothyhill
@myntPR
@WiredMoms
@RobertSiciliano
@Suzidk
@PandaLabs
@e_Mint
@Cvallejo64
@Bugspy
@DigitalSteward
@D_Rittenhouse
@WebEyesOpen
@McAfeeAvertLabs
@OaklandCtyMoms
@usmcdog


Saturday, March 20, 2010

Big Brother Has the Power to...turn off your car

Turn off your car?  What?

As our world becomes more automated and everyday gadgets are infused with computer machinery, you are more at risk of a glitch, or worse.

Over 100 car owners in Austin, TX had the worst surprise ever recently.  Cars began behaving badly - they would not start, or their horns kept honking.

How could this happen?

Many consumers have no idea that their dealerships are installing a little black box on cars.  This little black box allows the dealerships to disable YOUR car if you fall behind on payments.  It is the modern day alternative to the Repo Man.

The culprit?  Not a technology glitch but a ticked-off employee who had been fired.  Police in Austin's High Tech Crime Unit arrested 20-year-old Omar Ramos-Lopez.  Police tracked him down using access logs and then tracing the traffic back to his IP address.

Martin Garcia, manager of Texas Auto Center, where Omar worked, said, "Omar was pretty good with computers".  Really?  Maybe Mr. Garcia was taken out of context; let's hope so.

I have said it before, sometimes the greatest risk in cybersecurity is the INSIDER THREAT - from the model employee to the displaced employee.

They can put Ramos in jail but until businesses address the risk of insider threat, Ramos will not be the last.

This leaves another question open: if Ramos was able to access the system using another employee's account, what could someone with a real plan have done to immobilize drivers?
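The two signals the story points to, one source IP authenticating as more than one employee account and a burst of vehicle-disable commands from a single account, can be checked from the same kind of access logs the police used. The following is an added example, not code from the original post or from any dealership system; the log format, the account names and the IP addresses are all constructed for illustration.

```python
# Added example (not from the original post). Two detector checks run over constructed
# access-log lines modelled on the Austin incident: one source IP using several
# employees' accounts, and a burst of vehicle-disable commands from one account.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip action[:vehicle]" (assumed format)
SAMPLE_LOG = """\
2010-02-20T02:01:10 clerk_a 203.0.113.7 login
2010-02-20T02:01:40 clerk_a 203.0.113.7 disable:VIN001
2010-02-20T02:01:55 clerk_a 203.0.113.7 disable:VIN002
2010-02-20T02:02:20 clerk_a 203.0.113.7 disable:VIN003
2010-02-20T02:03:05 clerk_b 203.0.113.7 login
2010-02-20T09:15:00 clerk_c 198.51.100.4 login
2010-02-20T09:16:30 clerk_c 198.51.100.4 disable:VIN777
"""

def parse_log(text):
    """Turn each log line into (timestamp, user, source_ip, action)."""
    events = []
    for line in text.splitlines():
        ts, user, ip, action = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, action))
    return events

def shared_source_ips(events):
    """Source IPs that logged in as more than one account (possible borrowed credentials)."""
    users_by_ip = defaultdict(set)
    for _, user, ip, action in events:
        if action == "login":
            users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}

def disable_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Accounts issuing at least `threshold` disable commands inside any sliding window.
    Returns {user: largest number of disables seen in one window}."""
    times_by_user = defaultdict(list)
    for ts, user, _, action in events:
        if action.startswith("disable:"):
            times_by_user[user].append(ts)
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged
```

In production the threshold would be tuned to the legitimate rate of repossession-related disables, and a hit on either check is a reason to suspend the account and review who holds its password, not proof of wrongdoing on its own.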

Who needs an EMP (electromagnetic pulse) to take out computer systems when you can just hack into devices?

Comments?  Questions?  Please send me your reaction to this story.

Thursday, March 4, 2010

Avoid the nightmare of losing your address book. Helpful tips.

Link to the WBTV video


In the US, over 12 million cell phones are lost each year and 700,000 are stolen.

This is a nightmare scenario.  You need to make a phone call and find out that your address book is suddenly empty or your cell phone is missing.  If your job depends on you having a large Rolodex, this situation can be overwhelming.

What would happen to you if your contacts were lost?

Former White House Cyber Security Expert, Theresa Payton has some options for saving your contacts to a safe place and recovery options in the event something happens to your cell phone.

How to avoid a BAD situation:

B - Back up files.  Most smart phones and cell phones come with software that you can use on your computer to create a backup file.

A - Access to your contacts may be available another way.  You may already have files on your computer or Mac that you could use.  For example:

A file ending in ".ipd" holds BlackBerry contacts.

A file ending in ".csv" can be imported into most address book and email programs and then synchronized to your phone.

vCard files can be imported into most contact programs.

D - Don't rely on just having your contacts on your phone or computer.  Keep a copy in multiple places.  Have a hard copy of the 5 most important contacts in the event of an emergency.
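The ".csv" and vCard formats above are the two that travel between programs, so one way to keep a copy in a second place is to turn a CSV export into a ".vcf" file. The following is an added example, not code from the original post; the column names (name, phone, email, note) are assumed, and the escaping follows the vCard 3.0 rules.

```python
# Added example (not from the original post): convert a ".csv" contact export into a
# vCard 3.0 (.vcf) file that most contact programs can import, giving a second copy
# of the address book. Column names are assumed; escaping follows RFC 2426.
import csv
import io

# Constructed sample export with the column names this example assumes.
SAMPLE_CSV = """\
name,phone,email,note
Ada Example,+1 555 0100,ada@example.com,"Backup contact; call first, then email"
Bob Example,+1 555 0101,bob@example.com,
"""

def vcard_escape(value):
    """Escape backslash, comma, semicolon and newline as vCard 3.0 requires."""
    return (value.replace("\\", "\\\\").replace(",", "\\,")
                 .replace(";", "\\;").replace("\n", "\\n"))

def contact_to_vcard(row):
    """Build one vCard 3.0 entry from a CSV row (dict with name/phone/email/note)."""
    lines = ["BEGIN:VCARD", "VERSION:3.0", "FN:" + vcard_escape(row["name"])]
    # N is mandatory in vCard 3.0; split "First Last" into Last;First;;;
    parts = row["name"].split(" ", 1)
    last = parts[1] if len(parts) > 1 else ""
    lines.append("N:%s;%s;;;" % (vcard_escape(last), vcard_escape(parts[0])))
    if row.get("phone"):
        lines.append("TEL;TYPE=CELL:" + vcard_escape(row["phone"]))
    if row.get("email"):
        lines.append("EMAIL;TYPE=INTERNET:" + vcard_escape(row["email"]))
    if row.get("note"):
        lines.append("NOTE:" + vcard_escape(row["note"]))
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"   # vCard lines end in CRLF

def csv_to_vcf(csv_text):
    """Convert a whole CSV export into the text of a multi-entry .vcf file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return "".join(contact_to_vcard(row) for row in reader)

if __name__ == "__main__":
    with open("contacts_backup.vcf", "w", newline="") as fh:
        fh.write(csv_to_vcf(SAMPLE_CSV))
```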

The following are resources that can help you build or re-build your list of contacts on your phone and computer.

See this link for helpful resources on how to back up your contacts:  Website Tips & Resources

As always, please make comments and suggestions on what you want to hear about!

Thank you!