Monday, December 24, 2012



The “bad guys” go where the action is.  They surf the web looking for winners of contracts for government agencies or companies.  They actively track and profile companies, prominent political figures, celebrities, and people of financial wealth for ill-gotten gains.  They exploit weaknesses, not just in our technology protection, but also in our human nature.  

Cybercreeps and cybercriminals are experts at understanding what makes a person click on a link, open an attachment, or visit a particular website.  They target their victims by mimicking day to day tasks and trap them into letting them into their devices, computers and networks.  It used to be that if you put in place the best, leading edge technology that you could fortify your network and protect your digital assets and then you were “safe”.  That is no longer the case.  

The points of entry are increasingly sophisticated.  Our point of view is that they have the advantage of potential anonymity, scale of attack, time to prepare, and the element of surprise in their favor.  

We have seen cybercriminals that use sophisticated spear phishing, a focused email scam, to target a specific person or entity.  We have also watched some cybercriminals hijack press releases of legitimate companies and convince you to click or download information.  Another set of cybercriminals are particularly expert at poisoning search engine results.  Cybercriminals are fond of using current news events to set their malicious software trap.  Any hot news topic, from the death of Morgan Freeman (who is not dead) to the exploits of Julian Assange at Wikileaks, presents perfect opportunities to poison search results.  Google reported that 1.3% of their search results are infected.  So, if you get 100 potential hits for your search request, that means 1 of them could be a trap.  

So what can you do to protect your customer data?

1.  Educate your staff on the risks and the threats.  Just a conversation about a news headline helps with awareness.

2.  Provide them with written guidelines such as "Never put customer data on a thumb drive" or "Ask someone else at the company before you click on a link in an email and give up company data".

3.  Practice a disaster - "Today, we found out that a cybercriminal made a copy of our customer data and is selling it online....what would we do in the next 60 minutes to recover?"

4.  Create a written policy about confidentiality of customer data and ask your employees to sign it annually.  The policy should include:
a.  not talking about customers by name or industry online or offline
b.  not sending customer data to personal email accounts
c.  whether or not it is okay to have customer data on portable media

We have been advising our customers for over 4 years about the risks of social networking.  Not only do some entities accidentally let the bad guys in but often their staff also provides too much information to the bad guys.  67% of people polled by Sophos, a software security company, said they had been spammed via social networking.  Facebook seems to have a scam story or survey regularly.  In addition, we have been able to reconstruct our client’s whereabouts, company habits, and company information using social networking sites such as Facebook, LinkedIn, Twitter, and FourSquare as well as messaging boards like Microsoft and Cisco.  57% of businesses polled by Sophos said they think their employees share too much online but they do not know how to teach them not to, or how to write policies that would enforce keeping company secrets a secret without encroaching on First Amendment rights.

Even though cyberspace can be unsecure, there are several tactics and strategies that can protect people and entities from cybercriminals that want to conduct any or all of the following activities:  steal sensitive information, take intellectual property, commit cyberhactivism, launder money through accounts, take over identities, commit attacks hiding behind your computer, and/or steal money.

A recent Verizon study revealed that 87% of breaches could have been avoided had adequate security controls been in place. Our aim is to prevent your company from becoming a part of that statistic.  We find that implementing current policies and procedures and providing education and awareness training are two critical pieces in protecting you against the bad guys. 

No comments:

Post a Comment