Industry News Recap: Verizon Publishes 2013 Data Breach Investigations Report

By | April 26th, 2013|Uncategorized|

This week Verizon released their sixth annual Data Breach Investigations Report, analyzing more than 47,000 reported security incidents in 2012. The report found that 75 percent of data breaches were driven by financial motives and 20 percent of attacks fell in the cyber espionage category, targeting intellectual property.

“Typically what we see in our data set are financially motivated breaches, so the targets usually include retail organizations, restaurants, food-service-type firms, banks and financial institutions,” said Jay Jacobs, senior analyst with the Verizon RISK team, in PC World. “When we looked at the espionage cases, those industries suddenly dropped down to the bottom of the list and we saw mostly targets with a large amount of intellectual property like organizations from the manufacturing and professional services industries, computer and engineering consultancies, and so on.”

The types of industries affected are widespread. Principal author of the report Wade Baker believes “the bottom line is that unfortunately, no organization is immune to a data breach in this day and age. We have the tools today to combat cybercrime, but it’s really all about selecting the right ones and using them in the right way. In other words, understand your adversary – know their motives and methods, and prepare your defenses accordingly and always keep your guard up.”

What are some ways your business prepares for a potential security breach? Does your business need to protect itself from financially motivated cybercriminals, those looking for intellectual property or both? Download the full report or get a quick look at the security landscape with the executive summary and let us know what you think on Twitter and Facebook. Be sure to check out our Tumblr page for the latest industry news stories.

Security Insights: Are you a “safe surfer”? How Crooks Steal Your Data

By | April 10th, 2013|Uncategorized|

Do you consider yourself a “safe surfer”? A “safe surfer” can be defined as someone who avoids the suspicious parts of the web, only downloads files that they are expecting, and only inputs confidential data on https sites. Even if you do practice these measures, you are still at risk. However, your level of risk is lower than that of someone who visits any website, downloads anything and everything, and inputs data into insecure websites.

How crooks hack legitimate websites to steal your data
Paul Ducklin of Sophos recently outlined this process in his article, “Anatomy of a phish – how crooks hack legitimate website to steal your details.” Here’s what he concluded:

Old school phishing is where cybercrooks lure you into logging in to your bank account on one of their websites. When you enter your personally identifiable information (PII), as you would on the bank’s real site, it gets uploaded to the crooks instead of to your bank. The idea, of course, is that they then use the credentials they just stole to start draining your account.

Many individuals have learned to take great care when banking online, and to check for “vital signs” of a scam before trusting a website with usernames and passwords. Phishers are now creating banking scams that are much more believable than the crude and misspelled emails and websites that were common a few years ago.

Many banks now have a closed cloud-style email service built into their Internet banking sites. The idea is that you’ll get into the habit of logging in securely to read important messages, rather than believing what arrives in insecure emails.

The bank will still send you emails, but they don’t contain any detail – they just give you an overview (e.g. “your statement is ready”), and advise you to read the full message on the secure site. What your bank won’t do is invite you to click a link to get to the secure site. They rightly leave you to find your own way to the banking portal, so you’re not at the mercy of the URL embedded in the email.

What the crooks are doing is relying on legitimate servers, owned by legitimate organizations and operated by unsuspecting sysadmins. The phishing email will contain part of an actual real URL that utilizes a redirect to take you off to the actual hacked site; sometimes this will be specified in the URL as an IP number rather than as a domain name.

Nevertheless, this phish didn’t take you to any sites that would have stood out, under normal circumstances, as part of the cybercriminal world. The crooks want to redirect your browser into harm’s way, and they want to use your servers to help them do so.

Be careful out there. And that applies whether you’re browsing or running an online business.

Read the full article on NakedSecurity.

How to protect yourself and your company
Below are some tips that you can follow in order to avoid phishing scams:

  • Only browse websites that are required to fulfill your job duties
  • Do not submit confidential data on insecure HTTP websites
  • Go directly to websites instead of being at the mercy of embedded URLs in emails
  • Only open attachments that you are expecting and from senders that you recognize
  • Pay attention to URLs – If you are unsure about one, be on the safe side and do not visit it
  • Never email confidential information – pass this information on through telephone
  • Never enter confidential information in a pop-up screen
  • Pay attention to your web browser warnings
  • Report suspicious activity to the Information Security Officer
  • Always be suspicious
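As an added example (not code from this post or from the Sophos article), a small link-triage helper that applies the tips above to a link before anyone clicks it: it checks the scheme, compares the host against the site the message claims to come from, and looks for a second URL or an IP literal hidden in a query parameter or the path, which is the redirect pattern described above. The domain names, sample links and the redirect parameter list are constructed assumptions.

```python
"""Link triage for the redirect pattern described above.

Added example, not code from the CSID post or the Sophos article.
Sample links and the expected_domain value are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse

# Query parameter names that commonly carry a redirect target (assumption, not exhaustive).
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "goto", "dest", "return", "target", "link", "u"}
_URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def is_ip_literal(host: str) -> bool:
    """True when the host part is an IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _embedded_urls(parsed):
    """Yield (where, url) for a second URL hidden in the query string or the path."""
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # also catches double-encoded values
            if _URL_RE.match(value) or value.startswith("//"):
                yield f"parameter {name!r}", value
            elif name.lower() in REDIRECT_PARAMS and value:
                # bare host or IP handed to a redirect parameter, e.g. ?url=203.0.113.5
                yield f"parameter {name!r}", "http://" + value
    for match in _URL_RE.finditer(unquote(parsed.path)):
        yield "path", match.group(0)  # e.g. /redirect/http://...


def _off_site(host: str, expected_domain: str) -> bool:
    return host != expected_domain and not host.endswith("." + expected_domain)


def triage_link(url: str, expected_domain: str) -> list:
    """Return warnings for a link that claims to lead to expected_domain; [] when clean."""
    warnings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme.lower() != "https":
        warnings.append("not https: anything typed into the page travels in the clear")
    if is_ip_literal(host):
        warnings.append(f"host is an IP literal ({host}), not a domain name")
    elif _off_site(host, expected_domain):
        warnings.append(f"host {host!r} is not {expected_domain!r}")
    for where, target in _embedded_urls(parsed):
        target_host = (urlparse(target).hostname or "").lower()
        if is_ip_literal(target_host):
            warnings.append(f"{where} redirects to IP literal {target_host}")
        elif target_host and _off_site(target_host, expected_domain):
            warnings.append(f"{where} redirects off-site to {target_host!r}")
    return warnings


# Constructed sample links: the bank's own secure-message page, and two phish-style
# links that bounce through an unrelated, legitimate-looking host to an IP address.
SAMPLE_LINKS = [
    "https://www.examplebank.test/secure/messages",
    "http://www.some-company.test/redirect.php?url=http%3A%2F%2F203.0.113.5%2Fbank%2Flogin",
    "https://www.examplebank.test.login-verify.test/?next=//198.51.100.7/",
]


def triage_samples(expected_domain: str = "examplebank.test") -> dict:
    """Run triage_link over the constructed samples; returns {link: warnings}."""
    return {link: triage_link(link, expected_domain) for link in SAMPLE_LINKS}


if __name__ == "__main__":
    for link, warnings in triage_samples().items():
        print(link)
        for w in warnings or ["no warnings"]:
            print("   -", w)
```

A link with any warning should be typed into the address bar by hand or reported rather than clicked, which is exactly the "go directly to websites" tip above.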

Share your tips for protecting your business with us on Facebook and Twitter.

Security Insights: Protecting Your Business in 2013

By | January 14th, 2013|Uncategorized|

Knowing the emerging and continuing trends of threats in cybersecurity gives us an idea of where to start improving for the new year. Cyber criminals historically have followed the trends of the majority of the cyber community. Their goal is to negatively impact as many individuals and corporations as possible. With that said, it is great to know the threats, but even better to know how to mitigate the threats that come across to you as an individual and as an employee.

Existing and Emerging Trends and Threats

“Just like legitimate businesses, fraudsters are planning ahead for 2013,” said James Gifas, head of RBS Citizens Treasury Solutions. During and just after the holidays is when many fraud schemes pick up, as more people feel stretched by greater year-end expenses. Gifas warns companies that they might have several blind spots they’re not considering, particularly when it comes to employee fraud, according to an article by Chad Brooks of Fox Business.

Here are a few ways you can protect your business and the organization you work for.

1. Create strong passwords:
Hackers have more processing power to crack passwords than ever before. With that said, ensure that passwords are complicated and include a combination of uppercase letters, lowercase letters, digits, and symbols that aren’t easily searchable. – Chad Brooks, Fox Business

2. Store passwords safely:
The strongest password in the world won’t protect an account if the perpetrator can read it from a slip of paper that has been placed in a desk drawer. Keep passwords behind lock and key. – Chad Brooks, Fox Business

Keep passwords secure with password keepers such as RoboForm or KeePass. Employees and individuals can store their passwords and only have to remember that one complex password that they created for the password keeper. Excel spreadsheets, post-it notes, and other insecure methods for storing passwords are fully discouraged. – Kristin B., CSID

3. Continued and increased employee security training:
Many fraudsters find it easier to trick a person into revealing account credentials than to hack into a computer. Training employees to not provide any user name or password information over the phone or email is a vital measure of protection. – Chad Brooks, Fox Business

4. Locking computers:
Ensure employees are locking computers each time they leave their desk, even if they are just stepping away for a minute. – Chad Brooks, Fox Business

5. Know vendors:
It is wise to conduct some due diligence around new vendors or other payees. – Chad Brooks, Fox Business

6. Surprise Audits:
Surprise audits are a good way to detect and deter occupational fraud schemes so that funds can’t be manipulated ahead of scheduled financial reviews. – Chad Brooks, Fox Business

7. Vacation policies:
Making sure that there are periods of time in which employees are away from their desks and have their records available for oversight has been supported by financial regulators for years, but all companies benefit from this policy. A one- or two-week window can provide the additional transparency needed to expose internal fraud. – Chad Brooks, Fox Business

8. Dual Approvals:
Implementing processes that require dual approvals for escalated privileges is an easy way to minimize certain fraud risks. – Chad Brooks, Fox Business

9. Company Money Access:
Do not have company checkbooks out in the open, as it leaves bank account information visible and increases risk of theft. – Chad Brooks, Fox Business

10. On-site Collections:
Outsourcing collections mitigates risks that emerge when receivables checks are lying around the office. – Chad Brooks, Fox Business

Take a look at the full article from Fox Business. You can also check out CSID’s blog post recapping the Top Security and Identity Stories of 2012.

How to protect yourself and your company

These tips can turn out to be very useful in preventing an attack on your personal or professional life. With cyber security threats expected to increase, make a point to increase your mitigation tactics.

Share your tips for protecting your business with us on Facebook and Twitter.

A Year in Review: The Top Identity and Security Stories of 2012

By | December 20th, 2012|Uncategorized|

Another year has come and gone and what a year it was! CSID looks back at the top five identity and security stories of 2012.

Number 5: Anonymous claims it hacked PayPal, PayPal denies it
On its Twitter account, Anonymous claimed to have more than 28,000 passwords from PayPal, but the online purchasing store verified that the passwords were actually from ZPanel, a free open source hosting site.

Number 4: Identity theft against children doubles
Many parents don’t realize that their children’s social security numbers could be stolen before they even need to use them. More and more, when children go to obtain a driver’s license, credit card or lease an apartment, they’re met with the reality that their identity has been stolen and used for years.

Number 3: Reporter Mat Honan’s life is wiped out by hackers
Wired reporter Mat Honan had his online identity hacked and lost precious photos of his daughter because of it. His story reminded us that getting your personal information is easier than you think.

Number 2: Flashback malware targets Macs
Macs have long been known to be more resistant to viruses and malware than their PC counterparts, but in early April, cybercriminals released a version of password-stealing malware that exploited a Java vulnerability Apple had been slow to fix. Users were advised to disable Java until Apple was able to create a patch.

Number 1: LinkedIn suffers a massive security breach
A Russian hacker stole more than 6.4 million passwords from LinkedIn, the popular career-oriented website. LinkedIn hashed and salted many passwords, but millions of users were prompted to reset their login information.

2012 taught us that passwords are very fallible. To learn more about consumer password habits and what you can do to protect yourself, check out CSID’s blog post on the subject. And, see what CSID predicts will be the top trends in 2013.

Happy holidays from CSID!

Mobile Apps: Protect Your Children’s Privacy and Identity

By | December 12th, 2012|Uncategorized|

This week the FTC released an alarming report on mobile apps, announcing that hundreds of popular smartphone and tablet apps aimed at children are collecting personal data and sharing it without proper disclosure to parents. Of the 400 apps surveyed from Apple’s App Store and the Google Play Store for Android, 60 percent sent the devices’ ID to third parties such as ad networks and analytics companies. Some of these ad networks are even storing this ID with more sensitive data such as email addresses and passwords.

This report has sparked a larger discussion among parents and industry professionals on how to combat these privacy and security concerns. Some of these apps are encouraging children to share personal information on social networking sites without providing any privacy notices. This topic highlights the importance of another issue – monitoring your child’s identity to protect them from the risk of identity theft. Below we’ve suggested some ways to equip your child with the proper tools to protect their identity when using a mobile device.


A recent study found that 72 percent of the 100 top-selling education apps in Apple’s App store were aimed at preschoolers and those in elementary school. Kids are being equipped with technology from a very early age. Parents need to provide children with an honest discussion on cybersecurity and the risks involved when providing personal information via an app to a social media site or the app itself.

To protect your child’s device, install a security app like Lookout. This will help protect them from downloading a bad app or visiting a malicious website. In addition, security apps can show you which apps can access your location and personal data.

The final measure of defense in protecting your child’s personal data is to use a strong password. A weak password (or no password) provides cybercriminals with the breadcrumbs necessary to access your personal data. Practice strong password habits by creating alphanumeric passwords with punctuation.

Share your thoughts on mobile device privacy and security with us on Facebook and Twitter.

Webinar Recap: What to do when a password is no longer secure?

By | October 1st, 2012|Uncategorized|

We recently hosted a webinar featuring CSID VP Marc Ostryniec and Toopher CEO Josh Alexander. Marc and Josh discussed consumer password habits, supplemented by statistics from our recent consumer survey. The two also revealed how these habits put consumers and businesses at risk for compromise, and what businesses can do to mitigate these risks now and in the future.

It was a really interesting conversation and we encourage you to listen to the full webinar recording. If you are short on time, here are a handful of key takeaways from the discussion:

  • A business’ security is only as strong as its weakest link, which is often the human element. Human fallibility doesn’t stop at downloading a virus or clicking on the wrong link. An email or password compromised from one company’s data breach can open up vulnerabilities across a multitude of completely unrelated websites such as banking, financial, online retailers and the like.
  • To mitigate these risks, businesses should educate, monitor and authenticate their customers and employees.
  • Businesses can consider compulsory password education for customers and employees—require the use of a stronger password or regular password changes.
  • Monitoring breached data for customer and employee credentials can help a business 1) identify compromised information that puts them at risk and 2) alert owners of the credentials to take responsive action (e.g. change passwords, cancel credit cards).
  • Businesses should adopt two-factor authentication whenever possible. It can be based on a combination of:
  1. Something the consumer knows (password, personal question)
  2. Something the consumer has (mobile device, smart card)
  3. Something the consumer is (biometrics)

Thank you to all who helped put this webinar together and joined us live. We had a great turnout for a fascinating discussion. If you missed us, you can watch a recording of the webinar, and check out Facebook and Twitter for an extension of the conversation.

We have another webinar in the works. Join our mailing list for an invitation (see footer, below), and stay tuned for updates!

Security Insights: Information Technology Security Part II

By | September 18th, 2012|Uncategorized|

As mentioned in Part I of this post, security breaches are an imminent threat and danger. While there are many types of data that should be secured, finding concise ways to improve technology security can be difficult.

Here are some steps and tips to improving your company’s information technology security.

Companies can help improve information technology security first and foremost by strongly encouraging and monitoring that employees follow all policies and procedures put in place. As an employee, at some point you will come across confidential and/or restricted information and it is your duty to ensure that this information is protected appropriately from unauthorized disclosure. Some ways to ensure sensitive information is protected:

  • Lock your workstation and/or laptop when you are away from your workspace (hold down the Windows key and L simultaneously)
  • Store all sensitive information in locked file cabinets and shred when its useful life is over
  • Secure laptops with locking cable
  • Remove sensitive information from printers immediately and securely dispose of (shred) when no longer needed
  • Do not leave any sensitive information unattended
  • Secure confidential documents on your desk

Email is a tool most people frequently use and should be used appropriately and with proper etiquette:

  • It is recommended not to use work email for personal purposes
  • Only send relevant information to relevant people
  • ALWAYS check for confidential and/or restricted information before sending and/or forwarding
  • Be aware of phishing attacks that could be used to deceive you

Also, by keeping yourself aware of social engineering you can utilize the following methods to prevent it:

  • Educate yourself on how social engineering works
  • Comply with password policies
  • Do not disclose any information without proper validation of one’s identity
  • Lock your computer when you are away
  • Be aware of and confront visitors who are not escorted or wearing a visitor badge

Utilizing the items above will help ensure a company’s information technology security, which can only be effectively achieved as a whole through employee engagement and active participation.

Share your technology security tips with us on Facebook and Twitter.

Security Insights: Information Technology Security Part I

By | August 29th, 2012|Uncategorized|

In today’s world, companies need to be prepared to secure all assets including confidential documents and employee data, client enterprise data and customer data so that information does not get into the wrong hands. Companies should take all precautions and employ information technology security practices to avoid any compromised data in the event of a cyberattack.

So, what exactly is information technology security?

PriceWaterhouseCoopers has defined information technology security as “controlling access to sensitive electronic information so only those with a legitimate need to access it are allowed to do so.”

Allowing access to only individuals who need it is key in keeping technology secure. PriceWaterhouseCoopers notes the three main objectives for this as:

  • Confidentiality – protecting access to sensitive data from those who don’t have a legitimate need to use it
  • Integrity – ensuring that the information is accurate and reliable and cannot be modified in unexpected ways
  • Availability – ensuring the data is readily available to those who need to use it

Once these objectives are a priority, there is much data that should be secured, including:

  • Member Data: Social Security Number, Credit Card Information including Primary Account Number (PAN), CVV or CVV2 (security codes), and Credit Card PIN
  • Personally Identifiable Information (PII): Full Name, ID Number, Driver’s License Number, Credit Card Information, Birthday, Birthplace, and Social Security Number, etc.
  • Company Data: Financial Data, Assets, Employee Information, Business Plans, System Configurations and Requirements, Proprietary Software, Personnel Records, Member and Account Information, Budget Information, Security Plans and Standards, Encryption Keys, Passwords, PINS, Database Information, Authentication Information, Security Audits and Logs, IP Addresses, Regulatory Examinations
  • Client Data: Contract Information, Statements of Work, Payment Information, Employee Information, Passwords, IP Addresses, etc.
  • The Network: any and all networks should be secured
  • Email: do not send out confidential and/or restricted information
  • Desktops/Laptops: lock computer when away and ensure hard drive is encrypted
  • Servers: servers that contain sensitive information should be protected
  • Firewalls: must ensure these are configured properly to protect the network
  • Phone System: phone systems also need to be secured
  • Cell Phones: company cell phones and cell phones that receive work email should require a password

Stay tuned to Part II of this post with details on how technology security at your company can be improved.

Facebook Takes on Security with Universal Authentication

By | July 25th, 2012|Uncategorized|

You’ve surely come across it—the “connect using Facebook” option on a variety of websites these days—but is it safe?

Nearly half a million of Formspring’s hashed passwords were compromised this month. As The Verge’s Ellis Hamburger observed, Formspring CEO Ade Olonoh recommended that users log in through Facebook Connect for a secure connection.

According to Hamburger, “Implementing Facebook Connect (also known as Facebook Login) is kind of like hiring a security detail for each of your users, and getting this service for free.” Facebook has been recognized for its security features, from proactively monitoring user credentials for compromise to partnering with anti-virus companies. In fact, Facebook has an entire team dedicated to developing and implementing the site’s security features. Through these security systems, partnerships and the site’s reputation, Facebook has fostered one of the most popular universal authentication systems available.

Facebook Connect allows websites and online businesses to provide users with a more secure login option than may otherwise be possible. For consumers, the feature allows users to eliminate the number of passwords they have to remember and more easily change their credentials in the instance of a breach.

On the other hand, there are concerns surrounding Facebook’s universal presence and new technologies. For instance, if a consumer logs into a site using Facebook Connect, and that site is breached, what does this mean for their Facebook account? Furthermore, consumers are wary of their privacy rights—Facebook is able to collect an astounding amount of personal information about each user, including facial recognition, which has drawn criticism from the U.S. Senate.

What do you think about Facebook Connect as a universal authentication system? Do you trust it and find it valuable, or are you wary and have concerns? As always, let us know via comments, Twitter or Facebook.

Security Insights: Handling Credit Card Data

By | July 16th, 2012|Uncategorized|

According to the Unisys Security Index, credit and debit card fraud is the no. 1 fear of Americans in the midst of the global financial crisis. This concern regarding fraud supersedes that of terrorism, computer and health viruses, and personal safety.

Now, that is a big deal – especially as data breaches become more apparent and more user credentials including name, email, and credit card information are being exposed.

So what can you do as a company and as an employee of a company that handles credit and debit card information? Here are a few Q&As and tips for handling sensitive information:

Who is responsible for handling credit card data properly?

  • Any employee who accepts, captures, transmits, stores, and/or processes credit card data
  • Any individual who supports any efforts to accept, capture, transmit, process, or store credit card data

What credit card information applies?

  • Primary Account Number (PAN), the 16-digit number on the credit card
  • CVV or CVV2 (security codes)
  • Credit Card PIN (Personal Identification Number)
  • Card Expiration Date
  • Type of Card (Visa, MasterCard, etc.)
  • Cardholder’s name in conjunction with any items listed above

Who bears the loss of credit card fraud and/or theft?

In most situations of credit card fraud the merchant bears the loss. This keeps the liability for fraud on the merchant, who is required to meet compliance such as PCI DSS (Payment Card Industry Data Security Standard) in order to prevent credit card fraud through various controls. The merchant often pays the full cost of the fraud including the services sold, payment, fees for processing the payment, and chargeback fee, if applicable.

What preventative measures can you take as an employee to secure credit card data?

  • Follow all of your company’s security policies
  • Educate yourself on credit card fraud
  • Do not permit non-employees to access company equipment or resources
  • Do not disclose information without proper validation of one’s identity
  • Do NOT write down passwords
  • Follow shredding policies and store information in appropriate locked filing cabinets

Quick tips for handling credit card data:

  1. Keep all credit card data secure and confidential. Do not store sensitive cardholder data on computers, such as full account numbers, type, expiration date or CVC2/CVV2 data.
  2. Do not transmit credit card data in an insecure manner, including email, unsecured fax or via chat.
  3. Secure all documents containing credit card information in locked file cabinets with access to staff on a need-to-know basis in order to carry out job duties.
  4. Destroy all documents containing credit card information by shredding, so that they are unreadable after their useful life has expired.
  5. Restrict access to credit card data to appropriate and authorized personnel ONLY. Perform background checks prior to hiring any positions with unrestricted access to cardholder information.
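As an added example (not code from this post), a check that a mail or chat gateway could run on outgoing text to enforce tip 2 above: it finds Luhn-valid card numbers and labelled CVV/CVV2-style codes and masks them before the message leaves. The sample message is constructed; 4111 1111 1111 1111 is a standard test card number.

```python
"""Scan outgoing text (e-mail, chat, ticket notes) for card data before it is sent.

Added example for the handling tips above; not code from the CSID post.
A candidate is any run of 13-19 digits (spaces or dashes allowed between groups)
that passes the Luhn check; such runs are masked down to the last four digits,
and security codes that follow a CVV/CVV2/CVC/CID label are blanked.
"""
import re

_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
_CVV = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[:#]?\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digit-summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (as_written, digits_only) for every Luhn-valid card number in text."""
    hits = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            hits.append((match.group(0), digits))
    return hits


def scrub_card_data(text: str):
    """Mask card numbers and security codes; returns (scrubbed_text, findings)."""
    findings = []

    def _mask_pan(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # an order or phone number: leave it alone
        findings.append(f"PAN ending {digits[-4:]}")
        return "*" * (len(digits) - 4) + digits[-4:]

    def _mask_cvv(match):
        findings.append(f"{match.group(1).upper()} code")
        return f"{match.group(1)} ***"

    scrubbed = _PAN_CANDIDATE.sub(_mask_pan, text)
    scrubbed = _CVV.sub(_mask_cvv, scrubbed)
    return scrubbed, findings


# Constructed sample: the kind of line a support agent might paste into chat or e-mail.
SAMPLE_MESSAGE = (
    "Please charge card 4111 1111 1111 1111 exp 12/25 CVV 123 for order 1234 5678 9012 3456."
)

if __name__ == "__main__":
    text, findings = scrub_card_data(SAMPLE_MESSAGE)
    print(text)
    print("blocked because:", findings)
```

A gateway would typically block or quarantine the message when `findings` is non-empty rather than deliver the masked copy, since the point of tip 2 is that card data never travels over email or chat at all.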