CSID Participates in IAPP Austin KnowledgeNet

By | June 21st, 2012|Uncategorized|

CSID’s Tim Brown joined local security professionals and lawyers as a panelist on the panel “Who Watches the Watchers?: Third-Party Vendor Privacy and Data Security Issues” earlier this week. The panel discussed privacy and data security issues facing organizations that work with a multitude of third-party vendors as well as the challenges faced by both the organization and the third party vendor in managing privacy, data security, and risk issues.

Some key findings from the panel included:

  • It is the data owners’ responsibility to inform the vendor of what type of data is being handled, describe its sensitivity and assess compliance needs.
  • A vendor should disclose its security compliance and breach history, and be transparent with the organization when working through MSAs, contracts and processes.
  • The cost of the contract should be weighed against the value of the data being exchanged, taking into account who bears responsibility for that data if it is exposed.
  • Challenges that organizations face when working with vendors include comparing vendor compliance and performance; time frame for when security issues and data exposure should be resolved; and on-going monitoring to increase security efforts.

The panel also discussed FISMA (Federal Information Security Management Act) regulation and its impact on selecting vendors as well as meeting federal criteria and guidelines for various information systems.

Follow CSID on Twitter and Facebook to learn more about the IAPP event and keep up with future events we are participating in.

Security Insights: Security Breaches

By | June 14th, 2012|Uncategorized|

A security breach is an act from an outside organization that bypasses or contravenes security policies, practices, or procedures. A similar internal act is called a security violation (businessdictionary.com).

While a security breach can seem imminent at times, there are ways to avoid IT security breaches within a company. Take a look at 10 simple measures to help protect your organization from Michael Kassner of Tech Republic.

10 ways to avoid IT security breaches:

  1. Change default passwords – many devices and applications are protected by default passwords, which can be found in a web search by an attacker
  2. Don’t reuse passwords – attackers are aware that it is easier to reuse username and password combinations, so once obtained, they will likely try it on all of your accounts
  3. Disable user accounts when an employee leaves – security breaches are easier to pull off when the attacker has inside information (make sure to disable all accounts, whether the employee leaves under amicable terms or not)
  4. Examine security logs – reviewing security logs daily can alert security personnel of things such as login failures and unwanted login attempts
  5. Do regular network scans – network scans allow the administrator to find rogue equipment on a network as well as detect security vulnerabilities in the network
  6. Monitor outbound network traffic – suspicions should be raised when the number of outbound connections or the amount of traffic deviates from the normal baseline operation
  7. Patch and update regularly – keeping operating system and application software up to date is the best way to foil breach attempts from outside the network’s perimeter (Internet)
  8. Implement a security plan – a security plan is invaluable for the following reasons: First, everyone is working off the same playbook, which provides continuity; second, when the organization is in panic mode, the security plan will provide solutions developed at a time when everyone was less anxious
  9. Raise user awareness about information security – it is important to train users to be able to function on the Internet securely
  10. Get upper management to buy in – ensure that your upper management understands the importance of security policies and purchasing required technology
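Items 4 and 6 above (review security logs daily; raise an alarm when outbound connections deviate from baseline) are the two that translate directly into code. The following is an added example, not part of the original post or Tech Republic's article: it counts failed logins per source address over a few constructed auth-log lines in the style of a Linux sshd log, and flags a host whose outbound connection count for today sits more than three standard deviations above its own seven-day baseline. The log lines, hostnames, thresholds and connection counts are all made up for the example.

```python
import re
import statistics
from collections import Counter

# Constructed sample lines in the style of a Linux auth log (not real data).
AUTH_LOG = """\
Jun 14 08:01:12 web1 sshd[2201]: Accepted password for alice from 10.0.0.12 port 51022 ssh2
Jun 14 08:03:40 web1 sshd[2210]: Failed password for admin from 203.0.113.7 port 40210 ssh2
Jun 14 08:03:42 web1 sshd[2210]: Failed password for admin from 203.0.113.7 port 40211 ssh2
Jun 14 08:03:45 web1 sshd[2210]: Failed password for admin from 203.0.113.7 port 40212 ssh2
Jun 14 08:03:47 web1 sshd[2210]: Failed password for invalid user test from 203.0.113.7 port 40213 ssh2
Jun 14 08:03:49 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 40214 ssh2
Jun 14 08:10:02 web1 sshd[2230]: Failed password for bob from 10.0.0.15 port 51100 ssh2
Jun 14 08:10:09 web1 sshd[2230]: Accepted password for bob from 10.0.0.15 port 51101 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_logins_by_source(log_text):
    """Count failed password attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def suspicious_sources(log_text, threshold=3):
    """Source addresses with at least `threshold` failed logins (a constructed cut-off)."""
    counts = failed_logins_by_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed outbound connection counts per host: seven prior days form the baseline.
OUTBOUND_BASELINE = {
    "web1": [410, 395, 430, 402, 418, 388, 421],
    "db1": [52, 49, 55, 50, 48, 53, 51],
}
# Constructed counts for today; db1 has suddenly opened far more outbound connections.
OUTBOUND_TODAY = {"web1": 425, "db1": 1900}


def outbound_deviations(baseline, today, zmax=3.0):
    """Hosts whose outbound count today exceeds mean + zmax * stdev of their own baseline."""
    alerts = {}
    for host, history in baseline.items():
        mean = statistics.mean(history)
        # A perfectly flat baseline would give stdev 0; treat it as 1 so any rise is measurable.
        stdev = statistics.pstdev(history) or 1.0
        z = (today.get(host, 0) - mean) / stdev
        if z > zmax:
            alerts[host] = round(z, 1)
    return alerts


if __name__ == "__main__":
    print("Failed logins by source:", dict(failed_logins_by_source(AUTH_LOG)))
    print("Sources over threshold:", suspicious_sources(AUTH_LOG))
    print("Outbound traffic alerts (host: z-score):", outbound_deviations(OUTBOUND_BASELINE, OUTBOUND_TODAY))
```

Both checks are deliberately per-entity (per source address, per host) rather than global: a burst of failures from one address stands out even when the total failure count for the day looks ordinary, and a database server that normally makes fifty outbound connections is conspicuous at two thousand even though a web server at the same number would not be.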

In addition to the security measures a business takes, individual employees can also follow simple steps to defend against a breach. As an employee, you have a crucial role in the security of your company, whether you know it or not. A company cannot be secure without the help of every single employee. Below are some tips that you can follow in order to help your company avoid a security breach:

  • Stay informed
  • If you do not understand or are not sure, ask
  • Follow your company’s password policies and DO NOT reuse passwords, write down passwords, or share passwords under any circumstance
  • Create strong passwords consisting of capital letters, lowercase letters, special characters and numbers. Some examples include: Mu5+hAv32s33!, 33thr33;trEEs!, L0v3Ev3r,HuR+NeVeR
  • NEVER use passwords less than 8 characters
  • Reset your password as prompted every 90 days
  • Follow your company’s security and clean desk policies
  • Pay attention during training sessions and be sure to ask any questions that you might have
  • Dispose of any confidential and/or restricted data properly as defined by your company’s classification policy
  • Do not open suspicious emails
  • Ensure proper validation of one’s identity is obtained before releasing ANY information


Lesson From the LinkedIn Breach: Be Proactive.

By | June 7th, 2012|Uncategorized|

Hackers recently posted 6.5 million unique hashed passwords from LinkedIn, 200,000 of which have already been cracked. LinkedIn is a global social networking site for professionals—and it’s likely that many of the site’s users use the same password with other sites, including online retail stores, news websites and sites related to their employers.

What does this mean? Each of these other online businesses—those retail stores, news sites and employers—is now at risk. Hackers can potentially use the exposed login details to access private information stored on these websites, from credit card numbers to emails to private company documents. What if these online businesses could do something to prevent that misuse?

CSID’s VP of sales Marc Ostryniec recently posed a solution to this issue: proactive identity monitoring. Using third party identity monitoring technologies, online businesses can proactively monitor their customers’ and employees’ credentials for compromise on other sites (like LinkedIn) and can then take the proper action to protect their own business from the ramifications of that compromise. For instance, they can instantly notify their customers or employees of the breach and reset passwords as necessary.

And as a consumer, this helps keep your online accounts secure. Was your LinkedIn password exposed through the breach? (You can check through www.leakedin.org, which has been deemed trustworthy by numerous valid sources.) If so, you should reset your password for not just LinkedIn, but for any other account that uses the same login and password combination.
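One concrete form the "check for compromise, then reset passwords as necessary" idea can take is shown below. This is an added example, not CSID's product or the post's own code: an online business that stores its own passwords properly (salted, iterated PBKDF2) can still, at the moment a user logs in with the plaintext, hash that plaintext the way a leaked dump did and test membership in the leaked set; a hit means the user reused a password that is now public, so the account is flagged for a forced reset. The dump is assumed to be a list of unsalted SHA-1 hex digests, which is the form the LinkedIn dump took; the three entries here and the user records are constructed for the example, and the function and variable names are the example's own.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked dump: one unsalted SHA-1 hex digest per line.
# The real LinkedIn dump used unsalted SHA-1; these specific entries are made up.
LEAKED_DUMP = "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ["password1", "linkedin", "letmein2012"]
)

PBKDF2_ROUNDS = 100_000  # example setting; tune to your hardware budget


def load_leaked_hashes(dump_text):
    """Parse a dump into a set of lowercase hex digests for O(1) membership tests."""
    return {line.strip().lower() for line in dump_text.splitlines() if line.strip()}


def password_in_leak(password, leaked):
    """True if this plaintext hashes (unsalted SHA-1, like the dump) to a leaked digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in leaked


def make_record(password):
    """Our own credential store: per-user random salt and an iterated hash, never bare SHA-1."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "must_reset": False}


def verify(record, password):
    """Constant-time comparison of the recomputed PBKDF2 digest against the stored one."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def login(users, username, password, leaked):
    """Return (authenticated, must_reset).

    The leak check runs only after a successful verification, so it never turns
    the login form into an oracle for which passwords appear in the dump.
    """
    record = users.get(username)
    if record is None or not verify(record, password):
        return (False, False)
    if password_in_leak(password, leaked):
        record["must_reset"] = True  # persist the flag so the next login still enforces it
        return (True, True)
    return (True, record["must_reset"])


if __name__ == "__main__":
    leaked = load_leaked_hashes(LEAKED_DUMP)
    # Constructed users: alice reused a password that is in the dump, bob did not.
    users = {"alice": make_record("linkedin"), "bob": make_record("c0rrect-h0rse-b4ttery")}
    print("alice:", login(users, "alice", "linkedin", leaked))   # authenticated, reset required
    print("bob:  ", login(users, "bob", "c0rrect-h0rse-b4ttery", leaked))  # authenticated, no reset
    print("wrong:", login(users, "alice", "nope", leaked))       # rejected
```

The same check can be run once, in bulk, when a dump first appears, but only if the business holds plaintext at that moment (i.e. at login); a correctly stored PBKDF2 record cannot be compared against a SHA-1 dump offline, which is exactly why the comparison is made at authentication time rather than against the password database.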

Let us know what you think about the LinkedIn breach and the idea of proactively monitoring identities. Join the conversation on our Facebook and Twitter.

ID360 Conference Poster

Marc Ostryniec Presents at ID360

By | April 24th, 2012|Uncategorized|

The Center for Identity at the University of Texas at Austin held the first annual ID360 Conference this week. CSID was there in support of our VP of sales Marc Ostryniec, who presented on how proactive credential monitoring can reduce the risk of fraud that is an inherent problem when employees mishandle company credentials or customers have poor password habits. People truly are the weakest link in any company’s security system.

The most advanced security measures can be unraveled through everyday human error. In fact, some of the most recent security breaches began with employees simply opening an email containing a virus. But businesses can’t operate without humans, meaning proactive credit and security monitoring is crucial. Businesses that neglect to proactively monitor for security breaches or issues leave themselves open to a wide range of security threats that can impact their customers and ultimately, the bottom line.

Marc opened his presentation with this compelling statistic from Trusteer: 73 percent of consumers reuse their online banking login and password with nonfinancial websites. The reuse of login information increases the possibility that if one website gets hacked, other locations where its customers conduct business or interact online can also be accessed using that same information. In many cases, the stolen login information can even access a work database or server, leaving many businesses vulnerable without them realizing they are under attack.

For more information about proactive credential monitoring, read Marc’s conference paper. Read more about the ID360 Conference and Marc’s presentation in the Austin-American Statesman, and check out the #ID360Conference Twitter hashtag for key points from the event.

Data Privacy Day: Protect Your Company Data

By | January 31st, 2012|Uncategorized|

In honor of Data Privacy Day on January 28, initiated by the National Cyber Security Alliance, we have compiled a few simple best practices for businesses to protect and secure valuable data.

Password Changes

Encourage or require employees to regularly change passwords used for company servers, email and programs every 90 days. This will help protect company data in case of stolen or shared passwords.

Regular Backups

Regularly back up all company records to a secure, encrypted location separate from the original records (such as a third party server or data center). This will ensure that all records are maintained in their original form in case of erasure or breach. Encryption and security should be equally stressed for all data and copies.

Manage Company Details Online

Keep and manage proper archives of all online locations that have access to company information such as billing details. Employees often use company credit cards online to register for professional events, subscribe to Internet news sources or order printed materials. These online sources act as gatekeepers to company details like credit card numbers, and knowing exactly who has access to such details will help determine the appropriate steps in case one of these online sources is breached or misuses your information.

Manage Traveling Data

When employees travel for business—with company computers, hard drives and paperwork—they are putting company data at risk. See recent blog posts from our consumer security expert, John Sileo, about how to protect data while traveling for business: Part I and Part II.

Data Monitoring

Enlist an internal IT team to monitor data activity in case of unusual or suspicious incidents. Also make use of an external, professional data monitoring technology like CyberAgent to keep track of your company’s confidential information, as well as that of your customers. CyberAgent scours the Web for misuse of a range of identifiers and can monitor more thoroughly than a human team.

Prepare for a Breach

In this day and age, data breaches are considered inevitable. Prepare a plan in case of a data breach, and have it ready to deploy at any time. The plan should include technical steps (how will you secure the information?), employee outreach (how will you inform your employees, and what can they do to help?), customer outreach (how will you inform your customers, and how will you help them?), public outreach (why did the breach occur and what steps are you taking?) and next steps.

Tips for the Business Traveler: Part II

By | January 12th, 2012|Uncategorized|

By John Sileo, CSID consumer security expert

Identity theft rates skyrocket for travelers. As USA Today noted in a recent article about the topic:

Experts say business travelers are especially vulnerable because they increasingly rely on electronic devices that easily can be lost or hacked. Credant Technologies, a data-protection company, found that travelers have lost 11,000 mobile devices at the busiest U.S. airports this year, 37.5% of them laptops and 37.2% tablets or smartphones.

I recently outlined a number of tips to follow before leaving the office for business travel, such as backing up all data on your devices and enabling strong passwords. It is during your travels, though, that the loss will occur. Stay smart and savvy while on the road—follow these tips to protect your identity and data while traveling:

Only use secure wireless connections: Avoid using free WiFi hotspots in cafes, airports and hotels to eliminate signal sniffing and wireless data theft. Make sure your IT department has enabled WEP wireless encryption on your device.

Lock it up: Most hotels have relatively secure safes in the rooms, so take advantage and lock up your devices when you do not have them by your side. If your laptop doesn’t fit in the safe, remove your hard drive from the device and lock it up. For an added level of protection, put the privacy sign on your hotel door handle at all times and opt out of hotel cleaning services.

Be smart: Use your common sense. Be careful with sensitive data and know where your devices are at all times; never leave your devices on a table or in the care of a stranger at a conference or coffee shop.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

Tips for the Business Traveler: Part I

By | December 15th, 2011|Uncategorized|

By John Sileo, CSID consumer security expert

Data theft has serious implications for business travelers, including a high risk for identity theft. I have a personal experience with identity theft while traveling – it occurred during a trip to Orlando to, ironically, give a speech about avoiding identity theft. Read more about that experience in a recent USA Today article.

To protect your identity and data when traveling for business, consider following these tips before you leave the office:

Know the hot devices for theft: Laptops, smart phones and tablets.

Know where device theft occurs: Airports, hotel rooms, cars and cabs, commuter trains, conferences, off-site meetings, coffee shops, etc.

Leave it at home: Narrow down the number of devices you bring on your trip. Leave any at home that you do not absolutely need. If you absolutely cannot leave your laptop, then…

Get a netbook for travel: Consider purchasing an inexpensive netbook (very small laptop) for travel, and only carry the files you need.

Encrypt your laptop hard drive: The data on your drive is no good if the thief can’t make any sense of it. For a very small investment you can install software on your laptop that makes it exceptionally difficult for a thief to access your private information. Encryption turns your data into a puzzle that only your password unlocks. If you are using a company laptop, check with your IT department to see if they can or have already done it for you.

Use strong passwords: Turn on password protection and lock your devices with strong alpha-numeric-symbol-upper-lower-case passwords. The longer the password, the better. Consider using a password protection program like 1Password, and avoid storing your passwords in an unsafe way (like in a spreadsheet or note on your device).

Back it up: Before you travel, back up all of your devices onto external hard drives, and secure the drives where you know they will go untouched (locked in a safe or filing cabinet in your office, locked in your home, etc.). This way, if anything happens to your data while traveling, you don’t have to worry about important files being lost. Also consider backing the files you need for your trip onto a thumb drive that you can keep with you at all times.

Carry less data: Take valuable files off your devices, and if your company uses an encrypted VPN connection, pull files off your corporate network once you are at your destination.

Enable remote tracking and wiping capabilities: There are various software applications for mobile devices that allow you to track and wipe your device in case it is ever lost or stolen. Some of these applications tell your device to take a picture of the user and send it to you via email, providing you with additional evidence of the finder or perpetrator. 

Enroll in ID & Data Breach Protection Plans: Enroll yourself in an identity protection program to ensure that you’re covered in the case that your identity is stolen while traveling. Also encourage your company to invest in data breach and fraud detection solutions to provide an extra layer of protection for important data, traveling or not. 

Stay tuned for a follow up post to this series—how to protect against identity theft once you’re on the road.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

Do You Know Who (Or What) Your Friends Are?

By | November 7th, 2011|Uncategorized|

With more than 800 million users worldwide, Facebook has become the de facto standard in social networking platforms. One of its most important features, the ability to quickly and easily scan whether or not you know people by looking at common connections, has expanded networks across the entire world. You all know this already… but how many of you know which of your friends (or your friends’ friends) are real people?

In a recent study conducted by the University of British Columbia in Vancouver, Canada, researchers attempted to demonstrate that Facebook could be easily penetrated for malicious purposes: collecting users’ data. The University of British Columbia experiment introduced 102 “socialbots” – effectively, simulated Facebook users complete with pictures, quotes, and status updates – to make friend requests, and then parlay those associations into deeper ties with their new friends’ connections.  The socialbots made random requests to Facebook users, and within six days of their introduction to the social networking site, had received acceptances from nearly 1,000 users.

In turn, the bots continued their endeavor to make new connections and began sending friend requests to the connections of their new “friends”. The results show that recipients, seeing a mutual connection, accepted the bot’s request 59.1 percent of the time.

Over the length of the experiment, the UBC socialbots collected valuable Personally Identifiable Information (PII), including dates of birth, email addresses and physical addresses, from more than 3,000 Facebook users, equating to approximately 250 GB of data. This data is highly marketable and potentially dangerous in the wrong hands; had the experiment been run by an organization other than a reputable university, untold damage could have been caused to thousands, if not millions, of people across the world. So, how do we protect ourselves against this, and if we fall for such an attempt, what is our recourse?

  1. Make sure you know who you are friending and accepting friend requests from. Ask yourself important questions: Do I know this person? If so, where have I met them? If you don’t, and you’re basing your decision on a mutual connection, how does my friend know this person? When in doubt, ask your friend.
  2. Know what personal information you want to share, and what you don’t. Do you want everyone to know when your birthday is, whether you’re married or single, or your email address? Adjust your profile and the information that your contacts can view and download as you see fit.
  3. If you have already made friends with a virtual contact, ask what information about you is now in the wrong hands. Find out what data has been compromised, and learn what you can do to protect yourself in the future and restore your identity. Invest in a comprehensive identity check, monitor your identity and online presence, and be vigilant about protecting your identity.