Worried about the Russian hacker breach? Change your password.

By | August 8th, 2014|Uncategorized|

Earlier this week The New York Times reported that Russian criminals had amassed 1.2 billion username and password combinations from companies across the globe. A breach of this magnitude can leave consumers wondering whether these massive breaches will ever stop and what, if anything, they can do to protect themselves.

At CSID, we see 70 to 80 companies breached every day. The availability of free malware online and information on how to carry out attacks has led to an explosion of these types of breaches. Unfortunately, this means they will not slow down or stop any time soon. This makes it more important than ever for consumers to protect their personal data. Here are a few best practices that can help you do so:

  • Good password habits are incredibly important. When you reuse a password on multiple sites, all the bad guys have to do is steal one password to gain access to multiple personal accounts. To help ensure your password practices are up to snuff, consider the following:
    • Use a unique password for each account
    • If you don’t want to remember multiple passwords, use password management software
    • Turn on two-factor authentication for high-value sites like Gmail and Facebook
  • Any time a major breach occurs it is a good idea to change your passwords – even if you don’t have an account associated with the company breached. Be sure to stay informed as the details of the breach are released.
  • It is also important to make sure the devices you use are secure. If you update your passwords, but have malware on your device, that malware will steal your updated password. Keep your anti-virus software up-to-date.
  • Consider an identity protection service. These services can alert you if a credential like an email address, password or credit card number is stolen and give you the opportunity to react before damage can be done to your accounts or identity. This is important. The FTC estimates it takes an average of six months and 200 hours of work to fix a stolen identity.

Follow along for more tips and the latest on security news around the world by connecting with us on Twitter, Facebook and Tumblr.

2014 Verizon Threat Intelligence Report: A Snapshot of Results

By | April 30th, 2014|Uncategorized|

We love data here at CSID, and one of the things we look forward to each year is Verizon’s annual Data Breach Investigations Report. This report takes a look at the past year’s cyber security incidents, identifies trends and statistics, and provides analysis. This year’s report looked at over 63,000 global security incidents from 2013 – an alarming number that underscores the myriad cyber security challenges that consumers and businesses face. We recommend giving the report a look, but if you are pressed for time, here are a few observations from this year’s report that mirror some of the trends we’ve been seeing here at CSID.

2013 was the year of Point-of-Sale system attacks.

The Verizon report looked at 198 total Point-of-Sale (POS) system incidents, all of which resulted in data loss. In previous years, POS system attacks were mostly confined to SMBs, and they still largely are. But the high profile, high impact breaches of Target and Neiman Marcus in late 2013 brought the vulnerabilities inherent in POS systems into the limelight. To learn more about how POS system breaches happen, check out this Huffington Post piece by CSID president Joe Ross. Overall, POS breaches have been decreasing over the last several years, but a resurgence in RAM scraping malware and the popularity and success of the Target breach may change this trend in 2014. The FBI has warned retailers to prepare for more cyber attacks of this sort.

When it comes to security, humans are your weakest link.

We’ve said this before and we’ll say it again: if you have a human component in your security system (and most security systems do), that human is going to be the likeliest source of a breach. Verizon accounts for this in the “Miscellaneous Errors” section of the report and aptly states in its key findings that “people screw up sometimes.” The most common miscellaneous error that resulted in lost data was misdelivery (44% of 16,554 analyzed incidents), which includes sending paper documents or emails to the wrong recipients. Misdelivery is followed by publishing errors (22%) and disposal errors (20%). Keeping human error in mind, some businesses we have spoken with over the past couple of years are operating under the assumption that employee and consumer credentials are already compromised and are taking proactive measures to mitigate the financial and reputational impact of those compromised credentials. Our ETI service offers a good solution for this approach.

Device theft and loss will gain importance as more businesses adopt BYOD.

This category is pretty self-explanatory – when a laptop or phone with sensitive information goes missing, that constitutes a data breach. While the loss or theft of devices isn’t really “cyber-y”, such incidents make up a large portion of the data loss incidents reported by businesses. This is especially true for the healthcare industry. In October 2013, Seton Hospital here in Austin, Texas had an unencrypted laptop stolen that held medical data for more than 5,000 patients. This type of data theft and loss holds a valuable lesson – when it comes to cyber security, we can’t forget the basics. Sensitive data must be stored and encrypted properly, businesses need to implement BYOD security procedures that can mitigate the impact of a lost device, and employees and consumers need to exercise common sense and not leave a laptop or phone unattended or otherwise unsecured.

There is a lot more data and insight to be gleaned from this year’s report. Take a look and let us know what you found most interesting on Facebook or Twitter.

Four New Social Engineering Scams To Look Out For In 2014

By | April 25th, 2014|Uncategorized|

Symantec’s 2014 Internet Security Threat Report recently revealed that spear phishing campaigns increased 91 percent in 2013. In addition to the increased number of spear phishing* campaigns, cyber criminals are also using stronger phishing tactics, Stacy Collett at Network World reports.

Collett shared the spear-phishing experience of Chris Hadnagy, Chief Hacker at Social-Engineering.org. He has seen cyber criminals step up their social engineering game, especially against business employees:

“Groups are sending phishing emails with malicious attachments, which a cautious employee usually ignores. But then they’re following up with a phone call that says, ‘Hi, this is Bob in accounting. I just sent you an email with a spreadsheet. I just need you to open that up real quick and check it out.’ Those factors put together make you trust them and take that action. Social engineering tactics like these serve as the entryway to the latest internet scams,” Hadnagy said in Network World.

Collett outlined the top four social engineering scams to look out for in 2014:

  1. Phishing with ransomware
  2. Automated calls for credit card information
  3. Healthcare records for spear-phishing attacks
  4. Using funerals in phishing attempts

One way to help prevent phishing, according to Security Watch’s Abigail Wang, is to take control of the personal information about you that is available on the web. Wang reports that “25 percent of Facebook users do not use privacy settings and 20 percent of social media users in general set their profile to public,” giving cyber criminals an increased chance of fooling you based on the information they know about you.

Have you fallen for a phishing attempt? How can individuals and businesses protect against phishing? Share your thoughts with us on Facebook and Twitter and take a look at our Tumblr for the latest security news stories.

*Spear phishing: an email that appears to be from an individual or business that you know, but in actuality comes from a cyber criminal.

Customer Alert: Heartbleed SSL Vulnerability

By | April 9th, 2014|Uncategorized|

On the morning of April 8, 2014, the OpenSSL community revealed a security vulnerability in recent versions of the OpenSSL software. Dubbed Heartbleed, the vulnerability poses a serious security concern because cyber criminals could exploit it to expose site users’ Personally Identifiable Information (PII).

What does this mean, exactly?

OpenSSL is an open-source encryption technology used by approximately 75% of web servers. This technology safeguards site visitors who share PII and financial information to make a transaction. Sites that employ OpenSSL are typically indicated with a lock icon and live at an HTTPS address. In other words, an OpenSSL site may be at the core of your business, and you probably use sites that incorporate this technology daily.

How do I mitigate risk?

The only way for businesses to avoid Heartbleed is to upgrade their site with the latest, patched version of the OpenSSL software, which addresses the vulnerability.

CSID customers should be assured that CSID has done this to its servers, and strongly recommends that they take the same action and immediately renew their SSL Certificates used with CSID services. As an additional security precaution and due to the breadth of this vulnerability, CSID joins other security professionals in recommending that businesses patch any instances of OpenSSL in their environments, and renew any SSL certificates immediately.

Further details surrounding the Heartbleed vulnerability and its disclosure can be found here.

News Recap: Survey Shows Consumers Shun Brands After a Data Breach

By | April 4th, 2014|Uncategorized|

A recent survey commissioned by Semafone and conducted by OnePoll revealed that most consumers do not want to do business with a company that has experienced a data breach. Of the 2,000 men and women polled, more than 86 percent said they were “not very likely” or “not at all likely” to do business with a company that experienced a data breach involving credit or debit cards.

According to Information Age reporter Ben Rossi, Semafone CEO Tim Critchley believes that this kind of reputational damage can seriously hurt businesses.

“The protection of card details is no longer simply a matter of best practice – the economic consequences of a failure to do so are potentially devastating for a business of any size,” Critchley said. “I can’t see how any organization can continue to ignore the increasingly loud demand from customers to keep personal data safe.”

In addition to the high percentage of consumers who would shun brands that experienced a data breach involving credit and debit card information, Retail Times shared that more than 76 percent of people polled would not do business with an organization if it experienced a data breach involving email addresses, 80 percent if the breach involved telephone numbers and 82 percent if it involved home addresses.

Reputational damage is an important factor to consider when it comes to business security practices. How concerned should organizations be about a damaged reputation after a data breach? How can businesses protect their brand’s reputation after a breach has occurred? Share your thoughts with us on Facebook and Twitter, and be sure to keep up with the latest security stories on our Tumblr.

Staying Cyber Secure During the 2014 Sochi Olympics

By | February 11th, 2014|Uncategorized|

Last week NBC News experimented with cyber security in Russia to help visitors traveling to Sochi for the Olympics understand the cyber risks they may face. The news segment warned that travelers’ data could be exposed when using their devices in Russia, and the reporter showed how his data was hacked within minutes of using his smartphone and laptop.

This report has been under fire since it was published. Gizmodo reporter Robert Sorokanich writes, “NBC did a few questionable things in filing this report – namely, initiating download of an unknown .apk file on the smartphone, and neglecting to download updates on their fresh-out-of-box laptops… That certainly upped their chances of being hacked.” In fairness, Sorokanich continues, “those are the kinds of things unsavvy tech users do, and unsecured public Wi-Fi is still plenty risky.”

Mashable reporter Jason Abbruzzese also pointed out that these risks “are not exclusive to Russia. Visitors may see more malicious links in the average Olympic search result than in other countries, but any users clicking on suspicious sites are bound to end up with problems regardless of where they are.”

In short, the risks NBC highlighted are risks that consumers should be wary of, no matter where they are in the world. Whether in the United States, Russia, or another country, cyber criminals are savvy when it comes to identifying a device’s weaknesses, infiltrating your data and taking advantage of large-scale events, such as the Olympics, to maximize hacking success.

Travelers to Sochi should note, however, that laws pertaining to cyber monitoring differ from those of the United States. The State Department issued a travel advisory that warned travelers “that Russian federal law permits the monitoring, retention and analysis of all data that traverses Russian communication networks, including Internet browsing, email messages, telephone calls, and fax transmissions,” reported U.S. News.

Here are three ways to protect yourself during the Olympics, whether you’re watching from home or abroad:

1. Make sure your devices do not auto-connect to public Wi-Fi.

When you connect to a public Wi-Fi spot, you’re giving cyber criminals a chance to capture your Internet history by tracking data via a man-in-the-middle attack. This can provide access to valuable accounts like your email and social networking profiles, which likely store sensitive data. Disable your smartphone’s auto-connect to Wi-Fi feature to help reduce this risk.

2. Connect to reputable sites to get Olympic coverage.

Phony sites that claim to stream Olympic coverage can actually harm your device and result in stolen data. Dave Kashi from The International Business Times reports that “harmful actors may create fake websites and domains that appear to host official Olympic news or coverage, which could be used to deliver malware to an end user upon visiting the site. Such sites are also known as drive-by downloads or watering holes.” Kashi provided a list of sites that provide credible Olympic coverage, including: NBC, NBCSN, MSNBC, USA Network, NBCOlympics.com and the Olympics’ Twitter, Facebook and Instagram accounts.

3. Lock mobile devices and install remote wipe apps.

In case of mobile theft or loss, keep a passcode on your smartphone to help keep identity thieves and cyber criminals from accessing sensitive data on your phone. You can also download apps for your iOS or Android device that allow you to remotely wipe your SD card and phone data in the event it is lost.

If you are abroad or plan on traveling abroad to visit Sochi for the Olympics, check out our past blog post: 10 Ways to Prevent Identity Theft While Traveling.

What are some additional ways to protect your devices during this Olympic season? Let us know on Facebook or Twitter, and please be sure to stay up-to-date on the latest security news on our Tumblr.

News Recap: The Results Are In For 2013’s 25 Worst Passwords

By | January 24th, 2014|Uncategorized|

Every year security firm SplashData pulls the most common stolen passwords to create a list of the year’s worst passwords. The consensus is in for 2013, and “123456” has moved up a spot to be the most commonly used and guessed password of the year. Here’s a look at the worst passwords of 2012 for comparison.

Many of the passwords on this list can be easily guessed or cracked, putting users at risk of having their financial information or identity stolen. In fact, PC World reporter Jared Newman said that “weaker passwords are more susceptible to brute-force attacks, where hackers attempt to access accounts through rapid guessing. And when encrypted passwords are stolen, weaker ones are the first to fall to increasingly sophisticated cracking software.”

In addition to the typical “123456” and “password” passwords, there were a few on the list that were likely from recent breaches. Morgan Slain, CEO of SplashData, said in Time: “Seeing passwords like ‘adobe123’ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing.”

Here’s a look at SplashData’s top 25 worst passwords for 2013:

1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345
21. password1
22. princess
23. azerty
24. trustno1
25. 000000

Find out how to create more secure password habits from our on-demand webinar and check out consumer password habits in this infographic. Let us know what you think about this list on Twitter and Facebook, be sure to check out our Tumblr for the latest industry news stories, and please change your password if you’re using any of the above!

News Recap: Financial Loans – No Longer Just About Your Credit Score

By | January 17th, 2014|Uncategorized|

Online reputation management has been a hot topic recently. The latest? Your social media activity could now keep you from getting a loan. Whether you’re an individual or a small business, lenders can use your online credibility to judge your financial credibility.

Lisa Vaas of Naked Security reported on a recent Wall Street Journal piece about how the financial services industry has increasingly turned toward social media and even smartphone usage to evaluate loan applicants. Vaas writes, “Many such institutions are giving customers the social-media once-over on an opt-in basis, often using the information as one more way to get credit to borrowers who might otherwise have difficulty getting a loan.” While this may be an opt-in practice for now, experts anticipate a more pervasive analysis of social media. Vaas quotes Moven Bank’s president, Alex Sion: “The data we have on customers via social networks says more about them than their FICO [credit-score rating]… You can make credit decisions based not on a faceless score, but on who you know.”

Alex Sherman of Inc. described how businesses that use social media can be affected by this new trend, using the example of a startup selling through eBay or Amazon: “A snafu with a supplier caused delays on a number of orders and most of those customers left negative feedback on the transactions. The complaints begin to make your short-term review ranking plummet.” Sherman went on to explain how lenders could judge your credibility based on that negative short-term ranking. Sherman concluded with the unfortunate truth that, despite your business’ desire to expand its market with social media, this issue is likely to extend beyond lenders and affect “potential vendors, service providers, customers, business partners, job seekers.”

Do you think online presence is a fair assessment tool for lenders to utilize? What steps should a business take in order to maintain their online reputation? Check out our recent webinar, whitepaper and infographic on Managing Online Reputation in a Digital World. And as always, let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: 2014 Security Predictions Roundup

By | December 5th, 2013|Uncategorized|

As 2013 quickly comes to a close, the security industry has begun making predictions for the coming threats and trends of 2014. Here’s a collection of five recurring 2014 security predictions.

1. BYOD will continue to grow – and cause risks – in the workplace

More and more businesses are adopting “bring your own device” (BYOD) practices and will continue to do so next year. Entrepreneur reporter Mikal E. Belicove found that 60 percent of businesses employ a BYOD strategy because “the efficiencies offered by a mobile work force are too great to pass up, and moving the cost of access to the employee is too juicy a cost savings to ignore.” What are the threats associated with a growing BYOD workforce? According to Help Net Security, the potential risks stem from “both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.”

2. Internet of Things moves from buzzword to security matter

ZDNet coins the Internet of Things (IoT) as 2013’s favorite buzz-phrase and believes that 2014 will be a time to evaluate how security plays into the IoT: “If 2013 was the year that the idea of the IoT (and many practical applications) went mainstream, then 2014 is likely to be the year when the security implications of equipping all manner of ‘things’ — from domestic refrigerators to key components of critical national infrastructure — with sensors and internet connections begin to hit home.” To circumvent security disasters from occurring amidst the IoT, Help Net Security suggests that the companies making the “things” should “continue to build security through communication and interoperability” and by “adopting a realistic, broad-based, collaborative approach to cyber security” with government departments and security professionals.

3. Hackers will want to destroy data, not collect it

In the past, cyber criminals have wanted to access information for profit, but over the course of 2013 a shift occurred. The 2013 IBM Cyber Security Intelligence Index report found a rise in the number of sabotage cases versus espionage. The reason? Because vulnerabilities within organizations often leave attackers with opportunities to cause damage. InformationWeek says “in 2014, organizations need to be concerned about nation-states and cybercriminals using a breach to destroy data.” Additionally, InformationWeek noted that ransomware will begin affecting small and medium sized businesses.

4. Cyber criminals will use social networks to infiltrate businesses

Social networking continues to expand into the business sector. This being the case, attackers will prey on businesses using social networks and high-level executives participating in business networking sites like LinkedIn to compromise organizations and gather intelligence, InformationWeek says. ZDNet, too, notes that social networking will be increasingly used in 2014 to “lure executives and compromise organizations via professional social networks.”

5. Attackers will look to the cloud for valuable data

As with the IoT, 2013 was an influential year for the cloud industry, but as more businesses continue to adopt cloud technology, hackers have found and will continue to find ways to exploit cloud-stored data. To protect against cloud cybercrime, Windstream senior consultant Kent Landry predicted in Help Net Security that “cloud providers will need to be certified in cyber security standards like NIST, PCI DSS compliance, STAR certifications, and other industry checkpoints. The security industry will flourish as organizations increase investment in protecting both their data and their customers with more advanced prevention software and training.”

What are your security predictions for 2014? Let us know on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: Universities Become Cybersecurity Hubs

By | November 26th, 2013|Uncategorized|

A number of universities are investing in the future of combating cybersecurity threats. From increased education for the public to brand new majors that inspire cyber innovators, the nation’s universities are quickly becoming hubs for cybersecurity.

Cal Poly, for instance, announced a new initiative in cybersecurity education. Dark Reading reported, “the major new educational initiative encompasses a comprehensive and collaborative program that spans the polytechnic university and partners with public and private organizations. The goals of the program include educating thousands of students in cybersecurity awareness and readiness; producing experts in cyber technologies and systems, including many professionals who will serve the military and defense industry; and graduating cyber innovators who are prepared for advanced study and applied research in emerging cyber issues.”

Stephanie Hayes of the Tampa Bay Times outlined hopes for Florida’s cybersecurity hub, which is planned to be located at the University of South Florida in Tampa. Hayes quotes project leaders saying, “The new center would bring it all together. USF would offer a master’s degree in cybersecurity, as well as certificates in subjects such as cyberbehavior, cyberbullying and cybercrime.” Hayes reiterates the point, quoting USF Provost, Ralph Wilcox: “Students and faculty from all over could train and do research there… IT professionals from around the country could come for certifications. Tampa is central to big businesses, plus MacDill Air Force Base. And USF is home to a high number of student veterans.”

What else could our universities be doing to promote, develop and teach cybersecurity? Do you think education will be a strong enough deterrent against cybersecurity threats? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

And if you’re interested in how other types of organizations are stepping up to the plate when it comes to cybersecurity, see last week’s news recap about organizations within the financial industry.
