2014 Verizon Threat Intelligence Report: A Snapshot of Results

By | April 30th, 2014|Uncategorized|

We love data here at CSID, and one of the things we look forward to each year is Verizon’s annual Data Breach Investigations Report. This annual report takes a look at the past year’s cyber security incidents, identifies trends and statistics, and provides analysis. This year’s report looked at over 63,000 global security incidents from 2013 – an alarming number that underscores the myriad of cyber security challenges that consumers and businesses face. We recommend giving the report a look, but if you are pressed for time, here are a few observations from this year’s report that mirror some of the trends that we’ve been seeing here at CSID.

2013 was the year of Point-of-Sale system attacks.

The Verizon report looked at 198 total Point-of-Sale (POS) system incidents, all of which resulted in data loss. In previous years, POS system attacks were mostly confined to SMBs, and they still largely are. But the high-profile, high-impact breaches of Target and Neiman Marcus in late 2013 brought the vulnerabilities inherent in POS systems into the limelight. To learn more about how POS system breaches happen, check out this Huffington Post piece by CSID president, Joe Ross. Overall, POS breaches have been decreasing over the last several years, but a resurgence in RAM scraping malware and the popularity and success of the Target breach may change this trend in 2014. The FBI has warned retailers to prepare for more cyber attacks of this sort.

When it comes to security, humans are your weakest link.

We’ve said this before and we’ll say it again, if you have a human component to your security system (and most security systems do) that human is going to be the likeliest source of a breach. Verizon accounts for this in their “Miscellaneous Errors” section of the report and aptly states in their key findings “people screw up sometimes.” The most common miscellaneous error that resulted in lost data was misdelivery (44% of 16,554 analyzed incidents), which includes sending paper documents or emails to the wrong recipients. Misdelivery is followed by publishing errors (22%) and disposal errors (20%). Keeping human error in mind, some businesses we have spoken with over the past couple of years are operating under the assumption that employee and consumer credentials are already compromised and are taking proactive measures to mitigate the financial and reputation impact of these compromised credentials. Our ETI service offers a good solution for this approach.

Device theft and loss will gain importance as more businesses adopt BYOD.

This category is pretty self-explanatory – when a laptop or phone with sensitive information goes missing, that constitutes a data breach. While the loss or theft of devices isn’t really “cyber-y”, they do make up a large portion of the data loss incidents reported by businesses. This is especially true for the healthcare industry. In October 2013, Seton Hospital here in Austin, Texas had an unencrypted laptop stolen that held medical data for more than 5,000 patients. This type of data theft and loss holds a valuable lesson – when it comes to cyber security, we can’t forget the basics. Sensitive data must be stored and encrypted properly, businesses need to implement BYOD security procedures that can mitigate the impact of a lost device, and employees and consumers need to exercise common sense and not leave a laptop or phone unattended or generally unsecured.

There is a lot more data and insight to be gleaned from this year’s report. Take a look and let us know what you found most interesting on Facebook or Twitter.

‘Tis the Season: Secure Your Business’ Online Shop

By | November 14th, 2013|Uncategorized|

Holiday season is just around the corner. Most people are aware that online holiday shopping opens up a number of security risks for consumers, and last year we outlined security tips for the online shopper during holiday seasons – but this year? Let’s tackle the issue from the business side.

Businesses with online shops are surely looking forward to the season, especially Cyber Monday, the Monday after Thanksgiving, during which they’ll likely see a huge boost in sales and popularity among their shoppers. But what about the security risks that come with managing an online shop? Consider these tips to keep your business – and your shoppers – secure this holiday season.

Keep your machines clean

Make sure your employees’ devices are using up-to-date software and are running the latest anti-virus technologies. Keeping your machines clean and running smoothly will help defend against internal viruses and malware.

Train everyone in security and privacy basics

Education is key. Teach your employees about the basics in security and privacy, including what types of customer information should be kept confidential. Also check that they are practicing best security practices internally, such as keeping strong passwords.

Create user accounts for each customer

Require that customers create individual user accounts. This will help you keep their information organized and secure on an internal level, while also adding an extra layer of security on the user’s side of the online shopping experience.

Encourage strong passwords

For these user accounts, require that your customers use strong passwords. Passwords should be long and feature a mix of letters, numbers and symbols. Ask that customers change their passwords at least on an annual basis.

Protect sensitive customer information

One of the most important tips in this list – protect your customers’ sensitive information. This includes their account credentials, their credit card information, their mailing address and any other information you acquire from them. Ensure that this information is all encrypted, or better yet, don’t house it internally at all. There are many trusted third party services to help manage such data.

Secure your site and provide advice for shoppers

Work with your IT team to secure your website – it should say HTTPS in front of the URL. Also consider reminding shoppers to confirm that they are using a secure Internet network prior to inputting any credit card information.

Are you prepared to run a secure online shop this holiday season? Do you have any tips to add? Let us know what you think! As always, join the conversation on Twitter and Facebook.

News Recap: Survey Finds College Students are Concerned About Online Privacy

By | September 20th, 2013|Uncategorized|

A recent survey by AnchorFree, an online privacy and security firm, found that U.S. and U.K. students shared considerable insight regarding the concerns of their privacy online. The study revealed that most college students are, in fact, concerned about their online privacy – particularly as it relates to their future endeavors.

According to Ben Dipietro of the Wall Street Journal, the survey found that “14% of college students said they experience identity theft, 80% suspect their online activity is monitored by school officials and 79% think their online activities might compromise future job projects”. U.S. News reporter Samantha Gordon highlighted, “68% felt videos and photos posted during college could resurface later on in life and create unnecessary issues.”

While most reports show that students are concerned with online privacy, ZDNet quotes CEO of AnchorFree, David Gorodyansky, about why college students might be so concerned. Gorodyansky explains, “College students all over the world tend to be among the most mobile and digitally connected… On top of that they are more frequently targets of online hackers and identity thieves because of their limited credit and employment histories. It is critical that they take control of their personal information online.”

In your opinion, what can students do to better protect against ID theft and increase their online privacy? And how can they take control of their online reputations as they enter the workforce?

This topic will be part of our cyberSAFE Series discussion this Tuesday, 9/24, as we talk to experts in our free webinar, “Managing Online Reputation in a Digital World.” Reserve your spot here. And as always, join the conversation on Twitter and Facebook, and check out our Tumblr for the latest industry news stories.

Upcoming cyberSAFE Webinar: Managing Online Reputation

By | August 28th, 2013|Uncategorized|

Professionals and businesses are becoming more dependent on the digital world, and managing our online reputations is an increasingly important and complex task. What you put online can impact everything from hiring decisions and employment, to a company’s reputation and security.

Recognizing the importance of this topic, we’re hosting a webinar in which experts will discuss online reputation management for businesses and their employees. Experts from a variety of perspectives will analyze the risks job seekers, employees and enterprises face when it comes to digital reputation management, and provide solutions to keep your online reputation safe. We will address:

  • How employers are utilizing social media channels to make employment decisions and monitor employee and business activity
  • The legal and privacy implications of this practice
  • How the information an employee shares online can put themselves and their employer at risk for identity and data theft
  • How an employee’s online reputation can affect their employer’s brand
  • Best practices for managing an online reputation
  • The opportunities that exist for businesses to address reputation management needs

Save a spot on your calendar, or go ahead and register here.  

Webinar: Managing Online Reputation in a Digital World
When: Tuesday, September 24, 2013 at 12 PM CDT
Cost: Free
Register: Click here
Speakers:
Bryan Hjelm, VP of Product and Marketing, CSID
Parry Aftab, Executive Director, Wired Safety
Jessica Miller-Merrell, HR Consultant and Writer, Blogging4Jobs
Neil Richards, Professor of Law, Washington University at St. Louis

This webinar is a part of CSID’s cyberSAFE Series. To learn more, see upcoming webinars or watch past webinars, visit the CSID webinars page. To suggest a webinar topic, inquire about participating in a webinar, or any other questions, contact CSID at csid@ink-pr.com

Back-to-School: Getting Online Reputations in Check

By | August 9th, 2013|Uncategorized|

It’s back-to-school time – the time of year that most people associate with buying pencils, books and laptops. But it may be time to start considering another topic when heading back to school: helping students check and manage their online presence.

Why? First of all – their futures could be at stake. Inappropriate online content about a young student could negatively impact their chances for getting into college and even a career. A whopping 91% of employers are vetting job candidates by scouring their social media profiles, looking at their online reputations, and so 74% of 18-34 year-olds find themselves deleting social media posts to avoid negative career impacts. And even more pressing for current students, 27% of college admissions officers admit to Googling prospective students, and 35% of them have found something that negatively impacted an applicant’s chances of getting into their school of choice.

Furthermore, the schools and companies that support these students should expect that the online actions their students take (posting content from within school walls, about teachers, using school computers, etc.) also affect their own reputations and cyber security. For instance, using social media sites on school computers puts the campus at risk for a potential data breach.

This is an issue that not only impacts high school students applying to college, or college students applying for jobs – it impacts students at any age. It’s the way of our digital age: when posting something online, we should expect that the content is available in the public sphere forever. When sending something to a friend over text or email, we should not be surprised if that content hits the Internet. This means that a photo of an 8-year-old boy that crosses the Internet today could potentially reach his first employer in his 20’s, and beyond.

Online reputation management should be a consideration from the start, and for all parties involved. Should we add the topic to our curriculums? Should school systems adopt and offer reputation management services and technologies to their students? Share your thoughts with us on Twitter and Facebook.

Managing Your Online Reputation

By | July 10th, 2013|Uncategorized|

The digital world is the real world. Our lives are so connected with the Internet that our online personas tell the world who we are as people, as professionals and as companies. This can be great – the Internet provides an outlet for us to share who we are, connect and grow relationships – but this can also be risky.

For better or for worse, our online reputations are increasingly under scrutiny. Reppler found that nearly 70% of hiring managers say they have rejected a candidate because of information found about the candidate on a social networking site. On the other hand, 68% say they have hired candidates because of what they found on a social networking site.

Why the scrutiny? An employee’s online reputation can make or break their career, a business opportunity or even a business. Too much personal information made public on the Internet can also put that employee – and potentially business – at risk for identity theft. It’s similar between universities and their prospective students, or agencies and their clients. Overall, managing an online reputation is an increasingly important and complex task.

For the next few months we will be addressing the topic of online reputation management with the hopes of giving businesses and professionals the tools and knowledge they need to keep their companies and careers running smoothly, and identities safe.

We’ll be hosting a webinar on the topic – keep an eye on our Resources page for more details. In the meantime, join our ongoing conversations on Twitter and Facebook.

Security Insights: Are you a “safe surfer”? How Crooks Steal Your Data

By | April 10th, 2013|Uncategorized|

Do you consider yourself a “safe surfer”? A “safe surfer” can be defined as someone who avoids the suspicious parts of the web, only downloads files that they are expecting, and inputs confidential data only on HTTPS sites. Even if you do practice these measures, you are still at risk. However, your level of risk is lower than someone who visits any website, downloads anything and everything, and inputs data into insecure websites.

How crooks hack legitimate websites to steal your data
Paul Ducklin of Sophos recently outlined this process in his article, “Anatomy of a phish – how crooks hack legitimate website to steal your details.” Here’s what he concluded:

Old school phishing is where cybercrooks lure you into logging in to your bank account on one of their websites. When you enter your personally identifiable information (PII), as you would on the bank’s real site, it gets uploaded to the crooks instead of to your bank. The idea, of course, is that they then use the credentials they just stole to start draining your account.

Many individuals have learned to take great care when banking online, and to check for “vital signs” of a scam before trusting a website with usernames and passwords. Phishers are now creating banking scams that are much more believable than the crude and misspelled emails and websites that were common a few years ago.

Many banks now have a closed cloud-style email service built into their Internet banking sites. The idea is that you’ll get into the habit of logging in securely to read important messages, rather than believing what arrives in insecure emails.

The bank will still send you emails, but they don’t contain any detail – they just give you an overview (e.g. “your statement is ready”), and advise you to read the full message on the secure site. What your bank won’t do is invite you to click a link to get to the secure site. They rightly leave you to find your own way to the banking portal, so you’re not at the mercy of the URL embedded in the email.

What the crooks are doing is relying on legitimate servers, owned by legitimate organizations and operated by unsuspecting sysadmins. The phishing email will contain a real URL that uses a redirect to take you to the hacked site; sometimes that site is specified in the URL as an IP number rather than as a domain name.

Nevertheless, this phish didn’t take you to any sites that would have stood out, under normal circumstances, as part of the cybercriminal world. The crooks want to redirect your browser into harm’s way, and they want to use your servers to help them do so.

Be careful out there. And that applies whether you’re browsing or running an online business.

Read the full article on NakedSecurity.

How to protect yourself and your company
Below are some tips that you can follow in order to avoid phishing scams:

  • Only browse websites that are required to fulfill your job duties
  • Do not submit confidential data on insecure HTTP websites
  • Go directly to websites instead of being at the mercy of embedded URLs in emails
  • Only open attachments that you are expecting and from senders that you recognize
  • Pay attention to URLs – If you are unsure about one, be on the safe side and do not visit it
  • Never email confidential information – pass this information on through telephone
  • Never enter confidential information in a pop-up screen
  • Pay attention to your web browser warnings
  • Report suspicious activity to the Information Security Officer
  • Always be suspicious
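
The link pattern described above (a legitimate site's redirect that forwards to a different host, sometimes given as an IP number) can be checked mechanically before a link is trusted. The following Python sketch is an added example, not code from CSID or the Sophos article; the function names, finding labels and sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl


def _is_ip_literal(host):
    """True when the host is an IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _embedded_targets(url):
    """Return absolute URLs carried inside query-string values.

    parse_qsl percent-decodes values, so an encoded target such as
    http%3A%2F%2Fhost%2Fpath is seen in its decoded form.
    """
    targets = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # Protocol-relative values (//host/path) are also followed by browsers.
        candidate = "http:" + value if value.startswith("//") else value
        try:
            parts = urlsplit(candidate)
        except ValueError:
            continue  # malformed value, not a usable URL
        if parts.scheme in ("http", "https") and parts.hostname:
            targets.append(candidate)
    return targets


def inspect_link(url):
    """Return a list of findings (labels are this example's own) for one link."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("not-https")
    if _is_ip_literal(host):
        findings.append("ip-literal-host")
    for target in _embedded_targets(url):
        target_host = urlsplit(target).hostname
        if target_host != host:
            if "redirects-off-site" not in findings:
                findings.append("redirects-off-site")
            if _is_ip_literal(target_host) and "redirect-target-is-ip" not in findings:
                findings.append("redirect-target-is-ip")
    return findings


# Constructed sample links (example.* domains and a documentation-range IP).
SAMPLE_LINKS = [
    "https://www.example.com/account/statements",
    "https://www.example.org/out?url=http%3A%2F%2F203.0.113.7%2Fbank%2Flogin",
    "http://203.0.113.7/bank/login",
    "https://www.example.com/search?q=phishing&next=/inbox",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", inspect_link(link) or "no findings")
```

A link with no findings is not proof of safety; the check only surfaces the specific redirect and IP-number traits described in this post.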

Share your tips for protecting your business with us on Facebook and Twitter.

Industry News Recap: California’s Push for Citizen Data Access

By | April 4th, 2013|Uncategorized|

Hot story of the week: California Assembly Member Bonnie Lowenthal introduced the “Right to Know Act 2013,” which would give citizens the right to see all the personal data companies have on them and with whom they’re sharing it.

“Privacy and data ownership is a hot-button issue within the tech community,” said VentureBeat. “Companies ranging from giants like Facebook and Google to small e-commerce startups gather information about user activity and sell them to data brokers or advertising networks to create better-targeted advertising.”

Lowenthal wants California to move toward what the EU gives its citizens in terms of “habeas data” rights, i.e. the power to request one’s personal data from companies that hold it. “But California is also, of course, home to Silicon Valley,” said CNET. “And the giants of the Valley, with their large, almost limitless ability to lobby politicians, are surely paying attention to the legislative rumblings in their own backyard. After all, they’ve been keeping an eye on Europe.”

With your data being sold and re-targeted to you across the Internet, are you concerned with whom your data is being shared? If similar states jump on the bandwagon, would you support this type of bill? Do you think companies like Facebook can stay afloat if this law is passed? Let us know what you think in the comments section below or on Twitter and Facebook. Also, be sure to check out our Tumblr page for the latest industry news stories.

Industry News Recap: One Password Ring to Rule Them All

By | March 15th, 2013|Uncategorized|

This past week, Google announced a novel idea for the future of passwords – a ring. Hardware authentication tokens aren’t a new concept, by any means, but Google thinks it’s time to bring this idea to a broader audience. Here’s a recap of the top news stories around this topic.

Geek.com said that “Google is [currently] testing a USB dongle…featuring an NFC chip that would potentially allow a user to kick start the login process by placing a phone or tablet within range.” They want to achieve the same success with a ring.

Meanwhile, MIT Technology Review reported that Google “first revealed its plans to put an end to password in an academic paper published online in January.” At RSA, a principal engineer at Google said “that using personal hardware to log in would remove the dangers of people reusing passwords or writing them down.”

So, what do you think about the future of passwords? Is Google on the right track to breaking the password code? Or would you just lose the ring? Let us know what you think on Twitter and Facebook. Also, be sure to check out our Tumblr page for the latest industry news stories.

Kids as Young as Two Have an Online History

By | February 27th, 2013|Uncategorized|

This guest blog post comes from Russ Warner, CEO of ContentWatch – makers of parental control software, Net Nanny.

Remember when you brought your first date home? My siblings delighted in showing her embarrassing photos of me. Well, there isn’t much reason to pull out the ole photo album anymore. Most people can “friend” you or your family members online or just find your public profile to see many pics or details you may have wanted to keep private.

This trend now affects everyone. In fact, one recent study said 92 percent of kids under the age of 2 already have a digital footprint. Kids that age are too young to post online by themselves, of course; it’s their parents and/or siblings that have created their digital profile.

It starts with the ultrasound pic announcing pregnancy. Then you read live Tweets during birth, divulging the exact date and time of the baby’s birth. Once online, information cannot be easily removed.

As a child grows, the excited parents’ online friends will see updates about potty-training and funny first words. This happens years before baby even knows about social media sites.

What happens when the child becomes a teen and signs up for Facebook? Will his mom “tag” him in his ultrasound picture?

This trend of openly sharing our lives online is new ground. Social media has only really been around for a few years. Today’s thirteen-year-olds wouldn’t have had their ultrasound pics posted on Facebook, Tumblr or Instagram. But parents now upload personal information all the time.

There are many types of professionals who make a living finding and using your personal information. They range from identity thieves, hackers, private detectives, bounty hunters, and even skiptracers.

What’s a skiptracer? One of our Net Nanny Community fans, Carolynn Y, is a skiptracer. Her job is to find personal information, for any number of purposes. A skiptracer is similar to a private investigator.

Carolyn said: “I find people for a living; I find most people through their children who post their cell phone numbers on their open access Facebook pages. In fact, when I am trying to find someone, I go to Facebook and look for a person’s “young” relatives. They almost always have their privacy settings loose and they either post their number on their wall (especially when they get new ones) OR they post their numbers on their best friend’s posts. I find them there too.”

So what’s a proud parent to do? Should you share every detail about your kids online? Maybe. But you have to be very careful about what and with whom you share.

Two suggestions:

1) Invite trusted family and friends to a private blog, on the condition they never repost or share the details you share.

2) If you really need to post something on Facebook, post it to a select group of friends, not your entire friend list. Don’t make your profile public.

Based on what’s done today, this might sound paranoid. But, I believe it’s a sound practice.

These safety measures aren’t foolproof, of course. One unscrupulous friend can post or tag you in an embarrassing photo anytime. But it’s better than going down the path we are all on.

To read a related, somewhat frightening story (mostly fictional) that I shared previously, see the following article: Your Online Privacy (Or Lack Thereof). This discusses what might happen in the future when companies recruit new employees or insurance companies research customers. With thousands of details available online, a potential employee or customer can’t hide the facts about their life.

I work for Net Nanny and the opinions expressed here are my own.
