Protecting from Identity Theft? A good Start

Calendar November 12, 2009 | Posted by Dave

I apologize for delays in new post, business has been well keeping me busy.  2010 I hope to update more regularly.  Until here is an article I wrote for security magazine in 2008.  I hope you enjoy.

Protecting from Identity Theft? A Good Start

by Dave Chronister
April 1, 2008

Technology’s ever-growing importance is a mixed blessing.

On one hand, it keeps me employed, but many times I will find myself talking about “new threats” that aren’t really new, they are just finally coming to the public’s attention.

The issue “de jour” is identity theft, and, according to the general public, this never happened until the TJ Maxx break in. Am I the only one who watched Sandra Bullock in “The Net?” Granted this movie was a little far-fetched — I mean, come on, ordering a pizza online? But there we were in the mid-1990s watching a movie about a recluse woman whose identity was stolen in order to cover up a major conspiracy. Now, 13 years later, we live in a world where it seems the only data leak to worry about is consumer information.

Doesn’t a company with revolutionary ideas worry about corporate espionage and loss of trade secrets? Shouldn’t a publicly traded company need to ensure its financials are not released prematurely?

In reality, security professionals have to deal with data of different levels of security, much of which is unknown to even them. So while the rest of the world is focused on the little old ladies’ Social Security numbers, let’s look at the best strategies on keeping our sensitive information in our castle’s keep and maybe even use the identity theft hysteria to our advantage.

The decentralization of a company’s data stores and multiple facets of data retrieval have rendered the security strategy of building a bigger outside wall obsolete.  A silver-bullet solution will eventually become an Achilles’ tendon. Instead, you want to go for layers, defense in depth. Structure your security solutions to identify threats, guard against automated scans, and slow down and report possible intrusions. In the event of a successful attack, ensure containment and, if possible, identify the offenders of the data loss.

Let’s take a look at a few weapons that you may want to put in your arsenal.

First, there are network traffic analyzers — and we are not talking about your network administrator’s wire shark system. These analyzers will examine the content and determine if sensitive data may have been sent out to unauthorized recipients. Many traffic analyzers will even determine if information is being sent to correct destinations but over incorrect channels, say instant messaging or IM, or to the public network unencrypted.

The obvious concern with this technology would be the potential bottleneck that you would face even on a small network. Global Velocity, one of the newer companies in this realm, is about to release a hardware-based content analyzer that it claims can process 10gbps. The potential is a godsend, but it isn’t without limitations. It can only analyze clear text. Someone sending out binaries, say screen prints, or encrypted traffic, such as a virtual private network or VPN stream, would not be analyzed. It also only handles traffic heading out of your network to other networks either public or private.

This doesn’t address other avenues of “data escape,” such as mobile devices and USB keys. There are multiple solutions to this problem, from physical USB locks to software solutions, such as Devicewall’s Centennial, which can block various types of USB devices, such as MP3 players or PDAs, and provide a complete audit trail. Microsoft shops could even use network policies to lock USB ports.

Speaking of policies, let’s take a quick look at your greatest weapon and your worst enemy: The User.

Sometimes it may seem a better idea to give flamethrowers to your local Cub Scout troop than to depend on John Q. User to ensure the integrity of your data. No matter how much you secure your sensitive data, the simple fact is your employee will be retrieving and writing this data on a daily basis. You need to ensure your security awareness program prepares them to handle the various aspects of social engineering as well as prevent accidental data leaks. After all, hackers are targeting the secretaries, not the Certified Information Systems Security Professionals or CISSPs. Computer-based training and posters should be part of your program, not the entire program.

Finally, getting upper management’s buy-in to the cost of data protection in money and manhours can be a daunting task. The horror stories of other data breeches as well as the projected cost to a business for identity theft can be used as a case study during your presentation. If that doesn’t work, maybe you can bust out your VCR and hope Bullock’s stellar performance in “The Net” does.

http://www.securitymagazine.com/Articles/Feature_Article/BNP_GUID_9-5-2006_A_10000000000000298345

Category Categories: Best Practices, Original, compliance | Tag Tags: , , , | Comments 1 Comment »

Walmart Data Breach – By Employees

Calendar April 21, 2009 | Posted by Dave

Almost half of all malicous attacks are done by an internal entity.  Do your employees know how to protect their data?  Don’t guess, get security awareness training from Parameter (End Shameless Plug) :)

– Dave

 

Wal-Mart suffers breach in computer data
News
Monday, 20 April 2009 08:22
It has come to light that Wal-Mart has suffered a breach in its staff data system due to a former employee leaving their job with confidential records. The information is said to refer to 48,000 members of staff in the state of Illinois, America. Security of information has also been a source of several news stories here in the UK as govermnment ministers have accidentally leaked information through mishaps. The breach occurred in mid-2007 and has only just emerged in the media. The language of the documents exposed was generalised, projected and chain-wide, begging the question: how many people’s personal security has been compromised by this? Considering the chain employs 1.8 million members of staff, this is a large loss of personal information which may take the form of private co-ordinates, bank account details for payrolls, tax codes and details, etc.

The breach is feared to be more than localised and is being looked into by senior staff.

Category Categories: Best Practices, Recent News | Tag Tags: , , , , , , | Comments No Comments »

The twits tweeting on Twitter..

Calendar April 3, 2009 | Posted by Dave

So I know this post will be a very unpopular among many of my social marketing friends who feel that tweeter is the best thing since sliced bread.  I will admit while I find most technologies coming out today as fairly useful.  I could not find any useful purpose for twitter in my daily life.  Until Today….

Electronic Survellance

When you are trying to pull off an attack, any attack, the first thing you have to do is gain as much intelligence about your target as you can.  When performing a social engineering attack, we have to find as much information about our victim employees as   possible.  If I am going to successfully trick you into clicking an unsolicitated email, I must send you an email that will perk your interest.  Before, this involed scouring websites, forums, and social networking sites.  While these were very useful, it could be static, you were into cars 6 months ago, but now not so much.   The key to a successful social engineering based attack is simple – If you know enough information, the victim will never suspect you are an attacker.

So what is Twitter?  It is a micro blogger that only allows 140 characters at a time.  So people are forced to blog on very small timely subject.  From what they ate for breakfast to about current events, ”Tweets” are frequent and the subjects are far reaching.  This can be likened to a cyber glimpse into someone’s life.  And that is a dream for a malicous attacker.  If I as an attacker am trying to find information about you that I can use,  then twitter becomes a must read for me.  Granted it may seem like what song your listening to doesn’t seem like a security issue.  Remember, a successful social engineering attack conviences you I am someone harmless.  Sending an email from the Hannah Montanna fan club saying to join may not be a draw for alot of people, but if I find that employee who is Tweeting about Hannah Montana then I have found my ticket in.

The key to gathering successful intelligence is to first linking the employee’s business information to a personal identity.  Tweeter can again help.  If I am trying to find information on a  Dr. Jane Doe who is a chemical engineer.  I do a search for a Jane Doe on Twitter and I find a tweeter who is tweeting about working on a chemical molacule chances are I have found a match.  From there I would look at her handle and see if that handle is used anywhere else on the internet.

Tweeter to a Jailbird

Your employees are twittering, do you know what they are saying?  Have they said anything negative about your company?  Have they let out any company/trade secrets? I did a twitter search for Layoffs and check out some of these hits I found. (These are hits from within the last hour) 

“I can’t “publicly” confirm or deny any layoffs. You will see a press release soon on Q1 results with details contained therein. “
My co. offered 65 + 5 yrs. employees or 20 yr. employees a BUYOUT that sucks. Insulting offer. I sense layoffs are coming next.
“Just entered the ranks of the unemployed!!! Layoffs at *****! Couldn’t have come on a brighter, sunshiney-er day!!! “
“They have bhind scenes. So far I’m ok but they can’t cut too much from me. We knew layoffs in works. Fred always said he wouldn’t “
 

Most companies have a procedure in place to determine  what company information is release, when it is release, and who releases it.  I find it highly unlikely that these  tweets were approved by the company’s management as offical statements from the company.  Let’s think about other instances, is your company about ready to release a new offering that is secret right now?  Do you have an expected new offering that has some issue?  Were your financials not quite where they were expected? 

If your company is a publically traded company, Tweets of secret information could be seen as insider information.  At that point you better have a PDA that will survive 5-7 years (with good behavior :) ).

Plugging the holes

Again as with many security fixes it comes down to your end-user employees.  Security Awareness training and proper policies put in place.  Have policies that state what business information that should not be release by unauthorized employees under any form.  Make sure your employees know the risks of tweeting business information and ensure these policies are enforced.

Category Categories: Best Practices, compliance | Tag Tags: , , , , , , | Comments No Comments »

Red Flag Delayed

Calendar November 4, 2008 | Posted by Dave

In case you haven’t heard the FTC has delayed the deadline for implementation of the Red Flag Rules.  The deadline has been extended 6 months to May 1st 2009.  

The Red Flag rules require financial institutions and credit based corporations to develop and implement an identity theft prevention program.  

You can read more about the delay on the FTC website here http://www.ftc.gov/opa/2008/10/redflags.shtm

Parameter offers a great Security Awareness Training through our Hacker University.  Check out more information here.  http://www.parametersecurity.com/index.php/hacker-university

Category Categories: compliance | Tag Tags: , , , , , , , , , , , | Comments No Comments »