Posts

Equifax Data Breach Protection Tips

,

How to Protect Yourself from the Equifax Data Breach

Equifax, one of the three major consumer credit reporting agencies disclosed that hackers compromised Social Security and driver’s license numbers as well as names, birthdates, addresses and some credit cards on more than 143 million Americans. If you have a credit profile, you were probably affected.

Credit reporting companies collect and sell vast troves of consumer data from your buying habits to your credit worthiness, making this quite possibly the most destructive data security breach in history. By hacking Equifax, the criminals were able to get all of your personally identifying information in a one-stop shop. This is the third major cybersecurity breach at Equifax since 2015, demonstrating that they continue to place profits over consumer protection. Ultimately, their negligence will erode their margins, their credibility and their position as one of the big three.

But that isn’t your concern – your concern is protecting yourself and your family from the abuse of that stolen information that will happen over the next 3 years.

Minimize Your Risk from the Equifax Data Breach

  1. Assume that your identity has been compromised. Don’t take a chance that you are one of the very few adult American’s that aren’t affected. It’s not time to panic, it’s time to act.
  2. If you want to see the spin that Equifax is putting on the story, visit their website. Here’s how the story usually develops: 1. They announce the breach and say that fraud hasn’t been detected 2. A few days later when you aren’t paying attention, they retract that statement because fraud is happening, 3. Sometime after that they admit that more people, more identity and more fraud took place than originally thought. They encourage you to sign up for their free monitoring (which you should do), but it does nothing to actually prevent identity theft, it just might help you catch it when it happens.
  3. I recommend placing a verbal password on all of your bank accounts and credit cards so that criminals can’t use the information they have from the breach to socially engineer their way into your accounts. Call your banks and credit card companies and request a “call-in” password be placed on your account.
  4. Begin monitoring your bank, credit card and credit accounts on a regular basis. Consider watching this video and then setting up account alerts to make this process easier.
  5. Visit AnnualCreditReport.com to get your credit report from the three credit reporting bureaus to see if there are any newly established, fraudulent accounts set up. DON’T JUST CHECK EQUIFAX, AS THE CRIMINALS HAVE ENOUGH OF YOUR DATA TO ABUSE YOUR CREDIT THROUGH ALL THREE BUREAUS.
  6. MOST IMPORTANTLY, FREEZE YOUR CREDIT. The video above walks you through why this is such an important step. Some websites and cybersecurity experts will tell you to simply place a fraud alert on your three credit profiles. I am telling you that this isn’t strong enough to protect your credit. Freezing your credit puts a password on your credit profile, so that criminals can’t apply for credit in your name (unless they steal your password too). Here are the credit freeze websites and phone numbers for each bureau. Equifax is being overwhelmed by requests, so be patient and keep trying. Even if it doesn’t happen today, you need to Freeze Your Credit!

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

John Sileo is an an award-winning author and keynote speaker on cybersecurity. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Trump Russia Investigation Update: Did Campaign HELP Russians Plot Disinformation Strategy?

Honestly, we don’t know yet. There was a time when our voting preferences, our political leanings, our policy choices were our own business. Now they are someone else’s business, quite literally. There are so many stories coming out about Donald Trump’s connections to and collusion with the Russians that it is getting hard to keep these accusations straight. Here’s the latest:

Trump Russia Investigation Update

The key word is help. As in, actively provide information that the Russians may not have been able to discover on their own. “Help” is not a synonym for encourage, appreciate or enjoy.

Without getting too political (because after all, this is a cyber security blog), here are the basics of the Trump-Russia Investigation from a cyber security perspective:

  1. The Trump campaign had possession of a huge amount of information about American voters from Cambridge Analytica, the data mining firm hired to help collect and use social media information to identify and persuade voters to vote (or not vote), through an activity known as political micro-targeting.
  2. Jared Kushner, the president’s son-in-law and now a senior adviser in the White House, was head of digital strategy during the campaign, meaning he was overseeing this effort to micro-target voters.
  3. The Russians unleashed bots, or robotic commands, that swept across the Internet and picked up fake news stories or harshly critical news stories about Hillary Clinton and disseminated them across the United States. By Election Day, these bots had delivered critical and phony news about the Democratic presidential nominee to the Twitter and Facebook accounts of millions of voters.
  4. Some investigators suspect the Russians micro-targeted voters in swing states, even in key precincts where Trump’s digital team and Republican operatives were spotting unexpected weakness in voter support for Hillary Clinton.

So the question is this: Did the Trump campaign, using what we assume to be lawfully-obtained micro-targeted voter intelligence, give access to the Russians so that they could point harmful disinformation campaigns at those vulnerable  jurisdictions?

Many top security analysts doubt Russian operatives could have independently “known where to specifically target … to which high-impact states and districts in those states.” As Virginia Sen. Mark Warner said recently, “I get the fact that the Russian intel services could figure out how to manipulate and use the bots. Whether they could know how to target states and levels of voters that the Democrats weren’t even aware (of) really raises some questions … How did they know to go to that level of detail in those kinds of jurisdictions?”

And that is Senator Mark Warner’s mistake – that the micro-targeting had to be so specific that it only hit potential Trump voters in certain jurisdictions. It did not. The campaigns could have been aimed at every person in that state, let alone the jurisdiction, only touching the opinions of those who were ready to hear the message. A phishing campaign isn’t sent only to those people in an organization most vulnerable to that type of social engineering – it is sent to everyone, and the most vulnerable are the only ones that respond. Similarly, it was good enough for Russia to cast their anti-Hillary message in the general vicinity of the target; there was no need for a bullseye to render the disinformation campaign to be effective. Those who received the message but were slightly outside of the voter profile or geographical jurisdiction simply recognized it for what it was, false news. The rest were unethically influenced.

But we don’t know yet if there is a connection between the micro-targeting big data purchased by the campaign and the Russian botnet disinformation attack.  We do know, however, that Russia attempted to influence the outcome of the election – and that is what we as cyber security experts, must focus on. 

Either way – collusion or not – the implications against our privacy (let alone the political ramifications of foreign entities influencing our election process) are huge. Remember, the Trump campaign had obtained this huge volume of information on every voter, maybe as much as 500 points of data from what kind of food do they eat to what are their attitudes about health care reform or climate change. And yes, I’m sure the Democrats had much of the same information and probably didn’t “play fair” either. The point is that we have gotten so far beyond just accepting that our personal information is readily available and easily manipulated that no one is even bringing up that part of the story.

We, America, have been lulled into allowing everyone else – corporations, our government, even foreign nations – to have more access to our data footprint than even we do. 

John Sileo is an an award-winning author and keynote speaker on cyber security. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Investigate Russian Hacking for Security, Not Politics (and get on with governing)

Our national security depends on cyber security, and Russian hacking threatens those defenses. Every day that I come to work, I see an erosion of traditional power structures at the hands of increasing cyber threats. The hacking of Yahoo by Russian operatives and the DNC are two such examples that have potentially shifted the balance of power from our marketplace and political sphere into the hands of Vladimir Putin, Russian cyber criminals and anyone piggybacking on their technology. Now that Roger Stone, an administration advisor, has admitted to contact with the DNC hacker (Guccifer 2.0), the ties are too direct to ignore. But we shouldn’t be doing this for purely political reasons, we should be doing it to clear our President and his administration of wrongdoing so that they can go on about governing the country and implementing their vision. 

If we don’t investigate the potential Russian hacking of the DNC with a thoroughness similar or better than the Yahoo hack, we are as much as admitting defeat in the cyber realm and simultaneously suggesting a coverup for political expediency. This isn’t about a single politician, this is about an entire political system. Cyber IS the new warfare, and we as a nation can acknowledge it now or after it is generally too late (which is what most corporations do). We don’t just need to get to the bottom of administration involvement, we need to get to the bottom of how Russian has inserted itself firmly in the midst of our democracy via hacking, trolling and kompromat (a Russian term for compromised materials, like hacked emails and tax records). 

Here are my recommendations for proceeding to have a neutral investigation of the charges so that we can clear our President and move on to discovering the source or our weakness: 

  1. Name a bipartisan select committee to investigate the alleged Russian hacking of our presidential election and President Trump’s ties to Russia. As they say, sunlight is the best disinfectant, and I’m certain that the administration has nothing to hide. But doing nothing sends exactly the opposite message – one of coverups and collusion for the sake of an election. 
  2. Since both Intelligence Committee Chairmen, Senator Burr and Representative Nunes, have close ties to President Trump, their involvement gives the appearance of bias. Taking a page from the book of Attorney General Sessions, both should recuse themselves from the investigation to eliminate all accusations of impropriety. 
  3. Appoint a well-respected Republican to chair the investigation so that it will be neutral, aggressive and fair. This is the only way to quiet the suspicion of corruption. Again, since the administration has nothing to fear, this is the only way to make the findings credible. To have colluded with Russia in any way would have been political suicide, so let’s prove this conversation false once and for all. 
  4. As part of it’s process, the committee would be wise to review Trump’s tax returns (in a confidential, non-public setting) to dispel any beliefs about his business or financial ties to Russia (of which he has assured us there are none) and extinguish two myths with a single stroke. 
  5. Commission an external, forensic cyber-penetration test to determine where the weaknesses lie within our cyber security so that loopholes can be closed before the next attack. This MUST be an external audit because there is too much at stake to leave this to governmental IT teams just trying to keep their jobs. Like students grading their own papers without oversight, unscrutinized self-assessments are necessarily faulty assessments. 

The end game of this investigation should be apolitical and focused on righting the cyber weaknesses inherent in our national cyber infrastructure.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Panama Papers a Lesson in Cyber Security

Whether data breach or insider leak, Panama Papers Cyber Security lessons still the same.

By now, you’ve heard about the leaked papers from a Panamanian law firm implicating world leaders, sports figures and celebrities alike in a scheme to shelter massive wealth in off-shore corporations (if not, see the NYTimes summary below for relevant links). At this point it is still unclear whether the 11.5 million records were obtained through hacking or leaked from someone inside of the Panamanian law firm.

But from a cyber security perspective, the lessons are nearly identical either way. At issue here is the massive centralization of data that makes either breach or leakage not only inevitable, but rather convenient. World leaders and executives alike must have a sense of deja vu from the leakage of the NSA documents by Edward Snowden several years ago. From a security perspective, it is baffling in both cases that one individual would have access to such a trove of data. This suggests that the records were not properly segmented, encrypted or subjected to user-level access permissions.

Now, it’s possible that the administrator in charge of the law firm’s computer network facilitated the breach (remember, someone with SysAdmin access always has the keys to everything when it comes to data), but I highly doubt it, as this is easily monitored and punishable. We may never know exactly how this breach transpired, but there are several lessons you can absolutely take from the Panama Papers:

  1. Segmentation. If the critical data inside of your organization is not segmented or divided across different digital locations, it’s like keeping all of your gold under the same mattress.
  2. Encryption. In the event that the Panama Papers were obtained by a hacker, this suggests that the data was not properly encrypted to keep out prying eyes. Most businesses still only have a partial encryption strategy on their data (either at rest or in transit) and this lack of an end-to-end encryption solution is what dooms them to breach.
  3. User-Level Permissions. We don’t know how the Panama Papers were accessed, but if we learn from Edward Snowden, the amount of global digital access you give to your employees makes a huge difference. A contractor like Snowden probably should have never had permission to access so much information across such a wide spectrum. He was only a contractor – imagine what a true insider could have accessed.
  4. Monitoring. Any organization that has implemented a secure firewall can monitor how much data is leaving their servers. More sophisticated software lets many companies know exactly what data is leaving the premises and exactly who is responsible. But both of these cases require human intervention to read the warning signs and take action. Target knew that their POS system was being breached, but no one acted on the red flags.

It’s too late for Mossack Fonseca to go back and right these cyber security wrongs. For you, it’s not too late.

Panama Papers Quoted Directly from the NYTimes.com:

The leaks from the Panamanian law firm, Mossack Fonseca, involve more than 11.5 million documents, nearly 215,000 companies and 14,153 clients of the firm, according to the German newspaper Süddeutsche Zeitung, which got the information and shared it with some other media outlets and the International Consortium of Investigative Journalists, a nonprofit group.

They began reporting Sunday on the leaks, now known as the Panama Papers, which have implicated a range of politicians, celebrities and sports figures, including close associates of President Vladimir V. Putin of Russia, President Petro O. Poroshenko of Ukraine, Prime Minister Nawaz Sharif of Pakistan, current and former members of China’s ruling Politburo and FIFA, the worldwide association for soccer.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Ransomware: Cyber Security Expert’s Next Big Threat

Ransomware: A Vital Course on the Next Big Cyber Threat

Ransomware is pretty much exactly what it sounds like: it holds your computer or mobile phone hostage and blackmails you into paying a ransom. It is a type of malware that prevents or limits users from accessing their system and forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems or to get their data back.

It’s been around since about 2005, but earlier this year, the FBI issued an alert warning that all types of ransomware are on the rise. Individuals, businesses, government agencies, academic institutions, and even law enforcement agents have all been victims.

Crowti (also known as Cryptowall), and FakeBsod are currently the two most prevalent ransomware families. These two families were detected on more than 850,000 PCs running Microsoft security software between June and November 2015. Another to take note of is known as Fessleak, which attacks Adobe Flash flaws. It is a “malvertising” trend that pushes fileless exploit into memory and uses local system files to extract and write malware to disk from memory.

How Ransomware Paralyzes Your Computing

There are different types of ransomware. However, all of them will prevent you from using your computer normally, and they will all ask you to do something (pay a ransom) before you gain access to your data. Ransomware will:

  • Lock your desktop or smartphone and change the password or PIN code
  • Encrypt important files so you can’t use them (photos, taxes, financials, My Documents, etc.)
  • Restrict your access to management or system tools (that would allow you to clean the computer)
  • Disable input devices like your mouse and keyboard
  • Stop certain apps from running (like your anti-virus software)
  • Use your webcam to take a picture of you and display it on screen or on a social network
  • Display offensive or embarrassing images
  • Play an audio file to scare you (i.e. “The FBI has blocked your computer for a violation of Federal law.”)

Common Ransomware Demands

  • Generally they demand money in order to unlock your system. Usually, they demand payment through an anonymous payment system like Bitcoin or Green Dot cards, and promise to give you the key if you pay the ransom in time (for example, $17,000 to be paid within 72 hours was the demand given to the Hollywood Presbyterian Hospital, which had all of it’s life-critical medical records frozen)
  • Sometimes the ransomware shows a “warning from the software company” telling you that you need to buy a new license to unlock your system. Other times, ransomware will claim you have done something illegal with your computer, and that you are being fined by a police force or government agency. These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your computer and files.

How to Prevent Ransomware Blackmail

The best way to avoid downloading malware is to practice good computer security habits:

  • Create an offsite backup of your files. Seriously, right now. And make it automatic, so that it happens at least once a day. An external hard drive is one option, but be sure to disconnect it from the computer when you are not actively backing up files. If your back-up device is connected to your computer when ransomware strikes, the program will try to encrypt those files, too. If you have a secure cloud back service that encrypts your files before sending, consider using that as an offsite backup.
  • Don’t click on links or open attachments in an email unless you know who sent it and what it is. Instead type the URL of the site you want directly into your browser. Then log in to your account, or navigate to the information you need.
  • Make sure your software is up-to-date.
  • Don’t download software from untrusted sources.
  • Minimize “drive-by” downloads by making sure your browser’s security setting is high enough to detect unauthorized downloads. For example, use at least the “medium” setting in Internet Explorer.
  • Don’t open “double extension” files. Sometimes hackers try to make files look harmless by using .pdf or .jpeg in the file name. It might look like this: not_malware.pdf.exe. This file is NOT a PDF file. It’s an EXE file, and the double extension means it’s probably a virus.
  • Install and use an up-to-date antivirus solution.
  • Ensure you have smart screen (in Internet Explorer) turned on.
  • Have a pop-up blocker running in your web browser.

If you Become a Victim of Ransomware

  • Stop work! TURN OFF YOUR COMPUTER! Shut down your entire network, if possible until help arrives. You can do this by turning off your switches or routers inside of your premises. Ask your IT professional before taking this step if you think that you might be interrupting service.
  • Contact an IT Security firm that can visit your office (or home) in person. Handling this type of problem over the internet is not advised, as it could exacerbate your problem.
  • If you have an offsite backup of your data, have the IT Security firm reinstall your backup and clean it of any ransomware before putting the data and computers back on the network.
  • Alert other people on your network, as any work completed after infection will be overwritten when the backup is restored.

There is conflicting advice regarding paying ransom. Truly, there is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again. Paying the ransom could also make you a target for more malware. On the other hand, if you have not backed up your files, you may have little choice. Almost 90% of the companies that we have studied as victims of ransomware end up paying the ransom to have their systems unlocked – but only about 50% of them ever receive the unlocking code promised. It’s a gamble, but if you don’t have an off-site backup, it’s probably one you are going to need to take.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Apple vs FBI: Why the iPhone Backdoor is a Necessary Fight

Apple vs FBI: Building a backdoor into the iPhone is like burning the haystack… 

I’ve been asked almost 100 times since Apple rejected the FBI’s request to break into the iPhone of the San Bernadino killers which side I support. I am a firm believer that the most complex problems (this is one of them) deserve the simplest explanations. Here is the simplest way that I can walk you through the argument:

  • If your immediate response, like many, is to side with Apple – “Don’t hack into your own operating system, it set’s a bad precedent” – then you have a good strong natural reflex when it comes to privacy. But don’t stop your thinking after your first reaction or thought, as it might be incomplete, because…
  • This is an intricate and nuanced balance between 1) personal privacy (don’t allow Apple or the FBI access into this particular phone), 2) public privacy (once Apple makes an exception for this case, the FBI (or Apple) could potentially open the iPhone in all cases), 3) security (by building in a backdoor for legitimate purposes, you will be opening it for hackers as well) and 4) national security (without access to this info, other terrorists might go undetected).
  • If it were your family member that had been murdered, you would probably agree that law enforcement should have every tool at their disposal to track down the murderers or criminals, and privacy be damned. You would also note that…
  • There are thousands of precedents for the FBI to obtain search warrants into suspects homes, emails, phone calls and the like. Ask yourself why this request is any different.
  • It’s a slippery slope. First the iPhone, then your encrypted password protection software, private Facebook history – you name it. The FBI’s solution is roughly the equivalent of giving the government a key to every home in America and letting them decide when to use it. By applying a broad brush stroke (build a backdoor into the security of every iPhone) when a fine-tipped pencil would be more than adequate (learning more about a single case – the San Bernardino killers and their connections), you forever  lose control of the master key. As was put so eloquently in an article by Wired (I cite this particular article because I agree with it), “Apple is not being asked to unlock an iPhone; it’s being asked to create software that would help the FBI unlock it.” To me, those are two completely different requests.
  • A backdoor would give law enforcement an additional tool to solve tens or hundreds of crimes, but in the meantime endangering the data of nearly a billion users. If Apple complies, what happens when China asks Apple to unlock a phone based on the earlier precedent – does Apple hand over information that could lead to political persecution? In other words…

Building a backdoor into the iPhone is the equivalent of burning the haystack to find a needle. You simply have to ask yourself honestly if the needle is worth the ashes. 

5 Possible Solutions in the Apple vs. FBI iPhone Backdoor Case

  1. Let it go. Sometimes you don’t have all of the evidence in a criminal case. Whether the murder weapon cannot be found or the iPhone data cannot be obtained, the case is resolved in other ways. The NSA (as exposed by Edward Snowden) has done nothing to engender our trust in government organizations collecting and using data on American citizens. They abused their powers of data collection in that case, so we all wonder why it would be any different in this case.
  2. Stop pretending that Apple can build a one-time backdoor. Encryption doesn’t work that way. Security doesn’t work that way. The minute you tinker, the entire house of cards falls and exposure becomes the rule, not the exception. If the information on the phone is important enough, at least admit you are willing to put the data of a billion people at risk.
  3. Upgrade your hackers at the FBI. I’ve had several white-hats hackers suggest that the iPhone can be cracked. Hackers are sometimes a cocky bunch (that’s what makes them good, by the way), but I’ve seen them hack almost every device possible with a creativity that would make Picasso proud, so I wouldn’t put it past them.
  4. Take this conversation off line. Ultimately, I think this question will be decided in back rooms where the public doesn’t get to see the answer (we are, in fact, a representative democracy where much of what happens does so behind closed doors). And frankly, I think it should be. There is too little awareness of the complexities we are dealing with here, and the emotional responses that we all have are only getting in the way.
  5. Do something, Congress! There are thousands of similar cases to be decided in the future and very little in the way of legislation to guide the way. Most of the laws being quoted in this case go back a half a century. Congress should catch up with technology and set some guidelines and oversight on the privacy vs. security question. We are a smart enough society to allow for gray areas in between a media that immortalizes black and white.

I believe that Apple is doing the right thing in standing their ground an not creating a system-wide backdoor into the iPhone. I also believe that the FBI is doing the right thing in trying to obtain every piece of information they can to resolve a past or future crime. This should not include a systemic hack of the iPhone or any computer system. The strength of our democracy is in the tension that exists between those two stances and the system of checks and balances that keep either position from being extreme.

I guarantee you that there is a way to set down the paint brush and pick up the pencil – to create a solution that impacts one phone, not millions – and that it is possible to balance public privacy with national security. It may not pertain to this particular case, but it will to all of those future cases waiting to happen. In the end, isn’t that what we all want? If you agree, write your Congressperson and ask them create laws that address the current privacy/security confusion.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Cyber Security Expert Asks: What is the Weakest Link in your Cyber Security Plan?

When the finance chief of a London hedge fund got an urgent phone call about possible fraud on a Friday afternoon just as he was preparing to leave work, he honestly thought he was doing the right thing by giving the caller the information requested. Wouldn’t any decent CFO want to stop fraud if it was in his power to do so? That way, he could rest easy for the weekend, knowing he had saved the company from damage. Imagine the feeling in the pit of his stomach when he turned on his computer Monday morning to find that 742,668 pounds ($1.2 million) was missing!

That’s what happened to Thomas Meston of Fortelus Capital Management LLP in December of 2013. He received a phone call from someone claiming to be from Coutts, the London-based hedge fund’s bank, and the caller warned him there may have been fraudulent activity on the account. Meston was reluctant, but agreed to use the bank’s smart card security system to generate codes for the caller to cancel 15 suspicious payments.

Instead the caller used the codes to divert funds into other accounts. Meston lost his job and, to add insult to injury, is being sued by the fund for breach of duty to protect its assets.

It’s a sad case of firms too often seeing cyber security as a technical issue and not recognizing the risk of employees being targeted, as supported by a report from the Bank of England last week that called cyber crime a growing threat to financial stability.

And such “Friday afternoon scams” are not uncommon. Zurich Insurance Group Ltd warned in May that law firms also were targeted by fraudsters impersonating bank staff that asked for access to accounts, often late on a Friday.

“People are always the weakest link,” said Jason Ferdinand, a director at Coventry University who runs the U.K.’s first cyber security MBA course. Employees “often assume that they do not have to think about security because a machine or software is doing it for them.”

In my business as a speaker on Cyber Security, Corporate Fraud and Identity Theft, the initial phone call from clients often revolves around wanting someone who can protect the company. My response is, “Then let me train the people”. If I can train them to pay attention to what I call the “Hogwash” response, I know that is the greatest line of defense between the company and fraudsters.

So, again I ask, what is the weakest link in your cyber security plan? Answer—any human being who works for your company! It just depends on who wants to do the right thing and happens to answer the phone or get that email asking for a quick decision under pressure. If you’re looking for entertaining training that targets the human factor, we’re here to help!

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Data Breach Experts to Board of Directors: Wake the Hell Up

Despite deluge of stolen PII, data breach experts see little change in corporate security behavior

The results of a Ponemon Institute survey commissioned by defense contractor Raytheon suggest that the massive attention generated by recent data breaches have failed “to move the needle” in changing behaviors and attitudes toward information security at many companies.

One of my most trusted sources of information about data breach is Larry Ponemon of the Ponemon Institute. Larry’s data is unbiased, no nonsense and reliable, even though his work is occasionally commissioned by interested parties (like Raytheon). And supported by studies from other data breach experts, we are all screaming at your organization to WAKE THE HELL UP! I rarely use statistics (and only occasional but fully-justified swearing) in my keynote presentations (because I don’t fancy sleeping audiences — or lawsuits), but today I’m going to BOMBARD you with them. Use whichever stat you think will best shock your “head-in-the-scorching-sand” executive out of the destructive malaise that might lead you into an Anthem-like, Sony-style, Target-worthy data breach:

  • Many executives still appear to view a data breach as something that only happens to others (I call this the Arrogance Effect). Further, of the respondents commenting on their senior leaders…
  • 66% DO NOT perceive cybersecurity as a strategic priority
  • 78% HAVE NOT briefed their Board of Directors on their cyber security strategy over the past 12 months
  • 53% of organizations fail to take appropriate steps to comply with leading cyber security standards
  • Only 10% make their information security department responsible for granting access rights. So who controls the other 90%?
  • Despite the risks posed by insiders, 49% have no policies for assigning privileged user access
  • 57% fail to do a background check before assigning privileged credentials

If you haven’t had enough… more from PricewaterhouseCoopers

  • The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% from 2013.
  • That’s the equivalent of 117,339 incoming attacks per day, every day.
  • The compound annual growth rate (CAGR) of detected security incidents has increased 66% year over year since 2009 (and that’s only the incidents detected and reported)
  • Crimes caused by internal actors are often more costly or damaging than compromises perpetrated by external groups. Yet many companies do not have an insider-threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats.
  • 65% of top offenders of insider crimes are current and former employees and most of the rest are contractors & consultants

And here’s the kicker for every data breach expert…

  • As incidents are rapidly rising, security spending is falling.
  • Investments in information security budgets declined 4% over 2013.
  • Small organizations, in particular, are not spending on security: Companies with revenues less than $100 million reduced security investments by 20% over 2013.
  • Many organizations have not yet elevated information security to a Board-level discussion. Fewer than half (42%) of respondents said their board actively participates in overall security strategy.
  • Barely 25% said their boards were involved in reviewing current security and privacy risks to the their organizations.

Believe it or not, in spite of the rash of massive data breaches, very few Chief Information Security Officers (CISOs) directly report to the CEO (Just 14% in the Raytheon survey).

Before the Target data breach, they had never hired a CISO. Obviously before the breach happened it wasn’t important to them either. That was a costly oversight that they will pay for in years to come as the poster child of cyber security data breach.

John Sileo is an an award-winning author and keynote speaker on keeping your organization from becoming the next data breach headline. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

12 Days to a Safe Christmas!

As part of Checks Unlimited?s Fraud Prevention Education series we are privileged to provide important information to help reduce your risk of RFID and Identity Fraud. For a Limited Time, SAVE 30% OFF RFID Products! Use code: RFID

Checks Unlimited • PO Box 19000 • Colorado Springs, CO 80935-9000

Checks Unlimited values and respects your privacy. Visit www.ChecksUnlimited.com/Privacy.aspx to view our privacy policy. This is an automated message; replies will not be read. To contact Checks Unlimited Customer Service Department, please send an email to general@support.checksunlimited.com

CU5FRAUD14
Sileo.com Checks Unlimited Home Sileo.com Checks Unlimited Home Page Prevent Holiday Identity Theft It?s Beginning to Look a Lot Like Christmas- at the Mall! Stopping Hackers When You?re Shopping on Wi-Fi Holiday Shopping Quiz ? Is Credit or Debit Smarter? Don?t Tell Facebook You Won?t Be Home for the Holidays Don?t Let the Grinch Steal Your Party! It?s a Wonderful Life?Let?s Keep it That Way What to Give the Person Who has Everything (& Wants to Keep it!) I?m getting Nuttin? (But Scams) for Christmas Beware the Phony Santa Claus Comin? to Town  Is that Holiday Email Really a Lump of Coal? Holiday Security Tips All Wrapped up Together

 

Ebola & Cybergeddon: Why the Novelty Could Kill You

What does cybergeddon have to do with ebola?

In 2014 Ebola has claimed over 4,000 lives in Western Africa and caused ONE death (of a person who contracted the disease in Africa) in the United States. Many Americans are in a proper panic about it and it continues to be front page news.  In typical fashion, we have found something to worry about while conveniently ignoring other, “less sensational” but more critical topics:

  • According to the CDC, Influenza kills about 3,000 people in this country in a good year (1986-1987) and up to nearly 50,000 in a bad one (2003-2004).  Yet during the 2013-2014 flu season, only 46 percent of Americans received vaccinations against influenza.
  • Seat belts have saved an estimated 255,000 lives since 1975.  Yet each year more than 50 percent of people killed in car crashes were not wearing a seat belt.
  • There are more than 3.5 million cases of skin cancer and it is responsible for almost 10,000 deaths yearly.  Yet take a look around on any summer day at the Americans who continue to ignore warnings to use sunscreen and hats and proudly show off their tans. (Or in the winter for those who continue to maintain their tans through tanning beds even though more people develop skin cancer because of tanning than develop lung cancer because of smoking.)

I could go on with examples of drunk driving, deaths from firearms, forgoing childhood immunizations, the American diet…

None of this is meant to lessen the horrible crisis of Ebola. We can and should pour our resources into stopping the spread of this disease, especially in Africa, where the problem is of catastrophic proportion. But one must ask, why are we not doing more to stop the things we KNOW are a REAL threat to us, when we have all the knowledge and tools to prevent them?

Our gravest health threats are those that we understand, but fail to take proper action against.

And the very same is true for cyber security and impending cybergedddon (complete destruction due to a cyber event). We focus on electronic pickpocketing because it’s novel, and forget that the same credit card that in a rare case might be scanned by a $1,000 piece of equipment should a thief manage to get within several inches of our wallet, is the same card that we already hand over to complete strangers many times per week. Corporations spend millions on software to detect digital intrusion, but don’t have the budget to train employees on how to use it properly. 

The solution lies not in stopping electronic pickpocketing, but in utilizing 15-year-old technology that has been in place for decades in most developed countries (chip and pin technology, which Apple is finally mainstreaming). In cyber security, the old problems are still the biggest problems: poor passwords, unwise link clicking, something-for-nothing scams, outdated operating systems, anti-virus and mission-critical applications, and most of all, human training that would bore drying paint to tears. If cybergeddon occurs, it will be because we focused on the shiny bits rather than the substance.

Stop looking at what is gaining attention in the media, and start looking at the weak spots inside of your organization that will more quickly cure your cyber security problem.

 

John Sileo is a cyber security expert who focuses the human side of the equation. John specializes in making security entertaining for keynote audiences, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.