Category Archives: responsibility

Protect your Black Monday shopping with a quick tune-up

[updated December 1, 2012]
Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer is not helping someone steal your identity.

Tens of thousands of people will have their identities stolen in the next few weeks because malware on their own computers captured credit card numbers, online user IDs and passwords. A few minutes’ work will go a long way towards keeping you out of that group.

Or you can do nothing, and potentially take days off work to cancel credit cards, write letters and set up credit monitoring; getting back to where you are right now can take forty hours or more.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ .  Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to other Internet sites but are unable to install updates at update.microsoft.com, your PC may already be compromised: malware commonly blocks access to update and anti-virus sites to protect itself. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, open it and check the date of its last signature update; vendors release signatures at least daily, so that date should be within the last few days. Then try an update now: your anti-virus software should be able to connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

If you are not sure whether your anti-virus software is working (or whether your computer even has anti-virus software), you may wish to download and run Microsoft Security Essentials. This is a free anti-virus program from Microsoft. While some professionals may argue that it is not as effective as the commercial brands of anti-virus software (Sophos, Symantec, McAfee, Trend Micro, Panda, etc.), it’s better than having nothing at all.

December 1, 2012 Update: Microsoft Security Essentials has lost its AV-Test certification as an effective anti-virus program. The full test results are available here in an easy-to-read chart; note the absence of the “AVTest Certified” logo next to Microsoft Security Essentials.

Several free anti-virus programs are worth considering: AVG, Avast, ZoneAlarm Free Antivirus + Firewall and Panda Cloud Antivirus. I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.
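If you would rather see the answers to steps 1 through 3 in one place, here is a short PowerShell script that reports them. It is an added example written for this page, not something from Microsoft or from the original post. It assumes Windows 7 or later with PowerShell 3.0 or newer, run from an elevated prompt, and it changes nothing (it only reports). The hosts-file check at the end is an extra: malware that blocks update and anti-virus sites often does so by adding entries there.

```powershell
# Added example, not part of the original post: reports the state of
# Windows Update, Automatic Updates and anti-virus in one pass.
# Assumptions: Windows 7 or later, PowerShell 3.0+, elevated prompt.
# Nothing here changes settings; it only reports.

# --- Step 1: can the Windows Update Agent reach Microsoft and find updates? ---
try {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Same criteria the Windows Update client uses for software updates not yet installed.
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    "Windows Update search OK: $($result.Updates.Count) update(s) not yet installed"
    foreach ($u in $result.Updates) { "  - $($u.Title)" }
} catch {
    # A working Internet connection plus a failing update search is the
    # warning sign step 1 describes.
    "WARNING: Windows Update search failed: $($_.Exception.Message)"
}

# --- Step 2: is Automatic Updates switched on? ---
$au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
# NotificationLevel: 1 = disabled, 2 = notify before download,
# 3 = notify before install, 4 = download and install automatically.
$level = $au.Settings.NotificationLevel
"Automatic Updates level: $level"
if ($level -lt 4) { "WARNING: Automatic Updates is not set to install automatically" }
"Last successful update search:  $($au.Results.LastSearchSuccessDate)"
"Last successful update install: $($au.Results.LastInstallationSuccessDate)"

# --- Step 3: is an anti-virus product registered, and are its signatures fresh? ---
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $avProducts) {
    "WARNING: no anti-virus product is registered with Windows Security Center"
} else {
    foreach ($av in $avProducts) {
        # productState is a vendor-populated bit field; the hex value is what
        # the vendor's support documentation will ask you for.
        "Anti-virus: {0} (state 0x{1:X6}, reported {2})" -f $av.displayName, $av.productState, $av.timestamp
    }
}

# Windows Defender (and Security Essentials on Windows 8+) exposes signature age directly.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    "Defender real-time protection: $($mp.RealTimeProtectionEnabled)"
    "Defender signatures updated:   $($mp.AntivirusSignatureLastUpdated) ($($mp.AntivirusSignatureAge) day(s) old)"
    if ($mp.AntivirusSignatureAge -gt 3) { "WARNING: anti-virus signatures are more than 3 days old" }
}

# --- Extra check: malware that blocks updates often does it through the hosts file. ---
# Comment lines are skipped because the stock hosts file mentions Microsoft in its header.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hits  = Get-Content -Path $hosts -ErrorAction SilentlyContinue |
         Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'microsoft|windowsupdate|symantec|mcafee|avast|avg|sophos|trendmicro|panda' }
if ($hits) {
    "WARNING: the hosts file redirects update or anti-virus sites:"
    $hits | ForEach-Object { "  $_" }
}
```

Any line beginning with WARNING is a reason to stop shopping and get the machine looked at; a clean run is not proof the PC is healthy, only that the three checks above passed.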

Open Networking is a violation of the LinkedIn terms and conditions

It really irks me when I see people on LinkedIn who connect with anyone who is willing to accept a connection.  This is a blatant violation of the intentions – and the terms and conditions – of LinkedIn.

I connect only with people I know. I am VERY hesitant to connect with people who are promiscuous linkers, because I do not have any way to know which people in *their* network are trustworthy.

Today I saw a posting on a LinkedIn group that read,

“Lets expand our network together. Open Networker Accepting All Invitations.”

I responded,

“In my own opinion this violates the LinkedIn terms and conditions. And I’m surprised to hear this from a CISSP and CISA who is supposed to uphold two different codes of ethics that require honesty in all professional dealings.

In LinkedIn, we are supposed to connect only with people that we *know*, NOT with everyone who will push a button. The LinkedIn Terms and Conditions, section 3, reads:

‘The purpose of LinkedIn is to provide a service to facilitate professional networking among users throughout the world. It is intended that users only connect to other users WHO THEY CURRENTLY KNOW and seek to further develop a professional relationship with those users.’ (emphasis mine)

How can you reconcile your requirement to abide by the LinkedIn terms and conditions, your statement, “Open Network Accepting All Invitations” and your codes of ethics that require you to respect laws, regulations, and rules?

As security professionals, we are supposed to lead by example. Otherwise, how are we supposed to expect others to do so if we PUBLICLY and brazenly violate them ourselves? Doing so compromises our ability to be effective in our professional work.”

The LinkedIn terms and conditions also say:

“Any other use of LinkedIn (such as seeking to connect to someone a user does not know or to use LinkedIn as a means of generating revenue through the sale of contacts or information to others) IS STRICTLY PROHIBITED AND A VIOLATION OF THIS AGREEMENT.”

Can this be any more clear?

Integrity and intellectual property

On some of my mailing lists I have seen messages recently suggesting that people are willing to send and receive copyrighted materials.

Exercise extreme caution when offering or accepting study materials that are not in their *original* form. If you transmit or receive electronic (or paper) copies of copyrighted materials such as study guides or study questions, there is a good chance that both the sender and the receiver are breaking international copyright law, which is a crime as well as a violation of the ISACA Code of Ethics.

Sending or accepting such materials also compromises your personal and professional integrity, and that will make you ineffective as IT audit professionals and leaders. See these two articles for more information:

Personal integrity: the keystone in an infosec career

A call for character and integrity

The road of higher integrity is not always the easy road. Taking the path of high integrity requires sacrifice and it is often difficult. You will, however, be a better person for it, both personally and professionally. And your conscience will allow you to sleep at night!

ETrade teaching its customers to respond to phishing scams

ETrade is teaching its users to respond to phishing scams. I am an ETrade customer, and last week they sent me the message below.

ETrade isn’t helping its customers by sending messages like this. An e-mail that announces a charge, names an account and offers links and phone numbers for resolving it is exactly the pattern a phishing message uses, so customers who learn to act on the genuine alerts will act on the phony ones too. Only the link targets distinguish the two, and most readers never look at them; the safe habit is to ignore links in e-mail and type the institution’s address yourself.

* * *

Thu Mar 13 14:48:00 2008 – Account Service Fee
Dear PETER ,

Account #: XXXX-nnnn

On 03/26/08, your E*TRADE Securities account will be charged a $40 Account Service Fee (ASF) (https://us.etrade.com/e/t/estation/pricing?id=XXXXXXXX).
If your account does not have enough funds to pay for the fee, E*TRADE Securities may sell securities in your account to cover the charge.
If you have questions about your account, call 1-800-ETRADE-1 (1-800-387-2331) or send a secure e-mail through the Help Center (https://us.etrade.com/e/t/estation/help?id=1203000000). (To call from outside of the U.S., dial +1-678-624-6210).
Learn how to avoid incurring an Account Service Fee (https://us.etrade.com/e/t/estation/pricing?id=XXXXXXX)

Review all the ways you can deposit money (https://us.etrade.com/e/t/estation/help?id=XXXXXXXXXXX)
PLEASE READ THE IMPORTANT DISCLOSURES BELOW
The E*TRADE FINANCIAL family of companies provides financial services that include trading, investing, cash management, and lending.
Securities products and services are offered by E*TRADE Securities LLC, Member FINRA(http://www.finra.org/)/SIPC(http://www.sipc.org/).

(c) 2008 E*TRADE FINANCIAL Corp. All rights reserved. The information contained in this Smart Alert is subject to the Smart Alerts Terms and Conditions (https://us.etrade.com/e/t/estation/help?id=XXXXXXXX). We cannot respond to e-mails sent to this mailbox. If you have questions, please contact us through the Online Service Center (https://us.etrade.com/e/t/accounts/servicecenterhome).

* * *
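To make the point concrete, here is an added example (written for this page, not code from ETrade or from the original post) that does the one check a reader could actually perform: pull every link out of a message and flag any whose host is not under the institution’s own domain. The two sample messages are constructed for the example. The first reuses the wording and link hosts of the genuine alert above; the second is the same text with the link host swapped for the hypothetical look-alike us.etrade.com.secure-login.example (a reserved .example name). Everything a human reads is identical between the two.

```python
"""Added example, not part of the original post: flag links in an e-mail
whose host is not the institution's own domain.

Sample messages below are constructed for this example. The look-alike host
"us.etrade.com.secure-login.example" is hypothetical (RFC 2606 reserved TLD).
"""

import re
from urllib.parse import urlsplit

# Matches an http(s) URL up to whitespace or a bracket, which is how the
# plain-text alert above wraps its links.
URL_RE = re.compile(r"https?://[^\s<>()]+")


def link_hosts(body: str) -> list[str]:
    """Return the lower-cased host of every http(s) URL in the body, in order."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_trusted_host(host: str, trusted_domains: set[str]) -> bool:
    """True if host equals a trusted domain or is a subdomain of one.

    The suffix test is label-aware: "etrade.com.secure-login.example" contains
    "etrade.com" but is not under it, so only an exact match or a trailing
    ".<domain>" counts.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def suspicious_links(body: str, trusted_domains: set[str]) -> list[str]:
    """Link hosts in the body that are not under any trusted domain."""
    return [h for h in link_hosts(body) if not is_trusted_host(h, trusted_domains)]


def triage(body: str, trusted_domains: set[str]) -> dict:
    """Summarise a message: every link host seen, the ones that fail, a verdict."""
    bad = suspicious_links(body, trusted_domains)
    return {
        "hosts": link_hosts(body),
        "suspicious": bad,
        "verdict": "suspicious" if bad else "links check out",
    }


# Constructed sample 1: wording and link hosts of the genuine alert quoted above.
GENUINE_ALERT = """\
Thu Mar 13 14:48:00 2008 - Account Service Fee
Dear PETER,
Account #: XXXX-nnnn
On 03/26/08, your E*TRADE Securities account will be charged a $40 Account
Service Fee (ASF) (https://us.etrade.com/e/t/estation/pricing?id=XXXXXXXX).
If you have questions about your account, call 1-800-ETRADE-1 or send a
secure e-mail through the Help Center
(https://us.etrade.com/e/t/estation/help?id=1203000000).
Securities products and services are offered by E*TRADE Securities LLC,
Member FINRA(http://www.finra.org/)/SIPC(http://www.sipc.org/).
"""

# Constructed sample 2: identical text, link host replaced by a hypothetical look-alike.
LOOKALIKE_ALERT = GENUINE_ALERT.replace(
    "https://us.etrade.com/", "https://us.etrade.com.secure-login.example/"
)

# Domains the genuine alert legitimately links to.
ETRADE_DOMAINS = {"etrade.com", "finra.org", "sipc.org"}


if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE_ALERT), ("look-alike", LOOKALIKE_ALERT)):
        print(f"{name}: {triage(msg, ETRADE_DOMAINS)}")
```

Note that even the genuine alert links to three different domains (etrade.com, finra.org and sipc.org), so a reader has to know the allow-list in advance; that is the knowledge a phisher counts on the victim not having.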

What security professionals can learn from Eliot Spitzer

Eliot Spitzer, the [soon-to-be-former] governor of New York State has resigned due to his being involved in a highly publicized sex scandal.

Corporate security professionals, time to sit up and take notice. I’m talking to CISSPs, CISAs, CISMs, and those in positions of ISO, ISSO, CISO, as well as Manager / Director / VP of IT Security.

As I have opined before, we are obliged to lead our organizations by example, prescribing and demonstrating the behavior we expect of employees in protecting all corporate assets, including information. Leading by example means working transparently, working every hour as though others were watching.

Eliot Spitzer gave in to his carnal desires and indulged in prostitution because he thought he could keep it hidden. But behavior is like pouring water onto a sponge: for a time the sponge soaks up the water and keeps its presence hidden; eventually the water, like the illicit behavior, overflows and can no longer be concealed. And like the frog in slowly heating water, Gov. Spitzer probably indulged in small ways at first and proceeded gradually until he was no longer in control of his behavior.

Security professionals, there are steps that you can take to avoid falling into a trap of undesired behavior:

1. Be accountable. Pick two or more peers with whom you can meet every week to discuss your activities. These individuals must be trustworthy and themselves above reproach.

2. When you feel the tug of undesired behavior, confide in these accountability partners. Then, listen to their advice; if it is sound, heed it.

3. When you partake in undesired behavior, confess it to your accountability partners. Listen to their counsel; if they are loyal and have personal integrity, they will not chastise you for your behavior but instead help you to get back onto the right track.

4. Keep no secrets. Tell your accountability partners everything that you do. Keep nothing back. Share even the deep recesses of your “thought life” – which is the kernel of future behavior.

While it will be convenient to select accountability partners from the workplace, you should not choose your superiors or your staff. Instead I recommend that you choose individuals in your organization who you do not work with routinely or, better yet, choose individuals who do not work in your organization.

You can only be accountable to others when you allow yourself to be accountable to yourself.

Some principles of behavior:

A. If, as an outsider, you would judge or criticize your own behavior, spend more time seriously considering what you are doing, and get yourself onto a path of change.

B. Do not be afraid to ask for help.

C. Learn to forgive yourself for your mistakes.

D. Do not give up.

There is an old saying: “There is no such thing as a complete failure; they can always be used as a bad example.” Gov. Spitzer may be a bad example today, but his example should help others to be introspective and re-examine their own behavior.

Remember the security professional codes of ethics:

(ISC)²
ISACA
ASIS
CTIN
ISSA
GIAC
InfraGard
SANS
NCISS

Other postings:

CIA Triad also the basis for our ethical behavior

A call for character and integrity

Principles that guide the Christian security professional

Personal integrity the keystone in an information security career

Integrity begins within: security pros lead by example (Computerworld)

U.S. state cell phone laws

I ran across a nice web site that lists cell phone laws for all 50 U.S. states. The site is maintained by the Governors’ Highway Safety Association, so I’ll presume that they’ll keep it reasonably up to date. Legislation passed by my state last week is already on the site.

I’ve got my bluetooth headset already, and I use voice-activated dialing or speed dialing to avoid distractions while driving.

http://www.ghsa.org/html/stateinfo/laws/cellphone_laws.html

Americans must take personal responsibility to curb identity theft

I have been thinking a lot about identity theft as I’ve covered the massive TJX security breach this year. I have recently reported that the size of the breach has increased from its original 47 million cards to 94 million cards, which is nearly one card per U.S. household.

The TJX breach certainly is a high-water mark, but it is nowhere near the only breach, nor the only big one. To get an idea of just how many security breaches there have been and where they have occurred, see the history of security breaches the Privacy Rights Clearinghouse has chronicled here.

The credit issuing and reporting system in the U.S. is out of control. Rather, it might be more accurate to say that the credit system has not institutionalized changes to reflect changing risks in the Internet era. The factors that have led to the epidemic of data security breaches include:

  • The proliferation of financial and private information in banking, merchant, service provider, and consumer information systems
  • The exuberance with which creditors grant credit to consumers
  • The lack of controls to ensure that the person requesting credit is actually who they claim to be

If we just sit around and wait for the government to fix this, we’ll all be robbed blind first. We must take some action on our own, now, until the credit system introduces effective controls on its own. I recommend you take these measures to protect yourself.

  1. Set up a fraud alert with one of the three credit bureaus (Experian, TransUnion, Equifax); the bureau you contact must pass it on to the other two. A fraud alert requires creditors to verify your identity before opening new credit in your name, which is the control the system otherwise lacks.
  2. Examine your credit report carefully at least once per year. Federal law entitles you to a free copy from each of the three bureaus every twelve months, so you can check a different bureau every four months at no cost.
  3. Close credit accounts that you no longer use.
  4. Consider getting your mail at a PO Box or a Private Mail Box (PMB), to reduce the possibility of mail theft.
  5. Reduce or discontinue your use of credit.
  6. Pay cash. Whenever you are paying with a credit or debit card, you are leaving information behind that can be used to commit fraudulent transactions.
  7. Double-lock your banking and credit information in your home and place of business. In other words, put all documents containing private and financial information in a safe or locked room within your home or business.

While it is true that all of these measures take time and money, they take far less of each than the effort required to clear your credit if you fall victim to identity theft.

We have been victims ourselves. My wife’s driver’s license was stolen, and it was subsequently used to write bad checks in her name. My credit card number (and name+billing address) was stolen from employees at a shipping company, and over $2,500 in fraudulent transactions charged against my debit card. Neither resulted in a wide scale identity theft against us, but they could have had we not taken action quickly.

Don’t wait for someone else to fix this for you.