Monday, December 28, 2015

Cyber Security Predictions for 2016

Happy New Year - My thoughts on Cybersecurity predictions/trends for 2016


1. The Internet of Things (IoT) will increasingly be exploited by hackers. With more and more products, including cars, refrigerators, coffee makers, televisions, smart watches, webcams, copy machines, toys and even medical devices, being connected to the Internet, the IoT will become a prime target for hackers to exploit in many ways.


2. Ransomware, whereby hackers take control of the data in their victims' computers, encrypt the data and threaten to destroy it unless the victims pay a ransom, has evolved into a bigger problem than many people may be aware of, because many victims do not report the attacks out of concern about adverse publicity. Companies of all sorts and governmental agencies have become victims of ransomware. The sophistication of the malware used as ransomware makes this a tremendous threat. In addition, while in the past ransomware has been used primarily for financial extortion, it can be expected that terrorists and others may use this malware purely to attack a target and destroy its data without any financial purpose.


3. As more and more data migrates to the cloud, hackers will focus their attention on exfiltrating data from the cloud. As is so often the case, the cloud may be vulnerable more because of the security measures used by the people and companies using it than because of inherent security weaknesses in the companies providing cloud services.

4. ISIS and other terrorist groups will attempt to conduct cyberwarfare, including trying to attack vulnerable computer-connected infrastructure, including energy facilities.

5. Spear phishing, the primary method for implanting malware in the computers targeted by hackers, will become more and more difficult to identify as hackers are able to harvest personal information from both public sources and stolen private sources to make their spear phishing emails appear legitimate. In particular, social media will provide tremendous amounts of personal information that will be exploited by identity thieves and scammers to tailor spear phishing emails and scams to their victims.

6. Small and medium-size businesses will become increasingly targeted for data breaches that can be exploited for purposes of identity theft as they become perceived as the low-hanging fruit for cybercriminals. It's not a matter of how but when the hackers will breach your network.

7. The creation and sale by sophisticated cybercriminals of exploit kits, software that relatively unsophisticated cybercriminals can use to identify vulnerabilities in computer systems that can then be exploited by malware, will increase.

8. Although in the wake of the massive data breach at the Office of Personnel Management (OPM) the federal government has made a concerted effort to increase computer security, the problem is too big and the government is too cumbersome to make the dramatic across the board changes necessary to prevent another major and embarrassing data breach at one or more federal agencies.

9. As more and more people do large amounts of their financial dealings on their smartphones, these devices will increasingly be targeted by identity thieves seeking to exploit vulnerabilities in the Android systems and Apple's iOS. Hackers will also take advantage of smartphone users failing to use basic security precautions such as having a complex password for their smartphones or failing to install and continually update anti-virus and anti-malware software.

10. The financial system will come under increased attack in creative ways such as stealing "insider" information and using it to profit through stock trading. Pump and dump schemes will be done on a large scale based on stolen data identifying vulnerable victims. Banks worldwide will continue to be targeted by criminals attacking not just particular accounts, but the accounting systems of the banks to make their crimes more difficult to recognize.

11. The health care industry will remain the largest segment of the economy to be victimized by data breaches both because, as an industry, it does not provide sufficient data security and because the sale of medical insurance information on the black market is more lucrative than selling stolen credit and debit card information. Medical identity theft is not only the most costly for its individual victims to recover from, but also presents a potentially deadly threat when the identity thief's medical information becomes intermingled with the medical identity theft victim's medical records.

12. Although data breaches have not been discovered at major retailers during this holiday shopping season, that does not mean that they have not occurred. It only means that they have not yet been discovered. You can expect that in 2016 we will learn about major retailers whose credit and debit card processing equipment has already been hacked.

13. The computers of the candidates for President of the United States present too tempting a target to a wide range of hackers from those merely looking to embarrass a candidate to those seeking financial information about political contributions. Expect one or more candidates to have their campaigns' computers hacked.

As scary as this baker's dozen of predictions and warnings may be, there are many things we can do to increase our own personal cybersecurity. I will discuss those in my first column of the new year.

Malware-Driven Card Breach at Hyatt Hotels

Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.
Hyatt’s notice to customers has very few details about the investigation, such as how long the breach lasted or how many consumers may have had their card data stolen as a result. Hyatt did say that it has taken steps to strengthen its systems, and that “customers can feel confident using payment cards at Hyatt hotels worldwide.”
As of September 30, 2015, Chicago-based Hyatt’s worldwide portfolio included 627 properties in 52 countries.  Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging and the Trump Collection.

Thursday, October 1, 2015

Cyber Security Awareness Month

In honor of Cyber Security month I wanted to offer tips to help you keep your customer and business data safe.

1. Use strong passwords and employ additional authentication. You should require unique passwords for employees, and require that they change them at least every 90 days. Consider a multifactor authentication scheme to add an additional layer of security. "Password1" is still the most commonly used password in the business setting.

2. Make security a priority for employees. Create well-defined security policies and best practices for your business, including appropriate Internet guidelines. Establish penalties for violating company cyber security policies, and update employees regularly on possible security issues. Be transparent with how cyber security affects your business.

3. Keep physical access to computers and servers secure. Ensure unauthorized individuals don’t use business computers by putting physical controls in place, i.e. keeping them away from customers. Require individual logins for employees, and lock up laptops when unattended. If you have a public computer for customers to use, put it on a separate guest network.

4. Limit install and admin authority on all systems. Make sure your operating system has its firewall enabled or install one yourself—they’re available free online. If you do business from home or have employees that do, create a policy to ensure the same for those connections. Records being compromised by external hacking have significantly increased from roughly 49 million in 2013 to 121 million and counting in 2015.

5. Secure your Wi-Fi. Make sure any Wi-Fi network that employees use for work is encrypted and secure. If you offer free Wi-Fi to customers, keep a separate network for the public and one for your business, and set up the business connection so that the SSID (network name) isn’t broadcast. Create and change passwords for both frequently, or tie them to the same username and password combination that employees use to log into their computers.

6. Update software regularly. Ensure your security software, Internet browser, and operating system are up to date to limit the possibility of security breaches; the majority of security breaches happen on outdated software. Consider setting programs to auto-update (preferably after business hours) if the option is available.

7. Define strong policies for mobile devices. If you or your employees are going to access sensitive data from mobile devices, ensure you have a strong policy around mobile access in place, including password protection for the device, data encryption, security apps, and reporting procedures for lost or stolen devices.

8. Limit employee access to sensitive data. Ensure employees are only allowed access to data essential for the duties of their job, and limit universal access to key personnel. Log all access to data and analyze those logs for strange behavior.

9. Keep important business data backed up. Regularly back up important business data and information, including documents, spreadsheets, databases, financial information, HR info, and accounting information. Install a scheme for automatic backup or perform a backup at least weekly, storing information offsite or in the cloud.

10. Purge or encrypt sensitive data. Purge customer credit card numbers and expiration dates daily, and never store CVV2, PINs, PIN Blocks, or full track data. Maintain only the minimal data required for charge-backs and refunds.

11. Keep payment systems up-to-date and isolated. Ensure your credit and debit card readers are EMV-compliant, and work with your processing vendor and bank to ensure trusted anti-fraud systems and practices are in place. Isolate payment systems from less secure programs, i.e. don’t process payments and surf the Internet on the same machine.

12. Ensure a secure connection with TLS authentication. To abate customer fears about transaction security, make sure your ecommerce platform includes a strong Transport Layer Security (TLS) authentication scheme, such as Extended Validation, to authenticate the identity of your business while encrypting data in transit. Include prominently displayed trust signals (security seal) so customers know they’re safe shopping on your site.

13. Use multiple layers of security. Employ a firewall, then ensure contact forms, user registration and logins, and search queries are protected with extra layers of security to make sure your ecommerce site is protected from application-level cyber attacks like SQL injections and cross-site scripting.
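
One way to act on tip 10, as an added example rather than code from the original post: a sanitizer that strips track data, CVV2 and expiration fields from stored records and masks Luhn-valid card numbers down to the last four digits. The record layout, the field names (card=, exp=, cvv=) and the choice to retain the last four digits are assumptions; the card numbers are well-known test values.

```python
import re

# Magnetic stripe layouts: track 1 is %B<PAN>^<NAME>^<YYMM>...? and
# track 2 is ;<PAN>=<YYMM>...?  Neither may ever be stored.
TRACK_RE = re.compile(
    r"%B\d{13,19}\^[^^\n]*\^\d{4}[^?\s]*\?"   # track 1
    r"|;\d{13,19}=\d{4}[^?\s]*\?"             # track 2
)
# Field names below are assumptions about how an application logs card data.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b")
EXP_RE = re.compile(r"(?i)\b(exp(?:iry)?)\s*[=:]\s*\d{2}/\d{2,4}\b")
# 13 to 19 digits, optionally grouped with spaces or dashes, not embedded
# in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records (test card numbers, not real accounts).
SAMPLE_RECORDS = """\
2015-10-01T09:02:11Z order=1234567890123456 card=4111111111111111 exp=12/17 cvv=123 amount=42.00
2015-10-01T09:05:40Z swipe ;5555555555554444=17121010000000000000? amount=18.50
2015-10-01T09:07:02Z card=4111-1111-1111-1111 exp=12/17 refund=42.00
2015-10-01T09:09:30Z swipe %B4111111111111111^DOE/JANE^17121010000000000? amount=5.00
"""


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize(text):
    """Return (clean_text, counts) with prohibited card data removed."""
    counts = {"track": 0, "cvv": 0, "exp": 0, "pan": 0}

    def drop_track(match):
        counts["track"] += 1
        return "[TRACK-DATA-REMOVED]"

    def drop_field(kind):
        def repl(match):
            counts[kind] += 1
            return match.group(1) + "=[REMOVED]"
        return repl

    def mask_pan(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # order ids and the like stay untouched
        counts["pan"] += 1
        # Assumption: the last four digits are the minimal data kept
        # for charge-backs and refunds.
        return "*" * (len(digits) - 4) + digits[-4:]

    # Track data goes first so the PAN inside it is removed, not just masked.
    text = TRACK_RE.sub(drop_track, text)
    text = CVV_RE.sub(drop_field("cvv"), text)
    text = EXP_RE.sub(drop_field("exp"), text)
    text = PAN_RE.sub(mask_pan, text)
    return text, counts


if __name__ == "__main__":
    clean, counts = sanitize(SAMPLE_RECORDS)
    print(clean)
    print(counts)
```

The Luhn check is what keeps the 16-digit order number in the first record from being mistaken for a card number.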

New Malware Threat a Warning to Banks, Customers and ATMs

Beware Cash-Out Attacks, Banking Trojans Via Malvertising and POS Memory-Scraping Malware.

The new warnings center on three types of unrelated malicious code. For starters, malware has been spotted in the wild that is being used to drain cash from ATMs in Mexico, although security researchers warn that it could go global. The Shifu banking Trojan, meanwhile, has moved beyond Japan and is now being used to target customers of four U.K. banks. Finally, the notorious Neutrino crimeware has gotten an upgrade, allowing it to scrape POS device memory and steal payment-card data.

Cash-Out Attacks: GreenDispenser Malware
The newly spotted ATM cash-out malware has been dubbed "GreenDispenser" by cybersecurity firm Proofpoint, which says that while it has only seen the malware used to "cash out" ATMs in Mexico, the malicious code could soon spread to other countries. "GreenDispenser provides an attacker [with] the ability to walk up to an infected ATM and drain its cash vault," Proofpoint security researcher Thoufique Haq says in a blog post. "When installed, GreenDispenser may display an 'out of service' message on the ATM, but attackers who enter the correct PIN codes can then drain the ATM's cash vault and erase GreenDispenser using a deep-delete process, leaving little if any trace of how the ATM was robbed." A deep delete in this case means that the malware not only deletes itself, but also employs Microsoft's sdelete to make it much more difficult for any malware-related bits and bytes to be recovered via later digital forensic analysis.

The malware resembles the PadPin - a.k.a. Tyupkin - ATM malware that first surfaced in March 2014, and which could be used to make an ATM dispense all of its money, in what's known as a "jackpotting" or cash-out attack, Proofpoint says, adding that it believes that installing the malware requires physical access to an ATM. Like PadPin, GreenDispenser is designed to interact with a set of standard programming interfaces, or APIs, that are built into most ATM host computers and components, known as XFS - which stands for "extensions for financial services."

Malvertising Attacks Now Serve Shifu Banking Trojan
The banking malware known as Shifu - after the Japanese word for thief - has returned, and is no longer just targeting Japanese banks. In a Sept. 25 blog post, the French researcher who maintains the Malware Don't Need Coffee blog, who goes by the name Kafeine, warns that in recent days, the malware has been spotted targeting four U.K. banks: Bank of Scotland, Halifax, Lloyds Bank and TSB. To date, it's not clear how many banking customers' systems may have been infected with the malware.

In August, IBM reported that it first saw Shifu being used for in-the-wild attacks, beginning at least in April. But Kafeine says that after cross-referencing his findings on Sept. 24 with security researchers at Fox-IT and Dell SecureWorks, they found that collectively they had been tracking Shifu since September 2014. "We were using a 'non public' name to talk about it," Kafeine reports.
In the United Kingdom, Shifu is being spread via malvertising attacks, Kafeine says. To date, it's not clear if these attacks are part of a campaign that has successfully served malicious advertising via multiple popular sites, including dating sites Plenty of Fish and Match.com.

Neutrino Malware Targets POS Devices
Meanwhile, upgraded Neutrino - a.k.a. Kasidet - crimeware toolkit malware is also now targeting POS devices, report researchers RonJay Caragay and Michael Marcos at information security firm Trend Micro. Previously, the crimeware toolkit - which competes with Angler - was known in part for its ability to facilitate distributed denial of service attacks.

In a Sept. 24 blog post, Trend Micro says that new research has found that Neutrino version 2.9, which debuted in March, included for the first time the ability to steal credit card details - by "scraping" the RAM of infected devices, via a feature referred to as "ccsearch." But in July, it says, a cracked edition of version 3.6 of Neutrino - which had previously only been available via cybercrime markets, for a price - was leaked onto underground forums, meaning it is now available for free.
Trend Micro - which is headquartered in Japan - reports that based on data gathered from its users' antivirus software, the greatest number of recent Neutrino infections have been seen in Japan, followed by the United Kingdom, Taiwan, France and the United States. It warns that it saw a 1,288 percent spike in related malware detections between May and June, even before the malware became available for free in July. Neutrino, the security firm says, is designed to infect Windows systems via removable drives and network folders, and gives attackers the ability to capture keystrokes and screenshots from infected systems, copy clipboard data, launch a remote shell, launch DDoS attacks, as well as steal data from POS device memory.

"Upgrading old malware to include POS RAM-scraping capabilities is a new technique in the threat landscape, but it's not surprising, given how lucrative stolen payment card data is," Trend Micro says. Furthermore, the release of the cracked, free version of Neutrino continues to lower the barriers to entry for payment-card-seeking criminals. "Scoring this tool is basically finding a valuable tool in a bargain bin and ending up not having to even pay for it," Trend Micro says.

Wednesday, August 12, 2015

FFIEC Cybersecurity Assessment Tool


The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool was released June 30, 2015. The Assessment is designed to help financial institutions and regulators determine the inherent risk exposure to a cybersecurity attack, and measure “Cybersecurity Maturity.” Designed for financial institutions of all sizes, the Assessment incorporates concepts and principles contained in the FFIEC IT Examination Handbook. Core documents include an overview for Chief Executive Officers and the Board of Directors, User Guide, Inherent Risk Assessment, and Cybersecurity Maturity evaluation. Additional information and documentation are located at the following link: http://www.ffiec.gov/cyberassessmenttool.htm

 

There are two parts to the Assessment designed to help management evaluate inherent risk, measure security preparedness, and identify gaps in controls:

 

  • FFIEC Cyber Inherent Risk Profile – this document assists in determining your risk exposure to cybersecurity attack, based on the ‘risk that the institution’s activities, services, and products pose to the institution.’
     
  • FFIEC Cyber Mapped to FFIEC Handbook – this document assists in determining your current state of cybersecurity preparedness represented by maturity levels across five domains.  This document helps determine whether your institution has adequate controls to prevent and respond to a cybersecurity attack.

 

The Assessment is designed for use by institutions of all sizes, and provides a straight-forward and adaptable approach.  By reviewing the inherent risk and maturity levels across all of the domains, the FFIEC states that management can determine whether the bank’s maturity levels are appropriate in relation to its risks. If not, the bank may take action either to reduce the risk or increase the level of maturity.

 

While the use of the Assessment is optional for institutions, examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.  Examiners will begin using the Assessment in late 2015. Additional information can be found on the OCC website: www.occ.treas.gov

 

Solution

The severity and impact of cyber threats have changed the landscape in which financial institutions of all sizes and complexities operate.  Breaches of customer data, credit card information, employee and customer authentication credentials, etc., are becoming more commonplace.  It is critical that financial institutions maintain a formal process for managing cyber risks that informs management and boards of directors.  The Cybersecurity Assessment Tool is designed to support and enhance the following elements of an institution’s overall cybersecurity risk management program:

 

  • Identify, measure, mitigate and monitor risks
  • Develop risk management processes commensurate with your institution’s level of risk and complexity
  • Align IT strategy with business strategy and account for how risks will be managed both now and in the future
  • Create a governance process to ensure ongoing awareness and accountability

Monday, August 3, 2015

TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations

Systems Affected


Microsoft Windows Systems, Adobe Flash Player, and Linux


Overview


Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple, ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures.


Description



US-CERT is aware of three phishing campaigns targeting U.S. Government agencies and private organizations across multiple sectors. All three campaigns leveraged website links contained in emails; two sites exploited a recent Adobe Flash vulnerability (CVE-2015-5119) while the third involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the websites involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.


Impact



Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.


Solution



Phishing Mitigation and Response Recommendations


  • Implement perimeter blocks for known threat indicators:
    • Email server or email security gateway filters for email indicators
    • Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
    • DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
  • Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
  • Identify recipients and possible infected systems:
    • Search email server logs for applicable sender, subject, attachments, etc. (to identify users that may have deleted the email and were not identified in purge of mailboxes)
    • Search applicable web proxy, DNS, firewall or IDS logs for activity showing the malicious link was clicked.
    • Search applicable web proxy, DNS, firewall or IDS logs for activity to any associated command and control (C2) domains or IP addresses associated with the malware.
    • Review anti-virus (AV) logs for alerts associated with the malware.  AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence a system is not infected.
    • Scan systems for host-level indicators of the related malware (e.g., YARA signatures)


  • For systems that may be infected:
    • Capture live memory of potentially infected systems for analysis
    • Take forensic images of potentially infected systems for analysis
    • Isolate systems to a virtual local area network (VLAN) segmented from the production agency network (e.g., an Internet-only segment)
  • Report incidents, with as much detail as possible, to the NCCIC.
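
The "identify recipients and possible infected systems" steps in the list above, as an added example that is not part of the US-CERT alert: it correlates a mail gateway log with a web proxy log and ranks each user as received, clicked, or C2 contact. The log layouts, column names, addresses and indicator values are all constructed assumptions.

```python
import csv
import io

# Constructed indicators (placeholders); substitute the campaign's real ones.
INDICATORS = {
    "senders": {"billing@invoice-portal.example"},
    "subject_terms": {"outstanding invoice"},
    "link_hosts": {"compromised-site.example"},
    "c2_hosts": {"c2-node.example"},
    "c2_ips": {"203.0.113.45"},
}

# Constructed mail gateway log. The gateway log, not the mailbox, is the
# record of delivery, so users who deleted the message still appear here.
MAIL_LOG = """\
time,sender,recipient,subject
2015-07-14T09:02:11Z,billing@invoice-portal.example,alice@agency.example,Outstanding invoice 4471
2015-07-14T09:02:12Z,Billing@Invoice-Portal.example,bob@agency.example,RE: Outstanding Invoice 4471
2015-07-14T09:05:40Z,newsletter@vendor.example,carol@agency.example,July newsletter
2015-07-14T09:06:02Z,hr@agency.example,dave@agency.example,outstanding invoice reminder
"""

# Constructed web proxy log.
PROXY_LOG = """\
time,user,dest_host,dest_ip,url_path
2015-07-14T09:10:03Z,bob@agency.example,cdn.compromised-site.example,198.51.100.7,/docs/invoice.zip
2015-07-14T09:10:44Z,bob@agency.example,c2-node.example,203.0.113.45,/gate
2015-07-14T09:12:00Z,alice@agency.example,notcompromised-site.example,198.51.100.9,/
2015-07-14T09:30:19Z,erin@agency.example,updates.vendor.example,203.0.113.45,/check
2015-07-14T09:31:00Z,carol@agency.example,www.vendor.example,198.51.100.20,/news
"""


def host_matches(host, indicator_hosts):
    """Match the indicator host itself or any subdomain, never a mere suffix."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in indicator_hosts)


def find_recipients(mail_log, ind):
    """Users who were sent a message matching a sender or subject indicator."""
    recipients = set()
    for row in csv.DictReader(io.StringIO(mail_log)):
        sender = row["sender"].lower()
        subject = row["subject"].lower()
        if sender in ind["senders"] or any(t in subject for t in ind["subject_terms"]):
            recipients.add(row["recipient"].lower())
    return recipients


def find_web_activity(proxy_log, ind):
    """Users who fetched the linked site, and users who reached C2."""
    clicked, c2 = set(), set()
    for row in csv.DictReader(io.StringIO(proxy_log)):
        user = row["user"].lower()
        if host_matches(row["dest_host"], ind["link_hosts"]):
            clicked.add(user)
        # An IP match catches C2 reached under a hostname not yet on the list.
        if host_matches(row["dest_host"], ind["c2_hosts"]) or row["dest_ip"] in ind["c2_ips"]:
            c2.add(user)
    return clicked, c2


def triage(mail_log, proxy_log, ind):
    """Return {user: {"status": ..., "received": bool}}, worst status wins."""
    recipients = find_recipients(mail_log, ind)
    clicked, c2 = find_web_activity(proxy_log, ind)
    report = {}
    for user in recipients | clicked | c2:
        if user in c2:
            status = "C2_CONTACT"   # candidate for memory capture and isolation
        elif user in clicked:
            status = "CLICKED"      # scan host for indicators
        else:
            status = "RECEIVED"     # purge the message, notify the user
        report[user] = {"status": status, "received": user in recipients}
    return report


if __name__ == "__main__":
    for user, entry in sorted(triage(MAIL_LOG, PROXY_LOG, INDICATORS).items()):
        print(f"{user:24} {entry['status']:11} received={entry['received']}")
```

A user who shows C2 contact without appearing in the mail log (erin in the sample) still belongs on the list: the message may have been forwarded or the host infected another way.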


Educate Your Users


Organizations should remind users that they play a critical role in protecting their organizations from cyber threats. Users should:


  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.  Be particularly wary of compressed or ZIP file attachments.
  • Avoid clicking directly on website links in emails; attempt to verify web addresses independently (e.g., contact your organization’s helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
  • Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.


Basic Cyber Hygiene


Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today’s security practitioners:


  • Privilege control (i.e., minimize administrative or superuser privileges)
  • Application whitelisting / software execution control (by file or location)
  • System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
  • Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
  • Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
  • Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV) cards)


Further Information


For more information on cybersecurity best practices, users and administrators are encouraged to review US-CERT Security Tip: Handling Destructive Malware to evaluate their capabilities encompassing planning, preparation, detection, and response. Another resource is ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.


References



ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies

Friday, July 24, 2015

Ten Risky Security Practices to Avoid


Introduction
You are a problem. You are a risk to your employer. The actions you take and the activities you perform at work, online, and even in your personal life put your employer at risk. You need to know how you are a security risk to the organization and what you can do to reduce or eliminate those risks. In this paper, I discuss ten common risky behaviors that typical workers engage in and what you can do to avoid being the weakest link in your company.

1. Accessing the Spam Folder

It has become fairly standard to have a spam or junk filter operating on your email. Unfortunately, if you can still access messages placed in the spam or junk folders, then no security improvement has been achieved. A security solution would allow you to read the plain-text contents of a spam message but not execute any enclosed scripts, not open any attachments, and not visit any offered hyperlinks. However, this is rarely the case. So, you can avoid being a risk to your organization by staying out of the spam folder. If you have to look in the spam folder, then only look at the list of messages showing the subject lines. If you think there is a valid message in the spam folder, then reach out to your technical support team to inquire about the best procedure to follow to retrieve the message. Keep in mind, you could be wrong and the message really is a problem.

2. Delaying Updates and Patches

Updates and patches are an important part of security management. Most organizations perform testing on newly released updates before pushing them out to the production network. If your environment gives you the option to delay updates, then you should choose to let the updates install immediately. Yes, save and close your work but try not to delay the installation. Within hours of a patch release, hackers have examined the flaws it aims to correct and have written exploits to take advantage of those systems that do not have the update applied. Since your IT staff has already spent days or weeks evaluating new updates, any further delay to installing the updates keeps your system at risk for a longer period of time.

3. Opening Email Attachments

Email remains one of the primary means by which malware is distributed. Through the use of social engineering techniques, hackers craft messages encouraging or tricking you into opening the attachment. Malware can even come from those whom you trust, as their systems may have been compromised and used to send out harmful messages to everyone in their address book. Even well intentioned users might unintentionally send a malware infected file. It is always best to avoid sending or receiving files by email. If you receive an attachment that you believe is valuable and important, send a message back to the sender to confirm they sent the file intentionally. You can also recommend that a file-sharing service be used instead. By not opening attachments, your system will be infected by malware less often.





4. Using Portable Drives

Portable drives are often very convenient, but that convenience comes at a cost. Any portable drive can become infected with malware and then spread that infection to each new machine to which it is connected. Use a file-sharing service instead of a portable drive to avoid spreading malware across multiple systems. Another related problem can occur if you use a personal device to move company documents between business systems. Even after you delete the files off the drive, data remnants may allow the recovery of those files. If you lose the device, anyone with a data recovery tool (such as Pandora Recovery) can regain access to recently deleted files. So, don't use portable drives and you will avoid these two risks.

5. Bypassing Company Firewall Filters

Surfing the Internet from your work computer can be very frustrating, especially when the company implements strict domain, site, and content filters. It is in your best interest to abide by the company restrictions on company equipment. While it may be possible and easy to bypass such filters with tunneling tools, anonymous proxies, and VPN services, you should not do that. Don't be the employee who violates the Acceptable Use and Internet Policy and places the company at risk from malware infection or hacker intrusion. Use either a personal device with your own Internet connection through your wireless carrier or wait until you return home. Playing by the Internet rules of the organization will reduce your risk.

6. Posting Company Information on Social Networks

Many of us use social networks as our primary means of interaction and communication with friends, family, and peers. However, it is easy to forget that much of what occurs on a social network is public, rather than private. Many forget this and assume no one but their online buddies will see their snide remarks or crass statements about their employer. Others even post company private information or proprietary materials to social networks. This is a serious violation of ethics and likely several laws. It’s in your best interest to act responsibly on social networks. Don't post anything on a social network that you don't want your boss, co-workers, and family to see. A great rule to follow is: "If you can't say something nice, then don't say anything at all." Posting company secrets to a social network is a fast way to unemployment and possibly a lawsuit. Use social networks to discuss your extraordinary children and your obsession with a TV show. This will reduce the risk you cause your employer.

7. Linking Your Mobile Phone to Company Computers

It may seem silly to forbid you to connect your mobile device, such as a smart phone or tablet, to your work computer; especially when all you are intending to do is charge the device. The problem is that the cable you are using to make that charging connection almost always supports data exchange as well. This causes your mobile device to appear as a storage device to the computer. Thus, malware can infect the company computer from your mobile device and confidential company documents could be copied to your mobile device. These are both serious violations. Even worse issues arise if you use your mobile phone to provide your work computer with an alternate and unfiltered Internet connection. This process is often known as tethering when using a cable but it also can be accomplished via Bluetooth and Wi-Fi. Always limit your work computer's Internet access to that which is provided and secured by the organization. If you must charge your device at work, bring a charging adapter and plug it into a standard power outlet. In fact, keeping such a charger at work and ready to use will reduce the temptation to connect your mobile device to the company equipment.
 
Another issue related to mobile devices is using them on the company network. If your organization allows personal devices to be connected to the company network, then be sure to read, understand, and follow the company's mobile device policy (often known as the BYOD [bring your own device] policy). If having your personal device on the company network does not give you an advantage to getting your work tasks accomplished, then don't do it. You will be less of a risk to the organization if you keep your personal device away from the company network. If you are able to access your company's email across your wireless provider's Internet link, then often times there are few other benefits to being on the company's internal private network.

8. Installing Unapproved Software on Your Workstation

If your organization does not have a strict end-user policy in which your account is secured, you may be able to install or launch software that was not provided by the IT staff. If this is the case for your organization, take every precaution to avoid installing or running any application on your work computer until you get approval from the IT staff. The most secure situation would allow only pre-approved applications to execute. This concept (known as whitelisting) ensures that unknown and unapproved software is not allowed to execute. Some organizations only partially implement this restriction by allowing stand-alone software to run, but not allowing software to be installed. This is only a minor security improvement above having no restrictions at all. Whatever your organization's security stance is on this issue, you want to avoid being the user that brings malware or allows hacker intrusion through the act of running or installing unapproved software.

9. Accessing File Exchange Services for Non-Work Purposes

For many of us, the Internet connection at work is significantly faster and more reliable compared to our home connection. It is tempting to use the company's Internet link to download large files or a large volume of smaller files so that it saves us time at home. Whether syncing a music library, downloading legally purchased entertainment content, or accessing pirated material, it is always a bad decision to use company equipment for personal activities. First, while you might have the legal right to have possession of the media you purchased on any device you own, the company does not. Copies of your files on the company equipment can be viewed as a copyright and/or license violation. Second, if the content is pirated or the status of the content is unknown, the company's Internet service provider may detect the data transfer and issue copyright violation warnings or disconnect the service completely. Third, you will likely need to connect a personal portable drive to a work computer in order to transfer your downloaded data so you can bring it home. Just a few points back, I clearly indicated how this is a risk you need to avoid. So, take the high road and don't use the company's Internet link to download personal files.

10. Believing Everything Online Is True

"There's a sucker born every minute" is a phrase likely spoken by David Hannum about P.T. Barnum. The original context was in relation to crowds continuing to pay to see a spectacle even after it was proven to be false and a hoax. This phrase continues to be applicable in relation to content viewed online. Too many people blindly believe anything and everything posted online, especially if they see it through a social network or discover it in relation to an online entity they know. It is important to realize that most of the content on a social network and most other sites is crafted to attract eyeballs and drive wallets, rather than to distribute facts and truth. You need to see the Internet as a source of information, not as a source of fact.

In the last few years we have seen a significant rise in the occurrence of money stealing scams, identity theft, spear phishing attacks, viral marketing campaigns, propaganda, and worse. We have seen the stock market take a nose dive due to a false tweet about the president being injured. We have seen news agencies repeat a tweet for hours as a fact, only later to discover it was a hoax. All too often organizations attempting to make a buck will craft false and misleading information about their product or service.

It is up to you to be skeptical about anything you read online. Take the time to investigate the source of the information. Try to find corroborating or refuting independent sources, both online and offline. If you are unable to determine that something is clearly true, then delay your response and any other investment and avoid re-posting the item. Wait three days and then check again. Don't get caught up in the mob; don't follow along with the masses; don't make any knee-jerk reaction/response. Be patient, be thoughtful, and be reserved. You'll be glad you did.

In relation to your organization, when someone attempts to contact you outside of the normal means used at work, be cautious. If you normally talk with a client over the phone but they are now using your personal email or posting to your Facebook page, don't immediately believe it is the real entity. If you are asked to give details of an order, a product, a press release, an element of research and development, or whatever, and it is not your job/department/responsibility and you are unable to establish solid verification of their identity, then stop responding to the unknown outsider. Report the incident to your security staff and ask for instructions on how to proceed. Most companies have a communications policy, so be sure to read, understand, and follow that policy. Be vigilant and don't believe everything you see online. All of these tips will help keep you from bringing larger risks to bear against your organization.

Conclusion

Most of the time, the reason a worker is a risk to the organization is because they don’t know the company rules and thus are unable to follow them. It is always your responsibility to read and understand all of the policies and procedures relevant to you and your job. Company security policies were written to protect the company and their employees. Thus, knowing these policies and abiding by those guidelines will keep the company more secure and reduce the chance that a security violation will be traced back to you.




