Third party / vendor management - due diligence standards

Third Party Due Diligence Standards

Things every organization should look at when conducting initial or annual due diligence on a vendor/client.

 

The third party’s controls must either meet or exceed the defined controls required by PCI and meet GLBA compliance.

 

The GLBA safeguard rule requires all financial institutions to have security plans in place to ensure the confidentiality and integrity of customer data. An Information Security Plan must make use of the following:

 

• Administrative safeguards, such as employee oversight and training;
• Physical safeguards, such as restricted access to hardware and disaster recovery plans;
• Technical safeguards, such as firewalls, encryption, access controls and secure computer networks.

 

Safeguards must be implemented in proportion to the scope of and risk to the institution and the information it handles. Furthermore, the safeguards rule requires that an employee oversees the development and coordination of security in the institution.

 

The following areas should be reviewed during the due diligence process.

 

Incident Response

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a process that should be followed when an incident occurs.

 

• The incident response document should include the following:
• Define an incident response team with assigned roles and responsibilities
• Categorize or identify what types of detected activities require incidence response
• Define incident response investigation and validation requirements. For example all administrative and/or privileged activities must be logged including date, time, activity performed and any suspect information identified.
• Define evidence gathering and handling techniques that will be used as part of the response activity
• Define a containment strategy and who has the authority to make critical or business impacting decisions when a breach occurred. Time is critical waiting for executive approval could be costly.
• Define requirements for who must be contacted, and within what time period should that contact occur when reporting a compromise or breach.
• Include requirements to use an association approved forensics vendor listed or referenced within the document
• Reference the creation of a formal incident report. Include historical tracking, training and lessons learned.
• Include a schedule for the plan to be practiced and reviewed.
• Assign responsibility for creating and distributing security incident response and escalation procedures.

 

Information Security

A security policy is a document that states in writing how your organization protects the company’s physical and logical information technology assets. A security policy is often considered to be a “living document”, meaning that the document is never finished but is continuously updated as technology and employee requirements change. A company’s security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measurements will be carried out and enforced, a procedure for evaluating the effectiveness of the security policy, and steps taken to ensure that necessary corrections will be made.

 

The Information Security Policy should include the following:

• Define access controls for device management (routers, firewalls and switches)
• Define roles and responsibilities
• Define the process followed for user creation and modifications
• Define the process for removing/disabling user accounts immediately upon termination
• Define the requirements that all employees and contractors sign an acceptable use policy
• Define the requirements that all employees and contractors sign non-disclosure agreements regarding confidential information
• Define server hardening procedures
• Define system patching procedures and schedules
• Define logging requirements for all critical systems as well as review retention requirements
• Define authentication requirements
• Define a formal access approval process
• Define the requirements that criminal background checks are performed on employees
• Define the frequency for penetration tests and location of documented results
• Define anti-virus standards including actions to be taken when a virus is detected
• Define the risk management program
• Categorize data based on sensitivity
• Define due diligence preformed on third parties
• Define data encryption requirements
• Define encryption key management requirements
• Define remote access procedures
• Define a log and  firewall review schedule
• Define automated alerts on security, logging and monitoring systems
• Define security awareness training is performed annually
• Define data retention and destruction procedures
• Define how visitors are identified and logged
• Define data center environmental controls
• Define how facility entry points are secured including the use of cameras to monitor sensitive areas, a definition of the retention plan for these videos
• Is wireless being utilized, define strong authentication and encryption that is in place for mobile devices
• Define the process for the inventory and review for all computer equipment maintained

Business Continuity

Business continuity describes the processes and procedures an organization has in place to ensure that essential functions will continue during and after a disaster. Business contingency planning seeks to prevent interruption of mission-critical services and to recover as swiftly and smoothly as possible. A document review and update should occur at least annually or as systems are modified and/or enhanced.

 

• The business continuity plan should include the following:
• Include a risk analysis or reference to  risk assessment in the document
• Include a Business Impact Analysis in the document
• Define redundant processes that are in place to continue business
• Define roles for all crisis management team members
• Define cross-training in the plan
• Define the BC/DR testing, including the frequency of the test (at least annually) and make sure the results are documented
• Define communication responsibilities for clients and staff
• Document the locations covered by the plan, including data center locations
• Document that backup recovery testing occurs annually

 

Change Control

Change control is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into a system or undoing changes made by other users or software. The goals of a change control procedure usually include minimal disruption of services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change.

 

• The change control procedure should include the following:
• Define how infrastructure and software changes are documented and formally approved
• Define the user acceptance testing process
• Define how changes are tested in a separate user acceptance testing (UAT) environment prior to implementing into production
• Define documented back out procedures required for changes
• Define segregation of duties
• Define change release cycles
• Define the process for emergency changes

 

Risk Assessments

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage IT systems, but as an essential management function of the organization.

 

Risk assessments are an important part of assessing your organizations controls and overall security.

 

The risk assessment should include the following:

• Clearly defined process for accessing and scoring the threat likelihood, business impact, controls in place and residual risk of effectiveness of the control.  If the residual risk score exceeds the defined acceptable risk level a plan for remediation including proposed additional controls needed should be included.
• Assessments should include all methods of handling customer information including;
  • Access, Collections, Storage, Use, Transmission and Disposal

 

Following publications can be used to assist in the development of the program.

http://csrc.nist.org/publications/nistpubs/800-30/sp800-30.pdf

http://www.gao.gov/special.pubs/ai99139.pdf

 

CVV/PIN Generation Policy (Processors only)

Section 3.2 of the PCI DSS standards spells out specific requirements for CVV and PIN generation. CVV and PIN are some of the items that cannot be stored and must always be generated. The CVV/PIN generation policy should include:

• Describe the equipment and methodologies used to ensure PINs are kept secure
• Define the key creation and key management procedures
• Define how are keys conveyed and/or transmitted
• Define the process used to administer keys
• Define the process used for key loading to hosts and PIN entry devices
• Define how unauthorized key usage is prevented or detected
• Define the manner in which equipment used to process PINs are keys are managed
• Define key storage and management procedures
• Define if PINs or CVV/CVV2s are stored anywhere on the network and how we detect if they were or ensure they are not in the future

 

SSAE16

The following information and controls should be included in this document.

• An Information Security Policy exists and has been approved by an appropriate level of executive management
• Procedures exist and are followed to authenticate all users of a system (both internal and external) to support the existence of transactions
• Procedures exist and are followed relating to the timely action of requesting, establishing and issuing user accounts
• Procedures exist and are followed relating to the timely action of suspending and/or changing user accounts
• A control process exists and is followed to periodically review and confirm access rights
• IT security staff monitors and logs security activity at the operating system, application and database levels and identified security violations are reported to senior management
• Access to facilities is restricted to authorized personnel and requires appropriate identification and authorization.
• Request for program changes, system changes and maintenance (including changes to system software) are standardized, logged, approved and documented and subject to formal change management procedures
• Emergency change requests are documented and subject to formal change management procedures
• Controls are in place to restrict migration of programs to production by authorized individuals only
• The organization has a system development life cycle (SDLC) methodology, which includes security and processing integrity requirements for the organization.
• Post-implementation reviews are performed to verify controls are operating effectively
• A testing strategy is developed and followed for all significant changes in applications
• The organization has policies and procedures regarding computer operations which is periodically reviewed, updated and approved by management
• Management protects sensitive information – logically and physically, in storage and during transmission – against unauthorized access or modification
• Management has implemented a strategy for critical backup of data and programs
• The restoration of information is periodically tested

 

 

 

News of the day

These are important news updates everyone should know. Thanks to Brian Krebs and info risk today for the stories.

Serious 'GHOST' Flaw Puts Linux at Risk
US-CERT Warns: Linux Patches Are Available, Update Now

Article can be read here: GHOST flaw in Linux


FBI: Businesses Lost $215M to Email Scams


Article can be read here: http://krebsonsecurity.com/2015/01/fbi-businesses-lost-215m-to-email-scams/

When Should I Use Credit and When Should I Use Debit When Shopping?

The million dollar question everyone including myself have an opinion on. Here is my two cents. 

When you have the option to use debit or credit, you're probably using a debit card, or a card issued by a bank, backed by your checking account, but also with a Visa or MasterCard logo on it. Depending on what you pick, different things happen when the payment is processed:

When you select debit: You enter your PIN and the funds are deducted from your bank account immediately. If they're unavailable, the bank has the option—depending on your agreement with them—to pay the charge and hit you with an insufficient funds fee, or to decline the charge. To the merchant, this transaction is as close to cash as you can get without using bills and coins, and offers them more forgiving transaction fees than credit cards.

When you select credit: The transaction requires a signature, and is processed by the credit card company. The funds may or may not be immediately deducted from your bank account, depending on how the retailer handles their transactions. Some stores "batch" their credit transactions and send them in at the end of the day. Depending on the bank, using credit instead of debit can offer you some anti-fraud protection that credit cards offer (more on that a little later). This isn't universal though, so you should check with your bank to be sure. Finally, to the merchant, processing a transaction as credit usually involves a credit card transaction fee to the major issuers, like Visa and MasterCard.

If you are shopping in a small business or a locally owned shop, you may want to use your card as debit (or just pay with cash) instead of credit so they don't have to get hit with that credit processing fee. At the same time however, signing for your purchase as credit can give you some of the anti-fraud protection and delay the charge hitting your account—depending on the bank. Wells Fargo Bank, for example, considers debit transactions "online" and deducts them immediately, while credit transactions are "offline" and offer protection by Visa before they're processed.

There are pros and cons to each, and now that you know the difference at the cash register, let's talk about when you should use credit cards (or tap credit) and when you should go for debit instead.

When You Should Debit Cards or Credit Cards for Your Purchases

Debit and credit are handled differently when it's time to make the purchase, but before you even get to the register or click "check out" when you're shopping online, there are more differences you should be aware of. To be up-front, in almost all cases there are benefits to using credit cards that debit or cash simply don't provide, but you have to decide whether or not those benefits are worth using a credit card (and accepting the financial issues that come with it; eg. debt, interest, etc). Here's how to tell when you're better off using which:

When Credit Is the Best Option

If you're shopping online. Credit cards are by far your safest option when shopping online, both because the credit card issuers watch for fraudulent charges. If you detect fraud yourself you can dispute a charge and get it reversed quickly, thanks to credit card issuers' "zero liability" policies. You're never liable for unauthorized charges, unlike debit transactions, which are the same as cash (and are protected in some cases, but that varies from bank to bank).

If you're making large purchases or electronics purchases. Most credit cards offer their own warranty protection for your purchases just for using a credit card for the transaction. Some of those warranties go beyond what's offered by the manufacturer, and offer you extra coverage, which is really useful for electronics, appliances, or other large purchases. Of course, before you buy, read up on the manufacturer's warranty and the return policy of the store.

If you're traveling or are on vacation. If you're away from home, the added anti-fraud protection offered by credit cards can be essential if someone steals your card number or you accidentally use a shady ATM in some tourist trap, designed to harvest card data. With a credit card, you can put a stop to it without being liable for the charges (if the credit card company doesn't detect it first). Similarly, using your card for travel may open up perks to you, like discounts on rental cars, frequent flyer miles, or cash back on purchases. Finally, many hotels, airlines, and other travel companies only use credit cards for reservations and bookings. If you use debit, they may put a massive hold on your account, which can be inconvenient if you need to spend your money.

Our friends at Credit Karma have some more cases where credit beats out debit, like when you're using a rewards card or a card that offers you perks for purchases, and if you're trying to repair your credit after bankruptcy or foreclosure.

However, in both of those cases (and all others, frankly), you should be sure that the financial risks associated with credit cards are worth the benefits you'll get. A few hundred points won't make much difference if you're carrying interest on a pair of movie tickets. Make sure you pay off those credit cards at the end of the month every month, or at least pay off the transactions you charge up in order to get your rewards.

When Debit Is the Best Option

If the other party needs to be paid immediately. Since debit transactions are handled almost instantaneously, they're also the fastest method of payment. If you're swiping your card and speed is an issue, debit is the best option.

When you've automated your finances and are on a budget. The beauty of automating your finances is that you can carry a debit card that's specifically for your personal or luxury purchases. You can use it as much as you like, as long as you're within your budget, and if you go out of your budget, that's it—the card won't work anymore. Bright side: you won't incur overdraft fees, and you won't pay interest on the drinks you had at the bar on Friday night, which overall will keep you better financial health.

If you're watching your finances, or recovering from poor money management habits. Credit cards aren't for everyone. They're a tool—a powerful tool—but like any tool, they're good for some people and bad for others. If you have a hard time managing your money or living within your means, you may be better off leaving the credit card at home entirely and finding a bank that offers a zero liability policy on your debit account, so you're protected from fraudulent transactions. That way you can budget, spend only what you have, and still be protected in case someone steals your card number and PIN.

If you want the best exchange rate on foreign currency. Credit cards can be better for flat transactions abroad, but if you need actual currency in a country that's not your own, your best bet is to use your debit card and hit the ATM. When you do, you generally get the "wholesale" exchange rate, which is reserved for interbank purchases, and superior to the exchange rate you'd get on your account statement if you just swiped your plastic.

We have to point out again that since debit is essentially the same as cash, you have to check with your bank to make sure you have anti-fraud protection, and any transactions you don't authorize or want to dispute will be refunded to you. Many banks only offer zero liability policies if you swipe your debit card like credit—if you don't, it's same as cash, and if you're double-billed for example, you have to contact the retailer to get it straightened out (which can suck if you were traveling or the retailer was a bar or restaurant), or file a lengthy dispute—during which you're out the money you're arguing over.

---

Depending on the circumstances, credit can be a much more powerful and flexible option than debit. You're protected from identity theft, your purchases can be protected from defects and failures, and disputes are handled quickly without you having to pay up just to get your money back. However, credit cards are still credit, and you're in debt for the purchases you make. You pay interest on them, and not being able to handle your credit wisely can lead to serious financial problems. Sometimes it can be better to not spend at all unless you have the money to spend—in which case debit (and cash) are better options.

In either case, choose the option that's best for you in the situation's we've described. Think carefully about how you manage your money, and how well you handle credit. The answer for you may not be the answer for someone else—but at least you'll know the answer.

 

Over 700 Million People Taking Steps to Avoid NSA Surveillance

There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."
The press is mostly spinning this as evidence that Snowden has not had an effect: "merely 39%," "only 39%," and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users -- which is not everybody -- who have heard of him. So it's much less than 39%.)
Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)
Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that's an additional 46 million people around the world.
It's probably true that most of those people took steps that didn't make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It's probably even true that some of those people didn't take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.
Name another news story that has caused over ten percent of the world's population to change their behavior in the past year? Cory Doctorow is right: we have reached "peak indifference to surveillance." From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.
Related: a recent Pew Research Internet Project survey on Americans' perceptions of privacy, commented on by Ben Wittes.


This essay previously appeared on Lawfare.

12 Step Security Program - BE SAFE

Good security advice can be hard to find. Lots of security experts offer help, but not all of their tips are accurate or up-to-date, and many address PC security only. So even if you follow their advice, you may be more vulnerable than you think. That's where we come in. We've assembled a dozen simple but essential tips--a 12-step security program--to keep your PC, smartphone, gadgets, and identity safe. The steps are practical and fairly easy to perform, so you can strengthen your security without losing your mind in the process.

1. Use virtual credit card numbers to shop online
You have good reason to be nervous when using your credit card number to shop online. After all, you may know little or nothing about the company you're buying from, and your credit card information is at risk of being comprom­ised in a data breach. Using a virtual credit card number is one way to make your Internet shopping excursions more secure.


Essentially a wrapper for your regular credit card or debit card account, a virtual card number is good for one use only. When you use the virtual number, the bank that supplied it charges your purchase to your regular credit or debit card, but hackers never gain access to the underlying credit card information.


Various financial institutions maintain some sort of virtual credit card program. Bank of America, for instance, offers a ShopSafe service, and Discover has a similar service built around what it calls a Secure Online Account Number. Check with your bank or card issuer to see what options are available. Alternatively, consider Shop Shield, a virtual card number service that you can use with any credit card or checking account.


2. Secure your Wi-Fi
Is your Wi-Fi network at home password-protected? If not, it should be. You might not care if your neighbors use your Wi-Fi connection to surf the Web, but someone with more sinister motives could take advantage of your generosity (and lack of protection) to gain access to data stored on your home PCs.


The easiest way to guard against Wi-Fi interlopers is to encrypt your Wi-Fi network. Afterward you'll have to enter a password whenever you connect to your Wi-Fi network, but that's a small price to pay for improved security. Most Wi-Fi routers support WEP, WPA, and WPA2 encryption standards. Be sure to use either the WPA or WPA2 encryption settings, which provide a much higher level of security than WEP encryption.


Another safeguard is to set your router not to broadcast the SSID (your network's name).
With SSID broadcasting disabled, your wireless network won't be visible to computers nearby, and only people who specifically know your network's name will be able to find it. The procedure for locking down your Wi-Fi will vary depending on your router's model and manufacturer. Check the router's documentation for instructions.

3 Encrypt Your Hard Drives

Hard drives and USB flash drives are treasure troves of personal data. They're also among the most common sources of data leaks. If you lose a flash drive, external hard drive, or laptop containing sensitive personal information, you will be at risk. Fortunately, en­­crypting your hard drive can give your data an extra layer of protection be­­yond setting up a system password. Encryption will conceal your drive's data and make accessing the files almost im­­possible for anyone who does not know your encryption password.

The Ultimate and Business editions of Windows 7 and Vista come with BitLocker, a tool that lets you encrypt your entire hard drive. If you don't have the Ultimate or Business version, another alternative is to use TrueCrypt, a free, open-source tool that can encrypt your entire disk, a portion of a disk, or an external drive. For its part, Mac OS X includes FileVault, a tool for encrypting your Mac's home folder; Lion, the next major Mac OS X release on the horizon, will be able to encrypt a whole hard drive.

Another option is to buy external hard drives and flash drives equipped with en­­cryption tools. Some of these drives have built-in fingerprint readers for additional security. See "Secure Flash Drives Lock Down Your Data" for more about secure flash-drive options.

4. Keep Your Software Up-to-Date

One of the simplest but most important security precautions you should take is to keep your PC's software up-to-date. I'm not talking exclusively about Windows here: Adobe, Apple, Mozilla, and other software makers periodically release fixes for various bugs and security flaws. Cybercriminals commonly exploit known vulnerabilities, and Adobe Reader is a constant target of such assaults.

Not infrequently, the latest version of a popular program introduces entirely new security features. For example, Adobe Reader X, the newest version of the company's PDF reader, uses something called Protected Mode to shut down malware attacks. If you still use an earlier version of Adobe Reader, you aren't benefiting from Reader X's security enhancements.

Most major commercial software packages come with some sort of automatic updating feature that will inform you when a new update is available. Don't ignore these messages; install updates as soon as you can when you're prompted to do so. It's a little bit of a hassle, but it can prevent major headaches later on.

5. Upgrade to the latest antivirus software
If you're running antivirus software from two or three years ago, you should up­­grade to the most recent version, even if you still receive up-to-date malware signature files for the older edition. The underlying technology for antivirus software has im­­proved significantly in recent years.

To detect threats, antivirus products today don't rely solely on the traditional signature files (regularly updated files that identify the latest malware). They also use heuristic techniques to de­­tect and block infections that no one has seen yet. Given how frequently new viruses crop up in the wild, the ability to protect against unknown malware is critical.

6. Lock down your smartphone
If you use your smartphone the way I use mine, your handset probably contains lots of personal information--e-mail addresses, photos, phone contacts, Facebook and Twitter apps, and the like. That accumulation of valuable data makes smartphones a tempting target for thieves and cybercriminals, which is why the smartphone is shaping up as the next big security battleground.

Android phones are already being hit with Trojan horses and other types of malware, and security experts agree that mobile malware is still in its infancy. Worse, many users don't think of their phones as computers (though that's what the devices are), so they don't take the same security precautions they would with a PC. If you haven't downloaded a security app for your Android phone, you should. Most smartphone security apps are free, and it's far better to have one and never need it than to get caught off-guard and exposed without one.

If you have an Android phone, the first app you should install on it is an antivirus program. Besides scanning for malware, mobile antivirus apps may support such features as a remote wipe (so you can securely remove all data stored on the phone if you lose it), GPS tracking (for locating your phone if you misplace it), and SMS spam blocking.

Our favorite freebie in this category is the Lookout Mobile Security app. Lookout scans your phone for existing malware threats and automatically scans any new applications you install on your handset. Other popular antivirus apps, available for a subscription fee, are Symantec's Norton Mobile Security (beta version), AVG's Antivirus Pro, and McAfee's Wave­Secure.

Because Apple's App Store takes a more restrictive approach to apps offered for sale there, iPhone owners generally don't have to worry as much about malware, though it's always possible for something to slip through the cracks. Apple hasn't allowed any proper antivirus applications into the App Store, either, but you do have some security options.

One is a device tracking and remote-wipe service from Apple called Find My iPhone. It comes as part of Apple's paid MobileMe service ($99 per year), but Apple also offers it to any iPhone, iPad, or iPod Touch owner, free of charge. With Find My iPhone, you can lock and remotely delete data stored on your iPhone, track the device via GPS, remotely set a passcode, and display an on-screen message with an alarm sound (so you can find it if you misplace it around your house or office).

One more tip: When choosing a mobile antivirus program, it's safest to stick with well-known brands. Otherwise, you risk getting infected by malware disguised as an antivirus app.


7. Install a link-checker plug-in
Security threats may lurk in seemingly innocuous Web pages. Le­­gitimate sites may get hacked, cybercriminals game search engines to make sure that their infected pages come up in searches for hot topics (a technique known as "search engine poisoning"), and seemingly safe sites may harbor malware. Although you have no way to guard against these attacks completely, using a link checker can help protect you from many of them.

Link-checker tools typically show small badges next to links in search results and elsewhere to indicate whether a site is trustworthy, dangerous, or questionable. Many such tools also add a status indicator to your browser's toolbar to signal the presence of any problems with the site that you're currently visiting.

Various options are available: AVG LinkScanner, McAfee SiteAdvisor, Symantec Norton Safe Web Lite, and Web of Trust are all available for free. Many security suites come with a link scanner, too.


8. Don't neglect physical security
A thief can snatch an unattended laptop from a desk and walk away in a matter of seconds. And a thief who has your laptop may have access to your files and personal information. A notebook lock won't prevent someone from cutting the cable, but it can deter crimes of opportunity.

Kensington is probably best-known for its notebook locks; it offers an array of locks for laptops and desktops. Targus is a second vendor that specializes in laptop security gear, including one lock that sounds an alarm when someone tries to pick up the attached laptop or cut the lock cable.

Prying eyes are a common security hazard. To prevent unauthorized viewing of your data when you step away from your desk, always lock your screen before leaving your PC unattended. To do this, simply hold down the Windows key and type the letter L. This will bring up the lock screen. To get back to work, press Ctrl-Alt-Delete, and enter your login password at the prompt.

Another way to shield your screen is to install a privacy filter over the display. These filters fit directly on a monitor so other people can't peer over your shoulder and see what's on the screen. A privacy filter may be particularly useful if you work in an "open" office that lacks cubicle walls. Various companies sell these filters, including Targus, 3M, and Fellowes.

9. Make HTTPS your friend
When you're browsing the Web, protect yourself by using HTTPS (Hypertext Transfer Protocol Secure) whenever possible. HTTPS encrypts the connection between your PC and the Website you're visiting. Though HTTPS doesn't guarantee that a site is secure, it can help prevent other parties from hacking into the network and gaining access to your account.

Many sites use HTTPS by default: When you purchase an item online or log in to online banking, for instance, your browser will probably connect to the site via HTTPS automatically. But you can go one step further by enabling HTTPS on Facebook, Twitter, and Gmail.

To use Facebook's HTTPS feature, log in to Facebook and click Account in the upper-right corner. Select Account Settings from the drop-down menu, and look for ‘Account Security' on the resulting page. Under the Account Security heading, click Change, check the box next to Browse Facebook on a secure connection (https) whenever possible, and click Save.

For Twitter, first log in to your account. If you're using the new Twitter interface, click your account name in the upper-right part of the screen, and select settings. (If you're still using the old Twitter interface, click the Settings link in the upper right of the window.) From there, scroll down to the bottom of the resulting page, check the box next to Always use HTTPS, and click Save.

To enable HTTPS on Gmail, log in to your account, click the gear icon in the upper-right corner, and select Mail Settings from the drop-down menu. Next, under the Browser Connection heading, select the button labeled Always use https. When you're all set, scroll to the bottom of the page and click Save Changes. To learn more about Gmail security, visit Google's Gmail Security Checklist page.


10. Avoid public computers and Wi-Fi
As convenient as free Wi-Fi and publicly available computers may be at, say, a public library or café, using them can leave you and your personal information exposed. Public computers might be infected with spyware and other types of malware designed to track your movements online and harvest your passwords.

The same is true of open Wi-Fi networks. Cyberthieves may set up rogue Wi-Fi networks that look legitimate (for instance, one may be named for the café that you're visiting) but enable the crooks to collect your personal information. Even legitimate open Wi-Fi networks may leave you vulnerable. For an example, look no further than the Firesheep plug-in for Firefox, which allows just about anyone to hijack log-in sessions for various social networks.

Sometimes, you may have no choice but to use a public computer or Wi-Fi network. When you do, don't use it to check your e-mail or social network accounts, conduct online banking, or perform any other action that entails logging in to a site. If you have access to a VPN, use it.


11. Be password smart
You probably know already that using obvious or easy-to-discover passwords like "password" or your pet's name is a bad idea. But how can you make your passwords significantly more secure?

First, you need to use a different long, strong password for each account. Hackers often attempt to break into accounts by employing a "dictionary attack," which involves using words straight from the dictionary to guess your password. So don't use standard words as your passwords; instead, try creating them from a combination of letters, numbers, and symbols. And don't simply replace letters in a word with a symbol (for example, using the @ symbol in place of an A); it's too common a trick. You can also strengthen your passwords by using a mix of lowercase and capital letters.

Basically, the more complex a password is, the better. But try to use something that you'll be able to remember--a mnemonic of some sort that incorporates various alphanumeric symbols--and that nobody but you would know.

Remembering multiple passwords can be a challenge, which is why many people find that a good password manager is indispensable. KeePass is a good, free password-management option that works on Windows and Mac OS X systems.

12. Check your credit report each year
Unfortunately, even if you do everything right, bad guys might still succeed in stealing your identity. After all, you can control who has access to your personal information, but you can't control how well a company that you do business with secures its personal-data records.

Nevertheless, you can limit the damage that would result from undetected identity theft by checking your credit report regularly. Periodically checking your credit report is a good way to make sure that no one has opened credit card or bank accounts under your name.

If you are a U.S. citizen, you're entitled to receive one free credit report every 12 months from each of the three major credit agencies--Equifax, Experian, and TransUnion--via AnnualCreditReport.com. The service will let you examine and print out your credit report for free, but if you want to obtain your actual credit score, you'll have to pay for it. Since your freebie credit report is just a once-a-year affair, it's a good idea to insert a reminder in your calendar to check in again with AnnualCreditReport.com in 12 months.

Does authority have any limits

The next time you call for assistance because the Internet service in your home is not working, the 'technician' who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and -- ­when he shows up at your door, impersonating a technician­ -- let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have 'consented' to an intrusive search of your home."
This chilling scenario is the first paragraph of a motion to suppress evidence gathered by the police in exactly this manner, from a hotel room. Unbelievably, this isn't a story from some totalitarian government on the other side of an ocean. This happened in the United States, and by the FBI. Eventually -- I'm sure there will be appeals -- higher U.S. courts will decide whether this sort of practice is legal. If it is, the county will slide even further into a society where the police have even more unchecked power than they already possess.
The facts are these. In June, Two wealthy Macau residents stayed at Caesar's Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests' Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.
The FBI claims that their actions are no different from any conventional sting operation. For example, an undercover policeman can legitimately look around and report on what he sees when he invited into a suspect's home under the pretext of trying to buy drugs. But there are two very important differences: one of consent, and the other of trust. The former is easier to see in this specific instance, but the latter is much more important for society.
You can't give consent to something you don't know and understand. The FBI agents did not enter the hotel room under the pretext of making an illegal bet. They entered under a false pretext, and relied on that for consent of their true mission. That makes things different. The occupants of the hotel room didn't realize who they were giving access to, and they didn't know their intentions. The FBI knew this would be a problem. According to the New York Times, "a federal prosecutor had initially warned the agents not to use trickery because of the 'consent issue.' In fact, a previous ruse by agents had failed when a person in one of the rooms refused to let them in." Claiming that a person granting an Internet technician access is consenting to a police search makes no sense, and is no different than one of those "click through" Internet license agreements that you didn't read saying one thing and while meaning another. It's not consent in any meaningful sense of the term.
Far more important is the matter of trust. Trust is central to how a society functions. No one, not even the most hardened survivalists who live in backwoods log cabins, can do everything by themselves. Humans need help from each other, and most of us need a lot of help from each other. And that requires trust. Many Americans' homes, for example, are filled with systems that require outside technical expertise when they break: phone, cable, Internet, power, heat, water. Citizens need to trust each other enough to give them access to their hotel rooms, their homes, their cars, their person. Americans simply can't live any other way.
It cannot be that every time someone allows one of those technicians into our homes they are consenting to a police search. Again from the motion to suppress: "Our lives cannot be private -- ­and our personal relationships intimate­ -- if each physical connection that links our homes to the outside world doubles as a ready-made excuse for the government to conduct a secret, suspicionless, warrantless search." The resultant breakdown in trust would be catastrophic. People would not be able to get the assistance they need. Legitimate servicemen would find it much harder to do their job. Everyone would suffer.
It all comes back to the warrant. Through warrants, Americans legitimately grant the police an incredible level of access into our personal lives. This is a reasonable choice because the police need this access in order to solve crimes. But to protect ordinary citizens, the law requires the police to go before a neutral third party and convince them that they have a legitimate reason to demand that access. That neutral third party, a judge, then issues the warrant when he or she is convinced. This check on the police's power is for Americans' security, and is an important part of the Constitution.
In recent years, the FBI has been pushing the boundaries of its warrantless investigative powers in disturbing and dangerous ways. It collects phone-call records of millions of innocent people. It uses hacking tools against unknown individuals without warrants. It impersonates legitimate news sites. If the lower court sanctions this particular FBI subterfuge, the matter needs to be taken up -- ­and reversed­ -- by the Supreme Court.


This essay previously appeared in The Atlantic.

Malware Based Credit Card Breach at Kmart

Sears Holding Co. late Friday said it recently discovered that point-of-sale registers at its Kmart stores were compromised by malicious software that stole customer credit and debit card information. The company says it has removed the malware from store registers and contained the breach, but that the investigation is ongoing.
“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”
According to those investigators, Brathwaite said, “our systems were infected with a form of malware that was currently undetectable by anti-malware systems. Our IT teams quickly removed that malware, however we do believe that debit and credit card numbers have been compromised.”
Brathwaite stressed that the data stolen included only “track 2″ data from customer credit and debit cards, and did not include customer names, email address, physical address, Social Security numbers, PINs or any other sensitive information.
However, he acknowledged that the information stolen would allow thieves to create counterfeit copies of the stolen cards. So far, he said, Sears has no indication that the cards are yet being fraudulently used.
Sears said it has no indication that any Sears, Roebuck customers were impacted, and that the malware infected the payment data systems at Kmart stores only.
More on this developing story as updates become available. For now, see this notice on Kmart’s home page.


Thank you to Brian Krebs for keeping us informed on all of these breaches....

Some Tips to Protect against Identity Theft

1. Do not sign the back of your credit cards. Instead put "PHOTO ID REQUIRED"; although merchants and their employees are still hit-and-miss on actually checking that ID, more of them are paying attention.

1.     2. When you order your checks, don't list any telephone number. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home address or your work address.

2.     3. Be aware of which credit cards you carry now have embedded RFID chips because the information on one of those chips can be read surreptitiously by someone near you using a simple hand-held scanner.

3.     4.Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Store    those photo copies in a secure place and refresh it when you change cards.

10 tips for spotting a phishing email

Phishing emails insinuate themselves into inboxes year-round, but the holidays bring out a rash of new scams. Help your users spot "fishy" emails.  Every day countless phishing emails are sent to unsuspecting victims all over the world. While some of these messages are so outlandish that they are obvious frauds, others can be a bit more convincing. So how do you tell the difference between a phishing message and a legitimate message? Unfortunately, there is no one single technique that works in every situation, but there are a number of different things that you can look for. This article lists ten.

1. The message contains a mismatched URL

One of the first things that I recommend checking in a suspicious email message is the integrity of any embedded URLs. Often times the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over top of the URL, you will see the actual hyperlinked address (at least that’s how it works in Outlook). If the hyperlinked address is different from the address that is displayed. then the message is probably fraudulent or malicious.

2. URLs contain a misleading domain name

Often times people that launch phishing scams depend on their victims not knowing how the DNS naming structure for domains works. It is the last part of a domain name that is the most telling.

For example, the domain name info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right hand side). Conversely, brienposey.com.maliciousdomai.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name, not the right.

I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

3. The message contains poor spelling and grammar

Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, legality, and a number of other things. As such, if a message is filled with poor grammar or spelling mistakes it probably didn’t come from a major corporation’s legal department.

To give you a rather amusing example, I received an email message a few weeks ago that was supposedly from one of the large real estate companies. However, the body of the email merely said, “Me buy house fast”. Obviously, that email was not legit.

I’ll concede that this particular message was more of a spam than a phishing message, but the same basic principle applies to phishing emails as well.

4. The message asks for personal information

No matter how official an email message might look, it is always a bad sign if the message asks for personal information. Your bank doesn’t need you to send them your account number. They already know what it is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

5. The offer seems too good to be true

There is an old saying that if something seems too good to be true, it probably is. That saying holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, then the message is probably a scam. After all, why would a Nigerian prince that you have never heard of contact you to help him smuggle money out of his country?

6. You didn’t initiate the action

Just yesterday I received an email message informing me that I had won the lottery!!!! The only problem is that I never bought a lottery ticket. If you get a message informing you that you have won a contest that you did not enter then you can bet that the message is a scam.

7. You are asked to send money to cover expenses

One telltale sign of a phishing E-mail is that you will eventually be asked for money. You might not get hit up for cash in the initial message, but sooner or later a phishing artist will likely ask for money to cover expenses, taxes, fees, or something like that. If that happens, then you can bet that it’s a scam.

8. The message makes unrealistic threats

Although most of the phishing scams seem to try to trick people into giving up cash or sensitive information by promising the victim instant riches, other phishing artists try to use intimidation to scare the victim into giving up information. If a message makes unrealistic threats then the message is probably a scam. Let me give you an example.

About ten years ago, I received a very official looking letter that was allegedly from US Bank. Everything in the letter seemed completely legit except for one thing. The letter said that my account had been compromised and that if I did not submit a form (which asked for my account number) along with two forms of picture ID then my account would be canceled and my assets seized.

I’m not a lawyer, but I’m pretty sure that it’s illegal for a bank to close your account and seize your assets simply because you didn’t respond to an email message.

The amusing part however, was that the only account that I had with US Bank was a car lease. There were no deposits to seize because I did not have a checking or savings account with the bank.

9. The message appears to be from a government agency

Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes phishing artists will send messages claiming to have come from a law enforcement agency, the IRS, the FBI, or just about anything else that could scare the average law abiding citizen.

I can’t tell you how government agencies work outside of the United States. In America however, government agencies do not normally use email as the initial point of contact. That isn’t to say that law enforcement and other government agencies do not use email – they do. However, law enforcement agencies follow certain protocols. They do not engage in email-based extortion (at least that hasn’t been my experience).

10. Something just doesn’t look right

In Las Vegas casino security teams are taught to look for anything that JDLR (as they call it). The idea is that if something just doesn’t look right, then there is probably a good reason why. This same principle almost always applies to email messages. If you receive a message that seems suspicious then it is usually in your best interest to avoid acting on the message.

Fake Cell Phone Towers Across the US

Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US These seems to be IMSI catchers, like Harris Corporation's Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that's part of CryptoPhone from the German company GSMK. And in both cases, we don't know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?

This is the problem with building an infrastructure of surveillance: you can't regulate who gets to use it. The FBI has been protecting Stingray like it's an enormous secret, but it's not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.

We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I'm tired of us choosing surveillance over security.

Home Depot information

Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record.

The disclosure, the first real information about the damage from a data breach that was initially disclosed on Krebs Website, also sought to assure customers that the malware used in the breach has been eliminated from its U.S. and Canadian store networks.

“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the company said via press release (PDF). “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”

That “enhanced payment protection,” the company said, involves new payment security protection “that locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.”