Wednesday, February 25, 2015

Healthcare will see a substantial increase of data stealing attacks





According to the Identity Theft Resource Center, healthcare data accounted for 43 percent of major data breaches reported in 2013. Medical records and patient data are logical targets for cybercriminals. Healthcare records hold a treasure trove of data that is valuable to an attacker. No other single type of record contains as much Personally Identifiable Information (PII) that can be used in a multitude of different follow-up attacks and various types of fraud.

Healthcare records not only contain vital information on the identity of an individual (name, address, social security) but also often link to financial and insurance information. Access to PII allows an attacker to commit identity fraud, while the financial information can lead to financial exploitation. This is a logical and profitable secondary attack area for cybercriminals who have already dealt in stolen credit card data.



Healthcare professionals are also at risk. Often, they have an increased tendency to try and get around IT security policies in order to better serve their patients. In a medical emergency, the stakes couldn’t be higher. When a doctor or nurse needs access to computing resources or data because a patient’s health is at risk, IT policy takes a back seat to the patient’s health. In the heat of the moment, such behavior can lead to increased risk to cyber threats or insecure access and storage of sensitive information.

This is also occurring in a healthcare environment that is still undergoing a transformation to digital and electronic records. While there has been a huge political push to move to electronic health records, hospital and medical practice security (especially in smaller offices) has not yet caught up to the challenge of protecting this valuable patient data. As a result, targeted cyber-attacks against healthcare organizations will continue their rapid rise in frequency and success.

Monday, February 16, 2015

3 Persistent Security Myths

I have this Friend, and you probably know someone like this too—the one that is always sending forwards even though you asked them to stop 10 years ago, and even though you’ve told them that forwarded messages can present safety risks online.
Besides the fact that netiquette has been well established and widely understood for years, and these friends (or relatives) are being impolite by spamming you, the more important fact is the messages also present a security risk, for individuals as well as organizations.
After the most recent forwarded link, I mentioned to my Friend that I hoped she had good security software. Her response: “My friend sent this to me. It’s a valid clip/link and virus free.”
And I just had to shake my head at the security fallacies in those brief statements. I hate to be the smart-ass of the family who tries to lecture or educate the less tech-savvy, but I also don’t want to see my relatives fall victim to dumb social engineering scams. Now, this particular link probably was virus-free and safe enough, but when someone continually sends links and forwards, I start to worry they don’t know how to stay safe online.
So, what’s a conscientious security professional or blogger to do?
I’d love to hear your approaches and comments on this topic. For now, I’m going to try breaking down the myths that seem to persist, and see if I can think of a way to quietly explain the issue.


1. “My friend sent this to me.”
Of course you trust your friend, but that doesn’t make it safe to always trust the links they send out. First, the link could contain a virus or malware that your friend doesn’t know about either. Say your friend’s coming down with a cold, but doesn’t know it yet. You both share a drink at a café—two days later, you both get sick because your friend passed the cold on to you. Same idea.
In computers, it’s even more dangerous, because you may never know you’re sick. Spyware, for example, is designed to watch what you do and send information to the hackers about your online behavior, or even about your passwords. Malware can install itself on your computer without your even knowing. Many people get infected with software that forms a network with other computers, called a botnet. When the hacker contacts all those computers, they can be activated and do whatever he wants—like send messages from your computer to your friends.
These hackers don't want you or your friends to know you've been hacked. Your computer might just slow down a few hours a day…because it's being used secretly by someone else. They can change your security settings, see your passwords, or even corrupt your files and shut down your computer without your permission.
If your password information is stolen, hackers can access your accounts and send forwarded links and emails to your friends without your even knowing. Those messages can contain more malware that installs on your friends’ computers, or spreads through your accounts.
Of course we trust our friends. But that doesn’t mean that our friends won’t have problems online, or that they won’t get infected.


2. “It’s a valid clip/link.”
Images, documents, and all sorts of valid files are used to deliver viruses and malware. Lately the most popular carriers are PDFs and Microsoft Office documents, but picture and video files can also be suspect, and for years image files were among the most dangerous. The link might contain something useful, entertaining, or even work-related. Just because the link works and does what you expect, that doesn't mean it's safe. The file can carry other, problematic content: while you're being entertained or even learning a fun factoid, something bad might be happening in the background…
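As an added example (not from the original post), here is a small Python triage check that shows what a "valid file" can hide: it compares the type a filename claims with the file's leading bytes, flags double extensions such as clip.mp4.exe, and looks for the PDF objects (/OpenAction, /JavaScript) that make a document do something the moment it is opened. The type tables and the four sample files are constructed for illustration.

```python
# Added example: a small triage check for "valid" attachments and downloads.
# Not code from the original post; MAGIC, EXT_TYPE, EXEC_EXTS and the sample
# files are assumptions constructed for illustration.
from typing import Dict, List

# Leading bytes that identify common file types (file "magic").
MAGIC: Dict[bytes, str] = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "exe",          # Windows PE executables (.exe, .scr, .dll)
    b"PK\x03\x04": "zip",  # also the .docx/.xlsx/.pptx containers
}

# What each filename extension claims the content is.
EXT_TYPE: Dict[str, str] = {
    "pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "png": "png",
    "exe": "exe", "scr": "exe", "zip": "zip", "docx": "zip", "xlsx": "zip",
}

# Extensions Windows will execute when double-clicked.
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif"}

# PDF name objects that make a document run code or open something on load.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")


def sniff_type(data: bytes) -> str:
    """Return the type implied by the file's first bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def assess(filename: str, data: bytes) -> List[str]:
    """Return warning flags for a file. An empty list means no mismatch was
    found; it is not proof that the file is safe."""
    flags: List[str] = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    claimed = EXT_TYPE.get(ext)
    actual = sniff_type(data)

    # "funny_clip.mp4.exe": a media name with an executable extension behind it.
    if len(parts) >= 3 and ext in EXEC_EXTS:
        flags.append("double_extension")
    # The extension says one thing, the bytes say another (a "photo.png" that is a PE).
    if claimed and actual != "unknown" and claimed != actual:
        flags.append("extension_mismatch")
    # A PDF that acts on open is the classic valid-looking document that still hurts.
    if actual == "pdf" and any(token in data for token in PDF_ACTIVE):
        flags.append("pdf_active_content")
    return flags


# Constructed samples standing in for files a friend might forward.
SAMPLES: Dict[str, bytes] = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "funny_clip.mp4.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>",
    "photo.png": b"MZ\x90\x00" + b"\x00" * 16,
}


def triage_samples() -> Dict[str, List[str]]:
    """Run assess() over every constructed sample."""
    return {name: assess(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage_samples().items():
        print(f"{name:22} {flags or 'no flags'}")
```

The point of the check is the gap between what the name says and what the bytes are: the "clip" that is really a PE file, and the PDF that is a perfectly valid PDF yet runs script on open. Neither is caught by "it opened and played fine".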


3. “And it’s virus-free.”
Again, just because it works and your friend sent it, you can’t assume it’s virus free.
First, did you scan it for viruses? If your scanner says it’s virus-free, how well do you trust your scanner? Many well known and popular anti-virus programs, even if they’re mostly reliable, can’t pick up every infection. Additionally, viruses aren’t the only problems you have to worry about online.
Everyone—hey, even Mac users—should get themselves a good anti-virus/malware program and check regularly for updates. But it's also good to keep in mind that even the best program won't always protect you. The best defense is being careful about what you click, and what the source is.

Third party / vendor management - due diligence standards



Third Party Due Diligence Standards

Things every organization should look at when conducting initial or annual due diligence on a vendor/client.
 
The third party's controls must meet or exceed the controls required by the PCI DSS and satisfy GLBA requirements.


 


The GLBA Safeguards Rule requires all financial institutions to have a written information security program in place to ensure the confidentiality and integrity of customer data. The program must make use of the following:


 


  • Administrative safeguards, such as employee oversight and training;
  • Physical safeguards, such as restricted access to hardware and disaster recovery plans;
  • Technical safeguards, such as firewalls, encryption, access controls and secure computer networks.


 


Safeguards must be implemented in proportion to the size and complexity of the institution, the nature of its activities and the sensitivity of the information it handles. Furthermore, the Safeguards Rule requires the institution to designate an employee to coordinate its information security program.


 


The following areas should be reviewed during the due diligence process.


 


Incident Response


Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a process that should be followed when an incident occurs.


 


The incident response document should include the following:

  • Define an incident response team with assigned roles and responsibilities
  • Categorize or identify what types of detected activities require incident response
  • Define incident response investigation and validation requirements. For example, all administrative and/or privileged activities must be logged, including date, time, activity performed and any suspect information identified.
  • Define the evidence gathering and handling techniques that will be used as part of the response activity
  • Define a containment strategy and who has the authority to make critical or business-impacting decisions when a breach occurs. Time is critical; waiting for executive approval could be costly.
  • Define who must be contacted, and within what time period, when reporting a compromise or breach.
  • Include requirements to use an association-approved forensics vendor (for example, a card-brand-approved PCI Forensic Investigator) listed or referenced within the document
  • Reference the creation of a formal incident report. Include historical tracking, training and lessons learned.
  • Include a schedule for the plan to be practiced and reviewed.
  • Assign responsibility for creating and distributing security incident response and escalation procedures.


 


Information Security


A security policy is a document that states in writing how your organization protects the company's physical and logical information technology assets. A security policy is often considered to be a "living document", meaning that the document is never finished but is continuously updated as technology and employee requirements change. A company's security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measures will be carried out and enforced, a procedure for evaluating the effectiveness of the security policy, and the steps taken to ensure that necessary corrections will be made.


 


The Information Security Policy should include the following:


  • Define access controls for device management (routers, firewalls and switches)
  • Define roles and responsibilities
  • Define the process followed for user creation and modifications
  • Define the process for removing/disabling user accounts immediately upon termination
  • Define the requirements that all employees and contractors sign an acceptable use policy
  • Define the requirements that all employees and contractors sign non-disclosure agreements regarding confidential information
  • Define server hardening procedures
  • Define system patching procedures and schedules
  • Define logging requirements for all critical systems as well as review retention requirements
  • Define authentication requirements
  • Define a formal access approval process
  • Define the requirements that criminal background checks are performed on employees
  • Define the frequency for penetration tests and location of documented results
  • Define anti-virus standards including actions to be taken when a virus is detected
  • Define the risk management program
  • Categorize data based on sensitivity
  • Define the due diligence performed on third parties
  • Define data encryption requirements
  • Define encryption key management requirements
  • Define remote access procedures
  • Define a log and firewall review schedule
  • Define automated alerts on security, logging and monitoring systems
  • Require that security awareness training is performed annually
  • Define data retention and destruction procedures
  • Define how visitors are identified and logged
  • Define data center environmental controls
  • Define how facility entry points are secured, including the use of cameras to monitor sensitive areas and the retention period for the recordings
  • If wireless is used, define the strong authentication and encryption in place for wireless networks and mobile devices
  • Define the process for the inventory and review of all computer equipment maintained



Business Continuity


Business continuity describes the processes and procedures an organization has in place to ensure that essential functions will continue during and after a disaster. Business continuity planning seeks to prevent interruption of mission-critical services and to recover as swiftly and smoothly as possible. The plan should be reviewed and updated at least annually, or whenever systems are modified or enhanced.


 


The business continuity plan should include the following:

  • Include a risk analysis or a reference to the risk assessment in the document
  • Include a Business Impact Analysis in the document
  • Define redundant processes that are in place to continue business
  • Define roles for all crisis management team members
  • Define cross-training in the plan
  • Define the BC/DR testing, including the frequency of the test (at least annually) and make sure the results are documented
  • Define communication responsibilities for clients and staff
  • Document the locations covered by the plan, including data center locations
  • Document that backup recovery testing occurs annually


 


Change Control


Change control is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into a system or undoing changes made by other users or software. The goals of a change control procedure usually include minimal disruption of services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change.


 


The change control procedure should include the following:

  • Define how infrastructure and software changes are documented and formally approved
  • Define the user acceptance testing process
  • Define how changes are tested in a separate user acceptance testing (UAT) environment prior to implementing into production
  • Define documented back out procedures required for changes
  • Define segregation of duties
  • Define change release cycles
  • Define the process for emergency changes


 


Risk Assessments


An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage IT systems, but as an essential management function of the organization.


 


Risk assessments are an important part of evaluating your organization's controls and overall security.


 


The risk assessment should include the following:


  • A clearly defined process for assessing and scoring threat likelihood, business impact, the controls in place and the residual risk that remains after those controls. If the residual risk score exceeds the defined acceptable risk level, a remediation plan including the proposed additional controls should be included.
  • Assessments should include all methods of handling customer information, including:
    • Access, collection, storage, use, transmission and disposal


 


The following publications can be used to assist in the development of the program.

CVV/PIN Generation Policy (Processors only)


Requirement 3.2 of the PCI DSS prohibits storing sensitive authentication data after authorization, even if it is encrypted: the full track data, the card verification code (CVV2/CVC2/CID) and the PIN or encrypted PIN block. A processor that generates CVVs and PINs must therefore handle them only transiently, under the key management controls below. The CVV/PIN generation policy should:


  • Describe the equipment and methodologies used to ensure PINs are kept secure
  • Define the key creation and key management procedures
  • Define how keys are conveyed and/or transmitted
  • Define the process used to administer keys
  • Define the process used for key loading to hosts and PIN entry devices
  • Define how unauthorized key usage is prevented or detected
  • Define the manner in which the equipment used to process PINs and keys is managed
  • Define key storage and management procedures
  • Define whether PINs or CVV/CVV2s are stored anywhere on the network, how such storage is detected (for example, by scanning logs, databases and file shares for card data) and how it is prevented in the future
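The last item above is the one a processor can actually test rather than assert. The following Python scanner is an added example, not part of the original document: it finds Luhn-valid PANs and labelled CVV/PIN values in text such as logs or database exports, so that stored sensitive authentication data is detected instead of assumed absent. The regular expressions, the severity labels and the sample log lines (which use the standard 4111... and 5500... test card numbers) are constructed for illustration.

```python
# Added example: scan text (logs, exports, file shares) for sensitive
# authentication data that PCI DSS Requirement 3.2 says must not be stored.
# Not code from the original document; the regexes, severity labels and the
# sample log lines are assumptions constructed for illustration.
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits (so 16 digits inside a 20-digit ID are
# not reported, and a Luhn-valid substring of a non-PAN is not either).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Labelled card verification values and PINs, e.g. "cvv2=123" or "pin: 4321".
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\b\s*[:=]\s*(\d{3,6})", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PAN candidates (digits only) found in the text."""
    pans: List[str] = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_line(line: str) -> Dict[str, object]:
    """Classify one line: 'violation' if a CVV/PIN is present at all (never
    storable), 'pan_cleartext' if only an unmasked PAN is present (storable
    only if rendered unreadable), otherwise 'clean'."""
    pans = find_pans(line)
    sad = [(label.lower(), value) for label, value in SAD_RE.findall(line)]
    if sad:
        severity = "violation"
    elif pans:
        severity = "pan_cleartext"
    else:
        severity = "clean"
    return {"pans": pans, "sad": sad, "severity": severity}


# Constructed sample: what a careless authorization log might look like.
SAMPLE_LOG = """\
2015-01-22 10:01:07 auth ok pan=4111 1111 1111 1111 cvv2=123 amount=19.99
2015-01-22 10:01:09 auth ok pan=411111******1111 amount=19.99
2015-01-22 10:02:44 auth declined ref=4111111111111112 amount=5.00
2015-01-22 10:03:10 pinpad reply pin=4321 term=TRM-07
2015-01-22 10:04:02 auth ok pan=5500000000000004 amount=42.00
"""


def scan_log(text: str = SAMPLE_LOG) -> List[Dict[str, object]]:
    """Scan every line of a log and return one result per line."""
    return [scan_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    for result in scan_log():
        print(result)
```

Line one is the real problem (PAN plus CVV2 together), line two shows a correctly truncated PAN, line three is a 16-digit reference that fails the Luhn check and is therefore not reported, line four stores a PIN with no card number at all and is still a violation, and line five is a clear-text PAN that is only acceptable if the file is encrypted or the PAN is otherwise rendered unreadable.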


 


SSAE16


The vendor's SSAE 16 (SOC 1) report should address the following controls.


  • An Information Security Policy exists and has been approved by an appropriate level of executive management
  • Procedures exist and are followed to authenticate all users of a system (both internal and external) to support the existence of transactions
  • Procedures exist and are followed relating to the timely action of requesting, establishing and issuing user accounts
  • Procedures exist and are followed relating to the timely action of suspending and/or changing user accounts
  • A control process exists and is followed to periodically review and confirm access rights
  • IT security staff monitors and logs security activity at the operating system, application and database levels and identified security violations are reported to senior management
  • Access to facilities is restricted to authorized personnel and requires appropriate identification and authorization.
  • Request for program changes, system changes and maintenance (including changes to system software) are standardized, logged, approved and documented and subject to formal change management procedures
  • Emergency change requests are documented and subject to formal change management procedures
  • Controls are in place to restrict migration of programs to production to authorized individuals only
  • The organization has a system development life cycle (SDLC) methodology, which includes security and processing integrity requirements for the organization.
  • Post-implementation reviews are performed to verify controls are operating effectively
  • A testing strategy is developed and followed for all significant changes in applications
  • The organization has policies and procedures regarding computer operations which are periodically reviewed, updated and approved by management
  • Management protects sensitive information – logically and physically, in storage and during transmission – against unauthorized access or modification
  • Management has implemented a strategy for critical backup of data and programs
  • The restoration of information is periodically tested
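Two of the controls above (removing or disabling accounts on termination, in the Information Security list, and the periodic review of access rights, in the SSAE 16 list) can be tested with a reconciliation of the HR roster against a directory export. The following Python script is an added example, not from the original document; the CSV layouts, the 90-day staleness threshold and the sample rows are constructed for illustration.

```python
# Added example: reconcile the HR roster against a directory export to test
# two controls (accounts disabled on termination; periodic access review).
# Not code from the original document; the CSV layouts, the 90-day staleness
# threshold and the sample data are assumptions constructed for illustration.
import csv
import io
from datetime import date
from typing import Dict, List, Optional

# Constructed HR roster: who should have access, and who has left.
HR_CSV = """\
employee_id,name,status,termination_date
1001,Ann Lee,active,
1002,Bob Ruiz,terminated,2015-01-05
1003,Cy Park,terminated,2014-12-20
1004,Dee Wong,active,
"""

# Constructed directory export (what an AD or LDAP dump might look like).
DIR_CSV = """\
username,employee_id,enabled,last_logon
alee,1001,true,2015-02-10
bruiz,1002,true,2015-01-12
cpark,1003,false,2014-12-19
dwong,1004,true,2014-10-01
svc_backup,,true,2015-02-11
"""

AS_OF = date(2015, 2, 16)  # the date the review is run


def _parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def review_access(hr_csv: str, dir_csv: str, as_of: date,
                  stale_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account that fails the review."""
    roster = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings: Dict[str, List[str]] = {}
    for acct in csv.DictReader(io.StringIO(dir_csv)):
        issues: List[str] = []
        enabled = acct["enabled"].strip().lower() == "true"
        last_logon = _parse_date(acct["last_logon"])
        owner = roster.get(acct["employee_id"])
        if owner is None:
            # No HR record: a service or shared account with no named owner.
            issues.append("orphan")
        elif owner["status"] == "terminated":
            terminated = _parse_date(owner["termination_date"])
            if enabled:
                issues.append("terminated_but_enabled")
            if terminated and last_logon and last_logon > terminated:
                # The account was used after the leaver's last day.
                issues.append("used_after_termination")
        if enabled and last_logon and (as_of - last_logon).days > stale_days:
            issues.append("stale")
        if issues:
            findings[acct["username"]] = issues
    return findings


def run_review() -> Dict[str, List[str]]:
    """Run the review over the constructed sample data."""
    return review_access(HR_CSV, DIR_CSV, AS_OF)


if __name__ == "__main__":
    for user, issues in sorted(run_review().items()):
        print(f"{user:12} {', '.join(issues)}")
```

On the sample data, bruiz left on 5 January but is still enabled and logged on a week later, which is the finding a due diligence reviewer most wants evidence of; cpark was disabled correctly and produces nothing; dwong is an active employee whose account has not been used in over 90 days; and svc_backup has no owner in HR at all. The same reconciliation run monthly, with its output retained, is the evidence for the "periodically review and confirm access rights" control.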
Thursday, January 29, 2015

News of the day

These are important news updates everyone should know. Thanks to Brian Krebs and Info Risk Today for the stories.

Serious 'GHOST' Flaw Puts Linux at Risk
US-CERT Warns: Linux Patches Are Available, Update Now


Article can be read here: GHOST flaw in Linux


FBI: Businesses Lost $215M to Email Scams


Article can be read here: http://krebsonsecurity.com/2015/01/fbi-businesses-lost-215m-to-email-scams/



Thursday, January 22, 2015

When Should I Use Credit and When Should I Use Debit When Shopping?



The million-dollar question that everyone, including me, has an opinion on. Here are my two cents.



When you have the option to use debit or credit, you're probably using a debit card: a card issued by a bank, backed by your checking account, but also carrying a Visa or MasterCard logo. Depending on what you pick, different things happen when the payment is processed:

When you select debit: You enter your PIN and the funds are deducted from your bank account immediately. If they're unavailable, the bank has the option—depending on your agreement with them—to pay the charge and hit you with an insufficient funds fee, or to decline the charge. To the merchant, this transaction is as close to cash as you can get without using bills and coins, and offers them more forgiving transaction fees than credit cards.

When you select credit: The transaction requires a signature and is processed over the card network. The funds may or may not be immediately deducted from your bank account, depending on how the retailer handles its transactions. Some stores "batch" their credit transactions and send them in at the end of the day. Depending on the bank, running the card as credit can give you some of the anti-fraud protection that credit cards offer (more on that a little later). This isn't universal though, so you should check with your bank to be sure. Finally, to the merchant, processing a transaction as credit usually carries a higher fee, paid through the card networks such as Visa and MasterCard.


If you are shopping in a small business or a locally owned shop, you may want to use your card as debit (or just pay with cash) instead of credit so they don't have to get hit with that credit processing fee. At the same time however, signing for your purchase as credit can give you some of the anti-fraud protection and delay the charge hitting your account—depending on the bank. Wells Fargo Bank, for example, considers debit transactions "online" and deducts them immediately, while credit transactions are "offline" and offer protection by Visa before they're processed.

There are pros and cons to each, and now that you know the difference at the cash register, let's talk about when you should use credit cards (or tap credit) and when you should go for debit instead.

When You Should Use Debit Cards or Credit Cards for Your Purchases



Debit and credit are handled differently when it's time to make the purchase, but before you even get to the register or click "check out" when you're shopping online, there are more differences you should be aware of. To be up-front, in almost all cases there are benefits to using credit cards that debit or cash simply don't provide, but you have to decide whether or not those benefits are worth using a credit card (and accepting the financial issues that come with it; eg. debt, interest, etc). Here's how to tell when you're better off using which:


When Credit Is the Best Option


If you're shopping online. Credit cards are by far your safest option when shopping online, both because the credit card issuers watch for fraudulent charges and because, if you detect fraud yourself, you can dispute a charge and get it reversed quickly, thanks to credit card issuers' "zero liability" policies. You're not liable for unauthorized charges, unlike debit transactions, which are much closer to cash (and are protected in some cases, but that varies from bank to bank).

If you're making large purchases or electronics purchases. Most credit cards offer their own warranty protection for your purchases just for using a credit card for the transaction. Some of those warranties go beyond what's offered by the manufacturer, and offer you extra coverage, which is really useful for electronics, appliances, or other large purchases. Of course, before you buy, read up on the manufacturer's warranty and the return policy of the store.

If you're traveling or are on vacation. If you're away from home, the added anti-fraud protection offered by credit cards can be essential if someone steals your card number or you accidentally use a shady ATM in some tourist trap, designed to harvest card data. With a credit card, you can put a stop to it without being liable for the charges (if the credit card company doesn't detect it first). Similarly, using your card for travel may open up perks to you, like discounts on rental cars, frequent flyer miles, or cash back on purchases. Finally, many hotels, airlines, and other travel companies only use credit cards for reservations and bookings. If you use debit, they may put a massive hold on your account, which can be inconvenient if you need to spend your money.

Our friends at Credit Karma have some more cases where credit beats out debit, like when you're using a rewards card or a card that offers you perks for purchases, and if you're trying to repair your credit after bankruptcy or foreclosure.


However, in both of those cases (and all others, frankly), you should be sure that the financial risks associated with credit cards are worth the benefits you'll get. A few hundred points won't make much difference if you're carrying interest on a pair of movie tickets. Make sure you pay off those credit cards at the end of the month every month, or at least pay off the transactions you charge up in order to get your rewards.



When Debit Is the Best Option


If the other party needs to be paid immediately. Since debit transactions are handled almost instantaneously, they're also the fastest method of payment. If you're swiping your card and speed is an issue, debit is the best option.

When you've automated your finances and are on a budget. The beauty of automating your finances is that you can carry a debit card that's specifically for your personal or luxury purchases. You can use it as much as you like, as long as you're within your budget, and if you go over your budget, that's it—the card won't work anymore. Bright side: you won't incur overdraft fees, and you won't pay interest on the drinks you had at the bar on Friday night, which overall will keep you in better financial health.

If you're watching your finances, or recovering from poor money management habits. Credit cards aren't for everyone. They're a tool—a powerful tool—but like any tool, they're good for some people and bad for others. If you have a hard time managing your money or living within your means, you may be better off leaving the credit card at home entirely and finding a bank that offers a zero liability policy on your debit account, so you're protected from fraudulent transactions. That way you can budget, spend only what you have, and still be protected in case someone steals your card number and PIN.

If you want the best exchange rate on foreign currency. Credit cards can be better for card purchases abroad, but if you need actual currency in a country that's not your own, your best bet is to use your debit card and hit the ATM. When you do, you generally get the "wholesale" exchange rate, which is reserved for interbank transactions and superior to the exchange rate you'd get on your account statement if you just swiped your plastic.

We have to point out again that since debit is essentially the same as cash, you have to check with your bank to make sure you have anti-fraud protection, and any transactions you don't authorize or want to dispute will be refunded to you. Many banks only offer zero liability policies if you swipe your debit card like credit—if you don't, it's same as cash, and if you're double-billed for example, you have to contact the retailer to get it straightened out (which can suck if you were traveling or the retailer was a bar or restaurant), or file a lengthy dispute—during which you're out the money you're arguing over.




Depending on the circumstances, credit can be a much more powerful and flexible option than debit. You're not liable for fraudulent charges, your purchases can be protected from defects and failures, and disputes are handled quickly without you having to pay up just to get your money back. However, credit cards are still credit, and you're in debt for the purchases you make. You pay interest on them, and not being able to handle your credit wisely can lead to serious financial problems. Sometimes it can be better to not spend at all unless you have the money to spend—in which case debit (and cash) are better options.

In either case, choose the option that's best for you in the situations we've described. Think carefully about how you manage your money, and how well you handle credit. The answer for you may not be the answer for someone else—but at least you'll know the answer.

 

Monday, December 29, 2014

Over 700 Million People Taking Steps to Avoid NSA Surveillance

There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."
The press is mostly spinning this as evidence that Snowden has not had an effect: "merely 39%," "only 39%," and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users -- which is not everybody -- who have heard of him. So it's much less than 39%.)
Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)
Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that's an additional 46 million people around the world.
It's probably true that most of those people took steps that didn't make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It's probably even true that some of those people didn't take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.
Name another news story that has caused over ten percent of the world's population to change their behavior in the past year? Cory Doctorow is right: we have reached "peak indifference to surveillance." From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.
Related: a recent Pew Research Internet Project survey on Americans' perceptions of privacy, commented on by Ben Wittes.


This essay previously appeared on Lawfare.

12 Step Security Program - BE SAFE



Good security advice can be hard to find. Lots of security experts offer help, but not all of their tips are accurate or up-to-date, and many address PC security only. So even if you follow their advice, you may be more vulnerable than you think. That's where we come in. We've assembled a dozen simple but essential tips--a 12-step security program--to keep your PC, smartphone, gadgets, and identity safe. The steps are practical and fairly easy to perform, so you can strengthen your security without losing your mind in the process.
1. Use virtual credit card numbers to shop online
You have good reason to be nervous when using your credit card number to shop online. After all, you may know little or nothing about the company you're buying from, and your credit card information is at risk of being compromised in a data breach. Using a virtual credit card number is one way to make your Internet shopping excursions more secure.


Essentially a wrapper for your regular credit card or debit card account, a virtual card number is good for one use only (some issuers instead let you cap the amount it can charge or the date it expires). When you use the virtual number, the bank that supplied it charges your purchase to your regular credit or debit card. If the merchant is breached later, the attackers get a throwaway number that is already spent or expiring, never the underlying card details.


Various financial institutions maintain some sort of virtual credit card program. Bank of America, for instance, offers a ShopSafe service, and Discover has a similar service built around what it calls a Secure Online Account Number. Check with your bank or card issuer to see what options are available. Alternatively, consider Shop Shield, a virtual card number service that you can use with any credit card or checking account.


2. Secure your Wi-Fi
Is your Wi-Fi network at home password-protected? If not, it should be. You might not care if your neighbors use your Wi-Fi connection to surf the Web, but someone with more sinister motives could take advantage of your generosity (and lack of protection) to gain access to data stored on your home PCs.


The easiest way to guard against Wi-Fi interlopers is to encrypt your Wi-Fi network. Afterward you'll have to enter a password whenever you connect to your Wi-Fi network, but that's a small price to pay for improved security. Most Wi-Fi routers support the WEP, WPA, and WPA2 encryption standards. Use WPA2 with AES (CCMP) encryption if your router and devices support it, and WPA only as a fallback for older hardware. Do not use WEP: its key can be recovered from captured traffic in minutes with freely available tools, so it is barely better than no encryption at all. Pick a long passphrase for the network, too, since WPA/WPA2 in personal mode is only as strong as that passphrase is hard to guess, and turn off WPS (the push-button or PIN setup feature) if your router offers it, because the PIN scheme can be brute-forced.


Another safeguard often recommended is to set your router not to broadcast the SSID (your network's name).
With SSID broadcasting disabled, the network won't show up in the list of nearby networks on a casual user's computer, and only people who know the name can connect by typing it in. Treat this as a minor nuisance for neighbors rather than real protection: a hidden SSID is still transmitted in the clear whenever a client connects, so anyone with a wireless sniffer sees it within seconds, and some client devices will broadcast the hidden name wherever they go while looking for it. Encryption is what actually keeps outsiders off the network. The procedure for locking down your Wi-Fi will vary depending on your router's model and manufacturer; check the router's documentation for instructions.


3. Encrypt Your Hard Drives
Hard drives and USB flash drives are treasure troves of personal data. They're also among the most common sources of data leaks. If you lose a flash drive, external hard drive, or laptop containing sensitive personal information, you will be at risk. A system password alone doesn't help here: whoever has the hardware can pull the drive, attach it to another machine, and read every file. Encrypting the drive closes that gap. Encryption scrambles the data on the drive so that, without the encryption password (or the recovery key), the files are unreadable no matter which machine the drive is plugged into.
The Ultimate and Enterprise editions of Windows 7 and Vista come with BitLocker, a tool that lets you encrypt your entire hard drive (the Business and Home editions don't include it). If you don't have one of those editions, another alternative is TrueCrypt, a free, open-source tool that can encrypt your entire disk, a portion of a disk, or an external drive. Note that TrueCrypt's developers abandoned the project in 2014; VeraCrypt is the maintained successor and can open TrueCrypt volumes. For its part, Mac OS X includes FileVault, a tool for encrypting your Mac's home folder; Lion (Mac OS X 10.7) introduced FileVault 2, which encrypts the whole startup disk. Whichever tool you use, store the recovery key somewhere other than the encrypted drive itself, or a forgotten password will lock you out for good.
Another option is to buy external hard drives and flash drives equipped with encryption tools. Some of these drives have built-in fingerprint readers for additional security. See "Secure Flash Drives Lock Down Your Data" for more about secure flash-drive options.


4. Keep Your Software Up-to-Date
One of the simplest but most important security precautions you should take is to keep your PC's software up-to-date. I'm not talking exclusively about Windows here: Adobe, Apple, Mozilla, and other software makers periodically release fixes for various bugs and security flaws. Cybercriminals commonly exploit known vulnerabilities, and Adobe Reader is a constant target of such assaults.
Not infrequently, the latest version of a popular program introduces entirely new security features. For example, Adobe Reader X, the newest version of the company's PDF reader at the time of writing, added Protected Mode, a sandbox that runs the PDF-rendering code with reduced privileges so that a malicious document exploiting a bug in Reader can't easily write to your files or install software. If you still use an earlier version of Adobe Reader, you aren't benefiting from that protection.


Most major commercial software packages come with some sort of automatic updating feature that will inform you when a new update is available. Don't ignore these messages; install updates as soon as you can when you're prompted to do so. It's a little bit of a hassle, but it can prevent major headaches later on.
5. Upgrade to the latest antivirus software
If you're running antivirus software from two or three years ago, you should upgrade to the most recent version, even if you still receive up-to-date malware signature files for the older edition. The underlying technology for antivirus software has improved significantly in recent years.


To detect threats, antivirus products today don't rely solely on the traditional signature files (regularly updated files that identify the latest malware). They also use heuristic techniques to detect and block infections that no one has seen yet. Given how frequently new viruses crop up in the wild, the ability to protect against unknown malware is critical.
6. Lock down your smartphone
If you use your smartphone the way I use mine, your handset probably contains lots of personal information--e-mail addresses, photos, phone contacts, Facebook and Twitter apps, and the like. That accumulation of valuable data makes smartphones a tempting target for thieves and cybercriminals, which is why the smartphone is shaping up as the next big security battleground.


Android phones are already being hit with Trojan horses and other types of malware, and security experts agree that mobile malware is still in its infancy. Worse, many users don't think of their phones as computers (though that's what the devices are), so they don't take the same security precautions they would with a PC. If you haven't downloaded a security app for your Android phone, you should. Most smartphone security apps are free, and it's far better to have one and never need it than to get caught off-guard and exposed without one.
If you have an Android phone, the first app you should install on it is an antivirus program. Besides scanning for malware, mobile antivirus apps may support such features as a remote wipe (so you can securely remove all data stored on the phone if you lose it), GPS tracking (for locating your phone if you misplace it), and SMS spam blocking.


Our favorite freebie in this category is the Lookout Mobile Security app. Lookout scans your phone for existing malware threats and automatically scans any new applications you install on your handset. Other popular antivirus apps, available for a subscription fee, are Symantec's Norton Mobile Security (beta version), AVG's Antivirus Pro, and McAfee's WaveSecure.
Because Apple's App Store takes a more restrictive approach to apps offered for sale there, iPhone owners generally don't have to worry as much about malware, though it's always possible for something to slip through the cracks. Apple hasn't allowed any proper antivirus applications into the App Store, either, but you do have some security options.


One is a device tracking and remote-wipe service from Apple called Find My iPhone. It comes as part of Apple's paid MobileMe service ($99 per year), but Apple also offers it to any iPhone, iPad, or iPod Touch owner, free of charge. With Find My iPhone, you can lock and remotely delete data stored on your iPhone, track the device via GPS, remotely set a passcode, and display an on-screen message with an alarm sound (so you can find it if you misplace it around your house or office).
One more tip: When choosing a mobile antivirus program, it's safest to stick with well-known brands. Otherwise, you risk getting infected by malware disguised as an antivirus app.


7. Install a link-checker plug-in
Security threats may lurk in seemingly innocuous Web pages. Legitimate sites may get hacked, cybercriminals game search engines to make sure that their infected pages come up in searches for hot topics (a technique known as "search engine poisoning"), and seemingly safe sites may harbor malware. Although you have no way to guard against these attacks completely, using a link checker can help protect you from many of them.


Link-checker tools typically show small badges next to links in search results and elsewhere to indicate whether a site is trustworthy, dangerous, or questionable. Many such tools also add a status indicator to your browser's toolbar to signal the presence of any problems with the site that you're currently visiting.
Various options are available: AVG LinkScanner, McAfee SiteAdvisor, Symantec Norton Safe Web Lite, and Web of Trust are all available for free. Many security suites come with a link scanner, too.


8. Don't neglect physical security
A thief can snatch an unattended laptop from a desk and walk away in a matter of seconds. And a thief who has your laptop may have access to your files and personal information. A notebook lock won't prevent someone from cutting the cable, but it can deter crimes of opportunity.


Kensington is probably best-known for its notebook locks; it offers an array of locks for laptops and desktops. Targus is a second vendor that specializes in laptop security gear, including one lock that sounds an alarm when someone tries to pick up the attached laptop or cut the lock cable.
Prying eyes are a common security hazard. To prevent unauthorized viewing of your data when you step away from your desk, always lock your screen before leaving your PC unattended. To do this, simply hold down the Windows key and type the letter L. This will bring up the lock screen. To get back to work, press Ctrl-Alt-Delete, and enter your login password at the prompt. As a backstop for the times you forget, set the screen saver or power settings to lock the screen automatically after a few minutes of inactivity.


Another way to shield your screen is to install a privacy filter over the display. These filters fit directly on a monitor so other people can't peer over your shoulder and see what's on the screen. A privacy filter may be particularly useful if you work in an "open" office that lacks cubicle walls. Various companies sell these filters, including Targus, 3M, and Fellowes.
9. Make HTTPS your friend
When you're browsing the Web, protect yourself by using HTTPS (Hypertext Transfer Protocol Secure) whenever possible. HTTPS encrypts the connection between your PC and the Website you're visiting, and verifies that you're talking to that site rather than an impostor. Though HTTPS doesn't guarantee that a site is secure (the site itself can still be hacked or badly written), it does stop anyone sitting on the network path, such as another user on the same open Wi-Fi, from reading your traffic, tampering with it, or copying the session cookie that keeps you logged in.


Many sites use HTTPS by default: When you purchase an item online or log in to online banking, for instance, your browser will probably connect to the site via HTTPS automatically. When this was written you could go one step further by enabling HTTPS for all traffic on Facebook, Twitter, and Gmail, which otherwise dropped back to plain HTTP after login. All three have since moved to HTTPS-only, but the steps below show what to look for on any service that still offers it as an option.
To use Facebook's HTTPS feature, log in to Facebook and click Account in the upper-right corner. Select Account Settings from the drop-down menu, and look for ‘Account Security' on the resulting page. Under the Account Security heading, click Change, check the box next to Browse Facebook on a secure connection (https) whenever possible, and click Save.


For Twitter, first log in to your account. If you're using the new Twitter interface, click your account name in the upper-right part of the screen, and select settings. (If you're still using the old Twitter interface, click the Settings link in the upper right of the window.) From there, scroll down to the bottom of the resulting page, check the box next to Always use HTTPS, and click Save.
To enable HTTPS on Gmail, log in to your account, click the gear icon in the upper-right corner, and select Mail Settings from the drop-down menu. Next, under the Browser Connection heading, select the button labeled Always use https. When you're all set, scroll to the bottom of the page and click Save Changes. To learn more about Gmail security, visit Google's Gmail Security Checklist page.


10. Avoid public computers and Wi-Fi
As convenient as free Wi-Fi and publicly available computers may be at, say, a public library or café, using them can leave you and your personal information exposed. Public computers might be infected with spyware and other types of malware designed to track your movements online and harvest your passwords.


The same is true of open Wi-Fi networks. Cyberthieves may set up rogue Wi-Fi networks that look legitimate (for instance, one may be named for the café that you're visiting) but enable the crooks to collect your personal information. Even legitimate open Wi-Fi networks may leave you vulnerable, because anything sent over plain HTTP is readable by everyone else on the same network. For an example, look no further than the Firesheep plug-in for Firefox, which sniffs the session cookies that social networks and other sites sent unencrypted after login and lets just about anyone take over those logged-in sessions with a click.
Sometimes, you may have no choice but to use a public computer or Wi-Fi network. When you do, don't use it to check your e-mail or social network accounts, conduct online banking, or perform any other action that entails logging in to a site. If you have access to a VPN, use it.
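The two sections above come down to one question about a site: does its login session ever travel over plain HTTP? The following Python script is an added example, not code from the original article or from any of the products it names; it parses constructed Set-Cookie and Strict-Transport-Security headers and reports which cookies a Firesheep-style sniffer on an open network could capture. The sample headers, the hardened variant, and the list of session-cookie names are all assumptions made for the example.

```python
"""Audit Set-Cookie and HSTS headers for the protections that stop a Firesheep-style
passive hijack.  Uses constructed sample headers; no network access needed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example of what a site that uses HTTPS only for its login page might send.
# The session cookie lacks the Secure flag, so the browser will also attach it to plain
# HTTP requests, where anyone on the same open Wi-Fi network can sniff and replay it.
WEAK_HEADERS = [
    "Set-Cookie: sessionid=8f3a2c9e1b7d; Path=/; HttpOnly",
    "Set-Cookie: csrftoken=d41d8cd98f00; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
    "Content-Type: text/html; charset=utf-8",
]

# Constructed hardened version of the same response: every cookie is Secure and the site
# tells browsers to use HTTPS for a year, so the session token never touches plain HTTP.
HARDENED_HEADERS = [
    "Set-Cookie: sessionid=8f3a2c9e1b7d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: csrftoken=d41d8cd98f00; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/; Secure",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Content-Type: text/html; charset=utf-8",
]

# Cookie names that conventionally carry a login session (assumed list; extend as needed).
SESSION_COOKIE_NAMES = ("sessionid", "phpsessid", "jsessionid", "sid", "session")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}); bare flags map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, attr_value = part.partition("=")
            attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_cookie(value: str) -> CookieReport:
    """Flag the attributes whose absence lets a cookie leak or be misused."""
    name, _, attrs = parse_set_cookie(value)
    report = CookieReport(name, "secure" in attrs, "httponly" in attrs, attrs.get("samesite"))
    is_session = name.lower() in SESSION_COOKIE_NAMES
    if not report.secure:
        report.findings.append("no Secure flag: also sent over plain HTTP, so a sniffer on open Wi-Fi can copy it")
    if is_session and not report.httponly:
        report.findings.append("no HttpOnly flag: readable by any script injected into the page")
    if is_session and report.samesite is None:
        report.findings.append("no SameSite attribute: attached to cross-site requests (CSRF)")
    return report


def audit_headers(headers: List[str]) -> List[CookieReport]:
    """Run audit_cookie over every Set-Cookie header in a response."""
    return [audit_cookie(h.split(":", 1)[1]) for h in headers if h.lower().startswith("set-cookie:")]


def hijackable_cookies(headers: List[str]) -> List[str]:
    """Names of cookies a passive eavesdropper could capture from a plain-HTTP request."""
    return [r.name for r in audit_headers(headers) if not r.secure]


def has_hsts(headers: List[str]) -> bool:
    """True if the response carries Strict-Transport-Security with a positive max-age."""
    for h in headers:
        key, _, value = h.partition(":")
        if key.strip().lower() == "strict-transport-security":
            for directive in value.split(";"):
                k, _, v = directive.strip().partition("=")
                if k.strip().lower() == "max-age" and v.strip().isdigit() and int(v) > 0:
                    return True
    return False


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"[{label}] HSTS: {has_hsts(headers)}  hijackable: {hijackable_cookies(headers)}")
        for report in audit_headers(headers):
            for finding in report.findings:
                print(f"  {report.name}: {finding}")
```

Run it and the weak response lists `sessionid` and `theme` as capturable while the hardened one lists nothing. The point for a user is the same one the article makes: an "always use HTTPS" setting is what turns the first response into the second, and until every cookie carries the Secure flag, logging in from a café network hands the session to whoever is listening. You can check a real site the same way by pasting the response headers from your browser's developer tools into `WEAK_HEADERS`.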


11. Be password smart
You probably know already that using obvious or easy-to-discover passwords like "password" or your pet's name is a bad idea. But how can you make your passwords significantly more secure?


First, you need to use a different long, strong password for each account, so that one leaked password doesn't unlock the rest. Hackers often attempt to break into accounts by employing a "dictionary attack," which involves trying words straight from a dictionary (or from lists of passwords leaked in earlier breaches) against your password. Cracking tools don't stop at the bare words: they automatically apply "mangling rules" that capitalize the first letter, swap letters for look-alike symbols, and append digits or a year, so none of those tricks put a password out of the dictionary's reach. Don't use standard words, or lightly disguised ones, as your passwords; build them instead from a combination of letters, numbers, and symbols that isn't derived from a single word. Replacing letters in a word with a symbol (for example, using the @ symbol in place of an A) is exactly the kind of substitution the rules already cover, and mixing lowercase and capital letters helps only if the capital isn't simply the first letter.


Basically, the longer and less predictable a password is, the better; length counts for more than one extra symbol. But try to use something that you'll be able to remember--a mnemonic of some sort that incorporates various alphanumeric symbols, or a passphrase made of several unrelated words--and that nobody but you would know.
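To make the mangling-rule point concrete, here is an added example in Python (not code from the original article) of the kind of rule-based dictionary attack the paragraph above describes. The six-word wordlist, the substitution and suffix rules, and the three target passwords are constructed for the example; real attacks use wordlists of millions of entries and far larger rule sets, but the mechanics are the same.

```python
"""Rule-based dictionary attack: why a dictionary word with @ for A and a digit on the
end is still a dictionary word to a cracker.  Wordlist and targets are constructed."""
import hashlib
import itertools
from typing import Iterator, List, Optional, Tuple

# Constructed miniature wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "welcome", "dragon", "monkey", "letmein", "sunshine"]

# Mangling rules a cracker applies to every word (the "tricks" people think are clever).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "12", "123", "!", "!1", "2011"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for whatever a breached site stored; the mangling attack
    works the same against bcrypt or Argon2 hashes, just slower per guess."""
    return hashlib.sha256(password.encode()).hexdigest()


def case_variants(word: str) -> Iterator[str]:
    """The three capitalizations people actually use."""
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word: str) -> Iterator[str]:
    """Every combination of the substitutable letters replaced (none, some, or all)."""
    letters = sorted({c for c in word if c in LEET})
    for r in range(len(letters) + 1):
        for combo in itertools.combinations(letters, r):
            mangled = word
            for c in combo:
                mangled = mangled.replace(c, LEET[c])
            yield mangled


def candidates(wordlist: List[str]) -> Iterator[str]:
    """Expand each word through case, leet and suffix rules, yielding each candidate once."""
    seen = set()
    for word in wordlist:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    candidate = leeted + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def crack(target_hash: str, wordlist: List[str] = WORDLIST) -> Tuple[Optional[str], int]:
    """Return (recovered_password, guesses_tried); the password is None if no rule hits."""
    tries = 0
    for candidate in candidates(wordlist):
        tries += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, tries
    return None, tries


def search_space(wordlist: List[str] = WORDLIST) -> int:
    """How many distinct guesses the rule set generates for this wordlist."""
    return sum(1 for _ in candidates(wordlist))


if __name__ == "__main__":
    # Constructed targets: two "clever" dictionary words and one random four-word passphrase.
    for secret in ("P@ssw0rd!", "Dragon123", "tundra-velvet-orbit-gasket"):
        found, tries = crack(sha256_hex(secret))
        print(f"{secret!r}: {'cracked' if found else 'survived'} after {tries} guesses")
    print(f"rule set generates {search_space()} guesses from {len(WORDLIST)} words")
```

Both "P@ssw0rd!" and "Dragon123" fall to a few hundred guesses because capitalizing, substituting symbols and appending digits are the first rules any cracker applies. The passphrase survives not because it contains symbols (it doesn't) but because it isn't derived from a single list entry: four words chosen at random from a 7,776-word list give about 51 bits of entropy, far beyond what rule expansion of a short wordlist can reach.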


Remembering multiple passwords can be a challenge, which is why many people find that a good password manager is indispensable. KeePass is a good, free password-management option that works on Windows and Mac OS X systems.
12. Check your credit report each year
Unfortunately, even if you do everything right, bad guys might still succeed in stealing your identity. After all, you can control who has access to your personal information, but you can't control how well a company that you do business with secures its personal-data records.


Nevertheless, you can limit the damage that would result from undetected identity theft by checking your credit report regularly. Periodically checking your credit report is a good way to make sure that no one has opened credit card or bank accounts under your name.
If you live in the United States, you're entitled to receive one free credit report every 12 months from each of the three major credit agencies--Equifax, Experian, and TransUnion--via AnnualCreditReport.com. The service will let you examine and print out your credit report for free, but if you want to obtain your actual credit score, you'll have to pay for it. Since your freebie credit report is just a once-a-year affair, it's a good idea to insert a reminder in your calendar to check in again with AnnualCreditReport.com in 12 months. Staggering the three bureaus four months apart gives you a free look every few months instead of once a year.
