December 23, 2014

Security News: News you can use

December 20, 2014

Holiday OPSEC Poems

Here are a couple of holiday OPSEC poems I have seen circulating around over the years. I've never seen an author name associated with them so I can't really credit any particular person. Keep these rhymes in mind to remember OPSEC this season.

The week before Christmas

‘Twas the week before Christmas,
and all through the neighborhood,
thieves were out prowling,
they were looking for goods!
Uncollected newspapers
and grass two feet high -
Indicators the owner was not home,
and this caught the thief’s eye,
Now their home is empty,
the rooms are all bare,
If only they had remembered,
to be OPSEC Aware!


OPSEC and Ham

Sam I am.
Do you like OPSEC and ham?
I do not get it, Sam I am.
I do not get OPSEC and ham.
We must use it here and there.
We must use it everywhere.

You CAN share it in a car.
But you CANNOT in a bar.
You CANNOT share it in a text.
You CANNOT share it at the PX.
You CAN say it in your house.
But should NOT tell a random spouse.

You CAN say it in the shower.
But do NOT go sharing at happy hour.
DON'T make the security officer sweat.
DON'T post it on the internet.
You CANNOT share it in a tweet.
That would not be very sweet.

Beware of Facebook too!
It's tempting to let your feelings through.
You Cannot tell it to a friend.
NOT even at the very end.
It is a privilege to know a date.
DON'T tell ANYONE or they may be late!

Oh, I get it, Sam I am.
Now I get OPSEC and ham!
I will not tell anyone.
I will keep hushed until they're done!
I will not tell him or her.
I will not tell my dog with fur.
I will not tell my child's teacher.
I will not tell any creature.
Thank you, THANK YOU, Sam I am.

December 18, 2014

Happy Blog Birthday

It's that time of year.
This month Security Checks Matter hits the three year mark! Throw cyber confetti and pass the birthday cake. I thought I should do something special to mark this special occasion. Some blogs do give aways. Unfortunately, I really don't have anything to give except security advice, which I've been giving away all year. I know! We can reflect on how far we've come baby! :)

Reflecting upon the past three years, I can see how the blog steadily matured and continues to grow. Slow and steady can win the race, just ask the turtle from that old children's fable. Granted I don't have the millions of followers I had in my grand vision when I first started out on this trek, but then again, security never was the popular kid. Enough with the pity party!

The important thing is to take steps towards improvement.

Goal Review
One of my goals for the year was to maintain viewership at or above 400 per month.  Not only did I maintain it, I crushed it. I accredited this to maintaining social media presence (mainly Google +, Facebook, and Twitter), submitting to StumbleUpon, and leveraging SEO (especially in photo properties).

My other goal was to post at least twice a month. Success! Granted, there were a couple of months, that is all I posted, but there were other months of multiple posts.

Milestones
Besides reaching my goals, I reached some important milestones.
  • Reached 100th blog post and still posting. 
  • Security Poster Library with over 500 security posters became the most popular destination here. I'm hoping it is security officers looking to add variety to their security awareness programs.

Top 10 posts of 2014. About half-way through the year, I posted a mid-year review to conduct a check on the blog's performance for the year. During that post, we looked at the top five posts for 2014. Some of the posts picked up more views, while others lagged, and one didn't even make it to the end of year top ten.

10) 4 FREE Security Awareness Resources. This year I started providing tips and suggestions for security professionals to grow their own organic security awareness program using free resources. One major complaint most security officers give for not investing into an awareness and training program is a lack of a budget. With four free resources (no catch!), you can still build a viable program.

9) Thieves break into cars using unknown device. This article highlights the growing threat of car prowlers breaking into vehicles using an electronic device that targets the car's keyless entry. An interesting note, most of the car prowlers are not looking to steal your vehicle, rather they're searching for the contents within. 

8) Security posters of a bygone era. 2014 marks the 70th anniversary of the World War II Ally D-Day landing. To commemorate the anniversary, I gathered up some iconic security posters from the era.

7) Army uses TSP in phishing awareness. Early in 2014, an Army command used the Thrift Savings Program (TSP) as the topic in a phishing awareness exercise. Unfortunately, the exercise didn't go as according to plan.

6) Personal Security Measures. In this article, I provide some personal travel security measures I use as a woman in the security field. These easy to follow tips can help you stay safe and secure when planning any travel.

5) Experian Data Breach. Earlier this year, the major credit reporting bureau was part of an investigation involving selling people's credit information to a known identity thief.

4) 7 Home Security Tips for Summer. This article provides some helpful tips in securing your home while you go away for the summer.

3) SF 701 Instruction. Posted back in September without trying to market it, the post quickly picked up viewership. I find it rather odd due to the fact this topic belongs to a niche market.

2) Stupid on Social Media. When looking back on 2014, we'll see a bunch of stories about the idiots posting on social media making headlines. This post highlights a few cases.

1) SF 702 Security Container Check. Since this topic has such a niche audience, I am shocked that this became the most viewed post of 2014. Over the year, it became my most popular post of all time. I guess niche markets need material too.

2015 Goals.
Hold steady with two posts per months and keep views above 1,000. I'll continue to throw in a mix of advice for security professionals to grow their own organic security program, as well as tips for individuals to keep themselves secure throughout the new year. I'll will try to capitalize upon the niche market making its way to my little corner of the Internet. Another focus area for the upcoming year is to develop "evergreen" articles. No, I'm talking about trees here. I'm referring to timeless articles that can be reused throughout the year without appearing dated.

Let's hope 2015 brings even more joy, hope, safety, and security.

November 15, 2014

Cyber Monday Security

online shopping security tips

Year after year, Cyber Monday and general online holiday shopping have grown in popularity. You can easily understand why when you think about the convenience of shopping in the comfort of your home in pajamas instead of fighting traffic and long lines to shop at brick-and-mortar stores. However, after the major Target data breach during last year's shopping season along with later stories of other major retailers being hacked, consumers may want to look at adopting security measures to reduce the risk of becoming a future identity theft victim.

Here are some online shopping tips to keep you safe and cyber-crooks at bay during this shopping season.
  • Conduct independent research on sellers. Before entering your personal information on a website, check them out at the Better Business Bureau site to see if they're reputable company. If possible, read reviews by previous buyers to learn how they rate their experience. 

  • Shop on a computer instead of smartphone. Computers have antivirus, spam filters, firewalls, and other software to provide layers of security to alert you to risky sites and protect you from malware. Most smartphones lack this capability, which leave you vulnerable. 

  • Use trusted Interent connection and devices. Using unknown connection points, such as public Wi-Fi hotspots, easily leaves your information exposed to hackers. Unknown devices may have malware, keystroke recorders, or other malicious items hackers use in attempt to obtain sensitive personal information from unsuspecting people. Use only trusted, password protected connection points and devices.

  • Keep your anti-virus, spam filter, and software updated. Routinely companies release updates in attempt to address newly discovered vulnerabilities that hackers try to exploit. Make sure your computer has all the latest updates to keep you safe. Some anti-virus have an Internet add on that alerts you to the safety of the website. While this may slow down Internet searches by a few second, it is a minor time investment in security.

  • Google (as in the verb, not the noun) web address instead of typing in the address bar. Scammers often use similar or common misspellings of legitimate business sites to set up fake sites, which look very authentic. Search engines attempt to correct typos and direct you to the legitimate business website.

  • Use secure sites. The "https://" or a closed yellow padlock displayed at the bottom of the screen are your clues.

  • Use credit instead of debit cards. The federal Fair Credit Billing Act provides credit card consumers more protection than debit card users. Additionally, the debit card is directly tied to your bank account, so you're giving potential cyber thieves direct access to your money.

  • Use a separate card for online shopping. I recommend using a credit card with a low credit limit to be designated for online shopping. Some also use a debit card tied to a separate account  with limited amount of funds specifically used for online shopping. These options reduces your personal risk should the card accidentally become compromised. 

  • Change passwords. Online businesses often store your credit card and mailing information in your online account for convenience. Ensure you change the passwords to these accounts frequently (i.e. every 90 days), make them rather complex, and don't use the same password as your major online accounts such as Facebook or online banking. Read our The commonly common password to learn our password tips.

  • Protect your personal information. Pay attention to the privacy notice to see how the site would use the information you provide. If it is missing, that is your red flag that the site would use your information for other reasons, and you should have second thoughts about doing business with them.

  • Don't fall for high-pressure tactics. Scammers are notorious for using high pressure sale tactics, such as a "limited time only," "only a few in stock," or "buy now." Some legitimate businesses may use these taglines as well, but remember it is your money, you're in control, and it is okay to walk away if it is not something you need. If the deal is too good to be true, it probably is. 

  • Keep receipts and check credit card/bank statements. While it may be painful to look at how much you spent, checking your statement is important to spot fraudulent charges early. Compare the charges listed in your statement against your receipts. Scrub your statements for unauthorized charges and report them immediately. 


References:
ADT (2014). Black Friday and Cyber Monday 2014: Your safe shopping list. Retrieved from http://www.adtsecurity.com/black-friday-and-cyber-monday/

Cyber Monday Deals(n.d.).  Cyber Monday calls for extra security vigilance. Retrieved from http://www.1cybermondaydeals.com/cyber-monday-calls-extra-security-vigilance/ 

Junker, N. (27 November 2013). So many shoes, so little security: Your guide to Cyber Monday. Identity Theft Resource Center (ITRC). Retrieved from http://www.idtheftcenter.org/Cybersecurity/so-many-shoes-so-little-security-your-guide-to-cyber-monday.html
Mulpuru, S. (25 November 2013). US online holiday retail sales to reach $78.7B. Forbes. Retrieved fromhttp://www.forbes.com/sites/forrester/2013/11/25/us-online-holiday-retail-sales-to-reach-78-7b/

Tresbesch, L. (27 November 2013). Top 8 tips for holiday shopping online (part II). Better Business Bureau. Retrieved from http://www.bbb.org/blog/2013/11/top-8-tips-for-holiday-shopping-online-part-ii/ 
Vancouver Island Better Business Bureau (26 November 2013). BBB offers advice to Black Friday and Cyber Monday shoppers.  Retrieved from http://vi.bbb.org/article/BBB-Offers-Advice-to-Black-Friday-and-Cyber-Monday-Shoppers-44806 


Enhanced by Zemanta

November 12, 2014

Car prowlers turn identity thieves: 4 tips in protecting yourself

This month prosecutors charged three prolific car prowlers in King County, WA with four counts of identity theft. The trio are suspected of being behind a rash of car break-ins near parks over the past four months. It is not uncommon for vehicle break-ins to lead to other crimes such as fraud and identity theft.

In case you think this may be an isolated incident, here are two other recent examples. A woman recently arrested is suspected of being behind a six month car prowling spree in North Spokane, WA. This little spree netted her over 20 theft-related charges, which includes 13 charges of second degree identity theft. Across the Washington State border into Idaho,  members of the 'Felony Lane' gang were caught trying to cash fraudulent checks using identification documents stolen from vehicles in the local area. 


What are the thieves going after?

Typically they look for unattended backpacks, wallets, purses and any documents left in parked cars.  They are after any sensitive information they could use to steal somebody's identity to open lines of credit and obtain quick cash before being discovered. The aftermath can take an identity theft victims years to clean up and recover from. While high-tech cyber-heist reports surrounding identity theft garner media attention, successful identity thieves often resort to low-tech means such as vehicle break-ins.

What can you do to reduce your risk of becoming a victim of a car prowler-identity thief? Fortunately there are simple security tips you can use to protect yourself.

Four Tips to Protect Yourself.

-Don't use your car as a storage area. Cars are meant to be driven, not to be used as storage units. Take all valuables, to include paperwork with sensitive personal information, out of your vehicle when you park. 

-Don't leave items in plain view. If you do opt to store items in your vehicle, do not leave them in plain view. Stow them under the seat or in the trunk. This goes for empty backpacks, luggage, or anything that may appear to contain valuables. Most crimes like this are crimes of opportunity, and the criminals are only going to hit where they think they can score a pay off. By removing the temptation, you decrease the likelihood of your car being burglarized. It is best to hide these items prior to parking, since many car prowlers watch parking lots for potential victims.

-Lock your car. This tip seems rather simple, but I cannot tell you how many reports I've read where the thief broke into an unlocked car. This only begs the question, is it really considered breaking an entry if the entry was not locked? Locking and securing your car includes rolling your windows all the way up. Do not make it easy for them; take the extra few seconds to make sure your car is locked. 

-Be visible. Criminals will strike when they think the risk of getting caught is low. Park in areas where it is hard for them to hide such as in well lit, high pedestrian traffic areas. When possible use secure garages. Avoid parking on isolated streets.

If possible, you could try going with the Trunk Monkey anti-auto theft system.
(Note: This is my poor attempt at humor. The Trunk Monkey does not actually exist.)

References:
Brown, E., Effron, L, and Karlinsky, N. (23 October 2014). How to get away with identity theft. ABC News. Retrieved from http://abcnews.go.com/US/identity-theft/story?id=26385485 

KREM (26 October 2014). Woman arrested for rash of N. Spokane vehicle break-ins. KREM 2 CBS News. Spokane, WA. Retrieved from http://www.krem.com/story/news/local/spokane-county/2014/10/28/woman-arrested-for-rash-of-n-spokane-vehicle-prowling/18076669/ 

Pulkkinen, L. (9 November 2014). Prosecutor: Car-prowling trio hit dozens of cars at Seattle-area parks. Seattle PI, Seattle, WA. Retreived from http://www.seattlepi.com/local/article/Prosecutor-Car-prowling-trio-hit-dozens-of-cars-5881836.php#page-2 

Sowell, J. (24 October 2014). 'Felony lane' gang of thieves strikes in Boise. Idaho Statesman. Retrieved from http://www.idahostatesman.com/2014/10/24/3446508_florida-identity-thieves-strike.html?rh=1 

November 6, 2014

Emergency Management: Where to get training and experience?

After the horrific incidents in the United States on September 11, 2001 and the deadly destruction left behind in the wake of Hurricane Katrina in 2005, emergency management became a primary focus in the homeland security arena. Is this just another buzzword? 

emergency management security checks matter posterNo, emergency management is not just another buzzword loosely thrown around. The two mentioned events were catalyst to major US Government reform and legislation strengthening emergency management requirements from federal to local levels.

What is emergency management?
Emergency management deals with the management of risk to protect life, minimize property loss, and limit environment damage. According to the Maine Emergency Management Agency's website, its mission is to protect "by coordinating and integrating all activities necessary to build, sustain, and improve the capability to mitigate against, prepare for, respond to, and recover from threatened or actual natural disasters, acts of terrorism, or other man-made disasters." (2008) At the basis of emergency management, it looks at protecting vital assets from a list of  varied threats and hazards that could likely strike, which sounds very similar to the primary purpose of security. Because of this connection, it is only natural that emergency management and security go hand and hand and become intertwined. The five pillars of emergency management (prevention, protection, mitigation, response, and recovery) often blend over to the principles of security (deter, detect, delay, and respond).

Within the past few years, more and more I see multiple security officer job announcements requiring some type emergency management background. This will likely to continue as businesses and government agencies look to streamline and reduce overhead expenses. If you are in the security field, it would be to your advantage to look at expanding your emergency management knowledge if you have not already. I highly encourage it.

Training opportunities. 
There are various of college and for-profit institutions offering emergency management training and certification, but paying for classes is not always necessary. Education does not always require money. If you already have a rather extensive security background, you may be able to expand your knowledge with the free online courses offered below. 
Experience
Where can you gain Emergency Management (EM) experience to go along with your training? Volunteering for the Red Cross provides a great opportunity for you to gain worthwhile experience while helping out and preparing your community. It sounds like a great win-win to me! Volunteer opportunities are a way to freely gain valuable experience to easily help boost your job resume.  Check out the Red Cross' website at http://www.redcross.org/support/volunteer to learn how you can connect to find valuable volunteer opportunities in your local area. This is the route I am taking in trying to expand my experience and to professionally develop myself. Since my current position will not provide me the opportunity, I looked to help out my local Red Cross chapter, which happened to be looking at revamping their disaster recovery and emergency management program. They are very thankful for any amount of time I give and I get to apply newly learned emergency management principles.  

References:
Emergency Management Institute (2013). IS-1.A: Emergency manager: An orientation to the position. Federal Emergency Management Agency. Retrieved from http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=IS-1.a

Maine Emergency Management Agency (2008) What is emergency management? Retrieved from https://www1.maine.gov/mema/about/mema_emdef.shtml 

November 2, 2014

Thanksgiving Security Poster

November is here, which means the Thanksgiving holidays will quickly be upon us. In this post, we have some Thanksgiving themed security posters that could be added to any security awareness program for some seasonal flair. 

security checks matter thanksgiving security poster





October 4, 2014

A case for security awareness

There are many circulating requirements for maintaining a security awareness and education program, particularly if you work under the National Industrial Security Program (NISPOM) or in any government organization (such as the Department of Defense). Unfortunately, many organizations, whether private or public sector, neglect to properly invest into this type of program. This often leads to an increased risk of future security breaches. Employee negligence through risky behavior is one of the main contributors to major data losses. In the Global State of Information Security Survey 2015, which surveyed over 9,700 executive level officers from 154 different countries, most respondents attributed the cause of most security incidents to employees. The survey report shows that security incidents increased by 66% year after year since 2009. The number of respondents who reported losses of $20 million or more doubled over the previous year. Large breaches can have significant financial repercussions through legal litigation, large fines, or worse. Potentially the implications for major breaches in public sector organizations could impact national security. 

Data breach stories.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated Skagit County, Washington government for a Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security breach. Skagit County is a small municipality in the Northwest with a population of less than 200,000. Electronic protected health information (ePHI) of over 1,500 individuals were accessed by unknown parties after the county accidentally moved ePHI to one of their publicly accessible servers. Many of the accessible files included protected health information concerning the testing and treatment of infectious diseases. Due to this accident, the Skagit County Government agreed to a $215,000 settlement and to work closely with HHS on correcting HIPAA compliance issues.  This is only one of many stories of costly breaches caused by negligence.

In 2011, attackers breached RSA's networks to access highly secure areas by targeting employees through a combination of social engineering with phishing. RSA is the security division of the EMC Corporation. The information gained from RSA was later used to mount attacks against major defense contractor Lockheed Martin. As a company specializing in security, this posed embarrassing. RSA had its networks accidentally breached through the human element. They estimated the breach cleanup cost them approximately $66 million.

These are only a couple of real life examples of costly breaches caused by negligence. 

Another worrisome trend from the report is that despite the security risk increase, many organizations hurt themselves further by opting to reduce security budgets and decrease fundamental protection practices such as awareness programs. You cannot reduce risk if you decrease the very items that address it. Employees do not intentionally create unnecessary risk, but often do so due to a simple lack of necessary awareness and training.  I am a firm believer that most people have good intentions, but simply lack the appropriate knowledge when it comes to security. How can you expect anybody to protect sensitive information they have been entrusted with if they were never properly trained? They cannot comply with policies and procedures that they do not know about. Your security program can only be as strong as your weakest link, which is all too often the human element. In the security arena, an ounce of prevention is worth far more than a pound of cure. 

"[A]wareness mitigates non-technical issues that technology can't...you will find that security awareness is one of the most reliable security measures available."
-Ira Winkler, President of the Internet Security Advisory Group and one of the most influential security professionals. 
 
Viable security awareness and education programs help develop a strong security culture that greatly helps in preventing breaches. If done correctly, it enhances the overall security program by empower your workforce to be security advocates. This is why there are so many regulations requiring one. Through awareness and education you impart the security knowledge the workforce needs to be an active component in your security program. 

A security awareness success story

In mid-2014, Computer World created a proactive awareness program in response to a developing Syrian Electronic Army (SEA) threat. The program detailed what employees should lookout for, what to expect, and how to respond to SEA's typical tactics. When employees began to receive the SEA spearphishing messages, they knew how to recognize it and reported in accordance with their training. The employees were able to prevent a computer breach because they were equipped with the right information.