
Wednesday, December 4, 2013

What is your Smart Phone telling others and what can you lose because of it?

It seems as though in modern society we as human beings cannot live a normal life without our smart phones. It is more than just phone calls and text messages; we need to be connected in multiple ways with multiple applications just to find our way through life. The key to this connectivity is Wi-Fi and Bluetooth.
Question: Are the Bluetooth and Wi-Fi services enabled and turned on even when you are not using them? Do you even know? If you are like most everyone the answer is YES. I know this from firsthand experience. When I find myself at an airport, mall or other location where a large number of people are gathered, I like to check to see just what kind of information is flowing invisibly through the air. If you knew what I see you would be shocked, which is why I am going to tell you all the fun stuff I see when I am out and about. Keep in mind that I am not one of the Bad Guys, but if I were, imagine what I could do.
BLUETOOTH on your phone is LEFT ON. Bluetooth is often left turned on because people want to be able to answer their phones hands-free or listen to their music in the car or some other place. Guess what, your Bluetooth is not just a one-way connection. By utilizing your open Bluetooth connection the bad guys can access your phone and the data that resides on it.
Wi-Fi on your phone is LEFT ON. Wi-Fi is often left turned on because people want to be able to access the Internet to check their mail, update Facebook and Twitter, shop or just watch YouTube videos. Guess what, your Wi-Fi is not just a one-way connection. By utilizing your open Wi-Fi connection the bad guys can access your phone and the data that resides on it, as well as see the data you are sending and receiving.
Imagine: all of your contacts, text messages, emails, pictures/videos, access to your bank accounts and all of your passwords, all there for the taking simply because you chose to leave your Wi-Fi and/or Bluetooth on when you did not need to. Your entire identity and finances are there for the taking.

P.S. Leaving Bluetooth and Wi-Fi running also drains the battery on your phone.

Wednesday, August 28, 2013

Simple Security Mistakes People and Companies Make and how to Fix them! Installment #3

This is the third installment in this new series of posts titled Simple Security Mistakes People and Companies Make and how to Fix them! I will explain several common, simple information security mistakes made by both organizations and individuals. I will also explain the typical reasons why these mistakes are made, why they pose a rather large risk and how simple it is to resolve them. Please note that correcting these mistakes costs little or no money. I will break down each numbered mistake/task with a number followed by an (H) for home users or an (O) for organizations. I hope this installment proves both educational and contributes to your safe computing:
1. (H) PROBLEM – Are you running Anti-Virus software on your computer? Is the Anti-Virus software configured to update on a regular schedule (preferably at least once a day), and is there a regular schedule set up for scanning your entire computer? If the answer is yes then you are ahead of most. There are many reasons why computer owners do not install Anti-Virus software on their computers; here are some of my favorites: I cannot afford the cost, I do not use a Windows based PC, I have a Mac and Macs do not get infected, I run Linux and it is secure. I love all of those reasons; they give the individuals a sense of “everything is ok” when in reality most people are in trouble and do not even know it. SO WHO CARES RIGHT? Well I do. Every compromised computer that is on the Internet poses a risk to every other computer, not to mention your own personal privacy and finances. GUESS WHAT, the reasons for not installing Anti-Virus software on your computer are pure MYTHS. There are several Anti-Virus software packages that are free for personal use (just make sure to download them from a reputable source). While it is true that Macs (Apple computers) have had fewer infections than Microsoft based PCs, that does not mean that your APPLE computer is safe. THE ONLY REASON APPLE HAS NOT HAD AS MANY INFECTION INCIDENTS IS BECAUSE FOR YEARS PCs HAVE OUTNUMBERED APPLES. Well that is not the case any longer. Apple based computers are not any more secure from infections than any other computer operating system. The same holds true for Linux based computers. SOLUTION – To protect your computer, its information, your privacy and your money, install Anti-Virus software on your computer and configure it to update daily and scan on a regular basis. Now this will not guarantee that you will not be hacked; it will however reduce your exposure significantly.

2. (O) PROBLEM - Look around your organization. How many of your desktops and servers do not have Anti-Virus software installed? How about installed but not being updated or not reporting to a central console? Is your network infected? How would you know if your Anti-Virus enterprise software system is not running correctly? Even better, how many of your computers and/or servers do not run Anti-Virus software because some admin or developer says that the computer is too slow or will not work correctly with Anti-Virus installed? Is it due to lack of resources, a belief that it is not a priority, believing the admins or developers who lack the motivation to create the necessary exceptions when Anti-Virus software interferes with some of the computer's functions, or just not knowing any better? As mentioned above in the home user section, the bad guys (those who would steal, harm or disrupt your business) count on your lack of fully functioning Anti-Virus software to compromise your computer and network systems. As such, WHEN a breach occurs at your organization and it is discovered that your organization's computer and networking systems are not fully protected by Anti-Virus software and that the bad guy used a known infected file type (a file for which an AV signature already exists to address (remediate) the vulnerability), your organization will not only be subject to civil damages and fines but may also be subject to Felony Criminal negligence charges as well. YEP! People from your organization could do jail time, typically executives. SOLUTION – Business managers/owners must stop making excuses and mandate that all of their information systems have up-to-date Anti-Virus software installed and configured. Do not expose your employees, customers and shareholders by ignoring this simple task. Failure to do so will result in your organization being compromised and may even land you in jail.

Wednesday, July 24, 2013

Simple Security Mistakes People and Companies Make and how to Fix them! Installment #2

This is the second installment in this new series of posts titled Simple Security Mistakes People and Companies Make and how to Fix them! I will explain several common, simple information security mistakes made by both organizations and individuals. I will also explain the typical reasons why these mistakes are made, why they pose a rather large risk and how simple it is to resolve them. Please note that correcting these mistakes costs little or no money. I will break down each numbered mistake/task with a number followed by an (H) for home users or an (O) for organizations. I hope this installment proves both educational and contributes to your safe computing:
1. (H) PROBLEM - When you first purchase a Microsoft based computer and begin the setup process, at some point you are asked if you want to enable automatic updates (or patches) along with a particular time for those updates to download and install automatically. There are many reasons why computer owners do not turn on this function, ranging from not understanding the need all the way to the very short inconvenience that comes about once a month, causing a longer time to shut down/reboot or start your computer. As it turns out, those very patches recommended by the software maker are designed to fix known bugs (vulnerabilities) within the software. SO WHO CARES RIGHT? Well the bad people on the Internet do. Furthermore, most of the time they count on your unwillingness or lack of knowledge about updating your software to compromise your computer for financial or other nefarious purposes. The bugs (vulnerabilities) that those patches fix are not corrections that you will even notice; they do not make your computer easier or harder to use. Instead they stop the bad guys from using those vulnerabilities/exploits to take control of your computer. This does not only apply to Microsoft based software; if you use any APPLE or LINUX products, updates and patching on a regular schedule are just as important. SOLUTION – To protect your computer, its information, your privacy and your money, either set your computer to automatically download and install updates at least once a month or, if that is not possible, do it manually on a monthly basis. Now this will not guarantee that you will not be hacked; it will however reduce your exposure significantly.

2. (O) PROBLEM - Look around your organization. How many of your desktops and servers have not been patched in the past month? How about the past two months…. three months…. ever? Is it due to lack of resources, a belief that it is not a priority or just not knowing any better? As mentioned above in the home user section, “those very patches recommended by the software maker are designed to fix known bugs (vulnerabilities) within the software”. The bad guys (those who would steal, harm or disrupt your business) count on your lack of OS and application patching to compromise your computer and network systems. Here is a little known fact, or at least a fact that many business leaders have created a sense of denial about: patching operating systems and applications is considered a “Generally Accepted Best Practice” worldwide. As such, WHEN a breach occurs at your organization and it is discovered that your organization's computer and networking systems have not been patched in a reasonable amount of time and that the bad guy used an exploit that was addressed (remediated) by an already distributed patch, your organization will not only be subject to civil damages and fines but may also be subject to Felony Criminal negligence charges as well. YEP! People from your organization could do jail time, typically executives. SOLUTION – When business managers/owners make excuses for not mandating that all of their information systems be kept currently patched, it becomes part of the organizational culture. There really is no excuse though; many systems can be patched with little or no expense and patching can even be automated. Do not expose your employees, customers and shareholders by ignoring this simple task. Failure to do so will result in your organization being compromised and may even land you in jail.
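The "past month…. two months…. three months…. ever?" question above is easy to answer with data you already have. As an added example (my own illustration for this post, not something from the blog), the Python script below takes a CSV that an admin collected from each Windows host with `Get-HotFix | Select-Object Source,HotFixID,Description,InstalledOn | Export-Csv -NoTypeInformation` (en-US date format assumed) and sorts every machine in the inventory into exactly those buckets, counting hosts that returned no hotfix at all as "never". The host names, KB ids and dates are constructed sample data.

```python
"""Bucket machines by how long ago their last Microsoft hotfix was installed.
Added example for this post, not the blog author's code. It assumes a CSV
collected from each host with
  Get-HotFix | Select-Object Source,HotFixID,Description,InstalledOn | Export-Csv -NoTypeInformation
using en-US dates; the rows, host names and KB ids below are constructed."""
import csv
import io
from datetime import date, datetime

# Constructed sample export (KB ids are placeholders, not real hotfixes).
SAMPLE_CSV = """\
"Source","HotFixID","Description","InstalledOn"
"WS-0101","KB-SAMPLE-1","Security Update","7/10/2013 12:00:00 AM"
"WS-0101","KB-SAMPLE-2","Update","7/17/2013 12:00:00 AM"
"WS-0102","KB-SAMPLE-1","Security Update","1/15/2012 12:00:00 AM"
"WS-0103","KB-SAMPLE-1","Security Update","5/10/2013 12:00:00 AM"
"SRV-DB01","KB-SAMPLE-1","Security Update","4/3/2013 12:00:00 AM"
"SRV-WEB02","KB-SAMPLE-1","Security Update","5/28/2013 12:00:00 AM"
"""

# Constructed asset inventory; KIOSK-07 returned no hotfix rows at all.
INVENTORY = ["WS-0101", "WS-0102", "WS-0103", "SRV-DB01", "SRV-WEB02", "KIOSK-07"]

# Date the report is run against (the post's date, used here as the reference).
REFERENCE_DATE = date(2013, 7, 24)

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"   # assumption: en-US InstalledOn formatting


def last_patch_dates(csv_text):
    """Map each host to the date of its most recently installed hotfix."""
    latest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["InstalledOn"], DATE_FMT).date()
        host = row["Source"]
        if host not in latest or when > latest[host]:
            latest[host] = when
    return latest


def bucket(days_since):
    """Translate 'days since last patch' into the post's month / two / three / ever buckets."""
    if days_since is None:
        return "never"
    if days_since > 90:
        return "over 3 months"
    if days_since > 60:
        return "over 2 months"
    if days_since > 30:
        return "over 1 month"
    return "current"


def patch_report(csv_text, inventory, as_of):
    """Return {host: bucket}; inventory hosts with no rows count as 'never'."""
    latest = last_patch_dates(csv_text)
    report = {}
    for host in inventory:
        days = (as_of - latest[host]).days if host in latest else None
        report[host] = bucket(days)
    return report


def summarize(report):
    """Count hosts per bucket so management sees the size of the problem."""
    counts = {}
    for b in report.values():
        counts[b] = counts.get(b, 0) + 1
    return counts


if __name__ == "__main__":
    rep = patch_report(SAMPLE_CSV, INVENTORY, REFERENCE_DATE)
    for host, b in sorted(rep.items()):
        print(f"{host:10} {b}")
    print(summarize(rep))
```

Run it against the sample and the "never" bucket is the one to look at first: a machine in the inventory with no hotfix record is either unmanaged or has never been updated, and both are exactly the situation described above.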

Wednesday, July 10, 2013

Simple Security Mistakes People and Companies Make and how to Fix them! Installment #1

Over the next several weeks in this new series of posts titled Simple Security Mistakes People and Companies Make and how to Fix them! I will explain several common, simple information security mistakes made by both organizations and individuals. I will also explain the typical reasons why these mistakes are made, why they pose a rather large risk and how simple it is to resolve them. Please note that correcting these mistakes costs little or no money. I will break down each numbered mistake/task with a number followed by an (H) for home users or an (O) for organizations. I hope this first installment proves both educational and contributes to your safe computing:
1. (H) PROBLEM - When you first purchase a computer and begin the setup process, whether it is a Microsoft, Mac or Linux operating system, among the first choices you have to make is to create a user account. Most people just choose their own name or something funny. The account that you just created is an account that has complete rights to do anything on the computer, from changing system settings to loading programs. The PROBLEM ARISES from the daily use of that account. If you go to a website, click on a link or open an email that is infected, you are essentially giving that malicious software the same power that you have on your computer (which is full access). SOLUTION – Create the initial account and only use it when absolutely necessary. Create a second account for your daily use (surfing the web, checking emails, creating documents, playing games etc.). This limits the ability of much malicious software to infect your computer. Only use the first account created (the one that has administrative permissions) to load or remove software and to change system settings.

2. (O) PROBLEM - Look around your organization. How many of your employees have local Administrative rights to the organization's workstations/laptops? Just a few special cases, most of your employees, or, as it is for many organizations, all of your employees have local admin rights to the computers that they work on? Allowing this to occur and/or continue has serious ramifications, of which your information security is just one. In addition to the problems outlined in #1 above, how are you keeping your organization from being exposed to the criminal and civil penalties associated with unlicensed software? How can your workstation patching schedule/platform accommodate vulnerable software in need of patching when you do not even know that it is installed? It cannot. The last question is: do all of your employees absolutely need/require local admin rights in order to perform their job functions? Only you can answer that, but the generally accepted principles and practices of IT show that they do not. SOLUTION – As a business manager/owner, spend the little extra effort locking down organizational workstations/laptops, providing only the applications that are needed by each department, and take away the employee end user's admin rights to your computers. Now I know it is easier in the short term to get all of the needed applications to run properly by just granting local admin rights, but with a little effort by your sys admins/helpdesk staff configuring the OS and the apps, admin rights are not needed. Most certainly there are some cases where local admin rights are absolutely necessary. Those cases typically involve your IT staff and quite often remote sales staff. Provide those staff members with 2 user accounts, one with local admin rights and one as a regular locked down user. There is absolutely no reason IT staff should be browsing the web, checking emails or creating documentation with an account that has local admin rights.
Taking the time to do it right up front will always save you both time and money in the long run, not to mention drastically reduce the number of malware infections, configuration errors and overall risk exposure of your organization.
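"How many of your employees have local Administrative rights?" is a question you can answer in an afternoon. As an added example (my own illustration, not code from the blog), the Python script below reads the text that `net localgroup Administrators` prints on each Windows host, compares the members against a short allow-list, and treats accounts ending in "-adm" as the sanctioned second account that IT and remote sales staff are supposed to use for admin work. The CORP domain, the allow-list, the "-adm" naming convention and the three captures are all constructed for the example.

```python
"""Find workstations where accounts beyond the sanctioned set hold local
Administrators membership. Added example for this post, not the blog author's
code. Input is the text that `net localgroup Administrators` prints on each
Windows host; the captures, the CORP domain and the allow-list are constructed."""

# The header and footer `net localgroup` prints around the member list.
HEADER = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
"""
FOOTER = "The command completed successfully.\n"

# Constructed captures keyed by host name (member lists are made up).
CAPTURES = {
    "WS-0101": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\Workstation Admins\n" + FOOTER,
    "WS-0102": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\jsmith\nCORP\\Sales\n" + FOOTER,
    "LT-0203": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\rjones-adm\n" + FOOTER,
}

# Assumption: these are the only principals that should hold local admin everywhere.
ALLOWED = {"Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"}
# Assumption: IT / remote sales staff who truly need admin get a second
# account named with this suffix, as the post recommends.
ADMIN_SUFFIX = "-adm"


def parse_members(capture):
    """Return the member names listed between the dashed line and the footer."""
    members, in_list = [], False
    for line in capture.splitlines():
        s = line.strip()
        if s and set(s) == {"-"}:
            in_list = True
            continue
        if s.startswith("The command completed"):
            break
        if in_list and s:
            members.append(s)
    return members


def unexpected_admins(members, allowed=ALLOWED):
    """Members that are neither on the allow-list nor a sanctioned '-adm' account."""
    return [m for m in members
            if m not in allowed and not m.lower().endswith(ADMIN_SUFFIX)]


def audit(captures, allowed=ALLOWED):
    """Return {host: [unexpected members]} for every host that fails the check."""
    findings = {}
    for host, capture in captures.items():
        extra = unexpected_admins(parse_members(capture), allowed)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    findings = audit(CAPTURES)
    print(f"{len(findings)} of {len(CAPTURES)} hosts grant local admin beyond the allow-list")
    for host, extra in findings.items():
        print(f"  {host}: {', '.join(extra)}")
```

In the sample, WS-0102 is the one to chase: an individual user and a whole department group (CORP\Sales) sit in the local Administrators group, which is precisely the "everyone has admin" situation the post describes. LT-0203 passes because rjones-adm is a separate admin-only account, not the one its owner reads email with.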

Wednesday, July 3, 2013

Where is your money and who did you give it to?

Spear Phishing is not really a new tactic used by those who want to separate you from your money. That being said, huge profits are being made from such attacks. The beauty of these attacks is that the victims (YOU) willingly give those bad guys the information needed to clean out your bank accounts and are not even aware of the fact that they have been ripped off until it is too late.
It all starts innocently enough (if you are not paying attention): you receive an email from your financial institution that may look like one of these:
Banks:

The cyber crooks use any number of other financial or commercial institutions also.
What do you do?
Sadly, many people read the email, become nervous and follow the instructions provided in the email.
First please allow me to provide some basic information that can/will protect your finances:
1. No financial institution or e-commerce business will ever send an email to its customers (no matter how well written) that contains, as part of the instructions, a link for you to follow to correct the issue. If you do not believe me, next time you receive such an email, hover your cursor (DO NOT CLICK ON THE LINK) over the link to reveal the real destination you would be sent to.
2. Sending your information by following a link can have devastating effects.
3. If you are like many you will fall for the con and follow the link. Many times the cyber crooks are even nice enough to provide a web page from that link that will look exactly like the bank or e-commerce site you expect.
4. However, once you put in your user ID and password and any other information that they request, control of the money in those account(s) now belongs to the person who sent you the fake email.
IF you have any doubt, DO NOT FOLLOW THE LINK BUT GO TO THE WEBSITE AS YOU NORMALLY WOULD AND FIND OUT DIRECTLY FROM THE INSTITUTION IF THERE IS AN ISSUE AND IF SO, CORRECT IT FROM THERE.
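The "hover your cursor over the link" check in point 1 is exactly what a mail filter can do for you automatically. As an added example (my own illustration, not code from the blog), the Python script below pulls every link out of an HTML email, compares the web address the link *shows* you with the address it actually *goes* to, and also flags links that lead to a bare IP address instead of a name. The sample email, the example-bank.com and evil-host.test names, and the "last two labels" shortcut for working out who owns a domain are all constructed assumptions for the example.

```python
"""Flag links in an HTML email whose visible text points somewhere other than
the real href, or whose destination is a raw IP address. Added example for
this post, not the blog author's code. The sample email and host names are
constructed; registrable_domain() is a deliberate simplification."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: a fake "bank" email with a look-alike link, a raw IP link,
# and one honest link.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<a href="http://secure-login.example-bank.com.evil-host.test/verify">
  https://www.example-bank.com/login</a>
<a href="http://203.0.113.45/update">Click here to update your details</a>
<a href="https://www.example-bank.com/help">Help Center</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((visible, self._href))
            self._href = None


def registrable_domain(host):
    """Owning domain approximated as the last two labels (assumption: no
    public-suffix list, so co.uk style suffixes are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text_or_url):
    """Host part of a URL; bare 'www.example.com' style text is accepted too."""
    candidate = text_or_url if "://" in text_or_url else "http://" + text_or_url
    return urlparse(candidate).hostname


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(text, href):
    """Return the reasons this link looks like a phish (empty list = nothing found)."""
    reasons = []
    real_host = host_of(href) or ""
    if is_ip_literal(real_host):
        reasons.append("destination is a raw IP address")
    # Only compare domains when the visible text itself looks like a web address.
    if text.startswith(("http://", "https://", "www.")):
        shown_host = host_of(text) or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            reasons.append(f"shows {shown_host} but goes to {real_host}")
    return reasons


def find_suspicious_links(html):
    """Return [(text, href, reasons)] for every link with at least one reason."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(t, h, assess_link(t, h)) for t, h in parser.links if assess_link(t, h)]


if __name__ == "__main__":
    for text, href, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}: {'; '.join(reasons)}")
```

Two of the three links in the sample get flagged: the first shows www.example-bank.com but really goes to a host under evil-host.test, and the second goes straight to an IP address. The honest Help Center link passes. Note that a link whose visible text is just words ("Click here") can only be judged by its destination, which is why the advice above is to type the bank's address yourself rather than trust anything in the email.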
I hope you enjoy this latest blog entry and more importantly I sincerely hope that it helps you stay connected to your money.
Until Next time,
Brad Boynton, CISSP
Former CISO at a US Based Medical Device Manufacturer

Redtide69@gmail.com

Thursday, June 27, 2013

The true End Point is always located between the chair and the keyboard
Problem:
Many CISOs and Security vendors are talking more and more about End Point Protection. Large sums of money are being spent on various Software Suites, Appliances, and implementation of Security Policies to solve this problem. Yet organizations are still exposed to attacks at the End Point. The reason organizations are still exposed to attacks at the End Point is because they are not looking towards the true End Point. The true End Point is always located between the chair and the keyboard.
Overall, most organizations spend little time or money on protecting the enterprise from the true End Point. When they do it is most often at the time of hire. New employees and contractors are given a copy of the organization's security policy and asked to sign an agreement to follow it. Does anyone reading this article think that even 5% of them actually read and understand what they are signing?
Requiring users to take computer based training (typically covering the organization's Security Policies) only once (when hired) or even annually does not provide even a marginal return on the meager investment in such training. Some organizations are now even supplementing end user training with a 5 to 20 minute live and in person session. Even this usually amounts to a PowerPoint presentation of what not to do.
None of these tactics actually do much to protect the true End Point. A piece of paper to sign, CBT programs that users click through and in person training all have three things in common. They are ineffective, they do little or nothing to change the behavior of the end user and, most importantly, most end users are not able to actually relate to any of the information to begin with, assuming they actually paid attention.
So what is the solution? Let me start by saying that it is not giving end users a list of what not to do in any of the above-mentioned methods. Most end users know just enough about how to use a computing device to do their jobs and for entertainment/shopping purposes. The answer is not as difficult or as expensive as one might think. The key is effectively educating the end users.
Solutions:
What is the best way to effectively educate the end users and thus shore up the End Point?
To answer that question, I would like you to first ask yourself a simple question. Which way do you learn more effectively: listening to an instructor who does little more than tell you what to do/not to do, or listening to an instructor who makes the training session not only entertaining but also relates it in terms that you can understand and relate to?
A very small part of my current role is to give a pre-developed PowerPoint presentation that is….you guessed it, a corporate approved list of things not to do, most of which are beyond the common non-IT person's comprehension as to why and even what. The presentation as given to me by corporate management takes approximately 10 minutes to read to the audience of new hires. However, I have found that if I start the presentation with an introduction, a joke, and an apology for the list of do-not-do's that I am about to present, their attention begins to perk up. I also promise to not speak to them like an IT Security Geek and explain to them how my interests are not just with protecting the organization's information but that I am equally concerned with protecting information that belongs to each and every person in the room, regardless of whether it is work info or personal info. Even though the orientation training is mandatory and typically just tolerated by the new hires, I manage to get their full attention. From the moment I first open my mouth to the conclusion, when I offer my email address to anyone in the audience who has a security concern either at work or at home, the end users are fully engaged, entertained and most of all interested in learning about all that I have to say.
Issues surrounding Information Security, like most other types of information only received once, are more often than not forgotten after a period of time. For a relatively small investment Information Security can be kept in the forefront of the end users' minds by keeping it current, interesting and entertaining. Rather than, or in addition to, an annual CBT, provide in person training on an annual basis. Send out periodic newsletters to all end users about current threats and how those threats can affect their own personal lives and bank accounts. There are several ways to make Security Awareness both interesting and fun; just think outside the box.
If End Point protection is an important issue in your organization (as if it could not be) then a concerted effort must be spent on protecting the true End Point. Make it entertaining while keeping focus not only on the security of your organization but also on the personal security of the information for all of your end users. If done correctly everyone wins.

Brad Boynton, CISSP
Former CISO at a US based Medical Device Manufacturer
Redtide69@gmail.com