Inside the Gozi Bulletproof Hosting Facility: Nate Anderson at Ars Technica has a good story about how investigators tracked down “Virus,” the nickname allegedly used by a Romanian man accused by the U.S. Justice Department of running the Web hosting operations for a group that created and marketed the Gozi banking Trojan. Turns out, I’ve been sitting on some fascinating details about this hosting provider for many months without fully realizing what I had. KrebsOnSecurity, January 25, 2013
Anonymous threatens Justice Department over hacktivist death: In anger over the recent death of an Internet activist who faced federal charges, hackers claiming to be from the group Anonymous threatened early Saturday to release sensitive information about the U.S. Department of Justice. CNN Tech, January 27, 2013
Backdoors Found in Barracuda Networks Gear: A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners. KrebsOnSecurity, January 24, 2013Researchers Warn: Mega’s New Encrypted Cloud Doesn’t Keep Its Megasecurity Promises: Kim Dotcom, like every smart founder of a startup in a crisis, is pivoting. Since his Mega empire of filesharing websites and financial assets were seized in an indictment over massive alleged copyright violations last year, he’s been working on a relaunch designed to transform the company’s reputation from a business focused on piracy to one focused on privacy-specifically, airtight encryption like no other storage site has ever offered. Forbes, January 21, 2013
WordPress Fixes 37 Bugs with Latest Update: WordPress pushed out version 3.5.1 of its open source blogging platform yesterday, fixing 37 bugs including several cross-site scripting (XSS) errors and a vulnerability that could have allowed an attacker to expose information and compromise an unpatched site.ThreatPost, January 25, 2013
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, Federal Register, January 25, 2013HIPAA omnibus and HITECH civil penalty changes: As healthcare organizations read up on the HIPAA omnibus rule, a significant consideration should be the potential civil penalties tied to the HITECH act that are now associated with the rule. Calculating penalties is no longer just a maximum of $100 per violation and $25,000 per year and can put a far bigger dent in a healthcare organization’s budget. HealthIT Security,January 23, 2013HIPAA Changes Could Create New Bureaucratic Burdens: Changes coming to the HIPAA Privacy and Security Rule mean added administrative work, and they could mean additional reporting, said Lisa Sotto, head of Hunton & Williams’ global privacy and data security practice in an interview with InformationWeek Healthcare. Information Week HealthCare, January 23, 2013
SCADA Security 2.0: Siemens will consider whether to offer a bug bounty program as security experts look at new approaches to tackling SCADA security woes. Dark Reading, January 24, 2013Supply Chain Uncertainties Complicate Security: Los Alamos National Laboratory’s move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage. DarkReading, January 23, 2013
White House Announces ‘National Day of Civic Hacking’: Whether or not you have coding skills, the U.S. government asks you to roll up your sleeves in June and help solve the nation’s problems. CIO, January 24, 2013National Day of Civic Hacking: National Day of Civic Hacking is a national event that will take place June 1-2, 2013, in cities across the nation. The event will bring together citizens, software developers, and entrepreneurs from all over the nation to collaboratively create, build, and invent new solutions using publicly-released data, code and technology to solve challenges relevant to our neighborhoods, our cities, our states and our country. National Day of Civic Hacking will provide citizens an opportunity to do what is most quintessentially American: roll up our sleeves, get involved and work together to improve our society.
O’Malley floats $3 million tax credit pool to bolster cybersecurity in Maryland: Maryland is looking to build on the success of a biotechnology tax credit to bolster another industry here – cyber security. Gov. Martin O’Malley proposed in his fiscal 2014 budget a new cyber security tax credit that would set aside $3 million to encourage cyber security companies to expand or set up shop in Maryland.Washington Business Journal, January 24, 2013
Three Charged in Connection with ‘Gozi’ Trojan: Federal prosecutors today announced criminal charges against three men alleged to be responsible for creating and distributing the Gozi Trojan, an extremely sophisticated strain of malicious software that was sold to cyber crooks and was tailor-made to attack specific financial institutions targeted by each buyer. KrebsOnSecurity, January 23, 2013
Securing the Village-Events Calendar
ISC2-LA February Dinner Meeting; February 5, 2013: Email Bill Zajac at [email protected] for more information.
Cloud Security Alliance – Los Angeles Chapter; February 13, 2013: “Can encryption help alleviate concerns about moving to the cloud?” For more information and to register, go to meetup.com/LASC-CSA/.
ISSA-LA February Lunch Meeting; February 20, 2013. For more information and to register, visit ISSA-LA.
ISSA-LA March Dinner Meeting; March 20, 2013.NAWBO Ventura County March Dinner Meeting, March 22, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013:SAVE THE DATE. Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator.
Weekend Vulnerability and Patch ReportThe following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Google Chrome: Google has released Chrome, version 24.0.1312.56. to fix at least 5highly critical vulnerabilities. Updates are available through the program or fromChrome’s website.
Linksys WRT54GL Wireless Router: Linksys has released and update to its WRT54GL Wireless Router. Update to firmware version 4.30.16 by downloading from the Linksys website.
Current Software Versions
Adobe Flash 11.5.502.146 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]
Adobe Flash 11.3.378.5 [Windows 8: IE]
Adobe Flash 11.5.502.146 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.01Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 18.0.1 [Windows]
Google Chrome 24.0.1312.56Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]
Internet Explorer 10.0.9200.16466 [Windows 8: IE]
Java SE 7 Update 11 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows, See warning below]
Safari 6.0.2 [Mac OS X]
Newly Announced Unpatched Vulnerabilities
For Your IT Department
Cisco Wireless LAN Controllers: Secunia reports vulnerabilities in multiple Cisco Wireless LAN Controllers. Apply applicable updates.
Google Web Toolkit: Secunia reports a vulnerability in Google’s Web Toolkit. Update to version 2.5 GA.
PDF-XChange Viewer: Secunia reports a highly critical vulnerability in PDF-XChange Viewer. Update to version 2.5 Build 208.0.
Sourcefire Snort: Secunia reports a moderately critical vulnerability in Sourcefire’s Snort. Update Snort rules to a version released on 2013-01-17 or later.
WordPress: Secunia reports at least 37 moderately critical vulnerabilities in WordPress. Update to version 3.5.1. There are also plugin vulnerabilities for updates.
If you are responsible for the security of your computer, our weekly report is for you. We strongly urge you to take action to keep your workstation patched and updated.If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Groupfor allowing us to provide this information to you.
| Comments Off on Cyber Security News of the Week, January 27, 2013
Guest article by Jamie Yancy, United Western BANCORP
My Role as a CTO requires many talents and I believe the strongest of them is patience; your personality must be one that allows you to utilize this tool in conjunction with lots of others. Speaking the kings English is not enough to make you and your team successful you must also be a linguist with the ability to understand as well as be understood. Rather than just giving you a bullet list how about I tell you a story and you see how many skills you can identify?
I am the CTO for United Western BANCORP, a holding company of a 3billion dollar unitary thrift, a Trust company, a SBA lending group a small broker Dealer and several other financial companies or entities. The IT department headed by the CTO reports directly to the COO of the holding company but in addition the CTO position reports to the Board of Directors for the Bank and the Holding Company Board of Directors. In addition, each of the subsidiaries of the holding company is regulated by a government regulator. The Office of Thrift services, Texas Department of Banking, The Securities and exchange commission to name a few. We also had a compliance officer, internal audit group and accounting auditor. All of which have direct ties to IT. The IT group was 12 employees in Denver and 4 in Waco Texas at our Trust Company. Did I mention that we also had a records management group in Phoenix AZ? During my tenure at United Western this small exceptional IT group built seven branches for the Bank, maintained two and a ¼ datacenters and a Business continuity site. In March of 2006 the following report was given to the Board of Directors on the state of IT along with a very Aggressive 24 month plan to correct those issues:
Our review of the current state of IT is as follows, the overall IT Operation is much Unorganized the Infrastructure is out of date and poorly designed. We can find no evidence of IT policy or procedure and it has a very poor grade from the regulatory community. The experience level of the staff is entry level coupled with extremely poor morale. IT has a poor relationship with the business units a lack of oversight and management a very poor relationship with the OTS the Banks primary regulator due to mismanaged projects and the absence documentation. A new core back office is being purchased with little to no involvement or resources from IT. As the new CTO of this organization it was clear to me what had to be done and I presented the board of directors with a high level yet very specific 24month plan it included the following:
Bring in new talent, upgrade the infrastructure with critical systems having the priority, and implement a project management plan and a change control procedure to align the IT department with the goals of the company. Develop a partnership with the business units for successful implementation of new products. Create an environment of professionalism; promote team and individual responsibility while creating an enjoyable work environment for the organization.
This had to be accomplished within 24months but the overall transition had to be within 60 days. The approach We adapted was one of focus, every decision was developed around the following principals.
Availability – The ongoing availability of systems addresses the process, policies and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems
Integrity of data Systems – Systems and data integrity relate to the processes, policies and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability
Confidentiality of data/systems – Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
Accountability – Clear accountability involves the process, policies and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.
Assurance – Assurance addresses the processes, policies and control used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity confidentiality and accountability.
In order to execute this type of plan in this type of environment takes some creative involvement and constant communication of goals issues and concerns to the staff. I met with each person individually and in addition had weekly staff meetings that were focused on the projects of most importance. I asked only one thing from those employees that expressed interest in wanting to stay on board “Give me an opportunity to prove to you that this process works”. Not everyone wanted to buy into this new vision and so I used my first lifeline, phone a friend. I convinced a couple of highly respected people that I had worked with in the past to join me on this adventure and they did so with as much reluctance as I did. To make a long story with these additions to the staff members that also trusted me and stayed on for the adventure we built a team. And we accomplished our 24 month plan in 14 and we had a lot of fun on the way. Our next report to the board of Directors was filled with accomplishments and future scape, we not only carved 10 months off the original plan but we did it all within budget. In fact, we had a list of 46 overall accomplishments completed within the first 24 months including successful implementation of the new core processor for the bank.
We refreshed our infrastructure at a rate of 1/3 per year from the desktop out to the server farm. And we documented everything in fact we had a procedure on how to write procedures. IT was also responsible for IT Risk management and governance and Business continuity and disaster recovery. Because of this we developed the baseline documents and created committees with members from all the key business units and for each of these committees we assured that our policies and procedures were tested in real time drills. To accomplish this we developed an IT committee as well as a change control procedure that included any moves adds or changes to any portion of the infrastructure. All change controls were documented and needed the approval of the CTO prior to being started. This was truly a dynamic organization and the team was filled with true professionals. We had a posting once for a Telephone Technician and we received and reviewed 342 resumes and after four weeks my HR was concerned that we didn’t know what we were looking for. “342 candidates and no one fit your bill?” I gently explained to her that we were not just looking for skills but personality was even more important than skill. We are looking for a person that fits into the team environment we have created. Two days later we found that person.
The CTO is also responsible for the security of network, which included physical, logical and personnel security. We have a responsibility to each other to make sure that every member of the team is safe as well and the security of the information that our systems processed. We handled customer information on our systems and our customers trusted us to keep their information secure. So in every interview I asked the candidate to give me their wallet. And without looking in the wallet I placed it in my pocket and continued the interview. At the end of the interview I returned the wallet and explained our responsibility. As technology employees we are trusted with information that is personal and important to each individual our job and responsibility is to return it to them in the same state it was received. We don’t need to view it, understand it, change or modify it. We keep it secure and treat it as if it were our own. As CTO we become the reflection of our team and that reflection must be one of integrity!
As CTO we work with a number of companies that want to sell us goods and services and it is important that we establish a relationship that goes far beyond that of sales person and buyer. We must always assure that we are providing the best service and support for any product we introduce into our environment and this includes the stability of the company we are purchasing from not just the marketing of the product. Because of this we developed a Vendor Management procedure that established the ground rules for engagements. This procedure was thoughtful of the sales process but also look deeper into the organization. We included testing and review in the process to assure that service level agreements were being met and that we had the ability to get upgrades and maintenance as well as special promotion pricing when available. By implementing these procedures we are able to control cost and budget for events prior to them creating outages or unforeseen expenses. In addition we made sure that we included training for our staff in the cost of equipment so we could eliminate the concern of learning curves. The CTO is responsible for end user training and making sure we understand requirements and the business direction so we can best fit the technology to the need. I learned this from my time at Argonne National Laboratory. They named this process management by walking around, it’s a simple process you must first understand that everyone is your customer, and the best way to understand your customer is to visit them on a regular basis to assure your solution are the correct ones for the task at hand and to discuss things that can be enhanced to make the customer more successful. This procedure is not just for the CTO but it’s the attitude of the entire team. It also changes the perspective of IT from those guys that speak their own language and live in the dark only to be seen when there is a problem. Now IT becomes a partner in the business and is actively involved in the day to day operation as a solutions provider. Not only did the executive staff see and talk to the CTO they knew every member of the IT team and knew that when they asked a question or had a concern it would be addressed. From the cleaning crew to the president to the board of directors it’s our responsibility to listen until we understand and address until it’s no longer discussed.
So we built a team, we trained them, we empowered them, we exposed them to all levels of the company, now how do we keep them together? This was my favorite part of the job, as CTO we become involved we take a personal interest in each individual and their individual needs. We all work to develop a lifestyle for ourselves and our family and each of us have our own idea of what that is and this should never be taken for granted. Once you develop a level of Trust you work to keep it. As CTO it is vitally important that develop a personal bond that allows us to discuss anything. As professionals and members of a team we have to be able to discuss the difficult. We must be able to share the good news and the bad news and our opinion without the fear of judgment or belittlement. You have to know that I respect your opinion and I have to know that you Respect mine. So many wonderful things come out of sharing views and opinions and there are so many ways we can display our respect. Our team had Pot Lucks where each member had an opportunity to develop the theme and we did everything from Bacon to popcorn. We had lunch together and we tried all different types of food styles and themes. We played together sports, opera, concerts, card games, jokes in other words we got to know each other. We laughed together and we cried together. Success is not measured by how well you do in the good times it how well you handle the bad times. During an audit we detected some strange activity on our network and as we are attempting to meet deadlines for the regulators our resources were very thin remember this is a group of 12 handling what our peer group was handling with 30-46 employees. I left the meeting with the regulators to assist in the investigation of security issue and upon returning to my office I found that everyone from helpdesk to engineer was working on the issue, it was discovered that one of the auditors had an infected laptop. High Fives to the entire team and lots of embarrassment for the auditors.
We moved our infrastructure over a weekend, sixty plus servers twenty plus circuits and routers and switches etc. 48 hours to make sure all our business opened on Monday without a hitch. Not one member of the team slept during this move. Those that were not directly involved got involved and made sure the others had food and drink and support for the long days and nights. You see when it’s a critical time and you think your back is against the wall it’s refreshing to feel the hand of a team member on your shoulder asking what can I do to help !. On an individual level we were all from different backgrounds and on the surface had nothing in common outside of the work environment, but that all changed and we became stakeholders in something larger than our own wants and needs. Our motto was critical systems available at critical times. It was very obvious that we were the critical systems and we became redundant and resilient, that is true professionalism. We took what was a poorly designed infrastructure and took it forward to baseline and by using good vendor management practices our vendor assisted us with a major portion of the cost and training of our staff. Our executive team was always excited at budget time that we could maintain a current environment and cover those little green ghost within our planned budget. It really is about the people you have around you and when you get to that point where you trust them and they trust you there is no obstacle to success.
On this elite team we built, the entry level helpdesk employees became system administrators and then went on to become engineers and risk managers and Directors. Within 18 months the perception of IT went from below poor to excellent. My management by walking around became a cheering session for praise of the team and a productive time of true planning and sharing of Ideas for future projects. Employees from other departments wanted to be in IT the group that worked hard and played hard and did it together.
So I ask you what a CTO is.
The member of the team that is focused, patient, loyal and ready to put together whatever resources necessary to assure success for the overall goals of the business by putting people first and empowering them to excel to excellence!
Bank of America wanted to communicate more efficiently with its more than 300,000 associates around the world. They already understood that video messaging provided an effective, high-impact medium to their globally diverse associate population.
The company relied on a combination of a managed streaming service and a private satellite TV network to deliver video to its associates. Streaming provided a lower quality experience (primarily due to bandwidth restrictions) and offered minimal content security. The satellite solution addressed quality concerns, but couldn’t reach all the offices in many countries. It also did not allow for time zone differences, which made viewing times inconvenient at some locations. Neither solution had the ability to target content by line-of-business, geography or people groups, nor did they provide detailed viewership reporting.
Bank of America wanted a solution that was secure, highly scalable, and could deliver high-quality video directly to the associate’s desktop without creating network congestion. The challenge was to take their high-quality, proprietary video and provide the ability to target and securely deliver those videos over the corporate network.
Bank of America formed a team to investigate alternatives and quickly narrowed its focus to managed P2P solutions, over traditional solutions that required network upgrades or optimizations. A traditional solution would also require the network to be reevaluated every time new locations were added. Bank of America then worked with potential suppliers in a lab setting, putting solutions to the test for three months using real-world scenarios.
“Ignite provides a robust content delivery solution that fits our expanding use of video throughout the enterprise. From multi-city town hall events to highly produced marketing and leadership videos, Ignite can be leveraged across the company for our most demanding video content distribution needs.” – Gregg Moss, Senior Vice President, Enterprise Streaming Media Strategy
Bank of America went live with its Ignite implementation, branded Video-on-Demand, or VoD in the spring of 2008, with a 25,000 associate pilot project. Ignite is now deployed into production globally and is used primarily for leadership communications, marketing messages, and e- learning for approximately 136,000 employees. Their banking centers, Countrywide and Merrill Lynch business units will begin to come online later in 2009.
Bank of America’s first enterprise-wide delivery using VoD was a critical video message from their CEO. Viewership exceeded 60%, considerably higher than previous methods. In December of 2008, Bank of America targeted 17 videos to its associates, equaling 9 terabytes of data. These were delivered to 210,000 workstations, taking less than 24 hours to deliver, with no measurable impact on the corporate network.
Bank of America sees several advantages in the use of Video-on-Demand over the company’s legacy streaming platform, particularly in the area of reporting. VoD lets Bank of America track content delivery and monitor viewership by location, role, line-of-business, as well as several other organizational criteria.
Key results from Video-on-Demand using the Ignite solution:
Increased view rates of up to 80% compared to previous view rates of less then 10%.
Up to 50% survey response rate compared to previous rate of 20%.
Full screen, high quality video encoded at 1.5Mbps with ability to pause, rewind, and fast-forward functionality and no buffering. Their streaming video is encoded at approximately 200Kbps.
Ability to ‘push’ content directly to users’ desktops and provide the ability for offline viewing.
Improved practices for content creation, targeting and delivery based on survey feedback and reporting capabilities.
Branded corporate communications channel.
Bank of America can effectively target content to a predefined audience, receive metrics on viewership rates, as well as survey results. This valuable information provides critical insight into what types of messages and content work well and how targeting details can impact viewership. Gregg’s team leverages these metrics to counsel internal communications partners from Bank of America’s many lines of businesses on ways to improve the delivery of their messages and target them for more effective viewership.
Ignite worked closely with Bank of America to implement a sync mechanism inside their firewall and user authentication for multiuser PCs to address Bank of America’s stringent security requirements.
Bank of America is interested in leveraging Ignite’s capabilities for peer-to-peer live enterprise streaming and mobile delivery.
About Bank of America
Bank of America is one of the world’s largest financial institutions, serving individual consumers, small- and middle-market businesses and large corporations with a full range of banking, investing, asset management and other financial and risk management products and services. The company provides unmatched convenience in the United States, serving approximately 55 million consumer and small business relationships with more than 6,100 retail banking offices, more than 18,500 ATMs and award-winning online banking with nearly 30 million active users. Bank of America is among the world’s leading wealth management companies and is a global leader in corporate and investment banking and trading across a broad range of asset classes serving corporations, governments, institutions and individuals around the world. Bank of America offers industry-leading support to more than 4 million small business owners through a suite of innovative, easy-to-use online products and services. The company serves clients in more than 150 countries. Bank of America Corporation stock (NYSE: BAC) is a component of the Dow Jones Industrial Average and is listed on the New York Stock Exchange.
| Comments Off on Ignite Technologies – Case Study: Bank of America
Guest article by Jeremy Anderberg, Green House Data
The last couple years have seen incredible innovations in IT hardware and software security. Because of that, you’d think that security would start to be less of a problem for IT departments. Unfortunately, around 80% of data breaches are still the result of user error. This is not a problem that software upgrades can take care of. The good news, however, is that proper training and processes can make a huge difference for your company.
Here are 5 areas where you can improve the security of your sensitive information nearly overnight.
Look around any workplace environment and you’ll likely see stacks of papers piled on top of desks, and often times these piles are a bit more disorganized than we’d like to admit. Paper documents are still a part of business. In fact, the average American worker still use roughly 10,000 sheets of paper per year. That’s becoming less the case as we get more digital, but the necessity for paper in some instances is still present.
These stacks of papers lying on top of desks can pose a security threat. Whether it’s a possibly nosy coworker or a theft in the night, you may be at risk. Especially if you haven’t cleaned up in a while, there may be sensitive information hiding out that you don’t even remember. The solution, thankfully, is really quite simple. When you are done with a document that contains sensitive information, shred it ASAP. Don’t just leave it sitting around. If you have papers that need to be kept, at least lock them up in a file cabinet each night before leaving. It not only protects your company, but keeps your desk nice and tidy as well.
Logging On/Off Regularly
This is perhaps the easiest and quickest fix on this list. The simple act of logging off or shutting down your computer when you leave the office helps protect your data in the evening and through the night. This is a common enough practice. What we don’t often think about is logging off when go to the bathroom, take a 15-minute break, go out for lunch, etc. Especially in big companies, you may not know all the people working around you. And as history has too often shown, you sometimes can’t even trust those you do know. It’s much better to be safe than sorry. You may consider it a hassle to lock down your computer every time you leave your desk, but in reality, it doesn’t take more than 10-20 seconds of your time.
It seems like everyone knows that passwords are an easy target for hackers, but not many people do anything about it. Somehow we still all have some combination of a name/nickname along with a 4-digit birthdate. Hackers are too sophisticated to be stopped by “Fido0404”. A few password tips for you, and please, take these seriously.
Use something complex! It seems obvious, but it has to be said. The best password, as discovered by researchers this year, is actually a sentence. Come up with a sentence that you can remember easily, then transform that into a complex-looking password. For example: “The Alabama Crimson Tide football team won the 2013 BCS championship game.” Translate that to: TACTftwt13BCScg. It looks random and complex, but it’s something you can hopefully easily remember.
Change your computer password every 30 days. Many companies, and even operating systems, have this functionality built in. They often use 45-day cycles, but you can break the mold and make a note to change yours on the first of each month.
Don’t share with anyone. Again, this should be obvious, but it’s not. It’s not uncommon for a coworker to borrow a computer for a presentation or need something when someone is sick at home. The temptation is to just say, “Hey, what’s your password, I can take care of it.” Don’t do it! Always type in your password yourself. You just cannot be too cautious.
These little technological wonders have caused many headaches for CTOs and CIOs. They are incredibly small and portable, which makes them handy, but also susceptible to being lost, forgotten, and easily stolen. The best rule of thumb is to simply not keep sensitive documents on your zip drive. If it’s absolutely necessary, you can password protect and encrypt the documents to ensure that even if your device does go missing, you can have some piece of mind that the information on it won’t be compromised. Also be sure to go through the files on your drive on a regular basis. There’s a good chance you have some documents in there that don’t need to be, and you just haven’t gotten around to deleting them.
What can you do to make sure that your drive doesn’t get lost in the first place? Don’t lend it to coworkers outside of transferring files for a few minutes at a time. Keep it stored safely in a zipper pocket in a briefcase, or perhaps on your keychain to make sure that you know right where it is at all times, and would know immediately if it had been snatched. If you don’t need the zip drive for the evening, you can even leave it locked up in a desk drawer.
This one is tricky because it is so expansive and broad to cover in just a couple paragraphs, but there are a couple easy things you can do. The easiest way to make sure that your mobile device won’t be a boon on security for your company is to simply not use it for any work functions. Obviously that’s much easier said than done. There’s a chance, though, that some of your employees could either have a separate work cell phone/tablet, or just have the discipline to keep their email and other documents off their devices.
The rise in popularity of “Bring Your Own Device” (BYOD) policies should also be mentioned. Many companies nowadays are asking that employees use their own devices for work purposes and be reimbursed, versus simply supplying everyone with a smartphone upon hiring. With that, there is often a set of security guidelines to comply with. Make sure you are doing so and understand all the provisions what “What If” scenarios. In some cases, IT even has the ability to remotely wipe a phone of all data should be it compromised.
Having said all that, the easiest way to protect your phone is to simply password protect it. And again, shy away from birthdays or the obvious (you’d be amazed how many folks have “1234” as the password to get into the hallowed ground of their iPhone home screen). A truly random four-digit number will be best. Depending on your service provider, you can also have your phone tracked and remotely erased of data should it become lost or stolen. Check with your provider and get this service set-up for your business devices if you haven’t already.
Bonus Tip! Viral Content
This rule is just so easy to break, it’s almost unfair. We all know those emails we get from coworkers with headlines like “World’s Largest Rabbit!” and “Cat Does Double Backflip [Video]”. They are so easy to click on, and yes, sometimes even necessary for workplace sanity. The problem is that hackers and spammers will create links with these types of attractive headlines and inevitably get people to download viruses and other malware onto their computers. When you’re at work, it’s best to simply not click on any of those emails unless it’s from a coworker whose identity and email address you can be absolutely sure of. If there is even a tinge of doubt, just delete it. A few minutes of laughter is not worth the headache of a corrupted network.
Another great tool is onlinelinkscan.com. If you have any doubt about a link that a coworker or your dear Aunt Mabel sent you, go to that website, pop the link in, and it will scan for harmful content. You have no excuse for clicking bad links anymore!
With a few small and consistent changes to your everyday workplace habits, you can make sure that you are not the one to blame for a data breach.
Green House Data is a cloud hosting and colocation services provider with facilities across the country. With our totally secure services, you’ll never have to worry about the hardware/software aspect of data security again. To learn more visit our website at www.greenhousedata.com.
| Comments Off on Do Your Part To Protect Data