February 29, 2016

Remind yourself how smart thieves are

These stories about how thieves have used GPS, texting and our lax security habits have been circulating in insurance newsletters and blogs for a while. But […]
February 29, 2016

Try using due diligence risk to justify security

For the past several years, I've talked about how "fear or compliance" are often the best ways to help justify the need for security. It's not that I'm trying to convince my readers that security investment is needed in their organization by scaring them or threatening them; they know it is needed. The problem is that they have a hard time articulating the need to executives who have limited time to listen, a whole different mentality around risk and a need to watch the bottom line in the short term. Sometimes pointing out the worst-case impacts (e.g. fear) or pointing to regulations (e.g. threats of penalties from non-compliance) is needed, but sometimes these approaches aren't effective or appropriate. I recently had a conversation with an executive that gave me this idea, to focus on what I call Due Diligence Risk.
April 1, 2016

The security fairy isn't going to close your open vulnerabilities

If you have a feeling you should one day do some kind of check to see if you have anything from your network exposed on the Internet, you’re probably right. In fact, nobody else – including the security fairy – is going to do it for you. This goes for both home networks and businesses, although employees of businesses are probably a little more likely than people at home to have installed things with severe vulnerabilities that management or the IT group doesn’t know about. But it does happen everywhere. In a recently documented case, the simple exposure of printer ports to the Internet allowed a white supremacist to send racist messages to be printed on thousands of exposed printers over the Internet.
April 1, 2016

Three dumb routers are coming to a home network near you

If you're keen to use all the cool new gadgets that are coming on the market, but are wondering how you can protect your network from their inevitable vulnerabilities, I have a suggestion for you: Three Dumb Routers. First, I'll explain, in simple terms, what it takes to set this configuration up, and then I'll try to briefly explain why it is a good approach to protecting your network from the Internet of Things, assuming you really have your heart set on playing with these things, or at least showing them off.
April 29, 2016

Don't be too quick to pay extortion fees based on the threat of an attack

If you or your employer receives a threatening email saying that your website will be targeted with a denial-of-service attack, don't be too quick to pay the senders to preempt the attack. A recent report by security firm CloudFlare disclosed that targeted victims appear to have paid as much as $100,000 USD based only on an email threat that, upon close analysis, was not credible. It can be scary to receive such an email, but there are some clues that could help you determine whether the threat is real or not.
May 1, 2016

3 reasons why teaching somebody to drive a car is easier than training employees to work securely

I love using analogies when explaining things to people. If we compare learning some common activity that we all understand, like training people to drive, with […]
May 12, 2016

The Teachable Moment: Finding your organization's current level of vulnerability to phishing attacks… for free.

Are Phishing Assessments Really a Thing? By now, you've probably heard that some organizations are using simulated phishing attacks on their employees. Is this a smart thing to do, or is it just the security team trying to scare people? Filling up employees' inboxes with even more malicious email may just sound cruel. But there's a very good reason for doing this.
May 30, 2016

Beware the ghosts of smart device owners – past and future

I haven’t been able to find a reliable source for this story, other than that it was recounted by Leo Laporte on the Security Now podcast episode #561. However, the scenario illustrates a couple of interesting risks from using Smart devices, where the devices may have been returned by an original purchaser, and then purchased by somebody else.
May 30, 2016

LinkedIn: Oops. Did we say you weren’t affected by that breach back in 2012?

If this sounds like old news, it actually is, but with a slight twist that you should think about. In 2012, LinkedIn was hacked, and password data for millions of the social network’s users was exposed. At the time, LinkedIn assessed the situation and made a public disclosure, as well as forcing millions of affected users to reset their passwords. However, they seem to have made an error in determining which accounts were actually at risk.
May 30, 2016

With a target as big as SWIFT, you’d expect them to be prepared for breaches originating from within trusted banks

If you were an attacker looking for the biggest financial return on your investment in evil criminal schemes, you would probably look at international banking transfer systems as being a nice, big target. In fact, a security investigation company revealed that a number of banks connected to the Society for Worldwide Interbank Financial Transactions (SWIFT) network were recently targeted in massive fraud attacks. It may seem surprising, but the attackers were able to easily cover their tracks on the systems they accessed after submitting bogus transfer request messages.