Phishing for Mobile Users? They Are Taking the Bait

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management on January 6th, 2011

 

In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall for fake e-mail messages and visit phishing sites.

Once they arrive at the fraudulent site, they are also three times more likely than PC users to enter sensitive login information.

Why are mobile users more vulnerable?

  • Availability – smartphones are with their users 24/7, so e-mail is checked more frequently. Phishing campaigns claim most of their victims shortly after launch, because after a certain time the sites are reported, blocked or taken down, so the user who reads the message first is the one most exposed.
  • Size – the smaller screens of mobile devices can hide the clues that an e-mail is fraudulent. Users on smartphones miss the basic signs of a phishing e-mail: slightly tweaked URLs, the real URL hidden behind the link text, poor spelling, etc.
  • View – e-mails are often rendered differently on mobile devices. For example, on a BlackBerry the “From” field may show only the sender's display name and not the e-mail address, so a spoofed name is all the user sees.
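The three clues above (the real address behind the “From” display name, the real host behind a link's visible text, and a lookalike domain that differs from the genuine one by a character or a subdomain) are exactly what a small screen or a simplified mail view hides. The following is an added example, not code from the original post or from Trusteer's research: it parses a raw e-mail and reports those clues explicitly, the way a mail gateway or a help-desk triage script could do on a user's behalf. The sample message, the brand “First Bank” and the trusted-domain list are constructed for the example (all hostnames use the reserved .example and .test names); in practice the list would hold your organisation's real sender and web domains.

```python
"""Surface the phishing clues that a small-screen mail client hides.

Added example, not code from the original post.  Given a raw RFC 822
message it reports (1) the real sender address behind the "From" display
name, (2) every link whose visible text is a URL for a different host than
the one it points to, and (3) link hosts that merely resemble a trusted
domain.  Sample message and trusted domains are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the recipient legitimately hears from.
TRUSTED_DOMAINS = {"firstbank.example"}

# Constructed sample message (RFC 2606 reserved .example / .test names).
SAMPLE_EMAIL = """\
From: "First Bank Online Banking" <alerts@f1rstbank-secure.example>
To: customer@mail.example
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been locked. Please <a href="http://f1rstbank-secure.example/login">
https://www.firstbank.example/login</a> to restore access.</p>
<p>Questions? <a href="http://firstbank.example.evil.test/help">Contact support</a>.</p>
<p>Thank you, <a href="https://www.firstbank.example/">First Bank</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (text, href)
        self._current = None   # [text, href] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = ["", dict(attrs).get("href", "")]

    def handle_data(self, data):
        if self._current is not None:
            self._current[0] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0].strip(), self._current[1]))
            self._current = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels (enough for the names used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character tweaks such as 1 for i."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this host imitates, or None if genuine or unrelated."""
    reg = registered_domain(host)
    if reg in trusted:
        return None
    for good in trusted:
        brand = good.split(".")[0]
        # Brand name buried in a subdomain: firstbank.example.evil.test
        if brand in host.lower():
            return good
        # Near-miss spelling of the brand in the registered label: f1rstbank-secure
        for part in reg.split(".")[0].split("-"):
            if edit_distance(part, brand) <= 2:
                return good
    return None


def phishing_findings(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means no hidden clue."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. The clue a mobile client drops: the address behind the display name.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if registered_domain(sender_domain) not in trusted:
        findings.append(f"sender: display name '{display}' but address is {addr}")

    # 2. Links whose visible text is a URL pointing at a different host.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if re.match(r"https?://", text) else None
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link: text shows {shown} but points to {target}")
        # 3. Lookalike hosts, whatever the visible text says.
        imitated = lookalike_of(target, trusted)
        if imitated:
            findings.append(f"lookalike: {target} resembles {imitated}")
    return findings


if __name__ == "__main__":
    for line in phishing_findings(SAMPLE_EMAIL):
        print(line)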

 

The report also mentioned that iPhone users were more likely than BlackBerry users to visit fraudulent phishing sites. One potential explanation was that BlackBerrys are used more by enterprises, while iPhones are popular with end-consumers, and, as we know, organizations are working diligently to educate their employees, implement security policies, acceptable use policies, etc…right?

Has your organization implemented ongoing security awareness training to ensure your employees (and third-parties) are aware of risks from mobile devices? 

Do your employees understand what phishing is?  What about smishing and vishing?  

Do they know how to recognize the signs of a phishing attempt? 

Do they know where to report suspicious incidents and phishing e-mails? 

What should they do if they accidentally respond to a phishing e-mail and provide sensitive personal or organizational data?

It is critical for organizations to implement clearly defined policies for using mobile devices.  It is also important that organizations continue to update their employees as risks, threats, requirements, etc. change on an ongoing basis.  A once-a-year general training program is not enough; employees need ongoing awareness reminders. 

One recommendation I would make is to share this Trusteer study with your employees. Many of your users may have no idea of the risks they can encounter on their mobile phones. Lessons learned make for great awareness tips and will help your employees understand that your security requirements and acceptable use policies are there for good reason.



No Comments   Email This Post Email This Post



Does Information Equal Awareness?

Posted In Business Continuity, Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management on November 18th, 2010

 

General Information
Personally Identifiable Information
Intelligence Information
Industry Information
Regulatory Information
Legal Information
Risk Information
Customer Information
Emergency Information
Competitive Information
Etc….

Most people and their organizations would agree they are overwhelmed by information that is spread all over in e-mails, web sites, binders, intranets, etc.

BUT, most people and their organizations would also agree they are not overwhelmed by awareness, and more specifically they are not overwhelmed by Situational Awareness.

Lessons learned continue to reveal that just having information is not enough.  Most of the highly publicized tragedies and incidents reveal that information in the form of red flags or intelligence or risk assessments actually existed BEFORE the incident occurred. 

And many incidents could have been prevented had the information been translated into Situational Awareness and shared with the right individuals in the right place at the right time so they could have taken appropriate actions to prevent or intervene or respond more proactively.

For the next week or month or longer, when you become aware of an incident or a mistake in your organization or another organization ask yourself these questions:

  • Did information exist that could have helped prevent the incident or mistake?
  • Does my organization have a good way to turn information into situational awareness?
  • Do all appropriate individuals have the ability to access confidential situational awareness?
  • Does our incident reporting system just pass along information?
  • Do our threat assessment and security teams have access to situational awareness?
  • Do our decision makers and leaders have on-demand access to updated situational awareness?





Preventing Data Breaches with Lessons Learned

Posted In Incident Reporting, Information Privacy, Information Security on November 15th, 2010

 

Verizon Business has launched a free website for organizations to anonymously share details about their security breaches – sounds like a great lessons learned opportunity.   This central reporting site will give victim organizations an overview of the cause and severity of the breach, as well as a way to measure their incidents against other incidents that have been reported.  

Once an organization has submitted the details of their breach (demographics, incident classification, discovery, mitigation, impact, etc.), the site will compare it to the other incidents in the system and will show an organization how rare or common their data breach was. 

If utilized as designed, this site could be an excellent resource for organizations to share lessons learned and help others prevent similar incidents.  As we have seen over and over again:

  • Many of the same mistakes are being made across organizations of all types and sizes
  • Most incidents could have been prevented    

 

By utilizing this site, organizations can learn from the mistakes of others and ensure they have implemented appropriate and ongoing security measures, policies, procedures, awareness training, etc. to prevent a similar incident from occurring at their own organization.

While I like the idea of this site, lots and lots of lessons learned already exist.  So one of the key questions will continue to be…Will this site help organizations to actually implement lessons learned?






Vishing, Smishing, Phishing and Wishing…

Posted In Information Privacy, Information Security, Risk Management on October 6th, 2010

 

Now that football season is rolling along at full speed, someone may need to throw a penalty flag for piling on in the financial sector!

As you know, I blogged earlier this week on several financial sector headlines and escalating challenges and now we learn that community banks and credit unions are being targeted by sophisticated vishing and smishing attacks.

But the lessons learned I want to discuss in this blog involve the consumers of financial institutions.  Why are so many consumers falling for these social attacks such as vishing and smishing?

For those who are not familiar with the terms: vishing attacks are phone-based (voice calls) and smishing attacks are text-message-based (SMS), not to be confused with phishing attacks, which are e-mail-based.

Perhaps the best advice from the BankInfoSecurity article was the comment from Robert Siciliano, a McAfee security consultant and founder of http://www.idtheftsecurity.com/, saying constant and consistent consumer education is the only effective way to fight vishing and smishing.

Lessons learned show that most financial institutions are not delivering effective consumer education to keep up with constantly changing risks and threats. 

Wishing that phishing and vishing and smishing will go away…

Unfortunately, it seems like most financial institutions are wishing consumers will educate themselves and the risks will go away. But when you read between the lines and look at what the bad guys are doing with phishing, vishing, smishing and keyloggers, there is a game-changing opportunity for financial institutions. The institutions that take a forward-looking approach and deliver constant and consistent consumer education on an ongoing basis – and I don’t mean fliers in statements or web site banners – will build more trust, more accountability and more customers than those that don’t.






Financial Sector Challenges Keep Coming…

Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on October 5th, 2010

 

How will these new challenges impact your community? And your organization?

If you have been watching financial sector headlines recently, bad news and challenges seem to keep coming for financial leaders and their organizations. And we have all learned that when the financial sector is affected, all sectors will see and feel some impact.

Credit unions are now in line for their bailout.

http://online.wsj.com/article/SB10001424052748703499604575512254063682236.html?mod=WSJ_hp_mostpop_read&ana=e_phx_rdup

According to a CNN Money article, bank fees are like a game of Whac-A-Mole: the minute some bank fees are banned, a whole new set of bank fees pops up.

http://money.cnn.com/2010/09/24/pf/new_bank_fees/index.htm?hpt=T2

FinCEN has proposed sweeping new wire transfer reporting requirements that could impose a massive burden on banks and money services businesses, which would have to report international wire transfers to the government.

 http://www.fincen.gov/news_room/nr/html/20100927.html

In Michigan, the Office of Financial and Insurance Regulation ordered the shutdown of a “business” that was actually a group of scammers posing as a legitimate credit union in order to obtain information for use in identity theft.

http://blogs.bankinfosecurity.com/posts.php?postID=725

Credit card fraud continues to go global and losses continue to mount.

The Consumer Financial Protection Bureau is coming…how will it affect your business?

The bad news:  Many of these challenges are out of your control.

The good news: Organizations can control the positive impact they have on their community, their customers and their employees.

So for all the organization leaders – financial, government, schools, healthcare, faith-based and others…Is your organization ready to take the lead in your community?






Is Your Janitor Cleaning Out Your Sensitive Information?

Posted In Incident Reporting, Information Privacy, Information Security, Risk Management on September 30th, 2010

 

One of my recent blogs discussed the risks of third-party contractors and their responsibilities for protecting information. This blog will address yet another third-party risk – your janitors.

A janitor was recently arrested for removing boxes of records from a Southern California health care clinic.  Interested only in getting money for the paper, the janitor sold 14 boxes of patient records to a recycling center for $40.  This janitor was not interested in identity theft, but the next one might be…

In an earlier case, a janitor stole personal information from patient files at a Chicago hospital, participating in an identity theft ring that affected more than 250 patients.

Is your organization addressing risks with the cleaning crew?

1) Do you know your cleaning crew?

2) Do they have a good reputation?

3) Have all janitors and other crew members signed off on your organization’s policies for protecting information?

4) Are you monitoring their activity on an ongoing basis?

5) Are you limiting their access to secured areas and systems?

6) Do they understand the consequences for mishandling sensitive information?

7) Are suspicious incidents (missing papers, back-up devices, etc.) reported to the appropriate personnel?

 

Organizations should also ensure employees are protecting sensitive information with simple best practices for the office:

1) Don’t leave sensitive files/information on your desk.

2) Properly dispose of/shred sensitive information. Don’t just toss documents in garbage cans or recycling bins.

3) Lock and secure file cabinets containing patient information.

 

How is your organization addressing risks with third-party contractors?






Social Engineering: Need $11K?… Just Ask a Wal-Mart Employee

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management on September 24th, 2010

 

In a recent incident, a man called a 24-hour Wal-Mart in Ohio and told an associate that he was with Wal-Mart’s IT department and needed the associate to activate several gift cards, read him the card numbers and then provide the authorization codes from the back of the cards. The associate willingly did so, and only after $11,000 in online fraud did the store realize it had been tricked.

This is a great lesson learned to share with your employees (and third-parties).  Do your employees understand your organization’s policies on providing/protecting information in different situations? 

The Wal-Mart caller gave the associate no reason to believe he was really from the IT department…do your employees understand your authentication procedures and passwords for verifying who a caller is?

The Wal-Mart caller did not explain why the IT department was making the request…would your employees be suspicious?  Would they know how and where to report the suspicious caller to the appropriate personnel?

Do your employees understand how to protect sensitive information or would they willingly provide information over the phone in the spirit of good customer service?

Do your employees participate in ongoing situational awareness training?  Are you updating your employees as new social engineering techniques, risks, and threats change?

Have your employees formally acknowledged their individual roles and responsibilities, so that the acknowledgement is on record in case of a lawsuit or termination?

Even if your IT department has the most sophisticated and expensive technology solutions in the world, all of it can be bypassed if your employees fall for simple social engineering scams. 

Are you educating your employees on best practices for protecting information?






Are Financial Institutions Ready for CFPB?

Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on September 21st, 2010

 

On Friday, September 17th, Elizabeth Warren was appointed special advisor to oversee the creation of the new Consumer Financial Protection Bureau (CFPB).

As outlined in the legislation, the CFPB’s purpose is to implement and enforce federal consumer law to ensure that markets are fair, transparent and competitive. The CFPB has also been described as a watchdog to protect consumers in their dealings with financial institutions.

Consumer protection is important and I think most everyone would agree that consumer protection is a good idea.  But lessons learned lead me to ask a few questions:

Are financial institutions aware of and ready for the new consumer laws?  

How will the CFPB enforce the new consumer laws and how soon will CFPB begin enforcing the laws?

According to a Reuters article, Ms. Warren has until July 2011 to get the new agency up and running. So it will be interesting to watch and learn how the agency intends to ensure consumer protection and fair, transparent and competitive markets.

Of course, the financial sector is not too thrilled about adding more regulations. The NAFCU has long opposed the new consumer protection agency, and the ABA issued a news release earlier this year saying the law will result in more than 5,000 pages of new regulation for traditional banks.

As regulations continue to mount, have financial institutions built an environment of compliance that is efficient, scalable and ready for the new consumer protection laws? 

Are financial institutions ready and prepared for additional examinations with audit-ready and legal-ready documentation?

Are financial institutions ready to take building trust with consumers to a new level?

Now that the CFPB is off and running, perhaps there is a better question…..

Could the new consumer protection agency create an opportunity for some financial institutions to gain a competitive advantage by connecting the dots with consumers more effectively?






Third-Parties and the Protection of Sensitive Information: Is Your Organization Lacking Contractual Assurances?

Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management, Uncategorized on September 17th, 2010

 

A recent GAO report has revealed that federal agencies utilizing contracted workers are failing to implement contractual assurances with third-parties regarding the protection of sensitive information.  

GAO auditors examined the contracting practices of three of the largest federal agencies and of those three, only one (DHS) required third-party companies to sign standard contracts requiring the contractors to follow best practices in safeguarding sensitive information. 

In a recent data breach, a TSA contractor allegedly provided a Boston couple the social security numbers for more than a dozen TSA workers.  Third-parties are increasingly responsible for data breaches, but most often, the hiring agency or company will face the resulting lawsuits, reputational damages, fines, etc.  Outsourcers, consultants, contractors and business partners were responsible for almost half of the data breach incidents in 2008 and recent incidents show third-party gaps are mounting. 

It is critical for organizations to require third-parties to be aware of, understand and acknowledge their responsibilities for protecting all types of information.  Organizations should:

  • Train contractors on best practices for protecting information
  • Require contractors to sign non-disclosure agreements
  • Require contractors to review and acknowledge organization-specific policies and procedures
  • Require contractors to review ongoing updates as risks, challenges, requirements change
  • Track all contractor agreements with legal-ready and audit-ready documentation

 

Lessons learned have shown that third-party data breaches will continue to occur if organizations do not change their status quo processes and connect the dots with third-parties more effectively.  

How are you addressing your third-party relationships today? 

Have your business partners, contractors, etc. signed off on your organization’s policies and procedures? 

Do they understand their individual roles and responsibilities for protecting your customer / sensitive information?






Dissemination Trap vs. Implementing/Building and Maintaining

Posted In Human Resources, Incident Reporting, Information Security, Risk Management on September 10th, 2010

 

Dennis McCafferty of CIO Insight recently did a two-part overview on Enterprise Security Risks, and in part 2 he talked about the hottest security catch phrase of 2010 – Advanced Persistent Threat (APT).

According to the overview, an Advanced Persistent Threat is an insidious attack by a well-funded, state-sponsored intelligence organization.  The overview goes on to describe how APT attackers are more patient than a bored Gen Y hacker or financially motivated crook. They are willing to slowly gather information and data from multiple sources and social media sites and then execute a targeted, social-engineering attack on their terms.

Are bad guys out-thinking the good guys….again?   Yes, but if the good guys are paying attention to lessons learned, they would know the key to defeating the APT risk (and numerous other escalating risks) is not falling into the dissemination trap. 

Most organizations fall victim to the dissemination trap because they are simply disseminating policies, procedures, general training, best practices, regulatory requirements, etc. using binders, e-mails, memos, intranets, portals and shared drives. The article correctly points out that every employee and endpoint is a potential point of entry, yet organizations and their leaders continue to believe that dissemination of documents and general training is enough. The bad guys know this too, which is why APT and thousands of other risks and new attacks target your employees, contractors, vendors, consultants, temps, etc.

Implementation is not dissemination.  Implementation is building environments of security awareness, situational awareness, risk awareness, accountability, compliance, preparedness, legal defensibility, trust and others…and it must be maintained ongoing to keep up with the bad guys.

Are you keeping up or falling into the dissemination trap?





