
Three Quick Ways to Protect Yourself

By Dan Hadaway | Wednesday, March 25, 2015 - Leave a Comment

A Vigilize post . . .


Meant for awareness training, feel free to steal for your own awareness content!


I have a Client who is big on helping his users “in their personal life.”  He has learned that you can get a user’s attention by talking about their home computer systems, smartphone woes, etc., and then take advantage of that attention to teach certain “governance fundamentals.”  And it’s not hard to come across fodder for this . . . just describe your own personal practices and share them with your team.  This particular CIO has an intense level of respect from those in his C-suite, so I of course listen closely to what is working for him!

And in the spirit of his approach, possibly as an example but maybe as a template, I offer this article.

There are some things I do out of habit that, while purchasing tickets today (Bulls v Pacers), I realized most people may not know they can do to protect themselves on-line.  So I have written the following as a Vigilize Post, meaning that you are welcome to customize it to your own needs:

Target.  Home Depot.  Sony.  Anthem.  Wow!

Are you worried about a hack somewhere causing you grief?  Here are three things I do to protect myself on-line:

  1. Lower the impact of a breach:  When it is easy, remove the information you would not want discovered in a breach.  For example, I buy tickets for events maybe five times per year.  After I have downloaded the tickets, I go back into “My Account” and delete the credit card information.  Now, let’s not have a false sense of security . . . . deleting the card from my profile does not guarantee it is gone from the provider’s database, their payment processor, or their backups; that is still up to practices at the provider.  But there is a BETTER chance that, if the ticket company gets breached, the bad guys will not get my credit card number.  Or, at worst, they will be busy with somebody else’s stored card before they get to mine, buying time for my bank to protect my card.
  2. Change credit card numbers:  Yes, when there is a huge breach, like the breaches at Target or Home Depot, banks will proactively change my credit card number.  But how about the thousands of businesses who would never know if they were breached?  Because most small businesses are not yet equipped to detect a breach, there is a chance they are being breached without even realizing it.  So, at least once per year, I call the number on the back of each of my credit cards to request a new card, with a new account number.  It’s like changing your password . . . . only in this case the risk mitigation is very high!  This does create a need to update the card number at those sites where “auto-renewal” has been agreed to.  While this may seem like a pain, it has a side benefit: we have caught several sites wanting to charge our credit card where we didn’t realize we were in an “auto-renewal” situation.
  3. Use strong passwords or DON’T use the site.  When creating an account or logging into a site, if you are NOT allowed to use passwords with all six of the following factors:

    A) Upper case text
    B) Lower case text
    C) Numbers
    D) Special Characters
    E) At least 8 characters long
    F) No dictionary words

then there is a very high chance that the maintainers of the site (and the applications which serve the site) are NOT adequately protecting information.  I do not use sites that disallow strong passwords, with one exception:  The website for my Chase Mastercard does not allow the use of strong passwords.
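As an added example (not code from the article or from infotex), the following Python checks a candidate password against the six factors above and then runs the test the article actually proposes from the user’s side: try a password that satisfies all six against a site’s own password rule and see whether the site accepts it.  The word list, the substring interpretation of “no dictionary words,” and the two model site rules are constructed for this example and do not describe any real site.

```python
import string

# Constructed sample word list (an assumption for this example). A real check
# would load a large list, e.g. a system dictionary or a breached-password list.
SAMPLE_DICTIONARY = {
    "password", "welcome", "summer", "pacers", "bulls", "tickets",
    "letmein", "chase", "admin", "qwerty", "dragon", "monkey",
}

MIN_LENGTH = 8          # factor E from the article
MIN_DICT_WORD_LEN = 4   # assumption: ignore very short words such as "a" or "at"


def contains_dictionary_word(password, dictionary=SAMPLE_DICTIONARY,
                             min_len=MIN_DICT_WORD_LEN):
    """Factor F. Case-insensitive substring match, so 'Pacers2015!' is caught
    as well as 'pacers'. Substring matching is this example's interpretation
    of "no dictionary words", not the article's."""
    lowered = password.lower()
    return any(word in lowered for word in dictionary if len(word) >= min_len)


def check_policy(password, dictionary=SAMPLE_DICTIONARY):
    """Evaluate the six factors A-F and return {factor: passed?}."""
    return {
        "upper":   any(c.isupper() for c in password),              # A
        "lower":   any(c.islower() for c in password),              # B
        "digit":   any(c.isdigit() for c in password),              # C
        "special": any(c in string.punctuation for c in password),  # D
        "length":  len(password) >= MIN_LENGTH,                     # E
        "no_dictionary_word": not contains_dictionary_word(password, dictionary),  # F
    }


def failed_factors(password, dictionary=SAMPLE_DICTIONARY):
    """Sorted list of the factors the password fails (empty list = strong)."""
    return sorted(name for name, ok in check_policy(password, dictionary).items() if not ok)


def meets_policy(password, dictionary=SAMPLE_DICTIONARY):
    return not failed_factors(password, dictionary)


# The article's real test is run from the user's side: will the site even
# ACCEPT a password that satisfies all six factors? Model a site's server-side
# password rule as a callable; the two rules below are constructed, not any
# real site's.
STRONG_PROBE = "Tq7#vB!9kLm2$"


def site_allows_strong_passwords(site_rule):
    assert meets_policy(STRONG_PROBE), "probe must itself satisfy the policy"
    return bool(site_rule(STRONG_PROBE))


def lenient_site_rule(pw):
    """Accepts any password of 8 to 64 characters (constructed example)."""
    return 8 <= len(pw) <= 64


def alnum_only_site_rule(pw):
    """Rejects special characters and caps length at 10 (constructed example
    of the kind of rule that should send you looking for mitigating controls)."""
    return pw.isalnum() and len(pw) <= 10


if __name__ == "__main__":
    for candidate in ("welcome", "Pacers2015!", STRONG_PROBE):
        print(f"{candidate!r:18} fails: {failed_factors(candidate) or 'none'}")
    for rule in (lenient_site_rule, alnum_only_site_rule):
        print(f"{rule.__name__}: allows strong passwords? "
              f"{site_allows_strong_passwords(rule)}")
```

The dictionary test is the factor most sites skip, and it is the one that separates “Pacers2015!” (passes A through E) from a password worth keeping; a substring match against a large list is cheap enough to run on every password change.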

Controls Don’t Always Make Sense:

Remember our discussion about how sometimes controls simply don’t work out as intended, and that this is why we need management to help us identify when we are NOT enforcing policies, procedures, etc.?

Well . . . . and this may seem like rationalization . . . . but because changing credit cards is not as simple as “just find another site,” and because I can’t just “not use the site” (if I never claim the on-line account, somebody else could register it and log in as me), I had no choice but to use the site.  I could have returned to “paper statements,” but that didn’t change the fact that there was a website with weak authentication into my account.

So I looked for what we all call “mitigating controls.”  What else can be done to lower the risk?

In other words, if you ARE going to use a site that does not allow strong passwords, find ways to lower the risk.  For Chase, I could not just take my credit card number out . . . . the site was ABOUT my credit card number.  But I did find out they offered additional authentication controls.  So for Chase, I changed the settings on the site to ALWAYS require a one-time password (OTP) at login, which at least overcame the issue of somebody being able to easily guess my password: a guessed password alone no longer gets them in.

Is Chase secure?  No.  They are given a big giant pass by their examiners, in my opinion.  If one of my small banks were to not allow strong passwords on their on-line banking site, we’d find it in our audit, and the bank regulators would make them change it.  But Chase?  That’s a different story . . . . probably for a different article!

But back to the question:  Is Chase Secure?  My answer is flat out NO.  And that’s because I am a firm believer that NOBODY is secure.  Some sites may be MORE secure than others, but you should proceed as if NO SITE is secure.  And thus, the above suggestions.

——–

I’m sure some of you are planning to remove the last few paragraphs!  I guess it all depends on your audience!  But you get the point: let’s start telling our users how we protect ourselves, and use the opportunity (and their attention) to teach some information security fundamentals.

And . . . . regarding those tickets . . . . the Pacers won!


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

Note:  When we post an article as a “Vigilize Post,” the intention is to give you material you can use in your own awareness training, if you are a Client of ours.  Feel free to cut, paste, modify, change . . . do whatever is necessary to get the message out!


