
Three Quick Ways to Protect Yourself

By Dan Hadaway | Wednesday, March 25, 2015 - Leave a Comment

A Vigilize post . . .


Meant for awareness training, feel free to steal for your own awareness content!


I have a Client who is big on helping his users “in their personal life.”  He has learned that you can get a user’s attention by talking about their home computer systems, smartphone woes, etc. and then take advantage of that attention to teach certain “governance fundamentals.”  And it’s not hard to come across fodder for this . . . just describe what you do in your own personal practices and share that with your team.  This particular CIO has an intense level of respect from those in his C-suite, so I of course listen closely to what is working for him!

And in the spirit of his approach, possibly as an example but maybe as a template, I offer this article.

There are some things I do out of habit that, when I was purchasing tickets today (Bulls v Pacers), I realized might be something most people do not realize they can do to protect themselves on-line.  So, I have written the following as a Vigilize Post, meaning that you are welcome to customize it to your own needs:

Target.  Home Depot.  Sony.  Anthem.  Wow!

Are you worried about a hack somewhere causing you grief?  Here are three things I do to protect myself on-line:

  1. Lower the impact of a breach:  When easy, remove the information you would not want discovered in a breach.  For example, I buy tickets for events maybe five times per year.  After I have downloaded the tickets, I go back into “My Account” and delete the credit card information.  Now, let’s not have a false sense of security . . . . whether or not my credit card is still available to hackers is still up to practices at the provider.  But there is a BETTER chance that removing my credit card will mean that, if the ticket company gets breached, the bad guys cannot get my credit card number.  Or maybe they’ll get somebody else’s credit card before my bank has protected my card.
  2. Change credit card numbers:  Yes, when there is a huge breach, like the breaches at Target or Home Depot, banks will proactively change my credit card number.  But how about the thousands of businesses who would never know if they were breached?  Because most small businesses may not yet be equipped to know, there is a chance they are being breached without even realizing it.  So, at least once per year, I call the number on the back of each of my credit cards to request a new card, with a new account number.  It’s like changing your password . . . . only in this case the risk mitigation is very high!  This does cause a need to update the card number at those sites where “auto-renewal” has been agreed to.  While this may seem like a pain, we have caught several sites wanting to use our credit card where we didn’t realize we were in an “auto-renewal” situation.
  3. Use strong passwords or DON’T use the site.  When logging into your site, if you are NOT allowed to use passwords with the following six factors:

    A) Upper case text
    B) Lower case text
    C) Numbers
    D) Special Characters
    E) At least 8 characters long
    F) No dictionary words

then there is a very high chance that the maintainers of the site (and the applications which serve the site) are NOT adequately protecting information.  I do not use sites that disallow strong passwords, with one exception:  The website for my Chase Mastercard does not allow the use of strong passwords.
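As an added illustration (not part of the original post), here is a small Python checker that tests a candidate password against the six factors listed above. The word list is a constructed handful of common words standing in for a real dictionary, and the checker goes one step beyond the post by normalizing common letter-for-digit substitutions (such as “0” for “o”) before the dictionary test, so that “P@ssw0rd” is still caught as a dictionary word.

```python
import re

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "summer", "monkey", "dragon", "letmein", "qwerty"}

# Common substitutions people use to dodge dictionary checks; undone before testing.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case the password and undo simple leet substitutions."""
    return pw.lower().translate(LEET_MAP)


def check_password_factors(pw: str, dictionary=COMMON_WORDS) -> dict:
    """Return {factor_name: passed} for the six factors from the post."""
    normalized = normalize(pw)
    return {
        "upper_case": any(c.isupper() for c in pw),
        "lower_case": any(c.islower() for c in pw),
        "numbers": any(c.isdigit() for c in pw),
        # Anything that is not a letter or digit counts as a special character.
        "special_characters": any(not c.isalnum() for c in pw),
        "min_length_8": len(pw) >= 8,
        # Fail if any dictionary word of four or more letters appears inside
        # the normalized password (substring match, not just exact match).
        "no_dictionary_words": not any(
            w in normalized for w in dictionary if len(w) >= 4
        ),
    }


def meets_all_factors(pw: str, dictionary=COMMON_WORDS) -> bool:
    """True only when every one of the six factors passes."""
    return all(check_password_factors(pw, dictionary).values())


def missing_factors(pw: str, dictionary=COMMON_WORDS) -> list:
    """List the factor names the password fails, in checklist order."""
    return [name for name, ok in check_password_factors(pw, dictionary).items() if not ok]


if __name__ == "__main__":
    for candidate in ["Summer2015!", "P@ssw0rd1", "abc", "xT7#qL9!vB"]:
        gaps = missing_factors(candidate)
        print(f"{candidate!r}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The substring test is deliberately strict: a password that merely contains a dictionary word (“Summer2015!”) fails factor F even though it passes the other five, which matches the intent of the list rather than just its letter.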

Controls Don’t Always Make Sense:

Remember our discussion about how sometimes controls simply don’t work out as intended, and that’s why we need management to help us identify when we are NOT enforcing policies, procedures, etc?

Well . . . . and this may seem like rationalization . . . . but because changing credit cards is not as simple as “just find another site,” and because I can’t just “not use the site” because somebody else would be able to log in as me, I had no choice but to use the site.  I could have returned to “paper statements,” but that didn’t change the fact that there was a website with weak authentication into my account.

So I looked for what we all call “mitigating controls.”  What else can be done to lower risk?

In other words, if you ARE going to use a site that does not allow strong passwords, find ways to lower the risk.  For Chase, I could not just take my credit card number out . . . . the site was ABOUT my credit card number.  But I did find out they offered additional authentication controls.  So for Chase, I changed the settings on the site to ALWAYS require a One Time Password, which at least overcame the issue of somebody being able to easily guess my password.

Is Chase secure?  No.  They are given a big giant pass by their examiners, in my opinion.  If one of my small banks were to not allow strong passwords on their on-line banking site, we’d find it in our audit, and the bank regulators would make them change it.  But Chase?  That’s a different story . . . . probably for a different article!

But back to the question:  Is Chase Secure?  My answer is flat out NO.  And that’s because I am a firm believer that NOBODY is secure.  Some sites may be MORE secure than others, but you should proceed as if NO SITE is secure.  And thus, the above suggestions.

——–

I’m sure some of you are planning to remove the last few paragraphs!  I guess it all depends on your audience!  But you get the point, let’s start telling our users how we protect ourselves, and use the opportunity (and their attention) to teach some information security fundamentals.

And . . . . regarding those tickets . . . . the Pacers won!


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Note:  When we post an article as a “Vigilize Post” the intention is to give you material you can use in your own awareness training, if you are a Client of ours.  Feel free to cut, paste, modify, change . . . do whatever is necessary to get the message out!”

