
Three Quick Ways to Protect Yourself

By Dan Hadaway | Wednesday, March 25, 2015

A Vigilize post . . .


Meant for awareness training, feel free to steal for your own awareness content!


I have a Client who is big on helping his users “in their personal life.”  He has learned that you can get a user’s attention by talking about their home computer systems, smartphone woes, etc. and then take advantage of that attention to teach certain “governance fundamentals.”  And it’s not hard to come across fodder for this . . . just describe what you do in your own personal practices and share that with your team.  This particular CIO has an intense level of respect from those in his C-suite, so I of course listen closely to what is working for him!

And in the spirit of his approach, possibly as an example but maybe as a template, I offer this article.

There are some things I do out of habit that, when I was purchasing tickets today (Bulls v Pacers), I realized might be something most people do not realize they can do to protect themselves on-line.  So, I have written the following as a Vigilize Post, meaning that you are welcome to customize it to your own needs:

Target.  Home Depot.  Sony.  Anthem.  Wow!

Are you worried about a hack somewhere causing you grief?  Here are three things I do to protect myself on-line:

  1. Lower the impact of a breach:  When easy, remove the information you would not want discovered in a breach.  For example, I buy tickets for events maybe five times per year.  After I have downloaded the tickets, I go back into “My Account” and delete the credit card information.  Now, let’s not have a false sense of security . . . . whether or not my credit card is still available to hackers is still up to practices at the provider.  But there is a BETTER chance that removing my credit card will mean that, if the ticket company gets breached, the bad guys cannot get my credit card number.  Or maybe they’ll get somebody else’s credit card before my bank has protected my card.
  2. Change credit card numbers:  Yes, when there is a huge breach, like the breaches at Target or Home Depot, banks will proactively change my credit card number.  But how about the thousands of businesses who would never know if they were breached?  Because most small businesses may not yet be equipped to know, there is a chance they are being breached without even realizing it.  So, at least once per year, I call the number on the back of each of my credit cards to request a new card, with a new account number.  It’s like changing your password . . . . only in this case the risk mitigation is very high!  This does cause a need to update the card number at those sites where “auto-renewal” has been agreed to.  While this may seem like a pain, we have caught several sites wanting to use our credit card where we didn’t realize we were in an “auto-renewal” situation.
  3. Use strong passwords or DON’T use the site.  When logging into your site, if you are NOT allowed to use passwords with the following six factors:

    A) Upper case text
    B) Lower case text
    C) Numbers
    D) Special Characters
    E) At least 8 characters long
    F) No dictionary words

then there is a very high chance that the maintainers of the site (and the applications which serve the site) are NOT adequately protecting information.  I do not use sites that disallow strong passwords, with one exception:  The website for my Chase Mastercard does not allow the use of strong passwords.
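As an added example (not part of the original post), here is a small Python checker for the six password factors listed above, plus a second check that answers the article's real question: do a site's password rules even make such a password possible? The word list is a constructed stand-in for a real dictionary.

```python
import string

# Constructed mini word list standing in for a real dictionary
# (assumption: a real deployment would load a full word list).
DICTIONARY_WORDS = {"password", "summer", "welcome", "tickets", "pacers", "bulls"}


def password_factors(pw, dictionary=DICTIONARY_WORDS):
    """Map each of the six factors from the post to True (met) or False (not met)."""
    lowered = pw.lower()
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
        "length8": len(pw) >= 8,
        # Factor F: reject a password that contains a dictionary word
        # of four or more letters anywhere inside it (case-insensitive).
        "no_dictionary_word": not any(
            w in lowered for w in dictionary if len(w) >= 4
        ),
    }


def failed_factors(pw, dictionary=DICTIONARY_WORDS):
    """List the factors a password does NOT satisfy, in A..F order."""
    return [name for name, ok in password_factors(pw, dictionary).items() if not ok]


def is_strong(pw, dictionary=DICTIONARY_WORDS):
    return not failed_factors(pw, dictionary)


def policy_permits_strong(max_length, allowed_chars):
    """Can ANY password meeting all six factors exist under a site's rules?

    max_length: the longest password the site's form accepts.
    allowed_chars: every character the site's password field accepts.
    A site that caps length below 8 or bans one of the character classes
    cannot accept a strong password, which is the post's red flag.
    """
    allowed = set(allowed_chars)
    return (
        max_length >= 8
        and any(c.isupper() for c in allowed)
        and any(c.islower() for c in allowed)
        and any(c.isdigit() for c in allowed)
        and any(c in string.punctuation for c in allowed)
    )
```

`failed_factors` is what an awareness tool would show the user; `policy_permits_strong` is what you would run against a site's published password rules before deciding whether to trust it with your data.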

Controls Don’t Always Make Sense:

Remember our discussion about how sometimes controls simply don’t work out as intended, and that’s why we need management to help us identify when we are NOT enforcing policies, procedures, etc.?

Well . . . . and this may seem like rationalization . . . . but because changing credit cards is not as simple as “just find another site,” and because I can’t just “not use the site” because somebody else would be able to log in as me, I had no choice but to use the site.  I could have returned to “paper statements,” but that didn’t change the fact that there was a website with weak authentication into my account.

So I looked for what we all call “mitigating controls.”  What else can be done to lower risk?

In other words, if you ARE going to use a site that does not allow strong passwords, find ways to lower the risk.  For Chase, I could not just take my credit card number out . . . . the site was ABOUT my credit card number.  But I did find out they offered additional authentication controls.  So for Chase, I changed the settings on the site to ALWAYS require a One Time Password, which at least overcame the issue of somebody being able to easily guess my password.

Is Chase secure?  No.  They are given a big giant pass by their examiners, in my opinion.  If one of my small banks were to not allow strong passwords on their on-line banking site, we’d find it in our audit, and the bank regulators would make them change it.  But Chase?  That’s a different story . . . . probably for a different article!

But back to the question:  Is Chase Secure?  My answer is flat out NO.  And that’s because I am a firm believer that NOBODY is secure.  Some sites may be MORE secure than others, but you should proceed as if NO SITE is secure.  And thus, the above suggestions.

——–

I’m sure some of you are planning to remove the last few paragraphs!  I guess it all depends on your audience!  But you get the point, let’s start telling our users how we protect ourselves, and use the opportunity (and their attention) to teach some information security fundamentals.

And . . . . regarding those tickets . . . . the Pacers won!


Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Managing Partner, infotex

Note:  When we post an article as a “Vigilize Post” the intention is to give you material you can use in your own awareness training, if you are a Client of ours.  Feel free to cut, paste, modify, change . . . do whatever is necessary to get the message out!