A Vigilize post . . .
Meant for awareness training, feel free to steal for your own awareness content!
I have a Client who is big on helping his users “in their personal life.” He has learned that you can get a user’s attention by talking about their home computer systems, smartphone woes, etc. and then take advantage of that attention to teach certain “governance fundamentals.” And it’s not hard to come across fodder for this . . . just describe what you do in your own personal practices and share that with your team. This particular CIO has an intense level of respect from those in his C-suite, so I of course listen closely to what is working for him!
And in the spirit of his approach, possibly as an example but maybe as a template, I offer this article.
There are some things I do out of habit that, when I was purchasing tickets today (Bulls v Pacers), I realized might be something most people do not realize they can do to protect themselves on-line. So, I have written the following as a Vigilize Post, meaning that you are welcome to customize it to your own needs:
Target. Home Depot. Sony. Anthem. Wow!
Are you worried about a hack somewhere causing you grief? Here are three things I do to protect myself on-line:
- Lower the impact of a breach: When easy, remove the information you would not want discovered in a breach. For example, I buy tickets for events maybe five times per year. After I have downloaded the tickets, I go back into “My Account” and delete the credit card information. Now, let’s not have a false sense of security . . . . whether or not my credit card is still available to hackers is still up to practices at the provider. But there is a BETTER chance that removing my credit card will mean that, if the ticket company gets breached, the bad guys cannot get my credit card number. Or maybe they’ll get somebody else’s credit card before my bank has protected my card.
- Change credit card numbers: Yes, when there is a huge breach, like the breaches at Target or Home Depot, banks will proactively change my credit card number. But how about the thousands of businesses that would never know if they were breached? Because most small businesses may not yet be equipped to know, there is a chance they are being breached without even realizing it. So, at least once per year, I call the number on the back of each of my credit cards to request a new card, with a new account number. It’s like changing your password . . . . only in this case the risk mitigation is very high! This does mean updating the card number at those sites where “auto-renewal” has been agreed to. While this may seem like a pain, we have caught several sites wanting to use our credit card where we didn’t realize we were in an “auto-renewal” situation.
- Use strong passwords or DON’T use the site. When logging into your site, if you are NOT allowed to use passwords with the following six factors:
A) Upper case text
B) Lower case text
D) Special Characters
E) At least 8 characters long
F) No dictionary words
then there is a very high chance that the maintainers of the site (and the applications which serve the site) are NOT adequately protecting information. I do not use sites that disallow strong passwords, with one exception: The website for my Chase Mastercard does not allow the use of strong passwords.
Controls Don’t Always Make Sense:
Remember our discussion about how sometimes controls simply don’t work out as intended, and that’s why we need management to help us identify when we are NOT enforcing policies, procedures, etc?
Well . . . . and this may seem like rationalization . . . . but because changing credit cards is not as simple as “just find another site,” and because I can’t just “not use the site” because somebody else would be able to log in as me, I had no choice but to use the site. I could have returned to “paper statements,” but that didn’t change the fact that there was a website with weak authentication into my account.
So I looked for what we all call “mitigating controls.” What else can be done to lower risk?
In other words, if you ARE going to use a site that does not allow strong passwords, find ways to lower the risk. For Chase, I could not just take my credit card number out . . . . the site was ABOUT my credit card number. But I did find out they offered additional authentication controls. So for Chase, I changed the settings on the site to ALWAYS require a One Time Password, which at least overcame the issue of somebody being able to easily guess my password.
Is Chase secure? No. They are given a big giant pass by their examiners, in my opinion. If one of my small banks were to not allow strong passwords on their on-line banking site, we’d find it in our audit, and the bank regulators would make them change it. But Chase? That’s a different story . . . . probably for a different article!
But back to the question: Is Chase Secure? My answer is flat out NO. And that’s because I am a firm believer that NOBODY is secure. Some sites may be MORE secure than others, but you should proceed as if NO SITE is secure. And thus, the above suggestions.
I’m sure some of you are planning to remove the last few paragraphs! I guess it all depends on your audience! But you get the point: let’s start telling our users how we protect ourselves, and use the opportunity (and their attention) to teach some information security fundamentals.
And . . . . regarding those tickets . . . . the Pacers won!
Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Managing Partner, infotex
Note: When we post an article as a “Vigilize Post” the intention is to give you material you can use in your own awareness training, if you are a Client of ours. Feel free to cut, paste, modify, change . . . do whatever is necessary to get the message out!