Three Quick Ways to Protect Yourself

By Dan Hadaway | Wednesday, March 25, 2015 - Leave a Comment

A Vigilize post . . .


Meant for awareness training, feel free to steal for your own awareness content!


I have a Client who is big on helping his users “in their personal life.”  He has learned that you can get a user’s attention by talking about their home computer systems, smartphone woes, etc. and then take advantage of that attention to teach certain “governance fundamentals.”  And it’s not hard to come across fodder for this . . . just describe what you do in your own personal practices and share that with your team.  This particular CIO has an intense level of respect from those in his C-suite, so I of course listen closely to what is working for him!

And in the spirit of his approach, possibly as an example but maybe as a template, I offer this article.

There are some things I do out of habit that, when I was purchasing tickets today (Bulls v Pacers), I realized might be something most people do not realize they can do to protect themselves on-line.  So, I have written the following as a Vigilize Post, meaning that you are welcome to customize it to your own needs:

Target.  Home Depot.  Sony.  Anthem.  Wow!

Are you worried about a hack somewhere causing you grief?  Here are three things I do to protect myself on-line:

  1. Lower the impact of a breach:  When easy, remove the information you would not want discovered in a breach.  For example, I buy tickets for events maybe five times per year.  After I have downloaded the tickets, I go back into “My Account” and delete the credit card information.  Now, let’s not have a false sense of security . . . . whether or not my credit card is still available to hackers is still up to practices at the provider.  But there is a BETTER chance that removing my credit card will mean that, if the ticket company gets breached, the bad guys cannot get my credit card number.  Or maybe they’ll get somebody else’s credit card before my bank has protected my card.
  2. Change credit card numbers:  Yes, when there is a huge breach, like the breaches at Target or Home Depot, banks will proactively change my credit card number.  But how about the thousands of businesses who would never know if they were breached?  Because most small businesses may not yet be equipped to know, there is a chance they are being breached without even realizing it.  So, at least once per year, I call the number on the back of each of my credit cards to request a new card, with a new account number.  It’s like changing your password . . . . only in this case the risk mitigation is very high!  This does cause a need to update the card number at those sites where “auto-renewal” has been agreed to.  While this may seem like a pain, we have caught several sites wanting to use our credit card where we didn’t realize we were in an “auto-renewal” situation.
  3. Use strong passwords or DON’T use the site.  When logging into your site, if you are NOT allowed to use passwords with the following six factors:

    A) Upper case text
    B) Lower case text
    C) Numbers
    D) Special Characters
    E) At least 8 characters long
    F) No dictionary words

then there is a very high chance that the maintainers of the site (and the applications which serve the site) are NOT adequately protecting information.  I do not use sites that disallow strong passwords, with one exception:  The website for my Chase Mastercard does not allow the use of strong passwords.
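The six factors above are, in effect, a password policy, and the same rule of thumb the post applies to a site can be turned around and used by a site (or by an awareness trainer building a demo). The following is an added example, not code from the original post or from infotex: a small checker that reports which of the six factors a candidate password fails. The word list is a constructed stand-in for a real dictionary, and the “no dictionary words” test is interpreted here as “no dictionary word of four or more letters appears anywhere in the password, ignoring case.”

```python
import string

# Constructed, deliberately tiny word list standing in for a real dictionary.
# A production check would load a full word list and, ideally, a list of
# passwords already exposed in known breaches.
SAMPLE_DICTIONARY = {"password", "summer", "welcome", "pacers", "bulls", "tickets"}

# Labels match the six factors listed in the post (A through F).
FACTOR_LABELS = {
    "upper": "A) Upper case text",
    "lower": "B) Lower case text",
    "digit": "C) Numbers",
    "special": "D) Special Characters",
    "length": "E) At least 8 characters long",
    "dictionary": "F) No dictionary words",
}

MIN_LENGTH = 8


def contains_dictionary_word(password, dictionary=SAMPLE_DICTIONARY, min_len=4):
    """True if any dictionary word of at least min_len letters appears in the
    password, case-insensitively. Short words are skipped so that incidental
    two- or three-letter sequences do not trigger the rule."""
    lowered = password.lower()
    return any(len(word) >= min_len and word in lowered for word in dictionary)


def failed_factors(password, dictionary=SAMPLE_DICTIONARY):
    """Return the factor keys (see FACTOR_LABELS) that the password fails,
    in the order the post lists them. An empty list means all six pass."""
    failures = []
    if not any(c.isupper() for c in password):
        failures.append("upper")
    if not any(c.islower() for c in password):
        failures.append("lower")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in string.punctuation for c in password):
        failures.append("special")
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if contains_dictionary_word(password, dictionary):
        failures.append("dictionary")
    return failures


def meets_policy(password, dictionary=SAMPLE_DICTIONARY):
    """True only when the password satisfies all six factors."""
    return not failed_factors(password, dictionary)


def report(password, dictionary=SAMPLE_DICTIONARY):
    """Human-readable list of the factors a password fails, for a demo or
    for the feedback a sign-up form would show the user."""
    return [FACTOR_LABELS[key] for key in failed_factors(password, dictionary)]


if __name__ == "__main__":
    # Constructed sample inputs: one meets all six factors, two do not.
    for candidate in ("Xk9#mQ2v", "Pacers2021!", "password"):
        verdict = "OK" if meets_policy(candidate) else "fails " + ", ".join(report(candidate))
        print(f"{candidate!r}: {verdict}")
```

Note that `Pacers2021!` satisfies five of the six factors and is still rejected because it is built around a dictionary word, which is exactly the case factor F is meant to catch. A site that enforces only factors A through E would accept it.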

Controls Don’t Always Make Sense:

Remember our discussion about how sometimes controls simply don’t work out as intended, and that’s why we need management to help us identify when we are NOT enforcing policies, procedures, etc?

Well . . . . and this may seem like rationalization . . . . but because changing credit cards is not as simple as “just find another site,” and because I can’t just “not use the site” because somebody else would be able to log in as me, I had no choice but to use the site.  I could have returned to “paper statements,” but that didn’t change the fact that there was a website with weak authentication into my account.

So I looked for what we all call “mitigating controls.”  What else can be done to lower risk?

In other words, if you ARE going to use a site that does not allow strong passwords, find ways to lower the risk.  For Chase, I could not just take my credit card number out . . . . the site was ABOUT my credit card number.  But I did find out they offered additional authentication controls.  So for Chase, I changed the settings on the site to ALWAYS require a One Time Password, which at least overcame the issue of somebody being able to easily guess my password.

Is Chase secure?  No.  They are given a big giant pass by their examiners, in my opinion.  If one of my small banks were to not allow strong passwords on their on-line banking site, we’d find it in our audit, and the bank regulators would make them change it.  But Chase?  That’s a different story . . . . probably for a different article!

But back to the question:  Is Chase Secure?  My answer is flat out NO.  And that’s because I am a firm believer that NOBODY is secure.  Some sites may be MORE secure than others, but you should proceed as if NO SITE is secure.  And thus, the above suggestions.

——–

I’m sure some of you are planning to remove the last few paragraphs!  I guess it all depends on your audience!  But you get the point: let’s start telling our users how we protect ourselves, and use the opportunity (and their attention) to teach some information security fundamentals.

And . . . . regarding those tickets . . . . the Pacers won!


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Note:  When we post an article as a “Vigilize Post” the intention is to give you material you can use in your own awareness training, if you are a Client of ours.  Feel free to cut, paste, modify, change . . . do whatever is necessary to get the message out!”

