Townsend Security Data Privacy Blog

How Attorneys Think About Credit Card Data Breaches

Posted by Patrick Townsend on May 16, 2016 1:58:00 PM

Those of us in the data security industry often wear technology blinders as we go about the business of trying to secure the sensitive data of the organizations we serve. Every organization has limited resources and it is hard to compete with line of business needs in terms of budget and human resources. It’s an ongoing struggle that comes with the territory.

Of course, any organization that has suffered a severe data breach quickly changes its attitude towards investing in security. The internal attitudes at Target, Anthem and Sony are different today than they were in the past, and for good reasons.

For those who’ve not experienced a data breach, the organizational costs remain vague and theoretical. I thought you might like to read how an attorney views the impacts of a data breach that involves the loss of credit card information. David Zetoony, an attorney with the legal firm Bryan Cave, has written several white papers discussing aspects of security. These are very readable works and well worth the time. Even if you are not processing credit card payments, I think this article is relevant to the loss of any sensitive data.

Here is his paper on the impacts of a data breach involving credit cards.

There is a bonus section in this paper about cyber insurance. In my eBook on Key Management Trends and Predictions I mention Cyber Insurance as an evolving industry. This paper by David Zetoony delves much deeper into the issues related to Cyber Insurance. He provides some very practical advice on how to think about Cyber Insurance and how to evaluate potential coverage. If you are new to the topic, or if you’ve not reviewed your Cyber Insurance policy for more than a year, you need to read the second part of David’s paper.

Neither I nor Townsend Security has any relationship with David Zetoony or the legal firm of Bryan Cave. I stumbled on David’s work and thought you might find it informative. For those of you making the case for increased security, you might consider sharing David’s paper with your management team and legal counsel.

Patrick


Topics: Data Security, Data Privacy, Business Risk

Getting Funding for Your Security Project: A Guide for the CISO

Posted by Luke Probasco on Apr 12, 2016 4:26:00 PM

CISOs often have an arduous time getting budget. To top it off, they are tirelessly thinking about how to improve security programs, justify what they are currently doing, and get the budget they need for next year. When it comes to improving budget, CISOs need to trade their technology hat for one borrowed from a colleague in the sales or marketing department.

When it boils down to it, a CISO is not a technology provider, but rather a business solution provider. This can sometimes be a hard realization to make, especially after spending the first part of your career immersed deep in the technology weeds. For the new CISO, and even seasoned veterans, it can be a challenge to learn to sell and market your ideas to (and get funding from) the various stakeholders within the company. It is imperative for the CISO to market and sell the security side of the house to the business at large to get what they need.

Speak Their Language
Not too long ago, the CISO’s job was to walk to the C-suite and say, for example, “Hey, we need encryption and key management. Give me the budget and I will go make that happen.” Back in the day, they would usually get the money. Now it is more about building relationships and having a business problem to solve.

With times changing, now it is important to better understand what technologies the stakeholders are hearing about and how you can leverage their knowledge of current security events to bolster your security program. Many of the stories that in the past would have been exclusive to publications like CSO Online and Krebs on Security are now showing up in places like Forbes, Businessweek, and the Wall Street Journal – places where your stakeholders go to get information.

When we look at what is being covered by the mainstream media, it is stuff that security professionals have had to deal with for years, but was relatively unknown to the upper echelons of the company. When security admins talk about data breaches, they talk about SQL injections or the best practice for data protection and how to manage a database – IT vernacular.

It is important to remember that the executive team doesn’t speak your language. When they talk about someone impersonating the CEO via email and exposing W2 information, they don’t know that this is called a “phishing attack.” Security professionals know this, but that isn’t what they call it in USA Today. You have to understand how to make those connections and draw those lines for people.

Sell and Market Your Program
You will have an opportunity from time to time to engage stakeholders for 30 seconds to 2 minutes. When you have those chances for an interaction, you need to sell your program. You need to practice it so that it comes across naturally, the way you would normally talk. Some suggestions:

  • Talk about the great things that you are doing and that you want to do more of it
  • Make sure that they understand your successes
  • Don’t talk about stuff that doesn’t matter – that is not how you get a budget

It is also important to have various elevator pitches, depending on who you are going to be talking with. For example, if you have 30 seconds with a CIO or director, the pitch is going to be different for each one, because they care about different things. Remember, when you talk with them, it has to be about something that they care about. The secret to success is to sell your program and the services of your group. Don’t just talk about building a security kingdom, but rather business solutions.

Often, when you think about selling, you think about selling to the CFO or even the board. You don’t often think about it, but you do in fact have to sell to the SOC (Security Operations Center) manager or other teams or lines of business within the organization. You may not be asking them for funding, but you need to get them on board so that when you do go to whoever you need to make the big pitch to, they will have your back. It is a much easier sell when there is a choir of voices saying, “Yeah, this is what we think that we need. This is the solution that we want. We have already bought into the fact that this is what we need.” If you can get 3 or 4 other directors from different lines of business backing you, you will be much more successful at actually getting funding than if you were to say “This is what I think is needed” and the board replies “What does the SOC manager think?”

If your funders still need more convincing, compliance regulations can often help your cause. Regulations like PCI DSS and HIPAA (as well as others) are constantly evolving, going through review and update, and bringing in stronger language and more stringent security demands. PCI DSS, in particular, carries a big stick. Whether you love it or hate it, it can often get you what you need because your business has to comply if they want to take credit cards.

External audit findings can also help propel your security program forward. When they come back negative, business risk has been identified – and business risk speaks very loudly to the C-suite. It is in their charter to acknowledge business risks and take appropriate actions.

Finally, and unfortunately, there will be times that you are simply told “No, there just isn’t budget for _______.” But what you can do, because you are a smart CISO, is go into your backup pitch. Just because you didn’t hit a “grand slam” doesn’t mean that getting a “single” or a “walk” is out of the question. Your “walk” should be the absolute bare minimum needed to move your cause forward, at least a little. Even the guy that gets walked is going to score from time to time. If you can take a “walk” and deliver something with it, you are going to further gain the trust of your funders and establish a positive track record for delivering on time and on budget.


Topics: Data Security, security, Data Privacy

It Takes a Creative Mind to Stop a Devious Mind

Posted by Alex Bryan on May 22, 2015 9:13:00 AM

I recently watched a movie that really made me think about how the cryptographic landscape has evolved. Eighty years ago encryption was almost entirely the domain of military organizations. Now it is ingrained in nearly every business transaction that takes place every day. The average person hardly takes notice. Will strong encryption, secure key management, and complex passphrases be enough to stop the attacks of the future?

A Chink in the Armor

We can scarcely avoid them these days. The “smart phone” seems to have been the catalyst that blew our (at the very least my) cozy concept of privacy right out of the water. Most people trust that their data is secured by whatever cell service they use or by the social media site they frequent. Few people take responsibility for their own sensitive data management. Perhaps they do not feel there is a need, or perhaps they do not consider it sensitive.

I feel that this is not the right attitude. Consider, for instance, the webcam and mic. Fifteen years ago I needed to go to an electronics store to purchase a golf-ball-sized orb on a clip to use video chat, or spend upwards of $300 if I wanted to film my friends and me skiing. Those devices needed to be plugged in or turned on to work.

Now, just in my house alone, I have at least six HD cameras in the form of old smartphones, laptops, and gaming devices. Most of those devices are always on by design, and vulnerable to breach. Suppose there was sensitive information within view of one of those cameras, even if it’s just a calendar. It’s worth thinking about, especially considering that today just about every device comes with an integrated camera. Video game systems can listen to our conversations and respond to verbal cues (and in some cases movement). Software can now turn speech into text accurately and reliably. Taking this into account, sensitive data now goes far beyond a credit card or social security number. Everything you say or do in your own home is now, quite possibly, sensitive data.

Rising to Meet Future Threats

Very soon the smartphone will be among the least of our worries. Things like computerized smart glasses, smart watches, and other smart appliances will start to invade our workplaces and homes. This raises a very real security concern when you think about it. All it would take is one compromised smartwatch to capture a password from a whiteboard. In fact it may not even be as sneaky as all that. I recently read a funny article that detailed three or four data security slips. In each of the instances there was a photo of an anchor with sensitive data such as a password in the shot behind them. These were photos deliberately taken without regard for what was captured in the shot. Responsibility for the photos falls on the photographer in that case.

That article did make me think though. Would crafty attackers be inclined to hack the cameras of personal devices? A smartphone that’s in your pocket most of the time might pose little threat, but what about a smart watch? Could a particularly determined attacker gain access to a Database Administrator’s home appliances? What if they were able to learn a passphrase or record business conversations by hacking an entertainment system? It would be worth the attempt if it meant the keys to the kingdom.

Surely you’ve implemented, or at the very least heard of, the following security steps. These are the basics, the steps you take to prevent a conventional attack:

  1. Deploy strong encryption wherever possible, and adopt a strong key management solution.
  2. Do not keep passwords written down, especially on whiteboards.
  3. Use strong passwords; passphrases that include dashes or numbers are great.
  4. Develop and enforce policies regarding security best practices on employee’s personal and home devices.

Finally, let’s make the safe assumption that attackers are thinking outside of the box. It follows that we too must think creatively to stop data breaches. Now let’s pretend that an attacker has hacked a smartwatch or webcam and acquired a password to your database. That attacker has just bypassed most of the security measures you’ve put in place. The only thing that will stop an attack at this stage is a strong two-factor authentication solution. If it is deployed on the breached system, the attacker tries to enter the stolen passphrase and, instead of gaining access, the screen displays an alert: “A text message has been sent to your phone, please enter the 6 digit pin to continue”. Two-factor authentication saves the day. As more and more digital devices flood the workplace, the need for another line of defense becomes very real.


Topics: Data Security, Data Privacy

Three Cyber Crimes That Can Cripple You, and How to Prevent Them

Posted by Ken Mafli on Oct 9, 2014 9:51:00 AM

October is National Cyber Security Awareness Month. With so much in the news about The Home Depot, Target, and the plethora of continued phishing and email scams, we wanted to bring a few vulnerabilities to light to remind everyone of cyber security best practices. Now keep in mind, cyber crimes are wide and varied, so covering all of them would be a monumental task. We just want to take the time to highlight three in order to get you moving toward a more secure posture. First up, The Debt Elimination Scam:

Debt Elimination

The “It’s Too Good To Be True” Scheme
The Bad Actor: Seemingly legitimate websites that promote a virtually unknown but "legal" way to eliminate your mortgage loan or credit card debt.
The Pitch: For only about $2K, these "trained professionals" will eliminate your debt on your behalf. You don't have to lift a finger!
The Hook: In order for these honest folk to act on your behalf, you will need to give them all the particulars of your debt plus sign a power of attorney document authorizing them to enter into financial transactions on your behalf.
The Sinker: Once you have given them this information, you are only seconds away from them stealing your identity and racking up additional debt.

What You Can Do:

  • Only deal with businesses that you verify:
    • Do your research, make sure they have a physical address
    • Do they have a telephone number that you can call
  • Go online to the Better Business Bureau in your area:
    • Check their rating with the BBB
    • Check how long they have been in business
    • Do they have any outstanding issues with customers
  • Do not deal with anyone outside the U.S.
  • Do not deal with companies with only a P.O. Box
  • If it sounds too good to be true, it probably is.

To learn more about online or email scams, please visit: http://www.fbi.gov/scams-safety/fraud/internet_fraud

Malware

Death by Web or Email
The Definition: Short for malicious software, it is used to either take down a computer, gain access by an unwanted party, or scrape data without your knowledge.
The Bad Actor: This can be anyone with ill intent. You can have anyone from your run-of-the-mill hacker, to corporate spy, to governmental intruder.
How They Gain Access: Normally this is done in two ways, email or web surfing. For emails, they commonly want you to download a picture or click a link - because either of those actions can contain a secret action of downloading the malware. Similarly, websites are constructed with links that will download malware with only one click.
What Do They Want: They may want to take down your computer with a virus, hold your data for ransom, steal your data, or spy on you.

What Can You Do:

  • Install anti-virus and anti-malware software and keep it up to date
  • Regularly scan your computer for malicious software
  • Immediately send all emails that you do not trust to the spam folder
  • Immediately surf away from websites that you think are suspicious or spammy

For this one, look no further than good ol' Wikipedia for more info: http://en.wikipedia.org/wiki/Malware

Thumbsucking


Keep it Secret, Keep it Safe
The Definition: I know, this seems like a problem for toddlers, but this is a real issue for businesses as well. Thumbsucking is when someone uses a USB portable drive or "thumb drive" to download data without the data owner's consent.
The Bad Actor: This can be anyone from a corrupt office worker to an unwanted visitor to the business.
How They Gain Access: Since most USB ports are on the inside of firewalls and passwords, gaining access is only one connection away.
What Do They Want: They want your sensitive data. Anything that could be sold in the criminal underground or to a rival business is up for grabs.

What Can You Do:

  • Encrypt all sensitive data
  • Use proper key management for your encryption
  • Set clear policies for which devices are allowed in critical areas of the business
  • Have strict permissions as to who can access the data: 
    • Protect via password
    • Use two factor authentication

To learn more about the threats of thumbsucking, head on over to: http://www.csoonline.com/article/2119244/identity-theft-prevention/the-thumb-sucking-threat.html

What Should You Be Thinking Right Now
The threat landscape is changing. As the honest business and consumer becomes more tech savvy, so does the criminal. To paraphrase the oft-used quote, "eternal vigilance is the price of online freedom." More productivity and possibilities come with more risk. So follow these rules:

When it comes to online offers: If it is too good to be true, it probably is.
When it comes to malware: Trust your gut, if it smells fishy, throw it back in the sea, quickly.
When it comes to data theft: Encrypt, encrypt, encrypt.

A special thanks to our friends at SingleHop for helping raise awareness about NCSAM.


Topics: Data Privacy

Target CEO Resigns Over Data Breach - Is Your Job at Risk?

Posted by Liz Townsend on May 12, 2014 2:12:00 PM

Your company may survive a data breach. Your job may not.

Just a few days ago Target announced that CEO Gregg Steinhafel would be stepping down in the wake of the massive data breach that exposed millions of customer credit and debit card numbers. This announcement came following the resignation of Target CIO, Beth Jacob, in March. While the consequences of a data breach are far reaching, few business leaders consider themselves in harm’s way. From this data breach, and many others, executives are beginning to realize that they have far more at risk than fines or a slap on the wrist.

At the end of the day, the responsibility for Governance, Risk Management, and Compliance as well as the protection of customers falls directly on the shoulders of the CEO and other accountable executives. Target is not the only organization to push out leadership in the wake of a breach. In 2012, a massive data breach of Utah Medicaid servers exposed personal information of 780,000 individuals, resulting in the resignation of the state Chief Information Officer (CIO) Steve Fletcher. Also in 2012, the South Carolina Department of Revenue (DOR) was hacked, resulting in the loss of 1.9 million social security numbers, and the South Carolina DOR director, Jim Etter, resigned as well. The Target breach resulted in the first resignation of a senior executive in a major corporation.

While risk management is directly incorporated into other daily activities such as financial transactions, as a whole, businesses have yet to fully adopt risk management practices in data security. The Target breach stands as an example of what can happen to business leaders when data security falls to the wayside, and these leaders should consider this breach a wake up call. Not only are lost jobs a major consequence of a data breach, extensive litigation also follows suit.

Business leaders now may be asking themselves how they can prevent a data breach. To avoid the costs of a data breach, a business leader can ask his or her IT security team these questions:

Are we using encryption everywhere our sensitive data is?

Sensitive data such as credit card numbers, financial data, email addresses, and passwords should be encrypted from the moment you receive that data from your customer until it is deleted from your database. An intelligent hacker will detect any holes in your encryption strategy and exploit them. If Target had been using proper encryption and encrypting customer cardholder data from the moment it entered the Point of Sale (POS) system, they never would have become a poster child for bad security, there never would have even been a story, and Gregg Steinhafel would likely still have his job.

Are we protecting our encryption keys?

While encryption is a major player in a strong data security solution, the success of your encryption relies heavily on how well you protect your encryption keys. What many business executives don’t know is that without an encryption key management solution, their IT administrators may be storing the encryption keys locally in a database alongside the encrypted data. This is a common practice for organizations who are encrypting, but don’t have a comprehensive security plan. Executives should understand that if a hacker gains control of the encryption keys, then they can “unlock” the encrypted data, and the encryption itself is rendered useless.

Are we using two factor authentication to prevent unwanted intruders from gaining access to our data?

Two factor authentication is becoming a widely popular method of ensuring that the person viewing your company’s sensitive data is authorized to do so. Usernames and passwords can be easy to steal, so two factor authentication requires the user to present a piece of information they have (such as a one-use code texted to their cell phone) along with the information they know (i.e. username and password).
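The two-factor flow described here and in the earlier post “It Takes a Creative Mind to Stop a Devious Mind” (a stolen password alone is not enough; a one-use code sent to the user’s phone must also be presented), as an added example that is not part of either post or of any Townsend Security product. The code store, the `sent` dictionary standing in for the SMS channel, and the injectable `clock` are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class OneTimeCodeStore:
    """Issues 6-digit codes that expire after `ttl_seconds` and can be used once.

    `clock` is injectable so expiry can be tested without sleeping (constructed
    convenience, not something a real deployment would expose).
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # username -> (code, expires_at)

    def issue(self, username):
        code = "%06d" % secrets.randbelow(10**6)  # uniform over 000000..999999
        self._pending[username] = (code, self.clock() + self.ttl)
        return code

    def verify(self, username, submitted):
        # Pop on every attempt: a code is consumed whether the guess is right
        # or wrong, so an attacker cannot walk through all 10^6 values.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(code, submitted)  # constant-time comparison


class TwoFactorLogin:
    """Password (something you know) plus texted code (something you have)."""

    def __init__(self, clock=time.time):
        self.users = {}  # username -> (salt, digest)
        self.codes = OneTimeCodeStore(clock=clock)
        self.sent = {}  # constructed stand-in for SMS delivery: username -> last code

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, code=None):
        """Returns "denied", "code_sent" (password ok, code now required) or "granted"."""
        record = self.users.get(username)
        if record is None:
            return "denied"
        salt, expected = record
        _, actual = hash_password(password, salt)
        if not hmac.compare_digest(expected, actual):
            return "denied"
        if code is None:
            # Password was right: "text" a fresh code and stop here. An attacker
            # holding only the stolen password gets no further than this.
            self.sent[username] = self.codes.issue(username)
            return "code_sent"
        return "granted" if self.codes.verify(username, code) else "denied"
```

A wrong code, a replayed code, or a code older than the TTL all return "denied"; the user must go through the password step again to receive a fresh code.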

Are we monitoring our IT technology with system logging software in order to catch malicious activity in real time?

Detecting suspicious activity on your servers is a critical step to preventing a breach, or preventing one from becoming much worse. With good system event monitoring tools, your IT administrators should be able to catch malicious activity in real time, and be notified if anything out of the ordinary occurs.

According to the 2014 Online Trust Alliance Data Protection & Breach Readiness Guide, of 500 breaches studied in 2013, 89% of them were preventable if proper controls and security best practices were used. Business leaders can play an active role in mitigating data breach risk by asking informed questions and becoming acquainted with basic security practices.

To learn more about the disconnect between executives and their IT teams, download the eBook: Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).


Topics: Data Security, Data Privacy

Your IBM i May Have a Heartbleed Issue After All

Posted by Patrick Townsend on Apr 22, 2014 2:45:00 PM

A few days ago I noted here that the IBM i (AS/400) did not have a Heartbleed vulnerability, and I shared a link to an IBM statement about this. It looks like IBM got a little ahead of themselves. You need to be aware of the new IBM Heartbleed security advisory for Power Systems.

The advisory only applies to selected IBM i platforms, so be sure to read the entire advisory to understand if you are affected.

This advisory includes the Hardware Management Console (HMC) which is widely used by IBM i customers with multiple logical partitions (LPARs). Even if you use the HMC to manage a single LPAR, you are probably affected by this advisory. Almost everyone enables HMC terminal access services in such a way that they would be exposed to the Heartbleed vulnerability.

If you do have a vulnerable IBM i system, you should follow IBM’s advice and force your IBM i users to change their passwords. If you’ve already done this before applying the recommended updates, you should do it again (after you put on your teflon suit, of course).

Don’t forget to ask your third party vendors about any Heartbleed vulnerabilities in their software.

Townsend Security does not use the affected version of OpenSSL for TLS session security in any of its products, and is not affected by the Heartbleed vulnerability.

Patrick


Topics: Data Security, Data Privacy, IBM i, Data Breach

Heartbleed and the IBM i (AS/400)

Posted by Patrick Townsend on Apr 11, 2014 11:07:00 AM

The OpenSSL Heartbleed security vulnerability is arguably the biggest security exposure in the history of the Internet. While IBM i (AS/400, iSeries) customers may be somewhat isolated from the larger impacts of this vulnerability, there are good reasons not to take this event lightly.

First, a disclaimer: Only IBM can comment in a definitive way on any Heartbleed vulnerabilities in the IBM i. The following are my opinions based on several years of work on the platform.

[UPDATE: IBM has issued a Security Bulletin stating that the IBM i is not affected by CVE-2014-0160 (Heartbleed)]

The first important fact to know is that OpenSSL is not commonly used in traditional IBM i network applications. IBM has an SSL/TLS library named GSKit and a certificate management application named Digital Certificate Manager. The underlying secure TLS implementation is not based on OpenSSL for these IBM-supplied applications. They probably do not pose a security issue for IBM i customers.

IBM does use OpenSSL in some of their IBM i open source applications. For example, the SSH implementation on the IBM i uses OpenSSL. On a V7R1 system I started an SSH session and looked at the output:

OpenSSH_4.7p1, OpenSSL 0.9.8m 25 Feb 2010

As you can see in the first log message, OpenSSL version 0.9.8m is used in SSH. Fortunately this version of OpenSSL is not vulnerable to Heartbleed. You should check your implementations of SSH, Apache, Websphere, Perl, PHP, and other open source applications to verify that they do not use a version of OpenSSL with the Heartbleed vulnerability.
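The version check described above, as an added example that is not part of the original post: it parses the OpenSSL version out of banners such as the `ssh -V` line quoted above and flags the releases known to carry Heartbleed (CVE-2014-0160): 1.0.1 through 1.0.1f and the 1.0.2 beta releases, with 1.0.1g being the fix. The sample banners are constructed.

```python
import re

# Matches "OpenSSL 1.0.1e", "OpenSSL 0.9.8m", "OpenSSL 1.0.2-beta1" wherever they
# appear in a banner (ssh -V, httpd -V, php -i, perl -MNet::SSLeay output, ...).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner):
    """Returns (major, minor, fix, letter, beta) or None if no OpenSSL version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5) or ""


def is_heartbleed_vulnerable(banner):
    """True if the banner names an OpenSSL release that shipped with Heartbleed.

    Vulnerable: 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1/beta2.
    Not vulnerable: 1.0.1g and later, 1.0.2 final, and the 0.9.8 / 1.0.0 branches,
    which never contained the heartbeat code.
    """
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("no OpenSSL version found in banner: %r" % banner)
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"  # "" (plain 1.0.1), "a".."f" are vulnerable; "g"+ are fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta != ""  # only the 1.0.2 betas were vulnerable
    return False


def triage(banners):
    """Maps each banner to True/False/None (None = no version string to judge)."""
    result = {}
    for banner in banners:
        try:
            result[banner] = is_heartbleed_vulnerable(banner)
        except ValueError:
            result[banner] = None
    return result


# Constructed sample banners; the first is the line quoted in the post.
SAMPLE_BANNERS = [
    "OpenSSH_4.7p1, OpenSSL 0.9.8m 25 Feb 2010",
    "OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "GSKit 8 (no OpenSSL here)",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print("%-45s %s" % (banner, {True: "VULNERABLE", False: "ok", None: "unknown"}[verdict]))
```

A banner check has a known false-positive mode: some distributions backport the fix without changing the version letter, so a result of "VULNERABLE" should be confirmed against the vendor’s own advisory before acting, as the post already recommends.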

Most third party vendors use the IBM i SSL/TLS library for secure communications. These applications will not be vulnerable to this new Heartbleed issue. All of the Townsend Security applications are based on the IBM library and not on OpenSSL. However, there are third party IBM i applications that embed OpenSSL or which use the OpenSSL application in the PASE environment. You should immediately contact your application vendors to determine if there are any exposures in their applications.

It is important to understand that while the IBM i platform may not be directly vulnerable to the Heartbleed problem, you may have lost IBM i User IDs and passwords over VPN or other connections which are vulnerable. An exploit of Heartbleed can expose any information that you thought was being protected with session encryption.

Once you know that your IBM i and all of your network services are patched or are not vulnerable to Heartbleed, you should immediately force a password change for all of your users. Don’t take a chance on missing this vulnerability at some point in your network infrastructure and exposing your IBM i data to loss.

Patrick


Topics: Data Security, Data Privacy, Data Breach

Heartbleed Vulnerability and Townsend Security Products

Posted by Patrick Townsend on Apr 10, 2014 10:59:00 AM

Security researchers have discovered a vulnerability in certain versions of the very popular OpenSSL library that can lead to the loss of critical sensitive information. The vulnerability is called Heartbleed because it affects the TLS heartbeat function in secure connections. Because OpenSSL is used by so many web applications, and because this vulnerability can be exploited, the severity is very high.

Townsend Security does not use the affected version of OpenSSL for TLS session security in any of its products, and is not affected by the Heartbleed vulnerability.

For more information about the Heartbleed security vulnerability and what you can do, please visit the following site:

http://heartbleed.com/

While Townsend Security applications are not subject to this vulnerability, it is very important that you address other applications that are vulnerable. The loss of sensitive information in one application can lead to the compromise of an otherwise unaffected application. For example, the loss of passwords in one application can lead to the compromise of another application if the same password is used. And personally identifiable information lost from one application can be used for fraudulent impersonation in another application or web service.

Patrick

Topics: Data Security, Data Privacy, Data Breach

NSA Influenced Encryption Algorithms

Posted by Patrick Townsend on Oct 4, 2013 11:43:00 AM

In light of the public revelations about the NSA’s attempt to weaken encryption standards including the random number generation standard named Dual_EC_DRBG (NIST Special Publication 800-90), and the recommendation by RSA Security to their customers to avoid using this algorithm, it is natural that our customers would ask if we are using this technology in our products.

I can confirm that we are NOT using this algorithm in any of our security products including our flagship enterprise key management solution, Alliance Key Manager. Further, the secure TLS connections for key retrieval and encryption services only allow 2048-bit RSA encryption. We do not allow the negotiation of other, potentially weak, connection methods. We implement strong cryptography in our solutions, we maintain all of the source code for our applications, our source code is independently reviewed by security professionals and cryptographers, and our solution is FIPS 140-2 validated by a NIST-certified testing laboratory. There are no known weaknesses in our encryption and key management applications and processes.

I am encouraged that NIST has opened a public review of the Dual_EC_DRBG standard and am fully confident that they will resolve any security issues that exist in the standard using an open, public review process.

I have full confidence in the security professionals at NIST. I have watched their work over many years, benefited from their guidance and diligence in the area of security, and consider them to be some of the most honorable, intelligent, and hard working members of the security community. We owe them the chance to do what they do best - review the standards, bring the best minds to the process, and publish credible and defensible standards.

Patrick

Topics: NIST, Data Privacy, Encryption Key Management

What is Social Engineering? Know the Signs and how to Prevent Attacks

Posted by Kyle Shelton on Sep 3, 2013 8:23:00 AM

What is “social engineering,” and how do you prevent malicious attacks such as phishing? I’m sure many of you have heard the term before, but you may not quite know what social engineering means. There are many forms of Social Engineering; however, when we talk about baiting, phishing, and tailgating we’re not talking about a fun weekend at the lake.


When it comes to the realm of data security, ‘social engineering’ refers to using social means to gain entry into a system, building, or storage of information.

One example of social engineering you might remember from the movies is the scene in the film “Hackers,” when the hero gains access to a TV station by tricking a security guard into revealing the phone number of an internal modem, which he then uses to take over the station. According to Kevin Mitnick, a reformed computer criminal turned security consultant, it is much easier to trick someone into giving up a password for a system than to spend the effort to crack the system.

In our daily lives social engineering is a bit more subtle, but even more prevalent than what we see in the movies. For example, an attacker may wait outside of a secured door, waiting for an employee to enter, and either claim a lost or forgotten badge, or simply grab the door before it closes and walk in. This is known as ‘Tailgating’, and even though most people know what this is and how to prevent it, it is in our nature to be helpful and that makes us want to help a “New Employee” that looks lost.

Almost everybody has heard about someone receiving a legitimate looking email from a service such as a bank or utility, asking you to verify your information. This technique is called phishing. Most people are savvy enough to recognize this sort of thing (Unless you really do know a Saudi Prince that wants to give you $50,000) and either ignore it or report it to the institution being fraudulently represented. Unfortunately, this type of attack is still effective and many people are tricked into giving away access to their personal information.

Another type of Social Engineering attack is called quid pro quo. This is an attack where a hacker calls random numbers at a company claiming to be from technical support. Once they find a cooperative victim, they instruct them to install malware that then gives the attacker access to the internal network.

Preventing Social Engineering attacks is difficult because prevention relies on individual knowledge of what these attacks look like. What is your company doing to prevent Social Engineering attacks?

Many companies today have policies in place that require account verification before any information is given out. This certainly helps stem the flow of unprotected information, but it is not a foolproof method.

In today’s business environment it is up to companies to properly train their employees in the countermeasures against Social Engineering, and up to the trained individual to remain vigilant in following safe practices and procedures regarding release of information. 

If your company needs to protect sensitive data such as credit card information, health information, or other personally identifiable information (PII), you should also make sure you have the correct network security in place as well as protecting sensitive data at the source using strong encryption and encryption key management.


Topics: security, Data Privacy