[BreachExchange] Computer security: If you have to call the FBI, it’s too late

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 11 16:54:38 EST 2016


http://www.tennessean.com/story/money/tech/2016/03/11/computer-security-if-you-have-call-fbi-s-too-late/81613810/

Newsflash: The local FBI came to our office last week. Don’t worry — we
invited them. We wanted to make sure our team is completely up-to-date on
cybersecurity, so we can educate our clients to prevent security breaches.
It was great to hear it straight from the FBI, but our team wasn’t
surprised by what we heard.

Here are a few things that the local FBI and I would both tell you about
keeping your information secure:

The definition of insanity is doing the same thing again and expecting
different results.

Hacking continues because we want it to be easy to get to our
own data. If it’s simple for you, it’s simple for a hacker to get into your
account, too. Until technology can make it both simple and secure, we have
to change our own behavior to protect our data.

You could go to Amazon right now and order books that teach you how to
hack. Does that give you pause? It’s not hard to be a hacker. But that also
means that we each have responsibility to protect our own systems — when we
throw up our hands and don’t go through much effort to be secure, the bad
guys win.

Hackers have come up with lots of ways to make money off our lack of
computer security, but here are two ways we can eliminate the risks with
good security procedures:

Shooting phish in a barrel

You have probably been exposed to phishing already. With phishing, you get
an email that appears to be from someone you trust, or from what appears to
be a credible source like your bank, but it asks for your username and
password, credit card or other account numbers. Don’t do it! And if they
ask you to wire money, stop immediately.

Often, you can find clues in the email. If it’s an unusual request, listen
to that little voice inside. Check the email address carefully, and roll
over any URLs to see the full address before you click. Don’t open an
attachment from this kind of email!

It’s always safer to call and talk to the person (and if it’s your bank,
look up the phone number yourself — don’t trust a phone number you see in a
suspicious email) to get the full story. Often, you’ll find it’s a scam.

Like Superman’s “c”ryptonite

If you have employees, you have a security threat. It’s that simple. You
can’t control every click on every email attachment, or every USB stick or
smart phone connected to your computers.

Have you heard of CryptoLocker? This ransomware spreads through a computer
and associated computer network via an email attachment, and it encrypts
your files. To free your data, you’re told to pay the hackers that created
the ransomware. (Recently, ransomware began spreading on Macs, so don’t
believe the adage that Macs don’t get hacked, either.)

Always:

- Stop, look and ask: Does this seem like an odd request, even if I know
who the sender seems to be?
- Back up critical data regularly.
- Create strong passwords. Use upper and lowercase letters, numbers and
symbols, and make them longer than eight characters.
- Use a separate password for every site.
- Use multi-factor authentication anywhere it’s offered.

Never:

- Connect USBs to any device or computer that has access to important
information.
- Back up personal cell phones and tablets to work computers.
- Store your password in a browser.
- Use the same password for email and social media.
- Send a username and password over Internet/data. Make a phone call if you
have to share a password.

Just remember the 6 Ps

So, in honor of my dad, who passed a couple of weeks ago, I’ll share his
all-time favorite tip: Remember the 6 Ps:  Proper Prior Planning Prevents
Poor Performance.

If you’re not planning and actively paying attention, you can easily fall
victim to a hack that can lead to identity theft, unintended disclosure of
intellectual property and dissemination of financial and personal
information about you, your employees, your employers and their clients and
vendors. Ouch. If the FBI has to get involved, you’re way too late and it
was a situation that you could have easily prevented.