Tag Archives: IS trends

Holiday Season Security

The state of Washington Office of Cybersecurity has recently posted a good article related to information security and online shopping at http://cybersecurity.wa.gov/resources/security-tips/.  This is a good time of year for this kind of reminder as we all are taking advantage of the convenience and ease of shopping online.

It cannot be emphasized enough that we each must constantly take care with our private information, particularly financial information like bank accounts and credit cards, and particularly when using or accessing such information using mobile devices.

Don’t trust public computers or wireless networks (even the college’s public Wi-Fi network) to be secure enough for these kinds of transactions.  It is not difficult for a malicious actor to be able to intercept wireless signals as they pass between your phone and the most secure wireless access point, thus having access to obtain whatever information you type into your device.  This could include account numbers, user names, passwords and personal identification numbers (PIN).

Do your online shopping with a trusted wired connection as often as you can (not with public computers like in a library or college computer labs–you never know if the person using it before you compromised the machine).  If you must use a mobile device, like a phone or tablet, be certain to follow the OCS guidelines to make your shopping “trip” as uneventful as possible.

Safe Computing!

 

Seasonal Phishing

Did you know that Phishing has a season, just like real fishing?

Statistics show that during the year-end holiday period, malicious users are more successful with phishing attacks about holiday giving or shopping because they tailor their message to fit the hustle and bustle and activities of the season.

Here is a short videowhich reminds all of us not to let our guard down just because we are too busy or distracted to carefully scrutinize an e-mail advertises a sale or touches our heart.

Have a good holiday season, and Safe Computing!

Cybersecurity Awareness… or not?

An interesting exchange of opinions recently occurred between two of my favorite news sources related to information technology security.

Since we are still in the midst of a month declared by the federal government as “Cybersecurity Awareness Month” (see both https://www.dhs.gov/national-cyber-security-awareness-month and https://staysafeonline.org/ncsam/), which is an effort to increase security awareness among regular technology users, the disagreement is interesting.

The premise of “cybersecurity awareness” is that all computer users need to be trained to be more knowledgeable and to apply their experience, knowledge and expertise in making the use of modern technology more secure.  This is a worthy goal, I believe.

However, Bruce Schneier,  a highly respected security expert and author, persuasively argued recently that maybe the computing industry should be less focused on educating the user and more on fixing the current state of technology:

Stop Trying to Fix the User

I am sure that many technology users will agree that there are basic technology fixes that should happen!  However, Lance Spitzer, the training director for the Securing the Human of the SANS Institute and security blogger for Educause disagreed with Bruce’s emphasis on the technology:

Why Bruce is Wrong

The college’s Information Technology Services division does as much as can be done technically to ensure that all users have as safe a computing experience as they can on campus.  However, given the state of computing technology, solving IT security issues with technical solutions is never going to be enough to make them non-existent.

Every one of you, as users of college systems, are still an important part of a robust security solution, and your ability to recognize something is wrong often proves better than the best technology solution.

So in a way, both of these authors are correct:  There absolutely should be better, more secure technological ways of doing some of the everyday things we do with computers, like click a link or login, but until that exists, users need to be better trained and more aware of how to evaluate the risks inherent in technology use on a daily basis and to respond when they experience attacks by malicious users.

This  will continue to be an interesting discussion, I think…

Safe Computing!

Stop. Think. Connect

October is Cybersecurity Awareness Month, and in celebration, below are some links to the federal STOP.THINK.CONNECT organization’s tips & advice website and their general advice regarding online safety habits.

STOP.THINK.CONNECT is a good, lay-level website with lots of information and resources addressing some of the basic things that any of us can do, either at home or in the workplace, to help ourselves more securely use computers online.

These basic tips are available in multiple languages :

English, Spanish, Portuguese (Brazilian), Russian, French (Canadian),  and Japanese.

There are also safety tips for mobile devices.

Please take the time to review these basic tips and apply them both with your personal accounts to help prevent cyber-trouble for your cyber-self, and with your professional practices at work.

Other good sites related to your personal online accounts and internet use include:

https://www.lockdownyourlogin.com/

https://www.stopthinkconnect.org/campaigns/own-your-online-presence

https://www.stopthinkconnect.org/campaigns/keep-a-clean-machine-campaign

Safe Computing!

Password Security

I haven’t had much time recently to write here a lot, but there is an interesting story related to a data breach in the public sector that I thought would merit a few moments today (here is a link to a Wall Street Journal article about it ).

The basis for the story is that a number of DropBox (a popular cloud file storage site) account passwords have been published by some hackers.  However, the security for the DropBox site itself has NOT been compromised in any way…

So what happened?

It seems that the hackers were able to get into another unidentified website’s user database, which stored account names and password credentials for that site, then went down that list of credentials at the DropBox site.  They were subsequently able to access a number of DropBox accounts.   This ability to use a password stolen from one site to access another site occurred because the users used the same login name and password for their DropBox account that they used on the website that was compromised!

Knowing it would be difficult to get through the high levels of security that DropBox has in place, the hackers simply went to the less secure site and reused against DropBox the information they acquired there.  It wouldn’t surprise me if they actually did this a number of places.  They could have tried accessing Google or Microsoft or Yahoo or any other site they wanted.  The security issue is actually the REUSE by users of the same user names and passwords on different websites.

This illustrates one of the primary purposes behind most malicious attacks: the acquiring of credentials.  If a person with bad intent has actual login access to any given website, it doesn’t matter how much security that site has against direct attacks or hacking.  The bad guys are already in.

Bottom line:  never give away your login name and password, and don’t reuse passwords across multiple websites.  That is the ideal.

However, because it is difficult for all of us to keep track of lots and lots of passwords and to always use a different one for every purpose, at least be aware of what you are trying to protect and think about how to use more secure passwords at sites you wish to better protect.

For instance, you absolutely shouldn’t use the same password for very public places like Facebook or Twitter that you use for very private places like your bank or credit union site.

This applies to campus, as well.  The password you use when handling sensitive or protected college information shouldn’t be the same password you are using to sign up for a Groupon newsletter or to access personalized content on CNN.

 

Security Intelligence Report

Warning:  for serious information security buffs only!

Microsoft has recently published it most recent security intelligence report (152 pages!) on the current state of information security and exploitation trends in the world.  While it is not really intended for the casual computer user, it is fascinating reading if you are interested in diving a little deeper into the bigger information security picture.

There is a 21 page summary version and a 94 page worldwide threat assessment also posted on their Security Intelligence Report website, along with lots of links to other related information if you are bored and have an afternoon to kill…

Just think!  Some of us get to read this stuff every day!

ENJOY the beginning of summer this weekend.