Security Precautions to Take Following Citibank’s Second Reported Online Breach

 

Updated Feb. 4, 2012

 

Citibank’s acknowledgment that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps.

The bank’s May 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

None of the reports I found pointed out that it was Citibank’s second reported major security issue in just 18 months. Soon after the bank’s first breach was reported, it seemed as though the security issue was buried. There weren’t any follow-up reports.

That’s when I wrote the column, How to Protect Yourself from the Internet Crime Wave, quoting Dr. Stan Stahl, a nationally known security expert based in Los Angeles.

Over the years, Dr. Stahl has been a valuable resource – some of the most-widely read Biz Coach columns have included his expert opinions, especially these three columns:

Our Mobile-Banking Warnings about Security Prove Prophetic

Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist

5 Safety Measures to Thwart Mounting Social-Network Attacks

A security expert I’m not, but I’ve learned from Dr. Stahl’s valuable insights.

In addition to the tips in the above columns – whether you’re a Citibank customer or not – I’d suggest immediately taking these defensive computer measures:

  1. Change all log-in information. That means all banking, retail credit card and e-mail passwords and information.
  2. Make certain that you don’t use the same password twice.
  3. Install adequate firewall and anti-virus protection on your computer.
  4. To limit your exposure, use one dedicated computer for your financial information, and never use it for social networking.
  5. Review all privacy and policy information.
  6. Avoid using your debit card online. At least personal credit cards offer liability protection under federal regulation. But business banking is not federally protected – it’s left up to individual banks, so check your bank’s policies regarding your company’s accounts.
  7. Don’t conduct financial transactions over WIFI.
  8. Don’t do mobile banking.
  9. If you get an e-mail allegedly from your financial institution, act like an all-pro football defensive end. Prevent an end run. Assume it’s a fraud. If you must communicate with your financial institution, make a telephone call or a personal visit.
  10. When doing your online banking, type the financial institution’s Web address into your browser yourself.
  11. For security questions, be creative and don’t give the true answer, which might be obvious to any hacker who has learned about your personal situation.
  12. Check your financial accounts daily.
  13. If your account is compromised, quickly take appropriate action.

For your company’s management controls, Dr. Stahl has previously recommended taking six precautions:

  1. Don’t allow your employees to use your computers in social networking.
  2. Establish a list of allowable web-sites.
  3. Closely monitor your bank account.
  4. Train employees in social engineering awareness.
  5. Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
  6. Strengthen your defenses.

Cybercriminals, I’m sad to say, are here to stay. Do your due diligence.

(Note: Dr. Stahl and I are fellow members of Consultants West, www.consultantswest.com, a roundtable of veteran management consultants.)

From the Coach’s Corner, here’s Dr. Stahl’s cyber security blog and his Web site.

“In a world in which the total of human knowledge is doubling about every ten years, our security can rest only on our ability to learn.”

- Nathaniel Branden

 

__________

Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact him today?

 

What You Really Need to Know to Stay Web Safe

An Internet security checklist from a noted expert

 

Updated Jan. 31, 2011

If you Google the keywords, “cyber security,” you’ll get thousands of search results. Internet security is a nightmare for business, the public sector and consumers. Unfortunately, published advice is well-intentioned, but often misses the mark. There’s no room for error in cyber security precautions.

A case in point: an advice article on Internet security at SeattlePI.com caught my eye, not because it contained great information but because it didn’t seem to be on target. It was originally published in the San Francisco Chronicle.

David Perry, the global director of education for TrendMicro, was heavily quoted. Having written dozens of tech columns here, I sensed something was amiss. The article was certainly intended to be helpful, but it didn’t seem right.

Not to pick on reporter Casey Newton, but I was left wanting more and better information. It seemed to be nothing more than PR fluff for TrendMicro.

So, I sent the article to a nationally known security expert, Dr. Stan Stahl in Los Angeles (www.citadel-information.com). Does Dr. Stahl agree with Mr. Perry?

Here are his responses to the four points:

David Perry: “Make sure your computer isn’t infected already.”

Dr. Stahl: Yes. By all means scan. Even use Trend Micro’s HouseCall. But don’t be lulled into a false sense of security. Remember that the most serious attacks like 0-days and drive-bys are written to get past antivirus programs. That’s why we publish our “Weekend Vulnerability and Patch Management Report.”

David Perry: “Avoid exposing your credit number.”

Dr. Stahl: More important than this item 2 is to (i) always make sure you’re running https and not just http before entering your credit card info and (ii) if given the option, don’t let smaller retailers store your credit card numbers [they're less likely to have proper security].

David Perry: “Use protection.”

Dr. Stahl: Definitely use protection, but don’t forget to keep all your programs patched and run a good spam filter. That’s what makes this so misleading; it conveys the impression that running antivirus is enough. It’s not! Users can subscribe to our blog and update their computer in accordance with our “Weekend Vulnerability and Patch Management Report.”

David Perry: “Watch where you click.”

Dr. Stahl: Yes; never click a link in an email and always check the seller’s reputation. The part about buying from the manufacturer is bogus.

Dr. Stahl, thank you for your usual valuable insights.

(Note: I’ve known Dr. Stahl a long time and consider him the go-to security expert. He and I are also members of Consultants West, www.consultantswest.com, a roundtable of veteran consultants that meets in Los Angeles.)

From the Coach’s Corner, here’s an online safety checklist from Dr. Stahl:

Cybercriminals want your bank account and credit card numbers so they can take your money and use your credit while stiffing you with the bill. They want your social security number so they can apply for credit in your name, stealing your identity. They have even begun selling stolen medical insurance information.

Cybercriminals steal your sensitive personal information by taking control of your computer. This control also lets them install rogue programs on your computer, turning your computer into a zombie under their control, the cyber-equivalent of Night of the Living Dead. These control programs make money for the cybercriminals by sending spam, displaying pop-up ads, and committing sophisticated computer crime.

Cybercriminals take control of your computer by exploiting four weaknesses:

  1. Every computer program running on your computer has subtle programming errors (vulnerabilities) that cybercriminals exploit to take control of your computer.
  2. Legitimate internet web sites often fail to prevent cybercriminals from installing malicious programs on their web sites. When you visit these sites, these malicious programs silently install Trojan horses and other malware on your computer.
  3. Default settings for many computer programs make it easy for cyber criminals to take control of your computer.
  4. Users often don’t know what they need to do to minimize the dangers and risks of cybercrime, particularly the need for defense-in-depth.

Defense Strategy 1: Keep Cybercriminals Off Your Computer

  • Keep Systems Patched: Software manufacturers issue program updates containing patches to fix known vulnerabilities. Set Microsoft Windows and Office to automatically update. Manually update other programs like Adobe Acrobat, iTunes, Flash and Java.
  • Limit Exposure: Create separate accounts for all family members. This is done in the Control Panel. Set account type to “Limited” unless the account needs to run programs as “Administrator.” This will make it harder for cybercriminals to install malware on your computer.
  • Protect Your Desktop: Install a reputable antivirus / antispyware product & keep it up-to-date. If you’re technical, run Firefox with the NoScript add-on inside of Sandboxie and install a host intrusion prevention system. Sophisticated cybercriminals can get past basic antivirus/antispyware software. Antivirus is necessary. It is not sufficient.
  • Secure Your WiFi: If you have a wireless network, encrypt it with WPA2 encryption. Otherwise anyone near you can eavesdrop on your communications and piggy-back on your connection.
  • Stay Away from P2P Networks: Don’t run Peer-to-Peer or other file sharing programs, such as Kazaa, Limewire or BitTorrent. These networks provide strangers access to your computer.
  • Beware of Scams, 1: Don’t click on web-site ads or pop-ups offering to scan your computer for free. Cybercriminals love to take advantage of people’s fear of getting a virus. Instead of scanning your computer, these programs will infect it. Always be wary.
  • Beware of Scams, 2: Don’t open unusual or unexpected attachments, not even from people you know. It’s easy to send an email so it looks like it came from someone else. Also, how do you know your friend’s computer hasn’t been taken over? Always be wary.
  • Beware of Scams, 3: Don’t follow links in unfamiliar or unusual emails, especially those requesting your user names, passwords, or financial information. A SPAM filter can help you avoid these e-mails but you must be on guard for emails that get past your SPAM filter. Always be wary.

Defense Strategy 2: Be Careful With Your Financial Information On-Line

  1. Don’t send your Social Security Number, bank account numbers or credit card numbers in unencrypted email.
  2. Use different strong passwords [8+ characters, upper & lower case, numbers, characters] for all eCommerce websites. Use Password Safe or RoboForm to securely manage online passwords.
  3. Only buy on-line from merchants using SSL, which means the website address begins with https://. Look for the “lock” on the title bar of Internet Explorer or Firefox’s lower right corner.
  4. Use a credit card rather than a debit card when shopping on-line. Link PayPal to your credit card, not your bank account. Federal law limits your credit card exposure to $50. There is no corresponding limit if you use a debit card (even though many banks cover debit card fraud).

Defense Strategy 3: Protect Your Information Away from Home

  1. Keep your laptop with you at all times. Never leave it unattended in your car.
  2. Keep WiFi and Bluetooth turned off except when you are using them.
  3. Encrypt the hard drive of your laptop, protecting it with a strong 15+ character passphrase. If you lose the laptop, the information is still safe. You can get free encryption software at http://www.truecrypt.org/.
  4. Never use a public computer, Kiosk, or public WiFi for online banking, shopping or to access sensitive information. Since you don’t know how secure these are, prudence requires you to assume they are insecure.

Defense Strategy 4: Watch Your Credit

  1. Subscribe to a basic credit monitoring service (AAA California offers members a free service).
  2. Regularly review your bank, credit card and investment accounts for fraudulent activity.

Defense Strategy 5: Better Safe Than Sorry

  1. Always think about the information you are giving out.
  2. When in doubt, don’t.
  3. Stay up-to-date by reading our blog.

“Security is always excessive until it’s not enough.”

-Robbie Sinclair


Our Mobile-Banking Warnings about Security Prove Prophetic

 

Updated Feb. 1, 2012

There’s another warning about mobile banking, this time from the American Bankers Association in this published report: “Why corporate mobile banking is scary.”

The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high net worth executives. Retail mobile banking refers to use by the masses. 

Not to be gauche, but in 2009 you saw the warning about retail mobile banking here first. Now, bankers are concerned about the dangers of corporate mobile banking. Mobile banking is so risky an IT security guru said don’t do it. That was the online security warning on Sept. 7 from the authoritative Dr. Stan Stahl of Citadel Information Group in Los Angeles.

Dr. Stahl’s analysis in my column included this stern warning: “All in all, cell phone on-line banking is a big NO!!!” (Web Security Checklist and Warning about Mobile Banking.)

It was a very popular column in terms of readership. But it also incurred reactionary venom from a mobile-banking marketer and his friends. Ordinarily, reader responses are given space to comment on my columns. However, his crude sarcasm regarding Dr. Stahl’s expert analysis and my alleged chutzpah in publishing the column was offensive.

After mulling it over a day or so I decided not to give him space on this site. He had crossed the line of civility.

After more than a year had transpired I had, of course, forgotten about the incident.

Disturbing mobile-banking headline

Then, this disturbing headline in Digital Trends on Nov. 5, 2010: “Major mobile banking app security holes uncovered.”

Here’s an excerpt:

You might not want to check your bank account from your phone after all. Mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes, reports research firm viaForensics and WSJ. The bugs center mainly around iPhone and Android versions of the apps, and could potentially allow a hacker to learn your username, password, and some financial information. In other words, this is bad.

Yes, you’re reading correctly about this information technology red flag. Published reports indicate there have been mobile-banking security lapses on iPhone and Android apps at USAA, Chase, Wells Fargo, Bank of America and TD Ameritrade.

Whoa! It’s time to check with Dr. Stahl, a nationally recognized expert, for his typically astute response. (Visit his Web site, www.citadel-information.com, and you’ll understand why I implicitly trust his opinions.)

“This… is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more ‘intellectually humble’ when we talk about how secure something is,” he responded.

“Right now, the cyber criminals are winning,” he wrote. “They are winning in part because too many people have a false sense of their own security.”

Prior experience

Dr. Stahl’s security credentials are impressive as a consultant and so is his prior experience, which includes many years in the aerospace industry “securing critical national security software.”

“I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack,” he recalled. “I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake.”

He knows the challenges and expense that go into producing high-quality software.

“We’re taught that pride goeth before the fall,” he added. “That is certainly true in the battle against cyber crime. That’s why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.”

Hmm – intellectual humility. That’s a term I’d also use to describe Dr. Stahl. He’s been my go-to source for authoritative information since 2004. He’s a true gentleman, a philosopher and he’s assertive in responding to security questions.

“Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis,” Dr. Stahl wrote in explaining his approach. “Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise,” he believes. “We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

“The challenge is that, human nature being what it seems to be, our intellectual humility doesn’t easily carry over to domains where we lack firsthand knowledge and experience,” he opines. “We tend to over-simplify in those places we know little about. This isn’t usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we’re all on the Internet it’s as if the lion is right next door. And he’s hungry.”

Response to mobile-banking marketer

As for the sarcastic, mobile-banking marketer from 2009, Dr. Stahl commented:

“We can’t expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system,” he pointed out. “Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

“You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches,” he continued. “And, lacking the experience, these otherwise well-meaning men and women don’t understand the necessity of being intellectually humble in the presence of complex software.”

Dr. Stahl’s bottom-line

“That’s why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: ‘Trust. But verify.’ Do him one better: drop the trust.”

Well said, Dr. Stahl. Thank you.

(Disclosure: Dr. Stahl and I are both members of a roundtable of veteran consultants that meet in Los Angeles; Consultants West, www.consultantswest.com, has experts from many sectors.)

From the Coach’s Corner, also regarding Internet security and Dr. Stahl’s analysis, here is the all-time most-read Biz Coach column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

“Once they get their hooks into you, you’re a dead pigeon.”
-Bud Abbott


Are You Insured for Cyber Theft?

 

Aug. 30, 2010

On a regular basis, cybercriminals are creating hardship for businesses and consumers. A post by blogger Brian Krebs caught my eye – a Texas company is struggling to get its bank to pay for a $50,000 cyber theft.

“Attorneys for Dallas-based Hi-Line Supply Inc. recently convinced a state court to require depositions from officials at Community Bank, Inc. of Rockwall, Texas,” wrote Mr. Krebs. “Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company’s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.”

Ostensibly, the comments in the deposition are locked up, but the lawyers maintain the bank is guilty of security incompetence and a lawsuit might be the next step.

Mr. Krebs quoted an attorney:

“In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the Texas Deceptive Trade Practices Act, fraud, and breach of warranties, among other things,” said Michael Lyons, a partner with the Dallas law firm Deans Lyons.

The fraud apparently began on Aug. 20 last year when Hi-Line processed its $25,000 payroll, according to Gary Evans, the firm’s president.

“After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24,” explained Mr. Krebs. “Evans said he had trouble logging in to his account on Thursday and had the bank reset his password, but the fraudulent transactions hadn’t showed up on his account at that time. He said he took that Friday off as he always does, and when he tried again to log in after returning to work on Monday, he again found the bank’s site would not accept his password.”

Then, Mr. Evans sensed trouble.

“When I finally got the bank to reset my password and got into my account, I noticed the duplicate payroll batches and said ‘Why are you all pulling my payroll out three times?’” Mr. Krebs quoted Mr. Evans about his recollection of how he came to realize his firm had been robbed. “At the time, as I was resetting my password, I had to scroll through the bank’s online customer agreement, which basically said the bank is not responsible for any fraud. I should have known at that point that they were not going to take any responsibility for this at all.”

Mr. Evans maintains the bank should have taken notice.

“Evans said the bank should have detected that something was amiss, and not just because of the unusual and repeated payroll batches,” wrote Mr. Krebs. “He said the crooks accessed his account from five different Internet addresses with locations that were nowhere near Texas, including from computers located more than 1,300 miles away, in Washington, D.C. and Maryland.”
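The two signals Mr. Evans says the bank should have caught, repeated payroll batches of nearly identical amounts within days and logins from addresses geolocated far from the customer, can be checked mechanically. The following Python is an added illustration, not code from the column, the bank or Citadel; the sample logins, IP addresses, coordinates, amounts and the 300-mile and 7-day thresholds are constructed assumptions modelled on the timeline described above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    when: datetime
    ip: str      # source address of the online-banking session (constructed)
    lat: float   # geolocated latitude of that address (assumed)
    lon: float   # geolocated longitude of that address (assumed)


@dataclass
class Batch:
    when: datetime
    kind: str    # e.g. "payroll"
    amount: float


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles between two lat/lon points."""
    earth_radius_miles = 3958.8
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_miles * asin(sqrt(a))


def flag_distant_logins(logins, home_lat, home_lon, max_miles=300.0):
    """Return logins whose geolocated source is farther than max_miles from
    the customer's usual location (the threshold is an assumed policy value)."""
    return [
        lg for lg in logins
        if haversine_miles(home_lat, home_lon, lg.lat, lg.lon) > max_miles
    ]


def flag_repeated_batches(batches, window_days=7, tolerance=0.10):
    """Return batches that repeat an earlier batch of the same kind within
    window_days and within tolerance (a fraction) of its amount. A second
    or third payroll run in one week is the pattern Evans describes."""
    flagged = []
    ordered = sorted(batches, key=lambda b: b.when)
    for i, current in enumerate(ordered):
        for earlier in ordered[:i]:
            same_kind = earlier.kind == current.kind
            in_window = current.when - earlier.when <= timedelta(days=window_days)
            close_amount = abs(current.amount - earlier.amount) <= tolerance * earlier.amount
            if same_kind and in_window and close_amount:
                flagged.append(current)
                break
    return flagged


# Constructed sample data: a genuine payroll on Thursday Aug. 20, 2009, then
# near-identical batches on Friday and Monday, with sessions from addresses
# geolocated to the Washington, D.C. area. Addresses use documentation ranges.
HOME_LAT, HOME_LON = 32.78, -96.80   # Dallas, TX (assumed customer location)

SAMPLE_LOGINS = [
    Login(datetime(2009, 8, 19, 9, 5), "203.0.113.10", 32.75, -97.33),   # Fort Worth, TX
    Login(datetime(2009, 8, 21, 2, 40), "198.51.100.7", 38.90, -77.04),  # Washington, D.C.
    Login(datetime(2009, 8, 24, 3, 15), "198.51.100.9", 39.29, -76.61),  # Baltimore, MD
]

SAMPLE_BATCHES = [
    Batch(datetime(2009, 8, 20, 10, 0), "payroll", 25000.00),   # genuine payroll
    Batch(datetime(2009, 8, 21, 3, 0), "payroll", 24900.00),    # fraudulent repeat
    Batch(datetime(2009, 8, 24, 3, 30), "payroll", 25100.00),   # fraudulent repeat
]


def review_account(logins=SAMPLE_LOGINS, batches=SAMPLE_BATCHES):
    """Run both checks and return the flagged source IPs and batch dates."""
    distant = flag_distant_logins(logins, HOME_LAT, HOME_LON)
    repeats = flag_repeated_batches(batches)
    return (
        [lg.ip for lg in distant],
        [b.when.date().isoformat() for b in repeats],
    )


if __name__ == "__main__":
    ips, dates = review_account()
    print("sessions from far outside the customer's area:", ips)
    print("payroll batches repeating an earlier one:", dates)
```

Either flag alone would justify holding the batch for an out-of-band confirmation call to the customer before the money leaves the account.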

The blogger says Community Bank did not respond to his request for a comment, but its deposition claims the cybercriminals “had infiltrated Evans’ computer with a virus and used it to steal his online banking credentials, which included a user name, password, PIN and several challenge/response questions.”

Mr. Krebs indicated the thieves pulled it off with the unknowing help of what are called money mules.

“Among those lured into the scam was Josh Enlow, a 28-year-old gas station attendant in Phoenix,” he wrote. “Enlow said he was hired by an entity calling itself The Total Group Co., which initially contacted him in an e-mail stating it had found his resume on a job search Web site, and would he be interested in an ‘accounts payable’ position?”

Reportedly, Mr. Enlow received several fund deposits and was asked to forward the money.

“He then wired the money to individuals in Eastern Europe as instructed, he said,” wrote Mr. Krebs.

“If the customer wants the bank to reimburse it for fraud losses, it’s up to the customer to prove that the bank’s security procedures are not commercially reasonable…” says IT security expert Dr. Stan Stahl. “The result, all too often, is that the customer has little choice but to sue the bank.”

But Dr. Stahl says there are reasons for such victims to hope:

“There’s a very good chance the bank’s procedures fail the test of commercial reasonableness,” writes Dr. Stahl.

But he adds the burden of proving a bank is at fault is “huge.”

He says one solution is cyber theft insurance.

My counsel is due diligence by a top-notch security adviser, and to make sure you really know your bank.

From the Coach’s Corner, Dr. Stahl’s security blog: http://citadelonsecurity.blogspot.com/.

Is It Time to Educate CEOs about Threats from Cybercrime?

 

Updated Jan. 3, 2012

The movement to persuade senior executives on cyber-security dangers is slowly growing.

Indeed, two business professors – University of Virginia’s Tim Laseter and Dartmouth’s Eric Johnson – argue there’s “A Better Way to Battle Malware.” They successfully argue in the lengthy article that senior executives could implement production quality controls to conquer cyber security issues.

Indeed, there’s plenty of evidence that cybercriminal activity is flourishing. Every week we see the headlines about newly discovered sinister events. But USA Today first reported in 2010 that many CEOs have been unaware of the dangers to their firms when it comes to Internet security.

Eighty-one percent of information-technology professionals believed that their companies’ senior managers still do not comprehend the need to take proactive steps to ward off security threats.

That’s according to a study of nearly 591 IT pros. It was conducted by the Ponemon Institute for NetWitness. Not only did it involve opinions about CEOs, the same fears were attributed to a lack of understanding by government agencies.

In addition to the 81 percent concerning senior executives, the study reports other red flags:

  • 83 percent indicated their organization has been a recent target of advanced threats
  • 41 percent said they were frequently attacked

So, it’s time to check with go-to security expert Dr. Stan Stahl. Is it really possible that senior executives don’t fully comprehend IT security dangers?

“Our experience confirms the validity of these statistics,” believes Dr. Stahl. “The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.”

Dr. Stahl, who commented in his blog, is a widely known pioneer and consultant in security and the prevention of identity theft. He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information-security professionals and practitioners.

“The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management,” he writes.

Indeed, the study also indicates 44 percent of attacks result in the theft of confidential information, and 45 percent of the cyber strikes result specifically in the “theft of intellectual property.”

“It’s to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) have embarked on an aggressive Community Outreach Program,” writes Dr. Stahl. “Our objective is nothing less than to raise information security awareness.”

Of course, the association has local chapters in multiple cities; see www.issa.org.

Yes, it’s disappointing to know that senior executives are still in the dark. But IT pros can solve this problem. Here’s more: How CIOs Can Get More Respect in the C-Suite.

From the Coach’s Corner, this site’s Tech section contains many Biz Coach columns on cybersecurity with solutions from Dr. Stahl. (Note: I’m very familiar with Dr. Stahl’s expertise as we’re both members of Consultants West, www.consultantswest.com.)

For more on Dr. Stahl, see his Web site and his blog.

Resources links: Ponemon Institute, www.ponemon.org; and NetWitness, www.netwitness.com.

“Distrust and caution are the parents of security.”
-Benjamin Franklin


 

Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist

 

June 27, 2010

At first glance, the free WIFI service at Starbucks seems like a great idea for mobile professionals. Starbucks’ free Internet service is a response to growing competition – McDonald’s upgraded coffee offerings and free WIFI, which have proved to be popular in the economic downturn.

Starbucks announced the service effective July 1, 2010.

But the WIFI offering by Starbucks has prompted a security warning and checklist from a go-to Internet security guru, Dr. Stan Stahl of Citadel Information Group in Los Angeles. His commentary is entitled, “Free WIFI at Starbucks – Reminder of Cybersecurity Risk.”

“While most of the common risk is eavesdropping, one cannot overlook the risk of computer compromise,” writes Dr. Stahl.

His five security recommendations:

  1. No online banking or other eCommerce
  2. No e-mail containing sensitive information except via an approved encrypted link from PC to Mail Server
  3. Keep anti-virus or host intrusion software up-to-date
  4. Make sure software patches are up-to-date
  5. Use VPN (virtual private network) for access to office

Respectively, here are Dr. Stahl’s Web site and blog addresses: www.citadel-information.com, www.citadelonsecurity.blogspot.com.

From the Coach’s Corner, Dr. Stahl’s expertise is also quoted in these Biz Coach columns:

How China-Google Controversy Might Affect Business, Government Security

 

Updated 6:50 p.m. April 20, 2010

The security issue between China and Google appears to be taking on new ramifications – threatening proprietary information for business and government agencies, if they do business with the giant search engine.

When Google was hacked last year by cybercriminals in China, they stole a computer program that managed access to Google’s programs, according to a New York Times article Monday. In the past, Google has denied hackers were able to access personal information from Gmail accounts, but the search engine did not respond to The New York Times report.

“As the story makes clear, businesses considering cloud services like those offered by Google, Amazon and others must ‘look before they leap’,” warns Internet security expert Stan Stahl, Ph.D., Citadel Information Group, Inc. (www.citadel-information.com).

“While it’s probably obvious to look at the security provided by the cloud provider, less obvious is that the business needs to also look at that part of security that will still be its responsibility, the part of security that the cloud service provider isn’t providing,” says Dr. Stahl, as the go-to security authority.

“Security can never be a matter of looking at ‘this’ or ‘that.’ Security must always be about looking at ‘this’ and ‘that’,” he adds.

As a management consultant, I wonder about two other questions: What about the privacy of Google’s services for business and government agencies? Is the threat to Google’s business model more severe than first thought?

Google’s services for the private and public sectors include, but are not limited to, the following:

  • AdSense is a platform for publishers to generate income by displaying a bevy of click-through advertisements, but Google requires sensitive information in order for publishers to receive payment. Google’s AdSense automatically inserts display and text ads, which are frequently changed.
  • Google Analytics is a service that helps Web site owners understand how they’re faring with visitors, such as how visitors reach your Web site and what they visit.
  • AdWords is a sponsored links section. It’s the largest service of its kind, and Google has the No. 1 market share.
  • Merchant Center uploads product listings for use in a variety of ways. They include AdWords ads, Google Search, Google Product Search, and Google Commerce Search.
  • Checkout helps businesses increase sales by selling online.
  • Website Optimizer, with access to sites, tests content in order for publishers to optimize the conversion rates of their visitors.

There are other Google services, but you get the idea.

The news article provided more alleged details, including those about Google’s “Gaia,” the password system that was reportedly stolen. Gaia is the Greek mythological goddess of the earth. Gaia managed entry to Google’s services for the private and public sectors.

For more of the report’s details, see: Cyberattack on Google Said to Hit Password System

If The New York Times article is accurate, and my Biz Coach sense is that it is, businesses and public agencies doing business with Google might want to consider a security-needs assessment by a qualified expert. This is also a bigger threat to Google’s business model than we first believed. Google deserves support on this security issue.

(Disclosure: This site published Google public service messages.)

From the Coach’s Corner, in a new related development, BusinessWeek reports government criticism of Google in this article: Google Is Neglecting Online Privacy, Authorities Say

Also, worth reviewing are two Biz Coach columns regarding Internet security:

How to Protect Yourself from the Internet Crime Wave

Business 101 Lessons: Google vs. China’s Censors, Cybercriminals

Antivirus Company Names Most-Perilous Internet Cities

 

Updated March 23, 2010

In cyber-crime, Seattle has earned a distinction it’d rather not have – the No. 1 riskiest online city. That’s according to Norton from Symantec. The antivirus company teamed up with research firm Sperling’s BestPlaces to determine the locales they deem the most susceptible to Internet crime.

Maybe they are and maybe they’re not. A leading cyber-security expert, Dr. Stan Stahl, questions the data.

“While some of the factors used in assessing ‘risk’ would seem to be appropriate, my bottom line was expressed best by G.K. Chesterton: ‘It’s not that they don’t know the answer. It’s that they don’t even know the question’,” says Dr. Stahl, a noted Internet security expert in Los Angeles (www.citadel-information.com).

A Norton press release states its list of cities was developed as a result of the cyber-attack data compiled by Norton and other factors. The top five: Seattle, Boston, Washington, D.C., San Francisco, and Raleigh.

The Norton data criteria include these six categories:

1. The cyber-crimes data from Symantec Security Response:

  • Number of malicious attacks
  • Number of potential malware infections
  • Number of spam zombies
  • Number of bot infected computers
  • Level of Internet access

2. Expenditures on computer hardware and software

3. Wireless hotspots

4. Broadband connectivity

5. Internet usage

6. Online purchases

Missing from this list, Dr. Stahl says, are things that would serve to mitigate risk, such as:

  • Number of information systems security professionals in the city
  • Average number of information security professionals per 1,000 computers and per company
  • Percentage of computers that connect to hotspots using a VPN (virtual private network)
  • Percentage of companies ISO 27001 certified (ISO refers to the International Organization for Standardization)
  • Numbers of CISSPs (certified information systems security professionals), CISMs (Certified Information Security Managers), etc.
  • Percentage of businesses/homes with professionally managed firewalls

“By itself, expenditures may mean little or nothing since one large supercomputer can cost the same as zillions of PCs and actually lower risk,” explains Dr. Stahl. “There’s also the question of what ‘risk’ means when applied to a city, as opposed to an individual or an organization.”

So, it’s a question of what he calls “meaningful mathematics” – everything is relative.

“My risk goes up or down as the total number of bot infected or spam zombie computers goes up or down; it doesn’t really matter if they happen to be in my own town or somewhere else [more or less true, but not quite since a bot net or spam zombie in Africa poses less of a risk than a bot net in America],” he adds. “In this situation, my risk is my risk; it doesn’t meaningfully transfer to my city.”

Norton’s list of the alleged most-vulnerable cities:

1. Seattle

2. Boston

3. Washington, D.C.

4. San Francisco

5. Raleigh

6. Atlanta

7. Minneapolis

8. Denver

9. Austin

10. Portland

11. Honolulu

12. Charlotte

13. Las Vegas

14. San Diego

15. Colorado Springs

16. Sacramento 

17. Pittsburgh

18. Oakland

19. Nashville-Davidson

20. San Jose

21. Columbus

22. Dallas

23. Kansas City

24. New York

25. Indianapolis

26. Albuquerque

27. Miami

28. Omaha

29. Virginia Beach

30. Los Angeles

31. Cincinnati

32. Houston

33. St. Louis

34. Phoenix

35. Chicago

36. Baltimore

37. Oklahoma City

38. Philadelphia

39. Jacksonville

40. Tulsa

41. San Antonio

42. Milwaukee

43. Cleveland

44. Tucson

45. Long Beach

46. Fort Worth

47. Fresno

48. Memphis

49. El Paso

50. Detroit

Again, based on the expertise of Dr. Stahl, if you live in one of the listed cities, you don’t necessarily have to worry. My thanks to him – he’s been very gracious with his analysis for many years.

From the Coach’s Corner, here are recent Biz Coach columns featuring his expert opinions:

His security blog: http://citadelonsecurity.blogspot.com/

How to Protect Yourself from the Internet Crime Wave

Jan. 22, 2010

 

For Citibank customers and millions of other consumers who enjoy the convenience of online banking, a headline was alarming.

The Wall Street Journal headline: “FBI Probes Hack at Citibank – Russian Cyber Gang Suspected of Stealing Tens of Millions; Bank Denies Breach.”

The article on December 22, 2009 was the last we’ve seen about the Citibank situation. The reported multimillion dollar loss – a public relations nightmare for Citibank – has been hushed up.

Many online security experts say online fraud is skyrocketing and there are FBI warnings about online fraud and related scams.

Such cybersecurity experts also cite another alarming trend – increasing sophistication in the methods used by cybercriminals.

About three weeks after the Citibank report, online-banking warnings were issued by the American Bankers Association and FBI (“Cybercrooks stalk small businesses that bank online”). The warnings followed a wave of cybercrime afflicting small businesses, public-sector agencies, churches, schools, and other non-profits.

Cybercrime methods

Many crooks are using what are called “banking Trojans.” Here’s a typical case: “New Trojan Intercepts Online Banking Information – PC World.”

A cybersecurity expert, Dr. Stan Stahl, recently developed a plot line in another cybercrime issue, which is applicable to the banking scams.

“The plot line isn’t with Citibank but related to the recent web attack on Twitter that redirected users to the ‘Iranian Cyber Army.’ This same type of attack – stealing the UserID/password of Twitter DNS administrator and then changing the DNS to point to the Iranian Cyber Army – could be used to create a ‘cybercriminal-in-the-middle’ attack against an eCommerce site,” he said.

Dr. Stahl further explained the cybercriminal is then able to steal a consumer’s sensitive credit-card information and seize control of the victim’s computer.
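The pattern Dr. Stahl describes, a DNS record repointed with a stolen administrator login so that customers are silently routed to a server the attacker controls, is something a site operator can monitor for. What follows is an added Python example, not code from this column or from Citadel Information Group: it compares what a probe observed (A records, NS delegation, and the SHA-256 fingerprint of the TLS certificate served) against a pinned baseline and triages the result. The domain shop.example, the RFC 5737 documentation IP ranges, the name-server names and the fingerprints are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline for a hypothetical domain. The address ranges are the
# RFC 5737 documentation networks and the fingerprint is a placeholder; in
# real use these come from your own DNS zone and certificate inventory.
BASELINE: Dict[str, dict] = {
    "shop.example": {
        "allowed_networks": ["203.0.113.0/24"],
        "name_servers": {"ns1.shop.example", "ns2.shop.example"},
        "cert_sha256": "ab" * 32,
    }
}


@dataclass
class Observation:
    """What a monitoring probe saw for a domain at one point in time."""
    domain: str
    a_records: List[str]      # answers to an A query
    name_servers: Set[str]    # answers to an NS query at the parent zone
    cert_sha256: str          # SHA-256 of the leaf certificate served on port 443


def evaluate(obs: Observation, baseline: Dict[str, dict] = BASELINE) -> List[str]:
    """Compare one observation with the pinned baseline.

    Returns a list of findings; an empty list means nothing deviated.
    """
    expected = baseline[obs.domain]
    findings: List[str] = []

    # A records: any answer outside the operator's own address space is a
    # deviation even when the other answers are fine (partial repointing).
    nets = [ipaddress.ip_network(n) for n in expected["allowed_networks"]]
    for ip in obs.a_records:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            findings.append(f"A record {ip} is outside allowed networks")

    # NS delegation: a changed delegation is the classic sign that the
    # registrar or DNS-administrator account was used to repoint the zone.
    if obs.name_servers != expected["name_servers"]:
        added = sorted(obs.name_servers - expected["name_servers"])
        removed = sorted(expected["name_servers"] - obs.name_servers)
        findings.append(f"NS delegation changed: added={added} removed={removed}")

    # Certificate: whoever now answers for the name cannot reproduce the
    # fingerprint you pinned, so this is independent evidence of an
    # interposed server rather than a benign address change.
    if obs.cert_sha256.lower() != expected["cert_sha256"].lower():
        findings.append("TLS certificate fingerprint differs from pinned value")
    return findings


def classify(findings: List[str]) -> str:
    """Turn findings into a triage label for the on-call person."""
    if not findings:
        return "ok"
    dns_changed = any(f.startswith(("A record", "NS delegation")) for f in findings)
    cert_changed = any(f.startswith("TLS certificate") for f in findings)
    if dns_changed and cert_changed:
        return "likely-hijack"     # traffic goes elsewhere AND someone else terminates TLS
    if dns_changed:
        return "investigate-dns"   # could be an unannounced infrastructure move
    return "investigate-cert"      # could be a routine certificate rotation


# Constructed observations (not real measurements).
def normal_observation() -> Observation:
    return Observation("shop.example", ["203.0.113.10", "203.0.113.11"],
                       {"ns1.shop.example", "ns2.shop.example"}, "ab" * 32)


def hijacked_observation() -> Observation:
    # Delegation partly moved to an outside name server, which now answers
    # with an address in another range and fronts a freshly issued certificate.
    return Observation("shop.example", ["198.51.100.7"],
                       {"ns1.shop.example", "ns9.elsewhere.example"}, "cd" * 32)


if __name__ == "__main__":
    for obs in (normal_observation(), hijacked_observation()):
        result = evaluate(obs)
        print(obs.domain, classify(result), result)
```

Run periodically from a vantage point outside your own network, the check catches the repointing itself rather than waiting for the first customer complaint; pinning the certificate fingerprint is what separates a hijack from a planned move of the site to new addresses.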

He is a widely known pioneer in security and the prevention of identity theft. He is the expert on Federal Trade Commission rules under the Gramm-Leach-Bliley Act governing the handling of non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.

“I feel the banks must bear a significant share of the responsibility because they have the knowledge of what’s happening yet, in my experience and based on what I’ve been told by people in law enforcement, they are not working the problem with their customers nor are they supporting law enforcement by sharing what they know,” said Dr. Stahl. “They strike me as wanting to pretend this isn’t a problem.”

It’s true insurance companies reimburse victims of cybercrime. But cybercrime is expensive.

A client once hired Dr. Stahl to investigate a $1 million loss from an online banking theft, and I reported the details in this column, “5 Safety Measures to Thwart Mounting Social-Network Attacks.” He says it resulted in an expensive legal struggle.

“The lawsuit I’m involved in, for example, is between two insurance companies; both will lose dollars regardless of how the suit turns out,” Dr. Stahl explained. “If the insurance companies made bank cooperation with law enforcement a policy requirement, we’d get a lot more cooperation and the insurance companies would have fewer claims to pay.”

He is also assertive in explaining his perspective on the Internet-security issue, Google vs. China.

“There is little in the Google story that the information security community didn’t already know except for the specific vulnerabilities that were exploited,” he said. “What is new – and important – is that now the world knows. For our business, it’s just one more example we can point to of how unsafe the internet is. Plus, because it’s Google, the cybercrime has been deconstructed more thoroughly than usual. Kudos to Google.”

Smartphone dangers

A published report, “BBC News – Cybercriminals revive old scams to target smartphones,” raises the specter about threats against mobile phones.

The BBC smartphone report prompts this question from Dr. Stahl: “How long will it take until this type of malware is used to steal online bank credentials?”

Here are some of his tips to enhance your personal online security:

  • Review all privacy and policy information.
  • Use unique and hard to guess login information.
  • Protect your computer.
  • Check your account balance regularly.
  • Pay using credit cards.
  • Do not access your account from public locations.
  • Verify email correspondence from your bank.
  • If your account is compromised, take swift action.

For your company’s management controls:

  • Don’t allow your employees to use your computers in social networking.
  • Establish a list of allowable web-sites.
  • Closely monitor your bank account.
  • Train employees in social engineering awareness.
  • Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
  • Strengthen your defenses.

(Note: I know Dr. Stahl well as a trusted expert, and I’ve interviewed him on multiple occasions. He and I are members of a roundtable of veteran consultants, Consultants West, www.consultantswest.com.)

Resource links:

From the Coach’s Corner, here are additional security tips:

  • If you’re a cyber victim, contact a noted security expert and authorities (How to Report E-Scams and Hoaxes to the FBI).
  • If you want to help the victims in Haiti: “Only donate through the Red Cross or other well-established charity organizations,” said Dr. Stahl. “Ignore all email solicitations. They could be fake and prudence requires that one assume they are. There are lots of known safe groups through which one can contribute; no reason to take a risk here.”

Strategic Planning: List of Informative Web Sites

 

Keywords have become the currency of the digital economy. They transmute into cash when you attract the right prospective customers to your Web site. In Internet searches, the right keywords will also deliver the right data – saving you time and money while increasing revenue.

If you’re like most businesspeople, you have your favorite Web sites, which are often trade or profession-specific. You probably get great newsletters, too.

As Biz Coach, I enjoy hearing from many of the best strategists in the world and daily receive information from scores of sources on best-practices management and other topics. And some of my best feedback and questions come from readers who stumble across this column after searching for specific topics.

No one is able to accurately predict what the future holds for your business. But you can influence it, of course, by acting on the best information available. Your best bet for a crystal ball depends on whether you have a good awareness of human nature and developing trends throughout the nation and the globe.

If you need capital, here is some helpful information: “What No One Tells You about Raising Investment Capital.”

For information on mounting a business comeback, see “Step-by-Step Solutions for a Company Turnaround.”

What does the future hold generally for the economy and your business? Not to be a broken record, but in order to design a strategic plan to maximize your resources, you’ll want to complete a SWOT analysis to determine your strengths, weaknesses, opportunities and threats. But you’ll probably need answers from external sources.

For more on how to conduct a SWOT Analysis, visit: “Boeing, Airbus Rivalry: Lessons in Strategic Planning.”  

Once you conduct your SWOT you can start your strategic planning.

Here’s a potpourri of Web sites that provide some enlightening answers:

National Bureau of Economic Research. The private, nonprofit organization is a wealth of economic data that has been providing information regarding the workings of the economy since 1920. The organization does not predict recessions but is regarded as the authority on the nation’s economic health. You can sign up for daily updates on economic indicators at www.nber.org.

Federal Reserve outlook. Current information works best if you also have a sense of history. You can access the government’s current and historical data, including the last four decades at www.federalreserve.gov.

Data from 100 federal agencies. At www.fedstats.gov, you’ll be able to see the latest statistics from 100 government agencies concerning the big picture economy and your specific industry – topics range from agriculture to transportation. You can also see demographic data for every city.

Retail sales. Retail sales data is available at www.chainstoreage.com. This is helpful information as you finalize your product orders and plan your advertising dollars.

Housing. You can get wide-ranging clues from the National Association of Home Builders, www.nahb.com. Admittedly, it is designed to influence policy, but the site also has far-reaching data ranging from the housing industry to consumer-oriented home and remodeling information.

Airline and travel. Face time is important for selling to customers. But it is not fun if your flights are delayed or cancelled. There are at least four helpful travel sites: www.dot.gov, www.thetravelinsider.com, www.flightaware.com and www.flightstats.com.

Small business loans. The Small Business Administration, of course, provides loans to qualified small businesses.

Naturally, it is no secret that federal agencies can be a desirable target for small businesses. Federal agencies indeed are huge opportunities. But the Small Business Administration, www.sba.gov, confirms that federal agencies do not meet their quotas in contracting with small firms. For each agency, the quota is to award 23 percent of contracts to small business.

Here are the requirements: 5 percent to disadvantaged businesses; 5 percent to female-owned businesses; 3 percent to service-disabled veterans; and 3 percent to small firms in defined enterprise zones.

Newsletters of consulting firms. While many successful consulting firms charge for helpful studies in the form of newsletters, a substantial number are complimentary, such as some from McKinsey & Company, www.mckinsey.com.

From the Coach’s Corner, Internet security and identity theft are huge threats. One of my favorite consultants in Internet security is Dr. Stan Stahl at www.citadel-information.com.

For up-to-date information on global security risks, here is his blog site: www.citadelonsecurity.blogspot.com.


Biz Coach Terry Corbell – the business-performance consultant – provides Proven Solutions for Maximum Profits.
