Internet Criminals to Pose Bigger Threat than Terrorists – FBI

Feb. 4, 2012

The U.S. government, along with state and local agencies, businesses and consumers, should all heed ominous testimony before Congress. FBI Director Robert Mueller warned that “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.”

That was his message to the U.S. House Permanent Select Committee on Intelligence last week in discussing the importance of the Internet.

“The theft of intellectual property, the theft of research and development, the theft of the plans and programs of a corporation for the future, all of which are vulnerable to being exploited by attackers,” Mr. Mueller testified.

Mr. Mueller warned it’s imperative for the FBI and federal government to get more proficient in analyzing, gathering and sharing information. He also requested appropriate legislation.

Indeed, we see proof of his admonition in news headlines almost daily, which has prompted countless Biz Coach columns about cyber attacks with tips for Internet security.

The most-read Biz Coach topic of all time quoted Dr. Stan Stahl, a nationally recognized security expert, in “Using Starbucks’ WiFi? Security Pro Issues Warning and Security Checklist.” Also highly read is “Our Mobile-Banking Warnings about Security Prove Prophetic.”

“In the last several weeks, we’ve seen successful distributed denial of service (DDoS) attacks against banks, governments, law enforcement and the entertainment industry,” said Dr. Stahl in Los Angeles.

Don’t forget about healthcare. It’s vital to understand why many healthcare workers are responsible for an alarming trend: Medical ID theft. Here’s a lesson about passwords after the theft of 16,000+ UCLA patient records.

“We’ve seen Israeli and Palestinian cyber-vigilantes launch DDoS attacks against each other’s web sites,” he explained.

“What happens when radical organizations discover they can launch a DDoS attack against their enemies?” he asked. “We should not be surprised to see the Internet become a battleground in America’s culture wars.”

Key questions

Dr. Stahl recommends that all organizations answer four key questions:

  1. Are we gathering the information we need to understand our cyber threat and the quality of our cyber defenses?
  2. Are we effectively analyzing this information, using it to better secure our information?
  3. Are we sharing it with the necessary parties?
  4. In particular, is management getting the information they need to proactively manage information risk?

“One highly critical defensive measure, for example, is to rigorously keep software patched,” he added. “One of the easiest ways for a cyber criminal to take control of a computer is to exploit a vulnerability in unpatched software.”

Dr. Stahl’s firm, Citadel Information Group, is regularly asked to help businesses.

“Patching needs to be on the weekly must-do list of every IT department and IT vendor,” he explained. “Yet, when we assess the patch levels of organizations, we are not surprised to often see more than 100 unpatched vulnerabilities on desktops.”

Questions for IT departments

To information technology departments, he poses these five questions:

  1. Does IT gather vulnerability information?
  2. Do they analyze it, taking appropriate action to keep vulnerabilities to a minimum?
  3. Is it shared with senior management?
  4. Does senior management know that IT must patch vulnerabilities to comply with laws like HIPAA and HITECH, or with contractual obligations like the payment card industry’s data security standard (PCI DSS)?
  5. Does senior management regularly monitor “weekly vulnerability trends”?

“Human nature being what it is, cyber crime and hacktivism will likely get worse before things get better,” he concluded. “While we can hope to avoid cybergeddon, we also have to remember that hope is not a strategy.”

Amen. You can keep yourself updated by subscribing to Dr. Stahl’s Weekend Patch and Vulnerability Report.

From the Coach’s Corner, here are more Internet security resource links:

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?

5 Safety Measures to Thwart Mounting Social-Network Attacks

Security Precautions to Take Following Citibank’s Second Reported Online Breach

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers…organizing your lives, staying in touch with people, being creative…if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.”

-Bill Gates

_________

Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact him today?

New Cyber Attacks: Tips For Internet Security

Dec. 26, 2011

Do you need more evidence to be diligent in using best practices for security on the Internet?

Christmas and Hanukah don’t matter to cybercriminals, as they don’t observe holidays. They’re working hard to disrupt lives and steal money.

Consider three examples:

1. As much as $1 million was reportedly stolen and given to charity after thousands of credit card numbers and other personal information were hacked from security think tank Stratfor by the furtive cyber group calling itself Anonymous. (Of course, all it did was hurt the charities because they had to expend valuable resources – time and money – in refunding money to the credit card holders.)

2. Bloomberg reported that commerce is active on criminal trading sites – as much as $3.50 is paid for each stolen credit card.

3. US-CERT reports that spear-phishing attacks have been launched on members of the United States Automobile Association (USAA). Cybercriminals are trying to trick USAA members into opening e-mails by using “Deposit Posted” in the subject line. The e-mails are designed to trick USAA members into opening attachments that contain malware. Once unleashed, the activated malware invades the victims’ computers searching for their sensitive personal information.

“Readers should remain on alert to keep safe from attacks by following the following three basic rules,” writes nationally recognized security expert, Dr. Stan Stahl of Citadel Information Group in Los Angeles.

His basic rules:

  1. Do not open attachments in emails unless the email is expected. Do not click on links in unexpected emails. Attachments and links can be booby-trapped. When in doubt check with the sender.
  2. Keep systems updated with the latest software versions.
  3. Keep anti-malware solutions up-to-date. Consider moving to advanced host-based intrusion prevention.

You can sign up for his “Weekly Patch and Vulnerability Report” and his blog at Citadel-information.com.

Actually, a study found that most small businesses make you vulnerable to credit card fraud and ID theft (see “Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study”). So businesses need to be diligent, too. See “Is Your Business Prepared with Precautions and Response Philosophy?”

(Note: I’m very familiar with Dr. Stahl’s expertise. He is a fellow member of Consultants West, Consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are more resource links:

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Why Many Healthcare Workers Are Responsible for Alarming Trend: Medical ID Theft

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records 

“You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”

-Daryl White


Who Profits from Android’s Security Issues? Not Users.

Dec. 19, 2011

Countless headlines detail the cyber dangers of Android-based devices, and Google has now taken 22 applications off its market. The operating system’s issues stemmed from malware infections.

So who can benefit? Certainly it isn’t Android users. 

“We continue to advise readers to be very cautious in downloading Android applications,” wrote Dr. Stan Stahl on his blog. “Applications should be downloaded only from ‘official’ stores and only after they have been ‘vetted’ as legit,” wrote the nationally known security expert.

Google removed the apps from its Android market after they fooled users into accepting hidden, fraudulent charges. 

The biggest operating-system competitor to Google’s Android: Apple’s iOS. 

Published reports indicate Microsoft is actively pursuing opportunities to capitalize on Android’s woes. 

Research in Motion (RIM) has its own woes with BlackBerry profitability. New products are slow to market. As RIM’s phones age and need to be replaced by business users, Apple’s products might become even more attractive in the corporate world.

And if the vulnerabilities aren’t resolved, both Apple and Microsoft should be in a position to profit. 

From the Coach’s Corner, security resource links: 

New Cybercrime Serves as Warning to Take Defensive Precautions

Why Many Healthcare Workers Are Responsible for Alarming Trend: Medical ID Theft

Our Mobile-Banking Warnings about Security Prove Prophetic

“Distrust and caution are the parents of security.”

-Benjamin Franklin


Risk Management – Picking the Best Cloud Storage Provider

Dec. 13, 2011

There’s been quite a buzz about using the cloud. Personally, I’m still not sold on using cloud services for many businesses. There have been too many problems, and I prefer to maintain controls to alleviate uncertainty in business. Not to mention one of the lessons I learned very early — when there’s a lot of hype like there is with the cloud — go slow with due diligence.

But if you feel you must go the cloud route, remember choosing the right cloud storage provider is a must for risk management.

You have a vast array of options. Cost is important, of course, but so are your company’s risk-management needs – just as they are for the federal government.

It’s taken two years, but the government has now launched FedRAMP, the Federal Risk and Authorization Management Program. It established security standards for providing cloud services to the government. FedRAMP also provides agencies with monitoring tools to ensure continuous compliance with those security standards.

Those are important considerations.

So what about cloud risk-management for your business?

Here are basic questions to ask of your potential cloud provider:

  1. If they’re a large provider, has the vendor been qualified by FedRAMP?
  2. What is the company’s financial situation? According to federal data, there were 1,467,221 bankruptcies last year, of which 49,895 were business bankruptcies. Have a frank discussion with the supplier. Find out if they expect to gain or lose business in the next year. Ask about their cash flow, and for references regarding the status of their banking relationships.
  3. What would be their total charges? Is it a flat fee? What are the additional costs for storing each gigabyte or for transferring data?
  4. What about the security of their services, and what does their service level agreement (SLA) provide? Keep in mind commitments for performance and reliability, and what happens if they fail to perform according to the SLA.
  5. What do they provide in the way of data availability each month? What will be the percentage of time you will be able to get into your data or add new data?
  6. What do they provide in data transfer rates? Data storage is important, but so is your ability to rapidly transfer your data.
  7. What level of data durability do they offer? That is the amount of potential data loss from data corruption.
  8. Does the vendor provide a data shuffle or bare-metal service? This service is a hard-copy backup. Will you be able to ship a hard-drive copy of your data to the cloud provider for loading, and will you be able to retrieve a hard-drive copy of your data on request?
  9. What do they support in operating systems? Make certain they’re capable of working with all your operating systems.
  10. What are their backup services? You’ll have problems if they simply back up your data files. You’ll also want assurances that they will back up all your computer applications and operating systems, and will provide virtual servers for crashed systems.

From the Coach’s Corner, here’s How Small Businesses Can Capitalize on Cyber Strategies for Profit.

“It’s not a faith in technology. It’s faith in people.”

-Steve Jobs


New Cybercrime Serves as Warning to Take Defensive Precautions

Nov. 14, 2011

Cybercrime is only getting worse, as reported in two major stories in the past week.

In New York, six Estonians and one Russian were charged by authorities with cybercrimes on a massive scale. Victims include the National Aeronautics and Space Administration, other government agencies, businesses and 500,000 people. 

In the U.K., 13 people were sentenced to jail terms over their use of malware in banking fraud totaling 2.9 million British pounds, or $4.6 million. Hundreds of people were victimized. 

These stories are another lesson to take cybercrime seriously.

For best practices in thwarting cybercriminals, I always turn to nationally recognized security expert, Dr. Stan Stahl, of Citadel Information Group in Los Angeles.

His tips:

  1. Keep systems patched with the latest updates. (His security blog, Weekend Vulnerability and Patch Report, lists major updates for software typically found in small offices and home computers.)
  2. Run up-to-date anti-virus/anti-malware software – or, even better, a strong intrusion detection and prevention solution.
  3. Use strong passwords for access to sites with sensitive information. Password length is more important than randomness; size matters. “2HelloPepper#” is a much stronger password than “Ab$%16vF”, plus it’s a lot easier to remember.

“Be extremely sensitive to social engineering attacks,” Dr. Stahl adds. “Don’t open email attachments or click on links in emails unless the email is from someone you know and is expected.”

For more of Dr. Stahl’s insights, visit his Web site.

(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are more security strategies:

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Why Many Healthcare Workers Are Responsible for Alarming Trend: Medical ID Theft

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?

“Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.”

-Chris Pirillo


Lesson about Passwords after Theft of 16,000+ UCLA Patient Records

Nov. 6, 2011

The personal information of 16,288 patients at UCLA’s network of hospitals and clinics is in the wrong hands following a burglary at a doctor’s home. The information was on a computer hard drive stolen from the home, according to an article in The New York Times (U.C.L.A. Health System Warns About Stolen Records).

Medical records of the patients included addresses, birth dates and medical information covering July 2007 to July of this year.

The possible good news: The personal medical data was encrypted.

But the alarming news: A piece of paper containing the password was missing from the doctor’s home.

“Rule 1 is never write down passwords,” warns nationally known security expert Dr. Stan Stahl, of Citadel Information Group in Los Angeles. 

“Rule 2 is – if you’re going to break Rule 1 – do it securely,” he adds. 

“If you must write a password down, write it on a piece of paper the size of a credit card and keep it in your wallet with your credit cards and your driver’s license,” explains Dr. Stahl. “And just write the password: write ‘15Blah-blah-blah’ not ‘my laptop password is ‘15Blah-blah-blah’.” 

You can get more of Dr. Stahl’s insights on his security blog and his Web site.

(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are additional cybersecurity tips:

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Our Mobile-Banking Warnings about Security Prove Prophetic

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

-White House Cybersecurity Advisor, Richard Clarke


H.R. 1981 Is Well-Intentioned, But Would Big Brother Be Watching You?

Updated Feb. 1, 2012

The goal to protect children from Internet porn and predators is a worthy cause. However, for valid reasons, a bill in Congress designed to protect children is vehemently opposed by security experts and privacy activists.

Add me to the list. Why? As a journalist concerned with upholding the principles of freedom and good government, I find that the bill raises serious concerns.

The proposal also reminds me of salient principles in two famous books written by an English author, Eric Arthur Blair. Writing under a pen name, Mr. Blair lived from 1903 to 1950.

Among a myriad of honors after his passing, Time Magazine named one of Mr. Blair’s books among the 100 best English-language novels. In 1983, Mr. Blair made the cover of Time Magazine. The book is also No. 31 on the Modern Library list of the best 20th-century novels.

Mr. Blair was a strong advocate of freedom. During World War II, he also worked for BBC to combat the sinister propaganda emanating from Nazi Germany.

“Freedom is the right to tell people what they do not want to hear,” he wrote.

His most-honored book, “Animal Farm: A Fairy Story,” is an allegorical novel about the events leading to the era of Joseph Stalin and Communism.

In another noteworthy book, “Nineteen Eighty-Four,” he wrote a fictional account of an oligarchical dictatorship.

“Big Brother is watching you,” he would write.

The author’s pen name: George Orwell.

So, mindful of the books’ themes and of a career that included serving as a government watchdog as a journalist, I see red flags in this proposed federal legislation.

The House of Representatives bill, H.R. 1981, would require Internet service providers to keep records of their customers for one year. The ultimate goal is to identify users via their IP addresses. Sponsors claim they want to protect children.

Privacy issue

Ordinarily, the goal of protecting children is a terrific idea. But the means to the end are unacceptable. Violating the privacy of Internet users is an abhorrent thought.

“The data retention mandate in this bill would treat every Internet user like a criminal and threaten the online privacy and free speech rights of every American, as lawmakers on both sides of the aisle have recognized,” says attorney Kevin Bankston of the Electronic Frontier Foundation in an article on Threatpost.com.

“Requiring Internet companies to redesign and reconfigure their systems to facilitate government surveillance of Americans’ expressive activities is simply un-American,” he adds. “Such a scheme would be as objectionable to our Founders as the requiring of licenses for printing presses or the banning of anonymous pamphlets.”

An ISP client told me such record-keeping costs would not adversely affect his firm.

“When investigators develop leads that might result in saving a child or apprehending a pedophile, their efforts should not be frustrated because vital records were destroyed simply because there was no requirement to retain them,” Threatpost quotes Rep. Lamar Smith (R-TX), a bill sponsor.

“This bill requires ISPs to retain subscriber records, similar to records retained by telephone companies, to aid law enforcement officials in their fight against child sexual exploitation,” he adds.

Fortunately, not everyone in Congress agrees with Rep. Smith, according to Threatpost.

“The problem arises when data retention is government mandated,” says Rep. Jim Sensenbrenner (R-Wisc.). “It is the government’s role to conduct criminal investigations through the established legal process, but it is not the role of government to mandate how private businesses arrange storage procedures independent of the legal process.

“Simply put, the decision to store data should be a business decision and not a government decision,” concludes Rep. Jim Sensenbrenner.

In Internet-security matters, I always check with arguably the nation’s leading authority, Dr. Stan Stahl (www.citadel-information.com).

“The devil is always in the details,” says Dr. Stahl. “I sure would like the ability to go back and find out who was at a particular IP address on a certain date and time when a client of mine received an email carrying the Zeus Trojan from that IP address.”

Questions arise

However, Dr. Stahl raises some questions: “Just how much pedophilia is there and exactly how is this going to control it? Is this a real problem or is this a candidate for budget cutting? Why one year? Why not 6 months? Or 18 months? Is there anything more than a random guess as to why we’re doing this?

“All this law will do is drive all but the dumbest of them to simply cover their tracks through things like advanced tunneling, anonymization and encryption,” adds Dr. Stahl. “Survival, as always, will go to those who adapt.”

He, too, raises privacy concerns.

“Those of us old enough to remember the 60s can only hazard a guess as to the consequences of the government having the ability to track our every move on the Internet,” adds Dr. Stahl. “Americans have a deep history of not trusting government; not all of this is irrational.”

The debate seems to be in vain. Dr. Stahl says pedophiles already have a tool to stay under the radar. He cites an MIT article.

(Note: Dr. Stahl has been my go-to security expert since 1984. I was introduced to his expertise via our mutual membership in Consultants West, www.consultantswest.com.)

From the Coach’s Corner, here are two informative links:

Dr. Stahl’s security blog

Mr. Orwell’s iconic book: Nineteen Eighty-Four

“The only sure bulwark of continuing liberty is a government strong enough to protect the interests of the people, and a people strong enough and well enough informed to maintain its sovereign control over the government.”    

-Franklin D. Roosevelt


Security Firm Warns About Historic Malware Levels

Updated Aug. 11, 2010

On a day when Microsoft issued a massive security update, McAfee publicized its second-quarter data, which shows malware permeating the Internet on a mega scale, according to Website Magazine.

The magazine reports McAfee isolated six million malware cases in Q2 – that’s 10 million for the first half of 2010.

Microsoft’s security update included 14 security bulletins. Eight are designated as “critical” and six are deemed “important.” In all, there were 34 vulnerabilities in Microsoft Office, Microsoft Windows, Internet Explorer, Silverlight, Microsoft XML Core Services and Server Message Block.

“The most frequently used malware included threats on portable storage devices, fake anti-virus software, software specifically targeted at social media users, AutoRun malware and password-stealing Trojans,” writes Linc Wonham, Website Magazine’s associate editor. “McAfee reported that approximately 55,000 new pieces of malware appear every day around the world.”

He reports spam is down after peaking at almost 175 billion messages per day in Q3 2009.

“The most popular forms of spam in the U.S. were delivery status notifications or non-delivery receipt spam, which was also the case in Great Britain, China, Australia, Italy, Spain, Germany and Brazil. Argentina had the world’s highest number of different spam topics with 16, according to McAfee’s report,” he explains.

So, if Microsoft hasn’t updated your computers, get busy. For solutions on malware, see: What You Must Do to Combat the Malware Epidemic.

From the Coach’s Corner, if you want more tech-security information, search for the name, Dr. Stan Stahl, on this site. You’ll find voluminous, useful information.

Biz Coach Terry Corbell – the business-performance consultant – provides Proven Solutions for Maximum Profits.
