69% of Consumers Worry about Security at Major Companies – Growth Opportunity for Small Business



Consumer worries over security, privacy and fraud from security breaches at major companies, such as Target and Neiman Marcus, are presenting opportunities for small businesses in online sales.

A study shows 69 percent of consumers were worried about the breaches as they started their 2014 holiday shopping. The survey was conducted by Web.com Group, Inc.

Sixty-five percent of respondents are more likely to shop at small business Web sites.

“Small businesses have an opportunity to think even more strategically about their online and digital presence through the lens of what value they can bring their customers – whether in the form of money, efficiency or security,” said David Brown, chairman and CEO of Web.com.

Mr. Brown’s recommendation is not surprising.

“In order to gain consumer confidence, small business owners have become more thoughtful and serious about managing their online presence and making the necessary security measures to keep their customers’ data safe,” he added.

Key findings:

— Persistent security breaches at “big box” retailers and large banks are motivating consumers to look to small businesses as a more likely destination this year.

— Small businesses are learning from the challenges that “big box” retailers are facing and taking steps to meet consumer demand for tighter online security and privacy controls this holiday season.

— Consumers desire more “wireless, mobile apps and services” from small businesses, and SBs are taking substantial steps to address these demands and increasingly focusing their attention on mobile marketing opportunities.

Small businesses that meet consumers’ expectations for online and mobile capabilities have a significant opportunity to drive consumers to their business, thereby improving their bottom line.

— SBs’ attitude and approach to doing business in digital channels is becoming more “professionalized.” Small businesses are beginning to invest in more sophisticated digital capabilities as well as in the top-notch security measures needed to deliver on what customers want and need today.

Web.com recommends small businesses assess their online, social and mobile activities and security: 

  1. Amp up direct customer communications with messages to reassure them that the security of your website/digital assets is a top priority: it’s well-maintained and monitored.
  2. Find a way to leverage the business assets of the physical world and translate them to the digital world.
  3. Take steps to become more accessible to your customers, as well as more professional and sophisticated with how your business offers products/services via the web and mobile.
  4. Hone your focus on mobile opportunities – consumers see the greatest value in the ‘local’ benefit combined with mobile accessibility and flexibility.
  5. As your business evolves, seek counsel and help from proven resources that can propel your business down the path of growth and success.

From the Coach’s Corner, related Biz Coach tips:

4 Strategies for CEOs to Win Their Cyber Security Tug of War — The cyber security tug of war is never ending even though chief executive officers and board members now get the importance of protecting their companies’ information assets. They’ve learned to fear cyber-security threats because they could lose their jobs. If this is all true, why then are there incessant, worldwide cyber attacks?

8 Basic Tips for Selecting the Right Web Hosting Company — If you want to grow or have plans for a complex Web site, hiring the right Web hosting company can be daunting. How do you find a hosting firm that’s reliable and is responsive to your needs? Don’t take the selection process for granted. You can suffer from any one of many unforeseen challenges.

Tips For Internet Security to Prepare you for New Cyber Attacks — Do you need more evidence to be diligent in using best practices for security on the Internet? According to a Web security study in 2013, Internet attacks have been impacting businesses, with the majority of them reporting significant effects in the form of increased help desk time, reduced employee productivity and disruption of business activities.

Don’t Wait for Cyber Security Legislation that Affects Your Business — Not likely to pass, a data-breach bill has been re-introduced in the U.S. Senate that would regulate how businesses behave – informing customers when their personal information has been stolen. Passage or not, businesses should act on their own. It’s the right thing to do.

5 Strategies to Sell More from Your Web Site — Yes, Internet sales can be challenging. To paraphrase a line from the movie, “Field of Dreams,” it’s not always true that if you build it, they will come. There are many salient elements to keep in mind. Naturally, you need to attract visitors, convert them into customers, continually study your site’s visitors’ data, and keep fine-tuning your approach.

Tips to Avoid Advertising Scams Tricking You to Ask for Tech Support — Advertising scams that prey on Internet consumers have prompted four Internet companies to band together to fight the abuse. The scams use harmless-looking ads to trick consumers into using phony tech support that actually enable cybercriminals to invade the unsuspecting owners’ devices.

A thief who stole a calendar got twelve months.

__________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.

The New Face of $1 Trillion in Cybercrime on Business – Account Takeovers, Credit Card Fraud



Business Web sites are facing an increasingly intense full-court press from cybercriminals – the aggregate cost of cybercrime annually, which includes prevention strategies, has exceeded $1 trillion.

Large-scale data breaches are savagely victimizing new accounts, while account takeover attempts and credit card fraud have doubled, according to a fraud-data study in June 2013.

A report by ThreatMetrix shows that Web fraud attacks endanger the full customer life-cycle: new account registration, authentication and payment transactions. ThreatMetrix (www.ThreatMetrix.com) is a provider of cybercrime prevention solutions. The study included the experiences of 9,000 of the firm’s customers.

“Nearly one in every 10 new accounts opened online is done using a spoofed identity, and the incidence of account takeover attempts and online payments fraud have both doubled in a six-month period,” said Alisdair Faulkner, the ThreatMetrix chief products officer.

“Data breaches are imminent and given the increased sophistication of malware, organizations should assume that a material percentage of their customers and user accounts are either compromised or criminal and invest accordingly,” he added.

He said new account registrations using spoofed and synthetic identities saw the highest rate of attacks, followed by account logins and payment fraud. About 10 percent of new accounts at online services originate from a cybercriminal.

New account registrations include applying for new lines of credit, creating a profile on a social networking site or marketplace and enrolling in an authentication scheme.

Mr. Faulkner said the most common form of stolen-identity fraud is human- or bot-generated attacks directed through proxies and Virtual Private Networks (VPNs) intended to disguise the true origin of the attacker. These bypass IP-address-based geo-filter blacklists, which also have the downside of unknowingly blocking legitimate visitors.

“The economic impact of these attacks varies by industry,” he added. “However, the common thread is that without automated visibility into the true device, persona, relationship and global behavior, the only alternative is additional verification roadblocks put in front of legitimate customers and extended review and hold-out periods.”

Payments Fraud

Payments fraud attempts, which include online credit card transactions and money transfers, increased from 3.1 percent to 6.4 percent over the six months ending in March 2013.

Mr. Faulkner explained the trends:

  • Sophisticated credit card cyber gangs adopting banking malware, normally used to hijack bank accounts, to steal full credit card information from customers as a fake verification step when attempting to log into a bank account
  • Increase in percentage of digital goods sold by ThreatMetrix customers that historically have a higher incidence of attack
  • The increased availability and adoption of free and commercial VPN services and the growing use of Platform-as-a-Service (PaaS) providers by cybercriminals to set up ad hoc tunneling protocols. VPNs are favored by cybercriminals because they are impervious to proxy piercing technologies and undetected by traditional IP proxy detection services.

Account Takeover

Based on data taken from October 2012 through March 2013, ThreatMetrix customers saw account takeover attempts nearly double (168 percent). These types of attacks have traditionally focused on banking and brokerage sites, but have recently escalated across e-commerce sites that store credit card details and Software-as-a-Service (SaaS) companies that hold valuable customer data and do not yet have the heightened level of protection that banking sites have.

ThreatMetrix has seen a rise in the sophistication of account takeover attempts using blended attacks to exploit companies that do not have an integrated solution for malware, device identification and bot protection.

They include:

  • Multi-stage malware exploits: Malware, typically using Man-in-the-Browser (MitB) Trojans, is used to extract login and setup verification credentials from a customer; those credentials are then used by a separate device or third party to avoid server-side MitB detection capabilities.
  • Multi-stage scripted attack exploits: Automated bot attacks test previously breached credentials from third-party sites, exploiting the fact that many people reuse user names and passwords. After checking account balances or verifying whether an account has a stored credit card, a second attack is launched, typically done manually, to avoid any server-side bot detection.

Whew. So that’s more evidence that businesses need to be diligent in operating their Web sites and preparing with precautions and response philosophy.

Not only that, but most small businesses make you vulnerable to credit card fraud and identity theft.

From the Coach’s Corner, here are more IT resource links:

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

Richard Clarke


Security Needs Update: Russian Hackers Steal 1.2 Billion Passwords



About 1.2 billion Internet usernames and passwords from hundreds of thousands of Web sites and 500,000 e-mail addresses have been stolen by a Russian crime syndicate, according to an Aug. 5, 2014 report in The New York Times.

This should revive interest in the movement to eliminate passwords.

Google’s efforts in 2013 to make the Internet more secure by eliminating the use of passwords have already drawn praise from one of the nation’s leading authorities on digital security.

“The premise is indeed interesting and is most likely destined to become reality,” says Stan Stahl, Ph.D., at Citadel Information Group, www.citadel-information.com, in Los Angeles.

Published reports including “Google Prepares to Leave the Password Behind” in PC Magazine indicate Google wants to use “a tiny cryptographic USB card called a YubiKey with a modified version of Google Chrome.”

Google ostensibly wants to make a gadget available that would corroborate the identity of users on all machines from computers to mobile phones.

“Passwords are challenging and difficult for people,” acknowledges Dr. Stahl. “Strong passwords are hard to construct – in part because we do a lousy job of instruction.”

It can be a tedious process if you have a lot of passwords.

“Strong passwords are hard to remember,” says the security guru. “And when we need several of them, they become very hard to manage.”

Feasible alternative

“Replacing passwords with authentication devices could have the positive benefit that both the web site and the user will be able to authenticate the other,” says Dr. Stahl.

“Right now, it’s often too easy for a fraudulent web site [set up by a cybercriminal to steal your information when you visit, for example] to look legitimate to an unsuspecting visitor,” he adds.

“Done right, an authentication device could authenticate the user to the site and the site to the user,” asserts Dr. Stahl.

But what if the device is lost or misplaced? Indeed, the PC article reports Google probably has a solution.

The search engine has “developed a Google-independent protocol that requires no special software to authenticate a security device. It even includes measures to prevent websites from tracking users via their security devices, and only requires that the user be running a browser that supports the protocol.”

The Google approach appears to be easier and more secure than passwords. However, don’t get complacent and start celebrating.

“…no technology – including technology that replaces passwords – is a silver bullet in the fight against cybercrime,” cautions Dr. Stahl.

“A cyber criminal who takes control of the computer you use to access your bank account will have your access to that bank account, whether you gain access through a password or through an authentication device,” he adds.

From the Coach’s Corner, visit Dr. Stahl’s informative security blog, where you can sign up for his complimentary security updates.

More of Dr. Stahl’s expert opinions:

BYOD, Mobile-Banking Warnings about Security Prove Prophetic — Not to be gauche, but in 2009 you saw the Internet security warning here first – mobile banking is so risky an IT security guru said don’t do it. The warning was prophetic.

5 Safety Measures to Thwart Mounting Social-Network Attacks — An epidemic of social-networking attacks represents unprecedented dangers to companies. Here’s how a Facebook user cost her company a $1 million loss.

Who Profits from Android’s Security Issues? Not Users — Countless headlines detail the cyber dangers of Android-based devices. It has to do with the apps.

Cyber Security Legislation that Affects Your Business — A data-breach bill has been re-introduced in the U.S. Senate that would regulate how businesses behave – informing customers when their personal information has been stolen. Actually, you should take the enclosed precautions even if the law doesn’t pass.

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records — Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following a burglary of a doctor.

“Criminals should be punished, not fed pastries.”

-Lemony Snicket


Internet Criminals Pose Bigger Threat than Terrorists – FBI



Feb. 4, 2012 –


A Web security study has found that the vast majority of organizations that allow employees to freely access the Web are experiencing high rates of malware threats, including phishing attacks, spyware, keyloggers and hacked passwords.

Web-borne attacks are impacting businesses, with the majority of them reporting significant effects in the form of increased help desk time, reduced employee productivity and disruption of business activities.

Little wonder the U.S. government along with state and local agencies, businesses and consumers should all heed ominous testimony before Congress. Then-FBI Director Robert Mueller warned “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.”

That was his January 2012 message to the U.S. House Permanent Select Committee on Intelligence in discussing the importance of the Internet.

“The theft of intellectual property, the theft of research and development, the theft of the plans and programs of a corporation for the future, all of which are vulnerable to being exploited by attackers,” Mr. Mueller testified.

Mr. Mueller warned it’s imperative for the FBI and federal government to get more proficient in analyzing, gathering and sharing information. He also requested appropriate legislation.

Indeed, we see proof of his admonition in news headlines almost daily, which has prompted countless Biz Coach articles about cyber attacks with tips for Internet security.

WIFI warning

The most-read Biz Coach article of all time quoted Stan Stahl, Ph.D., a nationally recognized security expert: Using Starbucks’ WIFI, a Security Pro Issues Warning and Security Checklist.

Also highly read is our article, Mobile-Banking Warnings about Security Prove Prophetic.

Don’t forget about healthcare. It’s vital to understand why many healthcare workers are responsible for an alarming trend: Medical ID theft.

Here’s a lesson about passwords after the theft of 16,000+ UCLA patient records.

“We’ve seen Israeli and Palestinian cyber-vigilantes launch DDoS attacks against each other’s web sites,” Dr. Stahl explained.

“What happens when radical organizations discover they can launch a DDoS attack against their enemies?” he asked. “We should not be surprised to see the Internet become a battleground in America’s culture wars.”

Stan Stahl on Bloomberg

Key questions for organizations

Dr. Stahl recommends that all organizations answer four key questions:

  1. Are we gathering the information we need to understand our cyber threat and the quality of our cyber defenses?
  2. Are we effectively analyzing this information, using it to better secure our information?
  3. Are we sharing it with the necessary parties?
  4. In particular, is management getting the information they need to proactively manage information risk?

“One highly critical defensive measure, for example, is to rigorously keep software patched,” he added. “One of the easiest ways for a cyber criminal to take control of a computer is to exploit a vulnerability in unpatched software.”

Dr. Stahl’s firm, Citadel Information Group, is regularly asked to help businesses.

“Patching needs to be on the weekly must-do list of every IT department and IT vendor,” he explained. “Yet, when we assess the patch levels of organizations, we are not surprised to often see more than 100 unpatched vulnerabilities on desktops.”

Questions for IT departments

To information technology departments, he poses these five questions:

  1. Does IT gather vulnerability information?
  2. Do they analyze it, taking appropriate action to keep vulnerabilities to a minimum?
  3. Is it shared with senior management?
  4. Does senior management know that IT must patch vulnerabilities to comply with laws like HIPAA/HITECH or contractual obligations like the payment card industry’s data security standard?
  5. Does senior management regularly monitor “weekly vulnerability trends?”

“Human nature being what it is, cyber crime and hacktivism will likely get worse before things get better,” he concluded. “While we can hope to avoid cybergeddon, we also have to remember that hope is not a strategy.”

Amen. You can keep yourself updated by subscribing to Dr. Stahl’s Weekend Patch and Vulnerability Report.

From the Coach’s Corner, here are more Internet security resource links:

Don’t Wait for Cyber Security Legislation that Affects Your Business — Not likely to pass, a data-breach bill has been re-introduced in the U.S. Senate that would regulate how businesses behave – informing customers when their personal information has been stolen. Passage or not, businesses should act on their own. It’s the right thing to do.

5 Safety Measures to Thwart Mounting Social-Network Attacks — Sally, the accounting manager of a medium-sized business, regularly checked her Facebook account while at work. One day she received an e-mail. The e-mail said that a long-lost friend, Bob, had added her as a friend in Facebook. By clicking on the e-mail link, Sally cost her employer nearly $1 million.

Security Precautions to Take Following Citibank’s Second Reported Online Breach — Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps. The bank’s May 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers…organizing your lives, staying in touch with people, being creative…if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.”

-Bill Gates


More Cybercrime Serves as Warning to Take Defensive Precautions



Cybercrime is only getting worse. Every week there are revelations about hackers.

From both sides of the Atlantic Ocean, here are some examples of countless crimes:

Countless consumers were affected when hackers invaded grocery chain Albertson’s in 2014. Authorities including the Secret Service are investigating the hacking of retailer Target in 2013 — hackers stole credit and debit card data from 40 million customers.

In New York, six Estonians and one Russian were charged in November 2011 by authorities with cybercrimes on a massive scale.

Victims include the National Aeronautics and Space Administration, other government agencies, businesses and 500,000 people. 

In the U.K., 13 people were sentenced to jail terms over their use of malware in banking fraud totaling 2.9 million British pounds, or $4.6 million. Hundreds of people were victimized. 

These stories are another lesson to take cybercrime seriously.

For best practices in thwarting cybercriminals, I always turn to nationally recognized security expert Stan Stahl, Ph.D., of Citadel Information Group in Los Angeles.

His tips:

1. Keep systems patched with the latest updates. (His security blog, Weekend Vulnerability and Patch Report, lists major updates for software typically found in small offices and home computers.)

2. Run up-to-date anti-virus anti-malware software – or what is even better, a strong intrusion detection and prevention solution.

3. Use strong passwords for access to sites with sensitive information. Password length is more important than randomness; size matters. “2HelloPepper#” is a much stronger password than “Ab$%16vF”, and it’s a lot easier to remember.

“Be extremely sensitive to social engineering attacks,” Dr. Stahl adds. “Don’t open email attachments or click on links in emails unless the email is from someone you know and is expected.”

Indeed, we see proof of his admonition in news headlines almost daily, which has prompted countless Biz Coach articles about cyber attacks with tips for Internet security.

WIFI warning

The most-read Biz Coach article of all time quoted Dr. Stahl about using Starbucks’ WIFI.

Also highly read is our article, Mobile-Banking Warnings about Security Prove Prophetic.

Don’t forget about healthcare. It’s vital to understand why many healthcare workers are responsible for an alarming trend: Medical ID theft.

For more of Dr. Stahl’s insights, visit his Web site.

(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are more security strategies:

Security Precautions to Take Following Citibank’s Second Reported Online Breach — Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps. The bank’s May 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records — Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following a burglary of a doctor. The information was on a computer hard drive stolen from the doctor’s home, according to an article in The New York Times (UCLA Health System Warns About Stolen Records). Medical records of the patients included addresses, birth dates and medical information covering July 2007 to July 2011.

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft — A whopping 79 percent of companies in the U.S. and U.K. experienced Web-borne attacks, according to data released in 2013. These incidents continue to represent a significant threat to corporate brands. Results from a Web security study show that almost all of the Web security administrators agreed that Web browsing is a serious malware risk to their companies.

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy? — Not likely to pass, a data-breach bill has been re-introduced in the U.S. Senate that would regulate how businesses behave – informing customers when their personal information has been stolen. Passage or not, businesses should act on their own. It’s the right thing to do. The “Data Security and Breach Notification Act of 2012” died in committee and was re-introduced as S. 1193 again in June 2013 but has stalled.

Surprise — Cyber Criminals Chew up Apple Products, too — For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. If you’ve got an iPhone, get busy. Apple continues to have bugs and security issues. Apple was forced to release an update just a few days after the rollout of its iOS 8 in late Sept. 2014.

“Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.”

-Chris Pirillo


Security Precautions to Take Following Citibank’s Second Reported Online Breach


Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps.

The bank’s May 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

None of the reports I found pointed out that it was Citibank’s second reported major security issue in just 18 months.

Soon after the bank’s first breach was reported, it seemed as though the security issue was buried. There weren’t any follow-up reports.

That’s when I wrote the column, How to Protect Yourself from the Internet Crime Wave, quoting Stan Stahl, Ph.D.

He’s a nationally known security expert based in Los Angeles.

Over the years, Dr. Stahl has been a valuable resource – some of the most-widely read Biz Coach articles have included his expert opinions.

Here are the three most read articles:

A security expert I’m not, but I’ve learned from Dr. Stahl’s valuable insights.

Advice for bank customers

In addition to the tips in the above columns – whether you’re a Citibank customer or not – I’d suggest immediately taking these defensive computer measures:

  1. Change all log-in information. That means all banking, retail credit card and e-mail passwords and information.
  2. Make certain that you don’t use the same password twice.
  3. Install adequate firewall and anti-virus protection on your computer.
  4. To limit your exposure, use one dedicated computer for your financial information. Never use it for social media networking.
  5. Review all privacy and policy information.
  6. Avoid using your debit card online. At least personal credit cards offer liability protection under federal regulation. But business banking is not federally protected – it’s left up to individual banks, so check your bank’s policies regarding your company’s accounts.
  7. Don’t conduct financial transactions over WIFI.
  8. Don’t do mobile banking.
  9. If you get an e-mail allegedly from your financial institution, act like an all-pro football defensive end. Prevent an end run. Assume it’s a fraud. If you must communicate with your financial institution, make a telephone call or a personal visit.
  10. When doing your online banking, be sure to type in the financial institution’s Web address in your browser.
  11. Regarding the security questions, be creative and don’t list the right answer, which might be obvious to any hacker who learned about your personal situation.
  12. Check your financial accounts daily.
  13. If your account is compromised, quickly take appropriate action.

Business strategies

For your company’s management controls, Dr. Stahl has previously recommended taking six precautions:

  1. Don’t allow your employees to use your computers in social networking.
  2. Establish a list of allowable web-sites.
  3. Closely monitor your bank account.
  4. Train employees in social engineering awareness.
  5. Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
  6. Strengthen your defenses.

Cybercriminals, I’m sad to say, are here to stay. Do your due diligence.

From the Coach’s Corner, here’s Dr. Stahl’s Web site.

“In a world in which the total of human knowledge is doubling about every ten years, our security can rest only on our ability to learn.”

– Nathaniel Branden


Security Checklist: What You Really Need to Know to Stay Web Safe



If you Google the keywords, “cyber security,” you’ll get thousands of search results. Internet security is a nightmare for business, the public sector and consumers. Unfortunately, published advice is well-intentioned, but often misses the mark.

There’s no room for error in cyber security precautions. It isn’t as simple as getting a watch dog to provide Internet security.

A case in point:

An advice article on Internet security at SeattlePI.com caught my eye, not because it contained great information, but because the article didn’t seem to be on target.

It featured the opinions of David Perry, the global director of education for TrendMicro. Having written dozens of tech columns here, I sensed something was amiss. The article was certainly intended to be helpful, but it didn’t seem right.

Not to pick on reporter Casey Newton, but I was left wanting more and better information. It seemed to be nothing more than PR fluff for TrendMicro.

So, I sent the article to a nationally known security expert, Stan Stahl, Ph.D., in Los Angeles (www.citadel-information.com). Does Dr. Stahl agree with Mr. Perry?

Here are his responses to the four points:

David Perry: “Make sure your computer isn’t infected already.”

Dr. Stahl: Yes. By all means scan. Even use Trend Micro’s HouseCall. But don’t be lulled into a false sense of security. Remember that the most serious attacks like 0-days and drive-bys are written to get past antivirus programs.

That’s why we publish our “Weekend Vulnerability and Patch Management Report.”

David Perry: “Avoid exposing your credit number.”

Dr. Stahl: More important than this item 2 is to (i) always make sure you’re running https and not just http before entering your credit card info and (ii) if given the option, don’t let smaller retailers store your credit card numbers [they’re less likely to have proper security].

David Perry: “Use protection.”

Dr. Stahl: Definitely use protection, but don’t forget to keep all your programs patched and run a good spam filter. That’s what makes this so misleading; it conveys the impression that running antivirus is enough. It’s not! Users can subscribe to our blog and update their computer in accordance with our “Weekend Vulnerability and Patch Management Report.”

David Perry: “Watch where you click.”

Dr. Stahl: Yes; never click a link in an email and always check the seller’s reputation. The part about buying from the manufacturer is bogus.

Dr. Stahl, thank you for your usual valuable insights.

(Note: I’ve known Dr. Stahl a long time and consider him the go-to security expert. He and I have been members of Consultants West, www.consultantswest.com, a roundtable of veteran consultants that meets in Los Angeles.)

From the Coach’s Corner, here’s an online safety checklist from Dr. Stahl:

Cybercriminals want your bank account and credit card numbers so they can take your money and use your credit while stiffing you with the bill. They want your social security number so they can apply for credit in your name, stealing your identity. They have even begun selling stolen medical insurance information.

Cybercriminals steal your sensitive personal information by taking control of your computer. This control also lets them install rogue programs on your computer, turning your computer into a zombie under their control, the cyber-equivalent of Night of the Living Dead. These control programs make money for the cybercriminals by sending spam, displaying pop-up ads, and committing sophisticated computer crime.

Cybercriminals take control of your computer by exploiting four weaknesses:

  1. Every computer program running on your computer has subtle programming errors (vulnerabilities) that cybercriminals exploit to take control of your computer.
  2. Legitimate internet web sites often fail to prevent cybercriminals from installing malicious programs on their web sites. When you visit these sites, these malicious programs silently install Trojan horses and other malware on your computer.
  3. Default settings for many computer programs make it easy for cyber criminals to take control of your computer.
  4. Users often don’t know what they need to do to minimize the dangers and risks of cybercrime, particularly the need for defense-in-depth.

Defense Strategy 1: Keep Cybercriminals Off Your Computer

  • Keep Systems Patched: Software manufacturers issue program updates containing patches to fix known vulnerabilities. Set Microsoft Windows and Office to automatically update. Manually update other programs like Adobe Acrobat, iTunes, Flash and Java.
  • Limit Exposure: Create separate accounts for all family members. This is done in the Control Panel. Set account type to “Limited” unless the account needs to run programs as “Administrator.” This will make it harder for cybercriminals to install malware on your computer.
  • Protect Your Desktop: Install a reputable antivirus / antispyware product & keep it up-to-date. If you’re technical, run Firefox with the NoScript add-on inside of Sandboxie and install a host intrusion prevention system. Sophisticated cybercriminals can get past basic antivirus/antispyware software. Antivirus is necessary. It is not sufficient.
  • Secure Your WiFi: If you have a wireless network, encrypt it with WPA2 encryption. Otherwise anyone near you can eavesdrop on your communications and piggy-back on your connection.
  • Stay Away from P2P Networks: Don’t run Peer-to-Peer or other file sharing programs, such as Kazaa, Limewire or BitTorrent. These networks provide strangers access to your computer.
  • Beware of Scams, 1: Don’t click on web-site ads or pop-ups offering to scan your computer for free. Cybercriminals love to take advantage of people’s fear of getting a virus. Instead of scanning your computer, these programs will infect it. Always be wary.
  • Beware of Scams, 2: Don’t open unusual or unexpected attachments, not even from people you know. It’s easy to send an email so it looks like it came from someone else. Also, how do you know your friend’s computer hasn’t been taken over? Always be wary.
  • Beware of Scams, 3: Don’t follow links in unfamiliar or unusual emails, especially those requesting your user names, passwords, or financial information. A SPAM filter can help you avoid these e-mails but you must be on guard for emails that get past your SPAM filter. Always be wary.

Defense Strategy 2: Be Careful With Your Financial Information On-Line

  1. Don’t send your Social Security Number, bank account numbers or credit card numbers in unencrypted email.
  2. Use different strong passwords [8+ characters, upper & lower case, numbers, characters] for all eCommerce websites. Use Password Safe or RoboForm to securely manage online passwords.
  3. Only buy on-line from merchants using SSL, which means the website address begins with https://. Look for the “lock” on the title bar of Internet Explorer or Firefox’s lower right corner.
  4. Use a credit card rather than a debit card when shopping on-line. Link PayPal to your credit card, not your bank account. Federal law limits your credit card exposure to $50. There is no corresponding limit if you use a debit card (even though many banks cover debit card fraud).

“Security is always excessive until it’s not enough.”

-Robbie Sinclair

Defense Strategy 3: Protect Your Information Away from Home

  1. Keep your laptop with you at all times. Never leave it unattended in your car.
  2. Keep WiFi and Bluetooth turned off except when you are using them.
  3. Encrypt the hard drive of your laptop, protecting it with a strong 15+ character passphrase. If you lose the laptop, the information is still safe. You can get free encryption software at http://www.truecrypt.org/.
  4. Never use a public computer, Kiosk, or public WiFi for online banking, shopping or to access sensitive information. Since you don’t know how secure these are, prudence requires you to assume they are insecure.

Defense Strategy 4: Watch Your Credit

  1. Subscribe to a basic credit monitoring service (AAA California offers members a free service).
  2. Regularly review your bank, credit card and investment accounts for fraudulent activity.

Defense Strategy 5: Better Safe Than Sorry

  1. Always think about the information you are giving out.
  2. When in doubt, don’t.
  3. Stay up-to-date by reading our blog.

From the Coach’s Corner, more articles featuring the expertise of Dr. Stahl:

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records — Another massive theft of thousands of medical records prompts these tips on passwords from Dr. Stan Stahl, a nationally recognized security expert.

What Your Company Can Do to Combat the Malware Epidemic — The nation’s leading Internet security expert, Dr. Stan Stahl, agrees with McAfee that an epidemic of malware has been unleashed on the Web, and he provides solutions.

Using Starbucks’ WIFI? Expert Issues Warning, Security Checklist — The WIFI offering by Starbucks has prompted a security warning and checklist from a go-to Internet security guru, Dr. Stan Stahl.

Security Expert Warns about Using App that Emails Money — A service by a company called Square Inc. will allow you to e-mail money to your friends free-of-charge. But an IT security expert issues a warning.

Surprise — Cyber Criminals Chew up Apple Products, too — For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. If you’ve got an iPhone, get busy. Apple continues to have bugs and security issues.



Image courtesy of Stuart Miles www.freedigitalphotos.net


BYOD, Mobile-Banking Warnings about Security Prove Prophetic



With businesses allowing BYOD and the escalating malware abuse, cybercriminals are so successful in invading smartphones, it’s leading to a security services industry totaling $1.88 billion.

That’s the finding in an ABI Research 2013 report.

BYOD is the acronym for bring your own device. In trying to save money, many businesses mistakenly allow workers to use their own cell phones in their duties at work. (See Do BYOD Headaches Outweigh Benefits? Yes.)

Furthermore, a government task force has warned mobile users about another malware threat.

The Internet Crime Complaint Center (IC3) warns the malware is especially dangerous for Androids. The malware strains that trick Android users are called Loozfon and FinFisher, and IC3 issued security tips for users.

Nervous bankers

In addition, there’s another warning about mobile banking, this one from the American Bankers Association in a published report: “Why corporate mobile banking is scary.”

The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high net worth executives. Retail mobile banking refers to use by the masses. 

Not to be gauche, but in 2009 you saw the warning about retail mobile banking here first.

So now, bankers are concerned about the dangers of corporate mobile banking.

Stern warning

Mobile banking is so risky an IT security guru said don’t do it. That was the online security warning on Sept. 7 from the authoritative Dr. Stan Stahl of Citadel Information Group in Los Angeles.

Dr. Stahl’s analysis in my column included this stern warning: “All in all, cell phone on-line banking is a big NO!!!” (Web Security Checklist and Warning about Mobile Banking.)

It was a very popular column in terms of readership. But it also incurred reactionary venom from a mobile-banking marketer and his friends. Ordinarily, readers are given space to comment on my columns. However, his crude sarcasm regarding Dr. Stahl’s expert analysis and my alleged chutzpah in publishing the column was offensive.

After mulling it over a day or so I decided not to give him space on this site. He had crossed the line of civility.

After more than a year had transpired I had, of course, forgotten about the incident.

Disturbing mobile-banking headline

Then, this disturbing headline in Digital Trends on Nov. 5, 2010: “Major mobile banking app security holes uncovered.”

Here’s an excerpt:

You might not want to check your bank account from your phone after all. Mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes, reports research firm viaForensics and WSJ. The bugs center mainly around iPhone and Android versions of the apps, and could potentially allow a hacker to learn your username, password, and some financial information. In other words, this is bad.

Yes, you’re reading correctly about this information technology red flag. Published reports indicate there have been mobile-banking security lapses on iPhone and Android apps at USAA, Chase, Wells Fargo, Bank of America and TD Ameritrade.

Whoa! It’s time to check with Dr. Stahl, a nationally recognized expert, for his typically astute response. (Visit his Web site, www.citadel-information.com, and you’ll understand why I implicitly trust his opinions.)

“This… is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more ‘intellectually humble’ when we talk about how secure something is,” he responded. “Right now, the cyber criminals are winning,” he wrote. “They are winning in part because too many people have a false sense of their own security.”

Prior experience

Dr. Stahl’s security credentials are impressive as a consultant and so is his prior experience, which includes many years in the aerospace industry “securing critical national security software.”

“I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack,” he recalled. “I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake.”

He knows the challenges and expense that go into producing high-quality software.

“We’re taught that pride goeth before the fall,” he added. “That is certainly true in the battle against cyber crime. That’s why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.”

Hmm – intellectual humility. That’s a term I’d also use to describe Dr. Stahl. He’s been my go-to source for authoritative information since 2004. He’s a true gentleman, a philosopher and he’s assertive in responding to security questions.

“Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis,” Dr. Stahl wrote in explaining his approach. “Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise,” he believes. “We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

“The challenge is that, human nature being what it seems to be, our intellectual humility doesn’t easily carry over to domains where we lack firsthand knowledge and experience,” he opines. “We tend to over-simplify in those places we know little about. This isn’t usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we’re all on the Internet it’s as if the lion is right next door. And he’s hungry.”

Response to mobile-banking marketer

As for the sarcastic, mobile-banking marketer from 2009, Dr. Stahl commented:

“We can’t expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system,” he pointed out. “Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

“You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches,” he continued. “And, lacking the experience, these otherwise well-meaning men and women don’t understand the necessity of being intellectually humble in the presence of complex software.”

Dr. Stahl’s bottom-line

“That’s why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: ‘Trust. But verify.’ Do him one better: drop the trust.”

Well said, Dr. Stahl. Thank you.

(Disclosure: Dr. Stahl and I are both members of a roundtable of veteran consultants that meet in Los Angeles; Consultants West, www.consultantswest.com, has experts from many sectors.)

From the Coach’s Corner, also regarding Internet security and Dr. Stahl’s analysis, here is the all-time most-read Biz Coach column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

“Once they get their hooks into you, you’re a dead pigeon.”

-Bud Abbott







Is Your Business Insured for Cyber Theft? No? Read this!



On a regular basis, cybercriminals are creating hardship for businesses and consumers. Have you heard the story about a Texas company that was struggling to get its bank to pay for a $50,000 cyber theft?

You will want to hear about it, if you own a business. An August 2010 post by security blogger Brian Krebs will shock you.

“Attorneys for Dallas-based Hi-Line Supply Inc. recently convinced a state court to require depositions from officials at Community Bank, Inc. of Rockwall, Texas,” wrote Mr. Krebs.

“Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company’s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line,” he explained.

Ostensibly, the comments in the deposition are locked up, but the lawyers maintain the bank is guilty of security incompetence and a lawsuit was probably the next step.

Attorney comments

“In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the Texas Deceptive Trade Practices Act, fraud, and breach of warranties, among other things,” said Michael Lyons, a partner with the Dallas law firm Deans Lyons.

The fraud apparently began when Hi-Line processed its $25,000 payroll, according to Gary Evans, the firm’s president.

“After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24,” explained Mr. Krebs.

“Evans said he had trouble logging in to his account on Thursday and had the bank reset his password, but the fraudulent transactions hadn’t showed up on his account at that time. He said he took that Friday off as he always does, and when he tried again to log in after returning to work on Monday, he again found the bank’s site would not accept his password,” he added.

Senses trouble

“When I finally got the bank to reset my password and got into my account, I noticed the duplicate payroll batches and said ‘Why are you all pulling my payroll out three times?’”

Mr. Krebs quoted Mr. Evans about his recollection of how he came to realize his firm had been robbed. “At the time, as I was resetting my password, I had to scroll through the bank’s online customer agreement, which basically said the bank is not responsible for any fraud. I should have known at that point that they were not going to take any responsibility for this at all.”

Bank should have taken notice?

“Evans said the bank should have detected that something was amiss, and not just because of the unusual and repeated payroll batches,” wrote Mr. Krebs. “He said the crooks accessed his account from five different Internet addresses with locations that were nowhere near Texas, including from computers located more than 1,300 miles away, in Washington, D.C. and Maryland.”

The blogger says Community Bank did not respond to his request for a comment, but its deposition claims the cybercriminals “had infiltrated Evans’ computer with a virus and used it to steal his online banking credentials, which included a user name, password, PIN and several challenge/response questions.”
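The red flags Mr. Evans describes (payroll batches of nearly identical amounts a business day apart, logins from IP addresses far from Texas, and transfers right after a forced password reset) are the kind of signals a bank's transaction monitoring can check mechanically. The toy detector below is an added illustration written for this column, not code from Mr. Krebs, Community Bank or Dr. Stahl; every event, IP address and coordinate in it is constructed to mirror the reported timeline, and the 500-mile, 10% and 4-day thresholds are assumptions.

```python
"""Toy detector for three red flags in an online-banking event stream:
near-duplicate batches days apart, logins from far away, and transfers
shortly after a password reset. All sample data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8


@dataclass
class Event:
    ts: datetime
    kind: str              # "login", "password_reset" or "batch"
    ip: str = ""           # source address (constructed, documentation ranges)
    lat: float = 0.0       # geolocation of the source IP (constructed)
    lon: float = 0.0
    amount: float = 0.0    # only meaningful for kind == "batch"


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def duplicate_batches(events, window=timedelta(days=5), tolerance=0.10):
    """Flag a batch whose amount is within `tolerance` of an earlier batch
    submitted inside `window`. Repeated payroll runs were the first red flag."""
    batches = sorted((e for e in events if e.kind == "batch"), key=lambda e: e.ts)
    flagged = []
    for i, later in enumerate(batches):
        for earlier in batches[:i]:
            if (later.ts - earlier.ts <= window
                    and abs(later.amount - earlier.amount) <= tolerance * earlier.amount):
                flagged.append(later)
                break
    return flagged


def distant_logins(events, home_lat, home_lon, max_miles=500.0):
    """Flag logins geolocated more than `max_miles` from the customer's usual location."""
    return [e for e in events if e.kind == "login"
            and haversine_miles(home_lat, home_lon, e.lat, e.lon) > max_miles]


def batches_after_reset(events, within=timedelta(days=4)):
    """Flag transfers that follow a password reset within `within`. A reset forced
    by 'the site would not accept my password' is itself a symptom of a hijacked
    account, so money leaving soon afterwards deserves a second look."""
    resets = [e.ts for e in events if e.kind == "password_reset"]
    return [e for e in events if e.kind == "batch"
            and any(timedelta(0) <= e.ts - r <= within for r in resets)]


def detect(events, home_lat, home_lon):
    """Run all three checks and return the flagged events keyed by rule name."""
    return {
        "duplicate_batches": duplicate_batches(events),
        "distant_logins": distant_logins(events, home_lat, home_lon),
        "batches_after_reset": batches_after_reset(events),
    }


def run_demo():
    """Constructed timeline following the dates reported for August 2009.
    Dallas is the customer's home location; the other points are far away."""
    dallas = (32.78, -96.80)
    dc = (38.91, -77.04)        # Washington, D.C.
    md = (39.29, -76.61)        # Maryland
    t = datetime(2009, 8, 20, 9, 0)   # Thursday
    events = [
        Event(t, "login", "203.0.113.5", *dallas),
        Event(t + timedelta(minutes=15), "batch", amount=25_000.00),  # legitimate payroll
        Event(t + timedelta(hours=5), "password_reset"),              # Thursday lockout
        Event(t + timedelta(days=1, hours=1), "login", "198.51.100.7", *dc),
        Event(t + timedelta(days=1, hours=1, minutes=5), "batch", amount=24_900.00),
        Event(t + timedelta(days=4, hours=-1), "password_reset"),     # Monday lockout
        Event(t + timedelta(days=4), "login", "198.51.100.9", *md),
        Event(t + timedelta(days=4, minutes=10), "batch", amount=25_100.00),
    ]
    return detect(events, *dallas)
```

In the constructed run, the legitimate Thursday payroll trips none of the rules, while both later batches and both out-of-state logins are flagged.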

Money mules

Mr. Krebs indicated the thieves pulled it off with the unknowing help of what are called money mules.

“Among those lured into the scam was Josh Enlow, a 28-year-old gas station attendant in Phoenix,” he wrote. “Enlow said he was hired by an entity calling itself The Total Group Co., which initially contacted him in an e-mail stating it had found his resume on a job search Web site, and would he be interested in an ‘accounts payable’ position?”

Reportedly, Mr. Enlow received several fund deposits and was asked to forward the money.

“He then wired the money to individuals in Eastern Europe as instructed, he said,” wrote Mr. Krebs.

Burden of proof

“If the customer wants the bank to reimburse it for fraud losses, it’s up to the customer to prove that the bank’s security procedures are not commercially reasonable…” says IT security expert Stan Stahl, Ph.D. (http://citadelonsecurity.blogspot.com).

“The result, all too often, is that the customer has little choice but to sue the bank,” he adds.

But Dr. Stahl says there are reasons for such victims to hope:

“There’s a very good chance the bank’s procedures fail the test of commercial reasonableness,” writes Dr. Stahl.

But he adds the burden of proving a bank is at fault is “huge.”

He says one solution is cyber theft insurance.

He’s right, of course. My counsel is also to have a top-notch security advisor perform due diligence, and to make sure you really know your bank.

From the Coach’s Corner, here are related security tips:

Small Business Tips to Protect Your Bank Accounts – Imagine for a moment. You’re sitting at your desk enjoying a second cup of morning coffee. Then, your phone rings. It’s a call from your bank to discuss possible fraud.

The New Face of $1 Trillion in Cybercrime on Business – Account Takeovers, Credit Card Fraud – Business Web sites are facing an increasingly intense full-court press from cybercriminals – the aggregate cost of cybercrime annually, which includes prevention strategies, has exceeded $1 trillion.

Strategies for Retailers to Prevent E-Commerce Fraud – Merchants are certainly aware of online fraud and 65 percent are trying to fight it, but their efforts aren’t working according to a study.

“Privacy is not for the passive.”

-Jeffrey Rosen






Using Starbucks’ WIFI? Expert Issues Warning, Security Checklist



At first glance, the free WIFI service at Starbucks seems like a great idea for mobile professionals. Starbucks’ free Internet service was a response to growing competition.

McDonald’s upgraded coffee offerings and free WIFI, which have proved to be popular since the economic downturn. Starbucks launched its WIFI on July 1, 2010.

But the WIFI offering by Starbucks prompted a security warning and checklist from a go-to Internet security guru, Stan Stahl, Ph.D., of Citadel Information Group in Los Angeles.

Stan Stahl, Ph.D. — www.citadel-information.com

His commentary was entitled, “Free WIFI at Starbucks – Reminder of Cybersecurity Risk.”

“While most of the common risk is eavesdropping, one cannot overlook the risk of computer compromise,” writes Dr. Stahl.

His five security recommendations:

  1. No online banking or other eCommerce
  2. No e-mail containing sensitive information except via an approved encrypted link from PC to Mail Server
  3. Keep anti-virus or host intrusion software up-to-date
  4. Make sure software patches are up-to-date
  5. Use VPN (virtual private network) for access to your office

Respectively, here are Dr. Stahl’s Web site and blog addresses: www.citadel-information.com, www.citadelonsecurity.blogspot.com.

From the Coach’s Corner, Dr. Stahl’s expertise is also quoted in these Biz Coach articles:

How to Protect Your Bank Account from the Internet Crime Wave — For Citibank customers and millions of other consumers who enjoy the convenience of online banking, a headline about Internet crime was alarming.

Strategic Planning: List of Informative Web Sites — Knowledge is power – if you use it. Here are informative Web sites to help you develop a strategic plan.

Web Security Checklist and Warning about Mobile Banking — Here is an online security checklist and a stern warning about using mobile online services at your bank or credit union.

5 Safety Measures to Thwart Mounting Social-Network Attacks — An epidemic of social-networking attacks represents unprecedented dangers to companies. Here’s how a Facebook user cost her company a $1 million loss.

How China-Google Controversy Might Affect Business, Government Security — More fireworks between China and Google. But this time it’s from Chinese state media aimed at Google, Apple, Yahoo, Microsoft, Cisco Systems and Facebook. The Chinese journalists want the government to “to punish severely the pawns” of the U.S. government. The tech firms are accused of spying on China.

“You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”

-Daryl White

