security Archives - Foster Institute

Should You Trust Cloud Storage?

Mike Foster — Thu, 03 Oct 2013 06:00:03 +0000

iCloud, SkyDrive, DropBox, etc. – Are they secure? How do you know how much to trust “the cloud?” Here are the answers…

In most cases, when any service gets breached, they step up their security. One of the biggest reasons that services provide tight security is because they know their reputation depends on it. If they do suffer a breach, they might become more secure that anyone else – at least for a while.

Do this:

Any data that is non-sensitive in any way, feel completely confident using any of the “cloud” services. This is both for convenience (so you can share between devices and share with people outside of your organization) and or “backup” or archival purposes.

Any data that you deem as slightly sensitive, but the consequences of a breach would be minimal, store that information in the cloud too. When you are making your decision, assume there is a 10% chance that this data will be exposed while in the cloud. In reality, the chance of exposure is probably significantly less than 1%, at least from a technology standpoint. I want you to be overly cautious when you choose what not to put into the cloud. User and Employee error is also an important factor to consider.

For an added protection: Encrypt the files and data before you put it into the cloud. If you use a service to backup your computer to the cloud, make positive to set the proper settings to encrypt those backups.

For your most sensitive data, store it only on computers that you have direct control over. Do not store any data in the cloud if the loss of the data would be devastating to you, your business, or your customers who trust you with their sensitive information. Period.

The key to knowing what to (and what not to) put into the cloud is to categorize your data and consider risks vs. benefits. Cloud storage can save you time, money, and provide added functionality. Make informed decisions about what to store there.

The post Should You Trust Cloud Storage? appeared first on Foster Institute.

Viruses on Macs? Really?

Mike Foster — Thu, 03 May 2012 04:00:31 +0000

Really. Two recent outbreaks have Mac users thinking about whether they need to consider more security.

Early in April 2012, the Flashback Trojan infected an estimated 500,000 Mac computers. If you think your Mac may be infected, visit the link below to determine if it is and find step-by-step instructions to fix the problem: www.senki.org/check-your-mac-now-are-you-one-of-the-500000/

Flashback takes advantage of a problem in Java. Another virus named Sabpub came out shortly after Flashback and Sabpub exploits the same problem.

How do you protect yourself? Patch Java on your system—or remove it all together. Among others, use some of the same tried and true defenses:

Update your OS. Click on the apple symbol in the top left-hand corner of your screen and choose update.
Update your applications. Some of the most attacked are Java, Adobe Flash, and Adobe Reader.
Be careful what attachments you open and links you click on.
Be aware that you are at risk for what is known as a “drive-by-download.” Most attacks involve tricking a trusting user. The attackers become more cunning each time.
Anti-virus tools are getting better and better for Macs—especially now that the market demand is increasing.

Please post your comments on this blog.

The post Viruses on Macs? Really? appeared first on Foster Institute.

Be sure to enable device tracking on your mobile devices

Mike Foster — Thu, 29 Dec 2011 04:00:45 +0000

Someone stole my iPad. In November I realized my iPad was suddenly missing. Apple’s Find My iPhone showed the device to be in a parking lot just outside of a transportation company’s main office —I used the transportation service late the night before.

I phoned the company and they said they would have the iPad in the front office waiting to be picked up.

There was no sensitive data on the iPad, just in case something like this ever happened. Security features are enabled anyway.

When I arrived hours later the receptionist said they hadn’t heard anything about any missing devices. I checked and now Find my iPhone showed the device’s location to be about 30 miles away, complete with an address and a satellite view of a residence.

I asked if they had any idea why my iPad would be at such and such address. The helpful person at the desk said, “Can you wait a moment? I need to call the owner of my company.”

I was told that the address was that of an employee whom they’d had other problems with before. They informed me that, after the phone call, the owner had actually driven to the home, recovered the iPad, and terminated the person on the spot. Hopefully the owner isn’t the kind of terminator that Arnold Schwarzenegger portrayed in the Sci-Fi movie. I told them not to fire the guy—maybe he is just trying to feed his family and losing his job wouldn’t help him. It was just nice to know I’d have the iPad back soon.

Your device can tell you, “I’ll be back!” with that thick German accent, “Ahl be bock!”

Turn on a locating service for your device today.

Please post your comments on this blog.

The post Be sure to enable device tracking on your mobile devices appeared first on Foster Institute.

A surprising way employees steal from you

Mike Foster — Thu, 17 Mar 2011 04:00:00 +0000

Our CSI and physical security auditor knows that one of the most common ways employees steal from businesses is to throw something valuable in the trash.

Then, at night, they come retrieve the information or items from the garbage. They may be stealing office equipment, your products, or other physical objects. Additionally, they may steal copies of your invoices, work orders, client lists, and intellectual property.

They drop this in the trash and nobody really notices. Even when they come back to retrieve the goods from the trash, nobody pays much attention then either.

Watch the garbage practices at your organization!

Please post your comment on this blog.

The post A surprising way employees steal from you appeared first on Foster Institute.

The importance of physical security audits

Mike Foster — Thu, 10 Mar 2011 04:00:02 +0000

In addition to IT security audits, many organizations are also required to perform physical security audits as well.

It is easy to understand why physical security audits are required since, even if your IT security is wonderful, a burglar could easily break into a facility and steal intellectual property, products, and a number of items that could lead to a loss in your credibility.

Physical security even includes examining how prepared you are from major weather incidents to becoming prepared if someone comes into your organization with a gun. Locks are examined, practices of your team members, security policies, security alarm response time, and the effectiveness of video security CCTV cameras. Even the lighting around your building at night is important to have examined. Physical security auditors frequently have more than 200 checkpoints to examine so you can feel more confident that you are prepared.

The more prepared you are, including both IT and physical security, the better you will survive, and hopefully protect against, a breach of some kind. Not only that, you may be required by regulations to be audited for physical security.

Please post your comments on this blog.

The post The importance of physical security audits appeared first on Foster Institute.

Is total IT security possible?

Mike Foster — Thu, 15 Jul 2010 04:00:31 +0000

A participant at one of my presentations this year requested I tell them how to achieve, verbatim, “Total protection from employees able to reach or steal client data from work or home.”

Let’s see—the only way I can think of is to never share any client data with your employees—ever. Even without computers, if an employee is privy to client data, they may “steal” that and use it for other purposes.

The goal is to protect private client data—and you may choose to never enter that into a computer system your employees can access—or never enter it into a computer at all.

If your employees do want to access client data, and you just do not want the employees to be able to easily take large amounts of information, the challenges increase dramatically. Even so, the possibilities are closer than you may realize. Thanks to application delivery and virtualization technologies, you can allow employees to work from home, or the office, without having information stay resident on their computer. You can also restrict them from being able to:

Save to a local drive
Print information
Copy and paste outside your protected space
Or otherwise retain any information

However, there is little to stop an e-savvy employee from using a digital camera to take a screenshot, or using a yellow sticky note to write down someone’s credit card information or social security number. At least these kinds of activities take “time,” so you are restricting the speed of stealing data.

For what technology cannot solve, your corporate legal advisors can step in. They can help you with non-disclosure agreements, acceptable usage policies, and other agreements for your workers to sign. The key point here is that these do not necessarily prevent the theft, but they do provide you some recourse if the employee is ever caught.

There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know someone who does offer IT security insurance.

In some organizations, prevention is crucial. Once the data gets out, the organization may be damaged beyond repair.

To prevent an employee from e-mailing themselves a client list, there are Data Loss Prevention DLP tools available in the world. They watch for suspicious behavior and can quarantine such messages before sending them out. That delay gives the responsible person in your organization the opportunity to stop the data before it leaves.

There are other strategies as well:

Provide people with only the information they need to know. A good book full of these examples is Blind Man’s Bluff: The Untold Story of American Submarine Espionage by Sherry Sontag and Christopher Drew.
Rotate employees through specific duties so their time to do harm is limited.
Force employees to take mandatory vacations during which time illegal behaviors may be detected.
Have a separation of duties such that it would be difficult for one employee to commit fraud all by themselves.

While “total protection” may result in your employees not being able to function, there are strategies that can provide you with both productivity and security.

Please post your comments on the blog.

The post Is total IT security possible? appeared first on Foster Institute.

Thieves preying on your social media

Mike Foster — Thu, 15 Apr 2010 04:00:03 +0000

ABC’s Good Morning America recently posted a video about a woman whose home was robbed after she announced on Facebook that she was leaving her home to go to a concert.

You can watch the short video on this story. Keep in mind that more and more social media tools are offering a service, sometimes turned on by default without your knowledge, to broadcast your GPS position.

Choose your friends online wisely. Watch two videos that demonstrate this principle:

For suggestions on how to be safe online using social media, visit www.learntobesafeonline.com

The post Thieves preying on your social media appeared first on Foster Institute.

Windows 7 is scheduled for release – should you switch?

Mike Foster — Thu, 08 Oct 2009 04:00:23 +0000

Windows 7 is officially scheduled to be released on October 22. There are several ways you can try Windows 7 today if you want to use it. Visit www.microsoft.com for details. Should you switch?

I am running Windows 7 on two of my machines and am impressed so far. This seems to be what I expected from Vista finally delivered.

More Power: One of the biggest reasons I want to let go of XP and move to Windows 7 is that the 64-bit version of Windows 7 can take advantage of more memory and processing power, and it seems the drivers are catching up better than in the 64-bit version of XP.

More Security: Eventually, and likely even out of the box, Windows 7 will be more secure. Poor old XP was released when most of us would use our telephone modem (remember those screeching sounds?) to connect to the Internet whenever we wanted to browse the web or use e-mail. It is time for the new generation of operating system.

So should you switch ASAP? Yes, on one or two computers. No, definitely not for the entire office until you thoroughly test one or two computers first to be sure they will be stable with all of the applications your office uses. Then, after that, you will probably want to start upgrading all of your machines.

The post Windows 7 is scheduled for release – should you switch? appeared first on Foster Institute.

Understand more about identity theft

Mike Foster — Thu, 20 Aug 2009 04:00:47 +0000

Watch NBC Dateline’s video, “To Catch an Identity Thief, ” with no commercials: http://www.msnbc.msn.com/id/17805134/ns/dateline_nbc-to_catch_an_id_thief/. Scroll down and look on the right hand column for “Videos: Part 1 – watch the entire episode” and “Videos: Part 2 – watch the entire episode”

The post Understand more about identity theft appeared first on Foster Institute.

How do you stop users from stealing your data?

Mike Foster — Thu, 05 Mar 2009 04:00:42 +0000

Business owners and corporate executives often complain that they cannot control data once they trust their end users with it. Furthermore, regulations are requiring that organizations ensure their data is secure.

There are documented problems of employees “taking data home to work on it” and then they lose their memory stick, hard drive, or laptop and the data falls into the wrong hands. Other employees copy data and send it to competitors. In addition, often, users unwittingly send out private information through insecure channels.

For example, if you stop users from being able to plug in USB memory sticks and portable hard drives, they will burn the data to CD’s or DVD’s. If you stop them from using CD’s and DVD’s, they will e-mail the information to themselves. If you stop them from e-mailing the information through your server, they will get a web mail account and use that to e-mail the data. If you manage to block sending data through webmail, they will find a remote access tool that allows them to transfer files to a remote computer. And so on – it seems that “plugging the holes” is next to impossible.

This is where Data Loss Prevention tools come into play. They restrict users from intentionally, and even unintentionally, sending out private information through any means.

These systems monitor to detect and prevent sensitive information from leaving your organization through any means. If you approve for some users to use removable media such as an external hard drive or USB memory stick, the media can be automatically encrypted without the user knowing what to do. Some software will even stop users from using the “print screen” option to steal data that way.

When a user unintentionally attempts to copy data, a window pops up explaining that their attempt was blocked and why. This helps educate users about what is and what is not acceptable. This kind of real-time feedback can also generate logs for managers who are looking for trends in employee behavior.

If your organization has intellectual property, private information, or falls within government regulations, it is time to talk to your IT professionals about implementing data loss prevention technology.

The post How do you stop users from stealing your data? appeared first on Foster Institute.