Category Archives: Security Awareness

Social Networks and Personal Information

0
Filed under Security Awareness

<%image(20080219-linkedin.jpg|137|43|LinkedIn)%>

Good post over at GNUCITIZEN today. They talk about how easy it would be for a hacker to social engineer their way into LinkedIn connections to get information about a potential business target, possibly even your company or business.

Social networking in general is very popular with security minded and non-security minded people. I use LinkedIn as well as many other security professionals because of the obvious career benefits. Even a gray hat/black hat hacker can use LinkedIn to further a legitimate career in the corporate world by getting a LinkedIn connection by doing a project for Hackers for Charity. It’s all about what you perceive your “personal risk” is associated with using a site like LinkedIn. The benefit may outweigh the risk in your case. Here are a few tips that you can do to help “minimize” your personal information exposure:

1. Do not make your LinkedIn profile public
2. Only accept connections from people you know and/or have personally worked with.

For example, if you own your own business you may want a public profile available to generate business. Again, this all depends on your personal risk assessment of your personal information.

Awareness and Social Engineering

0
Filed under Security Awareness

Good blog posts over at Episteme and Andy’s blog about employee awareness and social engineering. Teaching your employees not to trust people is a tall request that’s for sure! Most businesses are built by having employees trust each other…like Andy mentions, you have to teach them to “trust, but verify”.

I conduct social engineering tests on a regular basis and I can tell you from personal experience that it is just too easy to bypass security controls by talking your way in by coming up with a real good scenario. You will find that employees want to be helpful, almost too helpful at times…holding the door open for you so you don’t have to badge in, or giving complete strangers login credentials to applications are just a few examples. All it takes is someone with enough guts to look and play the part of a fellow employee to take advantage of human kindness that we all posses.

One thing that I advocate is to test your own employees. This does two things. First, it allows management to get an idea of how bad it really is! Seriously, once executive management sees the problem the easier it will be to communicate the issue with executive support. Secondly, it raises awareness with your employees..even if you target just a small segment of your employees. I would bet that the next time you conducted a social engineering exercise on that same segment, you would have different results. People always seem to remember when they were duped by someone else. Don’t forget that word about a social engineering “test” that was conducted spreads throughout the environment by word of mouth…all of this can be an advantage on the awareness front.

How do you test your own employees? Very carefully! Seriously, there may be many political boundaries that you will have to overcome which is all dependent on your company culture. Start with a small segment..like your own department if you are in Information Security! Yes, test your own people…you might be surprised by the results. A very low impact method to start with is to conduct a simple “phishing” simulation. Setup a simple web server and send out emails with embedded links to the web server you just configured. Track the results by parsing out the web server log of who clicked on the link. Strip out the IP’s so the results are anonymous in your report. You can then put together a quick awareness piece showing the high level statistics sent to everyone you targeted. Simple and effective.

UK’s Biggest Data Breach Ever: HMRC

Filed under Security Awareness

As I am sure all of you are already aware…the UK recently had their biggest data breach ever. 25 million (close to half of the population in the UK) personal records which include names of children, the equivalent of the SSN in the US, address, and certain bank info. Interesting read about this incident over at IT Security Expert who was personally affected by this HMRC breach (actually this is the second time for him now). I personally feel just like he does as I had my personal information (SSN and more) compromised by the US government twice this year already. I recently just received my “one year” of free credit monitoring from a third-party service. I could blog about how worthless one year of this service is (one year is not enough by the way) and the problems I have already had with this service but I will leave that for later. Not sure if the UK government will give them the same type of service but I hope it is a hell of a lot better then when the US government has given out.

Sad how you as a citizen of a country could do everything you can to protect your identity. We buy shredders, check our credit reports, etc…but it’s the government of your country (who you assume to trust the most) who loses your personal data and all you get is one crappy year of credit monitoring service.