Scammers, hackers, and identity thieves are looking to steal your personal information – and your money. But there are steps you can take to protect yourself, like keeping your computer software up-to-date and giving out your personal information only when you have a good reason.

Use Security Software That Updates Automatically
The bad guys constantly develop new ways to attack your computer, so your security software must be up-to-date to protect against the latest threats. Most security software can update automatically; set yours to do so. You can find free security software from well-known companies. Also, set your operating system and web browser to update automatically.

If you let your operating system, web browser, or security software get out-of-date, criminals could sneak their bad programs – malware – onto your computer and use it to secretly break into other computers, send spam, or spy on your online activities. There are steps you can take to detect and get rid of malware.

Don’t buy security software in response to unexpected pop-up messages or emails, especially messages that claim to have scanned your computer and found malware. Scammers send messages like these to try to get you to buy worthless software, or worse, to “break and enter” your computer.

Treat Your Personal Information Like Cash
Don’t hand it out to just anyone. Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. So every time you are asked for your personal information – whether in a web form, an email, a text, or a phone message – think about whether you can really trust the request. In an effort to steal your information, scammers will do everything they can to appear trustworthy. Learn more about scammers who phish for your personal information.

Check Out Companies to Find out Who You’re Really Dealing With
When you’re online, a little research can save you a lot of money. If you see an ad or an offer that looks good to you, take a moment to check out the company behind it. Type the company or product name into your favorite search engine with terms like “review,” “complaint,” or “scam.” If you find bad reviews, you’ll have to decide if the offer is worth the risk. If you can’t find contact information for the company, take your business elsewhere.

Don’t assume that an ad you see on a reputable site is trustworthy. The fact that a site features an ad for another site doesn’t mean that it endorses the advertised site, or is even familiar with it.

Give Personal Information Over Encrypted Websites Only
If you’re shopping or banking online, stick to sites that use encryption to protect your information as it travels from your computer to their server. To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure).

Some websites use encryption only on the sign-in page, but if any part of your session isn’t encrypted, the entire account could be vulnerable. Look for https on every page of the site you’re on, not just where you sign in.

Protect Your Passwords
Here are a few principles for creating strong passwords and keeping them safe:

The longer the password, the tougher it is to crack. Use at least 10 characters; 12 is ideal for most home users.
Mix letters, numbers, and special characters. Try to be unpredictable – don’t use your name, birth-date, or common “dictionary” words.
Don’t use the same password for many accounts. If it’s stolen from you – or from one of the companies with which you do business – it can be used to take over all your accounts.
Don’t share passwords on the phone, in texts or by email. Legitimate companies will not send you messages asking for your password. If you get such a message, it’s probably a scam.
Keep your passwords in a secure place, out of plain sight.
Back Up Your Files
No system is completely secure. Copy important files onto a removable disc or an external hard drive, and store it in a safe place. If your computer is compromised, you’ll still have access to your files.

Phishing is a scam in which you receive a fraudulent e-mail designed to steal your identity or personal information, such as credit card numbers, bank account numbers, debit card PINs, and account passwords. The e-mail may state that your account has been compromised or that one of your accounts was charged incorrectly. The email will instruct you to click on a link in the e-mail or reply with your bank account number to confirm your identity or verify your account. The e-mail may even threaten to disable your account, if you don’t reply, but don’t believe it.

Legitimate companies never ask for your password or account number via e-mail. If you receive a phishing e-mail there are several actions you should take:

Don’t click on any links in the e-mail. They can contain a virus that can harm your computer. Even if links in the e-mail say the name of the company, don’t trust them. They may redirect to a fraudulent website.
Don’t reply to the e-mail itself. Instead forward the e-mail to the Federal Trade Commission at spam@uce.gov.
If you believe that the e-mail is valid, contact the company using the phone numbers listed on your statements, on the company’s website, or in the phone book. Tell the customer service representative about the e-mail and ask if your account has been compromised. You can also contact the company online by typing the company’s web address directly into the address bar; never use the links to provided in the e-mail.
If you clicked on any links in the phishing e-mail or replied with the requested personal information, Contact the company directly to let them know about the email and ask to have fraud alerts placed on your accounts, have new credit cards issued, or set new passwords.
Vishing

Similar to phishing, vishing scammers also seek to get you to provide your personal information. However, vishing scams use the phone to make their requests, instead of e-mail. You may be directed to call a phone number to verify an account or to reactivate a debit or credit card. If you have received one of these calls, report it to the Internet Crime Complaint Center.

Let’s talk about CyberSmart Privacy….

From the youngest to the oldest person in society, the idea of private data in an interconnected world is nearly obsolete. Regulatory bodies like HIPAA, PCI, NIST and others have worked hard to generate standards and policies to guide companies in the protection of your private, personally identifiable data.  And then the matter how many standards we have to protect us our own worst enemy is still ourselves.

I’m going to put together an example of a generic person and I’d like for you to think about what kinds of information can be gained publicly about this person based on just a couple of factors.

Here comes Jane with her Samsung S7 phone, iPad mini, iPod and Beats headphones, some books and a small bag, with her wallet. In Jane’s wallet she has an iTunes card, a bank debit card, some cash and a few frequent shopper cards from various stores.

No without thinking about any criminal activity let’s think about what kind of information Jane is giving away for free about herself.

I’ll start with the iTunes card…. It seems innocent enough and we know Apple cares about our privacy but within iTunes card she has linked an account, where she listens to music, makes purchases of books, podcasts and songs. She’s leaving tracks of metadata behind so that Apple knows her preferences for music and books and will soon begin suggesting new items based on the data they aggregate from her. Beyond that, they also know how often she listens to certain songs, or how often she logs into iTunes, on what days and what times of day…. you’d be surprised how much data the iTunes card can collect on a person, with an associated account.  They will also track what device or computer you used to log into their site, any payment information you have stored for transactions…. This is what we think about when we talk about big data…. And even just the iTunes account Jane is handing over so much personal information….

So let’s get a little more generic, data collected from our retailer from
a customer sometimes is used to market new products and services to that customer and sometimes the retailer will take that information and sell it to partners and other retailers. Sometimes a retailer main take note that you’ve used a visa card for a transaction and they will correlate your data with other visa card users, maybe getting better demographics.

When you think about it big data is everywhere and you are contributing to the metrics that can be used for and against you…. Which makes your personally identifiable information less than private…

I will let you ponder on this, the next time I will begin to dive deeper into becoming CyberSmart with your private, personally identifiable information.

I agree with Gartner when they say ” IAM (Identity & Access management) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.”  This practice area is crucial to the maturity of an enterprise’s security posture.

Here are six Identity and Access Management Terms, that in my career I have come across more often than not, being mis-used.  To help you be more clear and accurate, I will define the terms here, then you too, can listen for where these terms are misused in away that makes them seem interchangeable.

Identity – The means by which an Entity can consistently and comprehensively be identified as unique.

Identifier – The means by which an Identity can cryptographically asserted, usually using public-key technology.

Entity – Discrete types that will have identity, these are users, devices, code, organizations and agents.

Entitlement – The process of mapping privileges (access to an application or its data) to identities and the related attributes.

Persona – Identity plus the particular attributes that provide context to the environment the entity is operating within.

Attributes – Facets of an Identity.

After roughly 20 years of blogging, it was time for the archives to move from the live blog, to the archives. Out with the old, in with the new, well sort-of.  I’ve had this black and orange theme up in the past, I think it is a bit easier on your eyes, for reading.  After staring at screens all day, everyday…a few headaches later, yes, the black-grey background gives me a break….maybe you too?  We will try it out for a bit, let me know your thoughts on the colors, theme..and content of course.

…and yes, I can create my own pages, themes, etc….but, I love to try out other’s designs, test the open-source, get to know more than just what I am capable of…afterall, this is what I help businesses to do, stop focusing on building websites, unless that is your business.  I shift my focus to the content of the blog, delegate the website to CyberChimps and WebHero, my trusted partners.

SECaaS, more commonly known as Security as a Service may be in the cloud, or more traditionally be hosted within the customer’s premises.  When you here this term used, people are talking broadly about how companies that have deployed hybrid and traditional enterprise networks using cloud-based services are viewing securing their data in the cloud.

Some of the advantages to SECaaS are the same essential characteristics know to cloud computing overall: Broad Network Access, Rapid Elasticity, Measured Service, ON-Demand Self Service and Resource Pooling.

Resource Pooling – This is where you should focus on the multi-tenancy aspect, whether on premises, or in the cloud.  We are talking about shared infrastructure, sometimes with your own subsidiaries, business units and customers, or with your competitor, adversary, or another noisy-neighbor.  With resource pooling, you can also focus on more actionable intelligence through mining data from many customers and in-house research to provide context to intelligence.  With SECaaS, you’ll gain more access to security professionals, gaining the advantage in 24×7 coverage, aggregating other’s knowledge…all without your company being in the recruiting business, in most cases.

While we focus on advantages and risks in SECaaS and resource pooling while gaining access to many security professionals, it is not a substitute for having your own internal risk management and security professionals.  No one will know the context of your business, or understand your systems and pertinent threats better than your own people.  Always keep in mind, you will not be able to outsource accountability, ever.

Bottom line, resource pooling adds diversity while being more than an outsourcing model for security management within SECaaS, it is an essential component in secure business resiliency and continuity when we also pay close attention to the new risk landscape these benefits present.  Using resource pooling can save time and money allowing your organization to transfer saved resources back into your core competencies.

While you navigate the security landscape in the cloud and begin to meet the various security professionals and tools they are vending, always keep a few experts with tools in your own toolbox for context.  Your internal experts will best be able to help navigate which security tools are worthwhile from the “snake-oil”.

That’s it for Resource Pooling in SECaaS, remember to ponder multi-tenancy in your risk evaluations and keep your own internal security experts close at hand when aggregating the new security intelligence you will have at your finger tips.  The world of BigData has come to security  intelligence and it is very easy to become overwhelmed.

Big Data, it’s everywhere….your local stores have replaced marketing departments with key-chain attached frequent shopper loyalty cards…cards that use an ID number to track what you purchase.  These stores install cameras, not so much for surveillance of shoplifters, but to watch shoppers….collect data on what you look at, what you walk by, what grabs your attention…  It’s in our cars, on the street, in stores, in our homes….big data collection is just about everywhere….collecting, storing, aggregating and learning everything about us.  In the beginning, big data is loaded with garbage, so the metrics it produces are messy. Picture the ads, you surf the internet, provided by your cabletv provider.  You’ve made some recent purchases, or rather “searched for items, for a friend or relative.  You had a guest over who watched a particular genre of TV programming….you notice the ads on your PC are reflective of someone else’s interests, not your own.  You clean out your internet “cookies”, tempfiles…you clear out your history and privacy from YOUR PC.  You can’t erase, or clean out the big data your ISP has collected on your household.  Your Credit Card Company, your bank, your email provider, your public utility and more, they are all collecting and aggregating data about your habits, to form a picture of you.

So let me ask….and I don’t know the answer….but let me ask anyway.  When you are looking at a new job, interviewing…is the prospective new employer tapping into the Big Data engine, to get a picture of who you are, your shopping habits, your TV viewing habits, where you drive, etc.  Are they tapping into the metrics of you, to determine if you are right for the job?  What does Big Data say about you, is it accurate, is it more accurate than your personal view of yourself?  What are we being judged on?

Something to think about….

This morning’s Biztech magazine’s article is worth the read, if you’re a small business owner.  Too often, it is large corporations that focus on InfoSec, where a small business can be a prime target for hackers.  Here, Mark covers the very basics, know your risk, hack yourself, perform a gap analysis to learn about where you need to tighten up controls on data and then he links you to some free tools to get you on your way.

http://www.biztechmagazine.com/article/2016/03/small-business-it-security-save-money-save-face