Friday, November 21, 2014

Don't Implement Information Security Measures Aimlessly

With all the hoopla about the various recent data breaches, organizations may be rushing into planning and implementing additional security measures in an effort to prevent their organization from becoming the next major data breach victim.  Their intentions are good; however, before they go rushing into implementing additional security measures they should really ask themselves whether the perceived risk is critical enough to warrant them.  I say perceived risk because many of those organizations may be implementing measures based on their own or someone else's best judgment.
Organizations should not be implementing information security measures based on a hunch or best guess.  Doing so could result in wasted resources and actual information security issues going unaddressed.  Instead, organizations should be making informed decisions on how to address risk.  Making an informed decision will greatly improve resource management and ensure the security issues creating the most risk are addressed before the low-risk ones.
The best way to ensure an organization's senior management has the information required to make an informed decision is to conduct a risk assessment.  In actuality, organizations should have a risk management program that conducts regular risk assessments.  If they don't have one, they should consider implementing one immediately.  Whether or not a risk management program exists, an organization should base its information security decisions on the findings of a risk assessment.
There are many different methods that could be used to conduct a risk assessment.  A risk management team can use an industry-accepted or peer-reviewed method such as Factor Analysis of Information Risk (FAIR); the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE); the Information Systems Audit and Control Association's (ISACA) Risk IT Framework; or International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27005.  Using an industry-accepted or peer-reviewed method gives the organization's senior management assurance that they are looking at an accurate depiction of the organization's risk and the ability to make an informed decision on how to address it.
Information security is an issue on the minds of many organizations.  Because it is a concern, many may be haphazardly implementing information security measures and wasting valuable resources, time, and money.  To prevent this unnecessary waste, organizations should implement a risk management program, if they have not already done so, and conduct routine risk assessments.  The informed decisions made from the information provided in a risk assessment will ensure resources are properly allocated and reduce the chances of the organization experiencing a data breach or other information security related scams.

Monday, August 25, 2014

Validate Before Relinquishing Information

There is news about identity theft and data breaches almost daily.  The reports are normally accompanied by protective measures to adopt and implement.  The protective measures provided often consist of password security, document shredding, utilizing antivirus software, etc.  They are all great protective measures to implement; however, one thing that always seems to be missing from the list is measures to protect against scammers that choose a more direct approach to carrying out their malicious intentions.
The direct approach targets the weakest link in any security program.  That weakest link is people.  Scammers will often try to obtain information to carry out their plan, or obtain access to unauthorized areas, by simply developing a scenario and acting it out in order to persuade a target to release information or comply with whatever request is made.  This type of attack is referred to as pretexting (Hadnagy, 2011, p. 78).
Pretexting can be complex and involve hours upon hours of research and preparation.  It can also be simple and still be very effective.  Pretexting will often involve the scammer taking on a different identity.  When a scammer takes on a different identity they can simply claim to be someone they are not over the phone, or they can act and dress like someone else.  For example, a scammer may call a target and claim to be from a utility company, or they may obtain a utility company's uniform and make face-to-face contact with the target.

People generally trust other people, and when a scammer can take advantage of that and combine it with other tools, they are usually effective at getting most people to do what they ask, especially if the scammer develops a strong plan and rehearses it.  It is scary stuff, and you are probably thinking about never trusting another person again.  That is not the intent of this post.  The intent is to make you aware of the attack method and to encourage you to practice the following when someone you have just met asks you for information:

1. Follow your organization's policies and procedures for relinquishing information.
2. Verify the person's identity.
3. If it just does not feel right, refrain from relinquishing any information and report the incident to the proper authorities immediately.

References
Hadnagy, C. (2011). Social engineering: The art of human hacking. Indianapolis, IN: Wiley.

Monday, June 23, 2014

A Child's Identity Can Be Stolen Too

The other night I had an interesting conversation about identity theft with some friends.  As usual, they expressed their concern about protecting their identity and described everything they do to protect it.  To protect their identity they do the usual stuff like shredding all of their documents containing personally identifiable information, not carrying their social security card in their wallet, and using a firewall, anti-virus, and spyware protection to protect their home computer.  The measures they implement are great methods to lessen their chances of identity theft; however, something else of interest came out of the conversation.  One of my friends wanted to know what he could do to protect his children's identity.  I had to be honest with him, so I told him I had never thought about that.  In the end, I told him to implement the same measures for them as he does for himself.
I don't think my recommendation to him was that far off, but it got me thinking about scams directed at children.  The whole thing compelled me to do a little research on it.  What I found was that child identity theft accounts for one out of every twelve identity theft incidents (Another Ally Joins Battle Against ID Theft, retrieved 23 June 2014).  The scary part is that the occurrence of child identity theft is continuing to increase.
So why would someone want to steal a child's identity?  Well, a child does not have a tarnished credit record.  More than likely they do not even have a credit record.  Thus, they have a clean credit history, and a credit lender may be more willing to open an account for someone who has no credit history than for someone who has a bad credit history (Bortz, 2013, Identity Theft: Why Your Child May Be in Danger).  Another reason children are a more attractive target to identity thieves is that the chances of the malicious activity being discovered are far less than they would be if an adult's identity were stolen.  In actuality, a child may not know their identity has been stolen until they are well into their teens and apply for a car loan or some other type of credit.
Now that those of you with children are probably a little concerned about the security of your children's identities, you will be happy to know that protecting their identity is not all that hard.  You basically protect their identity the same way you would your own.  To protect their identity you should consider adhering to the following security measures:
  • Refrain from carrying anything containing their personal information in your wallet or purse.
  • Properly destroy any paperwork containing their personally identifiable information that is no longer needed.
  • Order a free credit report for them and examine it for suspicious activity.
  • When they are old enough to understand, talk to them about protecting their personal information and let them know it is okay not to provide their personal information (i.e., date of birth and social security number) to someone who asks for it.
It is evident that no one is safe from scams designed to steal a person's identity.  Scammers will do anything they can think of to achieve their goal, even if it means stealing a child's identity.  Therefore, use the recommendations above to protect your identity and, if you have children, to protect theirs.
References
Another ally joins battle against ID theft. (n.d.). Retrieved June 23, 2014, from http://www.scambusters.org/idtheft.html
Bortz, D. (2013, February 5). Identity theft: Why your child may be in danger. Retrieved June 23, 2014, from http://money.usnews.com/money/personal-finance/articles/2013/02/05/identity-theft-why-your-child-may-be-in-danger

Wednesday, March 5, 2014

To bank online or to not bank online?

Let's face it, the word about protecting your personal information is out, and people are starting to pay a little more attention to the activities they conduct involving their personal information.  However, is it really practical to stop conducting those convenient activities, such as online banking, just to protect your personal and/or financial information?
Online banking gives most customers the ability to pay bills online, check the balance of their account, and transfer funds between accounts.  Customers also have the ability to access their account at any time and from anywhere there is an Internet connection.
Online banking is very convenient and I am not about to give it up.  Does that mean I am not protecting my personal and financial information?  Absolutely not, because I closely monitor my accounts and have implemented measures to protect them.
I monitor my accounts by logging into them daily to check the balance and verify the transactions that have occurred.  I have also elected to receive emails from my financial institutions containing my account balances and identifying the transactions that have occurred since the last notification they sent.  Lastly, I have made it a priority to review account statements as soon as I receive them.
The measures I have implemented to protect my personal and financial information when conducting online banking are: change account passwords regularly, never provide anyone with information pertaining to my account unless I initiate the contact, never use a public computer to access my accounts, and ensure my computer has firewall, spyware blocker, and updated anti-virus software installed.
There is no guarantee that the aforementioned monitoring techniques and security measures will completely protect your bank account from scammers.  However, the monitoring techniques will give you the assurance that your account is safe for the time being and the security measures will make it more difficult for a scammer to obtain your valuable information.