Google Me on the Web, is it any good?

Google has a new feature in its Dashboard, “Me on the Web”. The pitch is that it will help you protect your identity. The Huffington Post did a write-up of it, “Google ‘Me On The Web’ Tool Promises To Help You Manage Your Online Identity” (http://www.huffingtonpost.com/2011/06/16/google-me-on-the-web_n_877996.html). “Your online identity is determined not only by what you post, but also by what others post about you — whether a mention in a blog post, a photo tag or a reply to a public status update,” Google explained in a blog post. But what is it really all about?

At first glance it seems to be just an interface to Google Alerts (www.google.com/alerts). I use Google Alerts for all kinds of keyword searches (my name included). This screen shot shows what the Me on the Web interface looks like:

Google me on the web

Nothing terribly exciting here. The advice they give you about managing your online reputation is particularly bland: “If you find content online–say, your telephone number or an embarrassing photo of you–that you don’t want to appear online, first determine whether you or someone else controls the content. For example, if the photo you want to hide is part of your Picasa account, you can simply change your photo visibility settings. If, however, the unwanted content resides on a site or page you don’t control, you can follow our tips on removing personal information from the web and removing a page from Google’s search results.”

There really isn’t anything proactive or defensive about this “new tool”. But setting up appropriate alerts is definitely a must in the online world.

For some really interesting tracking of online activity, check out SocialMention.com.

Gary Bahadur

CEO KRAA Security

www.kraasecurity.com

Social Media Security

Network Risk Assessment

New book coming soon “Securing the Clicks: Network Security in the age of Social Media” http://www.amazon.com/Securing-Clicks-Network-Security-Social/dp/0071769056/ref=sr_1_1?ie=UTF8&s=books&qid=1308343778&sr=8-1

 


Ignorance is far from bliss with a Global Supply Chain

In this time of global financial insecurity, large-scale companies are stretching further and further across the planet in order to reduce costs and remain competitive. But this strategy brings risks with it. The pressure on a global company’s supply chain is immense: with operations stretching across whole continents and a handful of countries, variables are introduced that can be incredibly hard to track. A company needs a global supply chain risk management process.

With supply chain infrastructures running the length of the planet, how is it possible for a company to know what is happening at any given time and at any given point within its chain? A supply chain is only as strong as its weakest link, and in this fragile economic state, global operations rely on their supply chain management to bring together all the disparate elements into a smooth churning synergy. But how does a company’s supply chain cope with all the challenges that these variables produce?

Global companies face challenges on all fronts regarding the pressures of a supply chain on an international scale. With head offices in, say, New York, and a production arm in China or Pakistan, the most obvious challenge faced by a global company is one of distance. But what specific challenges does this kind of distance throw up?

Like a fog, distance can cloud vision and block out, or at the least delay, information – and to a supply chain, information is money. A global company with its head offices in the West is going to be unaware, at least for a time, of the state of its supply chain in the event of localised flooding or civil unrest. The supply chain may not be aware that the issue exists until severe damage has been caused. Even if the factory was untouched by such a disaster, what about the infrastructure – roads, airports and harbours? Large-scale emergencies create questions and uncertainty for those on the ground, never mind those in large corner offices in Manhattan.

The problem is not limited to natural disasters or weather systems. Civil and political unrest can cause chaos to even a healthy supply chain. Then there are epidemics and pandemics, such as the H1N1 flu, which have the potential to grind a whole economy to a sudden and shuddering halt. These situations cause utter chaos for those present, but the real danger to a global company’s supply chain is more subtle than this chaos… it is ignorance.

Ignorance of a crisis is the arch-enemy of a supply chain. It may be a cliché but it is true – knowledge is power, or in this case, money – and even the most solid supply chain can crumble through nothing more than a little ignorance. Even if contingency plans have been made, the delay in becoming aware enough of the crisis to implement the contingency can cause severe flow problems.

To an extent, these challenges can all be overcome or circumvented by good planning and a world-class supply chain management system, but only if the company is aware of the crisis. It is this knowledge gap – between the event happening and feedback working its way all the way across the planet to head office – that can make or break a company’s financial position. It is not the event itself, cataclysmic as it may be, but ignorance of the event that is the killer for a supply chain. How can you overcome a challenge that you are blind to?

The secondary challenge faced by a global operation’s supply chain management is one of local knowledge and experience. Civil and political unrest, for example, can seem to strike as suddenly and as unexpectedly as forked lightning to the outsider. Yet to those who live inside that country, the sense of radical change or shift in power can often be sensed in advance. There is something about being on the inside that gives one the ability to more accurately predict, and therefore to prepare for, this kind of change.

It is this preparation that is key to the success of any supply chain. Sensing and predicting the event or crisis, allows for contingency plans to be drawn up and/or implemented. These are essential for the reduction of downtime, and for shipping dates to be met. Contingency plans, if acted upon swiftly enough, can really protect the integrity of the supply chain. The key to this swift acting, once again, is information. Factories in neighbouring countries can be actively tooling up as the sense of political unrest grows in another, with one factory primed to take over as soon as trouble rears its ugly head.

Of course, not everything can be predicted, and some events, such as the recent volcanic ash cloud over Europe, can catch everyone by surprise. But the majority of incidents, problems and challenges faced by the supply chain of any global company can be pre-empted, predicted and planned for. But a contingency plan is only as strong and useful as the information that brings about its implementation. It is this information that will determine the success of a supply chain management system when disaster strikes, as it surely will, given enough time.

 


Pleasant Grove man sentenced to 6 years in federal prison for role in prescription fraud case

The Birmingham News (http://blog.al.com/spotnews/2011/05/pleasant_grove_man_sentenced_t.html) reported that a Pleasant Grove man received six years in federal prison for HIPAA violations. His crimes included aggravated identity theft and unlawful disclosures of health information, both of which violate the HIPAA regulations.

Identity theft involving healthcare information is on the rise. There is a lot of value in stealing an identity to obtain healthcare. If the victim is under 18, the thief may have several years before anyone notices: kids generally do not check their credit reports until they get that first credit card in college. By then the thief could have racked up a lot of charges on that identity.

Healthcare access can also give the thief access to prescription drugs, which are then resold. In this case the thief used the stolen identity to cause a prescription drug plan to pay $72,746 for drugs.

The Obama Administration announced a cyber security plan recently. Does it take into account the rise in identity theft? Are government agencies actively trying to find solutions? So far the answer seems to be No.

Regards

Gary Bahadur

www.kraasecurity.com

blog.kraasecurity.com


White House has released a cybersecurity plan


The White House has released a cybersecurity plan. See “White House Cybersecurity Plan: What You Need To Know” (http://www.huffingtonpost.com/2011/05/12/white-houses-cybersecurity-plan_n_861382.html). Perhaps the administration is finally waking up to the need.

According to the press release: “Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority. When the President released his Cyberspace Policy Review almost two years ago, he declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” The Administration has since taken significant steps to better protect America against cyber threats. As part of that work, it has become clear that our Nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated.”

There are a couple of key elements to the proposed legislation:

Protecting the American People

  1. National Data Breach Reporting. Proposal to help businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements. (I personally do not think we will have one national privacy policy anytime soon. States’ rights!)
  2. Penalties for Computer Criminals. Clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.

Protecting our Nation’s Critical Infrastructure

  1. Voluntary Government Assistance to Industry, States, and Local Government. Proposal to enable DHS to quickly help a private-sector company, state, or local government in a breach.
  2. Voluntary Information Sharing with Industry, States, and Local Government. Proposal to help entities share information. (Sure, AT&T will share information with Sprint, and Bank of America will share information with the government.)
  3. Critical Infrastructure Cybersecurity Plans. Proposal to enable transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity. (That’s way too vague.)

Protecting Federal Government Computers and Networks

  1. Management. Update the Federal Information Security Management Act (FISMA) and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks. (They definitely need this now!)
  2. Personnel. Recruit and retain highly qualified cybersecurity professionals. (With reduced funding for education, we will probably have to recruit from China.)
  3. Intrusion Prevention Systems. Implement better intrusion detection and prevention systems. (Imagine having to read all the log files from all the government agencies; this effort will need to be outsourced.)
  4. Data Centers. Embrace cloud computing. (If you use cloud computing, will you rely on Facebook for your security requirements?)

New Framework to Protect Individuals’ Privacy and Civil Liberties

The Administration does propose protecting civil liberties. Can the plan be any worse than everyone giving away all their information anyway on Facebook, Twitter, LinkedIn etc.?


Geo-tagging photos can lead to cyberstalkers finding you


When you take a photo of yourself in your house and then post it via Facebook or Twitpic, you assume that no one will really know where you took that picture. Well, you may be wrong. Social media security is at a very nascent stage of development. There are already a number of threats to social media, such as malicious applications on Facebook or trojans behind shortened URLs, that the average user does not know about or know where to turn to for advice on.

A new threat could be giving up your location when you post a picture from inside your house. A team of scientists discovered that with some smartphones, the user’s latitude and longitude are attached to the picture you post, in its Exif metadata. That’s pretty scary. See the news story “Tips to Turn Off Geo-Tagging on Your Cell Phone” (http://abcnews.go.com/Technology/celebrity-stalking-online-photos-videos-give-location/story?id=11443038). “Many people are not aware of the fact that there are geotags in photos and videos,” said Gerald Friedland, one of the scientists.

A website that has been set up to show the dangers of this capability is www.icanstalku.com. So what can you do about this? Do you want to be stalked? On the iPhone, go to Settings > General > Location Services and disable location access for the applications you do not want geo-tagging, such as Camera.
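As an added example (not code from the original post, and not from the researchers or the site cited above), here is a small pure-Python reader and stripper for the GPS tags that a phone writes into a photo’s Exif metadata. The JPEG it inspects is constructed inside the script as a stand-in for a phone photo, with sample coordinates picked for the demonstration; the tag numbers and IFD layout are the real Exif GPS IFD structure, while the function names and the fixture are mine.

```python
import struct

# Exif/TIFF tags and types used below (from the Exif and TIFF 6.0 specifications).
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def _dms(value):
    """Decimal degrees -> [(deg, 1), (min, 1), (sec*10000, 10000)] unsigned rationals."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = (value - deg - minutes / 60) * 3600
    return [(deg, 1), (minutes, 1), (int(round(seconds * 10000)), 10000)]


def build_geotagged_jpeg(lat, lon):
    """Constructed fixture: a minimal JPEG whose APP1 Exif segment carries GPS tags.
    It stands in for a phone photo; there is no image data, only SOI, APP1 and EOI."""
    lat_ref = b"N\x00" if lat >= 0 else b"S\x00"
    lon_ref = b"E\x00" if lon >= 0 else b"W\x00"
    # Little-endian TIFF: header (8) | IFD0 at 8 (18 bytes) | GPS IFD at 26 (54 bytes) | data at 80
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", GPS_LAT_REF, TYPE_ASCII, 2) + lat_ref.ljust(4, b"\x00")
    gps += struct.pack("<HHII", GPS_LAT, TYPE_RATIONAL, 3, 80)
    gps += struct.pack("<HHI", GPS_LON_REF, TYPE_ASCII, 2) + lon_ref.ljust(4, b"\x00")
    gps += struct.pack("<HHII", GPS_LON, TYPE_RATIONAL, 3, 104)
    gps += struct.pack("<I", 0)
    data = b"".join(struct.pack("<II", n, d) for n, d in _dms(lat) + _dms(lon))
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, stop) for each JPEG metadata segment before the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments follow
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + seg_len
        pos += 2 + seg_len


def _read_ifd(tiff, offset, end):
    """Return {tag: (type, count, raw value bytes)} for the IFD at `offset`."""
    n = struct.unpack(end + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:  # value stored inline in the entry
            raw = tiff[e + 8:e + 8 + size]
        else:          # entry holds an offset to the value
            off = struct.unpack(end + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]
        entries[tag] = (typ, count, raw)
    return entries


def _to_decimal(raw, ref, end):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W reference -> signed decimal degrees."""
    d, m, s = [n / dn for n, dn in struct.iter_unpack(end + "II", raw)]
    value = d + m / 60 + s / 3600
    return -value if ref.startswith((b"S", b"W")) else value


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, start, stop in _segments(jpeg):
        body = jpeg[start + 4:stop]
        if marker != 0xE1 or not body.startswith(b"Exif\x00\x00"):
            continue
        tiff = body[6:]
        end = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(end + "I", ifd0[TAG_GPS_IFD][2])[0], end)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _to_decimal(gps[GPS_LAT][2], gps[GPS_LAT_REF][2], end)
        lon = _to_decimal(gps[GPS_LON][2], gps[GPS_LON_REF][2], end)
        return lat, lon
    return None


def strip_exif(jpeg):
    """Drop every APP1 Exif segment so the file no longer carries GPS (or any Exif) data."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, stop in _segments(jpeg):
        body = jpeg[start + 4:stop]
        if not (marker == 0xE1 and body.startswith(b"Exif\x00\x00")):
            out += jpeg[start:stop]
        pos = stop
    out += jpeg[pos:]
    return bytes(out)


if __name__ == "__main__":
    photo = build_geotagged_jpeg(40.7484, -73.9857)  # sample coordinates for the demo
    print("location in photo:", extract_gps(photo))
    print("after stripping:  ", extract_gps(strip_exif(photo)))
```

Running it prints the coordinates recovered from the constructed photo and None once the Exif segment has been removed. For a real photo you would pass open(path, "rb").read() to extract_gps; the point is that the location sits in a standard, easily parsed place, which is exactly what a site like icanstalku.com reads.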

Regards

Gary Bahadur

www.kraasecurity.com

blog.kraasecurity.com

888-572-2911


Facebook’s new security features and the Zuckerberg hacking incident

This past week was eventful for Facebook and for Mark Zuckerberg. His Facebook fan page was hacked, as first reported by TechCrunch in “‘Let The Hacking Begin’ Declares Person Who Hacked Zuckerberg’s Facebook Fan Page” (http://techcrunch.com/2011/01/25/zuckerberg-fan-page-hack/). The message left on the page was:

“Let the hacking begin. If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011”

Facebook then said it was a “bug”, as reported by the BBC in “Facebook blames bug for Zuckerberg ‘hacking’” (http://www.bbc.co.uk/news/technology-12286377). Well, I guess they can speak to Microsoft about “bugs” and letting their software be hackable. Not much more was explained.

Another interesting piece of Facebook news this week was the launch of its encrypted browsing option, as reported by the Huffington Post in “What Facebook’s New Security Features Mean For You”. The https login has actually been available for a while but was not publicized. What does this mean? When you go to Facebook.com now, go to https://www.facebook.com instead. With “https” the whole session is encrypted, not just the login form, so the guy sitting next to you in Starbucks cannot capture your traffic on the wireless network and take over your account by running Firesheep or another sniffing program. Note that Firesheep does not need your password: it grabs the session cookie that the site sends in the clear over plain http after you have logged in, and replays it to become you. Many other social networking sites also support https even though they do not publicize it.

To turn on this feature permanently, go to “Account” -> “Account Settings” -> “Account Security” -> “Change” and select “Browse Facebook on a secure connection (https) whenever possible”. If you have never looked at the Privacy Settings you should probably check those out as well. Stop sharing everything about yourself with “Everyone”!

Facebook privacy settings
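The kind of check that would have flagged the problem Firesheep exploited, as an added example that is not Facebook’s code and not from the original post: it parses the Set-Cookie headers of an HTTP response and reports the cookies a sniffer on the same wireless network would see, because a cookie without the Secure attribute is sent on every plain-http request. The two responses are constructed in the script, and the cookie and header names in them are assumptions, not any real site’s.

```python
# Constructed sample responses standing in for a login response over plain http and
# the same response after hardening. Cookie names and values are made up for the demo.
HTTP_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: pref=dark; Path=/\r\n"
    "Set-Cookie: csrf=xyz; Path=/; Secure\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure\r\n"
    "\r\n"
)

# Heuristic: cookie names that usually identify the logged-in session (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, [(lowercased name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value):
    """'name=v; Path=/; Secure; HttpOnly' -> ('name', {'path': '/', 'secure': '', 'httponly': ''})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit_cookies(raw):
    """Return [(severity, cookie, problem), ...]; an empty list means a sniffer sees nothing useful."""
    _, headers = parse_headers(raw)
    has_hsts = any(n == "strict-transport-security" for n, _ in headers)
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        looks_session = any(h in name.lower() for h in SESSION_HINTS)
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to http:// requests too,
            # which is exactly what Firesheep captured on open wireless networks.
            sev = "HIGH" if looks_session else "LOW"
            findings.append((sev, name, "no Secure flag: sent in the clear over http://"))
        if looks_session and "httponly" not in attrs:
            findings.append(("MEDIUM", name, "no HttpOnly flag: readable by injected script"))
    if not has_hsts:
        findings.append(("MEDIUM", "-", "no Strict-Transport-Security: first request may still go over http://"))
    return findings


if __name__ == "__main__":
    for label, resp in (("before", HTTP_LOGIN_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit_cookies(resp) or "clean")
```

The “before” response shows the Firesheep situation: the session cookie has HttpOnly but not Secure, so it rides along on any http:// page load and can be replayed by whoever captured it. The hardened response marks every cookie Secure and adds HSTS so the browser refuses to speak plain http to the site at all; selecting “whenever possible” https in the Facebook setting is the user-side equivalent.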

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*Free Website Security Test


The Dangers of Employee Social Media Usage

Employers are constantly hearing of social media this and social media that. When your employees go on break or eat lunch, they are usually on their cell phones talking. But now there are also phone applications like Facebook, Twitter, FourSquare and others with which an employee can upload photos while mobile and even post to Facebook automatically. Are employees using social media securely?

Does your company have anything in place for protecting confidentiality through social media usage? Do you have a Social Media Security Policy? Employees sign agreements when joining the company but did the business cover disclosing things like pictures or private conversations and even meeting information via Google Buzz or Facebook? What about brand new products being developed that are trade secrets?

If your employees are online doing their job and Facebook, MySpace, or gaming sites like Pogo are not blocked, how do you know they are doing their work 100% of the time? Just because their production numbers look great doesn’t mean they are not slacking. Have you done a Social Media Security Assessment?

It is becoming an epidemic in the workforce, with employees breaking rules and ultimately being fired every day. If security monitoring technologies are in place you could possibly sue the former employee, but your trade secrets are gone and so might be your reputation. If an employee is bad-mouthing your company and tells everyone not to buy or shop with you, there goes your business immediately.

You can make a legal policy for employees to sign when they start their job that they will not talk, disclose, or say anything bad about the company on social media sites. If businesses do not step up soon and do something it can be a total free for all!

Here are a few interesting facts to consider. One out of every ten employees admitted overriding their employer’s security controls so they could access restricted sites. In 2009, 24% of eight hundred employers surveyed said they had to discipline an employee for using social media sites. Another study of two hundred businesses polled found that 8% of employees were terminated for accessing Facebook. Twenty-eight thousand people were polled in the United Kingdom at the beginning of 2010 and a whopping 87% said they can do what they want; it is their right to do so.

It is now believed that social networking will replace email by 2014 as the main way to communicate for 20% of all business owners or users. Is your company prepared for Secure Social Media?

 

Tips to Avoid Confidentiality Issues When Using Social Networking Media

Social media sites have gained popularity in the past ten years as a medium to keep in contact with loved ones, business associates and friends. However, there can be drawbacks to the use of such media when one is employed in certain career fields, such as the healthcare industry. Using social media networks can inadvertently lead to the sharing of confidential patient information with people who have no need to know, which would put the company in violation of HIPAA Security Rule compliance.

Social media applications are not just a part of one’s personal lifestyle; they have also become incorporated into the corporate climate. Many places use these applications for marketing, file sharing, communication, and employee recruitment. While these applications can open up a great many doors of communication, some type of guidance or governance is necessary. Because banning the use of such sites is most likely unenforceable or impractical, a hospital or other such entity that must shield private information should at least require its employees to adhere to some Social Media Policy guidelines.

For instance, when using social networking sites, one should use a separate password for each site: if one password is reused everywhere, an attacker who obtains it can take over all of one’s accounts, and a breach of one account snowballs. Passwords should be complex and changed every 90 days. Social media sites should be accessed over SSL and only from trusted network connections, not coffee shops, especially for business purposes!

In the case of company documents or patient information, if it isn’t found on the company’s web page it probably should not be posted elsewhere. There are sites that exude a feeling of privacy and security, but are far from it. Allowing one’s corporate information security team to determine what sites are acceptable is the best option.

Another thing one should not do is post his or her own identifying information publicly, such as date of birth, his or her social security number, or an employee ID number. If a site requires this information, 1) it is most likely not a reputable site, and/or 2) one could make something up or ensure that it is not going to be displayed in a profile that will be public.

Some information may not be considered confidential; yet not posting these items to public social media sites is probably a good idea. This can include anything from rumors, to purchases the company plans on making, anything about the technology one’s company uses or will use, and any projects the individual may be working on.

So in one’s personal endeavors, it is most beneficial to all involved if confidential information, or information that could be considered secret, stays out of the hands of the public. Follow practical posting guidelines and do not share more information than is necessary in corporate social media activities.


Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*Free Website Security Test


Social Media Warfare: Are you attacking or defending?


Is there such a thing as Social Media Warfare? We have had cyber warfare going on for years now. So it should be an obvious “YES” that Social Media warfare exists. But is that true?  To get to a full blown war opposing sides go through an escalation process. Where are we in this process? From a pure cyber warfare perspective, we are in world war three, many opposing sides, lots of new and improved weapons, completely escalating attacks and no end in sight. Companies are used to conducting vulnerability management and risk assessment. This new war will require new tactics and defense strategies.

I think we have seen the first skirmishes of the war. It started with all the spammers morphing their tools into Facebook and Twitter hacking. Then moving into phishing. Then into negative attacks on your reputation by disgruntled customers and competitors. So what is the progression of this coming war? Is there a similarity to how “normal” cyber  warfare started? But why is this war inevitable?

The attack vectors in the Social Media War can probably be categorized into personal use and corporate use. If these are the assets that need to be protected, we can then figure out how the assets will be attacked, how the enemies will do reconnaissance, what alliances will be formed, and what the defense strategies and weapons for defense should be.

The progression of this war will follow different patterns and there is probably no end in sight. For each stage, here is what it looks like for the personal user and for the corporation.

Skirmish
Personal: Home users receiving spam, phishing attacks and scams.
Corporate: Corporate users seeing more phishing attacks; attackers going through LinkedIn profiles.

Protest Actions
Personal: Users might complain to attorneys general, or write nasty messages about Microsoft, Adobe or Apple security weaknesses.
Corporate: The IT department is inundated with help desk calls. Companies have the ability to complain to ISPs or even countries about originating attacks.

Negotiations
Personal: There really isn’t anyone to negotiate with. Writing on your Facebook wall will not do a darn thing.
Corporate: Companies definitely do not want to negotiate. But they will see blackmail more and more.

Failed Negotiations
Personal: The home user is basically screwed anyway.
Corporate: Succumbing to blackmail will only lead down a bad path.

Declaration of War
Personal: This is a de facto state for the home user. They are at war whether they know it or not.
Corporate: Companies have to take a proactive approach to security rather than a reactive one. Anticipate the next types of attacks and have a budget to address them.

Launch Attacks and Defend
Personal: Mostly defend: get your anti-spyware, antivirus, personal firewall and encryption up to speed. But after that, understand how attackers use social media.
Corporate: Spend massive amounts of money on understanding how to fight in the social media landscape; security hardware and software are not enough.

Allies Join the War
Personal: The home user can only rely on the social media companies for basic security.
Corporate: There will be more collaboration between companies and governments. Perhaps together they have a fighting chance. Regulations are also going to force changes.

Years of Conflict – Never Ending
Personal: What’s the next thing after Facebook and Twitter? Whatever it is will have its own security challenges. But by that time the home user will probably have given out every bit of personal information on all the social media venues anyway.
Corporate: A company can only rely on the right process to secure its social media usage. As technologies change and new sites go live, a good process and social media security policy are all you can rely on.

Winner
Personal: The ISP; they get to sell bandwidth.
Corporate: The VCs who fund companies like Facebook and Twitter.

I will get into more tactics in the coming war in future posts.

Gary Bahadur

CEO KRAA Security,  baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test


Building a Social Media Policy


Social Media Policy

Social media became part of the user community several years ago. Today we have social media in the corporate environment. The main problem we have is how social media has evolved: it has been a bottom-up approach. By bottom up I mean that the consumer has determined how to use a technology and the corporation is playing catch-up. But the social norms that are appropriate for a consumer “product” are not appropriate in a corporate environment.

Social media usage is being retrofitted into the corporate environment. But the consumer is already used to using social media in an insecure, “information must be free” manner. Employees who are used to giving up all their information in places such as Facebook and Twitter must now be retrained to use social media in a whole different manner to meet corporate standards (assuming we have a corporate standard for social media security). But what is a corporate standard for using social media in an appropriate fashion that does not put the company at risk? Corporations have not made a concerted effort to define that secure social media strategy, or even a strategy for training their employees in the “correct” use of social media.

 

Social Media Policy Infrastructure

What is a good starting point for implementing a social media policy? Here is a basic guideline.

1) Define a policy – You cannot assume employees will do the right thing without guidance. You already have things like Expense Policies, Acceptable Use Policies and Internet Use Policies. Write a basic guideline. What’s in that guideline will vary from company to company.

2) Information Classification – You have to explicitly define what information can be shared and what information should not be Tweeted, FaceBooked or BlibbedBlabbaded (I made that up) about. If your employees do not know how valuable information is, you cannot blame them for inadvertently letting it get sucked into the blogosphere. (I am not sure blogosphere is yet a word, but who cares.)

3) Keep it professional – If you allow your employees to Socialize (is that a word with any meaning here?) information about your company, you have to give them standards to follow. Cursing, grammar mistakes and casual conversational style might not be the image you want to portray when discussing anything related to your company.

4) Tracking and Monitoring – If you are going to have a policy for anything, you have to have a mechanism for tracking compliance, reporting on activity, and consequences for breaking that policy. How many tweets over the line before you bring an employee before HR? What is a firing offense in a Facebook picture?

This is a very abbreviated start. In later posts I will define more aspects of a social media policy. But let’s get the conversation started about the necessity for this as a standard policy in every organization, both large and small.

 

© 2012 KRAA Security LLC, Call 888-572-2911