Information Security Tips from Westfield Insurance: Physical Security

19 posts categorized "Physical Security"

Work Out the Bugs in Your Information Security

A free eBook on Information Security from the Westfield Insurance InfoSec Blog Team

In today’s global economy, the sharing of information has become essential to business transactions. From providing information through online billing, or managing multiple passwords for various platforms and operating systems, the world of business has become more sophisticated than ever before.

Just in the last decade, organizations have seen a dramatic conversion to digital information storage. Regardless of how your company stores customer or employee information, rules of privacy and security apply.

With increasing effectiveness, hackers are able to acquire sensitive information from your office, computers, servers, mobile devices and the like. That’s why it’s vital that your business implement basic security measures to help protect sensitive information trusted to your company and its employees.
Whether it’s the personal information of your employees or sensitive client information, your business needs to proactively take steps to eliminate unnecessary security exposures.

Introducing the Westfield Insurance eBook: Work Out the Bugs in Your Information Security.

Why an Information Security eBook?

In 2004, Westfield Insurance started publishing internal tips and reminders about computer and personal security to help serve as a reminder to employees about company-specific policies, as well as the importance of protecting their personal information.

After seeing the success of this approach, we expanded the distribution to include our network of independent agents and colleagues. In 2008, we officially launched the InfoSec blog, authored by members of our IT-Risk, Security and Compliance team.

Since that time, the blog has offered our readers tips on how to best protect private information from risks such as password and system hacking, spamming, tailgating and more.

Download our free eBook

We’d love to hear your feedback. Please comment below!

Westfield Insurance on 08 March 2011 | Permalink | Comments (0)

Securing Mobile: When a Phone is as Powerful as a Laptop

There seems to be a disconnect between want and need with respect to smartphones and information protection. Securing mobile is a “downer” along at least two main axes of mobile phone interaction: convenience and cost.

If your phone is as powerful as your laptop; meaning the operating system, the peripherals and the applications on your phone are as – or are more - sophisticated than those of your laptop then shouldn’t the security measures that protect the contents be similar? The real question here is, if you’re using your phone to process the same information as your laptop, then we have to ask – how can one justify not securing it to the same degree as your laptop?

My opinion is that the only logical answer is yes. For an increasing number of functions, phones are replacing laptops. I believe that there are ways to secure mobile phones to the same standard as laptops while minimizing the inevitable inconveniences and extra cost. The solutions require thoughtful re-evaluation and sensible compromise. Rather than slapping the old products from the laptop onto the smartphone, we should look at it as a qualitatively different platform.

Drawbacks to Treating a Smartphone like a “Small Laptop”

Here’s an example of when it may be typical to treat a smartphone as a “small laptop”.

Many companies now use URL filtering perimeter systems, such as WebSense, to prevent employees from accidentally going to infected websites. When an employee uses their laptop outside the company network, you may tell them they must “VPN into” the network before using the web. (This way, once the VPN tunnel is established, their browsing goes through the URL filter.)

It is possible to treat the smartphone like a laptop in this scenario, because there are VPN clients that work as well as the laptop version. Employees could be told to “VPN into” the corporate network before web surfing on their smartphone.

However, there are drawbacks: a) VPN clients take a fair amount of computational horsepower to run, and b) from a network architecture and management standpoint, why tunnel all that traffic from every mobile browser into the corporate core in order to turn around and go back out to the Internet?

Rather than treating the smartphone like a laptop, the solution may be to change how your URL filter works. So perhaps, instead of bringing the traffic to the filter, bring the filter to the traffic! Put the URL filter on the Internet, and everyone’s computer (smartphone or laptop) can get to it from everywhere. Companies such as WebSense and zScaler advocates and vendors of such solutions.

Speaking of changing the place where the processing happens – how about using another ancient solution? How about moving where the applications run and so, where the information is processed? I am speaking here of just using the phone as a window into the corporate computing environment. This is déjà vu all over again, the fat client/thin client debate of the 1990s – the Unix X Window system and Citrix ICA. The fact is that this class of “collapsed data center” solution, which once suffered complaints about bandwidth and server capacity issues has become increasingly viable not increasingly outdated. Since the days of the mainframe terminal sessions, the thin client paradigm was always attractive from cost, administrative and data security perspectives. Now the protocols for computing in the data center core and transmitting just the display have become more efficient and bandwidth has come down in price. Similarly, multi-core servers with dozens of gigabytes of RAM are the rule not the exception. This makes it very attractive indeed to just load the thin client app onto the smartphone and have it connect securely to the core to process corporate information which is also on the core. If the organization wants people to be able to drag and drop files or query results from the core within apps that run on the endpoint – then the endpoint needs heavy securing as described above. But if the thin client is set up so that information cannot be transferred from the core to the endpoint then one has a lot less to worry about in terms of “information leakage.” The “drag and drop” tradeoff being that the information the employee wants to transmit to their smartphone is not directly usable by other apps on their smartphone that make them more productive (e.g., transferring an address to the smartphones contact management system or its GPS app).

So where does this leave us? I think, for now, the choice is between:

a. Smartphones with powerful processors and awe-inspiring local apps and local corporate data loaded down with classical malware protections like encrypted file systems, anti-virus, URL filtering, anti-spam, personal firewalling (local or in the cloud)

b. Collapsed data center where the employees log into a virtual desktop running on a big server and all the employee ever has on their smartphone is a thin interface to corporate data on a far-away desktop

The convenience trade-off is clear – I would much prefer to be able to download a spreadsheet to the app on my phone and then hop on a plane and “play with the numbers” versus having to be on the network and constrained by my company's standard spreadsheet program.

Cost wise, the price of buying and administering standalone smartphones with high performance client software on them is much higher risk and less cost-effective than standing up a big server with desktop OS licenses, a few licenses for each app and issuing a thin client for each employee’s corporate or privately owned smartphone, laptop or desktop.

Is there is a happy medium? What do you think?

Next time we’ll discuss modifications to these paradigms that may remove some of the downsides to both, namely, data centers in the cloud and always connected mobile networking.

----------------------------

Some links to others thinking about the same topics:

http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/Pages/Mobile-Devices-May-Pose-Greatest-Threat-to-Confidential-Information-New-ISACA-White-Paper.aspx

http://isc.sans.edu/diary.html?storyid=9787

----------------------------

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust

John Brady on 18 November 2010 | Permalink | Comments (0)

Smartphones are great, but are they secure?

Something I've noticed over the past month is the tremendous amount of smartphones in use, whether at the grocery store, or in a local coffee shop. These devices are really pretty amazing, even playing some of the most high definition games on a simple little phone. I saw someone swipe their shopping card at the register the other day, I sure could use that. Up until the most recent series of smartphones, most people didn't really have the ability to store information other than contacts or small pictures on their phones. But now, the opportunities are endless. Most have browsing history available, pictures, videos, stored passwords, emails, and the list goes on and on, what's next? credit cards?

So what are people doing to ensure the sensitivity of the information stored on these devices remains sensitive?

The short answer is very little. I haven't come across many smartphones with a password set, and the memory card has only become increasingly easier to get at. Next time you have a few minutes (please not while driving your car), take a look at the security settings available to you.

Ensure you have a password on the device .
Review your application settings, do any applications have permissions to send information to the internet about you?
Check on your internet browser settings, paying special attention to your identity and privacy options.
Review the media (pictures, videos, text logs) that you keep on the device.
Check into solutions that will send a remote wipe to your device, in case its lost.
Know how to contact your provider to report the device lost or stolen as soon as possible.

Share your ideas for keeping smartphones and other mobile devices secure!

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

Jake Harris on 16 September 2010 | Permalink | Comments (0)

Sir, May I See Your Drivers License

I was reading some of the ever increasing material relating to identity theft and ran across an article that I wanted to share. Apparently there has been a sharp increase of fraudulent identification being given to police and state troopers when they are pulling people over in traffic stops and at driver’s license examination stations.

http://www.daytondailynews.com/news/ohio-news/ohio-highway-patrol-id-theft-increase-alarming-858936.html

Imagine getting a speeding ticket in the mail or having your auto insurance go up because someone falsely used your information when they were pulled over or committed a crime.

I wonder if the police will ever consider making drivers licenses into a multi-factor credential similar to how ATM cards work. With ATM cards, you have to have the card and know a PIN number in order to use it. That way when you presented your drivers license you would have to tell the policeman something that he could check to ensure that you were really you. I am sure that this approach could be easily bypassed as well.

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance. Sharing Knowledge. Building Trust

Bill Murray on 23 August 2010 | Permalink | Comments (0)

Shredded documents can be unshredded

Shredding is the ultimate defense, right? Once it's shredded, it's gone!

No longer. It was always vulnerable if your attacker had the shredded chaff and plenty of free time. Think of the shredded embassy documents from the Iranian Hostage crisis of 1979. Those students reconstructed the pages with nothing more than scotch tape and patience. More recently, methamphetamine users have been hired by identity theft ringleaders to do the same thing.

Bill Wilson of the Big I recently found a number of services which make the "unshredding" problem much more manageable. In the Enron case, the government hired ChurchStreet Technology to scan the chaff, then used computer algorithms to piece the documents together. They claim to take the recovery time from hundreds of hours down to mere minutes. It's expensive but not terribly complicated. And your trash is in the public domain - anyone can take it back out of the dumpster without breaking any laws.

So how do you fully protect your waste paper from those ID thieves with too much time on their hands?

If you're still using a strip-cut shredder, get rid of it now. Upgrade to a cross-cut that chops the paper into very small bits of chaff.
Feed your pages into the shredder vertically, that is, with the words perpendicular to the shredder blades.
Don't have unusual-colored paper. Or if you do, shred enough of it that it can't be easily picked out. The rule in the army used to be no less than 20 sheets of any given paper type in each shred "lot".
Stir the chaff before disposal. A careful attacker could exploit the fact that pieces from the same document tend to come out of the shredder close to each other and remain so in the waste bag. A few quick stirs can randomize the chaff and make reconstruction much harder.
Send the chaff to a paper recycler. Even the best reconstructors can't bring a page back after it's been turned into new paper pulp. Of course, you have to be sure that your waste isn't intercepted before it hits the recycler but there are several bonded shredding companies that will do that for you.

How much is enough? It depends on who's out to get you. For most home users and small businesses, one and two are probably enough. If you really have something to hide, consider three and four and look into five when your shredding contract comes up for renewal. Find the right balance, remembering that identity theft is real but that most of us are not dealing with DoD nuclear secrets.

Bill Wilson publishes a bi-weekly newsletter filled with useful information including a technology column in almost every issue. His target audience is an independent insurance agent but many of his topics are applicable to any small business owner. If you're not subscribed already, I recommend looking them up.

Mike Rossander on 28 September 2009 | Permalink | Comments (0) | TrackBack (0)

Lock your doors, here comes the Conficker worm!

You can hardly look at any news source anymore without being bombarded by articles about security incidents, privacy breaches, worms, viruses, zombies, botnet's or a host of other Information Security related headlines. The media really eats this Information Security stuff up.

This week’s news continues this trend.

Get ready for the “Conficker.c” worm that has already infected 5 to 10 million computers worldwide and is waiting for April 1, 2009 to awaken. The experts predict that the payload, which is what the worm will do when it is activated, will somehow involve people being separated from their money. This assumption is based on the knowledge that many of this worms predecessors have been targeted at convincing their helpless victims to purchase what they think is "anti-virus software" to protect their computers from the very worm that they are already infected with.

It really is all about money these days. Microsoft has even jumped in and offered a $250k reward for information leading to the capture and arrest of the worm writer.

Over the last few months the news has been filled with companies getting "hacked" and loosing their customer privacy related information (SSN & Account numbers, etc...). There have also been several companies that have just simply lost information through carelessness and bad security practices.

And over the next few months I am sure that we will continue to hear about more about companies losing information, more virus and worm scares that threaten society and more about victims who have lost money due to identity theft, phishing attacks or more worms.

I have been in the Information Security profession for a long time and while Information Security threats are ever changing, fast paced and have grown to ever increasing scales, there are some simple and basic things that companies and people can do to significantly reduce their exposure to these threats.

Not surprisingly, they are really just common sense, don't change much over time and you already know how to do them.

Patch your systems and do it all the time. The Conficker.c worm exploits a vulnerability that a patch was released to mitigate in October 2008. New patches are being released all the time. I guarantee viruses and worms will be written to exploit them.

Have basic protections in place like a personal firewall that blocks nonstandard traffic and antivirus software that is regularly updated and is configured to regularly scan your computer. We hear this all the time. Are you doing it?

Don't download and run pirated software or software that does illegal things. This includes peer-to-peer file sharing as well as pirated versions of your favorite tax software.

Be suspicious of everything. And even more so if someone or something is trying to help you or give you something for free. Nothing is free. Come on, you know that don’t you?

The bottom line is simple. Protect the information on your computer the same as you would protect your physical property. Lock your doors and windows. Don't let strangers in your house even when one comes to the door and wants to give you $100 dollars. Change your locks if you think that someone has been inside your house. Don't accept (or seek out) stolen property. If you receive a recall notice for your car because of failing brakes, make a point to get them fixed as soon as possible.

Security is security. Use the same logic with computers and information that you use to determine what you should and should not do with your valued physical possessions. Applying this logic will avoid the majority of the Information Security problems that you hear about in the news.

Bill Murray on 31 March 2009 | Permalink | Comments (1) | TrackBack (0)

Security mistakes you can fix cheap

Budgets are tight everywhere this year. It's tempting to put off investing in security because "we just can't afford it now." That's a risky strategy at any time but worse, it's largely an unnecessary attitude. There are many things you can do to improve your security posture that don't cost cash. They do cost your time and attention, though. Make fixing these common mistakes a priority.

Walk around your office some night and see how many people keep their passwords on sticky notes right on the computer monitor. Keeping track of passwords is hard. But writing them down and leaving them out for every casual visitor or after-hours maintenance person to see is inexcusable.
While you're walking around, see how many people left sensitive documents on their desks. Make sure that sensitive documents, especially including anything with an SSN or Drivers License Number on it, is put away at night. If you absolutely can't implement a clean desk policy in your office, at least flip over the top page in the stack to reduce the temptation to snoop.
If you allow the use of thumbdrives in your environment, make sure you watch for them, too. Thumbdrives are high risk devices - very easy to steal.
Make sure people keep their access cards with them at all times. Access cards are your credentials. If they fall into the wrong hands, the bad guy effectively is you. He/she can do anything you can do and you will get the blame. Access cards should be protected as carefully as the data they protect. (And, by the way, neither under your keyboard or in the top right drawer of your desk is a safe place to keep them. Thieves know to look there.)
Prevent tailgating and make sure your visitors are escorted. Challenge unknown people - politely but directly. Don't assume that just because a person is in your area that they have a right to be there.
Remember the fax and the printer. Countless sensitive documents get overlooked and often forgotten or lost when we send them to the printer. Make sure you have internal control and that documents get picked up immediately.

based in part on a CSO Online article

Blog changes

In other news, this will be my last tip for a while. Westfield has asked me to take on some new responsibilities within our Legal department so some of the other members of the Information Security team will be stepping up to the publication of these tips. Writing the tips has been a lot of fun. I hope they have been helpful to you. Stay safe.

Mike Rossander on 27 January 2009 | Permalink | Comments (0) | TrackBack (0)

Stolen laptops

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It's not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don't think you've ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee's practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don't give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet - out of sight, out of mind. Don't assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don't just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You'd never be that careless at home. Don't let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it's time to ask for your free copy of your credit report from the next agency.

Mike Rossander on 03 November 2008 | Permalink | Comments (0) | TrackBack (0)

Cover up your documents

How many people have access to your desk when you're not around?

I assume that your co-workers are basically good people. If they weren't, you wouldn't have hired them in the first place. Does that mean you know everything about them? Or would you be like so many on the news commenting after the fact that he/she "seemed like such a nice person"? It would be a wonderful world if we could trust every person we met. Unfortunately, even good people can fall prey to temptation.

You also need to worry about the people you didn't hire. If you're like most small offices, the landlord's cleaning staff, contractors, visitors and many other outsiders have some degree of access to your space. And you generally have few assurances about who they are, what background checks were run or what supervision they receive.

You have to assume that people you can't know have access to your space when you're not around. Most of them are good people. Do what you can to help those honest people stay honest.

Always turn off your computer at night. Don't just lock the screen. If your IT team has set it up properly, extra protections will kick in when you shut the computer all the way down.
If you have a laptop, lock up it in a desk drawer at night. Laptops, PDAs and mobile phones are high-theft devices. Don't make it easy for the thief.
If you have enough space, put away your paper files at night. Lock them in a desk drawer or filing cabinet. Even if the cabinet doesn't lock, it will at least be more obvious when an unauthorized person is snooping though the files. It's harder to tell when someone is snooping through the papers on top of your desk as they are "cleaning" it.
If you can't lock the papers up, at least put a cover sheet or blank page on the top of the pile to protect the confidential information from casual oversight.
Make sure you collect papers off faxes and printers as soon as possible. Don't leave them exposed to guests and others walking the halls.
If you see something suspicious, call for help. If you have an internal security team, make sure everyone in the office knows how to contact them both during and after normal business hours. If your office's immediate action drill is "call the police", make sure they know how to do that, too.

Mike Rossander on 29 September 2008 | Permalink | Comments (0) | TrackBack (0)

Safe vacationing (encore tip)

It's hard to believe that it's almost Memorial Day and that people will start leaving for summer vacations soon. Please take appropriate precautions both before you leave and while you're on your vacation to reduce your risk of fraud and identity theft.

Before you leave:

Clean out your wallet.
- Use traveler's checks or credit cards for payment. Leave your checkbook at home.
- Leave your debit card(s) at home. Under federal law, your liability is limited if your credit card is misused. If your debit card is stolen, you could lose all the money in your checking account.
- Take an ATM card that does not have debit card privileges. Your bank should be able to issue you an "ATM only" card.
- Never carry your Social Security card in your wallet.
- Leave any unneeded credit cards and any other unnecessary documents at home.
Photocopy your wallet and keep the copy in a safe place. If your wallet is stolen, the copies will tell you who to call to get your cards canceled. Note: If you will be gone for a long time, consider leaving a copy with someone you trust who can help you cancel the cards while you're still on the road.
Stop your newspaper delivery and have the Post Office hold your mail (or ask a trusted neighbor to collect them for you). The bills and account statements in your unlocked mailbox are a goldmine for an identity thief. And the packages and newspapers piling up on your front step are a sure sign to a burglar that you are away.

While on your vacation:

Don't leave your wallet, passport or any identifying documents in your hotel room unattended. Use the hotel safe if it's available.
Keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.
Guard your credit card receipts and rental car agreements, especially if they contain your full credit card number or driver's license number.
Use ATMs at banks or credit unions and which are in well-lit areas.
If you are taking your laptop with you, be very careful when using it for on-line banking and other password-protected services, especially if you are connecting to a wireless hotspot.
Be equally cautious of cyber-cafes and other public-access internet facilities. Anyone could have left a keystroke logger on the machine in order to capture your ID and password.

By the way, there will be no InfoSec Tip next week. Have a safe holiday.

Mike Rossander on 19 May 2008 | Permalink | Comments (0) | TrackBack (0)

"Hi. How can I help you?"

If you're in a business, train your team to ask strangers "Hi. How can I help you?"

The wording of the question is important. "Can I help you?" gives the person the opportunity to say "no." The word "how" quietly forces the person to state a purpose. If he/she is unable to answer this question easily, that is a tip-off that the person could be up to no good. Be polite and personable but don't let strangers go unchallenged.

Make sure you teach your team what to do when someone strikes them as suspicious. If the person claims to have forgotten an ID badge, have him/her escorted to your main entrance to be properly signed in. Likewise, if the person claims to be law enforcement, escort him/her to your Security Office so that credentials can be verified. Remember, badges can be faked.

based in part on a CSO Online column

Mike Rossander on 28 April 2008 | Permalink | Comments (0) | TrackBack (0)

What to do when you lose your wallet

My brother-in-law had his wallet stolen over the weekend. In the interest of learning from the misfortunes of others, here are some things to think about.

Never, never, never carry your Social Security card in your wallet.
Photocopy your wallet about once a year. Lay the contents out on a copier (front and back) so you have a record of all the cards and contact numbers.
Only carry the cards that you use on a regular basis. Leave the rest in a safe place at home. If you have bills set up to auto-pay by credit card, use a card that you leave home. Otherwise, you'll have to change all those accounts when the card is cancelled.
When your wallet is lost or stolen, immediately call the financial institutions and start canceling the cards that were lost.
Call the three credit reporting agencies and put a fraud alert on your account. Consider putting a credit freeze on your account. (A fraud alert is free but must be renewed in 90 days. A credit freeze will typically cost $10 and requires extra effort to have lifted when you want to apply for credit legitimately but it provides somewhat better protection.)
If you haven't reviewed your credit report lately, do it now. Follow the instructions at annualcreditreport.com.

Police advise men to keep the wallet in their front trouser pocket, not a jacket pocket and definitely not a rear pocket. Police advise women to keep their purse with them and to carry it on their strong-hand side (if you're right-handed, carry it on your right shoulder).

If you're traveling, keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

Mike Rossander on 21 April 2008 | Permalink | Comments (0) | TrackBack (0)

Tailgaters are a danger to everyone

No, I'm not talking about the Browns fans drinking in the parking lot. I'm not even talking about the road-ragers who think that we'll drive differently just because they're close enough to read the fine print on your license plate renewal sticker.

The tailgaters we need to worry about at work are the neatly-dressed people who quietly walk up behind us and expect us to politely hold the door even though they have no right to be in our building. Tailgating is the art of acting like you belong and of using social pressure to convince people to ignore their own rules and policies. Tailgaters practice coming up behind you with just the right balance of professionalism and distractedness so that you believe that they belong. Good tailgaters come prepared with a plausible excuse why you should "be a nice guy" and break the rules – "It's raining ", "My arms are full", "I forgot it in my desk last night", etc. There is no way to identify a scammer just by looking at him or her.

Tailgaters represent a real risk for your organization. Once in the building, they can steal information, compromise systems or worse. If the intruder is a disgruntled claimant, a former employee or a significant other, they could be attempting to get into the building for violent reasons.

Whatever your entry control procedures are, you should have a strict "no tailgating" policy. Do not let staff hold the door for anyone until you are sure that they are authorized to be in the area. If your building uses security badges and someone tries to follow you through a controlled door, demand to see their badge. If they are a visitor, politely escort them to your main entrance and get them properly signed in. (You do have a Visitor's Log, of course. If not, here's a template you can use. Visitor Logs are surprisingly effective at deflecting these criminals to other, easier targets.)

You also need to know what your office's emergency reaction plan is before someone forces their way in. Know who to call and how to report the breach. Don't put yourself in harm's way but do not allow the intruder to wander your halls unchallenged.

Mike Rossander on 26 November 2007 | Permalink | Comments (0) | TrackBack (0)

VIP Cons

Recently, four Westfield folks went into Cleveland together for a Cavalier's game. As they pulled into the arena's parking garage, they noticed that several of the parking spaces had been marked off with traffic cones. One of the parking attendants removed one of the cones and waved them into a very close parking spot on the same level as the pedestrian bridge to the game. They assumed that it was some sort of VIP treatment that came with their tickets. They locked coats and purses in the trunk, then went in to enjoy the game.

Over the next three days, all four reported that their corporate credit cards had been used for fraudulent transactions. Police believe that the car was "marked" by a confederate working as a parking attendant based on the make of their car and their professional appearance. He waved them into the "VIP spot" so his confederate would know which cars to target. The criminals either picked the lock of the car with a slim-jim and popped the trunk from the inside or recorded the electromagnetic code of the trunk's remote so they could open the trunk themselves.

When the four people each checked their wallets, only these corporate credit cards had been stolen. Personal cards, personal checks and cash were untouched. It's human nature to pay more attention to our personal accounts than to a faceless corporation's account. Intelligent criminal exploit that trait and selectively target who and what to steal so they can go undetected as long as possible.

The bank did an excellent job of handling the fraudulent transactions but we all pay when the criminals get away. It is extremely unlikely even with this evidence that criminals will be caught or prosecuted. Sometimes the best we can do is to avoid being targets in the first place.

If someone's offering you a service that seems too good to be true, it probably is. Be extra cautious (and a little bit suspicious) when someone is giving you unexpected special treatment.
Keep your valuables with you whenever possible.
Watch your credit card accounts (personal and corporate) carefully.
Always lock your vehicle.

Mike Rossander on 23 April 2007 | Permalink | Comments (0) | TrackBack (0)

How do you get rid of an old computer?

It's time for spring cleaning and you finally want to get rid of that old computer that's been gathering dust for so long. What will you do with the old one? You can't just give it away or sell it. There are thieves who specialize in buying used computers on eBay just to search them for private or financial information before reselling them.

Even if you remembered to delete your files, the data is not really gone yet. (When you delete a file in Windows, all that really happens is that the file information is removed from the computer's "table-of-contents". The data is still on the hard-drive and will stay there until Windows decides that it needs to overwrite that particular space with a new file. That can take months or years.) Even re-formatting the hard-drive does not sufficiently wipe the data. You might hide it from a casual hacker that way but a determined attacker using the latest techniques will be able to reconstruct your hidden information. Read this PC World article for more.

You also can't just put the old hardware out on the curb with the weekly trash. Even if it doesn't get taken from your trash by some passerby, there are hazardous materials within most of the devices that should be properly disposed of. Here are some steps you should take:

Make a couple of backup copies of important data and programs by writing the files to CDs.
Use one of the free or relatively inexpensive software programs available that will write over the data on the hard drive. This ensures that no one will be able to access your personal information later even if they try to use data-restoration software. Click here for a review of several common programs.
If you can, donate or recycle the equipment. Computer manufacturers often have suggestions on their websites (see for example, Dell or HP) and may even offer free pick-up and will work with local agencies in order to donate or recycle the equipment. You can also look for local donation sites at websites such as Earth 911. Finally, many counties offer computer hardware drop-off locations at their hazardous waste collection and recycling sites (e.g., Medina, and Summit counties) .

Note: Several donation programs ask that you not delete the operating system or software from your computer, arguing that schools can't afford to replace the software. This is in general untrue. Most schools, like most corporations, buy "site licenses" and can reinstall the operating system at a fixed, discounted rate. If you do want to donate the software along with the hardware, give them the original installation disks and let them install the software themselves. Always wipe the drive before you donate it.

Mike Rossander on 02 April 2007 | Permalink | Comments (0) | TrackBack (0)

No Tailgating

My mother taught me to be polite and always hold the door for strangers. Those early lessons are hard to ignore, especially when the weather is bad. It is very hard to tell a coworker "no" and force them to walk around to the main entrance of the building in the rain or snow. Unfortunately, in today's world of identity theft, litigation and physical violence, those polite habits are increasingly a threat to the safety and security of our coworkers and customers. Imagine the risks if you let someone in who does not belong here. With unescorted access to our building, an intruder could pick up enough information to commit identity theft against our customers on a massive scale. Or worse, the intruder could be coming in with malicious intent toward a fellow employee.

Every company needs have a policy about visitors and needs to enforce a strict "no tailgating" policy. Visitors should always be signed in and out of your facility and should always be escorted while in any non-public part of your facility. If a customer or other important visitor comes to the wrong door, politely greet them and then tactfully escort them to the correct entrance so they can be signed in.

Employees and contractors should be required to show their authentication every time they enter the building. Do not hold the door for anyone and please do not expect someone to hold the door for you. This is an essential part of security discipline.

If someone does follow you into a non-public part of your building and/or refuses to show their ID badge, immediately go to the nearest phone and call your local Security contact. Give them your name, location and a description of the intruder. The borders between information security and physical security are increasingly blurry. These days, security is everyone's job.

Mike Rossander on 12 February 2007 | Permalink | Comments (0) | TrackBack (0)

Photocopy your wallet

If your wallet is ever lost or stolen, you need to immediately contact the issuers of all the credit cards and identity documents and begin the process of getting new cards.

About once a year, lay out the contents of your wallet on a photocopier. Copy both the front and back so you have a record of all the card numbers and phone numbers.

Be sure to keep the copy in a very safe place. When you make a new sheet, be sure to shred the old one so it can not be misused.

File a police report immediately in the jurisdiction where your credit cards or wallet were stolen. Do not wait until you return home. Promptly calling the police shows to the credit providers that you were diligent and will be the first step toward their investigation.

Consider calling the three national credit-reporting agencies to place a fraud alert on your name and social security number. That will make it a bit harder for the thief to open new accounts in your name.

If you are traveling, keep your identity document (passport or drivers license) separate from your wallet. You should also carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

Mike Rossander on 22 January 2007 | Permalink | Comments (0) | TrackBack (0)

Private information on cell phones

The average cell phone has a life expectancy of 18 months. What happens to all your personal information when you upgrade your phone? In too many cases, that personal information gets passed along to the next user.

Personal information can include:

stored phone numbers and addresses	usually not much of a worry
records of calls made or received	not a problem unless you've been talking to someone that you wouldn't want your spouse or employer to know about
pictures	again, may not be a problem depending on what kind of pictures you took
copies of text messages sent and received	often a serious privacy issue
the speed-dial setting for your voicemail with both the access number and password	potentially very serious

This is not an all-inclusive list. Modern phones also include calendars, memo pads, to do lists and other applications, all of which you might have used and which might have personal or business information that should be kept private.

Most phones include a delete function but independent reviews of those delete functions show them to be mostly pretty poor. Good hackers can undelete the information on most common cell phones with only a little specialized equipment and knowledge. To protect your privacy:

Treat a phone's text message service with the same caution that you use for unsecured email. Be especially professional in your use of text messaging.
Make sure that your old information is really gone before giving the phone to a friend, family member, charity or try to sell it online. (If all else fails, a 2½ lb sledge hammer does a very reliable job of making the data unreadable – but it won't be worth much when you're done.)

For additional information and a real-life scenario, read this recent story from CNN.com.

Mike Rossander on 11 September 2006 | Permalink | Comments (0) | TrackBack (0)

ATM Skimmers

Some thieves use a tactic called ATM skimming to steal your card number and PIN. While this tactic has been used for several years in large cities and tourist areas, there is some evidence that the tactic is now being used more in smaller areas.

ATM skimming depends on a device that clips onto the outside of the ATM and sits on top of the cardslot. The device is camouflaged to look like a normal part of the ATM. When you insert your card, the skimmer reads the magnetic strip as it goes past into the regular ATM card reader. The skimmer does not interfere with the operation of the ATM.

The thief will often also put up a small camera positioned to watch your hand as you enter your PIN. The camera might be camouflaged as a brochure holder. These devices often have built-in antennae to send the numbers wirelessly to the thief's computer in a nearby car.

See this Snopes.com article for pictures of an ATM skimmer in place.

Banks regularly check their ATMs for these devices but if you see something suspicious, you should call the Bank immediately. If your bank offers a "smart card" (a card with an embedded chip), those are currently secure from most skimmer attacks. Regardless, you should always monitor your bank statement carefully to make sure that all the transactions on it are really yours.

Mike Rossander on 21 August 2006 | Permalink | Comments (0) | TrackBack (0)

Information Security Tips from Westfield Insurance

Search

About

Categories

Westfield Links

Westfield Blogs

InfoSec Favorites