
19719 Nugget Ave, Bend, OR 97702 541-390-5971 M3ktodayinc@gmail.com

Article: Cyber-Security Strategies
Proactively mitigating sound strategies to protect yourself and your family

In honor of October, Cyber Security Month
By D Kennedy, 2013

Some folks take cyber security very seriously, and others do not. However, as society moves into a digital era, it's becoming increasingly important that everyone realizes the need for [at least some] security. Like locking the doors on your home, cyber-security is an important part of our everyday lives. In this article, we'll address the realities of security problems involved with modern day technology (why security is important) and how to follow simple strategies (for individuals and businesses alike), to help ensure your information is protected.

THE REALITIES

In 2005 I was helping a client to clean out their emails one at a time (a long and laborious process) when I came across an email they had sent to a business partner asking to transfer millions of dollars, giving their bank account and routing number. Until that point, I had never actually seen this done (although I knew it really happened). There have been countless times that I have come into homes, and businesses (of every size and scale), and found unsecured, wireless routers, sharing an internet link for anyone who was close enough. I have worked with numerous people who have had their email accounts compromised, trying to undo the damage from impersonation.

The lessons learned: identity and financial theft, security breaches, and information loss are all very real attacks that happen to people each and every day. There's a reason that doors are built with locks and technology with passwords!

The number and cost of these attacks is astounding:

- Human errors and systems glitches caused nearly two-thirds of data breaches globally in 2012, while malicious or criminal attacks are the most costly everywhere at an average of $157 per compromised record. (Ponemon Institute and Symantec, 2013)
- Malicious attacks (defined as a combination of hacking and insider theft) accounted for nearly 47 percent of the recorded breaches in 2012 in the United States. Hacking attacks were responsible for more than one-third (33.8 percent) of the data breaches recorded. (Privacy Rights Clearinghouse, 2012)
- Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks. More than 232.4 million identities
were exposed overall during 2011. Deliberate breaches mainly targeted customer-related information, primarily because it can be used for fraud. (Symantec, 2012)
- Total number of records containing sensitive personal information involved in security breaches in the United States is 608,087,870 in 3,763 data breaches since January 2005. (Privacy Rights Clearinghouse, 2012)
- In 2012, the Identity Theft Resource Center (ITRC) documented 447 breaches in the United States, exposing 17,317,184 records. In the first half of 2013, there have [so far] been 255 incidents, exposing 6,207,297 records. (Identity Theft Resource Center, 2013)
- Through 2016, the financial impact of cybercrime will grow 10 percent per year due to the continuing discovery of new vulnerabilities. (Gartner, 2011)
- The average value of a lost laptop is $250,000 and the data breach costs represent 80 percent of the total cost of a lost laptop compared to two percent for replacing the computer. (Ponemon Institute and Intel Corp., 2010) (updated)

SOURCES OF DATA LOSS AND HOW TO DEAL WITH THEM

EMAIL SECURITY

Security breaches with emails come in many different forms. A common mistake is failing to take the time to send an email properly. An important rule to follow is the Double Check rule (double check before you send). Make sure you pay attention when responding to or sending new emails. Take a few seconds to double check the recipient list before you send out an email. Personally, and with my clientele, I have witnessed emails sent with carbon copies to a large number of people who were never intended to receive them; it turned out to be personally embarrassing and, more frequently than you would imagine, it has cost workers their jobs (due to the security breach of confidentiality).

Guard the information you send. The simple plan is not to transmit passwords, account numbers, insurance numbers, social security numbers, phone numbers, addresses and other personally identifying and important information. Ask yourself:

- Can you write the information down on a sheet of paper and just as easily hand it to the person you were going to email?
- Can you call the other person and read the information over the phone?
- Can you use a secured system (such as a video conferencing service like Skype), or a collaboration website, sharing a desktop or a file?

Even though data can be hijacked in transmission, using an alternate method to share vital information is an ounce of prevention that could result in far more than a pound of cure. While the advanced technology/information age has resulted in a society of conveniences and a need to move faster, no convenience is worth the devastating losses that can occur.

Email is also an integral part of business operations in today's cyber-age. Email provides rapid deployment of information, productive communications and effective document sharing. Most
companies have a tag line below their signature that works as a disclaimer for transmitted information, for example:

This e-mail message and any files transmitted with it are confidential and intended solely for the use of the individual(s) or entity(ies) to whom they are addressed. It may also be privileged or otherwise protected by work product immunity or other legal rules; disclosure, copying, disseminating or performing any other similar act may infringe on copyright or any other legal rights. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information or any of its attachments, or similar act is strictly prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system and please confirm that it has been entirely removed from your email account and computer system.

While such a tag line is good, it's only effective retroactively (after the fact), when pursuing legal recourse for a devastating security breach. Secured company file sharing or collaboration servers, online collaboration and similar methods for document sharing prevent company files from being lost in cyber-space.

"If you are running a small business and managing your accounts online, you'd be wise to expect a similar attack on your own accounts and prepare accordingly," (Krebs, 2013). Develop IT Communication policies that restrict sensitive data. Perform physical accounting checks and keep an eye on the flow of data and finances. A proactive strategy designed to minimize the threat and make things more difficult for criminals can make things easier for you.

SOCIAL MEDIA

Facebook, Myspace, Twitter and other systems may provide for additional social interaction that folks enjoy using, but like so many other technologies, social media has integrated so quickly into our society that the responsibility and maturity needed to handle it properly is lacking. Anything that is put online (photos, addresses, phone numbers, names, anything) is information that can be harmful to you and your family. Posting the names of schools, events, plans (such as vacations), and updating your status opens you up to malicious attack. Identity thieves will use your details to assume your identity, commit fraud and other crimes under your name, and even victimize the people in your network (Mali, 2013). In 2012, around 12.6 million people became victims of identity theft. It takes years to undo the damage and harm to finances, reputations, and for a select few, criminal accusations that arise from such fraud.

But, it's not just identity theft that is an issue. Criminals actually use social media sites to determine when people are going on vacation, when they'll be home, who their friends and family are and what they own. Social media must be handled with even greater care than interpersonal interaction because you cannot see who is on the other end of a connection. While it's fine to use social media to share thoughts and ideas and discuss topics, it's not a place to tell people where you are or what you're doing.

For people with children, social media is much more than just a threat to your identity and possessions; it could spell a lot more trouble. There's nothing wrong with checking in on what our kids are doing and making sure that they
(being that they have yet to experience the world and all the dangers, abuses and manipulations out there), are not being taken advantage of in the online community.

Unless your business relies on social media or you are the webmaster (designer) for the company, nobody should be on social media websites on work computers. It's fine if you're okay with employees and staff having an option for a wireless network (secured away from your business network) to connect their own devices to; just make sure it stays separated. Properly used I.T. strategies with routers and firewalls can more readily block social media sites and protect your computers.

CELL PHONES

Smart phones are fun, stylish and have become a status symbol in today's world, but they too have rapidly infiltrated our world without much opportunity for the public to understand all of the risks. From text messaging to sending pictures, your phone is a veritable source of live-streaming information about you! How many times have you (or someone you've known) sent a text only to realize you sent it to the wrong person? For a while, Samsung mobile users were continuously sending messages to the wrong recipients until eventually, they realized that they were pushing the correct recipient, but the phone's software had a glitch. In 2011, Google reported the bug and their effort to fix it (Solomon, 2011); yet, the problem continues to persist. These are not isolated incidents.

What if you were sending a social security number to a family member and accidentally sent it to an identity thief? Even worse than that would be sending a picture or personal message to a loved one only to have it end up in the hands of a malicious user who posts it online. Cell phones provide a unique feature that allows us to get around these problems: voice phone calls. While software glitches sometimes prevent us from knowing the message is going to the wrong place (although, much like email, taking a second to check the recipient list will help), when it comes to sensitive data, a phone call is the ounce of prevention that can save lifetimes of humiliation and hurt.

Businesses and cell phones are an odd mix. Some businesses restrict employees from having their cell phones during work hours (although they may rely on these employees having cell phone access outside of work using their personal phones), while others want employees to have access at all times. Whatever your company's preference, if you permit employees to access any company files, emails or other systems with their cell phones (company issued or personal), your I.T. staff should provide you with written policies for securing, tracking and maintaining cell phones. Of course, the most frustrating aspect of a salesperson's job is surrendering the cell phone to the I.T. department for upgrades, but with all the great deals on the market today, investing in a swappable-spare phone can provide immediate solutions.

PORTABLE MEDIA

It's common for companies to restrict external flash drives from coming indoors or to have equipment checked in at departure. While this is inconvenient for those folks who want to take their work home, tablets, laptops and other media still roam free. Users connect their portable devices to any wireless network they can find, such as public wi-fi at airports. But, what's worse than having your company
information being transmitted across a public wi-fi system at an international airport? Actually, there is something worse: having employees use their laptops and phones in public, talking out loud, entering passwords that can be video recorded with cell phones and so on. These are not creative hacking techniques; they are commonplace, malicious activities that are increasing with every passing day. Simple solutions such as portable encryption keys, wireless air cards and other company-owned technology will keep your sales force moving without letting your data move into the wrong hands.

But, this goes for individuals, too: Despite hiring an in-house security expert or an outsourced IT consultant, seventy-seven percent of organizations have experienced data loss in the past year. The most frequent cause of data loss was stolen or lost equipment like laptops, smartphones and flash drives. In fact, according to Dell, 49% of data breaches were due to lost or stolen laptops or devices such as USB flash drives. In fact, insecure mobile devices was third on the list of root causes for lost data, preceded only by network attacks. (Cagen, 2011)

Recently, more than 20,000 students in the Boston Public School system had their data compromised when the district's ID card vendor, Plastic Card Systems, lost a flash drive (Boston Public Schools, 2013). The simple mistake of misplacing a small, portable drive can mean the difference between finding yourself (and/or your company) the victim of a malicious attack, or not.

Using a device that can be remotely wiped is an invaluable tool in protecting your information. Cell phones, wirelessly connected tablets or laptops, and other such devices can provide that service. While there may be a cost attached, if you're going to travel and carry extremely valuable and personal information, the cost is nothing compared to the loss.

PASSWORDS

Computers provide us with wonderful opportunities to digitize endless streams of data and more rapidly access our information. One of the most basic security measures for these systems is the password. All too often, people write down their passwords on the devices they have secured, or use familiar terms that can be discerned by the most simple of minds.

Recently, I worked with highly dangerous, portable equipment capable of producing life threatening levels of x-rays. While my job entailed accessing its data, both the use of the machine and data access were protected by a four-digit pin. Unfortunately, the owner had left and we were unable to access the extremely vital data needed to complete a project. Upon contact, the owner gave us only one clue: he had never changed the password and didn't remember what it was, telling us to go ahead and try whatever we needed to do. Using deductive reasoning and strategies (or rather, taking a wild shot in the dark), I tried the most likely of all default passwords: 12.3.4; and guess what? It worked! Sadly, I now had access to not only the data we needed, but the data from other companies (which, as an I.T. professional, I had an obligation to protect and secure) and even access to the device's operations.

From your wireless router to your pc, from your firewalls to your cell phones, and from your social media apps to your email: you need to use the password option. Like having to unlock your front door when you come home, it may not be convenient because you want the information, fast! But, it's more inconvenient when you set it down and walk away without it, knowing that you were on your bank's website and access to your account was up and available on the screen.

And, like having different keys for different locks, passwords need to be unique. Use different passwords for different systems. Using a strategy of developing familiar password terms makes diversification a lot easier. Individuals should not be using the names of their children, pets, or loved ones. Businesses should have I.T. policies that require strict password settings using alphanumeric characters, mixing capitals, numbers, letters and even the occasional symbols (such as exclamation points, dashes, etc.). There are excellent strategies for complex passwords (that can be used by individuals and businesses alike) that you can easily find with a search online, such as GCN's recommendations in their article: Our picks for the best password strategies (McCaney, 2010).

And, for both individuals and businesses alike: change your password. Depending on the value of your information, you can go from weekly to monthly password changes. For some folks, changing passwords once every few months works (although this is never recommended for businesses). And, write your passwords down in a safe location, locked up, and away from the device they secure. Be strategic and creative. The more creative you are, the more difficult it is for hackers to steal your information.

CONCLUSION

We all want to enjoy the speed and productivity of this new, cyber era. We live in a culture (especially in America), believing that these things won't happen to us personally, but they do. Not taking action is setting yourself up to be a victim, and while there may be a criminal to blame, you'll also be left blaming yourself. There is a middle ground. You can enjoy the technology and still enjoy the safety that can easily and inexpensively be used right along with it.

The key to success is in habituation. Human beings are creatures of habit. Change is difficult for us. But, once we've adapted to a change (which typically happens very quickly), we become faster at it, better at doing it, and pretty soon, don't even notice we're doing it. So, make sure your computer equipment has a password and is locked. Make sure you update and change your passwords frequently. Don't use emails to send identifying or revealing personal or financial information. Social media is fine, but use it responsibly. And, don't carry around portable devices with all of your personal information without making sure you can quickly and securely wipe them clean.

Before long, you'll be typing in passwords like a pro, your equipment will run faster and better than ever, and you'll have the sense of security that will make your experience in this cyber age far more enjoyable than without it. Individuals can also consult with a local I.T. specialist in their area to review the status of their security, while businesses can consult with a Systems Analyst (such as myself), and for a reasonable rate, obtain a thorough review and analysis of the state of their security (as an outside consultant or part of a full-time I.T. staff) to add to that peace of mind. While there is no 100% foolproof system, an ounce of prevention is well worth the gigabytes of cure!!

Daniel Kennedy is a Systems Analyst and Technology Specialist with a degree in Computer Information Science Technology and holds certifications from multiple sources for computer support, training, network support and security.

Works Cited

Go online and learn more:


Boston Public Schools. (2013, Aug 12). BPS changes student ID badges to prevent unauthorized use after vendor loses drive containing image files. Retrieved from News: http://www.bostonpublicschools.org/view/bps-changes-student-id-badges-preventunauthorized-use-after-vendor-loses-drive-containing-imag

Cagen, Y. (2011, Aug 2). Your IT consultant says your data is safe. Statistics say otherwise. Retrieved from Small Business Cloud Computing: http://info.isutility.com/bid/62507/Your-IT-consultantsays-your-data-is-safe-Statistics-say-otherwise

Gartner. (2011). Gartner Top Predictions for 2012: Control Slips Away.

Identity Theft Resource Center. (2013). ITRC Breach Report.

Krebs. (2013, Apr). Washington Hospital Hit By $1.03 Million Cyberheist. Retrieved from Krebs on Security: http://krebsonsecurity.com/2013/04/wash-hospital-hit-by-1-03-million-cyberheist/

Mali, J. (2013, August 26). Social Media: ID Theft, Scams and How to Prevent Becoming a Victim. Retrieved from SitePro News: http://www.sitepronews.com/2013/08/26/social-media-id-theftscams-and-how-to-prevent-becoming-a-victim/

McCaney, K. (2010, May 25). Revealed: Our picks for the best password strategies. Retrieved from Password-ideas-winner: http://gcn.com/Articles/2010/05/25/Password-ideaswinner.aspx?Page=1

Ponemon Institute and Intel Corp. (2010). The Billion Dollar Lost Laptop Study.

Ponemon Institute and Symantec. (2013). 2013 Cost of a Data Breach: Global Analysis. Retrieved from http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon2013&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jun_worldwide_CostofaDataBreach

Privacy Rights Clearinghouse. (2012). A Chronology of Data Breaches.

Solomon, K. (2011, Jan 7). Google Solves problem of Android texts going astray. Retrieved from TechRadar: News: http://www.techradar.com/us/news/phone-and-communications/mobilephones/google-solves-problem-of-android-texts-going-astray-920189

Symantec. (2012). Internet Security Threat Report Volume 17.
