InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
How a digital copier can become a treasure trove for an identity thief, because they have a hard drive which permanently store all images which have been digitally printed, scanned, faxed, emailed or copied on that printer. Storing images on the hard drive can be a huge threat to the security of an organization and a serious breach to the privacy law when these printers need maintenance, needed to be returned at end of a lease period or simply retired without erasing the data from the hard drive.
Due diligence of erasing the data before an identity thief gets their paws on it is squarely falls on the shoulder of the organization who owns the digital printer.
As we all know that credit card frauds are on the rise and crooks are utilizing more advanced techniques to acquire credit card information. In these circumstances anyone can lose their private and credit card information to crooks. Individual due diligence is necessary to protect credit card information and below are few measures which can help to protect it.
– At least once a year (or preferably every 6 months) report each one of your cards missing, so that your credit card company would issue you a new card. This is because often crooks steal credit card info but they wait to collect many (at least a million) before they sell them and this process typically takes a year (according to FBI) so most of the times your credit card info may be compromised but you don’t know about it until the crook sells it to a buyer and then in a matter of 1-2 weeks you get hit by tons of purchases and before you know it you credit card is maxed and you are stuck with proving it wasn’t you.
– Sign up with www.LifeLock.com, instead of the many identity theft programs that your bank offers. This program costs about $80-$100 a year (similar in cost to what banks like Chase and WFB offer) but this program TRULY covers all the costs of when your identity is stolen and cards are maxed. They do by far MORE than the other programs that banks offer and they cover all the costs that you may incur (including replacing your PC that maybe infected with a virus).
– If anyone calls you (from Visa, MC, AmEx or any credit card company) and told you anything like your credit card has been used, stolen, etc, get their telephone number and tell them you will call them back before you say ANYTHING to them. And then call the 800 number on the back of your card and verify that the phone number they gave you is indeed a valid number. Do NOT give anything, specially the 3 digit off the back of your card to anyone who calls you.
– As always, do NOT enter your ATM card PIN into any email.
– Do NOT open any emails from anyone that you do NOT know. If you do, and there is a .pdf file is attached, make sure it makes sense that the sender has sent you this file otherwise do NOT open the .pdf file. Many viruses are embedded in .pdf files (Not pictures or txt files, just .pdf)
– If you do on-line banking (as we all do) do NOT do bill payment or if you do then once a day check the balance in your account. Also, if possible contact your bank and BAN any WIRE TRANSFERs from your account. Tons, tons of wire transfer fraud has happened during the past year or two and people have LOST THEIR MONEY, the banks have NO obligation to repay even if you can prove you didn’t do the transfer. They say that your computer was hacked and that is YOUR fault not theirs. Check your bank account balances DAILY as with wire transfer you have 24 hours (in most cases) to reverse it but if it is gone then your money is GONE and you may never be able to collect it back.
– NEVER give your laptop for repair or upgrades to anyone that you do NOT know really well. Once your laptop or computer is in the hands of a crook he can install spyware and other programs that will go into the core of your PC and nothing, as in NOT EVEN FORMATTING YOUR HARD DISK, can get rid of the virus or spyware. Your only option is to throw away your PC and buy a new one.
– When online, if you happen to go to a website that had many different items on it; such as “Sarah Palin’s info”, “Earthquake victims”, “Las Vegas Deals”, etc. DO NOT open any files or documents (don’t click on them). These websites are put together by very smart crooks who want to attract people so they have a variety of info posted but each article has a virus/spyware loaded in it and if you click on it the virus will be loaded into your PC and from that point on they can monitor your keyboard entries, even the screens you look at. Avoid any website that has an unusual or strange collection of info on them.
– Have one credit card with a low limit ($1000-$2000) only for use on internet purchases.
– Have another card with even a lower limit ($500) only for use in Gas stations. Gas stations have the highest rate of fraud because the pumps have Readers/Pin pads in them that are really old and do NOT have any security feature in them. So have a very low limit card only for use in Gas stations.
– Have one/more high limit cards that you only use when you purchase something that you SIGN for, and always check your statements at the end of the month.
Richard Clarke’s credentials are well established, having been a national security advisor to presidents of both parties
“The major shock about the mischievous WikiLeaks—even more than the individual headline items—is that it dramatizes how vulnerable we still are. Digitization has made it easier than ever to penetrate messages and download vast volumes of information. Our information systems have become the most aggressively targeted in the world. Each year, attacks increase in severity, frequency, and sophistication. On July 4, 2009, for instance there was an assault on U.S. government sites—including the White House—as well as the New York Stock Exchange and Nasdaq. There were similar attacks that month on websites in South Korea. In 2008, our classified networks, which we thought were inviolable, were penetrated. Three young hackers managed to steal 170 million credit-card numbers before the ringleader was arrested in 2008.”
From Publishers Weekly
“On today’s battlefields computers play a major role, controlling targeting systems, relaying critical intelligence information, and managing logistics. And, like their civilian counter-parts, defense computers are susceptible to hacking. In September 2007, Israeli cyber warriors “blinded” Syrian anti-aircraft installations, allowing Israeli planes to bomb a suspected nuclear weapons manufacturing facility (Syrian computers were hacked and reprogrammed to display an empty sky). One of the first known cyber attacks against an independent nation was a Russian DDOS (Deliberate Denial of Service) on Estonia. Since it can rarely be traced directly back to the source, the DDOS has become a common form of attack, with Russia, China, North Korea, the U.S., and virtually every other country in possession of a formidable military having launched low-level DDOS assaults. Analysts across the globe are well aware that any future large-scale conflict will include cyber warfare as part of a combined arms effort. Clarke and Knake argue that today’s leaders, though more computer savvy than ever, may still be ignorant of the cyber threats facing their national security.”
WASHINGTON — It will take several more years for the government to fully install high-tech systems to block computer intrusions, a drawn-out timeline that enables criminals to become more adept at stealing sensitive data, experts say.
As the Department of Homeland Security moves methodically to pare down and secure the approximately 2,400 network connections used every day by millions of federal workers around the world, experts suggest that technology already may be passing them by.
The department that’s responsible for securing government systems other than military sites is slowly moving all the government’s Internet and e-mail traffic into secure networks that eventually will be guarded by intrusion detection and prevention programs. The networks are known as Einstein 2 and Einstein 3.
Progress has been slow, however. Officials are trying to complete complex contracts with network vendors, work out technology issues and address privacy concerns involving how the monitoring will affect employees and public citizens.
The WikiLeaks release of more than a quarter-million sensitive diplomatic documents underscores the massive challenge ahead, as Homeland Security labors to build protections for all of the other, potentially more vulnerable U.S. agencies.
“This is a continuing arms race and we’re still way behind,” said Stewart Baker, former Homeland Security undersecretary for policy.
The WikiLeaks breach affected the government’s classified military network and was as much a personnel gap as a technological failure.
Officials believe the sensitive documents were stolen from secure Pentagon computer networks by an Army intelligence analyst who downloaded them onto a CD.
The changes sought by Homeland Security on the government’s non-military computers would be wider and more systemic than the immediate improvements ordered recently by the Departments of Defense and State as a result of the WikiLeaks releases.
Those changes included improving the monitoring of computer usage and making it harder to move material onto a portable computer flash drive or CD.
Fraud-related losses rose 20 percent to $1.7 billion in the past year, Kroll study says
Incidence of theft of information and electronic data at global companies has overtaken physical theft for the first time, according to a study released yesterday.
According to the latest edition of the Kroll Annual Global Fraud Report, the amount lost by businesses to fraud rose from $1.4 million to $1.7 million per $1 billion of sales in the past 12 months — an increase of more than 20 percent.
The findings are the result of a study commissioned by Kroll and conducted by the Economist Intelligence Unit, which surveyed more than 800 senior executives worldwide.
The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.
The United States Computer Emergency Readiness Team, or US-CERT, monitors the Einstein intrusion-detection sensors on nonmilitary government networks, and helps other civil agencies respond to hack attacks. It also issues alerts on the latest software security holes, so that everyone from the White House to the FAA can react quickly to install workarounds and patches.
But in a case of “physician, heal thyself,” the agency — which forms the operational arm of DHS’s National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes (.pdf).
“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on … computer systems located in Virginia,” reads the report from assistant inspector general Frank Deffer.
Einstein, the government’s intrusion-detection system, passed the security scan with flying colors, as did US-CERT’s private portal and public website. But the systems on which US-CERT analysts send e-mail and access data collected from Einstein were filled with the kinds of holes one might find in a large corporate network: unpatched installs of Adobe Acrobat, Sun’s Java and some Microsoft applications.
In addition to the 202 high-risk holes, another 106 medium- and 363 low-risk vulnerabilities were found at US-CERT.
“To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system-security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures,” the report concludes.
In an appendix to the report, which is dated Aug. 18, the division wrote that it has patched its systems since the audit was conducted.
DHS spokeswoman Amy Kudwa said in a statement Wednesday that DHS has implemented “a software management tool that will automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities.”
The Department of Homeland Security is quietly creating teams of experts charged with assessing the cyber security needs of power plants in the U.S. The question is why the secrecy? When plants vulnerabilities are known facts in both security and hacker communities, perhaps it is time to pay attention or impossible to ignore anymore even by DHS.
By Jaikumar Vijayan
The Department of Homeland Security (DHS) is quietly creating specialized teams of experts to test industrial control systems at U.S power plants for cybersecurity weaknesses, according to a report published today by the Associate Press.
According to the Associate Press report, DHS has so far created four teams to conduct such assessments, according to Sean McGurk, director of control system security. McGurk told the news service that 10 teams are expected to be in the field next year as the program’s annual budget grows from $10 million to $15 million.
