Security Awareness and Additional Tips

FBI ALERT ON PAYROLL DIVERSION FRAUD SCHEMES

Recently FBI issued an alert warning that “cybercriminals are targeting the online payroll accounts of employees in a variety of industries.”  Once a cybercriminal has obtained an employee’s login credentials, direct deposit information is changed and redirected to an account controlled by the cybercriminal.

Read More from ic3.gov

LOCAL ADMINISTRATIVE RIGHTS

Looking to dramatically increase your protection from viruses and malware?

Last year, removing local administrator rights would have protected against over 90% of critical vulnerabilities in Microsoft Windows operating systems. Vulnerabilities in most third party software, such as Java and Adobe products, are also mitigated by restricting users from running as an administrator of the machine.

When a user is running as a local admin of their machine, they can install or remove software, and make system changes with nothing to stop them.

People usually encounter software vulnerabilities through seemingly normal activity, like browsing a web page or clicking a link in an email. If there happens to be a malicious link, and the user has complete control of the system, a vulnerability can be exploited to install malware. If the user doesn’t have local admin rights and the ability to install software, the exploit fails.

So why do people still run with local administrative rights? More than likely, a program they are running thinks it needs the rights to operate. The truth is, most applications can operate without administrative rights with a little work to assign proper directory permissions or other system tweaks. The good news here is that Microsoft has come a long way with security in their operating systems and has made it much easier to run as a normal user. Thus, software companies have had to code their products to operate better in this environment, so most modern software “just works” with limited user rights.

SECURE YOUR BACKUPS

Imagine what kind of information someone would have if they “found” a tape or hard drive with your backups! Your backups are your crown jewels, so protecting your off-site backups from authorized access is critical.

• Make sure you encrypt every offsite backup. This includes tapes, hard drives, and online “cloud” backup services. All modern backup solutions and services should make this easy to accomplish. If yours does not, consider an alternative solution or service that does.
• Since encryption is like a lock, it needs a key. Make sure the password you use for the key is complex. Make sure the key is available when and where you need it. Don’t just store the key at the main site. If your keys were only stored in the place that just burned down, you won’t be recovering. If the keys change, you must document that change to ensure that access to the data is possible after many years. An encrypted backup without a key is as good as no backup at all.
• Test your restoration process. Encryption can complicate restoration, so frequent test restores are crucial to validating your ability to recovering data.
• Don’t forget physical security! Keep your off-site backups away from common areas, preferably in a safe. Extra points for a fire-proof solution.

If data is at rest and not under your immediate control, it should be encrypted and physically secured. Once lost, unencrypted tape can be the start of an avalanche of problems for you and your customers.

CLOUD STORAGE SECURITY

Recent news of celebrities’ private photos being stolen can expose (no pun intended) some pitfalls in how smartphones and “The Cloud” often work together. When you put all the media hype aside, this “hack” was a simple matter of the attackers either guessing, bruteforcing or getting the targets to give away passwords on their iCloud accounts. Because their iPhones were backing up to the iCloud service, this meant that all of the victim’s data, including pictures, were accessible.

Smartphones backing up to online cloud storage is not just an Apple feature. Android phones can do this as well, either to Google or to a carrier’s own cloud storage service. Often in the excitement of getting a new phone, we simply rush through the initial setup and accept when it offers to backup your data for you... after all, why would having backups be bad, right? Here are some tips on protecting your privacy:

1. Pay attention to prompts when setting up your phone. If it is going to backup, where is your data going, and how is it protected and accessed? If all that is needed is your email address and a password to retrieve your data from anywhere in the world, you should think twice.
2. If you do use a cloud storage service, use the strongest authentication process possible. Not just a username and password. Choose a strong password (at least 15 characters) and utilize any additional options, such as one-time password (OTP) features, like a texted pin code. It may be a pain to log into, but keep in mind the value of the data you are storing.
3. When setting up the security questions on your account, remember that a lot of these answers can be guessed or found out with some digging. If the security questions have answers that others could find out, consider using bogus answers only you would know.
4. Remember that your phone collects and stores an enormous amount of information about you, your habits and your life. Both advertisers and attackers know this. Pay attention to what apps you install and what permissions they ask for and why.
5. Lastly, just a word of advice. Taking naked pictures of yourself using a phone where most apps, even games like Angry Birds, state they can have direct access to your media files may not be the best idea.