You may have heard the news of a recent phishing scam that resulted in usernames and passwords of Hotmail, Gmail, AOL, and Yahoo! users being posted to Websites across the Internet. These types of scams can typically be avoided with some good advice and good old critical thinking.
Phishing, by Wikipedia's definition, refers to the "fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card information by masquerading as a trustworthy entity in an electronic communication." The following tips can help you avoid becoming victim to these types of scams.
1. Your usernames and passwords are the keys to your banking sites, email, and online retailers. Use strong passwords: at least 7 characters, with upper case, lower case, numbers, and symbols. Don't reuse the same password across sites containing sensitive information. Change your passwords often. If you have trouble remembering all of your passwords, consider a password manager. Often you are asked to provide additional personal information when creating accounts. This information is used to authenticate you in the event that you lose your password. Typically, this information is less secure than the password itself. Provide answers that only you would know. All of your friends know your pet's name and the street you grew up on, so don't use them.
2. Be careful of what you click on. I know that blinking advertisements promising free money are appealing, but in reality, no one is going to give you anything free. Don't click on it! Be very wary when you receive an email requesting personal information or asking you to confirm information. The email may look legitimate, as most phishing scams now do. Most online companies make it their policy to never ask you for passwords or personal information. If you are unsure, contact the company directly. Use known contact information; do not use the phone numbers or email addresses on the questionable site. Check past bills, statements, or the main Website for this information.
3. When logging onto a site requiring a password, credit card information, social security numbers, etc., look for secure sites. The URL of a secure site will begin with HTTPS. You will also notice a padlock either next to the address bar or in the status bar of the browser. Pay attention to the URL of a website. Malicious sites will use URLs that look almost identical to the real URL.
4. Use anti-virus, firewalls, anti-malware, and spam filters. Although these will not protect you from every scam out there, they do prevent most from even hitting your inbox. Also, take advantage of the anti-phishing capabilities in your browser. When this is enabled, every site you visit is checked against a list of known phishing sites and the browser will prevent you from browsing to them.
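Tip 3 above boils down to two checks a reader can automate: is the page served over HTTPS, and does the hostname merely look like a brand you trust? The following is an added example, not part of the original post; the allowlist of known domains and the table of lookalike characters are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader actually trusts (assumed for this example).
KNOWN_DOMAINS = {"paypal.com", "example-bank.com"}
# Characters commonly swapped in to make a hostname look almost identical to the real one.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(host):
    """Lower-case the hostname and undo common lookalike substitutions."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance; one typo away from a known domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return a list of warnings for a login-page URL; an empty list means no concern."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    host = parts.hostname or ""
    # Exact match or a genuine subdomain of a trusted domain: nothing more to say.
    if host in KNOWN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_DOMAINS):
        return warnings
    norm = normalize(host)
    for d in KNOWN_DOMAINS:
        # Brand name embedded as a label (paypal.com.evil.net), confusable spelling,
        # or a single-character typo of the real domain.
        if f".{d}." in f".{norm}." or edit_distance(norm, d) <= 1:
            warnings.append(f"looks like {d} but is not")
            break
    else:
        warnings.append("unknown domain")
    return warnings
```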
So what do you do if you think you have fallen victim to a scam? Report it immediately! Contact your financial institutions, immediately change passwords, look for signs of identity theft, and possibly even report it to the Police.
Company Information Kept Confidential?
In this economy, "downsizing" is a common term in companies today. When you let an employee go, what are you letting walk out the door with them? The answer is: more than you think. Do you have a policy for employee dismissals? If the answer is no, GET ONE. If the answer is yes, the next question is: do you enforce it? If not, then START!
In a survey conducted by the Ponemon Institute, LLC, an alarming 61% of employees who were negative about their place of employment in 2008 took data with them when they left. To put that into perspective, 945 employees who left their job (either voluntarily or involuntarily) were surveyed. That is 576 people who walked out with information! That doesn't even count the 26% of employees who actually liked their company and still walked out with information. 24% of those surveyed could still access their company's network for a while after they left.
Now, as a business owner, you are thinking, "We do a good job of protecting our company and our clients' information." But what if every business owner is thinking the same thing? Remember, YOU ARE THE CLIENT at some of these places. Are they letting your information be taken for a ride, literally, right out the door with a terminated employee? Pretty scary, huh? It makes you want to do a little more as a business owner to protect your clients, so that other businesses might step up and protect you.
"What are a few things I can do?" Glad you asked.
1. Secure confidential information prior to the layoff or termination. Employees should not have access to proprietary information while a layoff is pending.
2. Review the Confidentiality Agreement that a new hire signs and make sure that the consequences of violating it are clearly defined.
3. Review Separation Agreements to make sure that consequences are clearly defined.
4. Create a checklist of all necessary steps to take before and after the termination or layoff.
5. Conduct an Exit Interview with each employee and provide a list of what they are allowed to take with them and what must stay behind. Show them the Confidentiality Agreement they signed as a new hire and the consequences for violating it.
Studies have found that when companies conducted exit interviews there was a 40% reduction in the loss of confidential information.
This might be a good topic for your next management meeting, huh?
I read an article recently about IT security and the preferred targets for intrusions that steal data. Unsurprisingly, it reported that databases are the prime targets; go figure. What was surprising was the finding that the administrators managing those databases keep making the same common mistakes, which increase the chances of an intrusion succeeding. These mistakes are not malicious; they come from a lack of knowledge. I checked out some other sites on this topic and found several lists of common security lapses on databases. Most of these are common sense action items. I have found it is good to review the basics periodically, as we all tend to develop habits which may blind us to the obvious.
The weak point in any security setup is the passwords used. This is true across all realms of the IT world: the default password was never changed, the password is not complex enough, or the passwords for higher-level access are known by too many people. Password management and complexity are key to this security issue. Change the password and make it complex. Maybe even use a passphrase, which is easy to remember and harder to crack.
User privileges and training:
Make sure the people who are accessing the database are doing so with the correct privileges and roles. People who have too much access can do greater damage unintentionally than they would have with just enough access. Training the people who interface with the database is another important step. This isn't just the find-this-data-here type of training, but preventive training. Take the time to educate the staff on best practices in use of the data and in data security.
Critical patch updates:
Patching both the database software and the OS of the server it runs on is key. Better still, set up a development environment and test the patch deployment on a dev database server first.
Keeping your anti-virus updated is as important as the critical updates for the database and OS. Keep the definitions up to date and you keep the viruses off the server. Also make sure that the anti-virus application is scanning the right areas on the server. I have gone into servers and found some directories purposely skipped by the system scans to reduce errors in the event log, which is not good at all.
The database should be a stand-alone server:
Ideally you want your database on its own server. This is good practice for both performance and security. When you host other applications on the same server as the database, you are sharing that application's security flaws and issues with the database, which increases the chance that an attack against your database succeeds. This is a common issue with today's push to save money and space in server rooms, both from pressures to be green and from the slashing of IT budgets.
Enforcing and reviewing security policies:
Setting up the security policy is easy. Enforcing and auditing the policy is the hard part. You have to keep the policy current and review its use, both on the system and in what the users do. By reviewing the policy you will find issues before they become bigger issues.
Audit the server:
Be aware of what is happening on the database server: review the event logs, check the database logs, and check the anti-virus logs. The biggest issues on a server can start from a simple and fixable issue. Seeing a username repeatedly getting a failed login event tells you someone is running a dictionary attack against your database server. It is better to find the issue early on and address it before data loss or downtime.
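The failed-login pattern described above is easy to check for automatically. This is an added example, not from the original post: it walks a simplified authentication log (the lines and their "timestamp event user=... src=..." format are constructed for illustration, not taken from any real database server) and flags any username whose failed logins reach a threshold inside a sliding time window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; a real server's format will differ and the parser would be adapted.
SAMPLE_LOG = """\
2009-10-06 08:00:01 LOGIN_FAILED user=sa src=10.0.0.7
2009-10-06 08:00:02 LOGIN_FAILED user=sa src=10.0.0.7
2009-10-06 08:00:02 LOGIN_OK user=alice src=10.0.0.12
2009-10-06 08:00:03 LOGIN_FAILED user=sa src=10.0.0.7
2009-10-06 08:00:04 LOGIN_FAILED user=sa src=10.0.0.7
2009-10-06 08:00:05 LOGIN_FAILED user=sa src=10.0.0.7
2009-10-06 08:05:00 LOGIN_FAILED user=bob src=10.0.0.12
2009-10-06 08:45:00 LOGIN_FAILED user=bob src=10.0.0.12
"""


def parse_line(line):
    """Split one log line into (timestamp, event, {key: value})."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[3:])
    return ts, parts[2], fields


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {user: (failures, first_ts, last_ts)} for each user whose failed
    logins reach `threshold` within any sliding `window`. A couple of typos
    spread over an hour (user bob below) does not trip it; a burst does."""
    recent = defaultdict(deque)  # per-user timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        if event != "LOGIN_FAILED":
            continue
        user = fields.get("user", "?")
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (len(q), q[0], ts)
    return alerts


if __name__ == "__main__":
    for user, (n, first, last) in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logins for '{user}' between {first} and {last}")
```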
As I said in the beginning, most of these are common sense action items. I suspect any lapses on the above come from "I will fix that later", and later keeps getting pushed back. By addressing these simple issues you can save yourself bigger issues later.