Other Interesting Stories...
As a CEO, what would you do when faced with some challenging security situations? Here's a game that lets you find out.
Trend Micro has developed a great "security management decision simulation game" called "Targeted Attack: The Game". This is a great piece of work that lets you try your hand at balancing risks, security and budgets. I really like how this choose your own adventure game was produced, with real actors. I highly recommend it for anyone trying to explain the importance of security management to executives, or just to understand what it's like to balance business objectives against security risks. Read More...
Can a bank be sued by a hospital over a cyber-heist?
You bet they can. In this story, a hospital sued their bank to get money back that was stolen by hackers as a result of a bank error. Read More...
Computer-Based Training is a quick and cost-effective way to educate staff.
Most managers responsible for security training don't have the time to develop training content themselves. The Streetwise Security Awareness Program's off-the-shelf intranet training solution has been proven to help organizations educate staff on information security risks, while addressing compliance requirements.
Give me a call at 613-693-0997 if you'd like to discuss your situation and how it can be addressed through a CBT. (I've also delivered solutions for Records Management and SOC2 compliance.)
Learn about Streetwise Security Awareness Training
Security educators and entrepreneurs...
I've got ideas and plans for creating new security assessment and education products for businesses and individuals. If you'd like to collaborate and get more things done faster, please contact me. We may be able to work together.
- Scott
Welcome to Issue #7 of the Streetwise Security News.
It still seems a long way from sailing season here in the Great White North. I have a running bet with my family that "the snow will always be gone by the end of March". Sometimes I can still win the bet if there are a few patches of snow under the shade of some trees. But this year, something is just keeping us in a deep freeze. At least I'm getting more work done, since I don't have the urge to go out for a walk.
So, I'm trying to figure out how I can run my security assessment and training projects from an island in the Mediterranean, where I can sail any day I want. Maybe some day...
We're well into 2015, and as I suspected, there are more sad stories of security breaches. As usual, I won't try to cover them all in this newsletter. But I do try to pick a good variety of interesting stories, and provide you with some insights and tips on how you or your employer can avoid these kinds of risks.
See the list of topics on the left for a quick view of this issue's stories and content.
If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.
[Photo: Lac Deschenes - Ottawa River from BYC]
Cheers,
Scott Wright
Your location has been shared HOW MANY times? Nudge, nudge!...
If your devices could tell you how often they share your location (or other information) with third parties, do you think it would affect how you use mobile devices? Some subjects of a research project got a real shock when they learned the truth during the study.
According to the article I read from Bob Sullivan on credit.com, the reaction was visceral when one of the subjects was told that his location had been shared 4,186 times: "Are you kidding me? It felt like I'm being followed by my own phone. It was scary. That number is too high." Most of us, it seems, have no idea what our devices are doing behind our backs. It doesn't surprise me, really. People are very trusting, and your mobile phone is YOUR device. Why shouldn't you trust it?
But what's more interesting to me about this study is the fact that they gave people an easy way to check their privacy settings and monitor their device's sharing activities. They provided what are called "Privacy Nudges" - little updates to let people know how many times their devices had shared their location recently.
Just as we might expect, when people actually get a glimpse of what's happening, most of them take actions that show they really do care about their privacy. By the end of the study, as a result of the privacy nudges, people had tightened up their privacy settings, and checked their devices' sharing stats more often.
To me, this is a very good thing. I'd like to find out more about the app they installed on the subjects' phones to let them manage their sharing more closely. Hopefully this will become a feature of all mobile phones.
Until then, do check your privacy settings on your mobile devices and your social networking accounts.
Terminology - "Oversharing"
Oversharing:
The tendency of an individual to post too much - or sometimes, literally everything - about themselves, their jobs, or what they are doing at every possible moment.
For some, it seems like an addiction. But really, do you care about what your friends have every day for breakfast, or how many times last night's chili came back on them?
(Example: Canadian singer/songwriter Jann Arden posts the same thing on Instagram every day she's at home: a new picture of her dog on the same road... every day! Why?)
But aside from the annoyance factor, oversharing represents a real vulnerability to personal data, as well as corporate information systems. Attackers love to find people who overshare, so they can learn about their victims' habits, and even what they might have used as a password or security questions. (Please revisit the January issue that has the Jimmy Fallon street interviews with people to ask them what their passwords are. Just go to the Archives link at the top of this newsletter.)
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
Scott's Recent Blog Posts
Here's a recent extract from my Security Views blog...
Just a quick thought after this week's air crash in France, in which the co-pilot locked the pilot out of the cockpit and intentionally crashed the plane into the mountains. In this case, security worked too well.
Social Media Security
In Episode #40 of the Social Media Security Podcast, Tom Eston and I discuss the following stories:
- A victim in a car accident is using data from her FitBit wearable fitness monitor as evidence of the harm done by the accident. Good idea?
- Echosec - The creepy tool for searching on social media posts geographically (discussed in last month's SSN newsletter)
- An interview with somebody who shares their experience in almost becoming a victim of a Facebook scam. Some important things to remember that will keep you safe.
- More Facebook privacy tips
... and more.
The Social Media Security Podcast can be found here, or you can subscribe to every episode on iTunes by searching for "Social Media Security Podcast".
Pinterest Pic of the Month
OK. Maybe this is a harsh thing to tell your friends, but how will they ever learn if you don't?
A Cyber Security Challenge Question
Which of the following posts would NOT be called "oversharing"?:
a) I just found a great article on how to create strong passwords. http://.....
b) That was a boring client meeting. 2 hours I'll never get back... Anybody want to go for sushi?
c) I hate when my boss insists that I submit a FedEx order just before the shipping deadline.
d) Maltesers are sooooo good! But if I eat another one, I think I'm going to explode.
Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - For added privacy, use multiple email addresses when registering for multiple free services from Google, Yahoo, or other free web portal tools.
As you may know, free web portals like Google, Yahoo, Bing and others offer more than just free search and email services. You can access calendars, discussion forums and even video and photo hosting sites, all from one provider. (If I go to google.com/dashboard when I am logged in to any Google service, I see a list of about 13 different services like Gmail, Google Play, etc. Several are shown on the right for one account I own. The number you see may depend on which services you have registered for at Google.)
This may seem like a great convenience, but if you knew how much information is tracked and cross-referenced across these services, you may start to get a little creeped out. So, I like to break the chain. For example, if you know that YouTube is owned by Google, you might choose to register on YouTube with a different email address than you do for Google Calendar.
Unfortunately, sometimes when you log in to one, you will find that you're logged in to the other. So you may have to log out of the account you were logged in to, and log in as a different user for the other service. I have found that when using a tablet, such as an iPad, I can log in to Google when surfing with the browser, and log in to the YouTube app with a different account. The advantage in doing this is that Google doesn't get to cross-reference my interests in videos against my email content, which they also know a lot about.
By breaking the chain, some may say I'm losing the value of integrated services that these companies provide. But I know why they want to have me using all their services, and I don't really see a great loss of value in breaking their chain. I still value my privacy a little more than having instant access to everything under the same umbrella.
A Data breach story: NYPD officer caught searching private citizens' personal information
Government organizations such as healthcare and law enforcement are supposed to be held to a high standard when it comes to protecting the personal information of citizens. So, it's sad that we learned this month of a New York City police officer who was caught accessing personal information of private citizens for his own personal gain.
It turns out this guy was using hidden cameras and other devices to capture login information from other officers who had access to data about citizens for which he wasn't authorized. He used the information he found to solicit people involved in traffic accidents and infractions to provide 100% guarantees that he could obtain a successful outcome in their case, in return for a percentage of the amount of the money saved.
He was eventually caught, but not before he had run 6,400 queries on private citizens' information. This just goes to show that we always need to be on the lookout for people who may have ulterior motives. Sadly, you can't just assume that everyone you work with is trustworthy.
You can read more about this NYPD insider case HERE.
Answer to the Cyber Security Challenge Question (from above)
Question - Which of the following posts would NOT be called "oversharing":
Answer: (a) I just found a great article on how to create strong passwords. http://...
While some of the other answers may have a low annoyance factor, there's still too much information. What if the client saw your post about holding a boring meeting? Or what if an attacker just learned that your shipper is FedEx, and you have a habit of making last-minute orders? These are potential vulnerabilities. And while YOU may not personally care about strong passwords, at least the person posting is trying to be helpful to others.
If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note. In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of.
Sincerely,
Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.