Breach Fatigue: Don't Be a Victim

Data Breach, Data Fatigue, Securauth

 

In recent weeks, the largest bank in the United States, JP Morgan Chase & Co., has fallen victim to cybercriminals.

Last Thursday, JP Morgan unveiled that hackers obtained stolen information from their customers.  This included personal information such as names, addresses, phone numbers, and e-mail addresses from over 76 million households and 7 million small businesses.

Scary, right?

One would think.

According to a recent article from The Washington Post “Data breach fatigue follows two cyber intrusions”, author Sarah Halzack shares insight on how consumers are not as worried about data breaches as they should be.   There is a constant increase of consumers ignoring notifications of a potential data theft crisis. In addition, the majority of these consumers did not stop doing business with companies that have been hit by cybercriminals.

Consumers need to over come this breach fatigue, and here’s why:

With 579 data breaches just this year, cybercriminals are on the rise.  With crucial information such a passwords or credit cards numbers, cybercriminals may have direct access to one’s financial accounts. Although this is not the case for JP Morgan, an identify theft can lead to many more opportunities for attack.  According to “Your JPMorgan account got hacked. Now what?”, author Danielle Douglas-Gabriel shares her concerns that although the JPMorgan hackers do not posses any “critical” information from its users (i.e. passwords, user ID’s or credit card numbers), consumers still need to be aware.  All a hacker needs is a user’s email account to gain access to so much more.  By simply having access to one’s email, a hacker can create authentic looking emails from banks asking for more critical customer information. And in the blink of an eye, your identity is stolen.

So, are you protected?

As the age of Internet and mobile devices is upon us, one needs to be proactive in securing their identity.  There are many different types of breaches and many different solutions that help protect against those breaches.

One way to protect yourself from phishing emails is to never share sensitive data throughout the cyber world.  For more great tips on preventing phishing scams, check out Lisa Eadicicco’s article on avoiding phishing scams, “How to Avoid Phishing : 8 Tips to Protecting Your Digital Identity.”

Another way to prevent a possible cybercriminal attack is by using a 2-factor authentication solution.  By applying an additional level of security, it ensures an additional level of protection. More than merely a password is necessary to gain access to one’s account.

So, as we inch closer and closer to a completely virtual world, consumers need to be aware of breach fatigue, the consequences it has in store, and how to overcome it.

 

http://www.pressherald.com/2014/10/07/data-breach-fatigue-follows-2-cyber-intrusions/

http://www.washingtonpost.com/news/get-there/wp/2014/10/03/your-jpmorgan-account-got-hacked-now-what/

http://scamicide.com

 

 

 

Breach Fatigue: Don’t Be a Victim

Data Breach, Data Fatigue, Securauth

 

In recent weeks, the largest bank in the United States, JP Morgan Chase & Co., has fallen victim to cybercriminals.

Last Thursday, JP Morgan unveiled that hackers obtained stolen information from their customers.  This included personal information such as names, addresses, phone numbers, and e-mail addresses from over 76 million households and 7 million small businesses.

Scary, right?

One would think.

According to a recent article from The Washington Post “Data breach fatigue follows two cyber intrusions”, author Sarah Halzack shares insight on how consumers are not as worried about data breaches as they should be.   There is a constant increase of consumers ignoring notifications of a potential data theft crisis. In addition, the majority of these consumers did not stop doing business with companies that have been hit by cybercriminals.

Consumers need to over come this breach fatigue, and here’s why:

With 579 data breaches just this year, cybercriminals are on the rise.  With crucial information such a passwords or credit cards numbers, cybercriminals may have direct access to one’s financial accounts. Although this is not the case for JP Morgan, an identify theft can lead to many more opportunities for attack.  According to “Your JPMorgan account got hacked. Now what?”, author Danielle Douglas-Gabriel shares her concerns that although the JPMorgan hackers do not posses any “critical” information from its users (i.e. passwords, user ID’s or credit card numbers), consumers still need to be aware.  All a hacker needs is a user’s email account to gain access to so much more.  By simply having access to one’s email, a hacker can create authentic looking emails from banks asking for more critical customer information. And in the blink of an eye, your identity is stolen.

So, are you protected?

As the age of Internet and mobile devices is upon us, one needs to be proactive in securing their identity.  There are many different types of breaches and many different solutions that help protect against those breaches.

One way to protect yourself from phishing emails is to never share sensitive data throughout the cyber world.  For more great tips on preventing phishing scams, check out Lisa Eadicicco’s article on avoiding phishing scams, “How to Avoid Phishing : 8 Tips to Protecting Your Digital Identity.”

Another way to prevent a possible cybercriminal attack is by using a 2-factor authentication solution.  By applying an additional level of security, it ensures an additional level of protection. More than merely a password is necessary to gain access to one’s account.

So, as we inch closer and closer to a completely virtual world, consumers need to be aware of breach fatigue, the consequences it has in store, and how to overcome it.

 

http://www.pressherald.com/2014/10/07/data-breach-fatigue-follows-2-cyber-intrusions/

http://www.washingtonpost.com/news/get-there/wp/2014/10/03/your-jpmorgan-account-got-hacked-now-what/

http://scamicide.com

 

 

 

You Have a Case of Identity Theft!

Identity Theft

It’s the hot topic in the news, blogs, books, and more, identity theft and security! We are all susceptible to identity theft from the individual user to the largest corporation.

 

Author Steve Weisman has been speaking on Identity Security for years, including his blog Scamicide and in his books The Truth About Avoiding Scams and Identity Theft Alert: 10 Rules You Must Follow. The most recent breach, the Community Heath System, is one that Weisman covers in his blog entry Community Health Systems and the Chinese hacker. By now we all know the characters in the story, hacker wants sensitive data, companies have budgets and time restraints, and users want usability. In his blog post, “Community Health Systems Data Breach Update”, Weisman wisely states, “It has been said that the price of liberty is eternal vigilance and that is also important in maintaining your own personal security.  People who did not change their passwords following the Heartbleed security flaw first being uncovered should take this as a wake up call to do so now.” I concur!

 

(read on to learn how you can make a difference)

 

Weisman goes on to give some great examples on how to protect credit and to watch for fraud. But we all know that that is not where the story ends. Weisman states the grim truth that “it is not unusual for hackings and data breaches to remain undiscovered for significant periods of time.  This data breach may be the first major data breach connected to Community Health Systems, but it is most likely not going to be the last.” Sadly, he is most likely correct.

 

Organizations and companies need to transition to stronger authentication; one way they can do this is with a usable authentication solution. Why usable? Well, let’s not forget one of the main characters in this story, the user. Users want usability when it comes to identity security and logging into their accounts, and there are many solutions that are rising to the occasion to provide both security and usability to organizations. PortalGuard is one solution that brings usable Two-factor Authentication to the table with printable OTPs, SMS, and PassiveKey.

 

So there is no doubt that security needs to be increased and usability cannot be forgotten, but what can you do as an individual to increase authentication security within the organizations that you use on a daily bases? Well, I am glad you asked. I just happen to have the perfect site that was promoted on newyorktimes.com in Ron Lieber’s article A Two-step Plan to Stop Hackers.  Twofactorauth.org allows you to send a tweet requesting that organizations and apps that are housing your personal information support two-factor. (you may now cheer and applaud) Find out if your favorite app is using Two-factor or take it into your own hands to tell them to support Two-factor.

 

Weisman ends his blog post reminding us that “you are only as safe as the places that hold your personal information and some of them have poor security.” How true that is, and how slow many are at implementing the necessary steps to secure our personal and private data. In conclusion, you have really two choices as a user.

 

Cut out all technology from your life and keep your savings under your mattress

OR

Make smart identity choices and request that those that are housing your personal information implement a usable, two-factor solution.

More Compromised Students and Faculty

butlerlogoblue

Recently, there was yet another security breach at a college campus. This time the victim was Butler University, where a hacker accessed over 160,000 records for current, past students and faculty. The information stolen was the typical pertinent information that is stolen in this type of breach.

Names, Social Security numbers, date of birth, and bank account information.

The announcement of this breach comes due to an identity theft investigation that came from California law enforcement. The perpetrator that was caught possessed a flash drive that contained all of the data stolen from Butler University. Through the work of a third party investigator, it was uncovered that the information was stolen by remote hackers who accessed the Universities network between November 2013 and May 2014.

When will all of this craziness stop and people take security seriously?

I find it interesting that there is not more of an outcry from the general public to make sure that organizations are protecting their information. It used to be that colleges and universities were less likely to get attacked, since students typically do not have any credit in general. However, this year we have seen two other colleges in the spring and a high school earlier this summer.

There are schools, like Dalton State College and Clermont Northeastern School District, that have taken a serious look at this problem and addressed it by partnering with PortalGuard to deploy a two-factor authentication solution. By adding a two-factor authentication solution to their environment, they are able to ensure that the end-user is who they claim to be and not an imposter or hacker. This type of authentication can also deter man-in-the-middle attacks as well.

 

Press Release: Get the Level of Identity Management Your Campus NEEDS for Office 365

 

vide_snap

BEDFORD, NH– (Marketwire – June 25, 2014) – Today, PistolStar, Inc. announced the integration of its PortalGuard product with Office 365. This integration will give administrators the power to choose the level of convenience and security they desire for their students and faculty while accessing Office 365, including:

 

-Self Service Password Reset (SSPR)

-Single Sign-on (SSO)

-Two-factor Authentication

 

With PortalGuard integrated with Office 365, schools now get the level of identity management they need. Gregg Browinski, CTO of PistolStar, Inc. comments on the level of identity management and security with PortalGuard. “Using Office 365 guarantees 99.9% uptime for your campus email infrastructure, but this benefit is moot if students forget their passwords and can’t login. Federating Office 365 with a local ADFS instance can allow SSO but this just pushes a ‘forgotten password’ scenario further back to the desktop login and still lacks stronger two-factor authentication or self-service password reset options.” Browinski continues, “Swapping PortalGuard in place of ADFS in this architecture can provide standards-based web SSO and highly flexible SSPR from a single, tightly integrated, brandable, login interface.”

 

Using PortalGuard’s SSPR, students and faculty are given the power to reset their passwords from the web or desktop, reducing help desk calls and increasing ROI. SSO streamlines the login and reduces the barriers to access; with just a single login, the students and faculty gain access to all of their authorized applications, including: Blackboard, Moodle, Canvas, Banner, Google Apps, and Office 365.

 

PortalGuard provides you with the level of identity management your campus needs. Click here to learn more about PortalGuard®’s seamless integration for Office 365 and other education applications or visit our Education Page here.

Honesty is the Best Policy: Passwords, IT Security Professionals, and Llamas!

Toothbrush

 

Well, the truth is that many organizations are just not enforcing the basics of Password Best Policies (PBP), never mind investing and enforcing stronger identity security. With much emphasis on ROI, the truth is IT Security Professionals make the dangerous decision to purchase the minimal authentication solution just to have “something” in place. And the truth about Llamas is never tick-off a Llama; they spit when provoked or threatened!

 

Passwords are precious things and have lost their importance in the eyes of the public. According to Teri Robison’s article, Study: Security pros still grappling with lax password policies, on SC magazine, “respondents to Lieberman Software’s ‘2014 Information Security Survey’ saying that they can still access systems at a previous place of employment by using old credentials. Disturbingly, in some cases, the report found, they can even access the systems of two or more employers.” A good place to start would be PBP, but sadly, Robison states that the 2014 Information Security Survey reports “quite a few respondents — nearly one in four — say their organizations don’t change their service and process account passwords within 90 days, which is recommended by most mandatory regulations.” This is staggering, and I believe there is a Llama spitting somewhere right now.

 

Also in the article, Robison quotes Lieberman stating, “’it’s astonishingly common’ in corporate and government networks for the administrator passwords . . . ‘to be shared across multiple systems, remain unchanged for extended periods of time, and be used without any access control or audit records.’” It goes without saying this is an unacceptable policy . . . anywhere!

 

With all the breaches in security you would think the lesson would be learned indirectly and companies would prioritize authentication security . But truth be told, Robison also quotes Lieberman stating, “a breach ups interest in investing in security, but not for long . . . with a ‘half-life mentality’ companies loosen the purse strings in the wake of a data breach, ‘diminishing back to basic security after a few months,’” a sad truth to be sure.

 

In closing, it is a no brainer that Passwords must be stronger and PBP awareness shared, IT Security Professionals must invest in a solution that increases ROI, and stronger security means commitment!

 

So go ahead! Invest . . . the Llamas won’t mind.

 

 

 

Source:

http://www.scmagazine.com/study-security-pros-still-grappling-with-lax-password-policies/article/348888/2/

How to Mend a Broken Heart: The Heartbleed Bug and what you need to know to protect yourself

broken heart

 

The news broke this week that the Heartbleed Bug had attacked an undetermined amount of websites and their users worldwide. At this time it would seem that a large number of people are affected, however, the magnitude of this Bug may not be made clear for some time. Last year, the Adobe breach  numbers grew drastically as time moved forward.

So what is the Heartbleed Bug?

The researchers who uncovered the problem describe the Bug as a serious flaw within OpenSSL.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

Currently affected sites:

Some of the popular websites that have been listed as vulnerable include the following:

-Yahoo.com

-Imgur.com

-Flickr.com

-Okcupid.com

Click here for a full list.

How you can protect yourself.

There a couple of different steps you can take to proactively protect yourself. The first step would be to change your passwords on all of the effected sites that are listed above. It would also be good practice to change all of your passwords in general, just to play it safe. The other, more drastic option would be to avoid using the identified sites entirely. However, this may not be a possible option if you are an active member of the sites affected.

Although many websites do not require password resets to occur on a regular basis, the authentication experts at PortalGuard highly recommend changing your password every 90 days. If you take this simple action, it can possibly save you from a lot of frustration and heartache.

Two More Colleges Exposed: Indiana University and North Dakota University

collegeThere seems to be a rise lately in the number of campuses that are being subject to data breaches. Today it was brought to light that North Dakota University’s database was compromised exposing around 300K current and former student’s information along with some of their staff as well. Last week, Indiana University informed nearly 146,000 recent graduates and students that their seven-campus data system had accidentally exposed.

This news comes on the heels of the recent University of Maryland breach that effected over 300,000 students, staff, and faculty.

Indiana University

In the case of the Indiana University breach, the accidental exposure to the general public was carried out via three automated search engine web crawlers and was apparently indexed three times over the past year.

The exposed information included all of the needed information to steal a person’s identity easily, including names, addresses, and social security numbers.  This data was all being contained in an unsecure location that was easily accessed by the data-mining applications.

The three web crawlers have not been identified at the time of this article, but the University noted that the actions were carried out in a non-malicious way, by regular search engine web crawlers. The good news to report is, no servers or systems were compromised during this data mining.

Education Link Banner

James Kennedy, the school’s Associate Vice President of Student Services and Systems said; “This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote…”

“At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again.”

North Dakota University

North Dakota University came forth with news that nearly 300K current students, former students, and faculty may be at risk due to a recent hacking. The effected student’s and faculty’s personal information, including names and social security numbers, were exposed during the breach.

North Dakota University came forth with a notification for all that were possibly impacted on their website this past Wednesday. Their IT service provider, Core Technology Services, had been tipped off about the intrusion on February 7, with the initial intrusion taking place back in October of 2013. It would appear that the attack was made by using compromised credentials that had been obtained by an unauthorized user. Once this discovery was made they immediately shut down the affected server.

The tipster in this case was actually a victim of identity fraud rooting back to the breach.

What is this world coming to?

Back twenty years ago, data breaches did happen; people would steal files from offices or files would mysteriously go missing. Fast forward to current day; with so much of our personal information being held on networks, it is now easier for thieves to steal your personal data without even being on the same continent.

This is why it is now more important than ever to make sure that you are doing everything to protect your network from an attack.

One of the best ways to defend your campus against these types of attacks is to deploy a two-factor authentication solution. This would prevent a user’s credentials from being stolen because there would be a required one-time password needed in order to access the account. This one-time password could be provided a number of secure ways including sending a text-message to a preregistered cell phone.

Many colleges and universities trust their sensitive information to be protected via a web portal that can only be accessed by authorized users. These entry points need to be protected by strong authentication, which more and more campuses are trusting to the authentication experts at PortalGuard.

Sources:

http://www.scmagazine.com/north-dakota-university-system-hacked-roughly-300k-impacted/article/337181/?DCMP=EMC-SCUS_Newswire&spMailingID=8110983&spUserID=Nzc0OTgzMDQ3NzMS1&spJobID=260600201&spReportId=MjYwNjAwMjAxS0

http://www.scmagazine.com/web-crawlers-tap-data-put-about-146k-indiana-univ-students-at-risk/article/336198/

Price vs Cost: One Man's Opinion

Dollar_symbol

With the economic state of the country, you always hear folks talking about the price of an item or how much it cost them. Being in the security industry and a home owner, I can identify with the struggles that come with sticking to a budget and finding a solution.

However, with security it can truly be a gamble that all too often plays out in a negative way. One comparison we threw around a lot here in the office is a home security system. You constantly see on the news or hear from others stories about homes being robbed and the uneasy feeling of violation that comes with it. It makes you think about yourself, your home, and that could happen to me!

But then your subconscious says those famous last words, “It can’t happen to me.”

Sadly, this is the approach a lot of businesses can take on the stance of cyber security too. Recently, we have all seen the public spectacle that comes with being hacked and the consequences associated with cutting corners on security. In a couple of previous articles, I know that I have touched on this topic in previous articles, but we still hear of companies being breached.

This brings me to my point; when looking at a solution, sometimes we look for the cheapest fix and do not think any further than the price tag associated with the item. But let’s say you don’t even make it that far, you ignore the problem and hope it does not get worse. Then when you go to make the repair, it costs far more money than just addressing the problem from the start. To combat these types of situations, many companies that are working with a tight budget turn to the affordable authentication that PortalGuard offers.  

So when faced with the complex decision of price versus the cost, it is always best to consider the big picture and the cost or consequence of all that could happen if you are not proactive in preventing security breaches.