Security Awareness Training

Hackers don’t always try to break into computer systems through the Internet, or by using malicious software (malware) in email attachments. If they can gain physical access to computers, there’s often a simpler way.

Several public libraries in the UK have reported finding keyloggers attached to the back of PCs. These devices, which look a lot like normal USB flash drives, monitor the keystrokes – including usernames and passwords – of all users of the PCs. So, if you used one of these PCs to access your bank account, your Facebook profile, or your email, your identity might have been compromised.

Hardware keyloggers are very small and, unless you look carefully at the back of the computer – and know exactly what you’re looking for – they can be almost impossible to detect. Here’s an example:

Continue reading →

Another reminder – as if we needed it – that smart phones and mobile devices are increasingly the targets for hackers.

This time, it’s an iPhone issue. German researchers claim to be able to steal passwords stored on a locked Apple iPhone in just six minutes … without cracking the iPhone’s passcode.

Read more in this post on the Sophos blog: VIDEO: How to steal passwords from a locked iPhone

The FTC has posted a useful guide to “medical identity theft” for health care providers and insurers.

Medical identity theft occurs when someone obtains health care services e.g. treatment, prescription drugs … using the identity of someone else, or when they use another person’s identity to submit false bills. The guide – Medical Identity Theft: FAQs for Health Care Providers and Health Plans – covers:

• red flags that might indicate a problem,
• advice on responding to incidents, and
• how to help your patients avoid identity theft.

Another useful resource is the FTC’s Facts for Consumers: Medical Identity Theft – a brochure in PDF format which can be made available to your patients.

Cloud computing is filled with buzzwords and, for many people, fear of the unknown. And a lot has been made of the security risks that might result from cloud computing. However, for many organizations (especially small businesses and non-profits), judicious use of cloud computing applications can have significant security benefits.

This article from PC World – What Cloud Computing Means For the Real World – is an excellent overview of some of the benefits that you can reap by replacing insecure practices commonly found in the workplace.

Further Reading: You can find out more about cloud computing security through the resources available at the Cloud Security Alliance.

The FBI recently issued a warning about malware included in email attachments responding to online job postings. They quote the case of a US business that lost more than $150,000 after an employee opened an attachment that had been sent in response to a job posting. Malware embedded in the attachment, a variant of the ZeuS/Zbot Trojan, then allowed the attacker to obtain the credentials of the person who was authorized to conduct online banking financial transactions within the company.

Continue reading →

Even if you don’t issue your staff with smart phones, and you prohibit them from storing sensitive data on them, they’re still very likely to use them to exchange emails and to talk about about business matters.

This short post from CSO Online – ShmooCon 2011: Your Android’s dirty little secret – is a useful reminder that everyone needs to be wary of 3rd party applications for smart phones, and also to be generally aware that smart phones are really just hand-held computers and thus subject to most of the security threats that PCs are exposed to. And it’s not limited to Android-based phones – iPhones and Blackberries are also vulnerable.

Whether or not you officially support smart phone use by your staff, smart phone security is a topic that you really must include in your security awareness training.