Thursday, October 22, 2009

The Ins & Outs of Cyber Theft Prevention - http://tinyurl.com/ygvavs3

By Steve Lee, Managing Partner of Steve Lee & Associates
www.stevelee.com

October is National Cyber Security Awareness Month and a recently issued IBM X-Force 2009 Mid-Year Trend and Risk Report describes the current Internet climate as "an unprecedented state of Web insecurity as Web client, server and content threats converge to create an untenable risk landscape." However, despite these findings, the Internet will remain a vital channel for most businesses. So, how can you help create a safer and more secure online environment for your business and its customers?

With the expertise of Stan Stahl, CEO of Citadel Information Security (www.citadel-information.com), Steve Lee & Associates has worked with businesses to help mitigate, investigate and prosecute cyber crime.

Selected trends in online theft: These days, online banking hacks are the cornerstone of cyber theft committed against small and medium-sized businesses. Cybercriminals target businesses’ bank accounts and have focused their efforts on pilfering money from company demand-deposit accounts. McAfee, a leading security-software company, estimates that in 2008, companies around the world lost more than $1 trillion to cybercrime.

Email phishing scams have become highly targeted as well. The attacks are delivered against users by name and can appear deceptively familiar and credible because they may include portions of the user’s password.

Trojans are delivered to unsuspecting small, middle-sized and large organizations through email purportedly from social or business networking sites and even from the IRS. One click and the hackers can access company bank accounts and use money mules to quickly siphon significant amounts of money out of the company’s account.

It’s important to remember that these cyber crooks, also known as ‘black hats’, have the technological upper hand. Malware development has accelerated far beyond anti-virus and patch development. By the time ameliorative patches are available to detect or pre-empt the malware, hackers have deployed Trojans, viruses, worms, rootkits and spyware that may be several generations beyond the latest published fix. (NOTE: for more information on malware development, see Brian Krebs’ The Washington Post column “Security Fix” at http://voices.washingtonpost.com/securityfix/)

Think your business’ bank account is protected by “second-factor authentication?” Well, think again. While second-factor authentication is touted by banks as a truly secure solution, it is not. Unfortunately, the awful truth is that no widely utilized online banking solution can guarantee 100% security. Multi-factor authentication is only slightly more robust than single-factor (i.e., user name and password) authentication. Even so, there are ways to help keep your money as safe as possible. Consider the following steps:



To maintain a safer computer infrastructure, your company’s management must consistently address cyber theft by implementing and continuously improving controls and processes:

1. Use a dedicated PC for online banking that is not used for any other transactions. If this sounds like a nuisance, just consider the inconvenience of losing hundreds of thousands or millions of dollars and then having to bring suit against your bank in an effort to recover your money. Remember, the bank will maintain that they are utilizing reasonable security practices. And by current standards, they may be right. The onus will be on your business to prove your case.

2. Make a plan for breach disclosure. Most states, in addition to the District of Columbia, have laws governing "breach disclosure." You may be required to notify consumers if you have reason to believe that there has been a compromise of private consumer information. Insurance industry reports suggest that "breach notification costs" exceed $200 for every person that has to be notified.

3. Explore obtaining breach notification insurance as well as cyber insurance.

4. Establish usage rules for administrative privileges, subnet access, download permissions and acceptable applications. Invest in monitoring systems and enforce the rules.



Once a company protocol is mandated, these procedures must be communicated to employees. Employees need regular, albeit brief, training to help them recognize the red flags of cyber crime. In addition, regular upkeep and modernization of your security infrastructure is critical to preventing cyber theft:



1. Stay current with patches. That means Flash, Adobe, Java and other programs on your company’s computers in addition to Windows patches.

2. Invest in intrusion detection and intrusion prevention solutions. Don’t be penny wise and dollar foolish; a managed service may be your best bet. Yes, they cost more than off-the-shelf anti-virus programs. You can be certain that you will never get more value out of software or a service than what you paid! Think about that the next time you decide to use freeware (also known as “unsupportedware”).

3. Review your banking transactions frequently.

4. All social networking sites must be isolated from the corporate computing environment. They are for your employees’ and your home machines or a dedicated machine at your office that is off your corporate network.



Be mindful of Stan Stahl’s cyber security dictum: “Trust no one.”

Roman Polanski: Celebrity Criminal and Justice Evader No More - http://tinyurl.com/yjeyx4h


By Steve Lee, Managing Director, Steve Lee & Associates
www.stevelee.com


October 22, 2009…The clash among Los Angeles County authorities, French political and cultural figures, and celebrities over the arrest and extradition of Roman Polanski threatens to eclipse justice in this infamous matter.  This cross-border ruckus reminds us that the American criminal justice system has a long memory and a longer arm – even when it comes to “players” on the world stage.

Yes, international authorities have devoted tremendous resources over decades to Polanski’s case. That’s in part because he is a public figure. There’s no question that individuals of lesser stature evade the law, and these matters don’t prompt petitions or make news. Given Polanski’s visibility in the global entertainment and cultural community and the notoriety of his crime, officials would be hard pressed to diminish their efforts. All the more so after Polanski essentially thumbed his nose at the Los Angeles County District Attorney’s office and the Superior Court. It appears that Polanski was offered a “sweetheart” deal and declined to consider it.

Yet Polanski’s celebrity also served to bolster his ability to evade law enforcement. The facts and circumstances around the original court proceedings in the late 1970s indicate there was a good chance that Polanski would have spent a minimal amount of time – if any – in jail.  If he did, he likely would have served time at a minimum security facility and received the kind of gentle treatment often reserved for celebrities and white collar criminals. 

Mr. Polanski has led a privileged life.  There is no doubt that he is a talented man and has made measurable contributions to his chosen art form.  He is well loved and revered by many in the film industry and some have been vocal in his defense. 

Polanski’s victim is now an adult and has indicated that she would prefer the case be concluded.  According to reports in Time Magazine, she has indicated that she does not wish to testify against Mr. Polanski. 

Despite all these factors in Mr. Polanski’s favor, the facts are what they are.  Polanski was booked on charges of rape, suspicion of sodomy, child molestation, and furnishing dangerous drugs to a minor.  He was indicted on drug and rape charges.  He entered a guilty plea to having unlawful sex with a minor and then he fled the jurisdiction. 

What is at play here is the Fugitive Disentitlement Doctrine, which asserts that a court will not determine the merits of a claim made by a fugitive because any potential enforcement against the fugitive is impractical.  Polanski wants the statutory rape charge dropped, but he refuses to return to deal with American justice.  Presumably his concern is that the Court in 2009 may not find that his claims of judicial misconduct in the 1970s are well founded.  The risk for Polanski is that if the Court found his claims without merit, he would be treated as a self-admittedly guilty sex offender in custody.    

Today, tougher scrutiny of standards of celebrity justice coupled with a fervent distaste for and intolerance of child abuse might make prosecutors less willing to cut the kind of deal that was available to Polanski in the 1970s.  Perhaps it is that change in the criminal justice climate that makes Mr. Polanski and his attorneys wary of a return to California.  Attitudes change, but the reality of the acts that were performed does not.  If they were criminal then, and they are criminal now, then justice needs to prevail. 

We must be mindful that it is the individual that goes on trial for his or her acts, not the artist for his or her art.