Thursday, October 29, 2015

Separation is a useful strategy (in today’s always-on, ever-connected world)

Today’s guest blog comes from John Everson, Director of Information Security at DISH Network.

Separation, containerization and segmentation are all tried and true security tactics in fields such as IT and accounting, but the principles are just as critical for consumers in their everyday lives. As technology continues to blend, and more and more of our information is stored online, this separation can seem difficult to accomplish. Here are a few ways you can protect your privacy and increase your security posture.

Browsers 
Use a separate Internet browser or “private browsing” for online finances. 
  • You wouldn't believe how much information about you is made available via a web browser, especially a browser that has been customized with an add-on tool bar or plug-in. In addition, many of the sites that you visit on a regular basis are interconnected with tens, if not hundreds, of other sites that are able to track and correlate your activity using online identifiers. For a better understanding of this, check out the “disconnect.me” web site (please note that this is not an endorsement of the company or their services, but they do some cool stuff). 
  • Consider using a different Internet browser for working on online finances (banking, bill pay, credit card sites, etc.) versus the browser you use for everything else (email, social, shopping, browsing, etc.). Alternatively, you could use “private browsing” or “incognito mode” for working on finances. Either way, if you do use a separate/dedicated browser for financial activities, make sure you don’t have any add-ons or tool bars enabled for that browser since these services have direct access to your browsing information.
Credit Cards 
Use different credit cards for different types of purchases.
  • Credit cards help isolate the funds in your bank account from the merchants that are selling you goods and services. Credit cards also offer fraud protection, a grace period, and in many cases, rewards (free money if you pay off the balance every cycle). On a side note, debit cards generally don’t offer the same benefits, and I usually advise people to use credit cards versus debit cards when making any purchase.
  • Credit cards make shopping online easy and convenient. But that ease-of-use extends to anyone who has your card information (including those who steal it). Consequently, consider using a different card for different types of purchases. For example, I generally do all of my online shopping on a specific credit card. I do not use this credit card for in-person purchases, and I have another (separate) card that I use to pay utilities and regular monthly services (e.g. electricity, water, DISH, etc.). 
  • Using different credit cards for different types of purchases allows me to better track and manage my expenses. For example, an online purchase made on my in-person card would be an immediate red flag.
Online Accounts
Use personal accounts for personal use, business accounts for work.
  • As more and more applications are moving to “the cloud,” we are starting to see personal and business lines blur. Many of the web applications (e.g. Facebook and Dropbox) that were created for casual or personal use are now being used in businesses.
  • This is a reality, but businesses and employees should take caution. Using a personal account to conduct business can put the business at risk, as personal accounts are controlled by individuals and not by the company. In other words, the company may not have visibility or control of these accounts, so they may not know that an account even exists, much less how the account/service is being used. In certain situations, this could result in data loss for the company and potential legal exposure for both the company and the individual.
  • And a word of caution: Did you know that you may be assigning ownership of information to the service provider when you upload information into their application? You would be surprised by what is in the terms of service of many web applications (e.g. Prezi).
  • At the end of the day, people should use business accounts (and services) for business and personal accounts/services for personal use. Don’t mix business with personal use and don’t register for a new web application or service without the appropriate approvals from your employer.
Credentials
Don’t use your work information (e.g. username, password, email address) when signing up for personal services.
  • This one might be the most obvious, but let’s look at a good example of “why not?” When website hackers leaked data from the Ashley Madison breach, data-crunching firm Dadaviz revealed the top ten companies who had email accounts registered with the dating site designed for married individuals. It’s perhaps a top ten list companies don’t want to be on. While data analysts suggested taking the figures with a grain of salt, as a third of all Ashley Madison accounts are fake, it’s still an example of risk to a business simply by people signing up for a personal site with a business email account.
  • It’s a good practice to only use work usernames, passwords and email addresses with employer-approved web applications, sites and services.
The items above are just a few areas that you should be aware of. There are many more out there so keep checking this blog for more tricks and treats in the future. In the meantime, be safe and think before you act.

John Everson is the Director of Information Security at DISH Network. DISH is headquartered in Englewood, Colo., and provides television, phone and broadband services in the United States. Sling TV is part of the DISH family of services.

Friday, October 9, 2015

Cybersecurity Smarts (VIDEO BLOG!): Mobile Safety

Today's CyberSecurity Smarts blog is our first ever VIDEO BLOG, with mobile device security tips from Daniel Teyf, our Application and Database Security Architect. Watch it below, or view it on YouTube here.



Video Transcript: Daniel Teyf, Applications and Database Security Architect.

Today we're going to talk about the mobile device, any in particular, any brand, and the security that comes along with it.

Updating Your Device
A device like this also has an operating system, which manages all the components of the device, along with the programs that run on it. It's important to make sure you update your device's operating system on a regular basis. Different vendors will handle this differently:
  • Apple has the ability to directly target your phone and send you an update
  • Android does it through the service provider
  • Microsoft offers updates directly from the Microsoft cloud
Encrypting Your Device
The iPhone, for the most part, is already encrypted. But it's important to make sure that you have a PIN on there. On the Android, you set up a PIN (called a screen lock) in your settings, and then further into the settings you will see the security tab with an option to encrypt the phone. It's highly recommended that you encrypt your phone so that if you lose it, that information is harder to get at.

Turn Off Your WiFi
Let's not forget what happens when we connect our phone on our home WiFi. The first time around, you have to find your network. It shows you all of the available networks to connect with, and then your phone's got it memorized. The next time you are at home your phone automatically connects to that network again. The same thing goes for your work network, or the coffee shops that you visit. Anywhere you go after that your phone tries to see if those same networks are available. How does it see? Knock, knock, knock. It sends the network name, the SSID, out to see if anyone is going to respond to it.

What's interesting is sitting at a hotel, and putting up a wireless receiver, you can see all of these phones running around trying to connect to various networks and they are sending out the network name. You can almost build a profile about which people have relations: do they work together, do they visit the same coffee shops, do they live together, etc.

Lesson to be learned: If you are not connecting to the WiFi at a location, simply turn it off.

Thursday, October 1, 2015

It's Cybersecurity Awareness Month, and you're terrified.

Terrified by the latest hacks, identity thieving, and online scams? Are you just realizing that "password123" was probably not the best choice for a password? Shaking in the corner wondering if some odd man on the other side of the world is chasing down Beanie Babies with your credit card number? Don't worry; everyone is. The Internet can be a dangerous place, and there’s a lot to remember when using it.

Last year wasn't easy on anyone. Corporate giants Sony Pictures, eBay, Jimmy John’s, JP Morgan Chase, and Home Depot, just to name a few, were all hacked hard. The world got the big wake-up call that no enterprise, regardless of the size of security investment, is immune to attack. Attackers’ weapons are advancing daily, technology keeps changing, and businesses are in a constant state of evolution, requiring rapid response and preventative tools to protect ourselves.

On average, there are more than 1.5 million victims of cybercrime across the globe every day (seriously, every day), and most of them could have avoided the attack if they were more educated on cybersecurity. Here in Colorado, our teams defend against approximately 8.4 million cybersecurity events every day (seriously, every day!).

Which is why today has special significance for us: it’s Oct. 1, the official start of National Cybersecurity Awareness Month. It's a month-long opportunity to create awareness about hackers and their techniques, and to let people know how they can protect themselves.

So use October to learn something new about cybersecurity: We'll be posting cybersecurity tips, facts, Q&As, and video blogs by experts with the hashtag #CoCyberHelp across social media, and you can also browse our website resources at colorado.gov/cybersecurity/help.

Hot cybersecurity subjects include:
  • Staying clear of those pesky phishing scams: Sigh. We are all so tired of these. These little scammers are constantly evolving to avoid detection, and can be quite tricky to avoid. Learn what they are, how to protect yourself, and what to do if you get tricked.
  • Ensuring your home computer is not screaming "Hack me!": Use a firewall, scan for viruses, scan for spyware, and stay up-to-date. Computer updates often take care of known vulnerabilities in your computer, but you need to educate yourself (use strong passwords and then laugh at people who don't, know what scams to watch out for, stay abreast of latest tech news), secure your home network and mobile connection, and back up your most important information.
  • Keeping your beloved kids safe online: The really scary stuff, right? Trying to protect those we love is enough to stress anyone out. Communication is key to knowing when they are encountering dangers; read our blog and get familiar with as much as you can.
  • Not leaving a trail of breadcrumbs for the bad guys when traveling: Back up files, update security software and clear your browser history before you leave for your trip, plus learn what to do while on the road, and what to check for when you get home. 
  • Things to think about to ensure better security when carrying or using your mobile phone. Did you know that your mobile phone is always looking for a wireless network to connect to? Have you ever thought about what that might reveal about you, and how someone may be able to impersonate the network(s) your phone is seeking, to steal the data on your phone? 
Obsessed with cybersecurity? We are too. Learn what the State of Colorado is doing by reading Secure Colorado — the state’s award-winning, multi‐year security strategy.

Debbi Blyth: Chief Information Security Officer. Colorado native (almost!), beach lover, deep sea diver, Sunday school teacher. I'm the queen of keeping Colorado safe online. Find me on Twitter at @debbiblyth.