Tag: infosec

Tips for Staying #CyberSecure While Shopping Online for #CyberMonday

Posted on by Shawn E. Tuma

Cybercriminals need shopping money for the Holidays and one of their favorite times to get yours is when you are shopping on #CyberMonday.

Use these tips to help stay #cybersecure while shopping online for #CyberMonday and at any other time:

  1. Credit or debit? Use credit cards, not debit cards, for your online shopping. Debit cards are tied directly to your bank account so if there is a problem, your money is gone. With credit cards, it is borrowed money, plus, if you have a problem with the merchant or order, the credit card company can act as your intermediary in the dispute. If possible, have one credit card that is used solely for online shopping in case you need to cancel it.
  2. Secure Internet connection. When shopping online, it is best to avoid free WiFi or other forms of open WiFi in public locations. When you are out, it is best to use your own data plan or, if you must use public WiFi, use a VPN to help minimize the risk of having your information stolen.
  3. Credible merchants. Only shop at online merchants that are credible and well-established. Anyone can put up a website in a short amount of time, make sure you know you’re dealing with a trusted merchant with a history of doing business.
  4. Scams – too good to be true (merchants). Be wary of deals that seem too good to be true and do not get too greedy because if a “deal” seems that good, it almost certainly is and the person behind the scam is either outright stealing your money or they are trying to steal your information.
  5. Saving information with merchant. While it is more convenient to save your personal information and payment information with the merchant, doing so also means that information is now stored in their database and can be compromised. It is best to not save your information with merchants.
  6. Scams – too good to be true (click here). Be wary of emails or social media posts that advertise deals that seem too good to be true and then tell you to “click here” on a link to see more information. Those are usually phishing emails that are designed for the sole purpose of getting you to click the link so they can either steal your information or deposit malware on your device. Cybercriminals can perfectly clone emails from legitimate merchants such as FedEx, PayPal, Amazon, and others so just because the email looks legit doesn’t mean it is — don’t click on the links!
  7. Scams — the sad story. While not limited to online shopping, a close relative to the “too good to be true” scam are the scams that play on your sympathy and generosity during the Holidays. An example of these is chain emails that tell of a tragedy that has befallen people and asks for donations. Criminals know how to play on our sympathies and use our emotions to manipulate us into doing things we would never do otherwise, such as sending money because someone asked for it in an email or social media post. Unless you know the people first hand, do not let your emotions overtake your judgment and stick with reputable charitable organizations with an established history.
  8. Good Cyber Hygiene. Whether for shopping on #CyberMonday or otherwise, it is best to always use good #CyberHygiene to protect yourself online. Here is a free Checklist for Good Cyber Hygiene.

For more discussion of these tips for staying safe while shopping online see 5 tips for Avoiding the Cyber Grinch this Cyber Monday! and Cyber Monday: Online safety tips from a cybersecurity expert.

SEE ALSO

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Lost Unencrypted USB of Heathrow Airport Security Files Exemplifies Poor Cyber Hygiene

Posted on by Shawn E. Tuma

Basic cyber hygiene has been a hot topic in cybersecurity, and for good reason. Most of the incidents that impact companies start with failures of basic cyber hygiene, not the super-sophisticated stuff of the movies. See Start with Cybersecurity Basics: Confirmed by Verizon’s 2016 Data Breach Report.

One of the most fundamental rules of cyber hygiene is to encrypt sensitive data–especially when such data is going to be stored on a portable device such as a USB drive! See Checklist for Good Cyber Hygiene.

Now we have learned that a USB memory stick containing the highest level of security secrets for the UK’s Heathrow airport was found lying in the street, unencrypted. The sensitive nature of the information contained on the USB is alarming, as revealed in Heathrow Probe After ‘Security Files Found on USB Stick’.

We do not know if this was sloppiness by those at Heathrow or if someone was stealing this information and placed it on the USB and then lost it. Consider each scenario:

  1. Assuming it was the former, because portable USB devices are so easily lost, if such devices are used in your organization you must ensure that the devices or the data stored on them are adequately encrypted.
  2. Assuming it was the latter, because USB devices are such an effective tool for data theft, many organizations are blocking the use of USB devices on their computer systems altogether.

 

3 Legal Points for InfoSec Teams to Consider Before an Incident

Posted on by Shawn E. Tuma

secureworldAs a teaser to my presentation at SecureWorld – Dallas last week, I did a brief interview with SecureWorld and talked about three of the points I would make in my lunch keynote, The Legal Case for Cybersecurity. If you’re going to SecureWorld – Denver next week, join me for the lunch keynote on Thursday (11/2) as I will again be making The Legal Case for Cybersecurity.

In the SecureWorld article, Why InfoSec Teams Need to Think with a ‘Legal’ Mind, Before an Incident, we discuss these three points:

  1. There are three general types of “cyber laws” that infosec needs to understand;
  2. Sadly, far too many companies do not take cybersecurity seriously until after they have had a significant incident; and
  3. Companies’ need for implementing and continuously maturing a cyber risk management program (such as my CyberGard).

 

FUD and Voting Machine Hacking: An Important Point and Important Lesson

Posted on by Shawn E. Tuma

This morning I am doing radio interviews as a Fox News Radio contributor. My topic? The DEFCON Voting Village demonstration of hacking voting machines that have been, or may currently be, used in US elections. Here are a couple of the news stories if you are unfamiliar: Hacking a US electronic voting booth takes less than 90 minutes | New Scientist and To Fix Voting Machines, Hackers Tear Them Apart | Wired

With all of the talk about hacking or rigging elections, this is a great topic to pique people’s interest for a radio interview but it can also generate a great deal of FUD. And, I really do not like FUD because it detracts from the real issues and lessons that we can learn from situations. So, there is one very important point and one very important lesson that I have tried to make during these interviews and that I hope will rise above the FUD:

IMPORTANT POINT: The voting machines used in this example were obtained from eBay and government auctions because they had been decommissioned. This means they were old. Unfortunately, some had been used in recent elections — which is a big problem — but generally speaking, we’re talking about outdated technology.

IMPORTANT LESSON: Voting machines are computers and, while (IMO) no computer will be secure they can certainly be more secure. We must be vigilant about the security of the voting machines and other election infrastructure that we use in our voting process and demand that current, state of the art equipment be used, where security is baked in from the outset and is continuously maintained as an ongoing process, from now on until further notice.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

OCR Issues Cyberattack Response Checklist and Infographic

Posted on by Shawn E. Tuma

The United States Department of Health and Human Services’ Office for Civil Rights has just issued a checklist and infographic to aid healthcare organizations and their vendors in quickly responding to cyberattacks in compliance with HIPAA requirements.