The IT Security Attaché

Good day to you,

As a Technology and IT Security professional services organization that has been an advocate for the enhancement of Technology and IT Security education, training, awareness and development for our people, we have taken the next step in creating a Community Security Network Operations Center “CSNOC” to further enhance this goal. Our CSNOC will help to provide more safety and security through technological advancement resources to secure the systems in our communities through a managed service infrastructure. This will allow the effective configuration, value and use of today’s latest and greatest technologies for the residents, consumer and business users. Leveraging the cloud technologies of today’s leading providers, we have been testing and building test pilots across our communities with great successes and are now ready for full deployment.

Our CSNOC will provide 24hrs technical support for all members systems which covers laptops, workstations, servers, tablets, mobile devices and other networked technologies with on and offline viral, malicious, intrusion detection and prevention and web content security. Our coverage of these technologies and solutions will remove the managing of yearly renewal submissions, product updates, learning, configuration and deployment from the users as our secure relations teams are always monitoring and working with our security development partners to ensure that we are staying on top of the latest updates, optimizations, configurations and settings so that we are always standing by our promise of creating a utopia of computer security for all no matter where you are using them.

We are very excited about this new service model offering as it speaks to our constant vigilance in creating a bigger, better and more converged security model for communities. Now our communities can be more securely connected and safe with the watchful eyes of our security experts team at the helm of this new era of technological advancements.

You can follow our CSNOC’s updates and development on Twitter here http://twitter.com/SISFIs_CSNOC

Thank you very much and have a great day. We apprecilove your patronage and look forward to serving you more.

~Brett A. Scudder~
President/Chairman ~ SISFI ~ The Scudder’s InfoTech SecuriCity Foundation | http://sisfi.org
President/CEO/Chairman/Founder/Security Architect – ~TITSSN ~The IT Security Suite Network~ | http://titssn.net
The IT Security Attaché | http://theitsecurityattache.com
SISFI/TITSSN’s Technology / IT Security Social Network | http://titssn.org

Event Title: TITSSN in association with the SQPA (Southern Queens Park Association) invites you to a FREE Technology and IT Security Forum

Description:  An invitation to: Parents, Students, Administrators, Teachers, Business Professionals, Business Owners

You’re invited to an evening of awareness, training, networking and collaboration which will feature a look at some of today’s top technologies and the varied features and functionalities they present. We will focus on educating and making you aware of these technologies and how to use them safely and stay secure. You are at risk and resistance is futile. If there are any particular technology (hardware/software) that you’re interested in learning about, please feel free to ask, we may be able to facilitate getting more information/resources or help on it for you.

Food and refreshments will be provided.

Free 1 year subscription for anti-virus/anti-malware for every attendee

Guest speaker/presenter – Mr. Brett A. Scudder – President/Chairman of SISFI and TITSSN

Featured Topics:

- Understanding the impacts of the internet and technology in the business place and home

- PC/Internet Security guidance and best practices for adults and children

- Identity Theft Prevention and Protection

- Understanding your Privacy and the laws

- Instant Messaging threats and prevention

- Social Networking privacy, safety, security and its impacts and effects

- Why am I at risk in this new era. Can I avoid/resist it?

- How to protect against viruses and malicious codes (Spyware/Malware/Trojans/Worms/Ransomeware)

- Mobile devices (cell phones, PDA’s, iPhones, Smartphones) security/risks and best practices

Please RSVP to Brett.Scudder@titssn.net or (718) 928-9731

We look forward to seeing and having you with us for a great session.

Event Date/Time: Wednesday, April 7, 2010 from 6:30 pm to 9:00 pm

Host(s): TITSSN, SQPA and SISFI

Location: Roy Wilkins Park, 177-01 Baisley Blvd., Jamaica, NY, 11434

Event Type: Community Empowerment

Location: Queens, NYC, USA

Sponsor(s): The Scudder’s InfoTech SecuriCity Foundation and TITSSN

So here I was caught up in another messaging discussion and the use of online mail services. I don’t mind having a discussion on mail security but when it comes to infrastructure people tend to think I over extend the value and need, do I?

~Brett A. Scudder~

Good day to you,

On May 1^st 2009, TITSSN answered the call of providing a converged resource to address the needed online training, education, awareness and resources of the technology and security issues and challenges facing us today for tomorrow. As leaders in this field we understand the challenges being faced in dealing with the day to day management, learning and happenings of these threats and their impacts. While countries, companies and organizations are falling victims to these attacks, industries are suffering through the loss of revenue, privacy and productivity, and people are feeling and seeing the real effects of the real world we live in where the internet brings us together as a global connected network filled with valuable resources and resistance is futile, it is everywhere and is not going away.

We are still not seeing enough being done to educate people across the board and make them aware of these issues and their true impacts and so we’re taking the network to a higher level towards this initiative.

IT Security is a people problem, not an industry one and as such must be addressed effectively and accordingly.

So it is for this reason that we choose to build a social community to address these things together and to provide the training, education and awareness by the people who can speak of and about them at all levels, those who develop them, those who sell and support them, those who are out in the field fighting the good fight to prevent, mitigate and stop the growing rates of infections and compromises and those who want to learn more about being safer and secure together in one place. This is a work in progress and as we grow, so we’ll learn and so we’ll adjust to the need for changes. This is what we do on a daily basis as TITSSN continues to deliver its messages of security education, training and awareness now for a more secure future. We will be moving our operations into the social network immediately to help enhance the collaborative values, resources and functionalities.

The IT Security Suite Network’s Technology / IT Security Social Network is a place where people come together to create a vibrant, resourceful, strategic and secure social atmosphere of networking, training, education, awareness and collaboration for, on and about technology and securing them.

We invite you to participate in the full functions and features of our network as we build on it to enhance its values and mission for the future. We ask that you share the word with your associates, friends, peers and everyone that is interested in the world of security and being more comfortable and secure in it. This network is specifically geared towards technology, IT Security and everything in and about it.

The focus of this social network is to build greater education, awareness and provide the services and support needed to maintain the secure presence and stability of all infrastructures (homes, businesses (all sizes and types), schools, churches, etc) for all. Everyone is affected at all levels and so we must cultivate an open concerted atmosphere to address issues effectively.  We look forward to your participation in this effort as a leader, contributor, reader, advisor or just a member wanting to learn more. Please adhere to the policies and rules of the network so that all may find a common group to collaborate in.

The networks address is http://titssn.org.

Features include:

Real-time chats

Blogging

Audio/Video/Text IM

Discussion groups

Polls

Events calendar

Products/Solutions recommendations

Featured products, people, service providers

Our own publications (recommendations, best practices, guides, reports, findings and educational info)

And much more.

Discussions and groups that are up and running:

Application Security – developing secure applications and standards

Breach Notification Laws – country/state laws

Business to Business IT Security “BtBITS” – businesses protecting each other’s interests

Cloud Computing/Security – Issues, concerns, development, education and awareness

Computer Forensics – Data and Network

Cybersecurity – myths, issues, concerns, development, education and awareness

CyberWar – on, about, awareness, information, collaboration

Data Security – securing the data/information

DCITSUG – Washington DC IT Security Users Group

Emergency Security Response Program “ESRP”

Endpoint Security – What are they, why they are vulnerable and how to protect them

Hacking Unleashed – Ethical/Unethical – the world of hacking

I-CON Science and Technology Conference

Identity Theft – prevention, support and solutions

Incident Response – What happens when something goes wrong/bad?

IT/Security things/issues that make you paranoid

IT Security Best Practices – General

IT Security Facts and Myths

IT Security Leaders

IT Security Requests and Support

IT Security Service Providers ~ITSSP~

IT Security Training and Development – General

IT Security in our educational institutions – curriculum upgrade

Microsoft Small Business Server Security – Securing the server and components

Mobile Security – securing the mobile users/devices and they data they host

Managed Security Services Providers “MSSP”

NYeWin – New York Enterprise Windows Users Group

NYITSUG – New York IT Security Users Group

NYSBS – New York Small Business Server Users Group

Online Security – Securing your online experience

OWASP – Open Web Application Security Project

PAITSUG – Pennsylvania IT Security Users Group

PC Security at home

Perimeter Security – securing the perimeter

Physical Security – a critical part of your security model

Ready Rockaway – Disaster/Emergency Preparedness

Small Business IT Security – securing the small businesses

SPEAK – Security Professionals Engaged in Advanced Knowledge

Social Networkers United – the future belongs to us

Social Networking – security, trends, myths and best practices

TITSSN’s Adopt an Institution Program – ~AaIP~

TITSSN’s Code of Honor – Advocates for the future of professional Messaging

TITSSN’s Code of Honor – Advocates for the future of IT Security Education and Awareness

TITSSN’s ENGAGED ~ENabling Greater Awareness, Growth and Educational Development~

TITSSN’s General Network Members

TITSSN’s IT Security Community Outreach Program ~COP~

TITSSN’s IT Security Scholarship Program ~ITSSP~

TITSSN’s Secure Medical Protection Program ~SMPP~

TITSSN’s Secure Mobile Professionals Network ~SMPN~

TITSSN’s Secure Minds Initiative

TITSSN’s Small Medium Business IT Security Summit ~SMBITSS~

TITSSN’s Windows 7/Vista SP2/Windows Server 2008 SP2 Testing and Development Group

The Compliance Suite (Regulatory/Non Regulatory)

The Framsyn Initiative

The IT Security Threats Landscape ~TITSTL~

The Privacy Suite – it’s all about privacy

Viral Outbreaks – containment, response, prevention

Viral, Spyware, Malware Detection and Removal – the growing trends

Voices of IT Security

Wireless Security

Government Security Mandates, Protocols, Policies and Response

US – CERT – United States Computer Emergency Readiness Team

US – CIA – Central Intelligence Agency

US – DHS – Department of Homeland Security

US – FBI – Federal Bureau of Investigation

US – NSA – National Security Agency

These are just a few of the topics, issues and groups that are available as we start off on this journey together and when you join us, you too can add to what is there if there is something of interest that is missing.

We look forward to your support and we know this will be of great value for you.

Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.

~Brett A. Scudder~

The IT Security Attaché

Greetings,

I am working on my monthly online webcast for April about the Web 2.0 infrastructure in preparation for the upcoming v.3.0. The drastic growth of the Web 2.0 infrastructure caught many people off guard as they jumped into it not knowing what was involved and the issues associated with it. It also created many new threat vectors many of which are still not under control today as the increase of threats/attacks specifically targeting this infrastructure is growing as rapidly as the number of people using it.

The recent Conficker issues have delayed my presentation for this month as I had to be helping out in various organizations to deal with it and so I will be doing it on the 27^th.

This presentation will address the present state of the Web 2.0 infrastructure, features, privacy (yes or no), pros, cons and the security concerns associated with it. It will also provide guidance on how to stay private and secure while maximizing the full potentials of the features and capabilities of it. More importantly, I will address the upcoming Web 3.0 realm and why resistance is futile and how can and will you be secured within its realm. Lots of good stuff so please mark this on your calendars and the meeting info will be posted soon.

My May session will be on the Breach Notification Laws and I will have a legal expert joining as a co-host to address this in more legal terms. More details will be provided soon.

This is just one of the ways in which TITSSN and the IT Security Attaché are trying to enhance the education and awareness of these technology/security issues to the general public. All are invited to join.

Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.

~Brett A. Scudder~

The IT Security Attaché | http://theitsecurityattache.com  | Blogs http://theitsecurityattache.com/blogs

President/CEO/Chairman/Founder/Security Architect

~TITSSN ~The IT Security Suite Network~ | http://titssn.net | TITSSN’s Blogs http://titssn.net/blogs

Greetings,

It’s that time of the year again and now I have more of a challenge this year as I have more systems to refresh. Every 2-3 months I do a complete system wipe and rebuild of my primary systems (now 16) to give them a clean start and a fresh look and feel. During the year I test so many products and solutions from the industry and once I have tested and like something, it gets added to my approved applications list and is allowed to be installed on my primary systems. It also give me a fresh build as I get rid of old install files or hidden threats that may have been left behind and now the system breathes and runs much better.

These are different from my test boxes that I may refresh daily, weekly or after a few months depending on what i’m testing on it and the period needed to properly deal with it.

As a senior executive on various committees, boards and teams, I take my security practices very seriously as a compromise on my end could lead to mass messaging or some kind of threat coming from my network which could lead to serious issues for my recipients. I am very vigilant about keeping the best of best practices for my organizations infrastructure with regular reviews and updates. As a security professional responsible for numerous organizations infrastructure, I practice these steps to protect myself and those who I collaborate with and the responsibility to protect the people and data in them. One can never be too cautious in this time and age of new and emerging technology and threats and so I try to stay on the cutting edge of the security issues.

So it is that time and my first refresh of which I am somewhat happy for as i’m getting ready to move most of my Vista boxes over to Windows 7. I have been playing around with some new products and solutions and will be moving over to them during this refresh cycle. The timing of this new Conficker worm couldn’t be any worse (or maybe better) as i’m refreshing between March 31st-April 1st. I’m also rolling out a hot new UTM ~Unified Threat Management~ device today as well and I look forward to its protective features and enhancements.

So away I go to start prepping for my refresh and trying to keep up on this Conficker issue which has set me back a day in my schedule.

Thank you and have a great day,

~Brett A. Scudder~

The IT Security Attaché

Good day to you,

It’s that time of the year again and I-CON is here in all its glory, fan filled excitement and awesomeness. TITSSN endorses the I-CON Science and Technology Conference which is in its 28^th year, and attracting over 6000 fans from across the country by supporting its need for getting the needed contents and information out to its attendees. This year’s event will be hosted at the campus of Suffolk County Community College in Brentwood Long Island and TITSSN will be there in full swing to address the IT Security Threats Landscape in various panel discussions, workshops and open sessions. Mr. David Carlos, CEO of David Carlos Managed Information Architects and I, the IT Security Attaché, will be representing TITSSN and covering topics such as:

Cyber-Crime (Fri, Marriott, 8:30pm)

How the world of Cyber-Criminals operate – the botnets, the spam, the hackers, etc. Motivations, methods, tools (try to avoid actually teaching people to be cyber-criminals).

Military Technology (Fri, SCCC, 10pm)

General discussion of new developments in offense and defense for the military.  Ray guns, unmanned aircraft, robots, nanotech, psychological warfare, medical advances – and when some of these (more benign) things may be seen outside the military environment

Things That Make You Paranoid (Sat, Marriott, 11:30) Last year, this apparently started off with about 10 minutes of doomsday events and quickly morphed into privacy and security panel.  Description from last year: Protecting yourself in an increasing hostile technological environment. Why the OS sometimes doesn’t matter, new attack vectors (e.g. cell phones), other things to make you paranoid.

Privacy and Security (Sat, SCCC, 12:00)

Maintaining your privacy and the security of your personal information when everything is online.  Implications of Obama’s plans for electronic medical records.  The penalties and how they are and ARE NOT enforced for various violations.  The pros and cons of sharing/storing your medical and other information with services like Google Health.  Should you mind targeted marketing based on data web sites and loyalty programs generate?

The Security Illusion (Sat, SCCC, 5pm) How technology is used to provide a perception of security from terrorism and the technologies that exist that COULD ACTUALLY DO IT.

Supercomputing (Sat, SCCC, 6pm)

Overview and discussion of the various methods of building a supercomputer and how they work.

Security 101 (Sat, SCCC, 6pm) Conficker and the new world of security threats. Addressing today’s IT Security Threats Landscape and its effects on people

Will HAL Dream? (Sat, SCCC, 21:00)

General discussion of artificial intelligence – from SkyNet (Terminator) to the HAL9000 to Data (from Star Trek) – how close are we, will it take over the world, and how to stop it if it tries to.

Security 102 (Sun, SCCC, 1:30pm) Your biggest security concerns. Are they valid or just myths? Protecting your computers and network from those concerns.

NASA Today (Sun, SCCC, 14:00)

Discussion of NASA’s current publicly known goals, how they should be changed, improved, or re-prioritized.

Global Warming Myths and Facts (Sun, Marriott, 4pm) Discussion of global warming myths, facts, and (potentially) debate. 

Discussion could include perspectives that global warming is not happening and/or is actually progressing in a potentially “natural” way that would happen even without human activity.

This is a fun filled and educational event for the entire family and those who are serious games, anime, sci-fi, mystery and the works addicts. Different sessions, workshops, films, and activities take you through the day and into the early hours of the morning.

TITSSN would like to say a special thank you to Mr. Lee Wilbur, Director of Information Technology and Science and Technology Track Leader at I-CON and member of TITSSN for this opportunity to be a part of the event and accepting our contributions to it. We will continue to work with him and endorse the event in any way we can. Next year we will try to have more people representing the organization to help cover more IT/technology sessions.

For those who will be at CON, see you there.

More info about I-CON can be found on their website here http://iconsf.org.

Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.

~Brett A. Scudder~

The IT Security Attaché | http://theitsecurityattache.com  | Blogs http://theitsecurityattache.com/blogs

President/CEO/Chairman/Founder/Security Architect

~TITSSN ~The IT Security Suite Network~ | http://titssn.net | TITSSN’s Blogs http://titssn.net/blogs

Brett.Scudder@titssn.net (877) 539-8614 / (718) 928-6516

We are Security – your Security – our Security – IT Security. Our Security is Safe and Secure.

A Managed Security Services/Value Added Resellers Provider (MSS/VAR-P)

My LinkedIn profile – http://www.linkedin.com/in/titssn | TITSSN’s IT Security Forum Board http://titssn.net/forum

Follow me on Twitter http://twitter.com/TITSSN | Facebook http://www.facebook.com/people/Brett-A-Scudder/1161704997

Good day to you,

Here is another education and awareness question in my series on the use of your social security number today.

Ever since the financial crisis has begun (which isn’t just today, look 18 months back), more and more people have been trying to avert the issues and impacts of the job losses and downturn in the economic trends. For this reason, they have been opening themselves up to more “risky business” opportunities/ventures in the name of finding a job or making some quick money to pay the bills and put food on the table. This is a bad sign of worse things to come for these people and by us taking a look at this now we can help educate others.

As more people are jobless the use of the internet increases, it takes away the human face-to-face elements that would help to validate the business or offerings/opportunities. More job sites/opportunities offering the hopes of new jobs/loans with a request for signing up with personal/private info is only a fraction of the bigger issues.

This has lead to an increase in identity theft and the loss of people’s personal/private information that trickles down to the core of our lives. As the economy will get worse before it gets better and more “rescue” opportunities/offers are being circulated, one can only imagine the dramatic increase in phishing and social engineering scams that will come about as a result of the new stimulus package and government initiatives. Sometimes we give up this information because we don’t know how/where/where to do so and then it becomes an after the fact issue. We will address the identity theft education and awareness issues later.

So, let us take a concerted look at when/where/who should I give my social security number to and why, and what are the impacts of doing so.

Are there any protective laws in place for it?

Your thoughts/feedback/input.

Thank you and have a great day,

~Brett A. Scudder~
The IT Security Attaché

More answers on LinkedIn here http://www.linkedin.com/answers/using-linkedIn/ULI/417629-3071950

Good day to you,

When I see an article like this I tend to sit back and go wow, where have I been living and what have I been seeing/hearing or, am I in denial to the truth. I have always said that we, the people in the field who live and die working in the field, have always seen thing different from the people in these high level positions and is why they fail to implement the proper things needed because there is in synergy between us and them.

It’s like a cop on the street who has to deal with the everyday violence and issues but he’s able to quell them and bring peace in his areas because he’s know and knows how to deal with people. While these issues are real and happening everyday they don’t get reported back to the precinct and so the captain (or seniors) thinks all is well and can say that there district is not violent nor has issues like anywhere else. It’s not that you don’t have issues, you’re just not getting the info about them because they are not critical enough to report in or cause a major stir. Yet, unchecked, the high profile ones are added to the statistics and generate facts.

They don’t come down to our neck of the woods and talk with us to see what is “really going on” in the world, instead, they use statistics that is published by some agency or group. Well, I must be in denial because I truly see this as a growing problem and have talked with parent/student alike who have been victimized online to the point that it affects their offline experience/life.

So, before I get carried away in myself and this issue (as it really upsets me), i’d like to throw this out to this professional’s network to get your real professional insight/thoughts on the report of the report.

http://www.nytimes.com/2009/01/14/technology/internet/14cyberweb.html

Thank you and have a great day,

~Brett A. Scudder~

More answers on LinkedIn here http://www.linkedin.com/answers/using-linkedIn/ULI/398900-3071950

A serious state of security – The loss of one’s private information and its effects
Reposted from my forum post on June 21st 2006

Over the past year we have seen a tremendous growth in the proliferation of threats and attacks aimed at the human intelligence level. These threats have been growing at an alarming rate and it is surely due to a lack of knowledge and awareness of the general public. Gone are the days when we have to worry about viruses, worms and hacking being a major pain and something we all feared, now the phishing scams and social engineering methods has become the primary household name showing its nasty head to consumers and businesses alike. It is only through knowledge and awareness of these issues that we will beat these methods of infection and propagation.

While talking to people on a daily basis, it is very clear that the general public tends to shun a blind eye to these issues and thinks that it will not and cannot affect them as individuals. While this is surely not the case and is one of the (if not the) main reasons why these high profile and very cunning methods of human attacks are so much a high risk, people simply do not take these threats seriously today and I will try to shed some light on these issues as i’ve done so over the past few years.

Over the past 2 years we have seen and heard more and more about “phishing” and what it is and the methods of attacks. While consulting with the FBI’s cybercrime division and talking to them about the ways in which they address these issues, they have been overwhelmed by people who have fallen victims of these scams and it’s just a matter of simple common sense. A “phishing attack” can only be successful if the intended recipient is not aware of such a scam or is tempted by the “too good to be true” offer presented.

Why would someone want to invest millions of dollars in you and you’ve never met them, never heard of nor seen anything about them and they throw these millions at you with a mere $25,000 investment on your part. Surely that would catch the attention of anyone looking to get past that life of always being broke or always wanting to take their lives to the next level but was always financially strapped down or stressed out.

Ask yourself, why is the president of such a major organization or country want me of all people to do business with and for them and not have to commit to any signed agreements stating the terms and conditions of the deal.

Why is this major financial institution located in some far region of the world choose me to be the one to work this deal for them, this surely seems odd and should be a cause for concern but yet still, unchecked, they buy into the scam and get burnt. Some people have invested thousands of money into these false deals and it’s after the fact that they realize the severity of their doing.

Common sense should have stepped up and said hey, wait a minute, do I know these guys, what do they want with me and why are they asking me for this payment to buy into such a sweet deal, hmmm, this is suspect.

Instead, the opposite happens and you see the $25,000 vs. the millions that are presented in the offer. Hell yea, of course it’s human nature to see the vastness of the offer vs. the small percentage of the buy in payment. If someone came to me right here and now with that very same offer and I knew of and about them i’d do my lil research and then by all means i’m almost sure i’d buy into it. But this is far from the case. You will not find a phish that extravagant locally or nationally because there are so many ways that you can look into that situation to know if it’s legit or not, sometimes the deal is so sweet and looks so good and even after researching it it’s still a hoax, so what do you do.

Do not get suckered by these offers and these too good to be true deals.

We need to think about these things and weigh in on the validity and chance it takes to make such a move.

I’ve seen too many people burned by this and it’s always the same story over and over. The FBI gets so many of these cases that they have to tackle them in bulk due to how many they are.

So, what is “phishing” and why is it so prevalent today with such high success levels?

Phishing is a method of deception by means of appealing to the human intelligence by presenting something of value that is not legitimate or true.

I’m sure everyone by now has gotten some kind of email from financial institution stating that their account need to be verified or updated and that they need to log into the server to do so. When logging into what you think is the financial institutions server you’re actually logging into somewhere else or someone else’s server. This being the case your information is now in the hands of someone other than yourself who can use it for any means necessary and thus you’re just been “phished”.

So that’s in essence the real overview and look on the phishing scene.

Next we have the social engineering techniques which are very similar to “phishing” but can also come in the physical form.

Someone comes to your place of business and tells you they are the CEO of the company from headquarters in DC and they are here to meet with the rest of the management team and they need access to your network, infrastructure or office. This normally gets people arouse due to the fact that he/she is the CEO and you don’t want to mess with that person or else, so this person comes in under false pretenses and gains the access to internal private and confidential business information and property that should never be given out to anyone outside of the company. By the time you catch a with what is going on that person has gathered all the needed information and left with it, now that information is being circulated on the internet and your company is being sued and dragged through the legal system for that reason.

Who is to be blamed?
What went wrong?
Could this be avoided, if so, how?

These are valid questions to a real life issue that happens on a daily basis. A helpdesk representative gets a phone call from someone claiming to be the CTO or CIO or some other C-level executive of the company. He is traveling and for some reason cannot log into the network and so he’s calling the helpdesk to have them unlock his account and help him through the log in process. The helpdesk individual knows the name of the executive and so tries to validate the credentials that person is using to gain access to the network. If this is a person that has done his homework he may know the login name but not the password and so he most certainly tell the helpdesk support rep the login info but states that he can’t remember his password. Now the helpdesk person feels this info is good because the login username is correct and so that person should be who they are and so he/she proceeds to ask for some additional information such as full name, address, last 4 digits of the social security number or the employees unique company ID #.

All these information can be had by various means and so this is nothing for a person performing a social engineering attack to gain access to. So validating all the info the helpdesk rep now changes the password and helps the user to gain access to the network and its resources. Being a C-Level executive you can just imagine the access and information available to he/she once they are logged in and authenticated on the network.

I’ve seen organizations where the helpdesk gets so scared when a C-level executive calls in with a support issue that they just need the name and some info in order to quickly expedite the support issue and get that person on the way. This is wrong and presents many critical vulnerabilities and should be addressed immediately.

Social engineering like phishing can be stopped and mitigated by user awareness and knowledge. Policies, practices and measures can and should be put in place to offset these methods of attacks. Companies should spend more time going over scenarios like these in order to get the support people alert and proactive to these issues.

Identity Theft

Wow, now this is a growing issue that is even a bigger problem due to the arrogance of users thinking they are not affected nor will they be affected by this issue.  Most of the victims i’ve spoken to had no clue they were victims of such an attack until years after when the person who did the wrongs simply missed a payment or 2 and now you’re caught smack dead in the middle of the scheme of things. At that point it is already too late because you have been victimized for years and now that you’ve found out about it is way too late, the damage has been done. The most unfortunate part about the Identity theft issue is the fact that the information will still remain on your credit for the full term of the cycle and you have to hope to God that the person was keeping up on their payments and so the credit standing was good.

I recently met a lady that just found out that she was the victim of an identity theft scam after years of being used by someone else, fortunately for her that person was keeping up to date and current on the payments and so that was generating good things for her report. How she came to find out about the theft is one of the credit card companies called her asking to make payment arrangements for a past due balance she had and when she continued to deny the claims she came to find out the sad truth about the whole situation. There was a car, an apartment, credit cards and other things in her name and she had no idea about it.

Let me tell you how bad this can get and for how long you can be screwed by such a nasty issue, yet still, there are simply ways for protecting yourself from things like this. These days with the privacy issues and concerns surrounding the selling and use of your private information it is so easy to find or get information on or about you on the internet that it’s not even funny. Don’t worry about the information, worry about the use and abuse of it. It’s like worrying about doing online shopping and using your bankcard and credit card online when the banks all have that very same information online and that’s where the accounts were opened and are kept.

I recommend a credit monitoring service for you, your spouse, your children (yes, your children as well) and anyone with a valid social security number. These credit monitoring services do a very good job of keeping you alerted and updated on any happenings with your social security number and credit. I personally use Credit Expert and I have found them to be very good, very quick to alert and very detailed as to who, what , where, why and when anything affects my social security number and credit. I highly recommend the service which is a yearly fee but it is very much worth it and should be looked into.

When you think about the long term effects and heartaches that presents itself from a identity theft case the yearly fee associated with these services is well worth it. Go get it NOW. There are quite a few good ones available but they differ in offers and benefits. With Credit Expert I get a free credit report every 30 days if I want it, I can log in and have a look at what is on my credit, who I have credit with (if any), what are my reported balances and the contact information for the creditor. I have found this to be a very valuable and needed resource and I recommend it.

How can my identity be gained, lost or acquired?

There are more ways to lose your identity than it is to prevent it from being lost, as I said before, don’t worry about losing it, worry about the use and abuse of it. Someone having your private information such as your employer, a company that you did business with, a place you went to apply for a job and had to fill out an application form that had all your info, a utility company that you had to subscribe to for their service, so many ways of giving your information out, don’t worry about the info, worry about the use or abuse.

I remember seeing an article in 2005 where a nursing assistant had a patient in the hospital and he though the guy was going to die and so he took the patients information and started using it, he got credit cards and other things in the name of the patient and was doing good until the patient didn’t die and so after coming out of the hospital a few months later the patient started to see strange things and collection notices coming to him. After contacting the authorities and turning the matter over to them and they conducted an investigation they found out it was the nursing assistant, wow.

Don’t worry about the information, worry about the use and abuse.

I had started writing this article a few months ago after seeing what happened with that patient due to the theft from the nursing aid but with all the things that were going on I was just consumed in consulting issues with people who were affected or became so afraid of these issues that they don’t even want to face the reality of it.

I am sure by now everyone has heard about the data loss issue of the 26 million U.S. VA members which has sparked a whole sleuth of privacy issues, regulations and laws at the highest levels. This should not have come as a surprise to people because over the past year we have seen data breaches and identity theft problems at the highest levels of government and business. Everyday there is a new breach reported from some major financial institution or organization and with that comes the fears about what will happen next. The biggest problem with this is, how long ago did the theft/loss actually occur?

You’re being advised of the breach now but how long ago did it happen and to what extent of breach did the victim actually get. While that is the bad part of the situation the better part that saves us from the real effects of these issues is the alerting and monitoring services like Credit Expert, True Credit, Equifax and the other credit bureaus. They will alert you of any possible use of your social security number way before the company that was breached discloses the loss of the data depending on the use of the information that was lost. In some breach cases the information is never used but it’s better to be safe than sorry. I implore you to look into these services for yourselves as the time from alert to major impact on your credit is just a matter of you stopping the issue.

My next look at this issue will go into the methods of securing your data that in the event of data loss it is secured.

A few articles of reference.
IRS Laptop Lost With Data on 291 People
Laptop theft compromises Hotels.com customer data
VA data loss could prompt federal privacy law
VA to Recall All Agency Laptops
Personal data on millions of U.S. veterans stolen
Phishing scam uses PayPal secure servers
Trojan horse captured data on 2,300 Oregon taxpayers from infected gov’t
PC
Congress to Look at NSA Database of US Phone Calls

And I leave you with one of my favorite security quote as of lately, Don’t fear IT, Fear the “G” (Google)

~Brett A. Scudder~
The IT Security Attaché