Online Safety Tips

Student Guest Post – Ysa Love-Rowland

From time to time we highlight student blog posts centered around a variety of cybersecurity topics. Today we welcome a new contributor, Ysa Love-Rowland.


Sextortion, Bitcoin and Fraud

Sounds like a new age version of ‘Sex, Lies and Videotapes’ except this isn’t a movie.  This is real life.  I should know; I am one of the people they tried to target.  Click on the link below to read more about the new sextortion scam that is going around and what YOU can do if you are targeted as well.

https://www.blufitblog.com/post/10-2-sextortion-the-scammers-are-at-it-again

Online Safety Tips

Ron Woerner presenting three-part series

Cybersecurity Instructor Ron Woerner is presenting a three-part online safety series, Protect Yourself and Your Family in this Crazy Online World. Co-sponsored by the Better Business Bureau and AARP Nebraska, Ron will hold sessions on safe online communications (May 12th), cyber safety 101 (May 14th), and internet scams and frauds (May 19th). Morning and evening sessions will be offered.

More information and registration at AARP Nebraska or BBB.

Online Safety Tips, Security Education

BBB Cybersecurity Program: Learn How to Protect Your Organization From Phishing Attacks

The Better Business Bureau (BBB) Foundation and its partners present a FREE cybersecurity program for businesses that will provide education on how to protect your business from phishing attacks. It features our own Gary Sparks and Karla Carter.

Learn How to Protect Your Organization From Phishing Attacks!
Topics:

  • What is Phishing/How Does Your Company Protect Its Information
  • The Social Engineering of Phishing Scams
  • Combating Phishing Attacks in Larger Organizations and Financial Institutes

When: Wednesday, October 31, 2018
Time:  8:30 am – 11:00 am
* 8:30 am – 9:00 am Registration and Breakfast
* 9:00 am – 11:00 am Keynote/Breakout Sessions

Where: Metropolitan Community College – Fort Omaha Campus, Building 24 (5370 N 30th St, Omaha, NE)

Learn more and register at https://lnkd.in/dUMebHb

Concepts, Online Safety Tips, Security Management

Loose Lips Might Sink Ships

Are you watching what you are telling your neighbors?  Do you guard information in your care to make sure only those people with a need to know can see it? Hopefully, you’re not accidentally letting any secrets slip.  It could be disastrous if confidential information got out to your competitors.  It could hurt your sales, your stock price and your reputation.

It happens in a variety of ways: accidental disclosure, carelessness in storage and protection, and corporate espionage.  Many times, it happens because people are not always conscious about how they handle sensitive information.  Employees are often the greatest threat in the compromise of sensitive information.

Following the simple steps below will help ensure your ship is not sunk by loose lips:

1. Know your information.  Is the information you handle sensitive or confidential?  What would be the damage if it got out to the public or to one of your competitors?

2. Label sensitive, proprietary or confidential information.  You may know that the information is sensitive, but do your co-workers?  This is solved by labeling the document or data source as confidential.

3. Stop and think before doing anything with the information.  Be conscious of how you use the information and where you store it. Don’t share it with someone who doesn’t need to know.

4. Protect sensitive, proprietary or confidential information.  This is a separate article by itself. In general, here are some things you can do:

  • Place it in a secure location (not the public folder or even your laptop hard drive).
  • Better yet, don’t store a copy outside of a protected area.  Your PC’s hard drive is neither secure nor protected.  If you don’t need a copy of a document, then don’t keep it on your computer.
  • Don’t send it to an outside email address unless absolutely necessary.
  • Encrypt it (using a tool like Microsoft BitLocker).
  • Remove any extra copies of sensitive documents.  Maintain originals in a secure location and get rid of all other copies.

5. Ask for help.  Work with your security department.  If you are the security department, ask for help from others.

6. Be on the lookout.  Inform security if you find sensitive information that you shouldn’t be able to see.  It’s not to get someone else in trouble, but to protect your company.  Security should collaborate with the originator to ensure its proper protection.

These may seem like simple ideas, but they are still overlooked. A little time in security now can save many headaches later.

Concepts, Online Safety Tips

Stop the Insanity – Use Multifactor Authentication

Albert Einstein defined insanity as, “doing the same thing over and over again and expecting different results.” Isn’t that exactly where we are today with passwords? We keep using the same method for protecting ourselves online, but it’s not working. How many times this year have you had to change your password because of a breach?
Well, let’s see… There was the Heartbleed bug forcing users to change passwords on numerous sites… Michaels… AutoNation… Spotify… and now eBay… All in the last 4-5 months.

This is a royal pain for anyone, but especially the uninformed user. Many use the same password across sites. When there’s a breach, they receive a notification to change their password. But it’s not only for that one site/service. It’s for all of the others where they used that same password. Now, this poor user needs to remember which sites had that same password. Then they need to go to that site, find where they change their password and enter a new one. It’s a lot of work. Oh, and “Who wants my account anyway?”… Let’s be honest, most people won’t go through the trouble…

The bottom line is that PASSWORDS SUCK! There’s just no other way to say it. They’ve sucked for years, yet they’re still the major form of authenticating ourselves online. They’re cheap and easy for both the user and the service provider.
Yet time and time again, we see they’re not safe. Passwords alone don’t provide the level of protection needed on the world wild web.

There is hope! Many online sites now provide multi-factor authentication. This lets users easily secure their accounts by tying the standby password (something you know) to a second factor: something you have (a physical token, chip, fob, or phone), something you are (your voice or fingerprint) or somewhere you are (your home location). Adding this second factor gives you added security and saves you the hassle of having to change your password when the site’s security is inevitably breached, because the stolen password alone is no longer enough to log in.

StopThinkConnect (http://stopthinkconnect.org/) has made it very easy for users to learn more. Their new site (http://stopthinkconnect.org/campaigns/details/?id=460) and campaign “Two Steps Ahead: Protecting Your Digital Life” provide a single place to learn how to enable two-factor authentication. But Wait! There’s more!* This one site has links to many other popular sites (e.g., Google, Outlook, Facebook, Tumblr, Twitter, etc.) where you can easily set up two-factor authentication. It’s easy and convenient right from this one site.

UPDATE: There’s one other site you need to be aware of: http://twofactorauth.org/.  It’s a crowdsourced site started by a researcher from Iowa State University.  It’s a comprehensive list of what websites and services use 2-Factor Authentication (2FA) and which ones don’t.

Please, help stop the insanity. Take the time to set up two-factor authentication. Share this with others. Let’s move together to a more secure tomorrow.

*Sorry if I sound like an infomercial. It really is a great site.

Human Aspects, Online Safety Tips, Security Education, Security Management, Threat Modeling

My Tweets from the 2014 RSA Conference

The RSA 2014 Conference took place in San Francisco February 24-28.  It’s the top gathering of information security and risk professionals in the world with over 25,000 attendees.  I had the privilege to attend (and lead a CISO panel).  While I was there, I used twitter (@ronw123) to record my thoughts of the sessions and events.  Below is a snapshot with commentary:

Security awareness and education was a common theme throughout the conference.  The industry is finally realizing it’s about the humans, and people will always be the weakest security link.

@ddkirsch: Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about, “Social Engineering: When the Phone is More Dangerous than Malware.”  

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated ones. @SocEngineerInc

@humanhacker @SocEngineerInc showing stats from . Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled, “Ending Risk Management Groundhog Day.”  He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010).  Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see en.wikipedia.org/wiki/Calculus_). So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

@csoandy: The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.  Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage #infosec

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance: 

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see bit.ly/MZJVrQ.

Last, but hardly least is my frustration in the opening keynote of attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are here.

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.

Online Safety Tips

Protecting Yourself in an Insecure Cyberworld

A friend of mine recently asked for 5 quick tips for people to protect themselves from cyberfraud and identity theft.  While there are many great ideas out there on the sites listed below, here are the five I promote:

  • Watch your credit card. When paying with a credit or debit card, pay attention to who has it and where it’s going.  It’s easy for the waiter/waitress or cashier to steal the information when they take it out of your sight.  Most identity theft occurs with the physical card and not online.
  • Keep track of your charges.  Know each time you spend money especially with credit and debit cards.  This will make the next steps easier when you check your statements. You won’t need to rely on your memory as much (“What’s this charge?” and “Did I make it?”). While this is mostly important for payments made by credit or debit card, it also applies to cash.
  • Pay attention to your statements.  At least once a month, go through all of your bank and credit card statements to ensure all transactions are credible.  It’s so easy to get lazy and neglect reviewing what’s being charged in your name.  With electronic statements, you can do this multiple times a month.  This allows you to catch potential problems earlier.
  • Be careful when using public wi-fi.  It’s a great convenience that so many places allow us to connect to the Internet using their free wi-fi.  Keep in mind though that it’s like yelling in public; it’s not secret.  Malicious hackers can “sniff” the airwaves and steal your information.  I don’t recommend using public wi-fi for anything sensitive.
  • Use strong passwords and keep them safe.  Passwords are the keys to our identity and personal data.  Choose and use them wisely.  Don’t use the same password for all websites; that’s the same as having one key for your house, car, office, safe, etc.  Use different passwords, especially for sensitive areas like your financial institutions.  Microsoft has a good online password checker to help you select strong passwords.

Below are some of the websites* and resources you can use to learn more about keeping yourself and your family safe online:

What tips or sites do you have?  Please share using  the comments.

* These sites are not associated with Bellevue University. They are provided for your reference. Use at your own risk.


Human Aspects, Online Safety Tips, Security Education, Security Management

Security for the Real World – Password Policies

Passwords suck.  They always have; they always will.  But we’re stuck with them.  They are the cheapest and easiest means of user authentication.

With passwords come the ubiquitous password policies.  This post addresses two of them seen at most organizations*:
1. Thou shalt not share thy password.
2. Thou shalt not write down thy password.

* “Thou shalt” isn’t usually used in policies.  I’m using it for effect.

There are many problems with these rules.  First, they are almost impossible to enforce unless it’s a really small organization or you have a large police force.  Second, they are often violated by the top echelon in the company.  How many CEOs share their account with their admin?  Are you going to tell the CEO that he’s violating company policy?  That’s a CLM (Career Limiting Move) if you ask me.

Rules like the ones above are there to protect the organization, not the employee.  They cannot be enforced, except when something bad happens.  Then the enforcer can point to the policy and report the violation.  I call it a “speed limit” policy: good to follow, but neither continually nor consistently enforced.

Here’s the key to making those policies work: make the user responsible for his/her account.  The policy statement would then be, “All users are responsible for protecting their login credentials from unauthorized access like they would protect any other corporate asset.”  This puts the onus on the user.  If someone gains unauthorized access to the user’s account because he/she didn’t follow the rules, then the user is accountable.  They are guilty until they can prove themselves innocent.  If someone (like the CEO) wants to share their account, they can, as long as they realize that it’s them who will be held responsible for any actions taken by the other party.

With so many passwords to remember, people need to write them down.  Telling people not to just isn’t realistic.  Some use a password vault application.  Others use a piece of paper.  Both are fine as long as the list is rigorously protected.  It’s fine for people to write down their passwords as long as they store the list in a very safe location.  My mom has a piece of paper with all of her passwords on it in a desk drawer in her apartment.  I’m fine with it, since I may need it one day as her power of attorney.  Her apartment is in a secure facility, so the risk is minimal.  There’s a much bigger risk of her becoming incapacitated and me not having access to her accounts.

That’s what it comes down to: understanding RISK and establishing accountability.  What are the risks associated with the actions?  Who’s responsible?  Answer those and you make a conscious decision that’s both realistic and enforceable.

Human Aspects, Online Safety Tips, Security Education

Happy Safer Internet Day

Tuesday, February 7, 2012 is Safer Internet Day (SID).  It’s an international event organized to promote safer and more responsible use of online technology and mobile phones, especially amongst the younger generation. We have so many netizens who are unaware of the dangers in the new Internet age.  The only solution is constant and consistent education.

Some of the statistics provided on the website are telling:

  • 26 per cent of children report having a public social networking profile.
  • Children of all ages are lacking digital skills – confidence is often not matched by skill!
  • 12 per cent of European 9-16 year olds say they have been bothered or upset by something on the internet…
  • …however, 56 per cent of parents whose child has received nasty or hurtful messages online are not aware of this.
  • One in eight parents don’t seem to mediate their children’s online activities…
  • …while 56 per cent of parents take positive steps such as suggesting to their children how to behave towards others online.
  • 44 per cent of children think that parental mediation limits what they do online, 11 per cent say it limits their activities a lot.

One aspect that I find fascinating is that this is a global problem.  Kids worldwide are encountering the same problems that we see here in the United States.  Websites like SaferInternetDay.org and StaySafeOnline.org provide a large amount of useful information to help folks be secure online.  It’s all free and readily available for anyone who wants it.

It’s great to see a worldwide effort like this. I just wonder how we can better spread the word and educate not only our kids, but everyone.