January 23, 2012 by Carsen
Are you prepared to tell over 24 million customers there was a security breach at your organization?
You have probably heard of the recent cyber attack on Zappos, in which over 24 million customer accounts may have been compromised. After reading the email Zappos sent to its employees and customers in response to the situation, I found a few items interesting and important to point out.
Zappos did a great job of making sure employees were aware of the situation and of telling them exactly what customers would be told in response. This matters: when customers call or email, employees need to know what was sent to them and what steps they should recommend to protect their information.
In the email to customers, I thought it was great that Zappos told account holders to change not only their Zappos password but also the password of any other account that uses the same or a similar password.
Security experts agree that you should never reuse the same or a similar password across multiple accounts, for exactly this reason: if someone gains access to one account, a shared or similar password makes it far easier for them to access your other accounts.
Furthermore, Zappos told customers that the database storing critical credit card and payment information was not affected or accessed, but that items such as the customer’s name, email address, billing and shipping addresses, phone number and the last four digits of the credit card number may have been compromised.
You may not hold personally identifiable information (PII) for 24 million contacts... but it is just as important to safeguard ten customers’ PII as it is ten million. Regardless of industry or sector, every organization needs to understand what must be done to protect PII, and how to report and respond to a breach if one occurs.
For one way to protect yourself, ask us about our newest PII Training course. Notifying those whose PII was compromised is vital, and failing to do so can lead to many legal issues. It is far better, however, to avoid the breach in the first place: understand your risks, how you can prevent an incident, and how you plan to respond if one occurs.
Check out the other courses in our compliance library here
Read the email Zappos wrote in response to the attack here
January 10, 2012 by Carsen
Adobe has warned of a vulnerability in Adobe Reader on Windows through which your system could be attacked.
According to Adobe, a critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.
“This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing,” reads Adobe’s security bulletin.
While this information could directly affect you, and I hope you take the needed precautions to make sure it doesn’t, it raises an even greater point: you never know when or how an attack will happen, so you need to keep up to date on security news and information.
To stay updated and read more about these issues on Adobe’s sites, follow the team blog at http://blogs.adobe.com/psirt or subscribe to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.
To find out how we can help you promote a secure environment and reduce the risk of a breach, ask about our security awareness programs. For more information click here: Security Awareness. You can also reach us at [email protected] or 1-866-245-5224.
January 05, 2012 by Carsen
Cisco recently announced that, according to its global study, seven out of 10 young employees frequently ignore IT policies, and one in four has been a victim of identity theft before the age of 30.
What does this say about a new generation of employees?
They need to understand the purpose of IT policies and why those policies matter to both the organization and the individual. On-demand access to information is an essential part of this generation’s lives, and according to Cisco, these employees will do whatever it takes to get online, even if it compromises their company’s security or their own. This includes using or sharing neighbors’ wireless connections to save money on their own service, or walking into random businesses and using their connections.
Using someone else’s Internet connection may save some money, but it comes at the expense of security. The same laptops used at Internet cafes and on the neighbor’s Wi-Fi are also used to update business files and contact employees and clients, so unprotected Internet access opens the door to an organizational compromise.
This report supports my belief that on-demand security awareness training is vital for an organization. This generation needs to be aware of the risks and of the measures needed to prevent a security compromise.
I know a college student who told me that her university will insert students’ USB devices, left behind by accident in the computer lab, into one of its computers to see if the student’s name is on the device. The student is then notified via email that the device has been found, and the students then plug the devices back into their own computers.
I see several concerns here. First, how does the university know the USB device left behind is not a trap? This places university information at risk. Second, how does the student know that no one took the USB device while it was left behind and compromised it? Then, when they put it in their computer, a virus is downloaded. This generation seems to trust that no one would do such a thing until it is too late. While this can be seen as a college policy flaw, it can also be a reason why these students enter the professional world without a security-conscious mindset.
They have been educated in their craft, but now they need to be educated in Security Awareness. Young professionals are a huge asset to an organization, and offering them Security Awareness Training and showing them the importance of IT policies will enhance their professional development as well as their secure performance in your organization.