Showing posts with label Asset Protection. Show all posts

Wednesday, October 8, 2014

Be Mindful - Do Mobile Apps Respect Your Privacy?

'Stickybeak' Apps Threaten User Privacy 

Not surprisingly, a new report has found mobile apps are failing to provide users with basic privacy protections.

The report's authors put the failures they detected into three basic categories. Sixty percent of the apps they studied either:

  • Did not disclose how they used personal information
  • Required the user to give up an excessive amount of personal data
  • Communicated privacy policies in type too small to be read on a phone's screen

As the Wall Street Journal points out in this blog post, it's not currently required for apps to have a privacy policy. However, we may soon see changes in this area of the law, especially where health apps are concerned. Currently, there are more than 100,000 health-related apps just available via smartphones.

Be mindful of any app that does not include a privacy policy, and train yourself not to just hit "Accept" on those data-gathering permission requests that pop up after you download a new one.

You should absolutely understand what you are being asked to give up to take advantage of the app. Is it worth it?

Saturday, August 16, 2014

Facebook’s Browser-spying Campaign

Facebook using the browsing data of its members to target the ads of its advertising partners

The Facebook used by billions is sharing its users' online behavior in ways it previously said we could opt out of. 

As Venture Beat reports, anytime a Facebook user visits a site with a "Like" button (any site, not just a Facebook page), that visit is stored by Facebook and used to better target the ads of its advertising partners. No need for the user to actually click the Like button. The page visit is enough to trigger the storage of user data.

I actually tested this by visiting several types of websites I've never visited before. Lo and behold, I started seeing ads for associated items on my Facebook page.

There are a few tools that allow you to block sites like Facebook from inserting tracking code into your browser. Learn about them here.

Monday, May 26, 2014

Pace and Volume of Regulatory Change are the Biggest Factors in Leading to Risk Evaluation Failures

Results of Bank Director’s 2014 Risk Practices Survey

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

It is a classic challenge for many banks to assess how their risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

  • 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
  • 63 percent said that a separate risk committee on the board oversaw risks.
  • 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren't doing this.
  • 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
  • Of this 30 percent, less than half actually use it to supply limits to the board and management.
  • The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren't getting fully used.
  • And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
  • 17 percent review the bank’s risk profile monthly at the board and executive level, about 50 percent review it only quarterly, and 23 percent review it twice or once per year.
  • 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
  • 53 percent want more understanding of newer risks like cyber security issues.
  • Senior execs want the board to have more training in overseeing the risk appetite and related issues.
  • 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
  • Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Monday, May 12, 2014

Quick Round-up of Some of the Latest Tricks and Traps

Beware of new scams and privacy pitfalls

New ways to fool people out of their money, information and identities pop up nearly every day. Here's a quick round up of some of the latest tricks and traps:

New Scam Targets Homeless: Fraudsters pay homeless people to take out cell phone contracts in their names. The fraudsters keep the phones, rack up the bills and then sell the phones, ruining the homeless person's credit.

Getty Images Allows Free Embedding, but at What Cost to Privacy? People can embed images in their sites for free, so long as they use the provided embed code and iframe. Because of the scope of Getty's reach, this may allow the company to correlate more information about a user's browsing history than any single site could. Just another reminder that nothing's truly free in this world!

Human Error Tops Ponemon Patient Data Security Study Threats: 75 percent of healthcare organizations view employee negligence as the greatest data breach threat. This result underscores the importance of good security and privacy controls (and excellent employee training!) in healthcare environments. This extends to medical device manufacturers, who often work off very old technology software and continue to insist that controls are too cost-prohibitive.

The Data Brokers - Selling Your Personal Information: 60 Minutes' Steve Kroft recently reported on his investigation of the multibillion dollar industry that collects, analyzes and sells the personal information of millions of Americans with virtually no oversight.

Thursday, April 10, 2014

Why You Need a Security Strategy and How to Develop One

Some questions we need to address before we embark on an Information Security improvement journey!

Thanks to Edward Snowden’s leaks to the press, we now know that there has been systematic, broad and deep surveillance of online activity at a scale that could not have been previously imagined. Beyond simply snooping, the revelations pointed to infiltration of the hardware and software we rely on to secure our communications.

When it comes to policies and strategies, it’s hard to go past the tried and tested ways of the past. The best way to make a start is by doing a SWOT analysis: Strengths, Weaknesses, Opportunities and Threats.

Strengths
Look within your organisation. There are bound to be some really good things happening when it comes to Information Security. For example, you might have a very well-educated workforce that never opens unexpected attachments. Or your IT team is very conscious of the potential threats to your business and has solid systems and processes in place to deal with them.

Weaknesses
Over the last 15 years, the focus of security in enterprises has been on vulnerability tracking and making sure that your systems are protected from external attacks. While that’s still important, it should only be one facet of your total security strategy. Have you considered what happens once someone gets past your firewalls and other blocking mechanisms? Or if the attack starts from within?

Give some consideration in your strategy to dealing with attacks once they are in action. Are your people ready to react once there is a breach? Are they up to date on the latest threats and attack vectors?

Perhaps the most often seen security weakness (in our observation) is that managing compliance with the security policy is seen as an annual project that’s executed in order to keep auditors happy.

If that’s the case in your business, look for ways to alter that culture.

Opportunities
Aside from using security as a way to get lots of shiny new gear into your server racks or to justify new services, getting your Information Security right can be a great chance to re-engage IT with the business. Look for ways to turn the security conversation into an opportunity to change service delivery. It’s also a great way to further the professional development of your staff.

If you have some strong skills in data analytics in the business, you might find you can give them a new challenge by engaging them in threat intelligence.

Employing red/blue team exercises regularly doesn’t just improve your security response but can be a great way to add some excitement to how you manage security.

Review existing systems and processes to find the security issues. You might find it becomes an opportunity to ditch an old legacy system that’s costing lots of time and resources to maintain.

Threats
Over the last year, it’s become apparent that the threats of the last decade are really just background noise today. Sure, we need to keep our firewalls locked down and end-point protection up to date, but what can you do when your hardware is compromised or a nation-state can break through your encryption?

These are real threats today. Stuxnet, back in 2010, compromised a nuclear power plant. It is believed by many that it was part of an attack by one government against another. Today, Snowden’s documents tell us that the NSA can intercept a massive array of data. And not just from enemies but from within friendly states.

  • So, when was the last time you reviewed your security policy?
  • Does it take into account new security mitigation techniques?
  • Have you adjusted the skills in your business to manage changing attack methods?
  • Is security a once-a-year audit activity?

Friday, March 7, 2014

Internet of Things is Creeping into the Average Lives of Consumers

Internet of Things Gone Wild

Thanks to rapid innovation, our lives are getting easier. But there is a price to be paid. The Internet of Things is creeping into the average lives of consumers in unexpected ways, creating new vulnerabilities even in what was once the safety of our own homes.

There’s the report late last week from California-based security firm Proofpoint uncovering the first proven Internet of Things-based attack that hijacked such smart household equipment as home routers, smart TVs, and even one unsuspecting and apparently innocent refrigerator to generate spam. The attack, which took place between December 23 and January 6, generated over 750,000 “malicious email communications” and involved over 100,000 “everyday consumer gadgets.”

Each of the below developments has been built to automatically collect data about users and send that data to others. The developers insist this data is being used to enhance the consumer experience in some way; but what they don't often reveal is all the ways that data is being used to help them make money or achieve some other objective.

Take a look at these examples and think twice before you volunteer your personal information by purchasing one of these "smart" products.

  • LG markets a fridge that sends a text when the milk runs out, and this article says experts have long warned such a gadget is an attractive "soft target" for hackers. In fact, in one recent attack on 100,000 smart gadgets, 750,000 spam emails were sent to their owners.
  • Google's smart contact lenses check in and report on your health, monitoring things like glucose levels in your tears. One commenter's question was intended to be sarcastic, but in every joke there is a grain of truth. He asked: Will it send the wearer's glucose levels directly to the NSA or does that only happen after the contact lens syncs with Google's cloud? The fact is, if the lenses can report glucose levels, it is also technically possible to program them to report on many other types of activities, as well as more of your body contents and characteristics.
  • Wearable devices monitor physical activity and connect wirelessly to online services charged with collecting data on the wearer. If insurance companies were able to collect and use this data for their underwriting purposes (which now let employers charge employees different health insurance rates based on whether they exercise, eat right or make healthy choices), these devices could spell disaster for insurance costs... not to mention the potential impacts if employers, potential employers, family members, etc. obtain the data.
  • Video baby monitors send signals far and wide. To test the vulnerability of these smart gadgets, a Miami TV reporter attached one of these baby-monitor receivers to the dashboard of his car. In just a few minutes, he was able to pick up images of babies and bedrooms. Traditional audio monitors are vulnerable, as well. During the summer of 2013, ABC News reported on a Houston couple who heard cursing and lewd remarks coming from their 2-year-old's baby monitor. It had been hacked.
  • A clip-on camera takes a still image every 30 seconds in an effort to "record your life." How often have you come across a photo of yourself that if taken out of context could cause others to jump to the wrong conclusion (college days, anyone)? Worse, what happens when someone with a clip-on camera enters a public restroom or locker room and takes pictures of people (or children) in various stages of undress?

Saturday, February 15, 2014

Four "Basic" Ways To Protect Company Data

Breach at Target appears to have started with a malware-infected email!

Target Corp. and other large retailers have made the news due to data breaches, but businesses of all sizes need to make sure they have up-to-date policies and procedures to protect private data.

The breaches at Target highlight how important it is for organizations to know how secure their networks are.

Here are four measures businesses should take to ensure their data stays private.
  • One obvious way is to make sure your business' security software is up to date and working, "to make sure you don't leave holes in your technology."
  • Do you have policies and procedures in place for how employees interact with the business' server and network? Such measures include making sure employees have strong passwords for their computers and other devices, keeping their machines updated with the latest anti-virus protection and providing them with general awareness on things to watch out for, such as phishing messages (scams that ask people to give out personal information or prompt a person to click on a link that will infect their computer with malware).
  • Make sure that employees have safeguards on the personal devices they use to connect to the company's network.
  • Don't forget security measures for paper records.

Sunday, February 2, 2014

Cybersecurity in the age of "Surveillance"

How to assure that your network and its data are being guarded by a trusted partner?

The collection of information generated from the online activities of citizens, by both private and public interests, has become so widespread and pervasive that it has prompted several social commentators to label today’s digital-defined culture as “The Surveillance Age.”

Nearly every sovereign state with the means is conducting high-tech surveillance programs, a practice that is considered by most to be integral to national security and to ensuring the safety of the state and its citizens. For many observers, the most disconcerting component of the recently exposed data-collection activities of the National Security Agency was the possibility that multiple U.S. companies may have cooperated in the surveillance activities.

The possibility that trusted businesses could be leaving digital backdoors through which sensitive information could slip has cast a chill across both consumer and professional market sectors. This issue is not for us to speculate here; however, given the interest it has attracted, it would be valuable to share some fundamental information about mobile security, as well as some guidance to assure that your network and its data are being guarded by a trusted partner.

A key element of security is encryption technology, which is critical to protecting the confidentiality and integrity of a digital transaction between two endpoints, such as a mobile device and a corporate server located behind a firewall. Providing an integrated approach to mobile security, in which data is encrypted while at rest (stored on a digital device) or in transit, is the best protection against the loss of data or a security breach that could impact the profitability, competitiveness, or reputation of an organization. Strong encryption guards against data integrity compromises in these environments, which are typically treated by network engineers or mobile security experts as hostile and untrustworthy.

It’s important to note that encryption technologies differ significantly in the degrees of protection they offer. To gain a deeper understanding of encryption requires an introduction to a few esoteric cryptography terms. One of those terms is entropy, which plays a significant role in determining the effectiveness of a modern encryption system. At a very high level, entropy is a measure of how much randomness you have. Simply put, the more entropy you have the more effective your encryption can be. Consider the differences between seeking a needle in a haystack and looking for one hidden in an acre’s worth of haystacks. The procedures are essentially the same; it’s the level of difficulty and complexity that differs substantially between the two scenarios. 

Any discussion related to digital intrusion or surveillance has to include spyware, which is a form of malware. Businesses or organizations using mobile devices that have open development platforms are especially susceptible to attempts to exploit users through spyware. It is also a favorite tool of cyber criminals, who are increasingly targeting mobile devices as access points into the confidential data of organizations for purposes that range from nuisance to nefarious. 

Disguised within a consumer application, malware can be used to gain access to personal information, for anything from marketing to identity theft to compromising corporate data. This real and growing threat requires security solutions that properly safeguard the privacy of governments, enterprise workers, and individual users.

The fact that the number and utility of mobile devices will only increase means that the boundaries of the modern organization are being stretched to include hundreds or even thousands of mobile end points possessing access to the most precious assets, such as intellectual property and other sensitive information.

Security in this environment cannot be an afterthought. It must be built in at every layer -- hardware, software, and network infrastructure -- to ensure end-to-end protection. With the stakes so high in “The Surveillance Age,” it’s imperative that you demand a "confidentiality & integrity" commitment from every partner you trust with your information.

Wednesday, January 22, 2014

Did you get an email from Target?

Are you one of the roughly 70 million people who got an email from Target last week about the store's mega security breach? If so, be careful.

Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.

Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.

The Target emails went to customers whose personal information was in the Target database. Cyber thieves penetrated the records during the holiday shopping season breach discovered last month and stole info like names, phone numbers and email addresses. The full extent of the hacking is still under investigation.

In the meantime, here's what to do if you see an email from Target pop up in your inbox.

If you've already opened the email: Target has posted a copy of the email it sent out online. So go here to make sure the email you opened, the address it came from, and the link you clicked all match up.

If it doesn't match, and especially if you clicked a link to an external website and entered personal information, you need to take action quickly.

First, get a copy of your credit report, check your bank and credit card activity on a daily basis and call the credit reporting agencies to tell them what happened. You can ask to have a fraud alert placed on your account, meaning it will be flagged to lenders if someone attempts to open credit in your name.

If you're really worried, you can request a credit freeze, which prohibits any credit from being extended under your name. But that's a big step because you will have to go through the process of undoing this whenever you need credit again.

If you entered a credit card or debit card number, reach out to those institutions to warn them of potential fraud as well.

If you haven't opened the email: To avoid any chance of a virus or of falling prey to a potential scam, it is recommended to go directly to Target's website to view the letter you believe has landed in your inbox -- since even opening a fraudulent email could lead to malware being installed on your computer. And if you do open the email, don't click on any links.

All other correspondence from Target can be found here. The retailer emphasizes that it will never email a consumer and ask for personal information like a Social Security number or credit card information.

But it's not just emails claiming to be from Target that customers need to worry about.

If your personal information was compromised in the breach, that means scammers could contact you pretending to be anyone -- like another retailer.

Sunday, December 8, 2013

PCI DSS 3.0 – What's New?

Infographic - Summary of the Changes from PCI DSS 2.0 to 3.0

Last month, the PCI Security Standards Council (PCI SSC) officially released the PCI DSS v3.0 compliance standards, but much remains to be done before merchants, service providers and auditors will understand how the new mandates will impact organizations.

Version 3.0 of the standard takes effect on January 1, 2014, but vendors currently compliant with PCI DSS 2.0 will have until January 1, 2015 to move to the new standard, and some of the changes will continue to be best practices for several more months (until June 1, 2015).

Here’s what has changed:


Monday, December 2, 2013

10 defenses against smartphone theft

Thieves see mobile phones as easy cash. Take these 10 steps to defend yourself

10) Use security applications

Android phones and iPhones both come with security software. But that doesn't mean the software is active, or that third-party software might not help even more. If you have an Android phone, make sure you're using Android Device Manager or a third-party security software such as Lookout Security & Antivirus. If you have an iPhone, make sure Find My iPhone has been set up and activated.

9) Use a strong password

Too many people just give up when it comes to passwords, access codes, and PINs. They pick something such as "password" or "qwerty" or "1234." Raise the level of your game: Come up with a functional password generation recipe, then apply it to your devices and websites. You don't need a password manager. This is not rocket science.
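The "recipe" advice above and the entropy discussion in the earlier "Cybersecurity in the age of Surveillance" post are two sides of one idea: what makes a secret hard to guess is the size of the space it was drawn from, measured in bits. The following Python is an added example, not code from the original post; the 16-word list is constructed for illustration (a real diceware-style list has 7776 words, which is the pool size the report uses for that recipe), and the recipe names are my own. It generates secrets with the operating-system CSPRNG and computes the entropy of each recipe so they can be compared on the one measure that matters.

```python
import math
import secrets
import string

# Constructed word list for illustration only. A real diceware-style list
# has 7776 words; the generator works with any list, and the entropy figures
# are always computed from the pool size actually used.
WORDS = [
    "anchor", "basket", "cobalt", "dahlia", "ember", "falcon", "garnet",
    "harbor", "iris", "juniper", "kestrel", "lantern", "meadow", "nickel",
    "orchid", "pebble",
]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_POOL = 7776  # size of a standard diceware list (five six-sided dice)


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret made of `length` uniformly random picks from
    `pool_size` equally likely symbols: log2(pool_size ** length)."""
    return length * math.log2(pool_size)


def expected_guesses(bits: float) -> float:
    """An attacker enumerating the whole space finds the secret halfway
    through on average, so the expected work is 2 ** (bits - 1) guesses."""
    return 2.0 ** (bits - 1)


def haystack_ratio(bits_small: float, bits_large: float) -> float:
    """How many times larger the second search space is than the first
    (the acre of haystacks versus the single haystack)."""
    return 2.0 ** (bits_large - bits_small)


def generate_passphrase(words, count: int, sep: str = "-") -> str:
    """Recipe 1: `count` words chosen uniformly with the OS CSPRNG.
    `secrets` is used rather than `random`, whose output is predictable."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Recipe 2: `length` uniformly random printable characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def recipe_report() -> dict:
    """Entropy in bits of several recipes. The procedure is the same for
    each; only pool size and length change, and with them the difficulty."""
    return {
        "4-digit PIN": entropy_bits(10, 4),
        "8 lowercase letters": entropy_bits(26, 8),
        "6 words from this 16-word demo list": entropy_bits(len(WORDS), 6),
        "6 diceware words (7776-word list)": entropy_bits(DICEWARE_POOL, 6),
        "12 printable ASCII chars": entropy_bits(len(PRINTABLE), 12),
    }


if __name__ == "__main__":
    for name, bits in recipe_report().items():
        print(f"{name:38s} {bits:6.1f} bits, ~{expected_guesses(bits):.2e} guesses on average")
    print("sample passphrase:", generate_passphrase(WORDS, 6))
    print("sample password:  ", generate_password(12))
```

Two points the numbers make: six words from the small demo list give only 24 bits, which shows that a recipe is only as strong as the pool it draws from, and every extra bit doubles the haystack, so a handful of extra characters or one extra word is worth more than any clever substitution scheme.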

8) Keep phone data handy

Write down your phone model number, serial number, and International Mobile Equipment Identity (IMEI). If your phone gets stolen, you'll want these numbers (along with your mobile carrier's support phone number) to help your carrier place your IMEI number on the GSMA IMEI blacklist. You can find your IMEI number in most phone settings menus, by dialing *#06#, or by checking the battery compartment, if accessible.

7) Be aware of your surroundings

We've all seen them. People who meander down the sidewalk, staring at their phones, forcing others to take evasive action to avoid a collision. People chatting on phones oblivious to those nearby. People who set their phones down on cafe tables or on public transit seats. People who let their phones dangle from purse or pocket. Don't be one of these people.

6) React quickly if your phone is stolen

Report the theft to the local police. This will allow police to check websites that might be trying to unload your stolen phone and will provide you with a police report in case you want to make an insurance claim. Report the theft to your mobile carrier, so your phone service can be suspended and the phone's identifier can be blacklisted. Activate any applicable security software such as Find My iPhone or Lookout. You might also want to change your phone and app passwords, in case the thief was able to log in and access some of the services you use through stored passwords. If you're really lucky, your phone's security software will help you recover your device.

5) Choose your phone to match your security expertise

Google executive chairman Eric Schmidt recently insisted that Android phones are more secure than Apple's iPhone. That might be true if you're talking about recent-model Android phones with the Android 4.4 "KitKat" operating system. But security experts scoff at Schmidt's claim. The reality is that the majority of mobile malware affects Android devices.

In August, the FBI and DHS issued a report that found 79 percent of mobile malware affected Android devices, 19 percent affected Symbian devices, and less than 1 percent affected BlackBerry, iOS, or Windows Phone devices. Android's troubles largely arise from the fact that as many as 44 percent of Android users worldwide rely on Android versions 2.3.3 to 2.3.7, which have known vulnerabilities.

So although it's possible to run Android securely, it requires more diligence. Choose BlackBerry, iOS, or Windows Phone if you don't want to be proactive about security. Choose Android if you require the flexibility of a more-open ecosystem and are comfortable with the responsibility.

4) Choose your WiFi network carefully

Just because a WiFi network is visible and accessible doesn't mean it's safe. Use secure WiFi networks when possible. When there's no other option, avoid doing anything that involves authentication if you can. You never know who might be listening or intercepting unprotected network traffic.

3) Choose your apps and websites carefully

User behavior represents a major source of insecurity. If you can avoid downloading sketchy apps and visiting suspect websites, you will reduce your chances of acquiring malware. Security firm Trend Micro says it has analyzed 3.7 million Android apps and updates, and found 18 percent to be malicious, with an additional 13 percent categorized as high risk. Almost half of the malicious apps (46 percent) were acquired from Google Play, the company says.

2) Don't buy phone insurance

If the mobile carriers really are fighting pre-installed security software to sustain revenue from insurance premiums, you can fight back by refusing to participate. Carrying your expensive smartphone without an insurance net should also encourage you to guard your phone more carefully. Of course, you'll be wishing you had insurance when your phone slips from your pocket and fracture lines spread across the touchscreen.

1) Leave your phone at home

It's easier said than done. But you can't lose what you don't have. Shocking though it may be, people used to get by without mobile phones. Try it once in a while, if only to highlight your device addiction.

Friday, November 8, 2013

Kaspersky Lab 2013 Global Corporate IT Security Risks

34% of respondents ranked protection from incidents as the top priority

Kaspersky Lab, in partnership with research company B2B International, conducts regular surveys focusing on the key IT security issues and cyber threats which worry businesses.

The survey aimed to find out what representatives of these companies thought of corporate security solutions, to ascertain their level of knowledge about cyber threats, what cyber security related problems they most often face, how they address these problems and what they expect in the future.

The 2013 Kaspersky Lab and B2B International survey results provided below reflect the opinions of companies on key issues related to the security of the corporate IT infrastructure.

They also reflect the changes that have taken place since the previous two studies. Comparing current and historical data helps to identify and analyze existing trends in this area, ultimately creating a complete and, we believe, objective picture of the threat landscape, as well as future problems and trends affecting corporate IT security.

Main Findings

According to the survey results, one of the major problems facing businesses is the creation of a clear IT infrastructure development strategy with an information security strategy at its heart.

Companies are increasingly determined to secure their IT infrastructure in the light of increasing numbers of incidents – and significant financial losses associated with them. The main findings of the survey are:

  • Maintaining information security is the main issue faced by a company’s IT management.
  • In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and 85% reported internal incidents.
  • A serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages at about $50,000.
  • A successful targeted attack on a large company can cost it $2.4 million in direct financial losses and additional costs.
  • For a medium-sized or small company, a targeted attack can mean about $92,000 in damages – almost twice as much as an average attack.
  • A significant proportion of incidents resulting in the loss of valuable data were internal, caused by issues such as unclosed vulnerabilities in software used by the company, intentional or negligent actions of employees or the loss or theft of mobile devices.
  • Personal mobile devices used for work-related purposes remain one of the main hazards for businesses: 65% of those surveyed saw a threat in the Bring Your Own Device policy.
  • Information leaks committed using mobile devices – intentionally or accidentally – constitute the main internal threat that companies are concerned about for the future.

For the full report in PDF format, click here.

Wednesday, October 23, 2013

Aligning Security with GRC

How to Leverage GRC for Security?

Governance, Risk & Compliance (GRC) has long been viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards. It plays a strong role in helping security teams understand the business and protect the organization from threats.

But now, more security professionals are turning to data collected by GRC tools for insights into the organization's processes and technologies. The insights gained can help them to develop better controls to protect the organization from cyber-attacks and insider threats.

As part of GRC programs, organizations document processes, specify who owns which assets and define how various business operations align with technology. Security professionals can use this information to gain visibility into the organization's risks, such as determining what servers are running outdated software.

GRC programs collect a wealth of information and insights that can be valuable to security professionals as they manage risk and evaluate the organization's overall security posture. This information provides the business context necessary to improve areas such as asset and patch management, incident response and assessing the impact of changes in technical controls on business processes.

Asset Inventory

Many compliance programs, including those for PCI-DSS [Payment Card Industry-Data Security Standard], require organizations to extensively document each asset and identify who uses it for what purpose. The documentation includes information about which business processes rely on which hardware and software. Mapping a piece of technology to a particular business function makes it possible to better identify the risks and the impact on operations if that technology is compromised.

The inventory process may identify equipment that the IT department was previously unaware of. By understanding the business processes that rely on that equipment, security teams can decide what kind of firewall rules to apply, better manage user accounts and learn what software needs to be updated. Understanding who the end-users are and how the asset is being used helps security teams assess how to prioritize the risks and plan how to reduce them.

Security professionals can use GRC programs to understand how technology maps to certain business processes and functions, says Mike Lloyd, CTO of Red Seal Networks, a network security management company. This information can help them figure out what the key threats are and identify ways to mitigate that risk, he says.

Incident Response, Controls

Security professionals can also use GRC to improve information sharing across the organization and streamline incident response. For example, because GRC makes it clear what kind of business processes depend on which assets, security teams have a clear path of who should be notified when there is a security event. Incident response teams can also look at all related processes and be able to identify other assets they should investigate to assess the magnitude of a breach.
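The asset-to-process mapping described in the Asset Inventory and Incident Response sections above, as an added Python example that is not part of the original post: it ranks outdated assets by the criticality of the business processes that depend on them, and for a compromised asset derives who to notify and which sibling assets to investigate. All asset, process, owner and version values are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not from the original post: a minimal in-memory GRC inventory
# linking assets to the business processes that depend on them and to process
# owners. All names, versions and addresses below are constructed sample data.

@dataclass
class Asset:
    name: str
    software: str
    version: str
    outdated: bool        # would come from a patch/vulnerability scan in practice

@dataclass
class Process:
    name: str
    owner: str            # who is notified when a dependency is compromised
    criticality: int      # 1 (low) .. 5 (critical), from the business impact analysis
    assets: list[str]     # assets this process relies on

ASSETS = {a.name: a for a in [
    Asset("web-01", "nginx", "1.2.0", outdated=True),
    Asset("db-01", "postgres", "9.3", outdated=False),
    Asset("pay-gw", "java", "7u21", outdated=True),
    Asset("file-srv", "samba", "3.6", outdated=True),
]}
PROCESSES = [
    Process("card-payments", "cfo@example.test", 5, ["web-01", "db-01", "pay-gw"]),
    Process("customer-portal", "cio@example.test", 3, ["web-01", "db-01"]),
    Process("hr-documents", "hr@example.test", 2, ["file-srv"]),
]

def processes_using(asset_name: str) -> list[Process]:
    """Every business process that lists the asset as a dependency."""
    return [p for p in PROCESSES if asset_name in p.assets]

def business_impact(asset_name: str) -> int:
    """Sum of the criticality of all processes depending on the asset."""
    return sum(p.criticality for p in processes_using(asset_name))

def patch_priorities() -> list[tuple[str, int]]:
    """Outdated assets ranked by business impact, highest first."""
    outdated = [a.name for a in ASSETS.values() if a.outdated]
    return sorted(((n, business_impact(n)) for n in outdated),
                  key=lambda item: item[1], reverse=True)

def incident_scope(compromised: str) -> dict[str, list[str]]:
    """Owners to notify and sibling assets to investigate for a compromised asset."""
    affected = processes_using(compromised)
    return {
        "processes": [p.name for p in affected],
        "notify": sorted({p.owner for p in affected}),
        "investigate": sorted({a for p in affected for a in p.assets if a != compromised}),
    }

if __name__ == "__main__":
    print(patch_priorities())      # web-01 first: two processes, criticality 5 + 3
    print(incident_scope("web-01"))
```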

Summary

Security professionals must understand the need to move away from a technical view of risk to a more strategic one when evaluating and deploying controls. They should evaluate how certain technical controls, while improving security, can impact business functions, and make necessary adjustments.

GRC enables security professionals to "draw a line between what security tasks are necessary and what business is concerned about."

Sunday, October 20, 2013

Basic Tips To Protect Mobile Device

Mobile owners should pay attention to mobile device safety!

Mobile communication has never been this cool: beyond the traditional SMS and call features, we can now enjoy a desktop-like experience on smartphones and tablets. However, aside from the health risks associated with excessive use of cell phones, the advent of mobile internet has raised the security risks too.

It is common for most of us to protect the hardware and exterior of our phones, but not to put enough effort into protecting the OS and contents of the phone from hackers, and from strangers who get hold of our misplaced or stolen smartphones.

Allow me to share some tips that I think will give basic protection, so that private photos or videos, debit/credit card credentials and other private information will not be at the mercy of other people.

  • Use a password to open your phone, make a purchase and open a file (if available). The inconvenience it will bring is nothing compared to the risk involved.
  • If available, activate the "find my phone" feature of your phone.
  • If available, activate the feature that can remotely erase the contents of, or reset, your phone.
  • If available, activate a "kids safety" feature of your phone. This will prevent your kids from accessing apps that are not kid-appropriate, or from accidentally altering the configuration of your phone or erasing some data.
  • If available, use an anti-virus solution for your phone.
  • Take precautions when connecting to public hotspots.
  • Do not click links attached to an email, direct messages, or status updates in your timeline. Verify first with the sender. These links normally download malware or give permission to hackers.

As a general safety reminder, do remember that the currency we use to pay for the "free" apps and games we download is the information associated with our account; this may include our location and contacts. Please read carefully the privacy policy and terms of service for each app.

Tuesday, October 8, 2013

How Much Information Are You Leaving Online?

Do you ever feel like you're being followed?

Perhaps that's because you are. While it may not be the boogeyman who's hot on your trail, there are many groups of watchers who have made it their business to know as much about you as possible.

Each day, we are tracked by the 'smart' systems, mobile apps, personal communication devices and other surveillance platforms that have become commonplace in our daily lives. In an effort to educate more people about the data trails they are leaving behind (and the companies, data bureaus and marketers who are sniffing out that trail).

How comprehensive a profile is Google capable of building from all the information we voluntarily share?

How valuable is your online information to burglars?

Notice all they can get off of *your* social network sites...and those of your friends, family and co-workers. Be aware of what you put out there!

For those of you in charge of or influencing your company privacy policies, consider how you are gathering and sharing your customers' data. Are you doing so in a manner that is transparent and compliant?

Monday, September 30, 2013

Beta Bot: A New Trend in Cyber-Attacks

Beta Bot Malware Blocks Users' Anti-Virus Programs

A new warning about malware designed to target payment platforms highlights why anti-virus software is increasingly ineffective at preventing account compromises. And while this new Trojan is not yet targeting online-banking accounts, financial institutions should be aware of the threat. The malware is another example of how fraudsters are increasingly getting around standard modes of authentication, such as usernames and passwords.

The Internet Crime Complaint Center and the Federal Bureau of Investigation recently issued an advisory about Beta Bot, the new malware that targets e-commerce sites, online payment platforms and even social networking sites to compromise log-in credentials and financial information.

When Beta Bot infects a system, an illegitimate but official-looking Microsoft Windows message box named "User Account Control" pops up, asking the user to approve modifications to the computer's settings. "If the user complies with the request, the hackers are able to exfiltrate data from the computer," the advisory states. "Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites."

Beta Bot defeats malware detection programs because it blocks access to security websites and disables anti-virus programs, according to IC3. "This is a good demonstration of how fraudsters' methods are evolving constantly. They are coming up with sophisticated methods that appear so convincing, even people who typically would not fall for their schemes may do so."

Beta Bot's attacks also resemble the ransomware attacks that coupled the banking Trojan known as Citadel with the drive-by virus known as Reveton, which seized consumers' computers and demanded ransom, purporting to be from the FBI.

IC3 and the FBI warn that if consumers see what appears to be an alert from Microsoft but have not requested computer setting modifications from the company, they have likely been targeted for a Beta Bot attack. If infected, running a full system scan with up-to-date anti-virus software is recommended. And if access to security sites has been blocked, then downloading anti-virus updates or a new anti-virus program is advised.

Sunday, September 15, 2013

BYOD, Corporate-Owned or Hybrid Environments?

BYOD: the problem in reality is smaller than it seems!

Companies nowadays wrestle with the decision of whether to give employees the freedom to use personal mobile devices to access corporate data, or issue secure, mobile devices.

The main issue with the BYOD concept is balancing corporate control against user privacy, and at the end of the day this concept can usually cost the company more than buying corporate-owned mobile devices. You also have to deal with different OS versions, installed applications, rooted devices, etc. There are some great MDM solutions out there, but none of them can deal with the full diversity of the mobile device world.

BYOD, Corporate-Owned or Hybrid Environments? That depends on the "type" of business you do, but the best way to start is to limit access to resources from mobile devices to those who really need it. In this way, at the end of the day you will find out that the problem in reality is smaller than it seems at the moment.

An interesting article about the cost, efficiency, productivity, risk and security implications of BYOD, Corporate-Owned and Hybrid Environments can be found on the following link http://goo.gl/7g0LL3.

Thursday, August 15, 2013

10 easy ways to reduce security headaches in a BYOD world

How can you improve security "Old School style" in a BYOD World?

Security is a huge concern when it comes to BYOD. Here are several steps you can take to protect your network and keep your organization's data safe. 

You're about to officially allow Bring Your Own Device (BYOD) in your organization. Understandably, you're concerned with the security of your network and data. With all those unknown variables entering the mix, how will you safeguard your company and keep sensitive data from falling into the wrong hands?

To put your mind at ease, you need to tackle BYOD with an eye toward security. This means policies and plans must be put into place. With BYOD, you can't always think in the same way you do with standard networking. Here are 10 ideas that might help you get through this transition.

1: Secure your data
Before you allow any non-company devices onto your network, you need to make sure your data is secure. This should go without saying, but if you have sensitive data on open shares, you're asking for trouble. Every network administrator must know the company's data is secure. But if you are about to open the floodgates to BYOD, this must be a priority.

2: Tighten your network security
Just as you've secured your data, you must make sure your network security is rock solid. Do not rely on Windows Firewall to secure your data -- you need to deploy an actual, dedicated device (such as SonicWALL, Cisco, or Fortinet) to handle network security. Pay close attention to making sure the outside world is carefully locked out of your network. With all of those new devices coming in -- and the possible security holes they can create -- you must make sure you have a solid network security plan in place.

3: Implement a BYOD antivirus/anti-malware policy
Any device running an operating system that is susceptible to viruses must be running a company-approved antivirus solution. For devices that do not run a vulnerable platform (Android, iOS, Linux), make sure those users are not passing along suspect files to fellow workers (or customers). To that end, you can still require these users to install and use an antivirus solution to check all outgoing files for signs of infection.

4: Mandate encryption
If your BYOD users will be sharing data from outside your secured LAN, you should require them to use some form of encryption. This might mean any application that stores data on the device will require its own password to gain access to that data (this is on top of the device password). Also, if users are storing company passwords on the device, those passwords must be protected under a layer of encryption.

5: Take advantage of mobile application management (MAM)
You have to know what applications are being used on your network. This doesn't mean you have to prevent users from accessing Facebook or playing games (that's your call, of course). But you must make sure any application being used isn't a threat to the security of your company data. Some devices, like Android, allow you to side-load applications, so any application not on the Google Play Store can be installed. You want to make sure one of your employees isn't inadvertently letting a sniffer or port scanner loose on your network.

6: Require apps like Divide
There are apps out there, like Divide, that do a great job of placing a barrier between your personal and work data. In fact, Divide provides completely separate desktops, so the user can make no mistake. Gaining access to the business side of Divide requires a password -- as well as simply knowing how to gain access to that (mostly) obfuscated desktop.

7: Require multi-layered password protection

You must require all devices to be password protected. But just having a single password to gain access to the device isn't enough. Any application, folder, or file that houses company data must also be password protected. Though it might be an inconvenience, the more password protection those mobile devices have, the safer your data will be. At the same time, you should make sure that users do NOT have passwords (such as those for company VPNs) stored on the machine, unless they are stored in an application that requires an encrypted password to open.

8: Implement company-wide phone wipe

If your users want BYOD, they have to be willing to sign on to a plan that gives you the power to wipe their phone if it's lost or stolen. Though this should be the case with every user (not just those using their devices for work), many don't see the value in making sure their sensitive data can be easily deleted if the phone winds up in the wrong hands.

9: Require use of company wireless when on premises

You know some users will "forget" to connect to your wireless network when they arrive. You do not want them doing business on their carrier network. Make sure all users understand that if they are to use their device on premises, they must use your wireless network. Not only will this help secure your company data, it will allow you to better monitor and control what goes on.

10: Limit device support

If you open your company up to BYOD, you are within your rights to limit that policy to certain devices. Say you only want to open this up to tablets that do not have a carrier (so they are limited to Wi-Fi only) or to a single platform. By doing this, you not only make your job easier, you help keep your company network/data more secure.

Wednesday, July 31, 2013

The Biggest Threat To Enterprise Is The Thumb Drive

How were Iranian nuclear facilities destroyed? With a thumb drive. And how did Snowden allegedly smuggle out the blueprints to the NSA? With a thumb drive.

No, it wasn't by some ultra secretive means of super-complex cyber code writing and cloud encryption by which good ol' Eddy breached America's security in arguably the most secure compound on the planet — nope — he simply walked in with a thumb drive, downloaded the NSA, and walked out.

Carl Weinschenk of IT Business Times breaks down how bad a threat flash drives can be:
The U.S. Department of Homeland Security ran a test in which staffers dropped flash drives in the parking lot of government and contractor buildings. Sixty percent of folks who picked them up simply plugged them into networked computers. That percentage jumped to 90 percent if the drive had an official logo.
The Washington Times breaks down the threat further by reminding everyone that a "number of commercially available programs can switch off the USB port of every computer on the network."

NSA officials "were laying down on their job if they didn't disable the USB port," an unnamed government IT specialist told the Washington Times, referring to the small socket on the side of a computer where thumb drives are plugged in.

Organizations, whether they're public or private, have had difficulty enforcing Bring Your Own Device security measures now for a number of years. Certainly there are places in government buildings where there are NO recording devices or storage devices allowed under ANY circumstances.

Regardless, Snowden managed to get one in and get one out.

Sunday, July 7, 2013

Hackers can control almost all Android phones

Ninety-nine per cent of all Android devices are vulnerable to hacking or to being completely taken over remotely by cyber criminals.

This is the claim of a study by Bluebox Security, a mobile security company which says it has discovered a flaw in Android, the operating system that runs on almost all Google phones and tablets, that allows hackers to modify its code in a way that "turns any legitimate application into a malicious Trojan".

The company claims this vulnerability exists on any Android phone or tablet released over the last four years, affecting approximately 900 million devices.

According to the researchers the issue is central to Google's open source operating system and so far only one device has been patched.

The way it works:

Rather than creating a malicious app, cyber criminals wait for legitimate apps to be approved for sale, then modify the code afterwards to create an exploit that allows them to take over people's phones via the app.

This flaw would allow hackers to access your passwords, credit card information, emails and any other information you store on your phone.

So what can I do about this?

  • Do not allow apps from unknown sources. To do this, go to Settings, Security and untick "Allow unknown sources".
  • It's recommended that users update their operating system to the latest version.
  • If you have any apps which store your personal information such as credit card or PayPal information (like eBay, Amazon or Etsy), you should remove this information immediately.
  • Remove any personal information from your phone (do you have your credit card PIN stored in your notes?).