Be Mindful - Does Mobile Apps Respect Your Privacy?

'Stickybeak' Apps Threaten User Privacy 

Not surprisingly, a new report has found mobile apps are failing to provide users with basic privacy protections.

The report's authors put the failures they detected into three basic categories. Sixty percent of the apps they studied either:

• Did not disclose how they used personal information
• Required the user to give up an excessive amount of personal data
• Communicated privacy policies in type too small to be read on a phone's screen

As the Wall Street Journal points out in this blog post, it's not currently required for apps to have a privacy policy. However, we may soon see changes in this area of the law, especially where health apps are concerned. Currently, there are more than 100,000 health-related apps just available via smartphones.

Be mindful of any app that does not include a privacy policy, and train yourself not to just hit "Accept" on those data-gathering permission requests that pop up after you download a new one.

You should absolutely understand what you are being asked to give up to take advantage of the app. Is it worth it?

Facebook’s Browser-spying Campaign

Facebook using the browsing data of its members to target the ads of its advertising partners

The Facebook used by billions is sharing its users' online behavior in ways it previously said we could opt out of. 

As Venture Beat reports, anytime a Facebook user visits a site with a "Like" button (any site, not just a Facebook page), that visit is stored by Facebook and used to better target the ads of its advertising partners. No need for the user to actually click the Like button. The page visit is enough to trigger the storage of user data.

I actually tested this by visiting several types of websites I've never visited before. Low and behold, I started seeing ads for associated items on my Facebook page.

There are a few tools that allow you to block sites like Facebook from inserting tracking code into your browser. Learn about them here. 

Video Footages: ATM Skimming!

Be on the lookout for these four tricks and traps

A Handy Way to Foil ATM Skimmer Scams - Thieves continue to place hidden cameras at ATMs to surreptitiously record customers entering their PINs. This previously reported way to stop from being a victim still works against the hidden cameras.

Basic Security for Personal Cloud Storage

Avoid using Personal Cloud Storage for confidential/sensitive data

Dropbox and other file-storage and sharing applications like it are incredibly helpful to business travelers. Not having to lug along a laptop or risk misplacing a thumb drive certainly add to the enjoyment of time away from the office.

However, these applications do come with some risks. This is especially true when users generate links to share information with others. Several basic flaws within Box and Dropbox specifically allow the shared documents to be viewed by third parties.

It comes down to this: Many people do not take basic security steps, even when communicating highly sensitive information. Worse, they may even mix their personal communications and information with confidential workplace data.

For its part, Dropbox disabled all access to public links and created a patch to keep shared links from becoming public. However, this is the third security breach for Dropbox in as many years, so diligence on the site and others like it has to be considered among users.

When considering a file-sharing service site, follow these rules of thumb:

1. Use a strong password.
2. Encrypt files in storage ("files at rest").
3. Encrypt files sent to and obtained from the site ("files in motion").
4. Look for a third-party security and privacy audit or some other validation that the site truly is secure.
5. Do an online search to see if the service has been breached in the past year or two.
6. Make sure that you can completely remove all files from the site when you stop using it.

Infographic - 78% of Organizations Experienced a Data Breach in the Past 2 Years

Cybercriminals steal $1 billion every year from small and medium-sized businesses in the U.S. and Europe

The folks at Imprima have compiled this infographic, complete with facts about data loss and data breaches in the small business community.

Pace and Volume of Regulatory Change are the Biggest Factors in Leading to Risk Evaluation Failures

Results of Bank Director’s 2014 Risk Practices Survey

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

It’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

• 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
• 63 percent said that a separate risk committee on the board oversaw risks.
• 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren't doing this.
• 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
• Of this 30 percent, less than half actually use it to supply limits to the board and management.
• The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren't getting fully used.
• And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
• 17 percent go over the bank’s risk profile monthly at the board and executive level, and about 50 percent review such only quarterly; 23 percent twice or once per year.
• 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
• 53 percent want more understanding of newer risks like cyber security issues.
• Senior execs want the board to have more training in overseeing the risk appetite and related issues.
• 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
• Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Quick Round-up of Some of the Latest Tricks and Traps

Beware of new scams and privacy pitfalls

New ways to fool people out of their money, information and identities pop up nearly every day. Here's a quick round up of some of the latest tricks and traps:

New Scam Targets Homeless: Fraudsters pay homeless people to take out cell phone contracts in their names. The fraudsters keep the phones, rack up the bills and then sell the phones, ruining the homeless person's credit.

Getty Images Allows Free Embedding, but at What Cost to Privacy? People can embed images in their sites for free, so long as they use the provided embed code and iframe. Because of the scope of Gettys' reach, this may allow the company to correlate more information about a user's browsing history than any single site could. Just another reminder that nothing's truly free in this world!

Human Error Tops Ponemon Patient Data Security Study Threats: 75 percent of healthcare organizations view employee negligence as the greatest data breach threat. This result underscores the importance of good security and privacy controls (and excellent employee training!) in healthcare environments. This extends to medical device manufacturers, who often work off very old technology software and continue to insist that controls are too cost-prohibitive.

The Data Brokers - Selling Your Personal Information: 60 Minutes' Steve Kroft recently reported on his investigation of the multibillion dollar industry that collects, analyzes and sells the personal information of millions of Americans with virtually no oversight.

WARNING! Your Flash Player may be out of date.

Adobe Flash Malware driven by infected "Router" The Moon Malware

Few days ago, I started to receive a pop-message "WARNING! Your Flash Player may be out of date". Please update to Continue., when I was trying to access websites like Facebook, YouTube, Google, etc.

If you're receiving a similar message then continue to read but make sure you don't click on anything nor try to update the flash player from the pop-window. You may check your current version of the "Adobe Flash Player" by visiting "Adobe" official website. If you're using Google Chrome browser, it already includes Adobe Flash Player built-in. Google Chrome will automatically update when new versions of Flash Player are available.

You will also notice that the same message is poping-up on all the devices which are connected to the same router (mobile phones, laptops etc.).

Now even the dumbest person should know it is not coming from computer but from the network which means your router is infected. It's commonly happening with Linksys, Asus and few other manufacturers.

How to fix this?

• Reset your router (by holding down the reset button under the router for 6 seconds). Note after restart all your ISP settings will be lost.
• Configure your router again with the ISP settings (username and password also required).
• Clear your browsers cache and pop-up message will not appear again.

Refer here for some basic tips on hardening your router to avoid such things happening again.

USB Attacks Need Physical Access Right? Not Any More

Exploiting USB Driver vulnerabilities

NCC Group Research Director Andy Davis presented 'USB Attacks Need Physical Access Right? Not Any More...' at this year's BlackHat Asia in Singapore.

Due to recent advances in a number of remote technologies, USB attacks can now be launched over a network. The talk went into detail about how these technologies work, the resulting impact on the world of USB bugs and included a live demo remotely triggering a USB kernel bug in Windows 2012 server.

It's an interesting research, refer here to download the paper and learn more about USB Bugs.

How secure is "Dropbox"?

Basic Overview and Awareness to Secure Your DropBox Account!

What's Dropbox?

Dropbox is a free and extremely easy-to-use tool for sharing files, photos, and videos, and syncing them among your devices. You can also use Dropbox to back up files and access them from other computers and devices (including smartphones and tablets), with dedicated apps for each device you own running Android, Mac Linux, Blackberry or iOS platform.

Dropbox is especially good for backing up your files online, although the biggest barriers to this are the size of your backups. You get 2GB free with Dropbox, or you can choose 100GB, 200GB, or 500GB with a monthly fee. There are also business plans that start at 1TB for five users. You’ll just have to make sure that the files you want backed up live in the Dropbox folder.

Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.

Is Dropbox "Safe" to use?

The move on hosted services like Dropbox storage site raises questions about what cloud users can and should do to keep their information and data secure and compliant.

Cloud security drew attention in 2012 with Dropbox’s admission that usernames and passwords stolen from other websites had been used to sign into a small number of its accounts.

A Dropbox employee had used the same password for all his accounts, including his work account with access to sensitive data. When that password was stolen elsewhere, the attacker discovered that it could be used against Dropbox.

This was a powerful reminder that users should rely on different passwords for each secure site and service.

Also, VentureBeat reported that the Dropbox iOS app was storing user login credentials in unencrypted text files—where they would be visible to anyone who had physical access to the phone.

What Encryption does Dropbox use?

Dropbox claims:

At Dropbox, the security of your data is our highest priority. We have a dedicated security team using the best tools and engineering practices available to build and maintain Dropbox, and you can rest assured that we’ve implemented multiple levels of security to protect and back up your files. You can also take advantage of two-step verification, a login authentication feature which you can enable to add another layer of security to your account.

When it comes to encryption methods Dropbox use, they state that:

• Dropbox uses modern encryption methods to both transfer and store your data.
• Secure Sockets Layer (SSL) and AES-256 bit encryption.
• Dropbox website and client software are constantly being hardened to enhance security and protect against attacks.
• Two-step verification is available for an extra layer of security at login. You can choose to receive security codes by text message or via any Time-Based One-Time Password (TOTP) apps, such as those listed here.
• Public files are only viewable by people who have a link to the file(s).

Dropbox uses Amazon’s Simple Storage Service (S3) for storage, which has a robust security policy of its own. You can find more information on Amazon’s data security from the S3 site or, read more about how Dropbox and Amazon securely stores data.

How to Secure your Dropbox account?

Popular cloud storage service Dropbox, had a history of security problems, ranging from compromised accounts to allowing access to every Dropbox account without requiring password.

When and if you decide to use cloud services like Dropbox, the following three basic steps can help you protect your data:

• Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits.
  
• Use application controls to block or allow particular applications, either for the entire company or for specific group.
  
• Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronised, you have full control of the safety of your data.You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else . Should your web key go missing for some reason—maybe the user simply forgot the password—the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.

How to secure your Dropbox account?

• Enable Two-Step Verification - With two-step verification enabled, you’ll have to enter both your password and a security code from your mobile phone whenever you sign into the Dropbox website or add a new device to your account. Even if someone else knows your Dropbox password, they won’t be able to log In without the time-sensitive code from your phone.
  
• Unlink devices you don’t use and view web sessions.
  
• Get email notifications - Ensure email notifications are enabled so you’ll receive emails when new devices and apps connect to your account.
  
• Manage linked Applications – Third-party apps often require full access to your Dropbox account, and the app retains access even if you stop using it. If the app itself is compromised or starts behaving maliciously in the future, it will be able to do damage.
  
• Don’t reuse your passwords – You should use a unique password for your Dropbox account, one that you haven’t used for any other services.
  
• Encrypt your Dropbox files – To protect yourself and ensure your sensitive files remain secure, you can encrypt the files you store in your Dropbox account. To access the encrypted files, you’ll need to know the encryption password – anyone without the encryption key will only see random, jumbled nonsense data.

What You May Need to Know about Your Smart TVs & Phones

Smart appliances may be too smart for our own good!

Take smart TVs, for instance. As this article illustrates, some of these new appliances are particularly vulnerable to hackers. Once compromised, the TVs allow access to account information, including login credentials (which owners may use for access to more than just their smart-TV account). Even scarier, hackers could gain access to front-facing cameras to see everything happening in the room where the TV is connected. Instead of you watching your favorite program, criminals may be watching you!   

As many people get new smartphones for holiday gifts, they will be tempted to sell their old devices. If you're one of them, keep this story, reported by a Virginia ABC affiliate, in mind.

McAfee online security expert Robert Siciliano did a little experiment; he purchased 30 different devices from craigslist, including laptops, notebooks, iPads and smartphones. "I asked every single person if they re-installed the operating system or reformatted the drive, and they all said yes," Siciliano said. "On more than half of the devices, I found enough information to steal identities or, in some cases, even get people into trouble." 

The takeaway? Be mindful that erasing your personal data from your devices requires more than a delete button.

Here's a good resource  for learning how to sufficiently wipe your smartphones, tablets, computers and more before handing them off to a stranger. 

Reminder: To Whom are You Really Emailing?

Confirm the email address before you hit send!

Nowadays, it's not uncommon for people to have multiple email addresses. Some people even belong to group email accounts in which an email sent to one address is actually received and potentially read by multiple people.

Before you hit send, be sure you know exactly where your email message is headed. Even when you're replying or forwarding, take the extra moment to hover your mouse over the address in the "To" field to be sure it's going to the intended address.

If you find yourself making this mistake often, consider changing email clients. Gmail, for instance, is notorious for allowing this recipient confusion. Gmail users should also be aware that Google has copies of and access to all email sent using its system. Mr. Snowden provided some proof of that.

Businesses especially should always use a proprietary domain for their email (not Gmail, Yahoo, etc., and certainly not a social email address, like those from Facebook). Business owners should always ensure their email provider follows good security practices (e.g., not storing any email on their servers after it is delivered to the client destination).

XSS For Managers

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a type of vulnerability which is very widespread and allows an attacker to insert malicious code (JavaScript) into your web browser via the use of a vulnerable web application. The attacker can deliver their malicious code in a number of different ways.

They can trick you into clicking on a link (Reflected XSS), or wait for you to visit a page which already has the malicious code embedded into it (Stored or Persistent XSS).

That annoying pop-up box with the number 1 in it? That's just a way that some people visually prove that their JavaScript (XSS) has been run. But don't let that lousy pop-up box fool you, there is a lot more to XSS than that!

What can hackers do with XSS?

• A hacker may be able to steal your 'cookies' and login to the application as if they were you!
• They may be able to redirect you to a malicious web site without you knowing in an attempt to trick you into giving away sensitive information such as your bank details.
• They could add fake login pages to the vulnerable application to trick you into giving them your username and password.
• They could even use XSS to bypass other security measures which are built into the application and your web browser to protect you.
• The possibilities are almost limitless. Take over your webcam? Yep! Listen in on your computer's microphone?

For advanced attacks see the The Browser Exploitation Framework (BeEF) tool.

Who's been hacked using XSS?

• The Apache Foundation, the creators and maintainers of one of the most popular web server software on the Internet had their servers compromised by an initial XSS attack.
• An XSS attack on the official forum of the popular Linux Operating System, Ubuntu, allowed the attackers to download the usernames, email addresses and passwords for 1.82 million of their users.
• XSS attacks typically target the application's users and their local networks; however, as seen in the examples above, when those users are administrative users the application's web servers are also at risk.
• XSS vulnerabilities are discovered within Facebook, Yahoo, Google, Twitter and other high profile websites on a daily basis by independent security researchers participating in bug bounties.

Here is a list of other hacks using XSS -https://www.google.com/fusiontables/DataSource?snapid=S1158702BBoV

What can I do to protect myself against XSS?

• Make sure that your web browser is kept up to date and that it has all of its security features enabled, such as Cross-Site Scripting (XSS) filtering. If your particular browser does not have an XSS filter, like Firefox, then you can download an XSS filter add-on called NoScript.
• Be careful about what links you click on. A link may look harmless enough, but may contain malicious XSS payloads.
• Log out of web sites when you are finished with them, this makes it harder for hackers to steal your 'cookies'.

The technical bit! What can I do to protect my web application against XSS?

• Cross-Site Scripting occurs when untrusted input is output to a page without first being sanitised and/or properly encoded. For example, if a user supplies their username to login and then you display that username without sanitising and/or encoding it, what happens if the username contains HTML characters?
  
  The web browser will not be able to tell the difference between the user's username and what is the page's valid HTML. Data (the username) is being mixed with code (the HTML)! This could allow a user to login with a username that contains malicious JavaScript and have it execute in the browser within the context of your web application.
  
• Make sure that you sanitise the username before using it, for example, if users should only have alpha numeric characters in their usernames then enforce this with input sanitisation. Use a whitelist! Compare the username against known goods instead of known bads.
  
• Use the right encoding! If the username is going to be used within HTML, then HTML encode all of the username's characters.
  
  This way the browser will know what is meant to be rendered as HTML and what is not. It's not all about HTML encoding though! You must encode for the right output 'context'. See the links below for further information.
  
• Scan your applications for XSS issues. There are many automated web application security scanners which can detect XSS issues in web applications. You could try giving the Open Source OWASP ZAP a go.
  
• Set your session cookies with the HttpOnly flag. This tells the browser that the cookie should not be accessed by JavaScript, helping protect your users from having their sessions stolen.
  
• A HTTP header called Content Security Policy (CSP) can be set by the web server to tell the web browser what and where JavaScript is allowed to be executed from. It uses a whitelist!
  
• Finally, why not install a Web Application Firewall (WAF) such as the Open Source mod_security! A WAF will give your application that extra layer of defence to defend against those attackers but should be used in a defense in depth scenario and not as the only solution as bypasses are found often.

Where can I find further information?

The two types of XSS mentioned on this page (Reflected and Stored) are not the only two! We have only touched upon the subject here. Want to find out more?

The Open Web Application Security Project (OWASP) is a great resource for all things related to the security of web applications. Check out their wiki article on XSS or their XSS Prevention Cheat Sheet. For information on other types of web application vulnerabilities take a look at the OWASP Top 10.

PhishMe: Popular holiday-themed phishing attacks

Most common Holiday-Themed Phishing Attacks

The holidays are a busy time for everyone… especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns. However, which tactics should you train your employees look out for?

Below, PhishMe has pulled together a list of the most common holiday-themed phishing attacks:

Holiday e-card: Who doesn’t love to receive a nice holiday greeting? But is that link to an e-card actually from your co-worker, manager, HR department, etc. or is it something sinister? Emails that appear to be holiday e-cards are a simple and effective phishing tactic every holiday season.

Holiday party info/registration: The company holiday party is always a much anticipated event, and The Wall Street Journal estimates 9 out of 10 companies will throw some kind of holiday party this year. That means lots of organizations will send out email invitations, so spoofed invitations present another great holiday-themed opportunity for attackers crafting phishing emails.

Travel notifications: AAA estimated that 93.3 million people traveled more than 50 miles from home during the end of December last year, and that means airlines will be sending out plenty of flight change/confirmation emails. We have seen some pretty realistic phishing emails that spoof the types of emails airlines commonly send to passengers, and an email warning of major itinerary changes will certainly grab the attention of an employee eager to get home for the holidays.

The view the full post and the rest of the holiday phishing scams please click here.

PCI DSS 3.0 – What's New?

Infographic - Summary of the Changes from PCI DSS 2.0 to 3.0

Last month, the PCI Security Standards Council (PCI SSC) officially released the PCI DSS v3.0 compliance standards, but much remains to be done before merchants, service providers and auditors will understand how the new mandates will impact organizations.

The effective date of the version 3.0 of the standard will be on January 1, 2014, but existing PCI DSS 2.0 compliant vendors will have until January 1, 2015 to move to the new standard, and some of the changes will continue to be best practices for several more months (until June 1, 2015).

Here’s what has changed:

10 defenses against smartphone theft

Thieves see mobile phones as easy cash. Take these 10 steps to defend yourself

10) Use security applications

Android phones and iPhones both come with security software. But that doesn't mean the software is active, or that third-party software might not help even more. If you have an Android phone, make sure you're using Android Device Manager or a third-party security software such as Lookout Security & Antivirus. If you have an iPhone, make sure Find My iPhone has been set up and activated.

9) Use a strong password

Too many people just give up when it comes to passwords, access codes, and PINs. They pick something such as "password" or "qwerty" or "1234." Raise the level of your game: Come up with a functional password generation recipe, then apply it to your devices and websites. You don't need a password manager. This is not rocket science.

8) Keep phone data handy

Write down your phone model number, serial number, and International Mobile Equipment Identifier (IMEI). If your phone gets stolen, you'll want these numbers (along with your mobile carrier's support phone number) to help your carrier place your IMEI number on the GSMA IMEI blacklist. You can find your IMEI number in most phone settings menus by dialing *#06#, or by checking the battery compartment, if accessible.

7) Be aware of your surroundings

We've all seen them. People who meander down the sidewalk, staring at their phones, forcing others to take evasive action to avoid a collision. People chatting on phones oblivious to those nearby. People who set their phones down on cafe tables or on public transit seats. People who let their phones dangle from purse or pocket. Don't be one of these people.

6) React quickly if your phone is stolen

Report the theft to the local police. This will allow police to check websites that might be trying to unload your stolen phone and will provide you with a police report in case you want to make an insurance claim. Report the theft to your mobile carrier, so your phone service can be suspended and the phone's identifier can be blacklisted. Activate any applicable security software such as Find My iPhone or Lookout. You might also want to change your phone and app passwords, in case the thief was able to login and access some of the services you use through stored passwords. If you're really lucky, your phone's security software will help you recover your device.

5) Choose your phone to match your security expertise

Google executive chairman Eric Schmidt recently insisted that Android phones are more secure than Apple's iPhone. That might be true if you're talking about recent-model Android phones with the Android 4.4 "KitKat" operating system. But security experts scoff at Schmidt's claim. The reality is that the majority of mobile malware affects Android devices.

In August, the FBI and DHS issued a report that found 79 percent of mobile malware affected Android devices, 19 percent affected Symbian devices, and less than 1 percent affected BlackBerry, iOS, or Windows Phone devices. Android's troubles largely arise from the fact that as many as 44 percent of Android users worldwide rely on Android versions 2.3.3 to 2.3.7, which have known vulnerabilities.

So although it's possible to run Android securely, it requires more diligence. Choose BlackBerry, iOS, or Windows Phone if you don't want to be proactive about security. Choose Android if you require the flexibility of a more-open ecosystem and are comfortable with the responsibility.

4) Choose your WiFi network carefully

Just because a WiFi network is visible and accessible doesn't mean it's safe. Use secure WiFi networks when possible. When there's no other option, avoid doing anything that involves authentication if you can. You never know who might be listening or intercepting unprotected network traffic.

3) Choose your apps and websites carefully

User behavior represents a major source of insecurity. If you can avoid downloading sketchy apps and visiting suspect websites, you will reduce your chances of acquiring malware. Security firm Trend Micro says it has analyzed 3.7 million Android apps and updates, and found 18 percent to be malicious, with an additional 13 percent categorized as high risk. Almost half of the malicious apps (46 percent) were acquired from Google Play, the company says.

2) Don't buy phone insurance

If the mobile carriers really are fighting pre-installed security software to sustain revenue from insurance premiums, you can fight back by refusing to participate. Carrying your expensive smartphone without an insurance net should also encourage you to guard your phone more carefully. Of course, you'll be wishing you had insurance when your phone slips from your pocket and fracture lines spread across the touchscreen.

1) Leave your phone at home

It's easier said than done. But you can't lose what you don't have. Shocking though it may be, people used to get by without mobile phones. Try it once in while, if only to highlight your device addiction.

4 Easy Steps To Protect Your Identity

Four major areas of your daily life that are frequently used as gateways into your private data, Protect those areas!

It's no secret that the damage caused by a single identity fraud event can take years to fix. Many consumers don't even discover they have been affected until months after the attack occurs. In fact, identity fraud is the fastest growing crime in the world, costing billions of dollars annually.

So what should we do? The ubiquity and anonymity of the Internet, coupled with old-fashioned method of stealing identity via "dumpster-diving" makes this problem unmanageable for average folks, right? Wrong. 

There are four major areas of your daily life that are frequently used as gateways into your private data. Paying attention to them can help you stay safe from the bad guys. 

Tactic #1: Guard Your Mail. 

Pay attention to your physical mailbox to reduce the chance of being victimized. The mail system has been vulnerable since the days of wagon trains and stage-coaches.

Action Steps:
1) Never use the red flag on your mailbox. It notifies potential thieves that there may be something of value left unattended in the box.

2) Lock your mailbox if possible. Fraudsters look for checks, parcels and other valuables in unattended mailboxes.

3) Place your outgoing mail in a mailbox inside post offices whenever possible. Outdoor mailboxes are magnets for mail thieves and mischief-makers.

Tactic #2: Guard Your Unique Personal Information. 

Your personal data points are often referred to by the acronym SNAPD, which stands for SSN, Name, Address, Phone, and Date of birth. Our SNAPD elements are the "coins of the realm" in the financial underworld and your Social Security Number (SSN) is the Holy Grail.

Action Steps:

1) Never share your SSN, name, address, phone numbers, or date of birth with others unless absolutely necessary.

2) Only share your SNAPD information when it is mandatory. Healthcare, government and financial services organizations will often require these details, but you would be amazed how little NPPI (Non-Public Personal Information) you can share without causing a fuss.

3) Paper shredders are crucial. All SNAPD info (at home and in the office) should be disposed of in a nice cross-cut shredder.

Tactic #3: Guard Your Payment Tools. 

You would never think of leaving any significant amount of cash out in the open and unguarded, so why leave your checks, credit or debit cards exposed? Check fraud is an old yet extremely prevalent practice. Credit and debit cards look similar but are governed by different laws, responsibilities, and remedies. It should be obvious that your debit card puts your immediate personal assets at risk as opposed to the risks associated with credit card fraud. 

Action Steps: 

1) Guard your checkbook, credit, and debit cards and closely examine your monthly statement for unauthorized charges (even tiny ones). By promptly reporting any discrepancies, your financial institution can help investigate, minimize or correct any damage done.

2) Regularly review your credit report.

Tactic #4: Protect Your Computer(s). 

Apply protection controls to not only your desktop, notebook or tablet device, but also your smartphone. According to a study from the Pew Research Center's Internet & American Life Project, 56% of Americans now own a smartphone, a new demographic referred to as "The Mobile Majority". 

Action Steps: 

1) Install and frequently update anti-virus, anti-malware protection for all devices including smartphones.

2) Create passwords with at least 9 alphanumeric digits, and change them every 6 months. Consider using encryption on all your devices.

3) Exercise good data privacy habits by locking your devices, surfing and downloading safely, and guarding the physical security of each machine.

Take Time To Understand Free Tools Before You Use Them

Free tools and technologies can deliver real value, Yet they also can present risks!

URL shortening services, for example, are fantastic, especially for those of us who love to share our knowledge and findings inside social networks. Yet they can very easily, and often do, hide a nefarious attack.

Another Free Tool to Use with Caution

Be sure to check the security of shortened URLs before clicking them. One service you may consider is urlxray.com.

How To Stop Your Face From Appearing in Ads?

Imagine Your Face in Google Ads

When it comes to developers of popular free tools, Google is king. Yet the tradeoffs for using tools like YouTube, Gmail and Google+ are becoming clearer. For instance, starting November 11, Google will be able to include Google+ users' faces, names and comments in ads. Configured as a default, the policy is one that users must opt out of if they do not want their images projected in marketing messages.

Here's exactly how to stop your face from appearing in what are being called "adver-dorsements" (at least for now, until Google+ changes again):

• Navigate to Shared Endorsements in Google+ settings.
• Uncheck the box next to "Based upon my activity, Google may show my name and profile photo in shared endorsements that appear in ads."

Understand that this will not stop your network from being able to see those companies and brands that you have liked (or in Google+ language, plus-one'd).

If this makes you uncomfortable, simply stop hitting +1 and do not leave any reviews on Google products.  

Aligning Security with GRC

How to Leverage GRC for Security?

Governance, Risk & Compliance (GRC) has long been viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards. It plays a strong role in helping security teams understand the business and to protect the organization from threats

But now, more security professionals are turning to data collected by GRC tools for insights into the organization's processes and technologies. The insights gained can help them to develop better controls to protect the organization from cyber-attacks and insider threats.

As part of GRC programs, organizations document processes, specify who owns which assets and define how various business operations align with technology. Security professionals can use this information to gain visibility into the organization's risks, such as determining what servers are running outdated software.

GRC programs collect a wealth of information and insights that can be valuable to security professionals as they manage risk and evaluate the organization's overall security posture. It provides the business context necessary to improve areas such as asset and patch management, incident response and assessing the impact of changes in technical controls on business processes.

Asset Inventory

Many compliance programs, including those for PCI-DSS [Payment Card Industry-Data Security Standard], require organizations to extensively document each asset and identify who uses it for what purpose. The documentation includes information about which business processes rely on which hardware and software. Mapping a piece of technology to a particular business function makes it possible to better identify the risks and the impact on operations if that technology is compromised.

The inventory process may identify equipment that the IT department was previously unaware of. By understanding the business processes that rely on that equipment, security teams can decide what kind of firewall rules to apply, better manage user accounts and learn what software needs to be updated. Understanding who the end-users are and how the asset is being used helps security teams assess how to prioritize the risks and plan how to reduce them.

Security professionals can use GRC programs to understand how technology maps to certain business processes and functions, says Mike Lloyd, CTO of Red Seal Networks, a network security management company. This information can help them figure out what the key threats are and identify ways to mitigate that risk, he says.

Incident Response, Controls

Security professionals can also use GRC to improve information sharing across the organization and streamline incident response. For example, because GRC makes it clear what kind of business processes depend on which assets, security teams have a clear path of who should be notified when there is a security event. Incident response teams can also look at all related processes and be able to identify other assets they should investigate to assess the magnitude of a breach.

Summary

Security professionals must understand the need to move away from a technical view of risk to a more strategic one when evaluating and deploying controls. They should evaluate how certain technical controls, while improving security, can impact business functions, and make necessary adjustments.

GRC enables security professionals to "draw a line between what security tasks are necessary and what business is concerned about.