Showing posts with label Security Tips. Show all posts

Saturday, August 16, 2014

Facebook’s Browser-spying Campaign

Facebook uses the browsing data of its members to target ads for its advertising partners

Facebook, used by well over a billion people, is sharing its users' online behaviour in ways it previously said they could opt out of.

As VentureBeat reports, any time a Facebook user visits a site with a "Like" button (any site, not just a Facebook page), that visit is recorded by Facebook and used to better target the ads of its advertising partners. The user does not need to click the button: the button itself is loaded from Facebook's servers, so the browser sends that request together with the user's Facebook cookies and the address of the page being viewed. The page visit alone is enough to trigger the storage of user data.

I actually tested this by visiting several types of websites I've never visited before. Lo and behold, I started seeing ads for associated items on my Facebook page.

There are a few tools that allow you to block sites like Facebook from inserting tracking code into your browser. Learn about them here.
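As an added example (not part of the original post), the Python script below lists every resource a page makes the browser fetch on load and points out the ones that go to Facebook's servers, which is exactly what reports the visit whether or not the button is ever clicked. The page it scans is constructed here; the Facebook host names are the ones the Like button and the JavaScript SDK are served from, and the first-party domain is whatever you pass in. Run it against a saved copy of any page to see what that page pulls in.

```python
"""List third-party resources a page loads automatically, and flag Facebook's."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts Facebook's widgets and JavaScript SDK are served from (well known; not from the post).
FACEBOOK_SUFFIXES = ("facebook.com", "facebook.net", "fbcdn.net")

# Tag/attribute pairs that make the browser fetch a resource as soon as the page loads.
FETCHED_ON_LOAD = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class EmbedCollector(HTMLParser):
    """Collect every resource URL the page loads without any user action."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[tuple[str, str]] = []   # (tag, url)
        self.fb_widgets: list[str] = []          # class names such as "fb-like"

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        src_attr = FETCHED_ON_LOAD.get(tag)
        if src_attr and attr.get(src_attr):
            self.urls.append((tag, attr[src_attr]))
        # The SDK rewrites <div class="fb-like"> into a facebook.com iframe at load time.
        classes = (attr.get("class") or "").split()
        self.fb_widgets.extend(c for c in classes if c.startswith("fb-"))


def _host(url: str) -> str:
    # Handles absolute and scheme-relative (//host/path) URLs; relative paths give "".
    return urlparse(url).netloc.lower().split(":")[0]


def _is_suffix(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def third_party_embeds(html: str, first_party: str) -> list[tuple[str, str]]:
    """(tag, url) for every auto-loaded resource not served by first_party."""
    parser = EmbedCollector()
    parser.feed(html)
    return [(t, u) for t, u in parser.urls
            if _host(u) and not _is_suffix(_host(u), first_party)]


def facebook_trackers(html: str) -> list[str]:
    """URLs and widget classes that report the visit to Facebook on page load."""
    parser = EmbedCollector()
    parser.feed(html)
    hits = [u for _, u in parser.urls
            if any(_is_suffix(_host(u), s) for s in FACEBOOK_SUFFIXES)]
    return hits + parser.fb_widgets


# Constructed sample page (not a real site) carrying a Like button and the JS SDK.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script async src="//connect.facebook.net/en_US/sdk.js"></script>
<link rel="stylesheet" href="https://cdn.example.org/site.css">
</head><body>
<div id="fb-root"></div>
<div class="fb-like" data-href="https://news.example.org/story"></div>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fnews.example.org%2Fstory"></iframe>
<img src="https://news.example.org/hero.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in third_party_embeds(SAMPLE_PAGE, "news.example.org"):
        print(f"third-party {tag}: {url}")
    print("reports the visit to Facebook:", facebook_trackers(SAMPLE_PAGE))
```

Every URL the script prints is fetched by the browser before the user does anything, and the request to a facebook.com or facebook.net host carries the Facebook session cookie, which is what ties the visit to the account.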

Monday, April 21, 2014

WARNING! Your Flash Player may be out of date.

Fake Adobe Flash update pop-ups driven by an infected router ("The Moon" malware)

A few days ago, I started receiving a pop-up message, "WARNING! Your Flash Player may be out of date. Please update to continue.", when I was trying to access websites like Facebook, YouTube, Google, etc.

If you're receiving a similar message, continue reading, but make sure you don't click on anything or try to update Flash Player from the pop-up window. You can check your current version of Adobe Flash Player by visiting Adobe's official website. If you're using Google Chrome, it already includes Flash Player built in, and Chrome updates it automatically when new versions of Flash Player are available.

You will also notice that the same message pops up on all the devices connected to the same router (mobile phones, laptops, etc.).



That is the tell: the message is not coming from any one computer but from the network, which means your router is infected. At the time this was commonly reported on Linksys and ASUS routers, among a few other manufacturers.

How to fix this?

  • Reset your router to factory defaults (hold the reset button on the underside for about 6 seconds, or as long as your model's manual specifies). Note that after the reset all your settings, including the ISP settings, will be lost.
  • Before reconnecting it to the Internet, change the default admin password and, if the router offers it, disable remote (WAN-side) administration; a reset alone puts the device back on its default credentials.
  • Configure your router again with the ISP settings (username and password are also required), and install the latest firmware from the manufacturer so that the hole which let the malware in is closed.
  • Clear your browsers' caches and restart the connected devices; the pop-up message will not appear again.
Refer here for some basic tips on hardening your router to avoid this happening again.
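Since the pop-up reaches every device behind the router, one check a practitioner would run before and after the reset is to ask the router's own resolver and a trusted public resolver for the same names and compare the answers. One common way such pop-ups get injected is a router whose DNS settings have been changed so that many unrelated names resolve to the same attacker address; that is an assumption here, since the post does not say how the injection happened. The Python below is an added example, not from the original post: it builds and parses DNS packets directly so that each query goes to a server of your choosing. The router address 192.168.1.1, the public resolver 8.8.8.8 and the sample response are assumed or constructed, not taken from the post.

```python
"""Query a chosen DNS resolver directly and compare its answers with a trusted one."""
from __future__ import annotations

import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A-record query in RFC 1035 wire format, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> set[str]:
    """IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips: set[str] = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def query_a(name: str, server: str, timeout: float = 3.0) -> set[str]:
    """Send one query to one resolver over UDP (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(reply)


def disjoint_answers(router: dict, reference: dict) -> list[str]:
    """Names the router resolves to addresses the trusted resolver never returns.
    CDNs legitimately vary answers by resolver, so treat a hit as a lead, not proof."""
    return sorted(n for n, ips in router.items()
                  if ips and reference.get(n) and ips.isdisjoint(reference[n]))


def shared_addresses(answers: dict, min_names: int = 3) -> dict:
    """Addresses that several unrelated names resolve to: the signature of a
    resolver steering everything to one injection host."""
    by_ip: dict = {}
    for name, ips in answers.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


# Constructed response (not captured traffic): one A record for example.com,
# answer name given as a compression pointer back to the question (0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7])
)

if __name__ == "__main__":
    # Assumed addresses: the router's LAN address and a public resolver.
    names = ["facebook.com", "youtube.com", "google.com", "example.com"]
    router = {n: query_a(n, "192.168.1.1") for n in names}
    trusted = {n: query_a(n, "8.8.8.8") for n in names}
    print("answers with no overlap:", disjoint_answers(router, trusted))
    print("addresses shared by many names:", shared_addresses(router))
```

A single mismatched answer is normal for CDN-fronted sites; three or more popular names all landing on one address that the trusted resolver never returns is not, and that is the case worth acting on.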

Sunday, October 20, 2013

Basic Tips To Protect Mobile Device

Mobile owners should pay attention to mobile device safety!

Mobile communication has never been this convenient: beyond traditional SMS and calls, we now get a desktop-like experience on smartphones and tablets. However, aside from the health concerns associated with excessive phone use, the advent of mobile Internet has raised the security risks too.

Most of us protect the hardware and exterior of our phones, but do not put nearly as much effort into protecting the OS and contents of the phone from hackers, or from strangers who get hold of a misplaced or stolen handset.

Here are some tips that give basic protection, so that private photos or videos, debit and credit card details and other private information are not left at the mercy of other people.

  • Use a passcode to unlock your phone, and require it again to make a purchase or open a file (where available). The inconvenience is nothing compared to the risk involved.
  • If available, activate the "find my phone" feature of your phone.
  • If available, activate the feature that lets you remotely erase the contents of, or reset, your phone.
  • If available, activate a "kids safety" feature; this prevents your kids from accessing apps that are not appropriate for them, accidentally changing your phone's configuration or erasing data.
  • If available, use an anti-virus solution for your phone.
  • Take precautions when connecting to public hotspots.
  • Do not click links in emails, direct messages or status updates in your timeline without first verifying with the sender. Such links commonly download malware or lead to a page that tricks you into granting an attacker access to your accounts.

As a general reminder, the currency we use to pay for the "free" apps and games we download is the information associated with our account, which may include our location and contacts. Read the privacy policy and terms of service for each app carefully, and check the permissions it asks for before installing it.

Tuesday, October 8, 2013

How Much Information Are You Leaving Online?

Do you ever feel like you're being followed?

Perhaps that's because you are. While it may not be the boogeyman who's hot on your trail, there are many groups of watchers who have made it their business to know as much about you as possible.

Each day, we are tracked by the 'smart' systems, mobile apps, personal communication devices and other surveillance platforms that have become commonplace in our daily lives. The two pieces below are part of an effort to educate more people about the data trails they are leaving behind (and the companies, data bureaus and marketers who are sniffing out that trail).


How comprehensive a profile Google can build from the information we voluntarily share

How valuable your online information is to burglars

Notice all they can get from *your* social network sites... and those of your friends, family and co-workers. Be aware of what you put out there!

For those of you in charge of or influencing your company privacy policies, consider how you are gathering and sharing your customers' data. Are you doing so in a manner that is transparent and compliant?

Tuesday, September 17, 2013

Scam Of The Week: Ransomware Uses Child Porn Threat

Cybercriminals have cooked up a new way to blackmail people!

Being accused of viewing child pornography is a serious matter and can make someone an instant outcast in most Western countries. Cybercriminals have cooked up a new way to use that fear to blackmail people out of their money, both inside and outside the office.

The ransomware family is called Revoyem (aka Dirty Decrypt) and uses the worst possible strategy to get people to pay up. It starts at a porn site you have landed on, either on purpose or by accident. A malicious ad then redirects you to an actual child-porn-themed page with very disturbing images. While you are there, your PC is hit by the Styx exploit kit, which drops the ransomware, and your computer gets locked.

The lock screen again shows disturbing images, accuses you of watching child porn and lists the penalties. Then the "friendly" ransomware comes to the rescue: just pay the fine and you will not be prosecuted. Payment is demanded via MoneyPak or PaysafeCard, prepaid vouchers that cannot be traced or reversed the way a card payment can. No real law enforcement agency collects fines this way.

The attack has been seen in the U.S., Canada and several Western European countries; it is translated for each territory and names the correct government law enforcement agency as the threat. This looks very much like an Eastern European cybercrime operation.

WHAT TO DO: Do not pay. In an office environment, call the helpdesk; they will treat this as malware and remove it. At home, report it to the police and file a complaint; they are likely already aware of it.

Also have an expert remove the malware. Stay away from unsafe areas of the Internet such as gambling and porn sites, and, since exploit kits like Styx rely on unpatched browser plugins, keep Java, Flash and the browser itself up to date. Here is how the lock screen looks:


Saturday, September 7, 2013

5 Quick Lessons on Privacy

Privacy Matters: How Easily Could Someone Hack Into Your Life?

Being diligent about your personal privacy is a learned behavior. Often the best way to practice is to take a closer look at the every-day activities in which you and your friends, colleagues and family members take part. 

Below are some quick-hit resources that serve as good reminders of the privacy threats we are exposed to each day.

Thursday, August 15, 2013

10 easy ways to reduce security headaches in a BYOD world

How can you improve security "old school style" in a BYOD world?

Security is a huge concern when it comes to BYOD. Here are several steps you can take to protect your network and keep your organization's data safe. 

You're about to officially allow Bring Your Own Device (BYOD) in your organization. Understandably, you're concerned with the security of your network and data. With all those unknown variables entering the mix, how will you safeguard your company and keep sensitive data from falling into the wrong hands?

To put your mind at ease, you need to tackle BYOD with an eye toward security. This means policies and plans must be put into place. With BYOD, you can't always think in the same way you do with standard networking. Here are 10 ideas that might help you get through this transition.

1: Secure your data
Before you allow any non-company devices onto your network, you need to make sure your data is secure. This should go without saying, but if you have sensitive data on open shares, you're asking for trouble. Every network administrator must know the company's data is secure. But if you are about to open the floodgates to BYOD, this must be a priority.

2: Tighten your network security
Just as you've secured your data, you must make sure your network security is rock solid. Do not rely on the Windows Firewall on individual machines to protect your data; deploy a dedicated perimeter device (such as a SonicWALL, Cisco or Fortinet appliance) and pay close attention to keeping the outside world locked out of your network. A perimeter device does nothing about a compromised phone that is already inside, though, so put BYOD devices on their own wireless network or VLAN with access only to the services they need, not the whole LAN. With all of those new devices coming in, and the possible security holes they can create, you must have a solid network security plan in place.

3: Implement a BYOD antivirus/anti-malware policy
Any device running an operating system for which malware is common must be running a company-approved antivirus solution, and that includes Android, which is a major malware target. Even for platforms with less malware exposure (iOS, Linux), make sure those users are not passing along suspect files to fellow workers (or customers); a Mac or Linux machine can relay a Windows trojan it cannot itself run. To that end, you can still require these users to install and use an antivirus solution to check outgoing files for signs of infection.

4: Mandate encryption
If your BYOD users will be handling company data outside your secured LAN, you should require encryption: at minimum, device-level storage encryption tied to the device passcode, and on top of that an application password for any app that stores company data on the device. If users store company passwords on the device, those passwords must sit under a layer of encryption, not in a notes app.

5: Take advantage of mobile application management (MAM)
You have to know what applications are being used on your network. This doesn't mean you have to prevent users from accessing Facebook or playing games (that's your call, of course), but you must make sure no application in use is a threat to the security of your company data. Some platforms, like Android, allow side-loading, so any application not on the Google Play Store can be installed. You want to make sure one of your employees isn't inadvertently letting a sniffer or port scanner loose on your network.

6: Require apps like Divide
There are apps, like Divide, that do a good job of placing a barrier between personal and work data. Divide provides a completely separate work desktop, so the user can make no mistake about which side they are on. Gaining access to the business side requires a password, as well as knowing how to reach that (mostly) hidden desktop in the first place.

7: Require multi-layered password protection

You must require all devices to be password protected, but a single password to unlock the device isn't enough. Any application, folder or file that holds company data must also be password protected, and that protection must be backed by encryption: a password prompt on top of unencrypted storage stops a casual snoop but not anyone who can read the device's storage directly. Though it is an inconvenience, layered protection of this kind keeps your data safer. At the same time, make sure users do NOT have passwords (such as those for company VPNs) stored on the device unless they are stored in an application that encrypts them and itself requires a password to open.

8: Implement company-wide phone wipe

If your users want BYOD, they have to be willing to sign on to a plan that gives you the power to wipe their phone if it's lost or stolen. Where your mobile device management tooling supports it, a selective wipe of the company container is easier for users to accept than a full-device wipe, and it removes what you actually care about. This should be the case for every user (not just those using their devices for work), yet many don't see the value in making sure their sensitive data can be deleted if the phone winds up in the wrong hands.

9: Require use of company wireless when on premise

You know some users will "forget" to connect to your wireless network when they arrive. You do not want them doing business on their carrier network, where you have no visibility at all. Make sure all users understand that if they use their device on premises, they must use your wireless network. This not only helps secure your company data, it lets you monitor and control what goes on.

10: Limit device support

If you open your company up to BYOD, you are within your rights to limit that policy to certain devices. Say you only want to open this up to tablets without a carrier (so they are Wi-Fi only) or to a single platform. By doing this, you not only make your job easier, you help keep your company network and data more secure.

Monday, August 12, 2013

Scam Of The Week: "Held For Ransom"

Your Computer Has Been Locked


I would like to alert your users that a particularly effective scam is growing by leaps and bounds. It's not new, but it has burst into mainstream cybercrime these last few weeks. The scam takes over the full screen of the PC, stating that the FBI has locked that PC until a fine is paid. The PC may look locked down, but it was a cybercriminal who did that, not the Feds.

What to do: Do NOT PAY

This is malware on the PC. Treat it like malware and clean that system. The bad guys have found that this scam works really well for them: scared PC users are often willing to pay hundreds of dollars to avoid getting in hot water with the FBI.

More than $5 million per year is extorted from victims. If it's a PC in the office, call IT. If it's a PC at the house, here is a video from security company Symantec how to remove this for free: http://www.youtube.com/watch?v=_dKBXeoLIFo.

Monday, July 29, 2013

The Risk of Data on Mobile Devices & in the Cloud

Ponemon Institute research finds that 69% of respondents listed mobile devices as posing the greatest risk

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud, sponsored by WatchDox, reveals a stunning need for improvement in managing the risks of mobile devices and cloud computing services.

The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others.

The study concluded that "[t]he greatest data protection risks to regulated data exist on mobile devices and the cloud." 69% of respondents listed mobile devices as posing the greatest risk, followed by 45% who listed cloud computing.

Some other key findings include:

  • Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
  • Only 19% said their organization knew how much regulated data was on mobile devices.
  • Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
  • 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
  • Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
  • In the past two years, the average organization had almost 5 data breaches involving the loss or theft of a mobile device with regulated data on it.

What are the risks?

  1. Unsafe Security Practices: With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
  2. Choice of Cloud Service Provider: There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
  3. Regulatory Troubles: If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
  4. The Ease of Sharing: Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
  5. The Ease of Losing: If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”

What should be done?

  1. Educate the Cs: The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
  2. Develop Policies: The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
  3. Educate the Workforce: Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
  4. Instill Some Fear: The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.

The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress.

The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.

Friday, July 26, 2013

Beware of Gumtree Scam: Scammer Targeted More Than 300 People on the Gumtree

Reports have emerged of a series of similar scams affecting people across Australia on Gumtree.

A male scam artist searches the wanted advertisements on the site and then contacts the poster to say he has the item they are seeking.

The man then asks where the buyer lives and states he also lives nearby, but is working interstate so is unable to drop the goods off in person. Once the money is transferred to his account he ceases contact.

The scams have involved the attempted purchase of goods including mobile phones, iPads, electronic tablets and gift cards from stores including Coles, Myer and JB Hifi.

Reports of online scams can be made to the Australian Competition and Consumer Commission via www.scamwatch.gov.au, or to the equivalent body in your own country.

Wednesday, June 19, 2013

SCAM Alert: Puppy Scams & Business Executive Scams

NEVER send money or give credit card or online account details to anyone you do not know and trust.

Almost everyone will be approached by a scammer at some stage. Some scams are very easy to spot while other scams may appear to be genuine offers or bargains. Scams can even take place without you doing anything at all.

Two scams currently prominent enough to warrant awareness are:

(1) The "Puppy Scam", which is aimed at dog lovers, has been around for many years and appears to be on the rise again.

(2) The “Business Executive Scam” looks to victimize businesses in both Canada and the United States of America.

The Puppy Scam, method of solicitation: Purebred dogs are offered at lower than normal prices. Straightforward ads are placed on free online sales sites like Gumtree and Craigslist and on community web pages. Standard newspaper ads have also been used.

In one variation the seller claims to be leaving the country to do a 'Christian mission' abroad and must sell the dog because of their commitment to helping people less fortunate. Although mobile phones have been used, communication is mostly by email.

Victim remittances: Money service businesses (MSBs) are the primary method the fraudster uses to collect victim funds. Once the price is confirmed and the original payment is made, the victim can expect many more communications, because they now have to pay the "certified transportation company", the "out of country tax", the "anti-terrorist fee" or the "verification of vaccination fee", just to name a few.

Additional emails follow until the complainant finally realizes they are a victim and will never get a dog. Most of the MSB transfers are destined for West African nations including Nigeria, Ghana and Cameroon.

Refer here and here for more information.

The Business Executive Scam: Fraudsters research companies online via company websites. To make this scam work, they need to identify a company executive (e.g. the CEO, president, manager or owner) as well as an email address for the accounting department. Once identified, the fraudster creates an address at a free email provider such as Yahoo, MSN or Google, for instance "<the executive's name>@yahoo.com", so that the display name looks right while the domain is not the company's.

A message is then emailed to the accounting department advising that the executive is working at home or off-site and has identified an outstanding payment that needs to be made ASAP.

The "executive" instructs that a payment be made, generally in the amount of $25,000 to $80,000, to a named person and bank account.

Bank accounts associated with this fraud have been identified across North America thanks to the efforts of the complainants and the banks. Currently the victimization rate is very low, but the potential loss per incident is high, so identified bank accounts require prompt action. The defence is procedural: any payment instruction that arrives by email, especially one that is marked urgent or changes an account, is confirmed with the executive by a phone number already on file, never by replying to the email.

Refer here to learn more types of Business Executive Scams.
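The tell in the Business Executive Scam is mechanical and can be checked mechanically: the display name (or the local part of the address) matches an executive, but the domain is not the company's. The Python below is an added example, not from the original post or any product; the company domain, the executive directory and the sample messages are all constructed. It parses a raw message with the standard email library and returns a verdict with the reasons, so it can sit in front of an accounts mailbox or be run over an exported mailbox after the fact.

```python
"""Flag executive-impersonation payment requests in raw email messages."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory for a fictional company (you would load your own).
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com", "raj patel": "raj.patel@example.com"}
FREE_MAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "msn.com", "aol.com"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|asap|urgent|immediately)\b", re.I)


def _normalize(name: str) -> str:
    """'Jane  DOE', 'jane.doe' and 'Doe, Jane' all become 'jane doe'."""
    words = re.findall(r"[a-z]+", name.lower())
    if "," in name and len(words) == 2:          # "Doe, Jane" -> ["jane", "doe"]
        words = words[::-1]
    return " ".join(words)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _body_text(msg) -> str:
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"] \
        if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)


def assess(raw_message: str) -> tuple[str, list[str]]:
    """Return ("likely BEC" | "suspicious" | "ok", reasons)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    reasons: list[str] = []

    # Impersonation: the name we see matches an executive, via display name or local part.
    impersonated = None
    for exec_name in EXECUTIVES:
        if _normalize(display) == exec_name or _normalize(addr.rpartition("@")[0]) == exec_name:
            impersonated = exec_name
    external_exec = bool(impersonated) and domain not in COMPANY_DOMAINS
    if external_exec:
        reasons.append(f"sender presents as {impersonated!r} but mail comes from {domain}")
    if domain in FREE_MAIL:
        reasons.append("sent from a free webmail domain")
    reply_to = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != domain:
        reasons.append(f"Reply-To points to a different domain ({reply_to})")
    if PAYMENT_WORDS.search(_body_text(msg)):
        reasons.append("asks for an urgent payment or transfer")

    if external_exec:
        return "likely BEC", reasons
    if len(reasons) >= 2:
        return "suspicious", reasons
    return "ok", reasons


# Constructed sample messages (not real mail).
SCAM = """From: Jane Doe <jane.doe@yahoo.com>
To: accounts@example.com
Subject: Outstanding payment

I am working off-site today. Please wire 42,000 to the account below ASAP.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Invoice approval

Approved, please process the invoice through the usual workflow.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        verdict, why = assess(raw)
        print(f"{label}: {verdict} {why}")
```

The verdict is driven by the executive-name-plus-foreign-domain combination alone; the other signals only raise an otherwise unremarkable message to "suspicious". A message that passes this check can still be a forgery of the real address, which is why the out-of-band phone confirmation stays in place regardless of what any filter says.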

Monday, June 3, 2013

Do You Need an Anti-Virus for MAC?

You're far less likely to run into malware on a Mac than on Windows

But you may still want to consider an antivirus tool anyway, if not to protect yourself, then to protect your Windows-using friends from any malware you may inadvertently pass their way.

If you agree, Sophos Anti-Virus for Mac may be the best choice, and it's free.

Many of you may choose to use nothing, but consider that malware is becoming a bit more prevalent on the Mac, and even the safest browsing habits don't protect you completely.

Sophos Anti-Virus for Mac

Platform: OS X (10.4+) 
Price: Free
Download: Click here

Features

  • Compact, easy-to-use interface that can be used for custom on-demand scans of files, folders, and drives, or scheduled, periodic full scans of your Mac.
  • Also scans files on your Mac for known Windows malware, trojans, and viruses, and deletes or quarantines them so you don't risk spreading them to someone else via network share, USB drive, or email.
  • Deletes or quarantines known threats, gives you the option to quarantine anything suspicious that may be a new threat or dangerous file.
  • Runs quietly in the background, scanning emails, downloads and any other files on access, and blocks them before they can do any harm.
  • Light on system resources while running in the background.
  • Installs like any other Mac application, and uninstalls just as easily—no complicated packages or components to manage or configure.
  • Sophos' "Live Antivirus" feature updates your app the moment new threats are detected or found in the wild. The feature also performs real-time lookups to see if files accessed are in the SophosLabs database, even if they're unfamiliar to the app.
  • Supports OS X up to 10.8 and back to 10.4, and is completely free for all versions.

Sunday, May 12, 2013

Reputation Is A New Target For Cyber-Attacks

How organizations can protect their credibility in the midst of an incident?

Organizations have to equip themselves much better to deal with attacks on reputation. The Information Security Forum (ISF) recently issued its annual threat report, Threat Horizon: New Danger from Known Threats, which provides recommendations on protecting reputation, an area of high interest to attackers.

Word of a cyber-attack spreads fast these days, and that viral impact can be a major issue. Criticism levied against an organization, fueled by social media, disgruntled employees and a whole collection of genuinely viral traffic, causes a major reputational hit.

The faster an organization can respond, the more it knows about the particular issues being raised by hacktivist groups, and the more credibly it can state its actual position, the less severe the impact.

To ensure they can respond effectively, organizations need clear ways of collaborating internally, honest relationships with the media, and an understanding of exactly where their data sits across the organization.


Understanding threats is fundamental to enterprise risk management. Every organization needs to evaluate threats within the context of its own business to determine its risks. The ISF notes that one of the key things observed this year is that threats have evolved: attackers have become more organized, attacks more sophisticated, and all threats more dangerous simply because of that maturing. The sophistication of the people behind the attacks and breaches has increased significantly.

The ISF describes criminals as having upgraded "crime as a service" to version 2.0, which gives some sense of how mature these operations have become.

It's a real opportunity for security and business departments to combine within organizations and get their arms around how they're going to deal with the issue of reputational risk, because it's very real and we've seen some examples of it already this year.

Saturday, March 9, 2013

Are Personal Password Database Sites Safe & Secure?

Basic tips & techniques for your daily password management!

Earlier this month, there was an expert on a popular U.S. morning news show advising people to use personal password database sites to keep track of their passwords. I couldn't disagree more.

While I commend the expert for advising people to use multiple, diverse and difficult-to-guess passwords for their different online accounts, I do not believe storing these passwords in the cloud is the best idea.

Here are four password-keeper services I recently saw promoted in this Payment Systems post, and my thoughts on each of the four:

KeePass: This is a local application rather than a service. If you want to use it, keep the database on a USB drive instead of in Dropbox, which has had some security breaches in the past year. Although Dropbox recently announced improved security, I still don't want to entrust my passwords to a cloud service of any kind. (Keep in mind that staff at any cloud service can in principle reach your files as part of supporting the service. A KeePass database is encrypted under your master password, so what they would get is ciphertext to attack offline, and that protection is only as strong as the master password you chose.)

1Password: I'm leery. If someone else gets my computer, will the service's web integration allow them to access all my accounts? I pass on 1Password. (Browser integrations of this kind only fill credentials while the vault is unlocked, so the question to ask is how quickly it locks itself again when you walk away.)

LastPass and RoboForm: Many security folks approve of LastPass and RoboForm, and the services have been around for a few years. But I do not like the lack of information about how they secure their sites. The question to ask of any such service is whether the vault is encrypted on your own device, with a key derived from your master password, before it is uploaded, so that the provider only ever holds ciphertext. I would not use these services, as they are cloud-based, and I simply do not want to share my passwords with others in this way. If you want to use them for managing the passwords for websites holding non-sensitive information, that's an option. However, keep your banking and other financial passwords with you and don't share them with an online site.

It continues to be important to have multiple and varied passwords. At a minimum, your social networking passwords should be vastly different from your financial and banking passwords.

As for how to keep a record of these sites, if you don't want to use a password manager like KeePass to store your passwords on your own devices, try an encrypted Excel file (on a current Office version, which uses AES for password-to-open encryption; the encryption in the old Office 97-2003 formats is weak), or even a good old-fashioned notebook that you keep locked away.

These alternatives may not be high-tech, but given the password management cloud services sites' vulnerabilities, it's much safer right now than relying on cloud-based services, which are major targets for hackers.
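What separates a safe password store from an unsafe one, whether it is the app-level encryption the BYOD post above asks for (items 4 and 7) or a password database synced through a cloud service, is whether the data is encrypted on your own device with a key derived from the master password before it goes anywhere. The Python below is an added example, not from the post and not the design of KeePass, 1Password, LastPass or RoboForm: it derives separate encryption and MAC keys with PBKDF2, encrypts, then authenticates, and refuses to decrypt on a wrong password or a modified file. The keystream construction (HMAC-SHA256 in counter mode) is chosen so that the example runs on the standard library alone; in production use AES-GCM or ChaCha20-Poly1305 from a vetted library. The sample entries are constructed.

```python
"""A local password vault encrypted under a master password before it ever leaves the device."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import struct

KDF_ITERATIONS = 300_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative; AES-GCM in production)."""
    blocks = [hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the vault; the result is what may be synced or backed up."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(master: str, blob: bytes) -> dict:
    """Verify the tag in constant time before decrypting; reject wrong password or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def opens_with(master: str, blob: bytes) -> bool:
    """True if the master password unlocks the vault, False otherwise (no exception)."""
    try:
        unseal(master, blob)
        return True
    except ValueError:
        return False


# Constructed sample entries; nothing here is a real credential.
SAMPLE_ENTRIES = {
    "bank.example": {"user": "alice", "password": "correct horse battery staple"},
    "social.example": {"user": "alice", "password": "a completely unrelated passphrase"},
}

if __name__ == "__main__":
    blob = seal("my master passphrase", SAMPLE_ENTRIES)
    print("what a cloud provider would hold:", blob.hex()[:64], "...")
    print("unlocked:", unseal("my master passphrase", blob)["bank.example"]["user"])
    print("wrong password opens it:", opens_with("guess", blob))
```

A cloud provider holding the output of seal() has salt, nonce, ciphertext and tag and nothing else; the only attack that leaves open is guessing the master password offline, which is why the KDF work factor and the strength of the master password matter more than where the file is stored.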

Wednesday, March 6, 2013

Sex Tape Scam Featuring Rihanna and `His’ Boyfriend Hits Facebook

Popular celebrities used by cyber-criminals for hoaxes and fraud

BEWARE! Facebook users are being hit by yet another alleged sex tape featuring Rihanna, one of the most popular celebrities used by cyber-criminals for hoaxes and fraud on the social network.

This time, the scam alleges the singer was caught with `his boyfriend' [sic] during sexy times.

Check out how the #scam works and how to protect your Facebook account here: http://bit.ly/Rihanna_Sex_Tape_Scam


Wednesday, February 6, 2013

Need To Invest Time In Facebook Privacy


An Embarrassment is Coming

If they don't invest the time in reviewing the information that's been published about them, Facebook users are in for a potentially embarrassing surprise. That's because Facebook is working toward making more of its content searchable with its Graph Search feature.

What will be searchable? All the information (personal, professional, pictorial) you post, and that other Facebook users post about you. Additionally, your likes, and in many cases simply the websites you've visited that have hooks back into Facebook, will be searchable.

This article explains it well, and in it, writer Meghan Kelly gives one of the best analogies for Facebook I have read:
Facebook is like a safe containing a ton of your personal information - which you've purposefully and willfully cracked with an axe.
Beyond searching for what's already out there about you, commit to practicing good social etiquette. Don't "check in" your friends for them (without their knowledge!), post pictures of them they may not appreciate or tag them to one of your posts without their permission. Even the tamest of details may cause trouble for them, not to mention, trouble for your relationship. 

Monday, October 15, 2012

Tips for IT Security Auditing

How to effectively conduct an IT security audit?

As an information security professional, it is your responsibility to protect and sustain the enterprise’s information assets from all types of threats. One way to enhance the security posture of your enterprise is to leverage the expertise of a security auditor to help find and fix the worst problems in your security infrastructure.

You may be thinking, “Why would I want to invite a security auditor to help me find my greatest weaknesses?” No one relishes an audit—which often seems to involve people poking around and looking for holes in the network or systems.

However, a thoroughly conducted audit, with appropriate risk-based scoping, can keep you from having to report to your management or board that a data breach happened on your watch.

In most enterprises, the information security and audit functions are involved with protection and sustainment of important organizational assets. The information security function has the primary responsibility for establishing and maintaining a cost-effective and robust security program.

The audit function, whether internal or external, provides an independent review and analysis of the program. Here are some considerations for participating in and preparing for an IT security audit:

  • Remember that audits are opportunities to improve the security program, not a personal indictment of security practices. Taking the initiative to request a thorough audit of your security shows management that you are willing to do what is best for the enterprise. It can also help you get additional budget to address serious areas of risk.
  • Receive from the audit team an audit plan outlining the purpose, scope and approach to the audit. If you are the requestor of the audit, you have an opportunity to provide input on what areas of focus you think are most at risk.
  • Conduct a review of the current security policies, standards and guidelines, and make sure you understand how those policies are implemented in operation. Often, there are conflicts in the way policies are implemented, especially when relying on technology alone, and an audit can pinpoint the gaps.
  • Collect, document and organize the procedures and processes that your staff follows to perform their duties. You may find that lack of consistency in performing the processes results in unacceptable variance in the way that certain security controls are implemented.

Security audits should not be limited to technology testing, penetration testing or exploiting vulnerabilities, but should provide an accurate analysis of the risk areas that pose the most danger to the enterprise. A thorough security audit is about regular and consistent validation and verification that the security program is effective in doing what it is designed to do: protect and sustain the enterprise’s critical assets.

Source: ISACA

Saturday, October 6, 2012

It's your responsibility to protect your data on Facebook!

Marketers are Dying for Your Facebook Data

...and Facebook wants to help them get it. In fact, the social network giant -- now under pressure from stockholders to produce revenue -- has developed new functionality designed to help advertisers better find you on Facebook.

So long as you have voluntarily given your phone number or email address to a company, that company can now use it as a means for searching and locating you on Facebook.

Be sure to check and update your settings on Facebook (and other social sites), as new functionality is added frequently, threatening your assumption of privacy online. Speaking of Facebook, be sure you are aware of another change that could result in having your emails sent to Facebook.

In June, Facebook changed everyone's email address visibility settings to hide the email addresses we purposefully shared with friends, leaving just @facebook.com addresses.

For folks who did not change this back, and for folks using the new iPhones running iOS 6, this could result in their preferred email addresses being replaced by @facebook.com addresses...and in sensitive information being saved to Facebook's systems (a far-from-secure place to keep email messages).

See more about it here.

Friday, October 5, 2012

Facebook applications are not always safe!

Apps Dressing Up as Innocent Fun

Many people mistakenly believe that any application found on Facebook has been vetted by Facebook, and is therefore safe. False.

As this article on Facecrooks points out, anyone can create an app for publication on Facebook. Facebook users are also guilty of clicking through the permission screen, potentially missing key information on how the application's developers plan to access their Facebook information (for those that actually provide such information).

Take the time to read these screens thoroughly before clicking OK. If an app does not provide information about how it will use your information, then don't download it; it's just not worth the potential problems, no matter how yummy fun the app sounds.

Wednesday, October 3, 2012

How much do you care about your privacy?

Apps Come Back to Haunt You

Can you count your apps on one hand? Two? As smartphones have found their way into more pockets and purses, the tendency to become "app happy" has struck more than one consumer.

Often folks will download an app, input their personal information, allow it to track and store their locations, purchase behaviors -- heck, even account numbers -- and then forget all about it. Meanwhile, the application is running in the background gathering (and potentially sharing with third parties) the private and personal details of their lives.

Have you set an app to auto-broadcast your location to a social network? Here's hoping you remember that before you arrive at the amusement park on a "sick day." Does that pizza place auto-fill your credit card number when you order a pie online? That's one lucky thief who gets a hold of your smartphone. Make it a practice to review your apps often.

A good time to do this is now; delete the ones you are not using. A friend of mine was surprised to find she had accumulated over 200! Then, check again whenever you have an app ask you to download an update.

As those notices come in, don't just ask yourself if you'd like to update (which is an important step, as many apps improve their security and privacy standards with these updates); also ask yourself if that's truly an app you need to have on your smartphone, laptop or any other type of computing device you use.