Security Suggestions – The Cloud and Your Data

Posted on 1, Oct | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I am often asked to discuss IT and data security as it relates to storing data on the Cloud. Nine out of ten times I am asked two inevitable questions: “What is the Cloud?” and “Where is the Cloud?” Hopefully I will answer these questions as I discuss ways to keep your data secure on the Cloud.

There are a number of services that allow you to store data on their servers. Examples of these for an individual or a small business are Dropbox, Sharefile, Google Mail, iCloud, Google Drive, Office 365, and many more. These services quite often are automatically connected to you by your smartphone, iPhone, laptop and/or your desktop computer once you initially log in. Think about using your phone – you don’t have to type in a password to get your Gmail each time. As long as you can access the email app on your phone, you’re in. This is because you have instructed the app to trust your smartphone as a conduit to get your Gmail. This goes for almost any mail account you access from your device.

Go one step further and consider that you may have an account with Dropbox, Office 365, or Sharefile. The same concept applies – you have instructed the app to trust your smartphone as a conduit. To make matters worse, if you have these accounts available on your laptop or desktop, they too are accessible without typing in a password once you have initially logged in. This is most often the case because we have instructed the app to remember our password.

Now that we understand – to just a small degree – what the Cloud is as it relates to most users and what as individuals we may have on the Cloud, let’s discuss how to keep it secure. First, don’t store sensitive information in the Cloud. I am not talking about using the online version of TurboTax, for example. I am referring to storing birth certificates, passports, and other scanned documents with sensitive information. There is nothing wrong with a safe deposit box for items like these.

Don’t use the same password for every account, and change passwords regularly. I believe that password security is such an important issue I could write an entire topic on it. By using the same password for email, banking, computer login, online purchases, social media sites, and other activities, you jeopardize the security of all of your accounts if just one gets hacked. Hackers are smart enough to know that if your password to “website.com” is 12345678 and your user name to “website.com” is user@gmail.com, they will try to log in to the Gmail account with the password they have uncovered. You should choose a random password and change it at least every 90 days if not sooner.

Consider reading the terms of service or user agreements to find out how the service works. This is very important if you intend to take advantage of a free 30-day trial. It is possible you will not have access to the data after 30 days without paying for the service. Think about encrypting your data or utilizing a service that includes encryption with data storage.

These are just a few suggestions for securing your data on the Cloud, and this is only a starting point.
I am not suggesting that no one should use the Cloud for storing data. For the most part, everyone who uses a computer, smartphone, or tablet is using the Cloud already. The Cloud can be an efficient way to centralize and share data with authorized users. I am suggesting you use it wisely, securely, and with the knowledge that you have done everything possible to protect the data you put on the Cloud.


Security Assessment at Appalachian State University

Posted on 30, May | Posted by RMA

The specific objective of this project was to provide the University with a “snapshot” of the existing security program in place at the BB Dougherty Administration Building, any gaps in the program, and potential responses to the gaps identified. Security policy, procedures, systems and organization were examined for level of technology, appropriate application, and the efficiency and effectiveness of deployment. Consultants prepared specific recommendations to address the deficiencies or gaps identified. Recommendations addressed each threat/vulnerability in a practical and pragmatic manner.

Appalachian State University is nestled in the Blue Ridge Mountains of North Carolina. Appalachian State University offers a challenging academic environment, energetic campus life and breathtaking location. Appalachian combines the best attributes of a small liberal arts college with those of a large research university. Known for its value and affordability, Appalachian enrolls about 17,000 students and offers more than 150 undergraduate and graduate majors. Small classes and close interactions between faculty and students create a strong sense of community, which has become an Appalachian hallmark. Appalachian, located in Boone, N.C., is one of 16 universities in the University of North Carolina system.


Dana Frentz Attends IAHSS Annual General Meeting

Posted on 23, May | Posted by RMA

Dana Frentz attended the 46th IAHSS Annual General Meeting in San Diego, CA, May 18, 2014, through May 21, 2014. The meeting was held at The Hyatt La Jolla.

Speakers and topics included:

• Keynote Chris Van Gorder – Security Officer to Present Day CEO
• Russell Jones, PhD, CPP, CHPA – If Disney Ran Your Security Department
• William Koffel, P.E., FSEPE – What Is The Impact of NFPA 101-2012?
• Donna Palomba – Jane Doe No More
• Ben Scaglione, CPP, CHPA – How The Affordable Care Act Has Changed Security
• Howard Adams, PhD – Building High Performing Work Teams
• Howard Adams, PhD – Strategic Project Planning: Vision to Execution
• William Richter, RN – Active Shooters in Healthcare Setting
• Martin Williams – Conducted Electrical Weapons (CEWs) Within a Comprehensive Use of Force Model
• Kevin Tuohey – Facility Design and the Security Role
• Jeffery Young, CHPA – Consolidation: Security’s Contribution to Sustainable Healthcare Costs
• Roger Sheets, CHPA and Rocky Prosser – Managing Prisoners in a Healthcare Environment

The International Association for Healthcare Security and Safety, or IAHSS for short, is the only organization solely dedicated to professionals involved in managing and directing security and safety programs in healthcare institutions. IAHSS is comprised of security, law enforcement and safety individuals dedicated to the protection of healthcare facilities worldwide. IAHSS strives to combine public safety officer training with staff training, policies and technology to achieve the most secure hospital environments possible. Additionally, the IAHSS partners with government agencies and other organizations representing risk managers, emergency managers, engineers, architects, nurses, doctors and other healthcare stakeholders to further patient security and safety.


Held Hostage by a Dishonest Employee

Posted on 16, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I recently was involved in a case in which a company employee was discovered using a company credit card for personal reasons. This happens occasionally, and one would think that immediately terminating the employee would resolve the issue. But what happens when the employee is the one and only IT person for the company?

Many companies have only one person to manage all of their IT needs. There is nothing wrong with this. Considering that 99.7 percent of U.S. employer firms are a small business (http://www.sba.gov/sites/default/files/FAQ_Sept_2012.pdf), having a sole IT person may be very common. The problem with this situation is the lack of oversight and management of the IT person by company executives and owners. What are the consequences caused by this scenario? How can companies and organizations prevent the backlash experienced when a single person has the “keys to the kingdom”?

This issue can occur in any business with a small IT staff. This particular case involved an employee who had been with the company for eight years. In that time, the employee came to be the only person who dealt with all IT issues. He managed the website, the phone system, the internet service, all servers, all workstations, the data connections for multiple facilities – you get the point. The employee could have brought the company to a standstill for several days if not several weeks, if he had wanted to do so. It was not until the decision was made that he needed to be fired that someone finally asked the question “What does he do, and can we do it without him?” The answer was, “No.”

In this case, the employee was being terminated for cause. What if he had been hit by a bus? The company would still be in the same position. The only option left for the company was to hire someone to come in and inventory the network to help them prepare for the employee’s termination. This involved hundreds of man hours. Fortunately, the transition was successful and the company lost no production time.

There are several steps that can be taken to prevent this from occurring in your business. The person responsible for a company’s IT needs should document everything and provide this documentation to management or ownership in a reviewable format on a regular basis. This document should be considered a living document, and any time there is a network change or system change, the document should be edited to reflect the change. The document should include but not be limited to:

  • A list of service providers and all information needed to contact this service provider for support or changes. This includes the Internet service provider, phone service provider, web hosting company, cell phone provider, cloud services, or any other service provider used by the company.
  • Administrator passwords. These can be sealed in an envelope and/or put in a safe.
  • Device passwords and configuration. Think about firewalls, switches, wireless routers, and other equipment.
  • Software passwords and configurations. The IT administrator may be the only person aware of specialized software used in the office that requires specialized configuration or passwords. Make sure this information is documented and available to company executives.
  • Procedures for backing up and restoring systems.
  • A “What if…” document. This document would include instructions on how to deal with and recover from system outages, power outages, or other unique IT failures.

Depending on your network, the information needed in this document will differ. The best way to determine what you may need to document is to sit back and think of the problems created if your IT person were gone. What questions would you have? The document should answer all of these questions. It is also important to make the person responsible aware that this document is a “Continuity of Operations” document. There are many reasons why an IT employee may not be able to come to work, but their absence should not disable any part of the IT infrastructure.

It is also critical to make sure there are two people on the point-of-contact list with all service providers. The second person on the list should be an owner or executive of the company. If the IT person should be unable to perform his or her duties for any reason, the executive or owner of the company can call the service provider and make necessary changes without jumping through a lot of hoops to gain ownership of the service.

Finally, have a third party review this information at least once a year. That third party could be an outside consultant or even a current employee with knowledge of the network and need for business continuity. An outside consultant has the advantage of being objective when looking at an environment and utilizing their experience to help direct and drive a “Continuity Plan” that will protect the company in the event of any number of unexpected events.


RMA Presents Bring-Your-Own-Device Policies at RTP CFO Forum

Posted on 6, Sep | Posted by RMA

Chris Peterson and Russell W. Gilmore (http://www.rmasecurity.com/about-rma/team-profiles/russell-w-gilmore/) presented BYOD (Bring Your Own Device): Issues and Implications for Companies at the September RTP CFO Forum. The program discussed security issues and considerations for companies when employees connect personal devices to the company network. What issues need to be considered to accommodate lawsuits, audits, and records requests? How can companies prepare for lost or stolen devices? What steps can and should be taken when terminating employees?

The RTP CFO Forum serves the greater Raleigh, Durham and Chapel Hill region, supporting over 200 senior financial executives. The Forum is designed to provide interactive networking and discussion of technical and strategic topics in an environment created exclusively for senior-level peers. CPE is provided on select topics.

The RTP CFO FORUM is scheduled for the first Friday of every month, from 7:30AM – 9:00AM. Attendance is limited to CFOs or senior financial professionals in similar positions. The RTP CFO Forum is sponsored by Hughes Pittman & Gupton, LLP.


Stealing on the Way Out

Posted on 12, Aug | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

Having to terminate an employee is never easy. To make the process even more difficult, consider the recent survey conducted by Harris Interactive on behalf of Courion which stated that 19% of employees age 18 to 34 would take company data with them if they knew they were about to be fired. Read the full story here.

Depending on the employee’s position at the company, the termination process could be quite cumbersome. Before terminating an employee, it is good to think about their role in the company and what they have access to or control over. Each situation is different and should not be handled in a cookie-cutter fashion. Terminating the IT manager will involve different issues than terminating a sales person.

What steps can you take to minimize risk? Strong policies and procedures are a good starting point. If an employee knows that severe repercussions may result for data theft, he or she may decide against the theft.

As we’ve said before, there are opportunities for companies to preserve data and protect themselves prior to the termination process or as part of the termination procedure itself (When Employees Leave Data Should Stay). When it is evident that an employee must be terminated, steps should be taken to image the computer or devices used by the employee, even if a future computer forensic analysis is not needed. It may even be beneficial to image the computer prior to termination and again after termination. I have often been called to recover data deleted by an employee after they have learned of their impending termination.

As a consultant, I have assisted in a number of terminations, and they are all different. Proper preparation and forethought will not only benefit the company but protect the employee as well.


Security in the Office – A Checklist

Posted on 30, Jul | Posted by Christine L. Peterson, CPP, ISP

  • Comply with and support your company’s safety and security program and regulations, and insist that others do the same.
  • Protect wallets, keys, purses, and other personal valuables on the job. This especially includes smartphones and tablets.
  • Challenge strangers in restricted areas. The best way to approach this is from a helpful perspective, such as “Can I help you?”
  • Do not discuss company affairs off the job.
  • When leaving the office, even for a short period of time, clean up and secure your work space, with special attention to confidential documents. Also provide for the protection of company equipment assigned to you.
  • If you handle money as a part of your job, insist on positive identification before you cash checks, and refuse obviously counterfeit or questionable currency.
  • If you work in a retail establishment or any other business, guard against shoplifting and employee theft within the frameworks of the law. To deter shoplifting, speak to all customers in your area. Be wary of bulky coats, large shopping bags, partially opened umbrellas, and folded newspapers. Know your company’s policy on dealing with shoplifters, and adhere to it.
  • Make certain your employer has clear and adequate guidelines for handling complaints of sexual harassment.
  • Retain security guards, because they provide a substantial deterrent to the criminal’s expectation of success.

NC companies’ secrets at risk, cyber terrorism experts say

Posted on 22, Jul | Posted by RMA

In this day and age, sometimes it is difficult to discern truth from fiction. Greg Baker is an expert in the area of cyber terrorism and a leader in developing public/private relationships that work. In the later years of his career with the FBI, he was the face of InfraGard North Carolina.

InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.

We recommend this article on cyber terrorism and data theft. Both Greg Baker and Ryan Johnson provide good insight on the problem and steps that can be taken to lessen the possibility of your company becoming a victim of this costly crime. Take stock of what your company should do to enhance the security surrounding its sensitive and important data. Do some research and don’t be afraid to ask questions. It can be beneficial to have someone from the outside review and analyze the strengths and weaknesses of your company’s network and provide advice on what steps can be taken to secure your company network, systems, and data.

Whether or not a company works on classified contracts, it is at risk of cyber terrorism. Most of the time, companies do not even realize that they may be a target. No one wants to find out that their systems have been compromised, but most either have been or will be. How does your company address its cyber vulnerabilities?

Read the original article here.

Meat, tobacco, furniture and surgical products are just a few of the North Carolina exports booming in the Chinese market. North Carolina businesses’ secrets are also in high demand overseas, and cyber terrorism experts say many companies are not doing enough to fend off hackers.


Who’s Watching You?

Posted on 17, May | Posted by Emily Liner

Predators could be spying on you through your computer’s webcam. Criminals are now able to hack in and watch your every move – without you ever knowing it. Scary, right?


We’re all guilty of it: we use our computer, get distracted with something, and just walk away. We forget the computer is still on – and this is the key action criminals are counting on. Now they can access your webcam remotely, watching your most intimate moments from the kitchen to the privacy of your own bedroom. The worst part is, you may never even know.

Not only must we remain aware of our surroundings in public or walking through parking lots and decks, now we must stay vigilant in the privacy of our own home. Though there is little we as the public can do to fight hacking as a crime, we are not completely helpless against this threat. The basic solutions are all ones we’ve heard before. Have good anti-virus software on your computer. Do not click any links in your email – especially the ones from “Facebook”. Because Facebook has so many users worldwide, it’s the perfect cover to trick people into thinking the link is legitimate.

The best advice is to learn more about webcam hacking to better understand the risks. Luckily, just like many other appliances and technology, there is a light or another indication that the device is on or in use. Watch your webcam light to know if it has been activated. When it is not in use, cover the lens. This physically stops hackers from watching and recording your activities.


What is Sextortion?

Posted on 19, Nov | Posted by Michael R. Longmire, MPA

Sextortion refers to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion (Source: Wikipedia).

In recent months, we have been hired to assist clients who have made the mistake of hitting the send button and wishing there was some way to “get that photo back.” These cases normally involve men who for one reason or another engage in progressively suggestive text messaging or other digital communications with someone they believe to be an interested female, only later to find themselves paying to keep the communications from being circulated on the Internet or to friends and family members.

Typically, there is no actual intimate contact, and the request for money starts with a small loan sent through a coded Western Union payment. These amounts incrementally increase, as do the threats to expose the client’s indiscretions if the demands for payment are not met.

Federal and local law enforcement report an alarming increase in these criminal extortion cases, but find the victims unwilling to pursue criminal charges. More alarming are those cases where the victims are minors enticed into actual sexual encounters with a pedophile who threatens them after posing as a peer interested in exchanging photos.

Successful investigations require the use of computer forensics, intelligence gathering, surveillance, and effective interviewing skills… and the greed of the suspect who will continue the sextortion until deterred.