Wednesday, December 10, 2008

How do the bad guys get my stuff?

This is a question that has no definitive answer. Essentially, the attackers are getting more and more sophisticated in just about every way you can imagine, and in ways you can't. Data is now the currency of thieves, and the world is so deeply entrenched in being networked (even your refrigerator can be connected) that it's overwhelming to try to consider everything you might be doing to expose yourself.

What people often forget is that the bad guys aren't usually out for you. Instead, they are out for anyone they can get ahold of. Think of it in terms of sales campaigns where everyone in the country might get a flyer which offers a product. If you send out 300 million flyers, you only need a very small percentage to respond in order to make out like a bandit! The same principle applies to most of these attacks. The bad guys might scan huge segments of the internet to try to find a small percentage of holes that might help them get what they're looking for.

A quick list of attacks or vulnerabilities that help bad guys steal your personal information:
1. Dumpster diving
2. Worms/Viruses/other malware
3. Social engineering
4. Spam/phishing emails (think scammers)

The list above is ridiculously generalized and literally the tip of the iceberg, BUT these are by far the most common means of theft and are really easy to secure against.

Here are some things you can do to protect yourself (in order as listed above):
1. Shred everything! If your name is on it, shred it. Even if your name isn't on it, shred it! Cross-cut shredders can be bought just about anywhere (Wal-Mart, Best Buy, Staples, etc.) and they do a great job of deterring the common dumpster diver.

2. Worms/Viruses/Malware are essentially small applications that have been crafted by attackers to perform a specific function on your PC/iPhone/etc. without you knowing about it. This is by far the trickiest part of keeping your data out of the bad guys' hands, because they are so damn clever anymore. Not only are the viruses designed to hide themselves and reproduce, they are made so often that a lot of antivirus vendors (Norton, McAfee, etc.) can hardly keep up with the volume. Despite the AV vendors' struggles, make sure you have one of their products, keep it up to date, and scan for viruses often. Antivirus definitions are published regularly, so it may be in your best interest to set your AV software to auto-update. Another good idea is to stay away from sketchy sites! Even legit websites can unknowingly spread a virus, but you can almost bank on the naughty sites to pilfer this stuff. Try to stay away from anything that offers a free download or free anything for that matter. You know the old saying...nothing is for free. I'll go much deeper into this subject another day.

3. Social engineering is basically the art of getting you to spill the beans. It's essentially the same thing as a con man, except it doesn't have to be like it is in the movies. No, instead it could be a casual conversation on a flight to Albuquerque where you might divulge where you grew up and where you went to high school; if you celebrated a birthday recently, you might share your DOB. Those three elements alone are likely enough for me to start Googling around to fill in any blank spots to steal your identity. I know it seems ridiculous, but it really is that simple. Easier yet, these guys are trolling through MySpace, Facebook, and the like. Suppose you join a group on Facebook and the bad guy has made it a point to join every group he can find on Facebook. Once you join a group, your profile is available. Oftentimes the profiles on Facebook, MySpace, etc. provide more than enough information to commit ID theft. Trim your profiles to include nothing meaningful. Your friends should already know your birthday ;) so keep it to yourself. Or share that info via an email instead of posting it for the world to see.

4. Spam/Phishing is usually easy to spot. We've all seen the Viagra, colon cleanse, or "Claim your prize now" emails. Spammers, again, are trying to get even the smallest percentage of users to fall prey to their attack. Simply put, do not open/read/reply/forward any email you get that doesn't come DIRECTLY from a person you know and trust. Delete that garbage and don't look back. Also, if there is an attachment in the message and it isn't from a friend...delete it! Phishing is a little trickier as it appears to be legitimate. If you get an email about your PayPal, or bank, or any other business relationship you might have...take down any interesting info, and delete the email. Do not respond. Instead, call them directly and ask what the deal is. Chances are, it was a phishing email in an effort to steal important data.

Surely there is a lot more that can be done, and needs to be done, but I'll write that up in separate posts, to try to keep people from falling asleep =D.

Till next time.

Monday, December 1, 2008

What's it about?

Welcome to Information Security with Merritt!

The goal of this blog is to provide news, tips, how-to's, discoveries, legislation, and general musings that might help you to understand what's at stake, and how to better secure your data.

This is really geeky stuff! I know that a lot of you either don't know or don't want to know the nuts and bolts of why things work the way they do. I assure you that I will do my best to make this blog simple and relevant to your everyday lives.

For those of you who might possibly be a bigger nerd than me, please contribute...or at least shoot me ideas or corrections via email!

A little about me. I come from an information security engineering background, where I have earned various information security and networking certifications. My day job includes performing security evaluations within the US finance and insurance sectors, leveraging various industry-standard techniques and methods. My reports are used to inform senior management of the risks (technical, administrative, physical or otherwise) as I perceive them, to help secure information assets (data).

I can't promise that everything I say will be true. I'll do my best to share good information, but I'm certain I don't know everything! I look forward to your feedback to help keep the information within this blog helpful and accurate.

I'll be back soon to publish my first article. See you then!

[with] Merritt