Monthly Archives: September 2015

Don’t Make Me Beg

As a security professional, published author, and frequent speaker about information security, I’ve observed that there is a relatively consistent role that denial plays in all data breaches.  It begins long before there is ever any data stolen and persists well through the discovery and resolution of the breach.  In my heart of hearts, I do not believe this denial is a conscious decision, rooted in a lazy attitude about security, but rather that denial is the path of least resistance.

How do we change the tenor of the discussion around information security such that it is easier to choose action over inaction?  Or funding over non-funding?  Or staffing over non-staffing?

Many who have attempted to answer these questions have buried the reader in statistics and anecdotal stories about how inaction, non-funding or non-staffing has ultimately led to an organization’s public humiliation.  Let me take a different tack: begging.

Please, please, please!  Please take seriously the trust your company and customers have put in you to protect sensitive data.

Please employ column-based database encryption to protect my Social Security Number, credit card number and other private data.

Please implement east-west packet filtering to protect data centers from insider threats.

Please employ SIEM systems to help identify anomalous events on your data systems and infrastructure, so an attack can be properly identified.

Please prepare the procedures and plans necessary to efficiently and effectively respond to a data breach.

Please invest in vulnerability scanning and patch management systems to help keep your systems up to date, to prevent the exploitation of sensitive systems, or the lateral movement from non-sensitive systems to sensitive systems.

I make these pleas first as a consumer whose card data has been stolen on numerous occasions, and second as a security consultant charged with helping prevent and/or recover from the breaches that such a denial creates.

Never think you’re too small a target.  Never think you have nothing a hacker would want.  Never think that it’s impossible you could be targeted, or that you have been breached.

Denial is the mother of demise; take your charge seriously and don’t be in denial.

Corey Steele, Network and Security Engineer

Candy Crush Malware Isn’t So Sweet

It was Easter this year when my aunt warned me, “Don’t start playing Candy Crush. It will ruin your life.”  She spoke like she herself had hit bottom, but she clearly hadn’t.  I heeded her words of warning, and today I’m glad, because today I’m seeing reports that malicious versions of Candy Crush, Plants vs. Zombies, and Super Hero Adventure (among others) have made it into the Google Play Store. [1]

If, by chance, you fancy a game of Plants vs. Zombies or Candy Crush, and you recently installed it (or updated it), you would be well advised to uninstall it.  But how do you avoid malware on your mobile devices to begin with?

There’s good news and bad news about malware on mobile devices.  First, the bad news: statistically, you’re exponentially more likely to get malware on an Android phone than you are on an iOS device.  The good news: our friends at ESET have a very robust antivirus suite for Android devices. [2]

“But wait, there’s more!”

Not only is the ESET for Android product capable of identifying malicious apps on your mobile, it also boasts a host of features including antispam, anti-theft, personal data protection, and call/text screening filters.

“And all of this for the low, low price of $14.95!” [2]

Personally, I’ve been running ESET for Android for more than a year, and in that time it has saved me from installing either malicious software or software that would push ads to my device.  Hopefully, your success will be similar.  If you have ESET in your corporate environment, talk to your HPN Account Representative about options for licensing ESET for your company’s mobile devices and enjoy the same great protection on all your corporate endpoints.

Corey Steele, Network and Security Engineer