April 23, 2014

SF 702 Security Container Check Sheet

What is the Standard Form (SF) 702 Security Container Check Sheet?
If you deal with security containers (a.k.a. safes), you will likely need to deal with an SF 702. You post one for each container in a conspicuous location on the outside of the GSA-approved container, vault door, or secure room. It is used to record who opens the container, who closes it, and who does the check at the end of the day.

DoD Manual 5200.01, Vol. 3 mandates that all Department of Defense services and agencies use the SF 702 to record security checks of all vaults, secure rooms, and safes. The SF 702 helps security officials assess container maintenance requirements based on usage, and it helps with security incident investigations. It is also an inspectable item that you should get in the habit of filling out. It really isn't difficult to do once you know what is expected. If you remember the five points in the SF 702 Instructions, you will be filling it out like a pro in no time.
How to fill out an SF 702 Security Container Check Sheet.
If you use an SF 702, then you will likely need an SF 701 as well. Check out our SF 701 Instructions post.

April 22, 2014

Child Blogging Security

While filling a quiet, rainy day by clicking through various Internet postings, I stumbled upon Slap Dash Mom's 10 Reasons to Let Your Kids Blog. I often write about the dangers of posting too much information (on this blog and at my day job), so you can only imagine my initial shock to read this headline. Why would you let your young children blog?

Realizing I am what some consider paranoid, I read her entire post trying to keep an open mind. She listed a few educational reasons (i.e. typing, reading, writing) and stated that it provides a creative outlet for children to explore. As somebody who started this blog to improve my writing skills, I understand the educational aspect. However, my main hesitation towards children blogging is my concern about sharing too much personal information online. Of course, comments on the main article like the one below cement my concern.
"A day to day for kids is a blogging, it just need to be written on a diaries or websites."
Let me make one thing clear: diaries and websites are totally different. Diaries are great for working out inner thoughts and dialog, because the audience is limited. A child should have a diary or personal journal. Afterwards you have the option of destroying the diary entry with little to no consequences. Websites are public domain and open to the whole world. Plus, your entry lives on forever. Slap Dash's children had a website called "Watermelon Toilet." I say had a website because Internet searches bring up dead links for it and the domain appears to be open for purchase. Fortunately, the WayBack Machine archives the Internet to show us snapshots of websites in time, and Watermelon Toilet is no exception. Things live on forever on the Internet!
Many people are lulled into a false sense of security as we type behind a computer screen in the comfort and safety of our own home. The Internet provides us the capability to reach a worldwide audience from the comfort of our couch. This is difficult for some adults to fathom, let alone a child. Before allowing children to blog, parents need to have the talk. That's right, the security talk!

Before the talk, some stats:
  • 56% of teens receive requests for personal information
  • 42% said they have posted personal information online
  • More than 29% of Internet-using children freely give out their home address, email address and other personal information online when asked.
Be careful about what information you place on the Internet. You can't just delete it afterwards. Things can go viral and get out of hand very quickly. It could end up on the screen of somebody with ill intent. I am not just talking about child predators, but identity thieves. Due to our ever-connected digital age, child identity theft has been on the rise.
Prior to posting, parents should review the information and photos to see if they could be misused. Your job as a parent is to protect your child by balancing risks and growth opportunities. Carefully consider what is being posted. Would it create fodder for a potential bully or something else? Would this be something that could impact them 10-20 years from now (i.e. college admission, job)?

In 2012, Tertia Loebenberg Albertyn saw pictures of her children being used to scam people out of money. Scammers were using her online photos to create a hoax to con people into donating money.
As a parent, would you be willing to deal with scammers using your child's images for cons? These are things you must consider when posting to the web. If you're not willing to deal with that, then you should not let your child blog.
Remind your children that the Internet is a public place that anybody with Internet access can read. Would they be embarrassed if somebody from school found it? If you're not willing to read it in front of family members and strangers at a busy supermarket for everybody to hear, then you should not write it on a website.

What are your thoughts? Do you allow your minor child to blog? If so, what security precautions do you take? Please let me know in the comments.
About...Kid's Safety (2008). Loss of privacy. Retrieved from http://kids.getnetwise.org/safetyguide/danger/privacy
Ford, M. (28 May 2012). When photos of your children are used in an Internet hoax. BlogHer. Retrieved from http://www.blogher.com/when-photos-your-children-are-used-internet-hoax 
Ross, J. (30 August 2013). How to prevent child identity theft part one: How parents can help. Huffington Post. Retrieved from http://www.huffingtonpost.com/joe-ross/how-to-prevent-child-identity-theft_b_3843908.html 

April 12, 2014

Experian Data Breach

In general, the media has been quiet about an incident that potentially left records of 200 million Americans exposed to identity theft. Since it deals with one of the largest credit reporting bureaus, Experian, it is slowly starting to build up momentum. The data breach is part of the court case dealing with Experian's 2012 acquisition of the California-based data firm, Court Ventures.

Prior to the acquisition, Court Ventures had an information-sharing contractual agreement with the company US Info Search. The agreement permitted these companies complete access to each other's databases.

Court Ventures sold subscription access to the databases to Mr. Hieu Minh Ngo's online service catering to identity thieves. Mr. Ngo pretended to be a US-based private investigator to purchase unfettered database access, paying with monthly overseas money wires from Singapore. From 2007 to February 2013, his identity theft business sold sensitive information (to include Social Security Numbers, driver's licenses) on more than 3 million Americans. In 2012, Experian became involved in this fiasco by acquiring Court Ventures, along with its debts, liabilities, contracts (i.e. US Info Search), and customers (i.e. Mr. Ngo). While the breach started long before Experian's acquisition of Court Ventures, it continued on for 10 months after the purchase. It appears that Experian failed to do its "due diligence" in properly studying its purchase prior to the acquisition. You would think that a company portraying itself as a data breach and identity theft expert would question why a US-based investigator uses overseas money wires for monthly payments.

Throughout this whole ordeal, Experian continues to stress that no Experian database was accessed, and that they are a victim in this case. Granted, it appears US Info Search's database information was used through the third-party contract agreement previously set up with Court Ventures. Technically, their database was not accessed, but for almost a year Experian accepted payment from the identity theft service. They profited while millions of Americans had their sensitive information turned over to identity thieves.
Under oath in front of a US Senate committee, Experian CEO Mr. Tony Hadley stated "we know who they are [the victims], and we're going to make sure they're protected." Yet there is squabbling between Experian and US Info Search on who is really responsible for notifying the affected consumers. At the time of this post, there appears to be little to no evidence that any of the true victims (you know the Americans who had their information sold to identity thieves?) were notified about the breach. The finger pointing between Experian and US Info Search continues, so this could potentially get ugly.
On a brighter note, both parties are cooperating with law enforcement agencies while this is being investigated. 
So what is an average person to do? Is it time to panic? No, let us not panic...not yet! Here are some precautionary steps you can take.
Security recommendations for potential victims.
- Continue to monitor your financial accounts for any unauthorized transactions. Immediately report any anomalies to your financial institution.

- Check your credit report. All Americans are legally entitled to an annual free copy of their credit report from the major credit bureaus. I recommend that you only access one every four months so you can monitor your credit throughout the year for FREE!
- Look into filing fraud alerts. You can file one for free every 90 days. Once you place an alert with one of the bureaus, they must legally notify the other ones.
- Military members may file an "Active Duty Military Alert." It acts similar to a fraud alert except it lasts up to a year. This is especially a great idea if you'll be deployed.
- If you're paranoid and do not plan on obtaining any new lines of credit in the near future, you could freeze your credit report. This primarily locks your credit file so others cannot access your credit history or score to open new accounts or lines of credit. You can temporarily lift the freeze by calling the credit bureau and providing your unique PIN. This is cheaper than most credit monitoring services, and practically achieves the desired effect. Fees vary by state; however, identity theft victims may be able to obtain this for free.

To place an alert or freeze click on TransUnion, Experian, Equifax, or Innovis.

Dissent (8 April 2014). EXCLUSIVE: U.S. Info Search is responsible for notifying victims of breach, not us- Experian. Office of Inadequate Security: Your info, their screw-ups. Retrieved from http://www.databreaches.net/u-s-info-search-is-responsible-for-notifying-victims-of-breach-not-us-experian/ 
Howard, C. (10 April 2014). New data breach may impact 200 million Americans. Retrieved from http://www.clarkhoward.com/news/clark-howard/consumer-issues-id-theft/new-data-breaches-threatens-impact-200-million-ame/nfWrt/ 
Finkle, J. (4 April 2014). Experian enmeshed in litigation over business that was breached. Reuters. Retrieved from http://www.reuters.com/article/2014/04/04/us-experian-databreach-lawsuit-idUSBREA331HU20140404 
Krebs, B. (20 October 2013). Experian sold consumer data to ID theft service. Krebs on Security. Retrieved from http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service/ 
Krebs, B. (5 April 2014). Fact-checking Experian's talking points. Krebs on Security. Retrieved from http://krebsonsecurity.com/2014/04/fact-checking-experians-talking-points/ 
Security Checks Matter (23 December 2011). Identity theft part IV: Additional protection measures. Retrieved from http://securitychecksmatter.blogspot.com/2011/12/identity-theft-part-iv.html 

April 9, 2014


Everybody across the Internet is vulnerable to this bug. The Heartbleed bug is a vulnerability in the popular OpenSSL cryptographic software used to implement HTTPS encryption in websites, email servers, and applications. This is what many web applications use to securely transmit information. It's like leaving thieves the keys to the palace. Through this vulnerability hackers can clearly read a server's memory for encryption keys, usernames, passwords, emails, instant messages, credit card numbers, and other sensitive data. Some experts claim that this major vulnerability affects around two-thirds of web servers. Even a major Web mail service, Yahoo Mail, fell victim to this bug, but has since patched it.
The bug's official name is CVE-2014-0160, but that name is not very catchy. Experts dubbed it Heartbleed, since it is a vulnerability in OpenSSL's implementation of the TLS heartbeat extension.
According to Heartbleed.com:
"Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously."
What should you do?
Check out the Heartbleed test to see if a server is still using the vulnerable OpenSSL. You can also contact the server's customer service line (if available) to verify.
If it is still using this version, do not log into the account. Avoid logging into the site until you know it is safe.
If the server is good, immediately change your password, even if you have two-factor authentication enabled. Check out our "commonly common password" post for tips on setting a strong password.
Review all bank account and other financial statements for unknown charges, since this vulnerability impacts financial accounts as well. 
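To show what "a vulnerability in the heartbeat extension" means in practice, here is an added example (not OpenSSL's code and not from the sources cited in this post) of the length check a heartbeat handler has to make, using the message layout from RFC 6520. The function and sample names are hypothetical, and the two sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* heartbeat_request message type (RFC 6520) */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 padding bytes */
#define HB_DISCARD     (-1)

/* Hypothetical helper: validate a received heartbeat message and copy the
 * payload to echo into out. Returns the payload length, or HB_DISCARD. */
int hb_echo_payload(const uint8_t *msg, size_t msg_len,
                    uint8_t *out, size_t out_cap)
{
    /* Layout: type (1 byte) | payload_length (2 bytes) | payload | padding */
    if (msg_len < 1 + 2 + HB_MIN_PADDING || msg[0] != HB_REQUEST)
        return HB_DISCARD;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The check Heartbleed lacked: the length the sender claims must fit
     * inside the bytes that actually arrived. */
    if (1 + 2 + claimed + HB_MIN_PADDING > msg_len)
        return HB_DISCARD;
    if (claimed > out_cap)
        return HB_DISCARD;
    memcpy(out, msg + 3, claimed);
    return (int)claimed;
}

/* Constructed sample: 5-byte payload, length field says 5. */
int hb_demo_honest(void)
{
    uint8_t msg[3 + 5 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x05,
                                            'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return hb_echo_payload(msg, sizeof msg, out, sizeof out);
}

/* Constructed sample: same 5-byte payload, length field claims 16384. */
int hb_demo_mismatched(void)
{
    uint8_t msg[3 + 5 + HB_MIN_PADDING] = { HB_REQUEST, 0x40, 0x00,
                                            'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return hb_echo_payload(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    printf("honest: %d, mismatched: %d\n",
           hb_demo_honest(), hb_demo_mismatched());
    return 0;
}
```

A handler that trusts the claimed length instead of comparing it with what was received copies whatever sits in memory after the message, which is why changing passwords only helps once the server has been patched.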

Aamoth, D. (2014 Apr 9). How to protect yourself against the Heartbleed bug. TIME Magazine. Retrieved from http://time.com/55337/how-to-protect-yourself-against-the-heartbleed-bug/
Codenomicon. (2014 Apr) The Heartbleed bug. Retrieved from http://heartbleed.com/ 
Goodin, D. (2014 Apr 8). Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style. Ars technica. Retrieved from http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/ 

Nieva, R. (2014 Apr 8). How to protect yourself from the 'Heartbleed' bug. CNET. Retrieved from http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/ 

April 3, 2014

Baseball related security posters

The temperatures are rising, and you can begin to see signs of spring. If you're a baseball fan, then you know those signals mean baseball season is upon us. Sports metaphors make for great security posters, because both security and baseball require all team players' active participation in order to win! Mix up your security awareness program with some of these old and newer baseball-themed posters to entice the sports fan to be part of the winning security team.

Contact Security Today





April 1, 2014

Creating Real Security Awareness: Step 6, Execute

Put that plan into action!
Welcome to our Create Security Awareness series' seventh installment, step 6: execution. This is when you place your awareness material out there. However, you should first review the communication plan developed back during step four. Remember, the communication plan is the road map you came up with for getting your message across to your audience. It lays out the communication platforms you previously selected.

Now it's go time!

How short or long the awareness campaign is, is completely up to you. You can have it spread out over a week, a month, or a quarter (three-month period). This depends on how much material you have, the workload, and how in-depth you want to get. Whatever length and intensity you choose, I recommend spreading the material throughout the campaign's time frame. You want to start and end on a high note with your best material, while having everything else sprinkled throughout the middle. Don't do a major blitz of information at the very beginning. You need to give your audience time to digest the information, and they do that best in chunks.

When in the execution phase, keep these things in mind.

1) Be consistent and stay on message. Have all material supporting one key concept.

2) Be adaptable and capitalize on opportunity. Other opportunities to present your message may become available. Sometimes you'll come across articles or other items that could easily supplement what you are trying to do. These are freebies to add diversity to your awareness campaign.

3) Create word-of-mouth buzz. When I start a campaign, I give the leadership an opportunity to review the material before distributing to the rest of the workforce. Typically they will see something they like and recommend it to others within the organization without me prompting them.

Even though the write-up is short for step six, I find it takes up most of my energy. Placing information out there for public consumption can be draining. Fortunately, there are various digital platforms that permit you to pre-load material and schedule releases. This helps you place part of the campaign on auto-pilot while you take care of other items. If you're using printed media (i.e. posters, handouts), try talking to facility managers, department administrators, or people in similar positions about having them hand out or post material in their spaces. You would be surprised by how many people are willing to help out.
