Using "Disposable" Email Accounts

Have you ever signed up for a newsletter only to then be spammed into oblivion by the newsletter authors and their various affiliations?  Ever receive a notice from your bank telling you that numerous attempts to access your account using your email address have occurred?  Do businesses ask you for your email address and you hesitantly give it to them only to receive an unending string of advertisements?

If so, you're not alone.  Our email addresses have become such a ubiquitous and even necessary part of our lives.  In fact, many of the entities with which we do business won't even let us sign up for their online services or give us an account unless we provide an email address.  Many people use their email address for everything these days, from online shopping accounts to bank accounts, to providing the email address to auto repair shops and department stores as a way to identify themselves in future business dealings.  Healthcare, investment, retirement planning, social security, and many others are all examples of where we willingly submit our email addresses to conduct business in our busy lives.

Email gives us a huge amount of convenience.  But giving our email address to all of these entities presents a huge security risk as well.  At the very least, our own email addresses can be the source of information for others to launch tons of unwanted junk emails, SPAM, PHISHING emails, and just plain clutter.  There are not only the obvious annoyance risks but some serious personal security risks as well.

Security Risks:

Many times, our email address is also our username for the various accounts that we create online.  If that is the case, then half of the credentials needed to log in are already known or easy to guess.  If someone can find out where we do your banking, our shopping (most people shop at Amazon these days), and access our healthcare information, they quite possible already have half of the information needed to access the account.  And since people are in the habit of using the same password for all of their accounts, if a bad guy gets into one account, the rest of the known accounts are easily accessible.  

Another problem is that people have gotten into the groove of using the same formats for both usernames and email addresses - first initial and last name.  Their email address is jsmith@someemail[.]com and their username for many accounts is also jsmith.  If a hacker tries and fails with an email address, they have a pretty easy guess at what the username might be.  Whether or not the bad guy gets into your account, this then opens the door for a wide variety of problems, including identity theft, having our bank accounts drained, or them going around and signing us up for a plethora of newsletters and other online accounts just for spite.

Recommendations:

Besides being annoying, a lot of SPAM email also contains phishing links and tactics or has embedded malware.  And many of the newsletters that we may sign up for only need our email address at sign up so that they can send a verification email to make sure we are a human (and not a bot).  They send the verification email with a link, we receive the email, click on the link to verify, and then that email is really never needed by that account again unless they want to send more SPAM.  So having said that, there are a number of recommendations that will help from having the main email address compromised or used for SPAM purposes: 

• Use as a "main" (primary) personal email address ONLY for emailing family and close associates.  Do not give this email address out freely.  Use this main email address to get notifications from top-tier accounts such as a bank, investment, health-care portals, and a few other critical accounts only as needed.
  
  
• Do NOT use your email address as the username for your top tier financial and health care accounts mentioned above if at all possible.  If they will give you a choice between an email address and a username to access the account, choose a username.  And then make the username complex.  Many people use their first initial and last name as a username.  That is way too easy to guess.  Instead, use something as complex and jumbled as you would a complex password.  For example, if my name is John Smith, instead of username jsmith  I might select a username like M@rtyM00s3!! with which to log in.
  
  
• Use two-factor authentication wherever possible.  Especially at banks and healthcare portals.  Most of those entities allow, and in fact, some now require two-factor authentication such as sending a PIN to your phone or sending a code to your email account that you will also enter at login.
  
  
• Get a secondary (tertiary, etc) email address from one of the free online email providers, such as Gmail, that you use to sign up for newsletters and online discussion forums.  When the spam gets to be too much, stop using that account.  But then your primary email address remains unaffected.
  
  
• Get a "disposable" email address from one of the providers mentioned in the videos listed in the resources below to use for the purposes of newsletter sign up and one-time verification.
  
• Under NO circumstances use your official or work email to sign up for your personal accounts.
  
• Do NOT use the same password for all of your different email addresses, and make your passwords for all of the accounts complex (at least 12 characters, a mixture of upper and lowercase letters, numbers, special characters, and NO dictionary words).  A robust password manager such as Dashlane or Roboform will help manage all of the various passwords.
  
  
• Do NOT use initials and names for your disposable or secondary email address that allows people to easily guess your full name.  If I am setting up a disposable email address for use in signing up for a newsletter or product notifications, instead of wflinn@disposableprovider.com, I might use nococyberguy43@disposableprovider.com.  The disposable email providers typically present you with a randomized email address - use that if you wish.

Email provides us with a great deal of convenience but can be a source of a great deal of risk and even annoyance.  Your primary email account should be guarded almost as closely as your bank account number.  It really is a shame that we have had to become so guarded about something as ubiquitous as an email address.  But more and more the bad guys are using our email addresses as yet another vehicle with which to exploit us, steal our identities, and drain our bank accounts.  But with a few simple measures, we can prevent these personal disasters and keep our information and accounts secure.


Resources:

Article: How to Create Disposable Email Addresses

YouTube Video:  How to create a disposable email address for website registration.

YouTube Video:  Disposable Email Addresses | Tech Bytes | Website of the Day

Cyber Security and Online Shopping

With the popularity of online shopping today, especially since everyone is staying home due to the pandemic, the importance of cybersecurity becomes even more essential to everyone. Shopping, even in the real world, involves money.  And where there is money, there are criminals ready to take advantage of unwitting people. Since much (most?) shopping is now happening in cyberspace, these criminals wasted no time in following the money trail straight to a valuable and highly exploitable target: online shoppers.

Online shopping became fashionable when people discovered one is free from stress and fatigue caused by crowds and traffic. There is also the convenience of searching whatever it is you want from your home, at your most convenient time and paying for it without waiting in line. All of these with just a few clicks of a mouse. 

How They Do It

The anonymity of the Internet and the ability to easily obtain easy to use exploitation tools provide an easy avenue for even unsophisticated or inexperienced cybercriminals to do their work. They can target online shoppers, fraudulently obtaining the information they can use for their own financial gains. Criminals use three common ways of attacking online shoppers.  These aren't the only methods to be sure, but the three below seem to be among the most common recurring avenues to exploit the unaware online shopper.

Unprotected Computers

Unprotected computers are an easy target for viruses and other malicious codes used by cybercriminals to gain access to the information inside it. On the other end, online vendors have to protect their computers, too, against attackers who may access their customer databases.

Fake Sites and Email Messages

In the virtual online world, a site (or an online store) can be faked by these criminals, with no one the wiser.   It isn't too difficult for them to get an email list of people who have shopped at a particular site and then send bogus emails to those shoppers.  These fake sites mimic the legitimate ones and inherit the business, at least until they are caught or noticed.  One way you can tell that these are fake sites is poorly worded language or improper formatting is seen in the email that they send you, the site descriptions, policy pages, and other parts of the website.

Playing on Consumer Emotion During Holidays or a Crisis
Charities have been misrepresented before, especially during natural disasters or holiday seasons where people pour in donation money and aid.  Holiday shopping seasons, especially those times closet to the holiday itself, allow the criminal to play on the consumer's sense of urgency in buying last-minute gifts.  Never click on a link sent to you in an email.  Always go to the charity's website by typing in their known good URL in the web browser address bar. 

What YOU Can Do - Cybersafety Measures

Maintaining an up-to-date anti-virus program, a firewall and anti-spyware is always the three-pronged first line of defense in cybersecurity. They protect you against viruses and Trojan horses that may steal or modify your data and make your computer vulnerable. Spyware may also give the attackers access to your data.

Update Your Web Browser

Browsers are the gateway between your computer and the Internet. They must be kept updated with the latest security patches and software versions.  Use automatic updates whenever possible that the operating programs and utilities are up to date.  Microsoft browsers will usually update each month during the regular patch cycle.  Browsers like Chrome and FireFox typically update when you open the browser after a new update has been released. 

It is likewise important to check the default settings of your computer and apply the highest level of security. This will preempt the attackers to use the default setting of the programs. This applies primarily to browsers, email clients, etc. because these are the connectors to the Internet. 

Only Visit Reputable Vendors

Cybercriminals are very good at mimicking the sites of legitimate vendors and make it appear genuine. You need to verify their legitimacy before supplying any information. Keep the phone numbers and the physical addresses of these vendors which you can use in case of problems.  Again - Never click on a link sent to you in an email.  Always go to the vendor's website by typing in their known good URL in the web browser address bar.

Personally,  I use Amazon for just about everything.   No, I don't work for Amazon, and this isn't a plug or endorsement for them.  It's just that many of the things that I buy aren't even available at my local stores, Amazon carries nearly every product that I can find elsewhere online, and having an account at Amazon decreases the need to create many accounts at the many other vendors online. 

Security Features and Privacy Policies

As always, passwords and other security features add protection, if correctly used. Never use the same username and password over and over for every site that you have an account.  A robust password management program can help you with this.  Check the site’s privacy policy before giving out personal or financial information. You have to understand how your information is stored and used. 

Encrypted Information

Make sure the information you give out is encrypted. To check if it is, see if it includes a URL that begins with "https:" instead of "http:" and a padlock icon. If the padlock is closed, the information is encrypted. Know where the padlock icon is located in your favorite browser because some attackers use fake padlock icons to trick users. 

Use your Credit Card

Credit card charges have laws that limit your liability in case of fraud. This may not be the case for your debit card. Because debit cards draw money directly from your bank account, unauthorized withdrawals could leave you penniless. Needless to say, a record of your purchases should be kept aside. Report any discrepancies immediately.

Don't Give Them Unnecessary Information
When you do create an account at a vendor's website and fill out your profile, don't feel obligated to give personal information above and beyond that which is needed for them to properly process your order.  For example, they may ask for your birthday, which is not needed to process your order, but to send you an email on your birthday to get you to shop there again.  And unless you actually want to receive a barrage of emails from them, be sure to uncheck the box saying that you want to receive email from them in the future.  This is one way to help alert you to suspicious emails claiming to be from that online vendor.  If you opted out, but then receive a bunch of emails from them, either they are violating the law, or a scammer is using that business's image to try to attack you.

Log Out!
Don't just close your browser, log out of your account and then close the web browser.  Logging out will close the open session, and if you have your browser set to delete cached sessions, closing the browser will delete all of your cached information.  This is particularly important if you are using public computers, such as those found at a library or "cyber cafe" type of setting.

Wrapping it all Up

Shopping online is truly a time-saving, hassle-free, and fun way of buying whatever you want on the Internet. The presence of the ubiquitous cybercriminals stalking at every cyber corner, however, necessitates the need for good cybersecurity and awareness practices as well.  Pay attention to links sent to you in email.  Ensure that you only visit reputable charities and online businesses.  Use your credit card instead of a debit card.  Use proper password security and ensure that you are only visiting encrypted websites.  These simple ways will help you stay safe online, and help to keep you from becoming of these cybercriminal activities.

Stay Safe!

Telephone Scammers - They've Got YOUR Number!

All of us have experienced the frustrating ordeal of receiving call after call every day from phone numbers that are either junk sales calls or outright scammers trying to get our information.  Some calls are just recordings that start the minute that your voice is detected.  Some are just dead silence and the "caller" hangs up after you answer.  Sometimes I will pick up the phone and just wait without saying a word.  No background noise or anything, just dead silence.  Then after several seconds, they hang up.

Most likely, the number calling you is spoofed - that is that the number that pops up on your caller ID is not the actual number calling you.  Ever notice that many of these calls are from your same area code?  There are several types of software and calling systems that can be used to do this.  In fact, many political organizations who set up phone banks to make calls for their candidates and issues set these up so that their callers can sit at home and make these calls without their home pr personal cell phone numbers being revealed.  Some uses are indeed legitimate.  But the ones that are legitimate at least spoof a number that belongs to a legitimate office number or designated extension for the organization from which they are calling.

Easy enough to deal with this situation:  Just don't answer if the number that pops up on caller ID is not in your contact list or looks funny.  If it is a legitimate call, they will leave a message and you can call them back.

But what if the number they are using IS in use?  What if the number they are using to robocall thousands of people is YOUR phone number?  Now all of a sudden, you are receiving huge numbers of angry calls and angry text messages telling you to stop calling them.  Now people are threatening YOU because they think you are trying to scam them or harass them.

How They Do It:

Often, they will have found your number simply by using a random number generator combined with an autodialer. They just plug in the area code and start calling. They then record which numbers result in someone answering the call. If the call is answered, that person’s number can be used to spoof the scammer’s ID.

What you can do:

Unfortunately, not much.  There is no way to block this, and there is no way to stop them from using your number in their scam campaign.  About all, you can do is notify your contacts, and then hope that the scammers will get tired of using your stolen number after enough people block your number on their phones.

• You can try to prevent this from happening in the first place by simply not answering calls that are not in your contact list or that don't look familiar.  If you are able, set it so that your voicemail will not answer until several rings - like 10.  You'll have to tell your contacts you did this and that they will have to be patient in order to leave a message.  This will hopefully result in your number not being flagged as answered and therefore they will not use your number as a spoof candidate.
• Report this to the Federal Communications Commission (FCC).  Even though they can't do anything about it, at least they will have a record of you making the complaint.

• If your number did get selected as a spoof candidate, change your voice message so that your incoming callers know that it is not YOU that called them.

“Hello, you have reached <your name>.  If you are calling with regards to <your desired info here>, please leave a message. However, if you have received a suspicious call and my number showed up on the caller ID, please note: this number is being used in a spoof/phone scam campaign whereby suspicious callers are calling you, and my number is showing up in the caller ID.  I am not the one who called you.  If you have received such a call, or get any calls like this in the future, do not follow their instructions and immediately hang up.  Please block this number from receiving further calls” 

• If it doesn't stop, you might have to change your number as a last resort and let all of your contacts know about the change - this can be a real headache. 

 Telephone scammers should all be strung up and made to endure medieval tortures as far as I'm concerned.  This is not a legitimate income source, in my opinion, and all they are doing is annoying people and making thousands of victims by their one simple act.

Be aware, be vigilant, and don't fall for the scams.

Resources Used in This Article:

https://www.techjunkie.com/phone-number-spoofed-what-to-do/

https://consumercomplaints.fcc.gov/hc/en-us

https://www.bbb.org/article/news-releases/16670-a-new-kind-of-phone-scam-neighbor-spoofing

https://turbofuture.com/cell-phones/Telemarketers-Are-Using-My-Number-How-I-Stopped-Them

Family Cyber Security

Keeping your family safe today takes on another additional front – online or the Net. The perils that you and your family face whenever anyone is online are just as dangerous as in real life. There simply is a need for cybersecurity to minimize, if not totally deflect, these dangers.    Cybersecurity is not just to protect you and your children from online dangers. It is also to ensure that your computer is safe and secure – from your children. By following some simple computer practices, these dangers can be lessened.   The usual safeguards may not be adequate. 

Children, by nature, are curious and inquisitive. They like to explore things and satisfy their natural need to know.  As parents, there is a delicate balance on how long the leash we give out to kids to satisfy their natural needs and the necessity to protect them from the outside world and from themselves.  A child out into the Net, either playing a game, researching materials for homework or a term paper can be potentially harmed. It would not be uncommon nowadays for your child to accidentally stumble into a porn site, be unknowingly redirected to malicious web pages that infect your computer, or inadvertently click a link that infects the computer with malware that erases your own computer’s files.  Mistakes like these happen and your child may not be aware of them. Or if they are, they may not inform you what happened for fear of punishment. 

Another fearsome threat is the ‘online predator’. There is an old saying that "on the Internet, no one knows you're a dog." Because of the Internet’s natural cover of anonymity, these people deceive and manipulate other online users to get what they want. Adults are also common victims of these people, and it follows that children are even more susceptible to their dangerous manipulative schemes.

The following are some suggested safeguards in implementing cybersecurity in the family.

Be involved with your children’s activities - There are some activities you can do with your kids that will in effect allow you to supervise their activities. If this is not possible, you can always monitor their computer use – which sites they visit, the activities they do online, etc. If they are using email and chat rooms, try to follow who they are corresponding with and whether they actually know them.

Rules and danger warnings - Children should be made aware of online dangers. They must be able to recognize suspicious behavior or activities from the Net.  Encourage them to ask if they are not certain about something.  Also, let them know matter-of-factly that you will be monitoring their computer for suspicious activity. 

This will help you set out boundaries on their computer use. Everything, of course, should be appropriate for their age, knowledge, and level of maturity. It is not the goal to scare them but to make them be alert and aware. This includes sites they are allowed to visit, programs they can use, and activities they can do.

Separate accounts and other controls - Today’s operating systems already carries the option of creating different user accounts on one computer. You can create separate accounts for them to protect your own files and data from being accidentally accessed, modified, or deleted.  

If you don’t have separate accounts, consider limiting the functionality of your browser (like remembering passwords, other information, etc.) to preclude accidental access.

It is also important to keep your anti-virus utility, firewalls, and other safeguards up to date and active.

Some browsers allow you to restrict viewing certain web sites and protect these settings with a password. (click Tools, select Internet Options, choose the Content tab, click Enable under Content Advisor, etc.) 

Some service providers also offer services that protect children who go online. They can help filter and block sites that are not suited to children. The Internet is also full of special programs for children’s protection. Check those that suit your needs best. 

Open communications and computers - Set your computer in an open area of the house where everyone can monitor anyone’s computer activities. It can deter children from doing things not allowed.

Most importantly, communication lines between all members of the family should be kept open. The children must know that they can approach their parents at any time about anything they see on the computer. 

The world has become a place of uncertainty, especially since people from virtually anywhere in the world can pose a threat just by getting you to click on a suspicious email link or link on a webpage.  Computer online safety is very important, not just for good cybersecurity best practices, but also for the family’s well-being as a whole.  Life comes at you fast.  Are you prepared?

IT Asset Management - An Overview

Having an asset management program to keep track of all of your hardware and software is a valuable part of your cybersecurity program, as well as giving you a way to help manage support costs and productivity.  You can quickly determine how broad your footprint is in terms of how many different hardware makes and models you need to support as well as knowing your risk exposure by knowing the numbers and types of vulnerabilities that are applicable to your environment and having accurate inventories of all of your hardware.  Likewise, you can determine licensing requirements and how many different types of vendor software patches and updates will apply to your environment by knowing what software is in your environment.  By having a centralized management program and automated toolsets, you will be able to quickly find out what you have in your organization.  A well-organized asset management program will then allow you to properly inventory and secure your devices, as well as determine costs and lifecycle replacement schedules as well.  If you do not know what you have, you do not know how to secure it.

This article will serve as a quick IT Asset Management primer which will discuss the need for having accurate inventories and variety of tools out there that will help you with both hardware and software asset management.  A centralized and well-organized management system has the added bonus of also serving as a vital part of your security suite. 

Hardware Asset Management:

Knowing where your hardware is located, knowing how many different makes and models of endpoints you have to support, and keeping track of equipment life-cycle maintenance are all vital aspects of a good hardware asset management program.  From a security standpoint, you need to know what is connecting to your network, what kind of traffic it is generating, and you need to know if what is on the network is being properly managed with all of the necessary security tools.  To help you properly manage all of these things, you need to keep an accurate inventory of your hardware.

Your hardware inventories should include the following:

• Machine name
• IP address
• Operating system
• Make
• Model
• Serial number
• Date purchased and/or provisioned
• Location (city, state, address, etc)
• Assigned user (if a workstation or mobile device)
• Administrator (if a server, router, switch, or another network component)
• Last Inventory Report Date
• Up/Down Status

Examples of Tools That Will Help with Hardware Asset Management:

• Tivoli Endpoint Manager (BigFix)
• SolarWinds
• MobileIron (for mobile devices)
• Microsoft System Center (SCCM)
• ForeScout CounterAct

Software Asset Management:

Having a software standards list is vital so that you can determine what software and applications you are allowing to operate in your environment, and will help keep track of licensing issues.  A few of the key issues with software in your environment are:

• Is the software safe and secure?
• Are there common vulnerabilities and exposures (CVEs) that can be quickly mapped to your software by your management tools?
• Are you preventing yourself from exposure to legal issues caused by using software that you are not paying for?
• Are you spending money on software that you don’t use?

To tackle these issues, start by developing a software standards document. Your software standards document should contain a list of operating systems for both workstations and servers, and which firmware is installed on all of your routers, switches, and other network devices.  Don’t forget cell phones, tablets, and other mobile devices.  Keep track of the latest smartphone operating system versions and which applications you are going to allow your users to install.  Make sure to include the minimum operating system version to use as a baseline to determine compatibility and compliance.  Then, list each type of standard software that every computer in your environment should be using.  For example, all workstations would have some sort of office productivity software suite, so you would list Microsoft Office 2016 as the minimum version that you would want on every machine.

Also list all security software that MUST be installed on each computer, such as antivirus clients, patching system agents, and any other security utilities that you decide for your computing environment.  Again – list minimum versions.  This will be a very dynamic document, so as you install new and updated versions, be sure to update the Software Standards document.

Keep an accurate inventory of your software.  This will help with licensing true-ups, and will also help you to determine compliance with minimum software version numbers as mentioned above. These inventories need to be updated periodically to ensure accurate counts.  Your inventories should include the following:

• Software title
• Software version
• Publisher or vendor
• Where installed (which computers)
• Software usage information (when installed, how often used, etc)

Examples of Tools That Will Help with Software Asset Management:

• Tivoli Endpoint Manager (BigFix)
• SolarWinds
• MobileIron (for mobile devices)
• Microsoft System Center (SCCM)
• Carbon Black Protection

A word on “prohibited software.”  Things like peer-to-peer file sharing (“bit-torrent” types of applications), and streaming applications can lead to your organization running afoul of licensing and copyright regulations by allowing your employees to download protected material and store on your network.  This makes YOU liable for any infringements that arise.  These types of software programs also eat up bandwidth and performance on your network as well as causing your employees to be distracted and less productive.  Remote access tools (RATs) can leave your network vulnerable, especially if you are using a wide variety of these tools instead of selecting and standardizing one or two tools that you can manage and keep secure.  Many of these types of software programs are not secure and will potentially leave you with critical security vulnerabilities on your network that can be easily exploited.  Things like stock trading applications, games, and video streaming applications can be distractions for employees, lead to reduced productivity, and even lead to employee misconduct issues.  Make sure that your employee acceptable use (rules of behavior) policies state what your employees are allowed to do on the job, and be sure to monitor software installations.

Having old, outdated, and unsupported versions of even non-prohibited software will leave you vulnerable to unmitigated vulnerabilities. For example, I remember doing vulnerability analysis of our environment a while back - right about the time that Adobe announced that they would no longer support Adobe Acrobat versions 11 and prior.  I pulled vulnerability reports of all of our machines that had these older versions and found out that one single instance of an unpatched Adobe Acrobat 11 on a single computer accounted for 76 vulnerability line items.  Multiply this by hundreds of computers, and we had several thousand HIGH severity vulnerabilities.  I outlined more examples of this phenomenon in my article earlier this year on Vulnerabilities and Patches.  The bottom line is that old and unsupported software can leave your organization vulnerable with no mitigation.

Asset Management Strategies:

There are a variety of tools out there that will help you with both hardware and software inventories and have the added bonus as serving as your centralized patching/software update solution. Tivoli Endpoint Manager (aka BigFix), for example, has an entire suite of tools that allow you to do hardware and software asset management, patch deployment, secure configuration compliance analysis, and vulnerability analysis.  “BigFix” also supports Windows, MAC, and Linux based operating system components.  Microsoft System Center (aka SCCM) also allows for centralized patch management as well as the hardware and software inventory capabilities, but only for Microsoft based operating system components.  In addition, to make, model, user name, iOS versions, and phone number, tools like MobileIron allow you to see which apps are installed.  Centralized mobile management systems also give you the ability to send “wipe” commands to delete all of the data on a device that is lost or stolen.

IBM Endpoint Manager for Software Use Analysis:

ForeScount/CounterAct is a tool that connects to a SPAN port on your core switches to see all of your network traffic and uses NMAP to survey your entire network infrastructure to locate any device that connects to your network.  CounterAct allows you to create policies to classify devices, look for software installations, and even alert you when software has been added or removed from your connected devices.

Tools like Carbon Black and Microsoft AppLocker will allow you to set policies on what software can and cannot be installed and executed, and will also provide a technical means of automatic policy enforcement.   Carbon Black gives a very accurate software inventory and has the ability to provide administrators with an easy way to automatically approve or block software applications.

Here are some resources that will give a pretty good overview of the IT Asset Management program:

• CIO Magazine - Best Practices in Hardware Asset Management:  https://www.cio.com/article/3077893/best-practices-in-hardware-asset-management.html
• ITIL Docs – Guidelines for IT Asset Management Policy Operations:  http://www.itil-docs.com/it-asset-management-policy-itil-asset-management/
• DHS Continuous Diagnostics and Mitigation (CDM) Program:  https://www.dhs.gov/cisa/cdm

Stay Safe by Raising Your Levels of Awareness

I know - not cybersecurity or tech-related, but September has been designated as National Preparedness Month, so with that, I will be putting a series of articles here this month to help you become and stay prepared in times of emergency.  By keeping you and your family prepared, you will then be able to help your neighbors and co-workers with their preparedness also.

During times of emergency, you can either choose to be proactive or reactive. The difference is that by being proactive, you are more in control of the situation. If you’re reactive like most people, your awareness level is low. Sudden acts of violence that seem to spring out of nowhere can take you by surprise because you’re unaware of what is going on around you. There are thousands of people who have been victims of thefts, rape, robberies, and murders – all because they weren’t aware of their surroundings. All preppers should remember this mantra – if you’re not looking for it, you won’t see it coming!

Look Out For Things That Seem Off:

The first step to raising your level of awareness is to look out for things that may seem amiss or out of the ordinary. During a time of crisis, crimes will skyrocket. Even during peacetime, criminals are constantly looking for an opportunity to strike and they want an easy victim. It’s going to be someone… but you don’t want it to be you. If you notice the same guy walking by the street outside your house several times and you’ve never seen him before, do alert law enforcement. Do not assume he’s a landscaper. Something is amiss, and you need to be proactive. He could be casing your house with intentions to break in at night. It’s better to err on the side of caution.

Risk Management:

People by nature are not violent. Most of them abhor confrontation and physical fights because they do not want to hurt someone or get hurt in the process. However, there are some people who do enjoy causing pain. They may have anger issues or be mentally unsound. Burying your head in the sand and thinking that Mahatma Gandhi’s non-violent style is the way to go, will probably mean that you could end up as a victim. If you’re on the road and someone cuts you off, getting into a physical altercation with them may be tempting, but it’s not the way to go. Stay calm. If you’re outside and a group of youths makes fun of you, do not approach them to ‘sort them out’… let it go and move on. The first rule of survival is to get away from a dangerous situation. If you’re in a bus late at night and someone who looks creepy gets on the bus, stay alert and be aware of what they’re up to without making direct eye contact. Do not bury your head in a magazine or glue your eyes to your mobile phone. They could attack you in an instant and catch you unaware. It has happened before, and it will happen again.

Walk Confidently:

Just making yourself look confident and like someone that is not to be ‘messed with’ is enough to put off most criminals. The man who walks upright and scans his surroundings confidently gives off the air that he can handle himself. Criminals will steer clear of him because he doesn’t seem like an easy target. The man who shuffles meekly to his car while clutching a newspaper under his arm as he balances his cup of coffee while trying to use his phone pinched against his ear with his shoulder as he opens the car door has the words ‘mugging victim’ written all over him. Act brave. Look tough and be alert… even if you’re quaking in your boots. Presentation really matters.

Teach Your Children Well:

Teach your children not to trust strangers. If someone calls the house pretending to do a survey and the kid answers the phone, they shouldn’t disclose if there’s no one at home. Or mention that their mother is busy doing the dishes at the moment and there is no other adult around. It could be someone planning to rob the house. The people that your kids meet on the internet can pose serious threats too. Be very aware of whom they’re chatting with online.

Don’t Be Too Trusting:

Last but not least, NEVER be too trusting. No good deed goes unpunished. The guy having car problems by the road may have accomplices who car-jack you the moment you step out to offer assistance. If you told a few of your neighbors that you’re storing food supplies in case of an emergency, they’ll probably laugh at your paranoia. However, when crisis strikes and there’s a food shortage in your area, guess who is the first person they’re going to think of approaching or robbing. Yup… it’s you. Be careful of what you tell others. There can be severe consequences.

To wrap it all up, just know that during a crisis, you need to be extra vigilant and aware of what’s going on around you. Stay alert and you’ll be much more likely to pick up on little things that just don’t seem right. Your gut instincts will guide you. Listen to them and you’ll probably be safe.

September: National Preparedness Month

When we hear people talk about "preparedness," we often think of having supplies for that natural disaster, bug-out bags, get-home bags, first-aid supplies, and plenty of water to get by for a few days.  In my own case, I'm a CERT Instructor, so it's natural for me to think about preparedness in terms of these types of things, being prepared to provide security for my home or workplace in case of a disaster, and training CERT teams to be ready to deploy on a search and rescue mission.  Yeah - I'm "that guy" who carries around first-aid kits, emergency tools, my bug-out (get home) bag, and all sorts of emergency roadside assistance tools everywhere I go.  Emergency preparedness in my world is all about not only making sure that I and my family are secure but then being able to help others.

But emergency preparedness is also an important aspect of information security and making sure that our business resources are protected as well.  Now would be a great time to review your system security plans and system documentation.  Make sure that your contingency plan and business continuity plans are up to date.  Update your organizational charts and ensure that all of your emergency contacts, including both internal POCs and your various vendor emergency contacts are up to date.

Updating your telework policies and agreements is also an important aspect of preparedness for the business environment.  Telework locations may serve as the alternative work site for employees who are displaced because of damage or complete loss of their primary office space.  Make sure that your employees are trained for proper storage and security of work-related documents and information.  Ensure that those who are eligible and desire to telework have the proper equipment and an environment at their telework location that is well suited for telework activities.

CISA (US-CERT) released their reminder about emergency preparedness month and has good information about all of the things that I mentioned above, plus some cybersecurity-related issues such as dealing with malware, ransomware, and malicious code, and protecting against identity theft.

• CISA (US-CERT): September is National Preparedness Month: Be Prepared, Not Scared
• Ready.Gov: Prepared, Not Scared
• Ready.Gov: Cybersecurity

Be sure to visit some of the companies with which I have an affiliate relationship to learn about the emergency preparedness products for us humans that I spoke of before.  Great products and a great way to support this blog.

Part of being well prepared for emergency situations at home is having a plan for financial stability.  Visit Jay Morrison Academy to find out about entrepreneurship, homeownership, credit repair, wealth building, and financial education!

Staying Prepared for Terrorist Threats

Continuing with this month's theme of September being "preparedness Month" there is no doubt that terrorist threats are an all too real part of our world now.  And there’s no denying the fact that terrorist incidents are on the rise. While people debate on social media over whether or not the government should use certain terms to describe terrorism, the truth of the matter is that many people are dying from terrorist attacks worldwide.   These attacks have become a very real possibility due to globalization, the influx of refugees, and many other factors.  As a preparedness enthusiast, one doesn’t have the luxury of debating how things should be. Instead, you should be looking at how things currently are and staying prepared for them.  There have been stabbings, shootings, bombings and even people driving vans into crowds hoping to do as much damage to innocent lives as possible. The goal is always to strike terror and fear in the hearts of people.

So, what do you do? Follow the tips below and stay prepared.

Be Alert and Aware… But Don’t Be Fearful:

While a certain degree of fear is to be expected, you shouldn’t let it paralyze you. During the 9/11 terror attacks, millions of people were scared and glued to their TV screens as they watched the same scenes of the Twin Towers repeatedly.  This is pointless and only serves to frighten you further. The first thing you should do is to be aware of your current situation.  There are a few factors that will determine if the area you live in could be a potential target for terrorists. Are you living near a transportation hub or an airport? Do you work in an embassy? Do you live or work close to prominent people?  All these factors will raise the risks of attacks that may affect you. Terrorists always want to cause as much damage as possible. They’ll not travel all the way to a farm in Idaho to bomb a house with two seniors sitting in it. Terrorists want to inflict maximum damage. Asses the threat level in your area.

Be Calm:

Terrorists have a few ways to do as much damage as possible. One method is to have a primary bomb that detonates and kills. Following that, they will have a secondary bomb that is only detonated when the first responders such as the police and medical teams arrive. So, this causes even more damage and panic.  When a bomb goes off, the first instinct for most people is to run away. The second instinct is to rush back in and help those affected within the blast radius. Do NOT make this mistake.  Let the professionals clear the area first. Once it is deemed safe, there will be ways you can volunteer your help.  Also note that if you’re in a high-rise building, do not go to your window to see what’s taking place outside. The force of the second blast may shatter your windows and send glass flying into your face. Always hunker down and plan your next course of action.

Expect Higher Security:

Whenever terrorist incidents occur, security in the area tightens and gets very rigorous. Make sure you have your ID and important documents with you.  Leave a little early for work to get through additional security measures in your building.  Be a part of the increased security measures by locking doors, and watching who closely follows you into doors that you have to badge into.

Besides these tips, you want to be generally aware of the people living around you, the people you work with, etc. Watch what they do, what countries they are from, what their views are, etc.  The more observant you are, the more signs you will pick up, and if something is amiss, you can always contact the authorities. Stay alert always.

____________________________________________

I have a new affiliate relationship with MyMedic, a company that specializes in first aid kits.  Everyone needs to have at least an Individual First Aid Kit (IFAK) with them at all times.  Whether out hiking, taking a trip in your car, or working in your office, you need to be prepared.  Check them out and see how they can help you with your first aid needs.

 

Back-to-School Cyber Safety

The Department of Homeland Security, US-CERT, has published its back-to-school "Cyber Safety for Students" guide.  Lots of great information for students and parents alike.  The guide includes the Stop.Think.Connect toolkit, information for staying safe online, information for keeping children safe online, and a wide variety of other information to keep you and your family safe.  Good cyber safety practices now will help to prevent headaches later. 

Social Security Phone Scams

One of the latest phone scams is from a caller claiming to be from the Social Security Administration (SSA) and that your social security number is being used for fraudulent activities.  They claim that your social security number has been suspended because of this activity and that you have to talk to them to straighten it out and have your number "un-suspended."  Well - for one thing - social security numbers do not ever get suspended.  In many cases, the actual SSA customer number is spoofed on the caller ID.  They want you to press "1" to connect to the SSA and straighten out the problem.  When you do so, of course, they will ask you to "verify" your personal information.  They don't actually have your information, but when you "verify" you provide them with your information and can it be used for their identity theft activities. I was curious one time, answered the call, and pressed "1" to connect. I was greeted by a recording in English saying that I would be connected to an SSA customer service representative but was then connected with a woman speaking Chinese.  Some of these scammers have left messages on my phone, and they too were in Chinese.

This video shows an interesting perspective of these phone scammers by showing the goings-on of a scam call center, some of the tools they use, and how they operate.

If you don't recognize a phone number, simply don't answer.  If it is a friend not in your contacts list or other legitimate callers, they will most likely leave a  message and you can call them back.  But be careful - these scammers, particularly the SSA scammers, often leave voice messages and give you a number to call back.  You can often tell that this is a scam caller, however, by the robot voice.  If you ever want to be sure, look up the legitimate customer number for the SSA or other business that you need to contact.  Then call that number instead of the number left in the voicemail.

Media Protection - How to Dispose of Electronic Media

The need for media protection doesn't stop at protecting your media and data at rest, in transit, and in use.  When disposing of any electronic media such as laptops, hard drives, phones, and portable storage, it is important to make sure that all information and data on the device is properly removed.  In fact, many other devices such as cameras may also contain sensitive data such as pictures or files.  Yes - I have heard of people using their digital cameras in a pinch on which to store files because they were using someone else's computer or a loaner, and forgot their flash drive and needed to save a document onto a remote device.  As explained in this video, US-CERT released a bulletin that explains how to properly dispose of these devices.

For more information: US-CERT Bulletin 18-005

Refuse to be a Victim: Avoid Phone and Email Scams

Several times a day, we seem to get bombarded with bogus emails wanting us to click on links for “great deals” or to see an “invoice” being sent to us by some unknown company that we have never done business with.  And then there are the phone calls that magically originate from our same area code that want us to buy something, donate money, or even try to tell us that our PC is infected and needs to be “cleaned.”  One that I have personally experienced a lot lately is that a voice message recording is actually left (since I never answer from numbers I don’t recognize), and it is: 

“Hi, it’s Rachel – hey I am just getting back to you about the business financing that we discussed…” 

Well, “Rachel” never referred to me by name, and I never discussed trying to obtain business financing with anyone.  It was most likely yet another robocall trying to drum up business for someone who does financing, and they leave the same message over and over regardless of who they are calling.

  

In the age of the cell phone and most everything being sent by email these days, we are at the mercy of techno-savvy salespeople and even scammers.  So, where do they get our phone number and email address, anyway?  

Much of this information is publicly available because we are all on a list with companies that we have done business with in the past, or maybe even signed up with them for information on a product.  Many of the online services that allow us to sign up for periodic information and news require us to submit our phone numbers and email addresses.  Some companies sell these lists to others because we are potential customers for similar products or services.  These lists are easily obtained by other people who want to sell us something, and unfortunately by people with nefarious purposes in mind.  Those with a more criminal intent got this information on the dark web as a result of a security breach where someone stole the information.  The thieves then sell this information to websites run by bad actors for the purposes of identity theft and other types of fraud.  The LinkedIn breach of 2012, for example, released 167 million email addresses and associated passwords to potential criminals.  Many social media breaches divulge phone numbers and email addresses. 

So what can we do?  Blocking phone numbers is like playing a game of whack-a-mole.  Most of the time, the number that shows up on our caller ID is spoofed (not the real number).  And the spoofed number that they use is constantly changed.  Many times they use a number in our specific calling area so that we will think it is someone local to us.  Our service providers can’t (and won’t) keep blocking all these numbers for us.  They won’t because it is a never-ending game that would tie up their resources.  And about email – the same thing applies here.  If we tried to block the email address ourselves, it is an endless game, and they will only email us again using a different address.  The good news there, though, is that many providers, and especially enterprise email administrators where we work, do have a way to detect large numbers of emails that are the same and match known malicious or scamming patterns, and they can set rules to block these.

It is frustrating to be sure.  But there are some things that we can all do to at least minimize the annoyances, and prevent from becoming a victim of the more sinister attempts to steal identities.

Refuse to be a Victim:

1. Ignore the Calls:  If you don’t recognize the phone number on your caller ID, and it turns out to be a legitimate caller, they will leave a message.  Even if it is a legitimate sales call and they do leave a message, then you can simply delete the message if you are not interested.  But just be aware that even the scam perpetrators will leave a message to try to get you to call them back and give information or do something with your computer to allow them to access your data.  Just use discernment when you listen to the messages.  If you don’t know who they are, don’t call back.
   
   
2. Do Not Click on Links in Emails:  Hover over the link with your mouse and see what web address is actually revealed.  If the address looks phishy (suspicious), then don’t click on it.  If the email claims to be from one of your providers, like your bank, utility services, or health care provider, then go to their known good web address yourself and log in.  Most of these services, in addition to sending you an email, have a message area when you log in with important information on which you need to act.
   
   
3. Don’t click on Advertising Links:  If you are on a website and the advertising content or the product interests you, do a web search and see what reputable businesses pop up.  Then go to their website on your own.  Many of these advertising links, in addition to redirecting you to another website, also install fake and useless pieces of software that you don’t need, and may even have malicious code.
   
   
4. Robust PC Security Scanning Suite:  Many internet service providers provide a free security suite that you can install.  In fact, these security suites are usually very robust and include such things as real-time antivirus scanning tools, personal firewall, add-ins to direct your searches to results listings that are verified to be safe, and even password managing utilities.  My provider offers its customers the Norton Security Suite which does all of the above and additionally has a constantly updated list of known bad websites that alert us if we or another process on the computer tires to redirect us to one of the known bad sites.
   
   
5. Go to the Known Reputable Web Address:  As mentioned previously, never use a link in an email to go to a website that you want to visit.  Always manually type in the known good web address of a business or service.  You can always bookmark the address, and then use your bookmark for future visits, not the email link. Use a reputable search engine, such as one provided by the software security suite mentioned above, to find the known good address of the reputable businesses and services that you are seeking.
   
   
6. Use a “Throw Away” Email Address:  Many news sites and social media sites require an email address in order to sign up.  Use a “throw-away” or what we often refer to as a “disposable” email address for these.  Keep your primary email address for use with family and friends, and organizations that you actually do frequent business with, such as your bank, health provider, and utility services.  All others, just use the disposable email address.  That way, your primary email stays junk and “spam” free and is less likely to be compromised.

Technology has given us a great many tools to stay informed, stay connected with loved ones, and be able to do our business quickly and efficiently.  But this technology has also given legitimate salespeople ways to bombard us more with their sales pitches, and the bad guys a way to more easily lure us into giving away information or even our identities.  But there are some simple and free (or very inexpensive) things that we can all do to use our technology safely and keep from becoming a victim.  Use your technology wisely, use discernment, and stay safe!

For more resources and tips, please visit:

• DHS Cyber Infrastructure Tips:  https://www.us-cert.gov/ncas/tips
• CenturyLink – Tips for Email Safety:  https://www.centurylink.com/home/help/internet/security/tips-for-email-safety.html
• Microsoft – Protect Yourself From Tech Support Scams:  https://support.microsoft.com/en-us/help/4013405/windows-protect-from-tech-support-scams
• USAgov – Report Scams and Fraud:  https://www.usa.gov/stop-scams-frauds

Who Needs Cybersecurity?

While getting my morning coffee, I was asked an interesting question.  A gentleman noticed my “Cyber Security Services Division” hat and asked me if I really worked in cybersecurity.  I explained that I did and that I worked for the U.S. Department of Agriculture.  After some more discussion, he then asked me “Why does the U.S. Department of Agriculture need cybersecurity?”  The short answer to that question that I gave him is that since we are a government agency, we are required by law to have effective and continuously monitored security for our information systems under what is known as the Federal Information Systems Management Act (FISMA).

When many people think of the need for cybersecurity programs, the things seem to come to mind most often are large organizations who deal with financial/banking, healthcare, large retail that deals with credit card payments, and those with large industrial control systems.   There are various pieces of legislation and information security standards that these businesses must follow, or risk criminal and civil prosecution and penalties.  And the things that all of these large businesses have in common is that they deal with the information assurance principles of confidentiality, integrity, and availability, or what is often referred to as the C-I-A triad.  There are numerous privacy and business proprietary information issues (confidentiality), transaction and data accuracy issues (integrity), and service “up time” issues (availability).

In reality, though, the C-I-A triad of information assurance applies not only to large businesses, but small businesses and households as well.  EVERYBODY needs good security practices, including small businesses and even home users.  Cybersecurity is not just about following laws and staying out of the legal system.  The need for responsible and purposeful cybersecurity practices is about meeting an obligation to customers, employees, the business itself, and family members.   

As I often tell people, information security needs to be baked in, not sprinkled on.  What that means is that even small businesses need to think about good information security practices from the very first day of setting up the business, to the day the doors first open, and then all throughout the business’s existence.  Even home users should give some thought to using strong passwords for their personal accounts, practicing good email habits, such as NOT clicking on every link emailed to them without scrutiny, and securing their home WiFi routers.

Cybersecurity is for everyone, not just large enterprise networks with large IT and security budgets.  Implementing many security best practices are inexpensive.

If you are in Northern Colorado, contact me and ask about the various cybersecurity checklists and assessments that you can do, even at the small-business level, that will help you easily and inexpensively implement good practices, and keep your employees, customers, and even home users safer while online.