What's wrong with No Harm, No Foul when lost devices are recovered? (ScottWright) posted Mon May 13th 2013 @ 9:17 PM
I am always interested in hearing the opinions of the public, as well as those affected by security and privacy incidents. Recently, a USB drive that was lost by the Montfort Hospital in Ottawa was recovered. The hospital had already issued a breach notification to the 25,000 patients whose records were affected. One of the affected patients, Judith Lishman, wrote a letter to the editor of the Ottawa Citizen newspaper, explaining why she doesn't support a class action lawsuit that's being launched as a result of the breach. However, I think there's probably a good case for this lawsuit. Read More »
Is it fair to place Honey Sticks on employees' desks to see if they plug them in? (ScottWright) posted Tue May 7th 2013 @ 4:44 PM
In a recent discussion with an associate who ran his own Honey Stick Project (HSP) with USB drives in his organization, I learned that he chose to plant some of the intentionally lost devices literally on people's desks. This is a question I had considered years ago, when I dropped my first Honey Sticks. I even thought about dropping them in people's purses or bags. At first, I had thought that might be a little unfair to the employees. Perhaps they might not realize the device wasn't their own. After all, I can imagine many of us could have several devices, or maybe they were expecting to receive a device from somebody. Read More »
What's the difference between SMARTPHONE and USB Honey Stick Projects? (ScottWright) posted Thu April 25th 2013 @ 6:37 AM
While the approach may look similar, there is a subtle difference between conducting a Smartphone Honey Stick Project (HSP) and a USB HSP. Aside from the cost - a Smartphone project is obviously more expensive due to the cost of the devices - the main difference in how I've conducted these tests has to do with the difference between Threats and Vulnerabilities. Read More »
Top 10 reasons NOT to do security awareness training (ScottWright) posted Sun February 3rd 2013 @ 1:18 PM
In anticipation of the Government of Canada’s upcoming Security Awareness Week (Feb. 11-15, 2013), here are some possible reasons why organizations haven’t put a security awareness program in place.
1- We’re not a target – Many organizations don’t feel they are a target for today’s attackers, often because they feel they aren’t big enough to be noticed. There’s growing evidence that attackers no longer care how big you are. There are many reasons attackers might target your organization that you might not have considered. Check out the infographic produced by Brian Krebs and SANS. People need to be aware of how they might be targeted. Read More »
Meet Scott Wright and other security folk at COUNTERMEASURE 2012 Ottawa – October 25 and 26 (ScottWright) posted Sat September 29th 2012 @ 7:40 AM
This will be a well-rounded and fun two-day security conference in Ottawa on October 25 and 26. The program is full of interesting and respected thought leaders and practitioners. I will be presenting on “Security Awareness for Social Media in Business” at 9:30am on October 26. If you’re going to be in the area at that time, let me know and we can get together.
I expect there will be a good mix of business managers (both Government of Canada and private sector), as well as security researchers and experts in attendance.
Here’s a list of the topics being covered over the two days of the conference: Read More »
Current events are always good news for cybercriminals (DeanTurner) posted Sun September 9th 2012 @ 12:53 AM
Cybercriminals are crafty by nature and always looking to make a buck. So they are quick to take action when opportunity arises through current news and events. The month of July 2012 provided numerous such opportunities as the world’s focus turned to the 2012 London Olympics.
Predictably, Symantec’s most recent intelligence report found that the cyber underworld was working hard to exploit the global interest in the Summer Games. The report also found that spam and malicious websites increased slightly in July.
Symantec monitored Twitter bots (that used Olympic-related trending topics to entice users), fake Olympic scandals (leading to websites that mimic YouTube – and ultimately play videos that have nothing to do with the supposed scandal) and phishing attacks that used the ruse of a ‘free gift’ relating to London 2012 to spread malware and steal information.
Here are some examples of the Olympic-related spam: Read More »
Free paper for students to learn about risks in using the Social Internet and Social Media (ScottWright) posted Wed August 15th 2012 @ 6:45 AM
For most adults, the Internet has been changing our lives in many ways that seem hard to keep up with. However, our children seem to be immersed in the latest trends, and most of the time they show no signs of trepidation or caution when using these new tools. Is it just that they are naturally more astute and discerning about what is safe and what is "bogus"? Or are they just oblivious to the risks that most of us have learned to view with skepticism?
Many of the adults I teach are still scared to death of using Social Media sites such as Facebook, LinkedIn and Twitter. This is a natural instinct they've learned to use that can actually help them avoid the risks associated with encountering new and untested technologies and fads. But young people may not have had the benefit of experience in spending years working to build their savings, or even the subtle social graces that we have learned to navigate over the years.
With this in mind, and with another school year about to start, I have taken some of the lessons I've learned about using Social Media and created a 10-page paper that discusses the risks that face students in high school or in college, and am making it available for you to download HERE for free. Read More »
A Closer look at targeted attacks (DeanTurner) posted Fri August 10th 2012 @ 4:43 PM
Last time we talked about targeted attacks, and why the number of SMBs being targeted is increasing. Now, we’ll take a deeper dive into targeted attacks, and look at one particular attack on a company in the international aerospace industry. Read More »
Much ado about... targeted attacks? (DeanTurner) posted Sun July 22nd 2012 @ 8:48 AM
With targeted threats such as Stuxnet, Duqu and Flamer dominating headlines for alleged nation-state attacks on foreign governments, it’s easy for a small Canadian business to assume that its organization is just too small to be a target for cyber crime. In reality, that’s just not the case. Read More »
True story shows how scams on free classified sites will spoof PayPal for credibility (ScottWright) posted Wed June 20th 2012 @ 7:52 AM
If you might ever plan to sell something privately by advertising online, you need to be aware of the sneaky scams that bad guys are running these days. As I learned from the true story related to me below by a member of the Streetwise Security Zone community, they can be very slick; and what seems like a credible offer to purchase a vehicle or other high value item can quickly turn into a nightmare of stress and lost cash. One such scam now preys on sellers of items on sites like the free classified advertising site, Kijiji.
The tricks that make the scam work
The key elements that make this kind of scam work are:
1- The prospective “buyer” offers to pay the full asking price, or more, without any negotiation. They usually have a plausible story for why they are so interested in securing the item quickly. Sellers are always interested in getting full asking price. Read More »