How to Shield Your Sensitive Data

Recent high-profile photo hacks have made headlines. In March, internet hackers targeted celebrities including Miley Cyrus, Emma Watson and Amanda Seyfried, resulting in the leak of intimate photos that were posted on sites such as 4chan and Reddit. Similarly, back in 2014 hacker Ryan Collins exposed nude photos and videos of several celebrities after obtaining them from iCloud accounts.

But celebrities aren’t the only ones vulnerable to hackers. Imagine if your organization’s C-level executives had sensitive information stored in their email or documents. Hackers could obtain proprietary information, causing financial nightmares and damaging your organization’s reputation.


Many enterprises fail to properly secure their email and documents from attacks, thinking that firewalls and traditional security solutions are sufficient. But without a security solution in place, the entire organization can be at risk if just one employee falls victim to a phishing attack. Some 91% of phishing hacks lead to content breaches that can snowball, causing you, your contacts and their contacts exponential harm.

What can be done to mitigate the possibility of data breaches?

Unstructured data

Each day, millions of corporate and government email users worldwide have candid conversations over email—whether between employees, supply chain partners or other external participants—sharing information that often is proprietary and mission-critical. And the volume of data in emails and documents is doubling each year.

This collaboration is crucial for today’s businesses, but maintaining privacy standards and document security can be challenging. To ensure productivity through collaboration, expedite projects and make timely decisions, employees are sharing unstructured data both inside and outside the firewall. Yet once the information is outside the firewall, it may not be protected. By establishing a secure environment that protects content inside and outside the organization, all parties can communicate freely via digital channels.

Rights management

There is an expected level of trust between you and your internal and external stakeholders that the information you are sharing is for their eyes alone. While there is no foolproof way to ensure that someone isn’t reading over your recipient’s shoulder, rights management is another way to enforce security permissions. This adds an extra layer of protection to emails, documents and photos even when opened by a permitted source. Content is protected from misuse while at rest, in transit and in use. And the ability to track and monitor for authorized use and attempts at unauthorized use of content can help ensure that data and intellectual property stay within the circle of trust.

Encryption

Encryption offers yet another layer of security for your information by making content only accessible to the devices and users with specified usage rights.

Data with encrypted in-use protection allows the authorized recipient to decrypt content by tethering to the specific device and user. This means that content in an authorized receipt could get hacked—but the hack could easily be mitigated.


Bottom line: Breaches are an invasion of privacy whether you are a CEO, developer or celebrity. It’s imperative to ensure that no matter where your content travels or what device you use, at any point it is protected from getting into the wrong hands. Armed with the knowledge to ensure secure content collaboration whether inside or outside an enterprise network, you can avoid becoming the next headline.

This article originally appeared on ThirdCertainty. It was written by Erik Brown.

Why More Attacks Via IoT Are Inevitable

The massive distributed denial of service (DDoS) attack that cut consumers off from their favorite web haunts recently was the loudest warning yet that cyber criminals can be expected to take full advantage of gaping security flaws attendant to the Internet of Things (IoT).

For much of the day, on Friday, Oct. 21, it was not possible for most internet users to consistently access Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal.

Using malware, dubbed Mirai, an attacker had assembled a sprawling network of thousands of hacked CCTV video cameras and digital video recorders, then directed this IoT botnet to swamp the marquee web properties with waves of nuisance pings, thus blocking out legitimate visitors.


Mirai is designed to take over lightweight BusyBox software widely used to control IoT devices. The source code for Mirai can be found online and is free for anyone to use. ThirdCertainty asked Justin Harvey, security consultant at Gigamon, and John Wu, CEO of security startup Gryphon, to flesh out the wider context and discuss the implications. The text has been edited for clarity and length:

ThirdCertainty: Why do you think these attackers went after BusyBox systems?

Wu: Because BusyBox is lightweight; it’s used on most IoT devices that have limited memory and processing. BusyBox is a utility with lots of useful commands.

Harvey: BusyBox is very standardized. It is highly used in the field, and it also runs Linux, so the internals are very straightforward and easy to duplicate in testing systems.

3C: How did the attacker locate so many vulnerable devices?

Wu: Standard IP scanning would identify the devices, and then the attacker could use the admin interface to install the malware. These devices had weak default passwords that allowed hackers to install Mirai.

Harvey: Cross mapping manufacturers with types of devices. Then using the website Shodan to get a list of open devices. Once they had the list of devices, they could create a massively parallel script to step through each and determine whether they used the version of the OS they wanted.

3C: How many devices did they need to control to carry out three waves of attacks over the course of 12 hours?

Harvey: 300,000 to 500,000.

Wu: Probably a few hundred thousand devices. Because it’s distributed, there is no way to simply block all the IP addresses.

3C: Are there a lot of vulnerable devices still out there, ripe for attack?

Harvey: Yes! Shodan specializes in noting which devices are out there and which are open to the world. The devices used in this attack were but a small fraction of open or insecure IoT devices.

Wu: We don’t know exactly how many devices are still out there as sleeper bots. Mirai also is actively recruiting new bots. From what I understand, these IoT devices had open channels, and the users had practiced poor password protection for root access to install additional components.

3C: What do you expect attackers to focus on next?

Wu: I would expect the attacks to get larger and more sophisticated. Mirai also is working in the background to recruit more devices. The next attack may not be as public because they’ve already shown what the botnet network is capable of.

3C: What should individual consumers be most concerned about at this point?

Harvey: Consumers need better education on changing the default access and security controls of their IoT devices. Manufacturers need to take security seriously. Period. Congress needs to step in, conduct some hearings on IoT issues and perhaps regulate these devices.

Wu: Consumers need to be concerned if their device is one of the devices already compromised or at risk of being compromised. They should contact the manufacturer to ask if a security patch is available. A simple solution would be to take the device offline, if it’s something you can live without.

3C: What is the most important thing company decision-makers need to understand?

Wu: If you are dependent on the internet for your revenue and business, you should be planning alternative communication channels. If DNS is critical to your business, you should look at backups to just one service provider. Let people know that, if email is down, you can still get business done over the phone.

Harvey: Businesses need to understand the implications of running IoT devices within their companies and question the business need for using IoT devices versus the convenience.


This article originally appeared on ThirdCertainty.

No Vaccine for Social Media Theft

Whether you are new to college, single and dating or newly divorced (because you panicked and confessed when news of the Ashley Madison hack hit the media), I’ll bet there is at least one socially transmitted disease you haven’t started worrying about: identity theft.

If you use Facebook, you’re making easy work for identity thieves. The same goes for the whole cosmos of social media whether you favor Twitter, Instagram, Reddit, Pinterest, YouTube or LinkedIn or prefer to Tumblr your thoughts, preferences and predilections to anyone who cares to know what they are. The more you put out there in publicly viewable spaces, the more your personal identity mosaic is exposed. An identity thief’s day job is piecing together that mosaic into a passable, or usable, version of you: one that will get through the authentication process of financial, medical or governmental organizations.

The echo of another kind of disease here is intentional. Like the more widely known kind of STD, the socially transmitted diseases that fall under the rubric of identity-related crimes are contracted by unsafe personal information practices. Unlike the more familiar variety, where safety is taught in high school, tacked to college community boards and heralded by countless other media new and old, not as many people these days know how to stay as safe as possible from the threat of identity theft, especially online.

How to practice “safe social”:

  1. Don’t overshare. It’s okay to let the world know you’re on vacation so long as you have a great security system at home or you have a house sitter. Traditional trespassers use social media to know when houses are unguarded. It is far better to share the memory than report the experience as it’s unfolding.
  2. Be careful when posting pictures. While it’s fun to brag about a purchase—whether that be a diamond ring, a car or the smartest TV on the market, just be aware that anyone following you now knows where they can get your newest trophy or indulgence for free.
  3. Geotagging is for victims. There is no upside for you here. Companies like geotagging photos and other people-powered media assets because it gives them bankable information that could lead to future sales. Whether you are letting Twitter or Facebook or FourSquare narrowcast (or broadcast, depending on your privacy settings) your location, failure to disable location services on your device permits geotagging, which also gives thieves bankable info that could lead to future crimes.
  4. Know your privacy settings. Make sure you understand how your posts are being displayed or distributed by the social network you use. For instance, on Facebook you can set a post to “Public” or “Only Me,” with many choices in between.
  5. Lying is good. Facebook, especially, is a perfectly acceptable place to not be forthcoming about your age, hometown, place of employment or even the college you attended and what years you were there. Identity thieves comb social sites for information to complete dossiers of personally identifiable information that will allow them to correctly answer security questions and thus open new financial accounts or empty existing ones. If you don’t want to actively fabricate answers to these questions, just don’t fill out those parts of your profile.
  6. Beware of quizzes that require personally identifiable information. Make no mistake, your email address and name count.

There is no immunization

Unlike the other kind of STD, the socially transmitted disease of identity theft is not avoidable. There is no immunization, no safe way to avoid it—not even complete abstinence. There have been too many breaches with too much data for anyone but those living entirely off the grid to be completely safe. (And even still you can’t be sure.)

Your best bet, in my opinion, is a system detailed in my book (forthcoming in November). A key element to that approach is acceptance. Specifically, you need to come to terms with the fact that it’s no longer a question of “if” but “when” you will become a victim of at least one type, if not multiple types, of identity theft. Anyone who tells you that they can keep you from getting got is selling snake oil. In fact, they are running afoul of the Federal Trade Commission. There is no guarantee. There are, however, best practices.

THE THREE M’S

If you accept the basic premise that you are at risk for identity theft no matter what you do, here are some thoughts as to how you might stay as safe as possible. The good news may actually be that you are a seasoned and intelligent user of social media, because that means you already have several of the habits in place that you will need.

Minimize your exposure

The same strategies you can adopt to make yourself a harder-to-hit target on social media go for the rest of your life. Whether that means saying “no” when asked for your Social Security number, limiting the amount of sensitive personal information you provide to anyone who contacts you, making sure all your accounts (email, social networking, financial or retail) have different user names paired with unique, long and strong passwords, properly securing your computers and mobile devices or freezing your credit—there are a variety of things you can do to make your attackable surface smaller.

Monitor your accounts

If you use social media regularly, you are used to checking in on a regular basis—the Pew Research Center found that 70% of Facebook users check in daily, as did about half of Instagram users, and nearly 40% of Tweeps. The same behavior, applied to your financial life, may keep you from getting got … or help you undo or minimize the damage in case you do. Check your bank and credit card accounts daily. Other things you can do include signing up for free transactional monitoring alerts at your bank, credit union or credit card provider, or purchasing more sophisticated credit and noncredit monitoring programs.

Manage the damage

When the dark day comes that your daily practice of monitoring your credit or financial life yields a compromise, you need to get on it immediately by informing the institution of the account that is involved, as well as law enforcement and the fraud department of at least one credit reporting agency. Because many insurance companies, a number of financial services organizations and the human resources departments at a number of companies offer complimentary or low-cost identity theft assistance as a perk of your relationship with the institution, check to see if you are covered or, if not, how you can get covered. Resolution experts can greatly help you speed your way back to normalcy.

Identity theft is a permanent threat. The best way to stay safe is to change your behavior. The above tips are only some of the ways to do that. In the age of universal data vulnerability, practicing safe information hygiene is a must—lest you contract the one STD that may haunt you for the rest of your life.

4 Reasons Why Insurance Must Embrace Social Business in 2014

The past several years provide ample perspective on what it means to grow a business via social media, teaching us what works and, perhaps more importantly, what doesn’t. Early adopters are getting their social strategies down to a science; insurance companies commonly generate significant business value by enhancing existing customer relationships and expanding business through social channels.

Research shows that the initial rush to get customers to simply “like” corporate pages on Facebook was misguided: “likes” for a brand have little value when compared with interactions between agents or reps and customers on an individual level through social media. Personal interactions can lead directly to sales, whereas a “like” rarely translates to dollars. Our own data at Hearsay Social supports this. One major insurance client shared that its agents who used social media to personally connect with customers and prospects had an average of greater than 20% more sales than those who didn’t. Customer retention also improves drastically.

Based on our experiences working with numerous large, multi-line companies, I want to share four simple reasons why insurers need to become “social” businesses.

You will notice that these four principles have always applied to successful agencies and businesses; the communication channels are simply evolving.

1. To get found

Being “findable” used to require significant up-front marketing effort and spending. Agencies often invested heavily in ads, sponsorships, and prime real estate to be discovered and considered by prospects. But the way people research has fundamentally changed. Today’s buyers go online to research products or services before purchasing. Whether people are buying a book or a complex financial product, it’s safe to assume that digital research factors into the purchase process. Today, social media is one of the most powerful ways to help an agent or business get found. If a customer searches on Google, social media pages and profiles are typically at the top of their results.

Google Search Results
In this example, 3 of the top 4 results in a Google search for the name of a Thrivent Financial Advisor are for his social media pages, demonstrating how a social media presence greatly improves “findability.”

Additionally, with complex products like insurance or financial services, where the decision-maker relies on expert advice, they look for people whom their friends or colleagues recommend. Where one might have previously called friends and colleagues about where to take their business, people increasingly turn to social networks as the easiest way to find the right expert.

2. To grow networks

An extensive network has always been a key indicator of a good businessperson. Historically, new agents were trained to continually build and maintain strong personal networks. The same is true today, and the rise of social networks has made this entire process more efficient and powerful. Social networks online act just like shared connections in the physical world: they provide the context, familiarity, and trust that allow good salespeople to effectively establish a credible rapport to represent themselves and their brand.

Building and maintaining long-term personal relationships is also essential to gaining referrals and repeat sales. On social media, this means connecting with all your friends, colleagues, and business contacts from the offline world. Successful social sales representatives then use social media to connect with customers and continually engage before, during, and after a sales cycle.

3. To “hear” customers and start meetings warm

Listening to and understanding clients is a key characteristic that separates successful relationship managers from the pack. People share valuable information and buying signals on social networks, and gathering insights from posts makes it easy to identify and understand customer needs so that sales reps can truly go into meetings “warm.”

Hearsay Social Signals
Agents and reps can “hear” what is going on in their networks with Social Signals alerts that highlight key life events, such as weddings or new babies, that could be opportunities to reach out.

Companies that embrace social business provide their teams with powerful ways to pay attention to what’s going on with customers, which increases productivity. Information shared by consumers via social networks also helps relationship managers understand the appropriate time to reach out, with exactly the right information.

4. To build credibility

In the insurance industry, customers must rely on their agent, advisor, or wholesaler as an expert. Buyers don’t have the time to do their own research and stay up-to-date. Social media makes an enormously powerful and effective tool for sales reps to demonstrate expertise and consequently build trust. Industry-leading relationship managers share content via social channels to build credibility and educate customers. In addition, sharing content on social networks helps relationship managers stay top of mind with prospects with whom they haven’t yet engaged. When the prospect is ready to move forward, they know exactly who to contact to initiate sales conversations.