Call centers routinely record calls for quality control and training purposes. In a recent survey by Veritape reported in The Register, 95% of the call centers surveyed were found to be storing credit card data such as the three-digit verification numbers from the back of the cards in recordings of calls. But only 39% of the 133 call center managers interviewed realized that they shouldn’t be doing this. Even worse, only 3% of the 133 (that’s 4 people, by my calculation) actually wiped credit card information from the recordings.
As the PCI Data Security Standard (DSS) says:
Sensitive authentication data must not be stored after authorization (even if encrypted).
PCI DSS Requirements and Security Assessment Procedures, v1.2.1 – July 2009. Footnote 2 on page 5.
It’s easy to concentrate on computer and network security – after all, that’s what we hear about all the time – but it seems that we might have a failure to educate critical staff on security that applies to other areas of business.
When we talk to end users about security, we usually focus on the confidentiality part of the CIA triad – probably because it’s the most visible part of information security. But, every now and then, there’s a news item that reminds us about integrity and availability. And today was one of those days.
The Washington Post is reporting that a server failure over the weekend has wiped out the master copies of data accumulated by Sidekick smartphone users. This includes address books, calendars, to-do lists and photos.
SC Magazine reports that MarkMonitor, an internet fraud and brand-protection vendor, has determined that the number of phishing URLs reached a record high during Q2 2009 with more than 150,000 phishing URLs being established – eclipsing the previous record set during Q1 2007.
According to the researchers, the huge spike was mainly due to phishing attacks that rapidly change DNS records of phishing URLs to avoid shutdown attempts from security vendors or companies whose brands are being spoofed. However, another reason for the spike was the increasing number of phishing attacks mimicking the login pages of social networks – the incidence of phishing attacks posing as social networks increased by 168 percent from Q2 2008 to Q2 2009.
These results are in conflict with the results presented in IBM’s mid-year security report which showed a significant drop-off in phishing attacks. According to that report, IBM’s analysts believe that Trojans are taking the place of phishing in attacks on financial targets (banks, credit unions …).
Interesting timing! Earlier this week, Cosaint rolled out a new security awareness course covering phishing, spear-phishing, and related forms of social engineering that use email as a vector. Let me know if you’d like to take a look.
Training isn’t immune from the changes that newspaper and book publishers are facing as production and distribution costs drop dramatically. These days, anyone can create a simple course at little to no cost (except their time) – especially if they choose a simple interface format such as LM-Light rather than a complex format like SCORM.
There’s an excellent (as usual) post on this subject on Tony Karrer’s eLearning Technology blog.
Why is this important for security awareness training (SAT)? Because it’s already removing cost as one of the barriers to widespread adoption. With the price of comprehensive web-based SAT training being a few dollars per student per year, there’s really NO EXCUSE for any organization – large or small – for not having such a program.
Browsing around some blogs referenced on Twitter (see … it really is useful for something!), I came across a blog run by a gentleman called Dave Ferguson.
In the blog’s “about” page, he writes:
… training deals only with skill-knowledge gaps, and those aren’t the only possible barriers to performance. Sometimes people know how to do their jobs, but still aren’t producing results. Success might depend on factors like:
- Information essential to the task
- Standards for how to do the job
- Feedback on how well they’re doing
- Tools and materials
- Time to do the job right
- Incentives for good performance
You can’t help noticing it – people everywhere are using their cellphones, iPhones and Blackberries as much as (or more than) their laptops and desktop PCs to access web content.
This paper from a recent conference on learning technology talks about the implications from the point of view of educational establishments (universities and colleges) rather than business. But it’s going to affect businesses and government agencies as well, as they absorb millions of teenagers into the workforce over the next few years.
As security educators, this presents us with 2 challenges for the years to come.
- We need to think about providing online security awareness materials that are easily accessible to mobile learners.
- We need to educate learners about the security issues that they face when using these mobile devices.
It’s not something that needs to happen overnight, but it’s an inexorable wave that’s going to hit us. So we might as well start getting prepared for it.
(Thanks to David Hopkins for providing a link to the original article in his blog.)
The New York Times has published a useful article on developing Disaster Recovery Plans for small businesses (and, I would assume, other organizations such as non-profits and government agencies).
Too many small organizations are putting themselves and, in some cases, their clients at risk by not having a Disaster Recovery Plan. If you’re in this position, heed this advice from the article: “Whatever you do, don’t wait.”
The Washington Post has published an article about the continuing availability of password-cracking services such as YourHackerz.com, piratecrackers.com and hack-mail.net. They advertise openly, and offer to crack the password of Web-based email systems such as Gmail, Facebook, Yahoo, Hotmail, and AOL for fees as low as $33.
Are their actions illegal? US federal law (and similar laws in many US states) prohibits hacking into email. But it’s a misdemeanor – not a felony – unless there’s illegal activity, and authorities don’t usually have resources to investigate misdemeanors. It’s also very difficult to know if an account has actually been compromised because the intrusion doesn’t leave much of a trace.
It’s often difficult to justify security measures because of the lack of realistic data regarding the cost of security incidents. After all, few organizations want to publicize their mistakes! But, from time to time, a snippet of information becomes available that enables us to show the true value of security programs to management.
According to Infosecurity magazine, in May of 2009 the computer systems of Ealing Council (in London) were attacked by a computer virus when an infected USB memory stick was plugged into a PC on the network.
DarkReading is carrying a report about research into Facebook security holes by a researcher known only as ‘theharmonyguy’. He/she is disclosing flaws that he/she has discovered in Facebook and the third-party applications that many people use.
So far, he/she has disclosed bugs in:
- FunSpace (8 million users)
- SuperPoke (2 million users)
- YellowPages.ca (a mere 1200 users)
with more disclosures promised for the rest of September.