If you would like to be notified when copies of

Keeping Your Data Secure II: The Human Factor

can be ordered, send an e-mail to:

info@snappytitles.com

The online resources for Keeping Your Data Secure: 101 Tips You Must Know

are now available here.

If you would prefer to purchase an e-book version of either book then simply e-mail us.


Keeping Your Data Secure:

101 Tips You Must Know - Resources

General Resources

You can listen to a MODEM here (software to play MP3s is required)

You can download the checklist from the book here (PDF reader required)

www.webroot.com/En_US/sites/websecurity2/index.html

www.sans.org

The Barracuda Labs 2010 Annual Security Report can be seen at

www.barracudalabs.com/downloads/2010EndyearSecurityReportFINAL.pdf (PDF reader required)

The UK Information Commissioner’s advice can be seen at

www.ico.gov.uk/news/current_topics/privacy_dividend.aspx

The Ponemon Institute in the US carries out a great deal of research into Information Security.  Visit

www.ponemon.org/data-security

You can read more about Risk Management at

en.wikipedia.org/wiki/Risk_management

Resources for Tip 1

To actually get into the BIOS on most PCs, you switch on the power and then quickly press and hold the ‘Delete’ key.  Sometimes the ‘Delete’ key needs to be pressed repeatedly rather than being held down, and on some makes it will be the ‘Esc’, ‘F1’, ‘F2’ or ‘F10’ key that needs to be used, instead of the ‘Delete’ key.  If you can’t get into the BIOS using these methods then refer to your manufacturer’s manual or their website or help forums.

Some manufacturers restrict the settings that you can alter in the BIOS, as changing some BIOS settings could render your PC unusable.  Dell, Gateway, HP and Micron PCs are often locked down in this way.

I’ve put some screenshots of a typical modern BIOS here:

There’s a good article on the various do’s and don’ts of setting up your BIOS at

www.tomshardware.com/reviews/bios-beginners,1126.html

If you have an Apple Mac, there is a firmware password utility on your Mac OS installation DVD.  Look in Applications/Utilities on the disk.  Macs don’t have a BIOS as such; the equivalent is the EFI firmware password, and you can see Apple’s instructions for setting one at support.apple.com/kb/ht1352

To disable Automatic Login on your Macs, open System Preferences and go to Accounts.  Find the option called Login Options and then set Automatic Login to Off.

To disable ‘Autorun’ on Windows PCs, see the Microsoft Knowledge Base article on this subject at support.microsoft.com/kb/967715

You can read more about the attack on the US military in Iraq at

www.guardian.co.uk/technology/2010/sep/30/stuxnet-worm-new-era-global-cyberwar

and also have a look at

www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain

Resources for Tip 3

You can check the latest support lifecycle status of Microsoft’s Operating Systems at 

support.microsoft.com/gp/lifeselectindex

and at

support.microsoft.com/gp/lifesupsps#Windows

Resources for Tip 4

You can check the latest support lifecycle status of Microsoft’s Office software at 

support.microsoft.com/gp/lifeselectindex

and at

support.microsoft.com/gp/lifesupsps#Office

Resources for Tip 8

For a report on a Mac botnet, visit

www.theregister.co.uk/2009/04/16/new_ibotnet_analysis/ 

An article on the Safari patch referred to can be seen at:

www.computerworld.com/s/article/9213939/Apple_patches_62_bugs_in_massive_Safari_update

Paste “site:apple.com Apple security updates” into Google for the most up to date list of current Apple updates and patches.

To obtain your free Sophos Antivirus software for Macs used at home, visit

www.sophos.com/products/free-tools/free-mac-anti-virus/

Check the support status of Microsoft products for the Mac at

support.microsoft.com/gp/lifeselectindex  

Resources for Tip 11

Turn off Autorun on all your PCs with this helpful Microsoft Knowledge Base article (it sets the NoDriveTypeAutoRun policy value to 0xFF, which disables Autorun for every type of drive) at

support.microsoft.com/kb/967715

Resources for Tip 13

To see how long an unprotected PC can survive connected to the Internet, visit the SANS Institute Internet Storm Center pages at

isc.sans.edu/survivaltime.html  - it is frightening!

Mac Firewall settings are sometimes in need of a bit of beefing up.  This site has useful guidance on how to go about it:

www.silvester.org.uk/OSX/wrangling_ipfw.html

Resources for Tip 17

For details on the Ealing Council virus outbreak, see

www.scmagazineuk.com/ealing-council-facing-501000-fine-after-its-network-was-hit-by-a-virus-that-crippled-it-for-weeks/article/148144/

The BBC have a good page covering the disaster at HMRC – visit

news.bbc.co.uk/1/hi/uk_politics/7104368.stm

See Microsoft Knowledge Base article “How can I prevent users from connecting to a USB storage device?” (it denies users access to the usbstor.inf and usbstor.pnf driver files so the driver can’t be installed, and sets the Start value of the UsbStor service to 4 to disable it where it is already installed) at:

support.microsoft.com/kb/823732/

You can also disable all USB ports in the BIOS on many PCs – there are screenshots of a typical BIOS here.

You might not want to do that though, as often your mouse, keyboard, and other essential peripherals are connected via USB!  Products that you could consider include:

Absolute Software: www.absolute.com/en/products.aspx

DeviceLock Inc.: www.devicelock.com/

Resources for Tip 18

Kevin Beaver is one of the best-known white-hat hackers around, and his website is worth a visit:

www.principlelogic.com/

Microsoft’s BitLocker is pretty good, but also have a look at:

www.pgp.com/

These articles will give you some idea how many laptops, PDAs and Phones are stolen or mislaid:

www.telegraph.co.uk/travel/travelnews/2482615/Heathrow-Airport-is-laptop-crime-capital.html

www.theregister.co.uk/2005/01/25/taxi_survey/

www.channelregister.co.uk/2010/12/03/intel_laptop_security_panel/print.html

Resources for Tip 19

www.checkpoint.com/products/datasecurity/pc/

www.symantec.com/business/whole-disk-encryption

www.sophos.com/products/enterprise/encryption/disk-encryption-for-mac/

Resources for Tip 20

To see which manufacturers belong to the Trusted Computing Group, the body that publishes the TPM specification, visit:

www.trustedcomputinggroup.org/about_tcg/tcg_members

You can read more about the TPM initiative at:

en.wikipedia.org/wiki/Trusted_Platform_Module

Resources for Tip 21

Setting up wireless connections securely is essential.
Here are links to guides from Microsoft and Apple for the steps to take on Windows 7, Windows Vista, Windows XP and Mac OS X.

windows.microsoft.com/en-US/windows7/Setting-up-a-wireless-network

windows.microsoft.com/en-US/windows-vista/Setting-up-a-wireless-network

www.microsoft.com/windowsxp/using/networking/setup/wireless.mspx

www.apple.com/findouthow/mac/#wirelessbasics

Resources for Tip 22

For suitable products, have a look at:

www.securitykit.com/pc_phonehome.htm

www.gadgettrak.com/

preyproject.com/

www.brigadoonsoftware.com/

www.absolute.com/en/products.aspx

For more information about Intel’s new Anti-Theft Technology, see:

www.intel.com/technology/anti-theft/

Resources for Tip 23

The Procter & Gamble case study can be seen at:

www.cio.co.uk/news/3214833/procter-and-gamble-allow-staff-to-use-own-laptops/

iPhones can be tracked with Apple’s MobileMe service.

Also you can look into PhoneTrace, iLocalis, Mobile Spy 3.0, iHound, Navizon and MyFoundCast, though I’m pretty sure some of these may not be available and/or legal for use in the UK.

www.gadgettrak.com/

www.mobilelocate.co.uk might be worth a look too.

Resources for Tip 24

Have a look at:

www.eset.co.uk/Products/MobileSecurity

Details of the Google Android Market problems can be seen here:

www.theregister.co.uk/2011/03/04/google_android_market_peril/

Resources for Tip 25

Full details of the story of the server sold on eBay are at:

news.bbc.co.uk/1/hi/uk/7581540.stm

www.theregister.co.uk/2010/08/06/ebay_photocopier_disposal_risk/

www.diskshred.co.uk/harddriveshredding.html

www.sitr.com/on_off_site_data_destruction.htm

The US Department of Defense (DoD) used to recommend data deletion/overwriting software conforming to DoD 5220.22-M: the basic method overwrites the data 3 times (a fixed pattern, its complement, then random data, each pass verified), and the extended “ECE” variant that many wiping tools offer overwrites 7 times. The Gutmann method overwrites data 35 times; it was designed around the recording schemes of 1990s drives and is overkill on modern ones. 

Note that the DoD no longer approves of overwriting as a means of sanitising classified media, but the programs listed below will do the job if you’re not trying to delete state secrets.  Two caveats: overwriting a single file in place doesn’t reliably destroy it on a journaling filesystem, and on SSDs wear levelling means the old copy may never be touched at all, so on those prefer the drive’s own secure-erase command or full-disk encryption from day one.  But seriously, if in doubt just destroy the hard disk.

Killing a disk: wear safety goggles and gloves!

www.active-eraser.com/

www.jetico.com/wiping-bcwipe/

www.dban.org/about

www.protectstar.com/

www.fileshredder.org/

www.evidencenuker.com/
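
As an added example (not the book’s own code and not any of the products above), the following Python script implements the overwrite-and-verify passes these tools perform, on a single file: a zeros pass, a ones pass and a random pass, with the file read back after each pass to confirm the write landed.  The random pass is regenerated from a per-pass seed rather than kept in memory, so verification works on large files.  The data in demo() is constructed.  The caveat is the same as for the products: on journaling or copy-on-write filesystems and on SSDs with wear levelling, overwriting a file in place gives no guarantee about the old blocks, so this is only appropriate for spinning disks with simple filesystems; otherwise reach for the drive’s secure-erase command or the hammer.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def _pass_chunk(pattern, seed: bytes, offset: int, n: int) -> bytes:
    """Bytes to write at `offset` for one pass: a fixed byte repeated, or, when
    pattern is None, pseudo-random data derived from a per-pass seed and the
    offset (BLAKE2b in counter mode) so the same bytes can be regenerated to
    verify the pass without keeping a copy of it."""
    if pattern is not None:
        return pattern * n
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.blake2b(seed + offset.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def overwrite_file(path: str, passes=(b"\x00", b"\xff", None)) -> int:
    """Overwrite every byte of `path` once per pass (default: zeros, ones, random),
    fsync after each pass and read the file back to confirm the pattern landed.
    Returns the number of bytes overwritten; raises IOError on a verify failure."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            seed = os.urandom(32)
            for offset in range(0, size, CHUNK):
                n = min(CHUNK, size - offset)
                f.seek(offset)
                f.write(_pass_chunk(pattern, seed, offset, n))
            f.flush()
            os.fsync(f.fileno())  # push the pass to the device before verifying
            for offset in range(0, size, CHUNK):
                n = min(CHUNK, size - offset)
                f.seek(offset)
                if f.read(n) != _pass_chunk(pattern, seed, offset, n):
                    raise IOError(f"verification failed at offset {offset}")
    return size


def shred_file(path: str, passes=(b"\x00", b"\xff", None)) -> int:
    """Overwrite, truncate and unlink.  Caveat (see lead-in): on journaling or
    copy-on-write filesystems and on SSDs the old blocks may survive untouched."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
    os.remove(path)
    return size


def demo() -> dict:
    """Constructed sample: a temporary file of fake account records is overwritten
    (zeros, random, then ones) and inspected before being removed."""
    record = b"ACCOUNT 12345678 BALANCE 9999\n"  # constructed, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(record * 2000)
    size = overwrite_file(path, passes=(b"\x00", None, b"\xff"))
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)
    return {"size": size,
            "secret_survived": record in after,
            "final_pass_all_ones": after == b"\xff" * size}


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the demo result; to use it on a real file call shred_file(path), and remember the 35-pass Gutmann sequence is available simply by passing a longer tuple of patterns, not that you need it.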

Resources for Tip 26

For the background story, see

www.channelregister.co.uk/2010/12/03/intel_laptop_security_panel/page3.html

For products, visit:

stealthmark.com/solutions/standard_marking_products/

www.propen.com/english/index.php

juniperinnovations.co.uk/authentication-and-security-approach

www.stoptheft.com/site/index.php

www.smartwater.com/Home.aspx

www.selectadna.co.uk/

www.selectamark.co.uk/

www.redwebsecurity.com/

Resources for Tip 27

Gramm-Leach-Bliley Act
Visit:
en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Visit:
www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

For details of the two fines cited, see
www.hhs.gov/news/press/2011pres/02/20110222a.html
www.hhs.gov/news/press/2011pres/02/20110224b.html

PCI DSS
Visit the official site at:
www.pcisecuritystandards.org/security_standards/index.php

The Wells Fargo website has a useful FAQ page at:
www.wellsfargo.com/biz/help/merchant/faqs/pci
Also:
en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

Sarbanes–Oxley Act
Visit:
en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

UK Data Protection Act
To check if your organisation needs to be registered with the UK’s Information Commissioner, visit:

www.ico.gov.uk/for_organisations/data_protection/notification/need_to_notify.aspx

To check if your organisation is registered, visit

www.ico.gov.uk/esdwebpages/search.asp

To find out more about the ‘Safe Harbor’ regulations, visit:

www.export.gov/safeharbor/

For details of the fines handed out by the Information Commissioner, see:

www.ico.gov.uk/~/media/documents/pressreleases/2010/first_monetary_penalties_press_release_24112010.ashx
and
www.ico.gov.uk/~/media/documents/pressreleases/2011/Monetary_penalties_ealing_and_hounslow_news_release_20110208.ashx

Resources for Tip 29

Symantec’s report is at

www.symantec.com/about/news/release/article.jsp?prid=20110117_04&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jan_worldwide_attacktoolkits

Firewalls:

www.sonicwallonline.co.uk/

www.watchguard.com/international/uk/

www.juniper.net/uk/en/

www.cisco.com/en/US/products/ps6120/index.html

Resources for Tip 30

www.sonicwallonline.co.uk/

www.watchguard.com/international/uk/

www.juniper.net/uk/en/

www.cisco.com/en/US/products/ps6120/index.html

Resources for Tip 31

For details of the Library key logger incident, visit

menmedia.co.uk/manchestereveningnews/news/s/1407644_cybercrime_alert_after_bugs_found_in_library_computers

Resources for Tip 34

Visit www.cesg.gov.uk/ for more details on testing, particularly CHECK testing (www.cesg.gov.uk/products_services/iacs/check/index.shtml)

And you can also find a list of approved companies to carry out the tests for you.

www.itgovernance.co.uk/penetration-testing-packages.aspx (DOWN AT 24/04/2011)

www-935.ibm.com/services/us/index.wss/offering/iss/a1027030

Resources for Tip 35

www.sonicwallonline.co.uk/

www.watchguard.com/international/uk/

www.juniper.net/uk/en/

www.cisco.com/en/US/products/ps6120/index.html

Resources for Tip 50

www.airmagnet.com/products/enterprise/

h10144.www1.hp.com/products/wireless/HP_ProCurve_Mobility_Security_IDS_IPS_Series/overview.htm

www.cisco.com/en/US/products/ps9817/index.html

www.kismetwireless.net/

Resources for Tip 51

www.kismetwireless.net/

www.stumbler.net/

Resources for Tip 54

www.kismetwireless.net/

www.stumbler.net/

Resources for Tip 58

When you’re using Safari, by default it is set to open any files that it considers ‘safe’ after you’ve downloaded them.  Unfortunately Safari is over-reaching itself here, as it isn’t qualified to make that call.

So, in Safari, go to Preferences and take the tick out of the ‘Open “safe” files after downloading’ box (the setting is stored as the AutoOpenSafeDownloads key in Safari’s preferences, so you can also confirm it has changed with the defaults tool).  There’s a screenshot here showing the default state with the tick still in place.

After downloading any file, you should always run a scan with your Anti-Malware software to be as sure as you can that you haven’t just downloaded software that is going to nuke your system or turn it into a Zombie.

Resources for Tip 60

See this site for details of the man who fled to Canada

news.idg.no/cw/art.cfm?id=6A368523-1A64-67EA-E443538172612DDA

Resources for Tip 65

For WSUS server details, visit:

www.microsoft.com/downloads/en/details.aspx?FamilyId=a206ae20-2695-436c-9578-3403a7d46e40&displaylang=en

For horror stories about patches that have gone wrong, I recommend you subscribe to a wide variety of e-zines and forums related to Windows and Windows Server  topics, including especially the Register’s excellent hardware news, software news and security news – visit

account.theregister.co.uk/register/   to, erm, register.

Resources for Tip 68

See

www.theregister.co.uk/2009/07/01/conficker_council_infection/

For an example of malware that has been written to exploit weaknesses in some smart phones’ Operating Systems, see

www.theregister.co.uk/2010/12/31/china_android_trojan/

Resources for Tip 69

In the past I’ve used rather excellent software from NetSupport Ltd, but there are others out there.

www.netsupportdna.com/

Resources for Tip 72

Microsoft’s recommendation is here:

msdn.microsoft.com/en-us/library/ms179313.aspx

Have a look at :

www.exagrid.com/

www.backup-technology.com/

www.planbdr.co.uk/

www.backupdirect.net/

www.zmanda.com/index.html

aws.amazon.com/s3/

www.microsoft.com/windowsazure/storage/default.aspx

Resources for Tip 73

Have a look at :

www.backupdirect.net/lost-backup-tape-equals-big-fine-for-zurich

Resources for Tip 82

Have a look at :

www.cdph.ca.gov/Pages/NR10-098-.aspx

Resources for Tip 87

Have a look at :

www.cert.org/blogs/insider_threat/2010/10/interesting_insider_threat_statistics.html#more

Resources for Tip 90

Have a look at these stories:

January 2011 – a Transportation Security Administration contractor in Colorado Springs attempted to sabotage a vetting database when told he was being terminated:
www.eweek.com/c/a/Database/Former-TSA-Contractor-Gets-Prison-for-Database-Sabotage-Attempt-715449/

October 2010 – an ex-employee of a loan company downloaded and used customer and prospective customer data:
www.databreaches.net/?p=14381

March 2010 – in Austin, Texas, an ex-employee ‘bricked’ cars belonging to the company that laid him off the previous month:
www.wired.com/threatlevel/2010/03/hacker-bricks-cars/

January 2010 – a company was locked out of its Google e-mail accounts by an unhappy ex-employee:
www.google.mw/support/forum/p/Google+Apps/thread?tid=2298c37322514da7&hl=en

September 2009 – after being told he wasn’t going to be offered a permanent job, a California IT contractor sabotaged the system that, amongst other things, detects leaks on Oil Platforms:
www.pcworld.com/article/172513/contractor_pleads_guilty_to_scada_tampering.html

July 2009 – a former IT Director deleted files and backups for the Houston Texas Organ Bank that had terminated her:
houston.fbi.gov/dojpressrel/pressrel09/ho071509.htm

April 2009 – a computer systems administrator who was laid off by an unnamed financial services company tried to extort better severance terms:
www.justice.gov/criminal/cybercrime/savtLaid.pdf

January 2009 – a computer contractor working for Fannie Mae was told he was being terminated in a couple of months – so he created a small program timed to make all 4,000 servers crash after he had left:
www.fredericknewspost.com/sections/news/display.htm?storyid=85822

October 2008 – a disgruntled former employee of Australia’s Northern Territory government wrecked its computer systems in a single attack costing millions of dollars:
www.ntnews.com.au/article/2008/10/08/8185_ntnews.html

August 2008 – IT security firm Cyber-Ark Software Inc. spelled out the dangers of not changing IT administrator passwords regularly.  This also makes it clear why you should put IT administrators on “gardening leave” immediately when you know they are leaving:
www.cyber-ark.com/news-events/pr_20080827.asp

June 2008 – an IT administrator in California changed the passwords controlling San Francisco’s government fibre network, and for almost two weeks after his arrest refused to divulge them, eventually handing them only to the Mayor in person; he was later sentenced to four years in prison.  Why he became so upset has never been properly explained…
www.computerworld.com/s/article/9110470/Questions_abound_as_San_Francisco_struggles_to_repair_locked_network
and
en.wikipedia.org/wiki/Terry_Childs

January 2008 – when an IT administrator for an architectural practice saw what she thought was her job being advertised, she assumed she was going to be fired.  So she deleted 7 years’ worth of digital drawings, estimated to be worth over $7 million:
www.foxnews.com/story/0,2933,325285,00.html

December 2007 – an IT technician who had his computer privileges revoked attempted to shut down California’s electricity supply by operating an emergency ‘kill’ switch in a data centre:
www.pcworld.com/article/140587/admin_faces_prison_for_trying_to_axe_california_power_grid.html

December 2006 – an IT administrator who feared being laid off planted a “Logic Bomb” that would have wiped all data off the servers of a pharmaceutical company:
redmondmag.com/articles/2006/12/20/it-admin-accused-of-planting-logic-bomb.aspx

December 2005 – after a performance evaluation that he perceived as negative, an IT administrator resigned from his post at the San Diego Council of Community Health Clinics.  He then hacked into the network and disabled backups, before systematically deleting patient data and software:
www.justice.gov/criminal/cybercrime/osonSent.pdf

March 2002 – because he got a smaller bonus than he had been expecting, an IT manager planted a “Logic Bomb” that damaged files on over 2,000 servers of financial services company UBS Paine Webber, costing them over $3 million:
www.informationweek.com/news/security/showArticle.jhtml?articleID=196604138

October 2001 – after being turned down for a job, an IT administrator hacked into the Queensland, Australia waste water control system and diverted millions of litres of sewage into local parks and rivers, and even the grounds of a Hyatt Regency hotel:
www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/

Resources for Tip 96

For details of the Gawker.com hack, see

www.guardian.co.uk/technology/2010/dec/29/gawker-hacking-gnosis-six-months

And also

nakedsecurity.sophos.com/2010/12/15/the-top-50-passwords-you-should-never-use/

The top 50 passwords from the Gawker breach, from most to least popular, are:

123456

password

12345678

lifehack

qwerty

abc123

111111

monkey

consumer

12345

0

letmein

trustno1

dragon

1234567

baseball

superman

iloveyou

gizmodo

sunshine

1234

Princess

starwars

whatever

shadow

cheese

123123

nintendo

football

computer

fuckyou

654321

blahblah

passw0rd

master

soccer

michael

666666

jennifer

gawker

Password

jordan

pokemon

michelle

killer

pepper

welcome

batman

kotaku

Internet

The passwords coded into the Conficker worm are:

00

000

0000

00000

0000000

00000000

0987654321

1

11

111

1111

11111

111111

1111111

11111111

12

123

123123

12321

123321

1234

12345

123456

1234567

12345678

123456789

1234567890

1234abcd

1234qwer

123abc

123asd

123qwe

1q2w3e

2

21

22

222

2222

22222

222222

2222222

22222222

3

321

33

333

3333

33333

333333

3333333

33333333

4

4321

44

444

4444

44444

444444

4444444

44444444

5

54321

55

555

5555

55555

555555

5555555

55555555

6

654321

66

666

6666

66666

666666

6666666

66666666

7

7654321

77

777

7777

77777

777777

7777777

77777777

8

87654321

88

888

8888

88888

888888

8888888

88888888

9

987654321

99

999

9999

99999

999999

9999999

99999999

a1b2c3

aaa

aaaa

aaaaa

abc123

academia

access

account

Admin

admin

admin1

admin12

admin123

adminadmin

administrator

anything

asddsa

asdfgh

asdsa

asdzxc

backup

boss123

business

campus

changeme

cluster

codename

codeword

coffee

computer

controller

cookie

customer

database

default

desktop

domain

example

exchange

explorer

file

files

foo

foobar

foofoo

forever

freedom

fuck

games

home

home123

ihavenopass

Internet

internet

intranet

job

killer

letitbe

letmein

Login

login

lotus

love123

manager

market

money

monitor

mypass

mypassword

mypc123

nimda

nobody

nopass

nopassword

nothing

office

oracle

owner

pass

pass1

pass12

pass123

passwd

Password

password

password1

password12

password123

private

public

pw123

q1w2e3

qazwsx

qazwsxedc

qqq

qqqq

qqqqq

quarry

queasd

qwe123

qweasdzxc

qweewq

qwewq

root

root123

rootroot

sample

secret

secure

security

server

shadow

share

sql

student

super

superuser

supervisor

system

temp

temp123

temporary

temptemp

test

test123

testtest

unknown

web

windows

work

work123

xxx

xxxx

xxxxx

zxccxz

zxcvb

zxcvbn

zxcxz

zzz

zzzz

zzzzz
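
As an added example (not the book’s code, and not from any product on this page), here is a Python check that rejects passwords from these two lists and their obvious variants.  The lists in the script are constructed excerpts of the Gawker and Conficker lists above, not the full lists; the repeated-character and digit-run checks generalise the structure of the Conficker list (every single character repeated up to eight times, and the ascending and descending digit runs) instead of enumerating it, and the digit-suffix and leetspeak checks catch the admin123 and passw0rd style of variant that both lists show.

```python
import re

# Constructed excerpts of the two lists reproduced on this page (not the full lists).
GAWKER_TOP_50_EXCERPT = [
    "123456", "password", "12345678", "lifehack", "qwerty", "abc123",
    "111111", "monkey", "consumer", "12345", "letmein", "trustno1",
    "dragon", "baseball", "superman", "iloveyou", "passw0rd", "Password",
    "welcome", "batman",
]
CONFICKER_EXCERPT = [
    "admin", "Admin", "administrator", "changeme", "ihavenopass", "nopass",
    "password", "pass", "root", "rootroot", "secret", "server", "sql",
    "qazwsx", "qweasdzxc", "1q2w3e", "q1w2e3", "a1b2c3", "asdfgh", "zxcvbn",
    "123123", "12321", "123321",
]

MIN_LENGTH = 8

# Common substitutions; undoing them turns "P@ssw0rd" back into "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Conficker carries both "Admin" and "admin", so case adds nothing: compare lower-cased.
BLOCKLIST = {p.strip().lower() for p in GAWKER_TOP_50_EXCERPT + CONFICKER_EXCERPT}

_SINGLE_CHAR = re.compile(r"^(.)\1+$")   # "aaa", "88888888", "zzzzz"
_ASCENDING = "1234567890"                # Conficker: "12", "123", ... "1234567890"
_DESCENDING = "0987654321"               # Conficker: "21", "321", ... "0987654321"


def is_digit_run(pw: str) -> bool:
    """True for any prefix of 1234567890 or suffix of 0987654321 (length >= 2)."""
    return len(pw) >= 2 and (_ASCENDING.startswith(pw) or _DESCENDING.endswith(pw))


def strip_digit_suffix(pw: str) -> str:
    """'admin123' -> 'admin': the Conficker list is full of word+1/12/123 variants."""
    return re.sub(r"\d+$", "", pw)


def check_password(candidate: str) -> list:
    """Return the reasons to reject `candidate`; an empty list means none of these
    checks fired.  This is only a blocklist check: passing it does not make a
    password strong."""
    reasons = []
    pw = candidate.strip().lower()
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw in BLOCKLIST:
        reasons.append("on blocklist")
    if _SINGLE_CHAR.match(pw):
        reasons.append("single repeated character")
    if is_digit_run(pw):
        reasons.append("sequential digits")
    base = strip_digit_suffix(pw)
    if base != pw and base in BLOCKLIST:
        reasons.append(f"blocklisted word '{base}' with digits appended")
    deleet = pw.translate(LEET)
    if deleet != pw and (deleet in BLOCKLIST or strip_digit_suffix(deleet) in BLOCKLIST):
        reasons.append(f"leetspeak form of '{strip_digit_suffix(deleet)}'")
    return reasons


if __name__ == "__main__":
    for sample in ["123456", "Admin123", "P@ssw0rd", "0987654321", "Correct-Horse-Battery-9"]:
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
```

To use it for real, replace the two excerpts with the full lists (or a larger breach corpus) and call check_password() wherever a user sets a password; the point of the generalised checks is that an attacker’s wordlist will contain the variants even when the published top-50 does not.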

Resources for Tip 98

In the past I’ve used rather excellent software from NetSupport Ltd, but there are others out there.

www.netsupportdna.com/

Resources for Tip 99

The Salary.com survey of time wasted can be seen at:

www.salary.com/Articles/ArticleDetail.asp?part=par1083

Resources for Tip 101

For details on the first fines handed out by the UK’s Information Commissioner, visit

www.itpro.co.uk/628864/ico-deals-out-160-000-in-data-breach-fines

and also

www.ico.gov.uk/~/media/documents/pressreleases/2010/first_monetary_penalties_press_release_24112010.ashx

For Information Security Awareness Training for your employees, visit

www.nsmtraining.com

Keeping Your Data Secure II: The Human Factor

ISBN: 978-0-9568165-1-1, Paperback, RRP £13.99/$24.99, Author: Stephen Gibbs

Due for publication in late 2011, 'Keeping Your Data Secure II: The Human Factor' begins where the previous title left off.

In the workplace, sensitive data that leaks out, whether by accident or design, can cost the organisation that leaked it millions of dollars to deal with. And sometimes the damage is simply too great to rectify – you can’t always put the genie back in the bottle. It can mean negative publicity, lost sales, a catastrophic drop in stock price, lost careers and even the closure of a business. All of which is bad news, for the organisation and for everyone who works there.

The statistics speak for themselves. The vast majority of data loss incidents could have been avoided if only the people involved had been made aware of the risks – and acted on that awareness. So, this book will explain to you what these threats are, and how to avoid them.

You can read a sample chapter here (PDF Reader required)